Firewalls and Cryptography
Firewalls and Cryptography
am 13.10.2006 14:31:35 von popboyz69
As we know, firewall is designed to keep unauthorized outsiders from
tampering with a computer system or network. We don't talk about
computer security without mentioning cryptography.
In that situation, may I know,How does cryptographic protection (at the
TCP/IP layers or at the application layer) affect a firewall's ability
to protect against viruses?
For sure there should be some important effects to enforce or weaken
firewall's ability....
thanks!!!!
Re: Firewalls and Cryptography
am 13.10.2006 16:08:26 von Volker Birk
popboyz69@gmail.com wrote:
> In that situation, may I know,How does cryptographic protection (at the
> TCP/IP layers or at the application layer) affect a firewall's ability
> to protect against viruses?
A firewall cannot protect against viruses.
Yours,
VB.
--
Viel schlimmer als die Implementation von PHP ist jedoch das Design.
Rudolf Polzer in de.comp.security.misc
Re: Firewalls and Cryptography
am 13.10.2006 17:45:02 von BobS
"Volker Birk" wrote in message
news:452f9dda@news.uni-ulm.de...
> popboyz69@gmail.com wrote:
>> In that situation, may I know,How does cryptographic protection (at the
>> TCP/IP layers or at the application layer) affect a firewall's ability
>> to protect against viruses?
>
> A firewall cannot protect against viruses.
>
> Yours,
> VB.
> --
> Viel schlimmer als die Implementation von PHP ist jedoch das Design.
>
> Rudolf Polzer in de.comp.security.misc
VB,
A firewall can protect against viruses - I just purchased one for a client,
a Sonicwall TZ170 with Gateway AV service.
http://www.sonicwall.com/products/tz170_wireless.html <<< last paragraph
Bob S.
Re: Firewalls and Cryptography
am 13.10.2006 18:58:52 von Volker Birk
BobS wrote:
> A firewall can protect against viruses - I just purchased one for a client,
> a Sonicwall TZ170 with Gateway AV service.
> http://www.sonicwall.com/products/tz170_wireless.html <<< last paragraph
This is a combined Firewall with Virus Scanner. The Virus Scanner part
can protect against already known viruses - not against new ones, of
course.
Yours,
VB.
--
Viel schlimmer als die Implementation von PHP ist jedoch das Design.
Rudolf Polzer in de.comp.security.misc
Re: Firewalls and Cryptography
am 14.10.2006 02:11:12 von unknown
Post removed (X-No-Archive: yes)
Re: Firewalls and Cryptography
am 14.10.2006 12:50:23 von securebuddha
Volker Birk wrote:
> popboyz69@gmail.com wrote:
> > In that situation, may I know,How does cryptographic protection (at the
> > TCP/IP layers or at the application layer) affect a firewall's ability
> > to protect against viruses?
>
> A firewall cannot protect against viruses.
>
That is a broad categorization. Utilization of a third-generation
firewall could conceivably perform such processes and procedures. An
application layer firewall is a third-generation firewall technology
that evaluates network packets for valid data at the application layer
before allowing a connection. There is nothing to say that a firewall
could not analyze and permit or deny transmissions at the application
level. This analysis could differentiate virii before transfer down the
protocol stack.
Granted I do not have knowledge of any firewalls that perform this
function per se; however in theory it seems entirely possible.
BTW --- what effect does cryptography have; first and foremost
performance issues. This however is dependent on the type of
cryptography utilized. Which you did not state. Also you must take into
consideration the resource consumption required to perform crypto
procedures at a given bandwidth. Not to mention key sizes!
Thomas R. Jones
Re: Firewalls and Cryptography
am 14.10.2006 18:35:45 von Jeff B
Casey wrote:
> Firewalls (hardware & software) are to control connections
> to/from a computer or lan.
> Crypto is to provide privacy for messaging and data storage.
> Casey
the firewall operates(ie inspects) the tcp headers, not the payload.
SPI ensures that bogus packets(ie those other than the initial contact)
are reject.
the newest generation of FWs performs deep inspection (ie the payload)
but only for specific applications and only non-encrypted data(payloads)
--
try a random act of kindness today -- you just might surprise even
yourself :)
Re: Firewalls and Cryptography
am 16.10.2006 01:13:56 von BobS
"Volker Birk" wrote in message
news:452fc5cc@news.uni-ulm.de...
