
Same Machine software firewalls Junk? Malware working under APIs?



Captive
01-06-2003, 07:51 AM
Hello,

I was planning on writing a review of some firewalls I had come across, for my own technical cataloguing, as well as researching shopping carts tonight [for one I plan on designing], and came across this.

Now, I haven't written a firewall before, so I am taking someone else's opinion from a website to gain some insight into the issue stated above.

I would appreciate *constructive* opinions on same-machine software firewalls being a potential hazard.

The article url I located is here:
http://cyberpunks.org/display/356/article/

robsonde
01-06-2003, 12:08 PM
I would agree with most of what the article says.

The problem I have with same-system firewall design is that the only way data can get into the firewall is through the TCP stack of the host system; the whole point of having a firewall is to stop some/all data from getting into the TCP stack of any given system.

If there is an exploit in the TCP stack, then a firewall will not stop the data from getting in to use it.

The original design of a firewall was to have one computer dedicated to acting as a firewall. Same-system firewalls only came about because of the price of a program vs. the price of a system + program.

As for the virus changing the firewall, this can happen, and I have seen it done "in the lab".

For most home users, a same-system firewall is the best option at this point, unless they want to pay for another system just to run the firewall on.

Muzzer
01-06-2003, 02:36 PM
It's a never-ending scramble, with the consumers' pockets being picked to keep the participants nourished and healthy.

I take it that what is suggested in the article is that I should not be logged on as admin on my Win2k machine other than to install software and alter system settings, and that all the programs and processes that currently have permission to access the network or net (34 of them in Kerio's MD5 list) should be trimmed down to an absolute minimum. Even then I'm vulnerable, due to the very fact that this comp is connected and the protocols that enable that connection to work.

So, I should:

Only log on as a user for everyday (business) usage.
Block all except the most basic programs from accessing the net.
Refresh the installed programs and OS every so often to ensure the signatures' integrity.

Or get another comp running with, say, Smoothwall as a firewall.

Reading the article, it seems my habits have got a bit sloppy, but even with the best practices this machine and the other one networked with it could still be compromised.

I use a free firewall, but those who have paid for theirs may have been ripped off to some extent?

Cheers Murray P
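The "signatures" in the list above are the per-application MD5 fingerprints that personal firewalls such as Kerio keep for each program allowed out, and the earlier post's remark about a virus changing the firewall is the case where such a fingerprint should stop trust from carrying over. The script below is an added example (not code from this thread, from Kerio, or from any firewall vendor) of that baseline-and-verify idea as a standalone check: it records a digest for each trusted executable, re-checks them later, and treats any unknown or changed binary as "prompt" rather than "allow". The file names and contents are constructed sample data in a temporary directory, and SHA-256 is used in place of MD5 because MD5 collisions are practical today.

```python
"""Baseline-and-verify check for executables a personal firewall trusts.

Added example: models the per-application hash signature idea as a
standalone script. Everything in demo() is constructed sample data.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Kerio's application signatures used MD5; SHA-256 is used here because
# MD5 collisions are practical and a colliding binary would keep its trust.
DIGEST = "sha256"


def file_digest(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.new(DIGEST)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(trusted: list[Path]) -> dict[str, str]:
    """Record the digest of every executable the firewall is allowed to trust."""
    return {str(p): file_digest(p) for p in trusted}


def verify(baseline: dict[str, str]) -> dict[str, list[str]]:
    """Re-hash each baselined file and sort it into ok / modified / missing."""
    report: dict[str, list[str]] = {"ok": [], "modified": [], "missing": []}
    for path, expected in baseline.items():
        p = Path(path)
        if not p.exists():
            report["missing"].append(path)
        elif file_digest(p) != expected:
            report["modified"].append(path)
        else:
            report["ok"].append(path)
    return report


def decide(baseline: dict[str, str], exe: Path) -> str:
    """Rule lookup the way a hash-keyed per-application firewall does it:
    a binary is 'allow' only if it is baselined and its hash still matches;
    unknown, missing or changed binaries get 'prompt', never silent trust."""
    expected = baseline.get(str(exe))
    if expected is None or not exe.exists():
        return "prompt"
    return "allow" if file_digest(exe) == expected else "prompt"


def demo() -> dict:
    """Constructed scenario: two trusted programs, then an attacker overwrites
    the firewall's own binary and deletes the browser. Returns the results."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        ie = root / "iexplore.exe"      # constructed stand-in for a trusted app
        fw = root / "fwservice.exe"     # constructed stand-in for the firewall's binary
        ie.write_bytes(b"MZ original browser")
        fw.write_bytes(b"MZ original firewall")
        baseline = build_baseline([ie, fw])

        before = decide(baseline, ie)               # "allow": hash matches
        fw.write_bytes(b"MZ patched by malware")    # firewall binary replaced
        ie.unlink()                                 # browser removed
        report = verify(baseline)
        return {
            "before": before,
            "after_fw": decide(baseline, fw),       # "prompt": hash changed
            "after_ie": decide(baseline, ie),       # "prompt": file gone
            "modified": [Path(p).name for p in report["modified"]],
            "missing": [Path(p).name for p in report["missing"]],
            "ok": [Path(p).name for p in report["ok"]],
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats the thread itself raises apply to this check: if it runs on the same machine as malware that already has admin rights, the malware can rewrite the baseline file or the checker just as easily as the firewall, which is the argument for doing the enforcement on a separate box; and a matching hash only says the binary on disk is unchanged, not who is driving it, so it does nothing against code that borrows an intact trusted program's network permission.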

bmason
01-06-2003, 02:48 PM
It's more or less been said above, but...

Basically, a same-system firewall is only really any good against apps you trust, kind of defeating the purpose. Once a malicious programme is running on your system, it can do anything it likes (assuming it has root/admin access, but then there is probably an exploit it can use to get around that).

It's not just the firewall it can go after; it could also exploit currently trusted apps. For example, I believe some spyware uses IE to handle its connections, so it shows up in ZoneAlarm etc. as just IE wanting access.