If a firewall nails all the ports but 80 for HTTP and 53 for DNS, does it just come down to browser vulnerability?
At a user group, when firewalls were mentioned, one expert said about ZoneAlarm:
"They practice against it"
Seems to indicate there are other factors, but surely a closed port is a closed port?
ZoneAlarm is more application based; I didn't think you could restrict purely by IP address?
If you only want to restrict to ports 80 & 53 (you'd want at least 110 & 25 too unless you purely use webmail), you can use the Windows TCP/IP filtering options.
A closed port is closed, so should be safe. What happens is that a program which wishes to receive info from the internet will open a port and connect to it. The person wanting to connect to that program must know which port to send the data to (by being told or checking all the ports). The kernel (Linux, Windows etc.) will identify incoming packets of data and pass the data through to the port requested if there is any program registered on that port.
So the data is interpreted in a really minimal way before it's passed to the port, so that should be safe, but there is a very, very slight possibility that it's not.
If there is nothing on the port the packet will be dropped.
If there is something on the port then the data is passed to it, unless there is a firewall which will get the data first, check it and then pass it along to the program.
Of course the firewall is another potential target for attack, but given its job it would be shockingly bad form if it was susceptible.
The firewall may well be preventing things which are application specific to cover known bugs.
The data is eventually passed to the target program which will then deal with it. Sometimes you can get programs that alter the firewall settings depending on what the target program goes on to do. For instance, on attempting a login with ssh a report is made; a firewall can then be altered in accordance with the report to prevent an obvious cracker from connecting to the box again.
Getting back to the point: How secure is a firewall? More secure than no firewall is probably the best answer.
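The "report from sshd, then alter the firewall" loop described in the post above is the pattern that tools such as fail2ban automate. The following is an added example, not code from the original thread or from any such tool: it scans constructed sshd log lines, counts failed logins per source address, and renders (but does not execute) the iptables rules that would block repeat offenders. The log lines, addresses and the threshold of three failures are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample auth-log lines (not from any real system).
# 203.0.113.7 fails three times; 198.51.100.4 logs in once and fails once.
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar  1 10:00:03 host sshd[102]: Failed password for root from 203.0.113.7 port 50123 ssh2
Mar  1 10:00:05 host sshd[103]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar  1 10:00:09 host sshd[104]: Accepted publickey for alice from 198.51.100.4 port 41000 ssh2
Mar  1 10:00:11 host sshd[105]: Failed password for alice from 198.51.100.4 port 41001 ssh2
"""

# Matches sshd's "Failed password" line and captures the source IPv4 address.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(log_text):
    """Return a Counter of failed-login attempts keyed by source IP."""
    failures = Counter()
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            failures[match.group(1)] += 1
    return failures


def offenders(log_text, threshold=3):
    """Source IPs that reached the failure threshold (threshold is an assumption)."""
    return sorted(ip for ip, n in count_failures(log_text).items() if n >= threshold)


def block_rules(ips, chain="INPUT"):
    """Render iptables commands that drop further packets from each IP.

    The commands are only returned as strings here; a real deployment would
    run them with appropriate privileges and expire them after a while.
    """
    return ["iptables -I %s -s %s -j DROP" % (chain, ip) for ip in ips]


if __name__ == "__main__":
    for rule in block_rules(offenders(SAMPLE_LOG)):
        print(rule)
```

DROP is used rather than REJECT so the blocked source gets no response at all, which is the "stealth" behaviour discussed later in the thread; swapping `-j DROP` for `-j REJECT` would instead send the source an explicit refusal.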
You can restrict by a billion different things with the right tools. iptables for Linux can restrict by IP, port, interface, DNS name, route the packet came by, and plenty more.
ZoneAlarm is a shed: it is slow, eats system resources, and generally is a pain in the backside. But yes, if you have all your ports shut, bar DNS and web, then your vulnerabilities are restricted to those applications which use those ports.
Many software firewalls block at the IP layer, and at the application layer, so in theory, you should be well protected.
Ports have 3 states: open, closed, and stealth. Closed just means that it's there, but refusing connections, and thus telling the connection source that it is there. Stealth ports just drop any packets that reach them, thus not revealing that there is anything on the end of it.
Joel
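The three port states Joel lists, and the earlier post's point that the kernel only hands data to a program if one is registered on that port, can be observed on the loopback interface. The following is an added example, not code from the thread: it starts a tiny listener on a kernel-chosen port, probes it the way a scanner would, then probes a port that is bound but has no listener so the kernel answers with a reset. The "stealth" branch is reached only when a firewall silently drops the probe, which cannot be produced on loopback without one; the port numbers, payload and one-second timeout are assumptions for the example.

```python
import socket
import threading


def _serve_once(listener):
    """Accept one connection and echo back whatever the kernel delivered to us."""
    conn, _ = listener.accept()
    with conn:
        data = conn.recv(1024)
        conn.sendall(b"got:" + data)


def probe(port, payload=b"hello", timeout=1.0):
    """Classify 127.0.0.1:port as 'open', 'closed' or 'stealth'.

    Returns (state, reply). Reply is only present for an open port.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(("127.0.0.1", port))
    except ConnectionRefusedError:
        sock.close()
        return "closed", None   # RST came back: host is there, nothing listening
    except socket.timeout:
        sock.close()
        return "stealth", None  # no answer at all: packets were dropped
    with sock:
        sock.sendall(payload)
        return "open", sock.recv(1024)


def demo():
    """Probe one listening port and one bound-but-not-listening port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: let the kernel pick a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]
    server = threading.Thread(target=_serve_once, args=(listener,), daemon=True)
    server.start()
    result_open = probe(open_port)
    server.join()
    listener.close()

    # Bind a port without calling listen(): the kernel owns it, but no program
    # is registered to accept connections, so connect attempts get a reset.
    unused = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    unused.bind(("127.0.0.1", 0))
    closed_port = unused.getsockname()[1]
    result_closed = probe(closed_port)
    unused.close()

    return {"open": result_open, "closed": result_closed}


if __name__ == "__main__":
    for state, result in demo().items():
        print(state, "->", result)
```

A firewall rule with a DROP target turns the "closed" answer into the "stealth" one: the probe sees a timeout instead of a refusal, so a scanner cannot tell a filtered port from a host that is not there.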