Outpost Firewall Pro 2009 Testing and Optimization Thread

Hello 2 way firewall users:

This thread is NOT a learning thread, it is a testing and optimization thread.

As before this thread is:

1. Not a product X vs product thread these are a waste of effort
2. Not offer a chance to "knock" OP or the vendor
3. Support for OP is available in their user forum and direct from the vendor's technical support

On my own systems setup, I have the firewall program that comes embedded with Outpost Firewall Pro 2009 ver. 6.5.4 (2525.381.0687) which is the paid version. Like so most 3rd party FW's, OP FW has other security features so if you like it is NOT a pure firewall.

What is posted here may or may not apply to the new Outpost Firewall Free. There is a thread here on this one https://www.wilderssecurity.com/showpost.php?p=1454667&postcount=1

As well, this thread is silent on the OP Security Suite.

Here is a portion of OP's features description of the paid version of Outpost Firewall Pro 2009:

 

ARP Attack Settings in Outpost Firewall Pro 2009 Testing and Optimization Thread

Hello Stem:

Attached are my settings for ARP Attack Protection:

Question: Do they work?

 

Re: ARP Attack Settings in Outpost Firewall Pro 2009 Testing and Optimization Thread

They didn't. I don't know now.

 

Re: ARP Attack Settings in Outpost Firewall Pro 2009 Testing and Optimization Thread

I did check earlier, and yes they do now work correctly on my setup, and will block my ARP attacks and attacks from such as netcut.
The only possible problem can be from the gateway ARP cache becoming poisoned. Normally when under ARP spoof attack I would start to ping the actual gateway to refresh the cache.


- Stem

 

Escalader, Hello and Nice Idea..improve on a great peice of
software...wonderful

 

Hello Giddyup:

Exactly.

The more transparency and testing the better for everybody vendor and users. At least that is how I see it.

Testing is the only way to uncover facts otherwise all we have is opinions.

 

Re: ARP Attack Settings in Outpost Firewall Pro 2009 Testing and Optimization Thread

Right,here are the default ICMP settings in jpg.

What changes should or can be made to these to defeat your pinging refresh test?

 

Re: ARP Attack Settings in Outpost Firewall Pro 2009 Testing and Optimization Thread

You misunderstand, or my description was not so good. The ping is part of the defense. When attacked from such tools as Netcut the ARP cache in an unprotected gateway can become poisoned (spoofed packets can also be sent direct to the gateway), this can cause connection problems even when the hosts ARP cache is correct. Pinging the gateway from the host can update the gateway cache.


- Stem

 

Stem
So what you are saying is, there are pro and cons to
having 'ARP filtering' enabled?

 

In most cases ARP protection is not needed. It is doubtful that you will come under attack inside your own home LAN, but if the protection is there, then users want to enable it and it should work correctly.The quick tests I make for the ARP spoofing is based on the attacks I have seen from the various tools that are (or where) available to anyone who could use google (or similar), so I only check a firewall against these types of attacks. However, I can craft attacks that combine various protocols with ARP that will make the firewall think it is under attack from the gateway, and the firewall will then block the gateway and the firewall will DOS itself. It is even possible that a firewall will see a gateway as an attacker simply because of normal activity from the gateway, such as if it is updating its cache and scanning the LAN.

- Stem

 

Re: ARP Attack Settings in Outpost Firewall Pro 2009 Testing and Optimization Thread

Hi Stem:

I misunderstood and assumed that the ping was part of the test attack. I have next to nada knowledge of attack testing. but maybe not, never claimed any!

At any rate, can you have a look at the OP defaults for ICMP and advise what changes you would suggest to maximize security?

 

Re: ARP Attack Settings in Outpost Firewall Pro 2009 Testing and Optimization Thread

[I presume you are on a LAN with only XP on all nodes(PCs) as I (personally) currently have issues with ICMPv6 and Teredo.]

Personally I see no problem with the settings you have. there is a setting in the attack_plugin to block ICMP fragments, if that is not enabled, then I would enable that.

- Stem

 

Re: ARP Attack Settings in Outpost Firewall Pro 2009 Testing and Optimization Thread

You presume correctly. All nodes/PC's are xp sp3 no ICMPv6.

