Value of FW Learning Threads

Discussion in 'other firewalls' started by Escalader, Sep 24, 2007.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello Fellow Members:

    Over the past few months, I have worked a number of so-called learning threads dealing with software firewalls. The purpose of these was twofold:

    1) A selfish need for me to learn more about FW's and to optimize my own security setup within the strengths and weaknesses of each tool. To a large extent this goal has been met.

    2) Help others who wanted to know more either about the tools or just strengthen their skills on FW's. I would like to know if this goal has been achieved at least for some members.

    The amount of effort to not just raise questions but understand, clarify, research, test out rules and settings, post results, etc. is not small. I am wondering if there is value for effort expended, particularly for members who read the threads but don't post in them. By the way, no one has complained about the effort they expend, least of all myself, since I am the prime beneficiary here!

    To get a better handle on the value of these learning threads I have attached a set of 7 questions for posters and viewers alike. Whatever happens, I will finish the Kerio 2.1.5 thread to a natural close just as in the others.

    Here are 3 main threads with their links so you can skim before you comment.

    How to Optimize Security in Kerio 2.1.5 -Learning Thread 3 (Yesterday, 06:49 PM)
    90 replies, 2808 views, Interest level =2808/90=31.2
    https://www.wilderssecurity.com/showthread.php?t=182158

    Re: How to Optimize Security in Comodo V 2.4.18.184-Learning Thread 2 (last post August 8th, 2007, 09:44 AM)
    143 replies, 7,615 views, Interest level =7615/143=53.3
    https://www.wilderssecurity.com/showthread.php?t=176866

    Re: How to set optimum settings in ZA Pro? (last post July 19th, 2007, 05:49 PM)
    229 replies, 7,334 views, Interest level =7334/229=32.0
    https://www.wilderssecurity.com/showthread.php?t=172579

    Please provide examples with your comments, i.e. what you learned, if anything.

    Was your own security configuration strengthened?
    Did you learn anything new about SFW's?
    Do security learning threads like SFW's have value?
    Should Escalader continue with learning threads?
    Did the ZA Pro thread provide new technical information for you?
    Did the Comodo 2.4 thread provide new technical information for you?
    Is the Kerio 2.1.5 thread providing new technical information for you?

    Thank you in advance for your views :thumb:
     
    Last edited: Sep 24, 2007
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    The way the poll is devised it doesn't make much sense. For example the question should you continue. What does checking the box mean?

    Now for my feedback. Assuming they are beneficial to you and the participants, then they are fine. But for me, they aren't of too much value. I don't have a large interest in the who's and how's of firewalls. What I want is a simple one, that I can install, and forget about it. I like the Online Armor firewall, because, I don't have to think about rules, ports, tcps, or whatever. I just install it and it works. It also satisfies my biggest requirement, beyond that, the traffic LED. Pretty simplistic eh.

    Also I would guess that only a small percentage of users really want to dig into that depth. But that in no way diminishes the value, if it is something you want to do. If it helps one person it is worthwhile.

    Pete
     
  3. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    I haven't voted but I agree it does not really make much sense. I assume checking the boxes means you approve, but shouldn't there be a box then that says you didn't gain anything or find any of the above worthwhile? Not to be harsh, but I am just saying that so that every view can be said, not just those in favor, to even everything out.

    I'll put my two pieces in eventually once my workload decreases.

    Cheers,

    Alphalutra1
     
  4. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Peter:

    The poll design is flawed, my first here :thumbd:, can you remove the poll for me please?

    I will put the 7 questions in post 1

    Thanks
     
    Last edited by a moderator: Sep 24, 2007
  5. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    I read your Kerio 2.1.5 thread, and decided to take the plunge. I imported the BZ-rules and now I'm using your thread to tighten the rules. Thanx for the help-thread, as I've been without a regular FW since I dumped Filseclab! I think I got a keeper! Thanx to Stem, Herbalist & others for their input! Kerio rules ***** :thumb: :thumb:
     
  6. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Value of FW Learning Threads?

