20-04-2006, 09:47 PM
Administrator
Join Date: Nov 2002
Posts: 6,061
Once and for all, you don't need a firewall!
In an attempt to flesh out my dismissal of the need for a separate third party firewall utility for Symbian OS, I thought a little testing was in order. I grabbed the nearest S60 phone (a Nokia 6630) at random, pointed at the Internet's leading port tester/prober and sat back and watched. How did Symbian OS do?
Read on in the full article.

20-04-2006, 10:38 PM
Founder / Chief
Join Date: Jul 2001
Location: Sussex
Posts: 5,810
I'm not so 100% convinced. I just did the same test with Windows XP with the Firewall turned off and it gave it the all clear... I'm fairly sure using a Firewall with Windows XP is recommended.
I thought part of the point of Firewalls was to control outgoing applications, i.e. control which applications can have Internet access.
I'm no expert on such things, but would the same not apply to a Symbian phone?
__________________
Remember: The search command is your friend.
Feedback wanted: PM, email or post with your suggestions, complaints, feedback.

20-04-2006, 11:08 PM
Registered User
Join Date: Apr 2006
Posts: 37
How did you test access to your phone? If you're using GPRS or 3G, chances are you're allocated an IPv6 address, and this is likely behind a NAT IPv6->IPv4 device. This effectively is an "incoming" firewall. It would have been better to "nmap" your phone's IP address, as this will also fingerprint the device to see if it really is SymbianOS answering nmap TCP, UDP or ICMP packets and not a NAT device in the middle.
In reply to Rafe's comment:
> I thought part of the point of Firewalls was to control outgoing applications, i.e. control which applications can have Internet access.
Not traditionally (i.e. in the UNIX world where firewalls were first invented). They are used for incoming access mainly, although these days in universities and elsewhere often outgoing port 25 (smtp) is firewalled off to stop viruses sending spam. PlatSec capabilities in v9.x or one-shot granting of capabilities is really the outgoing "firewall" for Symbian. If your application doesn't have the "NetworkServices" capability when signed, or the user doesn't allow access to the network via the GUI, then you won't be able to use the network from that particular application. ("This capability controls access to ... all IP transport protocols", PlatSec book page 223)
Last edited by jrmt; 20-04-2006 at 11:17 PM.
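jrmt's distinction above (a SYN that gets reset means nothing is listening and no filter is in the way; a SYN that gets no answer means something like a NAT box or firewall is dropping it) can be checked from another host on your own network. The following is an added example, not code from any poster; it uses ordinary connect() calls rather than raw SYN packets, and the names probe_tcp, exposure_summary and demo_listener are mine.

```python
import socket
import errno
from typing import Literal

State = Literal["open", "refused", "filtered"]

def probe_tcp(host: str, port: int, timeout: float = 2.0) -> State:
    """Classify one TCP port the way a SYN probe outcome would be read.

    - "open":     handshake completed, so something is listen()ing there
    - "refused":  the host answered with RST (nothing listening, no filter in between)
    - "filtered": no answer within the timeout, or ICMP unreachable; typical of a NAT
                  device or firewall silently dropping the packet
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as e:
        # Host/network unreachable is an ICMP-level rejection, treated as filtering.
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        s.close()

def exposure_summary(host: str, ports, timeout: float = 2.0) -> dict:
    """Probe each port and group the results by state."""
    summary = {"open": [], "refused": [], "filtered": []}
    for p in ports:
        summary[probe_tcp(host, p, timeout)].append(p)
    return summary

def demo_listener():
    """Constructed sample: a throwaway listener on 127.0.0.1 so the demo has one open port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv

if __name__ == "__main__":
    srv = demo_listener()
    listening = srv.getsockname()[1]
    # On a box with no servers, 23/25/80 come back "refused": the classic telnet/smtp/http
    # ports are closed but not filtered, exactly the default jrmt describes.
    print(exposure_summary("127.0.0.1", [listening, 23, 25, 80]))
    srv.close()
```

A result of all "refused" from a neighbour on the same WiFi means the device itself is rejecting connections; all "filtered" means something in front of it is, which is the distinction the thread is arguing about.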

20-04-2006, 11:17 PM
Super Moderator
Join Date: Aug 2004
Location: London, UK
Posts: 1,541
Surely most of the point here is that a phone isn't an IP based device, and doesn't have the same 65000 IP ports available to be hacked.
You can't telnet into a phone on port 23, you can't SMTP into it on port 25, you can't even try accessing it on port 80 UDP (an internet Ping) - how is a traditional firewall even worthwhile on a phone?

20-04-2006, 11:21 PM
Registered User
Join Date: Apr 2006
Posts: 37
Stu says:
> Surely most of the point here is that a phone isn't an IP based device, and doesn't have the same 65000 IP ports available to be hacked.
Absolutely it is. All 65535 ports are valid in SymbianOS, same as for any TCP/IP connected device. By default, I wouldn't expect anything to be listen()ing on any of them, so a SYN packet would get reset ("connection refused") by default.
> You can't telnet into a phone on port 23, you can't SMTP into it on port 25, you can't even try accessing it on port 80 UDP
There's no reason why you couldn't run a (small) webserver on port 80 on your phone. But whether you would have incoming network access to it via 3G/GPRS (e.g. because of NAT) is debatable. But SymbianOS supports running servers listening to the network, and is fully IP capable (both IPv6 and IPv4). No reason why a phone couldn't be part of a p2p network in future, if the data tariffs were low enough.
> 80 UDP (an internet Ping)
ping is ICMP, not UDP, and doesn't have port numbers associated with it. HTTP usually uses TCP port 80
Last edited by jrmt; 20-04-2006 at 11:26 PM.

20-04-2006, 11:27 PM
Founder / Chief
Join Date: Jul 2001
Location: Sussex
Posts: 5,810
Ah thanks for the information jrmt (and the scary network related TLAs!).
I can see Symbian 9 is a good thing from another security view point then... (although I guess this stuff has been around for a while for J2ME apps). So can anyone tell me if there would ever be a need for a Firewall?
With WiFi devices it is presumably possible to have a device that is connected a lot of the time? e.g. the Eseries connecting over WiFi to a VOIP PBX or similar. That said I've never quite understood why Windows was insecure and needed a firewall (I mean why would you be accepting anything incoming unless you explicitly needed to?). I do understand the need for it on some servers... although even then I would have thought it should be possible to secure things (i.e. limit which ports were accepting things / limit where things are coming from).
__________________
Remember: The search command is your friend.
Feedback wanted: PM, email or post with your suggestions, complaints, feedback.

21-04-2006, 04:56 AM
Registered User
Join Date: Oct 2003
Posts: 67
Quote:
Originally Posted by Rafe
That said I've never quite understood why Windows was insecure and needed a firewall (I mean why would you be accepting anything incoming unless you explicitly needed to?). I do understand the need for it on some servers... although even then I would have thought it should be possible to secure things (i.e. limit which ports were accepting things / limit where things are coming from).
Windows doesn't automatically allow all incoming connections. The problem is when it gets attacked and your PC gets infected without your knowing. Having a firewall and a virus scanner in place will reduce the problem.
There are also different types of firewalls. The type that most people use on their home computers is personal firewalls, which can filter either by ports or by application. To keep this on topic, an application that filters out unwanted calls or SMS can be called a firewall.
I work in a very large company with a lot of computers and smart phones, and I can tell you all you want about virus infections, on both computers and phones...

21-04-2006, 07:07 AM
Administrator
Join Date: Nov 2002
Posts: 6,061
{I just did the same test with Windows XP with the Firewall turned off and it gave it the all clear...}
Err... in that case you've got another security system in place. And if you really had turned your firewall off for a few minutes on an unprotected Windows system you'd now have half a dozen nasty worms sitting on your hard disk.
People, never EVER turn your Windows firewall off for any reason whatsoever. A typical online PC (or any other net device, including a smartphone) gets hit tens of thousands of times a day.
In response to the point that my GPRS smartphone might have been (unwittingly) behind a firewall within my network, that's true I guess, but the end result is the same - a firewall simply isn't needed on the mobile device.
Steve Litchfield

21-04-2006, 07:19 AM
Super Moderator
Join Date: Aug 2004
Location: London, UK
Posts: 1,541
Quote:
Originally Posted by jrmt
Absolutely it is. All 65535 ports are valid in SymbianOS, same as for any TCP/IP connected device. By default, I wouldn't expect anything to be listen()ing on any of them, so a SYN packet would get reset ("connection refused") by default.
Sorry, it was late, and my comment didn't come across as I meant it to. What I was alluding to is that *by default* a phone won't be set to listen on its IP ports - not unless you've got some form of server software installed (be that web server, smtp, telnet etc).
The point that in OS9 it is much harder to install an application without the user realising what it is, and even then, it will have to be Symbian Signed to be able to access any of the network functionality within the phone, almost renders a firewall obsolete before you even start to think about threats.
Quote:
Originally Posted by jrmt
ping is ICMP, not UDP, and doesn't have port numbers associated with it. HTTP usually uses TCP port 80
My bad, I meant ICMP

21-04-2006, 07:40 AM
Registered User
Join Date: Jun 2005
Location: Bognor Regis
Posts: 131
Quote:
Originally Posted by slitchfield
I grabbed the nearest S60 phone (a Nokia 6630) at random,
Why test an S60 phone and post the information on the S80 news forum?
Carl,
__________________
Waiting for the 9500i?

21-04-2006, 07:47 AM
Registered User
Join Date: Mar 2006
Location: Sweden
Posts: 55
Quote:
Originally Posted by stuclark
The point that in OS9 it is much harder to install an application without the user realising what it is, and even then, it will have to be Symbian Signed to be able to access any of the network functionality within the phone, almost renders a firewall obsolete before you even start to think about threats.
No, an app doesn't have to be Symbian Signed to be able to access network functionality. The user will get a warning when installing a self-signed app which uses network functionality, but that's it. I'm sure some network functionality requires Symbian Signing, but not all of it.

21-04-2006, 08:10 AM
Administrator
Join Date: Nov 2002
Posts: 6,061
{Why test an S60 phone and post the information on the S80 news forum?}
Because this discussion is, of course, totally relevant to the 9300 and 9500 as well.
Steve

21-04-2006, 08:33 AM
Registered User
Join Date: Apr 2005
Location: Hampshire, UK
Posts: 345
If you think the scare-mongering is bad now for GPRS & 3G connections, wait until the WiFi enhanced phones start to become available.
__________________
"We were somewhere around Barstow on the edge of the desert when the drugs began to take hold..."

21-04-2006, 10:23 AM
Founder / Chief
Join Date: Jul 2001
Location: Sussex
Posts: 5,810
FYI: The reason I was safe when turning off the Windows Firewall was because I was sitting behind a router that I think has NAT functionality / built in firewall.
Interesting that filtering SMS / calls might be considered a firewall. Clearly that might be useful for some people.
I suppose it is the same issue with anti-virus for Symbian OS 9 - peace of mind to have a complete system and not underestimate users' ability to muck things up!
__________________
Remember: The search command is your friend.
Feedback wanted: PM, email or post with your suggestions, complaints, feedback.

21-04-2006, 11:12 AM
Registered User
Join Date: Apr 2006
Posts: 37
> So can anyone tell me if there would ever be a need for a Firewall?
It's unlikely you'd need one, since a phone usually wouldn't be running listening servers, and your telco will probably NAT/firewall all 3G-derived IP addresses.
> With WiFi devices it is presumably possible to have a device that is connected a lot of the time? e.g. the Eseries connecting over WiFi to a VOIP PBX or similar.
With WiFi it's more of a risk. It would be quite fun to have an ssh process and mini-shell running on your phone (perhaps written in Python first, and C++ later?). Or an rsync-daemon, then you could sync files to/from your laptop over WiFi to your phone. Or how about a mini web-server running on your phone? That would be quite cool. It should be quite easy to write. There are lots of potential uses.
> That said I've never quite understood why Windows was insecure and needed a firewall (I mean why would you be accepting anything incoming unless you explicitly needed to?).
It's a combination of things. Firstly, Microsoft left too many servers running in the default install in Win2k. (I think WinXP SP2 turns off all servers unless configured). So you have Windows listening on ports 137, 138, 139 for SMB for sharing, and various RPC ports, etc. Secondly, if any of these have potential for buffer overflows (due to programmer error), then you can compromise the machine, and if running as admin, you own the machine. Microsoft is gradually learning that servers should be run with the least privilege possible. They also didn't audit the code sufficiently before release to spot potential buffer overflows, nor did they use safer C++ string classes for input which are bounds-checked.
It is possible to run machines safely without firewalls but you really only want to run one or two listening servers (e.g. just ssh and maybe Apache) and then keep the machine patched and updated regularly, etc.