Just because you have a firewall doesn't mean that nothing can beat it. Can people still steal your car when you put on an alarm? Phil put a good answer up though.<div><br><br><div class="gmail_quote">On Tue, Jan 22, 2013 at 9:15 PM, Phil Turmel <span dir="ltr"><<a href="mailto:philip@turmel.org" target="_blank">philip@turmel.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On 01/22/2013 08:28 PM, Ron Frazier (ALE) wrote:<br>
> The discussion on vpn's and security at Emory prompted me to ask<br>
> this. This was prompted by some statements in another thread that a<br>
> PC could be in danger if attached to unfiltered lan ports on Emory's<br>
> network.<br>
><br>
> Assume you have a PC connected directly to the internet. It doesn't<br>
> matter if it's linux, windows, mac, or android. I'm speaking in<br>
> conceptual terms. Assume the PC is not running any server type<br>
> programs, so it is not listening on any ports. Assume no one is<br>
> browsing to potentially malicious web pages, or even any web pages.<br>
> The PC is just sitting there idling. Assume the PC has firewall<br>
> software running. The firewall's only job is to drop all packets<br>
> that are not part of a response to an inquiry that this PC has<br>
> issued. I don't want to debate, at this point, the pros and cons<br>
> of dropping all packets or operating in stealth mode.<br>
><br>
> My question is, conceptually speaking, how can this PC POSSIBLY be<br>
> vulnerable to any remote attack? How could anything faze it?<br>
<br>
</div>Because a software firewall is *software*, and it is part of a<br>
closed-source operating system that is opaque to audits. Said operating<br>
system has a history of alternate paths in its kernel that permit<br>
various packet types to reach the OS in spite of the firewall.<br>
<br>
Third-party firewalls couldn't close the loopholes either, as the hooks<br>
offered by MS for their use saw packets only after the loopholes' hook.<br>
<br>
I don't remember all the details, but I believe bypasses that caused the<br>
most trouble were part of the remote procedure call subsystem. I<br>
believe MS has since closed that one. But there's no way to know what<br>
MS still has, not to mention any exploitable flaws that remain.<br>
<div class="im"><br>
> Then, how does the answer change depending on whether it is linux,<br>
> windows, mac, or android.<br>
<br>
</div>Windows and MacOS have network protocol stacks with unpublished source<br>
code, and so have no independent audit of what happens to packets within<br>
them.<br>
<br>
Linux and the public 'BSDs have published source code that can be<br>
audited. Linux is known to apply its packet filtering algorithms as<br>
close to the drivers as possible.<br>
<div class="im"><br>
> Finally, if it were behind a hardware firewall, or router, how could<br>
> any unwanted packets get on the lan?<br>
<br>
</div>They generally can't, without an invitation. NAT relies upon outbound<br>
requests from a connection-oriented protocol (like TCP) to establish a<br>
return path. If the firewall is NATted, only packets that have been<br>
"invited" to return can get in.<br>
<br>
If the firewall is not a NAT, there are more opportunities for directed<br>
packets to get into the LAN, but the firewall's packet filters will<br>
still be applied before Windows sees the packets. Its holes don't<br>
apply in that case.<br>
<br>
Of course, most modern attacks are in the browser (or mail client),<br>
where a user, by loading a malicious page (or attachment), gives an<br>
attacker many invitations to deliver packets to the target machine.<br>
Here again, the auditable nature of open source software tends to expose<br>
flaws that an attacker would use to escape the browser's boundaries, and<br>
again to obtain elevated privileges.<br>
<br>
Windows is simply *not safe* to browse the internet with a direct<br>
connection, and only slightly safer behind a physical firewall.<br>
<span class="HOEnZb"><font color="#888888"><br>
Phil<br>
</font></span><div class="HOEnZb"><div class="h5">_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>SimonTek<br>912-398-6704<br>
</div>
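The "invitation" mechanism Phil describes (an outbound connection creates the only path by which return packets reach the LAN) can be shown concretely. The following is an added toy model written for this page, not code from the thread or from any real firewall: a minimal source-NAT gateway that keeps a translation table keyed on the full (protocol, public port, remote address, remote port) tuple, rewrites outbound packets to its public address, and forwards an inbound packet only if it matches an entry created by earlier outbound traffic. The addresses, ports and packets are constructed for the demo; Ron's host-only case (a software firewall with no address rewriting) is the same table lookup minus the rewrite. Real NATs differ in how strictly they key the table (so-called cone versus symmetric behaviour); this model uses the strict full-tuple match.

```python
"""Toy stateful NAT gateway illustrating 'only invited packets get in'.

Added example for this thread; not the code of any real firewall.
All addresses (RFC 5737 documentation ranges) and ports are made up.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    syn: bool = False  # TCP SYN: a new-connection attempt
    ack: bool = False


# Inbound lookup key: (proto, public_port, remote_ip, remote_port)
Key = Tuple[str, int, str, int]
# LAN endpoint the entry was created for: (lan_ip, lan_port)
Endpoint = Tuple[str, int]
# Outbound flow identity: (proto, lan_ip, lan_port, remote_ip, remote_port)
Flow = Tuple[str, str, int, str, int]


class NatFirewall:
    """One public address in front of many LAN hosts.

    Outbound traffic allocates a public port and records who asked;
    inbound traffic is forwarded only when it matches such a record.
    """

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.inbound_map: Dict[Key, Endpoint] = {}
        self.outbound_map: Dict[Flow, int] = {}
        self.dropped: List[str] = []  # log of rejected inbound packets

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: reuse or allocate a public port, rewrite source."""
        flow: Flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self.outbound_map.get(flow)
        if public_port is None:
            # First packet of a new flow: this is the 'invitation' for replies.
            public_port = self.next_port
            self.next_port += 1
            self.outbound_map[flow] = public_port
            self.inbound_map[(pkt.proto, public_port, pkt.dst_ip, pkt.dst_port)] = (
                pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=public_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: forward only packets that match an outbound flow."""
        key: Key = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        target = self.inbound_map.get(key) if pkt.dst_ip == self.public_ip else None
        if target is None:
            self.dropped.append(
                f"DROP {pkt.proto} {pkt.src_ip}:{pkt.src_port} -> "
                f"{pkt.dst_ip}:{pkt.dst_port} (no matching outbound flow)")
            return None
        lan_ip, lan_port = target
        return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)


def demo() -> dict:
    """Run a constructed scenario and return every decision for inspection."""
    fw = NatFirewall("203.0.113.5")
    lan_syn = Packet("192.168.1.10", 51000, "198.51.100.20", 443, syn=True)
    out = fw.outbound(lan_syn)                                   # SYN leaves as 203.0.113.5:40000
    reply = fw.inbound(Packet("198.51.100.20", 443, fw.public_ip,
                              out.src_port, syn=True, ack=True))  # SYN/ACK is invited -> forwarded
    out_again = fw.outbound(replace(lan_syn, syn=False, ack=True))  # same flow keeps port 40000
    other = fw.outbound(Packet("192.168.1.11", 51001, "198.51.100.20", 443, syn=True))  # new flow -> 40001
    scan = fw.inbound(Packet("192.0.2.99", 4444, fw.public_ip, 445, syn=True))  # unsolicited -> dropped
    spoof = fw.inbound(Packet("192.0.2.99", 443, fw.public_ip, out.src_port, syn=True))  # right port, wrong peer -> dropped
    return {"out": out, "reply": reply, "out_again": out_again, "other": other,
            "scan": scan, "spoof": spoof, "dropped": list(fw.dropped)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two dropped packets are the point: the port scan never had an entry, and the spoofed packet aimed at the allocated public port fails because the table is keyed on the remote endpoint as well. None of this helps, as Phil notes, once the user's own browser or mail client issues the invitation, and the model says nothing about whether the stack behind the filter honours it.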