Firewall Cocktails: Packet Filter + what

Discussion in 'other firewalls' started by Diver, Mar 12, 2005.

Thread Status:
Not open for further replies.
  1. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
  2. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    You could probably spend weeks on Tiny.. It's overkill for me...
     
  3. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    K-

    A man could get lost in there...
     
  4. yahoo

    yahoo Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    290
    Location:
    nowhere
    I have been trying Tiny 6.5 for a while now. It consumes less memory than Tiny 6.0 does on my computer. It sometimes just takes about 25M memory (physical + virtual). But when GUI is opened and some configurations done, it can take about 40M total on my computer. So I figure, once I have finished all the configurations and no longer need to open GUI so often, it will be quite easy on memory. This is one reason that I like Tiny 6.5 so far. Other firewalls take more than 25M memory easily with fewer things done.

    Yeah, setting up Tiny is tough. Although a lot is left to be desired, I have to admit that Tiny developers have done quite a good job of making things easier with the new Tiny 6.5 GUI design.

    I personally do not think that the security of TINY is really that necessary, as I do not use P2P or download questionable applications. There is little chance for my computer to get a virus or Trojan. Two reasons for me to use Tiny: 1) I do not want to always ask myself if my computer security is strong enough, as people are asking in the forum all the time :D 2) I am tired of trying all the security applications, for example, ProcessGuard, SSM, AbtrusionProtect, RegistryWatch and so on. They are good, but I just want to settle down on one thing and then take a rest :)
     
    Last edited: Mar 18, 2005
  5. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    At the moment my conclusion is to run a very good AV and a firewall without advanced application controls, like Kerio 2.15.

    This is based on my assessment of the actual risks as compared to the problems that I have encountered in using advanced application controls in a variety of firewall and non-firewall products.

    Ultimately the malware has to get onto your machine first. This is probably the largest of the bad assumptions of the folks who are going wild over the various leak tests.

    Consider the ways:

    1. If the PC is not in a secure area this presents many problems, not the least of which are the policies of the owner, who is usually the employer of the user. The most likely means of attack here will be a hardware keylogger. Fortunately I do not have this problem.

    2. I have not seen an infected email attachment in several years since the ISP's that I have been using started to scan their email, with lowly Symantec AV to boot. This also says a lot for those very paranoid individuals who continually lecture the rest of us that AV's are unreliable.

    3. Internet worms can be defeated with even the lowly SP2 firewall. Got $100 and have the time, there is Tiny 6.5.

    4. Drive-by downloads: although there have been periods of time when IE exploits allowed infection without any user action, things have been tightened up with SP-2. Besides, I browse with Firefox. While there may be an occasional exception, drive-by downloads require user action in the form of clicking on either an ActiveX box in IE or a Java box in FF. If you do not know how to say no to these things, how will you know how to say no when some malware causes your firewall to ask you to permit a connection to some hacker paradise?

    5. Downloading and running something from an unreliable source: Anyone who does not know the difference between downloading software from the site of a well known publisher and warez-are-us is in trouble. It is possible to research any program before you run it. You might find out that some of the mainstream download sites are adding spyware to open source software. Nonetheless, anyone who is clueless enough to install Kazaa or some free screensaver is not going to know how to respond to any security product with advanced program control. "Program inserts system wide hooks" might mean it is going fishing.

    Anyway, that is how I look at the cost/benefit equation here. Before you need a leak test you need something that wants to take a leak, that was new enough to pass a good AV, and that you somehow let onto the system.

    Consider this: If AVs required the constant user interaction that advanced application control requires (especially alerts for every new program that is run), how many folks would actually run AVs? Anyway, I am disappointed with the available solutions for dealing with the leak problem and not convinced that this kind of malware is that prevalent. It continues to amaze me just how many folks are fixated on this concept.

    It is fine to do anything you want if it is a hobby, but think about it before you give advice that no one but a computer hobbyist/geek can live with.
     
    Last edited: Mar 19, 2005
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Diver - I have to agree with you on some points.. I too don't really feel a heavy need for much of what for example Tiny has to offer, however, I am trying it now mostly because it's a challenge for me to figure out, and this is indeed just a hobby for me.

    I am a little concerned about using IE sometimes. I'm wondering if Tiny will actually protect me from some of the exploits that occur using IE. I'm not sure about this. I'm not really sure exactly what can happen using IE to be honest. Right now I'm using Firefox and like it. But I still do use IE frequently. That would probably be my only real concern here. I don't download and install the kind of crap that will eat my system and wreak havoc on it, so I'm not overly worried about that.

