Outbound Security

Discussion in 'other firewalls' started by Blackcat, Apr 27, 2003.

Thread Status:
Not open for further replies.
  1. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,007
    Location:
    Christchurch, UK
    During my testing of a number of software firewalls, it became clear that none of them offered complete outbound security as revealed by a number of tests.

    A number of firewall vendors put forward the argument that firewalls are mainly to block incoming threats and therefore leave outbound security to AV/AT programs.

    Since these tests have been available for 2 years or more, I am surprised that very few freeware/commercial firewalls appear to pass all of these tests.

    In my experience, a number of software vendors have little knowledge of the firewall testing programs, both inbound and outbound, available on the net. Therefore, they are surprised when their particular product fails particular tests.

    3 main questions arise.

    1. How can the average computer user protect him/herself against malware determined to get out. Is inbound protection sufficient?

    2. What is the significance/reliability of these outbound tests e.g.tooleaky?

    3. Is this again an example of 'snakeoil'!!!!!
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Blackcat,
    weith Port Explorer you can at least see and control outgoing and incoming traffic in the full version including blockage, but we discussed this recently with the developer, it's a real great help but not a complete outbound firewall.
    Give it a try!
     
  3. The Snowman

    The Snowman Guest

    BlackCat

    LOL...watch this thread grow..grow...grow...


    The first I recall of firewall leaks was when users of Spyblocker software realized that it passed right through zone alarm(previous versions)..Paul K.(Spyblocker) contacted zone alarm vendors openly......sometime later leak test began appearing
    Leak Tests: aka: trogans
    Do they server a purpose.....to learn of firewalls leaks, yes.......but should not firewall vendors know of these leaks prior to marketing their product.....of course, how many vendors of any product reveals the products shortcomings.
    But....since the leak tests are trogans should not trogan scanners detect them? the intended purpose of anti virus programs is not to detect trogans....how many times have this been stated by vendors of trogan scanners?
    But then again.....WINDOWS is a insecure os.....an the leak tests play on the weakness of the os.....hmmmm snake oil??
    but wait....the leak test are knowingly installed.....just like USER AGENT.....so...is a leak test really a trogan?? After all..can't USER AGENT bypass firewalls.....an could perhaps one of those leak test just be doing what USER AGENT does??/
    Am I going to be even slightly concerned about a firewall not passing a leak test>>>>ABSOLUTELY NO!!
    I don't knowingly install trogans.....an if a trogan does get into the os the trogan scanner best darn well detect it....an the firewall LOGS show its active.........
    Popular point of view...no way....
    Leak test server a useful purpose.....when used by the proper people for the proper reasons.

    Preventing outbound connections......if there is an outbound connection I WANT TO KNOW OF IT......then I can take the required action.......
    BlackCat you summed it up very well...here it is several years after the first leak test and firewalls still leak......it has not be fixed............so in my case forget it........protect with what I have...an not play someone elses game...panic..no way! There are no puppet strings on my back to be pulled.
     
  4. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Blackcat!

    Actually there is a firewall software which passes all the Leak Tests. It's Look'n'Stop. :cool: For further information go here:

    www.pcflank.com

    Read the two articles:

    -Personal firewalls vs Leak Tests
    -Personal firewalls vs. Stealth Test, part II

    added direct link to articles - CrazyM

    With this software there won't be any outbound activity you didn't allow. Even if there's a minor change in one of the allowed programs Look'n'Stop will give an alert and ask again for the permission. :D

    Best regards!

    Patrice
     
  5. Ph33r_

    Ph33r_ Guest

    Look ‘n’ Stop passes all the known Outbound Leak-tests so far;

    Leaktest, Yalta, Tooleaky, FireHole, Outbound, Atelier Web Firewall Tester v3.0, pcAudit 3.0.0.3, Thermite, Oops… Is there something I left off, and is there something I’m not seeing?

    Yea that’s so very true, like James Grant had over on Becky’s Board when brought up to him…

    1. Application Filtering is very useful and necessary, without that it’ll be quite deficult for an average Joe to protect himself against malicious Outbounds…

    2. The significance/reliability of these Outbound Tests is to bring awareness of such methods existing which bypass Software Firewall’s Application Filtering Features. Everything has limitations; there is only so many ways to bypass Software Firewall’s Application Filtering Layer without it being destructive… In Reference to Windows NT Systems (NT, 2K, XP)

    3. You tell me… :)
     
  6. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Software Firewalls: Is there such a thing anymore?

    Or are they all destined to become overall system security applications/suites?

    There was a time firewalls were considered something that simply controlled traffic between networks.

    As things evolved more features were introduced and the definition of “firewall” and what it is/does will likely vary depending on whom you ask.

    Application control became popular. Then the original leaktest demonstrated a possible need for application checksums. Later the more advanced leaktests demonstrated the potential for application hijacking and .dll injection. Some provide ad, cookie, active content and other privacy and content filtering. Most firewalls now provide stateful inspection and are introducing intrusion detection systems and sandboxing capabilities as well.

