Matousec - Leak-testing update

Discussion in 'other firewalls' started by MaB69, Jul 26, 2007.

Thread Status:
Not open for further replies.
  1. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Perhaps, but a browser hijack is still not a firewall breach. However, the monitoring of live processes or services is a rather specialized task, wouldn't you agree?

    Making those decisions as to which processes are legit and safe and which are not, and ending in failure, is usually not due to a weakness in the firewall but in the detection or accurate white-listing ability of the product. When this fails, the user is responsible for making that decision (usually the wrong one, in my experience).

    That is why I think firewalls and HIPS as well as anti-spyware or anti-virus should remain modular and continue to be specialized... Besides, my experience over the years with products that attempt to do it all has never really impressed me...
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yeah, but he is doing it for money. If he finds a problem, he won't reveal it to the author without payment. That makes me question his "objectivity". I think he has made you more secure against his hypothetical attacks, but more secure online? Hmmm
     
  3. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Well, that depends on your definition of firewall breach. Some might argue that it's a firewall breach if data gets off your PC regardless of the method.

    If we look at the leaktests that are out there, they try to use a trusted process in some way to gain access to the internet: injecting something into Internet Explorer, replacing a trusted exe with an untrusted one (e.g. replacing firefox.exe with evil.exe), switching processes in memory, and so on.

    Changing the IE homepage is no less of a breach (if you use the criteria above) than injecting a DLL into IE or using DNS.

    Personally (and probably obviously, given what I do) I consider the all-in-one approach superior for the non-specialist user.

    As for leaktests in general - for me the jury is out on whether they are valuable or not. We're compelled to join in this race, since it's very difficult for people to judge the quality of a product. Matousec Security (and firewall leaktester) produces a nice ranked list of products, and people take that at face value, so we have to play to win in that game, as does everyone else, to be rated near the top.

    Overall, I think it improves the quality of the products of those that choose to participate - but sometimes there are side effects of more complex products that people just don't get... which is possibly why some of the big boys just ignore it.

    @Peter2150's --
    Everyone has to earn a crust Pete - would you rather he offered it up for sale to malware authors instead? I reckon he'd make a lot more money if he did...
     
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    No :)
    Ghost Security Suite is AppDefend+RegDefend. Ghostwall is a simple packet filter, like XP SP2 firewall but lighter and more advanced.
     
  5. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    The problem with tests is that one must use common sense in order to correctly regard/apply their results. Those who disdain common sense will object to this, of course.

    Ah well -- Those unable to raise the bridge must, perforce, seek to lower the water.:p
     
  6. Dwarden

    Dwarden Registered Member

    Joined:
    Apr 11, 2003
    Posts:
    177
    Location:
    Czech Republic
    Well, his useless tests improved some products already ...
    so much for being useless then ...

    Maybe you dislike the tactic he uses to fund the project, but it's better than selling each hole to malware authors or to 'zero day security firms'
    (ofc he can do that too and get way more $ :)

    Anyway, the point of whining about these tests is a typical troll scenario ...
    If you dislike that, then do it yourself and better :)
     
  7. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Somehow it seems that voices of the lowest denominator always screech louder than most... This is probably why engineers are often forced to "Dumb" out their products to satisfy those who would rather be plowing by hand than with technology...
     
  8. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    It may be. I agree to call it "network security application". This is what I really need as a user. And also I'd prefer that it was a single application just because "all in one" pack reduces required system resources, possible conflicts and has centralized setup.
    Seems like the current moment demands a new short term to jump out. "Internet Security Suite" is too long to say and write :)
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I don't usually post to such threads,

    But a question has always been in the back of my mind with these tests.

    "Are we looking at all attacks/problems from internal?" (Internal attacks are simple IMHO)

    For me, personally, I look at attacks from external (internet). Do we have any results/charts from this possibility?
     
  10. Nubiatech

    Nubiatech Registered Member

    Joined:
    Aug 19, 2007
    Posts:
    50
    Location:
    IL, USA
    This is interesting, are you referring to DoS attacks? or some other attacks that target the firewall itself?
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Pete: For what it's worth, free is the last factor for me as well. Of course some here are not able to pay out much for SW and selecting the "best" from among the free ones is their only choice.

    I also agree on the alpha and beta testing, but for selfish reasons, you know, let someone else debug it first! :oops: I just don't have the time to test what should already work.

    Leak tests, sure, why not use them as one more assessment tool. But not the only one. I have a feeling that the vendors build in code to pass leak tests, but what we need is real-world performance information.
     
  12. xandros

    xandros Registered Member

    Joined:
    Oct 30, 2006
    Posts:
    411
    thank you
    good job comodo firewall
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello Nubiatech,
    As I mentioned, I don't normally get involved in such threads, so sorry for the delay in reply (I did not watch the thread).
    Both.
    First, please do look at what a "DOS" attack is; this is normally a packet (or sequence of packets) directed at the TCP/IP stack (the internals of Windows). I know over the years some protection has been put in place by M$, but some simple DOS is still possible, so filtering is needed. A lot of filtering can be done by deep inspection of packets, but this inspection is rare in firewalls; some will include such as "Attack detection", which to me is actually an SPI function (such as malformed/illegal flag packets), but most do not look at this. The reports you see of such as a web site being DOSed are normally due to DDOS (distributed DOS); this is actually where many inbound (half) connections are made to overload the ability of the server.

    As for direct attacks against the firewall, yes, this is still possible with a number of firewalls. If I find any links to show this I will post with links (I will not post my own findings, as proof/example would be needed, and I will not openly post such info).

    I personally feel too much is put on what could connect out, and the various possibilities of this (via the "leaktests" etc.), rather than the possibilities of what can get in (possibly via a browser outbound connection, as a simple example).

    We also see many posts on the forum stating the protection of a router with SPI. I see no reports on the protection given by routers, but so much trust is given to these... as to what SPI is included: will the router SPI block/drop invalid/illegal packets? Has anyone tested this? Does anyone really know?
     
  14. wat0114

    wat0114 Guest

    Hello Stem,

    hopefully you are still giving this thread at least a cursory glance ;) From your above statement, are you referring to what could happen inbound because of browser vulnerabilities, drive-by downloads, dos attacks or other attack vectors? Personally, I like outbound control because it allows me to stop those few "unnecessary" attempts by legitimate processes such as, for example, svchost and a few others, and because the mental effort required in creating these rules and others helps keep me better immersed in networking principles; I feel I can absorb it better this way, thus helping me learn it more effectively :)

    Anyways, my perception from what you stated above is that you place more importance on inbound traffic than you do on outbound. If this is the case, what filtering techniques do you feel are important for this in a firewall? Is it SPI, deep packet inspection (is that the same as SPI??) or are there other filtering techniques for inbound traffic that you feel should be part of an effective firewall?

    Thanks in advance!
     
  15. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    The inbound side of software firewalls does not get discussed enough, probably because it is more technical and is oft dismissed with "get a router". After all, it does not take a lot of smarts to run some leak tests and tally up the results. Most of the time I think all this leak test stuff is just a marketing ploy. When was the last time your AV (or anyone's that you know) missed something that was true malware and your firewall caught the nasty trying to phone home?
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I would ask: what actual protection does a router give?
    Yes, I know there is NAT, but this is only route (allow inbound from outbound).
    There is in many an "SPI", can someone show me results from a testing of this (invalids/spoofed/ etc packets).
    We do see many who put forward "Have a router and forget about it". Do these users know the protection of the router? Would they know if the router is compromised? Or the capability of the SPI included in the router?
     
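    Stem's two posts above ask what a router's "SPI" actually does beyond NAT's allow-inbound-from-outbound, and whether it drops invalid/illegal flag packets. The block below is an added illustration written for this thread, not code from any router vendor, firewall product or Matousec's test suite. It models the two checks as a defender would test them: a flow table that admits only replies to outbound connections (the NAT/SPI behaviour everyone credits routers with) and a TCP flag sanity check for the malformed combinations Stem describes. The packet records, addresses and LAN prefix are constructed for the example; a real SPI engine also tracks the TCP state machine, which this model deliberately omits.

```python
# Added example (not from the thread): a minimal stateful packet filter model.
# It shows the two inbound checks Stem's posts ask routers to be tested for:
#   1. dropping unsolicited inbound packets (only replies to outbound flows pass)
#   2. dropping packets with invalid/illegal TCP flag combinations
# Addresses, ports and the LAN prefix below are constructed sample values.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# TCP header flag bits (standard values from the TCP header layout)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    inbound: bool  # True = arrives from the WAN (internet) side


def illegal_flags(flags: int) -> Optional[str]:
    """Return a reason if the flag combination cannot occur in legitimate TCP.

    These are the "malformed/illegal flag packets" Stem mentions; a plain
    NAT-only device passes them straight to the host's TCP/IP stack once a
    flow entry exists, so they are a good probe of whether SPI is real.
    """
    if flags == 0:
        return "null scan (no flags)"
    if flags & SYN and flags & FIN:
        return "SYN+FIN set together"
    if flags & SYN and flags & RST:
        return "SYN+RST set together"
    if flags & FIN and not flags & ACK:
        # Every FIN on a real connection rides with ACK; covers "xmas" scans too
        return "FIN without ACK"
    return None


class StatefulFilter:
    """Flow table keyed on (lan_ip, lan_port, remote_ip, remote_port)."""

    def __init__(self) -> None:
        self.table: Set[Tuple[str, int, str, int]] = set()

    def process(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason) for one packet, updating the flow table."""
        reason = illegal_flags(pkt.flags)
        if reason is not None:
            return ("DROP", reason)
        if not pkt.inbound:
            # Outbound packet: remember the flow so its replies are allowed back
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return ("ALLOW", "outbound")
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table:
            return ("ALLOW", "reply to established flow")
        return ("DROP", "unsolicited inbound")


# Constructed sample traffic (documentation-range addresses, not real hosts)
SAMPLE_PACKETS: List[Packet] = [
    Packet("192.168.1.10", 50000, "203.0.113.5", 80, SYN, inbound=False),       # browser opens a connection
    Packet("203.0.113.5", 80, "192.168.1.10", 50000, SYN | ACK, inbound=True),  # legitimate reply
    Packet("198.51.100.7", 4444, "192.168.1.10", 445, SYN, inbound=True),       # unsolicited probe
    Packet("198.51.100.7", 4444, "192.168.1.10", 445, SYN | FIN, inbound=True), # illegal flag combination
    Packet("198.51.100.7", 4444, "192.168.1.10", 445, 0, inbound=True),         # null flags
]


def run(packets: List[Packet] = SAMPLE_PACKETS) -> List[Tuple[str, str]]:
    """Feed the packets through a fresh filter and return the verdicts in order."""
    f = StatefulFilter()
    return [f.process(p) for p in packets]


if __name__ == "__main__":
    for pkt, (verdict, why) in zip(SAMPLE_PACKETS, run()):
        print(f"{verdict:5} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  ({why})")
```

The flow-table check alone is what a NAT-only box gives you: it answers the "unsolicited inbound" case and nothing more. The flag check is the extra that "attack detection"/SPI is supposed to add; wat0114's later question about deep packet inspection is the next layer again, since everything here looks only at headers and never at payload. Replaying constructed packets like these against a device is how one would answer Stem's "has anyone tested this?" without relying on the vendor's label.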
  17. wat0114

    wat0114 Guest

    Either that or Windows firewall is often the recommendation :)

    As far as I know, they drop unsolicited packets?? My router logs show so many of those but, in reality, the entries are vague to me; they list the remote port and IP address. I really don't know if they are malicious or harmless. They are random in content, but many of the IP addresses' first two octets are the same as mine (my router's WAN port). Those I'm assuming are my ISP's customers sharing the same server as I.

    And I’ve been guilty on occasion of this too, but it is only when I perceive that the OP does not care to use a software firewall.

    Maybe Matousec can spawn a project out of this and scam some $$ out of router vendors :D
     
  18. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    With my router, it has advanced rule-setting and application filtering. The logging provides info on dropped packets, scans and attacks. With Kerio installed for 2-3 weeks (I still notice a fair amount of inbound "noise") and both starting with default rulesets, I find Kerio easier to "tighten" and figure out how to stealth. As far as testing for protection of inbound, I'm not sure, other than stealth, how to test or if I'd even want to know the results. If I had to choose between one or the other, a software solution that runs as light as Kerio (or a couple of other lightweight contenders) wins hands down, at least until I can get a decent (used) PC to set up with "untangle"...
     
  19. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Monty:

    If you ever get rolling on untangle let me know!:D
     
  20. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater

    It takes more than common sense, although common sense helps.
     
  21. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I would put forth that 99.99999% of home users are never likely to see any external problems (real attacks etc) hitting them to begin with, so IMO, even a cheap NAT router with nothing else is fine for inbound... I have done just this for several years now with zero problems. $40 solved my firewall problems forever... :)
     
  22. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi,

    I can understand why a company wants good inbound and outbound control, simply because there are more users inside making dodgy decisions in regard to software and internet usage.

    For me a 75 Euro router with NAT and SPI firewall built in works fine. I more or less focus on the monkey behind the PC. With various types of users at home accessing the digital world from three computers, the simple AV + HIPS Policy Sandbox + HIPS Behavioral Blocker (as an extra check when a program is installed as trusted) works fine, with no software firewalls on the PCs.

    I think Matousec fulfills a market need and stimulates the competence race between the contenders. As for most things applies: competition and transparency stimulate overall quality. It is fair he earns a living out of that.

    Regards Kees
     
  24. TheSpirit

    TheSpirit Registered Member

    Joined:
    Sep 18, 2007
    Posts:
    7
    Exactly! leak tests are all about FUD and $$. In this forum I'd like to read about firewall issues and product reviews based on these. If I need to read about malware and HIPS, I'll go to another forum.

    If you conclude that a firewall should not be a security suite, I'll agree with you. Thanks.
     
  25. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    This actually shows nothing. This is just to say unsolicited inbound is dropped. Any of the free firewalls will do this.

    My question about routers is the ability of these to filter packets, be it from an outbound service, or connections made by your browser.
     