Opinions about pcInternet Patrol 2.0 Firewall!

Discussion in 'other firewalls' started by Firefighter, Jun 19, 2003.

Thread Status:
Not open for further replies.
  1. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Hi everyone! Have you got some experience about pcInternet Patrol 2.0 Firewall?

    http://www.pcinternetpatrol.com/downloads/pcip.php

    According to these Leak tests,

    http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/pageweb/test.html

    my Outpost Pro 2.0 should pass the PCAudit test, but I couldn't pass that test when I used the "Component control level is MAXIMUM" position in my Outpost Pro 2.0. o_O

    I am now a bit worried, because I am going to have a fast ADSL internet connection (= continuous) today!

    This PCAudit firewall test is made by the same company that makes the pcInternet Patrol Firewalls!


    "The truth is out there, but it hurts!"

    Best Regards,
    Firefighter!
     
  2. Open Source

    Open Source Registered Member

    Joined:
    Jun 12, 2003
    Posts:
    50
    Location:
    The Net
    Re:Opinions about pc-Internet Patrol 2.0 Firewall!

    Hello, interesting question indeed.

    But if you are going to have a fast connection to the net and not dial up.

    Then you might consider a Hardware firewall.

    I feel that with a super fast connection and speed you should worry more about hackers as they can hack you faster and in real time.

    For dial up "firewall software" is fine.

    Some people have a hardware firewall and a software firewall together.

    Personally I think it's overkill, but better being safe than sorry.

    So if you have some money to spend and a little time on your hands, I'd check into a nice hardware firewall.
     
  3. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    I have to agree with OpenSource, either a hardware firewall or a dedicated host firewall is the preferred solution unless you have a laptop that you take around and even then I would recommend both the separate firewall as well as the Personal Firewall.

    I've no experience with the product you mentioned so I have no input in that regard.

    Hope this Helps and Drive Safe :D,

    Dan
     
  4. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello,

    Basically, a hardware FW is just a gateway machine with a built-in software firewall which controls the inbound connections, not always outbound ones.

    If you have no LAN and are a home user, a well-set rule-based software FW offers fair protection.

    On a LAN, I would suggest a dedicated LINUX server as gateway (IPtables and/or Freesco) for the clients AND a rule-based FW on each client controlling outbound.

    An old PII with 64 MB RAM is enough.

    Rgds,
     
  5. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    For a dedicated Host firewall I am running OpenBSD's pf on a Pentium 90 :D
     
  6. gkweb

    gkweb Guest

    A software firewall is still needed, I think, at least to filter applications.

    regards,

    gkweb.
     
  7. Sisko

    Sisko Registered Member

    Joined:
    Jan 16, 2003
    Posts:
    42
    Hi,

    I may be wrong, but I think that Firefighter asks for advice regarding not only inbound protection but also outbound protection (PCAudit).

    For that purpose, I think no hardware firewall is a solution.

    regards,
    Sisko
     
  8. gkweb

    gkweb Guest

    ZA 4 and OP 2 pass pcaudit, but it required max settings, hard to find indeed.

    Those who want OP2 screenshots of settings, email me at gkweb@wanadoo.fr

    regards,

    gkweb.
     
  9. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    gkweb,

    Do the community a favor, and feel free to post them over here ;)

    regards,

    paul
     
  10. Open Source

    Open Source Registered Member

    Joined:
    Jun 12, 2003
    Posts:
    50
    Location:
    The Net
    Re:Opinions about pc-Internet Patrol 2.0 Firewall!

    Yes pictures are always nice.

    If you don't have a web site to remote link them from just attach the file when you post.

    You will see the attach file option towards the bottom when you post, every time you reply.

    Just hit browse, locate the picture on your PC, then hit post.
     
  11. gkweb

    gkweb Guest

    Those settings are an example to pass pcaudit.

