Hints on using Online Armor FW-a Learning Thread 4

Discussion in 'other firewalls' started by Escalader, Oct 26, 2007.

Thread Status:
Not open for further replies.
  1. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
The first obvious ill effect is you cannot "ping" and "traceroute". While you don't do it usually, it seems to be not a big problem. Then there can be another ill effect in case some program you run uses ICMP to check its services' online status. Default ICMP settings in OA are configured in a way that you can execute any ICMP request, but all the "responses" from your system are blocked. Thus your system is invisible from outside, still you can use ICMP. But the question appeared of why OA does not have ICMP packet direction control. For example, if you allow ping packets, then the packets can freely go in and out. For an expert this means a lack of configuration power, for a newbie this means something dangerous, but this means nothing from the security point of view. Allowing incoming ping requests doesn't mean a security hole. This is what I tried to say. What is more, those ICMP functions and directions may cause grandma's brains to blow.
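The behaviour described in this post (our own ICMP requests go out and their replies come back, while anything that would make the host answer from outside is dropped) can be modelled as a small direction-aware filter. This is an added example written for this thread, not code from Online Armor or any poster; the type numbers are the standard ICMPv4 values, and the packet fields (peer address, type, identifier) are simplified.

```python
# ICMPv4 message types (RFC 792, RFC 1256)
ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST = 0, 3, 8
ROUTER_SOLICITATION, TIME_EXCEEDED, PARAMETER_PROBLEM = 10, 11, 12
TIMESTAMP_REQUEST, TIMESTAMP_REPLY, INFO_REQUEST, INFO_REPLY = 13, 14, 15, 16

# Request types this host may send, mapped to the reply type we then expect back.
REQUEST_TO_REPLY = {ECHO_REQUEST: ECHO_REPLY, TIMESTAMP_REQUEST: TIMESTAMP_REPLY,
                    INFO_REQUEST: INFO_REPLY}
# Error messages other hosts send about traffic we originated; traceroute depends
# on TIME_EXCEEDED. Accepted unconditionally here for simplicity; a full stateful
# firewall would match them against any tracked TCP/UDP flow as well.
ERROR_TYPES = {DEST_UNREACHABLE, TIME_EXCEEDED, PARAMETER_PROBLEM}


class IcmpFilter:
    """Direction-aware ICMP policy: our requests out, their replies in, nothing else."""

    def __init__(self):
        # (peer_ip, expected_reply_type, identifier) for requests still unanswered
        self.pending = set()

    def outbound(self, dst, icmp_type, ident=0):
        if icmp_type in REQUEST_TO_REPLY:
            self.pending.add((dst, REQUEST_TO_REPLY[icmp_type], ident))
            return "allow"
        # Replies, solicitations and errors originating here are blocked, so the
        # host never announces itself from outside (the "invisible" behaviour).
        return "block"

    def inbound(self, src, icmp_type, ident=0):
        key = (src, icmp_type, ident)
        if key in self.pending:
            self.pending.discard(key)  # one reply per request; a repeat is dropped
            return "allow"
        if icmp_type in ERROR_TYPES:
            return "allow"
        # Unsolicited requests (ping from outside, router solicitation, ...) are dropped
        return "block"


def ping_exchange(fw, peer, ident):
    """Our ping out, the peer's reply back, then an unsolicited ping from the peer."""
    return [
        fw.outbound(peer, ECHO_REQUEST, ident),
        fw.inbound(peer, ECHO_REPLY, ident),
        fw.inbound(peer, ECHO_REQUEST, ident + 1),
    ]
```

The third decision in `ping_exchange` is the point of the post: with no per-direction rule, a product that "allows ping" would let that unsolicited request through too.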
     
  2. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Lundholm:

    Have a look at:

    https://www.wilderssecurity.com/showpost.php?p=1114567&postcount=103

    The way I interpret that is: in OA, if there is no rule, the connection is not allowed or is blocked. I hope this can be tested, but it exceeds my current pay scale.

    Could you help me out by posting a jpg here of your disabled services in SP2? I need to compare them with my own. This is a task for you! :D

    See ya
     
  3. Lundholm

    Lundholm Registered Member

    Joined:
    Aug 20, 2007
    Posts:
    108
    Location:
    Copenhagen, Old Zealand
    Hi Escalader,
    This is a key point in your learning process, and mine! Of course this is possible somehow, but the question is, can ordinary people do it, or is the design too complex or even buggy? And is it documented?

    I don't like the posts I have seen at the OA forum, and it seems that you are now getting into the same sort of situation. So take it easy. Small steps. :D

    I'm afraid that I can't follow your discussion on services in relation to firewall settings, so let me guess.

    I guess that you are referring to windows services hosted in SVCHOST. The rules apply to SVCHOST, i.e. to all services, right?

    So you want to know, which services are not relevant and can be blocked by a rule? hmmm, I do it the other way by defining necessary services and block the rest. And I disable services I don't want, like windows update. I only want two internet services from Windows: DHCP and DNS (and the TCP stack, of course). 4 rules?

    I'm sure that this is not what you are talking about, so let me know, but take it easy. Get some sleep. Maybe OA is stronger than you? Dangerous! :D
     
  4. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi stapp:

    Thanks for your contribution.

    Do you run that way, i.e. unticked, all the time or just to test?
    How do you deal with the autoconfig option? On or off all the time?

    If you have time to describe that, it could help the learning thread :cool:

    OT a bit but, FWIW, IMHO you made the right choice on WMP! It is one of my pet examples of frequent hidden phone homes! Unfortunately, it is not alone in this programmed by vendor behaviour.
     
  5. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    23,938
    Location:
    UK
    I think how we use options on any software program can sometimes be governed by what we want from it.

    I found it suited me to untick 'allow trusted progs to access the internet' so I could see who wanted to do what.

    Found quite a few things, like WMP, PhotoScape and of course Logitek seem to like to talk to their masters. So I block them:)

    After I have set up my programs to be as I want them, I sometimes run with that option ticked until I install something new.

    Most of the time I have the autoconfigure option ticked.
     
  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Thanks, I will add those vendors to my candidates for blocking list!


    FWIW I'm running the same way autoconfig ticked and unticked on trusted
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    OA includes a firewall; this should be filtering inbound/outbound packets. Only, you have mentioned a "Network Manager". OA is intended for a host. So why give this reference?
    We are on a thread concerning the OA firewall, not routers.
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    We are not beta-testing on this thread. We are looking at the latest full releases.
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Have you never come across an ICMP flood?
    There are other ways, via ICMP to cause system TCP/IP stack problems.

    Should users of OA simply block all ICMP to avert these possible types of problems?
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Stem:

    Using OA 2 I have set the ICMP table entries to deny in all cases.

    Thing is, how do users know that even with these settings they are blocking against these ICMP problems?

    I took a look at the windows FW one way FW settings.

    They don't quite line up with the OA 2 options. I don't mean the direction, since OA has said its denies are both directions.

    But the option descriptions are different. Differences are router solicitation, information request, information reply, parameter problem and outgoing packet too big.

    So now I'm wondering if the OA options are complete:doubt:

    What do you think?
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have not yet been able to test. OA sets the LAN as fully trusted, with no option to change this. I would need to set up with a non-private IP LAN to test; I will not do this at this point. I will wait to see if the next full release of OA gives an option to trust/not trust a LAN.
     
  12. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    This behaviour is known starting from the first release 190. The only exclusion was OAui itself. Not a big problem, I think, that the firewall autotrusts itself. So it is not correct to say "OA allows trusted programs access to the internet despite the setup". "Programs" must be replaced with "program == OAui.exe". And the last beta has it solved; I tested it personally. So is there still any space for further discussion on _this_ issue?
     
  13. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Isn't it the OS that must protect the implementation of its TCP/IP stack? In any case, if any problem exists, a bug report should be sent to the OS vendor as the first step. As for the FW, it should provide network access policy. As for working around the OS's fault, it is very questionable whether the FW should do it, as long as this fault may be fixed by the next OS fix, and the "extra code" in the FW will turn into just a senseless set of bytes in the best case.
     
  14. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Maybe so, in an ideal world. I plan for us to at least have some nice inbound packet filtering in upcoming releases... but it's late here in OZ and this is not the thread for discussing it anyway..
     
  15. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    To tell the truth, I have never experienced such a problem personally, despite the fact that I'm on a huge LAN with thousands of computers. I can concede that it is a theoretical problem, but until I see a practical complaint I just do not care. In any case I think the best way is to complain to the OS vendor. I'm for the strict roles here.
     
  16. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    This is true, it is my learning/hints thread on OA 2 paid as it is today not what was just tested in beta over at OA. Why can't these discussions be there?

    Mike, will OA 2 be getting any updates to deal with some of these things or as Stem indicated he is waiting for a new release to test?

    This is an important question for me.
     
  17. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Yes. I think I posted here already (somewhere) that we do have plans to take on board Stem's comments, particularly with inbound filtering/IDS on the firewall module.
     
  18. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Great!

    There are a number of posted upgrade ideas and comments not only from Stem.

    E.g. services monitoring at boot and startup, differentiation between local and remote ports, stop all traffic, trust/distrust the router, etc.

    For now, I think I'll pause on this learning/hints thread here, and like Stem wait until the next public release is out.

    Otherwise I'd be redoing and duplicating testing/comments on an old or about-to-be-old release.

    Move forward...:cool:
     
  19. Lundholm

    Lundholm Registered Member

    Joined:
    Aug 20, 2007
    Posts:
    108
    Location:
    Copenhagen, Old Zealand
    Not to mention the X file. Sorry, wrong thread! :cool:
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    So are you on a LAN with thousands, or are you behind a router on a private home LAN? (which would basically be a sub_LAN)


    Well, I can certainly see you are only concerned with the product within your own setup, and have no thought for other users of the product, or what problems they may face.

    If the title of the thread had been "alex_s using OA", then I may possibly agree with some of what you put forward. But as Escalader made this an open thread, for all users, then I do look at all possible setups of all possible users, and with this, all possible problems.

    Now, if we were to only look at Escalader's setup, I would again look at this differently. I know Escalader has a router and an "Alpha Shield", and as I have mentioned to him before, Internet filtering of packets is not a major concern in his setup. But, in his setup, he does not want the LAN to be trusted. So from that point, I would say that OA would only need to allow the option to not_trust the LAN ~~ in his setup.


    So, from that, I will continue to ask vendors (namely OA in this instance) to apply inbound protection/ filtering, based not on one or 2 setups, but for all possible setups.
     
  21. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    [mistake]
     
  22. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I'm on a LAN, and I have no HW router. I have a 10.x.x.x address and all the computers in the LAN have addresses in the same range. And it would be incorrect to say that I'm concerned with the product within my own setup. More correctly, I'm concerned with the product that protects me from the actual threats, not theoretical ones, which are too many, but most of them are overestimated. It is plain simple: if you tell me about such an attack that causes DoS to the Windows TCP/IP stack, I agree with you and change my mind. But until now I didn't hear about such (I mean present time, not past); this is why I do not care. And I presume we speak about an up-to-date system, not something like Windows 95.
     
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    In your setup, (as one simple example) "Spoofed ARP request" will completely DOS you.
     
  24. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Is there any exploit to demonstrate it ? I'm ready to run the test, but how ?
     
  25. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Realise that this is an attack, from one PC on LAN against another, so you will need 2 PCs on the same LAN to check this.

    There was a tool called "Netcut" that you could have used to check this, but the website is no longer available. Have a search of the web to see if you can find a download.
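On a flat 10.x.x.x LAN with no router in between, the spoofed-ARP DoS Stem refers to works by getting victims to cache a wrong MAC for another host (typically the gateway). From the defender's side the symptom is visible in ARP traffic: one IP suddenly claimed by a different MAC, or one MAC claiming several IPs. The following is an added example, not any poster's tool: an arpwatch-style check run over a constructed, tcpdump-like capture; the `gateway_ip` parameter and the log format are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample capture (simplified "is-at" ARP reply lines, not a real trace).
# The last three replies show one MAC hijacking the gateway address 10.0.0.1.
SAMPLE_ARP_LOG = """\
10.0.0.5 is-at 00:11:22:33:44:55
10.0.0.1 is-at aa:bb:cc:dd:ee:01
10.0.0.5 is-at 00:11:22:33:44:55
10.0.0.1 is-at 00:11:22:33:44:55
10.0.0.1 is-at 00:11:22:33:44:55
10.0.0.7 is-at de:ad:be:ef:00:07
"""

ARP_REPLY = re.compile(r"^(\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})$", re.I)


def find_arp_conflicts(log_text, gateway_ip=None):
    """Return (line, severity, message) alerts.

    The first MAC seen for an IP is the baseline; every later reply that claims a
    different MAC for that IP is an alert (rated high if it is the gateway), and
    a MAC that ends up claiming more than one IP is reported once at the end.
    """
    baseline = {}                 # ip -> first MAC observed
    mac_to_ips = defaultdict(set)
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = ARP_REPLY.match(line.strip())
        if not m:
            continue              # ignore who-has requests and unrelated lines
        ip, mac = m.group(1), m.group(2).lower()
        first = baseline.setdefault(ip, mac)
        if first != mac:
            sev = "high" if ip == gateway_ip else "medium"
            alerts.append((lineno, sev, f"{ip} was {first}, now claimed by {mac}"))
        mac_to_ips[mac].add(ip)
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append((0, "medium", f"{mac} claims {len(ips)} IPs: {sorted(ips)}"))
    return alerts


if __name__ == "__main__":
    for lineno, sev, msg in find_arp_conflicts(SAMPLE_ARP_LOG, gateway_ip="10.0.0.1"):
        print(f"line {lineno:>2} [{sev}] {msg}")
```

A host firewall that only filters IP packets never sees these frames, which is why the post above needs a second machine to demonstrate the effect and why static ARP entries for the gateway are the usual host-side mitigation.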
     