On Saturday, Jul 12, 2003, at 09:41 US/Pacific, Aaron Suen wrote:

home LANs. My concern is that viruses are smart enough to spread through
the insecure MS network protocols, which can't be disabled normally
under various versions of Windows. I have Kerio firewall (It looks like
a hacked-up version of the old Tiny, before they went commercial) on
most machines, but I'm fairly sure it's nothing more than a SYN
filter. I'm just concerned as to whether smarter virus writers are
going to slip around these firewalls and spread through my LAN. Also,
I'm not sure I can trust my users 100%.

Yeah, Tiny sold their version 2 code to Kerio just before they started on v3. Kerio and similar filters should actually handle the MS protocols just fine on filtering alone, as far as IP goes. You can completely unload any non-IP protocols on the adapter.

Some malware writers are installing drivers anyway.  Tiny's v3 stuff
and a few other commercial products claim to protect against this, but
it's always going to be a leapfrog race.  If the machine is compromised,
it's compromised...

Actually, from what I've seen of both 9x and NT networking stacks, it
looks to me more like they exist entirely within "driverland", which
is neither kernel-land nor userland, really.  The network drivers for
an ethernet card collect layer 2 packets and send them up through a
layer or two more of driver space before hitting the kernel.  At least,
this seems to explain why the same firewall software works in pretty
much the same way between different versions of Windows.  Also, dial-up
and ethernet connections are handled differently, so firewalls need to
know a lot about both to work for Windows (though I'm only interested
in ethernet).  So one need (theoretically) only insert a sort of driver
between the network abstraction level of Windows (which reassembles
IP and manages things like ARP) and the physical device driver (which
simply captures and sends packets on the interface).

The Windows network architecture is extremely layered. That was one of the reasons for my "time and willingness" comment -- anyone familiar only with BSD-style network stacks is in for culture shock. But yes, the NDIS layer has a couple slots for filtering, and is roughly in that spot.

My comment about userland pf filtration is just the idea of some rather
strange uses of pf. Since there is only one pf running on a machine
at a time, and it can only be controlled by root, it can't be used for
anything but filtering real packets on real interfaces. There may be
a reason somebody wants to separate a series of networks, and perform
filtration on some channels at a reduced privilege level (e.g. so a
regular user can control filtration, or to prevent leakage between
networks). So one could use userland tunneling applications and a userland
pf. For instance, one could modify a pptp userland daemon to spit packets
through a unix-domain socket instead of a tun driver. Chain two of these
together with a userland pf in between, and the user now has a filtering
pptp proxy, using the ultra-powerful pf engine, which the admin of that
machine doesn't have to maintain or worry about. The user running this
proxy could administer it as a normal user, without needing any kind of
privilege escalation. So you could use your OpenBSD server to run a VPN
that you don't want to actually be connected to.

Something like this would probably fit the bill: http://www.tel.fer.hr/zec/vimage/

I haven't heard any rumors about that happening for OpenBSD though.
It would certainly be fun to play with.
