Jetico 2.0.1.5 Released

Hi! Just in case...

18-February-2008 | v.2.0.1.5.

Changelog:

Short filenames problem fixed.
"Clone table" problem fixed.
Dutch translation updated.
Seamonkey detection added.

Greetings

 

I am currently looking for some feedback concerning the "Indirect access" within Jetico2. Mainly on possible understanding (or do not understand) from users on this,.. or those that simply bypass this.

TIA,

 

I don't fully understand how it all works, especially the "Indirect relativeness" alerts which are quite vague to me. However, I feel confident in J2's ability to alert on anything that tries to escape its steely gaze. In fact, so confident that I uninstalled System Safety Monitor, re-enabled J2's Indirect access, Process attack filter and Checksum filter, and mitigated Nod32 2.7 to on-demand only, except for email checking and use Sandboxie for surfing.

This on a LUA (to some extent using a power user account) affords me what I feel is a light (we all like to talk about this ) yet powerful security arsenal.

As for its level of SPI, I'd really like to see some expert opinion on that, but based on my observations of the logs, the number of "Block all not processed protocol packets" entries seems to lend credence to J2 being very strong in this area too, though perhaps I'm wrong.

 

I thought you where relativly happy with explanation given on the "Jetico forum?"

I still prefer to actually know what interception is made. The indirect access is grouped, so that users will simply allow all indirect access based mainly on some concept that they are related due to parent.
For simple example. I see alerts from Jetico, that FF wants to "indirect" FF. But allowing this then gives the possibility of FF making internal attacks etc against other system process (Think about it)

For UDP/ ICMP there is no implimentation. This as been confirmed from Jetico. As for TCP, this was also put forward as not changed from V1. So I do ask why anyone would want to upgrade from V1 to V2.
I do have full license for V2, this expires in less than 2 months, but I do feel I am still beta testing this firewall due to undocumented changes in interception.
As for ARP,.. well, this still needs user rules to filter a reply

 

Happy enough as your explanation made things clearer I just can't claim to have expert understanding of it but enough to make an educated decision when the alerts occur.

True and I was answering alerts that way in the beginning, but have recently created rules - for the most part - based on individual "Individual access" alerts, though I do have some "Application groups" that are tied to some of these rules that are a little more liberal than others. However, these are known, trusted apps so I do not feel the absolute need to restrict them quite as much as some other processes such as rundlll32.exe, svchost.exe, explorer.exe and some others. Besides, the checksum filtering will alert on anything that changes or tries to disguise itself as one of the known applications. I like the groups option as it helps keep rules a little tidier.

Anyone seriously wanting to use this firewall and use it properly does have to spend considerable time and mental effort trying to figure it out. It's not a point and click firewall so it is important to read the manual, maybe several times over like I did because my memory sucks, in order to use the product to its full potential.

I'm more comfortable using ver 2.

Nail does not seem to like saying too much in the forums, but I feel he is doing an excellent job developing the product.

 

Hi wat0114,

Many thanks for your feedback. Very honest and to point.

I would personally like more direct info from Nail/vendor. As at the moment, I admit, I am having to test each release, as I have found that each version gives different alerts to "Indirect" (this based on installation on same VM).

@: More feedback from others please.

 

The Indirect Access is buggy in that Blocked (Rejected) Services will overwhelm Jetico with repeat requests and prevent access to Internet.

I finally figured out what was going on and turned off those Blocked Services with Administrative Tools in the Control Panel- a roundabout way to "end of problem".

 

Can I install this upgrade "over" 2.0.1.4 OR do I need to uninstall 2.0.1.4 first?

 

Hello.

Not much of a feedback from me as I have "indirect access" table in Jetico disabled for a few months already, together with "process attack" and "hash checking". I have noticed that SSM uses a bit less CPU cycles when processing these events so I am using it for now. I use Jetico mainly as a packet filter but also to control net access for applications. SSM deals with all inter-process activities.
I have used "groups" for a few days, but I quit as I don't like to generalize the rules. I prefer to filter each app/address separately.

I can only state my personal reasons. Jetico 1 is no longer developed and it is a stable product. Jetico is one of few firewalls I really like so I am using v2 just to monitor its progress. I do not conduct extensive firewall tests and the best way for me to check the firewall is to use it every day. I am not overly concerned with security, hell I could even go with NAT only, but as I said I am simply using it because I like it. I am just not very impressed with response from the developers, I think this company is more into encryption than networking Lately I've been thinking to switch to InJoy for a while, to see how it goes. I am aware that I may have to build a gateway to put it on though.

