
Firewall with hardware router


Hayduke (Registered; joined Aug 27, 2001; location: Zen State)
Software firewall with router

I decided to do some experimenting to determine if I need to leave my Zonealarm running with a router/switch (mine's an SMC Barricade) which is already a good firewall in itself. The answer is a definite YES!!

I went to grc.com (Gibson Research) and read nearly every article they have written on security and tried out their tools. I did the Shield Test and Nanoprobe and my computer was absolutely invisible with only the router's firewall. I thought Great! I'll disable Zonealarm. But then I ran the Leak Test which basically emulates a trojan attempting to "phone home". It got right out and the router firewall didn't even see it! I then turned Zonealarm on, reran the test, and Zonealarm caught it immediately and asked for a permission. This is something Black Ice will NOT do.

Another bit of advice from grc - if you run Windows XP you need to install this patch:
http://grc.com/xpdite/xpdite.htm
to fix a severe security flaw. Read their caution on Microsoft Service Pack 1 also.

The problem of XP's raw sockets is also rather serious:
http://grc.com/dos/xpsummary.htm

Keep your firewall up and running! And I'm also sticking with 98 for now. Until I get my Linux box running!
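A small model of the two policies Hayduke's experiment contrasts, added here as an example (it is not code from the thread, from ZoneAlarm or from SMC; the addresses, ports and the process names opera.exe and leaktest.exe are constructed): the router decides on the 5-tuple only and so passes any outbound connection, while a host firewall can key on the owning process and prompt for one it has not seen.

```python
"""Stateful router policy vs per-application egress policy, replayed over a
constructed packet trace.  Added example; not code from the thread or from any
firewall product.  All addresses, ports and process names are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" = LAN host -> Internet, "in" = Internet -> LAN host
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    process: str = ""   # owning process: visible to a host firewall, never to the router


class StatefulRouter:
    """What a NAT router does: allow anything outbound, remember the flow,
    and admit inbound packets only if they belong to a remembered flow."""

    def __init__(self):
        self.flows = set()

    def decide(self, p: Packet) -> str:
        if p.direction == "out":
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "ALLOW"
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "ALLOW"      # reply to something the LAN host asked for
        return "DROP"           # unsolicited inbound: looks "invisible" to a scanner


class AppFirewall(StatefulRouter):
    """What a ZoneAlarm-style host firewall adds on top of the same state table:
    an outbound connection from a program not on the allow-list is held and the
    user is asked, instead of being passed because the 5-tuple looks ordinary."""

    def __init__(self, allowed):
        super().__init__()
        self.allowed = set(allowed)

    def decide(self, p: Packet) -> str:
        if p.direction == "out" and p.process not in self.allowed:
            return "ASK"        # unknown program phoning home: prompt, record nothing
        return super().decide(p)


# Constructed trace: a browser session, a reply to it, an unsolicited probe on
# port 27374, and a "phone home" from a program the user never approved.
TRACE = [
    Packet("out", "tcp", "192.168.1.2", 1025, "192.0.2.10", 80, "opera.exe"),
    Packet("in",  "tcp", "192.0.2.10", 80, "192.168.1.2", 1025),
    Packet("in",  "tcp", "203.0.113.9", 4567, "192.168.1.2", 27374),
    Packet("out", "tcp", "192.168.1.2", 1026, "198.51.100.7", 80, "leaktest.exe"),
]


def replay(trace=TRACE, allowed=("opera.exe",)):
    """Return (router decision, host-firewall decision) for each packet."""
    router, host = StatefulRouter(), AppFirewall(allowed)
    return [(router.decide(p), host.decide(p)) for p in trace]


if __name__ == "__main__":
    for p, verdict in zip(TRACE, replay()):
        print(f"{p.direction:>3} {p.src}:{p.sport} -> {p.dst}:{p.dport} "
              f"{p.process or '-':<13} router={verdict[0]:<5} host={verdict[1]}")
```

The fourth packet is the whole point of the leak test: to the router it is indistinguishable from the browser's request in the first packet, so only something that can see the process gets a chance to object.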
 
Oh yes, I love http://grc.com; it certainly makes an interesting read, but the claims and statements made by Gibson are a little suspect. Ask any person who does networking or security for a living if they have ever heard of nanoprobes.
In fact, a simple traffic sniffer reveals the truth about those probes: they are merely ICMP and TCP/UDP based connect and scan attempts.
It is strange that Gibson places so much concern over XP's raw sockets when his own ShieldsUP service states that XP machines are safe and hidden on the internet. If this is the case then an XP box cannot be scanned, which makes the only threat a trojan which needs to be downloaded and installed by the XP user... Hardly something to be concerned about then, is it?
Gibson does not make appearances at *real* security boards, interviews or gatherings such as DefCon or the Black Hat conference. Why doesn't he comment on Bugtraq?
Gibson worked for years as a marketer specializing in media advertising and public relations, and that's what he is really good at.

IMHO, take GRC information with a pinch of salt. These are my opinions after researching the matter and are not endorsed in any way by Overclockers.com.

Also check out http://grcsucks.com. Do not take my views as being true; read up on the matter, run a traffic sniffer, discover the facts for yourself and decide what you wish to believe.
 
I'm no expert either but, barring his slight ego problem, Gibson seems to have some good advice. I mean the average home user, and even many businesses, have NO protection whatsoever. Their computers are wide open to the world. Anything that scares them a little and makes them pull their heads out of the sand and do something about it is ok by me. I get really tired of telling everyone I know who has allowed themselves to become infected to get a firewall and a virus scanner. Of course they rarely listen unless I babysit them and basically do it for them.

I've run several tests elsewhere similar to the ones on grc and they all convinced me that I need software like Zonealarm in addition to my router. I consider myself very security aware and I've even accidentally activated a trojan on my own system! And the daily random trojan port probes are so numerous I finally stopped counting after the first few thousand. I don't even bother saving the logs anymore. Most of those probes come from providers with known lax security like Rogers, Shaw, Home, etc. Many are from overseas. Add to this the fact that many home users still have outdated apps full of security holes and it's only a matter of time before another massive attack brings the internet to a crawl.

I'm not up on all the in-depth hardware details but Gibson's analysis of the reflected SYN/ACK attack seems logical. Is this how it actually works? If so then it appears the entire internet is at risk unless most ISPs install spoofed-packet network egress filtering. Or did he leave something out of his analysis?
 
Hayduke said:
I'm no expert either but, barring his slight ego problem, Gibson seems to have some good advice.

This advice, though, appears to be full of things which do not add up or make sense, such as the dangerous Windows XP raw sockets which, according to Gibson, are a threat to the internet, one he was so concerned about that he contacted MS, even though Gibson's ShieldsUP service says that "For all intents and purposes a Windows XP machine doesn't exist to scanners on the Internet!". If ShieldsUP is a crap toy, and XP really is a weapon broadcasting its deadly raw sockets to the dark side, then Steve is a fraud. But if the XP firewall really offers 'full stealth' right out of the box, then Steve is a fraud because the danger is not there without a Trojan installed, because you cannot locate Windows XP machines to exploit them. Either way one is a lie.
The information is also inaccurate, as Gibson makes bold claims about inventing various things such as 'nanoprobes', which are nothing more than TCP/UDP based connect and scan attempts. You may call it advice; I call it misinformation.

I mean the average home user, and even many businesses, have NO protection whatsoever. Their computers are wide open to the world. Anything that scares them a little and makes them pull their heads out of the sand and do something about it is ok by me. I get really tired of telling everyone I know that's allowed themselves to become infected to get a firewall and a virus scanner. Of course they rarely listen unless I babysit them and basically do it for them.

While I do believe that security is up to the individual, knowledge is a better tool to protect yourself with than fear. Common sense advice such as 'do not download things when you do not know where they come from'; it's not so much 'do I trust the file' but 'do I trust the source'. Too many users are willing to install screensavers and the like that 'friends' have sent them through email without even questioning it. Education on things such as this could reduce infection greatly, not to mention the way in which a system is set up, e.g. remove active scripting etc.

I've run several tests elsewhere similar to the ones on grc and they all convinced me that I need software like Zonealarm in addition to my router.

Why do you need ZoneAlarm as well as a hardware firewall? Is it because ZoneAlarm checks outgoing traffic? If you're security aware you're obviously scanning any files you download and obtaining them from official sources and not the likes of peer-to-peer file applications, which reduces the risk greatly.
You do realise that you can get round most software firewalls. A demonstration was done at DefCon this year in which a virus was opening 'hidden explorer windows', which is a genuine feature of the Windows OS, and downloading instructions from pre-determined websites, thus getting around software firewalls, as unless you block all traffic for IE it is impossible to determine what is requested and what is not (this virus has not been leaked, and was demonstrating an exploit in the OS). I am curious as to what convinces you that you require it as well.

And the daily random trojan port probes are so numerous I finally stopped counting after the first few thousand. I don't even bother saving the logs anymore.

A port probe does not mean anything; many legitimate services probe ports for various reasons. For example the DALnet IRC servers probe ports for infections for their own protection, and likewise my very own ISP does the same.

it's only a matter of time before another massive attack brings the internet to a crawl.

This is a great possibility, and the easiest way to do this would be a massive DoS attack on the DNS servers, but then again there is very little any protection could do against a sustained attack.

I'm not up on all the in-depth hardware details but Gibson's analysis of the reflected syn/ack attack seems logical. Is this how it actually works? If so then it appears the entire internet is at risk unless most ISPs install spoofed packet network egress filtering. Or did he leave something out of his analysis?

I've not actually read this report; I generally keep away from the site unless there is a discussion regarding an article on other forums or mailing lists I participate in.
Do the research yourself and make your own opinions up. It's just that, when you consider that there are skilled people with a great deal of knowledge out there, if these threats are as much of a concern as suggested by Gibson, why are there minimal applications available to attack them? Who do you know with Windows XP who has a raw socket problem and not a Trojan infection problem?

Advice, Misinformation.. its the same thing viewed with different opinions.
 
I think his basic problem with XP is that IF you have a trojan then XP is the preferred platform of a hacker to exploit your system as an attack zombie since it allows spoofing with raw socket access and it allows everything to be open by default unless changed by the user or an update patch. At least that's how I understand it.

The whole point of this is that it's extremely easy for uninformed users to get a virus if they don't have GOOD software running 24/7, which most people I know do NOT. Here's an article on CERT from 2001 which addresses the problem of increased trojan port scans:
http://www.cert.org/incident_notes/IN-2001-07.html

With all those thousands of scans going every day and all the unknowledgeable users gleefully installing and emailing thousands of viruses without even knowing it, there is a definite concern here. I have helped 2 friends in the past few months get rid of trojans they had on home computers and neither had any clue about where they could have come from so it's not an imaginary problem. Zonealarm will usually catch those trojan contact attempts. My Zonealarm has been silent since I installed my router but it doesn't interfere with other apps and it's already on the computers so why not leave it running as a backup firewall?

I have a full access programmable port scanner that I've used on some of the more suspicious probers in my Zonelog and they usually show numerous open ports. So I doubt those are legitimate cable technicians checking out the system.

I've heard of that hidden Explorer window "feature". That's why I try to use Opera or Netscape unless I don't have a choice. I plan on doing some more research on that one also.
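One way to make sense of a pile of probe log lines, added here as an example (it is not from the thread; the log lines are constructed in a simplified ZoneAlarm-style CSV layout, and the port-to-trojan mapping is an assumption for illustration, not a definitive list): group by source and look at which ports each source touched. That separates a sweep for known trojan listeners from an open-proxy check of the kind UnseenMenace attributes to IRC networks, and both from a plain port scan or a lone stray packet.

```python
"""Triage of 'port probe' firewall log lines.  Added example, not from the thread.
Log lines are constructed in a simplified ZoneAlarm-style CSV layout:
    FWIN,<date>,<time>,<src_ip>:<src_port>,<dst_ip>:<dst_port>,<proto>
The port -> trojan mapping is an assumption for illustration (default listening
ports commonly associated with the remote-access trojans named in the thread)."""
from collections import defaultdict

TROJAN_PORTS = {12345: "NetBus", 27374: "SubSeven", 31337: "Back Orifice"}  # assumed
PROXY_CHECK_PORTS = {1080, 3128, 8080}   # open-proxy checks (SOCKS / HTTP proxies)
SCAN_THRESHOLD = 5                       # this many distinct ports from one source = a scan

# Constructed sample log: four sources with four different behaviours.
LOG = """\
FWIN,2002/09/01,10:01:03,203.0.113.5:3322,192.168.1.2:27374,TCP
FWIN,2002/09/01,10:01:04,203.0.113.5:3323,192.168.1.2:12345,TCP
FWIN,2002/09/01,10:05:10,198.51.100.20:4000,192.168.1.2:1080,TCP
FWIN,2002/09/01,10:05:10,198.51.100.20:4001,192.168.1.2:3128,TCP
FWIN,2002/09/01,10:05:11,198.51.100.20:4002,192.168.1.2:8080,TCP
FWIN,2002/09/01,11:20:00,192.0.2.77:1111,192.168.1.2:21,TCP
FWIN,2002/09/01,11:20:00,192.0.2.77:1112,192.168.1.2:22,TCP
FWIN,2002/09/01,11:20:01,192.0.2.77:1113,192.168.1.2:23,TCP
FWIN,2002/09/01,11:20:01,192.0.2.77:1114,192.168.1.2:25,TCP
FWIN,2002/09/01,11:20:02,192.0.2.77:1115,192.168.1.2:80,TCP
FWIN,2002/09/01,11:20:02,192.0.2.77:1116,192.168.1.2:110,TCP
FWIN,2002/09/01,12:00:00,203.0.113.200:53000,192.168.1.2:445,TCP
"""


def parse(line: str) -> dict:
    """Split one FWIN record into the fields triage needs."""
    tag, date, time, src, dst, proto = line.strip().split(",")
    src_ip, _src_port = src.rsplit(":", 1)
    _dst_ip, dst_port = dst.rsplit(":", 1)
    return {"src": src_ip, "dport": int(dst_port), "proto": proto, "when": f"{date} {time}"}


def triage(log: str = LOG) -> dict:
    """Return a verdict per source address based on the set of ports it touched."""
    ports_by_src = defaultdict(set)
    for line in log.splitlines():
        if not line.startswith("FWIN"):
            continue                      # skip blanks / other record types
        rec = parse(line)
        ports_by_src[rec["src"]].add(rec["dport"])

    verdicts = {}
    for src, ports in ports_by_src.items():
        trojans = sorted(TROJAN_PORTS[p] for p in ports if p in TROJAN_PORTS)
        if trojans:
            verdicts[src] = "trojan sweep: " + ", ".join(trojans)
        elif ports <= PROXY_CHECK_PORTS:
            verdicts[src] = "open-proxy check (usually benign)"
        elif len(ports) >= SCAN_THRESHOLD:
            verdicts[src] = f"port scan ({len(ports)} ports)"
        else:
            verdicts[src] = "single probe (background noise)"
    return verdicts


if __name__ == "__main__":
    for src, verdict in triage().items():
        print(f"{src:<15} {verdict}")
```

The verdicts are only a first cut: a source that hits 27374 is worth a closer look (and a scan back, as Hayduke does), whereas the three proxy ports from one address are the pattern a service checking for open relays leaves, and a single packet to one port is the kind of thing not worth keeping logs for.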
 
I have to agree with UnseenMenace here; GRC is not a reliable source of information. Most of the things he says are more his opinion than objective information.

Regarding the Leak Test thing, basically it only needs to be a concern if you feel you have a trojan on your computer. I've been running a SMC barricade with 3 computers, running WinME, XP and Linux, and I've never had a problem, although LeakTest told me I had a 'hole'. Just keep your anti-virus software up to date, or better yet, limit your downloading and be careful, and you should never have a problem.
 
Hayduke said:
I think his basic problem with XP is that IF you have a trojan then XP is the preferred platform of a hacker to exploit your system as an attack zombie since it allows spoofing with raw socket access and it allows everything to be open by default unless changed by the user or an update patch. At least that's how I understand it.

It is a well known fact that DDoS attacks will happen and do happen, and they will happen with Windows XP; that's never ever been disputed. However, what Gibson fails to point out is that you will see them regardless. The matter of the raw sockets is completely irrelevant to the question of DDoS attacks on Windows XP, because if someone can compromise a machine they will have every ability they want. Simply obtaining control of the machine is the only problem; once you've got control of the machine, if you don't have the raw socket functionality there you can simply add it.
Gibson also forgets to point out that raw sockets are used for a wide range of security functionality in Windows XP, such as the Internet Connection Firewall and IPsec, the IP security protocol, and various network diagnostic tools, not to mention that they are used by some games.
It is well known that a malicious user could, if desired, already take over Windows 95, 98, ME, NT and 2000 machines with easily available Trojans like NetBus, SubSeven and Back Orifice 2000 and use them for heavy packeting without the owner's knowledge. Raw socket functionality does not in itself make a machine more or less vulnerable to such infection, and as such Windows XP machines are not the preferred platform of choice. It is simply another platform which can be used, nothing more, nothing less.
 
Yes but if my machine running Win 98 were exploited for example, the outgoing packets could not be spoofed right? My machine could be back-tracked and shut down because there's no way to hide the originating IP. With raw sockets the IP can be spoofed, thus making the originating computer(s) essentially untraceable. Or am I completely confused?
 
Hayduke said:
Yes but if my machine running Win 98 were exploited for example, the outgoing packets could not be spoofed right? My machine could be back-tracked and shut down because there's no way to hide the originating IP. With raw sockets the IP can be spoofed, thus making the originating computer(s) essentially untraceable. Or am I completely confused?

You can add raw socket functionality to win98, if I remember correctly, all you need to do is replace 1 dll, (which is not a difficult feat for a trojan..)

I don't mind reading GRC, but as UnseenMenace said, he's a businessman, not a networker. He is creating a scare to make you want to buy his products.

It's great that he wants everyone in the world to be safe, but he could better make his point at security conferences. An analogy would be him selling bandaids, whereas he could be picketing congress for extra funding for hospitals.
 
Hayduke said:
Yes but if my machine running Win 98 were exploited for example, the outgoing packets could not be spoofed right?

This is not correct; Win98 can easily be made to create spoofable packets (not sure if the word 'spoofable' is correct English though :rolleyes: ).
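What "raw sockets" and "egress filtering" mean in concrete terms, added here as an example (it is not part of the thread and not anyone's posted code): the script builds a TCP SYN with an IPv4 header whose source address is chosen by the program rather than by the operating system, which is exactly the field the reflected SYN/ACK attack Hayduke asked about relies on, and then runs the ISP-side check he calls spoofed-packet egress filtering, i.e. drop anything leaving a customer link whose source address is outside that customer's prefix. All addresses and the prefix are made up (documentation ranges). With a raw socket (IP_HDRINCL on a SOCK_RAW socket) a process hands the kernel this whole byte string, source field included; a normal TCP socket never exposes that field, which is why the argument in the thread is about raw sockets at all. Nothing is sent; the example stops at building, validating and filtering the packet.

```python
"""Spoofed-source IPv4/TCP SYN construction and a BCP 38 style egress check.
Added example, not from the thread.  Addresses are from documentation ranges
and chosen for the example; no packet is put on the wire."""
import ipaddress
import struct

ATTACKER = "203.0.113.7"          # a customer host on the ISP's prefix (assumed)
CUSTOMER_PREFIX = "203.0.113.0/24"  # what the ISP allocated to that link (assumed)
VICTIM = "198.51.100.9"           # address the attacker wants SYN/ACKs reflected onto
REFLECTOR = "192.0.2.1"           # any public TCP server; it answers SYN with SYN/ACK


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum used by both the IP and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6,
                      ttl: int = 64, ident: int = 0x1234) -> bytes:
    """20-byte IPv4 header.  The source field is whatever the caller passes:
    this is the freedom a raw socket with IP_HDRINCL gives a program."""
    src_b = ipaddress.IPv4Address(src).packed
    dst_b = ipaddress.IPv4Address(dst).packed
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0, src_b, dst_b)          # checksum field = 0
    csum = ones_complement_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def build_tcp_syn(src: str, dst: str, sport: int, dport: int, seq: int = 0x1000) -> bytes:
    """Minimal 20-byte TCP header with only SYN set; checksum covers the
    pseudo-header, so the spoofed source address is baked in here too."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x02, 65535, 0, 0)
    pseudo = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 6, len(hdr)))
    csum = ones_complement_checksum(pseudo + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def craft_syn(src: str, dst: str, sport: int, dport: int) -> bytes:
    tcp = build_tcp_syn(src, dst, sport, dport)
    return build_ipv4_header(src, dst, len(tcp)) + tcp


def source_address(packet: bytes) -> ipaddress.IPv4Address:
    return ipaddress.IPv4Address(packet[12:16])


def ip_header_valid(packet: bytes) -> bool:
    """A receiver's sanity check: version 4 and the header checksums to zero."""
    return packet[0] >> 4 == 4 and ones_complement_checksum(packet[:20]) == 0


def egress_filter(packet: bytes, customer_prefix: str) -> str:
    """The ISP edge rule: forward only if the source belongs to the link's prefix."""
    if source_address(packet) in ipaddress.ip_network(customer_prefix):
        return "FORWARD"
    return "DROP"


def demo() -> dict:
    honest = craft_syn(ATTACKER, REFLECTOR, 40000, 80)
    spoofed = craft_syn(VICTIM, REFLECTOR, 40000, 80)   # SYN/ACK would go to VICTIM
    return {
        "honest": egress_filter(honest, CUSTOMER_PREFIX),
        "spoofed": egress_filter(spoofed, CUSTOMER_PREFIX),
        "spoofed_src": str(source_address(spoofed)),
        "spoofed_valid": ip_header_valid(spoofed),   # perfectly well-formed, just a lie
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:<14} {v}")
```

The spoofed packet passes every checksum, so nothing downstream can tell it was forged; the only place the lie is visible is the ISP edge, which knows which prefix should appear behind that link. That is why the reflected SYN/ACK attack stands or falls on egress filtering rather than on anything the victim or the reflector can do.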
 
I have ZoneAlarm Pro to stop outgoing trojans and make my PC invisible to random probes. The D-Link router firewall is just another layer for unrequested incoming packets and random probes. It doesn't stop inside trojans.

If guys can get into the DoD mainframe, who am I kidding if I think they couldn't get into my system. I just want to keep out the script kiddies and maybe M$ while at their site.
 
The only unhackable computer is turned off, unplugged from everything, sealed in a vault, buried deep below the earth's surface and cemented in place. (And even then there are some people who would try.)

You will never be able to keep a dedicated and resourceful person out of your system, you just have to make it not worth their while to get in. Nowadays there are so many people out there w/o protection that hitting a router will cause most hackers to go screaming in the opposite direction, and find some old granny's box with an non-patched copy of win95 and no share passwords that they can use a script on.
 