[KLUG Members] Re: Broadband firewalls -- [continued] flawed logic and analysis ...

Bryan J. Smith members@kalamazoolinux.org
07 Dec 2002 23:46:31 -0500

On Sat, 2002-12-07 at 23:32, Robert G. Brown wrote:
> Request of Bryan Smith:
>   Please provide the readers with some examples of the kind of non-IP
> vulnerabilities you write about in such great generality and length.

By using the word "vulnerabilities," you _miss_ the point.  These aren't
"vulnerabilities," they are _inherent_raw_access_to_your_system_ by
protocol design!

First off, I really don't want to get into this because I'll have to
dive into the differences between ICMP, UDP, TCP and proprietary
network/transport protocols.  I've just run into endless Windows
applications, ActiveX/Java programs and other clients that act _exactly_
like a "service" from the standpoint of how the transport is handled.  A
"real" firewall that "blocks by default" will not allow such programs to
work (and will force you to address them), but "simple, hardware
firewalls" often just let those packets right through.

Secondly, most game _client_ protocols work like FTP-data, only usually
worse.  They require that your _client_ starts "servicing" to another
host.  Most "simple, hardware firewalls" just say "ack, just let those
packets through unadulterated."

Third, you should be _blocking_outgoing_ packets at your firewall port
to prevent Windows desktop spyware and rootkits from working.  These
"simple, hardware firewalls" do _nothing_ to stop them because they
allow everything out!

Fourth, most "simple, hardware firewalls" don't have software to detect
when spyware/rootkits are installed on your LAN nodes anyway.  You
should be semi-vigilant in doing so because many of these "trojans" are
not detected by virus software.  But they are _very_easy_ to detect if
you are doing #3 (let alone running an IDS, although that's not a
requirement).

[ God I don't know how many times I've caught spyware/trojans on even
small corporate networks -- and these people aren't even gamers, or
running "consumer" software! ]

-- Bryan

P.S.  Again, NAT is an ultra-simple mechanism for mapping a transport
layer port to a private address.  If an external system addresses the
mapped port on your NAT device, you _can_ route _directly_ to an
internal/private IP!  By means of the so-called "firewall" that is
supposed to protect you!


-- 
Bryan J. Smith, E.I. (BSECE)       Contact Info:  http://thebs.org
[ http://thebs.org/files/resume/BryanJonSmith_certifications.pdf ]
------------------------------------------------------------------
  The more government chooses for you, the less freedom you have.
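An added illustration of points #3 and #4 in the message above (not code from the post or its author): if the gateway drops outbound traffic by default and logs the drops, a LAN host that keeps retrying the same blocked external destination stands out in the log. The netfilter-style log lines, the "EGRESS-DROP" prefix and the addresses are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample: netfilter LOG entries from the FORWARD chain of a
# default-deny egress policy on a gateway "gw" (syslog style, trimmed).
SAMPLE_LOG = """\
Dec  7 22:01:03 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 PROTO=TCP SPT=1182 DPT=6667
Dec  7 22:01:33 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 PROTO=TCP SPT=1183 DPT=6667
Dec  7 22:02:03 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 PROTO=TCP SPT=1184 DPT=6667
Dec  7 22:02:33 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 PROTO=TCP SPT=1185 DPT=6667
Dec  7 22:05:10 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.7 PROTO=UDP SPT=1034 DPT=27015
"""

# Fields of interest in a netfilter LOG line; SPT is optional because
# ICMP drops carry no port fields.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"(?:SPT=\d+ )?DPT=(?P<dpt>\d+)"
)

def parse_drops(log_text):
    """Yield (src, dst, proto, dport) for every logged egress drop."""
    for line in log_text.splitlines():
        if "EGRESS-DROP" not in line:
            continue
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dpt"])

def suspicious_hosts(log_text, threshold=3):
    """Map internal source -> [(dst, proto, dport, count)] for LAN hosts
    that retried the same blocked outbound destination at least
    `threshold` times; one-off drops (a user clicking something) are
    left out so the report only lists repeating, client-initiated flows."""
    counts = defaultdict(int)
    for key in parse_drops(log_text):
        counts[key] += 1
    report = defaultdict(list)
    for (src, dst, proto, dpt), n in sorted(counts.items()):
        if n >= threshold:
            report[src].append((dst, proto, dpt, n))
    return dict(report)

if __name__ == "__main__":
    for host, hits in suspicious_hosts(SAMPLE_LOG).items():
        for dst, proto, dpt, n in hits:
            print(f"{host} -> {dst} {proto}/{dpt}: {n} blocked attempts")
```

Run against the real gateway log, the host 192.168.1.23 pattern (regular retries to one external port the LAN has no business reaching) is what the post means by "very easy to detect" once egress is blocked by default.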