Educause Security Discussion mailing list archives
When is a firewall not a firewall?
From: Gary Dobbins <dobbins () ND EDU>
Date: Fri, 5 Sep 2003 13:28:27 -0500
Wondering if anyone out there has seen this characteristic of XP's built-in 'firewall', and/or if it's widely known:

Some folks have asked recently how it's seemed possible for someone's XP machine to have contracted one of the recent RPC/DCOM worms even though they had the XP firewall enabled. Maybe they hadn't had a chance to install the patch yet, but knew the firewall would hold off the probes by worms seeking victims. They were right, except... just don't reboot.

During the period of time during Windows startup, between the IP stack coming up and the firewall service starting, Windows is fully exposed to the net. On one test I just ran, XP dutifully responded to probes for at least 10 seconds, while it was busy preparing the "welcome screen" for login. Same syndrome seen using Kerio v2 and McAfee v8.

The XP firewall operates as a "service", which means it can start running even after other parts of the system have become ready (like the DCOM server processes). Messing with inter-service dependencies is tempting, but may bear no fruit, as the XPFW may not hook network drivers low enough to hold them off during startup, and/or it may depend on other services, creating a Catch-22 sort of problem.

Needless to say, we'll be looking at other firewall products to see if any are constructed in a way that lets them "fail closed", where they intercept the network at a low enough layer to deny everything until they're ready to permit, versus the other way 'round.

--
------------------------------------------------------------
Gary Dobbins, CISSP -- dobbins () nd edu
Director, Information Security
University of Notre Dame, Office of Information Technologies
Voice: 574.631.5554
------------------------------------------------------------

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
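The test the post describes (probing a host through a reboot and timing how long the RPC port answers before the firewall service comes up) can be reproduced from another machine on the same LAN. The script below is an added example written for this archive page; it is not code from the original post or from any of the products named. It assumes the target's address is passed on the command line, that TCP/135 is the port of interest (the RPC endpoint mapper the RPC/DCOM worms went after), and a 250 ms probe interval; `probe_tcp`, `exposure_windows`, `longest_exposure` and `watch` are names chosen here. The sample probe log at the bottom is constructed to resemble the boot sequence in the post (host unreachable, then answering for a little over ten seconds, then filtered once the firewall service starts) so the window calculation can be exercised without a live target.

```python
"""Time the boot-time exposure window of a host whose firewall runs as a late-starting service.

Run this from a second machine, start it, then reboot the target: every probe that
completes a TCP handshake on the chosen port is a moment when the host was answering
without the firewall in front of it. A fail-closed firewall would yield no window at all.
"""
import socket
import sys
import time
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Probe:
    t: float      # seconds since the watch started
    open: bool    # True if the TCP handshake on the probed port completed


def probe_tcp(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a full TCP handshake to host:port completes within the timeout.

    A filtering firewall (packets silently dropped) produces a timeout; a host with no
    IP stack up yet produces a timeout or an ICMP error. Both are reported as 'closed'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposure_windows(probes: Sequence[Probe]) -> List[Tuple[float, float]]:
    """Collapse a time-ordered probe log into (first_open, last_open) spans.

    Each span is the observed interval during which the port answered. The true
    exposure is at least that long, plus at most one probe interval on either side.
    """
    windows: List[Tuple[float, float]] = []
    start = last_open = None
    for p in probes:
        if p.open:
            if start is None:
                start = p.t
            last_open = p.t
        elif start is not None:
            windows.append((start, last_open))
            start = last_open = None
    if start is not None:            # port still answering when the log ended
        windows.append((start, last_open))
    return windows


def longest_exposure(probes: Sequence[Probe]) -> float:
    """Length in seconds of the longest observed open window (0.0 if the port never answered)."""
    return max((end - start for start, end in exposure_windows(probes)), default=0.0)


def watch(host: str, port: int = 135, duration: float = 180.0, interval: float = 0.25) -> List[Probe]:
    """Probe host:port every `interval` seconds for `duration` seconds and return the raw log."""
    t0 = time.monotonic()
    log: List[Probe] = []
    while (elapsed := time.monotonic() - t0) < duration:
        log.append(Probe(round(elapsed, 3), probe_tcp(host, port)))
        time.sleep(interval)
    return log


# Constructed sample log (not a real capture): host down or filtered for 40 s, answers on
# the port from t=40.0 s to t=50.5 s while the welcome screen is being prepared, then the
# firewall service starts and the port is filtered again.
SAMPLE_PROBES: List[Probe] = (
    [Probe(float(t), False) for t in range(0, 40)]
    + [Probe(40.0 + 0.5 * i, True) for i in range(22)]
    + [Probe(51.0 + 0.5 * i, False) for i in range(10)]
)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        # No target given: show the analysis on the constructed sample.
        log = SAMPLE_PROBES
    else:
        log = watch(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 135)
    for start, end in exposure_windows(log):
        print(f"port answered from t={start:.2f}s to t={end:.2f}s ({end - start:.2f}s observed)")
    print(f"longest exposure window: {longest_exposure(log):.2f}s")
```

Run it against the sample with no arguments, or as `python watch_boot_window.py <target-ip> 135` and reboot the target while it runs. An empty result means either the firewall held the port closed throughout boot or the host never came back within `duration`; compare against a run with the firewall disabled to tell the two apart.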
Current thread:
- When is a firewall not a firewall? Gary Dobbins (Sep 05)
- <Possible follow-ups>
- Re: When is a firewall not a firewall? Hahn, Jacob (Sep 05)
- Re: When is a firewall not a firewall? Jere Retzer (Sep 05)
- Re: When is a firewall not a firewall? Matthew Keller (Sep 05)
- Re: When is a firewall not a firewall? Gary Flynn (Sep 05)
- Re: When is a firewall not a firewall? Omar Herrera (Sep 05)