Jetico Personal Firewall

Discussion in 'other firewalls' started by Kerodo, Sep 2, 2004.

Thread Status:
Not open for further replies.
  1. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,003
    5 seconds sounds pretty good. The only UDP I deal with here is DNS and DHCP I think, oh, and also a time sync util uses UDP on port 37 also. So for those purposes I would think that 5 seconds is good enough. Hopefully anyway.. :)
     
  2. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Back to CHX-I this evening. I had to pull the nic and put it in another slot to get XP to generate a new connection because a bunch of stuff was not working right due to too many FW installs and removals.

    I am reaching the conclusion that trying to watch processes or run an application to prevent termination of a firewall when the firewall is charged with some sand boxing function like Jetico is too much trouble for any normal person. However, that is exactly where we are, and I think the same situation applies with Outpost. CHX-1 and 8Signs are not terminated by the APT utility from Process Guard but have no app control. I am hearing the new Tiny resists termination, but those guys have nasty business plan.

    I am beginning to think that the best way (for me) is to run CHX-1, KAV, Firefox and other non MS apps to eliminate as many built in vulnerabilities as possible. The other easy one is spywareblaster as it is passive. Other than that, high levels of awareness, and keep a system image handy.

    This whole business of trying to use software watch every little thing going on in the box (plus a second program to prevent terminating the first program) makes less sense over time. Besides, all it tells you is the machine has been compromised.
     
  3. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,003
    I've found that too many firewall installs and uninstalls messes things up in short order. I reformat/reinstall Win2k regularly here. More often that I'd care to admit...

    Yeah, Tiny seems to be doing something rude these days with their pricing and upgrade policies.. It's an interesting product, but I'm not even so sure about the firewall. I tried to disable DNS in Tiny 6.0.140 and 6.5 and no matter how hard I tried, I couldn't do it. That's crazy...

    It IS rather amusing how much stuff some people run. No offense to anyone, but I get the feeling that some people have so many security programs running that their machines are brought to their knees doing nothing but watching the machine and the programs on it. Gets a little ridiculous...

    I'd rather go light and if something happens, then just reformat and reinstall. Takes a few hours. No big deal for me... But maybe that isn't practical for some people...
     
  4. harrywong

    harrywong Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    20
    "I'd rather go light and if something happens, then just reformat"

    Not really a good option if you have any financial info of value that can be lifted, and if you don't want a trojan/keylogger to transmit what you are doing with online transactions.

    Currently I'm running KAV personal 5, Jetico, and Prevx Pro. Looking at my CPU use, all 3 are nill. For RAM use, KAV is at 8500K, Jetico at 3500, and Prevx Pro at 4500. As some firewalls alone will take up more RAM, I feel pretty comfortable with this protection (haven't had any spyware on my system in months, KAV is superb vs viruses/trojans/worms, and Prevx will protect against Rootkits which most AV's can't).
     
  5. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Harry-

    Does Prevx prevent termination of the firewall? I have come to the conclusion that all the process watching stuff that is in Jetico to help it pass the leak tests is not worth anything if the firewall can be easily terminated, and it is easy to terminate Jetico.
     
  6. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    From what I know Prvx does not prevent termination. You need something like ProcessGuard to do this.

    Someone please correct me if I am wrong.

    Hope this helps,

    Chris
     
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Process Guard is the best option for protecting programs from termination from malware. System Safety Monitor can intercept some (but not all) termination techniques also.
     
  8. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    P2K-

    I have not tried process guard, but that one may be next in line. It seems to me that a firewall which attempts to prevent process attacks, such as Jetico, should be resistant to termination as it is no more than another form of process attack. I wrote them about this today, in about as many words. I believe in return they will send me a cupon that I can use to buy a cup of coffee for $2.

    Using the Diamond CS termination utility Jetico FW could even be paused. I do not know if its rules remained in effect during that time. Actually, all security apps should be resistant to termination. This runs along the lines of how I feel about anti trojan programs. They should not be needed. Every AV out there, not just the best two or three should detect nearly every one of them.
     
  9. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Regarding my question to Jetico about UDP stateful:

    Our UDP SPI implementation doesn't have any timeouts.UDP SPI matches
    packet
    if an application
    listens destination UDP port. So if destination port is closed, UDP SPI
    does
    not match such packet.
    This is possible because we have additional information about port
    listening
    from application (TDI) level.

    I think this means a range of ports must be kept open for open for eMule as it listens on a random port. Well, I did exactly that and tested it at grc. The results were pretty good. Everything stealth, except for the KAV mail proxy ports which were fixed with a rule adjustment. If you look back, I have posted about the KAV mail ports and their sometimes strange behavior on port scans. I wonder if that needs further investigation. I probably should not be too concerned as I am behind a NAT. If I had a laptop going on some public wireless network my approach might be different.
     
