[Original translation] Is spyware clogging your firewall?

Is spyware clogging your firewall?

(English source: http://techrepublic.com.com/5100-1009_11-5553653.html?tag=nl.e030)

by Jonathan Yarden
Translated by: endurer

Takeaway:
If you're troubleshooting intermittent network connectivity, spyware could be the culprit. Jonathan Yarden tells you how to check your firewall for spyware infection.


Organizations frequently ask me for assistance in diagnosing and resolving Internet problems. After a bit of detective work, I usually find that the problems are not really an Internet security issue. There's so much complexity in the corporate network these days, and so many places where a problem can occur, that simply identifying the true source of a networking problem is increasingly complex.

Earlier this month, a hospital that I periodically do some consulting for contacted me and asked for some assistance. Because I've worked there on other projects, I was already quite familiar with its network configuration and equipment.

This organization uses Check Point's FireWall-1, a modular firewall platform. Depending on your network, this can either be just what you need or overkill.

The company also uses Websense Enterprise, an HTTP content-filtering system that monitors and restricts Web sites. Websense interacts with the HTTP proxy on Firewall-1 (the HTTP Security Server) using the URL Filtering Protocol (UFP).

After weeks of trouble, the organization called me in to help solve one of the more frustrating computer problems: intermittent failure. During normal business hours--but not always--Web surfing didn't always work. The problem sometimes occurred even with accessing internal Web sites not proxied by Firewall-1.

At first, the description of the error sounded like a DNS failure, but this wasn't the case. Further details suggested a failure of the Firewall-1 HTTP proxy.

After reviewing the log files, we discovered that one particular Web site was repeatedly turning up in the logs, and Websense was consistently denying access to this Web site. But for some reason, it was also randomly dropping legitimate URLs as well--sometimes not even showing up in the log files.
(Translator's note by endurer: judging from what follows, these dropped URLs were caused by clogging.)

We finally discovered that the URL that Websense was blocking was evidence of a spyware program transmitting information. It began at 7:30 A.M. and continued throughout the day, and other workstations were also showing up in the logs.

After further investigation, we determined that a program called Wild Tangent Updater was responsible for all of the log entries. The Wild Tangent Updater was attempting to transmit usage information, but it was failing because outbound HTTP requests required authentication by Firewall-1.
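The pattern the author found in the logs (one destination repeatedly denied, from more than one workstation, while legitimate traffic is intermittently affected) is easy to surface automatically. The script below is an added example, not code from the article or from Check Point or Websense; it reads a constructed, simplified log format of the form `<time> <client-ip> <action> <url>` (real FireWall-1 and Websense logs have their own field layouts), and all hostnames and addresses in it are placeholders.

```python
"""Spot a single destination that dominates a firewall's denied-URL log.

Added example (not part of the original article). The log format below is a
constructed, simplified one: "<time> <client-ip> <action> <url>". Real
FireWall-1/Websense logs use their own field layouts.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample log lines; hosts and addresses are placeholders.
SAMPLE_LOG = """\
07:30:02 10.1.20.15 DENY http://updater.example-spyware.test/report?id=1
07:30:03 10.1.20.15 DENY http://updater.example-spyware.test/report?id=2
07:30:04 10.1.20.27 DENY http://updater.example-spyware.test/report?id=1
07:30:05 10.1.20.15 ALLOW http://intranet.example.test/index.html
07:30:06 10.1.20.15 DENY http://updater.example-spyware.test/report?id=3
07:30:07 10.1.20.44 ALLOW http://www.example.test/news
07:30:08 10.1.20.27 DENY http://updater.example-spyware.test/report?id=2
07:30:09 10.1.20.15 DENY http://updater.example-spyware.test/report?id=4
07:30:10 10.1.20.44 DENY http://ads.example.test/track
"""


def parse_log(text):
    """Yield (time, client, action, host) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        ts, client, action, url = parts
        host = urlsplit(url).hostname
        if host is None:
            continue
        yield ts, client, action.upper(), host


def denied_hosts(text):
    """Count DENY entries per destination host."""
    return Counter(host for _, _, action, host in parse_log(text)
                   if action == "DENY")


def clients_for_host(text, target_host):
    """Which internal clients keep hitting one denied host (the infected set)."""
    return Counter(client for _, client, action, host in parse_log(text)
                   if action == "DENY" and host == target_host)


def dominant_denied_host(text, min_share=0.5):
    """Return (host, share) if one host accounts for >= min_share of all
    denials, otherwise None. A single host owning most denials is the
    signature of a beaconing program rather than ordinary browsing."""
    counts = denied_hosts(text)
    total = sum(counts.values())
    if total == 0:
        return None
    host, n = counts.most_common(1)[0]
    share = n / total
    return (host, share) if share >= min_share else None


if __name__ == "__main__":
    hit = dominant_denied_host(SAMPLE_LOG)
    if hit:
        host, share = hit
        print(f"{host} accounts for {share:.0%} of denials")
        for client, n in clients_for_host(SAMPLE_LOG, host).most_common():
            print(f"  {client}: {n} denied requests")
```

Run against a day's export, `dominant_denied_host` flags the beaconing destination and `clients_for_host` gives the list of workstations to clean, which is the same two-step conclusion the author reached by reading the logs by hand.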

Firewall-1 and Websense were doing exactly what they should. So why were they also blocking legitimate Web sites?

All network-connected devices using TCP have limits to their ability to communicate. TCP is a connection-oriented protocol, and it uses a socket for communication.

Checkpoint Firewall-1 employs many individual proxy servers using TCP to handle communication from the internal network to and from the public Internet. Firewall-1 also uses TCP to communicate with Websense to determine whether to allow a URL.

I suspected that Wild Tangent Updater was causing either Firewall-1 or Websense to run out of TCP sockets. TCP sockets have timeouts, so they don't just disappear when you're finished with communication.

My theory seemed to explain the problems quite well. After a quick Google search and a visit to phoneboy.com, I felt that I was on the right track. So we increased the socket limits for Firewall-1 and Websense from their default values, and the problem went away.
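The mechanism behind the two preceding paragraphs (sockets linger after a request finishes, so a steady stream of short, failing spyware requests can fill a proxy's fixed socket table and starve legitimate users until the limit is raised) can be modelled directly. The simulation below is an added example, not from the article or from Check Point; its capacity, linger time and request rates are constructed to make the effect visible and are not FireWall-1 or Websense defaults.

```python
"""Model a proxy's finite socket table to show how one chatty program starves
legitimate requests, and why raising the socket limit relieves it.

Added example, not from the article. All numbers are constructed for
illustration and do not describe FireWall-1 or Websense defaults.
"""
from dataclasses import dataclass, field


@dataclass
class SocketTable:
    """A fixed number of socket slots; each stays occupied until its expiry."""
    capacity: int
    linger: float                              # seconds a slot lingers after the exchange ends
    expiry: list = field(default_factory=list)  # release times of occupied slots

    def _reap(self, now):
        """Free every slot whose linger period has passed."""
        self.expiry = [t for t in self.expiry if t > now]

    def open(self, now, duration):
        """Take a slot for a request lasting `duration`; False when the table is full."""
        self._reap(now)
        if len(self.expiry) >= self.capacity:
            return False
        self.expiry.append(now + duration + self.linger)
        return True


def simulate(capacity, linger, spyware_rate, legit_rate, seconds=600):
    """Return the fraction of legitimate requests refused for lack of a socket.

    spyware_rate and legit_rate are requests per second, spread evenly over
    each second and processed in time order. Spyware requests are short (they
    fail authentication at once) but each still holds a slot for `linger`
    seconds, exactly like a finished legitimate request.
    """
    events = []
    for s in range(seconds):
        events += [(s + i / spyware_rate, "spyware") for i in range(spyware_rate)]
        events += [(s + (i + 0.5) / legit_rate, "legit") for i in range(legit_rate)]
    events.sort()

    table = SocketTable(capacity, linger)
    refused = legit = 0
    for now, kind in events:
        duration = 0.05 if kind == "spyware" else 0.5
        admitted = table.open(now, duration)
        if kind == "legit":
            legit += 1
            if not admitted:
                refused += 1
    return refused / legit if legit else 0.0


if __name__ == "__main__":
    before = simulate(capacity=100, linger=60, spyware_rate=5, legit_rate=2)
    after = simulate(capacity=1000, linger=60, spyware_rate=5, legit_rate=2)
    print(f"legitimate requests refused: default limit {before:.0%}, raised limit {after:.0%}")
```

Whether a given legitimate request gets a slot depends on whether some lingering socket happens to expire just ahead of it, which is why the failures in the article looked intermittent rather than total; with the limit raised above the sustained number of lingering sockets (arrival rate times linger time), nothing is refused.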

Whether the Wild Tangent Updater caused the problem or merely precipitated it, there are certainly a lot of other firewall systems out there that could also experience this type of problem. If you're having similar difficulties, check your firewall: Spyware may be clogging it.


Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.
