
Thread: It seems every firewall is slagged as snake oil. So how should it be done?

  1. #61
    John
    Guest

    Re: It seems every firewall is slagged as snake oil. So how should it be done?


    "Rick" <rsimon@cris.com> wrote in message
    news:Xns9BCD46B3D4A3rlsomewhere@74.209.136.99...
    > "Martin C" <martinC@invalid.com> wrote in
    > news:49ba16d9$1_1@glkas0286.greenlnk.net:
    >>
    >> From reading this newsgroup, there seem to be an incredible number of
    >> postings that basically say that no personal firewall should be used
    >> on a PC as they are all basically snake oil and don't really do much.

    >
    >
    > Personal firewalls are one of those things that people love to argue back
    > and forth. Both sides have some validity to their views so the argument
    > goes on ad infinitum. Sort of like asking "which auto brand is better,
    > Ford, Chevy or Chrysler?"
    >
    >

    Lexus


  2. #62
    Ansgar -59cobalt- Wiechers
    Guest

    Re: It seems every firewall is slagged as snake oil. So how should it be done?

    Lie Ryan <lie.1296@gmail.com> wrote:
    > Ansgar -59cobalt- Wiechers wrote:
    >> - A system that doesn't have any open ports, because it doesn't have
    >> any services listening on the external interface, doesn't need a
    >> personal firewall to protect the system from direct inbound
    >> attacks.

    >
    > A system is always vulnerable to ICMP DOS unless the firewall is
    > instructed to ignore and ignore ICMP packets.


    DoS by ICMP usually is an ICMP flood, which means that the attacker is
    sending so many ICMP packets that they consume the entire bandwidth of
    your uplink. Dropping ICMP packets on the receiving side doesn't change
    anything at all about that.

    >> - A system that is properly patched isn't vulnerable to attacks
    >> targeting the already patched bugs.

    >
    > There are always zero-day vulnerabilities. Having a firewall can help to
    > prevent these vulnerabilities, since most vulnerabilities assume a
    > vanilla system.


    Nonsense. If you need the service to be accessible, the firewall cannot
    protect it, because blocking access would obviously make the service
    inaccessible. And if you don't need the service to be accessible: why
    are you running it in the first place? A service that isn't running
    cannot be exploited, no matter how many zero-day vulnerabilities it
    might have.

    >> - Personal firewalls cannot protect services that are supposed to be
    >> accessible to begin with.

    >
    > Personal firewalls should not be used for web server in the first
    > place.


    Ummm... outside of your private reality there are a lot more services
    than just HTTP. Which people may or may not need to access depending on
    their current situation.

    >> - When the user is working with admin privileges, personal firewalls
    >> can be disabled from the inside, even if they employ rootkit
    >> techniques.

    >
    > That is true even for hardware firewalls, and it is true for any kind
    > of protection. Even moderately security-conscious people would not
    > be so foolish as to run as Administrator nowadays.


    Pray tell how you think you can disable a firewall running on a separate
    device (provided it's configured properly, i.e. UPnP disabled, no
    default password, firmware up-to-date, etc.).

    >> - Malware should be prevented from being run in the first place, not
    >> from communicating outbound after it's already running. There are
    >> various measures helping to achieve the former, including, but not
    >> limited to: disabling autostart on removable media, using Software
    >> Restriction Policies, setting appropriate "execute" permissions, or
    >> running (up-to-date) AV software.

    >
    > HAHAHAHAHAHAHAHAHAHA!!
    >
    > What a laugh... I'm sure in your unfirewalled system there is a worm
    > that is currently contacting home, and you are CLUELESS about its
    > existence because your firewall didn't tell you (OOOOPSS I forgot you
    > don't have firewall).


    a) Just because I'm not using a personal firewall doesn't mean I'm not
    using a firewall.
    b) Since I'm normally logged in with a normal user account, and I also
    know how to use Process Explorer, netstat, TCPView, Port Reporter,
    Wireshark and a variety of other tools, I'm pretty certain that my
    system is not currently infected.

    > Fully updated antivirus? Do you think a "fully updated antivirus"
    > stand a chance to zero day vulnerability? A firewall has a much better
    > chance against zero days since it does not rely on signatures.


    No, it doesn't. Because in the case of a service that doesn't need to be
    accessible, you're better off shutting it down than just trying to block
    access with a packet filter. And in any other case the system is already
    hosed when the firewall detects the compromise.

    >> - The popups of personal firewalls are more confusing than anything
    >> else, because in order to understand these messages, the user would
    >> have to have a good understanding of both networking and Windows
    >> internals. Which is quite uncommon with the target group of
    >> personal firewalls.

    >
    > I doubt that.


    You can doubt that as much as you like. It doesn't change anything about
    the fact.

    > If there is a program named autorun.exe trying to get access to
    > Internet, I'm sure anyone moderately computer literate will be
    > suspicious.


    Do you believe he'll get suspicious when a program named iexplorer.exe
    or iexp1ore.exe or ssvchost.exe is trying to access the Internet?
    Really?

    >> - The logging of personal firewalls usually is laughable, since vital
    >> information is omitted.

    >
    > How is no logging compared to some logging?


    It's neither worse nor better. Insufficient logging is just the same as
    no logging at all: it doesn't help, because you still lack vital
    information.

    >> On top of that, more often than not personal firewalls introduce
    >> additional vulnerabilities on the system they're supposed to protect:
    >>
    >> - Automatic network shunning (default with various personal
    >> firewalls) can be abused by an attacker for a DoS attack.

    >
    > Which is better than a compromised system. Anyway, most personal
    > firewalls can selectively block the attacker's IP address without
    > blocking the whole network.


    Yeah. Especially when the attacker spoofs the IP addresses of your ISP's
    name servers (or those of the root name servers). Right. Did you even
    understand what I'm talking about?

    >> - Some personal firewalls run interactive services with elevated
    >> privileges, making them susceptible to shatter attacks.

    >
    > Better than an unfirewalled system, which can be easily turned to a
    > zombie without any effort to do shattering.


    I call ********. How do you plan to turn a system into a zombie, when it
    doesn't have any publicly accessible services, and the users are working
    with normal user accounts?

    >> - Exploitable bugs in personal firewalls can be used to compromise
    >> the system. This has already happened ITW (W32/Witty.worm).

    >
    > A worm can only target a very small and specific set of firewalls. In
    > the case of the Witty worm, it can only break through the ISS firewall;
    > it won't be able to break my Comodo firewall or my Kerio firewall. By
    > adding diversity, it makes it harder for a worm to have widespread
    > impact. By having a uniform configuration (i.e. all no firewall) it is
    > only a matter of time before the worm makes the next hops.


    *sigh*

    You didn't understand the problem at all, did you? Those systems were
    infected *because* they were running a personal firewall. Had they not
    been running a personal firewall but instead had their unneeded services
    disabled, they would not have been affected by this attack (more
    precisely: not only this attack, but any attack of this kind) at all.

    >> And you dare calling the critics of personal firewalls ignorant?

    >
    > And you dare claim to know anything about security?


    A great deal more than you, obviously. Plus, I have at least some
    understanding of networking concepts.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich
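The post above argues that a prompt naming "iexplorer.exe", "iexp1ore.exe" or "ssvchost.exe" will not look suspicious to most users, and that the alternative is to review connection listings from TCPView or netstat yourself. The following is an added example (not code from the thread or from any product named in it) that does the comparison a reviewer would otherwise do by eye: it takes TCPView-style rows and flags process names that are near-misses of well-known Windows binaries. The sample rows, process names and remote addresses are constructed for the example and use documentation address ranges; the list of known-good names is an assumption to be extended per host.

```python
"""Spot lookalike process names in a connection listing.

Added example, not code from the thread. Sample rows, process names and
addresses are constructed; KNOWN_GOOD is an assumption for this host."""

# Binaries an attacker commonly imitates (assumption: extend for your host).
KNOWN_GOOD = {
    "svchost.exe", "iexplore.exe", "explorer.exe", "lsass.exe",
    "services.exe", "winlogon.exe", "firefox.exe",
}

# Characters routinely swapped for look-alike letters in malware file names.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "|": "l", "!": "i", "3": "e", "5": "s"})


def normalize(name: str) -> str:
    """Lower-case the name and undo the usual digit-for-letter substitutions."""
    return name.lower().translate(HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means one name mimics the other."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name: str) -> str:
    """Return 'known', 'lookalike' (near-miss of a known name) or 'unknown'."""
    if name.lower() in KNOWN_GOOD:
        return "known"
    norm = normalize(name)
    for good in KNOWN_GOOD:
        if norm == good or edit_distance(norm, good) <= 2:
            return "lookalike"
    return "unknown"


# Constructed TCPView-style rows: proto, local, remote, state, PID, process.
SAMPLE_LISTING = """\
TCP  192.168.1.10:49213  203.0.113.7:443    ESTABLISHED  4120  firefox.exe
TCP  192.168.1.10:49220  198.51.100.7:6667  ESTABLISHED  2288  ssvchost.exe
TCP  192.168.1.10:49231  203.0.113.9:443    ESTABLISHED  3004  iexp1ore.exe
TCP  192.168.1.10:49240  192.0.2.55:8080    ESTABLISHED  3100  iexplorer.exe
TCP  192.168.1.10:49250  203.0.113.20:443   ESTABLISHED  2800  iexplore.exe
TCP  192.168.1.10:49261  192.0.2.80:443     ESTABLISHED  3550  updater.exe
"""


def review(listing: str) -> list:
    """Return (pid, process, remote, verdict) for every row whose name is not known-good."""
    findings = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip headers and blank lines
        _proto, _local, remote, _state, pid, proc = fields
        verdict = classify(proc)
        if verdict != "known":
            findings.append((int(pid), proc, remote, verdict))
    return findings


if __name__ == "__main__":
    for pid, proc, remote, verdict in review(SAMPLE_LISTING):
        print(f"{verdict:9} pid={pid:<5} {proc:<14} -> {remote}")
```

The name check is only a first filter: a "lookalike" verdict says the name is one or two characters away from a binary the attacker would want to imitate, and an "unknown" verdict just means it warrants a look at the image path and signer. A genuine binary renamed to a legitimate name is not caught by this at all, which is the thread's point about relying on popups.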

  3. #63
    DevilsPGD
    Guest

    Re: It seems every firewall is slagged as snake oil. So how should it be done?

    In message <Uuvul.28396$cu.19613@news-server.bigpond.net.au> Lie Ryan
    <lie.1296@gmail.com> was claimed to have wrote:

    >Ansgar -59cobalt- Wiechers wrote:
    >> - A system that doesn't have any open ports, because it doesn't have any
    >> services listening on the external interface, doesn't need a personal
    >> firewall to protect the system from direct inbound attacks.

    >
    >A system is always vulnerable to ICMP DOS unless the firewall is
    >instructed to ignore and ignore ICMP packets.


    You do know that ICMP does a heck of a lot more than echo
    requests/responses, much of which you probably want, at least if you
    enjoy reliable connectivity.

  4. #64
    DevilsPGD
    Guest

    Re: It seems every firewall is slagged as snake oil. So how should it be done?

    In message <gqmbueU7v9L1@news.in-ulm.de> Ansgar -59cobalt- Wiechers
    <usenet-2009@planetcobalt.net> was claimed to have wrote:

    >Lie Ryan <lie.1296@gmail.com> wrote:
    >> Ansgar -59cobalt- Wiechers wrote:
    >>> - A system that doesn't have any open ports, because it doesn't have
    >>> any services listening on the external interface, doesn't need a
    >>> personal firewall to protect the system from direct inbound
    >>> attacks.

    >>
    >> A system is always vulnerable to ICMP DOS unless the firewall is
    >> instructed to ignore and ignore ICMP packets.

    >
    >DoS by ICMP usually is an ICMP flood, which means that the attacker is
    >sending so many ICMP packets that they consume the entire bandwidth of
    >your uplink. Dropping ICMP packets on the receiving side doesn't change
    >anything at all about that.


    There is one large exception: A target with asymmetric bandwidth.

    If you're attacking a user on a typical consumer grade connection,
    they'll probably have far more downstream than upstream.

    If a user is on a 10Mb/1Mb connection, all you need to do is throw a
    little over 1Mb/s in ICMP echo requests their way to make their
    connection annoyingly slow, and any more than 4Mb/s or so will probably
    cause a decent percentage of their outbound ACKs to get dropped due to
    their bandwidth being used processing ICMP echo replies.

    Now if the target is smart, they'll hopefully rate limit or otherwise
    deprioritize ICMP echo handling, and it's honestly been a long time
    since I screwed around with this technique, but having been the
    recipient of this type of attack, it can be effective in at least some
    cases.

  5. #65
    Volker Birk
    Guest

    Re: It seems every firewall is slagged as snake oil. So how should it be done?

    DevilsPGD <DeathToSpam@crazyhat.net> wrote:
    > In message <Uuvul.28396$cu.19613@news-server.bigpond.net.au> Lie Ryan
    > <lie.1296@gmail.com> was claimed to have wrote:
    >>A system is always vulnerable to ICMP DOS unless the firewall is
    >>instructed to ignore and ignore ICMP packets.

    > You do know that ICMP does a heck of a lot more then echo
    > request/responses, much of which you probably want, at least if you
    > enjoy reliable connectivity.


    I don't have the impression that he understands.

    Yours,
    VB.
    --
    Please also note the reverse side of this letter!

  6. #66
    Ansgar -59cobalt- Wiechers
    Guest

    Re: It seems every firewall is slagged as snake oil. So how should it be done?

    DevilsPGD <DeathToSpam@crazyhat.net> wrote:
    > Ansgar -59cobalt- Wiechers was claimed to have wrote:
    >> Lie Ryan <lie.1296@gmail.com> wrote:
    >>> A system is always vulnerable to ICMP DOS unless the firewall is
    >>> instructed to ignore and ignore ICMP packets.

    >>
    >> DoS by ICMP usually is an ICMP flood, which means that the attacker
    >> is sending so many ICMP packets that they consume the entire
    >> bandwidth of your uplink. Dropping ICMP packets on the receiving side
    >> doesn't change anything at all about that.

    >
    > There is one large exception: A target with asymmetric bandwidth.
    >
    > If you're attacking a user on a typical consumer grade connection,
    > they'll probably have far more downstream than upstream.
    >
    > If a user is on a 10Mb/1Mb connection, all you need to do is throw a
    > little over 1Mb/s in ICMP echo requests their way to make their
    > connection annoyingly slow, and any more than 4Mb/s or so will
    > probably cause a decent percentage of their outbound ACKs to get
    > dropped due to their bandwidth being used processing ICMP echo
    > replies.
    >
    > Now if the target is smart, they'll hopefully rate limit or otherwise
    > deprioritize ICMP echo handling, and it's honestly been a long time
    > since I screwed around with this technique, but having been the
    > recipient of this type of attack, it can be effective in at least some
    > cases.


    Although true, this isn't that much of an exception, IMHO. As you said
    yourself, decent firewalls can handle ping-floods from a few sources by
    rate-limiting the responses, and a distributed ping-flood usually can
    exhaust 10 Mb/s just as easily as 1 Mb/s.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  7. #67
    DevilsPGD
    Guest

    Re: It seems every firewall is slagged as snake oil. So how should it be done?

    In message <gqq598U4pkL1@news.in-ulm.de> Ansgar -59cobalt- Wiechers
    <usenet-2009@planetcobalt.net> was claimed to have wrote:

    >DevilsPGD <DeathToSpam@crazyhat.net> wrote:
    >> Ansgar -59cobalt- Wiechers was claimed to have wrote:
    >>> Lie Ryan <lie.1296@gmail.com> wrote:
    >>>> A system is always vulnerable to ICMP DOS unless the firewall is
    >>>> instructed to ignore and ignore ICMP packets.
    >>>
    >>> DoS by ICMP usually is an ICMP flood, which means that the attacker
    >>> is sending so many ICMP packets that they consume the entire
    >>> bandwidth of your uplink. Dropping ICMP packets on the receiving side
    >>> doesn't change anything at all about that.

    >>
    >> There is one large exception: A target with asymmetric bandwidth.
    >>
    >> If you're attacking a user on a typical consumer grade connection,
    >> they'll probably have far more downstream than upstream.
    >>
    >> If a user is on a 10Mb/1Mb connection, all you need to do is throw a
    >> little over 1Mb/s in ICMP echo requests their way to make their
    >> connection annoyingly slow, and any more than 4Mb/s or so will
    >> probably cause a decent percentage of their outbound ACKs to get
    >> dropped due to their bandwidth being used processing ICMP echo
    >> replies.
    >>
    >> Now if the target is smart, they'll hopefully rate limit or otherwise
    >> deprioritize ICMP echo handling, and it's honestly been a long time
    >> since I screwed around with this technique, but having been the
    >> recipient of this type of attack, it can be effective in at least some
    >> cases.

    >
    >Although true, this isn't that much of an exception, IMHO. As you said
    >yourself, decent firewalls can handle ping-floods from a few sources by
    >rate-limiting the responses, and a distributed ping-flood usually can
    >exhaust 10 Mb/s just as easily as 1 Mb/s.


    A DDoS attack is quite different from a DoS attack though, and really is
    a different ballpark, both technologically and in terms of the
    sophistication needed to launch an attack. In other words, an echo
    request attack is script kiddie 101, a true flood takes a bit more
    effort (unless I missed a botnet firesale online).

    My 10/1 cable modem can easily use this type of attack to take down a
    user on a 2Mb/256Kb level of service with a pure DoS -- In other words,
    this type of attack means all I need is for my upstream to exceed the
    victim's upstream, rather than a traditional flood which would require
    my upstream to exceed the victim's downstream.

    If I don't care about spoofing my IP, I could do it from the Windows
    command prompt by launching the right number of ping.exe sessions with
    some carefully tuned packet sizes.

    "Decent firewalls" != "The cheapest NAT box at Best Buy" (in other
    words, I don't believe most people have a "decent firewall")

    Let me also say that I personally believe anyone advocating disabling
    ICMP is flat out ignorant and unqualified to dispense advice, and anyone
    advocating discarding echo requests in the name of security probably has
    a similar misunderstanding.

    As someone with more than a passing interest in both security and
    DoS/DDoS prevention/survival, I consider it important to understand the
    risks.
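The exchange above between 59cobalt and DevilsPGD comes down to two numbers: how much upstream an answered echo request costs the victim, and how far a reply rate limit caps that cost. The following is an added example (not code from the thread) that puts figures on the 10Mb/1Mb case and models the rate limiter 59cobalt mentions as a token bucket with the semantics of the iptables `-m limit` match. The per-packet overhead figures (IPv4 header 20 B, ICMP header 8 B, Ethernet header plus FCS 18 B) and the 1472-byte payload (largest unfragmented ping on a 1500-byte MTU) are assumptions of the model, and the link speeds are the ones quoted in the posts.

```python
"""Back-of-the-envelope model of an ICMP echo flood on an asymmetric link.

Added example, not code from the thread. Overhead constants and the link
speeds used in __main__ are assumptions taken from the discussion above."""

IPV4_HDR = 20      # bytes, assumed: IPv4 header without options
ICMP_HDR = 8       # bytes, assumed: ICMP echo header
ETH_OVERHEAD = 18  # bytes, assumed: Ethernet header plus FCS


def wire_bits(payload_bytes: int) -> int:
    """Bits on the wire for one echo request (the reply is the same size)."""
    return (payload_bytes + IPV4_HDR + ICMP_HDR + ETH_OVERHEAD) * 8


def pps_to_saturate_upstream(payload_bytes: int, up_bps: float) -> float:
    """Request rate at which the victim's echo replies alone fill its upstream."""
    return up_bps / wire_bits(payload_bytes)


def echo_flood(request_pps, payload_bytes, down_bps, up_bps, reply_limit_pps=None):
    """Steady-state link utilization as a fraction (>1.0 means saturated).

    reply_limit_pps caps how many requests per second the host answers;
    None means it answers every one of them.
    """
    bits = wire_bits(payload_bytes)
    answered = request_pps if reply_limit_pps is None else min(request_pps, reply_limit_pps)
    return {
        "inbound_util": request_pps * bits / down_bps,
        "outbound_util": answered * bits / up_bps,
    }


class ReplyLimiter:
    """Token bucket with the semantics of 'iptables -m limit --limit R/s --limit-burst B'."""

    def __init__(self, rate_pps: float, burst: int):
        self.rate, self.burst = rate_pps, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now: float) -> bool:
        # Refill proportionally to elapsed time, never above the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate_outbound_util(request_pps, payload_bytes, up_bps, seconds, limiter=None):
    """Feed an evenly spaced request stream through the limiter (if any) and
    return the fraction of upstream the replies occupy over the whole run."""
    bits = wire_bits(payload_bytes)
    replies = 0
    for i in range(int(request_pps * seconds)):
        if limiter is None or limiter.allow(i / request_pps):
            replies += 1
    return replies * bits / (up_bps * seconds)


if __name__ == "__main__":
    # The 10 Mb/1 Mb case from the thread, with the largest unfragmented payload.
    down, up, payload = 10_000_000, 1_000_000, 1472
    rate = pps_to_saturate_upstream(payload, up)
    print(f"{rate:.1f} req/s of {payload}-byte pings fills a {up/1e6:.0f} Mb/s upstream")
    print("no limit  :", echo_flood(rate, payload, down, up))
    print("10 rep/s  :", echo_flood(rate, payload, down, up, reply_limit_pps=10))
    print("sim, limit:", round(simulate_outbound_util(1000, payload, up, 10, ReplyLimiter(10, 5)), 3))
```

Two things fall out of the numbers. About 82 requests per second of maximum-size pings (roughly 1 Mb/s, so the attacker needs only as much upstream as the victim has) already fill the victim's 1 Mb/s upstream with replies while using a tenth of its downstream, which is DevilsPGD's point. With replies capped at 10 per second the outbound cost stays around 12% of upstream no matter how fast requests arrive, which is 59cobalt's point; the cap does nothing for the inbound side, so a flood large enough to fill the downstream still succeeds, and blocking echo outright would not change that either.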

  8. #68
    DevilsPGD
    Guest

    Re: It seems every firewall is slagged as snake oil. So how should it be done?

    In message <gqq000UpunL1@news.in-ulm.de> Volker Birk
    <bumens@dingens.org> was claimed to have wrote:

    >DevilsPGD <DeathToSpam@crazyhat.net> wrote:
    >> In message <Uuvul.28396$cu.19613@news-server.bigpond.net.au> Lie Ryan
    >> <lie.1296@gmail.com> was claimed to have wrote:
    >>>A system is always vulnerable to ICMP DOS unless the firewall is
    >>>instructed to ignore and ignore ICMP packets.

    >> You do know that ICMP does a heck of a lot more then echo
    >> request/responses, much of which you probably want, at least if you
    >> enjoy reliable connectivity.

    >
    >I don't have the impression that he understands.


    Me neither, which is why I asked. If I thought he did understand and
    proceeded to dispense such poor advice anyway, I'd be assuming he had
    malicious intent, attempting to mislead other ignorant users rather than
    just being ignorant himself.

    There is no crime or shame in ignorance, only in wilfully remaining
    ignorant.
