OA Firewall (review)

Discussion in 'other firewalls' started by Stem, Mar 19, 2007.

Thread Status:
Not open for further replies.
  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have seen and used earlier versions of this firewall, and was going to wait until a final release, but due to PMs, and the open release (although not final), I will make a post.

    First, let's look at the settings.

    Standard mode

    From default installation the firewall is set at "Standard mode"
    ~screenshot taken during installation~
    01.jpg

    From this, if we check the firewall options:
    02.jpg

    At the top there is the option "Automatically allow Trusted programs to access the internet". This of course does as it states, and will allow applications that are trusted to be allowed internet access, and any rules for that application will be automatically created.
    Below this are the logging options, then the "Content control", the latter being how the firewall will check the applications, by either Hash (checksum), or by Hash and Path.
    The "Notify me when programs are autotrusted" will make the firewall give a popup when an application is first (automatically) allowed internet access.

    The "uninstall Firewall" is there if you are installing, and already have a firewall installed, or simply do not want to install this firewall.

    All applications that have been allowed internet access, and the rules created for these can be reviewed at any time.

    Select Firewall:- "Program access" tab for the programs allowed internet access
    03.jpg

    The "Rules" tab, which will show the rules created:
    04.jpg
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Advanced Mode

    Now, this is the setting I personally would use. The mode of the firewall can be changed at any time, by going to "Options"
    05.jpg

    If we then go to the "Firewall" tab, there are a couple of extra options

    06.jpg

    Again, at the top there is the "Automatically allow Trusted programs to access the internet", but with an extra option below: "Autoconfigure trusted programs". Depending on how you have these selected, you could for instance uncheck the "Automatically allow Trusted...." so that you are given the warning popup, but once a trusted program is allowed internet access, then any rules required will be made automatically. Or of course, you can uncheck both, and create rules from popups, or manually enter them (we will look at that a little later).
    The other option to note is the "Intercept Loopback interface". Now this will intercept comms on the localhost; this is needed particularly if you are using a localhost proxy such as "Proxomitron".

    The main difference between "Standard" and "Advanced" mode can be seen when we go back to the "firewall" settings/option.

    07.jpg
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    First, the ICMP tab. This, as you may have guessed, is for the ICMP settings.

    08.jpg

    We then have the "Restricted Ports" tab. This will block ports from being available to the internet. These can be added to, edited or deleted, depending on need.

    09.jpg
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    "Restrictions / Blacklists" tabs.

    I left these until now, as these options are also within the "program rules".

    Under the tabs shown, these are global rules, and can be added to a program's rules, which I will show a little later. First,

    Restrictions.
    This allows you to set what country, or single/range IP(s) are allowed or disallowed to be connected to. As you can see from the options:-

    10.JPG

    Blacklists,

    This enables you to load a "blacklist". I personally download my blacklists using the "Blocklist Manager". This will download the selected blacklists; the lists do not need to be converted, they can simply be loaded into OA. They can then, if needed, be edited. I don't normally have so many lists installed; I added these as I wanted to see how OA would handle large lists.

    11.JPG
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Program rules

    As mentioned, all program rules can be found: Firewall / rules / rules tab.
    To edit the rule, either double left click the rule, or select and press "Edit Rule":-

    14.JPG

    An example of a program rule: this is for firefox HTTP (remote port 80)

    12.jpg

    Now, I was a little concerned with this at first, as there is no "local port(s)" entry. But as there is the inclusion of the "restricted ports" I can see possibly why this was not included.

    You will note the other tabs on this rule,
    Endpoint Restrictions.
    Here you can leave as "Global Restrictions" (as you may have entered) or, you can use restrictions per rule. An example could be for DNS lookups, where you want to allow only comms to your DNS servers.

    15.jpg

    Then the Blacklists tab,
    Again, you can leave as global, or you can select just certain lists, or have none, depending on the application

    16.jpg
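As an added illustration (written for this review, not OA's own code and not something Stem posted), here is a small Python model of the rule order described in posts 1, 3, 4 and 5: content control by Hash or Hash and Path, the program rule's remote port, global or per-rule Endpoint Restrictions, global/selected/no Blacklists, and the Restricted Ports list for inbound. All program names, hashes, paths and IPs are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

def file_hash(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

@dataclass
class ProgramRule:
    name: str
    file_hash: str            # hash of the executable image (content control)
    path: str                 # checked only under "Hash and Path"
    remote_ports: set         # e.g. {80} for the Firefox HTTP rule
    endpoints: object = None  # None = Global Restrictions; set of IPs = per-rule
    blacklists: object = None # None = global lists; [] = none; list = selected

@dataclass
class FirewallConfig:
    check_path: bool          # "Hash and Path" (True) or "Hash" only (False)
    restricted_ports: set     # local ports never reachable from the internet
    global_endpoints: object  # None = no global endpoint restriction
    blacklists: dict          # list name -> set of blocked remote IPs
    rules: list

def check_outbound(cfg, image, path, dst_ip, dst_port):
    """(allowed, reason) for an outbound attempt, checked in rule order."""
    h = file_hash(image)
    rule = next((r for r in cfg.rules if r.file_hash == h
                 and (not cfg.check_path or r.path == path)), None)
    if rule is None:
        return False, "no program rule (firewall would prompt)"
    if dst_port not in rule.remote_ports:
        return False, "remote port not in rule"
    allowed = cfg.global_endpoints if rule.endpoints is None else rule.endpoints
    if allowed is not None and dst_ip not in allowed:
        return False, "endpoint restriction"
    lists = list(cfg.blacklists) if rule.blacklists is None else rule.blacklists
    if any(dst_ip in cfg.blacklists.get(n, set()) for n in lists):
        return False, "blacklisted"
    return True, "allowed by " + rule.name

def check_inbound(cfg, local_port):
    """Restricted Ports tab: the local port is not reachable from the internet."""
    return local_port not in cfg.restricted_ports

# Constructed sample config (hypothetical values, not an OA export)
FIREFOX, RESOLVER = b"constructed firefox image", b"constructed resolver image"
CFG = FirewallConfig(True, {135, 445}, None, {"ads": {"203.0.113.9"}}, [
    ProgramRule("firefox HTTP", file_hash(FIREFOX), r"C:\ff\firefox.exe", {80}),
    ProgramRule("DNS client", file_hash(RESOLVER), r"C:\res.exe", {53},
                endpoints={"192.0.2.53"}, blacklists=[])])
```

Note that, as Stem observes, there is no local port in the program rule; only the Restricted Ports list acts on the local side.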
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have probably missed some settings (and will add if/when found), but I must move on.

    Now before I continue, I must say that I am set up on W2K. I know from the release shown that OA2 is not compatible due to bugs/conflict with this OS, but there has been a release (build 160) to resolve this issue, which I currently have installed and running without issue, so,...

    Memory usage.
    I have had OA2 installed for around 18 hrs; the memory usage has varied. There are 2 processes running:-
    oasrv.exe: 8,000k - 10,000k
    oaui.exe 8,000k - 9,500k

    So on average, below 20mb

    I did expect a large increase in memory usage when I loaded the blacklists, as these between them are approx 12.8mb (txt files). There was a quick increase in memory usage of about 5mb when I loaded these, but this then went back down to normal.

    Surfing speed,.. no noticeable decrease in browsing, even with the blacklists (I shown) loaded.

    Now, kills/leaks

    I would have preferred to test this on the full release, and certainly not on W2K (due to possible bugs still present). But, I did some basics,

    APT4
    I ran the basic 12 kills against oaui.exe. OA passed all that I could run (kill 10 would not run on my setup (terminal service)).

    SPT
    Again I ran the basics (16 tests)
    OA failed on:-
    KILL 4 (terminate process by instruction pointer (IP) modification)

    Stopped, but with auto restart notification on KILL 16

    I still prefer to run these against OA on XP, or when final.
    Leaks,

    I did/do not have time to run the full batch of leaktests, but did a quick test with leaktest 1.2 (just to check hash checking) which it passed. Out of interest, I did run the PCFlankleaktest, which it did intercept (I was a little surprised,.. and I will need to find time to check out the rest of the protection)

    I hope this answers the questions I have been asked. Please do post to thread any findings you find yourself, or if you have other questions.

    Stem
     
  7. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I'll keep an eye on this firewall, it seems to get better each day :eek:
    Questions:
    - I also expect the local range to be included.
    - How to add remote IPs per app (mail servers, HTTPS, DNS servers).
    - How are DNS lookups handled (per app or global setting for svchost), and DHCP?
    Thanks Stem for your tests.
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Yes, as I mentioned, I would prefer for local ports to be included in rules. The restricted ports does give some compensation to this.
    Endpoint restrictions, check post 5. I can/will post examples if wanted (I know I should have given more detail, but spare time was/is short, sorry).
    No problem,..

    Stem
     
  9. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    So, "Endpoint restrictions" always refer to remote IPs? Sounds like the "Custom addresses" of Kerio 2.1.5.
    Thanks again Stem.
     
  10. pvsurfer

    pvsurfer Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    1,400
    Location:
    California - USA
    Stem, thanks for your excellent overview of this new FW (and HIPS?). Would you please let us know how much memory OA's processes use? ~pv
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Post #6
     
  12. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,203
    Location:
    USA
    Thank you for your trialing and evaluating this firewall, Stem. :D

    Regarding this:

    I'm looking forward (as I'm sure others are as well) to hearing your results once you've had time to put it through all the tests. Hopefully you'll be able to keep it around for a while afterward and put it through even more extensive testing, and keep readers like myself up-to-date on any developments as well as your opinion of it from your experiences (either positively or negatively).

    Thanks again :thumb:
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi JR,
    I did intend to setup and perform full leaktest "tests" ASAP, but as I have been informed that OA does block these,.. how can I not fully test. I will "pull`n`test"(so to say) tomorrow, with results as I find (both on W2k and XP)
     
  14. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    very nice review Stem :thumb:

    Also, would you mind testing OA FW with online games or p2p? I want to see how well it handles the connections and what not.
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I want to ask, can you use just the firewall without use of the OA HIPS?

    Also one Q from MikeNash, is there any future plan of FW alone without HIPS?

    Thanks
     
  16. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    Hi Aigle,

    Yes, you can disable the HIPS features selectively if desired - lots of configuration options. However, without some of the HIPS features enabled (for example, process tampering detection) then the firewall would fail the leaktests (if you care about such things).

    With OA2 it is possible to get rid of most of the HIPS things without sacrificing these features. For example, you can deselect "alert when an unknown program tries to run" which will still give you the other facilities but will not prompt on unknown EXE.

    Similarly, you can turn off the webshield popups (silently block) or turn off webshield all together.

    I'm not sure it would be worthwhile releasing a standalone firewall for the reasons I mention above.


    Mike
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks Mike!

    You are right that disabling HIPS will let the FW fail against leak tests.
    But I am concerned from a marketing point of view. Many users might not like full HIPS-like popups but will still like to use OA with fewer pop ups (related to anti-leak test functionality).
    I think there should be a one click option that will disable all HIPS functionality which is not related to the FW and leaktests, while at the same time keeping the FW and the part of HIPS which is necessary for leak tests enabled.

    I hope I am able to make my point clear.
     
  18. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    Hi Aigle,

    I agree it's a nice idea - but on this release, I must draw a line somewhere. For the last 8 months I've been adding "one more feature" to OA. We were ready long before Christmas with the firewall, but then I had to go and make it Kernel Mode... and now it's March :)

    So for this release - no more feature changes are going in. The slate is wide open for later versions of OA, of course.


    Mike
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Of course I am not suggesting it for now, just a suggestion for future versions.

    Thanks
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi WSFuser,
    I can set up for a torrent client, and will download one of the large linux(or whichever) iso files. I do want to see performance and memory usage of OA with many connections, but also with the large blacklist in place.
    I will do this after running through the leaktests (which I am setting up for now)
     
  21. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    I appreciate it Stem.
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    leaktest1.2 ...........pass

    PCFlankLeaktest .......pass

    Wallbreaker v4.0
    1 .....................pass
    2 .....................pass
    3 .....................Wallbreaker error "cannot create file"
    4 .....................Wallbreaker error "cannot create file"

    Tooleaky ..............pass

    Surfer ................pass

    pcaudit ...............Failed
    pcaudit2 ..............Failed
    (PCAudit uses DLL injection to inject its code (as a DLL) into an authorized application instead of launching its aim directly.)

    GHOST .................pass

    jumper ................pass

    firehole ..............pass

    thermite ..............pass

    dnstester .............pass

    Up to now, OA fails only on blocking dll injection. I can find no settings for this.
     
  23. Bio-Hazard

    Bio-Hazard Registered Member

    Joined:
    Jan 10, 2007
    Posts:
    529
    Location:
    Cornwall, UK
    Thanks Stem, nice work again. :thumb:
     
  24. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,203
    Location:
    USA
    Hi Stem, thanks for testing and providing the results of your findings (below):

    Very much appreciated. Thanks again, Stem :thumb:

    Interestingly enough.....your test results are a little different from the test results that Mike Nash posted at the Tall Emu/Online Armor forums (I hope Mike doesn't mind, and that this doesn't "breach" some sort of "cross-forum posting/referencing" rules):

    In Mike's testing, PC Audit passed...but with yours it didn't. But yet in Mike's testing, Wallbreaker failed but in your testing it passed (well, passed on 2 attempts, couldn't execute on the other 2). While Mike admits that his "personal" testing is done on an informal basis....each of you have very similar results with just a couple of discrepancies. I notice that you didn't include "Breakout" in your test results, Stem....just wanted to mention that because that is one test that had not "passed" previously for Mike. Otherwise, it's looking pretty good right now :thumb:

    I hope that both you and Mike will please keep up the good work....:D

    * And IF....the above post of Mike Nash is in violation of some sort of forum T.O.S., I hope that both Mike and Wilders Forums will accept my apologies in advance.....
     
  25. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    Hi Stem,

    Maybe we have a different version of pcAudit? I downloaded mine from firewall leaktester a few months ago.

    When I run the test here, OA gives me a set global hook warning, and then error 0 on step 5. When I look in advanced options in program guard I see that set global hooks is not allowed by OA - I'd be interested to see (offline/via PM) what you have seen.

    @JR - I have no problems with people copying and pasting comments I've made from the public areas of our site.
     