Firewalls of today not loading their drivers fast enough ?!

Discussion in 'other firewalls' started by Sm3K3R, Nov 24, 2013.

  1. jnthn

    jnthn Registered Member

    Joined:
    Sep 22, 2010
    Posts:
    185
    @ellison64
    The TCP handshake, simply put, is the take-off point for a TCP connection between two hosts, after which the two hosts can exchange data, so to speak. The screenshot only shows the first two of the three required for the handshake; Sm3K3R might know if the last ACK of the handshake occurred and data was exchanged.

    Edit: the first three packets of the screenshot show the TCP handshake.
     

    Last edited: Nov 29, 2013
  2. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia

    Exactly.

    Keep in mind the screens are not for the entire sequence; it's more than what you see in the 2 screens taking place.

    The connectivity to the server takes longer than what you see there.

    Pictures show just that connectivity is taking place when there should not be any as per policy.
    I expect Private Firewall maker to react faster in closing this issue.
     
  3. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Thanks for the info :thumb:. Is this screenshot from your testing though? ... It's different from the OP's screenshot?
     
  4. jnthn

    jnthn Registered Member

    Joined:
    Sep 22, 2010
    Posts:
    185
    The screenshot was from a quick refresh of a wilders forum page just for demo purposes.
     
  5. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Can you ascertain from Wireshark whether data is actually being leaked through an internet connection, or is it an attempt to do so but being blocked by Outpost policy?
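The question above (did the handshake complete and did payload actually move, or were there only unanswered attempts) is exactly what a capture can answer. This is an added example, not code from the thread: it classifies TCP flows from a constructed list of Wireshark-style packet summaries; the addresses, ports and sizes are made up, and a real run would pull the same fields out of a pcap with scapy or `tshark -T fields`.

```python
# Added example, not from the thread: classify the TCP flows in a capture the
# way jnthn's handshake explanation and ellison64's question call for.
from collections import defaultdict

# Constructed sample: (time_s, src, dst, tcp_flags, payload_bytes).
# Flow 49152 completes the handshake and moves data; flow 49153 is SYN
# retransmissions only, i.e. the host sent, but nothing ever answered.
SAMPLE = [
    (0.000, "192.168.1.10:49152", "65.55.57.27:80", "SYN", 0),
    (0.031, "65.55.57.27:80", "192.168.1.10:49152", "SYN-ACK", 0),
    (0.031, "192.168.1.10:49152", "65.55.57.27:80", "ACK", 0),
    (0.032, "192.168.1.10:49152", "65.55.57.27:80", "PSH-ACK", 312),
    (0.090, "65.55.57.27:80", "192.168.1.10:49152", "PSH-ACK", 1448),
    (0.500, "192.168.1.10:49153", "23.21.10.5:443", "SYN", 0),
    (3.500, "192.168.1.10:49153", "23.21.10.5:443", "SYN", 0),
    (9.500, "192.168.1.10:49153", "23.21.10.5:443", "SYN", 0),
]

def flow_key(src, dst):
    # Direction-independent key so both halves of a conversation share a flow.
    return tuple(sorted((src, dst)))

def classify_flows(packets):
    """Return {flow_key: (state, payload_bytes)} with state one of
    'unanswered' (only SYNs seen), 'half-open' (SYN-ACK but no final ACK),
    'connected' (handshake done, no payload), 'data-exchanged' (payload moved).
    Traffic a host firewall drops never reaches an external sniffer at all,
    so every flow listed here did get past the firewall at least once."""
    seen = defaultdict(lambda: {"synack": False, "ack": False, "bytes": 0})
    for _t, src, dst, flags, plen in packets:
        f = seen[flow_key(src, dst)]
        if flags == "SYN-ACK":
            f["synack"] = True
        elif flags != "SYN" and f["synack"]:
            # Any ACK-bearing segment after the SYN-ACK completes the handshake.
            f["ack"] = True
            f["bytes"] += plen
    result = {}
    for key, f in seen.items():
        if f["bytes"]:
            state = "data-exchanged"
        elif f["ack"]:
            state = "connected"
        elif f["synack"]:
            state = "half-open"
        else:
            state = "unanswered"
        result[key] = (state, f["bytes"])
    return result

if __name__ == "__main__":
    for key, (state, nbytes) in classify_flows(SAMPLE).items():
        print(f"{key[0]} <-> {key[1]}: {state}, {nbytes} payload bytes")
```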
     
  6. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Ok thanks.:thumb:
     
  7. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Corrected big blooper in post#24. This is really under BLOCK ALL, once again without the benefit of Wireshark, just my router:

    BlockAllSummary.jpg

    There was only one successful connection, the stuff ellison64 mentioned in post#12 - the expected Microsoft thing.
     
  8. kronckew

    kronckew Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    455
    Location:
    CSA Consulate, Glos., UK
    please note that, as someone mentioned earlier, outpost loads a sandbox driver very early in the pc's startup. also note agnitum have indicated in their blog that the current version 8.1.2 has an updated sandbox to disallow a possible exploit. those on earlier versions are urged to update.

    there are about three separate threads on this same subject now here at wilders and it's getting confused.

    those of you with outpost are invited over to the outpost user's forum and if you have specific technical queries you can also contact agnitum on their contact page HERE

    for those wishing to contact paranoid2000, he has moved on and no longer frequents our forum, tho he does occasionally pop in to say hi. you might be able to pm him, but do not expect a response. he definitely does not have time to update our guide to a secure configuration document.

    the consensus of the mods at our forum is that in version 8.1.2 there is no cause for concern over this issue. please note we are all users and not employed by agnitum, tho we do have contacts there.
     
  9. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia

    I wouldn't want confusion, so I have to add that this thread has been created due to the fact that 3 firewalls have been discovered to have this "window of opportunity". Outpost is one of them. Maybe more have this.

    My posts in the Outpost 8.1.2 thread were only in relation to it, after discovering the default policy/configs of the firewall.

    Why am I doing this?! Simple, I wanted to reinstall Windows from scratch, as I have new hardware, and wanted to see what security software can be used.
    During installs this is what I have discovered.
    I usually use the built-in firewall even though it has some annoying stuff regarding configuration.

    So I had no intention to disturb the Agnitum team with possible bugs/design flaws during the end of the year, when we all give more time to the family and such.

    Anyway, in your reply, and I thank you for it, you've said that the firewall driver blocks any traffic until the policy (Block All in this case) is loaded.
    Having this in mind, can we conclude that the title of the thread is well suited?!
    I mean, if it blocks all traffic by design, but traffic happens (even Tomato logging logs it), can we conclude that traffic happens before the Outpost driver loads?!

    Or is this traffic happening after the firewall driver loads but before the policy is loaded?!

    Thank you all for the posts and let's wait for a network expert to detail this. We all need to know if the protection is on all the time.
     
  10. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    Interesting thread. I contacted Jetico regarding this issue and below is what they said:

    @Sm3K3R - can you test if this is true (i.e. that you can create a network layer rule to block ALL traffic IN and OUT)?
     
  11. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia

    So why are they calling that option Block All if you need to block network stuff even more?

    I may be able to install this again, but Jetico 2 froze the machine at the first reboot after installation; I tend to avoid software that freezes my machine.
    If they say they allow some stuff to go through for the firewall to load, I am afraid I may be part in some freezing sessions and not due to the weather :)
    I'll try and install the trial again if it has not expired already.

    Nevertheless it is a surprise that a firewall like Jetico has holes in the network department, as they always stated the network filtering is the strongest point of their software (when Matousec tests showed their HIPS strength).
     
  12. kronckew

    kronckew Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    455
    Location:
    CSA Consulate, Glos., UK
    one additional thing to consider is that many network interfaces will stay powered on while the pc is asleep or hibernating or even powered off, and awaiting wakeup instructions from remote pc's. these allow traffic even without an OS. they can also respond to wakeups from the pc's alarm systems. wake-on-lan traffic is present at the LAN level even before the OS starts up, and there may be settings in your bios that allow the adapter to talk even before the OS loads 'to maintain its presence on the network'.
     

    Last edited: Dec 2, 2013
  13. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    @Wayne,
    Good thought. My adapter just shows all this and I haven't yet disabled wake on LAN - it's a new win7 Lenovo box ... so much to do!
    IntelPwrMgt.jpg
    That said, my timing clearly shows (post#32) this was not Wake on LAN. Computer was already well into windows. And no, I'm not all that concerned about all this, but the thread is fascinating food for thought.
    I wish other people would post something about timing evidence especially with the twist you just introduced.

    OT: what is magic packet?
     
  14. kronckew

    kronckew Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    455
    Location:
    CSA Consulate, Glos., UK
    The magic packet is a broadcast frame containing anywhere within its payload 6 bytes of all 255 (FF FF FF FF FF FF in hexadecimal), followed by sixteen repetitions of the target computer's 48-bit MAC address, for a total of 102 bytes.

    Since the magic packet is only scanned for the string above, and not actually parsed by a full protocol stack, it may be sent as any network- and transport-layer protocol, although it is typically sent as a UDP datagram to port 7 or 9, or directly over Ethernet as EtherType 0x0842.

    A standard magic packet has the following basic limitations:

    Requires destination computer MAC address (also may require a SecureOn password)
    Does not provide a delivery confirmation
    May not work outside of the local network
    Requires hardware support of Wake-On-LAN on destination computer
    802.11 wireless interfaces do not maintain a link in low power states and cannot receive a magic packet

    The Wake-on-LAN implementation is designed to be very simple and to be quickly processed by the circuitry present on the network interface card with minimal power requirement. Because Wake-on-LAN operates below the IP protocol layer the MAC address is required and makes IP addresses and DNS names meaningless.

    ref: Wake on Lan

    to further ubercomplexicate things, newer MBs with uefi bios' can be configured to completely load and energize the complete network stack, with dhcp, dns, IP, etc. independent of and well before any OS. on top of that, there can be bios compatibility layers for non-uefi op. systems.
     
    Last edited: Dec 3, 2013
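The quoted magic-packet format above (six 0xFF bytes, then the target MAC sixteen times, matched anywhere in the payload and without any protocol parsing) is easy to turn into a detector for WoL frames in a capture of pre-boot LAN traffic. This is an added example, not code from the thread or from any WoL tool; the datagrams and MAC address it scans are constructed sample data, and the builder exists only to produce that input.

```python
# Added example, not from the thread: recognise a Wake-on-LAN magic packet the
# way the NIC does, by pattern-matching the payload rather than parsing a protocol.

SYNC_STREAM = b"\xff" * 6          # six 0xFF bytes that precede the MAC copies
MAGIC_LEN = 6 + 16 * 6             # 102 bytes: sync stream + 16 x 48-bit MAC

def find_magic_packet(payload: bytes):
    """Return (target_mac, offset) if payload contains a well-formed magic
    packet anywhere inside it, else None. A SecureOn password, if present,
    simply follows the 102 bytes and is not needed to recognise the packet."""
    start = 0
    while True:
        i = payload.find(SYNC_STREAM, start)
        if i < 0 or i + MAGIC_LEN > len(payload):
            return None
        mac = payload[i + 6:i + 12]
        # The MAC must be repeated exactly 16 times right after the sync stream.
        # A run of more than six 0xFF bytes shifts the match by one and retries.
        if mac != SYNC_STREAM and payload[i + 6:i + MAGIC_LEN] == mac * 16:
            return (":".join(f"{b:02x}" for b in mac), i)
        start = i + 1

def build_magic_packet(mac_str: str, secureon: bytes = b"") -> bytes:
    """Build the 102-byte magic packet for mac_str (optional 6-byte SecureOn
    password appended). Used here only to construct sample input."""
    mac = bytes.fromhex(mac_str.replace(":", "").replace("-", ""))
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    if secureon and len(secureon) != 6:
        raise ValueError("SecureOn password must be 6 bytes")
    return SYNC_STREAM + mac * 16 + secureon

def scan_datagrams(datagrams):
    """Return [(udp_dst_port, target_mac)] for every (port, payload) pair that
    carries a magic packet; unrelated datagrams are ignored."""
    hits = []
    for port, payload in datagrams:
        found = find_magic_packet(payload)
        if found:
            hits.append((port, found[0]))
    return hits

# Constructed sample: a WoL datagram to UDP/9, an unrelated DNS-sized blob,
# and a UDP/7 datagram whose 0xFF run is one byte longer than the sync stream.
SAMPLE_DATAGRAMS = [
    (9, build_magic_packet("00:11:22:33:44:55")),
    (53, b"\x12\x34\x01\x00" + b"\x00" * 30),
    (7, b"\xff" + build_magic_packet("00:11:22:33:44:55")),
]

if __name__ == "__main__":
    for port, mac in scan_datagrams(SAMPLE_DATAGRAMS):
        print(f"magic packet to UDP/{port} wakes {mac}")
```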
  15. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    No connectivity in my case until I initiate Windows booting.
    Pressing F8 for the Asus boot menu and waiting shows no connectivity from my Intel network card until the OS is initialized. All wake-up and such are off in driver settings and in BIOS, if any.
    Sabertooth FX 990 used here and I may add the booting is not from the UEFI device (as it is shown in BIOS), SATA HDD directly.
    The window of opportunity is quite big, connections are being made for maybe 10 seconds during boot if not more. It's a WD Black Edition HDD, so it's quite fast.
    With an SSD the exposure may be much less though.
    The network card should just be delayed with some script and everything would be just fine.

    I don't understand Windows' behavior though, why it's opening up, it has enough time to communicate with the "mothership" while the PC is idling. :)
     
  16. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    Outpost 9 (26 Dec 2013) does the same as previous versions.

    New Windows 7 x64 (patched to the latest) install with Microsoft antivirus and Sandboxie.

    Same steps done as previously, same handshakes and DNS calls to Microsoft.
    I even made an svchost rule to totally block any connection explicitly, and in spite of the Block All policy outbounds still happened at start-up.
    It's like the firewall is not fully controlling svchost.exe for some seconds at boot. Or maybe it's not svchost.exe doing them?!
    I've seen the Agnitum driver to have an October 2013 date or something like that in Outpost 9.

    Due to this I felt unsafe using the firewall. Uninstalled the trial.
     
  17. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    Same story for the latest Private Firewall release.
    DNS leaks and handshake + Block All not working practically at start-up, until the desktop is loaded.
    Already seen this on 2 machines with 2 different network cards so it's not some network driver issue.
    NSA involved?! :)
     
  18. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    @Sm3K3R,
    1. Since you use Wireshark on another box, is it not possible to see what is being sent early on? Might be readable if not encrypted.
    2. In Win7, msconfig permits setting up both Boot log and OS boot for standard, not safe, booting - might those logs be helpful to catch activities such as you mentioned, or do the logs only list driver loads?
     
  19. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia

    The connectivity occurs at booting, it is benign as described along the thread, Microsoft stuff, but that window of opportunity can be used by a rootkit, no doubt. I am still waiting to find a firewall without this stupid bug, except the OS built-in one.
    It's strange though that I have to use the Windows firewall to have the traffic under control. Early on there is ARP traffic in the LAN as the sniff machine is also doing routing. Amazing what an OpenSuse can do on a HTPC-like config. :) You should drop your SOHO and make such a machine.

    In the meantime Steam and CS:GO are driving me crazy, creating Inbound rules at every update with no question asked in the Windows firewall.
    So the firewall itself has its flaws too :)

    It's hilarious to see, after so many years since W7 got on the market, the inability of a firewall to allow network traffic only when the user wants.
    XP really was better with the right firewall :)
    In that one only Jetico 1 had such an issue.
     
  20. SeReB

    SeReB Registered Member

    Joined:
    Oct 10, 2012
    Posts:
    13
    Location:
    Czech Republic
    As mentioned earlier, the filtering gap could be exploited by a rootkit, however the rootkit would bypass the firewall anyway. Without multilevel security (firewall + AV + antirootkit), basically every firewall is vulnerable to rootkits.

    Also the logon process requires certain traffic to be allowed, and as firewalls cannot predict the local/remote type of login, the traffic has to be allowed anyway - otherwise you might get problems logging into Windows.

    You correctly pointed out that block all mode should really block all. However this is a typical example of the usability/security ratio. Regular users expect operating systems to run normally and starting the "mighty" block all mode could cause unexpected troubles (for them).

    To sum it up, yes, you found a bug; but no, you cannot expect that it will be fixed. There are many business/marketing things causing products to be less secure, but one has to understand that it's a business after all and there are regular paying users (enjoying more the look and usability), and those with technical skills like yours are well below 1%.

    Note: everything said is meant generally without pointing out any certain brand or product.

    Edit: Speaking ad absurdum the best "block all" firewall protection is your unplugged LAN cable ;).
     
  21. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    I think the point made is that there are firewalls able to "block all" without disrupting the system.
    Others seem not to aim at blocking all, to ensure no disruption. Just different approaches with their own merits and limitations.
     
  22. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    It's about the advertised features also.

    Vendor X states that its product protects you from x, y, z and that it allows you to block, allow or whatever, which the Windows firewall is not able to do.
    But when you check the features advertised you see that there are flaws or bugs in the product that question these advertised features.

    Creating a false sense of security and control is not what should happen when talking about security products.
    A lot of users struggle with all kinds of firewalls that ask you all day long about what some application should do, and when you look into the application closely, and not as an expert, what you see is the inability of some firewalls to filter traffic and apply their policies at all times.

    They concentrated so much on the HIPS part of these so-called firewalls that the main job of controlling traffic is done poorly.
    And some ask money for this.

    I wonder what security experts say when they analyze these firewalls, that should protect our PCs from the so-called hacker intrusions while in fact the doors are kept wide open :)
     
  23. SeReB

    SeReB Registered Member

    Joined:
    Oct 10, 2012
    Posts:
    13
    Location:
    Czech Republic
    More interesting would be what product managers responsible for the suite products say when confronted with the reality by the security experts.
     
  24. zerotox

    zerotox Registered Member

    Joined:
    Jul 16, 2009
    Posts:
    419
    "They concentrated so much on the HIPS part of this so called firewalls that the main job of controlling traffic is done poorly.
    And some ask money for this"

    Exactly what I think. And I think one of the firewall experts here at Wilders was stating that very, really very few products can be a match for the built-in firewall concerning traffic filtering, not extra bells and whistles.
     
  25. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The individual components in security suites seldom match the abilities of their single purpose equivalents. The equivalent of "Jack of all trades, master of none."
     