Source: Arong online
If your network connection is frequently interrupted, this article will help you find the crux of the problem: check whether spyware is getting the better of your firewall.
Enterprises often ask me to help diagnose and solve Internet problems. After some checking, I often find that these problems are not really Internet security issues at all. Because today's corporate networks are so complex, and a fault can surface in many places, the real cause of a network problem is often the growing complexity of the network itself.
Early this month, a hospital that regularly consults me called and asked for some assistance. I had done other projects there, so I was very familiar with their network configuration and devices.
The hospital uses Check Point FireWall-1, a modular firewall platform. Depending on the network, it can provide protection that is well matched to your needs, or it can be more than you need.
The hospital also uses Websense Enterprise, an HTTP content filtering system that monitors and restricts which websites can be reached. Websense uses UFP (URL Filtering Protocol) to interact with FireWall-1's HTTP proxy (the HTTP Security Server).
A few weeks after the problem started, the hospital called me to help them solve a computer problem that was frustrating them greatly: intermittent failure of their network. The network would stop working properly during normal working hours (though not always). The problem sometimes occurred even when users accessed an internal website that does not pass through the FireWall-1 proxy.
At first, the description of the errors made the problem look like a DNS fault, but it was not. A more detailed description made us suspect a fault in the FireWall-1 HTTP proxy.
After reviewing the log file, we found that one particular website kept appearing in it over and over, and Websense had been rejecting access to that website. Yet for some reason it would also, at random, be treated as a permitted URL, and sometimes it did not appear in the log at all.
We finally found that the URL blocked by Websense was evidence of spyware transmitting information. The program had been running all day from half past seven, and other workstations showed similar entries in the log.
After further investigation, we concluded that a program called Wild Tangent Updater was responsible for all of these log entries. Wild Tangent Updater was trying to send information out, but failing, because FireWall-1 requires that all outbound HTTP requests be authenticated.
Both FireWall-1 and Websense were doing their jobs in this regard. So why were they also blocking legitimate websites?
Every network device that communicates over TCP has a finite limit on how many connections it can handle at once. TCP is a connection-oriented protocol, and each connection is represented by a socket.
Check Point FireWall-1 uses several separate proxy servers, which use TCP connections to handle communication between the intranet and the Internet. At the same time, FireWall-1 uses TCP to communicate with Websense to determine whether a given URL should be allowed through.
I suspected that Wild Tangent Updater was causing FireWall-1 or Websense to run out of TCP sockets, because sockets do not disappear immediately when a connection finishes.
My theory seemed to explain these problems well. After a quick Google search and a visit to phoneboy.com, I was convinced it was correct, so I raised the socket limits for FireWall-1 and Websense, which finally solved the problem.
Whether the cause is Wild Tangent Updater or some other unexpected program, a large number of firewall systems are susceptible to this type of problem. If you have a similar problem, check your firewall first: it may be that spyware is choking it.
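The two observations that led to the diagnosis above, a URL recurring in the filter log on a timer and a socket pool drained by those repeated connections, can be checked mechanically. The following is an added example, not code from the article or from Check Point or Websense; the log format, host names and URLs are constructed, and a real FireWall-1 or Websense log would need its own regular expression.

```python
# Added example, not from the article or from Check Point/Websense: triage a
# URL-filter log for spyware-style beaconing and estimate socket pressure.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: time, workstation, UFP verdict, URL. Real FireWall-1
# and Websense logs have their own layouts; adapt LINE_RE to yours.
SAMPLE_LOG = """\
07:30:02 ws-114 reject http://update.adware.test/ping
07:30:10 ws-207 reject http://update.adware.test/ping
07:30:15 ws-031 accept http://intranet.hospital.test/schedule
07:30:32 ws-114 reject http://update.adware.test/ping
07:30:40 ws-207 reject http://update.adware.test/ping
07:31:02 ws-114 reject http://update.adware.test/ping
07:31:10 ws-207 reject http://update.adware.test/ping
07:31:32 ws-114 accept http://update.adware.test/ping
07:32:02 ws-114 reject http://update.adware.test/ping
07:45:00 ws-031 accept http://www.example.org/
"""
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) (accept|reject) (\S+)$")

def parse(log):
    """Yield (time, host, verdict, url) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m[1], "%H:%M:%S"), m[2], m[3], m[4]

def find_beacons(log, min_hits=3, max_jitter=timedelta(seconds=5)):
    """Return {(host, url): hits} for pairs hit >= min_hits times at a near-
    constant interval: an updater on a timer, whatever the verdict was."""
    seen = defaultdict(list)
    for t, host, _verdict, url in parse(log):
        seen[(host, url)].append(t)
    beacons = {}
    for key, ts in seen.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        # min_hits >= 2 is tested first, so gaps is non-empty when max()/min() run
        if len(ts) >= max(min_hits, 2) and max(gaps) - min(gaps) <= max_jitter:
            beacons[key] = len(ts)
    return beacons

def peak_sockets(log, hold=timedelta(seconds=60)):
    """Most sockets held at once if each request, allowed or rejected, keeps
    its socket for `hold` after logging (as TIME_WAIT does); compare with the
    proxy's socket limit."""
    ts = sorted(t for t, *_ in parse(log))
    return max((sum(1 for u in ts[i:] if u - t < hold) for i, t in enumerate(ts)), default=0)
```

Note that the beacon detector keys on timing rather than on the verdict, which is what catches the case described above where the same URL is sometimes rejected and sometimes let through.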