Firewall with these features??

Discussion in 'other firewalls' started by jon_fl, Nov 5, 2004.

Thread Status:
Not open for further replies.
  1. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
In addition to the PS: but I do see a problem. Don’t leaks normally occur over www-http? And doesn’t software normally use http to retrieve updates also? So really application filtering here wouldn’t serve any purpose, unless it offers web content filtering, and there is much great standalone web content filtering software to choose from.

    Anyways, as everyone always says, that is my 2cents worth... ;)
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Since no firewall offers full application stateful inspection for all P2P protocols - Checkpoint's Firewall-1 only lists Fastrack, Morpheus and Gnutella, excluding Direct Connect, eDonkey (now the most popular), OverNet, Gnutella2 and BitTorrent - that seems rather an empty issue.
    Full stateful inspection provides no protection against malware that simulates legitimate application usage (e.g. wrapping its data in an HTTP POST command and sending it to remote port 80 to make it appear like a web browser). If you feel you are more secure without application filtering, then it is just you who is blinded.
    Phant0m,

    Assuming that you are addressing this comment at me (it's hard to tell with everyone else posting here :)), I'll provide three examples where application-based rules can be key to improving security:

    Blocking Web-Bugs in Email
    A common feature of spam emails is to include an HTML graphic link which causes most email clients to automatically retrieve the graphic from the server - this can allow the sender to confirm that the email has been read and inform them of the time and IP address of the PC used. This can be blocked by an application-filtering firewall by limiting email clients to email protocols only (POP3/IMAP and SMTP) and blocking any further access. A firewall not offering per-application rules could not block this traffic without affecting normal web-browsing.

    Enforcing Browser Proxy Usage
    A concern among proxy users (especially anonymising proxies) is the ability of a website to "trick" a browser using Java or Javascript into opening a direct connection to the site, bypassing the proxy. With per-application rules, the browser could be restricted to accessing the proxy only, preventing any such exploit.

    Partially Trusted Applications
    There are many applications with "phone home" features that may have security or privacy implications. One of these is Windows Media Player which sends usage data back to Microsoft. This can be handled by an application-specific rule for WMP blocking access to windowsmedia.com - but blocking this on a firewall without per-application rules would prevent access by any application to this site, which may be undesirable.
    Any unsolicited packets can be detected and filtered using network-level stateful inspection which virtually all personal firewalls already implement (and some include an attack/intrusion detection module to specifically catch malformed packets).

    Assuming that your "strong & true stateful packet-filtering system" means application-level stateful inspection (as defined previously - if you mean something else, then please provide a precise definition), the only benefit this would provide over network-level SPI is the ability to implement tighter rules for certain "awkward" applications (e.g. Microsoft NetMeeting) that use a wide range of ports. However since specific support has to be built-in for each protocol, many applications will not be covered at all especially with home-use and gaming protocols (Skype, GameSpy and ShoutCast being three examples not listed by CheckPoint). Hence my view is that the ability to set application-specific rules is of greater importance - and the leaktests available should give a good indication of how well firewalls implement this.
     
  3. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    I agree completely with P2K....
    A home user DOES NOT need protection from a hacker who is targeting a single system (in a general case, NOT when someone is obsessed with you)... A hacker will direct his energies ONLY at a place where he can derive profit for the time he spends, and a home user DOES NOT offer that kind of opportunity... not even to someone who's doing it for "educational" purposes, as a home system is supposed to be really weak anyway.
    Most hackers, thus, will attack commercial interests, from which they stand to gain much more. The home user needs protection from mass mailing worms, trojans, backdoors, malware that is "downloaded" from malformed webpages... some users need protection on their LAN neighbourhood (when the ISP is a local operator and distributes ISP services over a LAN)... protection is generally needed from apps "phoning home"... from other such arbitrary junk that just sits on a user's PC...
    Which is why I feel both Application Control and Content filtering are important...
     
  4. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    When it comes to the point where users start manipulating, twisting things around and attempting to poster things I obviously already know, it is time for me to stop right here and now.

    no13, you really must think you understand hackers and so on, could you write me a book please? Anyways I haven’t disagreed to the idea of Application-filtering (of applications accessing client&server environments, different than Application Control which controls every launched executable on the persons system) being beneficial to some. And I surely didn’t say web content filtering isn’t important, because it is.

    I know all advantages and disadvantages of different application-filtering based software firewalls, however I’ll choose a strong & true stateful packet-filtering system any day for my needs. I’m using it for home use, I run many varieties of p2p software 24/7, I surf sites that would make many people shiver. Though I do see some benefits of application-filtering based software firewalls too, I actually like Look ‘n’ Stop's application-filtering implementation and it works perfectly alongside my strong & stateful packet-filtering system.

    Anyways you can go play with newbs application-filtering based software firewalls, I’m not trying to stop you, and I never recommended anyone to switch anyways.

    As it is I spent too much time focused on the two topics; I have work to do, folks. Hope to have future discussions like these. ;)
     
  5. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Done: I haven't written these, I've read these, and the views I echo are theirs...
    Internet Cryptography by Richard E. Smith (it's relevant, read the part where he explains WHY crypto is important)
    A Hacker's Perspective : Network Security, by Ankit Fadia (he was called by the FBI, at age 16, post 2001 to investigate Bin L*den's use of Steganography as reported by TeenUSA, and he was responsible at the age of 14 for catching separatist militants' hacker groups from chat rooms, where they were planning to take down some websites...Indian websites I believe...He's now in Stanford U doing Comp. Sc. after releasing Book #3 I think)

    hmmm Note to self : must append to all posts... "free chocolates to sarcastic remarks, none for caustic"
     
  6. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    And this was totally uncalled for...
    I'm going to play with an old and NOT bs, but reputed firewall, viz., Tiny.
    Nice to hear from you... but there's no "twisting" or "bending" stuff here... Sorry if you were "enraged" into a personal attack, but please refrain from doing that again.

    'Nuff hijacking this thread....

    Obviously, we have strayed from the original question...



    I believe termination protection may be had if you use Process Guard or Sygate firewall
    A firewall with component control will help you in case of injection tricks (BlackICE does)
     
  7. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Let's keep on topic and not stray into anything that could be considered personal attacks.

    Regards,

    CrazyM
     
  8. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Hey jon_fl....
    you never replied with what you finally chose...
     
  9. jon_fl

    jon_fl Registered Member

    Joined:
    Sep 4, 2004
    Posts:
    242
    Well, lots of replies here. Right now I'm testing Outpost Pro 2.0. I've tried LNS. Like the fact that it's light on the resources. I had a problem uninstalling LNS with Total Uninstall. DON'T EVER DO IT!! I had to reinstall my OS. It's a long story. I have a thread in the LNS forum about it.
     
  10. Eldar

    Eldar Registered Member

    Joined:
    Jul 12, 2004
    Posts:
    2,126
    Location:
    Vilvoorde (Belgium)
    FYI: Current version of OutPost Pro is 2.5. ;)
     
    Last edited: Nov 19, 2004
  11. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    And I believe Outpost 2.5 is lighter than v2.0 on most configs. Try it.
     
  12. jon_fl

    jon_fl Registered Member

    Joined:
    Sep 4, 2004
    Posts:
    242
    Sorry, I meant Outpost Pro 2.5 ;)
     
  13. Pigitus

    Pigitus Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    97
    Location:
    USA
    Jon_fl,

    Did you find answers to your question in the meantime? Anything you want to share?
     
  14. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Just to add one more to the mix, the free (still beta quality) Jetico firewall also claims to protect from process attack tricks.
    -hojtsy-
     
  15. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    I don't think we like betas very well....
    uninstallation issues still there with Jetico.
    Try Tiny PF to really feel the power of LSD [liquid supply of demand]
    Another nice choice could be Securepoint's free firewall [kinda weird 'coz it catches MANY things I don't think anyone would call a connection attempt... anyways]
    more stuff.
    https://www.wilderssecurity.com/showthread.php?t=57655&page=1
     
  16. Hardfire

    Hardfire Guest

    Bottomline is ... any software application be it a firewall or an AV program is vulnerable ... Software (no matter how good) is still just lines of code ... and lines of code can be altered and manipulated given time to find a weakness (they all have them).

    If you really want to be protected then get a good hardware firewall ... nobody can inject anything into it ...nobody can shut it down and it doesn't develop a new security hole on a weekly basis.
     
  17. jas6e52

    jas6e52 Guest

    I agree.

    You're better off spending $40.00 on a hardware router than you are $40.00 on any software firewall - regardless of who makes it (Tiny, L&S, Outpost)
     
  18. Diver

    Diver Guest

    I would rather spend $40 on my bar tab and get a free firewall. Actually, it's a good idea to have both a NAT and a software firewall. And, if you have any ports forwarded in your NAT, then you are going to need a software firewall anyway. I have heard the same goes for AOL subscribers because AOL uses tunneling.
     
  19. ghost16825

    ghost16825 Guest

    I would just like to say I found this discussion interesting, even with the attacks back and forth. These posts are certainly food for thought anyway.

    Maybe they have been mentioned already. Here are some timely links:
    Firewall Evolution - Deep Packet Inspection
    http://www.securityfocus.com/infocus/1716
    The Perils of Deep Packet Inspection
    http://www.securityfocus.com/infocus/1817

    --
    Admin of the Kerio 2x-like open source project:
    http://sourceforge.net/projects/kerio/
    http://kerio.sourceforge.net/
     
  20. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    friendly banter... NOT attacks ;)

    WHY don't you sign up on WSF ghost ...err... dude?
    we'll love hearing the comments of another expert!
    BTW: what's your opinion INSIDE the discussion? :D
    WHEN can we see a download link for your GHOST firewall?
     
  21. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Any attempt to alter/hijack a software firewall requires in-depth code analysis and a patch specific to each firewall (each one would have to be analysed separately - and different versions may require separate patches). So while this is possible, it would require significant work and subsequent exploits would be limited to specific firewalls. Furthermore, such process manipulation could be intercepted and blocked using software like Process Guard or System Safety Monitor - these do offer other facilities for controlling program behaviour so are well worth using as a second line of defence on any system.
    No hardware firewall can offer application filtering (with the exception of Nvidia's firewall built into its nForce chipsets) which means that they could not distinguish between malware using "standard" ports to make its traffic appear legitimate (e.g. port 80 which is used for web traffic) and legitimate network access (e.g. by your browser when accessing a website). They certainly could not cope with more subtle exploits like DNSTester (which disguises its traffic as DNS requests). As such, while a hardware firewall can provide a good first line of defence (blocking unsolicited incoming traffic), it cannot filter outgoing traffic from a PC (except on a port basis) so cannot be relied upon to identify or block malware traffic. This has been discussed extensively already in this thread.
    If you want to argue between a choice of hardware or software firewall (pointless in my view since there are many free software ones available making their use a no-brainer in most circumstances), I would suggest you consider which exploit is the more likely:
    1. An attempt to bypass a software firewall which would:
      • Be limited to specific products and versions.
      • Require in-depth analysis of firewall code.
      • Could be blocked by process protection software (Tiny, which you mention in your post, includes process control so could not be modified unless you configured it improperly).
    2. An attempt to bypass a hardware firewall which would:
      • Work with all firewalls.
      • Require only basic understanding of common network protocols.
    I'd agree completely - hardware and software firewalls have complementary strengths (and weaknesses) so should be used together where possible. As for port forwarding, AOL subscribers may need to enable it to use the TopSpeed feature (which runs as a server on the PC) but such traffic should still be subject to some filtering.
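As an added illustration of the contrast drawn in posts 2 and 21 (not code from the thread or from any product it names), here is a small Python model that evaluates the same outbound connection attempts under a port-only policy, as a NAT router applies it, and under per-application rules of the kind Paranoid2000 describes. The process names, host names (all under .invalid), port sets and sample connections are constructed assumptions.

```python
"""Port-only filtering versus per-application filtering, modelled on the thread's examples."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    """An outbound connection attempt as a personal firewall would see it."""
    app: str       # image name of the process opening the connection
    dst_host: str  # destination host name (constructed sample values)
    dst_port: int  # destination TCP port


# Port-only policy, as a NAT router or hardware firewall would apply it:
# any process may reach these destination ports, nothing else is allowed.
PORT_ONLY_ALLOWED_PORTS = {25, 53, 80, 110, 143, 443, 8080}

# Per-application policy (constructed). Each entry lists what the named
# application may do; anything not matched by its entry is denied, and an
# application without an entry is denied outright.
APP_RULES = {
    # Mail client: mail protocols only, so an HTML web bug fetched over port 80 is blocked.
    "outlook.exe": {"ports": {25, 110, 143}},
    # Browser: may only talk to the configured proxy, so a direct connection is refused.
    "firefox.exe": {"ports": {8080}, "hosts": {"proxy.example.invalid"}},
    # Media player: anything except the vendor's usage-reporting domain.
    "wmplayer.exe": {"deny_hosts": {"windowsmedia.com"}},
}


def host_matches(host: str, pattern: str) -> bool:
    """True if host equals pattern or is a subdomain of it (case-insensitive)."""
    host, pattern = host.lower(), pattern.lower()
    return host == pattern or host.endswith("." + pattern)


def port_only_decision(conn: Connection) -> str:
    """Decision of a firewall that sees only ports, never the sending process."""
    return "allow" if conn.dst_port in PORT_ONLY_ALLOWED_PORTS else "deny"


def app_aware_decision(conn: Connection) -> str:
    """Decision of a firewall that ties each rule to the originating application."""
    rule = APP_RULES.get(conn.app.lower())
    if rule is None:
        return "deny"  # unknown application: default deny
    if any(host_matches(conn.dst_host, h) for h in rule.get("deny_hosts", ())):
        return "deny"
    if "ports" in rule and conn.dst_port not in rule["ports"]:
        return "deny"
    if "hosts" in rule and not any(host_matches(conn.dst_host, h) for h in rule["hosts"]):
        return "deny"
    return "allow"


def compare(conn: Connection) -> tuple:
    """(port-only decision, application-aware decision) for one connection."""
    return port_only_decision(conn), app_aware_decision(conn)


# Constructed sample traffic: the three cases from post 2, plus a process with
# no rule using a "standard" port, the case post 21 says a port filter cannot tell apart.
SAMPLE = [
    Connection("outlook.exe", "tracker.spam.invalid", 80),     # web bug in an HTML email
    Connection("outlook.exe", "mail.example.invalid", 110),    # normal POP3 fetch
    Connection("firefox.exe", "proxy.example.invalid", 8080),  # browser via its proxy
    Connection("firefox.exe", "leak-site.invalid", 80),        # script forcing a direct connection
    Connection("wmplayer.exe", "stats.windowsmedia.com", 80),  # phone-home
    Connection("wmplayer.exe", "stream.example.invalid", 80),  # legitimate streaming
    Connection("unlisted.exe", "host.example.invalid", 80),    # unknown process on port 80
]

if __name__ == "__main__":
    for c in SAMPLE:
        port_only, app_aware = compare(c)
        print(f"{c.app:13} {c.dst_host:25}:{c.dst_port:<5} port-only={port_only:5} app-aware={app_aware}")
```

Every sample passes the port-only policy because each uses an allowed port; only the application-aware policy separates the mail client's web bug, the browser's direct connection, the phone-home and the unlisted process from legitimate use of the same ports.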
     
  22. ghost16825

    ghost16825 Registered Member

    Joined:
    Feb 1, 2005
    Posts:
    84
    Frankly I think Phantom is confusing SPI with DPI. If he/she was talking about relying on DPI rather than rules-based firewalls with software application control and some SPI inclusion then his/her argument would seem more logical. (That is not to say that given a firewall which has DPI and one which doesn't the one with DPI should always be considered as 'safer' as seen by the Securityfocus article.)

    Here is another DPI link:
    It's a SANS webcast which I have not listened to. The included PDF is worth downloading however. (Sorry, you need to register; I would give you the direct link to the PDF but they have login problems at the moment or they don't like me.)
    http://www.sans.org/webcasts/show.php?webcastid=90474

    EDIT: The direct PDF using my login is https://www.sans.org/webcasts/acces...iUserid=723442&iSdate=20040707&pid=1351154200
    (not sure how long my pid or serial id will be valid for)

    The way I see it, because everyone wants an "all-in-one box" product, we are ending up with security products branching out into areas in which they were never meant to protect and hence outside their expertise. Take firewalls for instance. I think a "firewall" should only allow or deny network traffic, not act as an application sandbox or malware detection device. A firewall was never meant to act as an IDS. Nor an AV scanner or a vulnerability scanner. Or protect against SQL injection. Or content filtering. Yet more products with these features are being released under the term "firewall", and with them we get the problems associated with these other systems in one application/box. (See 'Perils of DPI' article).

    On the other hand we have malware/AV scanners branching into firewall territory. e.g. McAfee's VirusScan Enterprise has 'port blocking' rules which for example stop applications outside a whitelist from sending e-mail. (This move into firewall territory is perhaps quite a good thing, considering how poorly all AVs rate in heuristic detection or even up-to-date signature detection.)

    Taking these two trends into account I can foresee there being widespread conflicts between applications which at first seem to be completely independent from each other, and not just limited to security applications but anything with a security component. The most stable security program will be the one which uses a lower level driver AND/OR whichever is installed last.

    As for leaktests (aka scaretests) I do not worship them. Nor do I bow down and worship the firewall that claims to 'pass' all of them. The fact is, very few if any of these tests actually get traffic to pass through the firewall which the firewall cannot 'see'. What happens is the traffic is allowed because most firewalls have very limited user control over detailed parameters like port numbers or they use dll injection which is in the category of application sandboxing or application control. If the allowed user control is lacking, do we really expect any application that uses dll-injection to not allow traffic to any address any port for the trusted application?
    (Mind you, it would be correct to say that many producers of firewalls have simply created leaktest-specific fixes for the issues raised by leaktests not fixes that would prevent other malware from using the same or modified technique).

    It is in fact due to consumers believing the leaktest FUD that have caused firewall manufacturers to include basic allow/deny application sandboxing capabilities (eg KPF4) since they know they cannot account for every type of application-hopping technique. Yet when these same people find that the latest script-kiddie malware scripting technique for the Windows OS is not detected by their 'firewall' they want the manufacturers to do something about it still, even if they themselves have explicitly allowed the action in their rules.

    These people want application-sandboxing. Yet when a hefty behemoth like Tiny Personal Firewall comes along they do not want to configure it in detail. As a consequence we are back to point A, firewall manufacturers make decisions for us (e.g. ZA Free allows any port any address outbound for an allowed application). Many legitimate applications use dll-injection, so this protection is more likely to be lax rather than strict.

    Not for quite a while yet. At the moment I'm working on a detailed spec, which I hope to release shortly. I guess the next question is: "What application-sandbox features will you include?"
    The answer is that it will be optional, and similar to the Jetico's sandbox/process monitoring components but perhaps including less of them and rather broad controls.
     
    Last edited: Feb 1, 2005
  23. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Well what you think and what was the case is wrong, anyone to be confused between SPI and DPI surely wouldn’t know hell of a lot in regards to software security.
     
  24. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Edited: heck... this ain't my fight, is it?
     
    Last edited: Feb 2, 2005
  25. Diver

    Diver Guest

    OK, deep packet inspection is DPI. Never heard of it before this morning. I thought you guys were talking about dots per inch.

    IMO, integrated security applications can either be a good or a bad thing. If they do the job right on each aspect then the possibility of application conflicts should be eliminated and it may even require fewer resources, since some overlap in functions will be eliminated.

    Unfortunately, they do not do a good job on each aspect. Out of their area of expertise, probably. However, expertise can be hired. Many freeware authors eventually find jobs with major software vendors. The correct approach is to allow the various features to be turned off. With McAfee enterprise, port blocking rules can be disabled, but not the function (unless I missed it). The buffer overflow feature can be turned off. KAV's IDS can also be turned off. OTOH, Zone Alarm's integration with the Vet engine does nothing more than add a weak AV to a popular firewall.

    I took a brief look at Tiny PF, and found it to be incomprehensible. Like, I did not know where to start and suspected that I would totally screw it up. Using Kerio 2.15 around here, but testing Jetico PF as builds come out. Today's Jetico release seems pretty nice.

    Anyway, when Ghost gets the Kerio clone together, I bet it is going to be a really nice piece of software.

    What Ghost says about fixes being directed at the particular leak test exploits is something that I suspected, but do not have the expertise to prove.
     