Protecting What?

Hi Guys,

I'm using a NetGear router (GRC says all Stealth ports) I also use CPF. I figure CPF will protect outbound traffic. But what actually am I protecting by using CPF? Quicken's data is password protected, & anything else of value is stored in 'Roboform'. Also any app which can connect to the net has limited rights, via DropMyRights. So should I still keep CPF or cut it loose?

Take Care
Rico

 

Do you image your system ? If so what is the worst that could happen ? somehow a virus or malware gets on your machine and you just restore a good image. If you run returnil, deepfreeze, FD-ISR or similar the nastie would be gone at reboot.

People keep talking about the "dark side" where ever that is. If like me you have no idea and if you surf safely then I would agree with you and question the need for outbound protection.

 

Backups and virtualization are probably better tools in avoiding malware than a firewall(which isn't intended to defeat malware actually). A firewall, in my book, is a traffic cop. Someone who monitors the incoming and outgoing data transmission packets. I don't use a firewall to stop malware (even though others would do so). Removing the traffic cop does speed up the PC from my experience. But since data packets can get corrupted during receive/send operations and since I cannot verify each packet myself, I use the firewall.

 

Hi LongView,

I've read 'how to boil a frog' & that prompted me to post about CPF. CPF gives so many alerts & ALL are from legitimate activity. I just think CPF isn't protecting anything, due to RoboForm, DropMyRights, & password protected data.

As for: FD-ISR don't know where to get it? Returnil how do you get around install of apps that require a reboot? Deepfreeze I'll take a look. Thanks!

Take Care
Rico

 

Rico ,
Have a look HERE.

 

Many apps don't require a reboot - but if I want to try something for a few days
I would make an Acronis image ( system and programs partition) and then restore that partition when finished. Before using DeepFreeze6 and Returnil I used to make system images daily. Now I find that I only make them about once a week. Returnil simply restores my machine to the way it was before I messed it up. With FD-ISR you could always make a new snapshot - install to the new snapshot and then delete when finished. There are so many ways to do basically the same thing with these programs.

 

are you talking about hardware or software or both re speed ? My feeling is that not having a software firewall speeds things up but I have not run without a hardware firewall for years. Would just a simple modem make things faster ?
( not that I have any intention of going back to pre-hardware firewall days)

 

Hi LongView,

Well CPF has no gone to the bit bucket, big improvement, I miss those constant alerts like a headache.

Regarding Returnil & Deepfreeze many apps do require a reboot for install or updating, so something more elegant than a BU (I use SP3) is in order.

Next I'm toying with removing 'RegDefend.'

Take Care
Rico

 

Well,.. We see many posts/threads on this ~"do I need a software firewall while behind a router". Many put forward there is no need, and I would agree that from a point of a well protected system with no internal compromise then yes, go with it and remove any software firewall, certainly not a problem for me, its not my system.

A router, on its basics will give you NAT and protect from unsolicited inbound, is this enough? There are routers that state the inclusion of an SPI,.. I have asked before what the level of SPI is within a router, it would appear that no member on this forum actually knows what SPI function is available with the router they use. This in itself is a problem for me (and should be a concern for them)

I see too many bot/spam networks, most of these compromised and used (nodes/PC`s) remotely are actually behind a router.

 

Stem

I have a NetgearDG834 which claims to include SP1. All I know is that:

"This wired modem router includes a built-in True Firewall for secure Internet communication: Stateful Packet Inspection (SPI) and Denial of Service (DoS) features protect your home network from unwanted intruders"

Is there something else I should know about SP1 or some setting that I should be changing ?

 

Hello Stem,

The question was what is CPF protecting me from, as it's outbound protection. If sensitive information is password protected & passwords protected by Roboform. Then what outbound protection does CPF provide? Also I'm quite aware that any and all changes I make,will pose no problems to you!

Take Care
Rico

 

This is slightly off topic but I now think Comodo 2 is not up to the job . Just yesturday I cleaned a PC that had some malware installed. Although CPF was alerting to the outbound connection, after denying the exe it was still able to use Firefox to deliver it's ads. I installed Threatfire and immediately it had recognised the infection. The malware just cruised past Comodo, Avast and Windows Defender aswell as on demand scans of AVG AS and SAS. I promptly removed Comodo and Defender, activated XP sp2 firewall and left TF installed.

After sitting on the fence where outbound protection/leaks are concerned, I now firmly believe that outbound is not necessary. The only real reason for it is to control legitimate apps from calling home. Also, seeing as this malware appeared to defeat so many well respected apps i'm starting to think behaviour analysis is the way to go.