While the general recommendation for all apps is to uninstall the old one first, you can install new Jetico build over the old one. Backup your ruleset just in case Jetico screwed something with this build, shutdown firewall and do an upgrade. I have done this with a couple of last builds. Never had problems.

Cheers,

 

You can install onto a normal home PC. It is just a case that it can act as a gateway (nat, dhcp server etc)

 

I hear you Stem. I have briefly used version 3 a few months ago but since I am behind a router I quickly realized that I would have to devise a totally different network setup in order to fully utilize this filter. imho, it is a waste of InJoy to use it behind a NAT. My router does not have a firewall and moreover it does not support "true" DMZ (which I use quite often) so I thought why not make a gateway of my own and put a firewall of my choice on it instead of bying a new router? I can think of several advantages to this approach, and it is not just security aspect that counts. There is also a fair amount of knowledge to be gained from this as I have never done anything similar.
This is why I said "I have to" build a gateway, but I actually meant "I want to" build a gateway.
I have now wandered too far OT so I'll stop.

Cheers,

 

...x64 and start early as service, perhaps.

You're right for ARP and lack of documentation/implementation details. I can understand how it can become difficult to manage complex programming AND provide good manuals simultaneously, but it has to go together once decision is made to make both user controllable AND finely granular software (no automation/dumification). All other is not exactly recipe for success.

 

I can understand some lack of documentation, even some lack in change log from one version to another. But,...

I (personally) need to understand what an application on my system is doing, not only from my own point of view, but from a possible need to give support (help others)

As example:

Latest release of Jetico2

Attack table "send message to another application":

That for me is simple, but from tests/checks, this is only interception on certain windows messages. Yes, I can understand that, as if all messages where intercepted, then there would be many (maybe too many for user) interceptions, and therefore more popups, but why should I need to test/check to see what is intercepted?

We now also have this ("send message to another application") in the "indirect" table. Please,.. how can a message be Indirect?

 

The help file explains Indirect access as:

This is obviously a very simplistic explanation, but it does imply that whatever the "Indirect access type", there is a parent process influencing a child process to access the network.

In other words, the message is not indirect for the "send message to another application" type. It is a direct message to another application but the "indirectness" of the process is the parent process sending this message to a child process in an attempt to force it to access the network.

At least that is how I interpret it.

 

How can that be indirect?, it is still a windows message.

I could go on, but will wait for reply.

 

Exactly, the "Action" windows message is direct but it is the complete step-by-step process of application (a) sends windows message to application (b) which then (by force of appliction (a)) proceeds to access the network subsystem. This entire process is - according to the help file's explanation - the "indirect access". Send message to another application is just one of the 6 indirect access types.

BTW Stem, this is not an attempt to argue with you. It is just my interpretation on what "indirect access" means. Something tells me you are going to indisputably prove otherwise You are clever, Stem - LOL!

 

Hi wat0114,
I am not attempting to argue, just trying to find a base for this.

If I had direct answer, I would not ask. I am not one to ask, wait for answer, then prove otherwise. I waited only for discussion. (rather than just going on with my own thoughts)

I can understand the thought, but then again, I cannot see this.

Lets us look at this.

Keeping all other (indirect/direct) applications out of loop(or chain (as by Jetico))

We start notepad (by explorer)
We start FF (by explorer)
We then have indirect relativeness between notepad -> FF.
OK, I can handle/understand that (but cannot see any direct leak or problem from such, there would need to be some other form of comms/attack to find reason for any concern)

Notepad sends message to FF: this would be attack table: notepad->FF)
Notepad sends message to explorer to pass to FF (I would like to see such): should this not be attack table: Notepad->Explorer, then Explorer->FF).

Personally, until correct description by Vendor is made, we will have our own thoughts, I know from checking (various tests) that there is something not quite right with the interceptions made by Jetico.
It is one thing for a Vendor to advertise the ability to intercept "leaktests", but for me, it is a need to know if these are being intercepted correctly.

I know that leaktests are not something everyone likes, but they do present a documented attack/leak attempt. Now when any firewall/HIPS keeps changing the alerts to the interception of these leaktests, then I need to ask why, and I do need to try and find answers.

 

You bring up good points. My feeling is there must be something not right with the alerts, because you have tested the product and I don't have to question the accuracy of your testing. I'll have to look at this some more to try and gain a better understanding, as I will admit many of the alerts are not clear to me as to why they're happening, only that I have no reason yet to believe J2 is weak in this area. It may not be alerting correctly on all counts, but it does appear to let nothing get past its defenses, which matters the most to me.