What's your reaction on this... about outbound?

Discussion in 'other firewalls' started by sweater, Jan 6, 2006.

  1. sweater

    sweater Registered Member

    Joined:
    Jun 24, 2005
    Posts:
    1,674
    Location:
    Philippines, the Political Dynasty Capital of the
    Some say (some are even longtime posters here) that there's no need for that outbound protection thing in a firewall if we do regular scans with anti-trojan scanner/s. :rolleyes: :D

    What's your personal reaction on this? o_O

    Is it really true that anti-trojan software can protect our PC from these outbound leak things? o_O
     
  2. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Nope, not at all. What if this anti-trojan doesn't have a signature for some Trojan X... it would be our firewall that stops the leaking, or some application control program/HIPS...

    A firewall, or a good protection program that can also control outbound connections... On one machine I have no firewall (except my router), but I do have something like AppDefend to control outbound, and I like this idea too... The problem is most of those application blockers aren't mature enough to handle the outbound connections. Maybe in the near future? I sure hope so.

    Cheers,
     
  3. sweater

    sweater Registered Member

    Joined:
    Jun 24, 2005
    Posts:
    1,674
    Location:
    Philippines, the Political Dynasty Capital of the
    Do you literally mean that in order for a Trojan to make outbound connections it must first modify something inside the system... :rolleyes: and that's what HIPS programs can detect? o_O
     
  4. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Yep, that's how I see it. Not all HIPS programs can detect outbound connections though; DefenceWall, for example, cannot, that's a totally different approach. AppDefend/SafeNSec can control outbound connections, but like I said, it's not mature enough and there are not enough configuration possibilities.

    If some trojan doesn't get detected by your anti-trojan/antivirus, then there are some possibilities to stop some of the malware activities, like a firewall, HIPS... We call this layered security: if one fails, you've got yourself covered.

    But saying there is no need for outbound protection if you scan your system every day is just ridiculous and irresponsible info.
     
    Last edited: Jan 6, 2006
  5. I'm afraid I have to disagree with Infinity about irresponsibility. Some people can and do survive without the use of application control outbound firewalls.

    In any case, where people (and some highly skilled and qualified people have said this) say outbound protection is not that useful, typically they are talking about a security stance/philosophy that concentrates on keeping malware off. They typically only advocate inbound protection with hardware firewalls.

    This view rightly observes that if you don't ever run malware, you are safe. Whether this is achievable (typically 'safehex' is advocated) or not, is a matter of opinion. And if you do run malware, they can damage your computer without the need of 'phoning home'.

    Much of the debate also revolves around whether leak tests in general are blockable.

    One camp believes that once a malware is allowed to run, it's too late; there are literally dozens of things it can do to bypass firewalls (and other precautions), and no matter how you try to patch them, there is inevitably another method that bypasses your firewall.

    It's much harder to guard against an insider job, and any malware that works on your system is in that situation against your firewall.

    It's better to concentrate on getting them off. So they argue.
     
  6. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Hi DevilAdvocate (what's in a name right :) ),

    Well, let's say WMP is trying to phone home; don't they want to control that? Or the update function: which svchost.exe can and can't phone home? I'd like to create rules, and no service should have all access. Without that outbound control, every process can have all access to the net, and that I don't like.

    Anyway, if something bypasses your firewall, if you got lucky some other program will stop some of the activity of that trojan.
     
  7. In any case, I'm hardly playing the role now.

    Neither of the two cases you mention is really dangerous. And they can be handled in other ways, of course, within the programs themselves.

    Wanting control is understandable, but that's hardly the same as saying someone is irresponsible if they don't care about them.

    Better never to run malware in the first place of course. But in any case, you are now *not* talking about the value of an outbound firewall.
     
  8. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    It's all what you want for yourself, I like to control as much as possible ... that's why I use Tiny2005 on my main machine.

    It's hard for me to understand why people say it's not that needed to have a software firewall if you've got a router, that's all...

    But maybe if you're skilled enough... it's possible to do it without... but I won't, never.

    (P.S. I meant it's irresponsible if you suggest to others not to use any outbound control. What you do for yourself is up to you, but telling others it's not necessary, I call that irresponsible.)

    have a good weekend
     
  9. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    yes, if you only go to one site (let's say Wilders) and the site is ok, you'll never get any spyware/infection .. that's safe hex too I guess :D
     
  10. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    351
    I travel between both camps periodically and I think deviladvocate's post above sums it up well.

    But since you ASKED... I think YOU should stick with firewalls that have outbound app control for now, until you fully examine all the risks and feel comfortable making a decision for YOURSELF based on YOUR situation.

    There are lots of PERSONAL things to consider, such as:

    1. Your computer's performance capabilities (for example, CHX-I may run better for you than Norton Internet Security, although CHX-I has no outbound app control).
    2. The quality of your antivirus program, whether you run it active or on-demand, whether you keep it up to date, how often new definitions are available, etc., whether you use other security programs.
    3. What you use (browser, operating system, etc.), how well it is locked down.
    4. What you do (browsing, email, chat, P2P, etc.)
    5. Are your current programs well-behaved re phoning home...do you try new programs sometimes that may phone home?
    6. How much you follow current security situations.
    7. Whether anyone else has access to the computer.
    8. Whether you have good backup plan (drive imaging software) if something goes wrong.
    9. The consequences of problems (i.e. are your credit card numbers and other personal information stored on your computer where malware could find and send them out? Is your computer just used at home for web browsing, or are hundreds of business contacts/customers at risk from your decision? etc.)
     
  11. Heh. I think you are way too paranoid. Learn to live a little.

    And the real devil's advocate these days is "sweater". But he's still at the newbie stage where he thinks there is only one correct answer to security setups, and gets confused when he sees what he thinks is contradicting advice from 'experts'.

    So he starts threads such as this one in hopes to see a big fight.

    But as Noway says the correct answer is 'it all depends'.....
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    Interesting, but after listening to Jesper Johansson's talk on Anatomy of a Hack, the first weakness he exploited was no outbound protection on their firewall. Since he couldn't communicate inbound, he found a way to get the server to communicate outbound and copy his stuff onto the server. One of his 10 steps to getting hacked is no outbound protection.

    Links to those talks

    http://www.microsoft.com/australia/events/teched2005/mediacast.aspx

    Pete
     
  13. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    Right now, I'm only using inbound protection because I still haven't found the best free program to use with CHX-I...

    Of course it is better to have outbound protection to "try" to control what programs are connected to the Internet, but it should be a really good program, or else it's better not to have it...

    And I agree with almost everything of this opinion: http://www.samspade.org/d/firewalls.html

    And I trust my current security setup... ;)
     
  14. devilish

    devilish Guest

    Thank you for posting the same link several times on this forum; I bet it makes a big impression if you haven't seen something like this before. But it's otherwise a pretty much run-of-the-mill hack exploiting errors in SQL processing, no input validation, to gain SA access with a remote admin shell etc. etc.

    Pretty much game over at that point. Being able to directly upload netcat or whatever he is using makes things slightly easier, but hardly a surprise. I do agree that the SQL server should be filtered but that's pretty unique to people with internal networks.

    For most single homeuser setups, you can't, you invariably have permissions for web browsing, email what not... And any attacker can easily use this...
     
  15. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    at devilsadvocate or devilish:

    Are you telling me there is no point in having any outbound control whatsoever?
     
  16. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    Yes, it can be handy, but don't count on it to catch all :)

    So it's just another layer that may or may not help...
     
  17. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    I must be stupid, SSK; really, what's the point of having layered security if you don't have any outbound control? So you let everybody into your house, but they can all stay in your kitchen? :p

    I hope someone did the dishes :D
     
  18. StevieO

    StevieO Guest

    I'd like to make some comments, without getting into personalities.

    Re samspade

    "(Maybe it'll block trojans from phoning home, but A) if you've run a trojan your system is completely compromised and B)"

    Yes, a good firewall will block those outbounds, from trojans etc. It wouldn't mean that a system is compromised at all: infiltrated yes, compromised no.


    B written in 2000.

    Re cyberpunks

    "Some of the statements below are based on the assumption, that a Firewall product is installed by the same user, the same way as the user will install any software (clicking setup.exe), and that this means, that the user will also install the bad/sneaky software that way."

    That depends on the user, a careless user is just that. It doesn't mean we all are.


    DCOM has been patched since 2000, and it's advisable to disable it anyway.


    "malware can simply modify the database of trusted applications, can add new rules or simply automatically press the "OK" button of personal firewalls authorize dialogs. They can even uninstall the personal firewall or alter its program code. This can be done at runtime in Memory or on Disk."

    "A protection against this, could be an Operating System which will actually protect itself and the installed applications from that kind of modifications."

    "So how do you stop that Software from messing with your Personal Firewall? You will not."

    "if you install malware on your system, your system is lost, regardless of what kind of protection software you install. So don't install every untrusted software."

    If they are talking about a computer with just an OS, browser and a firewall, then yes, it's possible. A fully patched system with decent security software, correctly configured along with the OS and browser, can help prevent or even stop and/or remove all that junk. I think some people are only talking about Mr and Mrs Average Surfer, without a lot of the measures some of us have in place. In those cases it's probably true.


    StevieO
     
  19. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    :rolleyes: :ninja:
     
  20. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Infinity,

    By that metric, I guess you've labelled me as irresponsible. Naturally, I beg to differ.

    For outbound protection to be useful as a security measure, a user needs to be able to interpret and act on the information a software firewall provides. The vast majority of users can't.

    I see a software firewall as useful in a purely control context in which a user decides that, regardless of the reason, only a predefined set of communications will be allowed. This can naturally have security implications, but it is not security per se, it is control. For example, I may decide that installed programs simply will not be allowed to call home as a matter of personal policy. It is not specifically a security measure since these are, assuming honest vendors, universally valid communications. However, I may wish to exercise that level of control.

    I generally recommend software firewalls to be the last added and first removed level of any security system. I also assume that a router is present (it is my first piece, even before an AV). In any event, either a router (preferred) or a software firewall (a distant second in my opinion), even if only the Windows ICF, is needed these days. My experience is that a simple NAT router provides more real security to the average user than a readily misconfigured and misunderstood software firewall. For most users, the same could likely be said for Windows ICF vs. a typical software firewall. Neither of these, in my view, preferred options afford outbound control of communications.

    This advice is not irresponsible, it's simply a rational suggestion based on the typical needs of a typical user. If you feel as though you need this type of added measure, that's fine, but the average user is likely better served expending their limited resources elsewhere.

    Blue
     
  21. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    I understand what you are saying; I could follow DA's opinion very well.

    I've got three systems: one with a router and AppDefend, one with Tiny behind a router and one with an older Outpost Pro behind a router, and the one without any software firewall is acting very responsive, with no popups and very newbie friendly. But still, if something wants to phone home I like to know why, which process and where to... Maybe I'm paranoid, maybe I'm not, but relying solely on a router is not good enough for me. Most of the time I would be fine, I give you that, but I remember some stupid stuff I did and I was glad I had outbound control; I didn't use a packet sniffer to check what all that traffic was about, but I knew I was infected and I was glad to have just that extra control.

    BlueZannetti, experienced as you are, I can believe you don't need that extra precaution; you've got a router. But I don't think that 50% of the surfers here @ Wilders have a router, so if they hear/read that a software firewall is not necessary... I still call that irresponsible... and that is nothing personal or whatever!

    Take care
     
  22. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    While I am somewhat experienced - I've been using computers of all sorts for more than 30 years - I base my comments much less on expertise and more on field observation. I run a software firewall for the control aspect only, so I can perform a bit of a real comparison, I have the anecdotal experience of both worlds. The firewall has never provided a direct security alert that was real. On the other hand, the other security measures I use, including my router for inbound, have provided active and valid security alerts many times over. I realize that there could be a single lurking future event that only my firewall could conceivably handle waiting to pounce upon me, but I simply do not see that as a consequential likelihood at this time.

    Blue
     
  23. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    OK, understood, Blue! I do see it has more to do with control than with security, but what would you do if you didn't have a router? A software firewall in that case can improve security, I guess.

    Can you believe that the question was:

    That's ridiculous and irresponsible to say to newbies! Having a router with no software firewall I can understand if you've got something like AppDefend (minimalistic outbound control) or Prevx/SnS/... Without that I would feel naked, and believe me, that's not funny :D

    At the moment I'm doing it with AppDefend, a USRobotics router and Nvidia Active Armor
    http://www.nvidia.com/object/feature_activearmor.html
    (nForce 4 hardware, built into my motherboard chip, AMD64). You all should try that; impressive, and it works like a router... So no software firewall, and that's OK, but still I would like to know if some process needs access to the net. Not much to do with security, BUT BUT BUT

    like the question was: no need for outbound if you scan with AT regularly .. if you have so much faith in AT then it's ok but the day they don't have the sig for some trojan, it would be your firewall notifying you that some process or whatever is trying to phone home/some server, router or not ..

    Am I that wrong?
     
    Last edited: Jan 6, 2006
  24. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    If I had no router, I would certainly use a firewall, but inbound would be the focus.

    Let's think a moment about the two words - outbound protection - the fact that you need to protect against the establishment of outbound communications explicitly confirms that the security system has already failed. The firewall may contain the infection within your system, but the system is now compromised. The key is to safeguard against that failure, that is what layering is all about. Again, the comment is specifically concerning outbound communications, inbound is assumed handled by either a router (preferred) or software firewall - even if only Windows ICF.
    In my estimation it's not that you are wrong, but that you are focussing too far downstream for salvation. For a trojan to be operationally productive, a lot has to happen. As your own choices indicate, you can trap a trojan as it is launched by a process monitor. In order to be active for more than the current session, it will invariably attempt to create an autostart entry in the registry or elsewhere. If this activity is monitored for, it can be trapped at that point. If the trojan file signature has been obscured to avoid detection via a signature based AV/AT, the signature of the running process may be maintained, so trap by monitoring the process memory space. That is three levels of measures following your primary AV, each of which is likely to act prior to your firewall. The problem with relying on the firewall is what if a trusted application is hijacked? Sure, a number of current firewalls will alert you to some specific symptoms, say component X has changed, but what does an average novice make of that? Maybe it was an earlier update, who knows. I come back to the point that the novice you are concerned about has little rational basis to assess the information that they are presented. So my recommendation is to focus on upstream activity and action.

    Reliance on scanning with an AV is probably the last advice I would offer, that's a post mortem measure and, like monitoring outbound communication, reflective of an infection that is potentially already established and active. The measures have to be administered and monitored realtime. Part of that is the AV's realtime monitor, but there are a number of additional realtime guards and measures one can implement in a system, as you've already done as well.

    Cheers,

    Blue
     
  25. The Seeker

    The Seeker Registered Member

    Joined:
    Oct 24, 2005
    Posts:
    1,100
    Location:
    Adelaide
    For what it's worth I use the Windows Firewall and keep a copy of TCPView handy to monitor my connections.

    With this combination I've been clean for quite a while now.
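As an added illustration (not code from any poster or product in this thread) of two ideas raised above, Infinity's per-process outbound rules and The Seeker's habit of reviewing the connection list with TCPView, the following script parses a constructed TCPView/netstat-style listing and flags connections from processes that have no rule or that reach a port outside their rule. The process names, addresses and the policy table are all assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed sample in the shape of a TCPView/netstat-style listing
# (process, PID, protocol, local endpoint, remote endpoint, state).
# Remote addresses are documentation/TEST-NET ranges, not real hosts.
SAMPLE_CONNECTIONS = """\
firefox.exe    1844  TCP  192.168.1.20:49152  192.0.2.10:443      ESTABLISHED
svchost.exe    1020  TCP  192.168.1.20:49160  198.51.100.5:80     ESTABLISHED
wmplayer.exe   2210  TCP  192.168.1.20:49171  198.51.100.7:443    SYN_SENT
svchost.exe    1020  TCP  192.168.1.20:49180  203.0.113.9:6667    SYN_SENT
svchost.exe    1020  UDP  192.168.1.20:49165  192.168.1.1:53      *
"""

# Assumed per-process outbound policy: process name -> permitted remote ports.
# A process with no entry gets no Internet access at all.
POLICY = {
    "firefox.exe": {80, 443},
    "svchost.exe": {53, 80, 443},
}

# RFC 1918 ranges: connections that stay on the LAN (router, local DNS) pass.
LAN_NETWORKS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Connection = namedtuple(
    "Connection", "process pid proto remote_host remote_port state")

def is_lan(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in LAN_NETWORKS)

def parse_listing(text):
    """Turn the whitespace-separated listing into Connection records."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proc, pid, proto, _local, remote, state = line.split()
        host, port = remote.rsplit(":", 1)
        conns.append(Connection(proc, int(pid), proto, host, int(port), state))
    return conns

def evaluate(conn, policy=POLICY):
    """Verdict for one connection: 'allow', or 'alert' with the reason."""
    if is_lan(conn.remote_host):
        return "allow (LAN)"
    allowed = policy.get(conn.process)
    if allowed is None:
        return "alert (no rule for process)"   # e.g. a player phoning home
    if conn.remote_port not in allowed:
        return "alert (port not in rule)"      # trusted process, odd destination
    return "allow"

def audit(text, policy=POLICY):
    """Evaluate every line of a listing -> [(process, host, port, verdict)]."""
    return [(c.process, c.remote_host, c.remote_port, evaluate(c, policy))
            for c in parse_listing(text)]

if __name__ == "__main__":
    for row in audit(SAMPLE_CONNECTIONS):
        print("%-13s %-15s %5d  %s" % row)
```

The fourth sample line shows the case BlueZannetti raises: a trusted process (svchost.exe) reaching an unexpected destination is caught only because the rule is per port, not merely per process.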
     