    The various vendor offerings provide this added functionality via components/features within the application, plug-ins or application suites. Add in to the mix the increased public awareness to computer security issues and the vendors catering to a broader user base than before.

    With all this capability comes added complexity. Do we want all our eggs in one basket, so to speak?

    Is there such a thing as just a firewall anymore?

    Regards,

    CrazyM

    from a previous post of mine I can't find the link for right now
     
  7. The Snowman

    The Snowman Guest

    Truely I regret having made my previous post....I've seen so many debates on this subject that the post just finally came out...........now I'll back off this issue completely.......its just not worth the effort.......
     
  8. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Phant0m!

    Good answer by the way! ;)

    Regards,

    Patrice
     
  9. Ph33r_

    Ph33r_ Guest

  10. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Snowy

    Nothing to regret, we all have our opinions and different approaches to the security of our computer systems. And it will always be the subject of much debate.

    I feel Blackcat’s original questions are worth discussion. A lot has changed in a very short time. Firewalls are changing and there are new utilities like Tiny Trojan Trap (now TPF), System Safety Monitor, Port Explorer, etc. These new utilities offer users different approaches to system security and what may or may not be needed in firewalls. As long as the discussion sticks to the big picture and viable options for users and avoids the “my firewall is better than your firewall” it should be a fun and worthwhile discussion.

    Regards,

    CrazyM
     
  11. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,007
    Location:
    Christchurch, UK
    Hi Patrice


    Yes, I have LookNStop on my main box and I know that it passes all of the leak tests. I just did not want to 'plug' this firewall.

    Do you know of any others which pass all of the tests?

    Snowy, I am sorry that you feel you cannot contribute to the general argument but your contribution would always be valuable to us newbies.
     
  12. Ph33r_

    Ph33r_ Guest

    Hey Blackcat

    When you said “I just did not want to 'plug' this firewall.” Do you mean configure? Make Internet Filtering rules? A lot of people agrees that EnhancedRulesSet.rls is very secure by Default compared to most Software Firewall’s Default rule-sets…
     
  13. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,007
    Location:
    Christchurch, UK
    Hi Ph33r_

    No. I simply meant I did not want to endorse LookNStop as the best firewall to use.

    It probably is by many criteria and I am a registered owner who runs it quite happily with the 'enhanced-rules set'. But I would like people to make up their own minds on what software to use.

    Thanks for your valuable inputs overall.
     
  14. Ph33r_

    Ph33r_ Guest

    Anytime, btw have you seen this Additional LnS Help Guide?

    http://looknstop.soft4ever.com/Tools/External%20Resources/Look_'n'_Stop.chm

    fixed link to download of help file and removed duplicate post - CrazyM
     
  15. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    The tough part is how are you defining "average computer user"?

    If you are talking about users with limited knowledge of computer security, family systems with multiple users of varying ages and habits, then yes they would likely benifit from something more than just a "basic" firewall.

    Is there alternatives that will provide adequate protection from malware in addition to a "basic" firewall? Yes, there are a number of good utilities that would compliment a "basic" firewall and still provide a more experienced user the ability to monitor and protect their system. Applications/utilities such as TTT, SSM, Ehtereal, Port Explorer, Proxo, to name a few are examples of what could be used to compliment a "basic" firewall. I am quite comfortable running with a hardware solution (or solid packet filter like ConSeal), knowing what is on my system and the utilities I have at my disposal. But this is not for everyone.

    As proof of concept and identifying potential vulnerabilities they serve their purpose. If some of these exploits were to be seen in the wild, they would still require to be downloaded and executed. This may be a non issue for alot of us, but then we have to consider the "average user".

    To a certain extent it is marketing. Similar to the stealth vs. closed debate. The key is that there are other alternatives to system security and a firewall could be just a firewall...or it could be a lot more. Some vendors go to great lengths, to the benefit of their users, to keep up with the latest potential vulnerablilities. More and more you are seeing the firewall offerings becoming more complex and including new features that deal with overall system security.

    Regards,

    CrazyM
     
  16. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,007
    Location:
    Christchurch, UK
    Thanks for your valuable advice, CrazyM.

    I am familiar with SSM, TTT and Port Explorer but not Proxo nor Ehtereal.

    I can see why now lots of Firewall Vendors are incorporating AntiVirus software in their programs in general Internet Security Suites. Soon these programs will incorporate firewall, antivirus, antitrojan, antiworm, anti-spyware programs and cookie controls.

    TDS taken over by Norton or McAfee :D!!!!!! I hope not!!!!
     
  17. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Blackcat!
    Well, according to the tests of PC Flank, Sygate Pro 5.0 and ZoneAlarm Pro 3.0.091 passed four out of five tests. So these firewalls are certainly good as well! :cool:

    Regards,

    Patrice
     
  18. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Blackcat

    Proxomitron is a web filter and Ethereal is a packet sniffer. I'm sure there will be other excellent utilities mentioned by members that would compliment a "basic" firewall.

    Some are pretty close to that already. I took your original comments and questions as looking for discussion as to whether this is really required or not, are there alternatives to firewalls becoming the be all, end all security applications.