    Trusting applications has nothing to do with the capability to block a leaktest or not; put them in "partially allowed" to tighten up your security:
    http://perso.wanadoo.fr/jugesoftware/conf1.JPG

    Component detection at MAX, but be sure to remove them all in case you allowed the pcaudit DLL by mistake:
    http://perso.wanadoo.fr/jugesoftware/conf2.JPG

    Nothing to do with pcaudit, but could be useful if you are on a LAN:
    http://perso.wanadoo.fr/jugesoftware/conf3.JPG

    Disable system global rules, prefer per application rules (in partially allowed)
    http://perso.wanadoo.fr/jugesoftware/conf4.JPG

    A very important thing !!
    http://perso.wanadoo.fr/jugesoftware/conf5.JPG

    I remove plugins to do tests, but I think of course that you can use them:
    http://perso.wanadoo.fr/jugesoftware/conf6.JPG

    Just an example to show that OP2 can block leaktests but sometimes only logs them, with no popup warning:
    http://perso.wanadoo.fr/jugesoftware/conf7.JPG

    After that, I advise you to reboot, because it seems that OP2 doesn't apply all settings.

    With this, when pcaudit tries to inject its DLL, OP2 will ask you if you want to update components for the application accessed or block it.

    regards,

    gkweb.
     
  12. Open Source

    Open Source Registered Member

    Joined:
    Jun 12, 2003
    Posts:
    50
    Location:
    The Net
    Re:Opinions about pc-Internet Patrol 2.0 Firewall!

    gkweb, that was some great posting and very nice pictures.

    I applaud you.

    We are lucky to have such a promising new member.

    And thank you for that great post.
     
  13. gkweb

    gkweb Guest

    thank you :)
     
  14. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To gkweb from Firefighter!

    Thank you very, very, very much for those Outpost Pro 2.0 settings! :D :D :D


    Best Regards,
    Firefighter!
     
  15. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    I just noticed something that I think needs an extra comment.
    In the section with the pictures of Outpost where gkweb says
    , this is very true. The picture shows all the applications in the Trusted applications section and that is something we always recommend against. The reason is that any application in the trusted applications section is not governed by the Outpost rules, it is in effect ignored.
    It is sufficient in most cases to have your applications in the partially allowed section with the suggested preset rule list applied.
    This is not meant to criticise gk, it is just to clarify to anyone not familiar with Outpost rules that applications should not be placed in the trusted applications if rules can be made for it. :)
     
  16. gkweb

    gkweb Guest

    Absolutely, I just gave my settings while testing leaktests, but of course it's better to put them in partially allowed with per application rules, which is what I said here:

    and

    I agree ;)

    regards,

    gkweb.
     
  17. DavidH

    DavidH Registered Member

    Joined:
    Nov 1, 2002
    Posts:
    40
    Location:
    Fort Worth, TX USA
    Hi gkweb,

    Excellent work. The more people that try to find holes through the major software firewalls, the better. That is my opinion. I just wanted to write to tell you that I tested WallBreaker and PCAudit with Outpost V2 tonight. Of course, I am running the latest public version of the firewall. And, although I feel that you have given outstanding general advice on how to configure Outpost, my results differ from yours slightly. And, here they are:

    PCAudit: Passes with Normal component control and default global rules.

    WallBreaker: Passes with Normal component control and default global rules.

    As I said, the advice you gave was very good. I just wanted to point out my experience with these two LeakTests. I keep a running scorecard at this URL:
    http://www.outpostfirewall.com/forum/showthread.php?s=&threadid=7459

    I am not sure if it is allowable to post links to other forums here, but I have posted the link above in good faith rather than trying to promote the OutpostFirewall forum.

    Lastly, I do want to say the following. ALL of my rules are custom made. I always choose 'Other' when a rules creation popup appears and create the proper rule. I say this because it is possible that users who have allowed rules to be auto-configured may not get the same results as I when performing the LeakTests. One of the major reasons for this is that explorer.exe is given TCP Outbound HTTP access by default and I have found this to be a problem in the past when performing some LeakTests. Currently, I have explorer.exe manually setup to ONLY communicate with ONE IP. That IP is associated with Windows Help. So, any user of Outpost may want to remove explorer.exe from their application list and manually choose when to allow or not allow access for this executable. In the case when a LeakTest is performed, it is sufficient to choose Block Once when a rules creation popup appears and to choose to Block when presented with a component control popup. This should take care of the Leak Test. In the case of a rule creation popup when using Windows Help, it would be OK to choose 'Other' and just create a rule for TCP Outbound HTTP to the SPECIFIC IP mentioned.

