OA Firewall (review)

I have seen and used earlier versions of this firewall, and was going to wait until a final release, but due to PM`s, and the open release (although not final) I will make a post.

First lets look at the settings.

Standard mode

From default installation the firewall is set at "Standard mode"
~screenshot taken during installation~


from this, if we check the firewall options


At the top there is the option "Automatically allow Trusted programs to access the internet". This of course does as it states, and will allow applications that are trusted to be allow internet access, and any rules for that application will be automatically created.
Below this are the logging options, then the "Content control", the later being how the firewall will check the applications, by ethier Hash(checksum), or by Hash and Path.
The "Notify me when programs are autotrusted" will make the firewall give a popup when an application is first (automatically) allowed internet access.

The "uninstall Firewall" is there if you are installing, and already have a firewall installed, or simply do not want to install this firewall.

All applications that have been allowed internet access, and the rules created for these can be reviewed at any time.

Select Firewall:- "Program access" tab for the programs allowed internet access


the "Rules" tab, which will show the rules created

 

Advanced Mode

Now, this is the setting I personally would use. The mode of the firewall can be changed at any time, by going to "Options"


If we then go to the "Firewall" tab, there are a couple of extra options



Again, at the top there is the "Automatically allow Trusted programs to access the internet, but with an extra option below "Autoconfigure trusted programs". Depending on how you have these selected, you could for instance, uncheck the "Automatically allow Trusted...." so that you are given the warning popup, but once a trusted program is allowed internet access, then any rules required will be made automatically. Or of course, you can uncheck both, and create rules from popups, or manually enter them (we will look at that a little later)
The other option to note is the "Intercept Loopback interface". Now this will intercept comms on the localhost, this is needed particularly if you are using a loclhost proxy such as "Proxomitron"

The main difference can be seen between "Standard" and "Advanced" mode when we go back to to the "firewall" settings/option.

 

First, the ICMP tab, this, as you may of guessed, is for the ICMP settings



We then have the "Restricted Ports" tab. This will block ports from being available to the internet. These can be added to, edited or deleted, depending on need.

 

"Restrictions / Blacklists" tabs.

I left these until now, as these options are also within the "program rules"

Under the tabs shown, these are global rules, and can be added to a programs rules which I will show a little later, first,

Restrictions.
This allows you to set what country, or single/range IP(s) are allowed or disallowed to be connected to. As you can see from the options:-



Blacklists,

This enables you to load a "blacklist". I personally download my blacklists using the "Blocklist Manager". This will download the selected blacklists, the lists do not need to be converted, they can simply be loaded into OA. They can then, if needed, be edited. I dont normally have so many lists installed, I added these as I wanted to see how OA would handle large lists.

 

Program rules

As mentioned, all program rules can be found: Firewall / rules / rules tab.
To edit the rule, either double left click the rule, or select and press "Edit Rule":-



An example of a program rule: this is for firefox HTTP (remote port 80)



Now, I was a little concerned with this at first, as there is no "local port(s)" entry. But as there is the inclusion of the "restricted ports" I can see possibly why this was not included.

You will note the other tabs on this rule,
Endpoint Restrictions.
Here you can leave as "Global Restrictions" (as you may of entered) or, you can use restrictions per rule, an example could be for DNS lookups, where you want to allow only comms to your DNS servers



Then the Blacklists tab,
Again, you can leave as global, or you can select just certain lists, or have none, depending on the application

 

I have probably missed some settings (and will add if/when found), but I must move on.

Now before I continue, I must say, that I am set up on W2K. I know from the release shown that OA2 is not compatible due to bugs/conflict with this OS, but, there as been a release (build 160) to resolve this issue, which I currently have installed, and running without issue, so,...

Memory usage.
I have had OA2 installed for around 18 hrs, the memory usage as varied. There are 2 processes running:-
oasrv.exe: 8,000k - 10,000k
oaui.exe 8,000k - 9,500k

So on average, below 20mb

I did expect a large increase in memory usage when I loaded the blacklists, as these between them are approx 12.8mb (txt files). There was a quick increase in memory usage of about 5mb when I loaded these, but this then went back down to normal.

Surfing speed,.. no noticeable decrease in browsing, even with the blacklists (I shown) loaded.

Now, kills/leaks

I would of prefered to test this on full release, and certainly not on W2K (due to possible bugs still present). But, I did some basics,

APT4
I ran the basic 12 kills againts oaui.exe, OA passed all that I could run (kill 10 would not run on my seup (terminal service))

SPT
Again I ran the basics (16 tests)
OA failed on:-
KILL 4 (terminate process by instruction pointer (IP) modification)

Stopped, but with auto restart notification on KILL 16

I still prefer to run these againts OA on XP, or when final.
Leaks,

I did/do not have time to run the full batch of leaktests, but did a quick test with leaktest 1.2 (just to check hash checking) which it passed. Out of interest, I did run the PCFlankleaktest, which it did intercept (I was a little surprised,.. and I will need to find time to check out the rest of the protection)

I hope this answers the questions I have been asked. Please do post to thread any findings you find yourself, or if you have other questions.

Stem

 

I´ll keep an eye on this firewall, it seems to get better each day
Questions:
- I also expect the local range to be included.
- How to add remote IPs per app (mail servers, HTTPS, DNS servers).
- How are handled DNS lookups (per app or global setting for svchost) and DHCP?
Thanks Stem for your tests.

