Software/Hardware firewall interaction?

How can router log messages get to a monitor program like Wallwatcher without needing to put the router IP into the software firewall's "trusted zone" which I would think would have the effect of disabling the software firewall? I have a Linksys BEFSX41 and free Zonealarm.

Reply to
galt_57

You're confused, very confused.

Reply to
Sebastian Gottschalk

How about helping him?

Reply to
Fulcanelli

Good question. The answer is that the log records will be identified with the router's LAN IP address (probably 192.168.1.1). By contrast, packets arriving from the Internet will be identified with the remote IP addresses from which they originated. Although they pass through the router, they don't originate within the router, and packet header information distinguishes them from each other as well as from log records.

All of those addresses are in the packet headers, and are passed along to your computer, along with the information in their packets.

If a malicious remote site "spoofs" (falsifies) the address in the header so that it appears to be "192.168.1.1", the router's defences catch that, drop the packet, and create a log entry to report the blocked intrusion attempt. So, if the router's working properly (and it is), all packets that reach your computer claiming to have originated at "192.168.1.1" really did originate there.

When the software firewall on your LAN computer examines the packets, it looks at several things in their headers, including the originating addresses. If you placed "192.168.1.1" in the Trusted Zone, the firewall will allow those packets to pass. If a packet has an IP address that is not in the Trusted Zone, the packet will be blocked unless other information in its headers shows that it's a reply to a previous request made by an application on your computer (such as your browser or email program).

A logging program such as WallWatcher does not request log records from a router, it just passively waits for them to arrive. That means those log records are not replies, and that's why the router's LAN address has to be placed in the Trusted zone: otherwise, the software firewall will block them. (There are other ways to give permission, but the "zone" analogy is appropriate for ZoneAlarm.) The first time WallWatcher runs and a log record arrives at your computer, Zone Alarm will ask you whether WW should be allowed to receive that unsolicited log record. Unless you say "allow", WW will never be able to log anything.

Telling ZoneAlarm to always allow that kind of event does not grant WallWatcher other Internet privileges; all you've authorized is to let WW receive those log records from the router's LAN IP address.

Now, if you've asked WallWatcher to "Convert IP addresses to names" (on its LOGGING menu), WW will have to ask your ISP's DNS server to do the actual lookup, and will have to receive a reply to that request. In that situation, WW is originating Internet traffic, and Zone Alarm will ask you a second question: should this application be allowed to send things out to the Internet.

If you want to use the "Convert" option, the answer should be "always allow", but you can restrict what ZoneAlarm will allow WW to do: WW only needs to use port 53 to do DNS lookups, and only has to communicate with your ISP's DNS servers. It doesn't need permission to communicate with any other remote address, nor to use any other ports. By placing such limits, you can be sure WW will not be able to perform communications you don't think it should be allowed to make, and you will be able to use ZoneAlarm's own event logs to verify that WW isn't trying to make other contacts.

(There's a possible exception to that last limit: if you want to use WW's "Check for updates" option on the HELP menu, you'll have to tell your software firewall to let WW communicate with its website and retrieve a small file that contains the current version information. If you don't want to allow that, you can just browse to the website occasionally and see what's current.)

A rather long answer to a short question.

-Dan Tseng, WallWatcher author


Reply to
newsgroups
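The two permissions Dan describes (an unsolicited inbound log record accepted only from the router's LAN address, and outbound traffic from the logger restricted to port 53 toward the ISP's resolvers) can be written down as a small rule set and exercised. The block below is an added example, not WallWatcher or ZoneAlarm code and not the Linksys log format; the LAN host address, the resolver addresses and the sample log line are constructed for illustration.

```python
"""Host rule set and passive syslog receiver, as an added example.

Not WallWatcher or ZoneAlarm code. Addresses marked 'constructed' and the sample
log line are invented for illustration; the router address is the Linksys default
mentioned in the thread.
"""
import socket
from dataclasses import dataclass

ROUTER_LAN_IP = "192.168.1.1"                  # router LAN address from the thread
LAN_HOST_IP = "192.168.1.100"                  # constructed: the PC running the logger
ISP_DNS = {"203.0.113.53", "203.0.113.54"}     # constructed: the ISP's resolvers
SYSLOG_PORT = 514


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (toward this host) or "out" (from this host)
    proto: str          # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    reply: bool = False  # True if the packet belongs to a flow this host started


def allowed(pkt: Packet) -> bool:
    """Decision a host firewall makes with exactly the two grants from the post."""
    if pkt.reply:
        return True  # stateful rule: replies to our own requests always pass
    if pkt.direction == "in":
        # Unsolicited inbound: only syslog datagrams from the router's LAN address.
        return (pkt.proto == "udp"
                and pkt.src_ip == ROUTER_LAN_IP
                and pkt.dst_port == SYSLOG_PORT)
    if pkt.direction == "out":
        # The logger may only originate DNS lookups to the ISP's resolvers.
        return pkt.proto == "udp" and pkt.dst_port == 53 and pkt.dst_ip in ISP_DNS
    return False


def parse_syslog(payload: bytes) -> dict:
    """Split a BSD-style '<PRI>message' datagram into facility, severity, message."""
    text = payload.decode("ascii", errors="replace")
    if text.startswith("<") and ">" in text:
        pri, msg = text[1:].split(">", 1)
        pri = int(pri)
        return {"facility": pri // 8, "severity": pri % 8, "message": msg.strip()}
    return {"facility": None, "severity": None, "message": text.strip()}


def handle_datagram(src_ip: str, src_port: int, payload: bytes):
    """Return the parsed record if the datagram passed the inbound rule, else None."""
    pkt = Packet("in", "udp", src_ip, src_port, LAN_HOST_IP, SYSLOG_PORT)
    if not allowed(pkt):
        return None
    return parse_syslog(payload)


def serve(bind_ip: str = "0.0.0.0", port: int = SYSLOG_PORT) -> None:
    """Passive listener: it never sends, so nothing it receives is a 'reply'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        while True:
            data, (ip, sport) = sock.recvfrom(2048)
            record = handle_datagram(ip, sport, data)
            if record is not None:
                print(record)


if __name__ == "__main__":
    # Constructed sample line; real Linksys output looks different.
    sample = b"<134>router: blocked inbound tcp 198.51.100.7:1234 -> 203.0.113.10:445"
    print(handle_datagram(ROUTER_LAN_IP, 514, sample))   # accepted and parsed
    print(handle_datagram("198.51.100.7", 514, sample))  # not the router: None
```

Binding UDP port 514 needs administrator rights on most systems; pick a high port and point the router at it if you want to run `serve()` unprivileged. Note that `allowed()` treats a packet with the router's source address as genuine only because, as Dan says, the router drops spoofed packets arriving from the WAN side; that assumption does not hold for spoofed packets originating on the LAN itself.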

I don't even understand his problem.

  1. Why is he f****ng up his computer with the well-known malware ZoneAlarm if he actually wants security through a packet filter?
  2. Why isn't the router's IP already fully trusted? Too dumb for configuration?
  3. Why should one care about that? NAT is transparent with respect to the destination IP address for outbound and the source address for inbound communication.
Reply to
Sebastian Gottschalk

Thanks, Dan. I should have prefixed my question with "Here is a dumb newbie question..." since I don't yet know what I'm doing and I didn't realize that the router address couldn't be spoofed. Also I don't really want much "trust" in my local network. I now see that you have quite a bit of readable help in the WW help files so I will read that today. Thanks for the lengthy answer.

Reply to
galt_57

So now ZoneAlarm is malware? Yes I am dumb about routers -- I've owned one and worked with one for exactly one day. Is it impossible to spoof a local IP? What purpose does a software firewall serve behind a hardware firewall? I thought it would still block the ports externally but I have to make the local zone trusted so the ports aren't blocked externally.

Reply to
galt_57

Obviously. It's f****ng up computers and DDoSing Verisign servers. And it has no good use.

It's more about network configuration. To make a packet filter or even firewall achieve actual security you need a good configuration and you need to understand it.

No. Actually ZoneAlarm is vulnerable to packet modification through reassembly of overlapping IP fragments, so depending on what the router does it's even possible to spoof 127.0.0.1.

Does your router actually provide a good hardware-enhanced firewall? In case of doubt: not.

Questioning back: Are there any ports open due to running necessary but potentially insecure network services?

Question: Connect to
formatting link
and take a look at the reply. The source address of the related packets is

[ ] 212.58.224.131
[ ] your public address
[ ] your router's local address
[ ] your local address
[ ] 127.0.0.1
Reply to
Sebastian Gottschalk

Using what software? Or do you mean by looking at the router logs?

Reply to
galt_57

None, it's trivial if you just got a little clue about NAT. But if you really need a network sniffer, then try Ethereal.

Anyway, didn't you get the point? Without a big and deep comprehensive understanding of TCP/IP you cannot achieve any security through host-based packet filters or firewalls, no matter what certain colorful click-here wizards want to tell you.

Reply to
Sebastian Gottschalk

Ok, so what books on TCP/IP would you suggest? Any in particular?

Reply to
galt_57

[X] 212.58.224.131, so it doesn't matter whether your router's IP address is trusted

Cisco's "Understanding IP Addressing"
O'Reilly: "TCP/IP Network Administration", "IP Routing", "Building Internet Firewalls" (2nd Edition)

But at first I recommend reading and understanding the relevant RFCs.

The better idea would be understanding why you don't need any firewall and how to disable unnecessary services and harden the ones you want.

Reply to
Sebastian Gottschalk
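The quiz above and its answer come down to which header fields NAT rewrites. The block below is an added example, not part of the thread: a minimal port-address-translation table showing that an outbound packet has only its source rewritten and the matching reply has only its destination rewritten, so the reply reaches the LAN host still carrying 212.58.224.131 as its source, never the router's LAN address. The WAN address and the LAN host address are constructed.

```python
"""Minimal NAT (PAT) round trip, as an added example, not code from the thread.

212.58.224.131 is the remote address quoted in the thread; the LAN host and the
router's public (WAN) address are constructed documentation-range addresses.
"""
from dataclasses import dataclass, replace

LAN_HOST = "192.168.1.100"      # constructed
ROUTER_LAN = "192.168.1.1"      # router LAN address from the thread
ROUTER_WAN = "203.0.113.10"     # constructed public address
REMOTE = "212.58.224.131"       # remote web server from the thread


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Source NAT with port translation, keyed on (lan_ip, lan_port) -> wan_port."""

    def __init__(self, wan_ip: str, first_port: int = 50000):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.out = {}    # (lan_ip, lan_port) -> wan_port
        self.back = {}   # wan_port -> (lan_ip, lan_port)

    def outbound(self, p: Packet) -> Packet:
        """LAN -> WAN: rewrite only the source; the destination is untouched."""
        key = (p.src_ip, p.src_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return replace(p, src_ip=self.wan_ip, src_port=self.out[key])

    def inbound(self, p: Packet):
        """WAN -> LAN: rewrite only the destination; unmapped packets are dropped."""
        key = self.back.get(p.dst_port)
        if key is None or p.dst_ip != self.wan_ip:
            return None  # no entry: unsolicited, the router logs and drops it
        return replace(p, dst_ip=key[0], dst_port=key[1])


def round_trip(nat: Nat):
    """Send one request from the LAN host and return (packet on the wire, reply as delivered)."""
    request = Packet(LAN_HOST, 40000, REMOTE, 80)
    on_wire = nat.outbound(request)
    # The remote server answers the address it saw: the router's WAN address.
    reply_on_wire = Packet(on_wire.dst_ip, on_wire.dst_port, on_wire.src_ip, on_wire.src_port)
    delivered = nat.inbound(reply_on_wire)
    return on_wire, delivered


if __name__ == "__main__":
    nat = Nat(ROUTER_WAN)
    sent, got = round_trip(nat)
    print("on the wire:", sent)       # src 203.0.113.10:50000 -> dst 212.58.224.131:80
    print("delivered:  ", got)        # src 212.58.224.131:80  -> dst 192.168.1.100:40000
    print("unsolicited:", nat.inbound(Packet("198.51.100.7", 1234, ROUTER_WAN, 445)))
```

Because the delivered reply's source is the remote host, a host firewall rule that trusts 192.168.1.1 never matches ordinary web or mail replies; those pass (or not) on the strength of the stateful "reply to my own request" check, which is exactly what Dan's post describes.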

"TCP/IP" by Craig Hunt. "UNIX Network Programming" by Richard Stevens.

Yours, VB.

Reply to
Volker Birk

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.