Monday, March 07, 2005

Firewalls aren't so magic

A recent post on Slashdot brings up the LAND attack, an attack from eight (8) years ago in which a connection is initiated to a service with a SYN packet whose source and destination IP addresses are both set to the server's address. These attacks cause the server to loop indefinitely and become unresponsive for 15-30 seconds. Repeated attacks can prove to be a fairly effective DoS.

In response, the current work-around according to the SecurityFocus vulnerability entry is to enable a host firewall to stop any and all connections to open ports. The vulnerability is fixed in all operating systems except Windows, affecting versions from Windows 95 up to and including Windows 2003 Server and Windows XP Service Pack 2. The users of Slashdot apparently think that firewalls are "basic security" and somehow mitigate this problem in its entirety.

Firewalls are not magic. They only allow administrative control over the configuration of misbehaved services that bind to undesirable interfaces, or at the very best allow fine-grained administrative control over what network ranges can connect to a port. If the connection is legitimate, or at least legitimate in the eyes of the firewall, the packets make it through.

More pertinently, Windows is now immediately unsuitable for running an Internet-facing Web server. As an example, Microsoft's Web site is running on Windows. Using one of the LAND exploits targeted at port 80, any user can take out Microsoft's main Web site with a lightweight and effective Denial of Service.

As for desktop Windows machines, they generally hold a number of open ports for NetBIOS and RPC. From inside the local network, these machines must be able to communicate with each other, and with themselves, to be used effectively. Any remote exploit that enters a network, including social engineering (worms in e-mail and all flavors of viruses and trojans), can be used to take the network down. Networks with Windows-based file servers are made up of many hosts, each of which now has the ability to single-handedly take down the file server.

In many situations, it is very difficult or even impossible to prevent a LAND packet from penetrating the defenses of a network. If the attack comes from within the network, or if it is aimed at a node which must host services to the outside world, then there is a 100% chance of success for LAND attacks on Windows machines. Because of this, firewalls cannot be relied upon as a cure for this and many other attacks.
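To make the point of the preceding paragraphs concrete, here is an added example of my own, not code from the original post or from any vendor. It parses a few constructed IPv4/TCP headers, applies the port-based rule that the SecurityFocus work-around amounts to ("accept TCP to the ports we listen on"), and then applies the check a firewall would actually need to catch a LAND packet: an ingress filter that rejects packets arriving from the wire whose source address belongs to the host itself. The addresses come from the RFC 5737 documentation ranges, and the sample frames carry no checksums; they are in-memory test data for the parser, nothing more.

```python
import socket
import struct
from dataclasses import dataclass

IP_PROTO_TCP = 6
TCP_SYN = 0x02
TCP_ACK = 0x10


@dataclass
class TcpPacket:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: int


def build_syn(src_ip, dst_ip, src_port, dst_port, flags=TCP_SYN):
    """Constructed sample data: a minimal IPv4 header + TCP header, no payload,
    zeroed checksums. Enough to exercise the parser; not a valid wire frame."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0, 64, IP_PROTO_TCP, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          src_port, dst_port, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


def parse_tcp(raw):
    """Parse IPv4 + TCP headers out of a raw frame; return None for anything else."""
    if len(raw) < 20 or (raw[0] >> 4) != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4                     # IPv4 header length in bytes
    if raw[9] != IP_PROTO_TCP or len(raw) < ihl + 20:
        return None
    src_ip = socket.inet_ntoa(raw[12:16])
    dst_ip = socket.inet_ntoa(raw[16:20])
    src_port, dst_port = struct.unpack("!HH", raw[ihl:ihl + 4])
    flags = raw[ihl + 13]                         # TCP flags byte
    return TcpPacket(src_ip, dst_ip, src_port, dst_port, flags)


def port_filter(pkt, open_ports):
    """The host-firewall rule the work-around relies on: accept TCP to listening ports.
    It judges the packet only by its destination port, so a LAND packet to port 80 passes."""
    return pkt.dst_port in open_ports


def ingress_filter(pkt, local_addrs):
    """Anti-spoofing check for packets arriving on an external interface: a source
    address belonging to this host cannot legitimately come in from the wire."""
    return pkt.src_ip not in local_addrs


def is_land_packet(pkt):
    """LAND signature: a bare SYN whose source address equals the destination address.
    The original exploit also used matching ports; matching IPs alone is already spoofed."""
    is_syn = bool(pkt.flags & TCP_SYN) and not (pkt.flags & TCP_ACK)
    return is_syn and pkt.src_ip == pkt.dst_ip


def classify(raw, open_ports, local_addrs):
    """Return (port_filter_verdict, ingress_filter_verdict, land_flag) for one frame."""
    pkt = parse_tcp(raw)
    if pkt is None:
        return ("drop", "drop", False)
    return ("accept" if port_filter(pkt, open_ports) else "drop",
            "accept" if ingress_filter(pkt, local_addrs) else "drop",
            is_land_packet(pkt))


SERVER = "192.0.2.10"            # constructed: the Web server's own address
OPEN_PORTS = {80, 443}
LOCAL_ADDRS = {SERVER}

SAMPLES = {                      # constructed frames
    "legit_client": build_syn("198.51.100.7", SERVER, 40000, 80),
    "land":         build_syn(SERVER, SERVER, 80, 80),
    "telnet_probe": build_syn("198.51.100.7", SERVER, 40001, 23),
}


def run_samples():
    return {name: classify(raw, OPEN_PORTS, LOCAL_ADDRS) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (port_v, ingress_v, land) in run_samples().items():
        print(f"{name:13s} port-filter={port_v:6s} ingress-filter={ingress_v:6s} land={land}")
```

The output shows the gap the post is describing: the port-based rule accepts the LAND frame exactly as it accepts the legitimate client, because both are SYNs to port 80. Only the source-address check drops it, and that check is useless for a packet that originates inside the network, or for a spoofed source that is not one of the host's own addresses.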

Other attack vectors that evade the firewall most likely include 99% or more of typical desktop network traffic. Desktop computers are very promiscuous on the Internet and connect out to instant messaging, chat, and Web services to get data from the outside world. This data always comes through the firewall, and can be used to remotely inject code such as worms into a machine. These situations cannot be protected against with a firewall, because that would require disabling access to these services entirely.

Firewalls have their uses, but they're very, very minimal compared to the amount of faith people put into them. Firewalls can only stop connections aimed at specific destination addresses; in many situations it is possible for spoofed packets to penetrate a firewall that allows certain traffic and blocks other traffic on an interface. Firewalls do not protect servers from anyone who can connect to them, and they do not protect "legitimate" outgoing connections from fetching illegitimate data. A high-quality, up-to-date reactive content filter is closest to most people's view of firewalls, and even that won't stop everything.