> BobS wrote:
>> A firewall can protect against viruses - I just purchased one for a
>> client,
>> a Sonicwall TZ170 with Gateway AV service.
>> http://www.sonicwall.com/products/tz170_wireless.html <<< last paragraph
>
> This is a combined Firewall with Virus Scanner. The Virus Scanner part
> can protect against already known viruses - not against new ones, of
> course.
>
> Yours,
> VB.
> --
> Viel schlimmer als die Implementation von PHP ist jedoch das Design.
>
> Rudolf Polzer in de.comp.security.misc
VB,
Your statement was that a firewall cannot protect against viruses. They
can. Nothing was said about "how" they perform that function (UTM) so don't
make statements that are ill defined and then decide to bend it to suit you
when someone calls you on it.
As for "new ones" are you referring to zero-day virus detection or something
even newer than that? If it's not known - then is it really a virus?
There's a lot of technology out there that has attempted over the years to
detect malicious code but I seriously doubt we'll ever get to 100%
efficiency - in our lifetime.
Bob S.
Re: Firewalls and Cryptography
am 16.10.2006 11:13:53 von Volker Birk
BobS wrote:
> Your statement was that a firewall cannot protect against viruses. They
> can.
Seems to be a problem of definitions.
> make statements that are ill defined and then decide to bend it to suit you
> when someone calls you on it.
I'm trying to be exact now:
A Virus Scanner is something, that detects malware in streams or in
persistent data ("detecting negative things"). I'm not using virus
scanners, which search RAM, because I think they're useless.
A Firewall is a filtering entity on a way of network traffic, which
filters away any traffic, which is not conforming to a security policy
(where I define "allowed traffic", not "forbidden traffic", so this is
"detecting positive things and filtering away anything else" in network
traffic).
These are the terms I'm working with commonly.
You can say, that a Virus Scanner can be a special case of firewall
on layer 7 according to RFC 2979, if it filters away data with malware.
You can say, that a Firewall can be a special case of a virus scanner,
according to RFC 2979, if it filters on layer 7 and removes mails and
transmitted files with malware.
I would not prefer to define in such a way, because this mixes terms.
I'd prefer to define, that if a firewall implementation filters that
way, it additionally has a virus scanner component (as I did).
Clear now?
YMMV.
> As for "new ones" are you referring to zero-day virus detection or something
> even newer than that? If it's not known - then is it really a virus?
No. I'm not refering to such terms.
> There's a lot of technology out there that has attempted over the years to
> detect malicious code but I seriously doubt we'll ever get to 100%
> efficiency - in our lifetime.
I cannot see anything working with the exception of predefined patterns¹.
All heuristics I know have so many false positives and so less hits, that
I would call them useless in practice.
Yours,
VB.
¹ With "patterns" I don't mean regular patterns only. They may be
defined arbitrary algorithmically. They may not be designed to
implement heuristics, though. In any case, such patterns describe
one single type of malware each.
--
"Ich lache nie."
Besim Karadeniz in d.c.s.m.
Re: Firewalls and Cryptography
am 17.10.2006 02:39:00 von BobS
VB,
Excuse the top posting but I'll respond after each of your comments:
>> Your statement was that a firewall cannot protect against viruses. They
>> can.
> Seems to be a problem of definitions.
Yes it is and I took your comment at face value and as a stand-alone comment
but you obviously were thinking a few miles ahead.
> A Virus Scanner is something, that detects malware in streams or in
> persistent data ("detecting negative things"). I'm not using virus
> scanners, which search RAM, because I think they're useless.
A Gateway AV solution is an on-the-fly solution so while the packet(s) are
being inspected, it's typically at wire speed on the bigger/better
appliances. Whether they're using a high-speed shift register or buffering
it in RAM, I don't know but supposedly, the "time hit" is only slightly
greater than a firewall only device. Manufacturer dependent. So, the AV is
not searching through RAM in this architecture.
