Application filtering problem

Discussion in 'LnS English Forum' started by Thomas M, Feb 26, 2003.

Thread Status:
Not open for further replies.
  1. Ph33r

    Ph33r Guest

    Quite shocked to see such an issue here, when ConSeal PC Firewall had this Feature “Apply only when running *.exe” it worked beautifully. And this was years, and years and years back, I’m quite sure it shouldn’t be too complicate for Frederic to implement this Feature with ease considering Today’s programming enhancements.

    I don’t see why we have to Trust an Application globally, that’s non-sense. Trusting mIRC globally with its Socket Features is non-sense. If this Feature “Rule-base Application Filtering” wasn’t taking advantage of we could prevent bad mIRC script from making secrete unauthorized Connections, and this is just an example doesn’t necessary mean this is specific to mIRC because it’s not… Note: I used this Example because it doesn’t refer to mIRC containing Spyware or Trojan Infections by Default.

    Now let’s use Explorer.exe which relates to privacy issues, Explorer.exe is on all Microsoft Windows Machines by Default of Installation, it’s very important part since its Windows Shell. I don’t trust this file Explorer.exe but I still require using it unless I want to find a shell replacement. I would like to be-capable of using Explorer.exe surfing capabilities, but I have to block it at Application Filtering Level, if I had this here Feature I could specific a rule to resolve all my issues regarding Explorer.exe.

    Now there’s many popular Freeware which contains Spywares like WebFerret, KaZaa, and not so Freeware like GetRight and so forth. Do I want to Trust these Applications Authorization on Global Scale? No. What Advise giving? Trust it on global scale or don’t use… Easy as that….

    Regards,
     
  2. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    Thank you Frederic, Ph33r, Andreas(W), bluenose, lurker1 and tosbsas for your input on this topic :)

    Very much appreciated your comments and now I see much clearer about the current features of LnS! I still believe it is a very good firewall, this is why I am using it! - But here I put my name on the wish list for better control of application port filtering ! Priority level: HIGH !!!

    Thanks again,
    Thomas :)
     
  3. Ph33r

    Ph33r Guest

    Look ‘n’ Stop isn’t capable of doing comparison besides the Signatures, and so Opera 7 update contained the same Signature as Opera 6 of that I done a thorough check on… And thus is why no Look ‘n’ Stop Alerts shown up after updating… Perhaps implementing Build, Version and so forth comparisons isn’t such a bad idea… I don’t believe though for this to be a security issue, just and problem of detecting Updated Applications Executables…


    Care to explain bluenose how Opera 7 Update contained the same Signature as Opera 6, or MooSoft Live Update v1.5 - build 1058 containing the same Signature that of MooSoft Live Update v1.5 - build 1052 by Look 'n' Stop? Maybe Look ‘n’ Stop isn’t using MD5 after all?!? I really don't know this part, i'm starting to Question what Look 'n' Stop uses...
     
  4. manuangi

    manuangi Registered Member

    Joined:
    Jan 29, 2003
    Posts:
    148
    Location:
    Italy
    ...uhm...

    What an interesting discussion, thanks to this my knowledge about how things go, in LnS world, can hope for a higher rating! :)

    I COMPLETELY AGREE with the quoted Ph33s's post, I too can't find any good reason to fully & always trust any, however good, software trying to reach the outer planes! :eek:

    Many other fws have this feature...I remember using Outpost & its rule maker...you could always specify a "and when PORT NUMBER is XXXX" (or the like, I can't remember it perfectly).

    LnS rules, really! Anyway it's true I'd really like to be able to specify what ports the apps I allow to get out may use!!
    HIGH PRIORITY, Frederic!

    I have been surfing this forum for a while now, I read many posts of yours...I'm sure, as most of us as well, that it would be so easy for you to implement that feature!
     
  5. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Re:...uhm...

    Let me say first that i also think that feature to be of high priority. But then, i don't know if this can be done soooo easily. As i understand it (but actually i don't have much insight in this and am rather speculating), restricting apps to certain ports would require a completely different parsing of communications at a completely different place than does restricting the whole OS to certain ports etc. So i imagine this does mean quite some work. Maybe for some v3.0...
    Cheers,
    Andreas
     
  6. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,017
    I personally don't understand all the hype about ports !
    Once you trust an app, much more enphasis should be put IMO on restricting it to ip's, rather than trying to focus on ports only.
    For example, emailers use ports 25 & 110. As long as you restrict your client to mail servers ip's only, then no other app could try to piggyback on it as only the authorized ip's and these 2 ports are allowed.
    Not much sense to me either to authorize a blank authorization to port 80 to your browser ! As a true paranoid, each ip to port 80 has it's rule on this sys. Mind you i mainly surf to BB's and few very reputable sites, so that there was not that many rules to create. But you can't get tighter rules than that.
    Atewlier's firewall tester didn't have much chance to succeed even before Frederic came up with it's new driver.

    Fianlly, do yourself a favour a disable the rule tcp- authorize most common internet services and replace by appropriate rules for each client.
     