 

Yes, as I mentioned, I would prefer for local ports to be included in rules. The restricted ports does give some compensation to this.

Endpoint restrictions, check post 5. I can/will post examples if wanted (I know I should of given more detail, but spare time was/is short, sorry)

No problem,..

Stem

 

So, "Endpoint restrictions" always refer to remote IPs? Sounds like the "Custom addresses" of Kerio 2.1.5.
Thanks again Stem.

 

Stem, thanks for your excellent overview of this new FW (and HIPS?). Would you please let us know how much memory OA's processes use? ~pv

 

Post #6

 

Thank you for your trialing and evaluating this firewall, Stem.

Regarding this:

I'm looking forward (as I'm sure others are as well) to hearing your results once you've had time to put it through all the tests. Hopefully you'll be able to keep it around for a while afterward and put it through even more extensive testing, and keep readers like myself up-to-date on any developments as well as your opinion of it from your experiences (either positively or negatively).

Thanks again

 

Hi JR,
I did intend to setup and perform full leaktest "tests" ASAP, but as I have been informed that OA does block these,.. how can I not fully test. I will "pull`n`test"(so to say) tomorrow, with results as I find (both on W2k and XP)

 

very nice review Stem

also would you mind testing OA FW with online games or p2p. I want to see how it well it handles the connections and what not.

 

I want to ask, can u use just the firewall without use of OA HIPS?

Also one Q from MikeNash, is there any future plan of FW alone without HIPS?

Thanks

 

Hi Aigle,

Yes, you can disable the HIPS features selectively if desired - lots of configuration options. However, without some of the HIPS features enabled (for example, process tampering detection) then the firewall would fail the leaktests (if you care about such things).

With OA2 it is possible to get rid of most of the HIPS things without sacrificing these features. For example, you can deselect "alert when an unknown program tries to run" which will still give you the other facilities but will not prompt on unknown EXE.

Similarly, you can turn off the webshield popups (silently block) or turn off webshield all together.

I'm not sure it would be worthwhile releasing a standalone firewall for the reasons I mention above.


Mike

 

Thanks Mike!

You are right that disbling HIPS will let the FW fail against leak tests.
But I am concerned from marketing point of view. Many users might not like a full HIPS-like popups but will still like to use OA with less pop ups( related to anti-leak test functionality).
I think there should be a one click option that will diasble all HIPS functionality which is not related to FW and leaktsets while at the same time keeping FW and part of HIPS which are necessary for leak tests enabled.

I hope I am able to make my point clear.

 

Hi Aigle,

I agree it's a nice idea - but on this release, I must draw a line somewhere. For the last 8 months I've been adding "one more feature" to OA. We were ready long before Christmas with the firewall, but then I had to go and make it Kernel Mode... and now its March

So for this release - no more feature changes are going in. The slate is wide open for later versions of OA, of course.


Mike

 

Ofcourse I am not suggesting for now, just a suggestion for future versions.

Thanks

 

Hi WSFuser,

I can set up for a torrent client, and will download one of the large linux(or whichever) iso files. I do want to see performance and memory usage of OA with many connections, but also with the large blacklist in place.
I will do this after running through the leaktests (which I am setting up for now)

 

I appreciate it Stem.

 

leaktest1.2 ...........pass

PCFlankLeaktest .......pass

Wallbreaker v4.0
1 .....................pass
2 .....................pass
3 .....................Wallbreaker error "cannot create file"
4 .....................Wallbreaker error "cannot create file"

Tooleaky ..............pass

Surfer ................pass

pcaudit ...............Failed
pcaudit2 ..............Failed
(PCAudit uses DLL injection to inject it's code (as a DLL) into authorized application instead of launching it's aim directly.)

GHOST .................pass

jumper ................pass

firehole ..............pass

thermite ..............pass

dnstester .............pass

Up to now, OA fails only on blocking dll injection. I can find no settings for this.

 

Thanks Stem, nice work again.

 

Hi Stem, thanks for testing and providing the results of your findings (below):

Very much appreciated. Thanks again, Stem

Interestingly enough.....your test results are a little different from the test results that Mike Nash posted at the Tall Emu/Online Armor forums (I hope Mike doesn't mind, and that this doesn't "breach" some sort of "cross-forum posting/referrencing" rules):

In Mike's testing, PC Audit passed...but with your's it didn't. But yet in Mike's testing, Wallbreaker failed but in your testing it passed (well, passed on 2 attempts, couldn't execute on the other 2). While Mike admits that his "personal" testing is done on an informal basis....each of you have very similar results with just a couple of discrepancies. I notice that you didn't include "Breakout" in your test results, Stem....just wanted to mention that because that is one test that had not "passed" previously for Mike. Otherwise, it's looking pretty good right now

I hope that both you and Mike will please keep up the good work....

* And IF....the above post of Mike Nash is in violation of some sort of forum T.O.S., I hope that both Mike and Wilders Forums will accept my apologies in advance.....

 

Hi Stem,

Maybe we have a different version of pcAudit? I donwloaded mine from firewall leaktester a few months ago.

When I run the test here, OA gives me a set global hook warning, and then error 0 on step 5. When I look in avdnaced options in program guard I see that set global hooks is not allowed by OA - I'd be interested to see (offline/via PM) what you have seen.

@JR - I have no problems with people copying an pasting comments I've made from the public areas of our site.