Inbound firewall

Well that is the case indeed. Until its officialy out of beta stage the product's test results may not be published. But if you like to test it internaly you can donwload it here:

http://dnl-eu2.kaspersky-labs.com/devbuilds/TR/KIS/

Another question. You mentioned Injoy Firewall earlier in this topic. Did you also test it's SPI capabilities? What did you think about it?

 

I will on my next setup. (later tonight or tomorrow)

 

Hi Netherlands,

I have not yet tested the latest release.
I will do that when I check windows firewall (I may have a spare hour later)


- Stem

 

The test is very basic (at the moment), just spoofed packets over a current (open) connection.
I do want to expand/improve on the tests and add various scans and filtering of UDP/ICMP.

I am starting to find a little more spare time, so I am hoping to sort out better testing and then re-check the firewalls, so at the moment, I am not keeping results etc.


- Stem

 

Open to verification, but,... If for example, I am allowed to download/install, then I would also be allowed to test the product, which then puts forward being allowed to post results openly of testing directly to vendor forum.

- Stem

 

Yes you can always post your results at the Kaspersky Beta forum

I don't think its a problem if you post it here though.

 

I found the official tekst about testing there beta product:

"This software may not be used for comparative product testing, nor may it be used for product reviews or benchmark testing without the prior written consent of Kaspersky Lab."

 

Windows firewall did log as dropped the invalid flagged TCP packet, but a sniffer installed was able to see/log the packets.
It did not filter out the "out of connection", so the firewall is not checking sequence numbers.


- Stem

 

I have made 3 installations of Injoy 4.1, the results on the first 2 installations was quite bad, in fact it did not filter any packets, the 3rd installation caused windows to hang on boot, so there is a conflict with Injoy 4.1 on my test system.

I will need to find time to check what the conflict is with, if it is with the NIC/driver then it is a major problem, as this problem can only be seen either due to the hang on boot, or with the lack of any filtering, which could leave a user (with the same setup/problem) with no actual firewall/filtering protection.


- Stem

 

Hi, Paranoid. I was too busy to post the reply about my opinion about leak-tests.
One thing about leak-tests: I saw what leak-tests have behaviors as the real malware on Firewall leak tester. But 98% of leak-tests are simply a waste of time, because they do not show or match what vast majority of malwares really do.
Example: Ok, let's suppose you have leak-test that is on your computer. Leak-test or malware on your computer means the your computer's security is already compromised by leak-test/malware.
When you run any leak-test/malware any firewall or HIPS will ask you that leak-test or malware is trying to modify registry or whatever else.
Instead of blocking in many leak-tests you have to grant access to leak-test do its job and than block any other action-in my opinion this is very bad approach since we assume that computer's security is already compromised when you allowed he first action.
I used to support leak-tests, but not anymore inbound protection against all kind of malwares is what I really prefer.

Also regarding antivirus/anti-spyware that all threats-that's true in theory. However, my experience showed otherwise If you use for example ZoneAlarm Pro or Outpost Pro with NOD32 it's the best combination you can get.
Despite my memory stick was always infected by worms, Trojans, spywares it never really infected my computer in 100% of cases.


I'd like to hear both Paranoid's and Stem's (and others') opinions about the following:
Some interesting notes I saw on Comodo's forums:
It would be too naive to claim that having a network based packet inspection can prevent malware from being downloaded and run.

Network Intrusion Detection and Prevention is conceptually similar to anti virus scanning such that packets are scanned for known signatures or patterns. It adds an additional layer of security but is far from being able to stop most of the known threats, never mind the unknown ones.

Malware can be trasmitted over an encrypted traffic, e.g., SSL, VPN or SSL based Jabber(IM) protocols. And even over the unencrypted traffic, detecting malware detection is not 100% guaranteed. When you compress some files and transfer it, are those packet inpections going to build the whole archieve, decompress it, and then scan? So they are svery limited and cant be assumed as the main line of defense.

What do you think?


There is more I found out:
you have 100% clean PC:

1 - Lets assume you have an AV software. If AV signatures did not detect a threat, after some signature updates, you will be able to detect the virus later, possibly after all the harm done. None the less, lets assume this is acceptable. This would be generally be the only way you would be infected.

