CHX-1

Adventurs in Firewalling.....

Some of you may notice that I have finally registered for Wilders.

I have CHX-1 up and running on my test machine. Very interesting. First thing I noticed is this baby does not have a service running. There is a driver somewhere, but no service. Over at the Device Manager, View, Show hidden devices, Non-Plug and Play Drivers, I found "CHX-1 filter Hook Driver".

By the way, if you never look in that non PnP driver list, you should. This is where some really nasty stuff can be found, like software keyloggers which tru to hide by not running a service.

It seems that all the examples in the documentation are for incomming filters.

I hope I understand this right, but an incomming filter set to allow, is only allowing incomming packets that is are responsonding to outgiong packets from my machine.

To allow unsolicited incomming packets, I had to set up a force allow incomming rule. For example, eMule requires a force allow incomming TCP on port 4662. Netbios required force allow from ports 137 and 138 to ports 137 and 138 with both local and remote addresses being my lan address range. And so on....

This seems to imply that any application on my machine can make outbound connections on any port to any remote port at any address.

Is this less secure than having a set of rules in 8Signs that allow all applications to make outbound connection on local ports 1024-5000 to remote ports 21,25,53,80-82,110,443,1024-65535 at any remote address?

Perhaps the answer is it is not less secure once you accept that you do not need application control. After all, most trojans are going to operate on these common services anyway.

Any thoughts from the firewall gurus?

 

OK, I think I figured out how to make CHX-1 behave more like 8Signs on the outbound side. I made a filter to allow outbound TCP for the usual stuff.

That is, local ports 1024-5000 out to 21, 80-82, 443, 1024-65535 and so forth.

Then I have a couple of force allow filters for any outbound TCP that needs some special treatment, like restricting port 139 to the trusted lan.

Similar strategy for UDP with special rules for DHCP, DNS etc.

 

This statement made me blink a few times...it is because of trojans using common ports that application control is needed. A firewall with application control can distinguish between Internet Explorer trying to send traffic to remote port 80 and StrangeNewApplication trying the same - and either block it or prompt you about this new program.

This feature is for many people the first indication that they have malware on their system and is why, in my view, firewalls like CHX-I and InJoy are suited for proxy servers and ICS gateways (where it is not possible to see the originating application on client machines anyway) - not end-user systems.

 

Just curious as to why the broad rule for 1024-65535 outbound for 8Signs?
It has been awhile since I looked at CHX-1 and whether it would need such a rule.

Regards,

CrazyM

 

Passive FTP perhaps?

 

Not required for 8Signs, the stateful inspection will dynamically allow the port used by the data connection.

Regards,

CrazyM

 

Hi Diver... Glad to see you finally reg'd with Wilders.

CHX-I runs as a Kernel Service. You can start and stop it in one of the menus if you need to.

As far as the rules go, it looks like you're figuring things out as you go, so that's good. You can set up rules for inbound and outbound traffic just like 8Signs. Takes a little getting used to at first, but it's fairly straightforward. The online docs are mandatory reading as you're finding out...

Once you get your rules set up, you might want to export them to a file. That way you don't have to go thru the hassle of setting them up again if you reinstall sometime.

All in all, it's the lightest on resources of all the firewalls/packet filters I've seen to date. Very nice...

I heard there is a version 3.0 in the works, perhaps coming out soon, so that'll be good to see too..

 

Passive FTP...

The range remote ports 1024-65535 on TCP outgoing is used for passive ftp, bittorent and eMule. I noticed on CHX-1 that this range is not necessary for passive ftp as I can check a passive ftp outging boox and it will allocate the ports. I don't know if this will work for bittorent or eMule, but I will test for it.

At the moment I have CHX-1 set up with most of the frequently used internet services (TCP outbound) in an "allow" rule. That blocks everything else, so I need a couple of "force allow" rules to take care of special situations like limiting port 25 to certain SMTP addresses.

