• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 242
Can a firewall be set up to stop any input or output from a specified application?

Suppose one is running an application, say an Electronic Medical Record (EMR), which is not ASP; it runs on the workstations and accesses the database from the server. The workstations connect to the Internet through the server, and the server connects via a switch -> router -> cable modem. Router = PIX 501.
Rumor has it that the developer of the EMR has written code into the latest upgrade whereby he can disconnect the program via the Internet.
 
I remember that software firewalls such as ZoneAlarm, etc. can stop traffic in and out of a certain software program. But it also popped up quite a bit on programs that you wanted to have Internet access, such as antivirus programs or Outlook, etc. Is there a way to block access to a program via a hardware firewall, or via a software firewall either on the server or on each client computer, without affecting other programs? The program isn't actually running on the server, just the databases.

Thanks.
Asked by Bert2005

2 Solutions

rsivanandan commented:
PIX 501 is not a router but a very good firewall. So we can do a lot of access control based on protocols. But I didn't quite get what exactly you want to do. Can you clarify more?

See, the point is, once the traffic reaches the Internet and somebody on the Internet does something to it, then nothing can be done, but we'll see. So explain what you would like to do and then we'll see about it.

Cheers,
Rajesh

Bert2005 (Author) commented:
Rajesh,

Thanks. There is just a particular program on our server, and the owner of the company who made it supposedly claims he can access the program through some code which he placed in it so he can shut it down. I guess similar to how Microsoft uses Microsoft Genuine Advantage to access a computer via downloading updates, then matching Product Keys and sending info back to Microsoft.

Bert2005 (Author) commented:
Rajesh,

I realize that the PIX-501 is a good firewall. I guess I'm confused because our network is set up:

Modem -> Cisco PIX -> switch -> private network and server.

I was always under the impression that one had to have a router to connect a network to the Internet. Of course, my home computer uses a Linksys router/firewall, but it can connect directly through the modem, so maybe I am wrong. Maybe as long as I have a switch?
 
rsivanandan commented:
No, your network looks good. PIX can handle only Ethernet connections, and that is why you need the modem to terminate your Internet connection.

Coming back to the problem. So this particular program, what does it access from the Internet? Can you give a brief overview of what it does (specifically, what it does over the Internet)?

I need to know that, the reason being that by default in PIX everything is allowed to go out, but coming in is not allowed. We can see if he is working towards the PIX or towards the program connectivity itself.

Cheers,
Rajesh

lrmoore commented:
>claims he can access the program through some code which he placed in it so he can shut it down.
Is he posing this as a threat for his own job security?
Malicious code can indeed be embedded into programs; just look at Sony and the heat it took for its rootkits. But, typically, the server would have to initiate a connection to him first. Like LogMeIn or WebEx, which let someone take control of your system even through a firewall because they use port 80.
If you do not have any static NAT statements in the PIX and applicable inbound ACLs permitting some traffic, then it is virtually impossible for him to access the system remotely, unless or until some process opens a connection from the server to him. That would be easy enough to shut down by using netstat on the server to see any open connections, note the remote IP address, then shut down any access to that IP in the PIX.

Bert2005 (Author) commented:
Rajesh,

The program does two things over the Internet. One, it checks every so often for updates, which I think can be turned off, but I haven't looked in a while. Also, I send a backup of the data over the Internet to offsite storage.

lrmoore: In the beginning, the author of this EMR was revered since he offered a fairly good EMR for not much money. The EULA was not very threatening. As the user base began to grow, his EULA and his personality have seemed to change. He has threatened two users who he deems "as......... to take away their user licenses. Meanwhile, there was an uproar on the user boards. I was not too worried, because unlike the Microsoft Partner program, where it is understood that it is a lease agreement, we have all paid for our licenses. He has threatened to take away everyone's licenses if they don't automatically choose to upgrade every time there is a new version. Plus, one must purchase support as well.

One of the physicians has been allowed access to the source code, because he writes a lot of updates and patches. He has confided in a few of us that he has found code whose only intent is to stop or damage the program.

I am probably confused, because Microsoft's update process that is downloaded from the Internet does have the Microsoft Genuine Certificate thing which is able to check your Microsoft Key and report back.

Would the netstat only work during a communication from his IP?

lrmoore commented:
>Would the netstat only work during a communication from his IP?
Yes. It must be an active connection at the time you look at it.
nbtstat -b will tell you what application is kicking off the connection.

He could also set a bomb so that if the application can't "phone home" after x number of tries, it will shut itself down. Just like Microsoft if you don't activate your license key within so many days...

I'd be looking for a new application vendor quick... or hire a good lawyer..
Since these are personal medical records, I'm sure HIPAA rules apply, and by virtue of knowingly using what could be deemed malicious software your office could end up in deep hot water.

rsivanandan commented:
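As an added example (not code from anyone in this thread), the following Python script carries out the procedure lrmoore describes in the two comments above: parse `netstat -ano` output from the server, keep only the established connections that belong to one process image, and emit PIX 6.x-style ACL lines that block the server from reaching those peers. The netstat sample, the process names, the addresses and the LAN range are all constructed; the PID-to-image mapping is assumed to have come from `tasklist`.

```python
import ipaddress
import re

# Constructed sample of "netstat -ano" output from the database server (not real data).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1433      192.168.1.21:3567      ESTABLISHED     1528
  TCP    192.168.1.10:2049      203.0.113.45:443       ESTABLISHED     2212
  TCP    192.168.1.10:2050      198.51.100.7:80        ESTABLISHED     2212
  TCP    192.168.1.10:135       0.0.0.0:0              LISTENING       880
  UDP    192.168.1.10:137       *:*                                    4
"""
# Constructed PID -> image-name map, as "tasklist" would report it (hypothetical names).
PID_NAMES = {1528: "sqlservr.exe", 2212: "emrupdate.exe", 880: "svchost.exe", 4: "System"}
# The private network behind the PIX (assumed); anything outside it is an Internet peer.
LAN = ipaddress.ip_network("192.168.1.0/24")
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) for every connection line."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            conns.append((proto, local, foreign, state or "", int(pid)))
    return conns


def remote_peers(conns, pid_names, image, lan=LAN):
    """Off-LAN IPv4 addresses the given process image is connected to right now."""
    peers = set()
    for _proto, _local, foreign, state, pid in conns:
        # netstat shows a socket only while it is open, so the capture has to coincide
        # with the program's activity (e.g. its update check); LISTENING is not a peer.
        if pid_names.get(pid) != image or state != "ESTABLISHED":
            continue
        addr = ipaddress.ip_address(foreign.rsplit(":", 1)[0])
        if addr not in lan:
            peers.add(str(addr))
    return sorted(peers)


def pix_deny_rules(server_ip, peers, acl="outbound"):
    """PIX 6.x-style ACL lines that stop the server from reaching each peer."""
    rules = [f"access-list {acl} deny ip host {server_ip} host {p}" for p in peers]
    rules.append(f"access-list {acl} permit ip any any")  # keep other traffic flowing
    rules.append(f"access-group {acl} in interface inside")
    return rules
```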
I agree. You can choose either path, but I would rather think of going to an alternate vendor instead of a lawyer, just because it gets messy (at least here in India).

In the code if something is there, then there is nothing we can do about it.

Cheers,
Rajesh

Bert2005 (Author) commented:
lrmoore and Rajesh,

I appreciate the help as always. Basically, there are 2000 users in the same boat. We each pay $500 a year for support (which is basically non-existent). Given that his entire staff is probably three people, I have no idea why he would want to give up on $1,000,000 per year, with new offices joining every day, simply to be able to "terminate a few as......." as he says it. He actually came on the boards and said that.

Everyone has years of data in this EMR, and it would be hard to go from an EMR which costs $500 in the beginning to Logicial, let's say, which costs $40,000 startup.

rsivanandan commented:
I understand. At the same time, if the software isn't that large, do you think you could probably have someone do code coverage on it? Basically, the guy hired should be able to go through it and remove the unwanted stuff.

Cheers,
Rajesh

Bert2005 (Author) commented:
One would think.