> A Firewall is a filtering entity on a way of network traffic, which
> filters away any traffic, which is not conforming to a security policy
> (where I define "allowed traffic", not "forbidden traffic", so this is
> "detecting positive things and filtering away anything else" in network
> traffic). These are the terms I'm working with commonly.
Understand.
> You can say, that a Virus Scanner can be a special case of firewall on
> layer 7 according to RFC 2979, if it filters away data with malware.
> You can say, that a Firewall can be a special case of a virus scanner,
> according to RFC 2979, if it filters on layer 7 and removes mails and
> transmitted files with malware.
>
> I would not prefer to define in such a way, because this mixes terms. I'd
> prefer to define, that if a firewall implementation filters that
> way, it additionally has a virus scanner component (as I did).
> Clear now?
Almost.....;-)
Your reference to RFC2979 made me go looking and digging a bit and I can't
see where this version http://rfc.net/rfc2979.html dated Oct 2000 allows
for those two statements - not even in the broadest sense. RFC's do change
and I may not have found the latest version.
You make a valid point about not wanting to group the two terms together
from a purists viewpoint but the industry has already done so and they call
it, UTM (Unfified Threat Management). Every company seems to have a
different slant on what that means but for now - it's hype that has some
legitimacy and I have no doubt it will eventually be rolled into the
firewall definition. Right now, the "application" references in RFC2979 are
for applications that transverse a firewall. A Gateway AV solution does not
traverse the firewall but is a secondary function - after the firewall.
> snip.....
> I cannot see anything working with the exception of predefined patterns¹.
> All heuristics I know have so many false positives and so less hits, that
> I would call them useless in practice.
It's obvious you do not care for antivirus solutions and I chuckled when I
read this statement in RFC2979. It pretty well sums up the defintion of a
firewall:
Quoted from RFC2979.....in part....
"Nevertheless, it is important to remember that the only perfectly secure
network is one that doesn't allow any data through at all and that the only
problem with such a network is that it is unusable."
So where does that leave us? Right smack in the middle of choosing the
lesser of the evils. But in this case - and the reason I jumped in on this
thread was to point out that there is technology out there at a price point
that is reasonable and provides a modicum of security via a UTM approach for
small business, SOHO applications.
Is it good enough for the IBM's, GE's, AMEX type company's - absolutely not
since they are big targets. But for a small business, yes, it's a
reasonable and efficient solution. Not perfect by a long shot but what esle
would you recommend?
Bob S.
Re: Firewalls and Cryptography
am 17.10.2006 03:18:53 von unknown
Post removed (X-No-Archive: yes)
Re: Firewalls and Cryptography
am 17.10.2006 05:06:34 von Volker Birk
BobS wrote:
> > A Virus Scanner is something, that detects malware in streams or in
> > persistent data ("detecting negative things"). I'm not using virus
> > scanners, which search RAM, because I think they're useless.
> A Gateway AV solution is an on-the-fly solution so while the packet(s) are
> being inspected, it's typically at wire speed on the bigger/better
> appliances. Whether they're using a high-speed shift register or buffering
> it in RAM, I don't know but supposedly, the "time hit" is only slightly
> greater than a firewall only device. Manufacturer dependent. So, the AV is
> not searching through RAM in this architecture.
I agree. Of course, implementation needs RAM here. But it's not the RAM
of the computers which should be protected.
> > You can say, that a Virus Scanner can be a special case of firewall on
> > layer 7 according to RFC 2979, if it filters away data with malware.
> > You can say, that a Firewall can be a special case of a virus scanner,
> > according to RFC 2979, if it filters on layer 7 and removes mails and
> > transmitted files with malware.
> > I would not prefer to define in such a way, because this mixes terms. I'd
> > prefer to define, that if a firewall implementation filters that
> > way, it additionally has a virus scanner component (as I did).
> > Clear now?
> Almost.....;-)
> Your reference to RFC2979 made me go looking and digging a bit and I can't
> see where this version http://rfc.net/rfc2979.html dated Oct 2000 allows
> for those two statements - not even in the broadest sense. RFC's do change
> and I may not have found the latest version.
From there (Chapter 1. Introduction, second paragraph):
| A "firewall" is an agent which screens network traffic in some way,
| blocking traffic it believes to be inappropriate, dangerous, or both.
