Security during shutdown... - Mischel Internet Security Forum

Jobs | About | Blog | Contact

Download TrojanHunter Now
Free 30-day trial!

Latest TrojanHunter Version:
TrojanHunter 5.0

Order Now
License file delivered within minutes.

Welcome, Guest. Please Login or Register.

Nov 21^st, 2008, 1:10pm

   Mischel Internet Security Forum
   Internet Security
   Firewalls (Moderators: Helena, Gavin_Coe, Magnus)
   Security during shutdown...

« Previous topic | Next topic »

Pages: 1

Notify of replies

Send Topic

Author

Topic: Security during shutdown... (Read 1355 times)

Ian
Stole All the Forum Stars

Good things come to those who wait ...

Posts: 2913

Security during shutdown...
« on: Nov 22^nd, 2003, 7:38pm »

Quote

Modify

I guess this question has been in my mind for a long while now, hence my habit of cutting the ADSL or dial-up connection before shuttingdown the PC, but it has relevance to LAN and WiFi stuff now, which are always active once logged in.

Q:
When shutting down a PC, how is the protection offered by a firewall maintained during logoff and the last few seconds? For example, the desktop, systray and services are apparently shut down during the stage indicated by 'Closing Network Connections' on XP, but (here's the niggle) it then saves the profile over the network afterwards ('Saving Settings'). Therefore, the LAN or WiFi connection is open right to the last few seconds of PC activity.

Just curious. I've not heard of anyone getting hit whilst logging off, but it seems to be an opening nonetheless.

IP Logged

... but crap arrives pretty much straight away.

MadAxe
Senior Member

Gender:

Posts: 319

Re: Security during shutdown...
« Reply #1 on: Nov 24^th, 2003, 2:03pm »

Quote

Modify

I have my cable modem turned OFF during startup and shutdown so that window of opportunity never exists.

IP Logged

DC
Veteran

I love YaBB 1G - SP1!

Posts: 567

Re: Security during shutdown...
« Reply #2 on: Nov 24^th, 2003, 5:06pm »

Quote

Modify

Interesting question Ian. A few weeks ago I noticed one of those certificate revocation things in my temporary internet files after booting up. I've seen them before when I took a look at some porn sites. After trying to figure out how they were getting onto my computer I started unplugging the cable before shutting down and not plugging it back in until everything had started up. They stopped appearing. Sounds like something sneaky is happening as soon as the protection is shut down, I dunno.

IP Logged

Magnus
Administrator

Ad astra per aspera.

Posts: 4120

Re: Security during shutdown...
« Reply #3 on: Nov 24^th, 2003, 5:12pm »

Quote

Modify

I absolutely don't trust any software firewall to do the job on its own. If anyone wants to hack in they'll have to get past a hardware firewall that protects the internal network. Thus, no problems with "windows of opportunity" here Wink

IP Logged

8Signs
Newbie

I love YaBB 1G - SP1!

Posts: 11

Re: Security during shutdown...
« Reply #4 on: Nov 24^th, 2003, 8:27pm »

Quote

Modify

Well, software firewalls should be able to handle shutdown just as easily as when running or during bootup, for that matter.

Software firewalls do their job by hooking function calls. They have themselves inserted in the chain of events, making protocol drivers send outgoing packets to them, which they in turn pass to the NIC drivers, and NIC drivers pass received packets to them, which are in turn passed to the protocol drivers. As long as they are inserted before network adapters are opened and choose to be inserted between all protocols and the NIC drivers, they will see every single packet, in or out, right until devices are closed. No window of opportunity.

Problems would happen if software firewalls were coded carelessly and are only filtering "MSTCP", the Microsoft protocol driver that handles IP traffic (TCP, UDP and ICMP, for example). If they don't hook others, they don't control them. It is my suspicion that is the case for some if not most, because I keep getting bug reports about 8Signs Firewall (=VisNetic Firewall) blocking PPPoE or IPSEC or something when this or that personal firewall doesn't, so what's my problem? My problem is I'm trying to cover it all.

Another weakness is if the software firewall allowed all traffic unless the firewall app is actually running, telling it what to filter. I know early version of personal firewalls were like that. I believe most can be set to block traffic during bootup, so that should include shutdown too.

This covers the packet layer and incoming threats. People expect personal firewalls to control outgoing traffic as well (I've argued this point before, won't here) on a per-application basis. This is usually done by a TDI hook driver (kernel-mode) or an LSP (Layered Service Provider, user-mode). The TDI is a harder solution, but tighter for security. The LSP is easier, but can be bypassed.

I've never thought shutdown presents much of an opportunity for hackers, but if I'm wrong, I'd like to know about it.

James Grant
8Signs Ltd.

IP Logged

Magnus
Administrator

Ad astra per aspera.

