Direct connection allowed

Discussion in 'LnS English Forum' started by tosbsas, Mar 8, 2003.

Thread Status:
Not open for further replies.
  1. tosbsas

    tosbsas Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    789
    Location:
    Lima, Peru
    hey there

    maybe a silly question - but what is the reason for the third option - direct connection allowed, apart from just now and just in this session?

    Which apps would you allow a direct connection?

    Ruben
     
  2. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Hi Ruben,
    To allow direct connection is to allow a program to directly connect to the net (whether only this one time or just for this session or permanently), whereas the other option would be to allow the program to launch programs which then in turn connect directly.
    Your browser uses direct connections. If you have an application launcher (e.g. with nice buttons, à la startmenu or with keyboard shortcuts), that will probably need to be allowed to launch programs which then connect (if you launch your browser with such a tool)
    In my application list, there are mostly
    - buggers that aren't allowed anything at all (iexplore.exe, winamp, media player etc.)
    - real client programs which need to connect directly, but which don't ever launch a third program that would connect (like Mailwasher, CuteFTP, Opera) and which are allowed direct connections only,
    - filemanagers which launch those application programs but which shouldn't ever need to communicate over the internet, so these are allowed indirect connections only (explorer.exe, TheWonderfulIcon),
    - finally, there are only some very few apps which do direct connections but which also occasionally launch third programs (or external modules) that in turn connect to the net. (e.g. TDS-3).

    HTHH,
    Andreas
     
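    The direct/launch distinction Andreas describes can be modelled as a small policy check. The following is an added example, not Look 'n' Stop code and not from any poster: it assumes a rule table granting each program a set of permissions ("direct" and/or "launch"), and that a connection is allowed only when the connecting program holds "direct" and, if it was started by another monitored program, that launcher holds "launch". Programs not listed are denied everything; the example policy mirrors the four categories in the post above, with the executable names chosen as constructed samples.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed permission model (not the real Look 'n' Stop implementation):
#   DIRECT - the program itself may open network connections
#   LAUNCH - the program may start other programs which then connect
DIRECT = "direct"
LAUNCH = "launch"


@dataclass
class Policy:
    # program name -> granted permissions; unlisted programs get nothing
    rules: dict = field(default_factory=dict)

    def allows(self, app: str, perm: str) -> bool:
        return perm in self.rules.get(app, set())


@dataclass
class Event:
    # A program attempting to connect. `parent` is the monitored program that
    # launched it, or None if the user started it directly.
    app: str
    parent: Optional[str] = None


def evaluate(policy: Policy, event: Event):
    """Return (allowed, reason). Both checks must pass: the connecting program
    needs DIRECT, and a launching parent (if any) needs LAUNCH."""
    if not policy.allows(event.app, DIRECT):
        return False, f"{event.app} has no direct-connection permission"
    if event.parent is not None and not policy.allows(event.parent, LAUNCH):
        return False, f"{event.parent} may not launch programs that connect"
    return True, "allowed"


# Constructed policy following the four categories in the post (sample names)
EXAMPLE_POLICY = Policy({
    "iexplore.exe": set(),          # allowed nothing at all
    "opera.exe": {DIRECT},          # real client: direct connections only
    "explorer.exe": {LAUNCH},       # file manager: indirect (launch) only
    "tds-3.exe": {DIRECT, LAUNCH},  # connects itself and launches helpers
})


def demo():
    """Run a few constructed events through the policy and return decisions."""
    events = [
        Event("opera.exe", parent="explorer.exe"),     # browser started from file manager
        Event("explorer.exe"),                         # file manager connecting itself
        Event("iexplore.exe", parent="explorer.exe"),  # launched, but denied everything
        Event("opera.exe", parent="winamp.exe"),       # launcher not allowed to launch
        Event("tds-3.exe"),                            # direct connection by a DIRECT app
    ]
    return [(e.app, e.parent, evaluate(EXAMPLE_POLICY, e)) for e in events]


if __name__ == "__main__":
    for app, parent, (ok, reason) in demo():
        print(f"{app:14} via {str(parent):14} -> {'ALLOW' if ok else 'DENY '} ({reason})")
```

    The "launch" permission only matters for the chain: a launcher with LAUNCH but no DIRECT is still refused when it tries to connect itself, which is exactly the explorer.exe case in the post.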
  3. tosbsas

    tosbsas Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    789
    Location:
    Lima, Peru
    Thanks I am getting to the ground on this :)--))

    Ruben
     
  4. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    There are good reasons to allow Explorer to connect, such as if you use its built-in FTP functionality.
     
  5. Ph33r

    Ph33r Guest

    And there are reasons why you shouldn’t, such as it being a real security hole on NT systems. Not to mention, on XP specifically, its privacy issue whenever accessing “Search \ for Files or Folders” and “Search for Computers”.
     
  6. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    If you're that concerned about giving Explorer access, I think you should be using *nix in the first place. But in any event, I don't see a problem with letting Explorer talk to FTP sites.
     
  7. Ph33r

    Ph33r Guest

    I’m using Microsoft Windows because it's beneficial to my needs, like it probably is for yours, but it doesn’t mean I’m going to like and support the idea of Microsoft privacy violations. It would be a cake-walk if Look ‘n’ Stop had a “Rule-based Application Filtering” feature…
     
  8. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Exactly. Right now, I am struggling with that very issue. With Look 'n' Stop, you have very good, powerful control over what applications can make outbound connections in the first place, but if you do allow a particular application, it's "all or nothing". The best you can do at that point, as best I can tell, is to try to get tricky with your "Internet Filtering" rules, but there is no truly good way to handle it.

    I started out trying to create a bunch of port- and protocol-limiting inbound and outbound rules, and associating them with their various applications, but it soon became totally ridiculous. It was an exercise in frustration and futility.

    So now, I have a few rules to block the known "bad stuff" (i.e. NetBIOS, RDP, SSDP, etc.), then after that it's pretty much wide open. Maybe I'm missing something, but it seems to me that's the best one can hope for with LNS 2.0.
     