> You make a valid point about not wanting to group the two terms together
> from a purists viewpoint but the industry has already done so and they call
> it, UTM (Unfified Threat Management).
Yes. I just want to differ for better describing the behaviour of some
products.
[Virus Scanners]
> Is it good enough for the IBM's, GE's, AMEX type company's - absolutely not
> since they are big targets. But for a small business, yes, it's a
> reasonable and efficient solution. Not perfect by a long shot but what esle
> would you recommend?
Secure configuration, which is called by some people "hardening". And
intelligent use. Maybe usage of not-so-b0rken software.
Yours,
VB.
--
"Ich lache nie."
Besim Karadeniz in d.c.s.m.
Re: Firewalls and Cryptography
am 17.10.2006 06:09:22 von "GEO" Me
On Tue, 17 Oct 2006 03:18:53 +0200, Sebastian Gottschalk
wrote:
>BobS wrote:
>> Your statement was that a firewall cannot protect against viruses. They
>> can.
>No, they can't. By design, I can always create a virus that slips by.
And by the same logic no anti-virus ,'by design', can protect
against viruses since you can always create one that will slip by.
Geo
Re: Firewalls and Cryptography
am 17.10.2006 19:10:24 von BobS
"Sebastian Gottschalk" wrote in message
news:4pipcvFj2f3nU1@news.dfncis.de...
> BobS wrote:
>
>> Your statement was that a firewall cannot protect against viruses. They
>> can.
>
> No, they can't. By design, I can always create a virus that slips by.
>
>> As for "new ones" are you referring to zero-day virus detection or
>> something
>> even newer than that? If it's not known - then is it really a virus?
>
> Of course they are. And you'll understand it when it's tossing down your
> system.
>
>> There's a lot of technology out there that has attempted over the years
>> to
>> detect malicious code but I seriously doubt we'll ever get to 100%
>> efficiency - in our lifetime.
>
> Well, primitive guessing and relying on bad statistics has nothing to do
> with security.
Sebastian,
Think.... "Problem - Solution". I wasn't looking to get into a pissing
contest over firewalls or antivirus programs. No doubt you can write a
virus that will be "new" for a brief period and after it hits the first
computer - it's no longer new. But also, poorly written software will bring
down a system too.
So now tell us what your solution is please - we know the problem. I didn't
make any "primitive guesses" or spout any "statistics" so maybe you can
clarify your comment so we can learn from your experience.
Thanks,
Bob S.
Re: Firewalls and Cryptography
am 17.10.2006 19:22:07 von BobS
snip........
> [Virus Scanners]
>> Is it good enough for the IBM's, GE's, AMEX type company's - absolutely
>> not
>> since they are big targets. But for a small business, yes, it's a
>> reasonable and efficient solution. Not perfect by a long shot but what
>> esle
>> would you recommend?
>
> Secure configuration, which is called by some people "hardening". And
> intelligent use. Maybe usage of not-so-b0rken software.
>
> Yours,
> VB.
> --
> "Ich lache nie."
> Besim Karadeniz in d.c.s.m.
VB,
I obviously missed the interpretation of "firewall" in the sense of it being
an AV device but I see your point - now.
I'll age myself here but the last time I designed a "hardened"
communications circuit, it involved satellite circuits and KG-81 crypto's
for a very large radar system. The term "hardening" has been greatly
"softened" since mil-specs have essentially been abolished and commercial
specs now the norm. So what I know as hardening and securing a
communications network will vary widely from what a commercial application
considers to be a secure system.
Thanks for the lesson,
Bob S.
Re: Firewalls and Cryptography
am 17.10.2006 19:46:48 von Ansgar -59cobalt- Wiechers
BobS wrote:
> No doubt you can write a virus that will be "new" for a brief period
> and after it hits the first computer - it's no longer new.
Not true. A new virus remains new to any virus scanner as long as noone
has detected and analyzed it and created a signature for the respective
virus scanner. If the virus keeps a low profile that can be quite a
while.
