I want your honest opinion about this . . .

Check this out, Another setup i am testing. I would like to know if you would class it as secure.


Zonealarm pro with the internet crap turned off using it for application access contrtol (accessing net + being a client / server)

8 Signs firewall with standard rules blocking netbios + misc ports i want blocked

2 rules in 8 signs that say allow IN tcp 1000 - 65535 and allow UDP in 1000 - 65535 . . This way zone alarm controls what programs are able to be acting as servers and requests to NON server allowed programs will be closed. Then also i can use the tarpit to open lots of ports like 80 21 445 etc lots of them so i can see who tries to connect.

So to sum it up, 8 signs blocks the ports i want blocking and takes care of icmp and lets all inbound TCP and UDP on 1000 - 65535 ports and relys on zonealarm for not letting connections to goto program that are not allowed to be servers . . . I know i dont show up as stealth any more lol but stealth does not give you extra security as far as i know, it just makes you not apear online which i dont care about now as long as they cant get in . . .

Also what are your opinions on the Tarpit function of 8 signs . . .?

Thanks for your input guys

 

What do you get on a Grc.com scan?

 

You do not need to open ports to use the tarpit function and your logs will show denied inbound connections.

You could accomplish the same thing with just ZA. Why do you feel you need to run two software firewalls?

While some like this functionality, it is not why I would use or recommend 8Signs.

Regards,

CrazyM

 

well technically i know that 8signs does not "open ports" the firewall accepts connections on them and acts acordingly and the computer never knows a thing about them. Point is i am talking basic language . . . 8signs opens a tone of ports and traps people connecting. and i dont like zone alarm . . i hate that firewall all i am using it for is to control programs and make sure whats a server and not. 8signs sorts my ports i want blocking and i have a god aweful block/tarpit port list like 0-999 +1024 +1025 +5000

I can not be hacked through a "port" that the computer does not know about and that the firewall does not communicate but for simple syn's etc to trick the connect'ee.

Sofar this is the best i have found sofar. and it was brought to my attention on this forum about using 1 firewall for "firewall" and ZA for application control for net access. It works well . ..

As for the picture . . ( for people new to tarpit functionality) these open (red) ports are not real ports and they are not open on the computer. The firewall is kind of emulating the face they are open and communicating with people trying to access them just enough to MAKE them stay connected to a fake port.

I do not get stealth status any more as you can see And i also made ICMP replys active so i can be pinged too. I really dont mind if people know i am here i just want to make sure they cant get in any of my ports. there is no such thing as 100% secure anything . . if the fbi and US army can be hacked and loose information due to hacks - Personal firewalls can be brieched with the right skill i am sure of it. This will keep 99% of the worlds hackers out of the system and the 1% of the ELITE hackers will get a good laugh while they spend the time to break you!!!!

 

I have to say, this seems silly. If you're going to allow all TCP and UDP incoming thru 8Signs, then why bother using 8Signs at all? Isn't it basically doing nothing then? Again, I see no need for 8Signs and 2 firewalls. Why not just put ZoneAlarm on and be done with it?

 

Point being . . I get the functionality of tarpit (which i love so much) and the ability to block ports with ease withought using a absolutly crap firewall . . . reason i let all (most) tcp and udp in 8 signs s so that certain games and MSN functions (that the ports are random every time) work all the time . . Else i would have stealth all the time apart from the tarpitted ports. zone alarm is not functioning as a normal firewall because it is not filtering or anylising the packets since i disabled all that functioanlty. its just only for controlling what applications are allowed to access the net And which ones can open external ports and act as a server. this goes well with 8 signs since the programs i dont allow to be servers in ZA the traffic that comes in from 8 signs will show up CLOSED . . . So i get all this functionality and it all works together . . i dont have to use tarpit, but i like it and since Yahoo users and script kiddies love to scan me and try to get in my Real ftp server this will make them think christmas came early when they see all these ports . . . and also when someone scans me from 0 - 1024 or more its going to use all their sockets up before they get into the very small hundereds of ports. causing them agrovation or confusion (why id my port scanner not working) I tested this with a friend who scanned my ports from his wifi pda over the internet and he was like "dude why is my port scanner wigging on me?" he said his scanner froze his PDA up so slow it was not funny and he had to close the program to get control back. All his sockets were spent up on previous port scanns. (the pda was a private joke because one day he port scanned me and said "haha you just got scanned by a f()ing PDA) thats why we use the pda since its as good as his pc for scanning with his WIFI router.

 

Seems to me that with this setup, you're wide open to anything coming in from the outside.. any part of Windows, any service listening or holding ports open and so on will be open to any kind of nonsense from the outside. This would appear to be the exact opposite of what most people would want..

 

I guess you just dont understand the concept. Everything is secure . . most of the net passes through 8signs and is turned away due to the programs in za are not aloud to serve on the internet adapter . . and the tarpit ports are secure because they are emulated by the firewall they dont really exist and can not be "used" for any purpose or be hacked. and i varified my theory about the port scan being hampered by all the tarpits with a fellow poster here, and the scanner stopped working and got all stuffed up with connections

 

OK.... if it works for you, then do it.. but I sure would test it out and make sure...

