More Feature Requests

Discussion in 'LnS English Forum' started by Phant0m, Jun 25, 2003.

Thread Status:
Not open for further replies.
  1. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,353
    Location:
    France
    Could you specify?
    #1- limitations for p2p users?
    #2- UDP/ICMP?
    #3- Other

    For #1, I don't understand how p2p and security can work together.
    For me it's not good to let people think their PCs are secure when they are using p2p applications, even if they have a firewall with TCP SPI. Using a p2p application is a high risk in terms of security, and TCP SPI will change nothing about this: you will still open many ports to many unknown computers.

    For #2, I would like to see specific cases where having UDP/ICMP stateful inspection will increase the security. Is there a scan test that shows the PC is vulnerable or not stealthed?

    Thanks,

    Frederic
     
  2. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Hi Frederic! There are a number of reasons why UDP/ICMP pseudo-statefulness is important in an SPI architecture! CHX-I, CP-FW1 and a few Linux packet filtering firewalls use this method:
    http://www.uwm.edu/People/ajyaeger/stateful.htm
    I will let you be the judge of why or why not it is important. As far as p2p being secure, I agree with you partially about certain p2p clients, such as BitTorrent for one. I personally use mIRC with a server script, where the transfer is one to one (p2p) the way it should be in my eyes. And L'n'S does not like most scenarios like this, by blocking certain traffic it shouldn't... I hate to say it, but the SPI implementation in LNS needs to be 're-vamped'. I have tested many fw's with 'stateful'-like or true stateful packet inspection schemes, and must say 8signs and CHX-I have the concept down pat...
    LNS is a good fw, but could use some refining around the rough edges, so to speak...

    Take Care
    Jazzie
     
  3. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi,

    As I see things, a good C++ dev could do an LNS plugin to read the SNORT rules and inspect the packet contents, and then, once something is detected, it could add a line in the log such as "IDS plugin : alert name".

    Actually the LNS plugins do not have the power to block traffic, although it may change in the future (if Frederic wants to), but an IDS plugin can still in the meantime see the packet contents.
    All the part of reading SNORT rules is IMO a huge work (it is not just like matching a string of characters in the whole packet content, it's more difficult than that) and maybe a totally independent LNS IDS plugin could be better (easier syntax, to start just seek a pattern in the full data field).

    Already some possibilities if someone has time to write a plugin :)

    regards,

    gkweb.
     
  4. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Gkweb-- this has already been done with 8signs and other fw's, using Snortsam.
    www.snortsam.net
    If LNS had command line blocking (which it doesn't) then it would simplify things! Maybe if Frederic decides to make a command line option that would fit into the LNS architecture, then it would be no problem to implement an IPS like with Tiny 6.0 (using Snort). I took Tiny through a spin many times with certain exploits and triggers and it blocked every instance, using the newest rule set. I am sure that it wouldn't be a problem for Frederic to implement an IDS/IPS into L'n'S.

    CU
    Jazzie
     
  5. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    The 8Signs plug-in uses IDSCenter, doesn't it? I was thinking of something more like Tiny's built-in IDS.
     
  6. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Hi AJohn! One can use IDSCenter to simplify running Snort! Or run it as a batch job (command line)! Tiny just incorporates its own automated snort.conf, which in turn allows input to allow/disallow rules. (Most of the tedious work is done behind the scenes!)
    I also like the concept of moving rules from IDS mode (alerts only) to IPS mode (working in conjunction with the fw to BLOCK clients or IP ranges). They have a good, easygoing implementation of an IPS/IDS. But I must say that the 8signs Snortsam plug-in also works well, though it requires user input, and it allows for flexibility to cater towards the client/server needs.
    Then again, the fw rules of Tiny don't allow you to set flags, like other stateful firewalls do. As far as L'n'S goes, Frederic would have to change the architecture to allow 3rd party plug-ins OR go out on a limb and incorporate an IDS and IPS into L'n'S: IDS for alerts only and IPS to block/ban either clients or IPs. Of course all of this is entirely up to Frederic.

    CU
    Jazzie
     
  7. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,353
    Location:
    France
    Hi Jazzie,
    Thanks for the link.
    Unfortunately it just talks about what SPI is, and how it can be implemented for connectionless protocols, but it doesn't tell us in which cases it adds security for UDP/ICMP.
    For instance, I still don't understand why it could be important to block incoming Ping answers when the PC didn't initiate the Ping request.
    For me the packet will simply be discarded by Windows and that's it. Perhaps I'm wrong and there is a stealth issue there? (the PC sending another additional ICMP packet signaling there was an error?) If yes, no problem, ICMP SPI is a must-have.

    Are you still talking about the limited number of simultaneous connections? Or something else?
    If it is not the number of simultaneous connections, I really would like to know what the problem is; there could be a bug there (one was fixed in 2.05).

    Thanks,

    Frederic
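    The pseudo-stateful handling of ICMP echo and UDP that the thread calls UDP/ICMP SPI, as an added illustration (constructed example, not Look 'n' Stop's code; the timeouts and the Packet fields are assumptions): an inbound echo reply or UDP datagram is accepted only if it matches state created by an outbound packet, and a reply that nothing on this PC asked for is dropped by the filter before the stack sees it.

```python
from dataclasses import dataclass

# Constructed pseudo-state tracker for connectionless traffic (ICMP echo, UDP).
# Added illustration only; it is not Look 'n' Stop code. Timeouts are assumptions.
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
UDP_TIMEOUT = 30.0    # seconds a UDP pseudo-flow stays open after its last packet
ICMP_TIMEOUT = 5.0    # seconds an echo request waits for its single matching reply

@dataclass(frozen=True)
class Packet:
    proto: str        # "udp" or "icmp"
    direction: str    # "out" (from this PC) or "in" (toward this PC)
    src: str
    dst: str
    sport: int = 0    # UDP ports (unused for ICMP)
    dport: int = 0
    icmp_type: int = 0
    icmp_id: int = 0  # echo identifier/sequence pair a reply must echo back
    icmp_seq: int = 0

class PseudoStateTable:
    def __init__(self):
        self._udp = {}   # (local_ip, local_port, remote_ip, remote_port) -> expiry
        self._icmp = {}  # (local_ip, remote_ip, icmp_id, icmp_seq) -> expiry

    def _expire(self, now):
        for table in (self._udp, self._icmp):
            for key in [k for k, exp in table.items() if exp <= now]:
                del table[key]

    def filter(self, pkt, now):
        """Return 'allow' or 'drop'; only outbound packets create state (now = seconds)."""
        self._expire(now)
        if pkt.proto == "udp":
            if pkt.direction == "out":
                self._udp[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + UDP_TIMEOUT
                return "allow"
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self._udp:
                self._udp[key] = now + UDP_TIMEOUT   # a reply keeps the flow alive
                return "allow"
            return "drop"                           # unsolicited UDP
        if pkt.proto == "icmp":
            if pkt.direction == "out":
                if pkt.icmp_type == ICMP_ECHO_REQUEST:
                    self._icmp[(pkt.src, pkt.dst, pkt.icmp_id, pkt.icmp_seq)] = now + ICMP_TIMEOUT
                return "allow"
            if pkt.icmp_type == ICMP_ECHO_REPLY:
                key = (pkt.dst, pkt.src, pkt.icmp_id, pkt.icmp_seq)
                # pop(): one request entitles exactly one reply, so a duplicate is dropped
                return "allow" if self._icmp.pop(key, None) is not None else "drop"
            return "drop"                           # other inbound ICMP not tracked here
        return "drop"
```

    Inbound ICMP error messages (destination unreachable, time exceeded) that relate to a tracked UDP flow are deliberately left out of this toy; a full implementation would match them against the flow table too.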
     
  8. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    The limitation isn’t specific to p2p users; actually there are other cases where the limitation (128) of simultaneous entries can be an issue. In any case the SPI should be implemented properly and fully flexibly, offering advanced controls through the Look ‘n’ Stop GUI or at minimum through the registry (as many strong & true stateful packet-filtering systems already do), where myself and others could easily make third-party apps to tweak it to our specific needs.

    Having first-hand experience with Look ‘n’ Stop customers, who actually participate over the official/unofficial Look ‘n’ Stop forums, and through any means of contacting me (… e-mail, ICQ, MSN), from that I know the statistics of p2p users and non-p2p users. And so it is shown (to me at least) that there were much greater numbers of p2p users. And those who are forced to disable Look ‘n’ Stop’s SPI implementation are at the same time leaving themselves much more vulnerable against many threats and attacks, and mere malformed packets.

    To your knowledge your software firewall product is a security plug only, while there are many for which a firewall is an extensive and detailed logging security system, that is capable of detecting & blocking and providing controls over everything that comes in over the Internet and in through your device, whether it is a packet belonging to a threat, attack or any malformed packet. If we the average users wanted a mere security plug we would be using incredibly terrific (and more than capable) “True Application-filtering” based software firewalls like …Outpost, Sygate, ZoneAlarm, Kerio, Tiny which are stateful-like but not true stateful firewalls (unless anyone can find official documents/posts/e-mails that indicate SPI for any of the listed firewalls works at the lowest network layer, then I’ll refrain from mentioning that firewall in further discussions about it not being a true stateful firewall).

    A software firewall should be able to offer maximum security capabilities regardless of the situation; it is a proven concept that true stateful packet-filtering systems are capable of working fully functionally and without interfering with the functionality of the software we run, whether it is p2p software or otherwise. To be capable of hearing our wounded cries month after month, knowing we have to make ourselves much more vulnerable than we have to, by being forced to disable the Look ‘n’ Stop SPI implementation, is entirely nonsense. You are right about something, that p2p software is high risk, but you are absolutely wrong to make assumptions for ALL p2p software; I know some very well coded p2p software that hasn’t been exploited as of yet, and I’m sure if the time arises the developers will quickly release a patched version like most of them do anyway; that is the importance of using up-to-date p2p software.

    Here is what I’ve known for a very long time:
    * Look ‘n’ Stop is far from being a “true” application-filtering based software firewall - so the need for a very strong & true stateful packet-filtering system is critical.
    * Packet filtering is pathetically weak – the need for a true application-filtering based software firewall is necessary, or a much enhanced packet-filtering system.
    * Its GUI hasn’t been made for ease.
    * Look ‘n’ Stop has little to no detection/controls for malformed packets.

    I would also list what I have come to realize, but it would be quite an extensive list.

    Listen, I really liked Look ‘n’ Stop, and at the time of my discovery of the product, I thought it had great potential, and I have been beyond tolerant for the longest time, and sticking with the product as long as I have should speak volumes, or at the minimum for anyone, show I really had liked the product. And I’m still here, voluntarily participating and trying to persuade you to give it much further thought on this, but I’m afraid this will be my last attempt. And I personally know coding can be a bit time-consuming along with the research done, and handling technical support via e-mail and official forums is a very hard thing to do alongside, and knowing there isn’t anyone (who belongs to the Soft4Ever team) except you qualified to really handle the technical support, if I only had some insurance that voluntarily offering my services here would help you focus on improving Look ‘n’ Stop, starting with some of the things I had mentioned, I wouldn’t even blink to give it. Anyway, you don’t have to put up with me any longer; if you read this all, I thank you.

    Sincerely,
    Phant0m
     
    Last edited: Nov 1, 2004
  9. Xyzzy

    Xyzzy Registered Member

    Joined:
    Jan 11, 2005
    Posts:
    67
    Location:
    Poland
    Could someone tell me why LnS SPI is not full, as suggested in this thread?

    X.
     
  10. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    I just read through this thread and now I'm wondering when these features will be implemented into LnS. If LnS had full IDS and SPI capabilities along with the other features mentioned, I would switch fw in a heartbeat.
     
  11. SpAwN

    SpAwN Guest

    Hi guys! Here's a feature request... the possibility to ban addresses (like, let's say, yahoo.com). This is useful because I had a server and wanted to disallow all connections incoming from a specific address (a script connecting to my PC on an open port and performing SQL injection). The problem is that I cannot ban the IP because the specific host has more than one IP (or a dynamic IP).
     
  12. Cynder

    Cynder Guest

  13. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,353
    Location:
    France
    Hi,

    I think we are talking about 3 different features here:

    1- A way to have DNS addresses known automatically by Look 'n' Stop (not sure this can be solved simply by a DNS resolution)

    2- A way to specify a name instead of an IP inside a rule, when there is a unique association IP<->Name

    3- A way to have several IPs blocked using a single name

    For 3-, I'm not sure it is possible to know all the IPs that are behind a name. In such a case it means the reverse resolution has to happen each time a packet is received by the packet filter, and I don't think this would be very efficient (or even simply possible).

    Frederic
     
  14. Pete99

    Pete99 Registered Member

    Joined:
    Apr 21, 2006
    Posts:
    47
    Location:
    U.S.
    I would also like to be able to put host names in internet rules and in application rules.

    In my case, I have a user who connects to my server to use FTP, PC Anywhere, Rsync, etc. She has a dynamic IP address, so I have to change it in my firewall every time that she restarts her computer.

    I've found a service at http://no-ip.com that would allow me to use a host name for her computer in my LnS rules, and then LnS could do a DNS lookup to get her current IP address to verify the connection request.

    I understand that it would not be efficient to do a DNS lookup for every packet, but I wish that there was a way to do a DNS lookup only when she first requests to make a connection to my computer, and then LnS would allow all packets from her that are part of the current connection. Maybe this isn't possible?

    For further efficiency, LnS could cache the host name and IP address in memory during the connection and for five minutes or so after she closes all connections (in case she wants to start a new connection to my computer using a different application).
     
    Last edited: Apr 21, 2006
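    One way to implement feature 2 from Frederic's list (a host name instead of an IP in a rule) with the connection-scoped lookup and five-minute cache Pete99 describes, as an added example that is not Look 'n' Stop's own code. The resolver is injected and assumed (a real build would call the system DNS), the grace period is an assumption, and the host name used in testing is a placeholder.

```python
# Constructed example (not Look 'n' Stop code): an inbound rule keyed on a
# dynamic-DNS host name. The name is resolved only when a new connection
# attempt arrives, never per packet, and the answer is cached while any
# connection is open plus a grace period after the last one closes.
GRACE_SECONDS = 300   # assumed: keep the mapping 5 minutes after all connections close

class HostnameRule:
    def __init__(self, hostname, resolver, grace=GRACE_SECONDS):
        self.hostname = hostname
        self.resolver = resolver     # assumed callable: name -> iterable of IP strings
        self.grace = grace
        self._cached_ips = set()
        self._cache_expiry = 0.0     # only consulted when no connection is open
        self._open_conns = set()     # (remote_ip, remote_port, local_port)
        self.lookups = 0             # how many times the resolver was really called

    def _ips(self, now):
        # Re-resolve only when nothing is cached, or the grace period has lapsed
        # with no connection open; an open connection pins the current answer.
        stale = not self._open_conns and now > self._cache_expiry
        if not self._cached_ips or stale:
            self._cached_ips = set(self.resolver(self.hostname))
            self.lookups += 1
            self._cache_expiry = now + self.grace
        return self._cached_ips

    def new_connection(self, remote_ip, remote_port, local_port, now):
        """First packet of a connection: cached lookup, then allow or drop."""
        if remote_ip in self._ips(now):
            self._open_conns.add((remote_ip, remote_port, local_port))
            return "allow"
        return "drop"

    def packet(self, remote_ip, remote_port, local_port):
        """Later packets: allowed only if they belong to an accepted connection; no DNS."""
        return "allow" if (remote_ip, remote_port, local_port) in self._open_conns else "drop"

    def close_connection(self, remote_ip, remote_port, local_port, now):
        self._open_conns.discard((remote_ip, remote_port, local_port))
        if not self._open_conns:
            self._cache_expiry = now + self.grace   # grace period starts now
```

    A side effect worth noting for a packet filter: a dropped attempt from an unknown sender does not trigger a fresh lookup until the grace period lapses, so unsolicited traffic cannot force one DNS query per packet.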
  15. Pete99

    Pete99 Registered Member

    Joined:
    Apr 21, 2006
    Posts:
    47
    Location:
    U.S.
    For the Log Window, you could use red text for blocked things and black text for allowed things. That would make it easy to see the difference.

    If people don't like red and black then you could put these color values in the Registry so that people could change them for compatibility with their color schemes in Windows.
     
  16. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    A way to identify invalid/missing DLLs (Options > Advanced > DLLs).
     
  17. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,353
    Location:
    France
    Hi,

    This is not so easy to do, the problem is it would be very difficult, when receiving the first packet, to initiate the FTP connect to start a DNS query and to do that at the packet filter level.

    Frederic
     
  18. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,353
    Location:
    France
    Most of the time only blocked things are in the log.
    However, there is anyway the +/- in the first column.
    Adding colors is possible, but this is part of the goodies that would make Look 'n' Stop not so light ;)

    Frederic
     
  19. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,353
    Location:
    France
    Do you mean the DLLs that no longer exist?
    It's true that for applications the ? icon allows you to see quickly which exes are no longer on the PC, and there is no equivalent for DLLs.

    Note that in the current version there is an automatic cleanup (for both Application and DLL) when the number of applications (or DLLs) is close to the max.

    Regards,

    Frederic
     
  20. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    Yes, that's what I mean.
    Well, I don't think I'm anywhere near the max, so it won't be automatically cleaned up. Maybe a cleanup button?
     
  21. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    I understand the hesitation, but if we understand the people of today, it's that they swing where it is most comfortable and with clarity; visuals, with the sacrifice of requiring a bit more resources, would go without complaints from many people of today.

    I think at minimum visuals should be optional; I know many people would love to simply glance at packet entries and determine instantly whether or not they are authorizing or blocking entries, and the direction of the entries.

     


  22. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    When LnS or the computer is restarted, internet and application filtering should both be (re-)enabled if necessary.

    I recently turned off internet filtering to test if LnS was blocking a program but I forgot to turn it back on. After seeing blank logs for a while, I found out why they were so.
     
  23. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,353
    Location:
    France
    Under Windows XP SP2, normally when you do that you should have some Windows Security Center alerts reminding you that the firewall is not enabled.

    Frederic
     
  24. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    I don't use the Security Center.
     
  25. Pete99

    Pete99 Registered Member

    Joined:
    Apr 21, 2006
    Posts:
    47
    Location:
    U.S.
    I just tested this and it works. Very cool!
     