Advantages from Advanced Rules?

Discussion in 'other firewalls' started by I_lack_commonsense, Mar 27, 2003.

Thread Status:
Not open for further replies.
  1. I_lack_commonsense

    I_lack_commonsense Registered Member

    Jan 22, 2003
    I guess before I can even start with my question, I should ask what firewall signatures do. Every so often certain software firewalls like ZA and Sygate get a signature update, and I wonder is that for updates in intrusion detection or patching or something else?

    Main Question: What advantages can be gained by setting your own advanced rules? I assume it is to further lock down certain types of communication? While I haven't looked into too many sites of advanced rules (don't really know many good ones :( ) I have looked at CrazyM's posts of advanced rules configuration and the look n stop one (both which I think are really nice), and it made me wonder... Shouldn't most firewalls now be already configured to handle some of these "advanced rule entries," especially with the newer versions and newer builds? Is it still necessary to add some of these... like the ones for Nimda, WinNuke, and Subseven?
  2. LowWaterMark

    LowWaterMark Administrator

    Aug 10, 2002
    New England
    Wow, this is a big and complicated question ILC (may I call you ILC? ;) ). I'm sure some of the expert "rules" folks will be by soon to respond...

    For myself, I'm going to take a simple path through these questions... First of all, to my knowledge, Zone Alarm has never released a 'signature update'. It has released both major and minor application updates, to either add entirely new features or to just fix bugs (the patches you mentioned). I don't know Sygate, but I know BlackIce uses known signatures in its IDS, especially to detect specific forms of network based attacks (like Code Red against a webserver).

    As far as the IDS goes... If you run a webserver and use ZAP, all you can do is either allow or block incoming port 80 connections to the web server application. That's it. BlackICE (and probably other IDS capable apps) can monitor the specific traffic on port 80 to the web server, and it can alert based upon specific traffic patterns. It can recognize 'Code Red' within the data stream. ZAP can't.

    In any case, it would seem logical that if a new Internet worm were to emerge, an IDS based product might very well release an IDS signature update for it. I know this is true in the Enterprise world for IDS products like RealSecure from ISS.

    Now, I know Sygate uses the term 'advanced rules', but I don't know about other rules based firewalls. My assumption here is that you are referring to application rules. Whether in a rules based firewall, or even advanced / custom settings in something like ZAP, yes, they are to further tweak and control exactly what an application can do.

    A good rules based firewall can control the networking capabilities of any application to a very great degree. How valuable this is, and how useful, depends entirely upon what you are trying to accomplish, and how good a rule you create. You need to understand what the application needs and what you can control, and make sure you make the rule properly to meet those two criteria.

    A simple example of tweaking an application's access levels using ZAP can be seen in this thread here: Zone Alarm Plus/Pro Program Options. Rules based firewalls can go much deeper into controlling applications than that.

    I hope this starts to address your questions,
  3. root

    root Registered Member

    Feb 19, 2002
    Missouri, USA
    Like LWM, I too am not familiar with any signature updates for firewalls such as ZA and Sygate.
    Blackice was the first of its kind, and used an IDS that was different from most other firewalls, so if LWM says it uses signatures, then that doesn't surprise me.
    Most firewalls do not rely on signatures. They work by monitoring traffic in and out of your computer to various degrees.
    The advantage of having an application AND rules based firewall is that it gives you more control in determining how different services and applications can communicate with the net and remote hosts. Advanced rules increase your ability to control traffic.
    Is this necessary? That really depends on one, your need to configure advanced rules based on your computing habits, and two, on your ability to learn how to configure advanced rules and do it with the desired results.
    One example is rules for DNS. You can set up a rule to allow TCP and UDP outgoing to remote port 53 and that will allow DNS. Some like to tighten that up by making a rule for each application that needs DNS resolving and allow that application out to remote port 53, to their ISP's DNS servers' IPs only. You see you are really limiting what is allowed.
    I think most firewalls today use the policy of block all traffic unless it is allowed, when using their normal mode. A few may still allow most traffic except what is blocked, I don't know.
    Some firewalls like ZA are configured to allow rule making the way they think the rules should work for most people and do not allow real advanced rulesets. That does not make it a poor firewall, it is just easier for some to use and is fine for those that do not care to get into making advanced rules for each and every instance of communication.
    I settled on Outpost because it has the ability to make any rule I can think of and then some. Again, is this necessary? Is it better? Depends on the user, their requirements and their skills. That's the bottom line.
    All firewalls are not equal in protection, but the leading firewalls today such as ZA, Tiny, Kerio, LNS, Sygate, and Outpost all do a pretty good job. It's nice to have a choice.
  4. Ph33r

    Ph33r Guest

    Depends on what exactly you're referring to…
    Software Firewalls with an MD5 Signature Feature ensure that a Trojan horse or similar type of malicious application cannot communicate, while Software Firewalls with an IDS (Intrusion Detection System) Feature use an engine (which needs to be updated regularly or it'll quickly become Outdated…) of some of the commonly known malicious Packets.

    Basically the idea of being capable of Authorizing or Denying by ones specifications which is more efficient depending on the user’s skill Level.

    No, it's not necessary for some of today's Software Firewalls. The fact these rules still exist is to allow the user to comprehend the types of malicious packets being Blocked by the user's Software Firewall…
  5. I_lack_commonsense

    I_lack_commonsense Registered Member

    Jan 22, 2003
    Yep you can call me ILC as long as I can call you LWM :D , oh and sorry I didn't mention your ZA configuration thread the first time around, it is very well done, I got it bookmarked this time in case I decide to go back to ZA!

    And thank you for all the other great responses.

    I'm sorry I wasn't more specific the first time about the type of firewalls. Was a lil hyper as I have been wanting to ask these questions for so long. As you probably know I was thinking more along the lines of Sygate as that is what I currently use and have been most accustomed to. That is probably why I confused ZA with the signatures :oops: , I used to use the free version of ZA.

    With Sygate for application control I usually just disallow ICMP traffic and server privileges... is that enough for a firewall like Sygate, which advertises an IDS (though I don't think it is as strong as an IDS like the one found in BI)? While I'm all for learning about advanced rules and adding them to my firewall (I have added like 15 or so, mainly for specific logging purposes) I worry more about creating a mistake in the rules. Like the warning dialog in Sygate says, these rules have priority over application settings, so I figure the more rules you add the higher the chance of creating a mistake and perhaps leaving your system open in some way. This might hold more true like root mentioned when configuring rules based on computing habits and for each application. I'm sure this is where one's experience and skill level comes into play though, as all of you have mentioned.

    A couple more questions also...
    Does it come down to IDS versus Advanced Rules, and which offers better protection? Is it possible to incorporate advanced rules that still prove to be useful with a strong IDS based firewall like Black ICE... without necessarily having to go to rules that are application specific.
  6. CrazyM

    CrazyM Firewall Expert

    Feb 9, 2002
    BC, Canada
    Hi ILC

    My understanding of how Sygate and its protection works in the processing of packets: IDS > Advanced Rules > Application Rules.

    The IDS and Advanced Rules both offer protection, but to different aspects of the packets passing through your firewall.

    The IDS as noted by others is signature based. It will process all packets entering and leaving your system and monitor for malicious activity. So even if you have a permit rule for certain communication it may block it if it detects something it considers malicious (matches a signature). LWM's example of IDS blocking Code Red (based on the content of the actual packets) if you're running a web server where your rules would allow incoming packets to local service/port 80 is one. Another example is the IDS in my version of NIS will block my ability to test systems with certain types of NMap scans as it considers these outbound packets malicious/potential outbound attack. I have to disable the IDS to do vulnerability testing with this application even though my application rules allow it.

    Advanced Rules are global and should be used to filter those communications/packets you want to explicitly permit or deny regardless of application. This could be for something like restricting DNS to your ISP's DNS servers or other system wide rules. Global block rules might also be used here if required or for logging/tracking purposes.

    As mentioned above, Advanced Rules provide you the opportunity to explicitly allow or deny specified communications/packets prior to the processing of Application Rules. This type of protection (packet filtering) is still important and different than the protection offered by IDS or Application Rules. Application Rules can then be defined as broad or strict as you choose.
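    The processing order CrazyM describes (IDS > Advanced Rules > Application Rules) and root's "ISP resolvers only" DNS rule, shown as an added Python model that is not from the thread and is not Sygate's code; the resolver addresses, application names and the IDS "signature" are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed placeholder resolver addresses (TEST-NET-3), not a real ISP's servers.
ISP_DNS = {"203.0.113.53", "203.0.113.54"}

@dataclass
class Packet:
    app: str        # local program sending or receiving the packet
    direction: str  # "out" or "in"
    proto: str      # "tcp" or "udp"
    dst_ip: str
    dst_port: int
    payload: bytes = b""

# Stage 1, IDS: content signatures checked before any rule, so a permit rule
# cannot override a match. The marker below is constructed, not a real signature.
IDS_SIGNATURES = {"constructed-worm-marker": b"CONSTRUCTED-MALICIOUS-MARKER"}

# Stage 2, Advanced (global) rules: first match wins, evaluated for every
# application before its own rules are consulted.
ADVANCED_RULES = [
    ("allow DNS to ISP resolvers only",
     lambda p: p.dst_port == 53 and p.proto in ("tcp", "udp") and p.dst_ip in ISP_DNS,
     "allow"),
    ("block DNS to any other server",
     lambda p: p.dst_port == 53,
     "deny"),
]

# Stage 3, Application rules: per-program allow list of (proto, port);
# anything not listed is denied (block-unless-allowed policy).
APP_RULES = {
    "browser.exe": {("tcp", 80), ("tcp", 443), ("udp", 53)},
}

def evaluate(p: Packet) -> tuple[str, str]:
    """Return (verdict, reason) following IDS > Advanced Rules > Application Rules."""
    for name, sig in IDS_SIGNATURES.items():
        if sig in p.payload:
            return "deny", f"IDS signature match: {name}"
    for name, match, action in ADVANCED_RULES:
        if match(p):
            return action, f"advanced rule: {name}"
    if (p.proto, p.dst_port) in APP_RULES.get(p.app, set()):
        return "allow", f"application rule for {p.app}"
    return "deny", f"no application rule for {p.app} {p.proto}/{p.dst_port}"
```

    Note that browser.exe's own rule permits UDP/53, yet a lookup sent to a non-ISP resolver is still denied, because the global rule is consulted first; this is the priority the Sygate warning dialog refers to.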


  7. Luthorcrow

    Luthorcrow Registered Member

    Nov 30, 2002
    LWM and Root, yes Sygate does use signatures for its IDS engine and it does update. The last was a little over a month ago with 1175. But then it is a FW w/an IDS feature rather than (BlackIce) an IDS engine w/a firewall feature;)
  8. TAG97

    TAG97 Registered Member

    Feb 10, 2002
    Connecticut USA