Re: Re[2]: [Full-disclosure] Personal firewalls.



On 1/20/06, Eliah Kagan <degeneracypressure@xxxxxxxxx> wrote:
> > Z sends spoofed packets coming from the DNS server of X even more
> > interesting..
>
> When Sygate PRO "blackholes" a host, does it block only unsolicited
> packets (bad), or does it block *all* incoming packets from that host
> (worse)?

It blocks all traffic from the IP address; you can verify this by
looking in the advanced rules section after being scanned.

Watch out for Proventia/RSDP as well as BlackIce. Even though their
XML file for distributing rules and policies is one of the best I have
seen, their effect on performance is one of the worst I have seen, and
they don't protect your machine from disgruntled employees
(ahem.. Witty), nor the determined attacker.

One good way to test a firewall to see if it will hold its mettle is
by nmapping a machine with -p 1-65353. Then see how your network
performance is degraded. Also, an intense Nessus scan against the
firewalled machine will help show you how the server/workstation will
perform while under an attack.

My experience with Proventia/RealSecure/BlackIce is that it grinds
your machine to a halt (or at least _really_ slows it down) for up to
30 min after an intense Nessus scan.

One reason I did not go with ZoneAlarm at the workplace was due to the
fact that (given this was a year ago) it kept forgetting settings.
Also my employer had a site license for ZA, but if you use it for
business, you are supposed to pony up a lic. fee. ZoneAlarm is free
for _personal_ use only.

One reason I did not like Sygate was that if you enabled application
protection and then 1 month later installed hotfixes from MS that
updated a system file, then after your machine rebooted Sygate would
block that file (e.g. kernel32.dll) as an "untrusted app". You can
re-scan your system files after installing the patch, but when you
have an automated patching solution, this can sometimes be hard.
Booting in safe mode and disabling Sygate was the resolution for that
issue.

On second thought, I would advise against running application
protection (in its current form) on any software firewall. The
technology is just not mature enough for production environments (or
wasn't 4 months ago; that could (should ;-) have changed by now).

-JP
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
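To make the "see how your network performance is degraded" part of the test above repeatable, here is an added helper (not JP's code and not part of the thread) that parses two ping runs against the firewalled host, one taken before and one during the port sweep, and reports RTT inflation and packet loss. The host 192.0.2.10, the ping lines and the degradation thresholds are constructed assumptions.

```python
import re
import statistics

# Constructed ping output (not a real capture) for a hypothetical lab host
# 192.0.2.10: one run before the scan, one during a full-range nmap sweep.
# "Request timeout" is the BSD/macOS ping format; Linux ping just skips the
# icmp_seq, so loss is derived from the highest sequence number seen.
BASELINE_PING = """\
64 bytes from 192.0.2.10: icmp_seq=1 ttl=128 time=0.412 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=128 time=0.398 ms
64 bytes from 192.0.2.10: icmp_seq=3 ttl=128 time=0.455 ms
"""
UNDER_SCAN_PING = """\
64 bytes from 192.0.2.10: icmp_seq=1 ttl=128 time=12.8 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=128 time=41.3 ms
Request timeout for icmp_seq 3
64 bytes from 192.0.2.10: icmp_seq=4 ttl=128 time=88.0 ms
64 bytes from 192.0.2.10: icmp_seq=6 ttl=128 time=63.5 ms
"""

RTT_RE = re.compile(r"icmp_seq=(\d+) .*?time=([\d.]+) ms")
TIMEOUT_RE = re.compile(r"timeout.*icmp_seq[ =](\d+)", re.IGNORECASE)


def parse_ping(output):
    """Summarise one ping run: probes sent, replies, loss and RTT stats."""
    rtts, highest_seq = [], 0
    for line in output.splitlines():
        m = RTT_RE.search(line) or TIMEOUT_RE.search(line)
        if not m:
            continue
        highest_seq = max(highest_seq, int(m.group(1)))
        if m.re is RTT_RE:          # a reply line carries an RTT value
            rtts.append(float(m.group(2)))
    sent, received = highest_seq, len(rtts)
    return {
        "sent": sent, "received": received,
        "loss_pct": 100.0 * (sent - received) / sent if sent else 0.0,
        "median_ms": statistics.median(rtts) if rtts else None,
        "max_ms": max(rtts) if rtts else None,
    }


def degradation(baseline, under_scan, rtt_factor=3.0, max_loss_pct=1.0):
    """Compare a baseline run with one taken during the scan.  Thresholds
    are assumptions: tripled median RTT or >1% loss counts as degraded."""
    b, s = parse_ping(baseline), parse_ping(under_scan)
    ratio = (s["median_ms"] / b["median_ms"]
             if b["median_ms"] and s["median_ms"] else float("inf"))
    return {"rtt_ratio": ratio, "loss_pct": s["loss_pct"],
            "degraded": ratio > rtt_factor or s["loss_pct"] > max_loss_pct}
```

Feed it the saved output of `ping` runs taken before and during the sweep; a host whose firewall handles the scan gracefully should come back with `degraded` false.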
