Tips on blocking 'difficult' services..

Hi,

I have tried to find good websites on how to block unwanted internet traffic like hamachi, msn messenger, skype etc...

Thanks for suggestions on good sites covering this issue

regards

geir

Reply to
Geir Holmavatn

Get a firewall, one that isn't just a NAT Router pretending to be a firewall, and you can block all of those.

Reply to
Leythos

After following Leythos' "brilliant" suggestion, go here...

a list of ports used by various applications. Then, block those ports at your new firewall. Voila, no more MSN, Hamachi, Skype and whatever else you choose to block.

Where do you plan to do this? The apps you list make me think you may be trying to do this at your place of work. This isn't for your home network, is it?

ASMx4

Reply to
ASMx4

I'd be happy to demonstrate the contrary. You should be able to do so, too.

Reply to
Sebastian Gottschalk


Not the best advice I've ever seen. I believe the base should be to block everything, then allow only the services that are required. Once you start blocking unwanted services one-by-one, your ruleset will become too large to be easily interpreted.

Me.

Reply to
Me

"Me" wrote in message news:Lk0dh.1327$ snipped-for-privacy@newsfe1-gui.ntli.net...

And worse, you always forget ports.

arja

Reply to
arja

And even worse, you can run all of these protocols over any port you want. Now when will people stop following this "outbound filtering" nonsense?

Reply to
Sebastian Gottschalk

"Now when will people stop following this "outbound filtering" nonsense?"

Reply to
Kayman

Sebastian is quite correct. It is possible to run any TCP service on any TCP port or any UDP service on any UDP port.

However, in the original post, it was asked how it would be possible to block services such as Hamachi, MSN Messenger, Skype, etc.

I doubt it would be hugely possible to convince Microsoft to change the port their connection server sits on, the same goes for Skype, etc.

It is not flawed to want to block outgoing traffic at the firewall based on a port ruleset. If I were to block ports 6666-6669 I would be blocking access to IRC. Yeah, sure, I could set up a server running on a different port, some ARE configured on different ports, BUT if the default is the minimum allowed, it is unlikely that unwanted services will be accessible and those that are will likely be hugely limited.

It is a false statement to say that outbound filtering is nonsense. As I am sure Sebastian is aware, the best security is that of layers and least privilege. Outbound filtering is just another layer.

It is worth remembering Sebastian's warning that services can run on any port and if your security profile requires steps to mitigate this risk, then steps can be taken.

Hope this helps,

Bogwitch

Reply to
Bogwitch

Except only allowing outbound ports that are required is the standard for firewalling.

If you don't allow outbound except for DNS and HTTP/HTTPS then things like P2P apps, file sharing, IM, and many others fail. Yes, you can change the service ports, but most of the "running services" that people connect to are running on the standard ports and don't allow the client to pick what those ports are.

So, if you want to block access for LimeWire you just don't allow the destination ports outbound, and in 99% of cases it will block LimeWire from working.

So, outbound port blocking, in conjunction with a firewall that inspects the traffic to make sure that the ports you do expose are really carrying that type of traffic, does work, works well, and should be used.

None of those listed services would get connected to from any of our networks.

Reply to
Leythos

Never, because it often provides useful information in case of an infection.

arja

Reply to
arja

Not running the malware in the first place? Deploying the Least Privilege principle? Estimating the trustworthiness of software?

At any rate, you can only achieve security with a packet filter if you have in-depth knowledge about TCP/IP and networking, as well as having secured the host. That's exactly the qualification a non-technical person / average computer user lacks.

Indeed. They didn't waste code, and therefore complexity, on pretty useless features.

A sandbox, usually implemented with a VM. Ranging from specific ones like Java to full-scale PC copies like VMware.

Well, for online banking it's quite easy: Boot up from a Linux Live-CD.

What does "good quality" mean for you in terms of AV software? What does "good" or "quality" mean for "anti-spyware" software anyway?

And now you're telling me that you made your computer intentionally vulnerable...

Reply to
Sebastian Gottschalk

Very wrong. MSN Messenger trivially traverses via HTTP, Skype does both allow any port as well as SOCKS traversal, Hamachi allows any port...

So you don't even know what an IRC bouncer is.

Ah, "layered security", the buzzword that twists everything with "defense in-depth".

Yes, a layer of insecurity or non-security.

Indeed. What the hell of an administrator is this guy if he both technically and by policy allows the users to run arbitrary programs?

Reply to
Sebastian Gottschalk
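The two positions argued above (Leythos: deny outbound by default and allow only DNS and HTTP/HTTPS; Sebastian: the blocked protocols simply move to another port or tunnel over HTTP) can be modelled with a few lines of code. The following is an added example, not code from the thread or from any product mentioned in it. The rule evaluator, the application names and the connection attempts are constructed; the IRC range 6666-6669 is the one the thread quotes, while the other port numbers are conventional defaults and are assumptions.

```python
"""Blocklist versus default-deny outbound filtering, evaluated on sample attempts.

Added example, not from the thread. Rules use first-match semantics, as most
packet filters do; the sample attempts are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Attempt:
    app: str
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "deny"
    proto: str      # "tcp", "udp" or "any"
    ports: Tuple[int, int]  # inclusive destination-port range


def matches(rule: Rule, attempt: Attempt) -> bool:
    lo, hi = rule.ports
    return rule.proto in ("any", attempt.proto) and lo <= attempt.dport <= hi


def evaluate(rules: List[Rule], default: str, attempt: Attempt) -> str:
    """First matching rule wins; if nothing matches, the policy default applies."""
    for rule in rules:
        if matches(rule, attempt):
            return rule.action
    return default


# Strategy A: block a list of "known" application ports, allow everything else.
BLOCKLIST = [
    Rule("deny", "tcp", (6666, 6669)),   # IRC default range (quoted in the thread)
    Rule("deny", "tcp", (1863, 1863)),   # MSN Messenger default port (assumption)
]

# Strategy B: deny everything, allow only what the business actually needs.
ALLOWLIST = [
    Rule("allow", "udp", (53, 53)),      # DNS
    Rule("allow", "tcp", (53, 53)),
    Rule("allow", "tcp", (80, 80)),      # HTTP
    Rule("allow", "tcp", (443, 443)),    # HTTPS
]

# Constructed connection attempts: the last two are the interesting ones.
SAMPLE = [
    Attempt("browser", "tcp", 443),
    Attempt("irc-client", "tcp", 6667),
    Attempt("irc-client", "tcp", 7000),          # same protocol, non-default port
    Attempt("p2p", "tcp", 6346),
    Attempt("messenger-over-http", "tcp", 80),   # tunnels over an allowed port
]


def compare(attempts=SAMPLE):
    """Return (app, port, blocklist verdict, default-deny verdict) per attempt."""
    return [
        (a.app, a.dport, evaluate(BLOCKLIST, "allow", a), evaluate(ALLOWLIST, "deny", a))
        for a in attempts
    ]


if __name__ == "__main__":
    for app, port, blocklisted, allowlisted in compare():
        print(f"{app:22s} :{port:<5d} blocklist={blocklisted:5s} default-deny={allowlisted}")
```

Running it shows both sides of the argument at once: the blocklist stops IRC on 6667 but waves through the same client on port 7000 and an unlisted P2P port, which the default-deny ruleset catches; neither ruleset can tell the messenger traffic on port 80 from a browser, which is why the inspection Leythos mentions (checking that what flows on an allowed port really is that protocol) has to sit on top of the port rules.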

OK, at first you may provide me with a "personal firewall" that provides useful information. At next, you may present one that provides information in case of an infection.

And then we might discuss how serious Intrusion Detection Systems are implemented.

Reply to
Sebastian Gottschalk

Point taken.


You are quite correct. However, I do now. Thanks for bringing that to my attention! That doesn't change the fact that many services run on particular ports and it would be up to the service provider to change the listening port. I guess IRC was a bad example!

Do you have a problem with layered security, defence in depth, or both?

Are you saying that you can see NO justification for outbound filtering, under *ANY* circumstances? I agree that in many situations, outbound port filtering may provide a false sense of security, but if the implications are known, it can provide an additional layer of security.

And probably the main point, but without knowing the architecture, security model, business requirements, etc. it is a difficult one to call. Don't forget, some software will allow the user to install under a user context if the Administrator context is not available.

Bogwitch

Reply to
Bogwitch

I have a problem with "layered security", as it's just a buzzword describing a misinterpretation of the concept of "defense in depth".

And I have a problem with your messed-up quoting style. :-)

I'm saying that outbound filtering is just a mere completion of the general traffic filtering concept, but hardly provides any security. It allows you to enforce proper usage of legitimate communication, but can hardly disallow non-legitimate ones.

Or you can transfer the installation of such a software from another computer. Or you can modify the software to run properly without administrator access. Some software doesn't need any installation at all.

But well, where's your argument? Of course, enforcement of a no-exec policy is not done by assuming that software needs installers that enforce such a policy, but rather by globally denying exec rights to all normal users and whitelisting relevant applications.

Reply to
Sebastian Gottschalk


I hesitated to reply to this, but since you're in the business of providing good information I thought I might share.

Now, please be aware that I'm now talking about a home Internet connected PC, not sat behind a firewall, as I used to have set up. I use the system regularly, I use MS apps, and I go to 'dodgy' sites in order to collect infectious material. Not a standard user.

I used AtGuard, a reasonably good firewall (and, dare I say, IDS). It provides useful information in so far as I could see the purported IP address of intrusion attempts. It provided useful information if a piece of malware infected my system as I could (using outbound port blocking) see what connections the malware was trying to make, therefore providing useful information in the case of infection. One particular piece of malware infected explorer.exe and attempted to spew spam out on port 25. Now, I'll have to admit at this point that I did not allow ANY software to freely spew on port 25, but AtGuard would have picked it up anyway as explorer.exe should not be communicating over the Internet, let alone on port 25. Hence an infection detection. Sure, it took further research to identify the culprit DLL, which was then submitted to my AV companies of choice as it was not detected by them.

OK, so as I said before, it is not a standard user setup, but it is a case that required an outbound port blocking firewall and it worked as required.

Incidentally, I still use AtGuard when users where I work bring software they have a genuine business requirement to use, to check it to see what connections the software attempts to make.

I would be interested to hear how you would perform the task described. I am happy with the results I have achieved, but I'm sure there would be alternative and better ways to get there.

Bogwitch

Reply to
Bogwitch

But I guess you can't tell me how you define "intrusion attempts", or how AtGuard does define such, and why one should even bother about the common internet noise...

Very unlikely. No self-respecting malware creates its own connection, at least not without verifying that it has properly shut down all network filtering software - it just sits there, waits for you to open your web browser, and then hijacks this connection.

WTF? explorer.exe is write-protected to normal users. You're running as an administrator? Now you should really stop trying to tell me something about security.

I admit that I block outgoing port 25 as well, but hardly for the sake of intrusion detection and more for some stupid ISPs filtering it as well and redirecting it to their Smarthosts. My mail is usually delivered via SUBMISSION on Port 587.

At any rate, how do you justify that AtGuard makes your system vulnerable in the first place? Not just potentially by the added complexity, but also by known privilege escalation as well as even remote Denial of Service?

Nah, it worked by coincidence.

Huh? I have the 'netstat' command for that, and some people prefer graphical versions like TcpView from Sysinternals. Using a packet filter is totally superfluous for such a task.

Reply to
Sebastian Gottschalk

Sebastian Gottschalk wrote in news: snipped-for-privacy@mid.dfncis.de:

I understand what you are saying. I've spent too much time in management and have adopted a management style of speaking.

Believe it or not, I actually like the interface provided by OE. I have switched reader lest I offend.

My point is, for an average administrator, who might not be a security expert, dealing with average users, an outbound port blocking firewall will provide SOME security.

Sorry , I wasn't looking for a fight! :-)

For sure, denying exec rights is the better option. However, the usability of such a system would be reduced. The company I work for has tried to implement a deny exec policy, albeit applied retrospectively, which effectively caused a DoS. In short, deny exec is not always practical.

Bogwitch.

Reply to
Bogwitch

Sebastian Gottschalk wrote in news: snipped-for-privacy@mid.dfncis.de:

OK, AtGuard records all port connection attempts. I would define an intrusion attempt as a scan of several service ports, YMMV.

I think you have misunderstood. AtGuard detects when any software attempts an outbound connection and, according to rules, would allow or block the attempt. Also, according to rules, it would log the connection, whether allowed or not. Hence, if malware is hijacking the browser, the connection would be recorded and identifiable by the DST IP *NOT* being that of the requested server.

As I explained, I am using this system to collect malware. Yes, I am running with administrative permissions, this is intentional and yes I do understand the ramifications of my actions. If I were not running with admin privs, I would not collect the same quantity of malware.

I don't block for intrusion detection, I block because I don't trust OE!

Again, we are speaking at crossed purposes. Did you mean do I justify that AtGuard makes my system _LESS_ vulnerable? If so, the priv escalation is not an issue. This is a single user system. Also, I am not hugely concerned about DoS because I can reboot.

How so? It detects outbound connections, which is what I want.

I am not aware of netstat or TCPView keeping a log of connections. If a connection is only made for a very short time, would I catch it with netstat or TCPView? I don't think I would. Additionally, netstat and TCPView would not *BLOCK* the connection whilst logging it - I don't want to be responsible for squirting malware or spam all over the place!

Bogwitch

Reply to
Bogwitch
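Bogwitch's use of the outbound log (explorer.exe attempting port 25 in the earlier post, and the point just above that netstat or TcpView show a snapshot rather than a record of every attempt) comes down to reviewing a per-process connection log against expectations. The following is an added example, not code from the thread and not AtGuard's own format or rules: the log line layout, the process names, the addresses (documentation ranges) and the table of expected ports are all constructed assumptions standing in for a site's own configuration.

```python
"""Review a per-process outbound-connection log for signs of infection.

Added example, not from the thread. The log format and the EXPECTED table are
assumptions; the sample lines are constructed and use RFC 5737 documentation
addresses. Every attempt is logged, allowed or blocked, so even a connection
that lived for a few milliseconds leaves a record to inspect.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proc>\S+) (?P<proto>TCP|UDP) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) (?P<verdict>ALLOW|BLOCK)$"
)

# Processes expected to talk to the network, and the ports they may use.
# A process absent from this table is not expected to open any connection.
EXPECTED: Dict[str, set] = {
    "iexplore.exe": {80, 443},
    "outlook.exe": {25, 110, 587},
    "svchost.exe": {53, 123},
}

SMTP_FANOUT_THRESHOLD = 3   # distinct port-25 destinations that suggest a spam run


def parse(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec: dict) -> Optional[str]:
    """Return a finding for a record that breaks the expectations, else None."""
    allowed = EXPECTED.get(rec["proc"])
    if allowed is None:
        return f"{rec['proc']} should never use the network (dst {rec['dst']}:{rec['dport']})"
    if rec["dport"] not in allowed:
        return f"{rec['proc']} on unexpected port {rec['dport']} (dst {rec['dst']})"
    return None


def analyse(lines: List[str]) -> dict:
    """Return per-line findings plus processes fanning out on port 25."""
    findings: List[str] = []
    smtp_dsts: Dict[str, set] = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                      # unparseable line: skip, don't crash
        finding = classify(rec)
        if finding:
            findings.append(finding)
        if rec["proto"] == "TCP" and rec["dport"] == 25:
            smtp_dsts[rec["proc"]].add(rec["dst"])
    fanout = {p: len(d) for p, d in smtp_dsts.items() if len(d) >= SMTP_FANOUT_THRESHOLD}
    return {"findings": findings, "smtp_fanout": fanout}


# Constructed sample log: normal browsing and DNS, then a compromised explorer.exe
# trying three mail servers in quick succession, then a browser on an IRC port.
SAMPLE_LOG = [
    "2006-11-20 10:01:02 iexplore.exe TCP 198.51.100.10:80 ALLOW",
    "2006-11-20 10:01:03 svchost.exe UDP 198.51.100.1:53 ALLOW",
    "2006-11-20 10:02:14 explorer.exe TCP 203.0.113.5:25 BLOCK",
    "2006-11-20 10:02:14 explorer.exe TCP 203.0.113.6:25 BLOCK",
    "2006-11-20 10:02:15 explorer.exe TCP 203.0.113.7:25 BLOCK",
    "2006-11-20 10:03:00 iexplore.exe TCP 203.0.113.9:6667 BLOCK",
    "this line is deliberately malformed",
]


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for f in result["findings"]:
        print("FINDING:", f)
    for proc, n in result["smtp_fanout"].items():
        print(f"SMTP fan-out: {proc} contacted {n} distinct mail servers on port 25")
```

The value of the log over a netstat snapshot is visible in the sample: the three explorer.exe attempts span two seconds and were blocked immediately, so nothing would have shown in a connection table, yet each one is recorded and the fan-out across several port-25 destinations is exactly the spam pattern described above. The expected-ports table is where a site encodes Bogwitch's "explorer.exe should not be communicating over the Internet" rule.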
