Leak Testing - Where is the Value

Discussion in 'other firewalls' started by Diver, Dec 28, 2007.

Thread Status:
Not open for further replies.
  1. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I think the problem is that firewalls now (Comodo for example) have evolved into much more than what we originally thought of as a firewall. A few years ago, a software firewall was basically a packet filter with perhaps a few extra features that did simple outbound app control and perhaps a few other things. The real question seems to be just how far should the developers take all this leak-test plugging. Should they continue to add patches and code until eventually the product becomes one monstrous bloated mess of spaghetti code and becomes unmanageable and unmaintainable? I don't know the answer, but I can imagine how complicated some of these apps are getting now. I am finally taking a look at Comodo 3 and it's pretty impressive at first glance. But at some point in its development, I will be half tempted to call it something other than a firewall.... :)
     
  2. mrfargoreed

    mrfargoreed Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    356
    Does this mean that the firewall in Symantec's Endpoint Protection, which has no outbound notifications, is a bad firewall even though it is based on Sygate's technology? I would assume it would fail all leak tests with no outbound control, yet a huge company like Symantec uses it in their corporate suite. Are they ahead of the pack by focusing on preventing malicious behaviour from running in the first place?

    I agree with several comments here that many users (myself included) often will just click 'allow' when an application asks for internet access, making a complicated firewall pointless for me (although I use the latest Comodo, I have it set to ask me as little as possible about outbound access). I often just want to use my PC without having to answer a questionnaire every time I open an internet application.

    So do I use Comodo's excellent firewall and be asked many questions (I know I can adjust settings to change this, but for the point of discussion let's assume I have it set to ask me all the time) or Symantec's silent firewall/suite where I can just get on and actually enjoy my PC?
     
  3. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    As best as I can determine, the Sygate-derived firewall implemented by Symantec uses signatures to identify malicious outbound communication. That would probably identify malware that uses the same ports and protocols but has been altered to avoid flat-file scanning. The value of this product is that some outbound protection is provided, that it does not need to be trained, and that it will not throw random pop-ups weeks after it has been trained when someone tries to print something from a seldom-used program. What most around here like to forget is that a pop-up causes some secretary to stop working while she waits for a call back from the help desk, and the incident costs at least $100.
     
  4. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Yep, there is most definitely a difference between the home user and business environment. None of these other HIPS apps and few of the firewalls would fly in any business environment. You just won't see it. SEP11 is nice because it won't bother you, yet it would appear that it's somewhat configurable too.
     
  5. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Out of all this advanced security stuff, SEP 11, Threatfire and Anti Bot are probably the only things that will work in a business environment. The behavior blockers are destined to be included in every major AV within a few years, although the implementations will vary greatly. It is definitely the new frontier.

    Advanced firewalls will get smarter as well. I think the system scan that Online Access does is a good approach.
     
  6. mrfargoreed

    mrfargoreed Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    356
    And how many average, home users compromise their (our) security each day by clicking the 'allow' prompt of a confusing firewall popup that we don't really understand?
     
  7. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater

    That is what is called "lazy click". It's a big issue, although many around here are in love with very intrusive products. It is, unfortunately, a characteristic of every firewall with leak prevention features, whether through HIPS or otherwise. These otherwise excellent firewalls quiet down after a few days, but they never seem to totally shut up. The hope (for the home user) is you get through that initial period, and subsequent alerts may be taken seriously. However, in a business setting false alarms of any kind are unacceptable.
     
  8. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    This only depends on your personal definition of a firewall. There are people who value low-level network management as the more essential task; others value the protective and security aspects. As for me, the word "firewall" means something protective in the first place, something that blocks unauthorized network use. So to avoid confusion I'd split the term. There are firewalls, and there are routers and low-level network managers. Failing leak tests doesn't mean being a bad low-level network manager or router, and vice versa. But a really good firewall MUST (IMHO) be good in both categories.
     
  9. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    This is true. But in a business environment the security policy must be (and usually is) much stricter than at home. Mail is checked by the corporate server first, and outbound is restricted for a regular user. Some corporations even prohibit by policy starting unknown applications and visiting HTTP sites outside a strictly defined scope. Under such conditions the value of HIPS and personal security software is reduced.
     
  10. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Over the last few days I have had some new thoughts on the subject. The newer firewalls are achieving very high leak-test performance by combining HIPS with network-event-based detection. Network-based detection might not even be needed to stop most of the present generation of leak tests. Just look at how well Pro Security and SSM do on Matousec's chart.

    Let's say the machine is set up for LUA/SRP. If a leak test is downloaded, it will not run from the download directory. Even with the XP firewall, such a machine will pass every leak test unless the user intentionally elevates to administrative privileges to run the leak test. This same result applies to anti-executable. It would apply to drive-by attacks, as the browser is not able to write to areas where execution is allowed by user-level privileges.

    It appears that the new firewalls like OA and Comodo 3 are blocking the tests very early by presenting the user with an "unknown program wants to execute" prompt. The problem is the user does not know the program is bad, and he wanted to run it in the first place to get that cool free game.

    I am coming to the conclusion that there may be better protection in relying on some form of execution control (LUA/SRP, anti-executable or HIPS) plus network-event-based outbound filtering (Comodo 2.4 or ZA Pro), because the warning from the firewall is both a second shot at the problem and focused on the communication event, which is much less frequent and less likely to evoke a lazy click.
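The LUA/SRP reasoning in the post above (a limited user cannot launch what the browser just downloaded, but an elevated administrator can), as an added Python model that is not part of the thread and not any vendor's code. It reproduces the documented decision order of a default-deny Software Restriction Policy path rule set: the most specific matching path rule wins, the default level applies when nothing matches, and administrators are exempt when the policy scope excludes them. The rule set, folder names and file names below are constructed for illustration.

```python
"""Model of how a default-deny Software Restriction Policy (SRP) path rule set
decides whether an executable may launch.

Added example, not code from the thread or from any firewall vendor. The rule
set, paths and file names are constructed; the precedence logic (most specific
path rule wins, default level otherwise, administrators exempt when the policy
scope excludes them) follows SRP's documented behaviour on Windows XP/Vista.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, Tuple

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"


@dataclass(frozen=True)
class PathRule:
    prefix: str  # folder covered by the rule, e.g. r"C:\Program Files"
    level: str   # DISALLOWED or UNRESTRICTED


def _parts(path: str) -> Tuple[str, ...]:
    """Split a Windows path into lower-cased components (SRP matching is case-insensitive)."""
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


def _covers(rule: PathRule, exe: str) -> bool:
    """True when exe lives inside the rule's folder, at any depth."""
    rp, ep = _parts(rule.prefix), _parts(exe)
    return len(ep) > len(rp) and ep[: len(rp)] == rp


def srp_decision(exe: str, rules: Iterable[PathRule], *,
                 default_level: str = DISALLOWED,
                 is_admin: bool = False,
                 skip_admins: bool = True) -> str:
    """Return the effective level for launching exe.

    skip_admins models PolicyScope = "all users except local administrators":
    an elevated admin is never stopped, which is the "unless the user
    intentionally elevates" case from the post.
    """
    if is_admin and skip_admins:
        return UNRESTRICTED
    matching = [r for r in rules if _covers(r, exe)]
    if not matching:
        return default_level
    # The more specific (deeper) path rule takes precedence over a broader one.
    return max(matching, key=lambda r: len(_parts(r.prefix))).level


# Constructed rule set: the two Unrestricted rules Windows creates by default
# (system and program folders), plus Disallowed rules for folders under them
# that a limited user can write to. Without those, a dropper could write into
# C:\Windows\Temp and still execute.
HARDENED_RULES = (
    PathRule(r"C:\Windows", UNRESTRICTED),
    PathRule(r"C:\Program Files", UNRESTRICTED),
    PathRule(r"C:\Windows\Temp", DISALLOWED),
    PathRule(r"C:\Windows\Tasks", DISALLOWED),
)


def evaluate_samples(is_admin: bool = False) -> dict:
    """Constructed launch attempts; returns {path: level} for the given account type."""
    samples = (
        r"C:\Documents and Settings\alice\My Documents\downloads\leaktest.exe",
        r"C:\Program Files\Mozilla Firefox\firefox.exe",
        r"C:\Windows\Temp\dropper.exe",
        r"C:\WINDOWS\system32\notepad.exe",
    )
    return {p: srp_decision(p, HARDENED_RULES, is_admin=is_admin) for p in samples}


if __name__ == "__main__":
    for admin in (False, True):
        print("administrator" if admin else "limited user")
        for path, level in evaluate_samples(admin).items():
            print(f"  {level:<12} {path}")
```

Run as a limited user, the downloaded leak test and the dropper in C:\Windows\Temp come back Disallowed while Firefox and Notepad are Unrestricted; run as an administrator everything is Unrestricted, which is the gap the post's second layer (outbound filtering) is meant to cover. The model leaves out hash, certificate and zone rules, which real SRP evaluates ahead of path rules, and it models only the decision, not the registry keys under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer that carry the policy.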
     
  11. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    They work that well simply because they detect and block the bad behaviour of malware that is not necessarily related to the network.

    The problem with any security solution is that it's impossible to completely exclude the user from the equation. If somebody tries very hard to execute some malware on his/her computer, it will eventually succeed, no matter how many protection mechanisms are in place :)
     