Kerio 2 and CHX-I

Discussion in 'other firewalls' started by Kerodo, Mar 26, 2005.

Thread Status:
Not open for further replies.
  1. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Diver--

    yeah, I don't use emule at all, I believe firmly in a one to one connection for P2P! That is why I use Mirc with Invision (server script). That way, I could set one particular port number, ie: 50253 for outgoing connections in order to download! Emule to me, is either too slow and or too risky with respect to tcp/udp ports. Just like Bit torrent! I heard and witnessed too many horror stories about having multiple connections to and from your system for hours on end. I am too Pnoid for that! :)

    As far as why CHX-I behaves better than 8signs is beyond me, I never ran into the issue, since I don't use Emule. The only issue I had with 8signs is running it with Snortsam that logged a lot of outgoing false positives. Not sure if it was a conflict or something else. Other than that, James Grant has done a great job on it...
    As far as protecting LNS, I don't use PG (Process Guard) because one can bypass CMH by just clicking cancel a number of times (5 times, to be exact). To me, that is not security...And SSM is too cumbersome! So I just rely on common sense and my AT/AV. I have not run into any problems so far with that approach. :)
    As far as what PeterC was referring to, this is what they tested with respect to Kerio and CHX-I:
    So they used them on the server together (Kerio 2.15 and CHX-I) which seemed to work for them using ICS...

    Take care
    Jazzie
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    I don't think you are missing anything with 8Signs. While it has improved TCP stateful inspection (i.e. FTP), it will not dynamically handle UDP connections. It is encouraging to see the direction CHX-I has taken introducing dynamic filtering of UDP and ICMP in addition to TCP stateful filtering. Stateful/dynamic filtering like this is still pretty limited in software firewalls.

    Regards,

    CrazyM
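    The dynamic UDP filtering CrazyM describes above, as an added example in Python that is not CHX-I or 8Signs code: an outbound datagram opens a state entry, only the matching reply is let back in, and the entry is forgotten once the flow goes idle. The 30-second idle timeout, the addresses and the datagrams are constructed for the demonstration.

```python
"""Dynamic (stateful) UDP filtering, added as an illustration of the behaviour
described in the thread; this is not CHX-I or 8Signs code."""
from dataclasses import dataclass

# Idle time after which a UDP state entry is forgotten (assumed value; real
# firewalls make this configurable).
UDP_IDLE_TIMEOUT = 30.0


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    outbound: bool  # True if sent by the protected host, False if arriving


class UdpStateTable:
    """Tracks outbound UDP flows so that only their replies are allowed back in."""

    def __init__(self, static_inbound_ports=()):
        # Ports a static rule opens regardless of state (e.g. a server the host runs).
        self.static_inbound_ports = set(static_inbound_ports)
        # (local_ip, local_port, remote_ip, remote_port) -> time last seen
        self.flows = {}

    @staticmethod
    def _flow_key(dg):
        # Normalise both directions to (local, remote) so a reply finds its flow.
        if dg.outbound:
            return (dg.src_ip, dg.src_port, dg.dst_ip, dg.dst_port)
        return (dg.dst_ip, dg.dst_port, dg.src_ip, dg.src_port)

    def _expire(self, now):
        stale = [k for k, seen in self.flows.items() if now - seen > UDP_IDLE_TIMEOUT]
        for key in stale:
            del self.flows[key]

    def decide(self, dg, now):
        """Return 'allow' or 'drop' for one datagram seen at time `now` (seconds)."""
        self._expire(now)
        key = self._flow_key(dg)
        if dg.outbound:
            self.flows[key] = now            # open (or refresh) a state entry
            return "allow"
        if key in self.flows:
            self.flows[key] = now            # reply to something we sent: refresh and allow
            return "allow"
        if dg.dst_port in self.static_inbound_ports:
            return "allow"                   # explicitly opened server port
        return "drop"                        # unsolicited: no state, no static rule


def demo():
    """Constructed traffic: a DNS query and its reply, an unsolicited datagram,
    and the same reply arriving again after the flow has gone idle."""
    table = UdpStateTable()
    query = Datagram("192.0.2.10", 50123, "198.51.100.1", 53, outbound=True)
    reply = Datagram("198.51.100.1", 53, "192.0.2.10", 50123, outbound=False)
    stray = Datagram("203.0.113.7", 4662, "192.0.2.10", 4672, outbound=False)
    return [
        table.decide(query, now=0.0),   # allow: opens the flow
        table.decide(reply, now=0.5),   # allow: matches the open flow
        table.decide(stray, now=1.0),   # drop: nothing asked for it
        table.decide(reply, now=60.0),  # drop: the flow expired after 30s idle
    ]


if __name__ == "__main__":
    print(demo())
```

    A filter without this table (the 8Signs behaviour CrazyM describes) has to choose between a static inbound UDP rule wide enough for every reply and blocking replies altogether; the state table is what lets the inbound rule stay closed.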
     
  3. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Jazzie-

    After reading over the last few posts, there is one more question. Were you using LnS as a firewall with its packet filter enabled, or as a utility to provide some degree of application control while using 8Signs to filter packets?

    Your comments about eMule are well taken. I do not know of any other application having that behavior with respect to UDP. It is bad behavior. The authors outright assume eMule will be used with an application aware firewall and advise to give it permission for two way communication for TCP and UDP on all ports. Kind of wild. It is an understatement to say that eMule is slow.

    Bittorrent connects out on a random TCP port and receives on the same port, but this seems to be for the initial connection only. After that the inbound traffic is on a designated server port. At least the random port is TCP so the return is handled by TCP stateful inspection that is available on most firewalls. Literally dozens of simultaneous connections are open, and for many hours if the transfer is large. Traffic to the designated inbound port goes on seemingly forever after the bittorrent application is no longer running. Generally, I use a rule to cut the logging, when I can. With CHX-1 the port stays closed and nothing goes in the log by default. The port is not stealthed, but it does not matter because everyone in the world knows where you are after running bittorrent for a while. At least it is fast.

    IRC- I have heard good things about that. Time to try it.


    CrazyM-

    Thanks for the confirmation. Can you explain that FTP feature you mentioned?
     
  4. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Diver--
    I use LNS strictly as an app filter, that is it! I don't enable the NIC (options) or the internet filter or anything else to do with TCP/IP!

    IRC is a lot faster than Bit Torrent, I download at 90 Kbs with slow DSL. Here is a link to get you started:
    h**p://www.ircmadeasy.com/modules.php?name=Invision_HowTo

    Take care
    Jazzie
     
  5. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Using passive FTP as an example, the only rule you require is outbound to remote port/service 21. The stateful inspection will dynamically allow the data connection outbound to the negotiated high port.

    Regards,

    CrazyM
     
  6. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    CrazyM-

    Very cool. I have noticed that I can do something like that with CHX-1 using active FTP along with some of the sample rule sets that allow incoming connections originating from just a few remote ports in the range below 1024. For passive ftp with CHX-1 I have yet to get it to work unless it is set up to allow incoming TCP originating from remote ports 1024-65535. Matter of fact, I have no idea of what those two check boxes do for passive FTP on the interface properties tab.

    Jazzie-

    Thanks for the info, but the link returns no data in document this AM. There is always Google....
     
  7. Stefan_R

    Stefan_R Registered Member

    Joined:
    Dec 12, 2004
    Posts:
    47
    On each interface you have:

    - Incoming Active/Passive ftp - this means either:
      a) You allow active and passive ftp to traverse the firewall to the DMZ ftp servers
      b) You allow active/passive ftp to a server on the box running chx

    - Outgoing Active/Passive ftp - this means either:
      a) you allow outbound active/passive sessions initiated from the lan/dmz segments to traverse the fw
      b) you allow outbound active/passive initiated sessions from the box running chx

    Active ftp:

    - control channel: port n
    - data channel: inverse direction (SYN originates from "remote" port n-1 to "local" PORT IP:port argument)

    Passive ftp:

    - control channel: port n
    - data channel: same direction (dst IP and port found in server's response to PASV reply)

    Hope this clarifies a little the ftp options on each interface.


    Regards,

    Stefan.
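    The passive FTP rule CrazyM describes earlier and Stefan's active/passive breakdown above, as one added example in Python that is not CHX-I or 8Signs code: it parses the client's PORT command and the server's 227 reply on the control channel and derives the single data-channel connection a stateful filter would open dynamically, inbound from the server's port n-1 for active mode and outbound to the advertised high port for passive mode. The control-channel transcript and the addresses are constructed for the demonstration, and a PORT or 227 that names some third host is deliberately given no pinhole.

```python
"""How a stateful filter turns FTP control-channel messages into a single
data-channel pinhole. Added example, not CHX-I code; the session lines,
addresses and ports below are constructed."""
import re

# Client -> server: PORT h1,h2,h3,h4,p1,p2  (active mode)
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
# Server -> client: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)  (passive mode)
PASV_RE = re.compile(r"^227\s.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode(h1, h2, h3, h4, p1, p2):
    """FTP encodes the IPv4 address as four octets and the port as high,low bytes."""
    return f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2)


def pinhole_for(line, client_ip, server_ip, control_port=21):
    """Return the data connection to allow for one control-channel line, or None.

    Active FTP: the server opens the data channel from control_port-1 (20)
    back to the IP:port the client advertised in PORT, so the pinhole is
    inbound, the inverse direction of the control channel.
    Passive FTP: the client opens the data channel to the IP:port the server
    advertised in its 227 reply, so the pinhole is outbound, same direction.
    The advertised address must belong to the peer that sent it; a PORT or
    227 that points at a third host gets no pinhole.
    """
    m = PORT_RE.match(line)
    if m:
        ip, port = _decode(*m.groups())
        if ip != client_ip:
            return None
        return {"mode": "active", "direction": "in",
                "src_ip": server_ip, "src_port": control_port - 1,
                "dst_ip": ip, "dst_port": port}
    m = PASV_RE.match(line)
    if m:
        ip, port = _decode(*m.groups())
        if ip != server_ip:
            return None
        return {"mode": "passive", "direction": "out",
                "src_ip": client_ip, "src_port": None,  # any ephemeral client port
                "dst_ip": ip, "dst_port": port}
    return None


def pinholes_for_session(lines, client_ip, server_ip):
    """Scan a control-channel transcript and collect every pinhole it justifies."""
    return [p for p in (pinhole_for(ln, client_ip, server_ip) for ln in lines) if p]


# Constructed transcript: one active transfer, one passive transfer, and a
# passive reply naming a third-party address (which must not open anything).
SESSION = [
    "USER anonymous",
    "PORT 192,0,2,10,200,5",                             # active: client listens on 51205
    "200 PORT command successful",
    "PASV",
    "227 Entering Passive Mode (198,51,100,20,195,80)",  # passive: server listens on 50000
    "227 Entering Passive Mode (203,0,113,9,4,1)",       # bogus: not the server's address
]

if __name__ == "__main__":
    for p in pinholes_for_session(SESSION, "192.0.2.10", "198.51.100.20"):
        print(p)
```

    This is why the only static rule needed is outbound to port 21: every data-channel port is read off the control channel as it is negotiated, and the blanket "allow inbound from 1024-65535" rule Diver mentions is exactly what the pinhole replaces.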
     
  8. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Diver-

    The link is valid:
    h**p://www.ircmadeasy.com/

    Just didn't want to broadcast it on Wilders! :)

    I use Opera and they both work (links)

    I would suggest that as a safer alternative than Emule or Bit Torrent.

    CU
    Jazzie
     
  9. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    STEFAN--

    Now is a good time to discuss the TDI Level Application filter plug in for CHX-I!!!! :p (j/k) I/we know how you feel on the subject. But, a re-cap on a plug-in would be a nice conversation piece!!! :)

    CU
    Jazzie
     
  10. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Jazzie-

    I can't get it here using either IE or Firefox. Could be I am at a banned IP or something. There is a guide at www dot slyck dot com which ought to be enough to get me started.
     
  11. Stefan_R

    Stefan_R Registered Member

    Joined:
    Dec 12, 2004
    Posts:
    47
    I really think those with a need for application control security app have an enormous amount of choices. On our side we must ensure the chxpf is a stable, performant network control tool for server&gateway environments and that it performs as advertised (well...ok...not really advertised...).

    However - if you can convince me there is a way to implement _reliable_ application control I am more than willing to listen. It would - indeed - be a nice conversation piece. ;)

    Regards,

    Stefan.
     
  12. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Stefan-

    I have been trying to convince both you and James Grant (8signs) on the subject of employing Application filtering of some kind within or as a plug-in to coincide with CHX-I. That way, CHX-I can be left as it is (packet filter) and the application plug-in can control apps from either calling home or out. Just a basic app filter would mean a lot to people, such as myself, that like to control what and how bandwidth is to be distributed. I know that a lot of security specialists believe it is illusionary, but some control of what calls out and how/when is better than not having any control. I have not tried Kerio 2.15 like the TreeWalk (members.shaw.ca) but they claim it works well. I use it alongside LNS (app filtering only) and it works also well. Another app filter I tried was called 'Alert Wall' and it works ok. Would you at least be willing to look into a possibility of a third party plug-in to filter applications in unison with CHX-I?

    Diver--

    That will work as well, weird though, unless something like you say is blocking it! Try: h**p://www.i-n-v-i-s-i-o-n.com/

    Thanks
    Jazzie
     
  13. Stefan_R

    Stefan_R Registered Member

    Joined:
    Dec 12, 2004
    Posts:
    47
    Perhaps the wisest thing to do is release the 3.0 pf as open source. This way others can try and implement app control... :)

    The problem I am having with app control - it is like playing chess with yourself. I do not know about Mr. Grant, but I am sure he comes from the same old school as I do. And perhaps - we are wrong, but I have yet to see a thought experiment that demonstrates app control efficiency.

    However - I can certainly see how false hope can be better than no hope at all. ;)

    Regards,

    Stefan.
     
  14. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    LOL, yeah I hear what you are saying. And yes, he is 'old school' as you say. And maybe being open source will open up some doors to projects, such as pro-app filtering ones! ;)

    Thanks for your input

    Jazzie
     
  15. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Jazzie- That last link worked for me. Thank you.

    Stefan- After some experimenting, I was able to make the outgoing passive ftp button do what you say. Part of the problem (or all of it) is I am using IE and not a real FTP client for this. Some sites work just fine with passive FTP enabled even though the high numbered ports are not explicitly in the allow range, others show up in the log as "Does not match allow policy." For the latter bunch of sites active FTP works with the outgoing button enabled. However, they all work when IE is in the active FTP mode. I suspect this issue is more related to IE rather than CHX-1, but I have not had a chance to try this with Firefox, which does only passive FTP, or better yet, a real ftp client. I suspect your product was designed with a real ftp client or server in mind.

    Everyone-

    On the subject of adding app control to chx-1 or 8signs via a plug in, I tend to side with the developers when they say there are enough application oriented firewalls available.

    However, there might be room for a product that does some version of app control without the packet filter because of the proliferation of hardware firewalls. At the moment the only thing out there is LnS with its packet filter disabled.

    I wonder exactly why some of the experts say app control is an illusion. My piece on this has been the user gets numb from responding to far too many requests from the firewall and will simply allow anything after a while. The more the firewall attempts to warn on a generic basis of app x starts app y, the more overwhelmed the user gets. Anyone who can answer all of these warnings right can surely use their brain to avoid allowing malware on to their PC in the first place. I read in one of the big PC magazines this is exactly why Microsoft did not bother with app control in the SP2 firewall. Additionally, the fascination that many have with leak tests misses the point that firewalls can be terminated, some more easily than others.
     
  16. Stefan_R

    Stefan_R Registered Member

    Joined:
    Dec 12, 2004
    Posts:
    47
    I am no expert - by any means...but this is what I mean:

    - user Bob (or Alice to be politically correct) installs minesweeper version 9.8. And he's (she's) got root rights. After all, they want to play minesweeper.
    - minesweeper has other things in mind. It installs a network driver (much like chxpf, chxnat, etc)

    From this point on the minesweeper driver alters the data in transit (headers and payload alike). It is a crude thought experiment but there is absolutely no way in hell any system can reliably tell what is taking place with outgoing data.

    Simple, no need to "circumvent" existing app control. Data is modified on its way out/in without any possibility to detect it at tdi/whatever layer. A game of cat and mouse, reactive and deceiving.


    Regards,

    Stefan.
     
  17. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Stefan-

    That thought had crossed my mind before, malware that installs its own network driver. I just had not made it around to asking that specific question in this forum or any other for that matter.

    You have given me more fuel for the fire as I have been saying that the leak tests only look at one narrow aspect of the problem, impersonating an application that is authorized to communicate. This reminds me of the story of the hunter who was getting ready to shoot an Elephant. While he was looking through the telescopic sight on his rifle a lion jumped on him from outside his field of view.
     
  18. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Keep in mind that once you create an 'allow xxx but' rule everything but the rule you created will be blocked.
     
  19. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Regarding the CHX-I/Kerio 2 combination, I thought everything was fine, however, after some time I began to see things in the CHX logs which made me think that either Kerio was missing extraneous packets and CHX was catching them, OR there might be a conflict between the two somehow and which one caught the packets wasn't consistent. So for now I've given up on that combination here..

    Besides, running 2 firewalls seems contrary to common sense...
     
  20. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Kerodo-
    I haven't tried the combo (Kerio 2.15 and CHX-I). Did you look at the example that PeterC posted on both working on a server?

    h..p://members.shaw.ca/BIND-PE_and_ICS/index.htm

    They seemed to get it to work without any problems. Even though the site and info is outdated, it still should give you some insight on how to set it up. But, if you are discouraged, I understand. I use it with LNS and there are no conflicts. Of course, I don't have two kernel level drivers that are conflicting for resources either...

    Stefan-- I understand what you mean with respect to trusted programs being able to execute/modify data at will. James Grant thinks just like you do! His analogy was (probably still is!) "if you have a leaking bucket of water and patch up some of the holes, will it still leak?" :) So yeah, I guess there are always two sides to the argument on App filtering.
    Sand box technology and certain process protectors would probably protect against this type of exploit, but I see proof of concept, which goes beyond the scope of application filtering. But, if you had, let's say Tiny Personal firewall, the above scenario would not go undetected, or some kind of component control, as with Outpost firewall. Have you seen any of these firewalls in action? (Outpost, LNS, Kerio, etc.)?? We use Check Point at work, so I don't fuss about not having app filtering. But at home, I like to control what and how the applications on my system use bandwidth... Thanks again for your valuable input.

    CU
    Jazzie
     
    Last edited: Mar 28, 2005
  21. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Jazzie - I've given up on the combo approach for now, but thanks for the link. I may try again soon when the urge hits me.. (and it always does) ;)
     
  22. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Jazzie-

    Within the concept is the assumption that the user affirmatively put the trojan on his/her system because they wanted to, in the case of the example, play minesweeper. So, if they had Tiny, they would have let minesweeper install and give it whatever privileges it needed to run. What would Tiny tell them? "Installs system wide hooks?" Lots of stuff does that. It is the lack of intelligence in the present generation of sand boxes that makes them worthless IMO. Actually, a lot of them need to be turned off or put in an install mode when new stuff is installed.

    It's a lot easier to be circumspect about what we run, than to try and live with something like Tiny. And for most users, Tiny is too difficult to be an option.
     
  23. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Diver--
    I didn't mean that one should place "minesweeper" as a trusted app within Tiny and the scenario that Stefan referred to wouldn't happen. What I meant is that if something (minesweeper) tried to install its own protocol stack, it would be detected by a sandbox by trying to install itself into the registry and or system drivers. I have configured Tiny before, I am no new user to it. Even if it is given Global hooks (system wide) it still would have to install itself one way or another. And with respect to Stefan's example, even though you allowed it to play (the game) it should not have to communicate through tcp/ip or any other protocol. Yes, Tiny is rough around the edges, I agree, but until there is a good setup guide for it, the best way is to start by learning it hands on!

    CU
    Jazzie
     
  24. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Jazzie1-

    Tiny kind of overwhelms me. As you may have noticed from many of my posts, I am opposed to systems that require a lot of user interaction. If the user can interact with Tiny correctly, he/she is smart enough to avoid the infection in the first place, because these things stand out. I mean, they just don't look right. If the user does not understand how to use Tiny (most of us) then it is useless. IMO, when confronted with many warnings to permit harmless programs to run, the user becomes trained to not trust the warnings and lets everything run. What if an AV gave a warning for every file it scanned and asked you if it was OK? No one would use it. That is what a lot of the sand box stuff is like. It needs to be considerably smarter, because legit programs do a lot of the same stuff that trojans do, and most people don't understand the warnings in the first place.

    You know, there are 2 or 3 million systems with Kazaa on them, all voluntarily infected with spyware because those folks wanted Kazaa to run and that was it.
     
  25. Arup

    Arup Guest

    I for one, while doing some other things on my PC, namely programming or busy with word processing, have absent-mindedly set up permissions that probably should not be there. The point is, unless one is careful, one can end up setting up the wrong kind of rules, especially in moments of distraction.
     