10-03-2005, 07:43 AM
Volker Birk
Re: Why do I need a software firewall?

Todd H. <comphelp@toddh.net> wrote:
> Volker Birk <bumens@dingens.org> writes:
> > Leythos <void@nowhere.lan> wrote:
> > > the NAT device will protect
> > > the user regardless of the settings in the Windows Firewall

> > The Windows-Firewall will protect the user regardless of the settings
> > of the NAT device. So what?

> Harder to crash


Please show one single way to crash the Windows-Firewall from outside.
After you showed, I will believe.

> harder to disable


*plug* *plug* vs. *click* *click* - Maybe you're judging this so.

> something separate to have to
> disable.


Yes. And?

> Security in depth.


Please explain. If you want to say, maybe one could use a filtering NAT
router _and_ the Windows-Firewall, I'd agree. Why not?

I've nothing against filtering NAT devices. The claim, that filtering
NAT devices are better to secure from network based attacks than the
Windows-Firewall is just wrong, though.

The claim, that a host based packet filter like the Windows-Firewall
is better to secure from network based attacks than filtering NAT devices,
is wrong, too BTW (if they're filtering and not only implementing NAT).

> > And the user is managing the NAT router, too. So what?

> A vast majority of users are set and forget types, and if there's no
> easy way to get at it, it won't ever BE disabled.


But sometimes bypassed or abused. You can read in Joab Jackson's
interesting summary about a discussion on the IETF discussion list here
for example:

http://technology.newsforge.com/arti...&tid=28&tid=31

| That NATs themselves are used as security devices - in place of firewalls -
| led to more problems. It was not a role they were designed to perform.
| ...
| NATs also have security issues. Since NAT boxes must forward packets from
| the outside IP addresses to internal ones, it must change forwarding
| information. "Basically, once you've committed to rewriting the forwarding
| information in an IP datagram, then it's open season on all manner of
| horrible opportunities for intermediaries to engage in Internet abuse,"
| wrote James Woodyatt.

> > If the computer of the user is compromised already, _every_ "Firewall"
> > is useless now. Also a NAT router cannot protect a PC, which is
> > compromised already.

> To borrow your type of discussing, let me say:
> This is nonsense.
> A NAT router certainly can protect a compromised PC. Consider the
> common case of malware opening a listener as a back door. It's
> awfully hard to connect to that listener if there's an added layer of
> firewalling that prevents a remote attacker from seeing past the
> router to get to the listening back door.


Yes. And the malware could also connect to the outside, and you lose.

I don't understand, why so many people believe in this advertising
nonsense, that a compromised machine can be protected any more by a
"Personal Firewall" or even a NAT router.

If software is running on the box, which is implemented to harm, it will
harm. This is how computers are working, the software which is running
makes the computer do things, whether they're wanted or not. Semantics
are no object.

Or is this the "better _some_ security than nothing" thing you're claiming?
Better to make it a little bit more difficult for an attacker than doing
nothing?

Well, attackers do know today, that there are many NAT boxes in the wild,
don't they? What do you think, if I would hack such a remote control
software we're talking about ("phoning home", "Trojan"), would I check
if I have an internal address, and if, then would I connect to the outside
instead of listening to an interface with 192.168.0.anything?

Of course I would.

So the deal to secure a PC against malware must be not to get malware
running on the PC. Is this so difficult to understand?

> More sophisticated malware, of course does exist whereby an active
> outbound connection is made to join a botnet, or make another remote
> control connection.


Yes, of course, and the rest of the malware vanishes. So what extra
security did NAT bring here? It changes the malware slightly. That's
it. I would not call this "security".

> However, to say that a NAT router cannot ever
> protect a compromised PC is indeed nonsense.


It cannot protect a PC from being compromised any more, because the
PC is already compromised. Hard to understand?

> The value of multi-layer protection or defense in depth is
> lost on you.


No, not at all. If multi-layer protection isn't just an excuse for
"I don't know enough about computer security and this network protocol
stuff, but I'm using many, many devices in layers, so I have the hope
that one of them will work anyway", then multi-layer protection can
be very useful.

As a matter of fact, only the term is fishy, better let's talk about
security zones.

But "hope" usually is somewhat like an antonym to "being secure".
If we're talking about multi-layer protection, or better about security
zones, then hope cannot be our goal, but reading protocols and deciding
what to do to be secure against different attack vectors.

> The whole point of this discussion is that various classes of threats
> are mitigated by each tool, and both software and hardware firewalls
> are a prudent complementary solution as part of a protection
> strategy.


No.

The points of the discussion are the claims of Leythos. He claimed:

1) NAT devices are better to secure against network attacks than the
Windows-Firewall

2) Zonealarm is better to secure against various attacks than the
Windows-Firewall

Both claims are wrong. Correct would be:

1) Filtering NAT devices are as good as the Windows-Firewall in default
configuration to secure against network attacks, if they're properly
configured, because both make network based attacks impossible then

2) Zonealarm is as good as the Windows-Firewall to secure against network
based attacks. The rest of the features are not working as described,
and some of the advertising is just nonsense, like "Stealthing". But
unlike the Windows-Firewall, Zonealarm opens additional attack vectors
for the Windows-System it's running on, because it offers the user
popups with security relevant questions, the user is not able to decide
correctly, and it makes the PC vulnerable to the SelfDoS attack.

His claim, the Windows-Firewall is "a piece of crap" and badly implemented,
we can forget, of course. He had no single argument for that.

Yours,
VB.
--
MAC-Filtering bringt so viel Schutz vor "Hackern" wie Zeitungspapier vor
einer Atombombe. (MAC filtering is protecting against "hackers" like newsprint
is protecting against a nuclear bomb)
- Christian Forler in de.comp.security.misc
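
The asymmetry the post argues about (a listener on the compromised host is unreachable from outside, but a connection the host opens itself, and the replies to it, pass straight through) can be modelled with a toy stateful filter. This is an added illustration, not code from the post or from any of the products discussed; the addresses and ports are constructed sample values.

```python
"""Toy model of the one rule a filtering NAT router and a default
host firewall share: drop unsolicited inbound, allow outbound and the
replies belonging to it. Added example; addresses/ports are constructed."""
from dataclasses import dataclass

INTERNAL_PREFIX = "192.168.0."  # constructed sample "inside" network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


class StatefulFilter:
    """Tracks outbound flows; only their return traffic is let back in."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()

    def handle(self, pkt: Packet) -> str:
        outbound_key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            self.flows.add(outbound_key)  # inside -> outside: create state
            return "ALLOW"
        if reply_key in self.flows:       # reply to a flow the inside opened
            return "ALLOW"
        return "DROP"                     # unsolicited inbound


def demo() -> tuple[str, str, str]:
    fw = StatefulFilter()
    inside_host, outside_host = "192.168.0.10", "203.0.113.5"
    # Case 1: something on the inside host listens; outside tries to reach it.
    listener_attempt = fw.handle(Packet(outside_host, 40000, inside_host, 31337))
    # Case 2: the inside host "phones home" instead; the answer is now allowed.
    dial_out = fw.handle(Packet(inside_host, 50000, outside_host, 443))
    answer = fw.handle(Packet(outside_host, 443, inside_host, 50000))
    return listener_attempt, dial_out, answer
```

The filter drops the inbound attempt in case 1 yet allows both directions of case 2, which is why the filter changes what malware does rather than whether it works.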