 

In his case, he wants to trap all the scanners with tarpit, works out well for him as he needs open ports in a big range.

 

Yep, I gathered that, thanks Arup.. As long as the good old tarpit works reliably, then great... Although, when I think about it, I'm not sure why he doesn't just allow certain port(s)/ranges in for whatever apps he needs. He can't use the tarpits for all ports or his legitimate inbound traffic will get trapped in there too. So he must be using tarpits for ranges of ports. Instead of that, why not just block those ranges normally?

Or do I, as he says, misunderstand the whole point?

 

I use the following tarpit ports 0-999 1024 1025 5000 . . .
the rest show as closed and a rule at the top of my list has a rule for letting my services inbound to my machine . . which the ports are stored in a port group called "Service ports" . . i can add and remove as needed and this rule over riders the tar pit and aloows these ports through. the tar pit is to anoy people scanning me as their sockets all get eaten up and keped alive on my end. and only like as i said about 1002 ports in total. the rest are closed unless something on ZA has allowance to run as a server then the traffic makes it to my pc

 

Ok, I think I see what you are doing.. I guess I kinda believe that one can do without the tarpits though. In my opinion, tarpits are just going to annoy potential troublemakers and possibly make them hang around or bother your system more than usual. It's a cute idea, but I tend to think they draw more attention than anything else. Why would you want that? Wouldn't it be easier to just block those ports the usual way and have scanners hit them and just move on..?

 

As most of the scans you are going to see are automated or from compromised systems, who are you annoying? How often do you think there is someone sitting at the other end thinking "gee this scan is taking a long time"?

Regards,

CrazyM

 

maybe, but point is wether i am stealth or not does not matter . . i have the same "protection" as ever, only i show up on everyones radar is they come across me. and like i say they will get a very bad headache trying to scan me
and they still cant "get in" because of the way i have it set up. if someone has my ip specifically they know its me and i am "online" wether i am stealth or not also . . tar pit just makes their life hell trying to get me.. all these ports? which ones real and not? or omg my scanner is taking for ever . huh why is it not working. see i like the novelty factor of anoying the hell out of them and making them cry! Real attempts to access me will yield the same results wether i am steal or not . . They cant get in a closed port, also my ftp has usernames and passwords and is installed and configured secure.

 

hi crazy,

I chat on yahoo and misc voice chat systems, and people know i am not a noob and like to try their luck. and i DO get scanned and people run scripts on my ftp to try and exploit it with no success, So next time when they have to have 1024 sockets to scann my system ports they will think twice before trying every few days . .

 

also crazy, as mentioned in 8signs information, It slows the automated systems down since their conenctions are stuck to me the more tarpits the compromised system encounters the safer the internet is for people to get their systems secured withought getting hit every second. since the scanners are trying to break free from our tarpits

 

So basically you are inviting trouble then? Tarpits can have some use perhaps for systems that occasionally (and unintentionally) get bothered manually, but as CrazyM says, most scans are automated, making tarpits a waste of time.

It is so much easier to just use typical routine methods of firewalling your system. But then again, you do seem to be inviting trouble don't you?

 

if you are secured the same way in both situations, i say why not have a little fun with the script kiddies / hacker ? they are so big and bad ah yes really ok son go back to school is what i say to them ! lol if they want to try and get to me (Yahoo chat users in hacker rooms) then i say have fun with them . . they are not going to get "in" to my system either way.

 

Removed (wrong meaning implied)

 

Hi,
I say, don't put your head in the lion's maw just to see his teeth.
And KIS - Keep It Simple - one firewall...
Mrk

 

Hi Techwg:
I am a license user of 8Signs for 2 years now and just read your post about 8Signs. In regards to Tarpit this is a unique function as you indicated where the scanners are stuck which is a way to get back at the potential hackers. I for one find 8Signs to be a solid firewall.......now granted there is no control outbound from ones pc.......however....8Signs concept on what a firewall should be is to keep the bad boys from getting in to you puter. I scan my pc daily with a trojan scanner......also have spyblaster installed......Nod32....... I feel quite safe at this point.

 

Yes music man,


Actually my security is in a state of flux at the moment . .

I am at the moment passing all traffic straight into zone alarm which deals with everything now and i use 8signs only for tarpit and manual blocking ports etc.


i really like 8 signs firewall, but for my needs its too restrictive to use on its own really. i need all inbound apart from x x and x not deny all inbound apart from x x and x. But with zone alarm and 8 signs for the "quirky" tarpit ability its ver nice indeed.

 

In the case of your subject, you may be right, but it is absolutly correct that pride goeth before a fall.....

 

I think it's kind of like using mace. It will stop most people, but the real threats are just likely to get annoyed, making them all that more determined. Since it's a unique function, it's going to give away what you're using for protection immediatly. If they know how to get by 8-Signs, they'll know immediatly to use that. Personally if I was going to get a setup that elaborate, I would rather go with something *nix based for the gateway, and spend some time really securing it down. Then use a top-notch (single) firewall product on the host. If you still want more put anything internet facing, like your IM & servers, in a sandbox, unable to even see the rest of the system.

Bears repeating