  10. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Not so long ago, I would have agreed here - and some software (e.g. Kaspersky) does protect itself completely. However providing effective termination protection does require intercepting Windows system calls and given the complexity of handling some types (e.g. the WM_CLOSE method which closes an application's window - Process Guard can block this with its Secure Message Handling option but this does not work for all applications), I now consider it better to have one program providing effective termination protection for everything else rather than each program using its own method, some of which may not work completely or even cause conflicts and system instability.
    Well, that's an interesting statement. If CHX-I is monitoring the TDI level then it can easily provide full application-filtering. However while this seems straightforward for when CHX-I is running on a client PC, the case of CHX-I on a gateway/proxy receiving UDP traffic from a client PC and forwarding it would seem a different situation, since no application would be involved in opening the port on the gateway itself.
     
  11. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    P2K-

    Your point about termination is well taken. I guess what you are saying is that adding all these low level functions increases the possibility of conflicts. Of course there is the snow flake effect. Every machine is different so you do not know until you try. I have noticed that 8Signs resists termination. The Diamond CS utility will not work on CHX-1 because the utility can only terminate services that show up in the task manager, and CHX-1 is not there.

    I do not understand your comments about CHX-1 and TDI. The quote in my post is from the developers of Jetico. I received it in an email from them this morning. Thdir support level is nothing short of amazing. Were you thinking about CHX-1 while reading about Jetico?
     
  12. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Oops, my mistake. :p Still remembering those CHX-I SPI discussions...
     
  13. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,003
    I have absolutely nothing of value on my HD that could be lifted by anyone, which would never happen anyway. I don't think I'd ever have any trojans or keyloggers on my system. I just don't download dubious stuff. Never had any problems yet in years. Only thing I do here is install a lot of firewalls, which eventually messes one thing or another up, thus necessitating a reformat..
     
  14. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,003
    Diver -

    I was playing a little with Prevx just the other day. I don't think that it can absolutely prevent firewall termination. It will protect areas of the registry and system files (I think) and so on. It's an interesting program, but I came to the conclusion that I don't really need it.
     
  15. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,003
    That's very amusing.. and probably true...
    I would think that if Jetico's execution could be paused, then it's rules would then be useless and traffic would flow perhaps bypassing the firewall. Not sure though...
     
  16. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    It is not financial info that I am worried about. If you bank on line and your password and logon are known, someone can impersonate you and set up a bill pay system that will transfer your entire bank balance to them. Your only protection is that it is fairly difficult to set up an entity that will receive electronic payments under bill pay without leaving a lot of traces. Much more difficult than setting up a phishing website.

    I have never heard of any trojan that searches a drive looking for social security numbers and the like. Besides, there are easier ways to get them.

    Non the less, key loggers have been used on their victims with amazing results. Students have changed their grades and obtained exam questions on teachers computers. The most celebrated cases seem to involve hardware key loggers, implying that there was physical access to the victim's machine. These are the bad guys who got caught. Is it that planters of software key loggers did not get found out?

    The exact nature of the FBI Magic Lantern is not known. It discovered the PGP passphrase of a mobster that was previously untouchable. Most articles on the Internet speculate that it was a software keylogger, delivered as a trojan, and it sent out its data over the Internet. My personal belief is that it was a hardware keylogger.

    There is a lot of news about ID theft and phishing. Hackers do not need to come up with complex trojan to steal a banking log on when folks give this up through social engineering. Social security numbers are stolen by looking at personnel and medical records. Why try to attack one user at a time when it is possible to hack into corporate data bases and steal 100,000 credit card numbers or SSN's at once. It is kind of like thinking that you will be the victim of a complex mission impossible style operation to steal $10,000 when there are much more attractive targets worthy of the effort. I have never seen a news article where a software keylogger delivered as a trojan ovr the Internet was used to effect an ID theft or obtain a banking logon. If anyone knows of such a situation, I would love to know about it. Even the author of the firewall leak test website says that these exploits are rare and were targeted at specific persons.

    One thing I have realized from using Jetico firewall is its tremendous sensitivity. It throws up an alert every time an application checks any network component, and long before an attempt is made to send out data over the web. It is highly likely that this would take place before an attempt was made to terminate the firewall, let alone use some exotic technique to masquerade as a trusted application. This sensitivity drives me nuts, but it just may be the real stregnth of Jetico PF.

    We must all temper that which is technicologically possible against that which is likely to happen, and human nature in general. All that most spyware spys on is Internet usage. Most of the crap ware just delivers advertising and redirects the victim for commercial purposes. A spam relay or a DDOS trojan are annoying, but I find it hard to see how someone would miss one for more than a very short time. And finally, these things do not install themselves. 98% of the time the user installs it as a result of social engineering. It has to get past the user's awareness (and so many are clueless) and an AV.

    What is real life? My daughter brought home a laptop with an AV that was 4 years out of date. I installed a new AV with a good detection rate and updated it. There was not a single infection on board.

    I repeat, I hear a lot of the what is possible, but nothing about what is happening. I have seen some assertions that when the trojan makes outbound contact that is the first the user ever heard of it, but what I see in the forums regarding complaints about infections contradicts this. Usually the machine is slow or acting weird, or an AV update discovers the problem. Someone, show me a real incident where some of this more exotic stuff is needed. Show me where a software keylogger defeated a firewall with simple application control when it phoned home....
     
