Firewall
Colin Ferris (399) 1818 posts |
With the advent of Virus/Malware attacking modems – common passwords/fixed passwords. Also with a RO portable – used outside the home. How difficult would it be to add a Firewall to RO5? |
Steffen Huber (91) 1953 posts |
Malware would not find any services running on any ports on RISC OS (unless someone is foolish enough to run a webserver on RISC OS), so what should a firewall protect? Anyway, running a firewall on the same OS as the user runs his software is considered unsafe. A firewall should always be a separate piece of hardware. |
Jeffrey Lee (213) 6048 posts |
ShareFS? :-) There’s also this bug which I need to revisit at some point. |
Rick Murray (539) 13850 posts |
“unless someone is foolish enough to run a webserver on RISC OS” Logs show regular attempts to hack phpmyadmin and SQL, etc. |
Steve Pampling (1551) 8172 posts |
Look, if Quinetiq staff1 brought in for penetration testing2 can (script kiddie) run through a set of default passwords and exploits that work on some versions of firmware on Cisco switches, when they have already been verbally informed the network kit was Nortel and the prompt that appeared on the screen when connecting on a remote console session clearly said Nortel, what do you expect from your average hacker who doesn’t even know where you are, never mind what you’re running? 1 That said, known organisation etc. and all, but given their performance I’d not be sure about having them make the tea |
Steve Pampling (1551) 8172 posts |
Hey Rick our filters don’t like you: Details |
Rick Murray (539) 13850 posts |
No, your filters don’t like you – you’re supposed to be slaving away for a pittance, not looking at stuff that might be…you know…more interesting. ☺ |
Steve Pampling (1551) 8172 posts |
Hackcherly that was work, you see: the filters on the UTM have to be checked before we start pointing users outside the department at that route. So, first the network bods poke the filters and deliberately attempt to access betting web sites (and stuff)1, then the third line support do the same and then the whole IT building2… “and tomorrow ze world” – OK, actually it will be done in stages, applying the change to each VLAN and then a routing change to make everything go via that box (except essential services). Returning to the original question: A firewall in the OS would first require a decent IP stack to use it on. 1 Going into your bookmarks and selecting a block to “open all in tabs” works quite well :) |
Clive Semmens (2335) 3276 posts |
Possibly to the ESR, however. I fell out with a company I was doing contract work for over things I found out about the ESR. I recounted the story, with names changed of course, as one of the heroine’s anecdotes in my novel, The Reminiscences of Penny Lane. |
Rick Murray (539) 13850 posts |
Look on the bright side, your Nortel kit doesn’t suffer the same vulns that can take down Cisco devices…
I am afraid I agree with Steffen. RISC OS doesn’t need a firewall as the blocking should be done by another device downstream, so all I need to worry about are the ports exposed to the world in NAT. My Livebox is my firewall, plus there are no open shares on the LAN. I only expose a share when I have a need, and it is passworded, and VNC is also passworded and blocked so it will refuse connections that aren’t from a LAN IP. In other words, I’m using the Livebox as the firewall but also considering the potential of it being compromised. Something that TalkTalk users probably understand right now. Though any such problems should be short-lived as I have a Livebox I purchased myself configured identically to the one I’m renting from Orange (same SSID and password) intended to be a drop-in replacement; though I also have a WAG200G ADSL box running OpenWAG. It doesn’t support VoIP phone, but if the Livebox was actually compromised, I would be inclined to want to plug that in place of the Livebox until I knew the problem was resolved. But, yes. As far as I’m concerned, if the first line of defence is your computer, then the battle is already lost. RISC OS doesn’t need a firewall… |
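As an added illustration (not code from this thread or from RISC OS), the host-side part of the setup Rick describes, where a service such as VNC refuses anything that is not from a LAN address, comes down to a source-address check performed before the protocol handshake starts. The networks, the sample connection attempts and the function names below are all assumptions made for the example.

```python
import ipaddress
import socket

# Assumption: a typical home LAN on 192.168.1.0/24, plus loopback.
# Anything outside these networks is refused before a single byte of
# the VNC/share protocol is exchanged.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
]


def is_allowed_source(peer_ip: str, allowed=ALLOWED_NETWORKS) -> bool:
    """True only if peer_ip lies inside one of the allowed networks.

    Fails closed: an address that does not parse is refused.  IPv4-mapped
    IPv6 peers (::ffff:a.b.c.d, which a dual-stack listener sees for IPv4
    clients) are unmapped first, otherwise they would bypass an IPv4-only
    allow-list.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in allowed)


def filter_attempts(attempts):
    """Split (peer_ip, dest_port) attempts into (accepted, refused) lists."""
    accepted, refused = [], []
    for peer_ip, port in attempts:
        target = accepted if is_allowed_source(peer_ip) else refused
        target.append((peer_ip, port))
    return accepted, refused


def accept_lan_only(listening_sock: socket.socket):
    """Accept one connection and drop it immediately unless the peer is on
    the LAN.  Returns (conn, peer) when accepted, (None, peer) when refused,
    so the caller can log refused peers without ever talking to them."""
    conn, peer = listening_sock.accept()
    if not is_allowed_source(peer[0]):
        conn.close()
        return None, peer
    return conn, peer


# Constructed sample of connection attempts (not real log data): two LAN
# clients, a loopback client, and two Internet-side probes of the kind a
# NAT-exposed port attracts.
SAMPLE_ATTEMPTS = [
    ("192.168.1.20", 5900),
    ("203.0.113.9", 5900),
    ("::ffff:192.168.1.20", 5900),
    ("198.51.100.7", 49152),
    ("127.0.0.1", 5900),
]

if __name__ == "__main__":
    ok, bad = filter_attempts(SAMPLE_ATTEMPTS)
    print("accepted:", ok)
    print("refused: ", bad)
```

The check only looks at the peer address of an already-established TCP connection, so it keeps Internet-side probes out of the service even when the port is forwarded; it does nothing against a compromised router that sits on the LAN itself, which is exactly why the upstream device still has to be the first line of defence.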
Rick Murray (539) 13850 posts |
How do you do the dead-tree / Kindle book in Amazon? Does Lulu look after that for you? What software did you use to create the book? I ask because I have an idea of getting one of my stories together (you know, the one I’ve been working on since the late middle ages… ☺), but not really sure what the process is. I mean, it looks pretty easy to make a Kindle book (the Amazon guide is practically dummy-proof), but it’s the Kindle plus dead tree that I’m not so sure about. I also see two books by Clive K Semmens. Is that you? BTW, it’s £9.99 for the printed book in the UK. Were you aware that Amazon France is asking €21,42 for it? Yikes. It’s €16,82 in Germany and €19,43 in Spain and Italy, and only available as an ebook in Holland. <scratches head> |
Steve Pampling (1551) 8172 posts |
A contractor working for us had to have dealings with their support. His assertion that the three steps up the line manager he spoke to was guilty of the sin of Onan left a deep impression at our end and the ESR. Q. Starting letter or two for the company? |
Steve Pampling (1551) 8172 posts |
Look on the down side, that’s the old kit. I was one vote in three about the choice for the new.
Most of the high-profile players fit the bill. That said, in most cases the major failing is the staff setting them up and not being suitably paranoid, or just overly cocky. To go with the comments from Steffen, essentially you have to accept that if you need to enable a software firewall on your client device(s) you’ve basically screwed up on your other security.
So they say. No one else is as good, so they say. |
Rick Murray (539) 13850 posts |
Ah, so stuff was installed by this guy: http://i.imgur.com/tl5za8a.jpg
Turn of phrase? “Connect properly” should surely be “connect at all”?
Given the sector you work in, I trust stuff is encrypted before it gets kicked out to a cloud service (where the data is, arguably, completely out of your control). |
Steve Pampling (1551) 8172 posts |
Plug it in, the link light comes on. I can tell what the MAC of the device is and, for a PC-style device, what its NETBIOS name is if it was unwise enough to respond to the challenge. Traffic to the device – EAP challenge packets. Inbound dies at the port. Not “connecting at all” requires a physical barrier between them and the network switch in my book.
Ah the cloud servers. The place where our data is not. |