Using older version of Firewall (is it Ok)?

Discussion in 'other firewalls' started by darpa999, Feb 14, 2011.

Thread Status:
Not open for further replies.
  1. darpa999

    darpa999 Registered Member

    Joined:
    Feb 12, 2011
    Posts:
    9
    Hi,

    Is it Ok to use an older version of firewall like for instance the McAfee Desktop Firewall 8.5 for XP?

    I know it does not work for Windows 7, but will it be OK to use this old version?

    Thanks.
     
  2. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,734
    question back: can you imagine why someone improves its security-program?

    (I hope you can - the opposite is the answer to your question)
     
  3. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    Firewall by itself is not obsolete since, except for IPv6, internet hasn't changed.
    Ports and protocols and how MD5 is calculated, still are the same in XP as they were years ago.

    What changes are the additions to firewalls - behavior blockers, HIPS, spyware watchers, things of that sort, where some of them require updates and improvements. They're suites really. They need to be current.
     
  4. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,734
    you missed "bugfixes" and "other leaks" as major improvements.
    features are not relevant and can be disabled.

    BTW McAfee Desktop Firewall started in 2005 - 6 years are really old and not state of the art
     
    Last edited: Feb 15, 2011
  5. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    If the version you are using doesn't have any major bugs that would compromise the security level, then yes, it is OK to use.
    I use Kerio 2.1.5 that was released in 2003 - it's doing its job as it did 7 years ago :)
     
  6. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    Me too. On Win 2K and XP.
     
  7. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    Normally not if the software suffers from undisclosed vulnerabilities...
     
  8. DVD+R

    DVD+R Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    1,979
    Location:
    The Antipodes
    many people often rightly state that, just because it's newer, doesn't generally mean it's better :cautious: if it works on your system, then go ahead and use it
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The newer is better argument is based on 2 often faulty assumptions.
    1, That older software is buggy and vulnerable.
    2, That newer software is not.

    Single purpose apps like the above mentioned Kerio 2.1.5 often do the specific job they were designed for better than the equivalent components in the newer combined suites. Kerio for instance allows you to tightly control loopback traffic, permitting it for one app while denying it for another. Many of the newer suites don't give you that control. If you're setting up TOR and want to eliminate data leaks, loopback control is important.

    Yes, older firewalls can have unfixed bugs, but so can the new ones. Kerio 2.1.5 for instance has a problem with network/mask rules, explained in the Kerio learning thread. Workaround: use network range instead. As combined and integrated suites, the newer security products can have a lot more bugs and potentially serious vulnerabilities, known and unknown. Know the app you're using and its limitations. True, Kerio 2.1.5 doesn't have a built in HIPS and can't detect DLL injection, etc. There's no reason that HIPS has to be part of the firewall. Use a separate one if HIPS is important to you. There's pros and cons for both separate and integrated HIPS.

    The question shouldn't be which is better or is it OK. The only question that matters is which fits your needs and skills, and is compatible with your system.
     
  10. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    Security wise serious companies are dealing with internal breaking tests on a routine basis, paid external consultants audits and user reporting vulnerabilities. These are not reported publicly due to marketing reasons, image and safeguard of users of the product (i.e. you would not like to see at each version a list of fixes related to broken design security and you would not like kiddies to exploit a bug based on the description of the issue).

    By running an old software or an abandonware you are exposing yourself to much higher security risks than running a new software. Yes new version may have introduced new bugs but also new fixes. The probability of having vulnerability in older version is normally much higher than in new versions. New version may also bring improved protection and increase scope.

    In the security domain running outdated tools is like running no tools. Experienced users know anyway how to deal with the risk but for novice users you are sending a wrong message. :)

    Fax
    P.S. There are other firewalls with good control of 0.0.0.0 and 127.0.0.1.
     
    Last edited: Feb 19, 2011
  11. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Kerio 2.1.5 also has the infamous fragmented packet vulnerability, as discussed endlessly at DSLR and here at Wilders many years ago. It has been proven that you can fire fragmented packets at Kerio and they will go right thru the firewall. Workaround: None. Sometimes there are good reasons not to use older software.
     
  12. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,293
    Kerio 2.1.5
    Used it on my Windows 98SE and on my XP system before I had a router, never had an issue.

    Just because it's old, does not mean it won't work on your system.
     
  13. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,734
    nevertheless it is still vulnerable to those attacks even when those
    attacks pass but didn't find any target.
     
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    These packet fragments are just that, fragments. There is no workable exploit that successfully uses this vulnerability, even though it's been known for many years. If your PC is behind a router/modem, those fragmented packets will never reach your firewall. Workaround: unneeded. Even if it did work, a separate HIPS like DW or SSM would prevent any code assembled from these fragments from executing.
     
  15. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Kerio may or may not have been exploited yet (who knows really?), but that doesn't mean it can't or won't be. Who knows what's possible, or what someone may come up with. The fact that the vulnerability exists is enough to make me use something else. If you're behind a router, then why use Kerio at all? It's not particularly effective at catching possibly outbound traffic compared to the newer firewalls. At any rate, I hear you, and the choice would of course be up to each individual user as to whether or not they want to use a firewall with known imperfections that will never be fixed or addressed.
     
  16. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    A few interesting outbound catches to local host and remote IPs have just been posted by Rmus
    https://www.wilderssecurity.com/showthread.php?t=293463
     
    Last edited: Feb 20, 2011
  17. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    ZA - all versions watch local host like a hawk, Kerio2.1.5, Sunbelt 4.6, Outpost ... just to cite a few
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I think Kerodo won't mind if I speak for him -- we've discussed firewalls many times over the years, going back to the old Kerio Forum at DSLR.

    The original firewall leaktests changed forever the way people look at firewalls. Kerio 2 failed them miserably. Why? Because Kerio 2 (which was no longer supported) did not have the newer HIPS-like protection to monitor injection and all of that other stuff.

    So, as was pointed out by many, the newer firewalls no longer resembled the original concept of a firewall, and the vendors, in order to keep up with the competition, began to make their firewall into something more. It's these firewalls that I assume Kerodo is referring to.

    Now, there is nothing inherently wrong with the way firewalls have evolved -- that's the nature of change.

    However, it's a cat-and-mouse game because cybercriminals are always looking for different ways to let their malware connect out. The Conficker worm, for example, created an entire new playing field:

    Conficker Analysis
    http://mtc.sri.com/Conficker/
    Except for Conficker, you don't find malware with such esoteric methods. Have there been many examples of malware using the techniques that appear in the leaktests?

    All of this assumes, of course, that malware has installed/infected the system -- an assumption that not many I know are willing to concede!

    Nonetheless, to tie this in to the OP's question: Most people I know who help others set up a system will naturally install the latest type of products -- there is no reason not to, since you want them to be continually supported. Also, you want everything to be as easy as possible for them, and older products may need experienced people to tweak and secure them.

    Now, the outbound catches you refer to in my other thread are made before the malware executable has been installed, and they are standard outbound connections which Kerio has no problem with.

    What would you do if you were using a search engine and were redirected by means of an SEO exploit, to a malicious website like the one I showed in that other thread, and suddenly saw this firewall alert:

    [​IMG]

    You might know that Svchost.exe is a Windows application.
    You might know that it does need certain access to the internet.
    Would you permit this prompt?

    What if this were the alert?

    kerioalert1.gif

    Now, put yourself in the position of Mrs. Smith next door. What would you expect her to do?

    It's a dilemma for the not-so knowledgeable, especially the average home user who, if mimicking the way people just OK'd the original UAC prompts, will probably OK a firewall prompt.

    (Unless they have been instructed with firm policies/procedures, which is another topic)


    ----
    rich
     
    Last edited: Feb 20, 2011
  19. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Yes, exactly. Thanks Rich...
     
  20. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Given the age of the firewall, its unsupported status, and the fact that most are using something more recent, it's a safe bet that if it hasn't happened by now, no one is likely to bother with it.
    A software firewall is for specific control over traffic (port, protocol, IP address/range, direction) on a per application basis. My setup for instance does require me to allow some specific inbound traffic. Except for UPnP, which I don't use or trust, routers are not application aware. Software firewalls give the user very specific control over legitimate traffic. Kerio is one that is very good at this. As for malicious outbound that exploits a legitimate process for its internet access, a separate HIPS can fill that role, as can software restriction policies and any other method that can enforce a default-deny policy, which would prevent that malicious code from executing to begin with. For me, this task is handled by SSM.

    Even though vendors are combining these components, there's no reason that the internet firewall and application control software (HIPS) have to be a single package. It's a trend, not a requirement. While some will argue that the integration is an advantage, I would argue that combining an internet firewall and HIPS exposes the HIPS as part of the attack surface. When separate, the firewall protects the HIPS from attacks from the net while the HIPS protects the firewall from unwanted termination and code injection. Separate also allows you to update or replace the components of your choice. When separate, it's far less likely that an exploit or coding flaw will crash or defeat your entire security package than if it's one combined package. Given the choice, I'll always choose separate.

    Rmus,
    Regarding those alerts, the first gets a "no" answer. The 2nd gets that file erased. That's malware.
    regarding:
    I would not give Mrs. Smith a rule based firewall to begin with. That violates what I consider to be the most important criteria for choosing security apps.
    "The application must be compatible with the system, software, and the user's abilities." Rule based software isn't suitable for the average user. That said, most of the readers here are not average users. Those that are come here to learn and to get better than average.

    No one can say that you're biased on this subject. You discuss the advantages of the newer firewalls and your images of the prompts are from my old favorite, Kerio.
     
  21. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    Rmus,
    I hear you. Points well taken. And interesting. As usual.
    But many firewalls, plain, like Kerio, or fancier with HIPS, will have default, wide open rules, permitting svchost or \temp\applications or system to call out anyway unless a tighter setup is done. So we the users are cooked regardless.

    But the practical impact of what you and Kerodo are saying I do understand and the advantage of some system watch on top of a firewall certainly would pay off if the browser, permitted out to port 80 in a rule, hits a bad site. But such protection need not be bundled with the firewall. Kerio clearly can catch outbound, and to handle the crapware, more than a firewall is needed.

    That's what I learn here anyway :)
     
  22. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    I would have to agree with you there. For all practical purposes, it's safe enough....
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I learned from experience that the best way to work with a rule set firewall is to delete all of the default rules and start with a blank slate.

    This requires you to read and learn about networking protocols, for if you don't have a basic understanding, you won't know how to set things up properly.

    Kerio (and I assume newer firewalls) will prompt for everything, and you just set your rules accordingly. You have the control over which applications can connect out, and what can be permitted inbound; so, there need not be any "wide open rules" and no need to be "cooked regardless!"

    That's why the two svchost alerts in my previous post.

    The first is the legitimate svchost, but it's attempting to connect to an unauthorized IP, so Kerio prompts.

    [​IMG]

    Here, the user must have knowledge of what's really going on so as not to be fooled. Not the situation for "Mrs. Smith next door."
    Hence, noone_particular:

    The second alert is because it's not a legitimate svchost,

    [​IMG]

    and Kerio prompts for two reasons,

    1) wrong directory (...\temp\)

    2) bogus, spoofed application -- doesn't match the MD5 Hash that Kerio has recorded for svchost.

    kerio-md5.gif

    As noone_particular writes, it's malware.

    Note that the malware had to install (as I permitted for the test) before that outbound connection could be initiated:

    In which case in my example, a spoofed svchost.exe cannot be created in /temp:

    ae-block.gif

    End of exploit.

    ----
    rich
     
    Last edited: Feb 21, 2011
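
Added example, not part of Rmus's post and not Kerio's code: a sketch of the two checks described in post 23 (recorded path and recorded hash) plus the per-application destination rule, showing why the genuine svchost gets a prompt while the copy in \temp\ is flagged. SHA-256 is swapped in for the MD5 Kerio records; the rule table, paths, byte strings and documentation-range addresses are constructed for illustration.

```python
import hashlib
import ipaddress
from dataclasses import dataclass

def file_digest(data: bytes) -> str:
    # SHA-256 is swapped in here; Kerio 2.1.5 recorded an MD5 per application.
    return hashlib.sha256(data).hexdigest()

@dataclass(frozen=True)
class AppRule:
    path: str            # full path recorded when the rule was created
    digest: str          # digest of the binary recorded at that time
    allowed_nets: tuple  # destination networks the user approved

# Constructed sample data (hypothetical bytes, paths and documentation IPs).
GENUINE = b"constructed stand-in for the genuine svchost.exe image"
SPOOFED = b"constructed stand-in for a dropped look-alike binary"
SYS_PATH = r"C:\WINDOWS\system32\svchost.exe"
TEMP_PATH = r"C:\DOCUME~1\user\LOCALS~1\Temp\svchost.exe"
RULES = {"svchost.exe": AppRule(SYS_PATH, file_digest(GENUINE), ("192.0.2.0/24",))}

def evaluate(rules, path, image, dest_ip):
    """Return (verdict, reasons) for one outbound connection attempt."""
    rule = rules.get(path.lower().rsplit("\\", 1)[-1])
    if rule is None:
        return "PROMPT", ["no rule for this application"]
    reasons = []
    if path.lower() != rule.path.lower():
        reasons.append("wrong directory")
    if file_digest(image) != rule.digest:
        reasons.append("hash mismatch")
    if reasons:                       # identity failed: never a plain permit
        return "ALERT", reasons
    addr = ipaddress.ip_address(dest_ip)
    if any(addr in ipaddress.ip_network(n) for n in rule.allowed_nets):
        return "PERMIT", ["approved destination"]
    return "PROMPT", ["known application, unapproved destination"]

if __name__ == "__main__":
    for case in [(SYS_PATH, GENUINE, "192.0.2.10"),
                 (SYS_PATH, GENUINE, "203.0.113.5"),
                 (TEMP_PATH, SPOOFED, "203.0.113.5")]:
        print(case[0], case[2], evaluate(RULES, *case))
```
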
  24. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    351
    Even in its day McAfee Desktop Firewall wasn't one of the top choices. Its creation of advanced rules was cumbersome and (like Sygate) it didn't control a local proxy securely.
     
  25. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Yep, I remember that. It suffered the same issue as Sygate on loopback...
     