More Feature Requests

Discussion in 'LnS English Forum' started by Phant0m, Jun 25, 2003.

Thread Status:
Not open for further replies.
  1. peterc

    peterc Registered Member

    Joined:
    Jul 18, 2004
    Posts:
    37
    Location:
    Australia
    Well, all those concepts sound like a lot to someone like myself, but if they make LnS a better firewall I'm all for it.
    peterc :)
     
  2. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I recently decided to purchase LNS and would like to see some more updates. It is a very good FW and I love how it comes with lifetime updates and how light it is compared to Sygate and others, but there is a lot it needs. Some of the things I would like to see are:

    SP2 bug fixes like incompatibility with LinkSys software and, more importantly, rebooting on shutdown. If Phant0m can do it, the creator of the software should be able to in a timely manner.

    Some sort of password protection encryption like Phant0m suggested.

    Some sort of application termination prevention (same as above).

    Another feature that is not important, but I think would be neat, is not only showing a user's IP address but their MAC address also.

    I would also like to say that I agree with all of the suggestions other users have made so far.

    Edit: Besides LNS Ban all plug-in :doubt:
     
  3. kamui

    kamui Registered Member

    Joined:
    Aug 19, 2003
    Posts:
    218
    Location:
    France
    I would like more rules for the next LnS, about 200 lol, blacklist IP (bogons) plugins and better SPI in order not to block p2p software. New icons and interface because it's old fashioned *puppy*.

    Email alert or Windows Messenger alert when there are a lot of intrusions.

    voila;)
     
  4. Access Denied

    Access Denied Registered Member

    Joined:
    Aug 8, 2003
    Posts:
    927
    Location:
    Computer Chair
    I would TRULY APPRECIATE an option you can check or leave unchecked.....

    Check this box if you are using a router. :eek:
     
  5. Igor

    Igor Guest

    It would be very good if the rules could be grouped in groups.
    For example: the group of rules "LAN", "Internet", or, say, Need For Speed...
    Then these groups of rules could be grouped in larger groups, etc., say Games....

    The application filtering could be more powerful, as it is in Sygate.
     
  6. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    *Bump*

    Just keeping this around so Frederick can easily find these during his extremely busy lifestyle and maybe even respond with his thoughts on some of these features.


    Out of the features requested in this thread:

    The following have not been implemented :mad: :

    Termination prevention (for the GUI which is nice to have around)
    Warn Safe
    Log Always
    Log Safe
    Log Connections
    Separate rulesets per driver
    Service Drop-down List
    Banned IPs
    UDP/ICMP Stateful Packet Inspection
    Allow/Block icons to indicate packet authority
    Controls for both source IP/ports & destination IP/ports
    Tying IP to port
    Application Filtering rules that can be exported/imported
    No limitations of how many rules per Application
    Controls for Local Activities (Loopback)
    a stronger enhanced ruleset
    detection/user specification of router
    grouped rules

    The following have been implemented :rolleyes: :

    SP2 bug fixes
    Stronger Password Encryption

    I believe that the following smiley expresses my deepest feelings:

    o_O
     
    Last edited: Oct 27, 2004
  7. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    UDP (much like ICMP) is a connectionless protocol, so it wouldn't be a true "stateful" analysis, hence the term "pseudo" stateful UDP. And it would be nice to see him implement "state"-related ICMP algs, for ICMP query response analysis. However, before implementing these features he should focus on enhancing the currently implemented SPI.

    As for a stronger enhanced rule-set bundled up with the Look 'n' Stop package, you probably understand Frederic's goal is to have it be compatible with everyone using different setups, but there is much that can be done and yet still be compatible with everyone. He should also have something implemented to retrieve the BOOTP and DHCP servers and have them automatically inserted into those rules to tighten them up for better ease. It wouldn't be difficult; I could easily do that with a third-party app, but I believe it is the job of the developer to implement.

    Enhancements to the Application Filtering Layer would be terrific considering Look 'n' Stop isn't a true application-filtering based software firewall, so at the moment packet-filtering strength is critical.

    I'm not convinced the Password Encryption has been improved; the only thing I see done is it isn't using the stored registry location now. When you enter the Password it saves to memory, and when you re-launch Look 'n' Stop, manually or otherwise, you have to re-enter and re-enter and re-enter the Password info every time. Any determined user could easily make an app to retrieve the password from memory, and decrypting would be a breeze.

    Regards,
    Phant0m``
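As an added illustration of what the post above calls pseudo-stateful UDP and state-related ICMP query/response analysis (this is example code written for this page, not Look 'n' Stop code): the table below remembers outbound requests and admits only an inbound reply that matches them, with an expiry. The timeouts, the `Packet` shape and the traffic in `demo()` are assumptions/constructed samples.

```python
"""Pseudo-stateful UDP/ICMP tracking; an added illustration, not Look 'n' Stop code."""
from dataclasses import dataclass

UDP_TIMEOUT = 30.0    # assumed: seconds an outbound UDP flow stays open for replies
ICMP_TIMEOUT = 5.0    # assumed: an echo reply must arrive this soon after its request


@dataclass(frozen=True)
class Packet:
    proto: str            # "udp" or "icmp"
    direction: str        # "out" (host sent it) or "in" (arrived from the network)
    local_ip: str
    remote_ip: str
    local_port: int = 0   # UDP only
    remote_port: int = 0  # UDP only
    icmp_type: int = 0    # ICMP only: 8 = echo request, 0 = echo reply
    icmp_id: int = 0      # ICMP echo identifier
    icmp_seq: int = 0     # ICMP echo sequence number


class PseudoStateTable:
    """Admit inbound UDP/ICMP only when it answers something this host sent.

    Neither protocol has a handshake, so the "state" is just a remembered
    outbound request, keyed by the tuple a genuine reply must carry, plus an
    expiry. That is why the text calls it pseudo-stateful rather than stateful.
    """

    def __init__(self):
        self._udp = {}    # (local_ip, local_port, remote_ip, remote_port) -> expiry
        self._icmp = {}   # (local_ip, remote_ip, icmp_id, icmp_seq) -> expiry

    def _expire(self, now):
        for table in (self._udp, self._icmp):
            for key in [k for k, exp in table.items() if exp <= now]:
                del table[key]

    def process(self, pkt, now):
        """Return "allow" or "block" for pkt and update the table (now = seconds)."""
        self._expire(now)
        if pkt.proto == "udp":
            key = (pkt.local_ip, pkt.local_port, pkt.remote_ip, pkt.remote_port)
            if pkt.direction == "out":
                self._udp[key] = now + UDP_TIMEOUT     # open or refresh the pseudo-flow
                return "allow"
            if key in self._udp:                       # reply to an exact 4-tuple we sent
                self._udp[key] = now + UDP_TIMEOUT
                return "allow"
            return "block"                             # unsolicited UDP
        if pkt.proto == "icmp":
            key = (pkt.local_ip, pkt.remote_ip, pkt.icmp_id, pkt.icmp_seq)
            if pkt.direction == "out" and pkt.icmp_type == 8:
                self._icmp[key] = now + ICMP_TIMEOUT   # remember the echo request
                return "allow"
            if pkt.direction == "in" and pkt.icmp_type == 0 and key in self._icmp:
                del self._icmp[key]                    # one reply per request
                return "allow"
            return "block"                             # unsolicited echo, other types
        return "block"


def demo():
    """Constructed traffic (RFC 5737 test addresses); returns the verdict list."""
    t = PseudoStateTable()
    h, dns, other, gw = "192.0.2.10", "192.0.2.53", "198.51.100.7", "192.0.2.1"
    return [
        t.process(Packet("udp", "out", h, dns, 51000, 53), 0.0),   # DNS query out
        t.process(Packet("udp", "in", h, dns, 51000, 53), 0.5),    # its answer
        t.process(Packet("udp", "in", h, other, 51000, 53), 1.0),  # other host -> block
        t.process(Packet("udp", "in", h, dns, 51000, 53), 40.0),   # after timeout -> block
        t.process(Packet("icmp", "out", h, gw, icmp_type=8, icmp_id=7, icmp_seq=1), 50.0),
        t.process(Packet("icmp", "in", h, gw, icmp_type=0, icmp_id=7, icmp_seq=1), 50.1),
        t.process(Packet("icmp", "in", h, gw, icmp_type=0, icmp_id=7, icmp_seq=1), 50.2),
    ]


if __name__ == "__main__":
    print(demo())
```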
     
  8. Arazel

    Arazel Guest

    I think you are all wasting your time here! It sure looks like Frederic could care less about our requests to improve LNS. This thread was started on June 25th, 2003.

    Can you please fill us in if you are ever going to grant any requests in this forum?

    It's been over a year and I have not seen much improvement in your firewall. Don't get me wrong, this is not an attack against you, but you are, after all, the author of LNS.

    So please tell us, do you ever read the English forum requests, or just the French ones?

    Good luck anyway with LNS. I for one have had enough of questions that go unanswered, and requests that would only make your product even better, but it seems to me you feel it is perfect as is. I will find another one. Because LNS is far from perfect! And you don't seem to care what people are asking you for.

    c'est la vie!
     
  9. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,353
    Location:
    France
    Is this a joke?
    Did you look at the history section of the help file? And did you see the features/improvements that have been made over the past year?
    All these features were requested by users either through the forum or by email.

    Initial post said:
    "Anyways this is enough for the moment; I hope you guys will carefully view and take into consideration and show your support and even e-mail Frederic requesting these features… Otherwise how else are we going to get these features if no one requests them?"

    How many users answered this post in 2003?
    Unfortunately, by email I did not receive a lot of requests about that either.

    On the other hand, many requests about HyperThreading, Port & IP in application filtering, passing more leaktests...

    Some statistics about my answers:
    - English forum: 141/479 => 0,29%
    - French Forum: 300/977 => 0,31%

    Should I apologize for 0.02% less for the English forum?
    Not serious.

    No problem with us; you are free to use another product if the proposed features are more interesting for your use.
    We did, as explained above.

    Frederic
     
  10. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Frederick, I think you should spend more time responding to people who make requests that would obviously improve your product. I am not attacking you, but when you ignore requests, or note them but do not reply, it is as if you do not care. How about looking over the feature requests that I listed in my above post and responding with your comments on them? Like when they will be implemented or why they will not be implemented.

    And I am sorry if I overlooked something; simply note that it has been implemented.

    Also, I think that you should add a "Load as service" option in the LnS configuration page.
     
  11. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,353
    Location:
    France
    Hi AJohn,

    Here are some answers.
    This is linked to the password protection. No other specific feature is useful to prevent someone from killing the Look 'n' Stop application.
    Anyway, with the "Keep Internet Filtering active" option, this part of Look 'n' Stop stays active even if the Look 'n' Stop application has been terminated.
    We will also add the same option for Application filtering, to have it still enabled even if Look 'n' Stop has been stopped.

    Another thing: protection against an application killing another application is not really the purpose of a firewall. Of course the firewall could protect itself when possible, but if you executed a malware application that is able to kill applications (firewall or other) there is another vulnerability on your system, and an antivirus or system monitoring tool is a better answer than a firewall.

    This is not directly linked to security.
    However, some improvements were already made with the !! in the Internet Filtering and the Application filtering.
    Also, about the "Safe" option, there is an anti-flood mechanism that already answers that.
    And there is already the possibility to log everything you want in the log file, or also to have a prompt dialog box for specific rules.
    If the question is to filter 2 adapters at the same time, this can be done by starting two Look 'n' Stop instances (and each can have its own ruleset).
    However, filtering two adapters at the same time is very specific and not common to all users. Usually only one adapter has to be filtered for most of the users.
    If the question is to change the ruleset depending on the adapter, using only one instance of Look 'n' Stop, this supposes you have several ways to connect to the internet. I don't see exactly why it could be important to have more rules on one adapter and not on the other one.
    If you have different uses depending on the adapter, you can anyway associate applications to rules so the rule will be enabled only if the specific application (which you are using only with a specific adapter) is connected.
    I don't really see the point here. The best way to simplify configuration for users is to propose .rie files.
    This is on the todo list for the next release.
    I don't see what extra protection it provides.
    If someone can tell me a realistic scenario where having this feature enhances the security, OK, I will consider that as something to be implemented.
    This has been improved already, not with an icon but with a + or - in the 1st row of the log.
    I'm not sure destination ports enhance the security at the application level.
    Again, if there is proof of that, it will be examined.
    Today an AND is already made between IP selection and port.
    So if you specify one port & several IPs, or several ports & one IP, it is already tied.
    What are the cases where you want to allow several IPs and several ports, and not all the ports for all the IPs? Why does this improve security?
    This is unfortunately not possible, since an application is blocked with a full pathname and since several versions of the same executable can exist (and so there is a problem with the signature).
    No real request from users about that today.
    And by the way, there is a bug just discovered a few days ago about IP range and mask that proves this feature (IP selection in application) is not really used, so this limitation is not really a problem today.
    Applications using the 127.0.0.1 address are already detected as connecting.
    That's true, the port & IP are not applied for them, simply because it generates a lot of unwanted alerts to the user, since the system is using that for its own purposes. More investigation is required here, and anyway I don't see a security risk here.
    When a ruleset becomes too strong it blocks too many things for most of the users, and the consequence is we get many complaints from users, and we have a lot of support to do to understand the specific use of each user and to adapt each ruleset to each user. This is not possible, except for some minor adaptation; a stronger ruleset is a case by case basis.
    Even today, as soon as the enhanced ruleset is enabled, many users have to contact us because some game is not working anymore...
    These are new requests to be examined.
    And other ones as per the 2.05p2 content. Even if they are not part of this list, they were asked for by users anyway.

    Frederic
     
    Last edited: Nov 13, 2004
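Added example (written for this page, not Look 'n' Stop code) of the point argued in the post above: an application-filter rule whose IP set and port set are combined with a plain AND, beside one where each IP is tied to its own ports. The scenario, the rule dictionaries and the helper names are constructed for the illustration.

```python
"""IP/port matching in an application-filter rule: ANDed sets vs tied pairs.
Added illustration of the exchange above, not Look 'n' Stop code."""
from ipaddress import ip_address, ip_network


def matches_anded(rule, dst_ip, dst_port):
    """Frederic's described semantics: the IP set AND the port set, independently."""
    ip_ok = any(ip_address(dst_ip) in net for net in rule["ips"])
    return ip_ok and dst_port in rule["ports"]


def matches_tied(rule, dst_ip, dst_port):
    """Requested semantics: each allowed endpoint is its own (network, ports) pair."""
    return any(ip_address(dst_ip) in net and dst_port in ports
               for net, ports in rule["endpoints"])


# Constructed scenario: an application that should reach host A only on 443 and
# host B only on 80. Addresses are RFC 5737 documentation ranges.
HOST_A, HOST_B = "192.0.2.10", "198.51.100.20"
ANDED = {"ips": [ip_network(HOST_A + "/32"), ip_network(HOST_B + "/32")],
         "ports": {80, 443}}
TIED = {"endpoints": [(ip_network(HOST_A + "/32"), {443}),
                      (ip_network(HOST_B + "/32"), {80})]}


def over_permitted(anded=ANDED, tied=TIED, hosts=(HOST_A, HOST_B), ports=(80, 443)):
    """(ip, port) combinations the ANDed rule lets through but the tied rule does not."""
    return [(ip, port) for ip in hosts for port in ports
            if matches_anded(anded, ip, port) and not matches_tied(tied, ip, port)]


def single_port_equivalent(hosts=(HOST_A, HOST_B), port=443):
    """Frederic's point: with one port and several IPs the two forms agree."""
    anded = {"ips": [ip_network(h + "/32") for h in hosts], "ports": {port}}
    tied = {"endpoints": [(ip_network(h + "/32"), {port}) for h in hosts]}
    return all(matches_anded(anded, h, p) == matches_tied(tied, h, p)
               for h in hosts for p in (22, 80, 443))


if __name__ == "__main__":
    print(over_permitted())          # the two surplus combinations
    print(single_port_equivalent())  # True
```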
  12. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,353
    Location:
    France
    AJohn,

    I was preparing my above answer when you posted this.
    Unfortunately I can't answer two posts at the same time...

    Frederic
     
  13. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,353
    Location:
    France
    The service is still in beta; there are still some issues with XP-SP2.
    When it is OK, sure, it will be included in the GUI of Look 'n' Stop directly.
    Versions like 2.05px are supposed to be minor updates, and in particular normally no change to the GUI in these versions (because help files, screenshots, global setup package... need to be re-worked, more time is required, a beta phase is required... this is not the purpose of p(atch) versions).

    Frederic
     
  14. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,353
    Location:
    France
    Except if there is a bug, this is not true; the password is handled as before. Only the encryption changed.
    This is only supposition...

    Anyway, a direct attack against a particular application is still possible.
    And there are many ways to do it. If a malware application is started and begins to do that (removing files, changing the registry...) there is another security vulnerability on the system, and other security applications (antivirus, system monitor) are required anyway.

    Frederic
     
  15. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Frederic is well able to defend himself, but hey guys, give him a break.

    He is not part of a Company where there are supposedly large numbers of specific support staff.

    In fact I have received a lot more help on these forums and from Frederic himself than from other much bigger Security companies that I have bought software from. Some, I could mention, have never even bothered to reply to any of my problems after my money was taken.

    I am very happy with LNS, but ALL software can be improved so let's give him time to carry out the necessary improvements which will make this firewall even better.

    My 10 francs worth :D
     
  16. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    * A security system should "try" at least to protect itself, regardless of how insignificant it may be. Frederic is right, though: when malware is executed on the local system, pretty much anything is possible, but still… In any case, to implement Application-filtering the way Look 'n' Stop packet-filtering is, to be active regardless of the GUI running, I have to say excellent! And this does show Frederic making necessary steps, thanks.

    * Indeed there is already an anti-flood mechanism, a great implementation too. And I should have been clearer, but I was asking for something that didn't work at a global scale, to specifically control a specific rule or rules which override the global control. For instance, there is a lot of traffic I like to block with certain rules, but I don't like to disable the warning flag on the rule, and I don't like it wasting a lot of resources in such little time with the warning flag enabled.

    The logging to log-file with efficient controls I find vital; the logging capabilities in general I find vital.

    If my memory serves me correctly, Look 'n' Stop "Log file" works at a global scale, and it only logs to file that which gets logged into the Look 'n' Stop Log screen?

    Many people would love to be capable of logging to file for particular rules such as server rules, and at a later time analyze those logs [log files] to identify anything suspicious, and since Look 'n' Stop doesn't have IDS or fully implemented SPI, this happens to be crucial to many.

    Logging particular rule blocks to log-file ONLY and going back and analyzing is very important to me as it is for many others, many of whom don't purchase the Look 'n' Stop firewall for reasons such as these.

    … Log Connections: This option causes TCP Connection attempts to be recorded in the log file. This is useful in recording the systems you accessed...
    This capability is not only a great addition for logging to file but optional for display in the Look 'n' Stop Log screen; if anyone actually thinks about it, they could see the benefits of this feature.

    Following is Log-Safe…

    * Separate Rulesets for Each Device - this will create a separate ruleset for each device the firewall finds on your system.
    First thing that comes to my mind is ease, and neatly organizing.
    I'm not sure of the statistics, but I know there is a great deal of people with definitely more than one NIC installed, and I personally don't see why two or more instances of Look 'n' Stop per NIC is required, taking up more system resources, additional systray area and requiring much mouse movement and mouse clicks. Implemented as one, if implemented properly, which I have no doubt you are capable of doing, it would use way fewer resources and offer much ease.

    * Service Drop-down List
    All due respect, you never think about ease, and many who really do think ease is vital. This isn't a feature request I personally care for; personally I have no need for it, but again, this is about ease.

    * UDP/ICMP Stateful Packet Inspection
    You are joking, right? I'm not going to go there….
    … You may think it is insignificant, but a lot of developers who built some very strong packet-filtering systems don't agree. I guess there are a lot of things you think are insignificant; strong and fully implemented SPI (of TCP of course…) for instance…

    * Allow/Block icons to indicate packet authority
    It sure has, thanks, and I really do mean it; it serves a great purpose.
    … And again, on behalf of ease, many don't even notice it and are still very confused; it would serve to benefit implementing icon usage to indicate authorized and blocked entries.

    * Controls for both source IP/ports & destination IP/ports
    Sure it does; it'll also fix issues with software like FTP.

    * Application Filtering rules that can be exported/imported
    If you offered better controls such as modifying the pathname for an existing app-filter list entry, this wouldn't be a problem. And so if someone had installed that software and it hasn't been installed in the default location, one could easily modify the full pathname for quick adaptation. Or have it quickly adapt to the application's full pathname upon detection of the first app using that signature, unless you are saying the full pathname plays a role in signature creation.

    * No limitations of how many rules per Application
    What falls into the "real request" category, 200 or more user requests?

    I do believe most users really don't know what they want until they have it; most don't even try to understand how this or that can benefit. And then there are many closed-minded people who stand up against, with every fibre in their body, something new wanting to be implemented, usually thinking this could degrade the quality of the product. And this leads to many not even wanting to participate on the forums; many are clueless about Message Boards, and those who aren't despise them, and those who don't merely don't care for Message Boards. And most are simply too lazy to make any efforts at all; they would rather uninstall the product than waste their valuable time with requests which normally never become implemented.

    Regardless of how many requests, and the importance and how many issues people have, it is always insignificant; look at the currently implemented SPI.

    * Controls for Local Activities (Loopback)
    Again it is always insignificant. I think the user should decide for him or herself if they want it or not; if you are worried only because of the "unwanted alerts to users" you should consider implementing a switch. All due respect, you never see a security risk, and obviously you never try to take a bit of time to try to understand the security risks.

    Many people nowadays use local proxy servers, for numerous reasons; I use one for the sole purpose of filtering web contents like many do, which alone has many benefits, security and otherwise. Proxomitron is what I use 24/7, and while I had been using Look 'n' Stop there were so many unauthorized and unnoticeable leaks merely because it offers no controls for what we call Local activities: any authorized client can "Use the system connection/proxy settings," which would offer a means to escape to the Internet through Proxomitron (…and) when phoning home; the same thing can happen with any malware wanting to send any sensitive data back home, and offer means for server-side system controls that make room for any possibility (… like controls offered in NetMeeting, pcAnywhere, etc.). Now I didn't want to have to block, i.e. configure a deny flag on the client application entry found in the app-filter list altogether (it wouldn't serve any purpose to leave the software installed if it can't function), just to avoid any form (privacy or otherwise) of leaks done by what we call "Local activity". Whether you can admit to it or not, there are many who use software that does want to phone home for reasons we don't like, and because the main functionality serves a great purpose we don't like to uninstall it but instead deny it access to specific IP/Ports. And this isn't possible for many of us who do use local proxy servers; this also corresponds with ease btw.

    Regards,
    Phant0m``
     
  17. tosbsas

    tosbsas Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    789
    Location:
    Lima, Peru
    Hey, things are getting on their way; rare times have I seen such a civilized discussion on a board :)--)) Go ahead guys, make our LnS even better

    Ruben
     
  18. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
  19. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    First of all I would like to thank you, Frederic, for taking the time to respond. The reason for my above post in the first place was to hopefully get your opinion on the requests. All we ask of you is to do this when new requests are made. Second of all I would like to thank you, Phant0m, for taking the time to explain why you believe some of the requests can benefit the security of L 'n' S. I really do hope that more of these features are implemented. I understand that you may not have a need for some of them, Frederic, but as a user of L 'n' S I can say that I do have a need for them, and I would like my firewall to be as secure as it can be. I also would like to say that I understand what you are saying about letting system security software manage threats to various security programs, but my personal opinion is that every security application should be able to hold its own in every way it can. After all, if L 'n' S gets disabled somehow it doesn't work. I realize that antivirus programs are needed and programs like Process Guard are also highly beneficial, but if you could take any extra steps towards self-preservation of L 'n' S it would be greatly appreciated.

    Thank you all for your time and GJ/GL Frederic.
     
  20. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    I like the suggestion of keeping Application Filtering Active even after LnS termination.

    However, I would rather Frederic didn't spend a lot of time working on termination protection and instead spent his time developing the other features. As you mention, AJohn, there are other products out there which can help with that problem (ProcessGuard probably being the best), and to achieve similar protection would take Frederic quite a long time. This could be better spent on other areas of LnS, where other products cannot provide the required protection.

    I'm not saying termination protection should be ignored by Frederic, but just that it should have a lower priority.
     
  21. SimonW

    SimonW Registered Member

    Joined:
    Feb 22, 2004
    Posts:
    115
    Location:
    Leicester, UK
    (Not so much an enhancement - more a design request...! :) )

    From a GUI perspective I'd like to see the 'Rule Editing' screen broken down / made easier to understand for both the experts and beginners.

    Look'n'Stop is a very good firewall, but I've got friends to whom I've recommended it who don't use it due to the complex nature of the rule creation form.

    Even just a text box that describes the rule as changes are made in the form might be good e.g.

    'Where the direction is outbound, the ethernet port is IP, the protocol is IP...' etc
     
  22. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I agree.

    Another thing that I think would improve L 'n' S is a separate page for IDS rules that is by default disabled (invisible/not installed) and when enabled is by default blank. This would be GREAT for people who wanted to customize Snort or any other IDS rules to work directly through LNS and would not affect anyone who has no need for IDS or doesn't care to use it. I know this would take some time to implement, but I personally think it would GREATLY improve L 'n' S. I can't stand using IDScenter and all those scripts that come with it after using Tiny's version of Snort IDS.

    If this could be implemented I will personally change over all Snort rules to work with L 'n' S, or maybe the IDS could be made to use the Snort rule formatting?

    Imagine L 'n' S with built in IDS (especially Snort).
     
    Last edited: Oct 29, 2004
  23. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    Does this mean we'll be seeing AJohn's IDS Rule Set (to go along with Phant0m's) in the near future ? :eek:)
     
  24. ?lowen

    ?lowen Guest

    Sure, this can be done easily! Snort and Snort rules are GPL software. So all one would have to do is implement an IDS/IPS detection engine (Snort) and have it point to the rules! This can be done in next to no time, because everything is already done! Just have to implement it into L 'n' S and add a second logging GUI (XML or HTML) and be able to auto-block intruders or just receive alerts... Tiny already has this feature down pat as an IDS/IPS, but one can take it further and make it auto-block IDS/IPS! (Realtime)... But my first request would be a better implementation of a stateful firewall, before everything else! Not stateful like.....

    cheers
    lowen
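To make concrete what "use the Snort rule formatting" in the two posts above would involve, here is an added example (written for this page; it is neither Look 'n' Stop code nor Snort itself) that parses a rule in Snort syntax and matches it against a 5-tuple plus payload. It handles only the rule header and the `msg`, `content` and `sid` options; the `VARS` bindings, the rule and the traffic in `demo()` are constructed, and the sid is in the local-rules range rather than a real Snort sid.

```python
"""Matcher for Snort-syntax rules, as an added illustration of the IDS-rules idea
above; not Look 'n' Stop code and not Snort. Handles the rule header plus the
msg, content and sid options only (plain-text content, no modifiers)."""
import re
from ipaddress import ip_address, ip_network

# Constructed variable bindings, as a host firewall would derive them from its setup.
VARS = {"$HOME_NET": ["192.0.2.0/24"], "$EXTERNAL_NET": ["!$HOME_NET"]}

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*\((?P<opts>.*)\)\s*$")
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*;')


def parse_rule(text):
    """Split one rule into header fields and an options dict (values as lists)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: " + text)
    rule = m.groupdict()
    opts = {}
    for key, val in OPT_RE.findall(rule.pop("opts")):
        opts.setdefault(key, []).append(val.strip('"'))
    rule["opts"] = opts
    return rule


def _ip_match(spec, ip):
    if spec == "any":
        return True
    if spec in VARS:                                  # expand a variable
        return any(_ip_match(s, ip) for s in VARS[spec])
    if spec.startswith("!"):                          # negation
        return not _ip_match(spec[1:], ip)
    return ip_address(ip) in ip_network(spec, strict=False)


def _port_match(spec, port):
    if spec == "any":
        return True
    if ":" in spec:                                   # range such as 1024:65535 or :1023
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def rule_matches(rule, proto, src, sport, dst, dport, payload=b""):
    """True when the 5-tuple fits the header and every content: string is in payload."""
    if rule["proto"] not in (proto, "ip"):
        return False
    hdr = (_ip_match(rule["src"], src) and _port_match(rule["sport"], sport)
           and _ip_match(rule["dst"], dst) and _port_match(rule["dport"], dport))
    if not hdr and rule["dir"] == "<>":               # bidirectional: try the reverse
        hdr = (_ip_match(rule["src"], dst) and _port_match(rule["sport"], dport)
               and _ip_match(rule["dst"], src) and _port_match(rule["dport"], sport))
    if not hdr:
        return False
    return all(c.encode() in payload for c in rule["opts"].get("content", []))


# Constructed rule in Snort syntax (sid in the local-rules range, not a real Snort sid).
RULE = parse_rule('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
                  '(msg:"WEB-MISC /etc/passwd request"; content:"/etc/passwd"; sid:1000001;)')


def demo():
    """Returns (external hit, same request from inside, benign request) verdicts."""
    ext, inside, srv = "198.51.100.7", "192.0.2.5", "192.0.2.10"
    return (rule_matches(RULE, "tcp", ext, 40000, srv, 80, b"GET /etc/passwd HTTP/1.0"),
            rule_matches(RULE, "tcp", inside, 40000, srv, 80, b"GET /etc/passwd HTTP/1.0"),
            rule_matches(RULE, "tcp", ext, 40000, srv, 80, b"GET /index.html HTTP/1.0"))


if __name__ == "__main__":
    print(RULE["action"], RULE["opts"]["msg"][0], demo())
```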
     
  25. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I also agree with that. All I was saying is that if Frederic would implement the IDS I would convert the Snort rules so that they would work with L 'n' S if necessary. If the Snort rules worked with the IDS like Tiny that would be even better. I would really like to see both these features in L 'n' S as it would make it so much better. Can only hope
    :D
     