Opinion please on where firewall rules should be kept

I have seen in various discussions that the Comodo firewall secures its rules in the registry. Other firewalls like Kerio use a config file in their own folder which I assume is encrypted.

Seems to me that the registry is not the best place since if you wind back your registry or reinstall Windows after some corruption you have lost all your settings and have to start again.

What is the experts opinion?

 

Its not where, its how you protect it that matters!

Melih

 

In the file of course. The most likely one who can corrupt a ruleset is the user itself.

File concept allows to name rulesets by date or how anyone pleases. Might not be a bad idea to even send a backup copies to some other computer. I keep a few backups in my gmail account.

File concept allows also a fast ruleset change flexibility for various purpose configuration changes. And importing rulesets from other computers.

 

Missing the point Melih - take this scenario

I want to reinstall windows (got corrupted - whatever). My f/w is on another partition. With Kerio and the like I can retrieve my config file and be back up to speed with my rules. With Comodo you have to start all over again going through the endless pop ups.

 

And how about to export registry branch with Comodo ruleset before and import after system reinstall? U may find them at HLM\SYSTEM\Software\Comodo\Personal Firewall

 

Assuming you are at a stage where you can still get into Windows. I had an instance recently where I had to reformat the partition because of a corruption somewhere. Getting the f/w back was no problem because it is kept on another partition and has its own configuration file.

 

Yes. But what average beginner computer user is going to want to
go into the registry and start editing things? A configuration file is
more safe, easier and convenient especially if you use muliple rulesets.

 

I need a little help in understanding this please. I have tried to get this answered in the Comodo forum but they seem not to understand.

I am wary of keeping the rules in the registry so tried out some experiments on it. Using RegSeeker I deleted all the rules. 40% were deleted and the rest retained. There was no action from Comodo. I then rebooted and found that the firewall no longer worked even though a part of it was still loaded. It allowed any program to connect out even though the program had never been granted access.

Strangely this then happened for real. It stopped working and blocked all outgoing, then on a reboot it was no longer working.

I should add that at all times I had the registry protection on and secure on boot enabled.

Don't know if this is a legitimate complaint about the structure of Comodo or whether this is justified.

Would welcome the experts opinion on this please.

 

Hmmm, I am not imagine "average beginner computer user", who: format HDD, install windows, install hardware drivers, install network, tune firewall, but can't export/import registry branch. Sorry

 

I think it was more of a question for you, not directly meaning you.
Would you recommend a newbie go into the registry and start editing files ?

The question was posted "What about the average beginner computer users ?" because Comodo was made for ease of use without alot of hassle to setup, something that beginners could use as a firewall while at the same time giving them great protection
Its not like you're telling them to download OutPost Pro or another rules based firewall.

 

Post this suggestion in the Comodo forums and it will be considered for future releases.

 

If all else is equal, if given a choice between storing firewall rules in the registry or as a configuration file, I'd choose to store them as a configuration file.
Storing them as a file makes it easier to save a copy of the ruleset on a backup disk. By using configuration files such as Kerio 2.1.5 does, the user can have several different firewall configurations and switch between them easily. It also would be easier to export a pre-made ruleset in a multiple PC system as a configuration file.
IMO, storing the rules in the registry makes them more vulnerable to corruption, either thru system error, poor registry editing, an error by a registry cleaning tool, or an attack on the system. Stored in the registry, an attacker who's familiar with the particular firewall would know where to find the rules. Even if he couldn't read them, he'd know what area of the registry to target and try to corrupt. As a configuration file, the firewall and its rule file could be installed anywhere. If a user changes firewall rules and needs to do a registry restore, the restored rules may be the pre-edited set.
As far as normal system reliability is concerned, registry corruption isn't near the problem it used to be. On the other hand, malicious code is much nastier than it's ever been and can easily target the registry. I doubt most registry monitoring/ defending software would protect the specific portion of the registry containing firewall rules by default. It would probably need to be added manually. That would also create the possibility of the registry defending software preventing the user from editing the firewall rules.
IMO, a configuration file is the more secure option, though the difference isn't that great. The bigger advantage of configuration files is the ease of copying, backing up, deploying to multiple PCs, and the ability to have more than one configuration saved.
Rick

 

Those are my feelings as well as a non expert. This does seem to leave an exploit open to malware to remove the run command from the registry and on boot up you have no protection. This happens with Comodo, Kerio 2.1.5 and probably others. So you can have a fancy f/w with all the bells and whistles but can be removed simply via the registry.

Don't know how feasible this is in practice to do. Probably the more popular the f/w the easier it will be to target.

 

Personally, I prefer an encrypted configuration file - primarily for tamper-resistance. I do think though it's perfectly valid to have rules stored in the registry provided that they are adequately protected - either by the application itself, or a third-party tool such as RegDefend.

 

Of course, the average beginner computer user is probably not going to know to install the firewall on a separate partition to preserve config files in the first place.