I suppose I could run it without any outgoing rules. That would be like I mentioned in the first post. I think that is the equivalent of letting everything outbound which originates within the local machine. Is that right?

 

That's basically what I wound up doing. I allowed everything out and then used stateful inspection to control what was allowed in, along with a handful of force allow rules for inbound stuff. Very simple. But it worked for me...

I suppose some would say that's not much protection, but if you're not worried about what's running on your machine then it's all you need. Reminds me of just having a router and nothing else. I guess that's basically what it's like.

 

K-

I finally succeeded in getting CHX-1 going with both inbound and outbound rules. The hardest thing to work out was that I could not seem to open a server port for bittorrent while I could for eMule. It turns out that my outbond rules had the usual local ports 1024-5000 allowed out. eMule opens up 46xx inbound and bittorrent operates inbound in the 6881-6999 range. The inbound server ports needed outbound communication to work with these rules. Once an outbound port was opened up to match the inbound port for bittorrent it worked. But, it took me forever to realize that.

 

My conclusion is that CHX-1 is intended to function best without comprehensive outbound rules. This is because I can't find a single example or picture on their site showing anything but inbound rules and also because it was very difficult to deal with comprehensive outbound rules. Perhaps a typical outbound rule would be to reject a range of ports used for some service like IRC.

I found the logging to be a bit too complete. Either it is flooded with all sorts of stuff or it is off. There did not seem to be any obvious way to tailor the logged events to what I am interested in seeing.

So much for that one for now....

 

A pretty good observation - I might say.

From a server and/or multi-homed system's point of view, filtering outbound doesn't make any sense(e.g. on a gateway the egress acls are on the internal/service interface, hence they are inbound filters with respect to the internal interface).

The kernel driver is oblivious to the user mode space ( which app is doing what) so outbound filtering in the context of a packet filter is only useful in debugging network apps.

Our packet filter is just what its title implies: a tool to enforce network level acls. If you have a rule blocking incoming TCP dstPort 80 then we can tell our customers that any such traffic will be blocked. Unfortunately, we cannot do the same in the context of "outbound" activity by unequivocally matching a user mode app, parallel protocol and/or driver to an exact network activity. The lack of such control restricts us from offering a viable solution, hence no "app control". Security through obscurity has its advantages, but it is not our primary focus.

Logging options and implicitly what you'd want to sort is available by right clicking on the log file, select view and then your desired options. You can also customize the mmc console in author mode to include several instances of a log file displaying different filtered info.( Pretty much the regular mmc stuff admins are used to.)

Best Regards,

Stefan

 

Diver, sounds like maybe you like Jetico a little better eh?

I think if I do want app control then I'd probably choose something else, but if I'm not concerned with app control, and I want something like 8Signs or CHX-I, then I'd have to choose CHX-I. I liked the logging myself and found it pretty good and you can tailor it to your needs as Stefan mentioned above. But then again, your situation is probably different from mine.

I'm glad you tried it though... You can at least add it to your list of things you've done...

 

K-

Actually, I was not thinking about Jetico.

Stefan-

Thank you for the advice. I will have to give CHX-1 another try. I amhaving a blast trying out these programs. I can really see some great applications for CHX-1. It can be set up as a set it and forget it firewall.

Fact of the matter is, folks are making a lot of noise about advanced app control and sandboxing. With that kind of thing you are never done with the pop-ups. Some of the folks around here take for granted their technical knowledge and forget what everyone else does not know.

In fact, thanks for droping in Stefan. A word from those in the know is always helpful.

 

There are others with quite a bit of knowledge and experience (much more than I) who insist that app control is a complete waste of time and that malware or other programs can always get past any 3rd party firewall.

I personally don't see the great need for app control for my own situation...

 

K-

I am with you on app control. The AV and user awareness are supposed to take care of that.

