Skip to main content

understanding what firewalls are capable of

More
13 years 2 months ago #36136 by Ender
I'm trying to figure out how secure a firewall really makes a machine. I've heard that as long as you don't have a service listening on a port, then there's no way to break into that machine through that port. And I've also heard that pro's can get through any firewall in existence and once you send something behind the firewall, you then open it up from the inside to to more.

So I'm trying to figure out what I need to do in order to understand these details for myself, about how secure firewalls really are … otherwise, it will be a never ending feud for anyone w/ an opinion and I'll always be confused.

I've read configuration manuals for devices like the ASA 5505, but only on a user level and was hoping someone could shed some light or point me to the right resources so that I can get a deeper understanding of how secure todays machines really are. It will be a long study, but I'm up for it.

Any help much appreciated.
More
13 years 2 months ago #36137 by Chris
Ender,

Securing Firewalls is a big topic and one that can't be covered in a forum thread, however, we can all provide some input to sort of help clear the scene.

There's a big theory behind what is supposedly considered a secure Firewall and I personally believe that its one of these topics that you'll most probably never agree with others 100% - everyone has their own opinion based on their experience.

Firewalls aim to protect the internal network from public attacks, while they are also used sometimes to protect specific network segments in a intranet.

A 'Firewall' in its most basic functionality is a device that allows traffic in or out a network based on the access lists applied by the administrator. So, if the administrator says allow port 80 from inside toward outside (public), the Firewall will do just that.

Secure as it might seem, its not all really that secure as you already know. The Firewall will not examine the content of the data payload to check if its valid data or some type of attack. In addition, it most -early firewalls- won't check if the HTTP session going in-out the network is actually a valid TCP session that's originated from an internal client.

These two important security features led to the next generation of Firewalls that aimed to overcome these limitations.

Firewalls with integrated IPS (intrusion prevention systems) would examine each packet going through the firewall and would check it against a large database for any signatures that look suspicious. If it finds that a certain packet or stream is suspicious, it would automatically block that stream, hence preventing an attack or hack attempt against a company.

Stateful firewalls made their appearance a bit after the 'early basic firewalls'. These firewalls would monitor each session, making sure that all TCP sessions were actually replies to previous internal requests - or the other way around depending on how it was configured.

These two features provided a much greater level of security and in-depth examination of packet flows, boosting the protection quite high.

However, despite these new features, there are still ways to get around a firewall that's protected by them!

As you so correctly noted, many attempts these days are made from the inside, rather than outside. A user accepts a download from a suspicious website or an email, runs it and nothing happens. This application installs itself and starts automatically downloading another application that does the damage, opening ports toward the Internet or scanning information from the local host and network drives its connected to, and sending them out via email or some other method.

As you can understand, having simply one firewall with all the bells and whistles is not enough.

I strongly believe that one must combine firewall technologies with local host protection e.g antivirus/antispyware, plus a very strict policy of services and sites available to the internal users e.g with the use of a proxy server with content filtering.

Combining such solutions will surely help tighten the security even more, until some other new attack comes out and we are forced to invest in newer technologies to protect our networks from them!

I hope this personal viewer provided an insight on how I see things, obviously you can find many resources and I'd highly recommend you taking a look at the following titles which will provide real life examples to the questions you are asking:

1) High-tech crimes revealed - Addison Wesley ISBN 0-321-21873-6
2) Defend I.T - Addison Wesley ISBN 0-321-19767-4
3) Crimeware - Symantec Press ISBN: 0-321-50195-0

The first two titles are a personal favourite and bring you behind the scenes of some very exciting hacker investigations and interviews. There's much to learn from them!

Closing, if anyone else would like to provide some input on this great topic, please do - I feel it would be much worth it for the community.


Cheers,

Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
More
13 years 2 months ago #36139 by rizin
Hi Chris,

Nice brief coverage, one question arises in my mind is that, Why no security type either in hardware or software comes as All in One protection.

