Hax and firewalls?

fightingfi (2[H]4U, joined Oct 9, 2008, 3,231 messages)
So when the government or whoever gets hacked by whoever, does that mean the firewall that's supposed to work and block attacks didn't work? Are Windows or any other firewalls really protecting you and me from hacks at all, or is it something deeper that isn't working to protect us?
 
Yeah dude. Why do you think we wear these hats?

 
Oftentimes it isn't the firewall that failed, it is the application that failed. Some firewalls will detect common buffer overrun/overflow attacks, but new ones pop up all the time.

One other thing, sometimes it is a configuration of a firewall that fails. Someone didn't activate, didn't know about, or didn't purchase a feature that would allow an attack to be detected and defeated.
 
Far too often, you will read a follow-up on a breach where one of the correctives listed is "Install configured firewall". And a firewall is mostly useless if not properly configured and the logs monitored.

Second the application problem. The infamous Equifax breach was due to known software issues that weren't patched. When your database server allows web users to do full data dumps, bad juju usually follows.
 
Firewalls typically are not the issue, application security vulnerabilities that can be exploited are.
No code is perfect.
 
Most of the time whatever issue was exploited to give an attacker a beachhead was only exploited because some user clicked some link or opened some files they weren't supposed to. You can have all the security in the world and be undone because one idiot wanted free porn or opened a suspicious e-mail.

So are you not able to exploit a glitch in a firewall?

Anything is possible, but why bother going to that effort when phishing is a lot more effective?
 
So are you not able to exploit a glitch in a firewall?

If there is one, sure. But frankly even a basic stateful firewall (like many routers now are) will make a direct "hack their system" approach very difficult unless there is an application open that has a vulnerability.
Yes, there have been stateful firewalls with exploits in the past, but to the above point unless it is widespread and easily taken advantage of, it is usually more fruitful for hackers to go after known application vulnerabilities or exploit users directly.
 
Haven't seen it mentioned yet, but a firewall isn't necessarily an IDS/IPS (intrusion detection/prevention system). Sure, in some fancier cases it can be, but more often it's a simple traffic filter, and one way at that (internet -> in).

Setting up a full IPS solution, complete with SSL intercept, can be a daunting task, to say nothing of monitoring it. I knew a company that splurged for the works; it was really an impressive setup, then manned it with the boss's useless basement-dwelling son because "he likes to tinker with computers". You should have seen the look on the contractor's face when he was handing over credentials for the thing, I wish I had gotten a picture. You need trained security professionals who have an eye for this kind of thing; they know what they need to keep up on, and what to keep an eye out for. Particularly if you are running services out of your network. Even with all this fancy tech, I'd give it a 50/50 chance if you have a clueless user clicking on shit they should know better than to click on.

To answer the OP's question; tech can only do so much, and people are still stupid.
 

After years of running IPS/IDS at home, and reading Richard Bejtlich's book on security monitoring, I've come to the conclusion it's nearly worthless with the relatively ineffective "community rules" and lack of seriously actively monitoring it with a person full-time and a pen and paper. I never had anything really get "caught" with IPS and free rulesets, though I did see enough false positives to kill a yak and have enough connection headaches to bypass the whole lot of it. I feel like so many people run it at home because it comes with (insert router package here) but it only gives them a very false sense of security. You need professionals and highly tuned, paid for rule sets to really get anything (IMHO).
 
The issue is not the firewall per se. A lot of organizations have servers or services that are accessible through the firewall. And if they don't, during a pentest for example, you try and find another way in, like sending a phishing email with a payload that phones home over SSL. And since 99.9% of places allow SSL outbound through a firewall (that's how you are able to browse the internet), it gives the "hacker" access to the network. And this is only touching on a few methods; there are lots more.
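Added example, not code from anyone in this thread: a toy stateful packet filter that shows both points above in one place, the earlier one that a basic stateful firewall makes a direct "hack their system" approach hard unless a service is exposed, and this one that a phishing payload beaconing out over 443 sails through because outbound is allowed and replies to it are let back in. The LAN prefix, the exposed port, the addresses and the packets are constructed sample data, and the filter tracks flows by address/port tuple rather than real TCP state.

```python
"""Toy stateful packet filter, added here as an illustration (not code from
the thread). It models the default policy of a home router: outbound flows
are allowed and remembered, inbound packets are accepted only when they
answer a remembered flow or hit a port that was deliberately published.
Addresses and packets below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for a new TCP connection attempt


class StatefulFirewall:
    def __init__(self, inside_prefix, exposed_ports=()):
        self.inside_prefix = inside_prefix       # e.g. "10.0.0." for the LAN (assumed)
        self.exposed_ports = set(exposed_ports)  # inbound ports opened on purpose
        self.flows = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def _inside(self, ip):
        return ip.startswith(self.inside_prefix)

    def filter(self, pkt):
        in_to_out = self._inside(pkt.src) and not self._inside(pkt.dst)
        out_to_in = not self._inside(pkt.src) and self._inside(pkt.dst)
        if in_to_out:
            # Outbound is allowed, and the flow is remembered so replies get back in.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        if out_to_in:
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
                return "ALLOW"  # reply to a connection an inside host opened
            if pkt.syn and pkt.dport in self.exposed_ports:
                return "ALLOW"  # a service the owner chose to expose
            return "DROP"       # unsolicited inbound: the typical "direct hack" attempt
        return "ALLOW"  # LAN-to-LAN or WAN-to-WAN traffic is not this filter's job


def demo():
    """Walk through the scenarios from the thread and return each verdict."""
    fw = StatefulFirewall("10.0.0.", exposed_ports={443})  # a web server is published
    attacker, c2, desktop, web = "203.0.113.9", "198.51.100.7", "10.0.0.5", "10.0.0.2"
    return {
        # Port scan against a desktop's SMB port: nobody inside asked for it.
        "scan_smb": fw.filter(Packet(attacker, 40000, desktop, 445, syn=True)),
        # Connection to the published web server: passes, so that app's bugs matter.
        "hit_web": fw.filter(Packet(attacker, 40001, web, 443, syn=True)),
        # A phished user's malware beacons out on 443, indistinguishable from browsing.
        "beacon_out": fw.filter(Packet(desktop, 51000, c2, 443, syn=True)),
        # The C2 server's answer matches the remembered flow and is let in.
        "c2_reply": fw.filter(Packet(c2, 443, desktop, 51000)),
        # The same C2 server trying to connect in on its own is still dropped.
        "c2_push": fw.filter(Packet(c2, 50000, desktop, 51000, syn=True)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:<11} {verdict}")
```

The verdicts make the thread's point concrete: the only two packets that get through from outside are the one aimed at the service that was published on purpose and the one answering a connection the inside host opened itself. The beacon is the second case, which is why a firewall that is "working" still does nothing for a phished user.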
 
I'm thinking about getting a USG or USG Pro. Is the IPS worth it on that one? It's that, or I'm thinking an EdgeRouter 4 for its faster CPU and some AP for WiFi.
 

I don't know what ruleset Ubiquiti uses, so I can't answer that directly but I doubt they use anything other than a community ruleset so I doubt it's really worth it. The other issue with IPS is that it requires performing man-in-the-middle "attacks" on your system. With software like Sophos UTM, this is done with certificates and so forth that have to be installed on each device. Since everything (almost) is encrypted today, IPS can't see any of the actual traffic going through it unless it breaks encryption.

What I have found to be reasonably effective is monitoring traffic stats, and using something like PiHole. DNS blacklisting will prevent a lot of undesired behavior without all the headaches of IPS at home.

Also, most businesses that rely on serious IPS are actually using IDS. IDS is the same thing, but it monitors and does not take any direct action on traffic. This is where professionals come in. They read the data, fine tune the IDS rules for the environment they're in. They detect intrusions as fast as they can, recover/prevent further damage, etc.
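Added example, not code from the post above or from the Pi-hole project: the decision a DNS blacklist makes per query, in Python. The point the post makes is that this works without any man-in-the-middle: the resolver never needs to see inside TLS, it only sees the name being looked up, so a blocklisted domain (an ad host, or a phone-home host) gets a sinkhole answer before any connection is made. The lists, the sinkhole address and the stand-in upstream resolver are constructed sample data; the rule that a list entry also covers every subdomain beneath it, and that an allowlist match beats a block, is an assumption of this example.

```python
"""Pi-hole-style DNS blocklist decision, added as an illustration (not the
thread's or Pi-hole's code). Lists and the stand-in upstream resolver are
constructed sample data. A blocklist entry covers the name itself and every
subdomain under it; an allowlist entry overrides a block the same way."""

SINKHOLE = "0.0.0.0"  # blocked names resolve here instead of to the real host

BLOCKLIST = {"ads.example", "tracker.example.net", "c2.example.org"}
ALLOWLIST = {"cdn.tracker.example.net"}  # a host the owner needs despite the block

# Constructed stand-in for the upstream resolver (RFC 5737 documentation addresses).
UPSTREAM = {
    "www.example.com": "192.0.2.10",
    "cdn.tracker.example.net": "192.0.2.20",
    "ads.example": "192.0.2.30",
    "beacon.c2.example.org": "192.0.2.40",
}


def _suffixes(qname):
    """Yield qname and each parent domain: a.b.c -> a.b.c, b.c, c."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def _listed(qname, entries):
    """True if qname or any parent domain of it is in the list."""
    return any(s in entries for s in _suffixes(qname))


def resolve(qname, blocklist=BLOCKLIST, allowlist=ALLOWLIST, upstream=UPSTREAM):
    """Return (answer, reason) for one query name; None if upstream has no record."""
    if _listed(qname, allowlist):
        return upstream.get(qname), "allowlisted"  # allow wins over block
    if _listed(qname, blocklist):
        return SINKHOLE, "blocked"                 # never asks upstream
    return upstream.get(qname), "forwarded"


if __name__ == "__main__":
    for name in ("www.example.com", "ADS.example.", "beacon.c2.example.org",
                 "cdn.tracker.example.net", "img.tracker.example.net"):
        print(f"{name:<26} {resolve(name)}")
```

Two details matter in practice and are handled above: names arrive in mixed case and sometimes with a trailing dot, so matching is done on a normalised form, and the subdomain walk is what catches "beacon.c2.example.org" when only "c2.example.org" was listed. The limit the post hints at also holds here: a payload that phones home to a bare IP, or to a domain nobody has listed yet, is never seen by this check.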
 


The new systems now are using AI to do both. It's an IDS that sends any potential attack back to the home server for analysis, then changes to IPS mode and blocks the IP once it hits a configured threshold. Signal Science is what we use for our cloud infrastructure, but that's way out of the price range of consumers.
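Added example, not code from the post above and not from any vendor: the detect-then-block behaviour described there, written out in Python over a handful of constructed web-server log lines. It runs as an IDS (alerts are recorded, traffic passes) until one source IP has triggered a configured number of alerts, then everything further from that source is blocked. The log lines, the four toy signatures and the threshold are all made up for the example; a real ruleset is far larger, and the per-source counter is the whole of the "AI" here.

```python
"""Signature IDS that turns into an IPS per source once an alert threshold
is reached, added as an illustration of the behaviour described in the
thread (not code from the thread or from any vendor). Log lines and
signatures are constructed sample data, not a real ruleset."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed web-server log lines: client IP, request line, status.
SAMPLE_LOG = """\
203.0.113.9 "GET /index.html HTTP/1.1" 200
203.0.113.9 "GET /download?file=../../../../etc/passwd HTTP/1.1" 404
203.0.113.9 "GET /login?user=admin'%20OR%20'1'%3D'1 HTTP/1.1" 200
203.0.113.9 "GET /shell?exec=id HTTP/1.1" 404
198.51.100.4 "GET /about.html HTTP/1.1" 200
198.51.100.4 "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200
"""

LOG_RE = re.compile(r'^(\S+) "(?:GET|POST) (\S+) HTTP/\d\.\d" \d+$')

# Toy signatures, run on the URL-decoded request so encoding does not hide them.
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./"),
    "sql_injection": re.compile(r"'\s*(or|and)\s*'", re.IGNORECASE),
    "xss": re.compile(r"<script", re.IGNORECASE),
    "cmd_injection": re.compile(r"[?&](cmd|exec)=", re.IGNORECASE),
}


class ThresholdIPS:
    def __init__(self, threshold):
        self.threshold = threshold
        self.score = defaultdict(int)  # alerts seen per source IP
        self.blocked = set()           # sources switched to blocking mode
        self.alerts = []               # (ip, signature) records, IDS-style

    def process(self, line):
        """Return PASS, ALERT (logged, not stopped) or BLOCK for one log line."""
        m = LOG_RE.match(line)
        if not m:
            return "IGNORE"
        ip, request = m.group(1), unquote(m.group(2))
        if ip in self.blocked:
            return "BLOCK"  # IPS mode: everything from this source is dropped
        hits = [name for name, rx in SIGNATURES.items() if rx.search(request)]
        for name in hits:
            self.alerts.append((ip, name))
            self.score[ip] += 1
        if self.score[ip] >= self.threshold:
            self.blocked.add(ip)  # threshold hit: flip from detect to prevent
            return "BLOCK"
        return "ALERT" if hits else "PASS"


def run(log=SAMPLE_LOG, threshold=2):
    """Feed every line through one engine; return verdicts, blocked IPs, alerts."""
    ips = ThresholdIPS(threshold)
    verdicts = [ips.process(line) for line in log.splitlines()]
    return verdicts, sorted(ips.blocked), ips.alerts


if __name__ == "__main__":
    verdicts, blocked, alerts = run()
    for line, verdict in zip(SAMPLE_LOG.splitlines(), verdicts):
        print(f"{verdict:<6} {line}")
    print("blocked:", blocked)
```

With the threshold at 2 the first scanner gets one logged alert for the traversal attempt, is blocked on its second hit, and its later command-injection probe never reaches the signature check at all; the second client's single XSS probe is only recorded. Set the threshold to 1 and every false positive becomes an outage for that client, which is the tuning problem the earlier post about community rulesets was complaining about.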
 