Software/Hardware firewall interaction?

on 07.03.2006 04:41:50 by galt_57

How can router log messages get to a monitor program like Wallwatcher
without needing to put
the router IP into the software firewall's "trusted zone" which I would
think would have the effect of disabling the software firewall? I have
a Linksys BEFSX41 and free Zonealarm.

Re: Software/Hardware firewall interaction?

on 07.03.2006 08:51:36 by Sebastian Gottschalk

galt_57@hotmail.com wrote:
> How can router log messages get to a monitor program like Wallwatcher
> without needing to put
> the router IP into the software firewall's "trusted zone" which I would
> think would have the effect of disabling the software firewall? I have
> a Linksys BEFSX41 and free Zonealarm.

You're confused, very confused.

Re: Software/Hardware firewall interaction?

on 07.03.2006 09:45:50 by Fulcanelli

How about helping him?

Re: Software/Hardware firewall interaction?

on 07.03.2006 09:47:21 by newsgroups

Good question. The answer is that the log records will be identified
with the router's LAN IP address (probably 192.168.1.1). By contrast,
packets arriving from the Internet will be identified with the remote
IP addresses from which they originated. Although they pass through
the router, they don't originate within the router, and packet header
information distinguishes them from each other as well as from log
records.

All of those addresses are in the packet headers, and are passed along
to your computer, along with the information in their packets.

If a malicious remote site "spoofs" (falsifies) the address in the
header so that it appears to be "192.168.1.1", the router's defences
catch that, drop the packet, and create a log entry to report the
blocked intrusion attempt. So, if the router's working properly (and
it is), all packets that reach your computer claiming to have
originated at "192.168.1.1" really did originate there.

When the software firewall on your LAN computer examines the packets,
it looks at several things in their headers, including the originating
addresses. If you placed "192.168.1.1" in the Trusted Zone, the
firewall will allow those packets to pass. If a packet has an IP
address that is not in the Trusted Zone, the packet will be blocked
unless other information in its headers shows that it's a reply to a
previous request made by an application on your computer (such as your
browser or email program).

A logging program such as WallWatcher does not request log records from
a router, it just passively waits for them to arrive. That means those
log records are not replies, and that's why the router's LAN address
has to be placed in the Trusted zone: otherwise, the software firewall
will block them. (There are other ways to give permission, but the
"zone" analogy is appropriate for ZoneAlarm.) The first time
WallWatcher runs and a log record arrives at your computer, Zone Alarm
will ask you whether WW should be allowed to receive that unsolicited
log record. Unless you say "allow", WW will never be able to log
anything.

Telling ZoneAlarm to always allow that kind of event does not grant
WallWatcher other Internet privileges; all you've authorized is to let
WW receive those log records from the router's LAN IP address.

Now, if you've asked WallWatcher to "Convert IP addresses to names" (on
its LOGGING menu), WW will have to ask your ISP's DNS server to do the
actual lookup, and will have to receive a reply to that request. In
that situation, WW is originating Internet traffic, and Zone Alarm will
ask you a second question: should this application be allowed to send
things out to the Internet.

If you want to use the "Convert" option, the answer should be "always
allow", but you can restrict what ZoneAlarm will allow WW to do: WW
only needs to use port 53 to do DNS lookups, and only has to
communicate with your ISP's DNS servers. It doesn't need permission to
communicate with any other remote address, nor to use any other ports.
By placing such limits, you can be sure WW will not be able to perform
communications you don't think it should be allowed to make, and you
will be able to use ZoneAlarm's own event logs to verify that WW isn't
trying to make other contacts.

(There's a possible exception to that last limit: if you want to use
WW's "Check for updates" option on the HELP menu, you'll have to tell
your software firewall to let WW communicate with its website and
retrieve a small file that contains the current version information.
If you don't want to allow that, you can just browse to the website
occasionally and see what's current.)

A rather long answer to a short question.

-Dan Tseng, WallWatcher author

===============

galt_57@hotmail.com wrote:
> How can router log messages get to a monitor program like Wallwatcher
> without needing to put
> the router IP into the software firewall's "trusted zone" which I would
> think would have the effect of disabling the software firewall? I have
> a Linksys BEFSX41 and free Zonealarm.

Re: Software/Hardware firewall interaction?

on 07.03.2006 09:59:24 by Sebastian Gottschalk

Fulcanelli wrote:
> How about helping him?

I don't even understand his problem.

1. Why is he fucking up his computer with the well-known malware
ZoneAlarm if he actually wants security through a packet filter?
2. Why isn't the router's IP already fully trusted? Too dumb for
configuration?
3. Why should one care about that? NAT is transparent wrt destination
IP address for outbound and source address for inbound communication.

Re: Software/Hardware firewall interaction?

on 07.03.2006 15:30:24 by galt_57

newsgroups@wallwatcher.com wrote:
> Good question. The answer is that the log records will be identified
> with the router's LAN IP address (probably 192.168.1.1). By contrast,
> packets arriving from the Internet will be identified with the remote
> IP addresses from which they originated. Although they pass through
> the router, they don't originate within the router, and packet header
> information distinguishes them from each other as well as from log
> records.
>
> All of those addresses are in the packet headers, and are passed along
> to your computer, along with the information in their packets.
>
> If a malicious remote site "spoofs" (falsifies) the address in the
> header so that it appears to be "192.168.1.1", the router's defences
> catch that, drop the packet, and create a log entry to report the
> blocked intrusion attempt. So, if the router's working properly (and
> it is), all packets that reach your computer claiming to have
> originated at "192.168.1.1" really did originate there.
>
> When the software firewall on your LAN computer examines the packets,
> it looks at several things in their headers, including the originating
> addresses. If you placed "192.168.1.1" in the Trusted Zone, the
> firewall will allow those packets to pass. If a packet has an IP
> address that is not in the Trusted Zone, the packet will be blocked
> unless other information in its headers shows that it's a reply to a
> previous request made by an application on your computer (such as your
> browser or email program).
>
> A logging program such as WallWatcher does not request log records from
> a router, it just passively waits for them to arrive. That means those
> log records are not replies, and that's why the router's LAN address
> has to be placed in the Trusted zone: otherwise, the software firewall
> will block them. (There are other ways to give permission, but the
> "zone" analogy is appropriate for ZoneAlarm.) The first time
> WallWatcher runs and a log record arrives at your computer, Zone Alarm
> will ask you whether WW should be allowed to receive that unsolicited
> log record. Unless you say "allow", WW will never be able to log
> anything.
>
> Telling ZoneAlarm to always allow that kind of event does not grant
> WallWatcher other Internet privileges; all you've authorized is to let
> WW receive those log records from the router's LAN IP address.
>
> Now, if you've asked WallWatcher to "Convert IP addresses to names" (on
> its LOGGING menu), WW will have to ask your ISP's DNS server to do the
> actual lookup, and will have to receive a reply to that request. In
> that situation, WW is originating Internet traffic, and Zone Alarm will
> ask you a second question: should this application be allowed to send
> things out to the Internet.
>
> If you want to use the "Convert" option, the answer should be "always
> allow", but you can restrict what ZoneAlarm will allow WW to do: WW
> only needs to use port 53 to do DNS lookups, and only has to
> communicate with your ISP's DNS servers. It doesn't need permission to
> communicate with any other remote address, nor to use any other ports.
> By placing such limits, you can be sure WW will not be able to perform
> communications you don't think it should be allowed to make, and you
> will be able to use ZoneAlarm's own event logs to verify that WW isn't
> trying to make other contacts.
>
> (There's a possible exception to that last limit: if you want to use
> WW's "Check for updates" option on the HELP menu, you'll have to tell
> your software firewall to let WW communicate with its website and
> retrieve a small file that contains the current version information.
> If you don't want to allow that, you can just browse to the website
> occasionally and see what's current.)
>
> A rather long answer to a short question.
>
> -Dan Tseng, WallWatcher author

Thanks Dan. I should have prefixed my question with "Here is a dumb
newbie question..." since I don't yet know what I'm doing and I didn't
realize that the router address couldn't be spoofed. Also I don't
really want much "trust" in my local network. I now see that you have
quite a bit of readable help in the WW help files so I will read that
today. Thanks for the lengthy answer.

Re: Software/Hardware firewall interaction?

on 07.03.2006 20:14:14 by galt_57

Sebastian Gottschalk wrote:
> Fulcanelli wrote:
> > How about helping him?
>
> I don't even understand his problem.
>
> 1. Why is he fucking up his computer with the well-known malware
> ZoneAlarm if he actually wants security through a packet filter?
> 2. Why isn't the router's IP already fully trusted? Too dumb for
> configuration?
> 3. Why should one care about that? NAT is transparent wrt destination
> IP address for outbound and source address for inbound communication.


So now ZoneAlarm is malware? Yes I am dumb about routers -- I've owned
one and worked with one for exactly one day. Is it impossible to spoof
a local IP? What purpose does a software firewall serve behind a
hardware firewall? I thought it would still block the ports externally
but I have to make the local zone trusted so the ports aren't blocked
externally.

Re: Software/Hardware firewall interaction?

on 07.03.2006 20:47:16 by Sebastian Gottschalk

galt_57@hotmail.com wrote:
> Sebastian Gottschalk wrote:
>> Fulcanelli wrote:
>>> How about helping him?
>> I don't even understand his problem.
>>
>> 1. Why is he fucking up his computer with the well-known malware
>> ZoneAlarm if he actually wants security through a packet filter?
>> 2. Why isn't the router's IP already fully trusted? Too dumb for
>> configuration?
>> 3. Why should one care about that? NAT is transparent wrt destination
>> IP address for outbound and source address for inbound communication.
>
>
> So now ZoneAlarm is malware?

Obviously. It's fucking up computers and DDoSing Verisign servers. And
it has no good use.

> Yes I am dumb about routers -- I've owned
> one and worked with one for exactly one day.

It's more about network configuration. To make a packet filter or even
firewall achieve actual security you need a good configuration and you
need to understand it.

> Is it impossible to spoof a local IP?

No. Actually ZoneAlarm is vulnerable to packet modification through
reassembly of overlapping IP fragments, so depending on what the router
does it's even possible to spoof 127.0.0.1.

> What purpose does a software firewall serve behind a
> hardware firewall?

Does your router actually provide a good hardware-enhanced firewall? In
case of doubt: not.

> I thought it would still block the ports externally

Questioning back: Are there any ports open due to running necessary but
potentially insecure network services?

> but I have to make the local zone trusted so the ports aren't blocked
> externally.

Question: Connect to http://bbc.co.uk and take a look at the reply. The
source address of the related packets is

[ ] 212.58.224.131
[ ] your public address
[ ] your router's local address
[ ] your local address
[ ] 127.0.0.1

Re: Software/Hardware firewall interaction?

on 08.03.2006 02:36:04 by galt_57

Sebastian Gottschalk wrote:
> [...]
> Question: Connect to http://bbc.co.uk and take a look at the reply. The
> source address of the related packets is
>
> [ ] 212.58.224.131
> [ ] your public address
> [ ] your router's local address
> [ ] your local address
> [ ] 127.0.0.1

Using what software? Or do you mean by looking at the router logs?

Re: Software/Hardware firewall interaction?

on 08.03.2006 09:43:33 by Sebastian Gottschalk

galt_57@hotmail.com wrote:
> Sebastian Gottschalk wrote:
>> [...]
>> Question: Connect to http://bbc.co.uk and take a look at the reply. The
>> source address of the related packets is
>>
>> [ ] 212.58.224.131
>> [ ] your public address
>> [ ] your router's local address
>> [ ] your local address
>> [ ] 127.0.0.1
>
> Using what software?

None, it's trivial if you just got a little clue about NAT.
But if you really need a network sniffer, then try Ethereal.

Anyway, didn't you get the point? Without a big and deep comprehensive
understanding of TCP/IP you cannot achieve any security through
host-based packet filters or firewalls, no matter what certain colorful
click-here-wizards want to tell you.

Re: Software/Hardware firewall interaction?

on 08.03.2006 14:06:42 by galt_57

Sebastian Gottschalk wrote:
> galt_57@hotmail.com wrote:
> > Sebastian Gottschalk wrote:
> >> [...]
> >> Question: Connect to http://bbc.co.uk and take a look at the reply. The
> >> source address of the related packets is
> >>
> >> [ ] 212.58.224.131
> >> [ ] your public address
> >> [ ] your router's local address
> >> [ ] your local address
> >> [ ] 127.0.0.1
> >
> > Using what software?
>
> None, it's trivial if you just got a little clue about NAT.
> But if you really need a network sniffer, then try Ethereal.
>
> Anyway, didn't you get the point? Without a big and deep comprehensive
> understanding of TCP/IP you cannot achieve any security through
> host-based packet filters or firewalls, no matter what certain colorful
> click-here-wizards want to tell you.

Ok, so what books on TCP/IP would you suggest? Any in particular?

Re: Software/Hardware firewall interaction?

on 08.03.2006 15:06:49 by Sebastian Gottschalk

galt_57@hotmail.com wrote:
> Sebastian Gottschalk wrote:
>> galt_57@hotmail.com wrote:
>>> Sebastian Gottschalk wrote:
>>>> [...]
>>>> Question: Connect to http://bbc.co.uk and take a look at the reply. The
>>>> source address of the related packets is
>>>>
[X] 212.58.224.131, so it doesn't matter whether your router's IP address
is trusted
>>>> [ ] your public address
>>>> [ ] your router's local address
>>>> [ ] your local address
>>>> [ ] 127.0.0.1

> Ok, so what books on TCP/IP would you suggest? Any in particular?

Cisco's "Understanding IP Addressing"
O'Reilly: TCP-IP Network Administration
IP Routing
Building Internet Firewall (2nd Edition)

But at first I recommend reading and understanding the relevant RFCs.


The better idea would be understanding why you don't need any firewall
and how to disable unnecessary and harden wanted services.
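
As an added illustration (not code from the thread, from WallWatcher or from ZoneAlarm), here is a small Python model of the decision Dan describes above and of Sebastian's quiz answer: a log record from the router is unsolicited and gets in only through the Trusted Zone, while the reply from bbc.co.uk is passed because it matches a request the browser sent, whatever trust the router address has; the per-application rule limits WallWatcher to port 53 towards the ISP's resolver. The ISP resolver address, the scanner address and all port numbers are constructed.

```python
# Added example, not from the thread: a toy model of the host-firewall decision
# Dan Tseng describes. Inbound: pass if the source is in the Trusted Zone, or if
# the packet is a reply to a request an application already sent; else block.
# Per-app rules (WallWatcher: port 53 to the ISP's DNS only) limit what an app may
# originate. Non-router addresses and all ports are constructed sample values.
from dataclasses import dataclass, field

ROUTER_LAN_IP = "192.168.1.1"     # router's LAN address, as in the thread
ISP_DNS = {"203.0.113.53"}        # constructed ISP resolver address
BBC = "212.58.224.131"            # bbc.co.uk address quoted in the thread

@dataclass
class HostFirewall:
    trusted: set = field(default_factory=set)
    # (remote_ip, remote_port, local_port) of requests applications sent out
    outbound: set = field(default_factory=set)
    # app name -> set of (remote_ip, remote_port) it may originate traffic to
    app_rules: dict = field(default_factory=dict)

    def send(self, app, dst_ip, dst_port, src_port):
        """An application originates a packet; its app rule (if any) must permit it."""
        allowed = self.app_rules.get(app)
        if allowed is not None and (dst_ip, dst_port) not in allowed:
            return "BLOCK"
        self.outbound.add((dst_ip, dst_port, src_port))   # remember, so the reply passes
        return "ALLOW"

    def receive(self, src_ip, src_port, dst_port):
        """Inbound packet: trusted source, or a reply to something we sent, else block."""
        if src_ip in self.trusted:
            return "ALLOW: trusted zone"
        if (src_ip, src_port, dst_port) in self.outbound:
            return "ALLOW: reply to our request"
        return "BLOCK: unsolicited"

def demo():
    fw = HostFirewall(trusted={ROUTER_LAN_IP},
                      app_rules={"WallWatcher": {(ip, 53) for ip in ISP_DNS}})
    r = {}
    # Router log record: unsolicited, so only the Trusted Zone lets it in
    r["router_log"] = fw.receive(ROUTER_LAN_IP, 514, 514)
    # Browser fetches bbc.co.uk: the reply carries the BBC address, not the router's
    fw.send("browser", BBC, 80, 49152)
    r["bbc_reply"] = fw.receive(BBC, 80, 49152)
    # WallWatcher name lookup: only port 53 to the ISP resolver is permitted
    r["ww_dns_out"] = fw.send("WallWatcher", "203.0.113.53", 53, 49153)
    r["ww_dns_reply"] = fw.receive("203.0.113.53", 53, 49153)
    r["ww_other_out"] = fw.send("WallWatcher", BBC, 80, 49154)
    r["scan"] = fw.receive("198.51.100.7", 4444, 135)   # unsolicited from the Internet
    return r
```

Remove the router from `trusted` and `router_log` flips to a block while `bbc_reply` is still allowed, which is the point of the quiz: trust in the router address only matters for traffic the router itself originates.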

Re: Software/Hardware firewall interaction?

on 08.03.2006 17:21:27 by Volker Birk

galt_57@hotmail.com wrote:
> Ok, so what books on TCP/IP would you suggest?

"TCP/IP" from Craig Hunt.
"UNIX Network Programming" from Richard Stevens.

Yours,
VB.
--
If you regard "I see mathematics as the only field where there are clear
proofs." and "I feel uncomfortable in a suit." as statements with
equivalent content of opinion, then your analogy is right.
(Michail Bachmann to Thomas Wallutis in d.a.s.r)