All firewalls lack NDIS driver-no firewall is safe!!!

Hi, everybody.
Please, see this website:
It appears that it's true that firewalls really don't care about inbound protection:
http://www.rootkit.com/newsread.php?newsid=849

 

From this very website I gave you can download real rootkit samples-about 30 of them!!!
Why doesn't someone please use Virtual Machines to test Comodo 3.0, ZA Pro, Outpost Firewall Pro and all other HIPS+firewall programs against these rootkits?

 

You seem to draw some wrong conclusions from that article. First of all, all firewalls have inbound protection. There is no good or bad inbound protection - any method that stops a packet from reaching the port on your computer, according to a rule you specified can be used for inbound protection. The article you are talking about reffers to the situation when a rootkit/malware/etc. is already installed on your system. In that case no matter what method you use for inbound protection, it can be bypassed. But the main reason for inbound protection is to stop the bad software to reach your computer...
As for the title of the thread, it's true that no firewall is 100% safe, but if you will read the article carefully, then you will see that there are some firewalls using NDIS driver - so you should not spread wrong information.

 

I stumbled across the article a few days ago quoted in post 1 by CoolWebsearch looking for something else in Google - see http://blog.layeredsec.com/2008/03/truth-about-personal-firewalls.html

I thought it was interesting, but over my head when it comes to my understanding of firewalls.

 

The article says that it is theoretically possible to restore the fuctions most NDIS drivers hook in TCP/IP stack. But, to do it maliciouse code has to get into the kernel, and to prevent it there is HIPS. So until there is a POC it can be called groundless speculations.

As for NDIS control, I can say for sure at least OA does have it:
===log
[11:58:44] 564 Installing NDIS filter for:
[11:58:44] 564 \DEVICE\{F5ABDA96-5D25-45DA-91CE-BA58EEB887F7}
[11:58:44] 564 Address:
[11:58:44] 564 192.168.187.1;192.168.186.1
[11:58:44] 564 Installing NDIS filter for:
[11:58:44] 564 \DEVICE\{1ED37CD1-1AD2-47FB-BF47-9C4C301D4110}
[11:58:44] 564 Address:
[11:58:44] 564 192.168.2.1
===

 

Just because there is no proof of concept code available, that doesn't make it "groundless speculations". But it's true that in order to function, that form of unhooking needs kernel access, and HIPS usually stops that.

 

By groundless speculations I meant rather this line in the end of the post:

===
Cool, there is not any trouble to write some **** in the kernel space, we can make a DoS or even a code execution. I just don’t want to dig deeper, hope that will be done by one of my colleagues
===

 

Wow, I need to contact Kaspersky and see why they fake this entry in my Connection properties.

 

http://samspade.org/d/firewalls.html

Something I ran across, interesting read!

 

I'm not sure the author of the article knows something about how firewalls are made or about the way they are fuctioning. Quote: "So... what does a 'personal firewall' actually do? Well, effectively it listens on all the ports on your system." Or: "What it does do is break standard network applications".

 

why is so hard to provide exact software builds ?

i wonder why test old Comodo PF 2.4 and not last v3, ZA 6 ? isnt 7 latest ? Kerio 4.3? isn't latest Sunbelt PF 4.5? and so on ?

i mean it's quite easy to downplay products using obsolete builds or builds which were already abadoned as EOL (Tiny Firewall 6.5 unfinished,unfixed,abadoned) months ago

or not test some like Kaspersky mentioned above ^^^

oh well ...

p.s. i don't want to say TF 6.5 was bad , it was in many things far ahead of any product even today but lacks of finalizing and polishing the product and then CA takeover was 'dead end'

 

Hm,

I like this one:

MaD, reverse engineer and researcher

Reliable empirical social research...

Cheers

 

These articles make me wonder if all the add ons that firewalls have today is just a way to take up the slack in actual protection they really provide? Also I fear that I may install a third party firewall and actually have less protection than the built in Vista firewall, as far as inbound is concerned. Leak tests mean very little to me anyway.

 

Once a rogue driver is loaded it is game over for security ... All this article is talking about it abusing an existing program (in this case firewalls) to get around them. It is no different then saying how to hook a function to hide files/processes.