What does a leak proof firewall get you?

Discussion in 'other firewalls' started by Diver, Nov 4, 2007.

Thread Status:
Not open for further replies.
  1. Hipgnosis

    Hipgnosis Registered Member

    Joined:
    Aug 26, 2003
    Posts:
    297
    Location:
    Witness Protection Program

    Saying it's a "buggy firewall" is a bit of a broad statement in my opinion.

    While certainly there have been some folks who have experienced issues with it on their particular systems, not everyone has. I have installed it on three of my computers and it is running smoothly with no conflicts or issues.

    So, what's buggy for one person may not be for another. I would venture to guess that every firewall (and other software for that matter) has the potential to be "buggy" for someone.
     
  2. Lundholm

    Lundholm Registered Member

    Joined:
    Aug 20, 2007
    Posts:
    108
    Location:
    Copenhagen, Old Zealand
    This is so obvious, that there is no need to post it.
     
  3. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    If you read _any_ support forum you will find that _every_ security app has compatibility issues and bugs. Every new version potentially brings new bugs. As for me, the thing that matters most is how fast the reported bugs are fixed. In OA's case they are fixed pretty fast. And compared to the other security apps when they first stepped out to the wide public, OA performed pretty well. Take into account that OA FW was released just a few months ago. In these few months it travelled far. I dare to say the current version differs from the first published as if it were a different product. So it can be said that, aside from the excellent leaktest performance, it has impressive development speed.

    PS. BTW, when Windows itself was published first it was a true disaster :)
     
  4. Shelty

    Shelty Registered Member

    Joined:
    Oct 28, 2007
    Posts:
    41
    People automatically think software isn't any good when they read the forums about some of the problems others are having with it. You have to keep in mind that even if 50-100 complaints are posted, I'm sure there are thousands more who aren't having any problems. People usually don't post just to say everything is running smoothly.

    A leak proof firewall is good, but I always enjoy the ability to configure the rules for everything. It just seems to me the user's ability to control the security of his computer is getting less and less because a lot of people are too lazy and/or don't want to understand how to make the rules. More and more, certain programs are automatically considered trusted with less control. That's fine if you want it that way, but I think we should also have the option to make it completely controllable, too.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Not sure that is totally fair, although I agree, once the leak proofing started it did introduce bugs. The last several versions of OA paid have been fine. No doubt taking some things out for the free version introduced a few issues, and this will be solved.

    Also OA works fine right out of the box in standard mode. But as people play and tweak, yes, they might either find or introduce problems. Mike will solve them as he always has.
     
  6. Hipgnosis

    Hipgnosis Registered Member

    Joined:
    Aug 26, 2003
    Posts:
    297
    Location:
    Witness Protection Program
    But obviously it's something you felt compelled to respond to.

    Yes it was an obvious statement, but I dare say no more obvious than the statement you made at post #18 in "Hints on using Online Armor FW-a Learning Thread 4".

    My post (#26 in this thread) was, IMO, a valid "on topic" response regarding OA and my non-buggy experiences with it, combined with a generalized statement that I have seen made hundreds of times on this forum and others. Just as you had other things to say in the above noted post 18, you also included an obvious statement, yet no one felt compelled to respond to it and point it out to you as an unnecessary statement. I feel very confident that neither you nor I were the first, nor will be the last, to make obvious statements in this or any other forum.

    I apologize to everyone else for the off-topic post but rest assured I am done with this conversation.
     
    Last edited: Nov 5, 2007
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have said, and will say again, this is just another step. We did have, at one time, the main feature of a firewall being to "Stealth",.. of course, the only way to completely "stealth" a PC is to unplug it from the internet.
    For me, still, a base software firewall should be filtering packets. Other functions/events that lead to "Leaks" should be within a "HIPS". Yes, there are now a number of firewalls that contain "HIPS", but I do (with some) question their implementation of this.

    Excellent, in what respect? Yes, they will block unsolicited inbound without a need for user interaction; beyond that, there is only the fact that they handle the lower layers, such as ARP. What protection is based on these lower layers I am uncertain, but I believe any software firewall should do this (which not all do).

    Basically yes. But other direct methods can be used.

    It would depend on what you use your PC for, and to what concern you have for others.
    If, for example, you do online banking, then maybe your banking details could be obtained by another. This may not directly result in money leaving your account, but (IMHO) another major concern is identity theft.
    For concern to others, I would see this as a PC becoming part of a botnet. This may not affect that user much (apart from loss of some bandwidth) but can be a major concern for those on the end of a DDOS from that botnet.


    You do cover a lot of ground in this last statement.
    [First, please realise, I am no expert on malware. I do look at/check what I can to monitor how these "malware" comms are made (but I can only look at the samples I have, which are actually few)]
    You mention "specialized communications protocols", I take this as some form of encryption (?), which yes is done, this would be an attempt to send out personal details (banking etc).
    Bots, for example, will make direct/indirect outbound connections, as simple as a spoofed SYN packet to take part in a DDOS attack.
    "Storm Worm", was this not directly spread via e-mail?

    If we take this down to its simplest form. Execution prevention of any unknown program can prevent such incursions. Many do compromise themselves by installing (or allowing the installation) of "bad" programs.

    A lot of techniques were unknown (or should I say,.. "not well known"). We now have code freely available for all to use and implement within their own programs, if that is what they want.
     
  8. DIgiDis

    DIgiDis Registered Member

    Joined:
    Oct 15, 2006
    Posts:
    49
    I don't find this to be very accurate. Yes, there are reported problems on the OA forum, but the OA forum is nothing like the Comodo forum, or Agnitum forum, and I probably don't even have to mention ZoneAlarm's.

    I am a new customer of the OA2 paid version, and after years of intermittent problems with Zonealarm and Outpost, OA2 is like a breath of fresh air.
     
  9. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Stem-

    Thanks for your analysis. What I am after is a balance point where the effort to achieve security is justified by the results. Of course this point is different for different folks, and there are the ultra paranoid for whom there is no balance. This balance point being variable, the best I can do is to beat the bushes until some data points can be established.

    Unfortunately, the proliferation of malware has made a simple inbound firewall plus blacklist AV inadequate in many cases. The question remains as to how far does one reasonably have to go, and where is the most benefit for the least cost and annoyance. Although not employed in a corporate IT operation, my standards are similar to theirs. The utility in question must stay quiet after initial set up, and false alarms are to be very rare.

    Not only do we have the option of HIPS, but there are also the behavioral detection systems like Threatfire, Antibot and the proactive module in Symantec Endpoint 11.
     
  10. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    In many cases yes, but I personally have found that running with a simple hardware firewall and no software protection (AV, AS, HIPS) at all has not caused me any problems. So how far does one reasonably have to go? My answer has to be not very far for many, and certainly less far than they have actually gone.

    Before the almost inevitable reply about my not being aware of contamination and becoming a part of a bot network I better explain that my system is frozen and reverts on reboot and that periodically I load on demand programs and have never found any infection. I'm not recommending this for everyone but do think that the lack of contamination over many years is of interest.
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    To a certain point, I can understand this. I personally go for minimal security software installation (layer) to give the best protection. I have been online for many years, and the only compromise I have had is what I have actually intentionally allowed. My AV has only alerted to the "leaktests" and other "malware" I have stored (and forgot to hide/compress/exclude from that AV).

    Beating bushes will bring out certain results, but of course it depends on how hard you beat the bushes, and what can be seen (and fully understood) afterwards.

    We see this why? Is this because inbound protection is not available to protect from such? Or is it more a case of what users install?
    I agree that most users are confused with alerts from HIPS/firewalls etc; maybe a better/different approach may be needed (comment?). A popup such as "dll injection" or "memory access" is meaningless to most (no disrespect).

    There are now many options/directions to take. Which is best? I am not one to say, as what works best for me (or another) will not always work best for everyone.

    We can look at all security type softwares available, from HIPS to sandbox to "freeze". This means little if a user is to download/install "bad" software.
    I know/have found users who have actually downloaded an "OS", such as XP/Vista, from P2P. Some are pre-compromised.


    For me: From a clean installation of the OS (original), install of a good packet filter firewall, a good HIPS (with learning mode on that clean system), then AV, with use of a good browser (with usual script etc control), is certainly difficult to compromise.
     
  12. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Stem-

    Your saying how hard must I beat the bushes gave me a chuckle.

    Let me explain my comment about blacklist plus simple inbound firewall being inadequate. Malware authors are modifying their programs every few days and checking the changes against the popular AVs. The zero day attack has become much more common. Furthermore, some are trying to keep the infection to a limited number of machines in the hope of delaying reporting to the AV labs. I cannot give a specific link for this, but I see reports on Slashdot from time to time.

    That is why something extra is needed. For the last couple of years the noise has been about leak proofed outbound filtering. Now there are other alternatives in the form of HIPS and behavioral analysis, or even using something like Deep Freeze to roll back frequently. The AV community appears to be going in the direction of including behavioral analysis in their testing in addition to the flat file scan.

    Stem, it appears your choice for something extra is HIPS.
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    You did bring up this analogy yourself. But yes, I did think it gives (possibly) a good description.

    You do still look at the inability of firewalls to do deep packet inspection. I have yet to see the likes of "Kaspersky" or "ZA" or "ESET" put forward such inspection. I know it can be done, so do they, but,.. it does need processing, and there is no simple/quick process to do this. (It takes system processing/memory; but, with today's PCs, an available possibility.)

    There is always "extra" needed for anything.

    HIPS is one layer.
    I block/filter inbound,.. but mainly don't install crap on my system.
    If anything would ever get to a stage of "malware connecting out",.. I would certainly disconnect. (I have said this before)
     
  14. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    A "proper detection" (the one provided by a firewall with good leaktest score) should have been something like this "wincom32.sys is trying to initiate an outbound connection using Explorer.exe". Also:
    - The sample was manually executed. A drive-by would have looked different. Almost all people (including those with strict rulesets) don't put restrictions on remote endpoints/IPs for the browser (it would drive you nuts), so if the code is injected in the browser, a "leaky" firewall won't prompt you.
    - The outbound attempt is detected because of a strict ruleset, something uncommon on most firewall rules.
    - Once the sample was given outbound access, Kerio didn't show more prompts. Clearly, the network stack was patched and/or Kerio unhooked from it.
    Perhaps Rmus has the screenshots saved somewhere.

    But, as I've said, I don't care about leaktests.
     
  15. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Stem,

    I wish I knew more about deep packet inspection and the inherent benefits. Perhaps you can point all of us to another thread around here or an article. Back when CHX-1 was supported there was a lot of interest around here in its abilities.

    I realize a $40 router can only do so much. Likewise, a software firewall designed mainly with the goal of preventing leaks can only do so much. But, what is the extra benefit of deep packet inspection vs what may simply be the minimum needed to keep today's worms out?
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I echo this. It has been argued in all of the threads discussing leak tests.

    This, of course, is the weak point in any security setup. It really requires no further comment, for each user has her/his own guidelines for determining what is "safe" to download.

    Can you find that reference? In the one I tested (courtesy of Firecat), Patch-52867.exe extracted Wincom32.sys and attempted an outbound connection using services.exe.

    Initially, Patch.exe is prevented from extracting wincom32.sys:

    [screenshot: patch_wincom32sys.gif]

    Letting it run:

    [screenshot: patch_kerio.gif]

    Kerio responds in remote code execution situations. I don't know of any Storm examples by remote code execution, so here is a different example.

    Note that to test this exploit, I had to disable security. Otherwise, the spoofed .html file, an executable, doesn't even get to download:

    http://www.urs2.net/rsj/computing/tests/bellsouth/

    The above examples do not make use of "leaktest" methods. Is it really necessary, given the proclivity for people to click on attachments? How many people out there have sophisticated security apparatus?

    How many known exploits in the wild use "leaktest" methods? I think one of the leaktest sites posts a list.

    ---
    rich
     
  17. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    I did a bit of research on deep packet inspection. Seems it allows the use of IDS signatures in the firewall. I wonder if IDS is applied in both directions and what the signatures can pick up.

    In the example of Kerio alerting on Patch-xxxx.exe, the warning that services.exe is trying to communicate would be confusing as it is a Windows component. Perhaps the timing is the giveaway. Nonetheless, it is left to the user to make a decision, and not all that many are sophisticated enough to get it right.

    I definitely agree that installing bad programs is a major source of security breaches. Free screen savers seem to be the biggest offender, but there are all sorts of tool bars and the like. This stuff is mainly associated with adware, the low impact stuff, because there is a trail back to those responsible. The main vector for the nasty malware, spam/ddos/keylogger packages, appears to be hacked websites with drive by downloads. These are both legitimate sites that have been hacked and search spam that refers the victim to another site that delivers the package.

    The distinction between low impact and nasty malware is important. Low impact malware draws civil penalties. The nasty stuff draws jail time if one is caught. The former gets to operate in the open; the latter must go to great lengths to conceal its source.
     
  18. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    My mistake :) I thought that Explorer.exe (not services.exe) attempted to connect on behalf of wincom32.sys.
    DPI also allows the use of AV signatures and other filtering. IDS signatures can catch lots of things: network probes, OS fingerprinting, web bugs, browser exploits, abnormal network traffic (FTP traffic on non-standard ports for instance), DOS attacks, etc.
    Another paradox of leaktests. Does it matter to an "advanced" user (with a finished ruleset) that services.exe, or services.exe on behalf of wincom32.sys, unexpectedly tries to phone home?
    Would Joe Sixpack answer the prompt correctly knowing that wincom32.sys and not services.exe is who really tries to connect out?
     
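    To make the port-versus-payload distinction in the post above concrete, here is an added example (not code from the thread, nor from any firewall or IDS product named in it). It classifies a handful of constructed flow records first by destination port, as a plain packet filter would, and then by the first bytes the server sent, as a DPI engine would, and reports the flows where the two disagree; that is exactly the "FTP on a non-standard port" case. The banner heuristics are simplified stand-ins for real IDS signatures, and the addresses, ports and payload bytes are all constructed for the example.

```python
"""Port-only filtering vs. payload inspection over constructed flow records.

Added example; not from the thread or from any product it mentions.
Assumes one record per connection carrying the first bytes the server sent.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first server-to-client bytes (constructed below)


# What a packet filter knows: the destination port implies a service.
PORT_SERVICE = {21: "ftp", 25: "smtp", 80: "http", 443: "https"}


def classify_by_port(flow: Flow) -> str:
    return PORT_SERVICE.get(flow.dport, "unknown")


def classify_by_payload(flow: Flow) -> str:
    """Simplified stand-in for IDS signatures: look at the application data."""
    p = flow.payload
    upper = p.upper()
    if p.startswith(b"220 ") and b"FTP" in upper:
        return "ftp"
    if p.startswith(b"220 ") and b"SMTP" in upper:   # covers ESMTP too
        return "smtp"
    if p.startswith(b"HTTP/1."):
        return "http"
    if len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03:  # TLS handshake record
        return "https"
    return "unknown"


def find_protocol_mismatches(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Flows whose payload protocol differs from what the port implies.

    A port filter alone passes these (the port is allowed or unknown); only the
    payload reveals the real service.
    """
    findings = []
    for f in flows:
        by_port = classify_by_port(f)
        by_payload = classify_by_payload(f)
        if by_payload != "unknown" and by_payload != by_port:
            findings.append((f, by_port, by_payload))
    return findings


# Constructed sample flows (documentation-range addresses, invented banners).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 80, b"HTTP/1.1 200 OK\r\n"),
    Flow("10.0.0.5", "203.0.113.20", 8080, b"220 ProFTPD Server ready\r\n"),
    Flow("10.0.0.7", "203.0.113.30", 443, b"220 mail.example ESMTP ready\r\n"),
    Flow("10.0.0.7", "203.0.113.40", 443, bytes([0x16, 0x03, 0x01, 0x00, 0x5A])),
    Flow("10.0.0.9", "203.0.113.50", 21, b"220 FTP service ready\r\n"),
]

if __name__ == "__main__":
    for f, by_port, by_payload in find_protocol_mismatches(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst}:{f.dport}: port says {by_port}, payload says {by_payload}")
```

    Only the second and third flows are flagged: FTP answered on 8080, and SMTP answered on 443. A port-based rule set that allows 443 outbound sees nothing unusual in the third flow; the packet filter is not failing, it is simply not looking at the layer where the difference lives.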
  19. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, folks:
    IMO, a leak-proofed firewall will let you sleep well at night, but does not warrant you will never get a nightmare. This reminds me of a research report; it reveals that in consuming a 10 oz BBQ steak, the intake of ill-substance is equivalent to the amount of caffeine from 40 cups of coffee. We all are aware that drinking 4 cups of coffee a day will increase the chance of getting a stroke several-fold (cannot recall how many). BBQ steak is still a leading favorite meal among folks in North America. By the same token, a firewall, leakproof or not, may not play a significant role in our daily cyberlife, but it is nice to know it. Take care.
     
  20. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Rmus,

    What app (a HIPS I assume) is that acceptable use policy screen shot from?

    Coffee is bad for you? I am toast.
     
  21. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Anti-Executable (whitelist-based HIPS) :)
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    If Joe Sixpack has a rule-based firewall, then he should know that services.exe (or svchost) connects out for DHCP and DNS, so the above alert would indicate that something is wrong, and there is only one answer to the prompt.

    Of course, at this point, he is in deep muck, since wincom32.sys is already rootkitted.

    What about less-technically savvy users who don't understand security programs or firewalls that prompt for a yes/no decision?

    You have to return to basics:

    How do you prevent?

    1) User policies regarding email. From the January ESET Threat-Blog regarding Storm:

    http://www.eset.com/threat-center/blog/?p=34
    And, more recently:

    Universities warned of Storm Worm attacks
    http://www.theregister.co.uk/2007/08/17/storm_worm_attacks/
    2) Protection from the unexpected: remote code execution; or, another user on your computer inadvertently runs an attachment:

    ==> Having other users running as a Limited User

    ==> Use simple programs which provide execution protection. Unlike many HIPS, these are Default-Deny -- there is no Yes|No Prompt -- very easy for the non-technical person to use.

    How does this pertain to LeakTests?

    http://www.securityfocus.com/news/11442
    These leak tests simulate the action of a trojan executable.

    In order to test, you have to disable your security and permit the leak test executable to run. This action violates both of the above preventative measures, which keep unauthorized executables from running.

    In the case of a simple software firewall which filters packets - all the leaktests show is the firewall fails at what it wasn't designed to do so in the first place. So, you get a leak proof firewall. Later, a new test is devised, which your firewall fails. So you wait for your firewall to update, or switch to the latest leak proof firewall, and so on...

    It all boils down to your comfort level, of course, and only you can decide what level of protection you need.

    ---
    rich
     
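    The default-deny execution protection Rmus describes is simple enough to model, so here is an added example (not code from the thread, nor from Anti-Executable or any other product mentioned in it). It enrolls hashes of constructed "known-good" images and then decides a series of constructed execution attempts: anything whose content hash is not enrolled is refused, with no yes/no prompt involved. The file paths and image bytes are invented stand-ins; the Patch-52867.exe name is taken from the thread, its bytes are constructed.

```python
"""Default-deny execution allowlist over constructed file images.

Added example; not from the thread or from any product it mentions.
Trust is keyed by content hash, never by file name or path.
"""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "known-good" images, as enrolled from a clean installation.
KNOWN_GOOD: Dict[str, bytes] = {
    r"C:\Windows\System32\services.exe": b"MZ\x90\x00constructed-services-image",
    r"C:\Windows\explorer.exe": b"MZ\x90\x00constructed-explorer-image",
}


class ExecutionAllowlist:
    def __init__(self, trusted_images: Dict[str, bytes]):
        # hash -> path at enrolment time; the path is informational only.
        self._allowed = {sha256_hex(b): p for p, b in trusted_images.items()}

    def decide(self, path: str, image: bytes) -> Tuple[str, str]:
        """Return ("allow" | "deny", reason). The default outcome is deny."""
        digest = sha256_hex(image)
        enrolled_path = self._allowed.get(digest)
        if enrolled_path is None:
            return "deny", f"{path}: hash {digest[:12]}... not on allowlist"
        return "allow", f"{path}: matches enrolled image {enrolled_path}"


def evaluate_events(policy: ExecutionAllowlist,
                    events: List[Tuple[str, bytes]]) -> List[Tuple[str, str, str]]:
    """Decide every (path, image) execution attempt; returns (path, verdict, reason)."""
    return [(path, *policy.decide(path, image)) for path, image in events]


# Constructed execution attempts.
SAMPLE_EVENTS: List[Tuple[str, bytes]] = [
    # Enrolled image at its normal path.
    (r"C:\Windows\System32\services.exe", KNOWN_GOOD[r"C:\Windows\System32\services.exe"]),
    # Same trusted bytes under a new name: still allowed, trust follows content.
    (r"C:\Temp\renamed_explorer.exe", KNOWN_GOOD[r"C:\Windows\explorer.exe"]),
    # Trusted name, altered bytes: denied, the name buys nothing.
    (r"C:\Windows\explorer.exe", b"MZ\x90\x00constructed-explorer-image-TAMPERED"),
    # Unknown dropper from an attachment (name from the thread, bytes constructed).
    (r"C:\Users\joe\Downloads\Patch-52867.exe", b"MZ\x90\x00constructed-unknown-dropper"),
    # A leaktest executable: never runs, so its outbound technique is never exercised.
    (r"C:\Users\joe\Downloads\leaktest.exe", b"MZ\x90\x00constructed-leaktest"),
]

if __name__ == "__main__":
    policy = ExecutionAllowlist(KNOWN_GOOD)
    for path, verdict, reason in evaluate_events(policy, SAMPLE_EVENTS):
        print(f"{verdict:5}  {reason}")
```

    The two points worth noticing are the third and fifth events. A tampered copy of a trusted system file is refused even though the name is one the user would recognise, and the leaktest binary never executes at all, which is why, as the post says, running such a test means first switching this kind of protection off.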
  23. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Missed your insight Rich, very good post as usual :)
     
  24. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Very interesting, Rich. The "experts" say there has been a fall-off in malware transmitted via email attachments since most ISPs and free email providers have started scanning email. It's not perfect, but it's a step in the right direction.

    It looks like there is a migration going on around here from Comodo 2.4 to Online Armor Free. As you describe, it's the search for the latest and greatest.
     
  25. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    Will be interesting to see what happens when Comodo 3 goes final, and eventually gets retested by Matousec...
     