Mischel Internet Security Forum > Internet Security > Firewalls
Topic: Two kinds of rules-set
mozar (Highly Honored Mass-Poster, Posts: 1524)
Two kinds of rules-set
« on: Oct 31st, 2003, 10:26pm »
Hello,

I have a doubt about the two most usual kinds of rules-set approaches.

With the FW I have, I can use a very minimalist rules-set where everything that is not explicitly allowed is implicitly denied, and it works with around 15 specific rules.
But I can also opt for a more detailed rules-set, which includes rules like "NetBios, 137-139, in&out, Block" etc., and a "Block All, in & out" at the very end of the rules-set, with around 32 specific rules in this case.

I think that the only advantage I have using a more complex rules-set is related to my FW log: to avoid log pollution or to search for specific log lines.
Excluding that, what other advantage would I have using a more detailed rules-set if with the simplest rules-set *everything* is blocked if not previously allowed?

Obs.: I'm not talking here about applications' rules; my FW doesn't have this feature.
It's about TCP, UDP, ICMP, ARP, RARP and MAC.

Regards,

mozar
Ian (Stole All the Forum Stars, Posts: 2907)
Re: Two kinds of rules-set
« Reply #1 on: Nov 1st, 2003, 1:29pm »
The order of the rules also affects what happens, so putting the specific rules at the beginning, then the 'block everything else' one at the end would work better than putting the 'total block' at the beginning.
 
Most rules-based FWs can also create a specific application rule, but too many of these have a downside - slow processing (too many rules to check) and huge logfiles.
mozar (Highly Honored Mass-Poster, Posts: 1524)
Re: Two kinds of rules-set
« Reply #2 on: Nov 1st, 2003, 1:44pm »
Yes, Ian. The "Block All Rule" at the end of the rules-set, the last rule.

But (not talking about apps' rules, as my FW doesn't have them) why create a large and very specific rules-set when you implicitly have the same security level with a simple "deny everything not explicitly allowed" approach?

It is the KISS principle, isn't it?
Jamming (Stole All the Forum Stars, Posts: 2038)
Re: Two kinds of rules-set
« Reply #3 on: Nov 1st, 2003, 3:07pm »
In a way it is, but then consider that if you have to allow every single product (like I do), some cannot stand that level of interaction. I, however, like it.
Phant0m`` (Guest)
Re: Two kinds of rules-set
« Reply #4 on: Nov 1st, 2003, 5:49pm »
There are basically two types of rule-sets: Stealthed and Paranoid. The difference between the two is that Stealthed rule-sets focus mainly on the Inbound and therefore use very few rules, while Paranoid rule-sets focus on the Outbound nearly as much as the Inbound, mainly to avoid privacy issues.

One can easily convert Stealthed rule-sets into Paranoid rule-sets by disabling the Master TCP Allow rule; the typical design for the Master TCP rule is that it offers no restriction on destination ports (0-65535) and a Temp range for source ports (1024-5000). After disabling the Master TCP Allow rule you must proceed to create a rule per application's outgoing packets, normally with IP and port specifications. The rule-set can be quite lengthy this way, but what's important is that the user does not experience discomfort.

Rule ordering in ALL rule-sets is crucial, more than most know.
For a very small example: you wouldn't want to place UDP block rules which deal with invalid packets below UDP authorizing rules such as DNS, DHCP... And I surely don't have to tell you why you definitely don't want to keep them at the very top of the rule-set as first priority. People think that as long as they keep the block rules in the vicinity of the other block rules it's not important, but even here the rule ordering is crucial. Common sense for me: you don't put a UDP block rule that blocks invalid packets below a UDP block rule that blocks typical UDP inbound. But I'm not going to get into further details; either you begin to understand or you don't...
mozar (Highly Honored Mass-Poster, Posts: 1524)
Re: Two kinds of rules-set
« Reply #5 on: Nov 1st, 2003, 7:52pm »
Hello, Phant0m

Nice introduction. In my case, using 8Signs FW 2.1.2, which doesn't have outbound protection, I have two rules-set choices: a basic "deny all not allowed" and a more detailed one with specific blockings and ordering (in fact I had also created two other rules-sets just for testing & learning; they are saved).

I think that with a FW like 8Signs (and only with this kind of FW, with no outbound/apps control) a "deny all not explicitly allowed" rules-set style works fine and is equally safe.
Do you agree with me?

BTW, I discovered a book which describes some of those mysterious attacks included in your "Phant0m's Rule-set".

"Network Intrusion Detection - An Analyst's Handbook",
Stephen Northcutt, New Riders, 1999.

It is very hard for me to fully understand everything in the book, but there are some types of attacks really very well conceived.
Phant0m`` (Guest)
Re: Two kinds of rules-set
« Reply #6 on: Nov 1st, 2003, 8:28pm »
Hey Mozar

Thanks!

Apparently you misunderstood. To clear things up, I was not referring to the Application Filtering Layer; I was referring to the Packet Filtering Layer.
mozar (Highly Honored Mass-Poster, Posts: 1524)
Re: Two kinds of rules-set
« Reply #8 on: Nov 1st, 2003, 8:45pm »
No, I did understand, but probably I didn't know how to explain that in English.
See, with the 8Signs FW I only have what in LOOKnSTOP's jargon is the "Internet Filtering" feature - no "Application Filtering" here.
So my question is: what is the difference, in terms of security, between a "deny all ... rules-set" versus "a rules-set with lots of detailed/specific rules"?

For example, I can include rules like "NetBios, 137-139, in&out, Block" etc., and a "Block All, in & out" at the very end of the rules-set. But if they are not included and I use a "deny all not explicitly allowed" rules-set, I think I would have the same level of inbound protection.

So, I think that there is no real difference; am I wrong?

(Excluding the log's aspect of the question - more control with a more detailed rules-set, of course.)

« Last Edit: Nov 1st, 2003, 9:12pm by mozar »
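mozar's question in this post (does a detailed rules-set with a final "Block All" buy anything over a minimal default-deny set?) and Phant0m's rule-ordering point in Reply #4 can both be checked with a small first-match packet-filter simulator. This is an added example, not code from the thread or from 8Signs, Look 'n' Stop or any other product; the rule fields, the "invalid UDP" criterion (source port 0) and the sample packets are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Added example, not code from the thread or from any firewall product.
# First-match filter: the first rule matching a packet decides; a packet
# matching no rule is implicitly denied (mozar's minimalist style).
# Rule fields, the "invalid UDP" test and the sample packets are constructed.

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "allow" or "block"
    proto: Optional[str] = None              # "tcp"/"udp", None = any protocol
    dport: Optional[range] = None            # destination ports, None = any
    direction: Optional[str] = None          # "in"/"out", None = both
    extra: Optional[Callable[[dict], bool]] = None  # additional packet test

    def matches(self, pkt: dict) -> bool:
        return ((self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt["dport"] in self.dport)
                and (self.direction is None or pkt["dir"] == self.direction)
                and (self.extra is None or self.extra(pkt)))

def evaluate(rules, pkt):
    """First match wins; the rule name is what the FW log would record."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "block", "<implicit deny>"

# Constructed criterion for an "invalid" UDP packet: source port 0.
def invalid_udp(pkt):
    return pkt["proto"] == "udp" and pkt["sport"] == 0

DNS_OUT = Rule("DNS out", "allow", "udp", range(53, 54), "out")
HTTP_OUT = Rule("HTTP out", "allow", "tcp", range(80, 81), "out")
NETBIOS = Rule("NetBIOS 137-139 in&out", "block", None, range(137, 140))
BAD_UDP = Rule("Invalid UDP", "block", "udp", extra=invalid_udp)
BLOCK_ALL = Rule("Block All in&out", "block")

MINIMAL = [DNS_OUT, HTTP_OUT]                                  # implicit deny only
DETAILED = [BAD_UDP, NETBIOS, DNS_OUT, HTTP_OUT, BLOCK_ALL]    # blocks above allows
MISORDERED = [DNS_OUT, HTTP_OUT, BAD_UDP, NETBIOS, BLOCK_ALL]  # blocks below allows

NETBIOS_IN = {"proto": "tcp", "dport": 139, "sport": 40000, "dir": "in"}
GOOD_DNS = {"proto": "udp", "dport": 53, "sport": 1025, "dir": "out"}
BAD_DNS = {"proto": "udp", "dport": 53, "sport": 0, "dir": "out"}

if __name__ == "__main__":
    for label, pkt in [("NetBIOS in", NETBIOS_IN), ("DNS", GOOD_DNS), ("bad DNS", BAD_DNS)]:
        print(label, evaluate(MINIMAL, pkt), evaluate(DETAILED, pkt), evaluate(MISORDERED, pkt))
```

For plain inbound NetBIOS both sets block, and only the log line differs; for the constructed invalid DNS packet the minimal set and the mis-ordered detailed set both allow it, because the DNS authorizing rule matches before any block does.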
Phant0m`` (Guest)
Re: Two kinds of rules-set
« Reply #9 on: Nov 1st, 2003, 11:28pm »
Hey Mozar

Look ‘n’ Stop Personal Firewall (PRO) does have an Application Filtering Layer; it just doesn’t have rule-based Application Filtering, which means no control of inbounds and outbounds to/from a specific client/server application. ConSeal PC Firewall had rule-based Application Filtering (a rule applies only when running *.exe); shame James Grant didn’t implement that feature in his product today.

As for your question, I’m very confused.
You say "deny all not explicitly allowed"; aren’t most of today’s rule-sets like that?
Use EnhancedRulesSet.rls as an example: you have the Master BLOCK-ALL rule at the very bottom of the rule-set, and from there it builds up the authorizing list, with a few additional blocks that are of course needed because of the authorizing rules.

Here is where people have difficulty comprehending: because of those authorizing rules you generate possible leaks, and this is where my rule-set comes into big play along with the SPI feature.

Of all the popular software firewalls out there, Look ‘n’ Stop Personal Firewall is the only personal firewall with a strong Packet Filtering Layer that offers the incredible features needed to stop many malicious attacks and unnecessary packets in general. No surprise that I’m saying this because I’m a supporter of Look ‘n’ Stop, but I’m not saying it because of that but because it’s true. And that’s one of many reasons why I chose Look ‘n’ Stop Personal Firewall…
maxqnz (Newbie, Posts: 26)
Re: Two kinds of rules-set
« Reply #10 on: Nov 2nd, 2003, 10:21am »
on Nov 1st, 2003, 11:28pm, Phant0m`` wrote:
> Of all the popular Software Firewalls out there, Look ‘n’ Stop Personal Firewall is the Only Personal Firewall with strong Packet Filtering Layer that offers incredible features needed to stop much malicious attacks and unnecessary packets in general.

OK, I'm interested. Could you explain to me the difference between the packet filtering offered by LnS, and that offered by Sygate Pro?