Firewalls - Simple is Sometimes the Best

Discussion in 'other firewalls' started by musicman, Dec 25, 2004.

Thread Status:
Not open for further replies.
  1. musicman

    musicman Registered Member

    Joined:
    Aug 24, 2003
    Posts:
    199
    I just wanted to share my opinion on firewalls. As we all know there are numerous firewalls available on the web today. Some free, some not! Some good, some not. There are numerous opinions and suggestions on what is the best available. Over the years I have come to the realization that what suits one's needs is the best. Some of the top names are Outpost....Sygate.....Kerio....Look-N-Stop and many more. What I find fits my needs is that simple is best for me. I am licensed for Outpost....Bitguard.....Look-N-Stop......these firewalls in their own right are good firewalls. But what I have installed on my own PC is Kerio version 2.15. It simply does the job and keeps the bad boys out!! Now this thread is not to persuade anyone to any specific firewall; it is simply a personal choice on my part. There are many factors of course that play into what is best for you...that's your decision. Ok...just wanted to get this off my chest.
    Happy Holidays Everyone:)
    :D
     
  2. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    But here's a problem...
    Leaktests use Windows and IE vulnerabilities to bypass firewalls very easily. They're proof-of-concept that hackers can run a 2kb trojan on your PC without you ever knowing it.
    Who stops these?
    The antivirus or the firewall? That's why firewall vendors added application firewalling to the original packet filter design (AFAIK).
     
  3. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    If you mean achieve Max Security, I say it's impossible
    If you mean expertise on security... well, I'll tell you when I get there.
    If you mean Max the security guard... I don't know him that well.
    Regards.
    no13.
     
  4. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Actually Kerio 2x is not as simple as some might think; while they make the configuration easy for the most part, you do need to have some knowledge, if not something like my default replacement to help set up the basics for the most part.

    As far as IE goes, iexplore.exe doesn't exist on my system, but I do have Maxthon installed for Windows updates. That local security exploit is removed, and I'm very careful about what I run on my system. Those who believe in leaktests are believing FUD, as the faults in reality are in the operating system, or IE, which can be dealt with using sandboxing software for the most part. If Microsoft would really remove the exploits from the operating systems and IE, leaktests would be dead in the water.
     
  5. JayTee

    JayTee Registered Member

    Joined:
    Nov 2, 2004
    Posts:
    166
    <Quote>If microsoft would really remove the exploits from the operating systems, and IE, leaktests would be dead in the water.</Quote>

    That was what I was wondering about, because many leaktests were calling iexplorer even though I have Firefox as a default browser.
     
  6. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi,

    most of the leaktests are targeting IE because they are just demonstrations, not real trojans or exploits, and everyone has IE, so it's easier to code and faster.
    In reality (for most of them) they can without any problem target Firefox, Opera, or whatever; they are not necessarily linked to IE.
    For instance Copycat, Thermite, PCaudit, FireHole, etc... could target notepad, your video game, your movie player, your browser, or even Word or Excel, whatever.

    Leaktests are not trojans,

    that's all, do not expect them to circumvent all of your defense, they are just here to help you to test your security (moreover because for many of them the source code is available, it would be even more stupid to show to the kiddies how to write a real trojan).

    I answer to some quick questions on my site :
    http://www.firewallleaktester.com/faq.htm

    And if you do not know what to do against the leaktests, I give many advices there to protect yourself :
    http://www.firewallleaktester.com/advices.htm
    http://www.firewallleaktester.com/software.htm

    I personally do not see the leaktests as "FUD", as it is often a fashionable thing to say, but instead as a means to improve your security, because at the end, no leaktest will be able to simply run on your computer.

    Hope this helps,

    regards,

    gkweb.
     
  7. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Leaktests don't spread FUD... they actually cause FLUGging
    F: fear
    L: Loathing
    U: Uncertainty
    G: Guilt
    You fear for your system, Loathe the leaktest maker, are Uncertain about your PC's safety and feel Guilty for slipping up.
    If leaktests are open source, it means that someone is copying similar code.. even though currently it seems it is fashionable in the Underground to target open source projects like phpBB (Sanity worm) and Apache servers... pretty soon, Windows PCs are going to be under the scanner.
    At least that's what I feel.
     
  8. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi,

    I do not feel concerned by these points because, contrary to other leaktest makers, I explain how to protect yourself, so at the end there is no more fear/uncertainty/insecurity about your computer, see links above.

    regards,

    gkweb.
     
  9. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    well....
    FLUGing is just a knee-jerk reaction when your PC goes down...
    I merely want to say that Leaktests are vital to know the health of your security apparatus and are not designed for misleading people... It is extremely critical to be able to block leaktests so that there is some theoretical security.
    I completely agree with you... I actually haven't seen eye to eye with BZ mainly on this point - how critical is program control - and I intended the post as a reply to his post only :)
    Again... this is my personal opinion and I can't say that I am totally right and all other POVs are wrong... I mean, no one has as yet designed any malicious program/script to use the flaws leaktests exploit... So maybe BZ is right, but I can't change my personal views without concrete evidence, and this is one of those things where evidence, when it comes, will be crushing...
    If my PC is unprotected from these kind of "attacks" like Process injection and [God only knows the name of]what PCAudit2 employs, I won't have much left once the invaders are through.
    So I vote for having more security than you currently need. I can't predict what I'll need tomorrow, but it's better I try something extra now..
     
  10. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi,

    said by no13 :
    That's not completly right ;)

    Below is a list quickly done, which I hope people in the trojan/spyware area will be able to help me fill in. I have added per leaktest category at least one malware using it if I knew of one.

    ################
    1) substitution
    leaktests : LeakTest
    malwares : "W32.Welchia.Worm" named "DLLHOST.EXE" (http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html)
    "The Beast" trojan (see below) by default is named "SVCHOST.EXE".

    2) launcher
    leaktests : Tooleaky, FireHole, WallBreaker, Ghost, Surfer
    malwares : "W32.Vivael@MM" (http://securityresponse.symantec.com/avcenter/venc/data/w32.vivael@mm.html).

    3) default rules using
    leaktests : Yalta
    malwares : none I know of

    4) direct network interfaces reaching
    leaktests : Outbound, Yalta (advanced test), MBtest
    malwares : none I know of

    5) DLL injection
    leaktests : PCAudit, FireHole, PCAudit v2
    malwares : "The Beast" trojan (http://lists.virus.org/dshield-0310/msg00337.html)

    6) process injection
    leaktests : Thermite, CopyCat
    malwares : "Flux" trojan (http://www.emsisoft.com/en/kb/articles/news041104/)

    7) Timing attack
    leaktests : Ghost
    malwares : none I know of

    8) Recursive request
    leaktests : DNStester
    malwares : none I know of
    ################

    My whole argumentation about the leaktests is not based on whether or not they are widely spread and used, but rather on the fact that some things are possible, and it's better to protect now (it's better to be safe than sorry).
    However, if the only meaningful argument for many is examples of malware using them, why not, maybe I should have this kind of page on my site.

    If anyone has anything to add to the list, please give links, it will be really appreciated :)

    Anyway I do not believe that tomorrow will see an explosion of leaktest exploit use, because why do something rather hard (trying to trick a firewall) when on most computers you have admin privileges and can simply connect to the internet directly (no firewall installed)?
    But still it exists, and it's up to you to take that into account in your security or not.

    regards,

    gkweb.
     
    Last edited: Dec 27, 2004
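    The first two categories in gkweb's list (substitution and launcher) come down to how an application firewall decides that a process is the program the user approved. The following is an added example, not code from the thread or from any of the firewalls named in it: a toy application-control policy in Python that shows a name-only rule being bypassed by a renamed binary (the Welchia-as-DLLHOST.EXE pattern), the same request refused once the rule is bound to a checksum, and a parent-process check refusing the genuine browser when an unknown process starts it (the Tooleaky-style launcher). The program images, hashes, rule names and the parent names explorer.exe / leak.exe are constructed for the illustration.

```python
"""Added example (not from the thread or any named product): a toy
application-control policy showing why a rule keyed on executable name alone
falls to category 1 (substitution) and how a checksum plus a parent-process
check also catches category 2 (launcher). Programs are constructed byte
strings standing in for real files."""
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed sample images (hypothetical bytes, not real binaries).
REAL_SVCHOST = b"MZ\x90\x00 genuine svchost image (constructed)"
IMPOSTOR = b"MZ\x90\x00 trojan body renamed to svchost.exe (constructed)"
REAL_BROWSER = b"MZ\x90\x00 genuine browser image (constructed)"


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


@dataclass(frozen=True)
class AllowRule:
    exe_name: str                               # what a name-only firewall keys on
    sha256: str                                 # what a checksum-aware firewall keys on
    allowed_parents: Optional[FrozenSet[str]]   # None: any parent may start it


# Policy as a user might have built it from prompts: two trusted programs.
# (explorer.exe as the browser's permitted parent is an assumption.)
RULES: List[AllowRule] = [
    AllowRule("svchost.exe", sha256_hex(REAL_SVCHOST), None),
    AllowRule("iexplore.exe", sha256_hex(REAL_BROWSER), frozenset({"explorer.exe"})),
]


def allowed_by_name(exe_name: str, rules=RULES) -> bool:
    """Name-only matching: anything called svchost.exe gets out."""
    return any(r.exe_name.lower() == exe_name.lower() for r in rules)


def allowed_by_hash(exe_name: str, image: bytes, rules=RULES) -> bool:
    """Name plus checksum: the rule binds to the bytes the user approved."""
    digest = sha256_hex(image)
    return any(r.exe_name.lower() == exe_name.lower() and r.sha256 == digest
               for r in rules)


def allowed_with_parent(exe_name: str, image: bytes, parent_name: str,
                        rules=RULES) -> bool:
    """Checksum plus parent: a genuine browser started by an unknown process
    is still refused, which is the launcher case."""
    digest = sha256_hex(image)
    for r in rules:
        if r.exe_name.lower() != exe_name.lower() or r.sha256 != digest:
            continue
        if r.allowed_parents is None or parent_name.lower() in r.allowed_parents:
            return True
    return False


def substitution_demo() -> dict:
    """Trojan on disk named svchost.exe: passes name check, fails checksum."""
    return {
        "name_only": allowed_by_name("svchost.exe"),
        "checksum": allowed_by_hash("svchost.exe", IMPOSTOR),
        "genuine": allowed_by_hash("svchost.exe", REAL_SVCHOST),
    }


def launcher_demo() -> dict:
    """Genuine browser, but who started it decides the verdict."""
    return {
        "from_shell": allowed_with_parent("iexplore.exe", REAL_BROWSER, "explorer.exe"),
        "from_trojan": allowed_with_parent("iexplore.exe", REAL_BROWSER, "leak.exe"),
    }


if __name__ == "__main__":
    print(substitution_demo())
    print(launcher_demo())
```

    Two practical caveats follow from the code: binding a rule to a checksum means every legitimate update of the program re-prompts the user, which is the usability cost the thread is arguing about; and the parent check only helps when the launcher is an unknown process, since a launcher that asks an already-trusted intermediary to open the URL inherits that parent, which is why the later categories (injection into an allowed process) need a different defense.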
  11. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Microsoft never really fixes anything, they just cover it with a band-aid which can be removed, which is obvious with IE in too many cases. In XP SP2 there is DEP which does prevent programs from invading the memory of other programs, however it's only available in XP SP2, and only for system processes by default if you don't have one of the newer processors. So you see, Microsoft isn't patching anything here, just like they never patched the way that IE can be used as a software proxy.

    A firewall should not have to be a sandbox to prevent operating system exploits, and the few which really do test a firewall are easily defeated, and usually give false positives even when defeated. Also if you allow the program to run, your sandboxing software usually doesn't protect against it anyway.

    Saying a software firewall should protect you from IE/operating system exploits, which the designers are not patching, just shows that they are the ones at fault, not the software firewall makers.

    If it wasn't for Microsoft's lack of foresight, sitting on their hands when a vulnerability/exploit was discovered, and poor design in the first place, there wouldn't be this much malware targeting their software.

    Case in point, Halo 2, Microsoft rushed Bungie, and they had to release something that wasn't up to their full standards, they even have a patch on xbox live for Halo 2.... Microsoft has frequently done this even with bugs still in the last release, and sometimes they even ignore problems, like how the xp sp2 firewall can allow programs to bypass the firewall without any user intervention.

    So I will say it again, don't blame the software firewall makers, blame the makers of the operating system that made them possible, especially when they don't actually fix it.
     
  12. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi BlitzenZeus,

    I agree with your post, but if Microsoft never addresses (or at least not properly) its OS's flaws, doesn't other security software have a duty to try to do something? That's the question I asked myself many times.

    What has always astonished me is why, in the first place, APIs such as CreateRemoteThread() (yes, you read it right, it's written remote), which allow DLL injection and thread or direct code injection into other running processes, simply exist and are generously provided by Microsoft (there are other APIs as well but this is, I think, the main one).
    In this case we are not even talking of bugs or flaws, no, but of features and tools given by the OS itself.

    So on one side I agree with you, but on the other, if the firewalls can help, so be it. I do not request them to protect against any possible exploit (that's not possible), but at least to be aware of what is possible and to try to improve in this area (as Outpost has done recently, for instance).

    Of course that doesn't in any way remove the need for real sandbox software, always useful and efficient.

    regards,

    gkweb.
     
  13. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    I'm tired of those who rate firewalls based on so-called leaktest performance, but in reality don't consider the pros/cons of each program either, and likely don't really know how to configure them correctly either. You would think something like Tiny would be able to prevent most of them; nope, once you allow it to be run, you have basically allowed it to function for the most part.

    Those who want leaktest protection are not being careful about what they run on their system as a majority...
     
  14. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,785
    I agree... There's a virtual obsession with leak tests among some people and I find it amazing. I run a packet filter (CHX-I) with NO outbound protection because I never run anything untrusted on my machine. And I know every program that I do run on it.
     
  15. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Two points :
    - tired of those who rate firewalls on leaktest performance
    - find that there is an obsession

    For the first point, I do not know who is aimed, but allow me to quote something from my site :
    For the second point, isn't there any so called "obsession" in any area of security ? So someone looking at an anti-trojan will be paranoid because if you do not allow to run anything you are safe ? same with AntiVirus ?

    I am done with this thread, it was starting out interesting with good arguments, and it has turned more into attacks against people.
    As usual I am trying to help, and as usual I receive kicks in the *ss.

    Happy holidays to everyone.
    Regards,

    gkweb.
     
  16. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Well, I do a lot of software installation/uninstallation every month... lotta trials/betas/shareware/demoware [there is some method to my madness... this PC is the only one for 5 kids ;) Me and some friends test a lot of stuff on my machine, all with different needs in programs and that's why my system is always filled with much crap running 16 odd hours a day]
    That is why I require a decent firewall w/ app control... LOTS and LOTS of crap out here...

    This means you are a good PC user... I get classified as a PC abuser. This is exactly why I need a good degree of control.
    but anyway...
    To each his own I say... If my friends want a good Packet filter, I always direct them to CHX-I/8Signs/Kerio 2x, but I also say that there's NO outbound protection.
    If they want an app control firewall, again I tell them that TPF and Outpost are great, but they'll need to spend too much time on TPF, and Sygate is a better option if you don't want to spend too much time configuring.
    --
    To each his own.
     
  17. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Leaktest performance is important - but is also one factor amongst many for a firewall. Offering detailed but usable rules configuration and filtering incoming attacks are also significant
    This, unfortunately, is not much guarantee of security on its own. Even if a user is careful about what they run, Windows is (by default) pretty promiscuous about running programs without users' say-so (e.g. via RPC, IE ActiveX controls, numerous registry entries, scheduler, etc) so unless sandboxing software is being run (e.g. Process Guard's Execution Protection or System Safety Monitor's Application Watching), no-one can claim to have anything like full control over what their Windows system is doing.
     
  18. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,785
    Let's put it this way... I'm not going to lose any sleep over it.. :)

    Boy, I'm really gonna get it for that one aren't I? :D

    The only thing I'm concerned about really, is what's coming inbound to my system.. Perhaps I'm wrong though.. maybe I should be more concerned about what gets out, if anything.

    So I guess you would say that someone with a cable connection and just simply a router would not be very secure either? That's more or less the way my system is operating now.

    To be honest, I only run trusted programs here and I hate to concern myself with what programs execute. What's the use in monitoring which programs run? Even if I have SSM installed, or Tiny, the odds are I'm STILL going to respond with an "OK" to something because I think I'm running the program that I'm intending to run. If it spawns 10 other programs I won't know the difference if that's normal or not anyway. I'll have to assume it's normal.

    I know which programs connect outbound from previous experience with other firewalls. Same old ones. Nothing new. I use Firefox, not IE also, so no ActiveX. I think I'm in pretty good shape... ;)

    At any rate, that's my setup now, for this week. Next week who knows. I may be running any one of 10 firewalls, some with app control, some without. About the only experimenting I do here is with firewall software. And I trust most of them, so it isn't a threat or problem.

    I know that some people swear by leaktests and outbound control. But I think that if a program wants to get out, then it'll do it somehow regardless of what firewall you have or what its leaktest results are...
     
    Last edited: Dec 28, 2004
  19. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Nope. You can keep securing your PC to the point YOU feel safe... no more... no less...
    But right now, running an unpatched WXP machine without a proper firewall [just Proxo and FF to block web nasties...] I'm not losing any sleep either because I haven't transferred my MAJOR backups to the machine yet.
    My data [actually, my crappy data] is valuable to me. Once I've reinstalled my things, I'll be doing the regular AS/AT/AV scans, the browser tests, the defrags.... what I don't want to worry about is.....
    If...If a rogue program... even a mini spyware or prank trojan... is NOT caught by my AS/AT/AV... and begins to leak ANY sort of info... then what?
    DID YOU KNOW? Yahoo! has Doubleclick stuff ON their webpages? Spybot's SDHelper shouts EVERY time I open my INBOX in IE. What if doubleclick decide a more "aggressive" advertising scheme is need for Yahoo!
    What if your favourite firewall company finds that it's shares are suddenly controlled by an Adware major?

    IT'S JUST AN EXTRA LAYER OF PROTECTION.. no more... no less...

    Careful. What you know to be true... may be just what they wanted you to think... Also, version changes may imply that new rules may be needed for outbound. Remember NIS 2002 vs 2003? 2003 had turned into a MONSTER because NIS was now, in fact, a local proxy server. If I blocked net access to even ONE critical component of NIS, it wouldn't let me go online.
    Pfft... It came free with my Motherboard... Worse deal than getting kerio 2x for $$$... [actually, people WOULD pay for Kerio 2x if Kerio makers start supporting it.]
    FF DOES use ActiveX... ;):D try going to Mozilla.org's FF page http://www.mozilla.org/products/firefox/
    Have fun ;)
     
  20. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,785
    Actually, I lied a little bit.. ;) I'm using IE right now. I just did a fresh reformat and reinstall of Win2k yesterday and haven't installed FF again yet.

    I thought the ActiveX for FF was something you had to install as a plugin or extension? It doesn't use ActiveX out of the box does it?
     
  21. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    two minor thoughts...

    @BlitzenZeus - Maxthon is based on the IE core and I'm sure it requires IE to be installed.

    @no13 - I'm having the same thought as Kerodo, and how does visiting the FF homepage prove anything about FF using ActiveX?
     
  22. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Of course Maxthon requires IE to be installed, but if you remove the main executable, you remove the main ability, aka local exploit, for programs to proxy through IE as if it really were IE traffic.

    Firefox does not have ActiveX, there is a plugin for hacktivex if you want to invite the fox to the hen house in a sense, otherwise Firefox doesn't use hacktivex.
     
  23. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Firefox supports activex to only a basic degree...
    the website says that it doesn't let you run "harmful" contents.
    Sorry, I can't back this claim up with evidence [I'll try to come back online in a few hours]
     
  24. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Both directions are important - malware has to get onto your system so filtering out all inbound traffic except for that required for necessary activities (web browsing, email, etc) protects your system from many attack routes. You then need to look at those applications allowed access and limit their scope for compromise (e.g. virus scan all email attachments, filter out ActiveX/Java/Javascript from websites where possible). However the majority of malware needs to connect out to function so a tightly-configured firewall can alert you to such connection attempts letting you know if your defenses have been breached - for many people, this is the first indication they get that something is amiss on their system.
    If that router has a firewall and it is configured properly (i.e. blocking all unnecessary traffic) then it will provide a good first line of defense. However, most system compromises occur by visiting malicious websites with Internet Explorer so it is really the system setup rather than the Internet connection that determines your security.
    By running such software, you gain greater knowledge of what is "normal" activity on your system - if a new program suddenly requests access when you have not installed new software, then that can be a good indication of a problem.
    For malware to bypass a firewall, it has to take one of three routes:
    • Emulate "standard" network traffic (e.g. DNSTester);
    • Hijack a "trusted" program (most leaktests emulate this in various ways);
    • Terminate the firewall (e.g. Firewar).
    The first method can be tackled through proper configuration, the second can be blocked by firewalls offering good leaktest performance. The third option is best tackled using process protection software like Process Guard (which also blocks a number of leaktests).
    Perhaps I'm being a little dense here, but I can't see any attacks being made on people on this thread. For the record, I would consider your contributions here and elsewhere very useful and informative, even though I would disagree on some of the finer details. :) Bon courage!
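    Paranoid2000's first route, emulating standard traffic, is the one a packet filter can actually address by configuration, and the DNStester case from gkweb's list (category 8, recursive request) is the concrete instance: the leak rides on a DNS lookup that any firewall must allow. The following is an added example, not code from the thread or from any product it names: a Python sketch of the two checks a practitioner would pair, an outbound rule that permits port 53 only to the configured resolver (so a trojan cannot talk to its own DNS server directly) and a query-name heuristic, since a leak relayed through the legitimate resolver still shows up as a long, high-entropy label under an attacker-controlled domain. The resolver address, the thresholds and the log lines are constructed for the illustration.

```python
"""Added example (not from the thread or any named product): the 'emulate
standard traffic' route, using a DNStester-style recursive request as the
case. Pairs a resolver-only port 53 rule with a query-name heuristic.
Log lines are constructed, not captured."""
import math
from collections import Counter
from typing import List, Tuple

CONFIGURED_RESOLVER = "192.0.2.53"   # assumed resolver (documentation range)


def dns_packet_allowed(proto: str, dst_ip: str, dst_port: int,
                       resolver: str = CONFIGURED_RESOLVER) -> bool:
    """Expresses only the DNS rule of an outbound ruleset: port 53 is
    permitted solely to the configured resolver; nothing else is decided here."""
    if dst_port != 53:
        return False
    return proto in ("udp", "tcp") and dst_ip == resolver


def shannon_entropy(s: str) -> float:
    """Bits per character; hex or base32 payload runs close to 4 or 5."""
    n = len(s)
    counts = Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_tunnel(qname: str, max_label: int = 30,
                      min_payload: int = 20, max_entropy: float = 3.5) -> bool:
    """Flag names whose subdomain labels look like encoded data. The last two
    labels are treated as the registrable domain (an approximation)."""
    labels = qname.rstrip(".").lower().split(".")
    sub = labels[:-2]
    if not sub:
        return False
    if max(len(lbl) for lbl in sub) > max_label:
        return True
    joined = "".join(sub)
    return len(joined) >= min_payload and shannon_entropy(joined) > max_entropy


# Constructed log: "proto dst_ip dst_port qname" per line.
LOG = [
    "udp 192.0.2.53 53 www.firewallleaktester.com",
    "udp 198.51.100.7 53 www.firewallleaktester.com",
    "udp 192.0.2.53 53 0123456789abcdef0123456789abcdef.leak.example",
]


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Apply the packet rule first, then the name heuristic on what it lets through."""
    verdicts = []
    for line in lines:
        proto, ip, port, qname = line.split()
        if not dns_packet_allowed(proto, ip, int(port)):
            verdicts.append((qname, "blocked: DNS not to configured resolver"))
        elif looks_like_tunnel(qname):
            verdicts.append((qname, "alert: tunnel-like query via resolver"))
        else:
            verdicts.append((qname, "allowed"))
    return verdicts


if __name__ == "__main__":
    for qname, verdict in triage(LOG):
        print(f"{verdict:45s} {qname}")
```

    The second line of the constructed log is the case the rule alone catches: a program sending its own DNS queries to a foreign server. The third is the one the rule cannot catch, because the packet is a legitimate query to the legitimate resolver, which is exactly why the thread treats this category as a firewall-configuration problem only up to a point; the heuristic is an alert, not a block, and will fire on some legitimate CDN or anti-spam lookups, so the thresholds are a tuning decision rather than a fixed answer.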
     
  25. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,785
    Good points Paranoid.. I did actually enjoy playing with Tiny Firewall quite a bit, but thought it was perhaps a bit overkill for my needs. I may be back to a "normal" firewall with app control shortly.. I have to admit that I actually do prefer to be notified when something tries to connect out, but given my safe habits I felt I could do without this most of the time. But it is preferable.

    I do like trying many firewalls, so I'm likely to be running something different every other week. I have a few that I like best however, and stick mostly with them. My favorites are CHX-I, Kerio 2, Outpost, Jetico and 8Signs. :)
     
    Last edited: Dec 29, 2004