firewall vs. closing ports


 
Thread Tools Search this Thread
Special Forums Cybersecurity firewall vs. closing ports
# 1  
Old 02-08-2002
firewall vs. closing ports

This may be kind of a stupid question, but here goes:
Say I'm running a FreeBSD webserver (w/apache). I've managed to close ALL open ports (including SSH/telnet and portmapper), excepting '80' that apache is listening on. A netstat -a shows me nothing open.
Discounting DoS/DDoS or holes in apache, is there really a reason to run a firewall on a box like this? If nothing is listening on any ports but 80, what function will a firewall perform (like ipf (pf now I guess))? Some super-sekrit port-opening prevention?
The TCP/IP stack isn't really vulnerable to say, the Ping of Death or something like, and there are no sessions to hijack (w/this particular website), so I'm at a loss as to what a firewall would do. Or am I just beating a dead horse, so to speak?
# 2  
Old 02-08-2002
Well, the best installation would be to have a seperate firewall box upstream from your server (cool graphics to followSmilie

(internet) =====> (firewall) -------> (webserver)

If you don't have ports open, you can't attack them. That's as simple as it is. But it may be good just to keep people from scanning and probing the box.

Also, you can set it up to help protect from becoming the man in the middle of an attack; i.e. Someone magically roots your box through an insecure CGI script, manages to open a remote shell on a high port. Now if you had a firewall, they still couldn't get in to use the shell they uploaded for you. But also, say they begin using your box to jump to others - not good...
# 3  
Old 02-08-2002
If you have one box (a webserver) behind a firewall and you are already managing the webserver well, then a firewall is still necessary to block individual IP addresses that may be attacking open ports.

However, if you can add filtering rules on the webserver using firewall-like filtering software AND you have plenty of CPU and memory to handle the processing load, then a firewall is not necessary.

Having an extra and unnecessary firewall in place that is not well configured or managed is more dangerous than having no firewall when the firewall is just protecting one server.

I tend to disagree with LivinFree and think that firewalls are good, but not necessary 'the best' solution. The best solution depends on your configuration, your time, how much time you want to spend managing servers, etc.

If you have 100 or 1000 servers to manage then a firewall is much more critical than if you have to manage a single web server. And, as stated, if the web server has plenty of horse power, has IP filtering software at the kernel level, and is well managed, a firewall is an extra expense that adds minimal value for a potential large management expense.

Don't be fooled by buzzwords and seduced by technology, good process and well thought out architectures bring more security than adding more gizmos.
# 4  
Old 02-09-2002
This is/was a purely theory-based question. The server farms I manage get both treatments (invidual 'hardening', and a cluster of high performance firewalls) because a) no single solution will ever be totally secure, and b) not all attacks come from filtered IPs. This is common knowledge. I guess what my question should have been is this:
Excluding any form of packet based denial of service (wherein a target's service is denied due to an overwhelming amount of 'bad' traffic), can a unix system be attacked using TCP/IP, if no programs are listening? I guess a case in point would be the old Ping of Death, where nothing had to be listening on the host (besides a conformant TCP stack), but a specially malformed ICMP echo request would crash the system. I may be groping in the dark for something that has no real answer, or no 'easy' answer, but I have just been wondering on what avenues an exposed system is open to attack.
If no daemons or other programs are listening on a given port, does the OS and it's TCP stack just ignore inbound packets destined for that port? Is there a special 'dead packet zone'? I could probably look this up in the source, but I'm not exactly a hotshot C coder (in fact, I might go as far as to say I suck worse than a 1st year CS student Smilie.
# 5  
Old 02-09-2002
Good question.

If I'm not mistaken, unless specifically denied or not configured in the kernel (ICMP) an IP interface properly configured with ifconfig will respond to ICMP ECHO_REQUESTS independent of sockets bound to listening processes.

Having said that, it is not difficult to install kernel level filtering software on most of our favorite UNIX systems to stop this 'normal' behavior. "Deny ICMP filters" are fairly common practice these days.
# 6  
Old 02-09-2002
I see Neo's point here in what 'the best' config would be. I guess I just like seperating each service in it's own area - For example, my ideal config for most (but not all) situations would be to have a seperate fileserver, web server, firewall, etc. That way, you could perform mainenance on your webserver without downing your whole network. But, then again, if the only external contact you've got is the webserver, it wouldn't make any difference - either it's up, or it's down.

