Good app control / outbound access / low resource FIREWALL ?

Discussion in 'other firewalls' started by halcyon, Nov 7, 2004.

Thread Status:
Not open for further replies.
  1. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    That definition pretty much sums up x-Wall... however it doesn't include protection against anything like DLL injection, etc. It and PG, however, make a good combination. x-Wall is rules based, but a lot of the extended stuff you have to set with Kerio 2 seems to be covered by x-Wall just in the way it's designed; for instance, DNS calls are treated just like any other network connection. Although the UI is kinda funky, it's pretty straightforward.

    I'd be interested in hearing what you think of it, if you decide to check it out... there are hardly any opinions on it out there. I'm a fan, though, of letting PG handle things like DLL injection, since outbound internet connections aren't the only reason malware uses that kind of attack.
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    While the term "application filtering" may suggest that a firewall works at application level (in terms of the OSI 7-layer network model), in reality it works more at transport level.

    Application filtering firewalls monitor the Windows Transport Device Interface (TDI) to check on what processes are allocated sockets by Windows. These sockets are mapped to network ports which are used to send and receive data (think of them as acting like a mailbox with Windows being the postman for an analogy of how they function).

    This TDI information is used to check which application has control of a specific port and therefore what action to take for traffic on that port. However since a number of exploits use the "run application X to call application Y to send data" technique, many firewalls are also including some form of Windows process monitoring to detect attempts by untrusted programs to invoke trusted ones (Internet Explorer being a favourite) for network access.

    Most firewalls do also implement a form of stateful filtering, but that topic is being discussed in another thread so need not be covered here also.
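    A toy model of the decision logic described in this post, added here as an illustration and not code from the thread or from any of the firewalls named in it: a socket table (what a TDI hook would observe) maps ports to owning processes, per-application rules give the verdict, and a walk up the parent chain flags the "untrusted program X invokes trusted program Y" pattern. All process names, PIDs, ports and rules are constructed for the example.

```python
# Added example (not from the thread): application-filtering decision model.
# The process tree, socket table and rules below are constructed; PIDs and
# image names are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    pid: int
    image: str
    parent: int  # PID of the process that started it (0 = none)


# Constructed tree: pid 600 (an unknown downloader) has launched iexplore.exe.
PROCESSES = {
    4: Process(4, "system", 0),
    400: Process(400, "explorer.exe", 4),
    500: Process(500, "iexplore.exe", 400),
    600: Process(600, "dl_helper.exe", 400),
    700: Process(700, "iexplore.exe", 600),
}
# Constructed socket table, as a TDI hook would see it: local port -> owner PID.
SOCKETS = {1053: 500, 1054: 600, 1055: 700}
# Per-application rules keyed by image name; anything unlisted is untrusted.
RULES = {"system": "allow", "explorer.exe": "allow", "iexplore.exe": "allow"}


def owner_of_port(port):
    """Map a local port back to the process that holds the socket."""
    pid = SOCKETS.get(port)
    return PROCESSES.get(pid) if pid is not None else None


def spawned_by_untrusted(proc):
    """True if any ancestor of proc has no allow rule (X-calls-Y pattern)."""
    seen, cur = set(), PROCESSES.get(proc.parent)
    while cur and cur.pid not in seen:
        seen.add(cur.pid)
        if RULES.get(cur.image) != "allow":
            return True
        cur = PROCESSES.get(cur.parent)
    return False


def verdict(port):
    """Decide what to do with traffic on a port from the owning process."""
    proc = owner_of_port(port)
    if proc is None:
        return "block: no owning process"
    if RULES.get(proc.image) != "allow":
        return f"flag: {proc.image} has no rule"
    if spawned_by_untrusted(proc):
        return f"flag: {proc.image} launched by untrusted parent"
    return f"allow: {proc.image}"
```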
     
  3. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    All this talk of layers and everyone has forgotten one ;) More often than not, when a system gets compromised it's a result of a failure in Layer 8. Once you educate and get this layer under control, your security policy, software/hardware choices included, gets much easier to define :)

    Regards,

    CrazyM
     

    Last edited: Nov 15, 2004
  4. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    To secure Layer 8, some nice guidelines are there in...
    "The Art of Deception" by Kevin Mitnick (written shortly after his jail term ended, I believe)
     
  5. Pollmaster

    Pollmaster Guest

    Does it need to make coffee for you too? :) I suspect the reason why Kerio 2 is so fast and uses so little resources is partly due to the fact it focuses only on packet filtering, if you want something that handles application control and whatnot, it's probably going to be heavier.
     
  6. Pollmaster

    Pollmaster Guest

    Sounds interesting, I might try it. So in your opinion there is no reason to use Kerio 2 over X-wall?
     
  7. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Sorry, no coffee.
    True. But if you've used it before, you'll know that it's configurable on a per-application basis. It's brutally nice, but it has some vulnerabilities and no *official* support, i.e. no patches... So most ppl are switching.
    I know this question ain't directed at me, but what the heck, it's a free forum... The only reason to use Kerio 2 over X-wall is if you feel comfy with its UI and want a hell lotta control... like I said... no official patches for vulnerabilities implies "bye bye".
    But since Notok has used x-wall, his opinion should carry more weight, I guess.
     
    Last edited: Nov 15, 2004
  8. Pollmaster

    Pollmaster Guest

    Sure. Most personal firewalls have that.

    But you talk about "catching outbound access variations" (leak tests?), which usually involves handling things like process spawning, OCX/DLL monitoring, memory injection and other geeky terms you have mentioned in other threads.

    I'm guessing by the time you add these, any firewall is going to be pretty heavy compared to Kerio or X-wall.

    Well, X-wall is not as popular, so I doubt it has been tested as much as Kerio though. But why don't you try it and tell me what you think?
     
  9. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Tried it. Mucked up my system BAAAD. Ditto for LnS and Jetico. I want HEAVY DUTY app control (I have a separate thread for that) and hence I have Tiny... There are other things that need mentioning, which are going on in other threads (and I'm too lazy to repeat).
     
  10. Pollmaster

    Pollmaster Guest

    Your system sounds very unstable. I've trialled a couple of firewalls, with no problems at all.

    Which seems to imply heavy duty resource use yes? To expect something to run as light as Kerio and do everything you want seems to be asking for a miracle.

    I've read them already.
     
  11. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    I've trialled over 15 different firewalls in the past 3 years, including Kerio v4 (which I currently use) and ZA 5 various builds... all said to be highly unstable... no problems with them here, sir.
    To both parts of this quote: Not quite....
    It's not necessary that a firewall be of heavy resource usage (SSM seems to work fine as app control if you're happy having another firewall control the network packets; I think Mercurie has this setup with 8Signs SPI firewall). LnS and x-wall seem to fit the bill from most user reviews as far as a unified firewall is concerned. Haven't seen them. No comments 'xept install/uninstall troubles.
    The firewall (or anything else for that matter) one uses must fit one's requirements. It appears that Paranoid2000 and I have similar concerns for firewalls... but he prefers Outpost while I choose Tiny... you see?
    PERSONAL PREFERENCE, EXPERTISE and COMPATIBILITY with your other software (as far as I'm concerned) are as much a concern as the potential and capability of a piece of software. So if Tiny doesn't work out, I'll go to Outpost, then I'll see about Sygate.... and so on.
    If person X hates Kerio's UI, you can't convince him to take Kerio... as simple as that. Just like Photoshop vs. CorelDraw vs. PaintShopPro... you use what you are comfortable with...
    just my USD 0.02
     
  12. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    You cannot compare them, no13. Tiny is not only a firewall.

    quite confusing if you ask me :D

    exactly... :)
     
  13. Pollmaster

    Pollmaster Guest

    My observation is that the system becomes unstable AFTER you install ZA :) . Normally firewalls can be unstable, but they won't trash your system if you survive the install process.

    SSM integrated into Kerio 2 would be heavier than Kerio alone. See Kerio 4 for a failed attempt.

    Why do you feel the need to say this? I'm sure everyone agrees.
     
  14. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I fully agree :)
     
  15. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Very droll, CrazyM... :)

    I guess for "stateful inspection" at this level, you'd suggest an EEG along with shock treatment for application control (running P2P again? Bad user! *Bzzzt*!).
     
  16. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,072
    Location:
    Texas
    Corporate orientated but a good read.

    PDF FILE
     
  17. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    Kerio is light.

    L'n'S is light.

    Jetico is light.

    They all have an increasing amount of application network control built into them.

    So the theory about a fw necessarily becoming heavy as app control is improved isn't true.

    Coffee machine jokes are old, and are bad sarcasm and not an effort to help others.

    I'd really appreciate advice, rather than arguing against or trying to make a mockery of others' opinions.

    I thank you all for replying. Still Pollmaster's arguments are just trying to prove his opinions without giving any specific help or advice. That isn't helping me at all.

    And I'm afraid his opinion on a system not being hosed by a firewall is also wrong in my case. I just did that with Jetico (and so have other people).

    So please, let's stick to the subject and stop proving your own pet opinions right. Take it to another thread, please :)

    best regards,

    halcyon

    PS Against my common sense I'm now trying out L'n'S 2.5p2 with d1 built sys driver. Looks ok, but it's too early for me to tell. Takes time to learn how the filtering works in this...
     
  18. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Sooner or later (most likely later) someone will program a firewall in pure ASM with all the features of Tiny. When that day comes I will **** my pants.

    Until then I will use way more than one program to suit my security needs.
     
  19. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    THIS IS THE FUNNIEST THING I'VE READ THUS FAR

    :D :D

    YIEEHAAAAA
     
  20. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    btw, I hope I will never see you in real time when you are extremely excited...lol
     
  21. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Lotta traffic this way and that on this thread.....
    nope........
    currently : Kerio
    future : Tiny

    PS: What kind of resources does Kerio use (memory, virtual memory and average CPU when under medium load)?
     
  22. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Does Kerio run off of floppy disk too? I always like my firewalls running off floppy; it stays well protected against malicious attempts. :D
     
  23. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    That is probably 'cause you are infected or something...

    :)
     
  24. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Yea... I'm Infected with Microsoft :D
     
  25. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    :D damn nice one, Phantom.
     