  7. Ph33r

    Ph33r Guest

    I personally don’t know why you find it so difficult to see the importance of this Feature, haven more efficient capabilities of securing your System to the near Maximum, restricting at an Application Level and not a Global Level, Specifying rule for Applications to only have capabilities of sending/receiving only to/from the specified source/destination port or ports.

    I’m going to be brief here; you must not do a whole lot of Exploring. There’s great deal of popular clients that offers Multi server Features which people don’t take for granted and p2p Transfer capabilities. Not everything is simple like a simple ol E-mail Client…

    This is bigger then you or I, I can’t see how you cannot see the benefits of this.
    But it doesn’t matter if you don’t applaud this Feature, and it doesn’t matter that I do, the secret word is Majority, they do…

    Not everyone revolves around your way of things, what you or I consider worse others may consider better.

     
  8. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,017
    There is nothing worse than a false sense of security. I'm not intertested in features that will provide just that and i understand Frederic's relunctance to implement that feature because of it.
    P2P ? I use it on occasion, but rules are made on the fly as needed and disabled or even deleted right after usage.
    Majority ?..............They choose ZA ! Popularity does not mean security conscious or awareness

    And just answer me this question, please :
    Is the rule TCP - authorize most common internet services active or disabled on your sys ? If it's active, then it's pointless to pursue any discussions with you on this subject.
     
  9. Ph33r

    Ph33r Guest

    Firstly it’s no worse implementing “Application Filtering” Feature into Software Firewalls; you’ve even said on many occasions that “Application Filtering” Feature gives false sense of security. However you choose to use a Software Firewall with that Feature, giving option you could use Look ‘n’ Stop Lite version but you don’t.

    But once again this isn’t about you or I, this is about the majority which had spoke in the past and in the present and will in the future which over weights your judgement on this.

    I personally get the instinct impression you only against this Feature with a hidden agenda whether it’s to score points with Frederic and/or to show how reluctant you can be in front of the public…

    Whether or not rules can be made on the fly and be Disabled and Deleted for you doesn’t matter, what matters is this Feature is more efficient which offers great enhancements in relations to Security and when it comes down to it, that’s all what matters… If you aren’t capable of seeing how beneficial this Feature is then step aside and don’t attempt to spoil it for the rest of us who been working so hard to get Frederic to implement this in from day #1.

    ZA was extremely popular type of Software Firewall, but like it or not it went under quite awhile ago, more people on Rule-based Software Firewalls then what they are on ZA type Software Firewalls.

    Besides I was in reference to Majority who was into Rule-base Software Firewalls, next time I’ll try to be quite so more detailed…

    Whether or not I use “TCP : Authorize most common Internet services” or something like has no bases, this is a Feature which will benefit widely, not only for paranoid rule-set styles but all rule-set styles. I’ll admit this Feature will be extremely beneficial in enhancing security for those who uses “TCP : Authorize most common Internet services” or something like, people who don’t have time spending making rules after rules per connection made by per client day after day after day… Copying and pasting, copying and pasting, configure, re-connecting… You may have time, but I’m sure not all has time to-do all that and so forth…

     
  10. Ph33r

    Ph33r Guest

    Here is my Idea of implementing “Rule-base Application Filtering (Rule Applies only when running/and-or/connecting with *.exe)” Feature

    #1. Only Authorized Client Applications will only be available for selection.
    #2. Adding Feature to select only 1 (starting point) Client Application in a List of Authorized Client Applications in “Rule Editing” dialog.
    #3. Rule with selected Authorized Client Application only applies to that of which had been selected and nothing more.
    #4. And of course Allowing/Denying Capabilities.
    #5. Possibly even “From” section to indicate what Application trigger the Rule (But I suppose using “Rule Description:” this might not be necessary Feature unless others find it a useful Feature…

    Now this is just my thoughts on the matter, I’m sure if anyone else has any other suggestions to add they will… ;)
     
  11. V

    V Guest

    Mickey, what if trusted site "x" is hosting a forum for security software that you use and the IP/rule used to update said software is also the one that connects to site "x" forum? What if a trojan was installed with your new update? Could happen!! ;)


    __________________

    Paranoia is complete awareness
     
  12. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,017
    This is behond any rule making or app filering abilities and has to deal with anti-trojan capabilities.

    However, for the feature that is requested in this topic, it is of utmost importance those asking for it realize the importance of the rule TCP - authorize most common internet services and that it is very much related to that request.
    Wether the feature is implemented or not, this rule does not make any sense whatsoever and should never be active .
    If there is a rule that should be disabled as soon as you install LNS, this is the one !
     
  13. V

    V Guest

    The issue isn't so simple as merits of Anti Trojan versus App Filtering there's a whole range of protection possible from adding the requested features..I previously given example how to easily bypass your IP/Port to IP/Port total security model. With requested features included in Application Filtering we would be protected from "in-the-wild" exploits that are well beyond the reach of A/T databases.

    I would rather have an A/F that protects against every imaginable way of information leakage, than totally trust after-the-fact signatures and leave the door wide open for any "new" exploit to leak out. Improved Application Filtering can only benefit all.