    Personally not very beneficial and a lot of headache on some of them.
    They have, however, been useful in convincing me not to move from my setup and the firewall I have chosen... that should be:

    1. Easy to use;
    2. Set it and forget it;
    3. Fully integrated into my other security tools;
    4. Provide good protection out of the box.

    I have found only two firewalls so far able to satisfy my criteria.

    Online Armor (OA+AV) and ZA (ZASS).

    Cheers,
    Fax
     
  7. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    And if you wanted to tighten the ruleset for ZASS's-FW, the thread is there, it's 1 of the 3 mentioned.......
     
  8. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Yep, I know... but I don't personally need to tighten rules...

    The improvements (security wise) of custom rules are not proportional with potential compatibility problems with the OS or programs being unnecessarily blocked or limited in their connection.

    But of course, OP asked for user input and this is just my opinion.
    I think the thread mixes security issues with privacy issues and strict outbound control approach.

    I do trust applications installed on my system, I don't need to block them without a specific reason that should be connected to the safety of my system due to malware and hacker attacks. So, I am happy with preconfigured settings that are designed to ensure a good protection while guaranteeing maximum compatibility.

    Fax
     
  9. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    I agree completely! That's why I trialled so-o-o-o-o-o many firewalls. Something with a balance of security & privacy, but most importantly, compatibility with my machine. To a noob, the firewall can be overwhelming. With familiarity of seeing it done step by step, the fear is less and the chances of finding what you are looking for are greater! If you are comfortable with your set-up....GREAT.....that's what we're all looking for.
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Hi 19monty64:

    As someone said to me the other day, if only one has been helped it is/was worth it. You have been helped and that is good. :thumb:

    On Kerio thread go ahead and post a question, Stem and others will be open to you for sure. :cool:
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Alphalutra1:

    The poll has been removed as it didn't do what was needed! Sort of like a function in a tool that failed! :D

    Please put your ideas/comments in when you have time. :thumb:
     
  12. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Pete:

    Thanks for your views. You are not alone in wanting simplicity! I was the same! I still want it but not at the price of unrequested call homes and leakage.

    Until looking just 1 level down showed me that if users are serious about security and privacy (which can't be separated) when using their PC's they need to verify and test that the FW they are using isn't giving them a false sense of safety. I have never used Online Armor so it may be both simple and secure with no leakage of information you didn't ask for. Stem would likely know the answer to that.

    Anyway, have a look at the post count to views again. It seems to me they reach and interest a fair number of members. If you sort the other FW threads by views one really ranks high! (based on yesterday's data)

     
  13. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    I was beginning to think I was the only one who thought on your wavelength. Set it and forget it. ZASS was like that and Comodo is like that if you set it up on Auto. My old brain can't grasp all that rules crap, but I'm determined to start from scratch and learn it one of these days when I'm snowed in. :D
     
  14. ahriman

    ahriman Registered Member

    Joined:
    Sep 18, 2007
    Posts:
    126
    Escalader,
    I think your learning threads are great! They are clear and help newcomers set up their firewalls. I agree with some of the other posters: simplicity and ease is wonderful, I just don't think we're at the stage (and may never be :'( ) where it is safe to 'not bother'.

    Thanks for your efforts!
     
  15. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Thanks, it's good to know these threads help.

    Simplicity yes, but test if tool is also safe and does what it claims to do.

    That means digging in the detail.
     
  16. Doc Serenity

    Doc Serenity Registered Member

    Joined:
    Apr 4, 2007
    Posts:
    105
    Escalader,
    The learning threads have been great.
    I hope you and STEM and the others keep it up.

    OA2 is good but is again experiencing a problem. Waiting for another update.
    Prosecurity seems very good too but I'm not even sure if it's technically a firewall.
    Possibly the new version of Comodo will be what we need. But they need to let the users decide before installation about their HIPS.