    For me, when I'm not experimenting, a basic firewall like Kerio, with a good AV, is probably enough. I love CHX-I and 8Signs, but I find that I do like to know when a program wants to connect out, so I prefer some app control nowadays.

    Meanwhile, Tiny 6.5 is a challenge to keep me busy for weeks in my spare time here. ;)
     
  7. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    K-

    Challenges are fine. I go for them myself. Trying to understand CHX-I is a blast. Hobby stuff is fine. I do it all the time. It is just when someone asks for advice about what to do in a production environment, and they get a hobby answer, that is not ok with me. It happens all over the internet in forums involving just about anything. We can all get so lost in our own beliefs that it becomes impossible to see reality as it exists for others. It also happens in life in general, except in real offline life there is body language, emotions, voice stress, and other visible attributes to warn the listener that the speaker is not coming from a useful place.

    Time to crash.
     
    Last edited: Mar 19, 2005
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Crashing is good... ;)
     
  9. yahoo

    yahoo Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    290
    Location:
    nowhere
    Diver -

    Agree with you. That is exactly the reason why I suggested Outpost Pro instead of Tiny to someone who is looking for a good firewall in another thread. In my previous post, I did point out that "I personally do not think that the security of TINY is really that necessary". Hopefully, you have not misunderstood me. By the way, I did not realize that you are asking for advice about what to do in a "production environment". I gave my response because I saw your post on Tiny 6.5. If I have responded with something that is not what you want, I am so sorry about that. It will NEVER happen to you again.

    The market target of TINY is net security professionals for a so called "production environment", isn't it? Well, there must be something wrong somewhere :cool:
     
    Last edited: Mar 19, 2005
  10. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    It is quite possible (though rare) for mainstream site downloads to have trojans without the site's knowledge (see the Outpost Pro with aol 9 broadband ok? thread for an example) so any downloading does pose at least a theoretical risk. Similarly, while most programs do not need to install hooks, some legitimate ones do. Therefore security measures like prompting before running any new programs or intercepting hook/service/driver installations need to be seen as a way of reducing, not eliminating, the risk of malware installation.

    Therefore good firewall leaktest performance should be seen as another option to reduce risk further - if a downloaded program tries to install hooks and makes a network connection to send data out, it should be worth closer scrutiny. In fact, the firewall can often give a better indication (by reporting the protocol/destination of connection attempts) of whether software is likely to be malware than process control software - an IRC connection to a domain like irc.warez.net should certainly set alarm bells ringing...
     
  11. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Yahoo-

    My comments were general in nature and not directed at you or the Outpost Firewall. I have not used Outpost enough to be able to judge its suitability in any given situation. I suspect that it has advanced application control, so the ability to turn that feature off for a user who would not benefit from it, is important.

    P2k-

    Additions to software coming from mainstream sites have mainly been limited to adware and what I would call low threat spyware. That would be software that at most reports your surfing habits.

    Everybody-

    And my point exactly is that in its current state, advanced application control involves so much user interaction that the user who can correctly respond to the numerous alerts already has the facility to avoid the rare item that slips past a good AV or AV/AT combo. The user who does not have that ability will not be able to correctly respond to advanced application control warnings, especially because they will receive so many of them for benign activity.

    For these reasons, presently available advanced application controls do not provide for the automated prevention of the installation of trojans. On a typical installation these products will produce far more false alarms than true alarms. I am no longer willing to accept the notion that a warning issued for benign activity (other than program xyz wants to connect to the internet) is anything but a false alarm. To say that the product is simply doing its job is only semantics and is an attempt to create a distinction without a difference.

    What the present crop of advanced application controls presents as is effectively a dumb filter that alerts on all activity of a certain type. It is roughly the equivalent of mounting a device at the front door of a bank that blurts out "potential bank robber" every time a customer younger than 80 walks in.

    At this time I believe simple application controls, that is, asking for permission for a connection on an application by application basis, do add an extra layer of security. The enhancements designed to pass the leak tests, which are mainly proof of concept, are not likely to help that much.

    There are a load of other firewall vulnerabilities these exploits do not address, including mouse/keyboard manipulation and termination. Some of these guardians need to be turned off to allow other applications to install, which would allow bundled malware to defeat them.
     