I will check the settings again in attack plugin for the fragments in fact I will confirm the enable and post the 2 sets of settings via jpg.

The only one I blanked out was the single port scan.

 

Re: ARP Attack Settings in Outpost Firewall Pro 2009 Testing and Optimization Thread

Disable the "Port scanning", it is not needed on your own setup. Disabling that will then stop a possible FP of attack from your router if it scans the LAN for cache update.



- Stem

 

Re: ARP Attack Settings in Outpost Firewall Pro 2009 Testing and Optimization Thread

Ahhh, it was only the single port scan. All my other port scanning is enabled.

Sort of like that that movie hunt for red october 1 "ping" and 1 "ping" only.

Does your response remain the same?


note, I'm no longer on ARP attacks here so title is off a bit

 

I just tested the blocked content feature. I choose my OLB client # and the psw.

First step is entering the bank ip addy to the exclusion list so you can still do OLB.

Next I entered the data to be protected

The test I did related to email I tried to email the protected data to myself at my web email on my ISP using MS Outlook. Well 1 piece of data just evaporated the second was replaced with meaningless letters.

Then I went to the ISP site to pick the eamil up and it was the same scambled

However, when I used the ISP mail service Internet Explorer the whole attempt failed got a message IE unable to connect. In this test I tried to use the web mail to send the same data back to myself.

There are 2 ways to prevent the data , block any packet containing the data from leaving the PC and the second way is the data is replaced by ****. This 1st test was with the whole packet being blocked option the next test is going to be the replaced by *** option.

More later.

 

Very interesting

 

What happens when the private data is sent out encrypted?


- Stem

 

Hi Stem:

The quick answer is I don't know, BUT I intend to find out by asking the support folks at:

http://www.agnitum.com/support/

or the user forum.

One way I have right now of testing encrypted "protected by OP" data is to create say an encrypted attachment containing this data and repeating the email send test. At this point, I was only trying to see if the feature worked at all. It does. On https well, the jury's out. Or I could remove the banks ip from the exclusion list and see if I can log in, that will be faster.

This same issue came up on another product where the insertion of a license number in the protected data list showed that the vendor SW was "phoning home". They were caught on their own feature as their code tried to send the license number home each time product started up.

 

Question Stem, besides own network, does it also helps to protect against with 'man in the middle attacks' where the supposedly internal connection is in fact an external onea

 

Re: ARP Attack Settings in Outpost Firewall Pro 2009 Testing and Optimization Thread

Escalader, it's been my understanding over time, that if you're the only machine on the network, you only need to enable the "smart arp filtering", the other options are more for machines that are on a network with many others. Also in the attack detection exclusions, you can add your dns servers, and your router ip (gateway). That's been my understanding, anyway, but stem or manny carvhallo (spelling?) can offer much more insight I imagine.

Also under the lan settings, if you don't need them, you can uncheck netbios, nat zone, and trusted.

Under the properties of your network adapter, you can disable the protocols you don't need (client, network load balancing, printer sharing etc).

Hope this helps in some way

 

Uuuhm nope, this will not test the outpost capacity to read the e-mail before it gets into the SSL communication but the capacity to crack an attachment (not really possible).

You could simply create a free gmail account to test. It uses SSL pop/smtp.

Fax

 

It can only protected from within its own LAN, but even then there must be some check made and protection of possible DHCP/DNS spoofing.

One of my concerns as always been where a user, who could probably be connecting through an ISP LAN is informed to use a router, and most home routers do not protect against ARP/DHCP/DNS spoofing, so any protection on the host is not effective against any attacks against the router, so traffic that leaves the PC going through the router could easily be redirected to "Man in the middle"


- Stem

 

Re: ARP Attack Settings in Outpost Firewall Pro 2009 Testing and Optimization Thread

Hi Chrome:

Thanks a lot. I am sharing a router with other PC's one for sure I don't trust as it is a gaming machine. As you suggest I have already disabled netbios, nat zone and trusted. So that confirms that.

On the ARP threat, I'm leaving that to those guys you listed as ARP is above my pay grade. All I want to do ( selfish I know) is optimize the OP security give the features of my set up.

 

When data is encrypted nothing happens because it can not read encrypted data. Private data transfer only works for data sent clear.