    I look for out of the box tight security with good GUI and easy to use controls for the uneducated (me) to use to adjust it. And granular for when I get lucky enough to learn more.
    Thanks.
    Doc
     
  17. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Doc:

    Thanks for your kind words, it helps to know what members think of the work.

    Sorry, I can't comment on OA 2 as I have not test driven it.

    Prosecurity is technically a HIPS not a SFW (but I had to check first :oops:). There is a security warning out about it. I checked these out on SiteAdvisor

    http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4971

    http://www.securityfocus.com/bid/25718

    Meanwhile your HIPS may be a bit iffy on the basis of these findings. There are other HIPS tools.

    You are right, CFW has its own HIPS and it MAY be better than Prosecurity. But I'm just suggesting a result, I don't know it.

    Maybe some HIPS guys can help you here? Enter HIPS in the search and you will get a lot of posts on the matter.

    CFW 3 is near and a lot of people are anticipating it. I'm interested but will check out the real release not the beta. Stem and the other experts here will kick the tires and no doubt report their findings.

    Meanwhile, I'm working the Kerio thread!

    Thanks
     
  18. herbalist

    herbalist Guest

    Security, privacy, and outbound traffic control are inter-related issues and IMO, should be addressed together as part of an overall strategy. When an app or OS component connects out and calls home with data you didn't authorize it to send, it's not that different from a trojan. When does it become a security issue as opposed to a privacy issue when the user doesn't know what the data contains? AFAIC, outbound connections that I didn't either directly establish (such as a browser connection) or previously authorize (such as an auto-updater) are unnecessary, probably undesired, and possibly malicious. Example, without examining each instance, the user doesn't know if all of those outbound svchost.exe or rundll.exe connections are all system functions or if one is the result of malware exploiting the process.
    The "out of the box settings" of most firewalls are not very secure. Kerio 2.1.5 for instance allows most of the XP services to connect out even though the average user doesn't need them. The default rules of many firewalls are like this. They're designed not to cause problems for users who don't know how to tighten them up, not to provide strong security out of the box.

    I also trust the apps I've installed, up to a point. Very few apps behave exactly the way the user would want. An app might want to automatically check for updates every time it's started. Users who want their systems to patch and update automatically would like that. Ones who do their updating manually would not. Some users don't care if an app calls home. Others like myself won't tolerate that behavior. My "trust" of applications is also limited by the fact that no application is exploit-proof or totally secure. While the possibility of any one single application (or system component) being exploited on a given PC is small, there's a lot of apps and system components that do get successfully exploited. Over a period of time, the chance that something on a given PC will be exploited is quite a bit higher. Allowing unnecessary outbound connections only increases the chance that such an exploit can be successfully used. Windows itself and Internet Explorer are another matter entirely. The default settings and behavior of windows and other MS software are very insecure. Would you trust IE6 using its default settings for every day usage, including banking? Trust? I trust that windows, Internet Explorer, etc will always have unpatched vulnerabilities that are being actively exploited. I also feel that system components and MS apps that call home in combination with the large amount of user activity records kept by Windows represents a big privacy issue at the very least. IMO, the safest option from both a security and privacy perspective is to give them as little internet access as possible, and that connecting to the net should be done with 3rd party software that isn't integrated into the operating system, thru 3rd party firewalls to control that traffic. Yes, using a different OS would solve all of this, but the topic is windows firewalls.

    We definitely have different approaches to security, applications, operating systems, and what should be allowed or blocked. It shows in the terms we use. What you call "unnecessarily blocked" I call "blocking the unnecessary". I feel that a PC should do only what I want it to and connect only to where I tell it to, not what software vendors or Microsoft want it to.
    Rick
     
  19. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Indeed we have a different approach... but my choice (i.e how to secure my system) doesn't come from a blind trust of applications installed on my system but from what I learned in more than 20 years of use of a PC...

