Re: Best Firewall?? - follow-up

Nelson <replies-to-newsgroup-only@xxxxxxxxx> wrote:
On Tue, 18 Aug 2009 00:34:23 (CEST), Ansgar -59cobalt- Wiechers wrote:
Kyle T. Jones <KBfoMe@xxxxxxxxxxxxxx> wrote:
Seems like a personal firewall would be useful, for that.

No. You either configure the application to not establish outbound
connections, or you remove the application entirely (in case it won't
allow proper configuration). Everything else is plain stupid.

There are some additional things you can do which involve filtering
applications' target IP addresses for undesired outbound

Specifically, give permission for applications to access their
legitimate servers and block all others.

Define the "legitimate servers" for, say, a web browser.

Besides, if you'd take a closer look at how DNS works, you might
understand why restricting access to particular DNS servers will not
solve the problem.

For example, you can use firewall rules to permit your newsreader to
access your news servers and your ISP's DNS servers. If you use your
newsreader for e-mail, then permit that too. Then block all others.

You can reduce blocked programs' ability to hijack other programs to
gain external access by preventing application interaction (or acting
as a parent) if your firewall has that ability.

Or, you could simply remove the misbehaving software and fix the cause
of the problem instead of dealing with the symptoms. Which would have
the additional advantages of a) *not* wasting significant amounts of
system resources on trying to confine programs, and b) *not* opening
additional attack vectors for malware. I know what I'd choose.

"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich