I am playing around with my home LAN, and installed a Linux PC to act as a firewall.
Now I am getting interested in firewall security issues in general, and start to wonder how safe a network that has ports open to the Internet really is.
I was planning to install Skype at home, and read this web page:
Quote:
Ideally, outgoing TCP connections to all ports (1..65535) should be opened.
Wow, what kind of a stupid firewall is that? Opening all ports to any host, even if "only" from the LAN side?
Now having any port open from LAN to Internet seems to me a security risk. Any virus or other user-installed "bad program" could then send data to any host on the net if it finds the open port?
But one cannot restrict hosts for HTTP; that would be impossible.
Ok, so what if I open port 80 on the firewall from LAN to Internet?
Now any program can use that port. Not only my web browser. A virus could "call home" and upload my C: drive or whatever it wants to do...
So my next thought is to use a proxy server, right?
We have a proxy server at work; that has to be the right way to get foolproof security, right?
So I installed a proxy server, and only allow the proxy server IP to contact the outside world.
My workstation has no direct access to the Internet from any port.
Then I install Skype and BANG, it authenticates me and is up and running. What?!?
I double-check my firewall settings; nope, no holes there.
Then I get it: the proxy server. Skype has detected the IP of my proxy server and is using that!
Ok, so I stop the proxy server, and confirm that Skype is now unable to connect.
So software, Skype or a virus, can be programmed to detect my proxy server and use that for 2-way communication from my LAN to the Internet. That's no good?
Now I'm really confused, so I installed Skype at work to test if it will connect there, and yes, it did.
The person who is in charge of the proxy server at work told me that he has turned off proxy authentication because of strange problems, and that is why Skype now can use the proxy server.
So I asked him to turn on authentication for my IP and he did.
Yes! Skype was unable to connect to the Internet.
Only IE should be able to use the proxy without me (the user) knowing it is accessing the Internet, right?
Wrong again. Doh.
I installed Firefox and it was also able to authenticate to the proxy without prompting me for a password! And so did MSN Messenger...
If Firefox can do that, then I suppose any program could be programmed to authenticate transparently also!
The only way to control what program uses the Internet, that I can think of, is to have a personal firewall on all PCs on the LAN that can allow only certain exe files to access certain ports?
That should prohibit a virus from using the proxy / 80 port.
But that would not help if a user would disable the local firewall and install their own P2P-type programs, or even bring their personal laptop to work.
So my question is:
"Is there really no secure way to enable www (http, https) for users behind a firewall ?"
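One thing the post shows is that once a program has found the proxy and authenticates through it transparently, the proxy's own access log is the one place where that traffic still shows up. The script below is an added example and not part of the original post; it assumes a constructed Apache combined-style proxy log with a trailing user-agent field (adjust the regex for your proxy's format) and flags requests a web browser would not normally make.

```python
import re

# Constructed sample proxy log (assumed combined-style format, user-agent last).
SAMPLE_LOG = """\
192.168.1.10 - alice [10/Oct/2005:13:55:36 +0000] "GET http://www.example.com/ HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (Windows NT 5.1; rv:1.8) Gecko/20051010 Firefox/1.5"
192.168.1.10 - alice [10/Oct/2005:13:56:01 +0000] "CONNECT 203.0.113.7:12350 HTTP/1.0" 200 512 "-" "-"
192.168.1.12 - bob [10/Oct/2005:13:57:10 +0000] "CONNECT login.example.com:443 HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.168.1.12 - bob [10/Oct/2005:13:58:22 +0000] "POST http://203.0.113.9/upload HTTP/1.1" 200 8388608 "-" "-"
"""

# client - user [timestamp] "METHOD target PROTO" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d+) (?P<size>\d+) '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)
BROWSER_RE = re.compile(r'^Mozilla/')   # crude: mainstream browsers send a Mozilla/ UA
IP_HOST_RE = re.compile(r'^(?:https?://)?\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/|$)')


def suspicious_proxy_requests(log_text):
    """Return (client, user, target, reason) tuples for requests that look
    like something other than a browser using the proxy."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # unparsable line: skip (or count it)
        method, target, agent = m['method'], m['target'], m['agent']
        reasons = []
        if method == 'CONNECT' and not target.endswith(':443'):
            reasons.append('CONNECT tunnel to a non-443 port')
        if not BROWSER_RE.match(agent):
            reasons.append('empty or non-browser user-agent')
        if IP_HOST_RE.match(target):
            reasons.append('bare IP address instead of a hostname')
        for reason in reasons:
            findings.append((m['client'], m['user'], target, reason))
    return findings


if __name__ == '__main__':
    for client, user, target, reason in suspicious_proxy_requests(SAMPLE_LOG):
        print(f'{client} ({user}) -> {target}: {reason}')
```

The user-agent test is only a heuristic, since a program can send whatever user-agent string it likes; the CONNECT-port and bare-IP checks are the more reliable signals, and all three are better treated as prompts for a closer look than as a block list.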