Hole in the wall

By Ashton Mills
10:26 Jun 4, 2009 | 2 Comments
Tags: firewall | internet | security
Prevention > cure
It's common knowledge, and an unfortunate reality, that the single greatest security threat to any computer and any network isn't malware, viruses, or trojans - it's the fleshbag sitting between chair and keyboard. The only way malicious software ever spreads so rapidly and so expansively on the net is thanks to users - users who open unknown attachments, click on flashy and annoying pop-ups, and who download anything they're prompted to.

If there is one reliable variable about malware, it's that it can only be dangerous if it's allowed on a system.

Part of the problem, which Vista tried to improve and hopefully Windows 7 will get right, is that under the hood Windows makes the assumption that the user knows best (which is kind of ironic, considering how the interface assumes a user to be computer illiterate). The user can always get administrative (sometimes through prompts) access to the machine. It only takes a user to incessantly click 'Yes' to allow a program to run for malware to gain a foothold. And users will, because they don't like to be bugged by pop-ups (years of using the Web has trained them well in this regard).

You don't necessarily need to run an overly-protective firewall if you're not going around installing everything that pops up on your screen, but you might be better informed than friends and family, so educate them about the social engineering techniques some malware can use to get onto machines - "No, that free virus checker you were prompted to download really isn't a virus checker, no matter how many flashing pop-ups told you otherwise!"

In the end, no matter how good a firewall can be, the security of a machine is dependent on its user. In a perfect world, a stateful firewall is all anyone should need. But the proliferation of malware speaks otherwise.

Attacks on the inside
A good source of example programs to test various methods of bypassing firewalls can be found at www.firewallleaktester.com. The programs here are proof of concept and safe to try out - some firewalls do well at picking up their tricks, while others fail dismally. In the end, because the exploits revolve around abusing the inherent trust of firewall software with the user, and like viruses the methods for doing this continually evolve, there's no guaranteed solution to this Achilles heel.

States of a wall
Firewalls aren't just passive defenders; they can be helpful or downright rude. When another machine attempts to connect to or ping a port, the firewall has three ways to respond:

* If the port is open, let the request through.

* If the port is closed, be polite and inform the host the port is closed.

* Don't respond at all, and silently drop the packet into the void.

When you run firewall tests on the web to ping your machine (such as Shields Up!), they will often report which ports are open, closed, or stealthed. The latter is just a fancy way of saying the program doesn't actually know what's there. Because the packets are dropped, there is no response from your machine, and bar the fact you requested a test to your particular IP, your machine would otherwise appear non-responsive on the net - the safest option of all. While a firewall that responds that a port is closed is polite netiquette, it means anyone trying to access your machine at least knows your machine is, indeed, there and thus could try other means of gaining access. Generally, use a firewall that stealths your machine (and your router may already do this).

Firewall fun
Firewalls can be used for more than keeping people out; you can also use them as a gatekeeper with port knocking.

Port knocking is a technique to open ports - say port 22 to enable access to an SSH server - on a remote machine by deliberately banging on the machine's firewall, but in a particular sequence. Since firewall software can easily monitor and log the attempts to connect on ports, it's very easy to run a program to monitor the logs and, if a particular range of ports is accessed in a particular sequence, open up a port as a result. It's a very clever use of ports as a private code for access to a machine that would otherwise remain locked down.
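As an added illustration (not code from the article), here is a small log monitor of the kind the paragraph describes: it replays firewall log lines and reports which source hit the knock sequence in the right order within a time window. The log format (iptables-style lines with a "KNOCK:" prefix), the sequence 7000-8000-9000, the window and the addresses are all assumed or constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of iptables-style LOG lines (format assumed; "KNOCK:" is a
# hypothetical --log-prefix). 203.0.113.7 knocks correctly, 198.51.100.9 knocks in
# the wrong order after poking port 22, and 192.0.2.55 knocks too slowly.
SAMPLE_LOG = """\
Jun  4 10:26:01 gw kernel: KNOCK: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=7000
Jun  4 10:26:02 gw kernel: KNOCK: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=8000
Jun  4 10:26:02 gw kernel: KNOCK: IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=22
Jun  4 10:26:03 gw kernel: KNOCK: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=9000
Jun  4 10:26:04 gw kernel: KNOCK: IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=7000
Jun  4 10:26:05 gw kernel: KNOCK: IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=9000
Jun  4 10:26:06 gw kernel: KNOCK: IN=eth0 SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=7000
Jun  4 10:26:30 gw kernel: KNOCK: IN=eth0 SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP SPT=33001 DPT=8000
Jun  4 10:26:31 gw kernel: KNOCK: IN=eth0 SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP SPT=33002 DPT=9000
"""

KNOCK_SEQUENCE = (7000, 8000, 9000)  # hypothetical sequence; a plain ascending run like
WINDOW_SECONDS = 10                  # this is weak, since a sequential scan also matches

LINE_RE = re.compile(r"(\d{2}):(\d{2}):(\d{2}).*?SRC=(\S+).*?DPT=(\d+)")

def parse_knock(line):
    """Return (seconds since midnight, source IP, destination port), or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    h, mi, s, src, dpt = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), src, int(dpt)

def find_completed_knocks(log_text, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
    """Replay the log; return sources that hit `sequence` in order within `window`.
    Per-source state is (index of next expected port, time of last knock)."""
    state = defaultdict(lambda: (0, None))
    completed = []
    for line in log_text.splitlines():
        parsed = parse_knock(line)
        if parsed is None:
            continue
        t, src, port = parsed
        idx, last = state[src]
        if last is not None and t - last > window:
            idx = 0                      # too slow: the sequence starts over
        if port == sequence[idx]:
            idx += 1
            if idx == len(sequence):     # full sequence seen; a real knock daemon
                completed.append(src)    # would now add an ACCEPT rule for src
                idx = 0
        elif port == sequence[0]:
            idx = 1                      # wrong port, but it is the first knock: restart
        else:
            idx = 0                      # any other port (a scan, say) resets the state
        state[src] = (idx, t)
    return completed
```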

This article appeared in the May, 2009 issue of Atomic.

2 Comments
TheSecret
Jul 2, 2009 3:46 AM
There is no Achilles heel as is described in the article. Firewalls, of any type, are not designed to distinguish between traffic the user consented to send, and malicious traffic. Firewalls are never designed to tell "good from bad".

Personal firewalls were never meant to prevent malware in this way, nor are they capable of stopping sufficiently advanced malware. The answer to the problem of malware is not one that can be solved by malware, but rather a better application of existing security models. UAC was a start, then ultimately ended up as a failure.

It's also possible with Windows to sign known executables, so if one of these executables is hijacked, they can be prevented from executing. A firewall does not come into it.
TheSecret
Jul 2, 2009 7:58 AM
"the problem of malware is not one that can be solved by malware" should be "the problem of malware is not one that can be solved by firewalls"....