Policy-based Firewalls, Ports and Protocols.
Source-address-based firewall schemes didn't work that well for me.
I thought I might get by just blocking a few spurious IP addresses, update my software firewall/antivirus and get by on the Web for quite a while, since, out of the millions of PC's on the Internet, I'm not all that popular, else my résumé would have been found by that perfect employer by now. After blocking over 400 IP ranges, I decided it would be easier to implement a policy-based schema on the hardware firewall.
Software vs. Hardware Firewalls.
On a certain consumer level, hardware firewalls aren't that much better than software firewalls. In fact, in some cases the software firewall / anti-virus packages may be better because they're updated regularly. However, if the software firewall fails and you have to re-image your computer, the configuration information will be lost unless you are able to recover it, while a hardware firewall is a lot less likely to lose its configuration, and its configuration can be backed up just as your computer's information can be backed up. It's more a matter of doing the back-up than whether the back-up can be done.
The main problems I've had with hardware firewalls are that they're slow and easy to overrun, at which point they fail. They don't block all that many IP ranges before they run out of space, and they principally deal only in the TCP and UDP protocols and maybe a few ports within those protocols.
Protocols and Tunneling.
Surprise! As of March, 2011, there are some 144 or so Internet routable protocols of which TCP, UDP and ICMP comprise only three. Microsoft didn't tell you that, did they? Please see:
http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml .
Now you can refute that with your MCSE, CNE and CCNA, but IANA, the Internet Assigned Numbers Authority, and ICANN, the Internet Corporation for Assigned Names and Numbers, together with the IETF, the Internet Engineering Task Force, not Microsoft, are the ultimate authorities on which and how many Internet protocols exist. (Notice that I'm not discussing hardware networking protocols here.)
If software firewalls and typical consumer firewalls only deal with TCP, UDP and ICMP (Ping, etc.), is that all that's relevant? No! Not by a long shot.
Suppose I could encapsulate an otherwise non-routable IP address within a routable one. Suppose I could hide my firewalled IP address within the same type of encapsulation and slide packets right by your firewall without it even noticing. It's not even difficult. It requires only a few lines of Unix/Linux configuration code and a considerable amount more configuration if you want to do this from Windows or DOS. For an example of such code, please see:
http://www.linuxfoundation.org/collaborate/workgroups/networking/tunneling#IPIP_tunnels .
I wanted to provide you with an example of the code because there's always some "expert" who would just shake his head and mutter "No!". "No!" simply means he doesn't know how to do this or how to block it, not that it doesn't exist at all. In fact, people have been tunneling IPv6 through IPv4 addresses for several years now. You can believe that "expert", or you can see for yourself, in the following example:
http://msdn.microsoft.com/en-us/library/ms737544(VS.85).aspx .
Policy-based Hardware Firewalls.
At the time of this writing, I have over 400 IP ranges blocked on one border-network firewall, and if I relied solely on source-address-based firewalling, that wouldn't even be enough. It's a big world and a big Internet out there. This weekend, I watched as IP addresses attacked my home network faster than I could write down the offending addresses, and it seemed there was no end to the addresses that were attacking. In practice, it was probably a bot attacking my Internet firewall, and it was possibly someone I knew who maybe didn't agree with my point of view. Nonetheless, I couldn't differentiate between the real IP numbers attacking and the feigned IP addresses, especially not at the rate the attacks were coming in.
I only needed to get my email, see a few Web sites for information purposes, and conduct a few secure transactions. I just wanted to study for my MCSE and get by, not conquer the Internet, but in order to get the information I needed without having someone infect or reconfigure my computers' operating systems and data, I didn't have a choice.
Getting your email, updating your Web site, paying your bills, etc., on the Internet only requires a few ports out of two protocols: Transmission Control Protocol (TCPv4), protocol #6, and User Datagram Protocol (UDPv4), protocol #17. That's it. I didn't need IP-in-IP, protocol #4, or Private IP Encapsulation Within IP (PIPE), protocol #130, and I sure as heck didn't want IPv6, for which I don't know of any hardware firewall appliances available for under $1000.00.
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers#Well-known_ports:_0.E2.80.931023 .
Since getting email, making secure connections to pay your bills, and browsing the Internet only require about 20 of the 65535 ports available just within two of the 144 Internet protocols, I blocked 98% of the Internet protocols, obviously the most potentially harmful ones, and 75% of the ports within the protocols I needed.
With what was left, it was going to be awfully difficult to mess with my computers, but it was still possible. People could still create a secure tunnel right past my border-network firewall (from practical experience), and it would never even see the data stream. I had to ensure that the protocols and ports I authorized were initiated by me, and were not feigned IP's or nefariously constructed communication sessions. How I accepted connections turned out to be more important than whom I blocked, since the former is simpler to define than the latter.
Consumer Firewalls and You.
Most of you aren't going to be able to do this because you're using software or hardware firewalls that can't always accurately differentiate between locally initiated connections and remotely initiated connections, despite having Stateful Packet Inspection (SPI) and despite being able to look at which port the packets came from and how the packets are addressed. Programmers send fragmented packets to bog your firewall down, packets with the "from" and "to" addresses turned around, and packets from IP's that aren't theirs. Despite what your local "experts" tell you, it works; it gets through your Internet firewall, and it's right there on your inner software and hardware firewalls for you to read, if you know what you're looking for.
If you block an IP or IP range on your consumer firewall or software firewall package, it will likely block both incoming and outgoing traffic to that IP. So while you'll be protected from the incoming malware, etc., you didn't get the Internet so that you could be blocked in, unable to get out. You need to be able to block incoming data connections from specific IP's, from specific ports and protocols, while concurrently being able to get out to where you want to get to on the Internet. So, with your SOHO firewall, if someone feigns an IP address you need to get to, or an IP address in that range, while attacking your network, your own firewall will likely block that IP or range, for your own protection, and you won't be able to get to the Web site you were trying to get to for somewhere between 5 minutes and an hour.
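As an added example (not the post's own code), here is a small Python model of the policy the last two sections describe: only protocols #6 and #17 are allowed, only a short list of outbound ports, replies are admitted only for connections the inside host started, and a hostile host stays reachable outbound while its unsolicited inbound traffic is dropped. The LAN prefix, the port list and the sample packets are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TCP, UDP = 6, 17
ALLOWED_PROTOS = {TCP, UDP}          # IP-in-IP (#4), PIPE (#130), 6in4 (#41) etc. never pass
ALLOWED_OUT_PORTS = {                # the "about 20 ports" a home user needs (constructed list)
    TCP: {25, 80, 110, 143, 443, 465, 587, 993, 995},
    UDP: {53, 123},
}
INSIDE = ip_network("192.168.1.0/24")   # constructed home LAN prefix

@dataclass(frozen=True)
class Packet:
    iface: str      # "lan" = arrived from inside, "wan" = arrived from the Internet
    proto: int
    src: str
    sport: int
    dst: str
    dport: int

class PolicyFirewall:
    """Default-deny and stateful: only inside-initiated flows and their replies pass."""
    def __init__(self):
        self.flows = set()   # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def decide(self, p):
        if p.proto not in ALLOWED_PROTOS:
            return "DROP protocol %d" % p.proto
        if p.iface == "wan" and ip_address(p.src) in INSIDE:
            return "DROP spoofed inside source"       # a "from" address that isn't theirs
        if p.iface == "lan":                           # outbound direction
            key = (p.proto, p.src, p.sport, p.dst, p.dport)
            if key not in self.flows:                  # a new connection from inside
                if p.dport not in ALLOWED_OUT_PORTS[p.proto]:
                    return "DROP port %d not permitted" % p.dport
                self.flows.add(key)
            return "ACCEPT"
        key = (p.proto, p.dst, p.dport, p.src, p.sport) # inbound: reply half of our flow?
        return "ACCEPT" if key in self.flows else "DROP unsolicited inbound"

def demo():
    fw = PolicyFirewall()
    samples = [   # constructed sample traffic
        Packet("lan", TCP, "192.168.1.10", 50000, "203.0.113.5", 443),  # outbound HTTPS
        Packet("wan", TCP, "203.0.113.5", 443, "192.168.1.10", 50000),  # its reply
        Packet("wan", TCP, "203.0.113.5", 40000, "192.168.1.10", 445),  # unsolicited, same host
        Packet("lan", TCP, "192.168.1.10", 50001, "203.0.113.5", 23),   # outbound to an unneeded port
        Packet("wan", 4, "203.0.113.5", 0, "192.168.1.10", 0),          # IP-in-IP tunnel attempt
        Packet("wan", TCP, "192.168.1.99", 443, "192.168.1.10", 50000), # spoofed inside address
    ]
    return [fw.decide(p) for p in samples]
```

Note that the same outside host (203.0.113.5) is reachable when the inside host opens the connection, yet nothing it sends on its own initiative gets through.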
So what do you do? Spend the money that's going to be ripped from your bank account, if you don't buy a decent firewall, and get one that will block hundreds of IP addresses, protocols and ports, as you see fit, not as the firewall sees fit, or the firewall salesman promises you the firewall will do. Use the links I've provided to learn about the Internet for yourself, because some of those teaching you "everything you need to know", don't know that much themselves or, at least, are unwilling to share that information with you. Learn for yourself; don't take my word for it. I could be wrong too and I'm sure there will be no shortage of people who are willing to assert that I am wrong.
Good luck!
JOHN