Help understanding LnS please (I am evaluating it)

Discussion in 'LnS English Forum' started by SirDracula, Oct 17, 2004.

Thread Status:
Not open for further replies.
  1. SirDracula

    SirDracula Registered Member

    Joined:
    Oct 10, 2004
    Posts:
    70
    Hi,

    I've just started evaluating LnS and I have a few questions:

    1) I don't understand whether I need to run the LnS service. I downloaded 2.05p2, do I need to download the service separately and run it? Why isn't it part of the 2.05p2 download?

    2) Cisco VPN over UDP: I allowed the Cisco VPN client full access under "Application Filtering" Yet, when I try to connect LnS still blocks UDP packets to port 500. I have to put another rule under "Internet Filtering" to allow UDP 500 both ways for Cisco VPN client only. Why is that? It doesn't look like I have to do it for IE, I just allow it access in "App Filtering" and it works, it doesn't need extra rules for TCP 80, etc. I even tried specifying port 500 for the VPN client in the "Application Filtering" but it doesn't work without the extra rule in "Internet Filtering". Is this how it's supposed to work for UDP packets or is this a bug?

    3) DLL monitoring: I have the Yahoo toolbar in IE but it certainly doesn't prompt me whether I want to allow that dll to access the Internet. The dll doesn't even appear in the list even though I have "Enable DLL detection" checked.

    4) Does LnS support executable change detection? I've seen other firewalls that keep an MD5 of the executables and dll's and they warn you when they are updated. If not, what app would you recommend for this functionality together with LnS? Is it even a useful feature?

    5) It does not look like LnS has the concept of trusted vs. non-trusted networks. Is the way to do it by adding custom rules in "Internet Filtering"?

    6) What is this advanced option "Network interface autodetect, IP to exclude"? The help is not very ... helpful.

    Thank you for your help.
     
  2. SirDracula

    SirDracula Registered Member

    Joined:
    Oct 10, 2004
    Posts:
    70
    Re #2 above: I think I discovered a bug: If I set a dummy UDP port restriction (e.g. 345) in the "Application Filtering" rule for Cisco VPN client, the port restriction is ignored, the client can still send/receive packets on UDP ports 500 and 4500.
     
  3. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi SirDracula,

    Please find below the answers to your questions.

    Regards,

    Frederic

    The service is not needed to use Look 'n' Stop in the standard way.
    The service is just an additional feature to have Look 'n' Stop active before a user session is open under Win2000/XP.
    It is not included in the 2.05p2 download because it's still in beta, since there are still some issues under XP.

    Look 'n' Stop contains two parts, an Application Filtering layer and an Internet Filtering layer (which is a true packet filter).
    The packet filter needs to be configured separately when some specific ports like UDP 500 need to be opened.
    You can import a UDP 500 rule from the following file:
    http://looknstop.soft4ever.com/Rules/NortelVPN.rie (since the Nortel VPN also requires the UDP 500 to be open).

    For standard applications (TCP 80...) the standard ruleset provided with Look 'n' Stop already opens the necessary ports.

    Are you sure the Yahoo toolbar connects directly?
    Usually this kind of DLL just adds some extensions to IE but it is still IE (and its own DLLs) that does the connection.

    Yes, Look 'n' Stop detects signature changes.

    If you want to allow a trusted network, you simply have to add a rule that will allow packets for a set of IPs (a range, a sub-network...).

    This helps Look 'n' Stop to find the correct network interface to be monitored. The automatic selection is based on the IP address. If the IP address is in this exclude list, Look 'n' Stop considers that the corresponding network interface is not the correct one and looks for another one. That's why you find by default addresses like 127.0.0.1, 192.168.0.1, 169.254.x.y, which are normally not used for the Internet connection.
     
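A small model of the interface autodetection described above, added here as an illustration and not code from Look 'n' Stop: each exclude entry is treated as a dotted pattern where `x`/`y` (or a missing trailing octet, as in the "10" entry mentioned later in the thread) means "any value", and the first interface whose address matches no entry is chosen. The interface names and addresses are constructed sample data.

```python
import ipaddress
from typing import List, Optional, Tuple

# Default exclude list as described in the thread. The wildcard handling
# is an assumption of this model, not LnS's actual parser.
DEFAULT_EXCLUDES = ["127.0.0.1", "192.168.0.1", "169.254.x.y"]

# Constructed sample interfaces: (name, IPv4 address)
SAMPLE_INTERFACES = [
    ("Loopback", "127.0.0.1"),
    ("APIPA", "169.254.23.4"),
    ("LAN", "192.168.0.1"),    # a PC that happens to use the router-style address
    ("WAN", "203.0.113.7"),    # documentation range, stands in for a public IP
]


def exclude_to_network(pattern: str) -> ipaddress.IPv4Network:
    """Turn a dotted pattern with x/y wildcards into a CIDR network.

    Missing trailing octets are treated as wildcards, so "10" -> 10.0.0.0/8.
    Wildcards must form a trailing run; "x.254.0.1" is rejected.
    """
    octets = pattern.split(".")
    while len(octets) < 4:
        octets.append("x")
    if len(octets) != 4:
        raise ValueError(f"bad exclude pattern: {pattern}")
    fixed = [o for o in octets if o not in ("x", "y")]
    if octets[: len(fixed)] != fixed:
        raise ValueError(f"wildcards must be trailing: {pattern}")
    prefix = 8 * len(fixed)
    addr = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.IPv4Network(f"{addr}/{prefix}")


def is_excluded(ip: str, excludes: List[str]) -> bool:
    """True if ip falls inside any exclude entry."""
    address = ipaddress.IPv4Address(ip)
    return any(address in exclude_to_network(p) for p in excludes)


def autodetect_interface(interfaces: List[Tuple[str, str]],
                         excludes: List[str] = DEFAULT_EXCLUDES) -> Optional[str]:
    """Return the first interface whose address is not excluded, else None."""
    for name, ip in interfaces:
        if not is_excluded(ip, excludes):
            return name
    return None
```

With the default list the WAN interface is chosen, but a PC whose own address is 192.168.0.1 is skipped; with only 127.0.0.1 and 169.254.x.y excluded, that same machine's LAN interface is picked instead.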
  4. SirDracula

    SirDracula Registered Member

    Joined:
    Oct 10, 2004
    Posts:
    70
    Frederic,

    Thank you very much for your prompt reply.

    I don't think 10 and 192.168.0.1 should be there. For example Netgear (wireless) routers use 192.168.0.x by default and it's certainly possible for someone to use 192.168.0.1 as the IP of the computer rather than the IP of the router. Same for the 10.x.x.x network, Apple and D-Link routers use it by default.

    I think the default should only include 127.0.0.1 and 169.254 but of course it's not a big deal once you know where to look and what to fix, but initially for someone who's just getting started with LnS it may be strange.

    What about this possible bug? Can you please confirm it is a bug and it will be fixed or if it's not a bug, what am I doing wrong?

    As for the Yahoo toolbar question:

    I am not sure how it works, maybe you can help me understand how the dll detection is done. I know that when IE starts the toolbar appears in its uninitialized state and then when IE sends the first request to any site (or if you click Refresh in the Yahoo toolbar) the toolbar will connect to the Yahoo servers and update itself.

    Thank you once again for your help.
     
  5. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi SirDracula,

    There is no known issue there so far. Are you sure you specified the port for the right protocol (UDP or TCP)? Are you sure it is really the application you configured that is using these ports?
    Sometimes with VPN applications, there are several executables connecting.

    The DLL detection only informs about the DLLs that are involved directly in the connection. If the DLL is just loaded by IE, and the connection to the Yahoo server is done by IE and its own DLLs, it is normal that LnS doesn't detect it.

    Regards,

    Frederic
     