This setup will pass all leaktests


budfox
April 5th, 2005, 05:37 PM
I have a simple setup that passed all leaktests listed here.

http://www.firewallleaktester.com/

The two programs that I used are
1. Netop Firewall
2. Process Guard

Very simple setup.

1. Netop
Go to Tools / Options and make sure that Enable DNS Auto resolve is unchecked.

2. XP
Go to Start / Run / "msconfig" / Services and uncheck DNS Client.

3. Process Guard
Go to the PROTECTION tab.
Click Add Application.
Add both iexplore.exe and firefox.exe.
Make sure that under the box "Protect this application from" [modification] is checked.
[reboot system]

One note. When running the leaktest against your system, allow PG to run the programs. If you get a popup from the firewall, click do not allow.

I like Netop firewall due to the fact that it is the only driver-centric firewall and in theory your system is protected during startup. More importantly, the only way to turn off the firewall is to uninstall and reboot system.

Diver
April 5th, 2005, 07:52 PM
I don't know what you mean by driver centric, but quite a few firewalls consist of a kernel level driver and a GUI to tell it what to do. Even Kerio 2.15 can be set up to block all traffic when the GUI is terminated.

Not to mention what I think of leak tests...

budfox
April 5th, 2005, 08:17 PM
Not to mention what you think of leaktests?? Why should I care what you think? This post is for people who do care about leaktests so take your 2 cents and ......guess you think you are immune to ever getting a trojan.

As for driver centric.. look it up. Here is a clue for you. Try NDIS driver. Kernel level firewalls will leave you open during startup. I love the people here who go on about kernel level firewalls...yawn.

Diver
April 5th, 2005, 08:29 PM
Well, if you ask why you should care about what I think, then you may as well ask why would anyone care about what you think.

budfox
April 5th, 2005, 08:33 PM
Wow, got me there. I will stop now. I have learned never argue with an xxxxx

word edited by request of a member, very uncalled for. Please refrain from using these kinds of words. bigc

bigc73542
April 5th, 2005, 08:41 PM
If the personal attacks keep on, this thread will be closed.

bigc

dog
April 5th, 2005, 08:44 PM
Hi BudFox, ;)

Welcome to Wilders' ;)

As Wilders' is a discussion forum, everyone is entitled to their opinions. Discussion and sharing knowledge is what it's all about, but let's keep it on an academic level, there isn't any need for any type of personal comments toward others.

I hope we can all discuss this subject in a civilized manner, based on fact, interpretation of facts, and opinions/merits of such.

I hope you will both enlighten us/share with us with your thoughts on the matter. There of course isn't a need to agree, but an academic debate/discussion, will serve to expand all of our knowledge.

So let's keep this friendly guys

Steve

EDIT: Sorry BigC ... I was in mid response, when you replied. No intention of stepping on your toes, my friend. ;)

bigc73542
April 5th, 2005, 08:51 PM
no problem on this end ;)

bigc

Arup
April 5th, 2005, 10:04 PM
I have setups with Kerio 2.15 and Sygate that will pass almost all leak tests thrown at it.

polaris
April 5th, 2005, 11:07 PM
-{ Quote: "I have setups with Kerio 2.15 and Sygate that will pass almost all leak tests thrown at it." }-

could you please tell me how the setups are?
many thanks

Arup
April 5th, 2005, 11:45 PM
Hi Polaris,

Combine Kerio+BZ rules with strict implementation of loopback proxy as well as specify ports of all programs that need to access the net. Combine that with Prevx, Winsonar or Antihook or PG free, and you have a leakproof Kerio. On its own without any other programs, Kerio stops TooLeaky and LeakTest and blocks PC Audit and WallBreaker as well. I don't use IE and any security conscious person shouldn't either, so I don't have any rule for it; this way, it has to ask every time it needs to access the net for some reason.

Best of all, my solutions listed above are all free.

As for driver centric firewall, don't wish to ruffle any feathers but Sygate free and pro have been offering that for quite a while as well as secure mode and password protection where no programs except DHCP are allowed while the system is loaded or the firewall is turned off. Unlike Kerio's reghack secure mode, Sygate's is superior due to its feature of allowing DHCP broadcasts for setups that need it.

shek
April 5th, 2005, 11:51 PM
Although Jetico firewall is still under development, it can pass almost all the leak tests already. I also tried Kerio 2.15 + Process Guard and they could pass too. Since the leak test (http://www.firewallleaktester.com/tests.htm) was done in October 2004, I believe some other FWs can also pass the tests now.

shek
April 6th, 2005, 12:05 AM
-{ Quote: "I dont' use IE and any security conscious person shouldn't' either." }-

Due to the compatibility problem with Firefox, many Chinese websites can only be browsed with IE and I have to stick with it. My choice is GreenBrowser, an IE-based web browser including a pop-up killer, with ActiveX and Java disabled. Besides that, I also use Script Defender. So I feel pretty safe when surfing online, but I do use FF if I go to some crack websites.

Notok
April 6th, 2005, 12:10 AM
Any driver is actually kernel mode, NDIS or otherwise.. a usermode firewall wouldn't be very effective. Most firewalls do run on a driver in 2k/XP.

As far as leaktests go, do you have something for the likes of WallBreaker and CopyCat, or do you just keep IE on "permit once" in PG? What about Firefox and other internet apps?

Arup
April 6th, 2005, 12:25 AM
Have you tried out Opera? I go to quite a lot of Chinese forums and it works nice there with the Chinese language fonts.

polaris
April 6th, 2005, 01:30 AM
Thank you very much Arup for the free advice...

Arup
April 6th, 2005, 02:45 AM
You are welcome, just forgot to add: if using Sygate, uncheck "act as server" for all the applications apart from the supplementary security software that I listed.

zfactor
April 6th, 2005, 03:36 AM
Almost all of the good firewalls can be set up to pass all the leak tests; it just takes some time, patience and learning the program. Most good firewalls can do this with work, some just take more than others. I am using Outpost right now and it will pass everything I throw at it, as did Kerio 4.1.3 once configured right.

Diver
April 6th, 2005, 08:34 AM
Arup-

Even if IE is effectively disabled, couldn't a rogue program launch the default browser and use it to send data outbound?

By the way, the Kerio reghack will get around the DHCP problem in most cases if Kerio is started from the startup folder, or if you are on a router and can set up your computer for static IP (local IP only; the router gets a dynamic IP from outside).

Chinese? I can't read a word of it.

Arup
April 6th, 2005, 08:48 AM
Good question Diver. So far, WB, TooLeaky and others only try and launch IE due to MS's implementation of using IE as gateway to the net for other programs. My default browser is Opera on my system but WB and others never try and launch that one.

I know about the Kerio reghack workaround, however have to admit that Sygate makes it far easier to implement.

shek
April 6th, 2005, 09:42 AM
-{ Quote: "Have you tried out Opera? I go to quite a lot of Chinese forums and it works nice there with the Chinese language fonts." }-
Opera is not totally free. Besides that, there are still lots of Chinese websites which don't follow W3C criteria. It's a little off topic. ;D

If people use WinXP SP2's ICF and KAV (real time protection with up-to-date extended database), what's the chance of getting infected and having a malware send out the user's personal info? I think it is very low and the extra benefit from a better FW, which passes the leak test, will be less than 1%, I guess.

Diver
April 6th, 2005, 09:50 AM
The deal with Kerio is it is a program that has not been developed for two years and the reghack is just that, a hack. There are other firewalls that shut down communications when the gui is not running such as 8Signs and Visnetic.

I just checked around here and links in help files do launch IE rather than my default browser, Firefox. And that is how windows works. So, if you don't mind having to give IE explicit permission every time it runs... Not to try and give you a hard time, but I would not want to have to do that myself.

Diver
April 6th, 2005, 10:02 AM
Shek-

I tend to agree with you on the 1% or less benefit of "leak proofing". It can even be argued that the additional user interaction required to set up and maintain advanced application controls interferes with the user's ability to correctly respond to really important browser or Java warnings such as "do you trust xxx toolbar".

I think the effort should be on prevention. Finding a leak is only detection after the fact. Other means of after the fact detection are programs like Tcpview, process monitors, looking at the hidden devices in device manager, checking start up entries or even a scan with an updated AV signature base.

However, I do notice you have a long list of security apps in your signature in order to cover that 1%. My setup is nearly the hypothetical one you mention. That is, a good AV and a traditional non application filtering firewall. Of course, I use Firefox to browse with Java off unless I need it, and run without administrative rights.

Arup
April 6th, 2005, 10:23 AM
Diver,

Since I never or hardly ever use IE, it doesn't really matter to me. True Kerio is 2 years old, but it has been polished and is now a very good and formidable resource light and free alternative to many.

TopperID
April 6th, 2005, 11:10 AM
The combination of Zone Alarm Pro and Process Guard will defeat all the leaktests cited - with the exception of WallBreaker. I don't know of any FW that will defeat WallBreaker, is Budfox telling us that Netop will?

Just wondering
April 6th, 2005, 11:19 AM
Shek ......How come you state this.

if people use winxp sp2's ICF and Kav (real time protection with up-to-date extended database), what's the chance to get infected and sent out user's personal info by a malware? I think it is very low and the extra benefit from a better FW, which pass the leak test, will be less than 1%, I guess.

And you run all these?

AntiVir Personal Edition + EScan toolkit Utility + Jetico Firewall + Process Guard 3.0 (free version) + MJ Registry Watcher + F-secure Anti-spyware ( from Shaw Secure)+ Script Defender

Just wondering
April 6th, 2005, 11:26 AM
Topper do you mean the 4th test of Wall breaker?

I'm not really sure what it does...Always acts the same no matter what I try.
I notice no modem flashes when I try it...does that mean I pass it.

The first 3 are a breeze with my FW

TopperID
April 6th, 2005, 11:58 AM
I'm just going by the results given here:- http://www.firewallleaktester.com/tests.htm

Plus the fact PG defeats all the ones ZAP fails on, save for WBreaker.

Just wondering
April 6th, 2005, 12:10 PM
When I test for leaks.....I let PG pass them first..so I'm testing the FW alone.

I use Netveda now....and have trialed most of the others.

Like I said....block first 3 tests no problems....I am just not sure what the fourth one means....when I test it...it just says a "task has been scheduled at" and lists the next minute.....but I see no flashes on my modem....when I do it. So I assume I pass the test...

shek
April 6th, 2005, 01:13 PM
just wondering-

I do run all the apps in my signature to cover that 1%. Although I know there is no big difference with a good AV plus a traditional FW, no app filter, I just feel better and I also try different security combinations all the time.

My hypothesis for that statement is the majority of the computer users in the world are novices to computer security. Maybe they are experts in other fields, but they don't know how to handle the pop-up warnings from advanced security apps such as Jetico and Process Guard. So using these apps will cost them more. For example their system might crash and they have to discuss with tech support for hours so that they could not finish their professional work. IMHO, a good AV and a traditional FW is enough for beginners. On the other hand, I am pretty sure that the people who visit forums like Wilders Security regularly are able to respond properly to the pop-up warnings. Of course, they could use whatever apps they like to.

Diver
April 6th, 2005, 01:38 PM
-{ Quote: "just wondering-

I do run all the apps in my signature to cover that 1%. Although I know there is no big difference with a good AV plus a traditional FW, no app filter, I just feel better and I also try different security combinations all the time.

My hypothesis for that statement is the majority of the computer users in the world are novices to computer security. Maybe they are experts in other fields, but they don't know how to handle the pop-up warnings from advanced security apps such as Jetico and Process Guard. So using these apps will cost them more. For example their system might crash and they have to discuss with tech support for hours so that they could not finish their professional work. IMHO, a good AV and a traditional FW is enough for beginners. On the other hand, I am pretty sure that the people who visit forums like Wilders Security regularly are able to respond properly to the pop-up warnings. Of course, they could use whatever apps they like to." }-

I have come to the point where I have to define a new term, "hobby computer security", as opposed to computer security in the normal sense of the word. Hobby computer security is when installing and testing computer security applications becomes an end in itself, on one's home computer, where little useful work actually gets done. Perhaps I can refine that definition later. Hobby computer security involves a lot of cutting edge stuff that is not ready for most users IMO. In that category I would have to include Process Guard, SSM and similar utilities, Jetico PF, Tiny PF and even some of the leaktest oriented optional features of products that are considered to be main stream like Zone Alarm.

Most of us have the freedom to put whatever we want (subject to budget restrictions) on our home PCs. However, I feel it is necessary to draw the line when folks act like all this advanced stuff is really necessary and start giving advice to clueless people who will be worse off with it, as shek noted. It's too bad more folks do not have that insight. I often get comments like "how could anyone serious about computer security not want application filtering". Those are people that concern me.

I am not too wild about the conclusions reached on the leaktest web site. Back in October it rated Look 'n' Stop as the top firewall. Anyone can check in the LnS support forum on this board and see just how many serious issues have been fixed (some in the form of beta drivers) since that time. It may be a decent firewall now, but I don't think it was then. The rating was based solely on one criterion that is not the only criterion for firewall performance. To me it is a perfect example of becoming enchanted with this leak test thing to the exclusion of all else. Just like the hunter who had the elephant centered in his telescopic sight, then a lion jumped out from the side and ate him. It never fails.

Arup
April 6th, 2005, 01:45 PM
The best protection comes from all the process blockers, Winsonar is a prime example, the online mode will not let any process execute, period unless that mode is disabled and the process is added to the trusted list. The best part is that unlike app bound firewalls, Winsonar can be shut off when not needed.

Just wondering
April 6th, 2005, 02:30 PM
Good response Shek.....Terse and to the point... you explained yourself well.

I see you felt no need to get on a pedestal and orate to the great unwashed
on the follies of our ways...and how stupid we are, for not following "HIS" one
true path for total bliss, world peace and computer security.

Diver
April 6th, 2005, 02:49 PM
I can get you total bliss, but it is expensive.

Just wondering
April 6th, 2005, 02:59 PM
Very good ...short and sweet......Plus ya gave me a good chuckle

Notok
April 6th, 2005, 03:15 PM
-{ Quote: "I can get you total bliss, but it is expensive." }-First time isn't free? ;D

Arup
April 6th, 2005, 09:44 PM
The best bliss is always free, never paid.

Kerodo
April 6th, 2005, 10:13 PM
There are many ways to pay...

cluessnewbie
April 8th, 2005, 09:21 AM
Great post Diver!!!!

budfox
April 8th, 2005, 07:12 PM
Yes, budfox is telling you that the setup I described will pass WallBreaker's tests no problem. CopyCat was an issue until I saw that PG wasn't protecting Firefox against modification. I passed every leaktest on the site in my original post.

As for the kernel mode..Netop installs a NDS driver which operates at ring zero. Since it operates here, the security is enabled before the network drivers are loaded. Also, since Netop uses a NDS driver, if the program is terminated, the driver remains, still protecting the system.

Diver
April 8th, 2005, 08:34 PM
That driver thing sounds like a good design to me. I can't knock the company as they have several well regarded networking products, including their Remote Control and School applications.

Notok
April 8th, 2005, 10:04 PM
-{ Quote: "driver which operates at ring zero" }-As do all drivers :)

-{ Quote: "Since it operates here, the security is enabled before the network drivers are loaded. Also, since Netop uses a NDS driver, if the program is terminated, the driver remains still protecting the system" }-Look 'n' Stop does this as well :) NetOp is undoubtedly a good firewall, and probably better than many, but almost all firewalls install as a network driver and filter the traffic before it reaches the TCP/IP stack.. without this a firewall would be pretty much useless since anything running in user mode can not access hardware without requesting service from a driver. Generally the interface that you see and use just allows you to change the rules set in the driver. Some firewalls will continue filtering after the UI terminates, others will allow all traffic to, I suspect, ensure compatibility; however I'm sure this will change at some point in the future. Without the UI, however, it will not alert you to new applications trying to connect, it will simply filter the traffic, which is why it is important to have a strong set of rules. You wouldn't want it to block all traffic because it would make users on networks unable to log on.

-{ Quote: "Yes, budfox is telling you that the setup I described will pass wallbreakers tests no problem" }-I got that it does, but was asking how. Does NetOp alert you when something new tries to start a trusted application to connect, or did you just use the workaround of only allowing IE to run (via PG) or connect (via NetOp) just once so it alerts you to it each time? PG and NetOp may both be powerful applications, but they won't do a person any good if they don't know how to use it. It would be helpful to other members of the forum if you detailed how you achieve this protection. Pretty much everyone is here to learn :)

luky13
April 11th, 2005, 11:07 AM
Hello all, wanted to hopefully jump in and clarify a couple of things - and I'm sure raise even more questions. BTW I am a tech with NetOp Desktop Firewall (NDF) and came across this great exchange about the product, "everyone is here to learn" and I've learned a lot already just reading this thread.

Driver-centric: OK, kind of a marketing term initially but really does mean something pretty unique :-) A lot of personal/desktop firewalls these days install both an NDIS and a TDI driver for traffic filtering, true; however, NDF not only monitors communication but can also prevent processes from launching - similar to Process Guard but not something most other desktop firewalls do. This is handled completely by the NetOp driver, so if you exit the GUI and stop the service your rule set still applies - hence, driver-centric. A lot of other firewalls (i.e. application-centric) stop filtering and open right up if the service is stopped or disabled on the system, so their NDIS driver does not stand alone, it requires the service to function properly.

You're right in that no GUI means no pop up alerts, no service with NDF means you can not receive policy updates from the central server, and then of course no driver means in this case no traffic filtering (disable the driver by unchecking the Danware Security checkbox in the LAN properties of the network adapter bindings).

NetOp will check processes twice according to a checksum, once when they try to execute and once when they attempt to communicate; however, to protect processes in memory from being altered or from dll and process injection attacks (like some of the leak tests mentioned), PG is the way to go cuz it monitors all processes all the time while in memory and NDF doesn't do that yet. The combination of both is pretty powerful stuff and as many of you have pointed out - it's all about taking the time to configure them.

Even with no driver the process firewall rules of Kill Program in NDF still apply; however the packet filtering part will finally be disabled, and of course no new rules can be created, so the firewall is locked down to the current rule set only until the service and GUI are restarted.

Also, process hijacking and process renaming fraud are prevented by NDF because it is aware of the parent process and identifies processes by their checksums, not their names. So if there is a deny communication on the parent process and an allow on the process that is launched, the more restrictive rule counts - I think this answers one of the posts earlier on in this thread.

More info on the NDF and the central Policy Server in the Evaluators Guide:
http://www.crossteccorp.com/support/resources/NDF3EvaluatorGuide.pdf

Hopefully this info has been useful, please comment at will but don't shoot to kill :-)

Al
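A toy model of the rule evaluation Al describes: processes are identified by the checksum of their bytes rather than their file name, the parent process is taken into account, and the more restrictive verdict wins. This is an added illustration, not NetOp's code or rule format; it generalizes the parent check to the whole ancestry and assumes default-deny for unknown checksums (both my assumptions), and the "executables" are constructed byte strings.

```python
"""Illustrative model of checksum-keyed, parent-aware process rules.

Assumptions (not NetOp's real design): verdicts are ALLOW/DENY, an
unknown checksum gets the default (DENY), and the whole parent chain is
walked rather than only the direct parent.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

ALLOW, DENY = "allow", "deny"


def checksum(image: bytes) -> str:
    """Identify an executable by a hash of its contents, never its name."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class Process:
    name: str                               # on-disk name (attacker-controlled)
    image: bytes                            # executable bytes the checksum covers
    parent: Optional["Process"] = None      # process that launched this one

    @property
    def digest(self) -> str:
        return checksum(self.image)


class RuleSet:
    """Rules keyed by checksum: digest -> {"execute": verdict, "communicate": verdict}."""

    def __init__(self, default: str = DENY):
        self.default = default
        self.rules: dict[str, dict[str, str]] = {}

    def add(self, image: bytes, execute: str, communicate: str) -> None:
        self.rules[checksum(image)] = {"execute": execute, "communicate": communicate}

    def own_verdict(self, proc: Process, action: str) -> str:
        """Verdict for this process alone; unknown checksums get the default."""
        return self.rules.get(proc.digest, {}).get(action, self.default)

    def verdict(self, proc: Process, action: str) -> str:
        """Walk the ancestry; a DENY anywhere in the chain is the final answer."""
        node = proc
        while node is not None:
            if self.own_verdict(node, action) == DENY:
                return DENY
            node = node.parent
        return ALLOW


def demo() -> dict[str, str]:
    """Three scenarios from the thread; returns the verdict for each."""
    # Constructed stand-ins for executables; real use would hash the files.
    explorer = b"EXPLORER-IMAGE"
    firefox = b"FIREFOX-IMAGE"
    rogue = b"ROGUE-IMAGE"

    rules = RuleSet()
    rules.add(explorer, execute=ALLOW, communicate=ALLOW)
    rules.add(firefox, execute=ALLOW, communicate=ALLOW)

    shell = Process("explorer.exe", explorer)
    # 1. Normal case: the user starts the browser from the shell.
    browser = Process("firefox.exe", firefox, parent=shell)
    # 2. Renaming fraud: rogue bytes named like the browser keep the rogue checksum.
    impostor = Process("firefox.exe", rogue, parent=shell)
    # 3. Hijack: an unknown rogue launches the genuine browser to phone home.
    launcher = Process("update.exe", rogue, parent=shell)
    hijacked = Process("firefox.exe", firefox, parent=launcher)

    return {
        "browser_from_shell": rules.verdict(browser, "communicate"),
        "renamed_rogue": rules.verdict(impostor, "execute"),
        "browser_from_rogue": rules.verdict(hijacked, "communicate"),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```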

Just wondering
April 11th, 2005, 11:29 AM
Thanks for dropping in Al.

Will it be okay....if I just shoot to scare?

Just a couple things.....No where on your site could I find the price.

Wouldn't it be a good marketing gimmick...to have the price easily found?

Another thing I noticed....You are asking a lot of personal sensitive info to register .....on an un-locked page.

luky13
April 11th, 2005, 01:09 PM
Well, here's the scoop. NetOp is developed by Danware Data A/S - Danish company and their site is www.netop.com but they've got distributors all over the world so price varies.

In the US if you're lookin' to buy NDF you would go to www.crossteccorp.com, prices listed here http://www.crossteccorp.com/buyit/index.html

BTW I forgot to make a mini-disclosure - the ideas presented in these posts are solely my own and not that of my company :-)

Had to say it!

Al

Just wondering
April 11th, 2005, 01:15 PM
Thanks for the quick reply

But what about the second part

Another thing I noticed....You are asking a lot of personal sensitive info to register for a trial.....on an un-locked page.

luky13
April 11th, 2005, 01:51 PM
Right, sorry.

Well the main difference with the NDF and the rest of the firewalls mentioned in this thread is that it's not really designed or marketed for the home/personal user (although I use it at home, as do many security savvy end users, and in its first few versions it did have a home/personal version that was not centrally managed). So most people that sign up for trials provide their company info, which is usually public knowledge, not their personal information. Nevertheless you make a valid point so I'll bring it up with the powers that be. Thanks.

Just wondering
April 11th, 2005, 02:06 PM
Good quick response again.....Glad you joined the forum, you should be a great
help to persons wishing to shed their "training wheels" to learn more of the mysteries of setting up a firewall.

ciril25
April 12th, 2005, 03:19 PM
luky13,
Danware should create 5 and 10 client packs for Home/Family/Personal users (with policy server). That would help to spread this great firewall. :-)

luky13
April 12th, 2005, 04:59 PM
Yeah, there may be a market plan to target the home user at some point but not sure, at least they kept the single license around... some vendors require an NDA just to test their product! Not sure what they've got to hide, but the NDF is up for the testing and the policy server doesn't require a dedicated server or SQL backend, so you can install it at home real simple like. I don't recommend installing the policy server on the same box as the NDF cuz some key features won't work. Anyway I hope to get around the forum more, great stuff on all kinds of products.

no13
April 17th, 2005, 02:06 AM
hey luky13...
is your nick some kind of hero worship?
admit it... you like me ;D;D

welcome aboard.
I hope you have some fun here ;D
---
don't mind the jokes... Just blame it on dog ;D

Diver
April 17th, 2005, 09:59 AM
lucky13-

Thank you for joining in. We all love it when developers or support persons add to this forum.

luky13
April 19th, 2005, 12:58 PM
No 13! Wassup with that! :o Just kidding, I can definitely take the heat so keep'em coming... the number 13 has been real good to me through the years so I can't knock it.

Wish I had more time to post replies but being a little biased on my desktop firewall preference (and swamped at work) I think I'll just read how you guys rip up every other vendor out there to shreds and let them defend themselves, it makes for some great fun ;D

no13
April 23rd, 2005, 01:12 AM
-{ Quote: "being a little biased on my desktop firewall preference" }-Everyone is ;D
-{ Quote: "(and swamped at work)" }- again... ;D
Awww.... you're just being too nice to us ;D;D;D

-{ Quote: "the number 13 has been real good to me through the years so I can't knock it." }- ;D;D;D Thanks!