Hints on using Online Armor FW-a Learning Thread 4

Discussion in 'other firewalls' started by Escalader, Oct 26, 2007.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
  2. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Stem/Mike Nash:

    Here is another of my infernal never-ending questions.

    I have the following ports blocked both for TCP and UDP in both directions in a single ALL rule.

    Trojan             Port    Blocked?
    The Spy            40412   Yes, as an all rule
    Masters Paradise   40421   Yes, as an all rule
    Masters Paradise   40422   Yes, as an all rule
    Masters Paradise   40423   Yes, as an all rule
    Masters Paradise   40426   Yes, as an all rule
    Schoolbus          43210   Yes, as an all rule


    I have put these 6 ports in the OA restricted ports list 1 by 1 of course (which is laborious to say the least). What is the difference in the two methods? Yes, I know one is deny-rule based and the other uses the term "restricted", but for me I want to know the security benefit of one over the other. It's clear that the word "restricted" doesn't equal the word "denied", but what does OA mean by it? Does restricted mean that the PC can use these ports within the local setup but not outside to the big bad www?
     
    Last edited: Oct 10, 2008
  3. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Here is the next security feature / hint that thread users can try:

    1) > FW>Computers
    2) > bottom of screen tick ARP Protection

    Does it work, you ask? I can't confirm it independently, but I am assuming it works until shown otherwise.
     
  4. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    Quick question: when I tried OA (v.2.xx) last time it supported CIDR; is it still there in V.3? :)
     
    Last edited: Oct 12, 2008
  5. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Best to ask this at their forum. I don't remember or know! Sorry.
     
  6. Eh_Greg

    Eh_Greg Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    64
    Location:
    US.
    Yep, CIDR support is still here.
     
  7. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    Thanks, great feature.
    What about IPv6? Can it filter that?

    CIDR - Classless Inter-Domain Routing
    It can be used for making IP ranges instead of subnetting, e.g. the "wilderssecurity.com" domain has the IP range "65.175.38.0-65.175.38.255", or with a subnet mask "65.175.38.0/255.255.255.0", or in simple CIDR "65.175.38.0/24".
     
    Last edited: Oct 14, 2008
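An added example, not from the thread or from Online Armor, that checks the three notations in the post above resolve to one block and matches addresses against a rule list written in any of them; it relies on Python's ipaddress module, which reads the dotted-mask form directly, and generalises to any aligned range (a range that is not one aligned prefix is rejected).

```python
# Added example (not from the thread): normalise "a.b.c.d-e.f.g.h",
# "a.b.c.d/255.255.255.0" and "a.b.c.d/24" to one IPv4Network and use the
# result for first-match lookups the way a block/allow list would.
from ipaddress import IPv4Address, IPv4Network, summarize_address_range


def parse_range_spec(spec: str) -> IPv4Network:
    """Return the single network a range, dotted-mask or CIDR spec describes.

    Raises ValueError when the text is not exactly one aligned block: a range
    that needs several prefixes, host bits set with a /24, or a non-contiguous
    mask. A rule importer should refuse such entries instead of guessing.
    """
    if "-" in spec:
        first, last = (IPv4Address(p.strip()) for p in spec.split("-", 1))
        nets = list(summarize_address_range(first, last))
        if len(nets) != 1:
            raise ValueError("%s does not collapse to a single prefix" % spec)
        return nets[0]
    # IPv4Network accepts both "/24" and "/255.255.255.0"; strict=True (the
    # default) rejects e.g. 65.175.38.7/24 because host bits are set.
    return IPv4Network(spec, strict=True)


def is_single_block(spec: str) -> bool:
    """True when the spec parses to exactly one aligned network."""
    try:
        parse_range_spec(spec)
        return True
    except ValueError:
        return False


def same_block(*specs: str) -> bool:
    """True when every notation given resolves to the identical network."""
    return len({parse_range_spec(s) for s in specs}) == 1


def first_matching_rule(ip: str, rules):
    """Return the first rule (in the notation it was written in) that contains
    ip, or None: a first-match walk over an ordered rule list."""
    addr = IPv4Address(ip)
    for rule in rules:
        if addr in parse_range_spec(rule):
            return rule
    return None
```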
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    It seems that the answer to my question is YES on what "restricted port" means:

    Now, if I place the same ports in a 2-way all-protocols deny rule, what will happen then if the PC tries to use one?

    I will do a test to find out. I think I'll pick my email ports.:argh:

    More later

    Okay, test completed. The deny all rule with those 2 ports denied in both directions had zero impact on my email client in or out.
    The reason, I suspect, is the following principle at work:

    I did have a rule allowing these ports to be used by Outlook! But I think I'll leave my new rule in place anyway as it should prevent other applications from sending email.

    Take it easy
     
    Last edited: Oct 16, 2008
  9. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Further to meaning and use of restricted ports in OA:



     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    For Mike Nash or Stem:

    In OA, in advanced mode > FW tab > ICMP, there are currently 14 entries in OA's table. For full disclosure, I have all 14 as not allowed and my PC runs fine.

    Here is an expanded list with 12 more entries for a total of 26.
    No. 4 and No. 8 have identified trojans which used them, yet number 8 is defaulted as allowed.

    I suggest that the defaults be blocked. Yes, I know I can do that and I have, but 99% of users don't work in advanced mode at this level of detail:

    Type  Name                          Note
    0     Echo Reply                    Ping
    3     Destination Unreachable
    4     Source Quench                 Ping Attack
    5     Redirect
    8     Echo Request                  Ping; Nachi, W32Welchia
    9     Router Advertisement
    10    Router Solicitation           NIS ICMP message type
    11    Time Exceeded
    12    Parameter Problem
    13    Timestamp Request
    14    Timestamp Reply
    15    Information Request
    16    Information Reply             NIS ICMP message type
    17    Address Mask Request
    18    Address Mask Reply
    30    Traceroute
    31    Datagram Conversion Error
    32    Mobile Host Redirect
    33    IPv6 Where-Are-You
    34    IPv6 I-Am-Here
    35    Mobile Registration Request
    36    Mobile Registration Reply
    37    Domain Name Request
    38    Domain Name Reply
    39    SKIP
    40    Photuris



    My question is:

    What is OA doing about the other 12 entries?

    1) Nothing? Seems unlikely
    2) Something, seems very likely but then the question is WHAT?

    Food for thought or respectful discussion.
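An added example, not from the thread or from Online Armor, that evaluates raw ICMP headers against a default-deny policy over the 26 types in the table above, so the 12 extra types (and anything outside the table) get an explicit decision rather than an unknown default; the sample packets are constructed inline with a valid RFC 1071 checksum.

```python
# Added example (not from the thread): default-deny ICMP filtering over the
# type table in the post. Packets are constructed here, not captured.
import struct

# ICMP type -> name, exactly as listed in the post.
ICMP_TYPES = {
    0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
    5: "Redirect", 8: "Echo Request", 9: "Router Advertisement",
    10: "Router Solicitation", 11: "Time Exceeded", 12: "Parameter Problem",
    13: "Timestamp Request", 14: "Timestamp Reply", 15: "Information Request",
    16: "Information Reply", 17: "Address Mask Request", 18: "Address Mask Reply",
    30: "Traceroute", 31: "Datagram Conversion Error", 32: "Mobile Host Redirect",
    33: "IPv6 Where-Are-You", 34: "IPv6 I-Am-Here", 35: "Mobile Registration Request",
    36: "Mobile Registration Reply", 37: "Domain Name Request",
    38: "Domain Name Reply", 39: "SKIP", 40: "Photuris",
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd tail zero-padded).
    Run over a packet whose checksum field is already correct it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int = 0, payload: bytes = b"") -> bytes:
    """Constructed sample packet: 4-byte ICMP header plus payload, checksummed."""
    body = struct.pack("!BBH", icmp_type, code, 0) + payload
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(body)) + payload


def decide(packet: bytes, allowed: set) -> tuple:
    """Return (verdict, reason). Only a type that is both in the table and in
    `allowed` passes; truncated headers, bad checksums and types outside the
    table are dropped, which is the default-deny stance the post argues for."""
    if len(packet) < 4:
        return ("drop", "truncated header")
    icmp_type, _code, _sum = struct.unpack("!BBH", packet[:4])
    if icmp_checksum(packet) != 0:
        return ("drop", "bad checksum")
    name = ICMP_TYPES.get(icmp_type)
    if name is None:
        return ("drop", "type %d not in table" % icmp_type)
    return ("allow" if icmp_type in allowed else "drop", name)
```

With `allowed=set()` every type is dropped, which matches the "all 14 not allowed" configuration described in the post; passing a set such as `{0, 3, 11}` keeps ping replies and the error types needed for path MTU discovery and traceroute responses.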
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello: I have obtained OA permission to post their response to this ICMP question:

     
  12. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello:

    For everybody's information, I'm not going to be posting Hints on OA till sometime in January or February 2009. I'm currently testing a different FW so it is inappropriate to comment / or provide hints on OA during this testing.

    No, I will NOT post about what I'm testing, anyone who wants to know will have to PM or email me privately and use their WSF id/name.
     
  13. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Does OA offer any virtualising/sandboxing?
     
  14. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    Nope.
    OA offers HIPS protection.
     
  15. Leolas

    Leolas Registered Member

    Joined:
    Jun 18, 2008
    Posts:
    58
    Location:
    Modena, Italy
    OA has no sandboxing/virtualising, but its Run Safer function can automatically "step down" the rights that any program you run has to a "limited" user.
     
  16. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    Would Online Armor and DefenseWall complement each other well?
     
  17. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    I had both of them and they work well.
    If you enable HIPS protection in OA and use Safe Run for applications which you don't trust, then I think DW is not a must-have software.
     
  18. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello:

    Just to update the thread, I have now put an OA beta back on my setup using the clean install method (recommended).

    THE PURPOSE OF THIS POST IS NOT TO INDICATE PUBLIC RELEASES OF OA. THAT IS THE JOB OF THE OA SUPPORT FORUM.

    The second purpose fwiw is to let the thread "know" I have put OA back on my set up. For a few weeks I was using a different FW product. (only one pc for testing)

    THIS IS A HINTS THREAD. EVERYBODY FOLLOWING THE THREAD HERE AT WSF SHOULD NOTE ANY REFERENCES TO BETA VERSIONS ARE ONLY BY WAY OF SHOWING HOW THE HINT WORKS. IN THIS CASE THE HINT DEALS WITH CLEAN INSTALLS. BUT TO AVOID CONFUSION I HAVE NOW EDITED OUT THE REFERENCE TO A BETA VERSION.


    Clean install: I did a clean install of Build X.n.n.n (XP SP3).

    By clean I mean:

    1) un-installed Build X.n.n.n using OA's un-install feature
    2) ran utility programs CCleaner v.... 815
    3) ran Registry Mechanic to clean up there
    4) ran Perfect Disk 2008 for a defrag
    5) rebooted
    6) installed Build X.n.n.n
    7) ran SCW
    8) did as much updating of SW tools as I could during the 2-minute LM
    9) turned on LM again to finish all my updates, mostly UDP rules
    10) loaded my black lists
    11) set my country restrictions
    12) set my Run Safers: IE 7 and FF, plus MS Outlook, Word and Excel
    13) added specific IPs and ports to MS Outlook due to my ISP's non-standard use of outgoing ports


    The one thing I haven't done is try the settings restore; for now I am holding till testing is completed.
     
    Last edited: Dec 27, 2008
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Note this build is a beta build and not publicly available.

    Pete
     
  20. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    A feature of OA is the use of trusted and protected web sites.

    This is intended to minimize/prevent DNS poisoning. The unwary user is tricked when looking up a site by name to "go to" a fake or invalid site simulating their bank or a security software update site.

    Normally, we think only of banking, but I also use it for key update sites. Examples are SAS and OA itself. I don't want updates for these from poisoned DNS lookups.

    superantispyware.com
    updates2.superantispyware.com
    www5.tallemu.com

    So these I added to the WebSites list as protected.

    OA checks "your" update IP against their trusted server lookup for the same name, and if they don't match, no connect.

    Some users will say this slows my speed of connects by 2X and does double packet sends; this is true. It's like car racing: you can go fast and crash, or arrive in one piece. Your call.
     
  21. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    For thread reader information, the wildcard character ? inserted into a site addy is NOT intended for use with Protected sites or in Banking Mode.



     
  22. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    As mentioned here :

    https://www.wilderssecurity.com/showpost.php?p=1383322&postcount=1

    OA has a public beta available 3.1.0.12. Any hints I post from this point will be using this version. Note it is a beta so "buyer" beware.

    I just did a CLEAN install and the tasks I did first are:

    1) Untrust the interface on my shared router
    2) Turned off auto configuration of OA trusted programs
    3) Added my usual list of blacklists from BlueTack plus my own tailor made list
    4) Blocked spoolsv.exe from www access (it doesn't need it)

    I'll do some more work later for you guys, but enough for now.
     
  23. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Due to technical issues with the very newest betas that I have experienced over at the beta testing forum, I am suspending comments on the public beta 3.1.0.12 in this thread.

    I have reinstalled V3 3.0.0.190 which is the last "production" release and the same one that many OA users will "come" from when the next public release emerges.

    The important thing for OA IMHO to do is to get 100% of the listed/advertised features in their releases working and the help files in step with those.

    The ability to reliably restore settings from the last release 190 to the next 3.1.0.xxx is mandatory.


    More later.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    This is probably wise. Remember beta releases are for the purpose of finding bugs, prior to release. Your advice for OA, applies equally to all beta software.

    Anyone wanting software to act as advertised simply should not mess with beta software. The whole purpose of beta testing is to find, report, and confirm bugs are fixed.

    Pete
     
  25. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Hi Escalader, and everyone.

    Just to bring a bit of clarity: settings restore didn't work for one single past beta build, and that build was released to our beta team, not to the public.

    We test upgrades from production release to production release carefully, but between beta builds we do not guarantee forward or backward compatibility.

    Here's what happened: In our dev process we are constantly looking for optimisations to Online Armor to make it smoother, faster, lighter, better - or all of the above.

    If you backed up from a beta 18 backup it is possible that FW rules didn't get saved because we did some optimisations in the data structures used to store configs and went too far. This optimisation was then corrected - but an "18" backup will not be any good.

    Of course - most people would not know anything about build 18, because that has not been released to a public beta.



    Mike
     