    __________________

    Paranoia is complete awareness
     
  14. Ph33r

    Ph33r Guest

    Well Said! ;)
     
  15. AN(t)ON

    AN(t)ON Guest

    Hi,

    I have had LnS installed for some time but discontinued using it because
    of irregularities which various contributers of this topic discribed in
    one or the other way.
    The first thing can described as what other FW makers call:
    Strong enforced application privileges. This has in my opinion something
    todo with a strong hash in both directions and other identifications.

    If the allowed applications appear in the rule only as:

    netscape.exe
    mozilla.exe
    opera.exe

    instead of:

    netscape nnnn.nnnn.nnnn
    mozilla nnnn.nnnn.nnnn
    opera nnnn.nnnn.nnnn
    opera xxxx.xxxx.xxxx

    then there is something not quite fake-save. :)

    It happened also to me, that IE sp1 was NOT identified as a new
    application.

    Another very important security layer is Stateful Packet Inspection.
    Not only to check if the packets belong to the established connection
    but also ,I guess, to the privileged application.

    It happened to me, that when DL Express was allowed the first time
    to enter the net, not one of the many connections a download manager
    establishes by natur was detected, which leaves me to believe that at
    that time the security-layer of SPI was totally deactivated.

    Occasionally I noticed also that after a disconnect after mail-fetching
    by OE, the connections-states remained as connected. As I read, SPI is
    done by caching the connection states for comparison. If something goes
    wrong there, the SPI cannot work properly anymore.
     
  16. Ph33r

    Ph33r Guest

    Nothing wrong with more Informatics, I’m open for that Enhancement. However, I don’t agree it’s an Enhancement of Security. I’m pretty sure Frederic had at one point mentioned that Look ‘n’ Stop uses MD5, has anyone ever heard of MD5 being unreliable? Anyone here thinks they have the capabilities of making a replica MD5 Signature of something else?

    Only reason Internet Explorer SP1 Executable wasn’t detected because it had the same Signature. Appears to me people would have to not Trust Applications own sources Upgrades…

    In any event I don’t believe one who attempts to go all through the work of masquerading an Application to leave out the current Version and Build and so forth Informatics.
    ++

    Absolutely, I’ve suggested ages ago to implement that Feature. Any Software Firewall with Stateful Packet Inspection Feature should also cover Trusted Applications Connections.

    TCP Stateful Packet Inspection Feature in Look ‘n’ Stop isn’t Enabled by Default of Installation…

    - Fixed unmatched quote tags that was causing page format problems - LWM
     
  17. AN(t)ON

    AN(t)ON Guest

    Hi Ph33r,

    what you are saying is to the normal person not quite clear and confuses,
    and also based on assumptions.

    I happen to use here a not very known but feature-rich legacy version
    of PGP and can by the snip of my fingers calculate the file hash
    of MD5, SHA1, SHA2 and RIPEMD160. Which I of course did for IE and IESP1.

    They ARE different; if LnS would use a decent one-way hash, it would
    have detected IE SP1.

    And as to SPI: IT WAS ENABLED!

    rgds
     
  18. Ph33r

    Ph33r Guest

    AN(t)ON I’m no normal person, I’m mentally insane person…
    I can see crystal clear, Look ‘n’ Stop sees the same Signature of MooSoft Live Update v1.5 - build 1052 as MooSoft Live Update v1.5 - build 1058 (""=dword:41b3040d), same as Signature of Opera 6.* as Opera 7.* Signature when I done comparison.

    As for SPI Feature, it’s still needs improvements. When Firstly Enabling it you must re-execute all your Client Applications, or if you Disable Internet Filtering Layer…
     
  19. Ph33r

    Ph33r Guest

    I suppose only one way to clear this up for once-and-for-all, is wait for Frederic to confirm what he’s using. ;)
     
  20. AN(t)ON

    AN(t)ON Guest

    Hi Ph33r,

    take it easy...:)

    What you have seen "crystal-clear", is proof enough, that LnS has NOT
    seen everything crystal-clear.:)

    In other words, or in the words of "bluenose"... poor checksumming.:)

    If a strong hash would have been used, also LnS would have seen the
    applications not so "foggy" through its goggles. :)

    rgds
     
  21. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    I already mentioned that the applications selected in the Internet filtering have to be allowed first in the Application filtering.
    So there is nothing bad here.

    I agree this relies on the Application Filtering checksums.

    Ok, I've understood that everyone is saying that the checksum used by LnS is not as strong as expected.

    Frederic.
     
  22. AN(t)ON

    AN(t)ON Guest

    Hi,

    just a short final from my side...

    Possibly some of the readers of this forum are asking themselves:

    Strong checksum...one-way hash? All good enough to check file-integrity?

    NO! Checksums like XORing, CRC etc. are all re-calculatable or breakable.

    A one-way hash like MD5, SHA1/2, Tandem Davies-Meyer etc. are as of
    today considered as irreversable. That's why they are also used for
    signing documents and files using PKI Structure (PGP) to check integrity.
    And of course in firewalls. ;-)

    rgds
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.