2 - Lets assume you dont have an AV but an intrusion detection system which scans network packets against some signatures:

Lets assume a known malware is going to be transfered:

- If the malware is tranfered over an encrypted channel, you are vulnerable
- If the malware is transfered over an unencrypted channel, but with an uncommon protocol that your IDS does not know, you are vulnerable
- If the malware transfered, over an unencrypted channel, but with an infected setup file, you are vulnerable, especially if the file is large.
- If the malware comes from another source than network, you are vulnerable

At the network layer, you are quite limited in terms of detection capabilities(you have a couple of packets and that all). Consider AV programs having everything(emulation, unpacking, heuristics etc) failing to detect malware. Never mind a fragment of malware inside a packet.

If your IDS does not know the malware, it can not detect it and even after the signature updates. Unlike an AV, it can do nothing after signature updates.

So an N-IDS, is a nice, additional layer of security. But it is not comparable to an H-IPS and can not be trusted as the main line of the defense. Would you trust a firewall only as your main line of defense?

Your opinions highly needed?
Big thanks to everybody.

 

Hello Stem.

I am interested in the Looknstop firewall. I'm not an expert, and I don't quite understand the outcome of your test as you described it. I want firm inbound protection. To what extent do the 'other packets (invalid flags/ out of sequence where not filtered out)' matter, what does it mean ?

 

Yeah, LnS and CFP, but only if you find the time Stem.

Cheers

 

Hi Stem:

On your inbound FW testing, have you got any results for OA 2 to share with the thread. If I have missed it here I appologize.

 

Hi CWS,

I'll post as best I can, but for sure P2K, Stem or someone with similar qualifications can provide better info

The first action is usually allowing the malware executable. Registry modification and so forth will happen later. I do agree that the system is probably already compromised after the initial "allow" action.

There are numerous best combinations. It comes down to user preference, where system stability, system performance and ease of use, amongst other criteria, should be considered.

Just a question because I'm curious: is this because your security software alerted on these viruses or because you did not transfer them off your memory stick to your computer?

This is an area I know very little about, but I believe it is firewalls, probably hardware only, that incorporate DPI (Deep Packet Inspection) than can do this.

Probably correct but I really have no idea. Hopefully someone else can elaborate.

Regarding the last part about N-IDS not being comparable to H-IPS, sure they are two separate types of security measures, but HIPS generally require the user to have some knowledge about the O/S and such, whereas the N-IDS just kind of takes care of everything for you, making the decision itself on the nature of the data it's inspecting. At least this is the way I perceive it. Of course even a fully up-to-date signature database is no guarantee it will detect all threats.

Well, currently in the case of Linux which I've been using extensively for a month...yes, I would With Windows, no, I also use an AV.

 

Hi, Wat0114, big thank you for the answer.
I just remembered something reagarding firewalls, especially Jetico2 and Outpost Pro?
Does not the firewall regulate the port, protocol and IP involved along with the connections of the applications? Would not the blocked connections to blocked ports and IP by blocked protocols just be blocked anyways?

In this way unknown malware attack from the web could be stopped?
I'm sure Stem could agree with that.

I'm sure someone like you or Stem could easily configure Outpost Pro or Jetico2 to the level no malware can get in or out (I love the Block most mode, it's one of the reasons why I started to use Outpost Pro and especially nice GUI).
Unfortunately I still need to look to Paranoid's thread for safe configuration.
I need one more favor.
Do you use any antivirus with Outpost Pro?
The reason why I'm not using antivirus with Outpost Pro is the following:
Every time I want to use NOD32 or Avira antivirus with Outpost Pro, some of the Outpost's functions like Web Access are blind, or anti-spyware can't be used when I use Avira Antivirus with Outpost Pro-is there any reason I should be worried about if some of the Oupost's functions are blind just to be compatible with other security softwares?
Because, I must admit I do visit potentially dangerous, sometimes malware-loading websites.
However, Outpost Pro by itself handled them all, but with antivirus some of Outpost's functions don't really work...
Hmmm..., your opinions highly needed.
Big thanks.
And I hope moderators won't delete this message since it doesn't belong to this thread.

 

Comodo 3 also has advanced packet filtering rules where inbound traffic is only allowed to travel in/out on certain ports and protocols for each application etc.

However I don't believe this would stop all malware from coming in maybe some but not all, unless you had a Hardware firewall with "Deep Packet Inspection"

That said for my inbound Malware protection I use FF No Script and Admuncher which filters out a lot of Malware, there is also some AVs like Avast which scans all Inbound HTTP traffic for Malware.

And regards to general Dos and Ping attacks your Router Nat firewall takes care of that.

 

Hi, Arran and thanks for the reply.
Where can I download this FF No Script and Ad muncher?
Also, regarding hardware firewall with DPI-can it stop unknown, new generated malware samples-as far as I know only HIPS for inbound protection (and partially heuristics) can really handle new, completely unknown malware samples, since it will ask you this program is trying to install or whatever, even though it's unknown malware, but it's up to user if he will be smart enough block this installation?

