Mischel Internet Security Forum
Topic: … to be or not to be ? , by Phant0m
mozar
« on: Feb 14th, 2005, 8:35am »

Hello,

A very interesting article by Phant0m concerning FW's Application Filtering component:

" ... Question is… to be or not to be? Stateful

Regardless of what’s been thrown around for the last couple of years, what makes a true software firewall is its packet filter. Beginning with ZoneAlarm, the definition of a firewall has been manipulated / expanded to now include application filtering.

ZoneAlarm has quite a few bells and whistles but let’s not forget why ZoneAlarm is required: to secure you from OUTSIDE / INTERNET threats and attacks. When we re-install Microsoft Windows, do we hurry to put ZoneAlarm on to protect us from malicious activities generated from local/our own systems? No, our concerns are for protection against outside / internet threats and attacks.

Let’s think of the number one thing we do on an Internet-ready computer, BROWSE! Normally we do quite a bit of surfing around the Internet for knowledge and interesting downloads, so we aren’t exactly “trying” to stay hidden, are we? Don’t worry, even if you were trying, the threats and attacks all end up finding you even if you are merely idling on the internet with no client applications connecting/connected to the internet.

Knowing packet-filtering is very critical, what is it about application filtering? My opinion and observations: when ZoneAlarm put out application filtering, many Microsoft Windows clients and servers were triggering ZoneAlarm application filtering and popping up a user choice to accept or deny. So there have been so many questions whether this program (SVCHOST for instance) is legit and should be allowed. Because there has been so much discussion, it moulded a means to be recognized by the public as becoming, and become, the most popular firewall used, and others, out of curiosity and not wanting to be left out, jump to the more popular thang, where entire databases of questions/answers are found on the Internet with little to no searching. Now this made way for successful marketing; we don’t expect them to stop there, marketing is a boom! We have to keep improving and adding further additions to application filtering and draw in more and more and make it an even more successful product out there; now other developers get interested and begin to compete and add more stylish application-filtering. The first thing that we come to see is everyone everywhere doing it, and everything seems to all be focussed on application filtering and to have died away from packet-filtering.

Now what do we have? Application filtering is today’s technology; packet-filtering was yesterday’s technology, so obviously you know being today’s technology means better than yesterday’s technology…

Now you see confusion is very likely when you aren’t knowledgeable in software security, so one can easily be taken for a ride.

This all being said, the standard packet-filtering gets designed but the real focus goes towards application-filtering, and who cares? Nobody except us few who are knowledgeable in software security and aware of what has been taking place for many years now.

And so now while application-filtering is being improved to cover more outbound leaks, you all forgot what is more beneficial in the long run (packet-filter – Inbound threats/Attacks). And guess what? You who are all using and supporting application-filtering-based software firewalls are missing out on a strong and properly maintained packet-filtering system, which is a foundation of a true software firewall.

I really hope some of the readers will begin showing some awareness and do some researching and start showing more concern for packet-filtering improvements; more likely soon firewall developers will have to, but I’m sure not before it is too late for many of you! ... "
 
« Last Edit: Feb 14th, 2005, 8:44am by mozar »

mozar
« Reply #1 on: Feb 14th, 2005, 8:49am »

As a user of a *true* SPI FW (8Signs FW) *without* application filtering component in its design, I couldn't agree more with you, Phant0m.

Regards,

mozar
 
Ian
Good things come to those who wait ...
« Reply #2 on: Feb 14th, 2005, 9:10am »

It's one of the reasons why I also ran Sygate alongside ZA (a pairing that still works, BTW) - I can let ZA allow the generic host processes through, but Sygate would stop stuff that was not even questioned by ZA (like why the mouse.exe file needed to access the Internet)
 
I'd also add that my pet peeve is when a FW regards localhost (127.0.1) as 'Internet' - ZA icon here is merrily indicating traffic, but it's all going to my iPAQ via ActiveSync and USB... It seems that all application-filtering FWs need to brush up on this!

... but crap arrives pretty much straight away.

claire
« Reply #3 on: Feb 14th, 2005, 10:39am »

Hey Ian,
 
Sorry this is OT but a few months ago you started (or planned to start) a firewall comparison work

Is it finished? Can we have the results?

Please accept my apologies if you already posted a thread about it and I missed it

Have a great day

PS sorry Mozar for hijacking your thread, I hope you don't mind (too much Wink)

Claire

Ian
« Reply #4 on: Feb 15th, 2005, 8:39am »

Hi Claire,
 
That little project was one of the ones I never found time to complete - it was a school-based thing that has been overtaken by technology, by which I mean it was easier by far to use the XP SP2 built-in firewall. I had all sorts of snags getting the systems to recognise the school's WiFi system as friendly (if you recall, one even blocked the Windows logon box), along with the hardwired alternative, but to regard all other connections and networks as untrusted. We had one guy trying to hook his home router up to the laptop, and another who managed to create a connection via the Firewire port to his home PC which then happily shared its ADSL connection. Too many 'fiddlers' to deal with, so we just blocked the lot, apart from WiFi.
 
Maybe the new Network Manager post will free up time, but for now the firewall test laptops have been reimaged and pressed into active service.

Randy_Bell
« Reply #5 on: Feb 15th, 2005, 5:13pm »

Well, even the Windows firewall is a decent packet filter which provides adequate inbound protection. Most of the threats use social engineering to get on your box from the inside, after which you need outbound protection or you will be toast. A good realtime AntiVirus and of course AntiTrojan is needed to complement firewall, IMHO .. Grin

mozar
« Reply #6 on: Feb 15th, 2005, 7:09pm »

on Feb 15th, 2005, 5:13pm, Randy_Bell wrote:
A good realtime AntiVirus and of course AntiTrojan is needed to complement firewall, IMHO .. Grin

Completely agree.

I have 8Signs + KAV + TH + AdAware + SpyBot + MS AS + SpywareBlaster + IESpyad + e-mail client with HTML disabled + Browser well configured + OS patched/updated + some common sense and sporadic use of SSM.
Well, I don't miss any type of application filtering in my FW indeed. But I always recommend a FW with this component to all my lots of nephews - I think that the late ZA PLUS 4.5 was the best, for this kind of user.

P.S.: BTW, a cracker who is smart enough to bypass all my defenses has a great chance of bypassing a FW with application filtering also, I think Smiley.
 
   
Ian
« Reply #7 on: Feb 16th, 2005, 9:13am »

on Feb 15th, 2005, 5:13pm, Randy_Bell wrote:
Well, even the Windows firewall is a decent packet filter which provides adequate inbound protection. Most of the threats use social engineering to get on your box from the inside, after which you need outbound protection or you will be toast. A good realtime AntiVirus and of course AntiTrojan is needed to complement firewall, IMHO .. Grin

True - we use Sophos AV site-wide, including the laptops.

The main reason for having a FW in place on the laptops was to let folk use them at home on a dial-up account that we would set up for them (like getting a bulk lot with some ISP or other). I had a time before the WiFi network was fully operational, and also before the principal put his foot down about this, that several laptops came back to school fully stuffed with viruses and the like. These same users are the ones who claim to 'know what they're doing, so why has the modem been disabled?' etc. Usual cluelessness. Even after educating them, the only option was to look to firewalls to protect the school network on their return from home. Therefore, inbound filtering was fine, so long as it stealthed the PC and stopped remote connections. We also ran a Hosts file and used IE-SpyAD, but it was the issue with logging on to the school network that several FWs couldn't cope with.

I might add that 8Signs was looking favourable, especially since it could be configured individually for each of the possible connection types - it recognised the dial-up modem, the LAN port, the FireWire port and, when plugged in, the tri-band WiFi PC card. I could happily block the FireWire for all processes, restrict the LAN to our IP range and rely on the WiFi configuration set to use 802.1x (so unless it found our RADIUS server nothing worked over it) as well as limit the IP range - each laptop was given a fixed IP for the WiFi network. I just never got round to trying the dial-up options because the time wasn't available.

mozar
« Reply #8 on: Feb 16th, 2005, 9:28am »


 
 
" ... I might add that 8Signs was looking favourable, especially since it could be configured individually for each of the possible connection types - it recognised the dial-up modem, the LAN port, the FireWire port and, when plugged in, the tri-band WiFi PC card. I could happily block the FireWire for all processes, restrict the LAN to our IP range and rely on the WiFi configuration set to use 802.1 ... "

Claire, I think that Ian has answered your question Smiley
 
 
 
 
 
« Last Edit: Feb 16th, 2005, 9:29am by mozar »

claire
« Reply #9 on: Feb 16th, 2005, 10:17am »

on Feb 16th, 2005, 9:28am, mozar wrote:
Claire, I think that Ian has answered your question Smiley

Hey Mozar,

You surely bribed him Grin Wink

Claire

Ian
« Reply #10 on: Feb 18th, 2005, 6:23am »

Grin Well, they do say that Ipanema is the place to be... Shocked

mozar
« Reply #11 on: Feb 18th, 2005, 7:15am »

Ian, your IT related travel is confirmed, hard business waiting for you I'm afraid to say:

http://ipanema.com/pictours/ipanema.htm
 
 
 
 
 
Ian
« Reply #12 on: Feb 20th, 2005, 10:17am »

Shocked Precisely... Grin Although I'd definitely show up some of those guys on Cap Ferrat Roll Eyes