
HTTP port 80/80 vulnerability


7 replies to this topic

#1 spyster
Full Member, 5 posts

Posted 11 July 2006 - 02:54 PM

Hey firewall masters!

Let's see who can answer this one.

I have a hardware router firewall (router is DI-614+). One of the ports I kept opened on the firewall is port 80 for servicing HTTP request/responses.

Some progs on my computer often request updates from the internet. Among those are AVs, Adobe Acrobat and others. These access the internet transparently, and I suppose the router allows them that access through TCP port 80 (HTTP). Now, when I installed ZoneAlarm on my comp, it tracked all attempts by these progs to download data from the internet.

I was wondering ... Let's say I go with a hardware-only firewall solution:
- will there be any way for me to control which applications can use TCP port 80 (HTTP)?
- will hazardous applications be able to download malicious data onto my comp if I keep port 80 open?
- can this be done in all security?

Edited by spyster, 14 July 2006 - 08:59 AM.


#2 cnm
Mother Lion of SWI (Administrators), 25,279 posts

Posted 11 July 2006 - 09:37 PM

Hardware firewalls don't usually stop things from going out; they just block stuff coming in.

Port 80 is on the server side. You are a client.
You use a different port to initiate a connection and send data to the server's port 80. You will not receive anything via port 80 unless you are running a server.

Install (free) TcpView from http://www.sysintern...es/TcpView.html and watch the connections in real time; new connections are red; then you will see them turn green for a while.
In the attached screen shot the numbers after the colons are port numbers. 127.0.0.1 is "localhost", i.e. your own PC.

[Attached screenshot: ScreenShot001.jpg]

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE
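To make cnm's client/server point concrete, here is an added example (not from cnm's post and not part of TCPView itself): a short Python script that reads the kind of table TCPView or `netstat -ano` prints and labels each row as the PC acting as a client, as a server, or talking to itself over localhost. The rule it applies is the one stated above: the remote side's port 80 belongs to the server, while the PC's own end of the connection uses a different, higher port, and only a LISTENING row means something on the PC is waiting for inbound connections. The sample table is constructed (the addresses, ports and PIDs are made up), and the 1025 lower bound for client ports is an assumption that matches Windows 2000/XP; Vista and later use 49152-65535.

```python
"""Read TCPView / `netstat -ano` style output and say, per connection,
whether this PC is acting as a client or as a server.

Added example, not part of the original thread. SAMPLE_NETSTAT is a
constructed table in the layout of Windows `netstat -ano`; the addresses,
ports and PIDs are made up.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.0.10:1041      64.233.187.99:80       ESTABLISHED     2380
  TCP    192.168.0.10:1043      192.150.18.200:80      TIME_WAIT       0
  TCP    192.168.0.10:4444      0.0.0.0:0              LISTENING       3120
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     1552
  UDP    0.0.0.0:500            *:*                                    1000
"""

# Assumption: Windows 2000/XP hand out client ("ephemeral") ports from 1025
# upward. Vista and later, like the IANA range, use 49152-65535.
FIRST_EPHEMERAL_PORT = 1025


@dataclass
class Conn:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: Optional[str]
    remote_port: Optional[int]
    state: str
    pid: int          # the number TCPView shows after the colon next to the process name


def split_endpoint(text: str) -> Tuple[Optional[str], Optional[int]]:
    """'192.168.0.10:1041' -> ('192.168.0.10', 1041); '*:*' -> (None, None)."""
    host, _, port = text.rpartition(":")
    if not port.isdigit():
        return None, None
    return host, int(port)


def parse_netstat(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                      # title, header or blank line
        lip, lport = split_endpoint(parts[1])
        rip, rport = split_endpoint(parts[2])
        if parts[0] == "TCP":
            state, pid = parts[3], int(parts[4])
        else:                             # UDP rows have no State column
            state, pid = "", int(parts[3])
        conns.append(Conn(parts[0], lip, lport, rip, rport, state, pid))
    return conns


def classify(c: Conn) -> str:
    """Role of this PC in the connection, as a short label."""
    if c.state == "LISTENING":
        where = "all interfaces" if c.local_ip == "0.0.0.0" else c.local_ip
        return "server: accepting connections on port %d (%s)" % (c.local_port, where)
    if c.proto == "UDP":
        return "udp socket bound to local port %d" % c.local_port
    if c.local_ip.startswith("127.") and (c.remote_ip or "").startswith("127."):
        return "local: two programs on this PC talking over localhost"
    if (c.local_port >= FIRST_EPHEMERAL_PORT and c.remote_port is not None
            and c.remote_port < FIRST_EPHEMERAL_PORT):
        # The server is on the far side; its reply comes back to OUR high port, not to port 80.
        return "client: connected to remote port %d; replies arrive on local port %d" % (
            c.remote_port, c.local_port)
    if c.local_port < FIRST_EPHEMERAL_PORT:
        return "server: accepted connection from %s:%d on local port %d" % (
            c.remote_ip, c.remote_port, c.local_port)
    return "peer-to-peer or unknown (both ports high)"


def report(text: str = SAMPLE_NETSTAT) -> List[Tuple[int, str]]:
    """(pid, role) for each row of the table."""
    return [(c.pid, classify(c)) for c in parse_netstat(text)]


if __name__ == "__main__":
    for pid, role in report():
        print("PID %5d  %s" % (pid, role))
```

The row worth looking at is the one for PID 2380: the PC's end is port 1041 and only the remote end is port 80, so the update download comes back to port 1041, which is why leaving "port 80" open or closed on the router has nothing to do with it. The two LISTENING rows are the only ones where the PC would accept an unsolicited inbound connection.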


#3 spyster
Full Member, 5 posts

Posted 14 July 2006 - 08:58 AM

watch the connections in real time

Thank you, I installed TCPView and it will be a great utility from now on.
By the way, what is the number beside the process (after the colon)?

You said something important:

Hardware firewalls don't usually stop things from going out; they just block stuff coming in.

So does that mean that while my router stops stuff from coming in, zonealarm stops things from going out?
So, if I understand correctly, by using only my router's firewall, if a request is made to a server, there is no way to avoid receiving a response?

Edited by spyster, 14 July 2006 - 03:26 PM.


#4 cnm
Mother Lion of SWI (Administrators), 25,279 posts

Posted 14 July 2006 - 09:51 PM

The set of four numbers separated by dots is the IP address of the thing connected. Please read What is IP Address?

The IP address is followed by a colon and the number after the colon is the port number.

If you have only a hardware firewall, it might stop servers from connecting to you, but probably won't stop the response if you initiated the connection. And it won't stop a "server" on your PC - usually that would be a trojan - from connecting to something on the web. Zonealarm will prevent that.

This is a good simple article that you should read: Firewall Debate:Hardware vs. Software
Note, though, that there is no problem at all in having both.



#5 spyster
Full Member, 5 posts

Posted 19 July 2006 - 12:54 PM


The set of four numbers separated by dots is the IP address of the thing connected. The IP address is followed by a colon and the number after the colon is the port number.

cnm, can you take a closer look at my request? Can you please inform me about the number beside the process name (not the IP address; thanks, you had already informed me about that)? I noticed that it didn't correspond to the port number. Just as a reference, here is what I had asked for:

By the way, what is the number beside the process (after the colon)?

Oh, and the article you referred me to (Firewall Debate:Hardware vs. Software) is excellent. :D
In the article though, why did the author say that,

To most broadband hardware firewalls, the traffic generated by such programs [(DDOS attacks or Keystroke loggers)] would appear legitimate since it originated inside your network and would most likely be let through. This malevolent traffic might be blocked if the hardware firewall was configured to block outgoing traffic on the specific Transmission Control Protocol/Internet Protocol (TCP/IP) port(s) the program was using, but given that there are over 65,000 possible ports and there's no way to know which ports a program of this nature might use, the odds of the right ones being blocked are slim.

Couldn't one just block all the ports and then specify the ports one wishes to allow internet access to?

#6 Swandog46
Forum Deity (Emeritus), 10,190 posts

Posted 19 July 2006 - 01:01 PM

The number beside the process name is the process id (PID):
http://en.wikipedia....wiki/Process_ID

If you go to Windows Task Manager (press control-alt-delete) and select Processes, go to View -> Select Columns, you can choose to see the PIDs there too.

By the way, regarding blocking outbound ports: you *could* in theory block all outbound ports except for a few known ones but that would get fairly inconvenient for using many programs.... especially ones that randomize the ports they use.

#7 spyster
Full Member, 5 posts

Posted 20 July 2006 - 09:57 AM

The number beside the process name is the process id (PID)

Thanks. I was guessing that right after I had posted. ^_^

By the way, regarding blocking outbound ports: you *could* in theory block all outbound ports except for a few known ones but that would get fairly inconvenient for using many programs.... especially ones that randomize the ports they use.

Randomizing ports, is this something that many programs do? If I could know which programs randomized their ports, I could evaluate how inconvenient this actually is. The reason why I say this is because the apps that are run on the network computers are monitored by the IT Staff, and there aren't that many apps that the office users need.

The thing is though, the author said that most routers don't block outbound requests, but rather inbound requests. How could I tell whether or not my router allows me to block outbound requests? Here is the interface for my router manager.
(In manager UI, the combo box for Source and Destination allows *, WAN or LAN).

Edited by spyster, 20 July 2006 - 10:00 AM.


#8 Swandog46
Forum Deity (Emeritus), 10,190 posts

Posted 22 July 2006 - 10:41 PM

Randomizing ports is not all that common, except for P2P, it is true.

Some routers do block outbound requests, I think.... (but I could be wrong). I am not at all an expert at configuring routers, but I would guess that if you choose to block traffic with LAN (local area network) for source and WAN (wide area network) for destination, you would be filtering outbound traffic....
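To put the two kinds of filtering side by side, here is an added Python simulation (it is not from the thread, and not code from any router firmware or from ZoneAlarm). It models a router as a stateful filter that only remembers flows started from the LAN side, run once with outbound left open and once with the "block everything, then allow a few ports" rule spyster asked about in #5, beside a host firewall that decides by which program owns the socket. The traffic, addresses and program names are constructed. It illustrates cnm's point in #4 that a router passes the reply to a connection the PC started and does not stop a trojan connecting out, Swandog46's point in #6 that a port allow-list breaks programs that use random high ports, and the LAN-source/WAN-destination direction of an outbound rule from #8.

```python
"""Compare a stateful router firewall with a per-application host firewall.

Added example, not from the original thread. TRAFFIC is a constructed
sequence of packets as seen at the LAN/WAN boundary of a home router; the
program names are what a host firewall on the PC can see from its own
process table (a router never sees them).
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

LAN_OUT = "LAN->WAN"   # outbound: source LAN, destination WAN (the rule direction from post #8)
WAN_IN = "WAN->LAN"    # inbound: source WAN, destination LAN


@dataclass(frozen=True)
class Packet:
    direction: str
    lan_port: int      # port on the PC: ephemeral for a client, fixed for a listener
    wan_ip: str
    wan_port: int
    program: str       # local process owning the socket; "" for a probe of a closed port


FlowKey = Tuple[int, str, int]


def flow_key(pkt: Packet) -> FlowKey:
    return (pkt.lan_port, pkt.wan_ip, pkt.wan_port)


class RouterFirewall:
    """Typical broadband router: inbound is denied unless it matches a flow the
    LAN started. Optionally restrict outbound to a set of destination ports."""

    def __init__(self, allowed_out_ports: Optional[Set[int]] = None):
        self.allowed_out_ports = allowed_out_ports   # None means any port may go out
        self.state: Set[FlowKey] = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == LAN_OUT:
            if self.allowed_out_ports is not None and pkt.wan_port not in self.allowed_out_ports:
                return "DROP (outbound port %d not in allow list)" % pkt.wan_port
            self.state.add(flow_key(pkt))            # remember it so the reply can come back
            return "ALLOW"
        if flow_key(pkt) in self.state:
            return "ALLOW (reply to LAN-initiated connection)"
        return "DROP (unsolicited inbound)"


class HostFirewall:
    """Per-application firewall on the PC: decides by program, not by port number."""

    def __init__(self, allowed_programs: Iterable[str]):
        self.allowed = set(allowed_programs)
        self.state: Set[FlowKey] = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == LAN_OUT:
            if pkt.program in self.allowed:
                self.state.add(flow_key(pkt))
                return "ALLOW"
            return "DROP (%s not permitted to connect out)" % pkt.program
        if flow_key(pkt) in self.state:
            return "ALLOW (reply to LAN-initiated connection)"
        return "DROP (unsolicited inbound to %s)" % (pkt.program or "closed port")


TRAFFIC = [
    Packet(LAN_OUT, 1041, "64.233.187.99", 80, "avupdate.exe"),    # AV update check over HTTP
    Packet(WAN_IN, 1041, "64.233.187.99", 80, "avupdate.exe"),     # the server's reply
    Packet(WAN_IN, 4444, "203.0.113.7", 51230, ""),                # someone on the WAN probing port 4444
    Packet(LAN_OUT, 1052, "198.51.100.23", 80, "trojan.exe"),      # malware phoning home over port 80
    Packet(LAN_OUT, 1053, "198.51.100.23", 31337, "trojan.exe"),   # malware on an unusual port
    Packet(LAN_OUT, 1060, "192.0.2.44", 52311, "p2pclient.exe"),   # legitimate program on a random high port
]


def run(fw, traffic: List[Packet]) -> List[str]:
    return [fw.decide(p) for p in traffic]


def compare(traffic: List[Packet] = TRAFFIC):
    return {
        "router, default outbound-allow": run(RouterFirewall(), traffic),
        "router, outbound only to 53/80/443": run(RouterFirewall({53, 80, 443}), traffic),
        "host firewall, per-application": run(
            HostFirewall(["avupdate.exe", "p2pclient.exe", "iexplore.exe"]), traffic),
    }


if __name__ == "__main__":
    for name, decisions in compare().items():
        print(name)
        for pkt, d in zip(TRAFFIC, decisions):
            print("  %-8s lan:%-5d %s:%-5d %-14s -> %s" % (
                pkt.direction, pkt.lan_port, pkt.wan_ip, pkt.wan_port, pkt.program or "-", d))
```

Running it prints three decision tables. The rows to compare are trojan.exe on port 80, which both router configurations pass because port-based rules cannot tell it from the AV updater and only the per-application rule stops, and p2pclient.exe on port 52311, which the port allow-list blocks (the inconvenience Swandog46 describes) while the per-application rule lets it through.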