    I feel there are, but as I mentioned earlier, you have to keep in mind the type of user. Here at Wilders we have a broad range of experience among members, and thus any suggestions or alternatives should take this into account. We need to discuss what would be effective for different types of users. What may work for me, may not for you. Or if the kids were still here with their messaging, music, P2P, games and my wife did not have her own system, my approach might be a little different :D.

    :eek: Now you really are trying to get this post going :D.

    Regards,

    CrazyM
     
  19. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,007
    Location:
    Christchurch, UK
    I was looking for possible additional security for outbound connections for relative newbies.

    I, like most 'average computer users' had, until I first visited wilders, just had an AntiVirus program which I kept updated.


    Now, on each of my computers, I have an AV, 2 antitrojan programs, 2 spyware programs, a firewall and System Safety Monitor :D.

    Whether this is overkill, or a placebo effect, I do not know. But I feel more secure!!

    We have all heard stories about people who have 'surfed for years' without any protective measures at all. For example, I remember reading, not so long ago, about Alan Solomons who developed an excellent AV program- Dr Solomons HomeGuard ( the first AV program I used here in the UK which was eventually taken over and ruined by McAfee) who apparently never uses any Antivirus protection now. Whether this was a true story!!!!

    Most other 'newbies I know' just about remember to keep their AV program updated. But presently, there does seem to be more interest in software firewalls and 24/7 connections, particularly with the protection of confidential information stored on your system. Even very new 'newbies' are looking into firewalls.

    To return to my initial thread, this is one of my main concerns and I was looking for the best solution to this problem.
     
  20. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium -Li?ge
    Hi Blackcat,
    rule #1 if your are on a NT OS : don't connect to the W3 with an Administrator Account (only when needed for administration purpose) but with a stricly restricted User account : an intruder could only use its privileges and nothing more. Use strong pwds for all your accounts and pwd protect your AV and FW.

    Rgds,
     
  21. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Blackcat

    Well a couple of the most important things in system security is common sense and understanding the risks - knowledge. By coming here, and I imagine you have visited and learned elsewhere, you are well on your way.

    Well your set up will definitely keep on top of outbound control. You have an excellent firewall and SSM. Overkillo_O Only you from what you learn and understand about the risks can determine the best way to manage them on your system. Some people do tend to get carried away with all the hype, but I do not feel your set up is overkill.

    Yes public awareness and interest in computer security is growing as evidenced by the growth in membership in this forum. This is a good thing. We are all here to learn and share our experiences for the benefit of everyone.

    Your set up is a good example. A solid firewall and SSM for even finer application control. Applications such as SSM or TTT are fine additions to a good firewal for those that want to restrict applications further than is capable with some firewalls. Although a lot of the newer firewalls are starting to or have introduced features like Program Launch and Component Control. So all in one type applications are likely to become more prevalent.

    Other handy utilities you might want to consider that are effective for system security and for the learning experience and how things work: Port Explorer (port mapping, packet sniffing and more), or other port mapper like Vision and a packet filter like Ethereal.

    Jack mentioned knowing and securing you OS which is also very important.

    Last but not least, as we all make mistakes :eek:, backup regularly ;).

    Regards,

    CrazyM
     
  22. controler

    controler Guest

    On Your Windows Xp system :D

    Also try this on your broadband connection ( router ) ect. please?

    Control panel
    Right Click on netowork connections
    properties
    highlite TCP/IP
    click properties
    click advanced
    click options
    click properties

    It is good to be back at the lake again on my Linksys so I can try out the Walwatcher program you posted. I am geting some wierd UDP attemps now and don't know if I will get time this weekend to figure it all out or not.
     

    Attached Files:

  23. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi controler!

    I'm using a Linksys router as well. Don't install just WallWatcher, install GetLog as well. It will give you the last 70 entries (if you have a router of the BEF series) or 1000 entries (if you have a router of the BEFSX series) of the traffic, which happened when your computers were powered off. So you can see, if someone tried to attack your system.

    http://www.wallwatcher.com/GetLog_Readme.html

    Best regards!

    Patrice
     
  24. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    One of the functions or features that I want in a firewall is the ability to monitor applications.

    By that I mean,I want to be able to control one application starting another application.
    I'm not real knowledgable about terms.I think that this is called "piggybacking" by some.

    The first time I saw this feature in action was when I tested Kerio3b6.
    LooknStop has this feature also. :cool:
     
  25. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi the Tester

    Well your wish is coming true. As you noted Kerio was looking at this feature in the v3 beta. I would anticipate the v4 will have it, but we will have to wait and see. Should not be long now. LnS has it as well as NIS/NPF2003. It will be interesting to see if and how many of the other software firewall vendors include program launch and component monitoring in future offerings. Whether the firewall is the best way/place for this is debatable, but this ability is something a lot of users are starting to take interest in.

    Applications like System Safety Monitor and the sandbox in Tiny Personal Firewall are the alternatives. SSM would probably be easier for those starting out as the full blown sandbox in TPF (TTT) can be a little overwhelming for some.

    Regards,

    CrazyM
     
Loading...
Thread Status:
Not open for further replies.