Iain Buchanan wrote:
[snip]
>>>> A port on which no application is listening is closed anyway,
>>>> whether there is a firewall or not.
>>>
>>>
>>> A port on which no application is listening is handled by the
>>> appropriate daemon - usually xinetd.
>>
>>
>> Wrong. xinetd only listens on ports that it's been configured to
>> listen on.
>
>
> My mistake then. So who actually handles the attempt to connect and
> responds with the connection refused, the kernel?
Yes. All connections are first handled by the kernel, then passed to the
packet filter and then to a service. If there is no service, the kernel
responds with "TCP-RST", so he says to the sender: "Nothing there to connect
to. Go away." A packet filter can send the same answer pretending there is
no firewall, but as the kernel would do so in case there is no service
listening to the addressed port the packet filter is unnecessary.
>
>>>> This is also the case, if your box doesn't need to route between LAN
>>>> and internet.
>>>
>>>
>>> Never ever rely on the fact that you're in a "trusted" network to be
>>> your security. As has happened here before, laptops are taken
>>> outside (to home dialups), infected with viruses, and then brought
>>> back into our network. These viruses could potentially be packet
>>> sniffers which broadcast all our plain text passwords to hackers
>>> around the world who can then break in and take over.
>>
>>
>> If you're transmitting passwords in plain text, you're doing something
>> wrong anyway.
>
>
> Including ftp, windows file sharing (not that I personally use it),
> email, etc? Relying on individuals to use safe practices is not a
> security measure. If you're responsible for the network, then you
> should expect that people will do The Wrong Thing(TM).
Which doesn't mean that you as the network administrator can not do your
best to keep them from doing so. Use SSL connections whenever you can,
switch to digest as authentication for password protected directories and so
on. And keep these laptops on their own physical subnet, which would protect
all your unsafe client boxes from viruses brought with them...
>
>>> I couldn't disagree more. I believe that every linux distribution
>>> should come with a simple deny all policy by default. (They should
>>> also include a reasonable tool for configuring it!)
>>
>>
>> That'd break more things than it'd fix.
>
>
> Wellllll, I'm not convinced that a default no-firewall installation is
> good either. If you make it obvious (redhat's "firstboot", gentoo's
> howto's, etc) then it won't be so bad. Gentoo is a bit of an exception
> though, cause you can choose just about every single tool that you install.
I think, there is a little misunderstanding here. A packet filter with a
deny all policy can mean two things: 1. "Deny every packet regardless of its
origin and destination (port)" and 2. "Deny every packet comming from
outside of this box regardless of its origin and destination (port)".
The former would in deed break things, since many programs rely on being
able to send and receive packets to and from the localhost (127.0.0.1). If
the latter is meant, yes, this would be a good default since it would cause
the administrator to think of which communication he should enable then of
which to disable. But then if there's no service listening to one of the
external interfaces there is no need for a packet filter since the kernel
would take care of communication.
>
>>> You shouldn't even let outsiders know that your box is there - ie
>>> even drop pings.
>>
>>
>> Why? This behaviour is considered incorrect by RFC standards.
>
>
> however, if you make it harder for the kiddies to find you, its harder
> for them to hack you. I know there are other ways of finding hosts that
> are alive, but how many people use ping as the primary test for a host?
Not responding to pings doesn't hide you from kiddies. A simple traceroute
or tracepath to your IP would show them that it is possible to reach the
last router prior to your endpoint and that this router doesn't respond
"destination unreachable". So the attacker would know that you _are_ there
but simply not responding to his pings. Also responding with "destination
unreachable" to pings from your own box marks you as false hide-out, since
it is clear that you are there and responding to network traffic. All it
costs are ten seconds of thinking or a better tool at the kiddie.
So there's nothing harmful in following the RFCs.
>
>>> For a good test, once you have your firewall up, go to grc.com and
>>> navigate (a few clicks) to Shields Up.
>>
>>
>> Shields Up is considered a source of hysteria. For more information, see
>>
>> http://grcsucks.com/shieldsup.html
>
>
> I don't totally agree with everything they say. However I do agree that
> "A FALSE sense of security is worse than being unsure." I'm happy to
> suggest
> http://whacker9.hackerwhacker.com.nyud.net:8090/main.php
> https://secure1.securityspace.com/sspace/index.html or
> http://www.vulnerabilities.org/ instead then.
>
> It seems as though you don't agree with the necessity for a firewall
> either?
I'd say, there _are_ occasions when you need one, but connecting a single
linux-only box to the internet with proper service configuration and without
a packet filter is better than using a lousy service config and rely on a
packet filter.
>
> I still don't believe that locking down every service and trusing the
> fact that no program is going to open any port, or no config file change
> is a good security measure. A firewall will do that for you, and in
> addition you can put rules on who can access what ports, at what times,
> and at what throughput. As well as many more things.
This is only true, if the firewall resides on a separate box than the
services. If I got access to a shell on the box through one of the open
services, I have also the possibility to change firewall rules. If you don't
rely on your box's config, you can not rely on its built-in firewall. That's
why a good service configuration is more helpful than having a good packet
filter configuration. And it can be much simpler to deactivate external
listening for services than to do a good packet filter configuration.
Greetings,
Felix