Outbound Application Filtering

Re: Firewall suggesting?

Xp's icf is not much better than nothing in my opinion for the simple reason that i don't think a firewall that doesn't filter outbound info is worth having on my machine. It is like having a car that the brakes only work in reverse. Zonealarm free would be a good start for a firewall, if they don't like it they can always change it later.

bigc

 

Re: Firewall suggesting?

my point exactly.

 

Re: Firewall suggesting?

I totally disagree with this emphasis on outbound filtering. It isn't even a mainstream concept. It is one thing to have fun and experiment with firewalls and security applications. It is completely another to be making recommendations based on this outlook. Ask yourself if you were an IT professional responsible for 2000 workstations and your job depended on it, would you give this advice?

 

Re: Firewall suggesting?

so, your whole basis of firewall security is to block anything from getting through in the first place? furthermore, you're trusting microsoft to do this for you? what about viruses and malware that get through to your computer using legitimate programs? once they get there, you're screwed if you aren't running other third party programs to stop them from dialing out. and not that i know for sure, but i get the feeling that trbot's auntie isn't running processguard or something else that could prevent this from happening.

sorry diver; either you been under water too long with lack of oxygen, or you been sniffin' glue.

 

Re: Firewall suggesting?

Diver your thoughts on not needing out bound protection and detection is a strange way of thinking for anyone that wants internet security to the best of their ability. but it is your computer and you can do as you wish with it. But I have been in computer repair and security for many years and I would never suggest your way of thinking on firewalls to one of my customers.

bigc

 

Re: Firewall suggesting?

We are talking Auntie not an IT professional in charge of 2000 workstations....Good grief Diver... it is one more heads up...why is this application asking for access to the net...no, request denied. Let me do an Asquared scan or whatever (free scanner)...and so on. Outbound alerts are another layer or method of protection. And as you learn you can set the things up more to your liking or move on to more advanced setups. Sorry to disagree, but thats what makes the world go around I guess.

 

Re: Firewall suggesting?

Diver,

The simple answer is no for a couple of reasons. The primary ones being:

• The personnel at those 2000 workstations really shouldn't be freely surfing the net going who knows where.
• IT has likely implemented some domain level measures which enforce policies on these workstations to limit some of the more serious issues
• IT should have implemented a site level content filter or url blocking system to inhibit the less inhibited surfers
• These workstations are for work. The range of applications on them and their need to access the internet are rather limited.

The fact of the matter is that a properly administered commercial LAN is a rather civilized cyber-environment with domain level protections and people trained to properly configure them. A single or handful of home PC's are akin to naive city dwellers wandering around the seediest frontier towns in the American wild west days of the 1800's. They might need an extra hand to notify and control who they're talking to and what they're saying.

It doesn't seem to be a difficult concept to me. By the way, on the commercial LAN the I reside on at work - which has well over 2k workstations - mobile laptops which can go off domain and connect through a broadband based VPN are configured precisely this way. They always have a local firewall. Most of the users probably don't have a clue regarding outbound communication control, but it there in that selected case for rather obvious reasons.

If I asked an IT professional for advice, I'd hope that they consider the target environment and needs and not necessarily provide the specifications for the solution they've implemented at work.

I do agree with one aspect of your perspective, outbound filtering is generally not required in general usage. However, it can provide early diagnostic signals of something going astray and can be used during detailed diagnosis of system problems arising from malware infections. In this context, it is much easier if it is already present and running. Under circumstances where this possibility is heightened, a software firewall with outbound filtering capabilities is a very desireable (though I'll grant, not absolutely required) measure.

Blue

 

Re: Firewall suggesting?

Actually, the concept that you must put a lot of effort into catching a trojan by its outbound communication after it has installed itself oon your computer is a strange way of looking at internet security. I just guess that I am as strange as James Grant (developer of Conseal and 8Signs) and Stephan from CHX-1 and every enterprise firewall out there, and Microsoft. MS, decided to do their firewall the way they did because they wanted everyone to use it. Anyone that thinks outbound filtering is for the masses has lost touch with the average guy. Once someone has some technical ability it is very easy to forget the state of mind of those who do not.

Put your self in the place of the other guy. Imagine you have 5000 workstations to look after and 4950 of them are being used with persons who have no idea of what to do when they get a firewall pop-up that says should I allow xyx to do...

Hoy do they roll this out? Do they sit there at each computer and respond to the firewall alerts? Do they do it on one machine for a few days and roll out an imate with that config and hope they tried everything? What happens when some secretary or lawyer or executive gets a firewall warning and everything stops while they call the help desk? Who get fired?

It is very nice to play with outpost pro or Tiny as a hobbyist, but none of this stuff flies in the real world.

BTW, what do you mean by strange, or serious? You know, all this outbound filtering is easily defeated by a trojan that installs a communications driver to get around the firewall. See the post by Stephan on this, and he discussed it with James Grant. Either that, or the firewall could be terminated.

Outbound app control is just part of a big marketing machine started by Zone Labs and and enhanced by Steve Gibson.

