Great Circle Associates Firewalls
(June 1996)

Subject: Re: Can a virus affect NT/UNIX firewalls?
From: "Paul D. Robertson" <proberts @ clark . net>
Date: Thu, 20 Jun 1996 13:24:54 -0400 (EDT)
To: Bill Stout <bill . stout @ hidata . com>
Cc: Firewalls @ GreatCircle . COM
In-reply-to: <199606201603 . JAA12546 @ osc . osc . hidata . com>

On Thu, 20 Jun 1996, Bill Stout wrote:

> What is the potential of having a virus infect a UNIX or NT 
> firewall?

The potential exists.  I'd think that in general trojans were more
worrisome than viruses.  Last I'd looked, there were no known Unix viruses
actually "in the wild", and only a couple of NT specific ones (though some
DOS and Windows ones still work, I believe).

> 
> I can think of various (non-proxy) programs on a firewall 
> that exchange data directly with the net: SMTP/SMAP (MIME), 
> NTP, DNS, finger responses, etc.  I am not sure if you 
> can connect to a firewall and 'place' a (binary) virus 
> using one of these services.

It would depend on how the services were designed.  In general, buffer
overrun attacks are probably the most thought of ways of getting binary
code to execute on a platform that offers minimal services, unless there
is a way to execute an interpreted program or commands during transmission
(e.g. about 90% of the old sendmail bugs).

> 
> I believe DNS only accepts ASCII data, but imagine if there
> were such a thing as a DNS virus!
> 

Buffer overrun attacks against resolver routines have existed, and 
I think you'll probably even come across a CERT advisory about BIND in 
that regard (memory is hazy on that specific score).

> I've had experiences with viruses (ex: NOINT, Stealth) on 
> desktop PCs, once the 'Stealth' virus killed off boot 
> sector/partition table of the disks, forcing me to replace 
> the disks of 10 new PCs.

Ideally, your firewalls/gateways shouldn't execute any code that isn't
trusted.  You should checksum and baseline all the code (as well as
router configurations), and do frequent comparisons.  If you use routers
that require passwords to read the configs, look closely at using an out
of band channel, or stronger authentication than an in-the-clear password.  

If you're truly concerned about the integrity of the firewall, a B-rated
OS based system may help alleviate some of your concerns.

Paul.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts @ clark . net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
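One way to do the checksum-and-baseline comparison Paul recommends, as an added example that is not from the original message or the list: a small Python script (an assumed tool, not anything referenced in the thread) that snapshots SHA-256 digests of every file under a directory and reports what was added, removed or modified against an earlier snapshot. The sample tree it walks is constructed in a temporary directory.

```python
import hashlib
import os
import shutil
import tempfile

def sha256_file(path):
    """Return the hex SHA-256 digest of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root):
    """Map every regular file under root (relative path) to its digest."""
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink swapped in for a file shows up as a removal
            snapshot[os.path.relpath(full, root)] = sha256_file(full)
    return snapshot

def compare(old, new):
    """Report the differences between two snapshots: added, removed, modified."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }

def demo():
    """Constructed example: a tiny gateway tree, then an unauthorized change."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "sbin"))
    with open(os.path.join(root, "sbin", "smap"), "wb") as f:
        f.write(b"\x7fELF original smap")          # constructed stand-in binary
    with open(os.path.join(root, "router.cfg"), "w") as f:
        f.write("hostname fw1\n")                   # constructed router config
    before = baseline(root)
    # simulate a replaced SMTP proxy binary and a file that was not there before
    with open(os.path.join(root, "sbin", "smap"), "wb") as f:
        f.write(b"\x7fELF replaced smap")
    with open(os.path.join(root, "sbin", "extra"), "wb") as f:
        f.write(b"new")
    result = compare(before, baseline(root))
    shutil.rmtree(root)
    return result
```

Store the baseline off the firewall (or on read-only media) so an attacker who alters a file cannot also alter the digests it is compared against.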


