• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 301
  • Last Modified:

How to transfer a file without being blocked by software firewalls?

My current solution:
I transfer files from an FTP server I have set up on a Win2K3 server (port 21). I have a .NET 2.0 Windows Forms application (call it MyClientApp) that runs on the client PC and communicates with my FTP server to determine if it needs to get a file. MyClientApp, when installed, registers itself with the Windows firewall along with the ports it uses -- this works in about 70% of the cases. But some clients run Norton or McAfee or other 3rd party software firewalls that block MyClientApp.

This generates a lot of support calls, so I was wondering if there is some other method I can use to transfer files that isn't automatically blocked by most firewall software.  I know Port 80 is always left open so that the browser works -- is there a way using .NET 2.0 framework (VB.NET) to reliably transfer files over this port?

Rob.
0
Asked: RobAinscough
2 Solutions
 
ElrondCTCommented:
I think you're trying to defeat the fundamental purpose of a firewall, which is to protect against unknown attempts to connect to or from a computer. If a particular port were always open, you can bet that hackers would be using it.

AFAIK, all software firewalls will block any unregistered program that's trying to access the Internet no matter what port it uses; that's why they exist. It becomes the user's responsibility, when installing a new program, to set permissions in the firewall to allow the outbound access by your program. You might want to write up clear instructions on how to set permissions for any of the major firewalls (Norton, McAfee, and ZoneAlarm come to mind), and include that in your installation instructions.
0
 
RobAinscoughAuthor Commented:
Port 80 is always open -- so what is your point?

"User's responsibility" -- there are literally hundreds of 3rd party software firewalls -- a large percentage of my users don't even understand what blocking means, let alone what the firewall is and why it exists in the first place. If the solution is "User's responsibility" then that is NOT a solution -- that's a guaranteed support call.

Like I said, I register my .NET App with the Windows Firewall exception list -- that's working fine, but other 3rd party firewall software doesn't use or care about Windows Firewall exceptions list.

Perhaps you just don't understand the situation. Clients purchase my software. They install my software on their PC. My software configures itself (registers itself) for the Windows XP SP2+ firewall exceptions list. So far so good, all works.

You make the assumption that a file transfer and connection automatically means a hacker or security flaw -- that's just NOT a valid assumption. If it were the case, then PCs may as well just not come with any networking facilities at all -- get my point? Who's the prisoner here? The hacker or the user?

Valid applications installed by the end user should have a valid means of communication without being automatically blocked. If not, then it's time to dump Windows as a viable OS.

Rob.
0
 
ElrondCTCommented:
You don't seem to understand the purpose of a software firewall, or more specifically a two-way firewall (protecting against unauthorized access both inbound and outbound). A two-way firewall is designed to prevent ANY program from accessing the Internet without the user specifically permitting that outbound access. They are specifically designed NOT to allow the program to automatically give itself access, or every hacker in the world would use that hook to allow bots and other malicious software to connect outbound without the user knowing. The Windows XP firewall may allow such a hook, but that's just another example of how it's a sorry excuse for a real firewall.

Even Internet Explorer has to be validated by the firewall to make the outbound connection. Some firewalls will automatically validate IE and a very few other, well-recognized, digitally signed programs. But with any other program, the first time they try to access the Internet, a popup will typically display asking, "Do you want to allow this program to access the Internet?" Your user has to respond to that; your program can't do it for them. What you're asking for is essentially a master key to all firewalls; it doesn't exist.

Let me rephrase the issue: What makes your software any different from a bot? Yes, the user paid for it and wants it, but the computer has no way of knowing that. And a firewall has to protect against a bot gaining outbound access and transferring data to & from the botnet. Exactly how should the firewall distinguish between you and the bot? The method that all the two-way firewalls I know of have chosen is to prompt the user for confirmation when the program asks for outbound access. Which OS you're using isn't really the issue; the problem is not based on the OS, but based on the need for outbound security.

The only way I know of to avoid a "guaranteed support call" is to clearly explain to them what they need to do to set up their copy of the application.
0
 
RobAinscoughAuthor Commented:
I do understand inbound and outbound very well. I think you are missing the real world application and impact firewall software is having -- my typical end user does NOT know nor really care that much about what the software is doing behind the obvious GUI interface presented to them. They have no concept of firewalls, routers, nor do they have any expectation that the software they just purchased is to be used for anything other than what they paid for.

Here is what you/firewalls have assumed:

1.  All software installed that communicates thru any ports is considered unsafe -- reality is that 99.99% of the software in the real world IS safe and >0.0001% of "purchased" software is not actually safe.
2.  All users understand firewall blocking messages (I can assure you at least 50-60% of my users don't) and can respond accordingly -- again, real world is no they can't.
3.  Users read anything (very few RTFM, <10%)

Now, you can argue til ya blue in the face that a User must do this and must do that but the reality is they don't -- they simply don't. They pick up the phone and make a support call or they just don't do anything and continue with crippled software and/or stop using their computer completely or buy a Mac.

So we have digitally signed software, ok -- pay someone money to get a digitally signed app (BTW, I've seen digitally signed bots sooo this isn't effective), but the end result is still the same -- some firewall software will still block it regardless -- back to a support call.

You can't just say "it's the user's responsibility" because they'll just stop using it -- and that does NO ONE any good. I'm a little surprised that current "solutions" to a very small problem are blanket solutions -- make everyone pay so we can stop that 1 in a million chance. This is not effective risk mgmt.

We can live in paranoia for the rest of our lives or we could manage the risk intelligently and build far more sophisticated OS and/or security software that doesn't dump 100,000 gallons of water on 1 foot camp fire -- you get my point?

The vast majority of firewall software (Microsoft, Norton, McAfee, etc.) isn't promoting a stealthy intelligent blocking method; instead theirs is an IN YOUR FACE approach with endless prompts to an end user that say "MyApp.DLL is trying to access the internet thru port 1400, is this Ok?" -- what the heck does the end user know about MyApp.DLL?? Not to mention what do they know about port 1400. Just as they couldn't answer a question like those provided by uninstallers that say "this is a shared component with XYZ.EXE do you want to keep it?" You should NEVER prompt a user with a question you know they can't answer. Why is this relevant? Because it's the same old assumption being made by the same old designers/developers and nothing is changing -- I would have expected Vista to come up with a much better end user experience in this area, yet it is actually worse than WinXP.

But your way of thinking is exactly part of the problem; nobody is investing the time and money to deal with a significant issue in a manner that is truly end user human friendly. The same old stuff just keeps coming out from the same old big names. Hacking and hackers have very similar patterns to their activity -- these patterns are what firewall/security software should be detecting, not over simplified solutions with no regard to end user convenience nor the support that it might generate.

Sorry for the long response.

Rob.
0
 
ElrondCTCommented:
Your problem isn't with me, it's with 1) the makers of two-way firewalls, and 2) the scum who are writing malicious code. I'm telling you what software can and can't do in the real world, while you're complaining that life ought to be different.

Security is always a nuisance; it is, by definition, a limitation on freedom caused by lack of trust. That's true whether it's software, hardware, or a lock on the front door. Having to keep track of a variety of passwords and usernames on the literally hundreds of websites I'm registered with is a major pain. But complaining that "anyone ought to be able to see I'm me and I'm a good guy" isn't going to help me any.

I do tech support for my company and I have several years of experience doing home & small business PC repair as well. I fully understand the difficulty of explaining to users what they need to do. But the point is that in the situation you're describing, THERE IS NO CHOICE! Two-way software firewalls require user interaction to confirm that a program requesting outbound access is legitimate. That is the way they work, and all your complaining isn't going to change it, so you have to figure out a different way to deal with it.

The answer to your original question is: You cannot avoid software firewalls by using a different port. I know that's not the answer you want, but that's the way it is. Either write better installation documentation (and error messages in your software), or plan that you're going to get phone calls, and price your software to include the cost of answering the calls and walking people through what they need to do.
0
 
RobAinscoughAuthor Commented:
So port 80 can't be used to transfer files?  Port 80 is commonly left alone (by default) by the majority of firewall products.

My point was that security does NOT have to be IN YOUR FACE -- Mac OS X is NOT in your face nor are the various Linux versions. Only Microsoft employs this type of solution. It doesn't have to be this way; this is just the easy road for Microsoft's implementation which they're forcing on the end user -- more "take it or leave it" from the kings of leverage -- same with all the other major firewall players.

But do you really understand what you're saying -- if you believe there is "no choice" then you have pretty much sealed the fate of Microsoft's OS and have by your own definition limited the market share.  1 in 5 people use computers -- this is not a good statistic -- this is a bad one.  This has remained the same since about the year 2000.  If the technology industry wants to expand, they need to start changing some of their basic assumptions and start working on real solutions that do NOT put the responsibility into the end user.  A consumer buys a tool (aka computer) to help them, not to "make them responsible".

Anyway there are solutions -- dumping or evolving TCP/IP is the first part of the solution so that packet source can't be modified. Hacker programs pretty much do the same type of activity over and over; this activity has a common signature and can be detected at the OS level (if such detection were built into the OS). If the OS were coded better so that listening services can't be crashed with overflows you'd remove a huge number of threats right there. There are so many things that can be done at the OS level that just aren't being done -- instead the blanket firewall approach is used because it's easy for Microsoft to shift the responsibility to the end user rather than come up with a better OS that is more secure. That's the real bottom line.

This is human nature -- and there is always a choice. Boom town is no more in the computer industry simply because we made stupid assumptions about the end user and we're just too lazy to come up with better solutions. The tech industry has effectively built its own prison and seems to have convinced you and others that this is "the way it is".

Trust no one. This is flawed in so many ways.

Rob.
0
 
ElrondCTCommented:
If you want to redesign the entirety of the computing experience, be my guest. That's a considerably bigger job than answering a support call. If you think it's hard to get a user to click "Allow" when a firewall pops up asking him whether a program should have outbound access, I don't know how you think you're going to be able to convince a user to move to a new OS or a new Internet protocol.

When I say you have no choice, I'm talking about how to get your program working in the environment that exists today, where your clients are running some version of Windows and have a two-way firewall (which was, after all, your original question). Given that context, you cannot program around the situation; you MUST involve the user. If you want to choose to make your software available only under Mac OS or Linux, you can, but don't then complain if your potential customers don't go there with you.

But if you want to talk at the blue sky level--exactly how do you think a firewall should distinguish your good software from bad software that wants outbound access, from the very first request? Looking for a pattern of behavior is shutting the barn door after the horses have escaped; by definition, a pattern is developed after multiple actions, but if the very first outbound access includes your credit card number, you're already in trouble. Getting a message from the firewall, "Sorry, based on the pattern of operation of program ABC123.exe, we believe that in the last 24 hours all your personal information has been sent to Russia," is hardly the kind of security I want. Looking for a hacker's signature, by the way, leaves everyone vulnerable to brand-new exploits. I have personally found viruses on clients' computers that weren't picked up by fully up to date antivirus software, because the signature of the program had been slightly altered. Such a program, however, won't be able to send information out through a firewall, because the firewall blocks all programs based on what they want to do, not based on whether they're in a list of known dangerous programs.

I agree that the messages firewalls and installation programs provide are often difficult to decipher. Part of that is the fault of the program developers; why is WebEx's remote PC linking program called Raagtapp.exe, for instance? When the firewall says, "Raagtapp is asking for Internet access," is there any surprise that a user will be confused? But that's not the firewall's fault. Sometimes the firewall will offer a link to a web page that will translate the program name to something meaningful, but you can't expect Norton or McAfee to keep a database of every program that might legitimately want Internet access, so often the page just says, "Unknown program." I don't blame them for that.

"1 in 5 people use computers"--if true, that's got to be a global statistic, not the U.S. or other developed countries. Broadband penetration alone is considerably higher than that in the U.S. (I did a little poking around, and it looks like that's the number of people worldwide using the Internet, which is not the same thing as using computers. It looks like in the U.S., about 2/3 of people use the Internet.) But the reason that the huddled masses of Calcutta and Nigeria aren't using computers has little to do with the difficulty of understanding and using the Windows operating system; when you're living on $1 a day or less, being able to surf the Web isn't really high on the priority list.

I am not an apologist for Microsoft; I think they have never had a high priority on security, though lately they seem to be getting dragged kicking and screaming into it. But I do think sometimes people don't really think through the technical challenges involved in dealing with people who are actively malicious. The old line, "If we can put a man on the moon, why can't we...?" almost always ends up referring to an issue where the problem isn't fundamentally technical, but human behavior. The moon wasn't trying to defeat our attempts to go there; hackers, on the other hand, are fighting the attempts to rein them in, and they have no moral compunction about lying, cheating, and stealing. It's sad not to be able to trust people, but unfortunately operating online on a principle of "trust until you're burned" is a guarantee to be turned into a cinder.
0
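The distinction ElrondCT draws in the two posts above (a two-way firewall decides per program and remembers the user's answer; a firewall keyed on a list of known-bad programs is defeated by a slightly altered binary) can be made concrete with a small model. The following is an added example written for this page; it is not code from the thread, nor from Windows Firewall, Norton, McAfee or any other product. It contrasts a port-based filter (the asker's mental model, in which "port 80 is always open") with a per-program firewall whose verdict depends on which executable is asking and whether the user has already answered a prompt for it. Program identity is modelled as a hash of the binary; that is an assumption for illustration (XP's exception list is keyed on the program path), chosen to show why a changed binary is treated as unknown again. The executable path and the binary contents are constructed sample values.

```python
"""Toy model of the two firewall designs this thread argues about (added example)."""
import hashlib
from typing import Callable, Dict


class Request:
    """One outbound connection attempt as a two-way firewall sees it."""

    def __init__(self, exe_path: str, exe_bytes: bytes, port: int) -> None:
        self.exe_path = exe_path
        self.port = port
        # Identity of the requesting program: hash of the on-disk executable
        # (assumption for this model; real products key on path, hash or signature).
        self.exe_hash = hashlib.sha256(exe_bytes).hexdigest()


class PortFilter:
    """Port-based filter: the decision depends only on the destination port."""

    def __init__(self, open_ports) -> None:
        self.open_ports = set(open_ports)

    def allow(self, req: Request) -> bool:
        return req.port in self.open_ports


class TwoWayFirewall:
    """Per-program outbound control.

    The first request from an unknown binary triggers a prompt ("Do you want
    to allow this program to access the Internet?"). The answer is cached
    against the binary's hash, so later requests from the same binary, on any
    port, get the same verdict without a prompt, while a changed binary counts
    as unknown and is prompted for again.
    """

    def __init__(self, prompt: Callable[[str], bool]) -> None:
        self.prompt = prompt                    # stands in for the user's click
        self.decisions: Dict[str, bool] = {}    # exe_hash -> allowed?
        self.prompts_shown = 0

    def allow(self, req: Request) -> bool:
        if req.exe_hash not in self.decisions:
            self.prompts_shown += 1
            self.decisions[req.exe_hash] = self.prompt(req.exe_path)
        return self.decisions[req.exe_hash]


def demo() -> Dict[str, object]:
    """Run the scenario from the thread through both models."""
    exe = r"C:\Program Files\MyClientApp\MyClientApp.exe"   # assumed path
    # Constructed stand-ins for two builds of the client binary.
    build1 = b"MyClientApp build 1 (constructed stand-in for the binary)"
    build2 = b"MyClientApp build 2 (constructed stand-in for the binary)"
    over_ftp = Request(exe, build1, 21)
    over_http = Request(exe, build1, 80)
    over_http_new_build = Request(exe, build2, 80)

    port_filter = PortFilter(open_ports={80, 443})
    # Two users: one who clicks "Block" (or dismisses the prompt), one who clicks "Allow".
    fw_blocking_user = TwoWayFirewall(prompt=lambda name: False)
    fw_allowing_user = TwoWayFirewall(prompt=lambda name: True)

    return {
        # Port filter: moving from 21 to 80 is enough to get through.
        "port_filter_ftp": port_filter.allow(over_ftp),
        "port_filter_http": port_filter.allow(over_http),
        # Two-way firewall, user blocks: port 80 changes nothing; one prompt total.
        "block_user_ftp": fw_blocking_user.allow(over_ftp),
        "block_user_http": fw_blocking_user.allow(over_http),
        "block_user_prompts": fw_blocking_user.prompts_shown,
        # Two-way firewall, user allows once: remembered until the binary changes.
        "allow_user_http": fw_allowing_user.allow(over_http),
        "allow_user_prompts_before_update": fw_allowing_user.prompts_shown,
        "allow_user_new_build": fw_allowing_user.allow(over_http_new_build),
        "allow_user_prompts_after_update": fw_allowing_user.prompts_shown,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the two models diverge exactly where the thread does: under the port filter, switching the client from port 21 to port 80 succeeds; under the per-program firewall the port is irrelevant, the user's single click decides, and the decision is re-asked only when the executable itself changes (which is also why an installer cannot pre-answer it and why shipping a new build may produce a fresh prompt and a fresh support call).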
 
RobAinscoughAuthor Commented:
The 1 in 5 is from US computer users that use a computer more than once a week -- source was IDC.

That's my point, users should NOT need to be convinced to move to a new protocol, because they should not need to know what protocol they use -- for them it all happens behind the scenes (as it should be). This is 2007 and the industry is stalled; no one is thinking outside the box or prison they've created. Even you, your first response was how is a user going to deal with a new protocol -- that is an example of exactly how the project managers and developers are thinking.

Sometimes I just wanna shake those in my industry and get them to come out of the fog -- responses of "it's too difficult" are weak.

Most hackers are complete idiots or get lucky and find an even more stupid IT person leaving a database unprotected.

Firewall -- no firewalls, what we should have is malicious software detection (and we have just now started on that but not really at the OS level). But we have to start, and dump TCP/IP or extend it to secure packets, which are currently very insecure (and I'm not talking SSL).

Anyway, the problem will continue so long as the tech industry continues in ignorance.

And your Nigerian tribe has a TV -- so computers should be at the same level of distribution as TVs and/or radio -- they're not, not even close.

Rob
0
 
ElrondCTCommented:
"The 1 in 5 is from US computer users that use a computer more than once a week -- source was IDC."

That doesn't seem plausible. Current U.S. broadband subscribership (as of Dec 2006) is 58.1 million (http://www.oecd.org/document/7/0,3343,en_2649_37441_38446855_1_1_1_37441,00.html); that's 1 in 5 of the population, and it doesn't seem likely to me that many broadband subscribers are using their computers once a week or less. Add in additional family members in broadband households, users of dialup service, and those who use computers at work or elsewhere, and your number doesn't seem close to reality.

I don't think it's impossible to initiate a new protocol. But that's a long-term solution that has a wide range of problems that need to be resolved before it can be implemented.

"We should have malicious software detection"--but exactly how do you think any automated system is EVER going to be able to 100% reliably distinguish between malicious and valid software? Again, the problem is not merely technical; you have people who are actively trying to defeat the system. It's even worse than trying to find a vaccine for AIDS; at least the HIV virus doesn't have intelligence. Some hackers are dumb; there are others who are very intelligent, and are looking for ways to make money off break-ins. There's enough money available for those who can break security that there will always be a supply of would-be felons.

Sure, we should automate as much as we can of security, but there will always be some responsibility on the user, just like we all have to carry keys to our houses (ranchers in Wyoming perhaps excluded). And so we developers need to provide the information our users need to be able to use our software within the environment they have. Your complaints sound to me like blaming Home Depot because someone lost their keys.
0
 
ElrondCTCommented:
IMHO, the answer of "you can't do that" which I gave is correct, though obviously the questioner wasn't happy with it and tried to reorient the question. It's no big deal to me if you want to award points or just delete the question.
0
 
coindonCommented:
SSH and a port redirect?
0
 
RobAinscoughAuthor Commented:
What is SSH?
0
 
coindonCommented:
Secure SHell. It runs over port 22 and encapsulates traffic by encrypting the streams using fingerprint (key) encryption. Have a look at PuTTY:
http://www.chiark.greenend.org.uk/~sgtatham/putty/
0
 
coindonCommented:
PuTTY is the client end. Most free SSH server apps run under Linux, so you'd need to run Cygwin to use them, but there are SSH server applications for Windows out there.
0
 
Computer101Commented:
Forced accept.

Computer101
EE Admin
0