Firewall Cocktails: Packet Filter + what

Discussion in 'other firewalls' started by Diver, Mar 12, 2005.

Thread Status:
Not open for further replies.
  1. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    There seems to be some interest around here on taking something like CHX-1, a very nice packet filter (free for personal use) and finding something to run with it that provides some application control.

    The function of a firewall is to keep bad stuff out. Only lately did the focus seem to turn to keeping private information in and possibly acting as a back up to the antivirus software by sounding an alarm when a trojan attempts to connect out.

    Finally, the fear is that the trojans will impersonate trusted applications in order to call out undetected.

    There are many reasons why a trojan will connect out, but there is only one that most of us should be afraid of. Keyloggers that might steal banking log on information are the most dangerous. Everything else is ultimately an annoyance. I suppose a trojan could search for other personal information, but that sort of intelligence seems far-fetched to me. Anyone know any differently?

    At any rate I have found that CHX-1 is rather elegant and is capable of establishing a reasonably good policy with only a few rules. That is, if you really think about what you are doing. There is no way that I am the CHX-1 rule guru of the Western world, or even Texas. But I am picking it up.

    So the question is, what else needs to be in the mix? Definitely one possibility is to run from a non admin account. Not that convenient? Well it might discourage one from changing things on a daily basis, which could extend the time between OS reinstallation....

    So, is it going to be Process Guard, Prevx, Winsonar, LnS with only the app control enabled, or something else no one has heard of? If it is free, all the better.
     
  2. MushfiQ

    MushfiQ Registered Member

    Joined:
    Jan 8, 2005
    Posts:
    131
    Diver..CHX-1 can be used with a firewall? o_O Precisely at the moment Kerio 2.15?
     
  3. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Diver - I love CHX-I and just updated my rules tonight. I do however like to know when something connects out, so my solution is JPF for now. However, if someone comes up with a little program that just watches apps for internet access and lets you allow/deny, then I'd probably go with CHX-I and that program combo.

    Most likely I'll waver back and forth between CHX-I and JPF for a while now... LNS is nice, but I don't think it's as good as the other two.
     
  4. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    CHX-I runs as a kernel service, and while it may or may not conflict with Kerio, it's probably best to just run one or the other.
     
  5. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    K-

    Things have been quiet from Jetico for 3 weeks now. It's still a work in progress. Who knows, it will be out when it is ready.

    I noticed with CHX-1 that I could write a deny rule that just let things in from a few service ports:

    inbound deny tcp remote ports not 80, 443, 110 21...

    It was not necessary to allow inbound tcp traffic from large ranges of ports. The FTP options on the thingie with stateful inspection take care of part of that. Also I realized that the p2p apps connect out on various ports in the 1024 to 5000 range, but the tcp traffic comes back to a designated server port. eMule is a bit unique in that it connects out on UDP 1024 to 5000 and the connection returns to the same ports, but that is handled well with CHX-1's stateful UDP. The UDP server port in eMule does something else entirely and does not do much unless the Kad protocol is enabled.

    Perhaps, all there is to being able to run CHX-1 is to run non admin, but then I need to research what other policy changes are needed and how to live with the system. For example, the run box on the start menu does not seem to be able to operate with a run as command. My gut feeling is too many folks are looking for a patch to allow them to run as admin and are also failing to take responsibility for what they do that can compromise a system.
     
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    I log on as Administrator here by default. It's just too much trouble to do otherwise.. While that's probably not secure, it's practical for me.

    CHX-I - I'm not sure why you want to write a deny rule for all other inbound remote ports(?). All you have to do is allow all inbound TCP/UDP and let stateful take care of what's allowed in, right? Then write a few force allow rules for inbound not handled by stateful, for example, I have to force allow my dhcp server reply since it comes from a 2nd server (not the same server that I request from).

    Yeah, Jetico is up to something. Perhaps they're taking your suggestions into account and reducing the need for prompts somehow. We shall see soon enough. :)
     
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Are there any programmers out there? Anyone care to write a simple app control program for use with CHX-I?
     
  8. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    K-

    The reason for denying ports, at least in my mind, is that there are a lot of trojans that use all sorts of ports. Go over to Gibson Research and browse through the port database. Are we just getting to think everything happens on port 80 because all the leaktests are written to use that port? Also, I have recently discovered that TCP ports 82 and 90 are being used to get around pop up blockers. Perhaps it does not matter. But all it took was one well written rule to do it.

    Just keep in mind that normal internet activity is for ports 1024 through 5000 to connect out to a server that talks on a port in the 1-1023 range. P2P I described above. And, anything that uses UDP seems to be on its own planet.

    Are you outside the USA, or are you just a night dweller?

    Jetico, who knows, it needs some things before it can be called great. It will be out when it is ready.
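    As an added illustration (not code from the thread, CHX-1 or any product named here) of the rule style Diver and Kerodo are debating above: a small stateful filter simulation with Diver's single "inbound deny tcp remote ports not 80, 443, 110, 21" rule, Kerodo's allow-all-inbound behind it, and a force-allow for a DHCP reply that arrives from a second server. Rule names, addresses and the evaluation order (state table first, then first-match rules, then default deny) are constructed assumptions, not a description of how CHX-1 orders things internally.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample policy, loosely following the thread discussion.
SERVICE_PORTS = {80, 443, 110, 21}   # remote ports Diver's deny rule exempts

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    proto: str       # "tcp" or "udp"
    remote_ip: str
    remote_port: int
    local_port: int

@dataclass
class Rule:
    action: str                        # "allow" or "deny"
    direction: str
    proto: str
    match: Callable[[Packet], bool]    # extra predicate on the packet
    name: str = ""

    def hits(self, p: Packet) -> bool:
        return p.direction == self.direction and p.proto == self.proto and self.match(p)

class StatefulFilter:
    """State table checked first, then a first-match rule list, then default deny
    (assumed order for this example, not a claim about CHX-1)."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()   # (proto, remote_ip, remote_port, local_port) of outbound flows
        self.log = []

    def decide(self, p: Packet) -> str:
        key = (p.proto, p.remote_ip, p.remote_port, p.local_port)
        if p.direction == "out":
            self.state.add(key)          # remember the flow so its replies can return
            return "allow"
        if key in self.state:            # stateful: reply to something we started
            return "allow"
        for r in self.rules:             # unsolicited inbound: first matching rule wins
            if r.hits(p):
                self.log.append(f"{r.action} by '{r.name}': {p}")
                return r.action
        return "deny"                    # nothing matched: default deny

POLICY = [
    # Kerodo's force-allow: DHCP reply (server port 67 -> client port 68) from a server
    # other than the one the request went to, so no state entry exists for it
    Rule("allow", "in", "udp", lambda p: p.remote_port == 67 and p.local_port == 68, "dhcp reply"),
    # Diver's rule: inbound deny tcp remote ports not 80, 443, 110, 21
    Rule("deny", "in", "tcp", lambda p: p.remote_port not in SERVICE_PORTS, "deny non-service remote ports"),
    # Kerodo's allow-all-inbound; with the deny above in front, only service-port sources reach it
    Rule("allow", "in", "tcp", lambda p: True, "allow inbound tcp"),
]

def run_scenarios() -> dict:
    """Constructed traffic (TEST-NET addresses) run through the policy."""
    fw = StatefulFilter(POLICY)
    results = {}
    # P2P: connect out from an ephemeral port to a peer's server port 6881; reply allowed by state
    fw.decide(Packet("out", "tcp", "198.51.100.7", 6881, 3456))
    results["p2p reply"] = fw.decide(Packet("in", "tcp", "198.51.100.7", 6881, 3456))
    # eMule-style UDP: out from 4672 to 4672, the answer returns to the same ports
    fw.decide(Packet("out", "udp", "198.51.100.9", 4672, 4672))
    results["emule udp reply"] = fw.decide(Packet("in", "udp", "198.51.100.9", 4672, 4672))
    # DHCP: Discover went to broadcast, Offer comes back from 192.0.2.1 (force-allow needed)
    fw.decide(Packet("out", "udp", "255.255.255.255", 67, 68))
    results["dhcp offer"] = fw.decide(Packet("in", "udp", "192.0.2.1", 67, 68))
    # Unsolicited inbound from a random high remote port: caught by Diver's deny rule
    results["unsolicited 4444"] = fw.decide(Packet("in", "tcp", "203.0.113.5", 4444, 1337))
    # Unsolicited inbound whose source port happens to be 80 passes the source-port rule and
    # reaches the allow-all; replacing that allow-all with the default deny is the check that closes it
    results["unsolicited src 80"] = fw.decide(Packet("in", "tcp", "203.0.113.5", 80, 1337))
    return results
```

The last scenario is the point of the "allow all inbound and let stateful handle it" versus "one deny rule" debate: the state table, not the source-port list, is what distinguishes a reply from an unsolicited packet.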
     
  9. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Am I outside the US? Nope, I'm in California. I am a night dweller though. My usual hours are: up by 11am and down by 5am.

    I'm NOT what you would call an early riser... :D

    I see what you're doing with the CHX-I ports now.. Ok...
     
  10. ghost16825

    ghost16825 Registered Member

    Joined:
    Feb 1, 2005
    Posts:
    84
    First of all it's important which of these you (might) want to achieve:

    1. Control traffic for any application, with little emphasis on what network access is given.
    2. Control traffic outbound and inbound with no regard to application only the port numbers, protocol etc.
    3. Allow or stop applications from running, regardless of whether they try to get network access.
    4. Have extensive control over which applications and what process calls are allowed to execute, regardless of their network access status.
    5. Have detailed control of network traffic by application (regardless of whether it is allowed to run)
    6. A combination of some of these.

    It should be noted that it is quite possible with a full-application sandbox (which doesn't take into account network access) to defeat nearly all malware completely, if full control is deferred to you and you know what is or what isn't normal behaviour. (How 'silent' such a sandbox will be is a different story. Of course how often you make the right decision is also something else...)

    Now the tricky part:
    Determining what the security application actually does.

    Let's start with Process Guard. Originally the sole purpose of this program was to protect a list of applications from termination. Then keylogging detection and now ...?
    Even still, I would not classify this as an 'application-control' program.

    Next, you mentioned Prevx.
    Choose whatever security phrases you like to describe the 'system' it uses. It seems like part definition scanning technology and anomaly-based IPS protection which encompasses partly application and partly network components. I would not classify this as an 'application-control' program either.

    Winsonar - no idea. I believe it is a network active IDS with some program control tacked on. Is it an 'application control' program? Yes, but what control is involved I do not know.

    LnS - an application which can be divided into completely separate functions apparently. The 'program-only' component could be classified as 'application control'.

    Now I add my own:
    Abtrusion Protector - Stops new executables (excluding .bats) from being run. Is it application control? Somewhat....
    SSM - full application sandbox, including process calls. 'Application-control' but perhaps far too much control than you are after.
    Windows Group Policy - Choose which program can run or not. No prompts. Basic 'application-control'.
    Not free:
    Tiny Personal Firewall - full application sandbox with semi-process-call control, with full firewall capabilities tied to application.

    Pick a number...
     
  11. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Ghost,

    That is a very thought provoking post.

    By way of background I have been trialing/testing a variety of firewalls. Some with other security features, some without. About the only ones that I like at this point are CHX-1 and Kerio 2.15.

    The first question is really to define the goal. What are we trying to protect against and what are we going to have to give up to obtain that protection?

    For example, CHX-1 does the traditional job of a firewall by keeping unsolicited connections and worms out. The user gives up very little in the way of resources. It is ideal in that it does its job invisibly, so the user gives up nothing unless you count the amount of time it takes to learn how to use CHX-1. It is a brain teaser, as its power is not obvious at first. A lot of the same things can be said of Kerio 2.15.

    Note that I am trying to not think along the lines of the 6 numbered items you have above. The objective is to guard against threats beyond those addressed by the traditional firewall function and AV/AT.

    Obviously, this calls for a definition of the term "threat". This is far harder to define than it seems at first.

    The first specification is that it is something that has more than a slight chance of not being detected by an AV/AT. After all, if it is picked up at that layer, what else do you need?

    Next, the item must be truly harmful. Things that send pop-ups or redirect to otherwise harmless sites to get click through revenue are not truly harmful. They are just annoying. A back door that sends out spam or DDOS attacks is worse, but does not do irreversible damage to the owner of the infected system, other than the cost of removal, which may include reinstalling from a back up. Monitoring web surfing could be bad depending on the circumstances. A keylogger is truly harmful. It could steal a banking password. Dialers are very harmful, but I have an easy fix for that one. I never use dial-up and have no modem installed.

    If anyone can think of other things that are really harmful as opposed to annoying please let me know.

    On the cost side of the equation there is resource usage and user interaction. Also to be considered is the degree of customization required to configure the solution.

    Finally, it is better to prevent something bad from getting on your computer than to discover it after the fact. This appears to be the driving principle in enterprise security, rather than attempting to catch the thief on the way out the door, which seems to be a strong desire in user computer security forums.

    Obviously, something that uses techniques other than signature based scanning is needed because the boundaries of the problem specify it was not in the signature database. Beyond that I do not know what would work best. The objective is to stop threats with as little user interaction as possible. Everything I have tried so far required excessive interaction.

    I believe that part of the solution is to narrow down the definition of threat so that the antidote does not have to check too many things. It is nice if the antidote has some intelligence so the user does not have to be bothered too often.

    Your statement that it is tricky to determine what the application does is very important. At this point I believe that targeting keyloggers/spy applications (including the ones that also take screen shots and record surfing habits) is the most efficient thing to do.
     
  12. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    A few more thoughts. Full application sandboxing is too much for me right now. Likewise for any solution that needs to sign off on every possible program that can run on the PC. It is never done. Unfortunately, most of these programs lack the level of intelligence needed to cut down on user interaction.

    The next best compromise is to only look at things that contact the internet. That cuts it down, but the checking to make sure one program is not trying to load another continues to represent a PITA for me.
     
  13. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    I agree that sandboxing is a little too much, at least for me anyway.

    I don't mind a firewall checking for outbound connections, and I don't even mind it checking dll's or to see if one program loads another. The reason is that most of the prompts will go away once the firewall "learns" which programs are allowed to do what. So for me, it's no big deal after you run it for a day or two.

    You're going to have to have some level of user interaction, especially at first, if you want these features. There's no way any firewall can be intelligent enough to make decisions for you.
     
  14. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    K- No firewall is intelligent enough to do the job the way I would like it done yet. Although the number of warnings does wane after a while it never completely goes away. Also, the standard I have set is that pre configuration must be possible with very little custom set up effort.

    I tried running LnS without packet filtering. Turned it off on the internet filtering page and unchecked the driver in the Windows network connection properties page (not part of the LnS interface). CHX-1 was not installed on that machine. I was a bit disturbed to find that when the GUI was terminated in Windows Task Manager, application filtering did not work. As I consider termination of the firewall GUI to be easier than other ways around it, the ability to shut down the connection or enforce rules when the GUI is down is a must have for me.

    I continue to puzzle over what seems to be a giant disconnect between corporate policies and the kind of solutions that folks find interesting here and at DSLR. Is this just the lunatic fringe? Most of these products or combinations of products would be unacceptable in a work environment due to the required levels of user interaction and IT involvement. The cure is worse than the disease.
     
  15. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Diver - I'm not really familiar with what they do in the corporate environment, although that's where I come from, but I'm not involved in that type of thing (IT), so I'm just a corporate user, or used to be before my recent change in work and career a few years ago. For sure, you can't ask for any user interaction in a corporate environment. People are just too uneducated to be asked questions about what can and cannot run on their machines and so on.

    Here this weekend, I'm puzzling over which of about 4 firewalls to use, and I'd kinda like to settle on one and stop changing things all the time. Right now I can't decide between LNS, Kerio 2, Jetico and CHX-I. Each has its pluses and problems. At the moment, I'm thinking I might just revert to Kerio 2 and ignore the fragmented packet thing. It's not likely to matter anyway.

    For you (I don't pretend to know what you need though) I would think Kerio 2.1.5 might be best also. CHX-I is truly appealing, however, I think that both of us don't quite want to run without ANY app control whatsoever. I used to, but prefer now to have something. Jetico has lots of prompts, and LNS has some quirks also. Kerio is one that simply does its job and asks whenever something wants to connect out. That's it. And I find that I can accomplish all I need with the rules in Kerio. And it's also very light with an excellent interface. It's hard to beat.

    I really think you have to ask yourself "what do I need on my machine?", based on my usage habits and so on. Some people need a sandbox. Others don't and could care less. I personally don't mind reformatting (not an option for most though), so for me it's not the end of the world if something unsavory gets installed on my machine. The only thing I worry about mainly is what might get thru incoming. I store no personal data on my computer, and I don't think people really should either. One easy way to remove that risk is to just not do it.

    Anyway, lots of questions and considerations... :)
     
  16. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Define in what context? A basic definition or defining what poses a risk based on your security needs/policy? The latter is going to vary for everyone. What you may consider a threat/risk may be a non issue for me. That is where the numbered items, and other considerations, come in. Users should do a proper assessment of their needs/risks as part of the process of determining what they need (software/hardware) and defining what their security policy will be.

    Regards,

    CrazyM
     
  17. Arup

    Arup Guest

    The more I try out other firewalls, the more I grow attached to Kerio. Sometimes, it is best not to tinker with a good program to start with and Kerio is a classic example of this. Everything was right about this program and by version 2.15, it was near-about perfect if combined with a good rule-set like BZ's. If they wouldn't have abandoned its development, by now it would be the best FW program out there; it still is very good. For app control, I would rather have a firewall independent program.
     
  18. ghost16825

    ghost16825 Registered Member

    Joined:
    Feb 1, 2005
    Posts:
    84
    Alright. So now we know what you're after. Of those I mentioned, the only thing that sort of fits in the set and forget category would be Abtrusion Protector (free), if you're after a separate application. I believe it has very little in the way of prompts. It is in the deny unknown app category.
     
  19. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    K- You may not pretend to know, but you knew. I am back to Kerio 2.15. My conclusion is that CHX-1 is a fine program, but that I do not have the networking skills to make it do exactly what I want. Jetico is simply not finished yet, as the amount of user interaction required is too much. LnS is a diamond in the rough. It is much further along than Jetico, but my sense is it needs some work on the packet filtering side. I do not have the means to test and verify that, but the release of a beta driver says volumes to me.

    The attraction of Kerio 2.15 is that it does a lot with very little trouble. It may be vulnerable to perhaps half of the leak tests, but these things are not in general circulation as trojans.

    Looks like there will be no cocktail for now, except the conventional adult beverage kind.

    CrazyM-

    Your comments are right on target. That is why I said it is difficult to define the term "threat" and also why the available leading edge sandboxing products are only going to be useful to a very small segment of the general PC using population.
     
  20. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Abtrusion Protector is a good program. When you install it, it scans your HD and records everything. Then later when anything new attempts to run, I believe it can either prompt you or simply deny without prompting. I'd have to double check on the no prompts to know for sure, but I'm fairly certain that you can silence it if you want to.
     
  21. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Diver - I'm back to Kerio 2.1.5 also. Kinda nice for a change. I think maybe I'll stick with it for a while now... ;)
     
  22. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Abtrusion protector appears to set a baseline and then respond to exceptions. Hmmm.... Not bad if things do not get changed around too much. I suppose after installing a complex application package from a trusted source a new baseline could be established. I think Black Ice has something like that built in.

    In a sense, Kerio and other application aware firewalls have a baseline of zero and add apps that will communicate out one by one. The big question is how likely is it that something will come along and use a trusted app, the whole leaktest thing.
     
  23. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    I'll have to try it myself, but I think Abtrusion allows you to install new apps and add those to its database as needed. I may check it out tomorrow and see. It will also sense if any trusted app has changed I believe.

    I read a short review on it on some site, and the guy said he thought it was a good program/idea, but he worried that it didn't have any termination protection. I thought about that, and then realized that it couldn't be terminated since it wouldn't allow an untrusted program to run in the first place, so how could anything terminate it? Silly.. unless I miss something here..

    By the same token, no program would be able to run and use a trusted app to do anything, since it would require that the unknown program execute. Abtrusion would not allow it. So it would seem pretty good protection.

    But I know not much of this kind of thing, so maybe I miss some obvious weaknesses?
     
  24. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    The problem with having two separate programs (packet filter plus application filter) is that they cannot cover the situation of the "partially trusted" software, where you wish to allow restricted access. Examples of this could include web browsers (restricting them to ports 80 and 443 only to limit popup/popunder tricks or limiting them to an anonymizing proxy to prevent any direct connections revealing your real address), email clients (access to pop3/imap and smtp only to prevent web-bugs/HTML graphics downloads) and that great bugbear of Windows XP, svchost.exe (restricting DNS to ISP servers only, blocking uPnP and DCOM, etc).
    I'd suggest that the focus on outgoing filtering started with the first adware (Aureate/Radiate) and Steve Gibson's Leaktest back in 1998-9. Things did seem a lot simpler back then though.
    Using your computer's storage and bandwidth for illicit or illegal purposes (see The Giant Wooden Horse Did It!) would seem equally dangerous - and a compromised system would make a useful launchpad for attacking others.
    Well there is an equally large disconnect in the situation between uniform corporate installations where users can have their privileges tightly restricted and the home user world where each system/software setup is unique and XP Home sets new users up with Owner (Administrator) privilege by default. However most security products can be pre-configured and locked-down for corporate use.
    Well there is the possibility of being hit with a trojan. These tend to be hidden within "legitimate" software so you would typically choose to allow them to run (placing Abtrusion Protector in Install mode to do so). If you never install anything new then this situation would not arise, but how many people can actually take this course?
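    An added example (not Abtrusion Protector's code, nor anything from the thread) of the baseline-and-exception model Diver and Kerodo describe a few posts up, together with the Install mode caveat Paranoid2000 raises above: every executable present when the baseline is taken is hashed and trusted, anything new or modified is denied, and re-baselining after an install trusts whatever is on disk at that moment, trojan included. The executable suffix list, the decision labels and the temporary files are constructed assumptions for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed assumption: which suffixes count as executables for the baseline.
# .bat is deliberately left out, mirroring ghost16825's note that batch files are excluded.
EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".com"}

def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """'Install mode': record every executable under root with its hash.
    Paths are stored relative to root so the baseline is location independent."""
    return {
        str(p.relative_to(root)): file_digest(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES
    }

def check_execution(baseline: dict, root: Path, relpath: str) -> str:
    """Decision for one execution request against the baseline.
    Returns 'allow', 'deny-unknown' (never seen) or 'deny-changed' (hash differs)."""
    if relpath not in baseline:
        return "deny-unknown"
    if file_digest(root / relpath) != baseline[relpath]:
        return "deny-changed"
    return "allow"

def demo() -> dict:
    """Constructed scenario in a temporary directory; returns the decisions made."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app.exe").write_bytes(b"trusted program v1")
        (root / "helper.dll").write_bytes(b"trusted library")
        (root / "setup.bat").write_bytes(b"@echo off")      # not covered by the suffix list
        baseline = build_baseline(root)
        results["baseline size"] = len(baseline)
        # Known, unchanged binary runs
        results["known"] = check_execution(baseline, root, "app.exe")
        # A binary dropped after the baseline is unknown and denied without a prompt
        (root / "dropper.exe").write_bytes(b"new unknown binary")
        results["new"] = check_execution(baseline, root, "dropper.exe")
        # A trusted binary whose contents changed is also denied (Kerodo's "sense if changed")
        (root / "app.exe").write_bytes(b"trusted program v1 with extra bytes")
        results["modified"] = check_execution(baseline, root, "app.exe")
        # Paranoid2000's caveat: entering Install mode again trusts everything now on disk,
        # so the dropped binary becomes "known" simply because it was present at that moment
        baseline = build_baseline(root)
        results["after rebaseline"] = check_execution(baseline, root, "dropper.exe")
    return results
```

The final result is the practical risk of the model: the baseline is only as clean as the disk was when it was taken, so an install that bundles something unwanted is whitelisted along with the software it came with.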
     
  25. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    P2K, interesting thoughts.

    Definitely, the reference to Gibson is on target. Things were simpler only 2 years ago.

    Part of the problem as I have mentioned before is that MS has made it difficult to run without administrative privileges, as compared to Linux. Also, I believe that some kind of out of the box thinking is needed to come up with a next generation solution to these problems.

    Granting permission to a trojan to run is exactly what I have in mind when I complain of too much user interaction being required.

    I took a look at Tiny 6.5 pro yesterday evening on my test rig. It needed 5 services and over 30 MB, and did not look like it would swap out anytime soon. Tons of alerts and config info in a lot of different places.
     