Firewalls that don't fully protect?

Discussion in 'other firewalls' started by Gullible Jones, Jun 19, 2014.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :). The first paper in that thread is quite similar to what you're testing, I believe.
     
  2. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Similar but much more thorough. I will try to go a bit further than I was originally planning - I will try Metasploit network attacks against the target netbook where possible. That way we can see if any of the open ports actually present a hazard.

    Edit: interesting that in the PDF article I linked, Windows 7 appears to recognize and block certain attacks without the knowledge of the personal firewall. That might indicate that third party firewalls for Windows are not as low-level as e.g. iptables on Linux, or pf on *BSD; i.e. that the kernel interacts with packets before they get to the firewall driver. Which would say good things about Windows; bad things about most firewalls; and very interesting things about how much Microsoft trusts firewall vendors...
     
    Last edited: Jun 21, 2014
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    They should have got a lot of criticism when it comes to how they tested Outpost. They tested Outpost in learning mode. Products in learning mode usually allow everything, and create a rule for it. They said they were only testing with the criteria defined by the computer magazine that paid for the test, but professional standards and ethics should have superseded any criteria defined by the magazine. IMO they should have refused to test Outpost in learning mode, and explained to the magazine why. It may, or may not have changed the test results. The point is that testing Outpost in learning mode is just asking for backlash instead of a response like, "thank you for letting us know about a weakness in our product", or even constructive criticism. I hope it was chalked up as a lesson learned regardless of the validity of the results.
     
  4. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Well the underlying theme/lesson here is that you should learn all your apps (not just FW's) as intimately as possible, and tweak them accordingly. In some cases it may not even be possible for them to provide the protection you'd want. I know that Comodo FW/D+ certainly doesn't come out of the box the way I want a FW to be. It took me about a dozen tweaks, and not just within the program itself, and a few rules (even blocking 2 of Comodo's own processes) to get all ports closed, no phoning home or listening in. It can be made to be very tight and granular but I couldn't in good conscience recommend it to another person I knew wouldn't be as diligent as I was.

    And I've been using it for so long now I don't know where other 3rd party FW's are at by comparison.

    I do remember that when trying out Windows 7 the integrated FW was about the ONLY thing I liked about the OS. Which surprised me based on comments I'd heard about it being a nightmare. I really liked it. The problem is the OS itself doesn't give you a chance to lock (any FW) down, as it's inherently designed/flawed to let things (like svchost) leak through them for internet connectivity. Aint nothin no FW can do about that.

    I have my XP FW locked on as well, and have to think it loads pretty early, before my Comodo FW would, and would block any of that theoretical stuff. But then, wouldn't my router already have taken care of it anyway? I don't really get it... or are they assuming people aren't using routers? I assume that everyone in here does.
     
  5. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    If you actually take the time to set the (tight) rules for your apps it becomes very quiet, and very effective though. I never hear a peep out of mine anymore. I'd never recommend it to the average user, or an impatient/OCD person though.
     
  6. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    219
    Why would a firewall whitelist inbound traffic during learning mode? I guess if it's like, this application needs to act as a server, but we're talking about allowing inbound traffic to Windows services which should have in-place protection rules by the firewall by default, otherwise what's the point? If you install the software on a school or work network and malicious traffic happens to hit you during the white-listing, what good is the firewall at all when the Windows one protects you from this stuff out of the gate?
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Gein, you have a good point there, but I'm not sure it's an excuse to test a firewall in Learning Mode. There are some cases where a network admin may need access to that machine remotely. I guess this test was meant for home users though. I do agree with you that Outpost should have some preset rules in place to protect common Windows services. If they are going to test in learning mode then they should also test with Outpost's protection enabled to see if there is any difference in protection. You would not test an AE against a virus while it is building its whitelist. I know that's an extreme example, but it's a similar concept. AV-Comparatives made themselves an easy target when testing a product in learning mode. I don't think the test even gave that information up front. I think the Outpost users found out when they watched the video, and were outraged. I'm behind a Netgear Prosecure UTM 25 myself so I have pretty good inbound protection. I use a software firewall mainly for outbound leak protection. Also, I don't think anyone on my own network as a home user is going to attack me lol
     
  8. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    219
    I'd like to see the test done without learning mode as well. I've just always thought it was silly to have it on by default during installation. IMO the defaults should be install -> white-list known applications, on first prompt inform user about learning mode and let them make the call.
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    On XP, the settings that determine when a firewall or HIPS starts are contained in the registry at
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    On mine, the start setting for SSM is zero while Kerio is one. Does Win 7 use the same arrangement? Can the time a firewall or HIPS starts be altered on Win 7 by manually editing these keys? Might be something worth exploring.
     
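    The Start value noone_particular refers to is the same scheme on Windows 7 (0 = boot, 1 = system, 2 = auto, 3 = manual, 4 = disabled), and among drivers with the same Start value the load order is set by the ServiceGroupOrder list. The PowerShell below is an added example, not code from this thread, that reads those values so you can compare when a firewall or HIPS driver loads; the service names in $ServiceNames are assumptions (the built-in Windows Firewall service and Base Filtering Engine), swap in your own product's driver and service names.

```powershell
# Added example: report when firewall/HIPS drivers and services load, from the
# registry keys discussed in the thread. Service names here are placeholders.
$ServiceNames = @('MpsSvc', 'BFE')   # assumed: Windows Firewall service, Base Filtering Engine

# Meaning of the Start value (same scheme on XP and Windows 7)
$StartMeaning = @{
    0 = 'Boot   (loaded by the boot loader, before the kernel)'
    1 = 'System (loaded during kernel initialisation)'
    2 = 'Auto   (started by the Service Control Manager after boot)'
    3 = 'Manual (started on demand)'
    4 = 'Disabled'
}
# Type value (low bits): 1 = kernel driver, 2 = file-system driver, 0x10/0x20 = Win32 service
$TypeMeaning = @{ 1 = 'Kernel driver'; 2 = 'File-system driver'; 16 = 'Win32 own process'; 32 = 'Win32 shared process' }

# Load-order groups: drivers with the same Start value load in this group order
$GroupOrder = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder').List

foreach ($name in $ServiceNames) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path $key)) { Write-Warning "$name not found under Services"; continue }
    $svc = Get-ItemProperty $key
    # Position in the group order list; lower means earlier among same-Start drivers
    $groupRank = if ($svc.Group) { [array]::IndexOf($GroupOrder, $svc.Group) } else { -1 }
    [pscustomobject]@{
        Service   = $name
        Type      = $TypeMeaning[[int]($svc.Type -band 0x3F)]
        Start     = $StartMeaning[[int]$svc.Start]
        Group     = $svc.Group
        GroupRank = $groupRank
        ImagePath = $svc.ImagePath
    }
}
```

Read-only comparison is the safe use of this: a boot-start (0) or system-start (1) kernel driver is in place before network services come up, whereas an auto-start (2) user-mode service is not, and changing Start values by hand can leave a driver unable to load or the system unable to boot.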
  10. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    @noone_particular,
    that's on XP-SP2, correct?
    Interesting proposal.

    @Gullible Jones,
    I've never used nmap, decided to learn a bit.
    Can you help check what I did and what came out & does it make sense? If not, why not?

    1. Setup:
    On XP computer running Mint v13, I installed nmap from the package manager.
    Using terminal I ran some of the nmap tests against a Win7 box on the same subnet and a non-Windows firewall (NetBios,SMB allowed with LAN computers)

    2. nmap commands I tried being mindful that linux stuff is case sensitive; three groups of switch results:
    -O, -sA, -sN require root privileges
    On Mint, I guess. How do I do that (I knew once, but forgot)? I know it starts with sudo - then what?
    -F, -sV, -A, -p[port], -p[port range] report host down, "blocking ping probes", after sending SYN packets to ports 80 and 443, no others (curious), which the firewall blocks.
    Even though NetBios allowed and Win7 is listening on ports 137-139 and 445, a test for 137-139 was detected as port scan. I guess no process running?
    -PN
    Finally something interesting happened - nmap sending SYN packets to ports all over the place, low, high and in between, all blocked.
    Also during the -PN test firewall blocked TCP packets related to 3 processes:
    from Mint's 49051 and 49052 related to services,
    from Mint's 46481 and 46491 related to svchost,
    from Mint's 49490 and 41489 related to system.
    How do you stop -PN thing on Mint? Exit terminal is the only way?

    Is that the sort of thing you were doing? What commands did YOU use?
    What have I learned from this experiment?

    If this belongs in the Linux thread, someone can move it please.

    edited- added "from Mint's"
     
    Last edited: Jul 13, 2014
  11. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    It appears to be the same for SP3 as well.
     
  12. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Yes, and the categories 1,2,3 on Win7 seem the same, but I know zilch about Win7
     
  13. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Yeah, that is useful info... thanks for that bro.
     