hardware firewall

There are also cross-over devices like the Symantec (formerly Nexland) Security Gateway series and similar devices, which are NAT devices with *some* security functions. While they won't allow you fine-grained control over all packets, they do allow for defaulting to "deny all", as well as protecting against specific threats, and in some cases also VPN functionality.

You might want to reconsider remote ports 1433-1434 -- any port number higher than 1023 can (and thus sooner or later will) be used as valid ports for return traffic, and blocking them will cause timeouts and hopefully a retransmit, but sometimes a failure.

In the case of a NAT box that doesn't let anyone in, this is most likely to appear as an intermittent but hard-to-reproduce problem with FTP, where the client on the inside when sending PASV is told to use port XXXX for data traffic, and then can't connect to that port. An alternative solution then if you *really* want the high ports blocked is to set up port triggering for active FTP, allowing incoming traffic from port 20 if a connection has been made to port 21 on the same host. That's not 100% safe (IP spoofing and man-in-the-middle attacks are possible), but probably good enough for everyday use.

Regards,

Reply to
Arthur Hagen

No, that is exactly what I read, and what *is* a potential problem.

No, but consider this FTP transaction (very simplified -- syn/ack/syn+ack and most behind-the-scenes communication removed for clarity):

command                            client port    server port
ftp 123.45.67.89                   XXXXX       -> 21
USER anonymous                     XXXXX       -> 21
PASS snipped-for-privacy@bar.com   XXXXX       -> 21
PASV                               XXXXX       -> 21

The FTP server, when getting a PASV request, will open a dynamic port (chosen sequentially or randomly by the OS), and tell this to the client:

XXXXX 1433

Your NAT box setup blocks this outgoing request to a perfectly valid port, which is picked sequentially or randomly at the remote server.

Many operating systems will not assign ports as low as 1433 for unspecified port traffic, but there's plenty that do.

This is not a problem unique to FTP, although it's most noticeable here, due to there not being any recovery mechanisms. Unless the client sends a new PASV request (and yet another new one if that yields port 1434), the data connection will FAIL.

It will also affect all other traffic where a remote port is assigned dynamically. If you run any kind of server behind the NAT box, this will affect you as well. A remote client might very well have port 1433 assigned as *its* local port, and when contacting a server behind your NAT device, won't get any return traffic, because you block it.

Reply to
Arthur Hagen

No, I did not miss this. See my other post. You might not be aware that these ports can be legitimate destination ports on the outside.

For the low ports, this is mostly correct. But for the high ports (1433-1434), they can also be assigned dynamically at the remote end, and be perfectly valid ports for traffic not having anything to do with MSSQL. Just because the ports are used for MSSQL doesn't mean that they're used *exclusively* for MSSQL -- they're in the high range where they can be assigned dynamically unless something is already listening on them.

One of my pet peeves is ISPs that block high ports (in either direction) without knowing the full impact of doing so. Again, just because a port is used for exploits doesn't mean that it's not *also* used for legitimate traffic, and blocking it can prevent a valid connection from working.

Regards,

Reply to
Arthur Hagen

Can a router/hardware firewall stop incoming and outbound traffic just like a software firewall does?

Reply to
blackcatz

Sure. A standalone network device doing the filtering will even do a better job than your software firewall because it is not subject to problems you might introduce on your computer (viruses, resource starvation or whatever). The network device is of course running an operating system, but it's not the same system you use for p2p, CS, porn sites and installing random applications from non-trusted sites.

But it cannot see if the connection is originating from a worm like Slammer or a database client application. Or MSN (on port 80) versus your favorite web browser. However, if you have a worm or virus infecting your system it is (obviously!) already compromised.

So, where does that leave us? IMHO, the most useful thing a software firewall (or "personal firewall") can do is to stop more or less legit applications that are attempting to "phone home". I write "more or less" as most of these actually have a statement in the EULA where you give them permission to do just that. I won't discuss how useful this is, people have different needs (but I really hate it when they come bugging me about their network problems, which are resolved in an instant once the "personal firewall" goes away -- even when I make money on them).

Reply to
Eirik Seim

All firewalls have a processor running software just like your PC does, even though 'hardware firewalls' may not look like a PC.

The capability of the particular firewall depends on what the software it's running is doing and how it's configured.

Jason

Reply to
Jason Edwards

Yes, but in general a hardware firewall won't "stop an application" since that's not its job; a firewall's job is to analyze incoming/outgoing packets and drop or allow them according to the rules you set. By the way, there are "mix & match" solutions like, e.g., the one from SecurePoint, which consists of both a hardware firewall and some s/w modules to install on the clients; those modules will enforce traffic/application control using centralized rules. The above is just an example; if you search a little you will find other products which implement both "gateway" level filtering and "borderline" filtering.

Regards

Reply to
ObiWan

Yes and no - you need to break apart the two:

1) Routers (like Linksys and other home user ones) are really mostly NAT devices; they block inbound as part of the normal NAT function. These devices typically default to allowing ALL OUTBOUND traffic and no inbound traffic that wasn't requested by something inside the network.

2) Firewalls (like WatchGuard, CISCO, etc...) are actually firewalls and do not have to implement NAT. They default to NO INBOUND TRAFFIC AT ALL, and also block all outbound traffic completely. Some of these units default to allowing some outbound traffic like DNS and Web browsing, but many block everything in both directions and require the user to configure exactly what they want in/out.

In the case of some of the newer NAT units, they allow users to configure X number of outbound destination ports to be considered "Private" - meaning that you can block your computers from connecting to another (external) user's computer port XXXXXX by entering it in the Private Ports settings. You can also make some internal IPs private so that they can't access the internet.

In no case should a NAT unit be considered a firewall if it only does NAT/SPI.

With real firewalls, you can set up rules that allow basic functions (browsing the web, getting email) and block all other outbound connections - then set up an authentication method that lets users authenticate with the firewall and gain additional external access (like FTP, VPN, Telnet, etc..). You can't do this with a NAT box.

When I set up a small office or multi-user location with a NAT box, I always block outbound connecting to ports 135-139, 445, 1433-1434. This helps to slow the spread of worms and other things that directly attack the MS sharing ports (and the SQL ports).

The nice thing about an appliance is that there are no user screw-ups that can take place to compromise the firewall, no trojans that can disable it, and it logs (if you set that up) all in/outbound traffic for review - some can even alert you to specific issues by sending a MSG or an email.

Hope this helps you some.

Reply to
Leythos

Wrong! It's not anything like the software/operating system running on your PC. The OS running on appliances runs ONLY the exact amount of code necessary to act as a firewall, it's hardened, it's tested for compliance with standards, and it's certified by independent labs for security compliance.

The OS for most firewalls runs from a ROM and runs code that is flashed to some form of EEProm or flash memory device.

Hardware, appliance, firewalls, are nothing like a PC, don't ever make that mistake.

Now, to be fair, I can install a real Firewall application on a dedicated Computer, not a cheap PC, and provide a quality solution, but I would never make the mistake of saying that they are the same.

Reply to
Leythos

I think you missed the part about blocking outbound connection DESTINATION (TO) ports xxx - this means I block the internal users from connecting TO DESTINATION ports listed. This does not block inbound on those ports, and it does not block the SOURCE PORT that the internal user would be using (which is not one of those ports).

Reply to
Leythos

You missed the part about the internal users being blocked from connecting TO those ports; I don't block the internally used ports, only the DESTINATION PORTS as listed. The blocking of the DESTINATION PORTS would not be a problem in any case - unless someone was trying to connect to MS SQL Server (1433-1434) or trying to map a drive across the internet to another user's machine (135-139/445) or some other MS service on that remote machine.

As I mentioned, the Linksys units allow you to map what they call private ports - these block OUTBOUND connections to DESTINATION PORTS you specify in those areas. This has nothing to do with what port the users system uses to create the outbound connection.

Reply to
Leythos
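To make the two sides of this exchange concrete (Arthur Hagen's passive-FTP failure and Leythos's point that his rule matches only the outbound DESTINATION port, never the source port), here is an added Python model that is not part of the original thread. The server address 123.45.67.89 is the one from the thread's sample transaction; the sequential data-port list, the client port 50000 and the 227 reply text are constructed for the example.

```python
import re

# Outbound DESTINATION ports Leythos blocks at the NAT box (135-139, 445, 1433-1434).
BLOCKED_DST_PORTS = frozenset(range(135, 140)) | frozenset({445, 1433, 1434})

# RFC 959 reply to PASV: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def outbound_allowed(src_port, dst_port, blocked=BLOCKED_DST_PORTS):
    """Destination-port rule: only dst_port is inspected; src_port never is."""
    if not (0 < src_port < 65536 and 0 < dst_port < 65536):
        raise ValueError("port out of range")
    return dst_port not in blocked


def parse_pasv(reply):
    """Decode a 227 reply into (host, data_port) with data_port = p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("field out of range in PASV reply")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def pasv_reply(host, port):
    """Build the 227 reply a server sends once it has bound a data port."""
    return (f"227 Entering Passive Mode ({host.replace('.', ',')},"
            f"{port // 256},{port % 256})")


def passive_transfer(server_ports, max_pasv, client_port=50000,
                     blocked=BLOCKED_DST_PORTS):
    """Simulate a client behind the NAT box: it sends PASV up to max_pasv
    times; the (constructed) server 123.45.67.89 offers its next dynamic
    port each time. Returns (data connection succeeded, ports offered)."""
    offered = []
    for raw_port in list(server_ports)[:max_pasv]:
        _, data_port = parse_pasv(pasv_reply("123.45.67.89", raw_port))
        offered.append(data_port)
        if outbound_allowed(client_port, data_port, blocked):
            return True, offered          # data channel opens
    return False, offered                 # every offered port was blocked
```

With a server whose next dynamic ports are 1433, 1434, 1435, a client that sends PASV only once fails, while one that retries twice succeeds on the third port; a connection whose *source* port is 1433 is never touched by the rule.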

The word "Wrong" certainly seems to be in fashion in this group. Is it compulsory to use it here? And should I always use a ! with it?

Well it all depends on what you mean by "like" "software" and "operating system" Leythos. Perhaps you could define these terms for me.

A firewall runs software and a PC runs software. Obviously it is not the same software, a child could tell you that (I know some that could), but the firewall does something which is like the PC in the sense that it runs software. This is what I was saying. Nothing more.

This is absolutely correct, and nothing that I said should have been interpreted as implying anything to the contrary. Clearly you were quick to interpret it as being contrary. Was that so that you could get to use the "Wrong" word?

The first EPROM I ever used was a 2708. I think you will find it difficult to flash an EPROM because you can only flash flash memory. Have you ever written code to flash a flash memory? One of us has.

I don't see any mistake here other than one which relates to the interpretation of words.

And your real application is a piece of software, running on some hardware which is dedicated to the firewall function and nothing else. It is like a PC in the sense that it is hardware running software. Nothing more.

Jason

Reply to
Jason Edwards

Well, yes... in a perfect world.

I guess this applies to most serious vendors, but I fear it does not apply to all of them. The limitations on the hardware help avoid bloated software, but I think you're being too optimistic if you take this for granted.

.... until you open up one of the more serious PIXes and take a look at the hardware... If anyone wants to build their own high-end PIX, this is how: [link]

However, I doubt your local Cisco partner will support such a setup :)

Reply to
Eirik Seim

Sorry dude, you couldn't be more wrong.

Check out Netscreen's Deep Inspection, SonicWall's IPS, and Fortinet's thingy.

Reply to
Mark S

Depends if you would call any PIX serious. Most security focussed resellers wouldn't these days.

Reply to
Mark S

You said "your PC", which implies that you meant his personal computer - so your statement was wrong or, at the very least, very misleading. The OS and "software" running on a firewall appliance is NOTHING like that running on any user's home computer.

The reason for my reply is so that people don't get the idea that you were talking about a standard personal computer running an OS that one would find on any other computer - since the firewall appliances don't use an OS or software that is "like" anything you would find on another PC.

[snip]

Notice I said EEProm (two E's), not EPROM. I was using EProms in the 70's and even used a sun-lamp to erase them before I could afford a UV lamp. Later, when making changes to system designs, we used EEProms and then static memory that came with its own battery device by Dallas. I've written a LOT of hex and assy code, but we don't really care to trade war stories, do we?

Reply to
Leythos

I only use CISCO, WatchGuard, Sonic, Netscreen and a couple others, the rest are nice, but I only trust what I've tested in our labs.

Reply to
Leythos
[cut]

Minor lapse of concentration there. You said EEPROM which is not the same thing as EPROM. You can ignore that paragraph.

Jason

Reply to
Jason Edwards

I see what you were saying now - and while I agree that it might be a problem some time, it has never been a problem in normal operation. I get the logs every day and have never seen 1433/1434 blocked at these locations. That being the case, I'm still going to do it, the benefit outweighs the trouble.

Reply to
Leythos

It's OK, I know what you were suggesting. At least I didn't mention PAL's :)

Reply to
Leythos
