On 2010-08-06 19:36, John Sessoms wrote:
> Hardware firewall won't stop "phone home" behaviour, will it?
> I think it should if you tell it to.
Hmmm, that can be really tricky due to what's generically known as
"application level gateways". Please excuse the massive
oversimplification to follow ...
Basically, a number of network protocols require what I'll call
ancillary connections. For example, when you FTP into a computer, it
opens an FTP connection and you communicate with it over that connection.
When you send over that connection a command to download a file, both
ends keep the original connection open for your "FTP command line", and
they also open another connection for the file transfer. The firewalls
know about this protocol behavior, and accommodate it by silently
opening a temporary (ephemeral) hole in the firewall for that secondary
(ancillary) connection for the FTP file transfer.
A variety of common Internet protocols exhibit similar behavior, and the
firewalls know about them. As a "convenience", they often provide
similar "silent leaking" logic for many different protocols, as
described above.
These sorts of "convenience" features can allow "phone homes" to egress
your network unreported by subverting some unrelated protocol.
That's one of the reasons that I run a hardware router, a hardware IPS
(I get it free because I help write the IPS code), and I also have
firewall software installed on my systems ... the (software) firewall on
the host is the only one I can thoroughly rely on to stop phone homes.
And the only reason for that is that I have it configured to always
alert me when a program tries to send data out the network port and
require my acquiescence (it has a white list, of course, which is a risk).
I won't even get into the ways that the nefarious can leverage normal
protocols, ports, and hosts to do their misdeeds in ways that would
require blocking essentially all, for example, Web or email traffic, to
completely prevent the egress.
Powerful, flexible technologies confer powerful, flexible capabilities
and often (at least imply) onerous responsibilities. Those capabilities
can be used for good or evil, and will probably be used for both, if the
technology is prevalent enough. Acceptance of the responsibilities is
optional. Some people choose not to accept the responsibility and are
thus unconstrained.
--
Thanks,
DougF (KG4LMZ)
--
PDML Pentax-Discuss Mail List
[email protected]
http://pdml.net/mailman/listinfo/pdml_pdml.net
to UNSUBSCRIBE from the PDML, please visit the link directly above and follow
the directions.
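The "silent leaking" logic described in the message above can be made concrete with a small simulation. The following is an added example, not code from the original post or from any real firewall product: it models a stateful firewall with an FTP application-level gateway that watches the control channel, opens an ephemeral pinhole for each announced data connection (PORT in active mode, 227 reply in passive mode), and logs every pinhole so it is not "unreported". It also shows the check a defender usually wants switched on: refusing a pinhole whose advertised address is not the control-channel peer, so the convenience hole cannot be pointed at a third host. The IP addresses, the transcript and the `strict` flag are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# RFC 959 forms: "PORT h1,h2,h3,h4,p1,p2" from the client (active mode) and
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" from the server (passive mode).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227\b.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups) -> Tuple[str, int]:
    """Turn the six comma-separated numbers into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass
class Pinhole:
    initiator: str      # side allowed to open the data connection
    target: str         # address it may connect to
    target_port: int
    mode: str           # "PORT" (active) or "PASV" (passive)
    mismatched: bool    # advertised address differs from the control-channel peer


@dataclass
class FtpAlg:
    client_ip: str
    server_ip: str
    strict: bool = True                      # refuse pinholes to third-party addresses (assumed policy knob)
    pinholes: List[Pinhole] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def _open(self, initiator, target, port, mode, expected_ip) -> Optional[Pinhole]:
        mismatched = target != expected_ip
        if mismatched and self.strict:
            self.log.append(f"REFUSED {mode} pinhole to {target}:{port} (expected {expected_ip})")
            return None
        hole = Pinhole(initiator, target, port, mode, mismatched)
        self.pinholes.append(hole)
        flag = " MISMATCH" if mismatched else ""
        self.log.append(f"OPENED {mode} pinhole {initiator} -> {target}:{port}{flag}")
        return hole

    def client_line(self, line: str) -> Optional[Pinhole]:
        """Client command on the control channel: PORT announces where the
        server should connect for the data transfer."""
        m = PORT_RE.match(line)
        if not m:
            return None
        ip, port = decode_hostport(m.groups())
        return self._open(self.server_ip, ip, port, "PORT", self.client_ip)

    def server_line(self, line: str) -> Optional[Pinhole]:
        """Server reply on the control channel: 227 announces where the
        client should connect for the data transfer."""
        m = PASV_RE.match(line)
        if not m:
            return None
        ip, port = decode_hostport(m.groups())
        return self._open(self.client_ip, ip, port, "PASV", self.server_ip)

    def allows(self, src: str, dst: str, dst_port: int) -> bool:
        """Would the firewall admit a new TCP connection src -> dst:dst_port?
        Only an exact pinhole match passes; anything else is dropped."""
        return any(h.initiator == src and h.target == dst and h.target_port == dst_port
                   for h in self.pinholes)


def run_session(client_ip: str, server_ip: str, lines, strict: bool = True) -> FtpAlg:
    """Feed a (direction, line) control-channel transcript through the ALG."""
    alg = FtpAlg(client_ip, server_ip, strict)
    for direction, line in lines:
        if direction == "C":
            alg.client_line(line)
        else:
            alg.server_line(line)
    return alg


# Constructed control-channel transcript using documentation addresses, not real hosts.
SESSION = [
    ("C", "USER anonymous"),
    ("S", "230 Login successful."),
    ("C", "PORT 192,0,2,10,4,1"),                               # active mode, client's own address
    ("S", "200 PORT command successful."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (198,51,100,7,39,17)."),   # passive mode, server's own address
    ("C", "PORT 203,0,113,5,0,80"),                             # advertises a third-party address
]

if __name__ == "__main__":
    alg = run_session("192.0.2.10", "198.51.100.7", SESSION)
    print("\n".join(alg.log))
```

Run with `strict=True` the third PORT command is refused and logged; run with `strict=False` (the "convenient" behaviour the message warns about) the firewall opens a hole from the server to 203.0.113.5:80 that had nothing to do with the FTP session's two endpoints. Either way, the `log` list is what turns a silent hole into a reported one.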