Security

Masa's Journal: SW Firewall Saga Continues...

I spent last night playing with Symantec Client Firewall version 7.1.2.1021 including our corporate SCS2 Baserule set 9 (so it seems to be a creation of our brilliant IT department).

First of all, even though I cranked the Symantec Firewall security level up to High, I was still able to access TCP ports greater than 1024. This means that, for example, the MS SQL Server (1433/tcp) is wide open. And of course an unpatched MS SQL Server has some known vulnerabilities.

Also, I was able to perform a port scan to several interesting TCP ports without the firewall reacting at all.

Symantec Firewall provides a mechanism for detecting possible intrusions by checking if someone is performing a port scan and banning the IP address in question for about 30 minutes. But if you do a port scan by trying to open ports normally (so, no SYN scans or anything like that) and slowly enough, then Symantec doesn't detect anything. I was able to do a port scan by scanning a port every 30 seconds and the firewall didn't react at all. (By the way, this "slow attack" is described in a SciFi book called Neuromancer, by William Gibson.)
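The 30-second spacing defeats a detector that only counts probes per short burst. As an added example (not from this journal, and not Symantec's own logic), the Python below runs a burst-window rule and a patient long-window rule over a constructed firewall log in a hypothetical format: the same "5 distinct ports" threshold, measured over minutes instead of seconds, still flags the slow scanner while leaving a normal client that reuses one port alone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log line format (constructed for this example): "<ts> <src_ip> -> <port>/tcp"
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) -> (\d+)/tcp$")

def build_sample_log():
    """Constructed sample log: one slow scanner, one fast scanner, one ordinary client."""
    t0 = datetime(2004, 3, 1, 22, 0, 0)
    stamp = lambda s: (t0 + timedelta(seconds=s)).strftime("%Y-%m-%d %H:%M:%S")
    slow = [13, 20, 21, 22, 23, 25, 80, 110, 113, 135, 139, 443, 445, 1433, 6667, 6881, 8000, 8080]
    lines = [f"{stamp(30 * i)} 10.0.0.7 -> {p}/tcp" for i, p in enumerate(slow)]  # one port every 30 s
    lines += [f"{stamp(i // 2)} 10.0.0.9 -> {p}/tcp"
              for i, p in enumerate([21, 22, 23, 25, 80, 443])]                  # six ports within 3 s
    lines += [f"{stamp(60 * i)} 10.0.0.5 -> 445/tcp" for i in range(8)]           # normal file-share client
    return "\n".join(lines)

def parse(log):
    """Return (timestamp, source_ip, dst_port) tuples; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                           m.group(2), int(m.group(3))))
    return events

def scanners(events, window_seconds, min_ports):
    """Sources that touched at least min_ports distinct ports inside any window_seconds span."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, port in sorted(events):
        by_src[src].append((ts, port))
    flagged = set()
    for src, probes in by_src.items():
        start = 0
        for end in range(len(probes)):
            while probes[end][0] - probes[start][0] > window:  # slide the window forward
                start += 1
            if len({p for _, p in probes[start:end + 1]}) >= min_ports:
                flagged.add(src)
                break
    return flagged

def compare(log=None):
    """Burst rule (5 ports in 10 s) versus patient rule (5 ports in 15 min) on the same log."""
    events = parse(build_sample_log() if log is None else log)
    return scanners(events, 10, 5), scanners(events, 15 * 60, 5)

if __name__ == "__main__":
    burst, patient = compare()
    print("burst rule flags:  ", sorted(burst))    # only the fast scanner
    print("patient rule flags:", sorted(patient))  # fast and slow scanners
```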

Finally, I created a situation where I opened a third-party proxy connection with SSH tunneling to port 8000 on my work laptop and allowed remote connections (I was using PuTTY). Then I launched a port scan from a remote location (i.e. over the Internet). With the scan I was able to detect that port 8000 was open, and I created a connection through that port to the third-party proxy server. So, I was able to surf the Internet anonymously by using my "Symantec secured" machine. All the time the Symantec Firewall settings were at "High".

The biggest flaws I'm able to point out are:
  • No warning when letting PuTTY access the Internet.
  • No warning, when a port scan has been performed.
  • No blocking of incoming connections. Not even a warning!

Note that there isn't anything fancy in what I was doing. The above is just a proof of concept which shows how easy it is to work around the software firewall if the settings aren't set correctly.

With Symantec Client Firewall it was just a matter of running a simple wizard to create a "Deny All" rule in the firewall software, which prevents any incoming connections from the Internet. I can't understand why our IT department hasn't done this. It seems that they are willingly leaving the machine wide open.

Anyway. Why am I writing this? I just want to let some steam out, because this has been the stupidest thing from our IT department so far. There are so many things wrong with this scenario that I even have a hard time remembering all the details and situations where things have gone wrong and how much damage can be caused both inside of our local network and from the public access Internet.

Finally, here's my quick hack for a port scanner, written in TCL:

# List of ports to be scanned.
set portlist [list 13 20 21 22 23 25 80 110 113 135 139 443 445 1433 6667 6881 8000 8080]

# Returns true if the port can be opened. Otherwise returns false.
proc check {host port} {
    if {[catch {socket $host $port} s]} then {
        return false
    }

    close $s
    return true
}

# Scans a list of ports and reports results to the standard output.
proc portscan {host list} {
    puts "Scanning $host..."

    foreach i $list {
        set port [format %5d $i]
        if {[check $host $i]} then {
            puts " Port $port is open."
        } else {
            puts " Port $port is closed."
        }
        # Wait 30 seconds between ports (the "slow scan" described above).
        after 30000
    }
}

# Takes the target host from the first command-line argument, defaulting to localhost.
proc main {argv} {
    if {[llength $argv] < 1} then {
        set host {127.0.0.1}
    } else {
        set host [lindex $argv 0]
    }

    portscan $host $::portlist
}

main $argv

(How wonderful is that? No indentation. Thanks Slashdot!)
