New tests from Matousec

Discussion in 'other firewalls' started by Dwarden, May 7, 2008.

Thread Status:
Not open for further replies.
  1. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    The entire concept is completely correct. But to take it correctly you need to accept it as just another layer of protection. Then this is OK. The concept is that no means can help with zero-day malware except a behaviour-based detection system. The idea "once malware is started you are defeated" is wrong. To make something, malware needs to do something unusual. And here it will be caught by behaviour-based defence.
     
    Last edited: May 12, 2008
  2. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Did you ever set "Deactivate HIPS Features" to test the OA firewall?
    And did you ever run "Uninstall Firewall" before testing OA HIPS?
    Who may win...

    The entire concept is completely false and misleading.
    It's clearly a HIPS test, not a firewall test.
    But why don't they label these tests as HIPS tests?
    Evidently because of commercial interests, more companies to molest and a lot more money in sight...
    "There are no limits of the frequency of the paid tests."
    It is really ridiculous.

    Cheers
     
  3. wat0114

    wat0114 Guest

    Some of you complaining that it should be a HIPS test are missing the point. Matousec has made it abundantly clear in his Design of ideal personal firewall page his concept of the ideal personal firewall. Read through it and you will see that he feels the ideal personal firewall should include HIPS-like features. It is his opinion only. That is all.

    Unlike recently, this does not mean I'm for these leak tests and the race to design the leak proof firewall. These firewalls are just turning into bloated monstrosities, giving the users of them more headaches than they're worth. It's okay maybe for a while to use these products, because they can be useful tools, aiding the user in learning about the inner workings of Windows, but eventually they become tiresome. Even Jetico 2 is getting out of control. They want first place, so they block even the user from Windows Services :(
     
  4. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    Ok, again... A Personal Firewall must be able to control the net requests of ALL applications, and that includes: leak tests, malware, rootkits, spyware, viruses... ALL applications.
    How will that be achieved, I don't care.
     
  5. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Why should I disable my protection to run the tests?
    As for the entire concept, it depends on what you personally call a Firewall. In case a Firewall is only a packet filter for you, then you are right, but in case one regards a Firewall as a program that controls all the network activity (as in my case), then you are wrong. Try Wikipedia. Packet filters were the first firewall generation. Now we have at least the third generation and the term's meaning has also shifted. I mean a modern firewall just cannot run without HIPS to comply with the modern requirements. This is mainstream; there is nothing anybody can do about this.
     
  6. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Security and convenience are two contradicting things, unfortunately :)
     
  7. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    To all posters:

    Well, FWIW I agree in principle with alex_s.

    It is clear that different users have different definitions of "FW". That is fine, but wastes gobs of time while posters talk past each other. Maybe it is not a waste.

    If a user looks at any modern FW SW, say ZA Pro or CFW or OA 2, OA 2+ with AV etc., they will see many security features that weren't around in the early days. This doesn't mean the past was bad or that the present FW suites are good or anything like that.

    What it does mean is the user needs to KNOW what they need/want security-wise on their PCs. With that in hand they can look at the latest offerings, including the Matousec tests, draw their own conclusions and select their tools!

    In my case, FWIW I use a set of tools for security. OA 2 has the 2-way FW I want/need and a HIPS integrated with it. It has a bunch of other features as well, like web and mail shields, which I use since they come with the suite.

    I decided not to get the AV from the same vendor since I didn't want all my security eggs in one basket.

    In doing a test I would only remove the H/W shields; otherwise all you test is them, not the SW FW/suite.

    Matousec and all these testing services are good IMO, since they make the vendors review their logic and give their flaws a public airing!

    Just my usual rant :D
     
  8. The_1337

    The_1337 Registered Member

    Joined:
    Aug 10, 2007
    Posts:
    112
    It's stupid if he tests based on "his ideal firewall." How is it fair if companies don't think exactly as he does? The tests just become his opinion on what a firewall should be.
     
  9. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Fair ? LOL

    Any company, any customer and any private person may think whatever he wishes and test whatever he wants with whatever criteria he chooses. This is the only fair idea I know. And everybody is free to develop his own testing program and introduce it to the public (if he is skilled enough and brave enough, of course).

    What prevents you from doing it right?? Just do it, and everybody will applaud :)
     
  10. The_1337

    The_1337 Registered Member

    Joined:
    Aug 10, 2007
    Posts:
    112
    There is no fair way to do testing, and that's my point.
     
  11. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I think hardly anybody would argue with this statement. Does it mean anybody who tries should be bashed? :)

    My point is a clever person can find useful information in anything, including Matousec tests. I'd say there is a lot of useful information a person can get there. But to do that, the information should be treated properly. If treated improperly it becomes completely meaningless and even misleading. But this is not Matousec's fault, this is the person's fault. Matousec is consistent. He publishes his methodology, testing conditions, the tests themselves and his approach. You can disagree with his approach, but you can hardly find any inconsistency if you read everything carefully. And I should add, the work he does is VERY time-consuming and VERY difficult.
     
  12. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    There is no such thing as "modern requirements". Security requirements vary from person to person; this is why a general testing methodology like Matousec's is meaningless. Of course, for Matousec everything is fine because the testing is in accord with his view on firewalls.

    Really? Well, I can do something about it. I run Sygate (or Kerio 2), both being without HIPS.
     
  13. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    There are. A modern firewall has to treat modern network-related malware in a safe way. This is the main modern requirement. Also a modern firewall should be easy to use by a non-technically skilled average user (computers are now not only IT tools, as they were not too long ago).
     
    Last edited: May 14, 2008
  14. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    A Personal Firewall must distinguish which application made the net request; that is now like it was before. If it can't, it is useless. ← period
     
  15. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,
    Why does a firewall have to distinguish what application made the net request?
    Mrk
     
  16. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    http://en.wikipedia.org/wiki/Firewall

    ===
    Firewall technology emerged in the late 1980s when the Internet was a fairly new technology in terms of its global use and connectivity. The predecessors to firewalls for network security were the routers used in the late 1980s to separate networks from one another [1]. The view of the Internet as a relatively small community of compatible users who valued openness for sharing and collaboration was ended by a number of major internet security breaches, which occurred in the late 1980s.[1]:
    Clifford Stoll's discovery of German spies tampering with his system [1]
    Bill Cheswick's "Evening with Berferd" 1992 in which he set up a simple electronic jail to observe an attacker[1]
    In 1988 an employee at the NASA Ames Research Center in California sent a memo by email to his colleagues[citation needed] that read,“ We are currently under attack from an Internet VIRUS! It has hit Berkeley, UC San Diego, Lawrence Livermore, Stanford, and NASA Ames. ”

    The Morris Worm spread itself through multiple vulnerabilities in the machines of the time. Although it was not malicious in intent, the Morris Worm was the first large scale attack on Internet security; the online community was neither expecting an attack nor prepared to deal with one.[2]

    First generation - packet filters

    The first paper published on firewall technology was in 1988, when engineers from Digital Equipment Corporation (DEC) developed filter systems known as packet filter firewalls. This fairly basic system was the first generation of what would become a highly evolved and technical internet security feature. At AT&T Bell Labs, Bill Cheswick and Steve Bellovin were continuing their research in packet filtering and developed a working model for their own company based upon their original first generation architecture.

    Packet filters act by inspecting the "packets" which represent the basic unit of data transfer between computers on the Internet. If a packet matches the packet filter's set of rules, the packet filter will drop (silently discard) the packet, or reject it (discard it, and send "error responses" to the source).

    This type of packet filtering pays no attention to whether a packet is part of an existing stream of traffic (it stores no information on connection "state"). Instead, it filters each packet based only on information contained in the packet itself (most commonly using a combination of the packet's source and destination address, its protocol, and, for TCP and UDP traffic, which comprises most internet communication, the port number).

    Because TCP and UDP traffic by convention uses well known ports for particular types of traffic, a "stateless" packet filter can distinguish between, and thus control, those types of traffic (such as web browsing, remote printing, email transmission, file transfer), unless the machines on each side of the packet filter are both using the same non-standard ports.

    Second generation - "stateful" filters
    Main article: stateful firewall

    From 1980-1990 three colleagues from AT&T Bell Laboratories, Dave Presetto, Janardan Sharma, and Kshitij Nigam developed the second generation of firewalls, calling them circuit level firewalls.

    Second Generation firewalls in addition regard placement of each individual packet within the packet series. This technology is generally referred to as a stateful firewall as it maintains records of all connections passing through the firewall and is able to determine whether a packet is either the start of a new connection, a part of an existing connection, or is an invalid packet. Though there is still a set of static rules in such a firewall, the state of a connection can in itself be one of the criteria which trigger specific rules.

    This type of firewall can help prevent attacks which exploit existing connections, or certain Denial-of-service attacks.

    Third generation - application layer
    Main article: application layer firewall

    Publications by Gene Spafford of Purdue University, Bill Cheswick at AT&T Laboratories, and Marcus Ranum described a third generation firewall known as an application layer firewall, also known as a proxy-based firewall. Marcus Ranum's work on the technology spearheaded the creation of the first commercial product. The product was released by DEC who named it the DEC SEAL product. DEC’s first major sale was on June 13, 1991 to a chemical company based on the East Coast of the USA.

    The key benefit of application layer filtering is that it can "understand" certain applications and protocols (such as File Transfer Protocol, DNS, or web browsing), and it can detect whether an unwanted protocol is being sneaked through on a non-standard port or whether a protocol is being abused in a known harmful way.

    Subsequent developments

    In 1992, Bob Braden and Annette DeSchon at the University of Southern California (USC) were refining the concept of a firewall. The product known as "Visas" was the first system to have a visual integration interface with colours and icons, which could be easily implemented to and accessed on a computer operating system such as Microsoft's Windows or Apple's MacOS. In 1994 an Israeli company called Check Point Software Technologies built this into readily available software known as FireWall-1.

    The existing deep packet inspection functionality of modern firewalls can be shared by Intrusion-prevention systems (IPS).

    Currently, the Middlebox Communication Working Group of the Internet Engineering Task Force (IETF) is working on standardizing protocols for managing firewalls and other middleboxes.
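    As an added illustration (not part of this thread or of the Wikipedia article quoted above) of the three generations the quote describes, here is a constructed Python model of a stateless packet filter, a stateful filter and an application-layer filter, each run over the same four invented packets. The addresses, ports, payloads and class names are all assumptions made for the example; the point is to show which packet each generation can and cannot judge.

```python
"""Toy models of the three firewall generations described in the quoted text.
Constructed example: every address, port and payload is invented."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


LOCAL_HOST = "10.0.0.5"   # constructed address of the protected machine


def outbound(pkt: Packet) -> bool:
    return pkt.src == LOCAL_HOST


class StatelessFilter:
    """First generation: each packet is judged only on its own header fields."""

    def __init__(self, allowed_remote_ports):
        self.allowed = frozenset(allowed_remote_ports)

    def decide(self, pkt: Packet) -> bool:
        if outbound(pkt):
            return pkt.dport in self.allowed
        # Inbound: with no memory of connections, the best a stateless filter can
        # do is treat anything *from* an allowed service port as a reply.
        return pkt.sport in self.allowed


class StatefulFilter(StatelessFilter):
    """Second generation: remembers connections opened from the inside."""

    def __init__(self, allowed_remote_ports):
        super().__init__(allowed_remote_ports)
        self.connections = set()   # (remote, rport, local, lport)

    def decide(self, pkt: Packet) -> bool:
        if outbound(pkt):
            ok = pkt.dport in self.allowed
            if ok:
                self.connections.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return ok
        # Inbound packets are accepted only as part of a connection we opened.
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.connections


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


class ApplicationLayerFilter(StatefulFilter):
    """Third generation: additionally checks that the payload matches the
    protocol expected on the port, so a foreign protocol cannot ride port 80."""

    def decide(self, pkt: Packet) -> bool:
        if not super().decide(pkt):
            return False
        if outbound(pkt) and pkt.dport == 80 and pkt.payload:
            return pkt.payload.startswith(HTTP_METHODS)
        return True


def run_scenario():
    """Feed the same four constructed packets to each generation; return verdicts."""
    web_request = Packet(LOCAL_HOST, 40000, "203.0.113.10", 80, b"GET / HTTP/1.1\r\n")
    web_reply = Packet("203.0.113.10", 80, LOCAL_HOST, 40000, b"HTTP/1.1 200 OK\r\n")
    # Unsolicited inbound packet whose source port happens to be 80.
    unsolicited = Packet("198.51.100.7", 80, LOCAL_HOST, 40001, b"\x00\x01")
    # Non-HTTP bytes sent to port 80 (a different protocol on the web port).
    disguised = Packet(LOCAL_HOST, 40002, "203.0.113.10", 80, b"\x16\x03\x01")
    results = {}
    for name, cls in (("stateless", StatelessFilter),
                      ("stateful", StatefulFilter),
                      ("application", ApplicationLayerFilter)):
        fw = cls(allowed_remote_ports=[80, 443])
        results[name] = {
            "web_request": fw.decide(web_request),
            "web_reply": fw.decide(web_reply),
            "unsolicited": fw.decide(unsolicited),
            "disguised": fw.decide(disguised),
        }
    return results


if __name__ == "__main__":
    for generation, verdicts in run_scenario().items():
        print(generation, verdicts)
```

    Only the stateful filter drops the unsolicited packet, and only the application-layer filter notices that the "disguised" payload is not HTTP; the stateless filter passes both because it has nothing but the port numbers to go on. None of the three models knows which process on the host sent a packet, which is the separate question argued over in the rest of this thread.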
     
  17. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,286
    Location:
    Las Vegas
    That is why I use software that detects behavior changes. You did not refute what I argued about firewalls- if anything, you reinforced it with your comments.
     
  18. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,
    alex, I can read wikipedia myself. I still do not have your answer. Why should a firewall need to tell what process made the request?

    Now, my explanation:

    Application-based filtering is good for a TRUSTED environment only. For instance, I use firewalls to restrict Windows services from outbound connections, knowing these are legitimate applications. They will not try to do anything more than what the firewall reports. What you see is what you get.

    If you have "malware" on your machine and this malware has access to the kernel, it can effectively reroute process IDs or process calls, making any driver or application running on top of it (including firewall) think it's executing a legitimate application.

    A subverted kernel cannot be trusted, hence all and any internal identification becomes meaningless. This is why leaktests have no meaning.

    You might install some simple malware that will not try to outsmart your firewall and then the firewall will be effective. But then, you might install something that rewrites half the kernel and from that moment on, nothing is as it ever seems to be. Not only does your firewall become useless - and remains silent - everything else is changed, too.

    Leaving aside the chances of the existence of either, as well as the ways one gets infected or infects himself or herself, it is impossible to protect the operating system from itself.

    In any system where any application has FULL control - like in Windows - the kernel can be changed and manipulated.

    The firewall might work 50%, 90%, 99.3% of the time, but there are times when it might not. Testing leaktests in a controlled environment, where you know when and what to expect, does not reflect the reality where the user downloads something, then starts to install and begins clicking yes, yes, yes.

    Mrk
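    An added illustration of the argument in the post above (constructed for this page, not code from any firewall product or from the poster): a per-application outbound policy can only apply its rules to whatever executable image the kernel reports for a process, so the same policy with the same inputs gives a different verdict once that answer is wrong. The paths, PIDs, addresses and the `ProcessOracle` helper are all invented stand-ins for the kernel's process table.

```python
"""Constructed model of per-application outbound control, showing that its
verdicts are only as good as the process identity the kernel reports.
Every path, PID and address here is invented for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    pid: int              # process the kernel says opened the socket
    remote_host: str
    remote_port: int


# Constructed per-application policy: executable image -> permitted remote ports.
# Anything without a rule is denied (default-deny).
POLICY = {
    r"C:\Program Files\Browser\browser.exe": {80, 443},
    r"C:\Windows\System32\svchost.exe": {53},
}


class ProcessOracle:
    """Stands in for the kernel's process table (PID -> executable image).
    A personal firewall has no independent way to verify these answers."""

    def __init__(self, table):
        self.table = dict(table)

    def image_of(self, pid):
        return self.table.get(pid)


def decide(conn: Connection, oracle: ProcessOracle) -> bool:
    """Apply POLICY to the image the oracle reports for conn.pid."""
    image = oracle.image_of(conn.pid)
    allowed = POLICY.get(image)
    if allowed is None:
        return False          # unknown or unlisted image: deny
    return conn.remote_port in allowed


# Constructed connection attempts. PID 4711 is a program with no rule.
ATTEMPTS = {
    "browser_https": Connection(pid=1200, remote_host="203.0.113.10", remote_port=443),
    "svchost_dns": Connection(pid=900, remote_host="10.0.0.1", remote_port=53),
    "svchost_https": Connection(pid=900, remote_host="203.0.113.10", remote_port=443),
    "unknown_https": Connection(pid=4711, remote_host="198.51.100.7", remote_port=443),
}

# Process table as an intact kernel reports it.
INTACT_TABLE = {
    1200: r"C:\Program Files\Browser\browser.exe",
    900: r"C:\Windows\System32\svchost.exe",
    4711: r"C:\Users\Public\unknown.exe",
}

# The same table as a subverted kernel might report it: PID 4711 is now
# attributed to the browser. Nothing else the firewall sees has changed.
SUBVERTED_TABLE = {**INTACT_TABLE, 4711: r"C:\Program Files\Browser\browser.exe"}


def evaluate(table):
    """Verdict per attempt, given a process table."""
    oracle = ProcessOracle(table)
    return {label: decide(conn, oracle) for label, conn in ATTEMPTS.items()}


def verdicts_that_depend_on_kernel():
    """Labels whose verdict flips between the intact and subverted tables:
    exactly the decisions that rest on trusting the kernel's answer."""
    intact = evaluate(INTACT_TABLE)
    subverted = evaluate(SUBVERTED_TABLE)
    return sorted(label for label in ATTEMPTS if intact[label] != subverted[label])


if __name__ == "__main__":
    for name, table in (("intact", INTACT_TABLE), ("subverted", SUBVERTED_TABLE)):
        print(name, evaluate(table))
    print("kernel-dependent verdicts:", verdicts_that_depend_on_kernel())
```

    With the intact table the policy does what the post describes for a trusted environment: the browser and the DNS lookup go out, svchost is kept off port 443 and the unlisted program is denied. With the subverted table the identical policy and the identical connection attempt produce the opposite verdict for the unlisted program, and the firewall has nothing in its own inputs that would tell it the difference. That dependency, not the rule logic, is the "trusted environment only" caveat.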
     
  19. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    I said Personal firewall
    because it is the personal FW's job.
    Your question is dumb, like this one: Why does a media player play video?
     
    Last edited: May 15, 2008
  20. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,286
    Location:
    Las Vegas
    Finally someone/something I agree with in over a year in this forum. :thumb: There is more paranoia and nonsense about security in this forum than any other place I have seen. So-called outbound protection from a firewall is a myth if your operating system has been compromised. The kernel can be changed and manipulated.
     
  21. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,

    No it's not.

    Media player - plays media
    Firewall controls - ?

    Firewall is also an application so ... but it can also control packets ...

    Now, questions cannot be dumb. Only answers can.

    Mrk
     
  22. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    A Personal FW is not just a packet filter; it can also distinguish which app made the call,
    like a media player can play music and movies...:rolleyes:
     
  23. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,
    It MAY distinguish - provided the kernel has not been compromised ...
    That's where the ENTIRE problem rests.
    Mrk
     
  24. wat0114

    wat0114 Guest

    With all due respect, the same can be said about antiviruses; they usually work < 100% of the time. I side somewhat with you and Bunkhouse, but I also side in part with alex. In the right hands, a personal firewall can be an invaluable security tool, provided, of course, that the malware does not completely circumvent it. You mention the user will click yes, yes, yes, but a knowledgeable, responsible user will probably see that during installation of unknown malware, application whoopie.exe is attempting to connect to remote port 6666, therefore having the opportunity to stop it from connecting out. Maybe the system is toast because the malware is installing, but at least it does not transmit personal data.

    As I've mentioned earlier, I do believe these firewalls, some of them at least, are getting out of control. I don't mind basic, solid application control incorporated in the firewall, but the race to keep up with every conceivable leaktest is causing some of these products to bulge at the seams, so to speak ;)
     
  25. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    Oh, if the kernel is compromised then everything is compromised...
    Personal FWs should have rootkit installation detection and other similar HIPS-like tools so that the kernel does not get compromised and thus to be able to control app net requests properly, so I hope Matousec will implement more rootkit-like and similar tests in the future...
     