musings

by Rik Farrow

Rik Farrow provides UNIX and Internet security consulting and training. He is the author of UNIX System Security and System Administrator's Guide to System V.

Dare we celebrate? I think not. Just because Microsoft has lost its browser monopoly case doesn't mean that anything will change soon. Microsoft employs many of the most brilliant programmers and marketeers this world has, and some of the things they do are really amazing. Yet Microsoft will continue to wield its 800-pound gorilla image, seeking to impose its will "in the good of the people," at least until the appeals process winds down years from now.

I did buy a Sony VAIO 505VE, a tiny subnotebook that I had seen in the hands of a Japanese man at a USENIX conference years ago (it seems). I immediately set about installing a version of Linux (Red Hat 6.1), because I wanted the notebook for several purposes that were not aligned with the version of BSD I run at home: running hacker's tools for demonstration purposes, and running VMware. The installation went smoothly, once I found the right information at a Web site (<http://www.cs.utexas.edu/users/kharker/linux-laptop/>). For example, you must add flags to the boot line or the CD-ROM will not be recognized by the Linux kernel. Getting the X server running was trivial.

But getting the internal modem working was extremely frustrating, because it turned out to be impossible. The internal modem, exposed via a little flap in the back left corner of the subnotebook, was supposed to be a V.90 modem supporting 56k. It turned out to be a winmodem, essentially a modem implemented partially in software, which will not run under a real operating system (at least, not yet). I even reinstalled Windows 98 just to test it and see whether I had a hardware problem. Worked fine under Win98, although I had to brandish a big stick several times as Win98 and the Sony stuff kept trying to sign me up for several Internet services.
Linux software, such as wvdialconf, could see that there was a UART installed but could not talk to it. The same held true for a modem card I stuck in the single PC Card slot. I had checked for interrupt conflicts under /proc and didn't see any. Finally, I checked again at the linux-laptop site and there were several new pages posted about the 505VE. There I learned that it had a winmodem and that I needed to add a line to the

Once I had given up on using the internal modem, I got a 3COM combo card, 56k modem, and 10/100 MHz LAN (3CCFEM556B). Worked great under Linux, but required me to install software under Win98. That is when the Win98 partition died. It is really amazing to me that installing something (using the standard Install Wizard) would result in Win98 losing critical files, which would in turn require reinstallation. Installing Win98 from the recovery CDs also trashed the Linux partition, and at that point I punted on Windows.

VMware has been working great. I have not yet installed the 2.0 version, but have been running NT4/SP4 so that I can run PowerPoint. Not that I ever wanted to run PowerPoint, mind you. I bought Office 97 so that I could see if the way I configured NT (ACLs and such) would prevent Office from working for non-administrators. I was also curious about Word macros and about the ability of Internet Explorer to execute various malware on a system. The nice thing about VMware is that you can save an entire copy of an NT installation, so if you trash it through testing malware, you can simply run a copy created before the test. Much easier than trying to reinstall.

One thing I did notice about running VMware and IE: I cannot access Microsoft's Web sites. I have no problem with other Web sites, but get only blank pages from Microsoft. (Navigator under BSD or Linux does not have this problem.) Perhaps Microsoft does not like VMware? How do they know I am running VMware?

Also, thanks to Jill Sole of the NSA for hand-entering all 320 pages of my Intrusion Techniques and Countermeasures course. The NSA wanted to use the course internally, and that required that it be a PowerPoint presentation. My first experience with running PowerPoint was a prophetic one: it turned out that about 20% of the slides I had edited were blank! This has happened on random occasions since, but I learned my lesson long ago.
I just started treating PowerPoint the way I treated WordStar under CP/M back in 1980: you make a backup copy every ten minutes or so. In my case, that meant saving the file and sending a copy via ftp to a UNIX system (keeping redundant backups there, of course). Just amazing how far software has come in 20 years!

Worthless Firewalls

Having spent years promoting the benefits of firewalls, I have my own systems sitting behind a firewall. Mostly, the firewall does a good job (it is nonintrusive; it deletes dangerous content, that is, attachments for Microsoft products, automatically; and it works much faster than the max throughput over my WAN link). Occasionally it does get in the way, for example when I go to TCP fingerprint someone with nmap (<http://www.insecure.org/nmap/index.html>). I have to remember to stick a machine outside of the firewall before doing that, or I wind up scanning the inside of the firewall.

On the topic of firewalls: there has been a trend toward what I call the "checkbox firewall." The checkbox firewall is the one where the auditors check to see whether there is a firewall, and then check the appropriate box on the audit sheet. In one case, the firewall was actually still sitting in its original package (have a firewall, check!). In another, the firewall was configured to permit any source, any destination, and any service without logging. Worked fine, although it did tend to slow down the Internet link a little. As a security device it was totally without merit.

One of the leading firewall vendors, CheckPoint, has shipped a firewall for many years that can be configured into something reasonably secure. But the design of the user interface, and the defaults, encourage configuring the firewall insecurely. If FireWall-1 were a child's toy, it would be recalled as too dangerous. It epitomizes what I consider evil as far as design goes. Here's why. To start out with, the design focuses on speed and flexibility.
Neither of these features has anything to do with security. The defaults make the product easier to install, while leaving gaping holes in security. For example, you can scan through FireWall-1 (and many other firewalls) by using TCP packets with the ACK bit set. Tools like nmap make this easy to do. CheckPoint might argue that the firewall is doing NAT (Network Address Translation), making internal addresses not routable, but would this be true from the local ISP? FireWall-1 also leaves ports 53 TCP and UDP unprotected by default. At least later versions include a prepackaged definition for controlling DNS over each transport protocol. Too bad they don't filter out ICMP packets either.

But the real coup de grâce has to do with the interface itself. It allows the naive user to permit any of over 100 network services, most of which should never be permitted through a firewall. Now, none of us would be so unwise as to do that, right? Or only do it when the firewall is being used internally to partition networks. But what about most of the people who buy firewalls? What I have found is that if the firewall supports a network protocol, the customer assumes that it must be safe. In other words, the user interface misleads people into thinking that it is safe to permit NFS or SMB through the firewall (or even TFTP and SNMP), when, in truth, these protocols should be run in protected subnets.

When the market leader sets the stage, market followers generally converge on similar designs. This has meant that stateful packet filtering has become the standard for firewalls, even when it is not appropriate. An interesting hack was published in late February whereby you could open holes in SPF firewalls if you had access to an ftp server protected by that firewall. In the example exploit, an unpatched Solaris system running an ftp server was hacked through FireWall-1 running on a Nokia router.
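
Both weaknesses raised in this section, ACK-bit probes that pass as "established" traffic and the ftp hole (whose mechanics the column describes next), come down to how much state the firewall really keeps. The following Python is an added example, not code from the column or from any firewall product. It pairs a toy connection table that drops a lone ACK to a connection it never saw opened with two ftp helpers: a per-packet one that opens a data port whenever a packet happens to begin with "227", and a strict one that first reassembles the control channel into complete reply lines and checks that the address in the reply is the server's own. All addresses, ports and ftp reply text are constructed for the demonstration.

```python
"""Added example: toy stateful filter with an ftp PASV helper (constructed data)."""
import re
from dataclasses import dataclass, field

SERVER_IP = "10.0.0.5"      # constructed: ftp server inside the firewall
CLIENT_IP = "192.0.2.77"    # constructed: client (or attacker) outside


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = "A"        # TCP flags as letters: S = SYN, A = ACK


@dataclass
class StateTable:
    """Connections the firewall has actually watched being opened."""
    established: set = field(default_factory=set)   # inbound 4-tuples accepted so far
    pinholes: set = field(default_factory=set)      # (client, server, port) ftp data channels
    services: set = field(default_factory=lambda: {(SERVER_IP, 21)})  # published services

    def inbound(self, p: Packet) -> bool:
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.established:                 # continuation of a tracked connection
            return True
        if "S" in p.flags and "A" not in p.flags:   # a real connection attempt
            if (p.dst, p.dport) in self.services or (p.src, p.dst, p.dport) in self.pinholes:
                self.established.add(key)
                return True
        # Anything else, including a lone ACK to a 4-tuple never seen, is dropped.  A filter
        # that treats the ACK bit alone as proof of an established connection passes such
        # probes, and the inside host's RST or ICMP answers then map the network.
        return False


# 227 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; data port = p1*256 + p2.
PASV_RE = re.compile(rb"227 [^\r\n]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def naive_pasv(chunks, table):
    """Per-packet inspection: any packet that happens to begin with a 227 reply opens
    a data port.  This is the behaviour the ftp hole relies on."""
    for chunk in chunks:
        m = PASV_RE.match(chunk)
        if m:
            table.pinholes.add((CLIENT_IP, SERVER_IP, int(m[5]) * 256 + int(m[6])))


class StrictPasv:
    """Reassemble the server's control channel into complete CRLF-terminated reply
    lines and act only on a 227 that starts a line and names the server's own address."""

    def __init__(self, table):
        self.table, self.buf, self.rejected = table, b"", []

    def feed(self, chunk):
        self.buf += chunk
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            m = PASV_RE.match(line)
            if not m:
                continue
            host = ".".join(m[i].decode() for i in range(1, 5))
            port = int(m[5]) * 256 + int(m[6])
            if host != SERVER_IP:
                self.rejected.append((line, "address is not the ftp server"))
            elif port < 1024:
                self.rejected.append((line, "privileged port"))
            else:
                self.table.pinholes.add((CLIENT_IP, SERVER_IP, port))


# Constructed server->client traffic.  With a small MTU the echo of a long bogus command
# inside a 500 reply is split so that the second packet begins with the "227" the client typed.
SMUGGLED = [b"500 '" + b"A" * 60,
            b"227 Entering Passive Mode (10,0,0,5,39,16)': command not understood\r\n"]
# A genuine 227 reply that straddles two packets.
GENUINE_SPLIT = [b"227 Entering Pass", b"ive Mode (10,0,0,5,156,32)\r\n"]
# A 227 naming a different inside host on a privileged port.
OTHER_HOST = [b"227 Entering Passive Mode (10,0,0,9,0,111)\r\n"]


def compare(chunks):
    """Return (ports opened by the naive helper, ports opened by the strict helper)."""
    naive, strict = StateTable(), StateTable()
    naive_pasv(chunks, naive)
    alg = StrictPasv(strict)
    for c in chunks:
        alg.feed(c)
    return sorted(p for _, _, p in naive.pinholes), sorted(p for _, _, p in strict.pinholes)


def ack_probe():
    """A lone ACK at an untracked inside port is dropped; a SYN to the published ftp port passes."""
    table = StateTable()
    return (table.inbound(Packet(CLIENT_IP, 40000, "10.0.0.9", 139, flags="A")),
            table.inbound(Packet(CLIENT_IP, 40001, SERVER_IP, 21, flags="S")))
```

Running `compare(SMUGGLED)` shows the per-packet helper opening a hole that the line-reassembling helper refuses, while `compare(GENUINE_SPLIT)` shows the opposite: the per-packet helper misses a legitimate reply split across packets and breaks the transfer. Inspecting packets one at a time is therefore both the insecure and the fragile choice; a helper that claims to track ftp state has to hold the stream until the reply line is complete.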
By setting the MTU to 100, connecting to the ftp server, then sending a long string that included "227" at the packet boundary, you could trick the firewall into opening the port occupied by the ttdbserver and use an exploit to copy a shell in place of the ftpd. The "227" is the response sent by an ftp server to indicate that it is ready to receive a passive data connection, something that the firewall must respond to. Application gateways do a much better job at keeping track of state, regardless of the fact that the word "state" appears in SPF.

The Future

Alas, when I look into my crystal ball, the future I see is dark indeed. When firewall vendors, operating-system vendors, and networking vendors all appear bent on assuming that security is not an issue (ease of use and performance are what count), then we are in trouble. It is not the case that doing security correctly is easy. Rather, security must be done right from the beginning, if the infrastructure we are building is meant to be robust. And TCP/IP, and most of our modern operating systems, were not written with security in mind. Somehow, security must become as important as performance, or we will continually be spending our time cleaning up after intrusions, or just never keep any data that must be kept confidential online. So long, e-commerce!

Years ago, the security product manager at Sun told me that the reason Sun did not deliver its product with secure defaults (remember the plus sign in /etc/hosts.equiv?) was that customers did not include requirements for security when making purchases. In fact, making a system more secure generally makes it more difficult to use. Just plug the system into the network, give it an IP address, and it immediately becomes exploitable. How useful.

I still am foolish enough to get up in front of crowds of people and suggest that diskless workstations running some simple operating system (Java stations?) replace diskful desktops running Windows.
Supporting Windows desktops is insecure, hard to maintain, and costly. Some people I mention this to immediately say, "Yes, going back to mainframes makes sense." No! Going back does not make sense. But replacing stupid desktops with simpler ones does make a lot of sense. People can play games at home, on their own PCs, and pay beaucoup bucks to the local Windows expert who knows how to replace the missing DLL that prevents their system from booting. If anyone wants me to join a board of directors or tech advisory board on diskless workstations, let me know. I still believe this is the wave of the future, and I want to be on the crest before the wave passes.
Last changed: 20 Nov. 2000