Well, just for fun I put CHX-1 back on. All of 5 rules and it does everything. It seems to run faster than anything else, and the no entry in the task manager is really a hoot after listening to all this stuff about resources.

Per Stefan, I took another look at the log, and indeed it is possible to filter it down to something managable.

I have been fooling around with PC's since the Apple II came out. It cost a bunch back then and you were lucky to have 64K bytes of memory. The PC came along and 640k bytes was high cotton. then 1 mb, 8mb...and now some have a gig or more.

CHX-1 reminds me of the good old days when software got the job done with elegant minimalism. This firewall is the closest thing to not being there while it still does its thing.

 

Yep, it's a great one isn't it? I know what you mean by the minimalist stuff. CHX-I was the lightest thing I encountered. I even went one better and tried configuring IPSEC as a packet filter. Since it's part of Windows itself, I figured it would have even less of an impact on resources than CHX-I, if that's even possible...

IPSEC is pretty cool but the only thing about it is you can't prevent someone from using a source port of 80 and getting into your system to either scan ports or send TCP in. Reason is you have to allow remote 80 out and in at the same time for things to work since there's no stateful in IPSEC. Also, there's no logging, and you can't set up individual ICMP types, it's all or nothing for ICMP (if I remember right).

Here's a link if you're interested in playing with it though:

http://www.microsoft.com/serviceproviders/columns/using_ipsec.asp

I like CHX-I because of it's light footprint, great stateful inspection, good fragmented packet analysis, good logging, and ease of use. You can truly set it up and forget it, as you say. And the liberation you get from the lack of app control is somehow refreshing.. Some will scream at that I know... But the truth is, the best way to prevent programs from doing foul deeds is to not install and run them to begin with... and perhaps use something other than IE for your browser..

 

I started playing with computers around that time also I guess. The first one I got was a little Timex Sinclair with 16K of ram. Couldn't do much of anything with it except a little Basic. Then I got the first Compaq Portable with 2 floppies and got up to 640K of ram. No HD yet. Those were the days...

 

K-

I had one of those Compaq's too. The power supply burned out twice.

 

Yeah, I remember that was a problem... I think I paid $2500 for mine, if you can believe that. Prices in those days were really high.. Maybe they werent' the good old days after all..

 

Me too! Stefan has done an outstanding job I think in creating CHX-I! This packet filter is hard to beat, it is just so good all the way around. The lack of application control is a killer for most people I know. If you need it, at least there are programs such as LookNstop that are out there that can be added to control that aspect of things. For me I don't worry about it too much either since I am rarely ever downloading much of anything and if I do download something I am very careful about what it is and who its from. The most important thing I think is just having a very strong anti-virus in place along with many different anti-spyware programs and a little common sense goes a long ways too.

 

I agree totally with yea dukebluedevil.

There are numerous reasons to favour CHX-I Packet-filter, for instance it’s by far the strongest packet-filtering system I have ever seen for Windows platforms, it is freeware for home use and the support is currently excellent. And because it uses proper notions everything is a breeze to understand and work with, for my case anyways.

I favour CHX-I but I like 8Signs also though, it does have some nice features that CHX-I doesn’t yet have, but after I get some spare time on my hands I’ll be contacting Stefan again with some more suggestions, and also introduce Phant0m``s rule-sets for CHX-I and even 8Signs.

 

I think there is a lot less discussion of whether app control is necessary than there ought to be.

While I respect P2k's opinion, I find it difficult to imagine that I would ever be in a situation where a firewall pops up and says "malware.exe wants to conect to remote port 80" as my first warning.

I suppose it can happen because computer techs are constantly cleaning up systems with all sorts of AV's that even had up to date definitions.

Thre are many layers of security, The first and most important one is user awareness. It goes a long way.

Several other layers involve things going on outside the PC. Is the machine in a secure location? If not it needs password enabled access and possibly a lock on the case. Ever check for a hardware keylogger? These beasties actually get used and people have been caught and arrested for it. The results of this attack are a lot more devastating than some search redirector crapware.