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
Re: Firewalls and Cryptography
am 17.10.2006 20:07:05 von unknown
Post removed (X-No-Archive: yes)
Re: Firewalls and Cryptography
am 17.10.2006 20:10:35 von unknown
Post removed (X-No-Archive: yes)
Re: Firewalls and Cryptography
am 17.10.2006 22:17:51 von "GEO" Me
On Tue, 17 Oct 2006 20:07:05 +0200, Sebastian Gottschalk
wrote:
>>>BobS wrote:
>>>> Your statement was that a firewall cannot protect against viruses. They
>>>> can.
>>>Sebastian Gottschalk wrote:
>>>No, they can't. By design, I can always create a virus that slips by.
>> And by the same logic no anti-virus ,'by design', can protect
>> against viruses since you can always create one that will slip by.
>Wrong. Write-protecting all executables and/or removing exec right globally
>gives a complete protection against viruses.
Wrong? What is wrong? It seems that logic and common sense are not
exactly your forte.
You made a comment about firewalls and I pointed that using your
logic one could say that anti-virus programs would be useless. What
has that to do with your follow-up comment?
Geo
Re: Firewalls and Cryptography
am 17.10.2006 22:27:46 von BobS
"Ansgar -59cobalt- Wiechers" wrote in message
news:4pkj88Fjdbg6U2@individual.net...
> BobS wrote:
>> No doubt you can write a virus that will be "new" for a brief period
>> and after it hits the first computer - it's no longer new.
>
> Not true. A new virus remains new to any virus scanner as long as noone
> has detected and analyzed it and created a signature for the respective
> virus scanner. If the virus keeps a low profile that can be quite a
> while.
>
> cu
> 59cobalt
> --
> "If a software developer ever believes a rootkit is a necessary part of
> their architecture they should go back and re-architect their solution."
> --Mark Russinovich
My unstated assumption was that the virus did it's dirty work and was
detected by a user. Doesn't need a signature file made by an AV company to
have a "detected" stamp placed on it. Like anything else, it only remains
new until used once....
Not to argue the point, I do agree with you that a virus can remain
undetected and proliferate to many systems before being detected.
Bob S.
Re: Firewalls and Cryptography
am 17.10.2006 23:02:15 von Volker Birk
BobS wrote:
> So what I know as hardening and securing a
> communications network will vary widely from what a commercial application
> considers to be a secure system.
Yes, this is really, _really_ true.
*sigh*
VB.
--
"Ich lache nie."
Besim Karadeniz in d.c.s.m.
Re: Firewalls and Cryptography
am 17.10.2006 23:03:54 von Volker Birk
Sebastian Gottschalk wrote:
> The common serious solution against viruses is to globally remove exec
> rights for all non-admin users and whitelist all needed applications. Using
> file permissions to deny write access to all programs would be sufficient
> as well, and usually these are combined.
Then scripting viruses will get more important again.
Yours,
VB.
--
"Ich lache nie."
Besim Karadeniz in d.c.s.m.
Re: Firewalls and Cryptography
am 18.10.2006 16:29:32 von Ansgar -59cobalt- Wiechers
BobS wrote:
> "Ansgar -59cobalt- Wiechers" wrote:
>> BobS wrote:
>>> No doubt you can write a virus that will be "new" for a brief period
>>> and after it hits the first computer - it's no longer new.
>>
>> Not true. A new virus remains new to any virus scanner as long as
>> noone has detected and analyzed it and created a signature for the
>> respective virus scanner. If the virus keeps a low profile that can
>> be quite a while.
>
> My unstated assumption was that the virus did it's dirty work and was
> detected by a user. Doesn't need a signature file made by an AV
> company to have a "detected" stamp placed on it. Like anything else,
> it only remains new until used once....
You're still wrong, because a virus may very well do its "dirty work"
without being spotted by a user if it keeps a low profile (i.e. doesn't
interfere with the user's day-to-day work). And unless a signature is
created for it the virus still remains new to anyone else despite being
spotted by a user.
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
Re: Firewalls and Cryptography
am 18.10.2006 18:12:10 von unknown
Post removed (X-No-Archive: yes)
Re: Firewalls and Cryptography
am 23.10.2006 22:10:36 von bassbag
In article <45334d51@news.uni-ulm.de>, bumens@dingens.org says...
> BobS wrote:
> > Your statement was that a firewall cannot protect against viruses. They
> > can.
>
> Seems to be a problem of definitions.
