Behind a router: HIPS+software firewall needed?

I'm sitting behind a router, so I wanted to know what additional software should I set up on my computer (I'm using windows 7 x64)?
Will a good lightweight HIPS (assuming, e.g., defensewall HIPS or geswall) be sufficient?
Or should I also install a good pure firewall as well (e.g., LnS)?

Of course suite of 2 in 1 also is an option (OA, OP etc.), but I would prefer minimalist approach

 

here is what members thought in general on subject
https://www.wilderssecurity.com/showthread.php?t=204567

Personally, I run a FW behind a router. In this case, you will be right whatever you decide. That doesn't happen often enough in life

 

I'll never understand why people still bother with hips.

Does those extra pop-ups make them feel more secure?
Or is it that matousec tests brainwashed everyone?

A good firewall (windows is very good, if not better than most of those firewall-hips suites), a default deny policy and common sense (never run something suspicious) is all that you need.

Panagiotis

 

A router gives good protection relative to inbound connections, but NOT for outbound.

Tight control of outbound connections is another protection against the keylogger family of exploits. If the keylogger cannot call home, it cannot compromise your personal information.

An infection of your computer is inconvenient. Compromise of your personal information can be downright disastrous.

I recommend you get a firewall with strong outbound protection.

 

+1

 

hi bellgamin,,,it doesn't matter that the router has many options for inbound and outboun?,i have a westell versalink 327w...and it has that possibility.

 

Using a router with NAT is enough for any hacking attempts towards you unless you make some exceptions in the router.

Firewalls on the inside of the router can be different. For example, the windows firewall in xp would only stop inbound data. If you started a game and you were the server, it would stop inbound but no outbound. Likewise, if you have a program that gets updated whenever it runs, you could use windows firewall to stop it from receiving outside comms. I think adobe products do this.

The firewall in vista/7 are now much like the other 3rd party firewalls (OP,OA,Kerio, etc) in that they will watch for any program attempting outbound connections, and they will ask you what to do or examine rules to see if that particular process is allowed specifically defined actions.

Using a firewall to monitor outbound connections is good if you don't know what will be running. It is good if you just want to know what is happening. It is good if you want to restrict something to only certain ips or ports or protocols. It can definately help to keep tabs on what is connecting. But, you do have to trust the program you are going to allow, and often need to learn a bit to make proper rules. Most of the firewalls these days also monitor the .exe itself to make sure that a file is not compromised, and warn or disallow if it finds it has changed.

For a minimalist approach you really don't need a firewall as long as you know what is installed or should run. I personally use SBIE instead of a default-deny approach. Either way, the goal is to ensure that after you install the programs, nothing can be allowed or can effect they real system.

Firewalls are not just firewalls it seems, more like suites. Some are easier to use because you can manipulate it easier than others. Most all will provide needed protection, regardless of what all the testing and review sites tell you, at least on the level of monitoring what processes get to do with connections.

Sul.

 

If you WANT to understand, then read "Chained Exploits: Advanced Hacking Attacks from Start to Finish (Paperback)" by Keatron Evans, President and Chief Security Consultant of Blink Digital Security, and Andrew Whitaker, Director of Enterprise InfoSec and Networking for Training Camp. The entire book applies to intrusion exploits. HIPS is one of the preventive measures -- see page 260. (The "IP" in HIPS is for "Intrusion Prevention.")

Yet another good reference is "Guide to Intrusion Detection and Prevention Systems (IDPS)" by National Institute of Standards and Technology. You could start by reading Chapter 2: "Intrusion Detection and Prevention Principles".

Also, THIS downloadable PDF, from a first year college course in computer security, should give you some additional insights as to why computer professionals recommend Intrusion Prevention software, but PRIMARILY only for those home systems that manifest high risk usage coupled with the need to protect extremely sensitive information.

There are many other resources for learning more about Intrusion Prevention software -- just do a Google. It's an interesting field. I am not suggesting that every home computer needs a HIPS installed. However, HIPS software does have its uses for specific situations & circumstances.

In a well-configured HIPS, pop-ups should be rare and those which DO occur (after the HIPS learning period) should merit careful attention. If they do NOT merit such attention, then one or more of the following factors may exist:

(a) the HIPS is wrongly configured, or hasn't been sufficiently trained
&/OR
(b) the HIPS is a crappy version, or an overly complex/convoluted version, such that its use by an *average user* is inappropriate.

As to Matousec's tests & selling tactics -- they are beneath contempt. It would be foolish to let a bottom feeder's skewed tests be anything of a serious factor in selecting software for the protection of one's computer security.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Even with NAT routers, computers DO sometimes get infected.

Software firewalls can watch for trojans, viruses, keyloggers, or unauthorized legitimate software, trying to connect out. Software firewalls have the advantage that they know what is going on inside your computer, they can see WHICH program is trying to get out, and whether that specific program has changed since the last time it tried to get out. External firewalls and NAT routers generally do not do that.

IMO software firewalls provide valuable additional protection in areas NOT generally covered by home-grade NAT routers and SPI firewalls.

 

I do know about those.
And I would suggest that you also read the "Attacking Host Intrusion Prevention Systems" by Eugene Tsyrklevich.
And to take a look at this.

Software restriction policies is far more secure than any hips. (Or a hips that disallows execution alltogether and not execute a part of the code and then ask you what to do.)