  17. Arup

    Arup Guest

    I for one truly love Jetico, compared to Zone Alarm Pro that I am currently running, the memory usage was 5mb max compared to Zone Alarm's whopping 22mb, however the problem with Jetico is that for a Gateway machine using ICS, the host machine has to disable its SPI protection flag thereby loosing out a very important feature, on Zone Alarm, SPI remains intact on both host and client under ICS.
     
  18. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Arup-

    Get a NAT and ditch ICS. I think mine cost $30, and that is with wireless access.
     
  19. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    I was just just getting ready to do some research on Processguard. Over at their web site there is a free version that prevents process termination, but lacks some other bells and whistles.

    Then I tried something. I set Jetico FW to Block all and then terminated it using the Diamond CS termination utility. Guess what, the internet connection stayed off. I guess the thing in the task manager is just the GUI, and the driver just keeps going on at a lower level.

    These guys are better at making software than they are at telling folks what they are making.

    Try this at home, and do not blame me if you wake up in Iraq.
     
  20. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    ***Jetico is one the most efficient firewall recently relased.

    ***I tested ProcessGuard against many attacks (even advanced like API hooks).
    Conclusion: the Diamondsc's team is not pretentious at all and PG does exactly what it claims. ;)

    Chris12923 and Paranoid are in the right about PG's protection for firewalls.

    ***I've spent more time in order to hard my system (Windows) than to choose my firewall.

    I don't think that we have to concentrate our attention on firewalls: it's only a part of our line defense.
    And it's not the most important part, but not the less too.

    ***We're not 100% safe behind firewalls.

    They can be bypassed on the both side (incoming/ougoing).

    The weakness of personal firewalls is the weakness of TCP/IP protocols.
    With tunneling, script (vbs), massive spoofed packets etc...many firewalls could be bypassed.

    For anyone who has not restricted his policy on Windows, here an example of a method which is used by vbs to bypass firewall (products are patched since this alert):

    http://www.securiteam.com/windowsntfocus/5FP002KELE.html

    Personal firewalls does not support all protocols and are not be able to filter the very deep packets (see the OSI reference).

    ***If someone wants to evaluate a firewall, there is an interesting article about the subject.
    But in many cases, a good test is the one which integrates real attacks with agressive penetration test (scanners and spoofed methods) in order to bypass or to crash the firewall (DDOS).

    Have a nice read ;)

    http://www.informit.com/articles/article.asp?p=366698

    Regards
     
    Last edited by a moderator: Mar 2, 2005
  21. Arup

    Arup Guest


    Diver,

    Thanks for the advice, do you think I can do NAT with my GPRS mobile phone based connection?
     
  22. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Kareldjag, thanks for theinteresting link.

    Arup, I don't know a thing about GPRS Mobile.
     
  23. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    In my most recent email from Jetico they mentioned that they would password protect the settings after they install some kind of protection for the config files.

    They were not specific on giving it the ability to take a range of ip addresses, but said it was a long awaited feature. Fortunately, I think that I am getting to where I understand network/mask addressing well enough to use it, but this method does not seem to work well for some odd ranges like smtp servers.

    In actual usage, the big difference between Jetico PF and most others that I have used is that it detects network access ahead of and separately from an attempt to make a network connection. There are a lot more network aware applications than those that make connections, so there are a lot more pop-up warnings. Likewise, many ordinary applications set system wide hooks. Quite a few of which seem to come up when selecting a file to work on.

    The detection of network access would prevent a rouge program from sending mail out through an AV's outbound scanning without the firewall ever granting it access. I noticed this kind of behavior using Kerio 2.15 when first sending mail while KAV 5 was running. There was no rule for the mail client, but the mail went out because KAV was authorized to contact remote port 25. It is better security, but the price is less convenience. I believe it would be very difficult to configure Jetico for someone else, unless one was dealing with the roll out of a series of cloned machines.

    IMO, the average user is unable to make a correct response to a firewall pop-up, and I mean any, including the rather simple ZA free. Its fine if there is nothing bad on the machine. If there is some rouge program, they will probably say yes to get rid of the warning, and move on. This is a problem with all application oriented firewalls. Add more options and more types of protection and fewer users can deal with it correctly. This is why Microsoft designed their XP firewall the way they did. It is also why corporations do not put personal firewalls with any sort of application control on each desktop.

    I really like this firewall. I just wish it was possible to achieve the same goals without so much user intervention. Perhaps they could load it with more of the commonly used windows components like ipconfig, netsh and so forth.
     
  24. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,003
    When I first starting testing JPF, I got the impression from their web site and email with them that the firewall was more complicated for beta testing purposes than it would be when they finally released it. My understanding was that they wanted to make sure all was working right. Then once they nailed things down, they'd ease up and simplify things so there would be less detail for the user to have to deal with. But nothing seems to have changed from the beta versions at all. I think the main criticism of JPF is that it's overly complicated for the average Joe to use. They probably should have designed a simpler easier interface, with the ability to control all the details if desired for the advanced user.
     
  25. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Its not the interface that bugs me, it is the large amount of user intervention. They could probably do a list of windows components from the many versions of the OS along with their hashes and have the program grant network access to that list automaticly.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.