What does a firewall do?
DComTalk.com Forum Index -> Firewalls
Discussion of VoIP, VPN, Video Conferencing, DSL and other data communications.
 
Juergen Nieveler
Posted: Thu Jan 20, 2005 12:25 am    Post subject: Re: What does a firewall do?

"Arthur Hagen" <art@broomstick.com> wrote:

Quote:
Not exactly. An endpoint should never drop a packet intended for it,
but either accept or reject it (in which case there will be a packet
back). A firewall, on the other hand, doesn't normally[1] reject
packets, but silently discards them.

Not really. First of all, what people refer to as a firewall usually is
really a packet filter - a firewall can (and often does) consist of two
packet filters with an application proxy in between.

You can have packet filters between internal networks, too - and that
also is a firewall :-)

In such cases, you won't be dropping packets but instead reject them -
if only because it's much easier to troubleshoot your network.

As to the original poster: Yes, a secure OS doesn't need a firewall to
protect itself. Even Windows can be turned into such an OS. However, as
soon as you install the first service that can be reached from the
network, it all boils down to whether or not the application is well
written - for example, the application should be configurable to accept
requests only from specified IP ranges, and by default only from
127.0.0.1.

Juergen Nieveler
--
Is "puppy love" bestiality?
E.
Posted: Thu Jan 20, 2005 12:46 am    Post subject: Re: What does a firewall do?

Nick Roberts wrote:

Quote:
I'll be as brief as possible. I am leading a project that is writing a new
operating system (yes, really), and naturally it will have an IP stack. This
entire stack will be written from scratch, and it will be written to be
secure (as will the entire OS).

I recently had an argument (in comp.lang.ada) with someone who simply could
not believe that a secure OS will completely obviate the need for any
firewall. Obviously, I believe that it will.

I'd be very, very grateful if someone could post a list of all the different
kinds of protection a really good firewall could be expected to provide. Be
as technical as possible (but no need for piles of detail).

I'll follow up such a post with some more details on the security of the OS.

I'm just surprised that no-one in this thread mentioned logging and
alerting ;-)
E.
Nick Roberts
Posted: Thu Jan 20, 2005 1:51 am    Post subject: Re: What does a firewall do?

Leythos <void@nowhere.lan> wrote:

Quote:
What you are asking for is that someone take the time to retype what's
already available in google searches. While I can understand your wanting
to know, we, as professionals, do expect that people with a desire to
learn will at least scan the Internet for information before asking for
such detailed information.

The answer could entail spending hours typing a proper response, or we
could let you read up on firewalls, then post any questions you have that
you were not able to understand to your satisfaction.

The short of it - Firewalls block access to networks and services that you
don't configure them to allow access to. Firewalls also allow access to
specific services/networks without allowing access to non-configured
services/networks.

Okay, but I have done that, and found that the information available does
not go into sufficient technical detail. But I'll keep looking. Thanks.

Perhaps I could ask another question (or the same question in another way)?

Supposing there is a network of computers (bog standard PCs) -- let's say
they are connected by Fast Ethernet -- all running AdaOS (the new OS in
question). AdaOS is fully distributed, so this network acts as if it were
one computer, and is called a cluster. A new protocol is used for
intercommunication between the AdaOS computers in a cluster, totally
unrelated to IP (it will piggyback on the Ethernet as IP does), and has its
own security features (switched on by default).

One of the computers in the network has a (physically distinct) connection
to the global Internet (let's say through another Fast Ethernet adaptor to a
backbone computer). The cluster provides a few classic services to the
Internet. Let's say: a web server with several CGI programs offering
e-commerce or similar services (hence SSL is supported); an anonymous FTP
providing some public domain files for download; a POP3 mail server to
clients who log on with a password (and which therefore uses an
authentication exchange protocol).

I'll try to explain what would be the normal set up of the IP stack software
in AdaOS. First of all, all the IP stack will be made of application
programs, each running outside the TCB (Trusted Computing Base, the part of
AdaOS that is trusted to be secure), and so with full security controls
applied to it.

An authority is a token that a program (the client) 'quotes' when requesting
service from another program (the server), and cannot be forged. Every
application program is permitted to quote one (or several) 'authorities'.
Thus, every server program in AdaOS can rely upon the quoted authority when
making its security decisions. Upon this framework, typical security
structures are built, such as file groups, and user roles.

The whole operating system (outside the TCB) is object oriented: everything
is an object. Typical security controls allow each different kind of access
(e.g. 'read', 'write') for each object to be permitted or denied for each
authority (and hence for each role of each user). Generally, access is
denied by default.

The IP/UDP router program creates an object that permits 'host' objects to
be created. A host corresponds to an IP address. Each host object allows
'port range' objects to be created, each corresponds to a range of ports
(e.g. 0 to 1000), and may not overlap with any other port range). Each port
range object allows 'port' objects to be created. Each port object can then
be opened (which is a kind of access for this object) for input and/or
output (packet-oriented).

The TCP program opens a pair of port objects, and creates a 'connection'
object. The connection object can be opened for client session input/output
(byte stream based), corresponding to a TCP session. The connection object
can also be opened for server reception I/O; incoming session requests are
accepted and dealt with by the server. These two different ways of opening a
connection are two different kinds of access for this object.

The web server program opens a connection for reception, and deals with
incoming session requests by accepting HTTP requests, and running a CGI
program in response to each request. The server can be configured to execute
each CGI program under a different 'role', meaning that the program can be
given a different authority, and so a different set of access permissions.

The default set up of typical CGI programs will isolate them from each other
to a high extent. For example, suppose there are two sub-sites
("http://anycorp.com/sales" and "http://anycorp.com/members", say) that
operate completely different services (one is e-commerce, another is a
society membership system). They will be configured so that one cannot
access the data of the other.

The same principle is applied to other IP services (FTP, POP3, whatever).

In particular, there is no 'root' user in AdaOS, and everything is installed
by default with access denied (rather than the other way around, as with
Unix in the old days). All sensitive activities (changing administrative
settings, modifying user privileges, changing your own password, etc.) are
done in a separate role (which uses a different authority) to normal
activities, and different normal activities are separated from each other by
a few broad roles (e.g.: Idle Web Surfing; Secretary to Mr Jones; Helping
the Typists; Personal Internet Banking; Personal Chat; and so on). There
would be a separate role (and authority) for running each different major
program in the IP stack, and access would be given on a fairly strict 'need
to access' basis.

Admittedly, I may not have got the above details exactly correct. However,
my question is, in essence, is there a form of attack that can be launched
over the Internet that would (probably?) be able to subvert the above
security arrangements, but that would (in combination with those
arrangements) be preventable by using a firewall? Assume typical corporate
conditions, but please assume the company only uses AdaOS on all its
computers. Would it be reasonable to say "I don't think it would be safe
without a firewall"?

Thanks for your patience. I don't think I asked the right question
originally!

--
Nick Roberts
Nick Roberts
Posted: Thu Jan 20, 2005 2:36 am    Post subject: Re: What does a firewall do?

Jose Maria Lopez Hernandez <jkerouac@bgsec.com> wrote:

Quote:
To complete a little your answer there are basically three kinds of
firewalls:

Thank you!

Quote:
Packet firewalls: They only allow/deny packets or sessions without
checking the payloads. Example: Netfilter/iptables for Linux.

Do I assume that these are not very useful? Is it important that this kind
of filtering is done on a separate machine (for speed)? I suspect that
choosing the correct filter conditions is a nightmarish job; no?

Quote:
Level 7 firewall: They allow/deny checking the payloads of the packets.
Example: l7-filter project for Linux

I assume, then, that these filters need to have special knowledge of
particular applications; is that correct? If so, it does seem to me that it
would be more appropriate for the applications to do the filtering instead.

Quote:
Proxy firewalls: They allow/deny connections checking the protocols of each
session that goes through the firewall. Example: TREX or fwtk.

This type of firewall makes the most sense, to my mind. But why should the
computer which runs these proxy programs be any less vulnerable than the
computers which run the programs they are proxying for? Perhaps proxy
firewall computers are actually a juicy target for the attacker?

In particular, I wonder if the fact that they are more isolated could
actually make them easier to compromise, since it is likely to be more
difficult for administrators to regularly check them. Their software may be
more specialised, and so less well tested in the field for vulnerabilities?

Is a software firewall of this kind (proxy) worthwhile? Is the expense of a
hardware firewall of this kind justified?

--
Nick Roberts
Nick Roberts
Posted: Thu Jan 20, 2005 3:06 am    Post subject: Re: What does a firewall do?

Casey <Casey@nosuch.net> wrote:

Quote:
Check here for firewall features. (see whats inside)
http://smb.sygate.com/products/spf/comparison_spf.htm

Thanks, this is excellent.

One of the functions mentioned is an Attacker Tracing System. Is this,
perhaps, a touch of marketing hype? I would have thought that the software
required by a practical tracing system (e.g. a high-power database engine)
would be a little bit beyond a firewall? Are these products (Sygate Personal
Firewall Pro & Sygate Personal Firewall) very expensive? How many customers
would, in reality, be likely to use this function?

How useful is the Intrusion Alarm System, in reality? Is it useful for a
pop-up window to inform you that "Your computer has just been hacked, all
your data files have been corrupted, and the computer will reboot in five
seconds. Haha."? I suspect the hacker would delight in popping up a window
of this sort for you anyway. :-)

The Evidence Logging System raises a few questions. I know (from reading the
literature) that auditing can be useful for analysis (usually after an
'event' [i.e. an attack]). But I also know that case studies show how hard
it is to get the balance right between usefulness of information and mass of
information (too little and it's useless, too much and the audit storage
space overflows, resulting in partial data that is also usually useless). I
am a little dubious that this function will be useful to most firewall
users, except, perhaps, for use by an outside consultancy after an event.

Security Policy Customization sounds good, but, in practice, who's going to
use it, how easily, and how effectively?

That these products can penetrate VPNs is superb (if it really works).

The Active Response feature says "By dynamically stealthing open ports and
temporarily blocking the intruders' IP address." The sentence seems cut off.
What does it mean, please? (What does "dynamically stealthing open ports"
mean? :-)

How does the MAC and IP address spoofing protection work, please?

One feature is to "Prevent Internet browsers from revealing the OS, browser
version and the browser history information, which can be stored or used by
the web server to exploit known security vulnerabilities." Surely this is
going to cause a variety of web sites (badly designed ones, admittedly) to
fail, since they (their pages) detect the browser (version) in order to
conform their Javascript etc.?

Finally, I note that these products are software firewalls. Would I be right
in assuming that the main advantage of using a hardware firewall is to do
with the vulnerabilities inherent: in Windows due to its lack of security in
default installations; in Unix (et al) due to the fact that many programs
are compelled to run as the root user (to get special functionality only
available to the root user)?

--
Nick Roberts
Eirik Seim
Posted: Thu Jan 20, 2005 3:08 am    Post subject: Re: What does a firewall do?

On Wed, 19 Jan 2005 20:51:08 +0000, Nick Roberts wrote:

[cutting away lots of interesting stuff on AdaOS]

This looks nice, but with all this operating system design (and
the email-address you use... On a side note, I prefer not to expose
my ACM-address to newsgroups. Do you get much spam, as in spam
that's not taken care of by their spam filtering?), I'm sure you
must have more reliable sources than newsgroups for these kinds of
questions?

Quote:
Admittedly, I may not have got the above details exactly correct. However,
my question is, in essence, is there a form of attack that can be launched
over the Internet that would (probably?) be able to subvert the above
security arrangements, but that would (in combination with those
arrangements) be preventable by using a firewall?

The problem with this way of asking is the nature of attackers; the
ones you really need to worry about are those who do something you
couldn't anticipate.

A few things are always to be expected though (not that I, or any other
one person, will ever get a complete list): you should (have the
possibility to) do packet reassembly and sanity checking [1] _before_
other more traditional packet filters, or attack detection, and this
is especially true if you consider the system to act as a network
firewall.

You should of course also look at all the previous mistakes made
by other open source initiatives, like what made Linux vulnerable
to teardrop attacks, and similar. Not really what I would call a
firewall, but just plain, solid code with error handling that makes
sense. Also, I must admit I'm not sure how Plan9 is licensed, but
I'm sure it's worth taking a look at if allowed.

Quote:
Assume typical corporate
conditions, but please assume the company only uses AdaOS on all its
computers. Would it be reasonable to say "I don't think it would be safe
without a firewall"?

The individual computers might be safe, but assuming a homogeneous
environment in a real-world company is a bit far-fetched. A perimeter
device (firewall) should be used to filter unwanted traffic from
entering the network, including not only the Internet but also
potential less-trusted networks (like the DMZ for external services
like email, and/or perhaps a separate network for workers with a
need to use laptops that for some reason cannot always be under
the company's strict control). The problem is not AdaOS (which as far
as I can see is aiming to be perfect), but its need to communicate
with other, less-perfect systems.

Or, to sum up what I think of firewalls in general (not exclusively
with regard to AdaOS); When considering hosts, they are just a pain
in the ass. Considering servers, they might be needed depending on
what services you want to offer, and to whom. Considering networks;
firewalls, or at least some sort of packet filtering ability, is a
must. Not because everyone should block all by default (which is
a good idea, however), but because of the ability to isolate certain
hosts, networks or protocols in case something unexpected turns up.


1. By this I mean something like the OpenBSD project's "scrub" directive in pf.
--
New and exciting signature!
Nick Roberts
Posted: Thu Jan 20, 2005 3:44 am    Post subject: Re: What does a firewall do?

IPGrunt <me@privacy.net> wrote:

Quote:
Hard to get a straight answer here, isn't it? I have no problem with your
question and will answer briefly.

Hehe. I think I'm partly to blame, in the way I asked it.

Quote:
Basically, a firewall does what a good protocol stack *should* do:
controls when ports are opened and closed, according to a rule set.

I understand the opening and closing of ports, but I don't entirely
understand the rule set.

My idea of the incoming packet functions for the IP router for host
(address) H is:

1. Forward packets not for H, if forwarding is activated. I would expect
that forwarding would usually be deactivated altogether in AdaOS (because it
uses a non-IP protocol to communicate within a cluster). If activated, I
think there should be an automatic adaptive filtering system, based on
reject packets coming back the other way: if H forwards a packet from node X
to node Y (from port P to port Q?) and a reject comes back to H, drop all
further packets from node X to node Y (from port P to port Q) for the next
15 minutes.

2. Direct packets that are for H to port P, provided port P is open for
receipt of packets. If the port is not open for receipt, send a reject
packet back. A port will be opened for receipt either by the TCP component
or by some other UDP-based server program. Again, I think there should be an
automatic filtering system: if more than 5 packets are sent to closed port P
within a 30 second window, drop all further packets to that port for the
next 15 minutes (unless the port is opened for receipt within that time).

In other words, if I want packets sent to port 111 to be rejected (and, if
they keep coming, dropped), I just don't open a service on port 111. Right?

Quote:
As an adjunct, firewalls these days are also part router, in that they
provide a port proxy service by implementing network address translation,
and part filter, in that they can provide arbitrary port blocking (never
accept connections on port 111, for instance).

Am I right that NAT tends to create problems for a variety of internet
applications (that were programmed to assume that if a packet's send address
is A, the computer that sent it was computer A)? I intend AdaOS to support
IPv6 (as well as IPv4 and IPSec). Roll on IPv6.

Quote:
But one of the most important features that firewalls provide is so-called
"statewise" or "stateful" port access control, in that the firewall
software maintains an open connection table that records the source of an
open port, and acts accordingly, allowing packets from only that source to
enter that particular port, blocking packets from any other address.

Isn't that something that the TCP component could and should do (very
easily)? Or is it more complicated than that?

Quote:
Firewalls also provide very good logging capabilities these days, so add
that to your list.

Yes, but I think (and I have read in the literature) that it is generally
better for applications to do their own auditing, because they can do it at a
higher level (more intelligent filtering, more useful data).

Quote:
Finally, firewalls are now managing private channels through public
transports, like VPN, using both standard and proprietary protocols. Some
of these involve data packet encryption/decryption using symmetric and
asymmetric key mechanisms, for example, IPSec.

Is that a good argument for hardware firewalls? I'm thinking about the speed
of packet encryption.

Quote:
As we move toward universal use of IP6, some of these functions will
migrate naturally to the network stack, however, I say it's high time to
move firewalling, or at [least] perhaps the hooks and stubs for
firewalling appliances inside the network stack.

That is what I feel.

Quote:
In this century, networking without security is a fool's undertaking.

I couldn't agree more.

Thank you hugely for your helpful answer!

--
Nick Roberts
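The reject-then-drop rule Nick proposes for closed ports (item 2 above) and the "open connection table" IPGrunt describes, as an added example that is not from the thread or from AdaOS. The thresholds (more than 5 probes in 30 seconds, drop for 15 minutes) are the ones given in the post; keying the drop on sender plus port follows Nick's later reply to Arthur Hagen; the class and function names and the sample addresses are assumed for the illustration.

```python
# Added example (not from the thread): simulation of host H's inbound policy.
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

REJECT_LIMIT = 5        # probes to a closed port that are still answered with a reject
WINDOW_SECONDS = 30.0   # window in which those probes are counted
DROP_SECONDS = 15 * 60  # silence period once the limit is exceeded (15 minutes)

ACCEPT, REJECT, DROP = "ACCEPT", "REJECT", "DROP"
Flow = Tuple[str, int]  # (remote address, local port)


class HostPolicy:
    """Decides ACCEPT / REJECT / DROP for packets arriving at host H (assumed name)."""

    def __init__(self) -> None:
        self.listening: Set[int] = set()                    # ports opened for receipt
        self.peers: Dict[int, Tuple[str, int]] = {}         # local port -> (peer, peer port)
        self.probes: Dict[Flow, Deque[float]] = defaultdict(deque)  # recent rejects per flow
        self.drop_until: Dict[Flow, float] = {}             # flows currently being dropped

    # A server (the TCP component or a UDP program) opens or closes a port for receipt.
    def open_port(self, port: int) -> None:
        self.listening.add(port)

    def close_port(self, port: int) -> None:
        self.listening.discard(port)

    # Stateful part: H initiated a session out of local_port, so only that
    # peer may send packets back to it (IPGrunt's open connection table).
    def connect_out(self, local_port: int, peer: str, peer_port: int) -> None:
        self.peers[local_port] = (peer, peer_port)

    def disconnect(self, local_port: int) -> None:
        self.peers.pop(local_port, None)

    def inbound(self, src: str, src_port: int, dst_port: int, now: float) -> str:
        # 1. Open for receipt: deliver. This check comes first, so opening a
        #    port during its drop period lets traffic through, as the post requires.
        if dst_port in self.listening:
            return ACCEPT
        # 2. Port belongs to a session H opened: only the recorded peer gets in;
        #    anyone else is blocked silently, as IPGrunt describes.
        peer = self.peers.get(dst_port)
        if peer is not None:
            return ACCEPT if peer == (src, src_port) else DROP
        # 3. Closed port: reject the first few probes, then go silent for a while.
        flow = (src, dst_port)
        until = self.drop_until.get(flow)
        if until is not None:
            if now < until:
                return DROP
            del self.drop_until[flow]       # drop period over: reset automatically
        times = self.probes[flow]
        times.append(now)
        while times and now - times[0] > WINDOW_SECONDS:
            times.popleft()                 # forget probes outside the 30 s window
        if len(times) > REJECT_LIMIT:
            self.drop_until[flow] = now + DROP_SECONDS
            times.clear()
            return DROP
        return REJECT


def scan_closed_port() -> List[str]:
    """Constructed scenario: one sender probes closed port 111 every 2 s, then
    once more after the drop period has expired."""
    h = HostPolicy()
    h.open_port(80)
    decisions = [h.inbound("203.0.113.7", 40000 + i, 111, 2.0 * i) for i in range(8)]
    # drop state was set at t = 10 s; this probe arrives one second after it lapses
    decisions.append(h.inbound("203.0.113.7", 40100, 111, 10.0 + DROP_SECONDS + 1))
    return decisions


def stateful_session() -> List[str]:
    """Constructed scenario: H connects out from port 50000 to 198.51.100.2:443;
    the peer's replies are accepted, a stranger aiming at port 50000 is blocked."""
    h = HostPolicy()
    h.connect_out(50000, "198.51.100.2", 443)
    return [
        h.inbound("198.51.100.2", 443, 50000, 0.0),
        h.inbound("203.0.113.9", 443, 50000, 0.0),
    ]


if __name__ == "__main__":
    print(scan_closed_port())   # five rejects, then silence, then a reject again
    print(stateful_session())   # ['ACCEPT', 'DROP']
```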
Nick Roberts
Posted: Thu Jan 20, 2005 3:58 am    Post subject: Re: What does a firewall do?

"Arthur Hagen" <art@broomstick.com> wrote:

Quote:
IPGrunt <me@privacy.net> wrote:

Basically, a firewall does what a good protocol stack *should* do:
controls when ports are opened and closed, according to a rule set.

Not exactly. An endpoint should never drop a packet intended for it, but
either accept or reject it (in which case there will be a packet back). A
firewall, on the other hand, doesn't normally[1] reject packets, but
silently discards them. Big difference.

As I mentioned in another reply, I believe the router should send a few
rejects, but if it starts getting inundated (from a certain sender to a
certain port), it should simply drop further such packets for a while (on
the assumption that the sender is either faulty or does not have good
intent). I think this behaviour can be fully automatic (automatically
instigated and automatically reset), so as not to require high user skill or
frequent user intervention to be effective.

Quote:
[1]: The most common exception being the ident/auth port, which many
firewall implementations will mark as closed instead of discarding the
packets -- this greatly increases the speed of the hello phase for
services that can use auth (like SMTP (email) and to some extent FTP).

All the documentation I have read says that the 'ident' service should never
be used for authentication, and generally shouldn't be implemented at all.
What am I missing?

--
Nick Roberts
Wolfgang Kueter
Posted: Thu Jan 20, 2005 4:07 am    Post subject: Re: What does a firewall do?

Nick Roberts wrote:

Quote:
I am a computer professional who has worked in the industry for 22 years,
on embedded systems and systems software of all kinds. I have been
studying systems software and operating systems technology /all my life/.
It just so happens that I am not an expert on firewall technology, and I
would appreciate somebody being kind enough to volunteer some information
about them.

IIRC there is something that is called the 'network layer model'? I think that
might have something to do with firewalls. I've heard rumours that on layer
1 something like

http://www.knipex.de/pix/katalog/produktfotos/9506230.jpg

makes a perfect firewall.

Wolfgang
Leythos
Posted: Thu Jan 20, 2005 4:07 am    Post subject: Re: What does a firewall do?

In article <gemini.ial0l700bawn401u4.nick.roberts@acm.org>,
nick.roberts@acm.org says...
Quote:
Admittedly, I may not have got the above details exactly correct. However,
my question is, in essence, is there a form of attack that can be launched
over the Internet that would (probably?) be able to subvert the above
security arrangements, but that would (in combination with those
arrangements) be preventable by using a firewall? Assume typical corporate
conditions, but please assume the company only uses AdaOS on all its
computers. Would it be reasonable to say "I don't think it would be safe
without a firewall"?

I don't think that any OS or application written by a human (or an entire
group) could be truly secure from all exploits. While it's likely that
there can be many such unexploitable programs, it's been seen many times
that many large programs and even the smallest OS's have exploits.

So, what you have to ask yourself is can a firewall do anything to
protect against the exposed services?

Take your HTTP service - if you expose the HTTP service to the internet
and you've not properly coded for buffer overflows, there is a chance
that your AdaOS web service could be compromised, leading to exposure of
the same security levels that it's running under. There is nothing that
a firewall is typically going to do to protect the HTTP service since
the exploit attempt is part of a valid http request. The same would be
true for other services and firewall rules.

What the firewall does for people that use XXX OS is to block in/out
bound connections on services ports that could expose them to a
known/unknown exploit (such as blocking inbound internet connections to
ports 135~139 and 445 and the same on the remote destination side on
Windows systems).

If I were to run a secure OS, the only way to be sure it's secure is to
not allow access to it. They used to think that PLCs were secure, but
I've seen a simple PING bring one down.

You can limit exposure to most of the exploits that you know about or
that you can expect or that you think might cause a problem later, but
you can't be sure you've covered it all.

--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Nick Roberts
Posted: Thu Jan 20, 2005 4:12 am    Post subject: Re: What does a firewall do?

Juergen Nieveler <juergen.nieveler.nospam@arcor.de> wrote:

Quote:
As to the original poster: Yes, a secure OS doesn't need a firewall to
protect itself.

That's basically what I wanted to know.

Quote:
Even Windows can be turned into such an OS.

But I suspect that would be a hard task. I think it would be hard for
Windows 95/98/ME. What about NT/XP?

Quote:
However, as soon as you install the first service that can be reached from
the network, it all boils down to whether or not the application is well
written

I would go further, and suggest that almost any application will have a
great many potential security vulnerabilities that /cannot/ be protected by
a firewall (or any other mechanism essentially external to the application).
I presume no firewall can protect a badly written PHP web page from, say, a
SQL injection vulnerability.

Quote:
- for example the application should be configurable to accept requests
only from specified IP ranges, and by default only from 127.0.0.1

Actually, I feel that the above specific capability is really a fudge of an
authentication issue. I suspect that what is really required is for some
descriptor outside the packet to indicate that the packet came from an
internal source (and which specific internal source), which an
authentication layer can use to select an appropriate (internal)
authentication mechanism. I believe Windows XP does something like this, but
I don't know the details.

--
Nick Roberts
Nick Roberts
Posted: Thu Jan 20, 2005 4:38 am    Post subject: Re: What does a firewall do?

Leythos <void@nowhere.lan> wrote:

Quote:
So, what you have to ask yourself is can a firewall do anything to protect
against the exposed services?

Right, and also I think we have to ask "Is a firewall the most effective
(and/or cost-effective) form of protection"?

Quote:
Take your HTTP service - if you expose the HTTP service to the internet
and you've not properly coded for buffer overflows, there is a chance that
your AdaOS web service could be compromised leading to exposure of the
same security levels that it's running under.

Hehe. It so happens that, since it will be written in the Ada language,
buffer overflow vulnerabilities can be discounted. However, doubtless other
forms of vulnerability remain possible, so your point remains valid.

Quote:
There is nothing that a firewall is typically going to do to protect the
HTTP service since the exploit attempt is part of a valid http request.
The same would be true for other services and firewall rules.

Right. I think that statement somewhat vindicates my original opinion (that
a secure OS doesn't need a firewall).

Quote:
What the firewall does for people that use XXX OS is to block in/out bound
connections on services ports that could expose them to a known/unknown
exploit (such as blocking inbound internet connections to ports 135~139
and 445 and the same on the remote destination side on Windows systems).

Where it is easier to insert a firewall than to change the offending
software? Obviously this is often the case for commercial software. I should
have mentioned that AdaOS will be released under the GPL (so full source
code will be available for scrutiny and amendment).

Quote:
If I were to run a secure OS, the only way to be sure it's secure is to
not allow access to it.

That's not really the usual meaning of 'secure'. A box that is out of
anyone's reach is just out of anyone's reach. It is secure if it is within
people's reach, but has a good lock on it (and is a stout box, etc.).

A secure computer system, according to the literature, is one which
correctly and reliably enforces a given security policy (regardless of how
good the policy is). Personally, I think a secure computer system is one
which enforces the given policy, and which also: supplies a default policy
that will be appropriate most of the time; makes it as easy as possible for
users to understand and set up a policy that suits them best.

Quote:
They used to think that PLCs were secure, but I've seen a simple PING
bring one down.

But presumably the consequences of it going down were quite controlled (loss
of service for a time, but no danger of confidential data being stolen, or
sensitive data modified)? In a way, such a device might be considered quite
secure. Consider a safe: it might be easy to bash the knob off with a hammer
(so the safe can no longer be opened), but that doesn't necessarily, in
itself, make the safe insecure. It is, however, a technique that might be
used as part of a more elaborate attack (e.g. you wait for staff to remove
the jewels from the broken safe, temporarily storing them in a cardboard
box, and then steal the box :-)

Quote:
You can limit exposure to most of the exploits that you know about or that
you can expect or that you think might cause a problem later, but you
can't be sure you've covered it all.

A statement which applies at least as much to the protection that a firewall
can offer as to that which (the other components of) a secure OS can?

Thanks for your answer!

--
Nick Roberts
Leythos
Posted: Thu Jan 20, 2005 5:04 am    Post subject: Re: What does a firewall do?

In article <gemini.ial8cc00haaa701u4.nick.roberts@acm.org>,
nick.roberts@acm.org says...
Quote:
There is nothing that a firewall is typically going to do to protect the
HTTP service since the exploit attempt is part of a valid http request.
The same would be true for other services and firewall rules.

Right. I think that statement somewhat vindicates my original opinion (that
a secure OS doesn't need a firewall).

I don't think it vindicates your opinion, since there has not been a
secure OS produced on the market in the last 20 years that I know of.

--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Duane Arnold
Posted: Thu Jan 20, 2005 5:08 am    Post subject: Re: What does a firewall do?

Wolfgang Kueter wrote:

Quote:
Nick Roberts wrote:

I am a computer professional who has worked in the industry for 22 years,
on embedded systems and systems software of all kinds. I have been
studying systems software and operating systems technology /all my life/.
It just so happens that I am not an expert on firewall technology, and I
would appreciate somebody being kind enough to volunteer some information
about them.

IIRC there is something called a 'network layer model'? I think that
might have something to do with firewalls. I've heard rumours that on
layer 1 something like

http://www.knipex.de/pix/katalog/produktfotos/9506230.jpg

makes a perfect firewall.

Wolfgang

LOL

Duane :)
Casey
Guest

Posted: Thu Jan 20, 2005 5:32 am    Post subject: Re: What does a firewall do?

In article <gemini.ial42l00dznle01u4.nick.roberts@acm.org>,
nick.roberts@acm.org says...
Quote:
Casey <Casey@nosuch.net> wrote:

Check here for firewall features. (see whats inside)
http://smb.sygate.com/products/spf/comparison_spf.htm

Thanks, this is excellent.
You're welcome! You might also find the following helpful,
especially the user's guide.
Unofficial Help:
http://bellsouthpwp.net/i/k/ikpe/SygateBasics.html
Sygate Forums:
http://forums.sygate.com/vb/
Users Guide and Quick Start Guide:
http://smb.sygate.com/support/documents/pspf/default.htm
Compare SPF Pro and SPF Free (See what's inside each one)
http://smb.sygate.com/products/spf/comparison_spf.htm
d/l
http://soho.sygate.com/free/default.php

Quote:

One of the functions mentioned is an Attacker Tracing System. Is this,
perhaps, a touch of marketing hype? I would have thought that the software
required by a practical tracing system (e.g. a high-power database engine)
would be a little bit beyond a firewall? Are these products (Sygate Personal
Firewall Pro & Sygate Personal Firewall) very expensive? How many customers
would, in reality, be likely to use this function?
This is probably the traceroute and Whois check on an attacking
site. For personal use, there is a pro version ($39.00) and a
free version.
Quote:

How useful is the Intrusion Alarm System, in reality? Is it useful for a
pop-up window to inform you that "Your computer has just been hacked, all
your data files have been corrupted, and the computer will reboot in five
seconds. Haha."? I suspect the hacker would delight in popping up a window
of this sort for you anyway. :-)

This feature is optional and can be turned on/off. Many users
prefer to know what is happening with their computer. These alarms
and the traffic log keep one informed about what has been blocked.
Quote:
The Evidence Logging System raises a few questions. I know (from reading the
literature) that auditing can be useful for analysis (usually after an
'event' [i.e. an attack]). But I also know that case studies show how hard
it is to get the balance right between usefulness of information and mass of
information (too little and it's useless, too much and the audit storage
space overflows, resulting in partial data that is also usually useless). I
am a little dubious that this function will be useful to most firewall
users, except, perhaps, for use by an outside consultancy after an event.

Security Policy Customization sounds good, but, in practice, who's going to
use it, how easily, and how effectively?

That these products can penetrate VPNs is superb (if it really works).

The Active Response feature says "By dynamically stealthing open ports and
temporarily blocking the intruders' IP address." The sentence seems cut off.
What does it mean, please? (What does "dynamically stealthing open ports" mean?
:-)
When Sygate recognizes an attack (4 hits), the attacking IP is
blocked for 600 sec.
Quote:

How does the MAC and IP address spoofing protection work, please?

One feature is to "Prevent Internet browsers from revealing the OS, browser
version and the browser history information, which can be stored or used by
the web server to exploit known security vulnerabilities." Surely this is
going to cause a variety of web sites (badly designed ones, admittedly) to
fail, since they (their pages) detect the browser (version) in order to
conform their Javascript etc.?

There are some who would prefer not to reveal their software type.
If they are very concerned about computer security, they will not
allow JavaScript.
Quote:
Finally, I note that these products are software firewalls. Would I be right
in assuming that the main advantage of using a hardware firewall is to do
with the vulnerabilities inherent: in Windows due to its lack of security in
default installations; in Unix (et al) due to the fact that many programs
are compelled to run as the root user (to get special functionality only
available to the root user)?

--
micro..........Who?
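The Active Response behaviour Casey describes above (a source IP that produces 4 hits is blocked for 600 seconds) can be modelled as a per-source hit counter with an expiring block. The Python below is an added illustration, not Sygate's code or anything from the thread; the per-IP counting, the reset of the counter when a block expires, and the event list are all constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed sample of inbound events seen by the filter: (seconds, source IP).
# Addresses are documentation ranges; the sequence is made up for this example.
EVENTS = [
    (0, "198.51.100.7"),
    (1, "198.51.100.7"),
    (2, "203.0.113.9"),
    (3, "198.51.100.7"),
    (4, "198.51.100.7"),    # 4th hit from this source: block is installed
    (5, "198.51.100.7"),    # dropped while the block is active
    (300, "203.0.113.9"),   # only the 2nd hit from this source: just logged
    (650, "198.51.100.7"),  # block expired at t=604: counter starts afresh
]


class ActiveResponse:
    """Threshold-based temporary block: `threshold` hits from one source
    install a block for `block_seconds`. Assumed behaviour, not Sygate's."""

    def __init__(self, threshold=4, block_seconds=600):
        self.threshold = threshold
        self.block_seconds = block_seconds
        self.hits = defaultdict(int)   # source IP -> hits since last reset
        self.blocked_until = {}        # source IP -> time the block ends

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now < until:
            return True
        # Block has expired: forget it and start counting from zero again.
        del self.blocked_until[ip]
        self.hits[ip] = 0
        return False

    def handle(self, now, ip):
        """'blocked' = dropped by an active block, 'block' = this hit
        installed a new block, 'logged' = counted but still below threshold."""
        if self.is_blocked(ip, now):
            return "blocked"
        self.hits[ip] += 1
        if self.hits[ip] >= self.threshold:
            self.blocked_until[ip] = now + self.block_seconds
            return "block"
        return "logged"


def run(events, responder=None):
    """Feed events through the responder; returns (time, ip, decision) tuples."""
    responder = responder or ActiveResponse()
    return [(ts, ip, responder.handle(ts, ip)) for ts, ip in events]
```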