More to the point, however, I would never want my firewall rules to be retained after a format and reinstall unless I have specifically saved certain rules. I am always learning more about computer security and each time I have reformatted and reinstalled Windows, my system has gotten tighter because of my application of knew security knowledge to rule creation.

And what would happen if the need to reformat arose because of a malicious program that the average beginner computer user installed and gave internet access permissions with the firewall? Upon reinstallation of Windows with the saved rulesets, that permission for the malicious software would remain.

 

We are not talking about dll's and such cthorpe, only basic firewall rulesets.
You normally have spent a great length of time in making them? Learning stuff, all that, bring a bell?
Something that can be seen in a firewall interface and not what is hidden behind some crazy registry.

So, my viewpoint is, a renameable file to save the settings and to restore them when needed.
That is how every larger configureable program should work, or am I really that wrong?

Would be totally crazy if I tried some other firewall and not know that when I get back to my kerio 2.1.5 I would not have my protection I worked really hard restored.
I know good old Sygate has not that ability, I miss it sometimes when I like to get back. Some features.
It is a little understandable for a commercial firewall, although I always used just a free version.
But not something like Comodo that is free, now anyways. Did not like it have to say anyways.

I cannot understand? You want, have, some knowledge you want backup or not? It is always good to keep stuff in memory too, LOL. But remember what computers were made for. To store information, not always good these days. And one should never need a reformat?
If you think reformat is necessary cause of some bad things, you have not been running secure. Sometimes it is, things happen, reformatted my PC once, but it was not cause it was malware invested. It was a privacy matter.

 

That is your point of view but cannot agree with it. I try out other firewalls and keep coming back to 2.1.5 where I have my various rule sets stored. However you can just delete some of the settings in the registry leaving you without a f/w when you reboot. Applies to Comodo, Kerio 2 and probably others.

 

Sorry. I don't aggree with you!! Average beginner computer user can NOT do any of things you sugest.
I know of NO new computer user that has never seen,heard or touched a computer before do any of things you sugest. Sorry

 

I can imagine. I am such a person. I know how to do all the rest, but touching windows registry, I would not do that. Shows me maybe as an ignorant but I have not touched it! Some programs I have used like CCleaner, but that is all.

A normal user should not need to go to windows registry, to save rules etc. Goes for my above post with needing to reformat either. I exclude gamers and programs installing illegal sites.

 

I note that you are using Jetico. I was under the impression that it kept its rules in a separate file.

 

Ah, but I never made any comments about registry vs. separate file. I was only responding to the posts regarding saving the config through reinstalls, reformats, etc. I just said that I didn't want the rules retained unless I specifically retain them.

 

That's not so much a firewall problem, more of an incomplete security package. A good security package will have registry protection included. IMO, it should be separate from the firewall, no files, bugs or potential exploits common to both. For me, SSM provides that protection, plus protects Kerio in other ways. Besides directly protecting the registry autostart, it also prevents unknown and unwanted processes from running that may try to make those registry changes. SSM also has a "keep process in memory" option that can be used on specified processes, like firewall engines and resident AV executables. If anything gets past the process monitor and manages to kill the firewall, it's automatically restarted. SSM protects the firewall and its registry entries. The firewall prevents anything on the net from connecting to SSM. Layered security is more than layers of security apps. In a well designed setup, the layers directly protect and defend each other. While many don't feel the HIPS component is necessary, I feel it's the ideal solution to security issues that have been hard to address, like new exploits. With or without HIPS, any good security package should include registry protection, which will take care of the firewall startup entries and more.
Rick

 

I would definitely want to keep a backup of my Kerio 2.1.5 rulesets. I've invested a lot of time and effort in making the tight set I use. I have nearly a hundred rules, many address and port specific, and I don't want to have to do it all over again. While I do reformat my primary system from time to time, it's never been because of a malware infection. It's usually to implement some new idea that I can't do by editing. The last time was to add Linux and a bootloader. Apps like Kerio 2.1.5 and SSM are good teachers. Both can teach you a lot about what's going on on your system. Configuring Kerio to defeat the leaktests that normally get past a firewall and usually require some form of hook detection to defeat was an excellent education.

If a user finds themselves needing to reformat because of something that not only got past their defenses, but persuaded them to allow it internet access, I would hope that they'd delete that rule or not use that particular configuration file. I'd like to think that if they had to reformat due to malware infection, that they'd at least have identified the culprit so they don't do it repeatedly.
There are several problems with the scenario you describe. Most beginners aren't using rule based firewalls. Many beginners wouldn't know what one is, let alone be able to name one. Assuming a beginner has installed one, the only way I see that situation arising is from the user clicking thru the alerts to get rid of them and not taking the time to learn about what they're allowing. That's an example of a firewall not being compatible with the users skill level. A combination like that is a security risk, and unless the user learns his system better, incidents like that will repeat. The user either needs to learn more about what he's allowing and his system in general or switch to a firewall with some version of automatic rule creation.
Rick