[Dshield] Back to Multiple Firewalls

Stephane Grobety security at admin.fulgan.com
Tue Mar 19 07:34:03 GMT 2002


NR>     I use ZA even though I'm currently behind a router precisely for the
NR> outbound connection control: if a trojan somehow got past my anti-virus, 
NR> it's harder for it to report back to its master without alerting me.

But would an IDS like SNORT be more effective at that task? I mean:
you wouldn't have to bother with authorising everything, just keep an
eye on the alert log.

But anyway, once a trojan has been installed on your machine, it's not
your own any more. Since ZA is a pretty popular product, you can bet
that the trojan author has included a way to disable it "silently"
as part of its install procedure. It might even be that the trojan is
working at a level below ZA. On the whole, that seems to offer
little additional protection to me, if any.

NR> In
NR> addition, if I accidentally install something that contains "spyware," I'm 
NR> more likely to find out about it with the firewall ("What do you mean, 
NR> 'TextEditor.EXE is trying to be a server?'").

Well, spyware usually doesn't run as a server: it's pretty pointless,
since it only wants to SEND information to a central server. But
anyway, that doesn't invalidate your point.

However, the way I see it, a "spyware" would be something monitoring
your activity and reporting back home (we are not talking password
stealers here, as they fall into the "trojan" category) and that is
usually included in networked programs (download managers, browser
enhancements, etc.), so you'll have a hard time keeping track of what
is a legitimate connection and what's not, in particular if the author
has been smart enough to use the same protocol as for legit
operation.

NR> And finally, it allows some
NR> control over when legitimate programs "phone home" (Real Audio, Windows 
NR> Media Player, etc.)

Ah... Unless something new has been discovered about Media Player,
what it does is get the track name from a database. (I don't know
about RA. I just can't stand RA for other reasons.)

NR>  (However, I admit that in this last case, it is only
NR> of marginal value: if the program can't phone home when I play local files, 
NR> nothing will stop it from attempting to do so when I play an internet 
NR> stream and have to grant it outgoing permission.)

Well, that's mostly your call, yes. Also, playing a local file might
still create a legit outgoing connection. In the current state of
computing, where even word processors start to require a TCP/IP stack to
work correctly, you'll have a harder and harder time deciding what is
a legitimate connection and what is not.

But anyway, I see your point, thanks for the precision.

Good luck,
Stephane
-- 
Best regards,
 Stephane                            mailto:security at admin.fulgan.com