 

Also, as far as I know, Comodo has identified about 60% of of unknown malware samples, I read this on Comodo's forums about 3 months ago...

 

The current connection(s) will be regulated by the firewall's level of SPI (Stateful packet Inspection). As for blocked conections to slected ports and IP's, sure, anything not allowed in the firewall's rulesets will be blocked.

If the IP address of a site harboring malware is blocked, then I'd agree the malware should be blocked. Otherwise, I can't see a firewall being able to block malware unless it has built-in DPI (Deep packet inspection) and has signatures that will block the specific malware in question. Also, if the malware is downloaded and installed, then Outpost or Jetico may or may not be able to do anything about it, especially if it is one of those nasty kernel mode rootkits.

Speaking only for myself, the only way for me to stop all possible malware is to simply not download any of it and to avoid all sites harboring malware. These firewalls can not really be configured to stop all malware from getting in/out, unless all ports and IP addresses are blocked, which, of course, is not a practical solution. Of course, if your custom ruleset does not contain the port(s) the malware is trying to connect to, then it might stop it. There are also other factors that could stop the malware such as checksum modules or HIPS-like functionalities, both of which are built into these firewalls.

Yes, NOD32, 2.7.

Outpost Pro, including the latest version, can be used with antivirus/antispyware solutions, as long as Outpost's, built-in anti-malware option is disabled.

I see no legitimate reason for this kind of web-surfing behaviour, unless you are testing anti-malware solutions, as there are some members in this forum, for example, doing. You are only asking for trouble visiting these type of sites.

Outpost's functions should work with antivirus solutions, but there have been problems reported by many who have tried using Outpost with antivirus apps, especially Kaspersky. Sometimes the web scanning functionality of certain av products will conflict with Outpost. As I've mentioned before, I'm not recently too impressed by some of these latest firewalls, since they are getting a little too buggy for my liking.

 

Big thank you for the answer: One more short question.
I just went to download.com and saw and poster named Legjendat said that Outpost Pro is not as good as he thought it would be.
It supposedly doesn't block every attack.
He also said that ZA Pro blocked over 110 000 attacks in 2 months, and that if there was no ZA Pro his computer would be dead.
It seems to me, in my opinion Legjendat didn't use Block most mode for Outpost Pro which I always use, because as far as I know Block most mode blocks absolutely everything except the actions I allowed, that's why it's quite impossible to me how did he make this up!?
Here is the link:
http://www.download.com/3642-4_4-2995127.html

 

ZoneAlarm has a counter for the number of "attacks" blocked. Legjendat probably just took it too seriously.

 

May 27, 2008
8Signs Firewall v3.0.37 Released!

What's New

 

Dead? LOL. Very radical statement.
Definition of an "attack" is different with different vendors. Some firewalls have the option to set the number of port scans that will trigger an "attack" alert. I'm not sure, but I think Outpost has it.
ZA obviously set this number to very low figure by default, so the legitimate traffic (i.e. server-type traffic (opened ports)) is being flagged as an attack.

These "attacks" in ZA are nothing more than a marketing bull. I can make a loose analogy with an AV flagging a FP with a BHO toolbar.

Umm... porn perhaps?

 

ROFL! 110.000? Yeah, right. Is he a 5 star general of the Pentagon? No? I thought so.

ZA is famous (or should i say infamous) for its "attack logging". If you don't make it show only "important" attacks, it fills the log with 50 "attacks" every 1 minute. 10 minutes later, the log is so crowded and useless, that it's not worth looking at anymore.

You wanna see 110.000 in 24 hours with ZA? Here is how. Run Emule without advanced rules. Just check at program settings to give complete server rights. By the end of 24 hours, you will have a gazillion "UDP attacks" because Zone Alarm even if you give complete rights, is (still after many years) unable to open the UDP port. You want 220.000? All you have to do is close Emule and don't change IP. You will have another flood of TCP packets to be added to the UDP packets. Each of these is counted as "attack". Random internet scans? They generate tons of "attacks" too.

Most of the other firewalls out there, don't even bother to log as "attack" the internet's "background noise" , because it is cluttering the log, which ends up with a log that you can't read. ZA on the contrary, is capable of logging any casual "sneeze" as attack from which it "saved" you. Good marketing ploy for firewall newbies i guess, totally crap for people who actually want to READ logs with REAL attacks.

 

But still no Application filtering (control)