[Dshield] it totally figures

Peter Stendahl-Juvonen peter.stendahl-juvonen at welho.com
Sat Aug 24 20:29:19 GMT 2002


-----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org] On Behalf Of Johannes Ullrich
Sent: Saturday, August 24, 2002 5:33 AM
To: list at dshield.org
Subject: Re: [Dshield] it totally figures

Johannes, et al.

Good writing in general. Much appreciated. Liked it!

- Peter

<Please, find my latest strive for <pruning> above this point, thank
you.>
<Please, beware: Imminent danger of finding non-pruned version below this
line!>

+ I.e., in my opinion only a few minor points with disinformation. Hence
brief comment-

00) Supposing a general responsibility ratio of 1/1 (or 50/50 [%])
between 'Author' and 'Reader' regarding how written material is
understood by the Reader, I would however this time for my part take
full responsibility for possible misinterpretation(s) in [previous]
reading in addition to responsibility of [present] writing as well.

0) Citations of original message are presented (below) in double quotes
(").


"Well, more and more broadband ISPs do recommend personal firewalls. Some
even offer discounts or provide a free one (which make a lot of sense if
they can standardize customers to use a particular program... easier to
support)"

1) Could not agree more (on the above).

"However, not all is right with the personal firewalls available
so far."

2) Also agree. Especially with an even more self-evident formulation:
'However, not all is right with ALL OF the personal firewalls available
so far.'

[In my opinion expressions containing statements of type: 'all',
'never', 'always' etc. reflect more often attitude or opinion of the
person expressing her/himself, rather than factual matter. It may also
provide a cheap way to influence people, since the expression is usually
built to reduce opposition by self-evident formulation.  ;)]

3) This [(2) above] would be a safer truism.

"Some of the messages are just too cryptic."

4) For clarification:

     a) Would you please be kind enough to give, e.g., five examples of
messages that are challenging to comprehend for the average user?

     b) In my opinion these Users [or people as referred to (below)]
exist rather in mental images of those considering themselves to be
different - than in reality, i.e.]

"A common result is that after a while, people just get use to click 
'permit' ..."

5) For clarification:

     a) What statistically reliable source does this information come
from?
     b) Or is it merely an opinion? 

"... and end up with an open box after all."

6) Interesting-

     a) "Open box" in what sense?

     b) Since the Author is probably referring to so called software
firewalls, the comment below is for SW FW [point (5) c) ii and d)]
onwards-

     c) In my experience the fundamentals of a good firewall [be it
software or hardware implemented] is the following:

          i. It blocks by default all traffic.
          ii. Only explicitly allowed traffic [or traffic type] is let
thru.

     d) What is referred to by: "get use to click 'permit' ..."?

          i. In my experience SW FWs are configured and set up in the
following fashion:

                    1) The user is possibly curious, or in order to get
to know the [for her/him] new product sets the controls up in such a way
that it causes noisy or semi-noisy operation.

                    2) However, please note that program authentication
is recommended to be set to 'learning' mode at this stage, i.e.

                    3) Authentication takes place as per Program level
rather than as per Program Component level
                              a) This provides more granular control,
but
                              b) Has the positive effect of reducing the
noise of operation significantly
                              c) Please see further below for examples
of Program Component Types relating to Component Level Access Control
and Component Level Program Authentication [in [(6) 5) e) C)]

                    4) Soon after this 'honeymoon' the user alters the
setup of controls due to confidence deserved by the SW FW

                    5) This results in-

                              a) All inbound, blocked traffic does not
cause any noise at all. It may however, be logged at whatever
granularity the user prefers.

                              b) I myself changed my settings for
logging significantly after joining reporting to DShield.org's
Collaborative Intrusion Detection, however-

                              c) Joining reporting to DShield.org's
Collaborative Intrusion Detection, however did not affect in, e.g.
giving up silent operation [regarding inbound intrusion attempts]

                              d) If user prefers, this blocking of
intrusion attempts may not show to intruders at all.

                              e) If user prefers, all or any outbound
traffic may be permitted or disallowed by one or several combinations of
the following principles:

                                                  A) As per Case [one
time permit/refusal only]
                                                  B) As per Program
[identified, e.g. by full path and MD5]
                                                  C) As per Program
Component [component level access control for outgoing traffic (on
*.acm, *.cnv, *.cpl, *.dll, *.drv, *.ftl, *.ocx, *.qtx, ... level)]

                              f) All inbound traffic is still blocked
[except authenticated responses to authorised outbound traffic]

                              g) Running server program(s) is an
entirely different issue and can be dealt and commented with pleasure on
separate request

                              h) Program authentication control is no
longer in 'learning' mode same as [(6) 5) e) C) (above)]

                              j) This gives trustworthy and accurate
control, but causes occasional noise in otherwise silent operation

7) I am more for the "Closed box" variant and would think it to be more
likely supported with, e.g. following argumentation, theory and
practice:

8) Machine is clean [or cleaned] before installing and starting
implementation of good SW FW product.

9) All inbound traffic is blocked all the time.

10) Only response(s) to authenticated outbound traffic is not blocked.

11) If preferred, good SW FW can be set to filter/ terminate all or any
browser or Web site originated malicious code, based on mobile code
type:
     a) Blocking of scripts (javascript, vbscript, etc.)
     b) Blocking of embedded objects (java, ActiveX)
     c) Blocking of mime-type integrated objects

12) If preferred, good SW FW can be set to filter/quarantine all or any
email originated malicious code, based on mobile code type. I would call
it interesting User would choose not to utilize this type of protection
since there is absolutely no harm done. You can use the quarantined
email attachments ad-hoc if you wish and have checked any individual
item to be safe. So, with a good SW FW you might also want to consider
disallowing all of the following extensions since they are capable of
spreading viruses, worms, Trojan horse programs, and other malicious
code or malware as well [the entire list in alphabetical order by name
of extension]:

Application (.EXE)
Batch File (.BAT)
Compiled HTML Help File (.CHM)
Control Panel Extension (.CPL)
HTML Applications (.HTA)
Internet Communication Settings (.INS)
Internet Communication Settings (.ISP)
Internet Shortcut (Uniform Resource Locator) (.URL)
JScript(r) Encoded Script File (.JSE)
JScript(r) File (.JS)
Microsoft(r) Access Add-in (.MDA)
Microsoft(r) Access Application (.MDB)
Microsoft(r) Access MDE Database (.MDE)
Microsoft(r) Access Project Extension (.ADE)
Microsoft(r) Access Project (.ADP)
Microsoft(r) Access Wizard Template (.MDZ)
Microsoft(r) Common Console Document (.MSC)
Microsoft(r) Outlook(r) Profile Settings (.PRF)
Microsoft(r) Visual Foxpro Table (.DBX)
MS-DOS(r) Application (.COM)
Outlook Express Folder File (.NCH)
Photo CD Image (.PCD)
Registration Entries (.REG)
Screen Saver (.SCR)
Security Certificate (.CRT)
Setup Information File (.INF)
Shell Scrap Object (.SHB)
Shell Scrap Object (.SHS)
Shortcut to MS-DOS(r) Program (.PIF)
Shortcut (.LNK)
VBScript Encoded Script File (.VBE)
VBScript File (.VB) 
VBScript Script File (.VBS)
Visual Basic(r) Class Module (.BAS)
Visual Test Source File (.MST)
Windows(r) Explorer Command (.SCF)
Windows(r) Installer Package (.MSI)
Windows(r) Installer Patch (.MSP)
Windows(r) Media Audio/Video (.ASX)
Windows(r) Media Skin (.WMS)
Windows NT(r) Command Script (.CMD)
Windows(r) Script Component (.SCT)
Windows(r) Script Component (.WSC)
Windows(r) Script File (.WSF)
Windows(r) Scripting Host Settings File (.WSH)
Windows(r) Help File (.HLP)

13) There are more executables than those with the 46 extensions listed
above [please see point (14) (below)]. However an example of a good SW FW includes blocking of
the previously mentioned attachment types BY DEFAULT. This approach in
general gives powerful and flexible control over executables. It
provides the option of safely deciding per case what to do with the
attachment. 'Open or not to open' that's the question. But if to open:
only after having examined it to be safe.  :)  The solution includes
quarantine for all attachment types of user's decision. In addition to
that it provides an easy way to delete, open or “save as” options per
case.

14) Executables are defined as files having extensions of class, ~jav,
ade, adp, ans, asc, amm, bas, bat, bin, cgi, chm, cla, cmd, com, cpl,
crt, doc, dll, exe, hlp, hta, inf, ins, irc, isp, jav, jse, lnk, mdb,
mde, mrc, msc, msi, msp, mst, ocx, pcd, pdb, pif, prc, reg, scr, sct,
shb, shs, url, vbe, vbs, wsc, wsf, wsh, xls, do, js, pl, vb, or xl.

15) Using common sense and implementation of several independent,
overlapping and superfluous defense tactics originally a la “Defense in
Depth” method (in the Art of War by Niccolò Machiavelli, 1494–1527) in
addition to good behaviour supporting security is about what the user
can do.

16) Common sense should not be hard to find. It would appear to be one
of world's most democratically spread natural resources. -Judging from
the fact of very seldom hearing people complain about not having in
their possession the rightful share of this common natural resource.

17) External firewall and NAT router appliances provide excellent
"natural protection" from external intrusion or hacking. For systems
where a NAT router makes sense (i.e. multiple machines sharing a single
Internet connection) I would start by taking a look in this direction
[for performance and price ratio - underlining expected performance, if
picked up at, e.g. B**t B*y for, e.g. US $19.99 - not that bad for what
it presumably delivers. Opinions expressed in posts at site below are
interesting in view of what I have previously found out about the box]:

http://www.practicallynetworked.com/review.asp?pid=470

"... On the other hand, I don't want to know how many confused firewall
users call tech support to have them explain some alert that just popped
up."

18) Yes! In my opinion this enlightens the problem further: Not wanting
to know [facts, i.e.]. Could that be a problem?  ;) -Understanding the
expression is merely used in this context to communicate an attitude and
opinion rather than periphrasis. Insufficient research applies for my
own 'research' on the NAT router issue - just as well.  :)


- Peter


                    "The surest way to be deceived 
               is to consider oneself cleverer than others."
        François, Duc de La Rochefoucauld (1613–80); French writer


PS.  Please, also bear in mind the Sixth Immutable Law of Security:

“A machine is only as secure as the administrator is trustworthy”
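As an added example (not code from the post, nor from any firewall product it mentions), the quarantine-by-extension policy of points 12 to 14 written out in Python: the 46 listed types are quarantined by default, a type is judged by the extension Windows would actually act on (case-insensitive, trailing dots and spaces ignored, last component only, so "invoice.pdf.exe" is an .exe), and an attachment the user has already examined is released by matching its MD5, the same way the post identifies programs by path and MD5. The sample message is constructed; nothing here is a real capture.

```python
import hashlib
from email.message import EmailMessage

# The 46 attachment types the post recommends blocking BY DEFAULT (point 12), lower-cased.
QUARANTINE_EXT = frozenset("""
exe bat chm cpl hta ins isp url jse js mda mdb mde ade adp mdz msc prf dbx com nch
pcd reg scr crt inf shb shs pif lnk vbe vb vbs bas mst scf msi msp asx wms cmd sct
wsc wsf wsh hlp
""".split())


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def effective_extension(filename: str) -> str:
    """Extension Windows acts on: case-insensitive, trailing dots/spaces ignored,
    and only the LAST component counts, so 'invoice.pdf.exe' is an .exe."""
    name = filename.lower().rstrip(". ")
    return name.rsplit(".", 1)[1] if "." in name else ""


def attachment_verdict(filename: str, data: bytes, released: frozenset) -> str:
    """'allow' (type not on the list), 'quarantine', or 'released' when the user has
    examined this exact content before (identified by MD5, as the post does for programs)."""
    if effective_extension(filename) not in QUARANTINE_EXT:
        return "allow"
    return "released" if md5_hex(data) in released else "quarantine"


def triage(msg: EmailMessage, released: frozenset) -> dict:
    """Verdict per attachment of a parsed message; the text body is never an attachment."""
    return {
        part.get_filename() or "": attachment_verdict(
            part.get_filename() or "", part.get_payload(decode=True) or b"", released)
        for part in msg.iter_attachments()
    }


def build_sample() -> EmailMessage:
    """Constructed sample message (not a real capture) with four attachments."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for name, body in [("Setup.BAT", b"@echo off\r\n"), ("report.pdf", b"%PDF-1.4\n"),
                       ("invoice.pdf.exe", b"MZ\x90\x00"), ("README", b"plain notes\n")]:
        msg.add_attachment(body, maintype="application", subtype="octet-stream", filename=name)
    return msg
```

Releasing by hash rather than by name means a renamed copy of the same examined file passes, while a different file with the same name is quarantined again.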