 

Do you know how this got onto the machine ?

 

I think it was a component of an app called Spyware Secure but not entirely sure. I think he may have installed it thinking it was an AS and not realising that it is rogue.

 

Thanks Beavenburt. So a minus mark for real time scanners ? A Hips program would have stopped this - but anyone daft enough to download an unknown , unchecked program would probably give the HIPs permission to proceed anyway? On balance this suggest to me that Returnil, deepfreeze type programs cover this type of infection best.

 

If you where to become infected, be it a trojan or a bot etc, then a software firewall would at least give you warnings of an unknown application attempting to connect out.

For me personally no. But if you where to become a node of a bot network, then you could be part of a problem for a main server being DDOS

 

Stem,

You are right that it is a hell of a job to determine what exactly is offered by a hardware firewall. What I could determine based on the settings (no sales guy can tell you, no info on the packaging, etc).

NAT:
- TCP on port and address restricted
- UDP only address restricted

SPI:
- Only on the header (no content or deep packet inspection / DPI)
- TCP on after a session is established until it times out
- UDP after established keeps alive

Other settings
- DHCP lease time set to 24Hrs before renew
- Security WPA (auto => WPA2), Cypher TKA and AES, Group key interval update 60 minutes
- MAC address control on
- Both admin and user have gotten passwords, default name and default
IP address of router changed
- Disabled Wan Ping respond to router IP address/enabled DoS protection
- Disabled ability of clients to change info between them

It has a QoS engine and a DoS attack prevention, passes Shields up, spam test, etc. The QoS engine and WISH is only setup for my son's gaming computer and to give much used connections to game servers a high priority.

On the VISTA64 gaming machine we use PRSC with Haute Secure, I do not know what PRSC exactly checks, so no idea how it will react when a program tries to connect out. On the two XP machines we have A2's IDS and TF. Both react when an application (unknown from internal list of IDS, other than allowed in a custom made rule).
The XP machine with A2 Malware and GeSWall Pro is reasonably protected against programs initiating out bound traffic because GW gives a pop-up when a programs wants to connect and A2's Malware IDS triggers for Trojan/Downloader activity (It must have a small internal white list of which programs to trust).
The XP wit TF only allowes programs to initiate outbound traffic which are also marked by DefenseWall as an untrusted program. This last machine is where we do on-line banking from, with Public/Private key encryption based on calculator which needs your debit card and your PIN (so PIN is only entered on the calculator token).


So all considered: I am protected against dll injection etc and have programs granting outbound traffic limited. The only hole in this defense is regular windows interprogram start up triggers like ole and dde. So a malware could use this, but I do not want the hassle of checking all ole/dde/etc triggers with a software FW/AE. What's your comment on this?

 

I don't see how Rico could become a node of a bot work if he is using Returnil ?

Also it appears you missed post #10 does it matter if I understand what SP1 does as long as the hardware firewall has it ? or do I have to change some settings to make it work ?

 

It would depend on what as been, and what is allowed to be installed on the system.

It is not a need for you to understand SPI, but more of a case of you knowing that the router provides a level of SPI that is actually protecting you. Is there anything in the router manual, or on the vendor website to give you this info (I doubt it)

 

This means what? That the full TCP header is checked (to flags/ sequence number), or that only IP info is checked?

 

Software type. Yes, without one, there is no bit filtering so your download speed is better. A simple modem without any additional software would speed things up since there is no additional program involved with data filtering.

 

Slowdowns with packet filtering is norrmally due to the way firewalls actually handle the packets.
A good SPI firewall should/will always give preferance to packets on an open connection and filter these for correctness (if that is the term to use). I do see many firewalls push all packets through all firewall rules rather than an internal SPI engine, some even push packets through other filters that an SPI should actually filter (and drop if needed)

 

Stem: Full header, sorry maestro I did not know there were several tastes of header checking.

Longview: The NAT/SPI itself was configured out of the box, only the "other settings" (advanced settings in my router) had to be entered manually.

Regards Kees

 

Thanks - using Returnil means that at reboot any changes no longer apply.

All I know is the NetgearDG834 says it has SP1. I can find nothing that I have to do. everyday I have it send me an e-mail and normally it is incredibly dull. I certainly don't want to tempt fate but I do wonder sometimes how some managed to get contaminated.

 

Linksys WRT54G v3, it has iptables as its firewall, so count one user .

Cheers,

Alphalutra1