Antileak Partitioning?

Discussion in 'other firewalls' started by sded, Feb 8, 2009.

Thread Status:
Not open for further replies.
  1. sded

    sded Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    512
    Location:
    San Diego CA
    Looking at the Matousec data (again), was wondering if anyone had seen/tested the difference in antileak results with and without the HIPS associated with a firewall (where it is separable). I tried the simple Comodo Leak Tests against OA and got 330/340 with HIPS on, 110/340 with HIPS off. Saw a bunch of test CLT results here in another thread, but couldn't find that kind of comparison.
     
  2. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Leaktesting is HIPS testing rather than firewall testing, without HIPS results would be poor.

As for the test you mentioned, actually there should be 340/340, but one test (under XP) returns "error" (it seems it is stopped in a way Comodo devs didn't expect) and the test improperly scores 330. I would not recommend using this test to get a score because it is very inconsistent. On my Vista it returns 270/340 with 7 errors. 7 errors should be 7 passes.
     
  3. sded

    sded Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    512
    Location:
    San Diego CA
    Got to thinking about HIPS replacement, and wondered how generally the antileak functions are actually built into the firewall component (often things like localhost connection and browser hijacking monitoring) vs all moved to the HIPS component. Saw a couple of threads recently about possibility of removing a firewall and leaving the HIPS, replacing with another firewall and vice versa. o_O Sounds too hard to analyze; probably just have to try it. And yes, I sometimes got 340/340 in Vista, sometimes other scores. Thanks; Ed.
     
    Last edited: Feb 8, 2009
  4. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
If a firewall has an integrated HIPS system, the best security outcome is to use both components. If you are ready to sacrifice some security in favour of performance, I think it is possible to find a replacement. But I do not think that with a combo of two programs you will get a better integrated result (this is IMHO).
     
  5. sded

    sded Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    512
    Location:
    San Diego CA
    That was my answer too; it seems very hard to predict what breaking up the architecture and substituting an unmatched component might do to security. Just wondered if anyone had actually done it and had any real information on it after seeing recent threads. But I wouldn't do it. ;)
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    This is why I use Malware Defender as a firewall.

It generates zero pop-ups, allows programs to install, eats close to zero CPU cycles. It scores 110/340, but CLT is a very unreliable test; it claims victory too soon. MD protects against direct disk writes, so it scores 120/340 in this setup.

    I run MD together with an AntiVirus check at writes only (usually Avira or Avast) and with a policy Sandbox (GeSWall or DefenseWall). The policy sandboxes with MD score a 340/340 together.

Now I have no pop-ups and full protection. See attached image for explanation. It looks stupid to use a classical HIPS as a sort of smart version of Look'nStop of a few years back, but in practice it offers high security (combined with GeSWall or DefenseWall), requires no user interaction and is very CPU efficient.

This setup generates only two rules: WGATRAY (physical memory access) and IMAPI (direct disk access).

    Cheers
     
    Last edited: Feb 13, 2009
  7. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,150
But it's like using Comodo...
     
  8. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia

    Hi Ed

    I missed this thread. In OA the firewall and HIPS parts are pretty tightly combined. In fact, it would be more logical to describe the FWC as a HIPS challenge, rather than a firewall challenge.

    Most of those tests revolve around doing something tricky, and trying to connect out. The "doing something tricky" part is managed by HIPS.

We're trying to design OA to be an all-in-one security suite.


    Mike
     
  9. sded

    sded Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    512
    Location:
    San Diego CA
    Hi Mike,
That's sort of what you run into when you see threads about "can I use the firewall (or HIPS) by itself and use another HIPS (or firewall) with it?" Adding to it, but not replacing it, sure seems a lot safer. And of course Matousec is never going to run an antileak test on one of these bastardized configurations. ;) Even the not so tricky stuff, like going out through a proxy or using a browser as a proxy, can be an issue. Latest versions of some (most?) firewalls have abandoned things like parent/child checking, for example, and rely almost entirely on the HIPS to do things like monitor localhost connections or execution of another program that has internet access. But some answers to such questions here and elsewhere have been, "sure, use the firewall by itself if you want" without explaining what else still needs to be added. So I wondered about the trend to move all of that stuff out to the HIPS vs incorporating some of it in the firewall process. Not a hot topic, obviously. :)
    Ed
     
  10. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
I think the thing is, as a vendor that tries to sell an all-in-one solution, and a firewall at that, why would we expend effort on testing if our firewall with the core out works with other products in leak tests? Escalader wants to do testing like that, more power to him, but for me, I want to know how OA runs in its proper config.

The original goal of OA was always to be a single program that users could feel comfortable running... this was back in the days when people had RegDefend, ProcessGuard, BOClean installed on their PCs, plus AV, plus some firewall and maybe antispyware or tools like that.

    My plan is to make OA that product :)
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
A firewall's intention is to filter packets, that is to allow outbound info and allow the returned info, based on a system of rules, whether internal (SPI) to the firewall or custom-built rules. In its simplest form, a firewall could be seen as a control on the network card and its ability to process info, allowing the good packets and blocking the bad.

When you start looking at HIPS, you are looking at internal control of the OS, from some basic control of an application's ability to actually execute (start) to its interaction with the other applications and running processes.
Do not confuse the two, although we do see more firewall vendors moving (or having moved) to add HIPS and HIPS vendors moving (or having moved) to add firewalls. This unfortunately does not always work well.



    - Stem
     
    Last edited: Feb 22, 2009
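To make the distinction Stem draws concrete, here is a toy stateful packet filter, written as an added example for this thread and not taken from any of the products mentioned. It models the two rule sources he names: an internal state table (SPI) that lets the reply to an allowed outbound flow back in, and custom rules matched by direction, protocol, port and remote address. The `Packet` and `Rule` fields and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are constructed for the example. Note that the packet carries no process or parent-process information at all: that is exactly the OS-internal context a HIPS sees and a packet filter does not.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """One packet as the network layer sees it (constructed example fields)."""
    direction: str  # "out" or "in"
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Rule:
    """A custom-built rule; any field left as None is a wildcard (hypothetical rule format)."""
    action: str                  # "allow" or "block"
    direction: str               # "out", "in" or "any"
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    remote_ip: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.direction != "any" and self.direction != pkt.direction:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        remote = pkt.dst_ip if pkt.direction == "out" else pkt.src_ip
        if self.remote_ip is not None and self.remote_ip != remote:
            return False
        return True


FlowKey = Tuple[str, str, int, str, int]


class StatefulFilter:
    """Default-deny packet filter with a connection state table (SPI) plus custom rules."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.state: Set[FlowKey] = set()  # flows allowed out, keyed (proto, local, lport, remote, rport)

    @staticmethod
    def _flow_key(pkt: Packet) -> FlowKey:
        # Normalise so an inbound reply maps to the same key as the outbound request.
        if pkt.direction == "out":
            return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def decide(self, pkt: Packet) -> str:
        key = self._flow_key(pkt)
        # SPI: returned traffic for a flow we already allowed out is accepted without the rule list.
        if pkt.direction == "in" and key in self.state:
            return "allow"
        # Otherwise the first matching custom rule decides; nothing matching means block.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow" and pkt.direction == "out":
                    self.state.add(key)
                return rule.action
        return "block"


def run_demo() -> List[str]:
    """Feed a constructed packet sequence through the filter and return the decisions."""
    fw = StatefulFilter([
        Rule("block", "out", proto="tcp", dst_port=25),   # no direct SMTP from the host
        Rule("allow", "out", proto="tcp", dst_port=443),  # HTTPS out
        Rule("allow", "out", proto="udp", dst_port=53),   # DNS out
        # no inbound allow rules: only replies tracked in the state table get in
    ])
    local = "192.0.2.10"
    packets = [
        Packet("out", "tcp", local, 51000, "198.51.100.7", 443),   # HTTPS request
        Packet("in",  "tcp", "198.51.100.7", 443, local, 51000),   # its reply (SPI)
        Packet("in",  "tcp", "203.0.113.5", 4444, local, 3389),    # unsolicited inbound
        Packet("out", "udp", local, 52000, "198.51.100.1", 53),    # DNS query
        Packet("out", "tcp", local, 53000, "198.51.100.9", 25),    # direct SMTP attempt
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The expected sequence is allow, allow, block, allow, block: the reply on the second line gets in only because the first packet put its flow into the state table. Whether the HTTPS request was sent by a browser, by a process injected into that browser, or by a child process the browser spawned is invisible at this layer, which is why the leak tests discussed earlier in the thread are really exercising the HIPS.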
  12. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    Hello sded,

I tested DefenseWall HIPS on CLT (Comodo Leak Test). I also have OA, which is a classical HIPS and firewall software, but in every window I clicked Allow because I only wanted to test how strong DefenseWall would be in this test.
    My video:
    http://www.youtube.com/watch?v=IA7PPFLx0Pw&feature=channel_page

The result: 280/340, but please notice that most of the tests failed by DW belong to the firewall's job.

Enjoy watching.
     
    Last edited: Mar 11, 2009