Journal of Masa (74401)

SW Firewall Saga Continues...

Tuesday March 15 2005, @03:35AM
Security
I spent last night playing with Symantec Client Firewall version 7.1.2.1021, including our corporate SCS2 Baserule set 9 (which seems to be a creation of our brilliant IT department).

First of all, even though I cranked the Symantec Firewall security level up to High, I was still able to access TCP ports greater than 1024. This means that, for example, MS SQL Server (1433/tcp) is wide open. And of course an unpatched MS SQL Server has some known vulnerabilities.

Also, I was able to perform a port scan of several interesting TCP ports without the firewall reacting at all.

Symantec Firewall provides a mechanism for detecting possible intrusions by checking whether someone is performing a port scan and banning the IP address in question for about 30 minutes. But if you do a port scan by trying to open ports normally (so no SYN scans or anything like that) and slowly enough, then Symantec doesn't detect anything. I was able to do a port scan by probing one port every 30 seconds and the firewall didn't react at all. (By the way, this "slow attack" is described in a sci-fi book called Neuromancer, by William Gibson.)
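As an added illustration (not code from the journal), here is a Python sketch of the detection gap described above: a burst-only detector, which only counts probes within a few seconds, is compared with one that keeps a per-source window longer than the probe interval. The log format, the IP addresses, the window sizes and the threshold are constructed assumptions; the port list is the one from the scanner later in the post.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Port list taken from the journal's Tcl scanner; used here only to build sample input.
PORTS = [13, 20, 21, 22, 23, 25, 80, 110, 113, 135, 139, 443, 445, 1433, 6667, 6881, 8000, 8080]


def build_sample_log():
    """Constructed firewall log lines (not real data): 'YYYY-mm-ddTHH:MM:SS src dport'.
    198.51.100.7 probes one port every 30 seconds (the slow scan from the post);
    203.0.113.5 is an ordinary client talking to ports 80/443 only."""
    t0 = datetime(2005, 3, 14, 22, 0, 0)
    lines = []
    for i, port in enumerate(PORTS):
        lines.append(f"{(t0 + timedelta(seconds=30 * i)).isoformat()} 198.51.100.7 {port}")
    for i in range(20):
        port = 443 if i % 2 else 80
        lines.append(f"{(t0 + timedelta(seconds=7 * i)).isoformat()} 203.0.113.5 {port}")
    return lines


def parse_line(line):
    ts, src, port = line.split()
    return datetime.fromisoformat(ts), src, int(port)


def detect_scans(lines, window_seconds, threshold):
    """Flag a source once it has touched >= threshold distinct destination ports
    within any sliding window of window_seconds. Returns {src: ISO time first flagged}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> deque of (timestamp, port), oldest first
    flagged = {}
    for ts, src, port in sorted(map(parse_line, lines)):
        q = recent[src]
        q.append((ts, port))
        while ts - q[0][0] > window:      # drop events that fell out of the window
            q.popleft()
        if src not in flagged and len({p for _, p in q}) >= threshold:
            flagged[src] = ts.isoformat()
    return flagged


if __name__ == "__main__":
    log = build_sample_log()
    # A 10-second window (assumed stand-in for a burst-only detector) misses the slow scan...
    print("short window:", detect_scans(log, 10, 5))
    # ...while a 30-minute window catches it and still leaves the normal client alone.
    print("long window:", detect_scans(log, 1800, 5))
```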

Finally, I created a situation where I opened a third-party proxy connection with SSH tunneling to port 8000 on my work laptop and allowed remote connections (I was using PuTTY). Then I launched a port scan from a remote location (i.e. over the Internet). With the scan I was able to detect that port 8000 was open, and I created a connection through that port to the third-party proxy server. So I was able to surf the Internet anonymously by using my "Symantec secured" machine. All the time the Symantec Firewall settings were at "High".

The biggest flaws I'm able to point out are:
  • No warning when letting PuTTY access the Internet.
  • No warning when a port scan has been performed.
  • No blocking of incoming connections. Not even a warning!
Note that there isn't anything fancy in what I was doing. The above is just a proof of concept which shows how easy it is to work around the software firewall if the settings aren't set correctly.

With Symantec Client Firewall it was just a matter of running a simple wizard to create a "Deny All" rule in the firewall software, which prevents any incoming connections from the Internet. I can't understand why our IT department hasn't done this. It seems that they are willingly leaving the machine wide open.

Anyway, why am I writing this? I just want to let off some steam, because this has been the stupidest thing from our IT department so far. There are so many things wrong with this scenario that I even have a hard time remembering all the details and situations where things have gone wrong, and how much damage can be caused both from inside our local network and from the public Internet.

Finally, here's my quick hack for a port scanner, written in Tcl:

# List of ports to be scanned.
set portlist [list 13 20 21 22 23 25 80 110 113 135 139 443 445 1433 6667 6881 8000 8080]

# Returns true if the port can be opened. Otherwise returns false.
proc check {host port} {
    # A full TCP connect; a refused or filtered port makes socket throw.
    if {[catch {socket $host $port} s]} then {
        return false
    }

    close $s
    return true
}

# Scans a list of ports and reports results to the standard output.
proc portscan {host list} {
    puts "Scanning $host..."

    foreach i $list {
        set port [format %5d $i]
        if {[check $host $i]} then {
            puts " Port $port is open."
        } else {
            puts " Port $port is closed."
        }
        # Wait 30 seconds between probes.
        after 30000
    }
}

proc main {argv} {
    # Default to localhost when no host is given on the command line.
    if {[llength $argv] < 1} then {
        set host {127.0.0.1}
    } else {
        set host [lindex $argv 0]
    }

    portscan $host $::portlist
}

main $argv
(How wonderful is that? No indentation. Thanks Slashdot!)

Boneheaded firewall rules

Monday March 14 2005, @05:15AM
Security
I have to say that the IT department of my employer doesn't have a clue at all.

They forced a new installation of a Symantec Firewall package onto my computer (thanks, AD!). This new installation automatically disables the built-in Windows firewall. Well, that's fine, except there seems to be a teeny tiny problem with the Symantec rule set. It doesn't block anything at all from the outside!

Well, of course my machine was hit immediately when this happened. Now I have the Windows firewall re-enabled and I hope that the Symantec application doesn't disable it again.

The worst part of this story is that there seems to be no way to report this situation to anyone so the rule sets could be fixed. At the moment I'm writing this, the IT department is happily installing this defective rule set on all of our computers. Nice to know that there will be tens of thousands of machines vulnerable in our own local network. It will take just one contaminated machine to bring down the entire company.

Mandrake

Thursday February 03 2005, @05:24AM
User Journal
Mandrake 10.1 is just awesome.

I'm a die-hard Slackware fan and it has been the distro of choice for me the last 10 years. But last night I tried Mandrake 10.1 on my HP laptop and I'm just stunned.

The HP ze4423 has some quirks and sometimes a Linux installation is quite an adventure, when I have to dodge all the ACPI/APIC/LAPIC/USB/PCMCIA stuff and try to find my way to a successful installation. The laptop itself is nice and it works great, but unfortunately most of the Linux distributions have a kernel with some very specific kernel options turned on, which make them incompatible with my laptop. But Mandrake... well, it seems to have everything set up correctly for my machine. Right out of the box. Amazing.

I didn't even know that there is an Xorg driver for the ATI Radeon IGP 320 chipset available.

Aspell and Opera

Wednesday December 22 2004, @06:09PM
User Journal
Wow! I learn new things almost daily when I'm using the Opera browser. I just noticed that it's possible to check spelling in Opera by installing Aspell.

Aspell, by the way, is a great open-source product.

Behold the ultimate power of Tcl

Thursday October 14 2004, @07:59AM
User Journal
In just 36 lines of code (including comments) I created an mp3 streaming server which can serve multiple clients and stream multiple mp3 files one after another from a given source directory. I'm using it for my private talk-show "radio station".

Tcl as a scripting language just doesn't stop amazing me.