
Once in a while administrators ask themselves why p2p applications like Skype work in their networks even though the firewall blocks all incoming traffic.
I'll try to explain this in a simple way. The applications mentioned are not 'pure' p2p applications, because they use a server to establish the connection.
So what happens when Alice (IP 10.0.0.1) wants to call Bob (IP 11.0.0.1)? She sends a request to the server, which contacts Bob and tells him about Alice (her IP and the port she wants to use, let's say 2020); in the same way the server tells Alice about Bob's IP and port. Bob now sends a UDP datagram to Alice on port 2020. Alice's firewall drops it, because there is no matching outbound connection yet, but Bob's firewall is now in a state where it accepts "replies" from Alice's address and port 2020 to the port Bob sent from. Alice now does the same and sends a datagram to Bob's port: Bob's firewall lets it through as a reply, and Alice's firewall records the outbound flow and from now on accepts Bob's datagrams too. We end up with two firewalls both accepting traffic over this "connection", each believing it is passing answers to earlier requests.
This uses the feature of many firewalls to treat UDP as "stateful": packets with matching addresses and ports are assumed to belong to the same connection, which can be a mistake, because UDP has no handshake and all the firewall really knows is that it has seen this 4-tuple before. (The entry also expires after an idle timeout, which is why such applications keep sending keep-alive packets.) TCP is different: a connection is really established with a three-way handshake, and a stateful firewall can refuse anything that is not a SYN coming from the inside.
So one should think twice before allowing all outgoing traffic, because this can have strange side-effects.
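To make the sequence concrete, here is an added example (not code from the original post) that models two firewalls with the usual "UDP is stateful" connection tracking and replays the exchange above. Alice's and Bob's addresses and Alice's port 2020 come from the text; Bob's port 3030, the idle timeout of 30 seconds and the third party Mallory with address 12.0.0.1 are assumptions. It goes a little beyond the text to show two caveats: a spoofed datagram that matches the tracked 4-tuple is accepted just like Bob's, and the hole closes again once the entry times out, which is why the applications send keep-alives.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    label: str


class StatefulUdpFirewall:
    """Blocks all unsolicited inbound traffic, allows all outbound traffic,
    and tracks UDP "connections" the way many firewalls do: an outbound
    datagram creates a flow entry, and an inbound datagram is accepted only
    while it matches the reverse of a live entry (same addresses and ports).
    Entries expire after an idle timeout, measured on a simulated clock."""

    def __init__(self, name, inside_ip, idle_timeout=30):   # 30 s is an assumed value
        self.name = name
        self.inside_ip = inside_ip
        self.idle_timeout = idle_timeout
        self.clock = 0       # simulated seconds
        self.flows = {}      # (remote_ip, remote_port, local_port) -> expiry time

    def tick(self, seconds):
        self.clock += seconds

    def outbound(self, dg):
        """Allow-all-outbound policy: every outbound datagram (re)opens a flow entry."""
        assert dg.src_ip == self.inside_ip
        self.flows[(dg.dst_ip, dg.dst_port, dg.src_port)] = self.clock + self.idle_timeout
        return "ACCEPT"

    def inbound(self, dg):
        """Accept only if the 4-tuple matches a live flow; refresh its timer if so."""
        key = (dg.src_ip, dg.src_port, dg.dst_port)
        expiry = self.flows.get(key)
        if expiry is None or expiry < self.clock:
            self.flows.pop(key, None)
            return "DROP"
        self.flows[key] = self.clock + self.idle_timeout
        return "ACCEPT"


ALICE, BOB, MALLORY = "10.0.0.1", "11.0.0.1", "12.0.0.1"   # Mallory is assumed
ALICE_PORT, BOB_PORT = 2020, 3030                          # Bob's port is assumed


def hole_punch():
    """Replays the exchange from the text. Returns a list of
    (label, verdict of the sender's firewall, verdict of the receiver's firewall)."""
    alice_fw = StatefulUdpFirewall("alice-fw", ALICE)
    bob_fw = StatefulUdpFirewall("bob-fw", BOB)
    log = []

    def send(sender_fw, receiver_fw, dg):
        # A datagram passes the sender's firewall outbound, then the receiver's
        # firewall inbound; the receiver's verdict is the one that matters.
        out = sender_fw.outbound(dg)
        inb = receiver_fw.inbound(dg)
        log.append((dg.label, out, inb))

    # 1. The server told Bob "Alice is at 10.0.0.1:2020". Bob sends first:
    #    dropped by Alice's firewall, but Bob's firewall now has a flow entry.
    send(bob_fw, alice_fw, Datagram(BOB, BOB_PORT, ALICE, ALICE_PORT, "bob-hello-1"))
    # 2. The server told Alice "Bob is at 11.0.0.1:3030". Alice sends:
    #    Bob's firewall sees a "reply"; Alice's firewall opens its own entry.
    send(alice_fw, bob_fw, Datagram(ALICE, ALICE_PORT, BOB, BOB_PORT, "alice-hello"))
    # 3. Bob sends again: both firewalls now pass traffic on this "connection".
    send(bob_fw, alice_fw, Datagram(BOB, BOB_PORT, ALICE, ALICE_PORT, "bob-hello-2"))
    # 4. Mallory knows the 4-tuple but sends from her own address: no entry, dropped.
    send(StatefulUdpFirewall("mallory-fw", MALLORY), alice_fw,
         Datagram(MALLORY, BOB_PORT, ALICE, ALICE_PORT, "mallory-own-ip"))
    # 5. Mallory spoofs Bob's address and port: the "state" is only the 4-tuple,
    #    so the spoofed datagram is accepted like Bob's (no sender firewall here).
    spoofed = Datagram(BOB, BOB_PORT, ALICE, ALICE_PORT, "mallory-spoofed")
    log.append((spoofed.label, "n/a", alice_fw.inbound(spoofed)))
    # 6. After the idle timeout the hole is closed again unless someone sent
    #    keep-alives; Bob's next datagram is dropped just like the first one.
    alice_fw.tick(31)
    bob_fw.tick(31)
    send(bob_fw, alice_fw, Datagram(BOB, BOB_PORT, ALICE, ALICE_PORT, "bob-after-idle"))
    return log


if __name__ == "__main__":
    for label, out, inb in hole_punch():
        print(f"{label:16} sender-fw={out:6} receiver-fw={inb}")
```

Steps 1 to 3 are the exchange from the text; steps 4 to 6 are the caveats. Step 5 is the reason "allow all outbound UDP" is weaker than it looks: once a flow entry exists, the firewall cannot tell Bob from anyone who can forge Bob's source address and port.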

8th door – RFID Firewall

m.schmidt on 8 December 2006

There are a lot of discussions worldwide about the pros and cons of RFID: what it brings, how safe it is, whether it is a blessing or a curse. Well, one can't deny that it's quite convenient. You can move freely in your company's buildings, and doors you're allowed to pass are opened by a magic hand. You don't have to wait at the checkout in the supermarket, and your microwave knows how your meal has to be prepared. On the other hand, there are also many disadvantages. If banknotes are equipped with RFID tags, every bad guy instantly knows whether I'm a valuable target. My daily routine and the routes I travel can possibly become known to anybody, and so can my social status (the clothes I wear, the credit cards I own and so on). And finally, the dustman knows whether the packaging of your microwave meal is in the right garbage can.
Well, we can protect ourselves to some degree, either by shielding these tags with some sort of Faraday cage or by destroying them completely. But the former can be complex, and the latter is irreversible.
Andrew S. Tanenbaum is someone who's quite familiar with this topic, and he presented a quite interesting approach. The RFID Guardian was originally created to warn the user when his RFID tags are being read by someone else. By now, this device has been developed into a 'personal firewall' (in the best sense of the word) for RFID, giving the user control over what information to share, when, and who is allowed to access it.

I see this as a very interesting approach. Maybe it is able to keep the advantages and the comfort of RFID while reducing the dangers and the potential for misuse. For further information, the project's main page is very useful.

Checkpoint Integrity – a central Desktop Firewall

m.schmidt on 24 November 2006

There is a wide variety of pros and cons when it comes to desktop firewalls. The main problem is that a normal user has no idea which programs should get access to the internet and which should not.
Checkpoint offers a quite powerful piece of software to solve this problem, named 'Integrity', originating from the ZoneAlarm desktop firewall that Checkpoint bought some time ago.
Along with the client comes the Integrity server, and that is where the biggest part of the system's power lies.
This server is responsible for the management, creation and deployment of the policies enforced on the desktop clients. These policies can enforce restrictions on OSI layers 3 and 4, based on IP addresses and ports, which is nothing new. But in addition, there is the option to restrict the software on the clients on a per-application basis.
Based on a checksum, a file name or similar criteria, only 'good' programs are allowed to access the internet, or even allowed to run at all. (The checksum is the criterion to prefer: a file name is changed by simply renaming the program, a hash of its contents is not.) For example, if a file sharing client is active, the Integrity client can terminate it, prevent its access to the internet, or isolate the whole machine from the company's network. It can also keep an eye on the Windows hotfixes, or make decisions based on the kind and freshness of the anti-virus solution.
But all this is a lot for an administrator to handle, and therefore Integrity provides help with the software management. First, every client reports the programs that try to connect somewhere to the server, so the administrator can see what kind of software is around in the network and decide what to restrict. A second nice feature is the option to set up reference clients. All the software on these clients is regarded as 'good' and can be used on other systems under the same restrictions as on the reference machine. So the administrator only has to keep one machine up to date.
In times where notebooks and PDAs are getting more and more common, and employees often work with their machines in different, sometimes untrusted networks, this is a good way not only to keep an eye on the interface to the outside world, but also to deal with the traffic inside a network.
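As an added illustration (not Integrity's own code; the product's internals are not described here), this example shows why the checksum criterion matters and how a reference client turns into an allowlist. The "executables" are made-up byte strings standing in for real files on disk, and the file names are assumptions; real binaries would be hashed exactly the same way.

```python
import hashlib

# Constructed stand-ins for program files: name -> contents. Real executables
# would be read from disk and hashed the same way.
REFERENCE_CLIENT = {
    "outlook.exe": b"MZ\x90\x00 outlook build 11.0",
    "firefox.exe": b"MZ\x90\x00 firefox build 2.0",
}
FILESHARE_CLIENT = b"MZ\x90\x00 some p2p file sharing client"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_allowlist(reference_files):
    """Derive the allowlist from a reference client: every program found on it
    is regarded as good. Maps file name -> SHA-256 of the file contents."""
    return {name: sha256_hex(data) for name, data in reference_files.items()}


def decide_by_name(allowlist, name, _data):
    """Weak check: trusts the file name alone, so it is fooled by renaming."""
    return "allow" if name in allowlist else "block"


def decide_by_hash(allowlist, name, data):
    """Strong check: the contents must match the hash recorded for that name."""
    return "allow" if allowlist.get(name) == sha256_hex(data) else "block"


def evaluate(allowlist, name, data):
    """Verdict of both checks side by side for one program file."""
    return {"name": decide_by_name(allowlist, name, data),
            "hash": decide_by_hash(allowlist, name, data)}


def scenarios():
    """Runs the cases a desktop-firewall administrator cares about and returns
    {case: {"name": verdict, "hash": verdict}}."""
    allowlist = build_allowlist(REFERENCE_CLIENT)
    results = {}
    # The untouched program from the reference machine passes both checks.
    results["genuine firefox"] = evaluate(
        allowlist, "firefox.exe", REFERENCE_CLIENT["firefox.exe"])
    # A file sharing client renamed to firefox.exe: the name check is fooled,
    # the hash check is not.
    results["renamed p2p client"] = evaluate(allowlist, "firefox.exe", FILESHARE_CLIENT)
    # The same client under its own name: both checks block it.
    results["p2p client"] = evaluate(allowlist, "p2pclient.exe", FILESHARE_CLIENT)
    # The price of hashing: after a legitimate update the old allowlist blocks
    # the program until the reference client is updated and the list rebuilt.
    # This is exactly why keeping one reference machine up to date pays off.
    updated = dict(REFERENCE_CLIENT, **{"firefox.exe": b"MZ\x90\x00 firefox build 2.0.0.1"})
    results["firefox update, old allowlist"] = evaluate(
        allowlist, "firefox.exe", updated["firefox.exe"])
    results["firefox update, rebuilt allowlist"] = evaluate(
        build_allowlist(updated), "firefox.exe", updated["firefox.exe"])
    return results


if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print(f"{case:36} by name: {verdict['name']:5}  by hash: {verdict['hash']}")
```

The "renamed p2p client" case is the one that decides between the two criteria; the "firefox update" cases show the operational cost that the reference-client feature is there to pay.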

There are a lot more interesting features in the Integrity bundle, so if you're interested, feel free to leave a short comment; maybe I'll do a part 2, or even a more thorough how-to.

Two essential rules for a firewall

m.schmidt on 11 November 2006

It's a firewall's job to protect the network behind it, based on the policy implemented by the administrator. Therefore, a firewall can only be as good as the person behind it. There are two rules that are mostly considered essential, and for the "clean-up" rule I think this is true. That rule is the last one in the policy, and drops (or rejects) all connections that have not been explicitly allowed by an earlier rule (many firewalls drop unmatched traffic anyway, but the explicit rule makes it visible in the logs). The second one is the "stealth rule", blocking any kind of communication addressed to the firewall itself. Of course, the administrator has to take care not to lock himself out. In common systems this is handled by implied rules, evaluated before the stealth rule, that allow communication with the firewall's management interface when initiated by designated computers.

Well, I'm not a total fan of this rule. Of course one should avoid unnecessary risk and block, for example, SSH from the outside world as long as you're not using it, because why should an attacker get the chance to guess the password? It's also a fact that there should be no other daemon running on the firewall. But what about ICMP? Is that one necessary? It's quite easy to gain a lot of information based on ICMP with common tools (ping, nmap). There are also known attacks from the past; the "ping of death" is widely known. So why take the risk of an attack and give away information about the system to the world? But there are voices claiming that ICMP is absolutely important and needs to be left untouched. Well, indeed, troubleshooting without ICMP is not that easy.
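As an added example (not the author's or any vendor's code), here is a first-match evaluation of a small rule base containing both rules, plus the check the post asks for before installing a policy: does the administrator's own management connection still get through? All addresses (firewall 192.0.2.1, admin workstation 192.0.2.10, DMZ web server 192.0.2.80, outside host 203.0.113.5) and SSH as the management port are assumptions. It also shows a middle ground for the ICMP question: allow ICMP to the firewall from the management host only, by a rule placed above the stealth rule.

```python
from dataclasses import dataclass
from typing import Optional

FIREWALL_IP = "192.0.2.1"    # assumed address of the firewall itself
MGMT_HOST = "192.0.2.10"     # assumed admin workstation (source of the implied rule)
DMZ_WEB = "192.0.2.80"       # assumed web server behind the firewall
OUTSIDE = "203.0.113.5"      # assumed host on the internet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # None for icmp


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                      # exact IP or "any"
    dst: str
    proto: str                    # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]          # None means any port
    action: str                   # "accept", "drop" or "reject"

    def matches(self, pkt):
        return ((self.src == "any" or self.src == pkt.src)
                and (self.dst == "any" or self.dst == pkt.dst)
                and (self.proto == "any" or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(policy, pkt):
    """First-match evaluation as in most rule-based firewalls; returns
    (action, rule name). An unmatched packet is dropped as well, but silently:
    the explicit clean-up rule exists so that such drops are logged."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "drop", "<no rule matched>"


POLICY = [
    # The management (implied) rule must come before the stealth rule.
    Rule("management", MGMT_HOST, FIREWALL_IP, "tcp", 22, "accept"),
    Rule("stealth", "any", FIREWALL_IP, "any", None, "drop"),
    Rule("web to dmz", "any", DMZ_WEB, "tcp", 80, "accept"),
    Rule("clean-up", "any", "any", "any", None, "drop"),
]

# Same policy with the two top rules swapped: the mistake that locks the admin out.
MISORDERED = [POLICY[1], POLICY[0]] + POLICY[2:]

# Compromise for troubleshooting: ICMP to the firewall only from the admin host.
ICMP_FROM_MGMT = [Rule("icmp from management", MGMT_HOST, FIREWALL_IP, "icmp", None, "accept")] + POLICY


def lockout_check(policy, admin_pkt=Packet(MGMT_HOST, FIREWALL_IP, "tcp", 22)):
    """Run before installing a policy: is the admin's own management
    connection still accepted?"""
    action, _rule = evaluate(policy, admin_pkt)
    return action == "accept"


def demo(policy=POLICY):
    """Evaluates a few representative packets and returns {label: (action, rule)}."""
    samples = {
        "ssh from admin to firewall": Packet(MGMT_HOST, FIREWALL_IP, "tcp", 22),
        "ssh from internet to firewall": Packet(OUTSIDE, FIREWALL_IP, "tcp", 22),
        "ping from internet to firewall": Packet(OUTSIDE, FIREWALL_IP, "icmp"),
        "ping from admin to firewall": Packet(MGMT_HOST, FIREWALL_IP, "icmp"),
        "http to dmz web": Packet(OUTSIDE, DMZ_WEB, "tcp", 80),
        "smtp to dmz web": Packet(OUTSIDE, DMZ_WEB, "tcp", 25),
    }
    return {label: evaluate(policy, pkt) for label, pkt in samples.items()}


if __name__ == "__main__":
    for label, (action, rule) in demo().items():
        print(f"{label:32} -> {action:6} ({rule})")
    print("admin locked out with POLICY:    ", not lockout_check(POLICY))
    print("admin locked out with MISORDERED:", not lockout_check(MISORDERED))
```

With `POLICY`, SSH from the admin host hits the management rule, every other packet to the firewall hits the stealth rule, and SMTP to the DMZ ends up in the clean-up rule. With `MISORDERED`, `lockout_check` fails, which is the case the implied rules exist to prevent. With `ICMP_FROM_MGMT`, a ping from the admin host reaches the firewall while a ping from the internet still hits the stealth rule.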

I'd like to discuss the advantages and disadvantages of the stealth rule. I hope you have a minute to share your opinion.