What does a leak proof firewall get you?

Discussion in 'other firewalls' started by Diver, Nov 4, 2007.

Thread Status:
Not open for further replies.
  1. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,219
    Hello,

    1. How do you disguise a trojan as a funny video?
    2. Why would you open something like that? Those are so annoying.
    3. Bypassed by anti-virus, ok...
    4. My documents? Who keeps their data there?

    Now even better:
    1. Company that disallows sending exe attachments.
    2. The trojan actually deletes the files rather than sending, so the devastating destruction of personal data occurs.

    Now the best:
    1. Most companies do not use outbound firewalls or very very basic ones.

    The problem begins with someone executing a file ... game over.

    Mrk
     
  2. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    I've had a few real infections (only 1 since joining here) and every one was a result of me being click-happy. Also, in every one of those instances my firewall did nothing because my AV was there to block it and tell me I was an idiot. HIPS would stop those malwares now, but I also don't execute unknown files anymore...
     
  3. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    making the other protections perhaps a bit surplus to requirements? And suggesting that a leak proof firewall gives some a sense of security but little more.
     
  4. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    That's what I'm thinking...
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Actually I do. But, I don't click on attachments, or any of the other silly things, and My Documents is protected by Sandboxie, and cannot be accessed from sandboxes, which browsers run from.
     
  6. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Another vote for this little fellow, which denies by default any executables that are not on your whitelist. I think it will solve most of the "leak" problems.

    /C.
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    A minor clarification about Anti-Executable: it's not really a HIPS, which implies behavior blocking, etc. It is execution protection only.

    In the sense that it blocks the executable from running -- not that it blocks something from "leaking" through a firewall.

    Using the example by wat0114 of the funny.exe video in an attachment: with a program that provides execution protection, the file can't be extracted:

    [screenshot: funny.gif]

    Note that the action is DENIED by default. There is no Permit|Deny prompt. This illustrates my point in other posts as to the difference between a simple execution prevention program, and a HIPS. The question was raised as to the complexity of making a Permit|Deny decision on the part of less-technically savvy users.

    The Default-Deny solution is ideal in family situations, or other situations where there are several users, and the parents|administrators want to control what gets installed.

    In the case of a single user with such a program, the user, upon receiving an executable by email, could not accidentally run the file. She/he would have to disable the security, then run the file.

    The scenario suggested by wat0114 of receiving the video by a "trusted" employee, which sneaks past AV, illustrates an all-too-common problem, where it's evident that there is no company policy about sending executable files by email.

    As Mrk points out,

    And suddenly an entire network is infected.


    ----
    rich
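    Mrk's point about companies that disallow exe attachments, and Rich's about the missing policy on executables sent by email, both assume a gateway that actually recognises an executable. The check below is an added example, not code from anyone in this thread: it parses a constructed message with Python's standard email library and flags attachments by content (the "MZ" header of a PE file) before falling back to the file name, so a renamed "funny.avi" or a double-extension "funny.gif.exe" is caught either way. The extension list and the sample message are constructed for the example.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions a mail gateway would treat as executable (constructed list, not from
# the thread). os.path.splitext takes the LAST suffix, so "funny.gif.exe" is caught.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def looks_executable(filename, payload):
    """Return the reasons an attachment would be blocked; [] means allowed."""
    reasons = []
    # Content first: a PE file renamed to "funny.avi" still starts with "MZ".
    if payload[:2] == b"MZ":
        reasons.append("MZ header")
    ext = os.path.splitext(filename or "")[1].lower()
    if ext in EXEC_EXTENSIONS:
        reasons.append("extension " + ext)
    return reasons


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message; list every attachment that would be blocked."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = looks_executable(name, data)
        if reasons:
            flagged.append((name, reasons))
    return flagged


def build_sample():
    """Constructed message: a disguised .exe, a real GIF and a PE renamed as video."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "funny video"
    msg.set_content("Check this out!")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="funny.gif.exe")
    msg.add_attachment(b"GIF89a" + b"\x00" * 16, maintype="image",
                       subtype="gif", filename="cat.gif")
    msg.add_attachment(b"MZ" + b"\x00" * 30, maintype="video",
                       subtype="x-msvideo", filename="funny.avi")
    return msg.as_bytes()
```

    Running `scan_message(build_sample())` blocks funny.gif.exe and funny.avi and lets cat.gif through; only the content check catches the renamed PE.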
     
  8. wat0114

    wat0114 Guest

    Hello,

    I don't know. You tell me. It can't be done? I'm not so sure about that.

    I forgot, nobody ever opens those :rolleyes: It seems you are assuming I open those? No, my scenario is not based on a personal experience, but I do know from experience what the average company employee is willing to open from their emails.

    Are you kidding?

    Of course, they all do :rolleyes:

    Apples to oranges scenario. We are talking about leaking data.
     
  9. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Regarding Rich's comment on Anti-Executable:

    That's my point: why spend your time hunting for the "best anti-leaking firewall" when there are alternative ways of solving this "problem"? Better that the firewall designers focus on the quality of how inbound blocking/filtering of packets works on their firewall instead of implementing more tasks to solve = higher potential risk of bugs/exploits that can compromise the security without the user even being aware of it.

    /C.
     
    Last edited: Nov 7, 2007
  10. Beavenburt

    Beavenburt Registered Member

    Joined:
    Dec 17, 2006
    Posts:
    566
    Leak protection is a marketing gimmick aimed at noobs to rob them of their well earned £.
     
  11. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    This can also save them money and time. Money, by having no need to call emergency support in case some destructive malware finds a way onto their computer. Time, by having no need to spend a lot of time and effort on education, spending it instead on something they really like to do.
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have not yet seen this directly. What I have seen is links within an e-mail to a "funny" (or whatever) video; when attempting to view it, there is the "codec needed" popup. The download/installation of the "codec" is normally the compromise (either the codec itself, or something built/added in to this).
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    HIPS.
    But nothing "unknown" ever executes on my PC
     
  14. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Another theme in security is that your main defense is your brain. That said, if you are smart enough to give the right responses to pop-ups from your firewall or HIPS, you are smart enough not to download the codec for the video.

    However, until a few weeks ago there was a security problem with Quicktime and Firefox. Code could be embedded in a Quicktime media file that could result in arbitrary code execution via the Firefox chrome type.

    The problem I see with any security program that does not have built in intelligence is the effort to set it up and deal with exceptions is beyond that which anyone but a hobbyist will put up with.
     
  15. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Regards Diver,

    I have no disagreement with this. I know some security programs now attempt to take out the user (whitelist etc.).
    It is actually an easy bypass. I know some who fall for this, and they think they are "clued up". I spoofed e-mail with links to my own server and 32 out of 71 installed (these were users I know, and the only problem they had was the fact of a popup that said "think better next time").

    This is the plugins? With installed (dll) with browser?

    Exceptions/bypass/possible incursions are not known until shown.
     
  16. wat0114

    wat0114 Guest

    The entire premise of my simple, hypothetical scenario is based on this. Trouble is, some people underestimate the awesome power of human error. They will then declare all you need is Firefox and the world famous Sygate firewall, and your network security problems will be solved.
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    LOL, I could have said more.
    LOL again.

    I do not simply look at this forum and its users, I look at what (all) users are like.
     
  18. wat0114

    wat0114 Guest

    Very O.T. but...

    Some members pique my interest more than others, including the one who triggered my rebuttals. You, Stem, have always provided the "voice" of knowledge, experience and reason.

    Finally, A leakproof or leak resistant firewall will probably benefit only the few (most of the paranoid Wilders members) who know and care about what they are doing.
     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I put forward what I know. More is not possible. I learn as we all do.

    I am gone now,..

    see ya later
     
  20. yeow

    yeow Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    225
    Sorry for butting in, but I thought your earlier example was about "average" people. And as a few members have pointed out, the "average" person who would execute "funny.exe" - what chance would the same person have of correctly configuring the firewall, and figuring out what those firewall pop-ups are about?

     
  21. wat0114

    wat0114 Guest

    Don't sell us average people short ;) Some of us are smart and alert enough to clue in to something that looks amiss. Admittedly, the leakproof fw will, however, benefit the more paranoid and geeky of those of us using it.
     
  22. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Looking at this thread, it now looks pretty much done to death and, as is usually the case, there are those who take one view and those who take a completely different view.

    In practical terms not having a leakproof fw has not been a problem. I must admit that years ago when I first ran leak tests I was concerned but after a little reflection I concluded that keeping nasties out was preferable to trying to stop them phoning home.

    Anyway, forget about me - I run with a hardware fw and no other recognized security - but I'm still intrigued about "benefit the more paranoid and geeky". Could you explain? Are you saying that those who benefit are the ones more prone to visit dangerous sites, or that having this protection gives a warm cuddly feeling? Or some other reason? Or simply that having lots of settings to set is fun in its own right?
     
    Last edited: Nov 8, 2007
  23. wat0114

    wat0114 Guest

    None of the above. Some of us like to learn.
     
  24. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Learn what? No pun intended. I assume that "some of us like to learn" is not meant to suggest that others of us don't. Anyway, I would like to learn - but what is there to learn with a leak proof firewall if there is nothing there to leak?
     
    Last edited: Nov 8, 2007
  25. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Stem-

    The only plug-ins required for the Quicktime/Firefox exploit were the plug-ins that Quicktime installs by default so that it will work with Firefox. This was fixed with Firefox 2.0.0.8 and a security update to Quicktime 7.2. I did not see any reports of this actually being used to install malware, but that's not definitive.
     