>
> > make statements that are ill defined and then decide to bend it to suit you
> > when someone calls you on it.
>
> I'm trying to be exact now:
>
> A Virus Scanner is something, that detects malware in streams or in
> persistent data ("detecting negative things"). I'm not using virus
> scanners, which search RAM, because I think they're useless.
>
Code red worm is a memory resident worm that doesnt write to the file
system.Why would you say a virus scanner that searchs ram is useless?
me
Re: Firewalls and Cryptography
am 23.10.2006 22:27:13 von bassbag
In article <4pkkg3Fjb3a7U1@news.dfncis.de>, seppi@seppig.de says...
> GEO wrote:
>
> > On Tue, 17 Oct 2006 03:18:53 +0200, Sebastian Gottschalk
> > wrote:
> >
> >>BobS wrote:
> >>> Your statement was that a firewall cannot protect against viruses. They
> >>> can.
> >
> >>No, they can't. By design, I can always create a virus that slips by.
> >
> > And by the same logic no anti-virus ,'by design', can protect
> > against viruses since you can always create one that will slip by.
>
> Wrong. Write-protecting all executables and/or removing exec right globally
> gives a complete protection against viruses.
>
Not having a net connection or runnning any introduced media such as cd
or floopies will also accomplish this.
me
Re: Firewalls and Cryptography
am 29.10.2006 01:13:58 von larstr
Sebastian Gottschalk wrote:
: His claim that no antivirus measure could defend against unknown viruses.
: This is wrong, as shown by counterexample. This is however true if you
: limit antivirus measures to virus scanners.
There exist a few security applications that can find threats by
executing them in a virtual machine and analyzing their behaviour. This
will of course not give the ultimate performance compared to other
solutions, but they will detect and defend against a number of threats
that there exists no signatures for. These applications will however not
give 100% protection as they will only monitor the virtual machine to a
certain level (can't let the program run forever in there before
determining if the program is ok or not).
I know Finjan had such a product that would analyze Java code while
running in a special VM that would analyze it (Finjan Surfingate). It
seems that they now have a somehow similar solution for web+spyware.
(http://www.finjan.com/Content.aspx?id=178)
Another product that I've had the opportunity to look inside is the
Norman Sandbox
(http://www.infosecurityproductsguide.com/technology/NormanS andboxAnalyzer.html).
It's a virtual machine running a win32 environment where many common applications
are installed. It loads a given application inside this VM and records
what it does. Everything is weighted and if it reaches a predefined
value after doing several suspicious things, execution is stopped and
it's flagged as a possible virus. And no, I'm not working for Norman or
even using it. I was just technically impressed when shown it's inner
workings. It's also possible to submit programs through the web and
receive a report through email. Look here to get an idea of how it
works: http://sandbox.norman.no/live_2.html
Lars
Re: Firewalls and Cryptography
am 29.10.2006 02:22:00 von unknown
Post removed (X-No-Archive: yes)
Re: Firewalls and Cryptography
am 29.10.2006 07:05:52 von larstr
Sebastian Gottschalk wrote:
: >
: > There exist a few security applications that can find threats by
: > executing them in a virtual machine and analyzing their behaviour.
: The correct word is "guess".
Well. As it's monitoring an application as it executes I guess the word
"guess" is a bit inpresise.
: Wonderful. Why not implement a trivial 100% solution?
Because malware are aware of this and some are trying to use just "good"
behaviour before starting doing it's malware business. It's also unknown
if the red pill works inside the sandbox, but if it does, some malware
can be able to detect that it's running in a virtual machine and perhaps
don't do anything wrong as it's executed in such an environment to fool
this kind of technology.
: Yeah, as if malware would care.
: Did you ever analyze a recent piece of malware? It does thousand of things
: just to place few specific data in a certain location purely by (largely
: undocumented) side effects.
No, I havent analyzed anything just lately, but I've tried a few ones
earlier. Why don't you submit a recent one and tell us what you can
find?
: Behaviour analysis on the run? Has been rendered ineffective some years
: ago!
I guess no single technology is perfect. But I believe this kind of
application has it's place in the hierarchy. Or do you have a better
solution? Maybe an ideal world free of malware and stupid users? ;-)
Lars