How about your ISP/mail provider? Do they bolck ports 135 and 445? How about scanning mail for viruses? Spam filters?

Firewall inbound protection is the next layer. Without it you will be cooked by a worm or hacker in no time at all. IMO, this is what a firewall should do for you.

Next layer: a goood AV. IMO, your AV should be comprehensive enough to catch all malware without the need of an anti trojan scanner although I do keep adaware around. The only AV I personally trust to do that is KAV with extended bases. Possibly, McAfee enterprise is up to the job. Because it is passive, I also like spyware blaster.

Next layer: Dump IE for Firefox or Opera, dump outlook/OE for some other mail client (Eudora, Thunderbird, The Bat, Pegasus etc).

If you have done all of the above, you will not need application control. Once you begin to believe in app control, then you are going to want sandboxing because the leak test guys will put the fear that a trusted app will be hijacked to gain internet access. IMO, sandboxing to prevent firewall outbound "leaks" is about as far as you can go and it results in an annoyance factor itself. Yet, many act like it is the first line of defense.

Sandboxing never seems to be finished. It is totally unacceptable for a non technical user or work enviornment. That's right, stop everything and call IT to find out what to do with the popup. In fact, app control is not generally not used on individual workstations on large corporate networks. It is just not worth the trouble to set it up and maintain.

I believe what is going on is that many users want a completely automated goog proof approach that requires no awareness. They might as well use deep freeze. That sucker is used to protect PC's in libraries.

Back to CHX-1...

I noticed that I could make a rule:

deny, outbound, TCP, source port & addres:any, remote port:25, remote address: not {address range of my email SMTP server}

This limits outbound mail to a particular mail provider, who also happens to require authorization. It would require any trojan sending mail to use the same mail provider that I do. It is a limited form of protection, but it is available.

OTOH, I cant seem to find any reason to have restricted DNS and DHCP rules unless someone around here wants to tell me why.

By the way, Eudora (and several other mail clients) will let you turn off downloading of HTML graphics. The microsoft search phone home can be eliminated with a host file entry for sa.windows.com. Most of the bad behavior of Windows media player 8 have been eliminated in version 9, or just use Media player clasic. Don't forget, back doors and other remotely run malware require inbound commands to run which a firewall blocks without application control. There is a discussion of this on DSLR in a FAQ for the security forum. Anyway , those are several often cited advantages of app control.

I am almost out of here...will cross the Pacific tomorrow...

 

In my much earlier posts I were trying to put that point across, but obviously hinting around doesn’t get comprehended quickly around here…

From my own experiences I know common sense outwits Application filtering, and of all the time I been using Application filtering systems, not once did it ever popup informing me of something unwanted trying to access client&server environments. And from my observations on the Look ‘n’ Stop forums I don’t recall anyone posting about Look ‘n’ Stop detecting something like Trojans on their systems or Spyware of its own code.

However I still see the benefits with “basic” Application filtering like what Look ‘n’ Stop offers, and it is indeed quite powerful one at that, and it is good for restricting unnecessary communications to remote servers such as those for privacy leaks. And I do like to see and control what accesses server&client environments, while Look ‘n’ Stop really doesn’t offer much in away for server defining and controls like something ZoneAlarm has, Look ‘n’ Stop does inform when applications accesses server environments and offers blocking capabilities.

But that said I still don’t think people should act as if App-filtering is first line of defense, because it isn’t and I can understand why James Grant and other authors of only packet-filtering systems don’t favour the idea of implementing app-filtering capabilities due to the fact people get the wrong impression and become careless to where we should be focused most importantly. And pretty much as I been saying, and what I interpreted what Diver have said, a packet-filtering systems should be among the first to have up and running and being properly maintained for today’s activities threats or otherwise…

And that being said I favour strong & true stateful packet-filtering systems much, much more then what I do for Application-filtering systems.