Thread: Avira's firewall

  1. #41
    Ansgar -59cobalt- Wiechers
    Guest

    Re: Avira's firewall

    gufus <stop.nospam.gbbsg@shaw.ca> wrote:
    > 13 Apr 10, Ansgar -59cobalt- Wiechers writes to Gypsy BBS:
    >> From: usenet-2010@planetcobalt.net
    >>> Employees /need/ to understand the system,
    >>
    >> True, but besides the point. Repeating myself: even the best
    >> employees are still human and *will* make mistakes here and
    >
    > Agreed... and you don't have to repeat yourself, there will always be
    > human error in life. That's life.


    *sigh*

    I give up. Apparently I'm unable to explain matters in a way you'd
    understand.

    Please do yourself and the world a favor and don't ever touch anything
    security-related.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  2. #42
    Ansgar -59cobalt- Wiechers
    Guest

    Re: Avira's firewall

    gufus <stop.nospam.gbbsg@shaw.ca> wrote:
    > 12 Apr 10, Grant Taylor writes to All:
    >> Conversely if the web servers were running a software based firewall,
    >> they could easily filter SNMP and / or RPC traffic so that only the
    >> management station(s) could access them. Thereby protecting them
    >> from the program running locally on the compromised server.
    >>
    >> These types of side attacks (if you will) are what I'm saying that a
    >> software based firewall will help prevent.
    >
    > I still think your way is more secure. IMHO.


    That's simply because you entirely failed to understand the
    implications.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  3. #43
    gufus
    Guest

    Re: Avira's firewall

    Hello, Ansgar!

    You wrote on 13 Apr 2010 20:58:45 GMT:

    AcW>
    AcW> Please do yourself and the world a favor and don't ever touch anything
    AcW> security-related.
    AcW>

    :-)


    --
    With best regards, gufus. E-mail: stop.nospam.gbbsg@shaw.ca



  4. #44
    Grant Taylor
    Guest

    Re: Avira's firewall

    Ansgar -59cobalt- Wiechers wrote:
    > Sorry, but that's just ridiculous. If you're that concerned about
    > security, you don't allow SNMP or RPC in the first place. Period.
    > Rather than running additional code on the servers, you'd lock them
    > down tight, update them frequently, and monitor them closely.


    I was just using SNMP / RPC as an example.

    For the sake of discussion, please provide a service that would be
    needed internally to support line-of-business applications (even in a
    DMZ) that would not be allowed externally.

    > You don't seem to understand how SNMP works. What exactly prevents
    > compromised server A from spoofing the source address of the SNMP
    > packets it sends to victim server B on the same network segment? The
    > protocol is UDP-based after all.


    I do understand SNMP well enough for this discussion. There is nothing
    that prevents the compromised server from spoofing anything.

    However, I think we can agree on the fact that there is an order of
    magnitude difference in complexity in malware that is capable of
    spoofing IP and possibly MAC addresses versus not doing so and relying
    on the OS IP stack. Likewise, I believe there is quite a bit of
    difference in the number of each.

    You can't protect against everything. There is a point of diminishing
    return with more security.

    > You mean the "sanitizing reverse proxy" thingie? Those are not about
    > egress filtering, but ingress filtering. They sanitize (i.e. rewrite/
    > canonicalize) the input data stream going from a client to a server,
    > and thus protect a server from malicious user-supplied data.
    > mod_security for Apache is an example of this kind of software.


    No. I mean an edge firewall that is (hopefully) only allowing replies
    from TCP ports 80 and 443 (and possibly some ICMP) as well as only
    allowing the internal subnet as a source IP range.

    I am perfectly aware of what a reverse (or forward) proxy is for and can
    do. I was not bringing them in to this discussion.

    > As explained above, this won't necessarily work as you expect.


    Aside from IP spoofing and your opinion that the firewalls present a
    bigger target, I fail to see how this will not work or at least help
    prevent (read: slow down / limit attack) internally initiated attacks.

    > SSH is a perfect example of a service that does not need to be
    > "protected" with a local firewall at all. You disallow password
    > authentication and restrict which user can login from where.


    Other than the fact that SSH is a little more intelligent about the
    application layer, I believe it too is equally susceptible to the IP
    spoofing that you were referring to above. (Granted, once successfully
    spoofed, there is a greater hurdle to overcome at the application layer
    with encryption RSA keys and the likes.)

    > If you're referring to exploitable vulnerabilities: trying to
    > "protect" SSH with some kind of personal firewall would just move the
    > problem from sshd to the personal firewall instead of solving it, and
    > I clearly trust SSH more than any personal firewall. IPv6, anyone?


    I will agree that SSH is quite a bit more hardened than most public
    services, and can probably withstand quite an onslaught.

    For the sake of discussion, suppose that the server farm that we are
    talking about is for multiple MS-SQL servers that have to allow inbound
    connections, at least from the systems behind the edge firewall.

    > I don't consider the potential gain in security (which may be a lot
    > less than you expect, as explained above) worth the additional
    > complexity and effort in keeping another piece of software
    > up-to-date.


    That is a valid opinion that I can't argue with. Nor can I say that
    it's logically wrong. The only thing that I can say is that mine
    differs from yours.

    > Of course not, because that's not what management of services is
    > about. I believe I already said that if you want that level of
    > isolation, you're far better off putting the servers in separate
    > DMZs.


    I was referring to something specifically meant to remotely manage the
    configuration of aspects of services in such as you can control what IPs
    that SSH (or what ever) will talk to.

    I am referring to a server farm / DMZ of servers for a given task, off
    by themselves. I.e. a subnet dedicated to web servers or email servers
    or db servers or ...

    Or do I misunderstand you in such as you are stating to put each
    individual server in its own DMZ away from other servers?



    Grant. . . .

  5. #45
    Grant Taylor
    Guest

    Re: Avira's firewall

    Ansgar -59cobalt- Wiechers wrote:
    > True, but besides the point. Repeating myself: even the best employees
    > are still human and *will* make mistakes here and there. Unnecessarily
    > raising the complexity of a system will only increase the chances of
    > this happening.


    I agree. The human element of a network is (at times) one of its
    weakest links.



    Grant. . . .

  6. #46
    Ansgar -59cobalt- Wiechers
    Guest

    Re: Avira's firewall

    Grant Taylor <gtaylor@riverviewtech.net> wrote:
    > Ansgar -59cobalt- Wiechers wrote:
    >> Sorry, but that's just ridiculous. If you're that concerned about
    >> security, you don't allow SNMP or RPC in the first place. Period.
    >> Rather than running additional code on the servers, you'd lock them
    >> down tight, update them frequently, and monitor them closely.
    >
    > I was just using SNMP / RPC as an example.
    >
    > For the sake of discussion, please provide a service that would be
    > needed internally to support line-of-business applications (even in a
    > DMZ) that would not be allowed externally.


    The only services that come to mind are Remote Desktop and SSH.

    >> You don't seem to understand how SNMP works. What exactly prevents
    >> compromised server A from spoofing the source address of the SNMP
    >> packets it sends to victim server B on the same network segment? The
    >> protocol is UDP-based after all.
    >
    > I do understand SNMP well enough for this discussion. There is
    > nothing that prevents the compromised server from spoofing anything.
    >
    > However, I think we can agree on the fact that there is an order of
    > magnitude difference in complexity in malware that is capable of
    > spoofing IP and possibly MAC addresses versus not doing so and relying
    > on the OS IP stack.


    No, actually we can't agree on that, as it's just plain wrong. Unless
    you are talking about script-kiddy level, spoofing of addresses (either
    IP or MAC) is the most basic of the basics. And in case of UDP sending
    the packet with a fake sender address is all there is to it. It's
    neither difficult nor complex at all.

    [...]
    >> As explained above, this won't necessarily work as you expect.
    >
    > Aside from IP spoofing and your opinion that the firewalls present a
    > bigger target, I fail to see how this will not work or at least help
    > prevent (read: slow down / limit attack) internally initiated attacks.


    Because with UDP you don't need to establish a connection. You write the
    spoofed sender address to the packet, fire and forget.

    >> SSH is a perfect example of a service that does not need to be
    >> "protected" with a local firewall at all. You disallow password
    >> authentication and restrict which user can login from where.
    >
    > Other than the fact that SSH is a little more intelligent about the
    > application layer, I believe it too is equally susceptible to the IP
    > spoofing that you were referring to above.


    On top of being a lot more intelligent at the application layer, SSH
    (unlike SNMP) is also TCP-based. How do you think the compromised host
    is going to receive TCP response packets when they're not going back to
    the attacker's IP address? Unlike UDP, TCP is not stateless.

    > (Granted, once successfully spoofed, there is a greater hurdle to
    > overcome at the application layer with encryption RSA keys and the
    > likes.)


    That (and the user/source restrictions) come on top of the problem of
    intercepting/spoofing a TCP connection.

    >> If you're referring to exploitable vulnerabilities: trying to
    >> "protect" SSH with some kind of personal firewall would just move the
    >> problem from sshd to the personal firewall instead of solving it, and
    >> I clearly trust SSH more than any personal firewall. IPv6, anyone?
    >
    > I will agree that SSH is quite a bit more hardened than most public
    > services, and can probably withstand quite an onslaught.
    >
    > For the sake of discussion, suppose that the server farm that we are
    > talking about is for multiple MS-SQL servers that have to allow inbound
    > connections, at least from the systems behind the edge firewall.


    Please be more specific about the scenario. By "from the systems behind
    the edge firewall" you mean connections from within some LAN (management
    or whatever) to the servers in the DMZ? What kind of connection? Why
    wouldn't RDP suffice? Why can't the connection be tunneled (e.g. with
    stunnel) in case RDP does not suffice?

    >> Of course not, because that's not what management of services is
    >> about. I believe I already said that if you want that level of
    >> isolation, you're far better off putting the servers in separate
    >> DMZs.
    >
    > I was referring to something specifically meant to remotely manage the
    > configuration of aspects of services in such as you can control what
    > IPs that SSH (or what ever) will talk to.
    >
    > I am referring to a server farm / DMZ of servers for a given task, off
    > by themselves. I.e. a subnet dedicated to web servers or email
    > servers or db servers or ...


    In a scenario like that: if an attacker can exploit one server, he can
    exploit the other (similar) servers just the same. No need at all to
    take a different route for compromising them.

    > Or do I misunderstand you in such as you are stating to put each
    > individual server in its own DMZ away from other servers?


    For a server farm as you described above: no. But as explained above,
    there's no need to further isolate them anyway. For servers carrying out
    different tasks it might be an option.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich
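    The SSH hardening Ansgar describes above (no password authentication,
    and a restriction on which user may log in from where) can be checked
    mechanically. The following is an added example, not code from the
    thread or from OpenSSH: a small audit of an sshd_config text that
    reports when either control is missing. The two sample configurations
    are constructed for the demonstration; the directive names are real
    OpenSSH keywords (PasswordAuthentication, PermitRootLogin, AllowUsers
    with user@host patterns, Match Address), and the check that an
    AllowUsers entry must carry a host part is this example's own rule of
    thumb, not an OpenSSH requirement.

```python
"""Audit an sshd_config for the two controls discussed in the thread:
password authentication off, and logins restricted by user and source host.
Added example; sample configurations below are constructed."""

WEAK_CONFIG = """\
# constructed sample: stock settings plus a LAN exception
Port 22
PermitRootLogin yes
#PasswordAuthentication no
AllowUsers ops backup
Match Address 192.168.0.0/16
    PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed sample: keys only, named users, named sources
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers ops@10.0.0.* backup@10.0.0.10
"""


def parse_sshd_config(text):
    """Split sshd_config into (global directives, [(match criteria, directives)]).
    sshd keeps the first value it reads for a keyword, so the first one wins
    here too; keywords are case-insensitive, so keys are lower-cased."""
    global_conf, match_blocks = {}, []
    current = global_conf
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":                      # what follows applies only to matching peers
            current = {}
            match_blocks.append((value, current))
            continue
        current.setdefault(key, value)
    return global_conf, match_blocks


def audit_sshd_config(text):
    """Return a list of findings; an empty list means both controls are present."""
    conf, matches = parse_sshd_config(text)
    findings = []
    # OpenSSH defaults PasswordAuthentication to yes, so a missing line counts too
    if conf.get("passwordauthentication", "yes").lower() != "no":
        findings.append("password authentication is enabled (explicitly or by default)")
    if conf.get("permitrootlogin", "").lower() == "yes":
        findings.append("PermitRootLogin yes")
    users = conf.get("allowusers", "").split()
    if not users:
        findings.append("no AllowUsers: logins are not restricted to named users")
    else:
        # user@host entries bind each account to a source pattern; a bare user does not
        bare = [u for u in users if "@" not in u]
        if bare:
            findings.append("AllowUsers entries without a source host: " + ", ".join(bare))
    for criteria, block in matches:
        # a Match block can quietly re-enable what the global section switched off
        if block.get("passwordauthentication", "").lower() == "yes":
            findings.append(f"Match {criteria} re-enables password authentication")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["ok"])
```

    Running it on the two constructed samples reports four findings for
    the weak configuration and none for the hardened one. The Match-block
    check is the part worth keeping in mind: a global
    `PasswordAuthentication no` proves little if a later `Match Address`
    section turns passwords back on for some source range.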

  7. #47
    Grant Taylor
    Guest

    Re: Avira's firewall

    Ansgar -59cobalt- Wiechers wrote:
    > The only services that come to mind are Remote Desktop and SSH.


    RDP.

    > No, actually we can't agree on that, as it's just plain wrong. Unless
    > you are talking about script-kiddy level, spoofing of addresses
    > (either IP or MAC) is the most basic of the basics. And in case of
    > UDP sending the packet with a fake sender address is all there is to
    > it. It's neither difficult nor complex at all.


    I was referring to script-kiddy.

    I'm of the opinion that little will stop a properly motivated skilled
    attacker.

    The rest of the chaff is what I'm thinking about protecting against.

    > On top of being a lot more intelligent at the application layer, SSH
    > (unlike SNMP) is also TCP-based. How do you think the compromised
    > host is going to receive TCP response packets when they're not going
    > back to the attacker's IP address? Unlike UDP, TCP is not stateless.


    The compromised host would need to be in the return path or local LAN of
    the spoofed host.

    > That (and the user/source restrictions) come on top of the problem of
    > intercepting/spoofing a TCP connection.


    Agreed.

    > Please be more specific about the scenario. By "from the systems
    > behind the edge firewall" you mean connections from within some LAN
    > (management or whatever) to the servers in the DMZ? What kind of
    > connection? Why wouldn't RDP suffice? Why can't the connection be
    > tunneled (e.g. with stunnel) in case RDP does not suffice?


    Let's say that it's a routed VLAN that is firewalled and using globally
    routable IPs for the servers in said VLAN. (Said another way, the same
    broadcast domain.)

    RDP or SSH should suffice for management. But what about some other
    service that is used by the server. - I've never messed with it, what
    ports need to be open for MS Cluster Server to communicate with each other?

    > In a scenario like that: if an attacker can exploit one server, he
    > can exploit the other (similar) servers just the same. No need at all
    > to take a different route for compromising them.


    As long as the edge firewall will allow access to the other servers (not
    doing some sort of load balancing based on source IP that would ensure
    that one IP would talk to one server) sure.

    That is also assuming that all the servers are serving the same content.
    That assumption might not be the case for a web farm that assigns a
    (vulnerable) web site to some but not all servers.



    Grant. . . .

  8. #48
    Grant Taylor
    Guest

    Re: Avira's firewall

    gufus wrote:
    > Hi Grant,


    Hi gufus,

    > Hmmmm... sounds like an echo here. <grin>


    ;-)

    > With only basic networking skills, I'm taking notes on you discussion
    > with Ansgar, interesting to-say-the least.


    Ansgar seems to have a very strong opinion on what we are discussing.
    Further, Ansgar is presenting logical points to support his / her
    opinion. With no insults going back and forth, I see no reason why it
    can't be a productive discussion, even if we ultimately decide to agree
    to disagree.

    That being said, Ansgar has presented a couple of compelling points:

    1) The code of the firewall itself could be a weakness.
    2) There is little point in protecting one server from another when
    both can be attacked the same way that successfully exploited the first.



    Grant. . . .

  9. #49
    Grant Taylor
    Guest

    Re: Avira's firewall

    gufus wrote:
    > Hi Grant,


    *wave*

    > Nice... yes no insults, I guess with myself he/her didn't like what
    > my opinion was about this thread, which started about a server having
    > a firewall, but with that, I do understand, /first/ firewall the
    > network boundary, then if wanted/needed firewall everything behind
    > it.


    A friend and colleague of mine used an analogy to describe the edge
    firewall (with lack of internal firewall / layers) that I chuckled at.
    I figured that others were overworked like myself and could use a
    chuckle, so here it is.

    "crunchy shell / soft-gooey center"



    > Good points! Agreed!


    :)

    > Kind Regards.


    Likewise.



    Grant. . . .

  10. #50
    gufus
    Guest

    Re: Avira's firewall

    Hello, Grant!

    You wrote on Wed, 14 Apr 2010 21:23:59 -0500:

    | chuckle, so here it is.
    |
    | "crunchy shell / soft-gooey center"
    |
    :-)

    Good one!

    --
    With best regards, gufus. E-mail: stop.nospam.gbbsg@shaw.ca



  11. #51
    Grant Taylor
    Guest

    Re: Avira's firewall

    gufus wrote:
    > Hello, Grant!


    *wave*

    > Good one!


    I thought so. That's why I shared it.

    Here's my colleague's full comment (with permission):

    """Yes, host-based firewalls are necessary to keep the "crunchy
    shell/soft-gooey center" phenomenon from happening in a network. It is
    about layers. If an attacker gets beyond a border firewall and there is
    nothing keeping them from accessing every machine, the network owner
    will wish host-based firewalls would have been in place."""

    Again, I think this is more talking about end user workstations than
    servers. But I still think it's a good point.



    Grant. . . .

  12. #52
    Ansgar -59cobalt- Wiechers
    Guest

    Re: Avira's firewall

    Sorry about the late response. I had a busy week.

    Grant Taylor <gtaylor@riverviewtech.net> wrote:
    > Ansgar -59cobalt- Wiechers wrote:
    >> The only services that come to mind are Remote Desktop and SSH.
    >
    > RDP.


    That's the protocol Remote Desktop uses. So, what about it?

    >> No, actually we can't agree on that, as it's just plain wrong. Unless
    >> you are talking about script-kiddy level, spoofing of addresses
    >> (either IP or MAC) is the most basic of the basics. And in case of
    >> UDP sending the packet with a fake sender address is all there is to
    >> it. It's neither difficult nor complex at all.
    >
    > I was referring to script-kiddy.
    >
    > I'm of the opinion that little will stop a properly motivated skilled
    > attacker.


    Script-kiddies are no serious threat to properly maintained systems.
    It's the determined attackers that you need to defend against. They are
    the guys that will cost your business real money.

    [...]
    >> On top of being a lot more intelligent at the application layer, SSH
    >> (unlike SNMP) is also TCP-based. How do you think the compromised
    >> host is going to receive TCP response packets when they're not going
    >> back to the attacker's IP address? Unlike UDP, TCP is not stateless.
    >
    > The compromised host would need to be in the return path or local LAN
    > of the spoofed host.


    TCP is not SMTP. If the compromised host spoofs the source address, the
    response packets will not go back to the compromised host (unless the
    attacker gets the switch into hub-mode, which your monitoring should
    notice).

    >> Please be more specific about the scenario. By "from the systems
    >> behind the edge firewall" you mean connections from within some LAN
    >> (management or whatever) to the servers in the DMZ? What kind of
    >> connection? Why wouldn't RDP suffice? Why can't the connection be
    >> tunneled (e.g. with stunnel) in case RDP does not suffice?
    >
    > Let's say that it's a routed VLAN that is firewalled and using
    > globally routable IPs for the servers in said VLAN. (Said another
    > way, the same broadcast domain.)
    >
    > RDP or SSH should suffice for management. But what about some other
    > service that is used by the server. - I've never messed with it, what
    > ports need to be open for MS Cluster Server to communicate with each
    > other?


    I didn't have to deal with it either, but the fine documentation [1]
    mentions these:

    Cluster Services            3343/udp
    RPC                         135/tcp
    Cluster Administrator       137/udp
    Randomly allocated ports    1024/udp - 65535/udp
                                49152/udp - 65535/udp (Server 2008)

    However, since the cluster nodes need to be able to talk to each other,
    there's nothing a personal firewall can do about protecting these.

    >> In a scenario like that: if an attacker can exploit one server, he
    >> can exploit the other (similar) servers just the same. No need at all
    >> to take a different route for compromizing them.
    >
    > As long as the edge firewall will allow access to the other servers
    > (not doing some sort of load balancing based on source IP that would
    > ensure that one IP would talk to one server) sure.
    >
    > That is also assuming that all the servers are serving the same
    > content. That assumption might not be the case for a web farm that
    > assigns a (vulnerable) web site to some but not all servers.


    A vulnerable web-site is not the same as a vulnerable service. And
    although the vulnerability may be exploited to compromise another
    service or even the system (through SQL injection for instance), this
    kind of attack can be done from the outside as well.

    [1] http://support.microsoft.com/kb/832017

    Regards
    Ansgar Wiechers
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich
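    The transport-layer argument that runs through #46 and this post (a
    forged source address is all a UDP datagram needs, whereas a TCP peer
    must finish a handshake whose reply is routed to the claimed source and
    carries a sequence number the forger never sees) is easier to judge as a
    model than as prose. The following is an added example, not code from
    the thread or from any product it mentions: a toy segment with three
    hosts in which the target applies a source-address allow-list, the kind
    of rule a host-based firewall would carry, and the model delivers packets
    by destination address only. All addresses and payloads are constructed;
    the TCP behaviour modelled is the standard one (an unsolicited SYN-ACK is
    answered with RST, and the final ACK must acknowledge the server's ISN).

```python
"""Why a source-address allow-list authenticates a TCP peer far better than a
UDP sender.  Toy model; addresses and payloads are constructed."""
import secrets
from dataclasses import dataclass, field

MGMT = "10.0.0.10"    # constructed: the only address on the allow-list
TARGET = "10.0.0.20"  # constructed: server running the allow-listed service
ROGUE = "10.0.0.99"   # constructed: compromised host on the same segment


@dataclass
class Packet:
    src: str            # IP header source; a sender can write anything here
    dst: str
    proto: str          # "udp" or "tcp"
    flags: str = ""     # TCP only: "SYN", "SYN-ACK", "ACK", "RST"
    seq: int = 0
    ack: int = 0
    payload: str = ""


class Segment:
    """One broadcast domain. Packets are delivered by destination address only,
    so the reply to a forged packet reaches whoever owns the forged address."""
    def __init__(self):
        self.hosts = {}

    def attach(self, host):
        self.hosts[host.addr] = host
        host.net = self

    def send(self, pkt):
        if pkt.dst in self.hosts:
            self.hosts[pkt.dst].receive(pkt)


@dataclass
class Host:
    addr: str
    allowed: set = field(default_factory=set)       # host-firewall source allow-list
    inbox: list = field(default_factory=list)       # every packet delivered here
    delivered: list = field(default_factory=list)   # payloads handed to the service
    pending: dict = field(default_factory=dict)     # peers we sent a SYN to -> payload
    half_open: dict = field(default_factory=dict)   # peers we sent a SYN-ACK to -> ISN
    net: object = None

    def connect(self, peer, payload):
        """Start a genuine handshake to `peer`; `payload` is sent once it completes."""
        self.pending[peer] = payload
        self.net.send(Packet(self.addr, peer, "tcp", "SYN", seq=1000))

    def receive(self, pkt):
        self.inbox.append(pkt)
        # Replies to our own SYNs are established traffic and bypass the inbound
        # allow-list, as they would on a stateful host firewall.
        if pkt.flags == "SYN-ACK":
            payload = self.pending.pop(pkt.src, None)
            if payload is None:
                # Unsolicited SYN-ACK: a real stack answers with RST (RFC 793),
                # which tears down the half-open entry the forged SYN created.
                self.net.send(Packet(self.addr, pkt.src, "tcp", "RST", seq=pkt.ack))
            else:
                self.net.send(Packet(self.addr, pkt.src, "tcp", "ACK",
                                     seq=pkt.ack, ack=pkt.seq + 1, payload=payload))
            return
        if pkt.flags == "RST":
            self.half_open.pop(pkt.src, None)
            return
        if pkt.src not in self.allowed:          # the source-IP allow-list check
            return
        if pkt.proto == "udp":
            self.delivered.append(pkt.payload)   # the header source is all UDP offers
        elif pkt.flags == "SYN":
            isn = secrets.randbits(32)           # only the SYN-ACK recipient learns this
            self.half_open[pkt.src] = isn
            self.net.send(Packet(self.addr, pkt.src, "tcp", "SYN-ACK", seq=isn, ack=pkt.seq + 1))
        elif pkt.flags == "ACK":
            isn = self.half_open.get(pkt.src)
            if isn is not None and pkt.ack == isn + 1:
                self.delivered.append(pkt.payload)


def build_segment():
    net = Segment()
    target, mgmt, rogue = Host(TARGET, allowed={MGMT}), Host(MGMT), Host(ROGUE)
    for h in (target, mgmt, rogue):
        net.attach(h)
    return net, target, mgmt, rogue


def spoofed_udp_accepted():
    """A datagram carrying MGMT as its header source passes the allow-list."""
    net, target, _, _ = build_segment()
    net.send(Packet(MGMT, TARGET, "udp", payload="snmp-set"))
    return "snmp-set" in target.delivered


def spoofed_tcp_accepted():
    """A forged SYN, then a blind ACK; returns (accepted?, SYN-ACK went to MGMT only?)."""
    net, target, mgmt, rogue = build_segment()
    net.send(Packet(MGMT, TARGET, "tcp", "SYN", seq=1000))
    net.send(Packet(MGMT, TARGET, "tcp", "ACK", seq=1001, ack=1, payload="ssh-data"))
    syn_ack_to_mgmt = [p.flags for p in mgmt.inbox] == ["SYN-ACK"] and not rogue.inbox
    return "ssh-data" in target.delivered, syn_ack_to_mgmt


def genuine_tcp_accepted():
    """The real MGMT host completes the handshake and its payload is delivered."""
    net, target, mgmt, _ = build_segment()
    mgmt.connect(TARGET, "ssh-data")
    return "ssh-data" in target.delivered
```

    The model also shows the caveat Ansgar adds in this post: the
    protection rests on the SYN-ACK being routed to the genuine owner of
    the address. A compromised host that can see that reply (the "hub-mode"
    switch condition he says monitoring should catch) is outside what the
    allow-list alone defends against, which is why the deciding factor is
    still the service's own authentication, not the source filter.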

  13. #53
    Ansgar -59cobalt- Wiechers
    Guest

    Re: Avira's firewall

    Grant Taylor <gtaylor@riverviewtech.net> wrote:
    > Here's my colleagues full comment (with permission):
    >
    > """Yes, host-based firewalls are necessary to keep the "crunchy
    > shell/soft-gooey center" phenomenon from happening in a network. It is
    > about layers. If an attacker gets beyond a border firewall and there
    > is nothing keeping them from accessing every machine, the network
    > owner will wish host-based firewalls would have been in place."""
    >
    > Again, I think this is more talking about end user workstations than
    > servers. But I still think it's a good point.


    Catchy. However, despite all the catchiness your colleague is still
    wrong. Sorry to burst your bubble.

    A locked-down system is far from being "gooey on the inside". And I
    already outlined a couple reasons why your host-based firewall may not
    make your system as "crunchy" as you think it does.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

