Firewall Wizards mailing list archives

Host Based Packet Filters (was: OT: The Morris worm to Nimda, how little we've learned or gained)
From: "Robin S. Socha" <robin-dated-1010506831.4920dd () socha net>
Date: Sat, 05 Jan 2002 12:15:33 -0500

* Roelof JT Jonkman <roel () SiliconDefense com> writes:

> Internet security constantly boils down to risk assessment.

I presume you are talking of network security. The real problem is not some
sorry Win2k luser losing his pr0n collection but large corporations losing
confidential data. And risk assessment boils down to risk compensation. If
you run a system whose security and data integrity you cannot guarantee
because you do not have access to its source code, you have to calculate
your losses in advance.

> Tying a machine to the Internet regardless of how well secured is a
> risk, simply because IP is fundamentally not secure. It's just a matter
> of how much risk you care to expose yourself to. In general people are
> terrible at risk assessment when it comes to the Internet. (And probably
> ditto in other areas too, but that's aside.)

Tune in again tomorrow when you hear Roelof JT Jonkman say "And this is
how I r00t3d an OpenBSD box running djbdns and qmail". ;-) Yes, there is
a risk. No, the risk is not evenly distributed. If you run well audited
code from a trusted source, your risk is significantly lower. If you run
opaque code from companies with a track record of total incompetence
(nice glossy brochures, though, Sir, do you want the firewall painted
blue or red?), well...

There is a very wide gap between running OpenBSD/qmail and
Win2k/Exchange. The web server risk assessment is quite simple if you
base it on your favourite defacement mirror and Netcraft. If you decide
to run software guaranteed to be broken, get a good insurance and a good
lawyer and don't come whining. It's basically that simple.

> The other major issue is that security is almost inherently user
> unfriendly, for your ordinary internet user security is an obstacle,

You're missing something there, Roelof. You seem to assume that everyone
is running desktop computers with broken software. What is the risk for
a user in a client/server environment if the server is well maintained
and the backup strategy is good? What is unfriendly about running
OpenBSD (I'm not shoving one Unix down everyone's throat, it's just that
a) OpenBSD is a prime example of secure software and b) makes a good
desktop system if you don't need MS Office).

> hence people get highly inventive about avoiding and working around
> these obstacles. (avoid security, tunneling through chat/p2p network
> clients e.g.)

And we're back to risk compensation. If you want to risk those nudy pix
of your favourite inflatable sheep, that's fine: run ICQ; run Internet
Explorer; run Outlook; allow attachments. But don't ever blame it on the
internet - it's you, you're taking unnecessary risks, and an OS vendor
incapable of writing more than 10 lines of code with less than 5 buffer
overflows.

> Unless we as security professionals make security accessible for your
> average user Internet Security will be a utopia.

Define "security". Data integrity? System integrity? You can't guarantee
those by adding things to your setup. You have to remove the broken
parts. 

> I believe that one of not so recent developments of personal firewalls

Could we call these things by their proper name, please? They are host
based packet filters. Some have content scanning abilities. They are not
firewalls, though. A firewall IMVHO is a concept though.

> has helped considerably in making security more accessible for an
> average Internet User.

Get real. Fast. Start here: http://www.securityfocus.com/bid/3647 and
here: http://www.securityfocus.com/archive/1/244026 (Flawed outbound
packet filtering in various personal firewalls). 

When you're done with this, have some fun with Zone Alarm:

,----[ http://groups.google.com/groups?selm=3B3B7A4E.C2EF27C4%40hrz.tu-chemnitz.de ]
| Code:
| 
| Option Explicit
| Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
| Private Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
| Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
| Const PROCESS_TERMINATE = &H1
| Private Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hWnd As Long, lpdwProcessId As Long) As Long
| Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
| 
| Private Sub Close_ZoneAlarm()
| Dim xhwnd As Long
| Dim pwid As Long
| xhwnd = FindWindow(vbNullString, "ZoneAlarm")
| GetWindowThreadProcessId xhwnd, pwid
| Dim Task As Long, result As Long
| Task = OpenProcess(PROCESS_TERMINATE, 0&, pwid)
| TerminateProcess Task, 1&
| CloseHandle Task
| End Sub
| 
| End Code
`----

In case anyone ever had any doubts that Zone Alarm is broken beyond
repair, this is the proof.

> (I'm not quite sure, but is Microsoft shipping a personal firewall
> integrated with the latest windows incarnations?)

Let me ask you two questions, Roelof:

1. Why does OpenBSD's default install not have a "personal firewall" and
   still has not been broken into in 4 years?

2. How come Microsoft is *adding* code to its broken system instead of
   *removing* the broken code (hint: the answer to question one is the key to
   question 2)?

You make it appear as if secure programming was impossible and only
sprinkling some magic personal firewall dust can make a system
secure. That, if you pardon my French, is
bullshit. http://cr.yp.to/qmail/guarantee.html nicely wraps up the basic
concepts of how to write secure code. Compare qmail to sendmail to
Exchange - getting the drift? Then take a look at
http://www.openbsd.org/security.html and compare OpenBSD to Linux to
Win2k - see the similarity? Secure code is small, and modularized.

Secure systems only have the functionality you need and nothing more. If you
call this "user unfriendly", then you've made a risk assessment and decided
for yourself that you believe in voodoo programming, fixing broken systems by
adding obscure code and trusting companies with a track record that speaks
for itself (if you consider root exploits "remote administration tools"). But
don't make the mistake of presenting your version of the truth as an absolute
truth. Because it is not.
-- 
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards