Hints on using Online Armor FW-a Learning Thread 4

Discussion in 'other firewalls' started by Escalader, Oct 26, 2007.

Thread Status:
Not open for further replies.
  1. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Seems quite a good idea to automatically set internet-facing applications to Run Safer in a similar way to DefenseWall. We all probably end up doing it anyway.

    Could add it as an option during the Safety Check Wizard so that people have the choice.
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The ref was for control of the browser.
    You can look at (simplistic/basic) 3 different types of control for the browser,
    1/ where the browser can connect
    2/ What the browser is allowed to load from web pages (script etc)
    3/ How the browser can interact with the system (OS)

    For me, such options would be down to user.

    Isolating the browser does not cause problems for the OS. It can of course cause problems for windows updates. I think you need to re-read my posts.


    I think more (on a security forum) of what a compromised browser with full permissions to interact with the OS could do.

    Average users want a default installation that will give them the best protection with as little need for interaction as possible.


    I do need to look more at the "Program Guard" and the implication of treating a program/ Application as trusted. I certainly do not want my browser to have permission to basically kill my system if it was compromised.

    - Stem
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    On testbox:

    I have removed Firefox from "trusted".
    I do on that setup have the DNS client active.
    I have set Firefox as "BLOCK ~ use DNS API" but FF can still access that service.

    So yes, still a bug.
     
  4. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    It seems I didn't get you fully right the first time and fired in the wrong direction :)

    All I agree with is skipped.

    Now to the core. The whole HIPS idea (as I see it) is about not allowing trusted applications to be compromised, independently of their name and role. It may be the browser, winlogon, svchost, explorer etc. I see no difference between the browser and csrss.exe or lsass.exe, for example. Theoretically all the applications can be treated the same way - paranoid. But practically it appeared to lead to essential system slowdown and incompatibility. The trend I see in modern HIPS is to concentrate on intrusion prevention itself rather than on controlling everything.
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    But the assumption is compromise from the unknown. A compromise of the browser, which can then access the whole system, is a problem.

    OA does handle these differently; for "csrss.exe", which is a base system application, you cannot look at what options are available (hardcoded rules). I do wonder what options (as an advanced user) I am actually allowed.
     
  6. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Do you know any theoretical way to compromise a browser via a trusted application? Or via a malicious download? I do not mean old MS holes that were fixed, but current ones.
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Where is it mentioned a compromise from system to browser?
    A browser can compromise a system. If you do not know this, then you have problems.
     
  8. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Maybe you are right. But HOW can a browser compromise a system? A browser is not designed to compromise a system; it is designed to get data via the HTTP protocol. So to compromise a system the browser itself should be compromised first. And this is what I ask about. Do you know a reproducible way to compromise a browser? At least not any browser, but some particular one.
     
  9. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    @Alex - Hmmm, part of the reason OA is in existence is because of security holes in the browser and the user - old, new, real, theoretical.

    @Stem - thanks for the confirmed bug.

    As far as trusted IE goes by default - obviously, I disagree with you, otherwise this would not be the case in OA :)

    If there is some exploit of IE (be it an actual exploit or a drive-by), then IE's trust status does not matter. If the code is unknown and tries to run, OA should detect it and prevent it.

    With RunSafer enabled, any damage that could be done is limited as well. Previously, we defaulted this on - bad idea - but now I think we should alert users to this function either the first time that the app runs, or during the setup wizard.

    @Hammerman -- it's almost like you were listening to the discussion I had yesterday on this :)


    Mike
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Mike:

    IMHO (ha) OA should offer this "Hammerman" option to users to run the identified browsers in safe mode. The Moms and Aunties will not know what browsers they have, so since OA scans during the SCW, identify them for them and offer the choice to them. If they fail to choose or pick the default setting, then OA would set the option OA (you) believe in, even if I disagree with your choice :D

    PLEASE do the same for the FW interface option to trust or not to trust the LAN; it is left to the student to guess what my choice would be for that default! (This is a joke for those who take life toooooo seriously :) )
     
  11. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    OK, but shouldn't the HIPS protect a browser from compromise? I agree that in the case of a pure firewall you need a way to control connections, because you have no other way to control the browser. But OA is not only a firewall, it's also a HIPS, so this task I think should be shifted to the HIPS.
     
  12. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Alex_s:

    FWIW, IMHO OA is a HIPS and a FW. All these browsers need constraints on endpoints, ports, countries, etc., AND as you say the HIPS can control if they even run.

    In my case, as an example, I block IE 7 from even running and use FF in safe mode with the endpoint etc constraints.

    So, like many things it is both.

    But this is just my view, others have different needs and may differ! :cool: We need options to adjust to user risk profiles.
     
  13. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Don't we? :)

    What about restrictions? Global and program-based? We have them!
    If you know the scope your browser is allowed to connect to, you can set up restrictions. Isn't it enough?

    The only other way -- to alert about every new remote address. But this can hardly be implemented inside the existing concept and design without bringing inconvenience and confusion to many people, and needs, I think, an additional operation mode -- paranoid.

    The decision is Mike's, of course, but as for me I'd like OA to go ahead. And maybe I'm wrong, but I regard paranoid mode as a step aside.
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Yes I agree OA has options. My point was about adding to them so you can adjust your way and I can adjust my way! :cool:

    I don't know where the idea of alerting on every new address came from, but I would oppose that for sure. If that matters.

    I want to tell my browser what it can't do, then let it work within those restraints. I'm not sure we disagree here, we just have different ways to describe things.

    The word "paranoid" has a negative connotation for me, but I'm sure you didn't intend that?

    I prefer to talk about different risk profiles for different folks. So yes, a user may be more concerned about the security of outbound packets than another, but that doesn't make that user "paranoid". Others may want to trust all IPs, sites, SW and countries; that is their business. But I won't call them reckless.

    To know if a user is "reckless" or "overly worried" I would need to know how they intend to use the www. Only then can the settings and tools needed be defined.
     
  15. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello fellow learners and hint consumers:

    OA is now out with build 130 as the production version for those who don't know already.

    To get it, all you need do is right-click the little green shield and click on product updates, and OA will update your older version.

    But, before updating, don't forget to back up your settings, and after the update reset the Interfaces from the default of trust :'( particularly if you don't save settings. Also make sure all your shields are on under General. There is no warning to say they are off if, say, you turn one off and forget to turn it back on.

    I know I've said these things before but since I sometimes forget myself others might too!

    See ya!
     
  16. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Scans, White lists and message boxes

    OA uses white lists, mainly on files. This is different from signature-based systems.

    In the file system scan ( slooooooooo.... w) so don't say you didn't know, it does a rudimentary scan. Attached is my pop-up from that scan.

    Some users have misread the pop up as saying infected with a virus. This is not the case, some gremlin ( I do believe in them) hit the enter key after zero!

    Just thought I'd alert you guys.
     

  17. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    A Simple Rule Example

    A while back I was asked in the poll thread if I could take the time to show some rule examples for those who don't get into the guts of FW's like OA.

    I thought about this and decided why not. So I have picked a program many here at Wilders probably have that is happy to co-exist with OA. I picked spywareblaster, a freebie.

    So here goes. In OA, spywareblaster is in their white list, under the program as a trusted program. Fine, but I don't want to leave it at that as a user; I want to enhance MY PC security by applying some "rules" or restrictions to this program so that malware doesn't try to use spywareblaster as an easy route to other www places I don't want it to go to.

    I do this by restricting the TCP outbound to 1 ip for updates and by applying a country restriction as well.

    Attached are two jpgs showing these window pop-ups and what to enter.
    I know some viewers don't like this approach of restrictions BUT OA offers me the ability to do it and this thread is about hints on how to use OA.

    If this rule post has any interest shown by viewers then I might do more for the thread.

    If Stem or Mike Nash see errors in what I have posted here please correct me as that is all part of MY learning quest!

    Oh BTW, I have never understood fully why Local Host is a country either so don't ask me about it. I've done it both with and without local host ticked and nothing ever happens with it. :doubt:

    What I really want the new-to-rules readers to do is copy my rules exactly and gain courage about making their own. So try it yourself first please, then ask questions or report what happened. :cool:
     

  18. ChicknDip

    ChicknDip Registered Member

    Joined:
    Aug 15, 2007
    Posts:
    59
    We really need a much more clever popup system.

    When a program is trying to access some site, we should have the option to set "Allow to this address" without having to go to the rules and set restrictions there.
     
  19. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,750
    Location:
    EU
    Is this the option you meant? (autotrust, autoconfigure)

    Gerard
     

  20. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Do you mean like KIS firewall, one prompt for every single IP?
    Last time I started Opera with KIS 2009 beta, 26 popups for single IPs. :p
    I forgot to close all tabs. :ouch:
    I would agree with an advanced option, but please not as the default option.

    Cheers
     
  21. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    My last learning thread post was about how to restrain a particular exe in this case spywareblaster from wandering about the www.

    I did that.

    As gerardwil correctly pointed out an OA user can trust and autoconfigure as they see fit for their security policy. That is their call.

    On 90% of my exes I do exactly that, but on the www-facing exes like, say, browsers I place rules, and on all my security SW.

    No one I know on the forums advocates a pop-up for every IP. You manage via application; which ones do you want to grant www access to is the question every user needs to answer. Once the application is granted access, either by the white list or by the user, and you tick "remember my decision", you should not be asked again.

    Forget this pop-up for every IP thingie please.

    Most users don't know or even want to know, so they should IMHO allow the FW/HIPS SW to decide for them.

    In advanced mode in OA the premise is we want to tweak a bit, so I do (with help from Stem when he has the time).

    Today I'm going to post the 2nd and last rule for spywareblaster, it will deal with the ever popular subject of UDP and port 53!


    If the readers don't want to manage their exe's this way great, but this thread is for those who do!
     
  22. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    2nd and last rule for spywareblaster

    Here as promised is the jpg set with the port 53 rule for spywareblaster.

    I have the DNS client service disabled, so my addresses come from my router via the ISP-assigned IP. I may not be saying this perfectly, so Stem, if you read this, feel free to correct. My LAN is untrusted in OA.

    It all works fine.
     

  23. Eh_Greg

    Eh_Greg Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    64
    Location:
    US.
    Re: 2nd and last rule for spywareblaster

    What's up with the IEXPLORE.EXE rule allowing 0-65535 in/out? Can you explain that to me?

    Thx
     
  24. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: 2nd and last rule for spywareblaster

    Those rules are deny (blocking) rules.

    Rules in red are blocking, rules in green are allow.
     
  25. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: 2nd and last rule for spywareblaster

    Hi Eh_Greg:

    Good now I know at least some readers are actually looking at the posts! :cool:

    Stem is right (again), and although my post was about spyblaster restrictions, it also shows that I have chosen to block IEXPLORER completely. This forces my PC to use FF, which in my view is a safer browser. As well, some SW uses IE to connect out, and this hopefully prevents that from happening.

    M$'s record on security isn't the best and IE 7 although better still isn't up to snuff. I don't need it so why not block it.

    Anyway, that is my thinking on that one.

    See ya
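    To see why the red 0-65535 IEXPLORE.EXE rule Eh_Greg asked about means "blocked on every port, both directions", while the spywareblaster rules only let it reach one update IP over TCP and the router on UDP 53, here is an added toy rule evaluator. It is not Online Armor's own code or rule format; the placeholder addresses, the catch-all block for spywareblaster and first-match-wins ordering are assumptions, and the country restriction is not modelled.

```python
"""Toy evaluator for per-application firewall rules of the kind discussed in
this thread. Added example; not Online Armor's code or its rule format.
The rule set, addresses and first-match-wins semantics are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    program: str      # executable the rule belongs to
    action: str       # "allow" (shown green in OA) or "block" (shown red)
    proto: str        # "TCP", "UDP" or "*" for any
    direction: str    # "in", "out" or "*" for both
    remote: str       # CIDR the remote address must fall inside
    ports: tuple      # (low, high) remote port range; (0, 65535) = every port


def matches(rule, program, proto, direction, remote_ip, remote_port):
    """True when a connection attempt falls inside everything the rule names."""
    return (rule.program.lower() == program.lower()
            and rule.proto in ("*", proto)
            and rule.direction in ("*", direction)
            and ip_address(remote_ip) in ip_network(rule.remote)
            and rule.ports[0] <= remote_port <= rule.ports[1])


def decide(rules, program, proto, direction, remote_ip, remote_port):
    """First matching rule wins; no rule at all means the user gets a prompt."""
    for rule in rules:
        if matches(rule, program, proto, direction, remote_ip, remote_port):
            return rule.action
    return "prompt"


# Constructed rule set mirroring the thread. Addresses are placeholders
# (TEST-NET-3 for the update host, a private LAN address for the router).
UPDATE_HOST = "203.0.113.10"
ROUTER = "192.168.1.1"
RULES = [
    # IE: block every port, both directions (the red 0-65535 rule asked about)
    Rule("IEXPLORE.EXE", "block", "*", "*", "0.0.0.0/0", (0, 65535)),
    # spywareblaster: TCP out to the one update IP only
    Rule("spywareblaster.exe", "allow", "TCP", "out", UPDATE_HOST + "/32", (0, 65535)),
    # spywareblaster: UDP 53 only to the router, since the DNS client is disabled
    Rule("spywareblaster.exe", "allow", "UDP", "out", ROUTER + "/32", (53, 53)),
    # Everything else spywareblaster tries is blocked (assumed catch-all)
    Rule("spywareblaster.exe", "block", "*", "*", "0.0.0.0/0", (0, 65535)),
]
```

    A program with no rule at all falls through to "prompt", which is the OA pop-up the thread argues about; the trusted-program white list would turn that into "allow" without asking.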
     