Ant my fial word, your AV has to miss it for any of this to make a wit of difference. You can say that is easy, but I have not seen it happen around here except once since the days of the 8086, and it was so obvious what had happened that application filtering would have made no difference.

Anyone who can answer all of those firewall pop-up warnings correctly, is smart enough to avoid installing the trojan in the first place. I am getting tired of making this same argument over and over again. This application filtering thing has become a mantra and nobody even wants to think for themselves anymore.

 

Re: Firewall suggesting?

But if there is a piece of malware that gets through my firewall along with a legediment message or what ever and has the ability to send my private info out and if there is any chance that a firewall with outgoing filtering might stop it it is worth every bit of the minimal effort it takes to configure it or respond to a pop up or two. And when we talk firewalls her on this forum it is almost always a single comp or possibly a home network with two or three comps on it. which is a lot different than a corporate environment with thousands of workstations that are usually maintained by the IT personal anyways.

bigc

 

Re: Firewall suggesting?

I give up... based on Diver's last post I am not average and I might be a genius

 

I don't think you can make blanket statements about whether app control is needed or not. It all depends and boils down to your individual needs.. Some need it desperately, and some can do without it. Simple as that...

 

I have run Kerio 2.15 for years without app control but I have always emphasized on using good anti virus, till now,my system security remains to be breached. Maybe I am just plain lucky but I feel app controls take all the pleasure out of PC, don't need pop ups when I am busy doing C++.

 

I believe that this thread has led to the conclusion that outbound filtering is and probably will always be a personal preference. Some people like the idea and some don't so It all boils down to the one thing we all have and that is the right to believe in what we think is right for our selfs. At least we had an active disscusion and hopefully someone has learned something they didn't know at the start of the thread.

bigc

 

That's right BigC. And I did learn something...there is no way I could head up an an IT department, it would not matter if it had 2000 or 5000 workstations. I have a hard enough time Being IT "professional" for two simple machines here. But if I got one machine working I got help right here at the Wilders 24/7 to fix the one not working and I am sure most of you know more then the IT people at my place of business.

 

Although the discussion may seem a bit polarized, it's useful to have. Although I've come to a different conclusion than Diver, Diver's underlying message is one that is important to appreciate in advising or helping anyone.

There are two extreme possibilities - a user is completely frozen as to what to do with a firewall based pop-up, or they blithely click away with abandon, effectively rendering the firewall inoperative. Both extremes are obviously bad end results for any support staff.

Real users do lie between these two extremes. When I installed a firewall on my family PC's (Outpost Pro), I did do a few things that may make other Outpost users shudder. I disabled the component control feature - too many pop-ups that casual users wouldn't be able to intelligently handle. I simply assumed that they would approve any of these. I also ran through all the applications that would need Internet access immediately after the install to create all the needed application based rules for their machines. These machines have now been in use with Outpost for about 18 months. In that time the total number of pop-ups that have required my input been in the single digits for 4 machines. On each new application install that requires internet access (generally game or music applications), I helped with the install and made sure the application rule was created immediately. This occurred maybe a eight times in that period.

If something unusual occurs they can either call me or allow/disallow the connection. Let's say they simply allow everything and this leads to problems. I still maintain that I'm going to have an easier time correcting that problem and understanding the issues with a outbound control firewall in place. It doesn't necessarily limit damage - it may - but it aids in the resolution.

In the best case one has good preventive communication control. In the worst case, the post-mortem following a problem is aided. Is that worth the trouble incurred? Reasonable people can disagree on that answer.

Blue

 

Most of rhe members are more than willing to jump in and give a hand if they can and if they don't have the answer to a problem we have some very proficent search engine geeks here that can find almost anything.


bigc

 

Now Blue there is a real good suggestion for helping set up a newbie. I will do just that when setting up Moms.

"I also ran through all the applications that would need Internet access immediately after the install to create all the needed application based rules for their machines."

 

i just think outbound protection can be useful, especially for a newb. most people who are unfamiliar with computers and how they work, are more likely to open email attachments and respond to e-mail's directing them to download something they have no business messing with. this can also be the case with children or teens who may be searching the internet 'for a good time' or downloading files from kazzaa. a firewall with only inbound protection would miss stuff that could be downloaded from a trusted application, like program registration hacks that are full of viruses and malware. in my thinking, i would imagine outbound protection would be more important than ever for a new or unfamiliar user. with a firewall like outpost running, at least u may have the option to prevent malware from dialing out. as for pop-ups, the standard saying is to usually deny it if you're not sure what it is, and see what happens.

 

INTOX, That was a REALLY good post and I agree with you entirely. I am taking you for a few beers.

And I do agree, A kid goes to look for cracks, and searches google. It will bring up a terrible site called ]www.seri*ll.com (a removed due to site being a live trojan), which infects the Surfer with a Trojan ISTbar upon loading of the page.

Intoxicated rules.

 

sweeeeeeeeeeeeeet!