Panagiotis

 

Agreed, that can be true. However, to get through a common NAT router, with the proper settings, from an unsolicited source, might be possible, but very very remote. Inbound requests are denied, quite simple.

I know, software firewalls can watch for outbound comms. The should simply be called outbound network process monitors really, because that is most of what they do when you are behind a NAT router. Inbound, even solicited, is minimal in most setups. If you are holding ports open for inbound comms, then all bets are off anyway, as now you have a potential hole to the world, and it would be wise to make sure it is under control. But then, the simplistic windows firewall could do that. So could firewalls like SoftPerfect that are not aware of applications, and also you could use IPSec to control inbound. Application aware firewalls are better because they offer much better fine tuning... but still, you have to actually be serving a port before they are truly needed.

I agree too, that many people would be better off with a firewall, to at least know what is going on, especially for trojans and keyloggers etc. But... you are making an assumption that one would get a keylogger/trojan in the first place. The idea I embrace is that I don't want those things in the first place. I don't want them, and if I do things correctly, I don't get them. And if I don't get them, I don't need AV or Firewall. Why do I want to make rules and scan files that I trust?

Granted, how you go about ensuring that you don't get any of those undesirables differs, and differs greatly. Some use HIPS and some default-deny, and some in-between. Truthfully, not everyone can do it, or maybe some can but don't want to, they would rather play with a firewall. I used to do that a few years ago.

I am not disregarding what you say or anything, but it is never as clean cut as it seems, there is always another way. Sometimes you just have to get some ideas to figure out which way you personally want to go. That is why I love this place, most of us remain polite and get to share our viewpoints, and there is plenty of ideas that can be found if you are open to it.

Sul.

 

yes online armor and many hips fail against many buffer exploit. very simple. But bellgamin like to use hips. That his problem. And nice to see you use SRP. I find this funny because I remember when you like Outpost as if it best way to protect you. When you start use SRP by way? And yes Sully right. But best way protect is default deny + contain like ssj say. So SRP/Applocker and sandboxie work nice.

 

An interesting article. He builds a paper tiger then shreds it. The HIPS methodology that he says doesn't work has largely been abandoned by modern HIPS such as Defense Wall & Online Armor.

Software restriction is simply a form of sandboxing. It's been around a long time. NOT a Windows invention by any means.

Both OA & DW each employ their own unique form of software restriction (in addition to their other intrusion prevention methods). So also do GesWall and D+ and (so I am told) BufferZone.

As to LUA, HIPS, or any singular security approach. . .
There never was a horse that couldn't be rode.
There never was a rider that couldn't be throwed.

Ergo, there is no perfect security. Layering is the way to go IMO.

 

Good show you no understand what software restriction policy is. you only read what kees say and he only use SRP for reduce to basic user. Very fun. please read more on it. It is not sandboxing. It more default deny or reducing rights. And yes we know you like OA and DW. Nice money for them.

 

So I decided to go with light pure firewall (LnS) to know what is going where
Looking and testing some HIPS to complement this set-up currently, although not yet decided if I'll use HIPS at the end of the day

 

( Quoting all bellagamin posts here ). HIPS are designed to protect from different thread what firewalls are. A lot of complex malwares - first the rootkits - can attempt a system coming from trusted web pages and web sites, port 80, " trusted " download etc....HIPS function is also control and supervise all happens in your pc. Surely even HIPS are invulnerable, so layering is the way as bellgamin said.

 

Yes ,you need a software firewall.

 

I like outpost as a firewall not as a hips (I always disabled its sandbox.sys driver); since I never liked hips.[/QUOTE]

In Windows from 2001 when I bought a windows 2000 license.

Default deny was always the way to go; if only microsoft have not instructed everyone to run their pc as admins....

Panagiotis

 

Do you have evidence for that assertion other than a 6 year old presentation?

 

It depends of how you implement it. I prefer using it as an antiexecutable.
Never said that microsoft invented it.

As I said you cannot first run a code and then try to restrict it.
It is like inviting a thief to stay in your house and expect him not to steal from you, because you lock the safe box.

Panagiotis

 

Easy task. A 14 years old vulnerability that defeates them all. http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php

Panagiotis

 

Just a bit contradictory, is it ?

 

You was the one that asked about "recent" evidence, or not?

The whole matousec case is a bit contradictory, is it not?

Panagiotis

 

Not only that, but simply answering a pop-up incorrectly (PEBKAC syndrome) will defeat a HIPS. With default deny the potential of human error is eliminated.

 

You right! Hope more person find this and learn. We repeat many time. Hope we get message finally.

 

Yes... and no. The problem still remains that (especially with UAC) people don't understand that elevating to root then does nothing to control an executable that is rogue. One could argue that if you use only default-deny, you either implicitly trust the executable before elevating, or you use some sort of scanner on it first to give some measure satisfaction that you can elevate it without fear. In one respect, HIPS should be the first thing novice users employ, because they will begin to (hopefully) learn what happens when they execute, what the program is trying to do. Just slapping them with LUA or default deny is great, until they elevate a process that is malicious.

How can you teach this stuff to people who are un-interested really? Either way, HIPS or default-deny, the real threat lies in tricking them into allowing execution or elevation. How many here really started to grasp the bigger picture of security by using something like a HIPS that forced them to see so many popups, and learn what they said? It is a royal pain to use one now, but it was a great teaching tool at first.

Sul.