Posts: 4120

Re: Security during shutdown...
« Reply #5 on: Nov 24^th, 2003, 9:13pm »

Quote

Modify

Nicely written James. I actually learned a few things reading your post. I think the only problem with a "window of opportunity" during shutdown is that you could catch an Internet worm if the firewall isn't filtering. I know some recent worms have been infecting unpatched systems only minutes after they were brought online. As for a malicious hacker gaining access to the system during the small window where the firewall is possibly not active, I don't think the risk is all that great. I would actually say it's insignificant.

IP Logged

DC
Veteran

I love YaBB 1G - SP1!

Posts: 567

Re: Security during shutdown...
« Reply #6 on: Nov 25^th, 2003, 8:15am »

Quote

Modify

Tried shutting off the computer and starting up again without doing the unplugging thing and got another one of those certificates in temporary internet files.

IP Logged

MadAxe
Senior Member

Gender:

Posts: 319

Re: Security during shutdown...
« Reply #7 on: Nov 25^th, 2003, 3:36pm »

Quote

Modify

Ultimately I'd like to get a hardware firewall for my home computer but until the funds allow that I am stuck with a software firewall. I'm paranoid even if the risk is insignificant. A risk is a risk, and the more I minimize those risks the safer I'll be. I don't know what lies in the lines of code but I do know there is a such thing as human error and it's a human that codes it. I use ZA which I think loads as a service. The post by James made me think the "window of opportunity" is smaller than I once thought, but I will still continue my practice of turning off my cable modem during startup and shutdown.

IP Logged

Jamming
Stole All the Forum Stars

Remember when a Trojan was just for protection.

Gender: male

Posts: 2039

Re: Security during shutdown...
« Reply #8 on: Nov 25^th, 2003, 6:44pm »

Quote

Modify

ZA does load as a Service, but it also provides a step in between the Internet Connection and the rest. For when the True Vector Service fails it severs the connectivity to the Internet. I forget right now how to explain it all, but anyone can go over and ask at the Zone Alarms Community for specifics. I think it has something to do with the Vxd, but my memory is still fuzzy at the moment. I figure between that and my NAT Router and my Start-up Monitor, I am in pretty good shape.

IP Logged

Team Z Member

Servare cives, major est virtus patriae patri.
- Lucius Annaeus Seneca
I was born an American; I live an American; I shall die an American!
- Daniel Webster

DC
Veteran

I love YaBB 1G - SP1!

Posts: 567

Re: Security during shutdown...
« Reply #9 on: Nov 28^th, 2003, 7:27pm »

Quote

Modify

I picked up a router/firewall. Working great so far. Thanks for the information and advice.
Regards, DC

IP Logged

MadAxe
Senior Member

Gender:

Posts: 319

Re: Security during shutdown...
« Reply #10 on: Nov 29^th, 2003, 5:54pm »

Quote

Modify

on Nov 25^th, 2003, 6:44pm, Jamming wrote:

ZA does load as a Service, but it also provides a step in between the Internet Connection and the rest. �For when the True Vector Service fails it severs the connectivity to the Internet. �I forget right now how to explain it all, but anyone can go over and ask at the Zone Alarms Community for specifics. �I think it has something to do with the Vxd, but my memory is still fuzzy at the moment. �I figure between that and my NAT Router and my Start-up Monitor, I am in pretty good shape.

I have an external RCA cable modem. It has lights for E-mail, Activity, Cable, PC Link and Power.

When my computer is completely shut down and I have the On/Off button of the modem set to Off, only 1 light is lit and that is the Cable light (connection between the modem and ISP). When I turn on the computer, it establishes a link to the modem as shown by the PC Link light during post. At this point I'm under the impression that my computer can be seen.

IP Logged

Ian
Stole All the Forum Stars

Good things come to those who wait ...

Posts: 2913

Re: Security during shutdown...
« Reply #11 on: Nov 30^th, 2003, 7:55pm »

Quote

Modify

Good answers all. It has relevance to my search for a FW to protect school laptops when away from the LAN/WLAN (temporarily suspended due to unexpected circumstances, but shortly to resume).

Having cracked the problem of getting 802.1x to run over really cheap D-Link WiFi kit, I can say that this has no problem with regards the FW's I've tried, since all have a level of trust in the school's LAN (sitting behind a Cisco 2600 router) that I'm not prepared to grant for home ISP links etc. It seems that IPSEC and VPN stuff is more widely supported by the hardware, but more problematic all the same. At least I don't have to worry about 802.11q-compatible network adapters, VLANs and so on.

From what has been said, the issue may cause problems in some instances (choice of firewall, whether additional hardware is involved etc).

Let's widen this a bit. Is there a priority order for startup/shutdown? If so, at what point are the network connections initialised/cut? If there's a way of getting something to run on a PC, for example, that can get in early enough, maybe it too can act like the software FW. This kind of back door could actually hold the connection open long enough to transfer stuff. If TrueVector can be loaded before the networking services, it's at least a possibility that something else could load even earlier.

Please excuse the paranoia trip... Wink

IP Logged

... but crap arrives pretty much straight away.

Pages: 1

Notify of replies

Send Topic


« Previous topic \| Next topic »

Search

Members

Login

Register