From: Nick Roberts
Subject: What does a firewall do?
Date: Wed, 19 Jan 2005 06:14:19 +0000

I'll be as brief as possible. I am leading a project that is writing a new operating system (yes, really), and naturally it will have an IP stack. This entire stack will be written from scratch, and it will be written to be secure (as will the entire OS).
I recently had an argument (in comp.lang.ada) with someone who simply could not believe that a secure OS will completely obviate the need for any firewall. Obviously, I believe that it will.
I'd be very, very grateful if someone could post a list of all the different kinds of protection a really good firewall could be expected to provide. Be as technical as possible (but no need for piles of detail).
I'll follow up such a post with some more details on the security of the OS.
--
Thanks in advance,
Nick Roberts
From: Nick Roberts
Subject: Re: What does a firewall do?
Date: Thu, 20 Jan 2005 00:39:03 +0000

Leythos wrote:
> ... there has not been a secure OS produced on the market in the last 20
> years that I know of.
Of course, but I take that as a challenge.
-- Nick Roberts
From: Leythos
Subject: Re: What does a firewall do?
Date: Thu, 20 Jan 2005 00:52:10 GMT

In article , nick.roberts@acm.org says...
> Leythos wrote:
>
> > ... there has not been a secure OS produced on the market in the last 20
> > years that I know of.
>
> Of course, but I take that as a challenge.

It would be a good case study. I can remember learning to program back in the 70's; it was always the intent to design good code and to write good code, but, and there was never a valid reason for it, the bean counters always forced the release before the designers wanted it to be released.
The same holds true today. I've seen thousands of projects turn out "good" code, but it's always before the developers and QA teams are ready, always pushed by the political groups and in-fighting and the need to get that ROI yesterday.
How many times have you been part of a team near the end of a project that was over-budget (because of scope creep) where the managers told the team to take their time, relax, get a little quality rest time, and we'll delay the product as long as you feel it needs :)
--
spamfree999@rrohio.com (Remove 999 to reply to me)
From: Wolfgang Kueter
Subject: Re: What does a firewall do?
Date: Wed, 19 Jan 2005 12:10:48 +0100

Nick Roberts wrote:
> I'd be very, very grateful if someone could post a list of all the
> different kinds of protection a really good firewall could be expected to
> provide.

A firewall filters and controls network traffic on the layers that it is programmed to filter traffic on. This can be any layer above the physical.
> Be as technical as possible (but no need for piles of detail).
I tried to be as untechnical as possible, because that is adequate to the level of your question. After reading your posting I think you'd better keep off from writing an OS.
Wolfgang
From: Jose Maria Lopez Hernandez
Subject: Re: What does a firewall do?
Date: Wed, 19 Jan 2005 17:55:09 +0100

Wolfgang Kueter wrote:
> Nick Roberts wrote:
>
>> I'd be very, very grateful if someone could post a list of all the
>> different kinds of protection a really good firewall could be expected to
>> provide.
>
> A firewall filters and controls network traffic on the layers that is
> programmed to filter traffic. This can be any layer above the physical.

To complete your answer a little, there are basically three kinds of firewalls:

Packet firewalls: They only allow/deny packets or sessions without checking the payloads. Example: Netfilter/iptables for Linux.

Level 7 firewalls: They allow/deny by checking the payloads of the packets. Example: the l7-filter project for Linux.

Proxy firewalls: They allow/deny connections by checking the protocols of each session that goes through the firewall. Example: TREX or fwtk.
--
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN
The only people for me are the mad ones -- the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn like fabulous yellow Roman candles. -- Jack Kerouac, "On the Road"
From: Nick Roberts
Subject: Re: What does a firewall do?
Date: Wed, 19 Jan 2005 15:52:40 +0000

CyberDroog wrote:
> I'd like to help but I'm busy leading a project to build the world's most
> powerful supercollider. Not knowing much about physics has made this
> quite a challenge.
>
> If anybody who doesn't jump on this firewall question has time to tell me
> how you get these little atom bastards to hit each other, I'd really
> appreciate it!
Look, I appreciate a little dry humour on Usenet -- it's rare enough for anyone to show any wit these days -- but I suspect that I didn't phrase the question in quite the right way. Let me try again.
I am a computer professional who has worked in the industry for 22 years, on embedded systems and systems software of all kinds. I have been studying systems software and operating systems technology /all my life/. It just so happens that I am not an expert on firewall technology, and I would appreciate somebody being kind enough to volunteer some information about them. Please?
-- Nick Roberts
From: Wolfgang Kueter
Subject: Re: What does a firewall do?
Date: Thu, 20 Jan 2005 00:07:43 +0100

Nick Roberts wrote:
> I am a computer professional who has worked in the industry for 22 years,
> on embedded systems and systems software of all kinds. I have been
> studying systems software and operating systems technology /all my life/.
> It just so happens that I am not an expert on firewall technology, and I
> would appreciate somebody being kind enough to volunteer some information
> about them.

IIRC there is something called a 'network layer model'? I think that might have something to do with firewalls. I've heard rumours that on layer 1 something like
http://www.knipex.de/pix/katalog/produktfotos/9506230.jpg
makes a perfect firewall.
Wolfgang
From: Duane Arnold
Subject: Re: What does a firewall do?
Date: Thu, 20 Jan 2005 00:08:28 GMT

Wolfgang Kueter wrote:
> Nick Roberts wrote:
>
>> I am a computer professional who has worked in the industry for 22 years,
>> on embedded systems and systems software of all kinds. I have been
>> studying systems software and operating systems technology /all my life/.
>> It just so happens that I am not an expert on firewall technology, and I
>> would appreciate somebody being kind enough to volunteer some information
>> about them.
>
> IIRC there is something that called 'network layer model'? I think that
> might have something to do with firewalls. I've heard rumours that on
> layer 1 something like
>
> http://www.knipex.de/pix/katalog/produktfotos/9506230.jpg
>
> makes a perfect firewall.
>
> Wolfgang
LOL
Duane :)
From: Duane Arnold
Subject: Re: What does a firewall do?
Date: Wed, 19 Jan 2005 17:35:30 GMT

> I am a computer professional who has worked in the industry for 22
> years, on embedded systems and systems software of all kinds. I have
> been studying systems software and operating systems technology /all
> my life/. It just so happens that I am not an expert on firewall
> technology, and I would appreciate somebody being kind enough to
> volunteer some information about them. Please?
I am not into typing.
http://tinyurl.com/4awxu
Duane :)
From: IPGrunt
Subject: Re: What does a firewall do?
Date: 19 Jan 2005 16:24:29 GMT

Nick Roberts confessed in news:gemini.iajvzu001jomo04h4.nick.roberts@acm.org:
> I'll be as brief as possible. I am leading a project that is writing a new
> operating system (yes, really), and naturally it will have an IP stack. This
> entire stack will be written from scratch, and it will be written to be
> secure (as will the entire OS).
>
> I recently had an argument (in comp.lang.ada) with someone who simply could
> not believe that a secure OS will completely obviate the need for any
> firewall. Obviously, I believe that it will.
>
> I'd be very, very grateful if someone could post a list of all the different
> kinds of protection a really good firewall could be expected to provide. Be
> as technical as possible (but no need for piles of detail).
>
> I'll follow up such a post with some more details on the security of the OS.
Hard to get a straight answer here, isn't it? I have no problem with your question and will answer briefly.
Basically, a firewall does what a good protocol stack *should* do: controls when ports are opened and closed, according to a rule set.
As an adjunct, firewalls these days are also part router, in that they provide a port proxy service by implementing network address translation, and part filter, in that they can provide arbitrary port blocking (never accept connections on port 111, for instance).
But one of the most important features that firewalls provide is so-called "statewise" or "stateful" port access control, in that the firewall software maintains an open connection table that records the source of an open port, and acts accordingly, allowing packets from only that source to enter that particular port, blocking packets from any other address.
Firewalls also provide very good logging capabilities these days, so add that to your list.
Finally, firewalls are now managing private channels through public transports, like VPN, using both standard and proprietary protocols. Some of these involve data packet encryption/decryption using symmetric and asymmetric key mechanisms, for example, IPSec.
As we move toward universal use of IP6, some of these functions will migrate naturally to the network stack; however, I say it's high time to move firewalling, or perhaps the hooks and stubs for firewalling appliances, inside the network stack. In this century, networking without security is a fool's undertaking.
-- ipgrunt
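The connection-table behaviour IPGrunt describes (a rule set for which ports may be opened, plus state that lets return traffic in only from the peer that was recorded for that port), as an added Python illustration that is not code from the thread; the protected network, the port policy and the packets are constructed samples:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample policy: 10.0.0.x is the protected network, the web
# server's ports are published, and port 111 is never accepted at all.
INSIDE_PREFIX = "10.0.0."
PUBLISHED_PORTS = {80, 443}
BLOCKED_PORTS = {111}


@dataclass
class Packet:
    """A TCP packet reduced to the fields the filter looks at."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


# Connection table key: (initiator, initiator port, responder, responder port)
Conn = Tuple[str, int, str, int]


@dataclass
class StatefulFilter:
    table: Dict[Conn, str] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    @staticmethod
    def inside(ip: str) -> bool:
        return ip.startswith(INSIDE_PREFIX)

    def decide(self, pkt: Packet) -> str:
        """Return 'ACCEPT' or 'DROP' for one packet and log the verdict."""
        verdict = self._decide(pkt)
        self.log.append(f"{verdict} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return verdict

    def _decide(self, pkt: Packet) -> str:
        fwd: Conn = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev: Conn = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # 1. Known connection: only the recorded peer may talk to that port.
        if fwd in self.table or rev in self.table:
            return "ACCEPT"
        # 2. Anything else must be a fresh SYN; stray ACKs/data are discarded.
        if not pkt.syn or pkt.ack:
            return "DROP"
        if pkt.dport in BLOCKED_PORTS:
            return "DROP"
        # 3. Inside -> outside: allowed, and the initiator is remembered so
        #    that replies from *that* server to *that* port get back in.
        if self.inside(pkt.src) and not self.inside(pkt.dst):
            self.table[fwd] = "SYN_SENT"
            return "ACCEPT"
        # 4. Outside -> inside: only to published services.
        if (not self.inside(pkt.src) and self.inside(pkt.dst)
                and pkt.dport in PUBLISHED_PORTS):
            self.table[fwd] = "SYN_RECV"
            return "ACCEPT"
        return "DROP"


def demo() -> List[str]:
    """Run a constructed packet sequence through the filter; returns the log."""
    fw = StatefulFilter()
    packets = [
        # inside client opens a connection to an outside web server
        Packet("10.0.0.5", 40000, "203.0.113.9", 80, syn=True),
        # the server's SYN/ACK comes back from the recorded peer: allowed
        Packet("203.0.113.9", 80, "10.0.0.5", 40000, syn=True, ack=True),
        # another host tries to inject into the same client port: no state
        Packet("198.51.100.7", 80, "10.0.0.5", 40000, syn=True, ack=True),
        # outside client to the published web server: allowed
        Packet("198.51.100.7", 51000, "10.0.0.10", 80, syn=True),
        # outside client to port 111: always blocked
        Packet("198.51.100.7", 51001, "10.0.0.10", 111, syn=True),
        # outside client to an unpublished service: dropped
        Packet("198.51.100.7", 51002, "10.0.0.10", 22, syn=True),
    ]
    for p in packets:
        fw.decide(p)
    return fw.log


if __name__ == "__main__":
    for line in demo():
        print(line)
```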
From: Justins local account
Subject: Re: What does a firewall do?
Date: Thu, 20 Jan 2005 13:07:40 +0000

"Arthur Hagen" writes:
> IPGrunt wrote:
>>
>> Basically, a firewall does what a good protocol stack *should* do:
>> controls when ports are opened and closed, according to a rule set.
>
> Not exactly. An endpoint should never drop a packet intended for it, but
> either accept or reject it (in which case there will be a packet back).
> A firewall, on the other hand, doesn't normally[1] reject packets, but
> silently discards them. Big difference.
They should reject them, not drop them, but that's a whole different argument.
-- Justin Murdock
From: Juergen Nieveler
Subject: Re: What does a firewall do?
Date: 19 Jan 2005 19:25:40 GMT

"Arthur Hagen" wrote:
> Not exactly. An endpoint should never drop a packet intended for it,
> but either accept or reject it (in which case there will be a packet
> back). A firewall, on the other hand, doesn't normally[1] reject
> packets, but silently discards them.

Not really. First of all, what people refer to as a firewall usually is really a packet filter - a firewall can (and often does) consist of two packet filters with an application proxy in between.
You can have packet filters between internal networks, too - and that also is a firewall :-)
In such cases, you won't be dropping packets but instead reject them - if only because it's much easier to troubleshoot your network.
As to the original poster: Yes, a secure OS doesn't need a firewall to protect itself. Even Windows can be turned into such an OS. However, as soon as you install the first service that can be reached from the network, it all boils down to whether or not the application is well written; for example, the application should be configurable to accept requests only from specified IP ranges, and by default only from 127.0.0.1.
Juergen Nieveler
--
Is "puppy love" bestiality?
From: Justins local account
Subject: Re: What does a firewall do?
Date: Thu, 20 Jan 2005 13:30:53 +0000

Nick Roberts writes:
> All the documentation I have read says that the 'ident' service should never
> be used for authentication, and generally shouldn't be implemented at all.
> What am I missing?
It shouldn't be used for authentication, but it is used in logging.
The downside is that it allows things on the outside to receive identifiers from your system, and these are often usernames. Some people consider this to be a dangerous information leak.
If you don't implement it, your server will reply with a port closed message, and my server will carry on straight away.
If on the other hand, you do implement the service, and I have a query about activity on my server, when I ask you for your input I can advise you that your system advised me it was the httpd user that was trying to send mail at 3:15 am, and you have a better clue where to start looking.
-- Justin Murdock
From: Juergen Nieveler
Subject: Re: What does a firewall do?
Date: 20 Jan 2005 08:38:21 GMT

Nick Roberts wrote:
>> As to the original poster: Yes, a secure OS doesn't need a firewall
>> to protect itself.
>
> That's basically what I wanted to know.
It's quite logical, of course: If the IP-Stack itself is secure and the OS doesn't run any services listening to network requests, it's secure by default - you can't exploit something that isn't there :-)
>> Even Windows can be turned into such an OS.
>
> But I suspect that would be a hard task. I think it would be hard for
> Windows 95/98/ME. What about NT/XP?

http://www.dingens.org/ has a manual on how to do it - only German though, sorry :-)
Basically, you just have to disable all the services you don't need.
>> However, as soon as you install the first service that can be reached
>> from the network, it all boils down to wether or not the application
>> is well written
>
> I would go further, and suggest that almost any application will have
> a great many potential security vulnerabilities that /cannot/ be
> protected by a firewall (or any other mechanism essentially external
> to the application). I presume no firewall can protect a badly written
> PHP web page from, say, a SQL injection vulnerability.
Depends totally on the firewall layout. If it's only a packet-filter (with or without NAT), you're right. But the firewall could also feature a reverse-HTTP-proxy that filters out suspicious traffic.
Juergen Nieveler
--
Mr. Worf, fire phasers! ... Zzzzzap!
From: Wolfgang Ewert
Subject: Re: What does a firewall do?
Date: Fri, 21 Jan 2005 15:35:13 +0100

Hello Juergen Nieveler, you wrote:
> Nick Roberts wrote:
>
>>> Even Windows can be turned into such an OS.
>>
>> But I suspect that would be a hard task. I think it would be hard for
>> Windows 95/98/ME. What about NT/XP?
>
> http://www.dingens.org/ got a manual on how to do it - only german
> though, sorry :-)
There is a good technical explanation in English at http://www.ntsvcfg.de/ntsvcfg_eng.html
> Basically, you just have to disable all the services you don't need.
http://technet.microsoft.at/news_showpage.asp?newsid=10332&secid=14882
http://www.microsoft.com/windows2000/techinfo/howitworks/management/w2kservices.asp
and an English-language French source that I cannot find at the moment.
Wolfgang
--
Nowhere does school success depend as strongly on the parents' income and education as in Germany. The German school system fails at supporting the children of workers and immigrants. (dpa/FTD 22.11.04)
From: Arthur Hagen
Subject: Re: What does a firewall do?
Date: Wed, 19 Jan 2005 12:29:41 -0500

IPGrunt wrote:
>
> Basically, a firewall does what a good protocol stack *should* do:
> controls when ports are opened and closed, according to a rule set.
Not exactly. An endpoint should never drop a packet intended for it, but either accept or reject it (in which case there will be a packet back). A firewall, on the other hand, doesn't normally[1] reject packets, but silently discards them. Big difference.
[1]: The most common exception being the ident/auth port, which many firewall implementations will mark as closed instead of discarding the packets -- this greatly increases the speed of the hello phase for services that can use auth (like SMTP (email) and to some extent FTP).
Regards,
--
*Art
From: Nick Roberts
Subject: Re: What does a firewall do?
Date: Thu, 20 Jan 2005 14:13:25 +0000

Justins local account wrote:
>> All the documentation I have read says that the 'ident' service should
>> never be used for authentication, and generally shouldn't be implemented
>> at all. What am I missing?
>
> It shouldn't be used for authentification, but it is used in logging.
Right. I recall reading that, now. (My memory! Sorry.)
> the downside is that it allows thingsthe outside to recieve identifiers
> from your system, and these are often usernames. Some people consider this
> to be a dangerous information leak.
Right. Definitely a poor (default) policy.
> If you don't implement it, your server will reply with a port closed
> message, and my server will carry on straight away.
That seems more sensible, to my mind.
> If on the other hand, you do implement the service, and I have a query
> about activity on my server, when I ask you for your input I can advise
> you that your system advised me it was the httpd user that was trying to
> send mail at 3:15 am, and you have a better clue where to start looking.

Right. Of course, what I do is advise the outside world that it was user '5KJ8GN397LA0RHF2' - I keep a (secured) table that translates it to 'httpd at 3:15 am on 15th Jan 2005' - and if you quote it back to me at some later time, I can be sure you're not lying ;-) and you don't know that it was user 'httpd'.
I think the latest RFC on ident says all this, in fact.
Thanks.
-- Nick Roberts
From: Nick Roberts
Subject: Re: What does a firewall do?
Date: Wed, 19 Jan 2005 20:51:08 +0000

Leythos wrote:
> What you are asking for is that someone take the time to retype what's
> already available in google searches. While I can understand your wanting
> to know, we, as professionals, do expect that people with a desire to
> learn will at least scan the Internet for information before asking for
> such detailed information.
>
> The answer could entail spending hours typing a proper response, or we
> could let you read up on firewalls, then post any questions you have that
> you were not able to understand to your satisfaction.
>
> The short of it - Firewalls block access to networks and services that you
> don't configure them to allow access to. Firewalls also allow access to
> specific services/networks without allowing access to non-configured
> services/networks.
Okay, but I have done that, and found that the information available does not go into sufficient technical detail. But I'll keep looking. Thanks.
Perhaps I could ask another question (or the same question in another way)?
Supposing there is a network of computers (bog standard PCs) -- let's say they are connected by Fast Ethernet -- all running AdaOS (the new OS in question). AdaOS is fully distributed, so this network acts as if it were one computer, and is called a cluster. A new protocol is used for intercommunication between the AdaOS computers in a cluster, totally unrelated to IP (it will piggyback on the Ethernet as IP does), and has its own security features (switched on by default).
One of the computers in the network has a (physically distinct) connection to the global Internet (let's say through another Fast Ethernet adaptor to a backbone computer). The cluster provides a few classic services to the Internet. Let's say: a web server with several CGI programs offering e-commerce or similar services (hence SSL is supported); an anonymous FTP providing some public domain files for download; a POP3 mail server to clients who log on with a password (and which therefore uses an authentication exchange protocol).
I'll try to explain what would be the normal set up of the IP stack software in AdaOS. First of all, all the IP stack will be made of application programs, each running outside the TCB (Trusted Computing Base, the part of AdaOS that is trusted to be secure), and so with full security controls applied to it.
An authority is a token that a program (the client) 'quotes' when requesting service from another program (the server), and cannot be forged. Every application program is permitted to quote one (or several) 'authorities'. Thus, every server program in AdaOS can rely upon the quoted authority when making its security decisions. Upon this framework, typical security structures are built, such as file groups, and user roles.
The whole operating system (outside the TCB) is object oriented: everything is an object. Typical security controls allow each different kind of access (e.g. 'read', 'write') for each object to be permitted or denied for each authority (and hence for each role of each user). Generally, access is denied by default.
The IP/UDP router program creates an object that permits 'host' objects to be created. A host corresponds to an IP address. Each host object allows 'port range' objects to be created, each of which corresponds to a range of ports (e.g. 0 to 1000) and may not overlap with any other port range. Each port range object allows 'port' objects to be created. Each port object can then be opened (which is a kind of access for this object) for input and/or output (packet-oriented).
The TCP program opens a pair of port objects, and creates a 'connection' object. The connection object can be opened for client session input/output (byte stream based), corresponding to a TCP session. The connection object can also be opened for server reception I/O; incoming session requests are accepted and dealt with by the server. These two different ways of opening a connection are two different kinds of access for this object.
The web server program opens a connection for reception, and deals with incoming session requests by accepting HTTP requests, and running a CGI program in response to each request. The server can be configured to execute each CGI program under a different 'role', meaning that the program can be given a different authority, and so a different set of access permissions.
The default set up of typical CGI programs will isolate them from each other to a high extent. For example, suppose there are two sub-sites ("http://anycorp.com/sales" and "http://anycorp.com/members", say) that operate completely different services (one is e-commerce, another is a society membership system). They will be configured so that one cannot access the data of the other.
The same principle is applied to other IP services (FTP, POP3, whatever).
In particular, there is no 'root' user in AdaOS, and everything is installed by default with access denied (rather than the other way around, as with Unix in the old days). All sensitive activities (changing administrative settings, modifying user privileges, changing your own password, etc.) are done in a separate role (which uses a different authority) to normal activities, and different normal activities are separated from each other by a few broad roles (e.g.: Idle Web Surfing; Secretary to Mr Jones; Helping the Typists; Personal Internet Banking; Personal Chat; and so on). There would be a separate role (and authority) for running each different major program in the IP stack, and access would be given on a fairly strict 'need to access' basis.
Admittedly, I may not have got the above details exactly correct. However, my question is, in essence, is there a form of attack that can be launched over the Internet that would (probably?) be able to subvert the above security arrangements, but that would (in combination with those arrangements) be preventable by using a firewall? Assume typical corporate conditions, but please assume the company only uses AdaOS on all its computers. Would it be reasonable to say "I don't think it would be safe without a firewall"?
Thanks for your patience. I don't think I asked the right question originally!
-- Nick Roberts
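The access model sketched in the post above, as an added Python illustration built from that description (it is not AdaOS code; the class names, the 'create_range'/'read'/'write' access kinds and the two sub-site data objects are my assumptions): unforgeable authorities quoted by clients, deny-by-default per-object permission tables, non-overlapping port ranges on a host, and two CGI roles that cannot reach each other's data:

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Authority:
    """The token a client quotes. The name is for humans; servers compare the
    random secret, so reusing a name does not forge the authority."""
    name: str
    secret: str = field(default_factory=lambda: secrets.token_hex(16))


class AccessDenied(Exception):
    pass


class Obj:
    """Every object carries its own table: authority secret -> allowed kinds
    of access. A missing entry means denied, which is the default for all."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._acl: Dict[str, Set[str]] = {}

    def grant(self, auth: Authority, *kinds: str) -> None:
        self._acl.setdefault(auth.secret, set()).update(kinds)

    def check(self, auth: Authority, kind: str) -> bool:
        return kind in self._acl.get(auth.secret, set())

    def require(self, auth: Authority, kind: str) -> None:
        if not self.check(auth, kind):
            raise AccessDenied(f"{auth.name!r} may not {kind!r} {self.name}")


class PortRange(Obj):
    def __init__(self, lo: int, hi: int) -> None:
        super().__init__(f"ports {lo}-{hi}")
        self.lo, self.hi = lo, hi


class Host(Obj):
    """An IP address; hands out non-overlapping port ranges to authorities
    that hold 'create_range' on it."""

    def __init__(self, ip: str) -> None:
        super().__init__(f"host {ip}")
        self.ranges: List[PortRange] = []

    def create_port_range(self, auth: Authority, lo: int, hi: int) -> PortRange:
        self.require(auth, "create_range")
        if not (0 <= lo <= hi <= 65535):
            raise ValueError(f"bad port range {lo}-{hi}")
        for r in self.ranges:
            if lo <= r.hi and r.lo <= hi:      # closed intervals intersect
                raise ValueError(f"{lo}-{hi} overlaps existing {r.lo}-{r.hi}")
        pr = PortRange(lo, hi)
        pr.grant(auth, "create_port")          # the creator may populate it
        self.ranges.append(pr)
        return pr


def cgi_read(data: Obj, auth: Authority) -> str:
    """A CGI program asking for a sub-site's data under the role it was given."""
    data.require(auth, "read")
    return f"{auth.name} read {data.name}"


def demo() -> List[str]:
    """Constructed set-up: one router authority, two sub-sites under separate roles."""
    router = Authority("ip-router")
    host = Host("203.0.113.10")
    host.grant(router, "create_range")
    host.create_port_range(router, 0, 1000)
    results = []
    try:
        host.create_port_range(router, 500, 1500)
    except ValueError as e:
        results.append(f"refused: {e}")
    sales, members = Authority("cgi-sales"), Authority("cgi-members")
    sales_data, members_data = Obj("sales data"), Obj("members data")
    sales_data.grant(sales, "read", "write")
    members_data.grant(members, "read", "write")
    results.append(cgi_read(sales_data, sales))
    try:
        cgi_read(members_data, sales)          # e-commerce CGI reaching for club data
    except AccessDenied as e:
        results.append(f"denied: {e}")
    return results


if __name__ == "__main__":
    print("\n".join(demo()))
```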
From: Leythos
Subject: Re: What does a firewall do?
Date: Wed, 19 Jan 2005 23:07:51 GMT

In article , nick.roberts@acm.org says...
> Admittedly, I may not have got the above details exactly correct. However,
> my question is, in essence, is there a form of attack that can be launched
> over the Internet that would (probably?) be able to subvert the above
> security arrangements, but that would (in combination with those
> arrangements) be preventable by using a firewall? Assume typical corporate
> conditions, but please assume the company only uses AdaOS on all its
> computers. Would it be reasonable to say "I don't think it would be safe
> without a firewall"?

I don't think that any OS or application written by a human (as an entire group) could be truly secure from all exploits. While it's likely that there can be many such unexploitable programs, it's been seen many times that many large programs and even the smallest OSs have exploits.
So, what you have to ask yourself is can a firewall do anything to protect against the exposed services?
Take your HTTP service - if you expose the HTTP service to the internet and you've not properly coded for buffer overflows, there is a chance that your AdaOS web service could be compromised, leading to exposure of the same security levels that it's running under. There is nothing that a firewall is typically going to do to protect the HTTP service, since the exploit attempt is part of a valid HTTP request. The same would be true for other services and firewall rules.
What the firewall does for people that use XXX OS is to block in/out bound connections on services ports that could expose them to a known/unknown exploit (such as blocking inbound internet connections to ports 135~139 and 445 and the same on the remote destination side on Windows systems).
If I were to run a secure OS, the only way to be sure it's secure is to not allow access to it. They used to think that PLCs were secure, but I've seen a simple PING bring one down.
You can limit exposure to most of the exploits that you know about or that you can expect or that you think might cause a problem later, but you can't be sure you've covered it all.
--
spamfree999@rrohio.com (Remove 999 to reply to me)
From: Eirik Seim
Subject: Re: What does a firewall do?
Date: 19 Jan 2005 22:08:12 GMT

On Wed, 19 Jan 2005 20:51:08 +0000, Nick Roberts wrote:
[cutting away lots of interesting stuff on AdaOS]
This looks nice, but with all this operating system design (and the email-address you use... On a side note, I prefer not to expose my ACM-address to newsgroups. Do you get much spam, as in spam that's not taken care of by their spam filtering?), I'm sure you must have more reliable sources than newsgroups for these kinds of questions?
> Admittedly, I may not have got the above details exactly correct. However,
> my question is, in essence, is there a form of attack that can be launched
> over the Internet that would (probably?) be able to subvert the above
> security arrangements, but that would (in combination with those
> arrangements) be preventable by using a firewall?
The problem with this way of asking is the nature of attackers; the ones you really need to worry about are those who do something you couldn't anticipate.
A few things are always to be expected though (not that I, or any other one person, will ever get a complete list): you should (have the possibility to) do packet reassembly and sanity checking [1] _before_ other, more traditional packet filters or attack detection, and this is especially true if you consider the system to act as a network firewall.
You should of course also look at all the previous mistakes made by other open source initiatives, like what made Linux vulnerable to teardrop attacks, and similar. Not really what I would call a firewall, but just plain, solid code with error handling that makes sense. Also, I must admit I'm not sure how Plan9 is licensed, but I'm sure it's worth taking a look at if allowed.
> Assume typical corporate
> conditions, but please assume the company only uses AdaOS on all its
> computers. Would it be reasonable to say "I don't think it would be safe
> without a firewall"?

The individual computers might be safe, but assuming a homogeneous environment in a real-world company is a bit far-fetched. A perimeter device (firewall) should be used to filter unwanted traffic from entering the network, including not only the Internet but also potentially less-trusted networks (like the DMZ for external services like email, and/or perhaps a separate network for workers with a need to use laptops that for some reason cannot always be under the company's strict control). The problem is not AdaOS (which as far as I can see is aiming to be perfect), but its need to communicate with other, less-perfect systems.
Or, to sum up what I think of firewalls in general (not exclusively with regard to AdaOS); When considering hosts, they are just a pain in the ass. Considering servers, they might be needed depending on what services you want to offer, and to whom. Considering networks; firewalls, or at least some sort of packet filtering ability, is a must. Not because everyone should block all by default (which is a good idea, however), but because of the ability to isolate certain hosts, networks or protocols in case something unexpected turns up.
[1] By this I mean something like the OpenBSD project's "scrub" directive in pf.
--
New and exciting signature!
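A scrub-style fragment sanity check of the kind the footnote refers to, as an added Python illustration (not pf code or code from the thread): fragments are modelled as (offset, length, more-fragments) tuples, and the check is meant to run before any other filtering, rejecting overlapping, oversized or inconsistent fragment sets while distinguishing them from sets that are merely still incomplete.

```python
from typing import Iterable, List, Tuple

MAX_DATAGRAM = 65535         # the IP total-length field is 16 bits
FRAG_UNIT = 8                # non-final fragments carry a multiple of 8 bytes

# (byte offset, payload length, more-fragments flag); constructed, not parsed
Fragment = Tuple[int, int, bool]


def check_fragments(frags: Iterable[Fragment]) -> Tuple[str, str]:
    """Classify one datagram's fragments as ('ok'|'incomplete'|'bad', reason).

    'bad' is what a normalizer acts on: the whole set is discarded (and worth
    logging) so that no later rule ever sees a packet reassembled from it.
    'incomplete' means keep the pieces and wait for the rest.
    """
    fl = sorted(frags)                       # by offset, then length
    if not fl:
        return "bad", "no fragments"
    expected = 0                             # next byte we still need
    for i, (off, length, more) in enumerate(fl):
        if length <= 0:
            return "bad", f"fragment at {off} has non-positive length {length}"
        if off < expected:
            # covers exact duplicates as well as the classic overlap case;
            # a forgiving reassembler might tolerate identical duplicates
            return "bad", f"fragment at {off} overlaps data up to {expected}"
        if off > expected:
            return "incomplete", f"hole between {expected} and {off}"
        if off + length > MAX_DATAGRAM:
            return "bad", f"fragment at {off} runs past {MAX_DATAGRAM}"
        last = i == len(fl) - 1
        if more and length % FRAG_UNIT:
            return "bad", f"non-final fragment at {off} not a multiple of {FRAG_UNIT}"
        if not more and not last:
            return "bad", f"fragment at {off} claims to be final but more follow"
        expected = off + length
    if fl[-1][2]:
        return "incomplete", "final fragment not yet seen"
    return "ok", f"{expected} bytes reassembled"


def demo() -> List[Tuple[str, str]]:
    """Constructed sets: one sane, one overlapping, one with a hole, one oversized."""
    sane = [(0, 1480, True), (1480, 1480, True), (2960, 500, False)]
    overlapping = [(0, 1480, True), (1000, 600, False)]
    holed = [(0, 1480, True), (2000, 500, False)]
    oversized = [(0, 65528, True), (65528, 100, False)]
    return [check_fragments(s) for s in (sane, overlapping, holed, oversized)]


if __name__ == "__main__":
    for status, reason in demo():
        print(f"{status:10s} {reason}")
```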
From: Nick Roberts
Subject: Re: What does a firewall do?
Date: Wed, 19 Jan 2005 22:58:20 +0000

"Arthur Hagen" wrote:
> IPGrunt wrote:
>>
>> Basically, a firewall does what a good protocol stack *should* do:
>> controls when ports are opened and closed, according to a rule set.
>
> Not exactly. An endpoint should never drop a packet intended for it, but
> either accept or reject it (in which case there will be a packet back). A
> firewall, on the other hand, doesn't normally[1] reject packets, but
> silently discards them. Big difference.
As I mentioned in another reply, I believe the router should send a few rejects, but if it starts getting inundated (from a certain sender to a certain port), it should simply drop further such packets for a while (on the assumption that the sender is either faulty or does not have good intent). I think this behaviour can be fully automatic (automatically instigated and automatically reset), so as not to require high user skill or frequent user intervention to be effective.
> [1]: The most common exception being the ident/auth port, which many
> firewall implementations will mark as closed instead of discarding the
> packets -- this greatly increases the speed of the hello phase for
> services that can use auth (like SMTP (email) and to some extent FTP).
All the documentation I have read says that the 'ident' service should never be used for authentication, and generally shouldn't be implemented at all. What am I missing?
-- Nick Roberts
|
|
 | | From: | Arthur Hagen | | Subject: | Re: What does a firewall do? | | Date: | Wed, 19 Jan 2005 21:17:04 -0500 |
|
|
 | Nick Roberts wrote: > "Arthur Hagen" wrote: > >> [1]: The most common exception being the ident/auth port, which many >> firewall implementations will mark as closed instead of discarding >> the packets -- this greatly increases the speed of the hello phase >> for services that can use auth (like SMTP (email) and to some extent >> FTP). > > All the documentation I have read says that the 'ident' service > should never be used for authentication, and generally shouldn't be > implemented at all. What am I missing?
That remote services beyond your control are still checking for it, whether it's implemented on your end or not. When your email server connects to a remote email server to deliver your mail, there is a relatively high likelihood of the remote mail server sending an ident request to your server. If your firewall drops the packets, the remote server will try again and wait in vain for a while before timing out, and thus figuring out that it can't connect. If the firewall on the other hand replies with a "sorry, port closed", the remote server won't have to resend and wait, and your email goes through faster.
Regards, -- *Art
From: Nick Roberts
Subject: Re: What does a firewall do?
Date: Wed, 19 Jan 2005 15:53:21 +0000

"Arthur Hagen" wrote:
> ...
> Exactly how grateful? The above is a request for *work*, and that
> requires palm greasing.
I understand if you don't have the time -- time is money -- I'd just be grateful if someone could spare a little time to help me. I try to spare some time to help others on Usenet when I can.
-- Nick Roberts
From: Leythos
Subject: Re: What does a firewall do?
Date: Wed, 19 Jan 2005 16:06:57 GMT

In article , nick.roberts@acm.org says...
> "Arthur Hagen" wrote:
>
> > ...
> > Exactly how grateful? The above is a request for *work*, and that
> > requires palm greasing.
>
> I understand if you don't have the time -- time is money -- I'd just be
> grateful if someone could spare a little time to help me. I try to spare
> some time to help others on Usenet when I can.
What you are asking for is that someone take the time to retype what's already available in google searches. While I can understand your wanting to know, we, as professionals, do expect that people with a desire to learn will at least scan the Internet for information before asking for such detailed information.
The answer could entail spending hours typing a proper response, or we could let you read up on firewalls, then post any questions you have that you were not able to understand to your satisfaction.
The short of it - Firewalls block access to networks and services that you don't configure them to allow access to. Firewalls also allow access to specific services/networks without allowing access to non-configured services/networks.
-- -- spamfree999@rrohio.com (Remove 999 to reply to me)
From: CyberDroog
Subject: Re: What does a firewall do?
Date: Wed, 19 Jan 2005 14:23:16 GMT

On Wed, 19 Jan 2005 06:14:19 +0000, Nick Roberts wrote:
> I'll be as brief as possible. I am leading a project that is writing a new
> operating system (yes, really), and naturally it will have an IP stack. This
> entire stack will be written from scratch, and it will be written to be
> secure (as will the entire OS).
>
> I recently had an argument (in comp.lang.ada) with someone who simply could
> not believe that a secure OS will completely obviate the need for any
> firewall. Obviously, I believe that it will.
>
> I'd be very, very grateful if someone could post a list of all the different
> kinds of protection a really good firewall could be expected to provide. Be
> as technical as possible (but no need for piles of detail).
I'd like to help but I'm busy leading a project to build the world's most powerful supercollider. Not knowing much about physics has made this quite a challenge.
If anybody who doesn't jump on this firewall question has time to tell me how you get these little atom bastards to hit each other, I'd really appreciate it!
-- The government consists of a gang of men exactly like you and me. They have, taking one with another, no special talent for the business of government; they have only a talent for getting and holding office. Their principal device to that end is to search out groups who pant and pine for something they can't get and to promise to give it to them. Nine times out of ten that promise is worth nothing. The tenth time is made good by looting A to satisfy B. In other words, government is a broker in pillage, and every election is sort of an advance auction sale of stolen goods.
- H.L. Mencken
From: Geoff
Subject: Re: What does a firewall do?
Date: Wed, 19 Jan 2005 16:05:51 +0000

On Wed, 19 Jan 2005 14:23:16 +0000, CyberDroog wrote:
>
> I'd like to help but I'm busy leading a project to build the world's
> most powerful supercollider. Not knowing much about physics has made
> this quite a challenge.
>
> If anybody who doesn't jump on this firewall question has time to tell
> me how you get these little atom bastards to hit each other, I'd really
> appreciate it!
Route 'em through Usenet, the flames are hotter than anything seen since the Big Bang and half the inhabitants would be delighted to hit the other half if only the opportunity arose.
(I love the Mencken btw)
Geoff Geoff
From: Leythos
Subject: Re: What does a firewall do?
Date: Wed, 19 Jan 2005 14:45:02 GMT

In article <8pqsu01q1o4lk7jsoa61uc20qcpsg57c1c@4ax.com>, CyberDroog@ClockworkOrange.com says...
> I'd like to help but I'm busy leading a project to build the world's most
> powerful supercollider. Not knowing much about physics has made this quite
> a challenge.
>
> If anybody who doesn't jump on this firewall question has time to tell me
> how you get these little atom bastards to hit each other, I'd really
> appreciate it!
You can't get them to smack into each other until you remove the firewall, they don't like heat.
-- -- spamfree999@rrohio.com (Remove 999 to reply to me)
From: Arthur Hagen
Subject: Re: What does a firewall do?
Date: Wed, 19 Jan 2005 08:45:02 -0500

Nick Roberts wrote:
>
> I'd be very, very grateful if someone could post a list of all the
> different kinds of protection a really good firewall could be
> expected to provide. Be as technical as possible (but no need for
> piles of detail).
Exactly how grateful? The above is a request for *work*, and that requires palm greasing.
-- *Art
From: Nick Roberts
Subject: Re: What does a firewall do?
Date: Thu, 20 Jan 2005 00:36:29 +0000

Eirik Seim wrote:
> On Wed, 19 Jan 2005 20:51:08 +0000, Nick Roberts wrote:
>
> [cutting away lots of interesting stuff on AdaOS]
>
> This looks nice, but with all this operating system design (and the
> email-address you use...
>
> On a side note, I prefer not to expose my ACM-address to newsgroups. Do
> you get much spam, as in spam that's not taken care of by their spam
> filtering?),
I get lots of spam (more than 100 per day), but nearly all of it is removed by my elaborate spam filtering (three levels: ACM; SpamPal; Gemini).
> ... I'm sure you must have more reliable sources than newsgroups for these
> kinds of questions?
It's not a question of reliability, it's a question of breadth of coverage. Having got the opinions of (just about) everyone else, I'm very interested to get the opinions of the denizens of comp.security.firewalls. Someone here may have something to say that I haven't heard elsewhere.
> The problem with this way of asking is the nature of attackers; the ones
> you really need to worry about are those who do something you couldn't
> anticipate.
Absolutely. I think the question is: in the event of an attacker doing something unexpected (and nasty), is a firewall likely to be hero or zero?
> You should of course also look at all the previous mistakes made by other
> open source initiatives, like what made Linux vulnerable to teardrop
> attacks, and similar. Not really what I would call a firewall, but just
> plain, solid code with error handling that makes sense. Also, I must admit
> I'm not sure how Plan9 is licensed, but I'm sure it's worth taking a look
> at if allowed.
Yes. Well, the whole AdaOS IP stack will be written in the Ada programming language, and written with care (and very defensively). That should help.
It is interesting to note that the need for a very expedient emergency blocking mechanism is a consideration. I'll take that idea on board.
Another thought that occurs to me is about spoofing. Advice for firewall configuration is to disallow outgoing packets with an outgoing address that does not match the real originating node's address. I find it slightly weird that anyone ever wrote a router that permitted such packets in the first place. My assumption was always that the router would simply write its own address into that part of the IP header (overwriting whatever junk the application program may have put there). This is how I intend to write the AdaOS router. It never even occurred to me that application programs might be allowed to put their own value there. Is there any possible valid use for such a thing?
I will also write the router to check: outgoing packets for validity, returning an error to the application upon failure; incoming packets for consistency, fixing bad ones up as best possible before further processing.
I suspect that many IP software writers, in the past, have tended to omit these kinds of checks, for commercial reasons, laziness, ignorance, or possibly a fear of inefficiency (false, of course).
> > Assume typical corporate conditions, but please assume the company only
> > uses AdaOS on all its computers. Would it be reasonable to say "I don't
> > think it would be safe without a firewall"?
>
> The individual computers might be safe, but assuming a homogeneous
> environment in a real-world company is a bit far-fetched. ...
Okay, that's a very reasonable point, but not what I was originally arguing about (on comp.lang.ada). That argument was about a purely AdaOS network. I'm happy to accept the need for firewalls in a mixed network.
> Or, to sum up what I think of firewalls in general (not exclusively with
> regard to AdaOS); When considering hosts, they are just a pain in the ass.
> Considering servers, they might be needed depending on what services you
> want to offer, and to whom. Considering networks; firewalls, or at least
> some sort of packet filtering ability, is a must. Not because everyone
> should block all by default (which is a good idea, however), but because
> of the ability to isolate certain hosts, networks or protocols in case
> something unexpected turns up.
Right. That's an excellent point, and cuts to the chase, I think. Basically, we're talking about belt and braces. In particular, braces that can be strapped on in seconds, in the (unexpected) event of the failure of the belt. Yes?
Cool. Thanks.
-- Nick Roberts
From: Eirik Seim
Subject: Re: What does a firewall do?
Date: 20 Jan 2005 12:32:45 GMT

On Thu, 20 Jan 2005 00:36:29 +0000, Nick Roberts wrote:
> Eirik Seim wrote:
[snip]
> > ... I'm sure you must have more reliable sources than newsgroups for these
> > kinds of questions?
>
> It's not a question of reliability, it's a question of breadth of coverage.
> Having got the opinions of (just about) everyone else, I'm very interested
> to get the opinions of the denizens of comp.security.firewalls. Someone here
> may have something to say that I haven't heard elsewhere.
Ok, that makes sense :)
> > The problem with this way of asking is the nature of attackers; the ones
> > you really need to worry about are those who do something you couldn't
> > anticipate.
>
> Absolutely. I think the question is: in the event of an attacker doing
> something unexpected (and nasty), is a firewall likely to be hero or zero?
I'd say hero, assuming the firewall normalizes or blocks the attacker's packets. But as I said, if the attacker does something completely unexpected (perhaps even unthinkable), the firewall could miss it. It's not just about the design and implementation of the packet filter software, or the design and implementation of the packet filter rules, or the design and implementation of the network stack, but all of the above. Preferably mixed together, to make sure not one single person involved in implementing it has the complete picture of what is going on... In fact, I feel a little depressed merely by writing this.
[snip]
> Another thought that occurs to me is about spoofing. Advice for firewall
> configuration is to disallow outgoing packets with an outgoing address that
> does not match the real originating node's address. I find it slightly weird
> that anyone ever wrote a router that permitted such packets in the first
> place. My assumption was always that the router would simply write its own
> address into that part of the IP header (overwriting whatever junk the
> application program may have put there). This is how I intend to write the
> AdaOS router. It never even occurred to me that application programs might
> be allowed to put their own value there. Is there any possible valid use for
> such a thing?
I'm not entirely sure of what those valid uses would be, but your assumption on what routers do seems correct, only in their default configuration they normally don't care which interface a packet is received from. This may (should) have changed over the last years, I hope. I'm not up to date on what defaults you get with a new cisco router (or whatever) today, only what is recommended for reasonable security...
[snip]
> > Or, to sum up what I think of firewalls in general (not exclusively with
> > regard to AdaOS); When considering hosts, they are just a pain in the ass.
> > Considering servers, they might be needed depending on what services you
> > want to offer, and to whom. Considering networks; firewalls, or at least
> > some sort of packet filtering ability, is a must. Not because everyone
> > should block all by default (which is a good idea, however), but because
> > of the ability to isolate certain hosts, networks or protocols in case
> > something unexpected turns up.
>
> Right. That's an excellent point, and cuts to the chase, I think. Basically,
> we're talking about belt and braces. In particular, braces that can be
> strapped on in seconds, in the (unexpected) event of the failure of the
> belt. Yes?
Yes.
A typical, but not necessarily a "panic" reaction, is to block ports used by certain insecure services to prevent users from running them on the Internet. Like plaintext-authenticated IMAP or POP3. In the systems I frequently use, anyways.
> Cool. Thanks.
No worries.
-- New and exciting signature!
From: Leythos
Subject: Re: What does a firewall do?
Date: Thu, 20 Jan 2005 12:40:44 GMT

In article , eirik@mi.uib.no says...
> But as I said, if the attacker does something completely
> unexpected (perhaps even unthinkable), the firewall could miss it.
Imagine the firewall like a machine - if you tell it to only allow X services/ports, then it won't allow anything else - unexpected or not, without an explicit rule allowing a service/port it just won't work.
-- -- spamfree999@rrohio.com (Remove 999 to reply to me)
From: Eirik Seim
Subject: Re: What does a firewall do?
Date: 20 Jan 2005 12:52:36 GMT

On Thu, 20 Jan 2005 12:40:44 GMT, Leythos wrote:
> In article , eirik@mi.uib.no says...
> > But as I said, if the attacker does something completely
> > unexpected (perhaps even unthinkable), the firewall could miss it.
>
> Imagine the firewall like a machine - if you tell it to only allow X
> services/ports, then it won't allow anything else - unexpected or not,
> without an explicit rule allowing a service/port it just won't work.
Yes, and then some smart guy discovers a way to tunnel traffic through open ports, or insanely stupid things like IP over http...
Proxies would hopefully be able to protect against these things, but there will probably always be some weird way you, even with a default-deny policy, failed to block. That's why monitoring is also important.
-- New and exciting signature!
From: Arthur Hagen
Subject: Re: What does a firewall do?
Date: Thu, 20 Jan 2005 08:47:03 -0500

Leythos wrote:
> In article , eirik@mi.uib.no
> says...
>> But as I said, if the attacker does something completely
>> unexpected (perhaps even unthinkable), the firewall could miss it.
>
> Imagine the firewall like a machine - if you tell it to only allow X
> services/ports, then it won't allow anything else - unexpected or not,
> without an explicit rule allowing a service/port it just won't work.
I don't think you understand "unexpected". All the above does is work with the *expected*. The unexpected is what the designers did NOT think of, even as a remote possibility.
Something unexpected could be like a high amount of RGMP packets of an odd size, undocumented flag combinations and the target router appearing as the group requestor. Of course having mentioned this as a speculation means it's not unexpected, as I could think of it, but you should catch the drift.
Zuspect everyone, and no-one. Alwayz expect the unexpected.
-- *Art
From: Eirik Seim
Subject: Re: What does a firewall do?
Date: 20 Jan 2005 17:27:34 GMT

On Thu, 20 Jan 2005 08:47:03 -0500, Arthur Hagen wrote:
> Leythos wrote:
> > In article , eirik@mi.uib.no
> > says...
> >> But as I said, if the attacker does something completely
> >> unexpected (perhaps even unthinkable), the firewall could miss it.
> >
> > Imagine the firewall like a machine - if you tell it to only allow X
> > services/ports, then it won't allow anything else - unexpected or not,
> > without an explicit rule allowing a service/port it just won't work.
>
> I don't think you understand "unexpected". All the above does is work
> with the *expected*. The unexpected is what the designers did NOT think of,
> even as a remote possibility.
>
> Something unexpected could be like a high amount of RGMP packets of an odd
> size, undocumented flag combinations and the target router appearing as the
> group requestor.
And of course, the flaw exploited could be a result of several devices or services each acting completely normal and apparently secure, enabling an attacker to put the systems in a weird state that might allow for one in a million packets handling some important function to fail in a predictable manner...
This is the very nature of security, the good guys have to do all they can possibly think of to protect themselves, while the bad guys can focus all their attention in one specific area. It's really not fair, but that's the way it is.
-- New and exciting signature!
From: Nick Roberts
Subject: Re: What does a firewall do?
Date: Wed, 19 Jan 2005 15:57:13 +0000

Wolfgang Kueter wrote:
> A firewall filters and controls network traffic on the layers that it is
> programmed to filter traffic. This can be any layer above the physical.
>
> > Be as technical as possible (but no need for piles of detail).
>
> I tried to be as untechnical as possible, because that is adequate to the
> level of your question. After reading your posting I think you'd better
> keep off from writing an OS.
As I replied to another replier, I think you may have got the wrong impression. I am grateful for any replies, but would you be willing, please, to actually make your answer as technical as possible? I'll tell you if I don't understand anything.
-- Nick Roberts
From: Nick Roberts
Subject: Re: What does a firewall do?
Date: Wed, 19 Jan 2005 21:36:11 +0000

Jose Maria Lopez Hernandez wrote:
> To complete a little your answer there are basically three kinds of
> firewalls:
Thank you!
> Packet firewalls: They only allow/deny packets or sessions without
> checking the payloads. Example: Netfilter/iptables for Linux.
Do I assume that these are not very useful? Is it important that this kind of filtering is done on a separate machine (for speed)? I suspect that choosing the correct filter conditions is a nightmarish job; no?
> Level 7 firewall: They allow/deny checking the payloads of the packets.
> Example: l7 filter project for Linux
I assume, then, that these filters need to have special knowledge of particular applications; is that correct? If so, it does seem to me that it would be more appropriate for the applications to do the filtering instead.
> Proxy firewalls: They allow/deny connections checking the protocols of each
> session that goes through the firewall. Example: TREX or fwtk.
This type of firewall makes the most sense, to my mind. But why should the computer which runs these proxy programs be any less vulnerable than the computers which run the programs they are proxying for? Perhaps proxy firewall computers are actually a juicy target for the attacker?
In particular, I wonder if the fact that they are more isolated could actually make them easier to compromise, since it is likely to be more difficult for administrators to regularly check them. Their software may be more specialised, and so less well tested in the field for vulnerabilities?
Is a software firewall of this kind (proxy) worthwhile? Is the expense of a hardware firewall of this kind justified?
-- Nick Roberts
From: Nick Roberts
Subject: Re: What does a firewall do?
Date: Fri, 21 Jan 2005 21:48:16 +0000

Wolfgang Ewert wrote:
> Hello Juergen Nieveler, you wrote:
>
> > Nick Roberts wrote:
> > > > Even Windows can be turned into such an OS.
> > >
> > > But I suspect that would be a hard task. I think it would be hard for
> > > Windows 95/98/ME. What about NT/XP?
> >
> > http://www.dingens.org/ got a manual on how to do it - only german
> > though, sorry :-)
>
> There is a good technical explanation in English at
> http://www.ntsvcfg.de/ntsvcfg_eng.html
>
> > Basically, you just have to disable all the services you don't need.
>
> http://technet.microsoft.at/news_showpage.asp?newsid=10332&secid=14882
I don't want to stray too far off topic here, but you (Juergen and Wolfgang) have missed the original point. "Even Windows can be turned into such an OS" referred to turning Windows into a secure OS. This is terrifically different to mere security of IP services.
As I understand it, Windows 95/98/ME had essentially no security features at all (that worked). Early Windows NT offered some effective security features, but not in a very coherent, complete, or readily usable form. Windows XP and its successors install by default with a fair degree of security features already configured and operational, and have a few features that make it easier for the user to actually take advantage of the security mechanisms available.
AdaOS, however, will offer a much more advanced set of security features, all enabled and well configured by default, designed to make it easy for the user to protect herself to a high degree from viruses or other threats.
To put it another way, I was not talking about stopping the hacker from getting in, but rather I was talking about what the OS does to stop the hacker from doing harm (or to limit the harm) having got in.
But thanks for taking the trouble to provide links for me!
-- Nick Roberts
From: Nick Roberts
Subject: Re: What does a firewall do?
Date: Wed, 19 Jan 2005 22:44:38 +0000

IPGrunt wrote:
> Hard to get a straight answer here, isn't it? I have no problem with your
> question and will answer briefly.
Hehe. I think I'm partly to blame, in the way I asked it.
> Basically, a firewall does what a good protocol stack *should* do:
> controls when ports are opened and closed, according to a rule set.
I understand the opening and closing of ports, but I don't entirely understand the rule set.
My idea of the incoming packet functions for the IP router for host (address) H is:
1. Forward packets not for H, if forwarding is activated. I would expect that forwarding would usually be deactivated altogether in AdaOS (because it uses a non-IP protocol to communicate within a cluster). If activated, I think there should be an automatic adaptive filtering system, based on reject packets coming back the other way: if H forwards a packet from node X to node Y (from port P to port Q?) and a reject comes back to H, drop all further packets from node X to node Y (from port P to port Q) for the next 15 minutes.
2. Direct packets that are for H to port P, provided port P is open for receipt of packets. If the port is not open for receipt, send a reject packet back. A port will be opened for receipt either by the TCP component or by some other UDP-based server program. Again, I think there should be an automatic filtering system: if more than 5 packets are sent to closed port P within a 30 second window, drop all further packets to that port for the next 15 minutes (unless the port is opened for receipt within that time).
In other words, if I want packets sent to port 111 to be rejected (and, if they keep coming, dropped), I just don't open a service on port 111. Right?
> As an adjunct, firewalls these days are also part router, in that they
> provide a port proxy service by implementing network address translation,
> and part filter, in that they can provide arbitrary port blocking (never
> accept connections on port 111, for instance).
Am I right that NAT tends to create problems for a variety of internet applications (that were programmed to assume that if a packet's send address is A, the computer that sent it was computer A)? I intend AdaOS to support IPv6 (as well as IPv4 and IPSec). Roll on IPv6.
> But one of the most important features that firewalls provide is so-called
> "statewise" or "stateful" port access control, in that the firewall
> software maintains an open connection table that records the source of an
> open port, and acts accordingly, allowing packets from only that source to
> enter that particular port, blocking packets from any other address.
Isn't that something that the TCP component could and should do (very easily)? Or is it more complicated than that?
> Firewalls also provide very good logging capabilities these days, so add
> that to your list.
Yes, but I think (and I have read in the literature) that it is generally better for applications to do their own auditing, because they can do it at a higher level (more intelligent filtering, more useful data).
> Finally, firewalls are now managing private channels through public
> transports, like VPN, using both standard and proprietary protocols. Some
> of these involve data packet encryption/decryption using symmetric and
> asymmetric key mechanisms, for example, IPSec.
Is that a good argument for hardware firewalls? I'm thinking about the speed of packet encryption.
> As we move toward universal use of IP6, some of these functions will
> migrate naturally to the network stack, however, I say it's high time to
> move firewalling, or at [least] perhaps the hooks and stubs for
> firewalling appliances inside the network stack.
That is what I feel.
> In this century, networking without security is a fool's undertaking.
I couldn't agree more.
Thank you hugely for your helpful answer!
-- Nick Roberts
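The reject-then-drop behaviour Nick sketches in rule 2 above, and earlier in his reply to Arthur Hagen (answer a closed port with a few rejects, then go silent towards a sender that keeps hammering it), as an added simulation that is not part of the thread and not AdaOS code. Assumptions: the counters are keyed per (sender, port) so one noisy sender cannot silence the host's rejects for everyone else; thresholds are the ones in the post (more than 5 rejects in 30 seconds, then 15 minutes of dropping, lifted at once if the port is opened); the traffic is constructed.

```python
"""Simulation of the reject-then-drop policy for closed ports described in
the thread. Constructed example, not AdaOS code; timestamps are plain
seconds supplied by the caller, so it runs offline with no clock and no
sockets."""
from collections import defaultdict, deque
from dataclasses import dataclass

REJECT_LIMIT = 5            # rejects tolerated per window before dropping
WINDOW_SECONDS = 30.0       # sliding window over which rejects are counted
DROP_SECONDS = 15 * 60.0    # how long further packets are silently dropped


@dataclass(frozen=True)
class Packet:
    src: str        # sending host; constructed label, not a real address
    dst_port: int
    ts: float       # arrival time in seconds


class IngressPolicy:
    """Returns 'deliver', 'reject' or 'drop' for each incoming packet.

    Assumption: counters are keyed per (sender, port), after the "from a
    certain sender to a certain port" wording, so one noisy sender cannot
    silence the host's rejects for everybody else.
    """

    def __init__(self, open_ports=()):
        self.open_ports = set(open_ports)
        self.recent_rejects = defaultdict(deque)   # key -> reject timestamps
        self.drop_until = {}                       # key -> end of drop period

    def open_port(self, port):
        """A server bound the port: delivery resumes immediately, even if a
        drop period for that port is still running."""
        self.open_ports.add(port)

    def close_port(self, port):
        self.open_ports.discard(port)

    def decide(self, pkt):
        if pkt.dst_port in self.open_ports:
            return "deliver"

        key = (pkt.src, pkt.dst_port)
        until = self.drop_until.get(key)
        if until is not None:
            if pkt.ts < until:
                return "drop"           # still inside the 15-minute penalty
            del self.drop_until[key]    # penalty expired: back to rejecting

        window = self.recent_rejects[key]
        while window and pkt.ts - window[0] > WINDOW_SECONDS:
            window.popleft()            # forget rejects older than the window
        if len(window) >= REJECT_LIMIT:
            # More than REJECT_LIMIT packets to a closed port inside the
            # window: stop answering this sender for DROP_SECONDS.
            self.drop_until[key] = pkt.ts + DROP_SECONDS
            window.clear()
            return "drop"
        window.append(pkt.ts)
        return "reject"


def run_scenario():
    """Constructed traffic against a host with only port 25 open:
    host A probes closed port 111 eight times a second apart (5 rejects,
    then drops), host B probes once (its own counter), A reaches the open
    port, port 111 is opened during A's penalty, closed again, and A
    returns once the penalty has expired."""
    policy = IngressPolicy(open_ports={25})
    decisions = []
    for t in range(8):
        decisions.append(policy.decide(Packet("A", 111, float(t))))
    decisions.append(policy.decide(Packet("B", 111, 4.0)))
    decisions.append(policy.decide(Packet("A", 25, 5.0)))
    policy.open_port(111)                           # service starts at t=8
    decisions.append(policy.decide(Packet("A", 111, 8.0)))
    policy.close_port(111)                          # service stops again
    decisions.append(policy.decide(Packet("A", 111, 9.0)))
    decisions.append(policy.decide(Packet("A", 111, 5.0 + DROP_SECONDS)))
    return decisions


if __name__ == "__main__":
    for i, d in enumerate(run_scenario()):
        print(i, d)
```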
From: IPGrunt
Subject: Re: What does a firewall do?
Date: 20 Jan 2005 08:04:12 GMT

Nick Roberts confessed in news:gemini.ial5ue00fcw1501u4.nick.roberts@acm.org:
> IPGrunt wrote:
>
>> Hard to get a straight answer here, isn't it? I have no problem with your
>> question and will answer briefly.
>
> Hehe. I think I'm partly to blame, in the way I asked it.
>
>> Basically, a firewall does what a good protocol stack *should* do:
>> controls when ports are opened and closed, according to a rule set.
>
> I understand the opening and closing of ports, but I don't entirely
> understand the rule set.
>
> My idea of the incoming packet functions for the IP router for host
> (address) H is:
>
> 1. Forward packets not for H, if forwarding is activated. I would expect
> that forwarding would usually be deactivated altogether in AdaOS (because it
> uses a non-IP protocol to communicate within a cluster). If activated, I
> think there should be an automatic adaptive filtering system, based on
> reject packets coming back the other way: if H forwards a packet from node X
> to node Y (from port P to port Q?) and a reject comes back to H, drop all
> further packets from node X to node Y (from port P to port Q) for the next
> 15 minutes.
>
> 2. Direct packets that are for H to port P, provided port P is open for
> receipt of packets. If the port is not open for receipt, send a reject
> packet back. A port will be opened for receipt either by the TCP component
> or by some other UDP-based server program. Again, I think there should be an
> automatic filtering system: if more than 5 packets are sent to closed port P
> within a 30 second window, drop all further packets to that port for the
> next 15 minutes (unless the port is opened for receipt within that time).
>
> In other words, if I want packets sent to port 111 to be rejected (and, if
> they keep coming, dropped), I just don't open a service on port 111. Right?
>
>> As an adjunct, firewalls these days are also part router, in that they
>> provide a port proxy service by implementing network address translation,
>> and part filter, in that they can provide arbitrary port blocking (never
>> accept connections on port 111, for instance).
>
> Am I right that NAT tends to create problems for a variety of internet
> applications (that were programmed to assume that if a packet's send address
> is A, the computer that sent it was computer A)? I intend AdaOS to support
> IPv6 (as well as IPv4 and IPSec). Roll on IPv6.
>
>> But one of the most important features that firewalls provide is so-called
>> "statewise" or "stateful" port access control, in that the firewall
>> software maintains an open connection table that records the source of an
>> open port, and acts accordingly, allowing packets from only that source to
>> enter that particular port, blocking packets from any other address.
>
> Isn't that something that the TCP component could and should do (very
> easily)? Or is it more complicated than that?
>
>> Firewalls also provide very good logging capabilities these days, so add
>> that to your list.
>
> Yes, but I think (and I have read in the literature) that it is generally
> better for applications to do their own auditing, because they can do it at a
> higher level (more intelligent filtering, more useful data).
>
>> Finally, firewalls are now managing private channels through public
>> transports, like VPN, using both standard and proprietary protocols. Some
>> of these involve data packet encryption/decryption using symmetric and
>> asymmetric key mechanisms, for example, IPSec.
>
> Is that a good argument for hardware firewalls? I'm thinking about the speed
> of packet encryption.
>
>> As we move toward universal use of IP6, some of these functions will
>> migrate naturally to the network stack, however, I say it's high time to
>> move firewalling, or at [least] perhaps the hooks and stubs for
>> firewalling appliances inside the network stack.
>
> That is what I feel.
>
>> In this century, networking without security is a fool's undertaking.
>
> I couldn't agree more.
>
> Thank you hugely for your helpful answer!
>
Thanks for your reply, Nick.
Hardware firewalls are the only way to go, for a variety of reasons, but speed and reliability are the two most important. First, your point is correct--encryption using dedicated chips is one immediate advantage, and the firewall appliance is inherently more efficient as its CPU is dedicated to the job at hand, examining packets, evaluating state, logging, etc. Secondly, a network 'appliance' is less susceptible to buffer overflow system failures, general crashes of the host computer, root capturing, etc.
There are of course, exceptions, but generally, a hw firewall is the only way to go.
As far as applications doing their own auditing, I don't disagree. Let a software intrusion detection system analyze the data. I'm not promoting that to be a function of the firewall, though simple alerts are popular features of most devices. The trigger is usually a parameter-based trip value, like so many messages per hour, or a certain type or source of attack. But I like simple tools. I'm not sure if the firewall should know how to dial your pager.
(I'm reading your comments bottom to top). Your comment about having the protocol stack manage ports is exactly the point I was getting at when I said that some firewall functionality should reside in the protocol stack. It just makes sense--the stack manages the connection table. Why should an external firewall have to duplicate that effort to the same end? Doesn't seem efficient or most effective to me. Let this function be a piece of the TCP protocol stack (which is how it is designed in the IP6 specification, if I'm not mistaken).
A word of advice...although you'll have to support IP4, base your networking stack on IP6 and be backward compatible. Get familiar with this specification.
Good luck. Sounds like a fascinating project--I hope that it's well funded.
-- ipgrunt
PS--Is Grady Booch still around?
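The two filter functions discussed in this exchange, a static rule that never accepts inbound connections on a given port (111 in the quoted text) and the stateful connection table that admits inbound packets only from the source an inside host actually talked to, as an added illustration. This is editor's example code, not code from the thread, from AdaOS or from any firewall product; the packet field names, the addresses and the simplified FIN/RST handling are assumptions made for the demonstration.

```python
"""Minimal stateful packet filter (added example, not from the thread).

A static deny rule plus a connection table keyed on the full flow
(inside ip, inside port, outside ip, outside port). Packets are plain
dicts constructed inline; no sockets or real traffic are involved.
"""

BLOCKED_INBOUND_PORTS = frozenset({111})   # the static rule from the quoted text


class StatefulFilter:
    """Records flows opened from the inside and filters inbound packets."""

    def __init__(self, blocked_inbound_ports=BLOCKED_INBOUND_PORTS):
        self.blocked_inbound_ports = blocked_inbound_ports
        self.table = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def outbound(self, pkt):
        """Packet leaving the inside host: record the flow and allow it.
        Simplification (assumption): a FIN or RST from the inside closes
        the flow at once instead of walking the real TCP close sequence."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt.get("flags") in ("FIN", "RST"):
            self.table.discard(key)
        else:
            self.table.add(key)
        return "allow"

    def inbound(self, pkt):
        """Packet arriving from outside: static rule first, then state."""
        if pkt["dport"] in self.blocked_inbound_ports:
            return "drop:port-blocked"
        # The reply's (dst, dport) is our inside endpoint; its (src, sport)
        # must be the peer we recorded. Any other source aimed at the same
        # inside port has no matching flow and is dropped.
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if key in self.table:
            if pkt.get("flags") == "RST":
                self.table.discard(key)
            return "allow"
        return "drop:no-state"


def demo():
    """Constructed traffic; returns the filter's decision for each packet."""
    fw = StatefulFilter()
    inside, web, other = "10.0.0.5", "203.0.113.7", "198.51.100.9"
    return [
        fw.outbound({"src": inside, "sport": 40000, "dst": web, "dport": 80}),
        fw.inbound({"src": web, "sport": 80, "dst": inside, "dport": 40000}),
        # same inside port, different outside host: no matching flow
        fw.inbound({"src": other, "sport": 80, "dst": inside, "dport": 40000}),
        # unsolicited connection to the statically blocked service
        fw.inbound({"src": other, "sport": 5555, "dst": inside, "dport": 111}),
        # unsolicited connection to any other inside port
        fw.inbound({"src": other, "sport": 5555, "dst": inside, "dport": 22}),
        # inside host closes the flow; the peer's later packet is now dropped
        fw.outbound({"src": inside, "sport": 40000, "dst": web, "dport": 80,
                     "flags": "FIN"}),
        fw.inbound({"src": web, "sport": 80, "dst": inside, "dport": 40000}),
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The table is keyed on all four tuple members, which is what makes the third packet in the demo fail: the inside port is open, but only for the peer that was recorded, which is the property the quoted text describes.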

From: Nick Roberts
Subject: Re: What does a firewall do?
Date: Wed, 19 Jan 2005 23:12:17 +0000

Juergen Nieveler wrote:
> As to the original poster: Yes, a secure OS doesn't need a firewall to
> protect itself.
That's basically what I wanted to know.
> Even Windows can be turned into such an OS.
But I suspect that would be a hard task. I think it would be hard for Windows 95/98/ME. What about NT/XP?
> However, as soon as you install the first service that can be reached from
> the network, it all boils down to whether or not the application is well
> written
I would go further, and suggest that almost any application will have a great many potential security vulnerabilities that /cannot/ be protected by a firewall (or any other mechanism essentially external to the application). I presume no firewall can protect a badly written PHP web page from, say, a SQL injection vulnerability.
> - for example the application should be configurable to accept requests
> only from specified IP ranges, and by default only from 127.0.0.1
Actually, I feel that the above specific capability is really a fudge of an authentication issue. I suspect that what is really required is for some descriptor outside the packet to indicate that the packet came from an internal source (and which specific internal source), which an authentication layer can use to select an appropriate (internal) authentication mechanism. I believe Windows XP does something like this, but I don't know the details.
-- Nick Roberts
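The application-side control Juergen Nieveler describes (accept requests only from configured IP ranges, loopback by default), as an added example. It is editor's illustration code, not from the thread or from any product; the class and function names and the sample addresses are constructed. It goes slightly beyond the quoted sentence in two ways that matter for a dual-stack service of the kind the project intends: the default also admits ::1, and an IPv4 peer reported by an IPv6 socket in the ::ffff:a.b.c.d form is compared as the IPv4 address it really is, since a plain string comparison against 127.0.0.1 would reject it (or, with a sloppier rule, admit the wrong thing).

```python
"""Source-address allowlist for a network service (added example)."""
import ipaddress

# Default policy: loopback only. The thread says "by default only from
# 127.0.0.1"; ::1 is added (assumption) so the same default holds when the
# service listens on IPv6.
DEFAULT_ALLOWED = ("127.0.0.1/32", "::1/128")


class SourceAllowlist:
    """Accepts a request only when its source lies in an allowed range."""

    def __init__(self, ranges=DEFAULT_ALLOWED):
        self.networks = [ipaddress.ip_network(r, strict=False) for r in ranges]

    @staticmethod
    def _normalise(addr):
        ip = ipaddress.ip_address(addr)
        # A dual-stack socket reports an IPv4 peer as ::ffff:a.b.c.d. Compare
        # it as the IPv4 address it is, so a v4 rule matches it correctly.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            return ip.ipv4_mapped
        return ip

    def allows(self, addr):
        try:
            ip = self._normalise(addr)
        except ValueError:
            return False          # unparsable source address: fail closed
        # ip_network.__contains__ is False across address families, so a v6
        # peer can never satisfy a v4 rule by accident.
        return any(ip in net for net in self.networks)


def demo():
    """Constructed peers checked against the default (loopback-only) policy
    and against a wider internal-ranges policy; returns {peer: (default, internal)}."""
    default = SourceAllowlist()
    internal = SourceAllowlist(("10.0.0.0/8", "fd00::/8"))
    peers = ["127.0.0.1", "::1", "::ffff:127.0.0.1", "10.1.2.3",
             "::ffff:10.1.2.3", "fd12::1", "192.0.2.1", "2001:db8::1",
             "not-an-ip"]
    return {p: (default.allows(p), internal.allows(p)) for p in peers}


if __name__ == "__main__":
    for peer, verdict in demo().items():
        print(f"{peer:>20}  default={verdict[0]}  internal={verdict[1]}")
```

Nick's reply above is right that this is a coarse substitute for authentication: the check trusts the source address the stack reports, so it is only as good as the anti-spoofing the stack and the network provide in front of it.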

From: E.
Subject: Re: What does a firewall do?
Date: Thu, 20 Jan 2005 06:46:51 +1100

Nick Roberts wrote:
> I'll be as brief as possible. I am leading a project that is writing a new
> operating system (yes, really), and naturally it will have an IP stack. This
> entire stack will be written from scratch, and it will be written to be
> secure (as will the entire OS).
>
> I recently had an argument (in comp.lang.ada) with someone who simply could
> not believe that a secure OS will completely obviate the need for any
> firewall. Obviously, I believe that it will.
>
> I'd be very, very grateful if someone could post a list of all the different
> kinds of protection a really good firewall could be expected to provide. Be
> as technical as possible (but no need for piles of detail).
>
> I'll follow up such a post with some more details on the security of the OS.
>

I'm just surprised that no-one in this thread mentioned logging and alerting ;-)

E.

From: Nick Roberts
Subject: Re: What does a firewall do?
Date: Thu, 20 Jan 2005 03:54:17 +0000

"Arthur Hagen" wrote:
> > All the documentation I have read says that the 'ident' service should
> > never be used for authentication, and generally shouldn't be implemented
> > at all. What am I missing?
>
> That remote services beyond your control are still checking for it,
> whether it's implemented on your end or not.
> ...
Thanks. (It's a bit shocking, but I don't doubt you.)
-- Nick Roberts

From: Nick Roberts
Subject: Re: What does a firewall do?
Date: Wed, 19 Jan 2005 22:06:21 +0000

Casey wrote:
> Check here for firewall features. (see what's inside)
> http://smb.sygate.com/products/spf/comparison_spf.htm
Thanks, this is excellent.
One of the functions mentioned is an Attacker Tracing System. Is this, perhaps, a touch of marketing hype? I would have thought that the software required by a practical tracing system (e.g. a high-power database engine) would be a little bit beyond a firewall? Are these products (Sygate Personal Firewall Pro & Sygate Personal Firewall) very expensive? How many customers would, in reality, be likely to use this function?
How useful is the Intrusion Alarm System, in reality? Is it useful for a pop-up window to inform you that "Your computer has just been hacked, all your data files have been corrupted, and the computer will reboot in five seconds. Haha."? I suspect the hacker would delight in popping up a window of this sort for you anyway. :-)
The Evidence Logging System raises a few questions. I know (from reading the literature) that auditing can be useful for analysis (usually after an 'event' [i.e. an attack]). But I also know that case studies show how hard it is to get the balance right between usefulness of information and mass of information (too little and it's useless, too much and the audit storage space overflows, resulting in partial data that is also usually useless). I am a little dubious that this function will be useful to most firewall users, except, perhaps, for use by an outside consultancy after an event.
Security Policy Customization sounds good, but, in practice, who's going to use it, how easily, and how effectively?
That these products can penetrate VPNs is superb (if it really works).
The Active Response feature says "By dynamically stealthing open ports and temporarily blocking the intruders' IP address." The sentence seems cut off. What does it mean, please? (What does "dynamically stealthing open ports" mean? :-)
How does the MAC and IP address spoofing protection work, please?
One feature is to "Prevent Internet browsers from revealing the OS, browser version and the browser history information, which can be stored or used by the web server to exploit known security vulnerabilities." Surely this is going to cause a variety of web sites (badly designed ones, admittedly) to fail, since they (their pages) detect the browser (version) in order to conform their Javascript etc.?
Finally, I note that these products are software firewalls. Would I be right in assuming that the main advantage of using a hardware firewall is to do with the vulnerabilities inherent: in Windows due to its lack of security in default installations; in Unix (et al) due to the fact that many programs are compelled to run as the root user (to get special functionality only available to the root user)?
-- Nick Roberts

From: Casey
Subject: Re: What does a firewall do?
Date: Thu, 20 Jan 2005 00:38:37 GMT

In article , nick.roberts@acm.org says...
> Casey wrote:
>
> > Check here for firewall features. (see what's inside)
> > http://smb.sygate.com/products/spf/comparison_spf.htm
>
> Thanks, this is excellent.

You're welcome. You might also find these helpful-- especially the Users Guide.

Unofficial Help: http://bellsouthpwp.net/i/k/ikpe/SygateBasics.html
Sygate Forums: http://forums.sygate.com/vb/
Users Guide and Quick Start Guide: http://smb.sygate.com/support/documents/pspf/default.htm
d/l http://soho.sygate.com/free/default.php
Snip....

From: Casey
Subject: Re: What does a firewall do?
Date: Thu, 20 Jan 2005 00:32:36 GMT

In article , nick.roberts@acm.org says...
> Casey wrote:
>
> > Check here for firewall features. (see what's inside)
> > http://smb.sygate.com/products/spf/comparison_spf.htm
>
> Thanks, this is excellent.

You're welcome! You might also find the following helpful, especially the users guide.

Unofficial Help: http://bellsouthpwp.net/i/k/ikpe/SygateBasics.html
Sygate Forums: http://forums.sygate.com/vb/
Users Guide and Quick Start Guide: http://smb.sygate.com/support/documents/pspf/default.htm
Compare SPF Pro and SPF Free (See what's inside each one) http://smb.sygate.com/products/spf/comparison_spf.htm
d/l http://soho.sygate.com/free/default.php
>
> One of the functions mentioned is an Attacker Tracing System. Is this,
> perhaps, a touch of marketing hype? I would have thought that the software
> required by a practical tracing system (e.g. a high-power database engine)
> would be a little bit beyond a firewall? Are these products (Sygate Personal
> Firewall Pro & Sygate Personal Firewall) very expensive? How many customers
> would, in reality, be likely to use this function?

This is probably the trace route and Whois check on an attacking site. For personal use, there is a pro version ($39.00) and a free version.

>
> How useful is the Intrusion Alarm System, in reality? Is it useful for a
> pop-up window to inform you that "Your computer has just been hacked, all
> your data files have been corrupted, and the computer will reboot in five
> seconds. Haha."? I suspect the hacker would delight in popping up a window
> of this sort for you anyway. :-)
>

This feature is optional and can be turned on/off. Many users prefer to know what is happening with their computer. These alarms and the traffic log keep one informed about what has been Blocked.

> The Evidence Logging System raises a few questions. I know (from reading the
> literature) that auditing can be useful for analysis (usually after an
> 'event' [i.e. an attack]). But I also know that case studies show how hard
> it is to get the balance right between usefulness of information and mass of
> information (too little and it's useless, too much and the audit storage
> space overflows, resulting in partial data that is also usually useless). I
> am a little dubious that this function will be useful to most firewall
> users, except, perhaps, for use by an outside consultancy after an event.
>
> Security Policy Customization sounds good, but, in practice, who's going to
> use it, how easily, and how effectively?
>
> That these products can penetrate VPNs is superb (if it really works).
>
> The Active Response feature says "By dynamically stealthing open ports and
> temporarily blocking the intruders' IP address." The sentence seems cut off.
> What does it mean, please? (What does "dynamically stealthing open ports" mean?
> :-)

When Sygate recognizes an attack (4 hits), the attacking IP is blocked for 600-sec.

>
> How does the MAC and IP address spoofing protection work, please?
>
> One feature is to "Prevent Internet browsers from revealing the OS, browser
> version and the browser history information, which can be stored or used by
> the web server to exploit known security vulnerabilities." Surely this is
> going to cause a variety of web sites (badly designed ones, admittedly) to
> fail, since they (their pages) detect the browser (version) in order to
> conform their Javascript etc.?
>

There are some who would prefer not to reveal their software type. If they are very concerned about computer security, they will not allow java script.

> Finally, I note that these products are software firewalls. Would I be right
> in assuming that the main advantage of using a hardware firewall is to do
> with the vulnerabilities inherent: in Windows due to its lack of security in
> default installations; in Unix (et al) due to the fact that many programs
> are compelled to run as the root user (to get special functionality only
> available to the root user)?
>
>
-- micro..........Who?
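The "Active Response" behaviour Casey describes (four recognised hits from one address, after which that address is blocked for 600 seconds) as an added example of a rate-triggered temporary block with an explicit expiry. This is editor's illustration code, not Sygate's implementation or anything from the thread; the class and method names are constructed, the clock is passed in so the expiry can be exercised deterministically, and the one-hour window within which hits are counted is an assumption, since the thread does not say how Sygate counts.

```python
"""Rate-triggered temporary source block (added example, not from the thread)."""
from collections import defaultdict, deque


class ActiveResponse:
    """After `threshold` flagged packets from one source within
    `window_seconds`, block that source for `block_seconds`."""

    def __init__(self, threshold=4, block_seconds=600, window_seconds=3600):
        self.threshold = threshold          # "4 hits" in the post
        self.block_seconds = block_seconds  # "blocked for 600-sec" in the post
        self.window_seconds = window_seconds  # counting window: assumption
        self._hits = defaultdict(deque)     # src -> timestamps of recent hits
        self._blocked_until = {}            # src -> time the block lapses

    def is_blocked(self, src, now):
        until = self._blocked_until.get(src)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[src]    # block expired; forget the entry
            return False
        return True

    def record_hit(self, src, now):
        """Call when a packet from `src` was flagged (for example, dropped by
        a filter rule). Returns True if this hit tripped a new block."""
        q = self._hits[src]
        q.append(now)
        while q and now - q[0] > self.window_seconds:
            q.popleft()                     # drop hits outside the window
        if len(q) >= self.threshold and not self.is_blocked(src, now):
            self._blocked_until[src] = now + self.block_seconds
            q.clear()
            return True
        return False

    def decide(self, src, now, flagged):
        """One entry point per packet: 'blocked', 'dropped' or 'allow'."""
        if self.is_blocked(src, now):
            return "blocked"
        if flagged:
            self.record_hit(src, now)
            return "dropped"
        return "allow"


def demo():
    """Constructed sequence: one address hits four times, is blocked, and is
    released 600 s later; a second address with three hits is never blocked."""
    ar = ActiveResponse()
    attacker, neighbour = "198.51.100.9", "203.0.113.4"
    out = []
    for t in (0, 5, 9, 12):
        out.append(ar.decide(attacker, t, flagged=True))      # four flagged packets
    out.append(ar.decide(attacker, 13, flagged=False))        # now blocked outright
    out.append(ar.decide(attacker, 12 + 600, flagged=False))  # block has lapsed
    for t in (20, 21, 22):
        ar.decide(neighbour, t, flagged=True)                 # only three hits
    out.append(ar.decide(neighbour, 23, flagged=False))
    return out


if __name__ == "__main__":
    print(demo())
```

Note what the mechanism cannot tell you: it keys on the source address the packet carries, so a source that can spoof addresses can both evade it and, worse, get an innocent address blocked for 600 seconds. That is the standard caveat for any automatic blocking feature and the reason a short expiry is the right default.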

From: Nick Roberts
Subject: Re: What does a firewall do?
Date: Wed, 19 Jan 2005 23:38:36 +0000

Leythos wrote:
> So, what you have to ask yourself is can a firewall do anything to protect
> against the exposed services?
Right, and also I think we have to ask "Is a firewall the most effective (and/or cost-effective) form of protection"?
> Take your HTTP service - if you expose the HTTP service to the internet
> and you've not properly coded for buffer overflows, there is a chance that
> your AdaOS web service could be compromised leading to exposure of the
> same security levels that it's running under.
Hehe. It so happens that, since it will be written in the Ada language, buffer overflow vulnerabilities can be discounted. However, doubtless other forms of vulnerability remain possible, so your point remains valid.
> There is nothing that a firewall is typically going to do to protect the
> HTTP service since the exploit attempt is part of a valid http request.
> The same would be true for other services and firewall rules.
Right. I think that statement somewhat vindicates my original opinion (that a secure OS doesn't need a firewall).
> What the firewall does for people that use XXX OS is to block in/out bound
> connections on services ports that could expose them to a known/unknown
> exploit (such as blocking inbound internet connections to ports 135~139
> and 445 and the same on the remote destination side on Windows systems).
Where it is easier to insert a firewall than to change the offending software? Obviously this is often the case for commercial software. I should have mentioned that AdaOS will be released under the GPL (so full source code will be available for scrutiny and amendment).
> If I were to run a secure OS, the only way to be sure it's secure is to
> not allow access to it.
That's not really the usual meaning of 'secure'. A box that is out of anyone's reach is just out of anyone's reach. It is secure if it is within people's reach, but has a good lock on it (and is a stout box, etc.).
A secure computer system, according to the literature, is one which correctly and reliably enforces a given security policy (regardless of how good the policy is). Personally, I think a secure computer system is one which enforces the given policy, and which also: supplies a default policy that will be appropriate most of the time; makes it as easy as possible for users to understand and set up a policy that suits them best.
> They used to think that PLC's were secure, but, I've seen a simple PING
> bring one down.
But presumably the consequences of it going down were quite controlled (loss of service for a time, but no danger of confidential data being stolen, or sensitive data modified)? In a way, such a device might be considered quite secure. Consider a safe: it might be easy to bash the knob off with a hammer (so the safe can no longer be opened), but that doesn't necessarily, in itself, make the safe insecure. It is, however, a technique that might be used as part of a more elaborate attack (e.g. you wait for staff to remove the jewels from the broken safe, temporarily storing them in a cardboard box, and then steal the box :-)
> You can limit exposure to most of the exploits that you know about or that
> you can expect or that you think might cause a problem later, but you
> can't be sure you've covered it all.
A statement which applies at least as much to the protection that a firewall can offer as to that which (the other components of) a secure OS can?
Thanks for your answer!
-- Nick Roberts
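Leythos's point that the exploit attempt is part of a valid HTTP request, and Nick's earlier remark in this thread that no firewall can protect a badly written web page from a SQL injection, describe the same situation, shown here as an added example. It is editor's illustration code, not from the thread, from AdaOS or from any product: a toy port-level filter that sees only the destination port and the request line, a handler with the classic string-concatenation defect, and the same handler with a bound parameter. The users table, the request lines and the function names are constructed for the demonstration.

```python
"""Why a port filter cannot see a SQL injection (added example)."""
import sqlite3
from urllib.parse import parse_qs, urlsplit


def firewall_allows(dport, request_line):
    """Port-level view of the request: the destination is the permitted HTTP
    port and the request line is well formed. The payload is opaque here."""
    parts = request_line.split(" ")
    return dport == 80 and len(parts) == 3 and parts[0] == "GET" and parts[2] == "HTTP/1.1"


def make_db():
    """Constructed in-memory table standing in for the application's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.org"), ("bob", "bob@example.org")])
    return conn


def name_from_request(request_line):
    """Extract the ?name= query parameter exactly as a web handler would."""
    target = request_line.split(" ")[1]
    return parse_qs(urlsplit(target).query).get("name", [""])[0]


def handler_vulnerable(conn, request_line):
    # The defect: user input is spliced into the statement text, so quote
    # characters in the input change the query's structure.
    name = name_from_request(request_line)
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def handler_safe(conn, request_line):
    # The fix: the value travels as a bound parameter and is never parsed
    # as SQL, whatever characters it contains.
    name = name_from_request(request_line)
    return [row[0] for row in
            conn.execute("SELECT email FROM users WHERE name = ?", (name,))]


def demo():
    """Runs a normal request and a quote-bearing one through the port filter
    and both handlers; returns the observations as a dict."""
    conn = make_db()
    normal = "GET /user?name=alice HTTP/1.1"
    # Constructed: the percent-encoded form of  x' OR '1'='1  as the name value.
    hostile = "GET /user?name=x%27%20OR%20%271%27%3D%271 HTTP/1.1"
    return {
        "filter_sees_both_as_valid": firewall_allows(80, normal) and firewall_allows(80, hostile),
        "vulnerable_normal": handler_vulnerable(conn, normal),
        "vulnerable_hostile": handler_vulnerable(conn, hostile),
        "safe_normal": handler_safe(conn, normal),
        "safe_hostile": handler_safe(conn, hostile),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The filter's verdict is identical for both requests, which is the whole of Leythos's point; the difference between returning one row and returning every row lives entirely in how the handler builds its query, which only the application (or a content-aware proxy in front of it) can fix.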

From: Leythos
Subject: Re: What does a firewall do?
Date: Thu, 20 Jan 2005 00:04:49 GMT

In article , nick.roberts@acm.org says...
> > There is nothing that a firewall is typically going to do to protect the
> > HTTP service since the exploit attempt is part of a valid http request.
> > The same would be true for other services and firewall rules.
>
> Right. I think that statement somewhat vindicates my original opinion (that
> a secure OS doesn't need a firewall).

I don't think it vindicates your opinion, since there has not been a secure OS produced on the market in the last 20 years that I know of.
-- -- spamfree999@rrohio.com (Remove 999 to reply to me)

From: Casey
Subject: Re: What does a firewall do?
Date: Wed, 19 Jan 2005 18:38:43 GMT

In article , nick.roberts@acm.org says...
> I'll be as brief as possible. I am leading a project that is writing a new
> operating system (yes, really), and naturally it will have an IP stack. This
> entire stack will be written from scratch, and it will be written to be
> secure (as will the entire OS).
>
> I recently had an argument (in comp.lang.ada) with someone who simply could
> not believe that a secure OS will completely obviate the need for any
> firewall. Obviously, I believe that it will.
>
> I'd be very, very grateful if someone could post a list of all the different
> kinds of protection a really good firewall could be expected to provide. Be
> as technical as possible (but no need for piles of detail).
>
> I'll follow up such a post with some more details on the security of the OS.
>

Check here for firewall features. (see what's inside)
http://smb.sygate.com/products/spf/comparison_spf.htm