I guess the question about attacking a box without any open ports could be a very tricky one. The best thing I can think of is a simple DoS. Packet the heck out of the machine, and if nothing else, it at least absorbs your bandwidth. You really can't do that much about it, except try to block it as far upstream as possible. But an "exploit" should never work against a non-listening port. If no process is spawned upon connection (like in inetd), and no process is already listening, what exactly could you possibly attack?
# 7  
Old 02-10-2002
Thanks...that was exactly what i was looking for Smilie
I figured that if there was no prog attached, or no socket listening, that nothing would be able to happen (excepting Neo's answer). I was just making sure the kernel didn't carry any 'built-in' functionality, as far as answering calls on non-open ports were concerned. And apparently, the answer is, excepting ICMP, no. Thanks Guys!
Login or Register to Ask a Question

Previous Thread | Next Thread

9 More Discussions You Might Find Interesting

1. Post Here to Contact Site Administrators and Moderators

Closing thread

Hi, I guess, users do not have rights to close a thread. Please close thread 'Small automation' as it is resolved. Regards, snjksh (1 Reply)
Discussion started by: snjksh
1 Replies

2. UNIX for Dummies Questions & Answers

I have firewall rules to open ports, why telnet refuses connection?

Alright... this question comes from the fact that I'm trying to setup postfix to relay messages to Office 365 SMTP but its giving me connection refused... I read that if you have doubts if your port is open or not you should telnet to them so thats what I did. This is a Red Hat 6.3 box. My... (4 Replies)
Discussion started by: RedSpyder
4 Replies

3. What is on Your Mind?

AllTheWeb closing

It was officially announced that AllTheWeb is closing. Yahoo! no longer supports the function as per april 2011: AlltheWeb.com Before the world turned to google by default, there used to be a plethora of search engines. Most of them gave a headache with the prolific use of colors and animated gifs... (4 Replies)
Discussion started by: figaro
4 Replies

4. Shell Programming and Scripting

closing unwanted open ports using scripts

i have a text file i.e file1.txt which shows open ports on particular system. i have another text file i.e file2.txt which shows a list of allowed ports on a system. for eg: file2.txt 22/tcp ssh 23/tcp telnet. can i have a script which would compare these text files ,file1 and file2 ... (1 Reply)
Discussion started by: anand121
1 Replies

5. Shell Programming and Scripting

closing windows

Ok i know to open a window from a script (mac); open whatever(name of a directory) but i don't how to close it. please some help. thanks. (0 Replies)
Discussion started by: Tártaro
0 Replies

6. Cybersecurity

Firewall Ports

Could someone please settle an inter-office argument? Will your network traffic be slower through a firewall on any other port other than port 80. In other words, is port 80 faster than any other port you open on the firewall. I say no. Thanks in advance for the help! (2 Replies)
Discussion started by: cocolsmith
2 Replies

7. Post Here to Contact Site Administrators and Moderators

Closing a thread

hi, Just wondering if there could be a way to close threads whose creator has got the desired reply. however if someone still wants to give a remark or suggest further on the thread one can still do so. Besides on the control panel there should be some kind of selection criteria to view... (3 Replies)
Discussion started by: linuxpenguin
3 Replies

8. IP Networking

Closing out ports???

Hi all Is there a command that I can use to close out open ports? I did a netstat - a -p and got a long list of ports open (see sample below). I have disabled the some of the applications from /etc/services/. But there are still applications listening on certain ports. I need to know how to... (6 Replies)
Discussion started by: skotapal
6 Replies

9. Cybersecurity

closing open ports

/* Linux Slackware */ Nmap shows the following ports open on the gateway. 21/tcp ftp 22/tcp ssh 23/tcp telnet 25/tcp smtp 37/tcp time 80/tcp http 113/tcp auth 515/tcp printer 587/tcp submission 1024/tcp kdm 6000/tcp x11 ------------------------------- i would like to close as... (10 Replies)
Discussion started by: LowOrderBit
10 Replies
Login or Register to Ask a Question