[SLUG] [Corrected] Firewalls, Viruses, Worms and Security

From: steve szmidt (steve@szmidt.org)
Date: Tue Apr 25 2006 - 08:17:28 EDT

[Phew, too many spelling errors in the last post.]

There are some things to be aware of when it comes to firewalls. Here's a
technical description brought down to layman's language. I'm taking certain
technical liberties (or inaccuracies) to keep it simple.

Even the best firewall cannot block what looks like legitimate
communication. All it does is block most access and let some through.

Network communication is done with compact units of data called packets.
Imagine a truck with its paperwork showing where to pick it up and where to
deliver it. That paperwork is called the header information. Then in the back
is the payload: the data that is being transmitted.

Usually it takes many trucks (packets) to deliver all the data, as the typical
payload only carries about 1500 bytes. (One byte is one character: a letter,
number or symbol.) A typical web page should not contain more than about
100,000 bytes (100K). The reason is the time it takes to download across the
Internet; too much takes too long. Of course that number is going up as more
and more people are able to download larger amounts thanks to increasing
transmission speeds.

OK, so we have the header information telling the driver where to deliver the
1500 or so bytes of payload. It does contain various other little tidbits, but
we don't have to worry about them.

If you visit a website, you are now sending out a truck with the request to
get a web page from your computer to a remote server online. When the page
shows up on your monitor, that means the remote server delivered information
through the firewall to your computer.

The modern firewall keeps track of outgoing requests, noting the time, origin
and destination. Then if a reply returns it checks to see if it's from a
requested destination within the timeframe. This is called stateful

In network communication there is a standard method of starting up a
connection. A packet is sent out saying I'm an originator. I wish to start a

It's received, and another packet is returned to the originating computer
saying I got your request. Next the originator sends a new communication
saying here is what I want from you, which in turn is acknowledged. This is
referred to as handshaking. If both shake, then both know all is well and the
connection can go on.

All the time there is a stream of packets flowing from each side with requests
and acknowledgments, ensuring they are in good communication with each other.

Older firewalls simply looked to see if a packet arrived that said it was a
response to an established connection. Having no notes of the requests that
went out, the firewall would not know any better and let it in. These days
probably all firewalls do stateful inspection.
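To make the stateless/stateful contrast concrete, here is a small C model of both behaviours, added to this post as an illustration (it is not code from the post or from any firewall product). The packet layout, the state table, the 60-second timeframe and the sample addresses are all assumptions made for the example: the outgoing SYN is noted, the matching SYN-ACK is accepted because it comes back from the requested destination within the timeframe, and a packet that merely claims to belong to an established connection is let in by the old-style check but dropped by the stateful one.

```c
/* Added example, not from the post: a toy model of the difference between an
 * old stateless filter and stateful inspection. The packet layout, the state
 * table and the sample addresses are invented for the illustration. */
#include <stdio.h>
#include <string.h>

#define REPLY_TIMEOUT 60   /* seconds an outgoing request stays "expected" */
#define MAX_STATES    16

/* Only the header fields a firewall reads: the paperwork on the truck. */
struct packet {
    unsigned int   src_ip, dst_ip;
    unsigned short src_port, dst_port;
    int            syn, ack;     /* TCP handshake flags */
    long           time;         /* arrival time, seconds */
};

/* One note the stateful firewall keeps about a request that went out. */
struct state {
    unsigned int   inside_ip, outside_ip;
    unsigned short inside_port, outside_port;
    long           started;
    int            in_use;
};

static struct state table[MAX_STATES];

void stateful_reset(void) { memset(table, 0, sizeof table); }

/* Old-style filter: believes any packet that claims to belong to an
 * established connection (ACK set, no SYN), because it kept no notes. */
int stateless_allow_inbound(const struct packet *p)
{
    return p->ack && !p->syn;
}

/* Stateful firewall, outgoing direction: let it through and note the time,
 * origin and destination. Returns 0 only if the table is full. */
int stateful_outbound(const struct packet *p)
{
    for (int i = 0; i < MAX_STATES; i++) {
        if (!table[i].in_use) {
            table[i].inside_ip    = p->src_ip;
            table[i].inside_port  = p->src_port;
            table[i].outside_ip   = p->dst_ip;
            table[i].outside_port = p->dst_port;
            table[i].started      = p->time;
            table[i].in_use       = 1;
            return 1;
        }
    }
    return 0;
}

/* Stateful firewall, incoming direction: a packet is accepted only if it
 * comes from a destination we asked, back to the port we asked from, and
 * within the timeframe. Anything else is dropped, whatever its flags say. */
int stateful_inbound(const struct packet *p)
{
    for (int i = 0; i < MAX_STATES; i++) {
        const struct state *s = &table[i];
        if (s->in_use
            && s->outside_ip == p->src_ip && s->outside_port == p->src_port
            && s->inside_ip  == p->dst_ip && s->inside_port  == p->dst_port
            && p->time - s->started <= REPLY_TIMEOUT)
            return 1;
    }
    return 0;
}

int main(void)
{
    /* constructed sample: the handshake for a web request from 10.0.0.5 */
    struct packet syn    = { 0x0A000005, 0xC0A80101, 40000, 80, 1, 0, 100 };
    struct packet synack = { 0xC0A80101, 0x0A000005, 80, 40000, 1, 1, 101 };
    struct packet claim  = { 0xDEADBEEF, 0x0A000005, 80, 40000, 0, 1, 102 };

    stateful_reset();
    printf("SYN out      : %s\n", stateful_outbound(&syn) ? "allowed, noted" : "dropped");
    printf("SYN-ACK back : %s\n", stateful_inbound(&synack) ? "allowed, expected reply" : "dropped");
    printf("unrequested ACK: stateless says %s, stateful says %s\n",
           stateless_allow_inbound(&claim) ? "allow" : "drop",
           stateful_inbound(&claim) ? "allow" : "drop");
    return 0;
}
```

Run it and the three printed lines show the decisions. A real stateful firewall also follows the rest of the handshake and removes entries when the connection closes, which this toy skips.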

Real crackers (criminal hackers) are people who know things like exactly how
network communications should work and try to find flaws in implementations
so that they can gain additional access or information out of a device.

A hacker (knowledgeable computer person) is a person who knows things like
exactly how network communications should work and tries to find flaws in
implementations so that they can gain additional access or information out of
a device.

Wait a minute! That's the same definition!

The difference is really how it is used. Being a hacker is a good thing
because you can find faults and fix them. A cracker has criminal intent. The
definitions tend to float around but the criminal intent is a pretty good

So what a cracker might do is hack into a website and plant some instructions
that, when executed, install some software on your computer.

When you then visit the website you happily download the page and his
instructions into your computer, where your browser faithfully executes the

The result is limited to the capabilities of your browser and what your
computer will let the browser do.

Under windoze you can quite easily get it to give away total control of the
computer. That has a lot to do with the fact that the user is usually running
as the Administrator, who has full, unfettered access to the computer.

Never mind all the various security design flaws that microsoft has made in
its quest for functionality.

When you run as a user with limited access the viral instructions have limited
capabilities too. This is a good thing. :)

So always run as a normal user! Only run as root when needed, and never browse
the Internet as root.

Now, there is actually more than one type of firewall.

The most common one is called a packet filter. It filters packets according to
IP address and port, source and destination. A good one can also filter
according to the type of packet.

It looks at where it came from, where it's going and executes the filter rule
that covers that request.
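A packet filter of the kind just described, written as an added C example (not from the post and not any product's rule language). The rule layout, the addresses (taken from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) and the rules themselves are constructed for the illustration: each rule names a source and destination network, a packet type and a destination port, the first rule that covers a packet decides, and anything no rule covers is dropped.

```c
/* Added example, not from the post: a minimal packet filter that decides by
 * where a packet came from, where it is going and what type it is. Rule
 * layout, names and the sample rules are invented for the illustration. */
#include <stdint.h>
#include <stdio.h>

enum proto  { PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17 };
enum action { DENY = 0, ALLOW = 1 };
#define ANY_PORT 0

/* The header fields a packet filter reads. */
struct hdr {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;   /* 0 for ICMP, which has no ports */
    int      proto;
};

/* One filter rule: source network, destination network, type, port, verdict. */
struct rule {
    uint32_t src_net; int src_prefix;   /* prefix 0 = any address */
    uint32_t dst_net; int dst_prefix;
    int      proto;                     /* 0 = any type */
    uint16_t dst_port;                  /* ANY_PORT = any port */
    enum action action;
};

/* Build a 32-bit address from dotted-quad parts. */
#define IP(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))

/* Does ip fall inside net/prefix? prefix 0 matches everything. */
int ip_in_net(uint32_t ip, uint32_t net, int prefix)
{
    if (prefix <= 0) return 1;
    uint32_t mask = prefix >= 32 ? 0xFFFFFFFFu : ~((1u << (32 - prefix)) - 1u);
    return (ip & mask) == (net & mask);
}

/* Constructed ruleset, read top to bottom. */
static const struct rule ruleset[] = {
    /* 1. a network we had trouble from: nothing at all gets in from it */
    { IP(203,0,113,0), 24, 0, 0, 0, ANY_PORT, DENY },
    /* 2. anyone may reach the web server on port 80 */
    { 0, 0, IP(192,0,2,10), 32, PROTO_TCP, 80, ALLOW },
    /* 3. anyone may ping the web server */
    { 0, 0, IP(192,0,2,10), 32, PROTO_ICMP, ANY_PORT, ALLOW },
    /* 4. only the local network may reach the admin (ssh) port */
    { IP(192,0,2,0), 24, IP(192,0,2,10), 32, PROTO_TCP, 22, ALLOW },
};
#define NRULES (sizeof ruleset / sizeof ruleset[0])

/* First matching rule wins; a packet no rule covers is dropped. */
enum action filter_decide(const struct hdr *p)
{
    for (size_t i = 0; i < NRULES; i++) {
        const struct rule *r = &ruleset[i];
        if (r->proto && r->proto != p->proto) continue;
        if (r->dst_port != ANY_PORT && r->dst_port != p->dst_port) continue;
        if (!ip_in_net(p->src_ip, r->src_net, r->src_prefix)) continue;
        if (!ip_in_net(p->dst_ip, r->dst_net, r->dst_prefix)) continue;
        return r->action;
    }
    return DENY;
}

int main(void)
{
    /* constructed samples: an outside client and an inside workstation */
    struct hdr web    = { IP(198,51,100,7), IP(192,0,2,10), 51000, 80, PROTO_TCP };
    struct hdr telnet = { IP(198,51,100,7), IP(192,0,2,10), 51000, 23, PROTO_TCP };
    struct hdr ssh_in = { IP(192,0,2,44),   IP(192,0,2,10), 51000, 22, PROTO_TCP };
    printf("web from outside   : %s\n", filter_decide(&web)    ? "allow" : "deny");
    printf("telnet from outside: %s\n", filter_decide(&telnet) ? "allow" : "deny");
    printf("ssh from the LAN   : %s\n", filter_decide(&ssh_in) ? "allow" : "deny");
    return 0;
}
```

The default-deny at the end is the part that matters most: a filter that lets through whatever it has no rule for is the misconfiguration the rest of the post warns about.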

Another type is called a proxy firewall. It receives a request and then
generates its own request to the remote server. When the answer comes back,
the proxy receives it and generates its own reply to you.

This method stops bad requests hidden within a good request. The firewall acts
like a proxy for you. You have given it rights to do things for you. Not
unlike an efficient secretary.

Then we have application firewalls. An application firewall looks at what the
application is trying to do and decides according to what it has learned to be
normal, acceptable behavior. When a computer tries to do things differently,
which a cracker almost always does, it's noted and the packets are stopped.

Due to the relative effectiveness of modern packet filters, that is the most
prevalent one. Ideally you have all three, forming several layers that all
have to be circumvented to gain access.

Application firewalls are usually pretty expensive. They need to know a lot
and work very fast.

The network industry has seen a lot of developments where devices gain new
capabilities, like a router having a firewall and a switch built-in.

(A switch is a communication hub. It lets different computers get together and
access each other. It used to be called a hub. The problem with hubs was that
when a packet arrived at the hub it was regenerated to all ports on the hub,
generating a lot of extra noise, as it was usually only one computer that
needed to receive it.

A switch knows who is connected, and can route packets to the correct port and
not simply broadcast them to all, all the time. A great improvement.)

A typical attack by a cracker often starts with establishing what type of
device he is reaching. The brand and model would be nice to know. With that
information he can then see what known vulnerabilities there are, and try to
exploit them.

Exploits always entail doing things wrong. (Unless it's a really, really dumb
flaw.) The cracker will do the unexpected in the hope of breaking the
"concentration" of the device, finding a flaw in the software and causing some
unusual response.

The most common one is called bugger overflow if you type poorly. For all
others its called buffer overflow.

A buffer is a place which temporarily holds information before it moves
along. A data entry field is a good example. It may ask for the name of
someone. By entering maybe 1000 characters, the program may get overwhelmed
and simply continue writing all of it into memory. These 1000 bytes would not
be random characters, but actual instructions.

All data to be processed must be in memory (RAM) where the processor can get
to it. Now if you can get viral instructions into memory they can be executed.

Basically programmers must ensure they put limits on data entry fields to
avoid this.
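The limit the author asks programmers to put on a data entry field, shown in C as an added example (not from the post): the unbounded copy that causes the overflow, beside a bounded version that refuses input which does not fit. The record layout, the 32-character field size and the function names are assumptions for the illustration.

```c
/* Added example, not from the post: the data-entry-field overflow described
 * above, as the unsafe pattern beside a bounded replacement. The record
 * layout, field size and function names are invented for the illustration. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32     /* the field size the programmer decided on */

struct record {
    char name[NAME_MAX];
    int  is_admin;      /* whatever happens to sit next to the buffer in memory */
};

/* The mistake: copy whatever arrives, with no limit. A name longer than
 * NAME_MAX - 1 characters keeps writing past `name` into neighbouring memory
 * (here is_admin; in other layouts a return address), which is the "continue
 * writing all of it into memory" the text describes. Shown for comparison
 * only; it is deliberately never called. */
void set_name_unbounded(struct record *r, const char *input)
{
    strcpy(r->name, input);          /* no length check at all */
}

/* The fix: find out whether the input fits before writing anything, and
 * refuse it if not (rather than quietly cutting it short, which can hide
 * problems of its own). Returns 0 on success, -1 if the input is too long. */
int set_name_bounded(struct record *r, const char *input)
{
    /* look for the terminating NUL within the field size; never read further */
    const char *end = memchr(input, '\0', NAME_MAX);
    if (end == NULL)
        return -1;                   /* no room for name plus terminator: reject */
    memcpy(r->name, input, (size_t)(end - input) + 1);
    return 0;
}

int main(void)
{
    struct record r = { "", 0 };
    char flood[1001];                /* constructed: a 1000-character "name" */
    memset(flood, 'A', 1000);
    flood[1000] = '\0';

    printf("short name : %s\n", set_name_bounded(&r, "Steve") == 0 ? "stored" : "rejected");
    printf("1000 chars : %s\n", set_name_bounded(&r, flood) == 0 ? "stored" : "rejected");
    printf("record now : name=\"%s\" is_admin=%d\n", r.name, r.is_admin);
    return 0;
}
```

The check happens before the copy and the record is left untouched on rejection, so the program can report the bad input instead of carrying on with a half-written field.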

There are of course lots of ways to do the unexpected. This is why most
people think they are safe: they simply don't realize the possibilities
available to a cracker.

Attempting to break through a firewall by doing the normal thing will seldom
work, unless it's misconfigured. Having found a flaw, he gains unexpected
access, which is then used to get further in.

Sometimes a cracker might take 20 steps, sequentially through various cracks
found along the way, following a path that nobody else would ever have thought
of even trying. By being really knowledgeable about computers he manages what
is considered impossible by almost everyone. He is by all means very skilled.

The typical mindset of a cracker is also not that of a normal citizen. To him,
or very occasionally her, information (or data) is his if he can reach it.
It's your failure to close all the doors, and letting him in. Once reached
it's his, like a rescued ship at sea belongs to the salvager.

A lot of crackers don't break anything once in. They may even tell you about
how they got in, trying to be helpful to society. I know several network
managers who never reported the guy, as he had helped them secure their
network.

Below crackers, or black hats as they are often known, we have wannabe
crackers. They don't have the know-how and are simply running small programs
which are written to take advantage of known flaws. These small programs are
often called scripts: basically a series of manual instructions. These
wannabes are called script kiddies. (Usually a cracker is a young, bored kid,
trying to have some fun.)

Enter organized crime, stage left.

A few years ago organized crime in Russia realized the potential they have in
the Internet. Being in a country in upheaval it was easy to find kids to do
the dirty work for a few Rubles.

Soon organized crime worldwide had crackers on their payroll.

A computer virus is a program that takes advantage of an ignorant user. A
virus, by definition, needs to be executed by a user to work. Thus email
attachments became the most popular method of spreading viruses. People are
too curious and too willing to be ignorant about things that affect them.

A worm, however, is a virus which does not require a user to execute it. It
will spread automatically to computers which have some particular flaw in

Thanks to the money of organized crime, viruses and in particular worms have
gotten very sophisticated, often running some smoke screen as to their actual
intent. They also spread across the world at an increasing speed and

This has created a digital universe which is very dangerous. It has raised the
stakes on both sides, but is still very successful mostly due to ignorance.
Most software developers respond pretty fast to flaws in their code. Poorly
maintained, or not maintained at all, computers are the breeding ground for viral code to

Keeping security patches up to date and having multiple layers of security in
place is vital. Simply installing a firewall does not cut it.

You need to know about your vulnerabilities.

This is a problem all in itself, as most people have no idea at all as to how
to approach it. Fortunately there are very good open source solutions
which can detect past successful attacks, locate flawed configurations and

One very good program is called Nessus. It detects about 10,000 known
vulnerabilities across platforms. Others are SNORT, which sees attacks in
progress, and Tripwire, which notices when programs are modified, added or

Tripwire should be installed after a fresh install and before any network
connection is established to ensure you have a "virgin" system.

SNORT can be installed at any time after Tripwire, and Nessus is run after
each change in hardware or software.

Of the three Tripwire is the most important, then Nessus and finally SNORT.
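An added C illustration of the idea behind Tripwire-style checking (this is not Tripwire's code, and the post does not describe Tripwire's internals): a baseline of file hashes is taken on the clean system, and a later scan is compared against it to report files that changed, appeared or disappeared. The sample paths and contents are constructed, and the hash is a small non-cryptographic one chosen to keep the example short; a real tool uses a cryptographic hash and keeps the baseline where an intruder cannot rewrite it, which is why the post wants it taken before the machine is ever on the network.

```c
/* Added example, not from the post and not Tripwire's code: the idea behind a
 * file-integrity checker. Names, the hash and the sample "files" are invented. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FILES 16

/* What is on disk: path plus content (stands in for reading the real file). */
struct file  { const char *path; const char *content; };
/* What the baseline remembers: path plus the hash of its content. */
struct entry { const char *path; uint64_t hash; };

/* FNV-1a, a small non-cryptographic hash, enough for the demo. A real tool
 * uses a cryptographic hash so a changed file cannot be made to match. */
uint64_t fnv1a(const char *data, size_t len)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= (unsigned char)data[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Take the baseline on the clean system: hash every file and remember it. */
size_t take_baseline(const struct file *files, size_t n, struct entry *out)
{
    for (size_t i = 0; i < n; i++) {
        out[i].path = files[i].path;
        out[i].hash = fnv1a(files[i].content, strlen(files[i].content));
    }
    return n;
}

struct report { int modified, added, missing; };

/* Compare a fresh scan against the baseline and count each kind of change. */
struct report check_integrity(const struct entry *base, size_t nbase,
                              const struct file *now, size_t nnow)
{
    struct report r = { 0, 0, 0 };
    /* every file in the baseline must still exist and hash the same */
    for (size_t i = 0; i < nbase; i++) {
        int found = 0;
        for (size_t j = 0; j < nnow; j++) {
            if (strcmp(base[i].path, now[j].path) != 0) continue;
            found = 1;
            if (fnv1a(now[j].content, strlen(now[j].content)) != base[i].hash) {
                r.modified++;
                printf("MODIFIED %s\n", base[i].path);
            }
            break;
        }
        if (!found) { r.missing++; printf("MISSING  %s\n", base[i].path); }
    }
    /* anything on disk now that the baseline never saw */
    for (size_t j = 0; j < nnow; j++) {
        int known = 0;
        for (size_t i = 0; i < nbase; i++)
            if (strcmp(now[j].path, base[i].path) == 0) { known = 1; break; }
        if (!known) { r.added++; printf("ADDED    %s\n", now[j].path); }
    }
    return r;
}

int main(void)
{
    /* constructed sample: the clean system right after install */
    struct file clean[] = {
        { "/bin/ls",     "ls-v1" },
        { "/bin/ps",     "ps-v1" },
        { "/etc/passwd", "root:x:0:0" },
    };
    struct entry base[MAX_FILES];
    size_t nbase = take_baseline(clean, 3, base);

    /* constructed sample: the same system later, with ps changed, an unknown
       binary present and ls gone */
    struct file later[] = {
        { "/bin/ps",                "ps-v1-changed" },
        { "/etc/passwd",            "root:x:0:0" },
        { "/usr/local/bin/unknown", "new" },
    };
    struct report r = check_integrity(base, nbase, later, 3);
    printf("modified=%d added=%d missing=%d\n", r.modified, r.added, r.missing);
    return 0;
}
```

A scan of the unchanged system reports nothing, which is the quiet result you want after every patch run; the three counts only move when something on disk differs from what was recorded.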

If you depend on your computer educate yourself a little bit all the time. In
time you will quickly cease to be a clueless victim and start being aware of
your digital surroundings.

Ensure Linux firewall is running on each Linux box. Use Zonealarm under

Pay attention to changes, like a slower computer, network, Internet
connection. Investigate the reason for the change.

There are logs which tell you what has transpired. [Note that a good cracker
will erase his trail from the log files. But a too-clean log can also be a
sign.] If you think you might be "owned" disconnect your network and

Have a plan of what to do in writing so that the steps are easy to execute.

If you can't do it find someone who can.

This has to be part of any business plan as a known expense. And on that note,
some bad numbers. To keep up with all the threats is a 40 hour / week job.

If you own a business you might not be able to afford a full time security
consultant. It may not even be needed if you only have a couple of computers
and don't offer any services like hosting a web server. And have limited
Internet activities. But someone needs to keep an eye on it.

What you don't know will probably bite you sooner or later.

Security is a tradeoff. You spend as much time and resources as is practical.
The more security you add, the less functional things tend to get. Install a
good infrastructure and find a good, workable balance.

Then have a standard written routine of what to do if violated: steps that
have to be taken, like shutting down the network, rebuilding the server,
restoring backups, checking for covert physical devices connected to your
internal network. In some states you have to notify clients if you store
sensitive information.

You may have backup hard disks ready to take over. This way someone can audit
the violated servers/computers once you have recovered all. It will leave the
evidence intact on the original disk(s). Having identified the method of
access you can now correct it. (There are very good forensics tools under
Open Source which are used by security and law officials.)

Unfortunately it's a pretty big subject. You can subscribe to news from many
good sources.

Bruce Schneier is one such expert. He has a newsletter at:
http://www.schneier.com and http://www.counterpane.com

He will educate you about views and practical activities based on real life

https://secure1.securityspace.com/secnews/subscribe.html tracks security

CERT is a good government list to subscribe to:

There are high traffic security lists such as Full Disclosure and Bugtraq. A
list of tools and readings can be found on:

Be safe,


Steve Szmidt

"To enjoy the right of political self-government, men must be capable of
personal self-government - the virtue of self-control. A people without
decency cannot be secure in its liberty." From the Declaration Principles

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages posted are
those of the author and do not necessarily reflect the official policy or
position of NKS or any of its employees.

This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:52:23 EDT