 

Outbound protection does nothing more then tell you something is trying to access the internet. It does not tell you if it is a trojan. It may give a hint in that a method of indirectly starting an application is being used, but that is not enough for a newb. All they have to do is click yes on the pop up warning. By the way, that is the same way that trojans get on your machine. Do you want to install...? There lies the crux of the problem. None of these firewalls or sand box utilities are smart enough to tell you when there is a problem. They just take a dumb look at certain types of system behavior and ask the user what he/she wants to do. For the user that knows what to do, the process will not ever reach that stage.

When the firewall or sandbox can tell me "this is a trojan your AV missed" and be right 90% of the time, then I would be interested. The problem now is it is wrong 98% of the time, only fans of these programs say it is just doing its job.

Just for clarity, I don't buy the newb/kid argument at all. If you are worried about those who are even one bit irresponsible, nothing short of something like Deep Freeze will work. DF lets you mess up and restores your system on the next boot. It is effective enough to use for kiosk browsing. In fact, I discovered DF using a kiosk machine at a hotel.

Yes, home systems are different from corporate networks. A home user can spend all day Sunday fooling around with security applications, never get anything done, and not have to answer to anyone. That is why I say it is OK to have fun experinenting with this stuff, but think twice before giving anyone advice.

 

i understand where you're coming from, but for the cost of $0, why not use a free version of za or some other free 3rd party firewall that cannot hurt you and only help you? i think the outbound application filtering has more benefits than just stopping malware and trojans from accessng the web. for example: there are some programs with auto updaters or help files that access the internet when launched. some that cannot be turned off from inside the application itself. there are also programs that request server rights, like yahoo messenger, that i have found no reason to need server rights to access the web. i believe it is more reassuring to know what programs on my computer are accessing the web and why. for the cost of nothing, at least za can offer you some control over this and is simple enuff that even a newb can understand it. hope this makes sense, been a long night!

 

Diver:

First off home users arent running Enterprise Servers and were talking desktop firewalls not commercial business class firewalls. Secondly for your theory to be correct would rely on a firewall that is 100% effective against outside attacks which one doesn't exist. (Ill spare posting all the Cisco router and the like vulnerability's)
As far as websites go (business class) - most still allow unrestricted modem access. if unrestricted modem access is still permitted into a site protected by a firewall, attackers could effectively jump around the firewall. Modem speeds are now fast enough to make running SLIP (Serial Line IP) and PPP (Point-to-Point Protocol) practical; a SLIP or PPP connection inside a protected subnet is in essence another network connection and a potential backdoor. Why have a firewall at all if unrestricted modem access is permitted?

And for every security expert you mention i can rebuff with one who has the opposite opinion:

National Institute of Standards and Technology
John P Wack
Lisa J. Carnahan
http://csrc.nist.gov/publications/nistpubs/800-10/

http://www.hideaway.net/home/public_html/pc/firewalls.php

But they are all long reads (at least i provide links where are yours?) and really don't prove anything in the end. I surely wouldn't include Microsoft as any type of security expert.

Are we back from business class to desktop firewalls? ... you can't compare business class and desktop firewalls (thus the different names)
OK ... Desktop it is -So what do you do about Keyloggers and trojans ALOT of which are downloaded as legit applications? What do you do about DNS poisioning?, Hijacked URL's, etc ...For instance once your DNS cache is poisoned. All requests to .com hosts are redirected to malicious sites. A malicious DNS server can poison the entire .COM domain. (But we don't need no stinking outbound filtering)

The above statements hold no water and provide no proof other than the mere fact that you uttered the words.

More and more client-side hijackings slide past most AV engines and even desktop firewalls; they are considered "authorized" applications by most controls, therefore appear to be benign (when they really are not). Continuing the trend is to see trojan delivery models that leverage existing applications and are a huge threat going into the future. http://isc.sans.org/
http://i.cmpnet.com/nc/1605/graphics/1605f4_file.pdf

AV's are not trojan scanners with maybe the exception of Kaspersky ... if your relying on your AV to fend off all malicious programs your dead already. And the idea that it is a marketing tool shows what what little you actually know. I guess it can't be a good idea who's time has come?
I suppose you could say that about the first person to do anything security related ... even the improvements made to the first home burgular alarm such as the addition of motion detection. (we dont need that we have an alarm ... motion detection is just a marketing tool)

Keep your Inbound only protection i could really care less (youll get what you deserve eventually) but to come on the forum with a few quotes from people who are only trying to make a name for themselves by bucking whatever the current trend is just to stand out and influencing non educated users is not cool.

These are all "Real World" examples not just somebody's opinion that at the same time is also aggressively marketing a product against those whom he/she bashes.

Unwarranted personal comments excised - BlueZannetti 3/4/05

 

BRAVO......BRAVO.........BRAVO ......S!x

Granted I'm far far from a FW guru

But it seems to me if you get an alert from from any security app...and it

gives you a choice to deny or accept.....you may choose wrong....but at

least you have a 50/50 chance...of being right....I think that is far better

than have no chance at all.

 

To all:

Let's keep the discussion focused on the technical question at hand and please refrain from comments of a personal nature. They're always uncalled for and generally wrong.

Blue