Outpost Firewall Pro 2009 Testing and Optimization Thread

Discussion in 'other firewalls' started by Escalader, May 3, 2009.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello 2 way firewall users:

    This thread is NOT a learning thread, it is a testing and optimization thread.

    As before this thread is:
    1. Not a product X vs product thread; these are a waste of effort
    2. Not a chance to "knock" OP or the vendor
    3. Support for OP is available in their user forum and direct from the vendor's technical support
    On my own system's setup, I have the firewall program that comes embedded with Outpost Firewall Pro 2009 ver. 6.5.4 (2525.381.0687), which is the paid version. Like most 3rd party FW's, OP FW has other security features, so if you like, it is NOT a pure firewall.

    What is posted here may or may not apply to the new Outpost Firewall Free. There is a thread here on this one https://www.wilderssecurity.com/showpost.php?p=1454667&postcount=1

    As well, this thread is silent on the OP Security Suite.

    Here is a portion of OP's features description of the paid version of Outpost Firewall Pro 2009:

     
  2. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    ARP Attack Settings in Outpost Firewall Pro 2009 Testing and Optimization Thread

    Hello Stem:

    Attached are my settings for ARP Attack Protection:

    Question: Do they work?
     

    Attached Files:

  3. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    Re: ARP Attack Settings in Outpost Firewall Pro 2009 Testing and Optimization Thread

    They didn't. I don't know now.
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: ARP Attack Settings in Outpost Firewall Pro 2009 Testing and Optimization Thread

    I did check earlier, and yes they do now work correctly on my setup, and will block my ARP attacks and attacks from such as netcut.
    The only possible problem can be from the gateway ARP cache becoming poisoned. Normally when under ARP spoof attack I would start to ping the actual gateway to refresh the cache.


    - Stem
     
  5. hayc59

    hayc59 Updates Team

    Joined:
    Oct 29, 2008
    Posts:
    2,133
    Location:
    R.I.P. Roger(roddy32)
    Escalader, Hello and Nice Idea..improve on a great piece of
    software...wonderful :thumb:
     
  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Hello Giddyup:

    Exactly.

    The more transparency and testing the better for everybody, vendor and users. At least that is how I see it. :cool:

    Testing is the only way to uncover facts otherwise all we have is opinions.
     
  7. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: ARP Attack Settings in Outpost Firewall Pro 2009 Testing and Optimization Thread


    Right, here are the default ICMP settings in jpg.

    What changes should or can be made to these to defeat your pinging refresh test?
     

    Attached Files:

  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: ARP Attack Settings in Outpost Firewall Pro 2009 Testing and Optimization Thread


    You misunderstand, or my description was not so good. The ping is part of the defense. When attacked from such tools as Netcut the ARP cache in an unprotected gateway can become poisoned (spoofed packets can also be sent direct to the gateway); this can cause connection problems even when the host's ARP cache is correct. Pinging the gateway from the host can update the gateway cache.


    - Stem
     
  9. hayc59

    hayc59 Updates Team

    Joined:
    Oct 29, 2008
    Posts:
    2,133
    Location:
    R.I.P. Roger(roddy32)
    Stem
    So what you are saying is, there are pro and cons to
    having 'ARP filtering' enabled?
     
  10. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    In most cases ARP protection is not needed. It is doubtful that you will come under attack inside your own home LAN, but if the protection is there, then users want to enable it and it should work correctly. The quick tests I make for the ARP spoofing are based on the attacks I have seen from the various tools that are (or were) available to anyone who could use Google (or similar), so I only check a firewall against these types of attacks. However, I can craft attacks that combine various protocols with ARP that will make the firewall think it is under attack from the gateway, and the firewall will then block the gateway and the firewall will DOS itself. It is even possible that a firewall will see a gateway as an attacker simply because of normal activity from the gateway, such as if it is updating its cache and scanning the LAN.

    - Stem
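
Added example (not part of the thread, and not Outpost's detection code): a sketch of the false positive described in the post above, comparing a scan-rate rule with a check against a pinned gateway IP/MAC binding. The addresses, the threshold and the event tuples are constructed assumptions.

```python
from collections import defaultdict

# Assumed LAN values for illustration; the pinned binding is what an admin
# would record from a known-good state of the network.
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "00:11:22:33:44:55"
PINNED = {GATEWAY_IP: GATEWAY_MAC}

def sweep_events():
    """Constructed sample: the router refreshing its cache by sending ARP
    requests for many LAN hosts from its real MAC (normal activity)."""
    return [("request", GATEWAY_IP, GATEWAY_MAC, f"192.168.1.{n}")
            for n in range(2, 40)]

def conflict_events():
    """Constructed sample: frames in which another MAC claims the gateway IP."""
    return [("reply", GATEWAY_IP, "de:ad:be:ef:00:01", "192.168.1.10")] * 3

def rate_heuristic(events, threshold=20):
    """Scan-style rule: flag any sender with more than `threshold` requests."""
    counts = defaultdict(int)
    for op, ip, mac, _target in events:
        if op == "request":
            counts[(ip, mac)] += 1
    return {sender for sender, n in counts.items() if n > threshold}

def binding_check(events, pinned):
    """Flag frames whose sender IP is pinned but whose sender MAC differs."""
    alerts = set()
    for _op, ip, mac, _target in events:
        expected = pinned.get(ip)
        if expected is not None and mac.lower() != expected.lower():
            alerts.add((ip, mac))
    return alerts

if __name__ == "__main__":
    # The rate rule flags the real gateway during a sweep (false positive);
    # the binding check stays quiet for the sweep and fires on the conflict.
    print("rate rule, sweep:     ", rate_heuristic(sweep_events()))
    print("binding check, sweep: ", binding_check(sweep_events(), PINNED))
    print("rate rule, conflict:  ", rate_heuristic(conflict_events()))
    print("binding check, confl.:", binding_check(conflict_events(), PINNED))
```

A rule that blocks whatever the rate heuristic returns would cut the host off from its own gateway, which is the self-inflicted DOS mentioned above.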
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: ARP Attack Settings in Outpost Firewall Pro 2009 Testing and Optimization Thread

    Hi Stem:

    I misunderstood and assumed that the ping was part of the test attack. I have next to nada knowledge of attack testing. :oops: but maybe not, never claimed any!

    At any rate, can you have a look at the OP defaults for ICMP and advise what changes you would suggest to maximize security?
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: ARP Attack Settings in Outpost Firewall Pro 2009 Testing and Optimization Thread

    [I presume you are on a LAN with only XP on all nodes(PCs) as I (personally) currently have issues with ICMPv6 and Teredo.]

    Personally I see no problem with the settings you have. There is a setting in the attack_plugin to block ICMP fragments; if that is not enabled, then I would enable that.

    - Stem
     
  13. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: ARP Attack Settings in Outpost Firewall Pro 2009 Testing and Optimization Thread

    You presume correctly. All nodes/PC's are xp sp3 no ICMPv6.

    I will check the settings again in attack plugin for the fragments in fact I will confirm the enable and post the 2 sets of settings via jpg.

    The only one I blanked out was the single port scan.
     

    Attached Files:

  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: ARP Attack Settings in Outpost Firewall Pro 2009 Testing and Optimization Thread

    Disable the "Port scanning", it is not needed on your own setup. Disabling that will then stop a possible FP of attack from your router if it scans the LAN for cache update.



    - Stem
     
  15. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: ARP Attack Settings in Outpost Firewall Pro 2009 Testing and Optimization Thread


    Ahhh, it was only the single port scan. All my other port scanning is enabled.

    Sort of like that movie, Hunt for Red October: 1 "ping" and 1 "ping" only.

    Does your response remain the same? :doubt:


    note, I'm no longer on ARP attacks here so title is off a bit
     
  16. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I just tested the blocked content feature. I chose my OLB client # and the psw.

    First step is entering the bank ip addy to the exclusion list so you can still do OLB.

    Next I entered the data to be protected

    The test I did related to email: I tried to email the protected data to myself at my web email on my ISP using MS Outlook. Well, 1 piece of data just evaporated; the second was replaced with meaningless letters.

    Then I went to the ISP site to pick the email up and it was the same, scrambled.

    However, when I used the ISP mail service in Internet Explorer the whole attempt failed; I got a message that IE was unable to connect. In this test I tried to use the web mail to send the same data back to myself.

    There are 2 ways to prevent the data: block any packet containing the data from leaving the PC, and the second way is the data is replaced by ****. This 1st test was with the whole packet being blocked option; the next test is going to be the replaced by *** option.

    More later.
     
    Last edited: May 3, 2009
  17. hayc59

    hayc59 Updates Team

    Joined:
    Oct 29, 2008
    Posts:
    2,133
    Location:
    R.I.P. Roger(roddy32)
    Very interesting
     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    What happens when the private data is sent out encrypted?


    - Stem
     
  19. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Stem:

    The quick answer is I don't know, BUT I intend to find out by asking the support folks at:

    http://www.agnitum.com/support/

    or the user forum.

    One way I have right now of testing encrypted "protected by OP" data is to create, say, an encrypted attachment containing this data and repeat the email send test. At this point, I was only trying to see if the feature worked at all. It does. On https, well, the jury's out. Or I could remove the bank's IP from the exclusion list and see if I can log in; that will be faster.

    This same issue came up on another product where the insertion of a license number in the protected data list showed that the vendor SW was "phoning home". They were caught on their own feature as their code tried to send the license number home each time product started up.
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Question Stem, besides own network, does it also help to protect against 'man in the middle' attacks where the supposedly internal connection is in fact an external one?
     
  21. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    Re: ARP Attack Settings in Outpost Firewall Pro 2009 Testing and Optimization Thread

    Escalader, it's been my understanding over time, that if you're the only machine on the network, you only need to enable the "smart arp filtering", the other options are more for machines that are on a network with many others. Also in the attack detection exclusions, you can add your dns servers, and your router ip (gateway). That's been my understanding, anyway, but stem or manny carvhallo (spelling?) can offer much more insight I imagine.

    Also under the lan settings, if you don't need them, you can uncheck netbios, nat zone, and trusted.

    Under the properties of your network adapter, you can disable the protocols you don't need (client, network load balancing, printer sharing etc).

    Hope this helps in some way
     
  22. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,728
    Location:
    localhost
    Uuuhm nope, this will not test the outpost capacity to read the e-mail before it gets into the SSL communication but the capacity to crack an attachment (not really possible).

    You could simply create a free gmail account to test. It uses SSL pop/smtp.

    Fax
     
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK

    It can only protect from within its own LAN, but even then there must be some check made and protection of possible DHCP/DNS spoofing.

    One of my concerns has always been where a user, who could probably be connecting through an ISP LAN, is informed to use a router, and most home routers do not protect against ARP/DHCP/DNS spoofing, so any protection on the host is not effective against any attacks against the router, so traffic that leaves the PC going through the router could easily be redirected to "Man in the middle".


    - Stem
     
  24. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: ARP Attack Settings in Outpost Firewall Pro 2009 Testing and Optimization Thread

    Hi Chrome:

    Thanks a lot. I am sharing a router with other PC's, one for sure I don't trust as it is a gaming machine. As you suggest I have already disabled netbios, nat zone and trusted. So that confirms that.

    On the ARP threat, I'm leaving that to those guys you listed as ARP is above my pay grade. All I want to do (selfish, I know) is optimize the OP security given the features of my set up.
     
  25. Manny Carvalho

    Manny Carvalho Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    270
    When data is encrypted nothing happens because it can not read encrypted data. Private data transfer only works for data sent clear.
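
Added example (not part of the thread, and not Outpost's code): a minimal outbound content filter with the two modes described earlier in the thread (drop the whole packet, or replace the match with asterisks), run over the same message sent in clear and sent encrypted. The protected value and the message are constructed, and `toy_encrypt` is a hypothetical stand-in for SSL/TLS or an encrypted attachment, not a cipher to use.

```python
import hashlib

PROTECTED = [b"4417-1234"]   # constructed sample value, not real data

def filter_packet(payload: bytes, mode: str = "block"):
    """Return None if the packet is dropped, else the payload to send on.
    mode="block" drops any packet containing protected data;
    mode="replace" overwrites each match with asterisks."""
    if not any(secret in payload for secret in PROTECTED):
        return payload                       # nothing recognised: passes as-is
    if mode == "block":
        return None
    out = payload
    for secret in PROTECTED:
        out = out.replace(secret, b"*" * len(secret))
    return out

def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for an encrypted channel: XOR with a SHA-256 keystream.
    Applying it twice with the same key returns the original bytes."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed sample message body
CLEAR = b"To: me\r\n\r\nmy client number is 4417-1234\r\n"

def demo():
    """Run the filter over the clear and the encrypted form of CLEAR."""
    encrypted = toy_encrypt(CLEAR, b"session-key")
    return {
        "clear_block": filter_packet(CLEAR, "block"),
        "clear_replace": filter_packet(CLEAR, "replace"),
        "encrypted_block": filter_packet(encrypted, "block"),
        "encrypted_roundtrip": toy_encrypt(encrypted, b"session-key"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The encrypted packet passes untouched and still decrypts to the full protected value at the far end, because the filter only ever compares bytes as they appear on the wire.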
     