1) Firewall+Content Filtering+IDS/PS+SSL+IAM (Identity and Access Management)

2) is it possible that OS like Windows and Linux comes with Built in Anti-virus with Internet Protection Software.

Any Idea ?

Thanks in Advance.

Rizin.

Known is a drop, unknown is an Ocean
More
13 years 2 months ago #36141 by Ender

Combining such solutions will surely help tighten the security even more, until some other new attack comes out and we are forced to invest in newer technologies to protect our networks from them!


So it's probably safe to say that all firewalls are capable of doing current best practices. And like viruses, you can only fight what you know, and those that you don't know about your are vulnerable to (which means your always too late because groups are always working on a new attack). So I wonder how you recognize a threat before it's too late (which is what it means to invest in newer technologies). I hate answering my own questions because I'm never satisfied with them.

Ports, buses, and a microprocessor to route packets. Anytime you need to add better protection, you just upgrade the software. But the hardware is in a fixed state, can't change that. My ASA 5505 is all manufactured in China, so who's to say that back-doors aren't being added in the chips which invalidates any and all protection it has when needed.

There's always a new attack in cyber warfare in which groups will not admit exists and is only used as a last precaution. So in my mind, there's no such thing as a secure solution, everything is just a hack away. Need to overcome something, then engineer a solution to do just that.

I may have gotten off-topic from what I was originally asking about there, general internet security is another interest I'm looking into. Thanks for the time and thought on your reply. I just put those 3 books on order. It's great to have good recommendations and I'll read up on those books to try to understand what capabilities the firewall os's are currently capable of, or at the least, what they currently try to protect against.

Why no security type either in hardware or software comes as All in One protection.

I can only imagine the reasons being:
- that the technologies involved are quite complex and that each area is a field of expertise in itself which complicates integration.
- vendors do not work in every are so you have a mix of vendors needing to "chain" compatible solutions.
- profit margins.
- OS vendors that sell operating systems mainly focus on "operating systems".

Without a proper definition of built-in (shipped with, user installed), I think that each OS does have these solutions available in some form.
More
13 years 2 months ago #36144 by Chojin
Security is always one step behind, how bad that even may sound.

Security stands or falls with how up-to-date your signatures are, but also with a good policy as you already said.

When using a good firewall (what is good?) you probably also use IDS/IPS which has a license and is being updated every day.

All known attacks are being recorded, investigated and added to the signature base, just hope your company is not the first one to be attacked by a new form of attack.

Do note that 99,99% of the attacks is based on a former known type of attack, the creators of the IDS/IPS will make a general signature database based on the types of attacks, not the specifick attack. The specifick attack will be based on some sort of general type, thus being blocked (or in case of IDS an alarm).

As mentioned before, a combination of types of protection will be the best. You can combine Firewall, IPS, NIPS, HIPS and above all a strict policy.

A 100% secured environment is never possible, but a 99,999% is. It is just a matter for the hacker to find that 0.001%, and thats not an easy one.

Also, note that when a new type of attack is known to a hacker (mostly on a exploit database) the attack is also known to the IPS/IDS creators... they will make a day2day job on searching for new types of attacks, new types of evolvements.... its a non-stop war between those two (if they are not the same :)).

CCNA / CCNP / CCNA - Security / CCIP / Prince2 / Checkpoint CCSA
More
13 years 2 months ago #36145 by rizin
Hi All,

@Ender, A good News for you, Try the IPCop (Free of Cost Obsolutely Worth) Thanks to the Linux geeks.
Follow this link www.ipcop.org/ , Im sure you will be pleased with this Security Firewall which combined all features All in One :)

I'm going to set it up in my Vmware player to protect my Host, I stucked in configuring the adapters however i'm going to post my problem here soon.

Note: Linux Knowledge not required though IPCop is linux based Environment :)

Worried Note: :cry: I'm still taunting myself Why i haven't learn the linux years before :cry:

Good Luck !

Rizin

Known is a drop, unknown is an Ocean
Time to create page: 0.160 seconds