    In fact, I was exactly like you and other members here... but realised (some years ago) that "blocking the unnecessary" does not necessarily secure my system from attacks as I wished it would.

    Without going into details on how I got compromised I can only say that after I have changed my strategy I never got infected again. It's a combination of a first class antivirus, hardware firewall, HIPS to help monitoring changes to the system as well as securing the http communications (control on scripts, activeX, etc).

    The above has been much more effective than any rules in my firewall.

    Indeed it's a package of measures where "blocking the unnecessary" plays a very minor role. What I have seen is that the "blocking the unnecessary" may cause, before or later, instability of the system mostly related to bad design of applications we try to limit than the rules created.

    All my respect for other approaches to security, I am just reporting about my experience in the field.

    Cheers,
    Fax
     
  20. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Rick:

    TY for a great post on these opposing approaches to security! Your thinking is identical to mine. I wish I had written it!


    However, we went down this same road in the ZA Pro thread again with Fax. Thread got HJ'd and OT, the moderator had to take the thread off line, clean it out and then split it. I would hate to see that repeated here.

    This thread is not about contending views of security. But that is an interesting topic for a thread. Maybe someone who wants to talk about that can start a thread on it?

    Just to remind everybody, here are the questions being put in this thread, note there is zip there about contending views on security it is about the value of FW Learning threads. Does the effort produce value for the members?

     
    Last edited: Sep 26, 2007
  21. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Hello,

    1. Was your own security configuration strengthened?
    2. Did you learn anything new about SFW's?
    3. Do security learning threads like SFW's have value?
    4. Should Escalader continue with learning threads?
    5. Did the ZA Pro thread provide new technical information for you?
    6. Did the Comodo 2.4 thread provide new technical information for you?
    7. Is the Kerio 2.1.5 thread providing new technical information for you?

    1. No, because I'm not using the programs mentioned in production setups.
    2. I am always learning something new.
    3. Yes.
    4. Why not, your choice.
    5-7. Yes.

    Mrk
     
  22. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Mrk:

    Thanks for responding! :cool:
     
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I think any learning is good.

    As from the threads mentioned, these have been looking at more control of applications access to the internet and the settings within the firewalls to do this. We have also looked at just about all the settings within the firewalls mentioned.
    Everyone is different, and has a different preference as to how much control they want/have. Some users just prefer to block/allow an app access to the internet and then forget about this, some prefer to make some bindings, be it the ports used, or even the IP's they can connect to. The learning threads have shown how to do this.

    I do like the fact "Escalader" made these threads, but mainly the fact that some basic questions were asked and answered. I believe there are too many who do not fully understand some basics of firewalls but do not like to ask, as some think this will make them look "silly" to ask.

    As far as I am concerned, Escalader, you install whichever firewall you want, and then ask as many questions you want. This in itself will put forward questions most will not ask, and answers will be made.

    Regards,
     
  24. SoCalReviews

    SoCalReviews Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    282
    Location:
    Los Angeles, CA
    Due to a very busy work schedule and other time constraints I usually don't have the time to be involved in some of the longer continuous threads but I think the information can be very helpful for those who use the particular firewalls being discussed. The learning threads are also great for users who are not familiar with certain firewalls to feel more comfortable working with a FW they have never used before. For advanced software FW users who are already very familiar with the FW's discussed those learning threads obviously might not be as valuable to them. I think the FW learning threads have been a positive contribution to the forum. I would think that most forum users appreciate the efforts made in those threads. I give the thumbs up for them to be continued.
     
  25. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Hello Stem:

    What can I say but thanks for the supportive words.

    Agreed, any learning is good. You and several others have been very patient with my questions even when I put them poorly. Looking silly is of no concern to me since it happens a lot :D My questions are not ones I think I know the answer to but want to know the answer.

    Right now, I will continue then to work the Kerio thread, that tool has taught me (as you predicted) how to write rules.

    Best regards
     