    Agnitum has added some entries to their INI files that may further protect explorer.exe from being exploited by a Leak Test for a user who is using an auto-configured rule list. But, I have not had a chance to test whether this will make a difference yet. So, I recommend that users of Outpost follow the instructions regarding explorer.exe that I noted above. As I do further testing, I will faithfully update the thread that I listed above to ensure that it is as accurate as possible.

    Thanks again gkweb and keep trying to poke holes in those firewalls.

    Have a good day. :D
     
  18. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    Not a problem at all, David. ;) And thanks for adding your information here.

    Best Wishes,
    LowWaterMark
     
  19. DavidH

    DavidH Registered Member

    Joined:
    Nov 1, 2002
    Posts:
    40
    Location:
    Fort Worth, TX USA
    Thanks LowWaterMark,

    By the way, I have checked out ZA4 and your posts regarding it here in the forum. You are right, ZA4 is a good compromise between simplicity and configurability regarding rules configuration. At least, I hope it was you who said that. :D I used ZAP for years and also recommend it to users on the OutpostFirewall forum having problems with Outpost. If I have learned anything in the past several years, it is that ALL firewalls do not work on ALL systems. It is really strange. And not being a developer, I do not understand all of the complexities. Anyway, I did not mean to ramble on too much here. I just wanted to say thanks for the reply and your thorough ZAP configuration threads.

    Have a good day. :D
     
  20. _anvil

    _anvil Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    56
    @DavidH

    _How_ did OP2 block pcAudit?
    Did you have a browser running (which is required for thorough pcAudit tests, although it isn't said by pcAudit... ;) )?
    (In gkweb's 'out of the box settings', the explorer.exe is allowed to communicate, so pcAudit should bypass OP2 in these settings, anyway.)


    Same question: _How_ did OP2 block it? At this point, I really can't imagine, how OP2 could block Wallbreaker... o_O
     
  21. gkweb

    gkweb Guest

    Thanks for your comments DavidH.

    About leaktests, for the highest settings results (on my site), I don't try to find from what settings it can block a leaktest, I just set it at max, and look if it can or not ;)

    About WallBreaker, I tested OP2, like all the other firewalls that I'm testing, and none blocks it.
    But to do tests, I always fully trust explorer.exe and iexplore.exe; that is probably the difference, because a non-vulnerable firewall should block it anyway. For instance, "Tooleaky" (which launches IE) is detected even with IE fully trusted by most firewalls (OP2 too :)).

    This is just to test if the firewall is vulnerable to the exploit or not.

    Afterwards, of course, it's far better to improve security to prevent such exploits, like denying explorer.exe and adding per application rules... I'm working on a new page that I will add, which will be about "best guidance settings and behaviour" to improve security and cover firewall leaks.

    regards,

    gkweb.
     
  22. _anvil

    _anvil Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    56
    I just tested (again): 'explorer.exe' didn't need any rights for pcAudit ('normal' component control) and Wallbreaker to bypass OP2.
    This is quite logical, because in both cases, it isn't 'explorer.exe' which communicates.

    So the question to DavidH remains... ;)
     
  23. gkweb

    gkweb Guest

    For WallBreaker, it depends on the OS...
    Indeed, it doesn't have the same behaviour on XP and 2000:
    XP -> explorer.exe accesses the Internet
    2K -> iexplore.exe accesses the Internet

    In both cases explorer is the start, and an IE window is the result, but what follows is not handled in the same way by the two OSes.

    This is what I noticed.

    regards,

    gkweb.
     
  24. _anvil

    _anvil Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    56
    Hmm, on 'my' WinXP machine, it is still iexplore.exe (IE), which connects... o_O
     
  25. gkweb

    gkweb Guest

    lol

    Maybe it depends on services started or not, I will not try to define which :D
    It's the same exploit for all OS, but they handle it as they want :)

    regards,

    gkweb.
     