Solved

How secure is a whitelisting firewall?

Posted on 2011-09-07
Last Modified: 2012-05-12
I have a computer with a very narrow focus of purpose; it's just going to connect to a couple of commercial services via the internet, and they have state-of-the-art firewalls. My browser is never going to be used except for setting up a hardware firewall via LAN. Said hardware firewall is set up to allow traffic [whitelisted] on only the handful of numerical URLs [bypassing the DNSs seems a good thing to do for the sake of "less moving parts" if nothing else] required to access servers at the above-mentioned commercial institutions, and the hardware firewall does Stateful Packet Inspection [URLs cannot be spoofed, right?]. Is it at all possible for entry to be gained to my computer from any computer not at the places allowed by the whitelist?
Question by:FuturesTrader
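To make the question's setup concrete, here is a toy model of an outbound whitelist with stateful tracking. It is an added illustration, not code from the thread or from any firewall vendor; the protected address 192.0.2.10, the two whitelisted endpoints and the packet sequence are all constructed. It shows what SPI plus a whitelist does decide: return traffic of a connection the protected host opened is let back in, while a fresh connection attempt is dropped even when it comes from a whitelisted address.

```python
"""Toy model of a stateful egress whitelist, as an added illustration of the
setup in the question (not code from the thread or from any firewall vendor).

Constructed assumptions: the protected machine is 192.0.2.10, the whitelist
holds two made-up service endpoints, and a packet is a dict of header fields.
A real SPI firewall also tracks sequence numbers and timeouts; this model
tracks only the connection 5-tuple, which is enough to show the policy."""
from dataclasses import dataclass, field

PROTECTED_HOST = "192.0.2.10"                               # constructed local address
WHITELIST = {("203.0.113.5", 443), ("198.51.100.20", 443)}  # constructed (ip, port) pairs


@dataclass
class StatefulWhitelist:
    allowed: set
    # Tracked connections keyed (local_ip, local_port, remote_ip, remote_port).
    table: set = field(default_factory=set)

    def decide(self, pkt):
        """Return 'ALLOW' or 'DROP' for one packet described by a dict."""
        src, sport = pkt["src"], pkt["sport"]
        dst, dport = pkt["dst"], pkt["dport"]
        new_connection = pkt.get("syn", False) and not pkt.get("ack", False)

        if src == PROTECTED_HOST:
            key = (src, sport, dst, dport)
            if key in self.table:                  # packet of an existing flow
                return "ALLOW"
            if new_connection and (dst, dport) in self.allowed:
                self.table.add(key)                # open a tracked flow
                return "ALLOW"
            return "DROP"                          # outbound to a non-whitelisted peer

        if dst == PROTECTED_HOST:
            key = (dst, dport, src, sport)
            # Inbound traffic is accepted only as the reply half of a flow the
            # protected host opened; a fresh SYN is refused even from a
            # whitelisted address, because the whitelist is outbound-only.
            if key in self.table and not new_connection:
                return "ALLOW"
            return "DROP"

        return "DROP"                              # transit traffic is not this box's job


def run_scenario():
    """Feed a constructed packet sequence through the filter; returns the decisions."""
    fw = StatefulWhitelist(set(WHITELIST))
    packets = [
        # 1. local host opens a connection to a whitelisted service
        dict(src=PROTECTED_HOST, sport=50000, dst="203.0.113.5", dport=443, syn=True),
        # 2. the service's SYN/ACK reply
        dict(src="203.0.113.5", sport=443, dst=PROTECTED_HOST, dport=50000, syn=True, ack=True),
        # 3. an unsolicited SYN from the same whitelisted address to a local port
        dict(src="203.0.113.5", sport=443, dst=PROTECTED_HOST, dport=22, syn=True),
        # 4. an unsolicited SYN from an address that is not on the whitelist
        dict(src="198.51.100.99", sport=4444, dst=PROTECTED_HOST, dport=50000, syn=True),
        # 5. local host trying to reach a non-whitelisted peer
        dict(src=PROTECTED_HOST, sport=50001, dst="198.51.100.99", dport=80, syn=True),
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for i, verdict in enumerate(run_scenario(), 1):
        print(f"packet {i}: {verdict}")
```

The model also shows the limit that the answers below turn on: every decision rests on header fields the firewall cannot authenticate, so if an upstream router or DNS operator places a different machine behind a whitelisted address, the filter (like the real appliance) has no way to notice.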
11 Comments
 
LVL 28

Expert Comment

by:jhyiesla
ID: 36498131
Never say never. If you are only concerned about accessing things from your PC, then you might be OK. But if you are concerned about someone getting TO your computer from the outside or even from another device on your LAN, a single point, no matter how good, is probably not good enough.

Security is a multi-layer approach. What tools you use depends on your risk exposure, who has access locally to the device, firewall security, AV security, and perhaps even IDS/IPS systems.

Even at my home I have a couple of layers of protection for my kids PCs.
 

Author Comment

by:FuturesTrader
ID: 36498326
I was only thinking of threats via the internet. Let's say I encrypted the drive with the intellectual property that I want to defend and even added a hidden encrypted volume so that security can't be breached by theft of the computer itself or theft of a password or two... nobody is sneaking in and connecting to my LAN after they give me knock-out drops, etc...

I'll admit it, I'm sort of asking somebody to prove that something is impossible; in philosophical circles that is not a valid thing to do. Up until recently I had concluded that if SPI and whitelisting were in place, nobody not in the whitelist could access my computer. How could they if they can't spoof a URL in the whitelist and can't get past the whitelist?

Assuming that the hardware firewall can't be gamed somehow, doesn't SPI and whitelisting pretty muchly ensure that the internet cannot be an avenue for intrusion?
 
LVL 32

Accepted Solution

by: aleghart (earned 500 total points)
ID: 36498562
Using an IP address can be hijacked by a router.  Make sure you have no routers outside of your control between you and the "internet".  A router controlled by your ISP for access...you have to trust somebody at some point.

Using URLs...they can be redirected with a proxy or by DNS.  Verizon and some other ISPs do this for advertising purposes.  If a URL comes back with no matching IP address, they will redirect you to their own search server's web page.  It's incredibly easy for the DNS server operator to change things.  So, you need to make sure your DNS service is stable and relatively secure from tampering.  If you use an ISP's DNS server...they are generally not out to steal your stuff.

Since you will not be running a root DNS server in your home or office, you do need to trust upstream servers at some point for domain name resolution.
 

Author Comment

by:FuturesTrader
ID: 36498878
I use the numerical IP addresses to bypass the DNS servers; I guess there really isn't anything stopping somebody with control of a server somewhere from redirecting my traffic, though...

Are there commercially available direct routes to the root servers?

I can use HTTPS connections with at least one of the services I want to connect to; might that make a difference to somebody trying to redirect traffic?
 
LVL 32

Expert Comment

by:aleghart
ID: 36499105
>Are there commercially available direct routes to the root servers?

Use a known DNS server like 4.2.2.1, an old GTE server which is faster than Verizon's servers they offer to home/business customers.  Root DNS servers are the standard...primary DNS servers go to them for reference.  Not end users.  There are only 13 root name servers spread around the world.

> can use https connections

That's good for a couple of reasons.  If it's a commercially-obtained cert, there is _some_ level of authentication, and an exchange of money, in order to get the cert.  Certs can be forged or self-issued, so it's not a 100% solution.  Of more benefit is that the traffic is encrypted, and less visible to others on your network or in a position between you and the end node.  HTTPS generally jumps around HTTP proxies and some content filtering.

A VPN would be good if you were dealing with a single node or network on the other end.  But, commercial DNS service (not home-grown) with HTTPS are "normal" ways to stay secure.  I wouldn't exchange financial transactions or state secrets with it...but then again, I have neither secrets nor money.
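The caveat above (certs can be forged or self-issued) is exactly what certificate validation is for, and it matters more when the whitelist is built from raw IP addresses: the client must still verify the certificate against the service's DNS name, not the address. The following is an added example in Python, not code from the thread; the broker.example / 203.0.113.5 pair is constructed, and the permissive context is included only to show the setting that would make a forged certificate pass.

```python
"""Added example, not from the thread: open a TLS session to a pinned IP
address while still verifying the certificate against the service's DNS name.
The hostname/address pair used in the demo is constructed."""
import socket
import ssl


def make_verifying_context():
    """Client context that requires a trusted chain and a name match."""
    ctx = ssl.create_default_context()          # trusts the system CA store
    ctx.check_hostname = True                   # cert SAN must match server_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_permissive_context():
    """The setting to avoid: accepts any certificate, so a self-signed or
    forged cert presented by whoever sits at the address passes silently."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                  # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_policy(ctx):
    """Summarise the verification settings of a context as plain values."""
    return {
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
        "minimum_version": ctx.minimum_version.name,
    }


def connect_pinned(ip, hostname, port=443, timeout=5.0):
    """Connect to `ip` (bypassing DNS) but validate the certificate for
    `hostname`.  Raises ssl.SSLCertVerificationError when the presented
    certificate is untrusted or does not name `hostname`; returns the
    certificate's subjectAltName entries on success."""
    ctx = make_verifying_context()
    raw = socket.create_connection((ip, port), timeout=timeout)
    # server_hostname is sent as SNI and is what check_hostname compares against;
    # passing the IP here instead would fail unless the cert itself lists that IP.
    with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
        return tls.getpeercert().get("subjectAltName", ())


if __name__ == "__main__":
    # Constructed pair; substitute a real pinned address and its service name.
    try:
        print(connect_pinned("203.0.113.5", "broker.example"))
    except (OSError, ssl.SSLError) as exc:
        print("connection failed or certificate rejected:", exc)
```

With the verifying context, a redirected connection that lands on a machine presenting a certificate the system CA store does not trust, or one issued for a different name, is refused before any request is sent; with the permissive context it would be accepted, which is the "not a 100% solution" failure mode the comment refers to.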

Author Comment

by:FuturesTrader
ID: 36499225
VPN would, indeed, be great, but I think that would require some work on the part of the services I'm connecting to that they don't want to do..

If I'm specifying URLs in their numerical formats, do my packets even go to a DNS server?

 
LVL 32

Expert Comment

by:aleghart
ID: 36499268
Using an IP address does bypass DNS lookup.  It's not as convenient, since one host may be serving up many domains on a single address.  Likewise, a single gateway could be serving up many hosts on one IP address.  If you have enough IP addresses, that would do the trick.

But, since it is now "hard-coded", moving the server to another IP address (changing service provider, etc.) cannot be fixed in DNS updates.  You have to change the shortcuts on every machine that accesses the service.
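Both concerns raised by aleghart, a DNS operator quietly redirecting a name (the accepted answer) and a hard-coded address going stale when the provider moves the service (the comment just above), can be caught by the same check: periodically resolve each whitelisted name and compare the answers with the pinned addresses. The script below is an added example, not from the thread; the names, pinned addresses and the stand-in resolver results are constructed, and the `resolver` argument exists only so the check can be exercised offline.

```python
"""Check that the names behind a pinned-IP whitelist still resolve to the
pinned addresses.  Added example, not from the thread; the names, addresses
and resolver results below are constructed."""
import socket

# Constructed pin list: service name -> addresses the whitelist was built from.
PINS = {
    "broker.example": {"203.0.113.5"},
    "data.example": {"198.51.100.20", "198.51.100.21"},
}


def resolve_all(name, resolver=None):
    """Return the set of IPv4 addresses `name` currently resolves to.
    `resolver` (hypothetical hook) lets a caller substitute the system lookup."""
    if resolver is not None:
        return set(resolver(name))
    infos = socket.getaddrinfo(name, None, family=socket.AF_INET)
    return {info[4][0] for info in infos}


def check_pins(pins, resolver=None):
    """Compare live resolution against the pins.

    Returns {name: (status, live_addresses)} where status is
      'ok'       every live address is in the pin set,
      'unpinned' resolution returned an address that was never pinned
                 (a moved service, or a tampered DNS answer),
      'error'    the lookup itself failed."""
    report = {}
    for name, pinned in pins.items():
        try:
            live = resolve_all(name, resolver)
        except OSError:                     # socket.gaierror is a subclass
            report[name] = ("error", set())
            continue
        status = "ok" if live and live <= pinned else "unpinned"
        report[name] = (status, live)
    return report


# Constructed stand-in for a DNS server whose answer for one name has changed.
def changed_resolver(name):
    table = {
        "broker.example": ["203.0.113.5"],
        "data.example": ["198.51.100.20", "192.0.2.250"],   # second answer not pinned
    }
    return table[name]


def failing_resolver(name):
    """Constructed stand-in for a lookup that cannot be completed."""
    raise OSError(f"lookup failed for {name}")


if __name__ == "__main__":
    for name, (status, live) in check_pins(PINS, changed_resolver).items():
        print(f"{name}: {status} {sorted(live)}")
```

Run without the `resolver` argument it queries whatever DNS server the machine is configured to use, so an 'unpinned' result means either the provider moved (update the whitelist) or the resolver you trust is answering differently from when the pins were taken (investigate before connecting).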
 

Author Comment

by:FuturesTrader
ID: 36499696
Hard coding is barely an inconvenience; I just have one computer behind a hardware firewall.. I guess I should have a T3 line from Sprint or something like that. That would eliminate some of the middlemen and reduce the number of moving parts...

Let's say I negotiate with the companies that are in my whitelist and we establish a VPN connection. Does that make it [very nearly] impossible for somebody in the middle to pull off some fakery?
 

Author Comment

by:FuturesTrader
ID: 36499744
Gadz... I just found this YouTube video, somebody hacks a VPN connection... I hope VPNs aren't typically that easy...  http://www.youtube.com/watch?v=BcPPyW3TwGg
 
LVL 32

Expert Comment

by:aleghart
ID: 36499854
ASLEAP was released around 2003?  Well-published vulnerability in Microsoft PPTP, the technique in the video was published in around 2004.  Read more here.

Yes, if you are using Microsoft MSCHAP (v2 was introduced with Windows NT 4 SP4, and as an "upgrade" to Win98) to obscure your passwords...it would be that easy.

Capture the packets, find the password hash.  Regenerate the password from known patterns...faster than true brute-force where every single combination/permutation is attempted.

PPTP (point-to-point tunneling protocol) with MSCHAP shouldn't be used when you can use a vendor-specific client that matches with their firewall (SonicWall uses AES & 3DES), or another form of IPSEC/L2TP or OpenVPN.

I have an L2TP tunnel running on my phone, so it can't require too much horsepower.

But, when you have multiple tunnels running, you are doing a lot of encryption/decryption.  A firewall appliance could get overloaded at, say, 5 tunnels running simultaneously.  A beefier appliance, or running the tunnel on the workstation, might help.
 
LVL 32

Expert Comment

by:aleghart
ID: 36499893
Put it this way...Amazon sold $9.9 billion just last quarter.  They use HTTPS to secure the individual transactions.  Nobody has VPN to them to buy stuff.  But, I'm pretty sure that no admins are logging in to the e-commerce or corporate servers over a web connection.  There are different levels of access and security that you'd have to judge.

HTTPS is good enough to secure web config for people's DNS setup...the easiest way to "hijack" a domain is by changing the DNS record.

In that same vein, I can buy stocks with an online brokerage with an HTTPS web page.  I hope that large transactions from brokerage houses use a more private link.  (I don't know...I'm assuming.)