Firewall evaluation by Pro

Hi,
P2P is not illegal, regardless of what the Big Brother RIAA and similars want to tell you. P2P protocols are legal. In SOME countries, using P2P to download copyrighted content MIGHT be illegal.
Using P2P will not get you infected. Downloading cracks and stuff like that might get you infected. Using P2P is no different than using Word or Notepad.
Mrk

 

You can use Payload filters with all proxies I mentioned earlier to ensure the connection/delivery of data/packets go to their perspective locations/destinations. So using deep level packet inspections with spi and payload/content filter/ IDS-IPS, you can effectively control traffic to and from the clients...

I agree that a proxy by itself can't do that, but with all the above methods, including the human factor (monitoring) can!!! ( I used to work for a Check-Point security company and they had the human factor in place, because no matter how complex the fw policy is, there is still the anomaly factor. And Astaro has that feature as well!!)

The illusion is, that these so called 'leak tests' are just marketing techniques! Easy. Let me explain something, here, when a corporation or network security specialist is tasked to implement a network schematic to have VPN, LAN or WAN hierarchy, that they consider what clients might have software that might call home or out without the permission of the network policy or the server policy. The only things they worry about is the virus factor. Which is normally centralized.. To sum up my explanation, if you have a strong fw policy in place and keep up with your AV/AT updates, surf security forums, check e-mails and visit CNN once in a while to get the latest head-lines than what does AP filter do for you?? And I still say real time attacks, whether in the wild or not would not use those (any) leak test(s) that are known. So lets say you have Outpost (sorry I am using that, because I know that is what you boast most of the time) and you pass 'ALL leak tests' are you impervious to any sort of attack from malware? I would have to say no... So speaking from my experience (had a lot of it!) and speaking with other security experts (that don't design app based fw's) playing the cat and mouse game of trying to stay ahead of the hacker/cracker in this manor is a waste of time! Meaning it does no good... So back to the original point, if you have a single client, a good fw like Mcafee, ZA, CHX-I, 8signs, ect.. is fine. But for a network I would have to say no. BTW: when the do the yearly firewall tests, (meaning network function ability/intrusion detection) of all the main headliners of firewalls, where is any of the Windows based firewalls?? Do you get my point?

 

Jazzie,
the whole problem is that you are talking about work/office network environnement. Of course, you are right about that. There's no network security expert who would prefere Outpost to hardware firewalls or centralized linux server based SPI solutions. Paranoid is talking about home users, and this is completely different situation. Generally, most members here use single client PC and big network solutions are simply not adequate in such case.
Comparing two different things will lead you nowhere.

isnogood

 

It seems rather more likely that GKWeb doesn't have the time to continually update his list and doesn't see the need to have more than a couple of common examples.

It does however take a "brave" person to describe the likes of Flux or Bagle as a "poor" example of malware. A brief perusal of Google turned up the following which list more examples:

Scheinsicherheit: Wolves In Sheep's Clothing
Securiteam: Backdoor Spotcom Analysis (this one does use port 53 to exploit rules allowing DNS, though it does not actually use DNS like the DNS-Tester leaktest).
Rootkit.com: Vanquish rootkit readme

 

Unless that content is encrypted, which will be the case for more sophisticated malware - and any https: content.

Yes, a company prepared to pay for someone to check their firewall logs (very likely a full-time job too) will catch malware activity sooner, but this is getting ever further away from the home user situation...

Please review the extra examples I list above.

Of course having a firewall capable of countering leaktests is only one part of a complete security solution and other avenues (e.g. process termination) need to be countered also. No-one is saying that good leaktest performance makes you "invulnerable" - but good leaktest performance should be regarded as necessary if an application-filtering firewall is to play a useful role in your security setup.

For a network, other considerations (like installation and configuration management, accumulation and analysis of multiple logfiles) become issues which weigh against any client-based solutions. However the need for client-side protection is still present and if you think that a network proxy will detect, let alone block, malware using leaktest techniques to piggyback encrypted content within normal browser or DNS traffic then I'll be more than happy to wait for the day when experience teaches you otherwise.

What point? There are plenty of reviews looking at Windows based firewalls if you search for them. If you are talking about "business/corporate" firewall reviews ignoring client-side protection then it is likely that they are either treating it as a separate category or taking a similarly optimistic view of the effectiveness of centralised network filtering.

 

isnogood--

If you have a single node, yes I allready commented on that aspect. Than of course it is normal to use one of those windows based fw's. And if have a SOHO network, doesn't mean you can't use corp protection! (having more than one client) And I still disagree with Pnoid2000 who is had been brain washed along with everyone else here. Leak tests show only one thing, that system bypassing and using malicious applications to circumvent a system is possible! But you don't need a slide rule to figure that out... And in real time attacks or compromises, those so called leakless firewall's would be easily compromised using OTHER techniques, not one's that are known.

There again that is not the case at hand. It still has to bypass the Gateway which is controled, by either monitoring and payload/proxy filters in place...

So in other words, home users are too stupid to figure out what log translation means! This is bs, people are smarter than you think.. Log translations, whether it is ip-port source destination is striaght forward!!!

Or one can say COULD be regarded, but not necessary and in many cases over-kill!

I never stated that a proxy alone would do this! I said if all aspects were proxied, than it makes it virtualy impossible to bypass the firewall policy, since it controls bandwidth and connections from each client(s)...

Umm, no I don't mean any reviews on windows based firewalls, I know there is a lot of them. I meant when they test SOHO/Network-Corp firewalls (no windows firewalls) they are NOT part of the scheme. For obvious reasons. I don't know any corp or networks specialist who has a Centralized firewall and have all of clients behind an app filtering firewall. Just doesn't make sence. And being optimistic about the effectiveness has been tested and proven viable... In closing this futile topic, I just want to say that I stand firm on knowing that server based firewalls, on a harded linux system is really secure. And I sleep good at night knowing my network is protected by a very good SPI security gateway like Astaro. And I am sure you stand firm with your belief that the cat and mouse game of my firewall is better than yours because it catches some exploits that someone stumbled upon! That is the illusion!!!

Take care
Jazzie

 

As an ex network admin at a big IT firm, I can say, app filtering firewalls would create havoc among clients and probably get the admins job terminated.

 

Of course not. But the real difference is not the number of nodes - one or five. What I mean is the internet usage, surfingt habits and risk are completely different for office and home users. Both have different priorities concerning network/system security. Office users, for example, won't be working as root/admin accounts. They won't download programs from any kind of websites they find during their office time, they are not allowed to install any applications and so on. They fear more external attacks, home user fear (or not) viruses, trojans, spyware, worms, which are brought to his PC by himself in general. Software firewalls, while not 100% sure, add significant protection to home security.
You say it's illusion of security; still a lot of people prefere to control net access of their apps in say 70% than in 0%. There will always be security holes and bypass methods, but better to fix what can be fixed anyway.

isnogood

 

And your proof of concept is......?