Why use a third party software Firewall?

Post by ssj100 on 26/12/2010, 00:45

I've never quite fully understood why the Software Firewall is so important. I ran a third party software firewall (Online Armor/Comodo) for at least 3 years before I decided on my current setup in 2009. Why did I run a software firewall? Simply because I was advised to - "make sure you have a good software firewall and an antivirus".

For the record, I never use "automatic updates". The main reason is not to do with fear of exploitation. It's because updating too quickly can lead to bugs being introduced - I generally like to read what others experience before updating my software (meaning I end up waiting an extra day or two) - remember not so long ago the Windows XP update which hosed Sandboxie? Well, I wasn't affected, because I waited a couple of days.

With regards to "trusted" applications calling home, has anyone found out anything of REAL concern? I mean, does the "trusted" application actually try to read your passwords or steal your personal identity? I wouldn't care if they "stole" the information that I use Windows XP for instance. But I would care more if they tried to read "My Documents" folder etc.

I think we all have to have some level of trust, otherwise we won't be installing any software at all (or using Windows or a computer for that matter). With my security setup/approach, I really don't see any advantage (from a real-world point of view) of controlling outbound traffic with a Software Firewall. And even if I did, I'd need to have a second third party security software installed, since Windows XP's Firewall gives no outbound control. Is that worth it?

Anyway, if someone would like to be helpful, perhaps they could give a tutorial (create a new thread) on their general and specific recommendations of setting up a Software Firewall - that's one area I have nearly no knowledge/experience in.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Post by p2u on 26/12/2010, 10:46

ssj100 wrote:I've never quite fully understood why the Software Firewall is so important.
That's too bad, and I would ask you to consider changing your opinion. Egress filtering *may* save your system from disaster. I don't believe in the Matousec hysteria either (you can't stop already installed malware with a firewall), but if you have set default deny rules in your egress application/stateful packet filter firewall and there's not already a rootkit installed, most of the time you *may* very well be able to block the download of an executable after a successful exploit.

A couple of situations where this may be true:
1) you have plugins disabled or removed in your browser and there are no 'Allow All Out' rules yet for the exploited application (as opposed to the nightmare of "Trusted computing", where security providers decide what is good for you, based on their signatures).

2) there are no 'Allow All Out' rules yet for the default browser. (sounds crazy, huh? But that's how I did it; IE is browser by default, but not allowed to get out)

3) you have a firewall that checks hashes for outgoing applications and blocks traffic if the hash changes

Preventing the download of an executable is always preferable to trying to block an already downloaded executable with some kind of behavior blocker or anti-executable (you may always be bypassed a second time). I don't trust HIPS if they don't belong to my wife. Wink

Paul

Post by ssj100 on 26/12/2010, 14:43

p2u wrote:That's too bad, and I would ask you to consider changing your opinion.
It's not really an opinion of mine - it was me admitting that I don't really understand it haha. Seriously, whenever I installed Comodo Firewall or Online Armor Firewall, I'd pretty much just use the default rules - I have never quite understood how to configure individual applications "properly".

p2u wrote:you can't stop already installed malware with a firewall)
Are you sure that statement is definitive? I'm thinking of a scenario where you unknowingly download a piece of malware and it silently installs. Following this, it tries to call out (as it turns out to be a keylogger), but your firewall stops this. Wouldn't that be the firewall stopping the (already installed) malware from achieving its goal?

p2u wrote:but if you have set default deny rules in your egress application/stateful packet filter firewall...
See, this is the problem for me - I have no idea what you've just written! My Firewall knowledge is poor.

p2u wrote:Preventing the download of an executable is always preferable to trying to block an already downloaded executable with some kind of behavior blocker or anti-executable (you may always be bypassed a second time). I don't trust HIPS if they don't belong to my wife. Wink
What would be a good way to prevent the downloading of an executable? Sorry if I've missed an explanation somewhere in your post - as I said, I am very blur when it comes to Firewalls.

I have always believed that the chances of an executable bypassing SRP (default-deny execution) as well as (even partially) jumping out of the sandbox (Sandboxie) to infect my REAL system or perform malicious actions is nearly zero. Also, I like to browse wherever and whenever without being "blunted". This means I may want to see all those "silly ads" and click on all those "silly pop-ups". I believe that with Sandboxie + LUA + SRP (+ sandboxed VirtualBox) and with a decent security approach, I will not get burned. Seems to have held true for the last 1-2 years, despite the fact that I've visited numerous high-risk malicious web-sites on purpose and allowed countless potentially malicious scripts/executables to run.

So the question still remains for me - is the use of a third party software firewall realistically and significantly going to increase my current level of protection? Even if it did, I can see myself spending hours trying to figure out exactly what I'm doing - sounds good haha, since I've already spent countless hours reaching my current setup - what's a few more hours? But keep in mind that I will need to install a third party software firewall, and hence potentially risk conflict.

Anyway, I'll probably be needing your help and advice p2u. First off, please feel free to respond to the above musings/questions. Then, start by telling me which third party software firewall you would use. I'm guessing you are using Windows Vista's firewall to control outbound traffic? But what if you were still on Windows XP?

Post by p2u on 26/12/2010, 23:13

ssj100 wrote:
p2u wrote:That's too bad, and I would ask you to consider changing your opinion.
I have never quite understood how to configure individual applications "properly".
You could start by reading A Guide to Producing a Secure Configuration for Outpost. This is about Outpost Firewall, but actually it applies to any good application/packet rule firewall. Disabling the DNS Client service is very important. You thus force every application to make a DNS query itself (usually the first stage in a connection). Rmus used to have a very good guide for Kerio Firewall, but unfortunately he removed it.

ssj100 wrote:
p2u wrote:you can't stop already installed malware with a firewall)
Are you sure that statement is definitive? I'm thinking of a scenario where you unknowingly download a piece of malware and it silently installs. Following this, it tries to call out (as it turns out to be a keylogger), but your firewall stops this. Wouldn't that be the firewall stopping the (already installed) malware from achieving its goal?
The times that a trojan would introduce itself politely and ask permission to get out in its own name are long over; it will try to do that through other (already permitted) applications and your firewall might not even notice, even if it passes all of Matousec's leaktests. Let's say you open a PDF exploit with Adobe PDF Reader in your browser or on your desktop. If that reader already has permission in the firewall, it will download the dropper itself, based on instructions in the code.

ssj100 wrote:What would be a good way to prevent the downloading of an executable?
Not giving very vulnerable applications (like Adobe) access to the Internet is certainly one of them. There is no good reason to open any PDF document in your browser, especially if it comes from an unknown source. Blocking (by default) EVERY application that really doesn't have anything to do in the Internet would be another. Reducing allowed remote ports to 3 or 4 is also a good strategy.

ssj100 wrote:I may want to see all those "silly ads" and click on all those "silly pop-ups".
In that case you should uninstall NoScript; it blocks a huge percentage of all the silly ads and silly pop-ups.

ssj100 wrote:I believe that with Sandboxie + LUA + SRP (+ sandboxed VirtualBox) and with a decent security approach, I will not get burned.

If you are sure that the system is clean, you might be right. But let me tell you that the laptop my wife gave me for my birthday came with two firmware rootkits and a Trojan (!). LUA and SRP don't care about that. It's my firewall that alerted me about suspicious traffic.

ssj100 wrote:So the question still remains for me - is the use of a third party software firewall realistically and significantly going to increase my current level of protection?
I think that if you configure it correctly, you won't be sorry. Even an exploit analyst like Rmus from wilderssecurity uses Kerio as part of his setup. Ask him why. Wink

ssj100 wrote:Anyway, I'll probably be needing your help and advice p2u. First off, please feel free to respond to the above musings/questions. Then, start by telling me which third party software firewall you would use. I'm guessing you are using Windows Vista's firewall to control outbound traffic? But what if you were still on Windows XP?
I'll have a look into that and reply later. Don't like advertising too much. I use the in-built firewall in Vista, because that's probably the only one that handles Microsoft's implementation of IPv6 well, and it's probably the best packet filter for Windows.

Paul

Post by ssj100 on 27/12/2010, 00:18

p2u wrote:The times that a trojan would introduce itself politely and ask permission to get out in its own name are long over; it will try to do that through other (already permitted) applications and your firewall might not even notice, even if it passes all of Matousec's leaktests. Let's say you open a PDF exploit with Adobe PDF Reader in your browser or on your desktop. If that reader already has permission in the firewall, it will download the dropper itself, based on instructions in the code.
It's interesting that you mentioned Rmus. From my readings in the past, Rmus himself stated repeatedly that such droppers in-the-wild always turn out to be PE executables (take note Binky). If this is the case, wouldn't the software firewall which strictly controls outbound traffic block this new PE executable from calling out?

p2u wrote:Not giving very vulnerable applications (like Adobe) access to the Internet is certainly one of them. There is no good reason to open any PDF document in your browser, especially if it comes from an unknown source. Blocking (by default) EVERY application that really doesn't have anything to do in the Internet would be another. Reducing allowed remote ports to 3 or 4 is also a good strategy.
That pretty much sounds like how I've configured my Sandboxie. For example, my "explorer.exe" sandbox doesn't allow any application to connect to the internet. This is the sandbox I use to open any newly introduced file. Also, for example, in my IE 8 sandbox, only "iexplore.exe" can run.

What are the "remote ports"?

p2u wrote:In that case you should uninstall NoScript; it blocks a huge percentage of all the silly ads and silly pop-ups.
No, I simply temporarily allow scripts when I feel the need to view sites "fully". Also, my Firefox sandbox doesn't get deleted much, so it's nice to get some added protection (apparently). Furthermore, remember that I mostly use NoScript to speed up browsing. A lot of the time, I don't want to see those silly ads and pop-ups, but it's nice to have the option to enable them conveniently.

p2u wrote:If you are sure that the system is clean, you might be right. But let me tell you that the laptop my wife gave me for my birthday came with two firmware rootkits and a Trojan (!). LUA and SRP don't care about that. It's my firewall that alerted me about suspicious traffic.
Good point, but I'm fairly certain my system is clean. By the way, I thought you said the firewall doesn't help with already installed malware?

p2u wrote:I think that if you configure it correctly, you won't be sorry. Even an exploit analyst like Rmus from wilderssecurity uses Kerio as part of his setup. Ask him why. Wink
I think I have - he wasn't able to convince me haha. Don't get me wrong - if I didn't use Sandboxie like I do etc, a third party software firewall may be more worthwhile. For now, I remain unconvinced.

p2u wrote:I'll have a look into that and reply later. Don't like advertising too much. I use the in-built firewall in Vista, because that's probably the only one that handles Microsoft's implementation of IPv6 well, and it's probably the best packet filter for Windows.
That's also what I've heard, but "packet filtering" is an inbound function right? I'm pretty sure Windows XP's firewall has that too (which I happily use).

I'm also pretty sure Rmus uses Kerio. In fact, I think he still uses Windows 2000 haha. In any case, I'm pretty sure Rmus doesn't use Sandboxie (the way I do), so perhaps his setup warrants a third party software firewall. From memory, Rmus uses Opera + Faronics AE + Faronics Deep Freeze.

Post by ssj100 on 27/12/2010, 00:43

Sorry, can't work out how to move individual posts, so I've quoted p2u's last off-topic post for now:

p2u wrote:
ssj100 wrote:It's interesting that you mentioned Rmus. From my readings in the past, Rmus himself stated repeatedly that such droppers in-the-wild always turn out to be PE executables (take note Binky). If this is the case, wouldn't the software firewall which strictly controls outbound traffic block this new PE executable from calling out?
Maybe, maybe not. If a rootkit gets installed, it may lie to the system and you can't trust the data you see.

ssj100 wrote:That pretty much sounds like how I've configured my Sandboxie. For example, my "explorer.exe" sandbox doesn't allow any application to connect to the internet. This is the sandbox I use to open any newly introduced file. Also, for example, in my IE 8 sandbox, only "iexplore.exe" can run.
In that case, Sandboxie works like an outbound firewall and you probably don't need anything else, although it can't differentiate ports, I think. It's everything or nothing.
P.S.: GeSWall can also be used in this way. Only some system services won't be blocked. I don't remember how you do that. I'll have to look that up in my notes.

ssj100 wrote:What are the "remote ports"?
I'd say that a browser, for example, needs only UDP 53 (remote) and TCP 80 (HTTP) and TCP 443 (HTTPS). Anything more should be avoided. If really necessary (for example an FTP download), you can set the required ports (21 + the high ports without exception) for a limited number of addresses, where you really need such connections.

ssj100 wrote:
p2u wrote:If you are sure that the system is clean, you might be right. But let me tell you that the laptop my wife gave me for my birthday came with two firmware rootkits and a Trojan (!). LUA and SRP don't care about that. It's my firewall that alerted me about suspicious traffic.
Good point, but I'm fairly certain my system is clean. By the way, I thought you said the firewall doesn't help with already installed malware?
Did I say the firewall BLOCKED the connections? No. It couldn't; one rootkit had created a device that the firewall didn't have control over. But since the firewall was set to log ALL outgoing traffic, even if not configured with rules, I was still able to spot some very strange traffic. The rest was a matter of mechanics so to speak.

ssj100 wrote:but "packet filtering" is an inbound function right? I'm pretty sure Windows XP's firewall has that too (which I happily use).
No, not necessarily. Let's talk about firewalls in another topic when the time comes.
P.S.: One advantage of the in-built firewall in Vista and Win7 is the "hardening" of services. Svchost is handled per separate service now (you can allow one service but deny another), while in other firewalls you allow svchost "all" and then you have to hope for the best...

Paul

Post by ssj100 on 27/12/2010, 00:50

Thanks for the information p2u. Yes, Sandboxie generally can't differentiate ports, although tzuk has recently put in some basic "port filtering":
http://ssj100.fullsubject.com/t275-sandboxie-version-350-released#2144
http://www.sandboxie.com/index.php?BlockPort

Anyway, thanks for the clarifications, and I look forward to reading more about software firewalls.

Post by wat0114 on 31/12/2010, 08:31

For essentially the same reasons p2u gives Smile

Post by ssj100 on 2/6/2012, 16:14

wat0114 wrote:For essentially the same reasons p2u gives Smile
I know this is an old thread, but I feel it's a good time to re-visit this question.

Currently, I still remain unconvinced that a firewall (for outbound control) is of any significant use against malware with a setup and approach like mine. I recently came across this post from "DaveUK", which pretty much sums up how I feel about outbound control:
A lot of people believe outbound filtering to be next to useless in the situation you have described because once your computer is infected with malware/viruses, those evil applications usually have access to your system with administrator permissions and will be able to disable (or reconfigure) your firewall regardless of what you set your outbound filtering policy to. If you think that outbound filtering will keep you safe from malware/viruses...think again!

That's not to say that outbound filtering isn't useful - it can be, but just not for the scenario you have described. It's useful for an admin to prevent certain types of outbound communication on the network, or for a local administrator to prevent certain apps from accessing the internet to get updates etc.

Primarily though, I think people like outbound filtering because they like to see pop-ups telling them when application X is trying to connect to the Internet. They like to see this information and to know what that application is trying to do. This isn't really a justification for outbound filtering, it's more of a justification for better monitoring/logging so that users can see what their firewall is doing. Just my 2c.

Post by blues on 2/6/2012, 19:30

Probably a lot of truth in that assessment by DaveUK. I often wonder about the ultimate effectiveness of our system protections.

As far as outbound firewall control is concerned, my main concern is the prevention of any financial data or passwords from being compromised.

I do also use it to prevent apps like java from updating or reaching out even when they are set not to do so. (I have seen them do so in the past, even when such behavior was toggled off.)

Post by ssj100 on 3/6/2012, 02:02

blues wrote:I often wonder about the ultimate effectiveness of our system protections.
I think the 2 key things for me are that:
1. I use a LUA by default - this means that no installed program is able to update or modify itself without explicit permission from me.
2. I run a system-wide anti-executable (SRP) as well as Sandboxie's anti-executable mechanism in threat-gates (like web browsers etc) - this means that nothing new is able to start/run without explicit permission from me.

Also, I have effectively disabled all automatic updates for all installed programs anyway. With this setup/approach, I just don't see how outbound control can help improve the situation - all I can see is the potential for more work/configuration (computer "house-work") for no real security gain.

I know p2u mentions extreme situations like being given a laptop which already has rootkits installed. In my opinion, this is a bit of a "way out there" reason for having outbound control/logging. Whoever installed those rootkits (with malicious intent) were obviously not "leet" enough to hide their rootkits well enough to prevent detection by a firewall's log! If a hacker has physical access to your system, it should be all over. Similarly, if a hacker is able to get code on to your REAL system (eg. by social engineering) and run executable code in your REAL system, it should be all over. I suppose I have to admit that there is the potential for a small security gain when utilising a firewall with outbound control - if you cared to analyse the firewall logs (assuming you have logging enabled for allowed outbound connections), you could pick up that something doesn't "look right" and investigate further. However, I would like to know who would actually take time to regularly manually analyse their firewall logs for suspicious allowed outbound connections in the first place. You can see that this potential for the small security gain is arguably irrelevant - firstly, your system is already compromised anyway, and all you're doing is recognising this. Secondly, most people (including myself) would struggle to manually recognise what "suspicious" activity is in a firewall log that consists of hundreds/thousands of legitimate entries.

blues wrote:As far as outbound firewall control is concerned, my main concern is the prevention of any financial data or passwords from being compromised.
Again, if code can't start/run, how can it send out information from your computer?

One security use that I'm still currently contemplating on for outbound control is in the context of sensitive browsing like online transactions. I already use a form of outbound control (with IPSec) when accessing my bank account. During a banking session, I enable an IPSec rule which basically says that all internet connections are prohibited except those connecting to the bank's sole IP address via Port 443. This works extremely well for my bank, mainly because I can pretty much do everything with just one IP address connection. However, I do recognise that for many other eg. online transactions, multiple IP addresses are often required to be connected to. Therefore Windows' built-in IPSec would be insufficient. The main reasons for doing this are to prevent phishing (which is basically very clever "social engineering") or eg. in-browser hijacks via malicious scripts which may try to call out to the "hacker's" IP address. Now I know people basically disable many scripts by default (eg. by using NoScript or simply by not having Java or Flash installed), but what about text-based scripts? I think even p2u allows text to be displayed in his browser (otherwise he wouldn't be able to read this!). Of course, this is quite outrageous and probably not even possible, but who really knows for sure when it comes to the world of computer software?
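
An added example, not code from this thread or any of its posters: p2u's approach (above, 27/12/2010) of logging every allowed outbound packet and then spotting strange traffic, and ssj100's objection here that nobody reads thousands of legitimate log lines by hand, can be reconciled by having a script do the reading. The script parses the W3C-style pfirewall.log format that Windows Firewall writes and reports ALLOW/SEND entries whose protocol/port pair lies outside the minimal browser set p2u names (UDP 53, TCP 80, TCP 443), or, in "banking session" mode, anything that was allowed out to a destination other than the bank's address on TCP 443. The log lines, IP addresses and the `session_ip` parameter are constructed for illustration.

```python
"""Flag unexpected allowed outbound connections in a Windows Firewall log.

The parser reads the #Fields header so it follows the column order in the
file rather than hard-coding it. Sample log content below is constructed.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Baseline from the thread: DNS, HTTP and HTTPS are all a browser needs.
BROWSER_BASELINE = frozenset({("UDP", 53), ("TCP", 80), ("TCP", 443)})

# Constructed sample in the format Windows Firewall writes to pfirewall.log.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2012-06-03 02:02:10 ALLOW UDP 192.168.1.10 192.168.1.1 52010 53 0 - - - - - - - SEND
2012-06-03 02:02:11 ALLOW TCP 192.168.1.10 203.0.113.5 49152 443 0 - 0 0 0 - - - SEND
2012-06-03 02:02:12 ALLOW TCP 192.168.1.10 198.51.100.7 49153 80 0 - 0 0 0 - - - SEND
2012-06-03 02:02:13 ALLOW TCP 192.168.1.10 198.51.100.9 49154 82 0 - 0 0 0 - - - SEND
2012-06-03 02:02:14 ALLOW TCP 198.51.100.7 192.168.1.10 80 49153 0 - 0 0 0 - - - RECEIVE
2012-06-03 02:02:15 DROP TCP 192.168.1.10 198.51.100.9 49155 6667 0 - 0 0 0 - - - SEND
2012-06-03 02:02:16 ALLOW UDP 192.168.1.10 198.51.100.9 49156 1337 0 - - - - - - - SEND
"""


@dataclass(frozen=True)
class Entry:
    time: str
    action: str
    protocol: str
    dst_ip: str
    dst_port: int
    path: str


def parse_log(text: str) -> list[Entry]:
    """Parse pfirewall.log text into Entry records, skipping comment lines."""
    fields: list[str] = []
    entries: list[Entry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the tag
            continue
        if line.startswith("#"):
            continue
        parts = line.split()
        if not fields or len(parts) != len(fields):
            continue  # malformed or truncated line: skip rather than guess
        row = dict(zip(fields, parts))
        try:
            port = int(row["dst-port"])
        except ValueError:
            port = -1  # ICMP entries log '-' instead of a port
        entries.append(Entry(f"{row['date']} {row['time']}", row["action"],
                             row["protocol"], row["dst-ip"], port, row["path"]))
    return entries


def find_suspicious(entries: list[Entry], allowed=BROWSER_BASELINE,
                    session_ip: str | None = None) -> list[Entry]:
    """Return allowed outbound entries that fall outside the expected set.

    session_ip (hypothetical parameter) mimics the banking-time IPSec rule
    described in the thread: during the session the only acceptable
    destination is that address on TCP 443, so every other packet that
    was allowed out is reported.
    """
    hits = []
    for e in entries:
        if e.action != "ALLOW" or e.path != "SEND":
            continue  # dropped packets and inbound traffic are not the question
        if session_ip is not None:
            if not (e.dst_ip == session_ip and e.protocol == "TCP"
                    and e.dst_port == 443):
                hits.append(e)
        elif (e.protocol, e.dst_port) not in allowed:
            hits.append(e)
    return hits


def summarize(hits: list[Entry]) -> Counter:
    """Collapse a long hit list to counts per destination/protocol/port."""
    return Counter((e.dst_ip, e.protocol, e.dst_port) for e in hits)


if __name__ == "__main__":
    found = find_suspicious(parse_log(SAMPLE_LOG))
    for (ip, proto, port), n in summarize(found).items():
        print(f"{n:3d} x {proto}/{port} -> {ip}")
```

Running it against the sample reports the TCP/82 and UDP/1337 connections and nothing else; with `session_ip="203.0.113.5"` everything except the single 443 connection to that address is reported, including DNS.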

Post by ssj100 on 3/6/2012, 02:32

I am also wondering whether a firewall can actually help block malicious scripts within applications which are allowed to connect out. If the firewall can only recognise the application itself (and not the "leet" malicious scripts within the application), surely it won't make a sound?

The only way I can think of to defeat this is by employing system-wide IP address restriction during periods of sensitive browsing (see above with my IPSec rule).

Post by wat0114 on 3/6/2012, 06:10

I did a little bit of malware testing within the past few years, maybe only 20 samples or so, and all those that attempted to connect outbound were stopped by the firewall. DaveUK has a point, but I get the feeling malware disabling a firewall is mostly theoretical and less so reality.

Post by ssj100 on 3/6/2012, 08:29

wat0114 wrote:I did a little bit of malware testing within the past few years, maybe only 20 samples or so, and all those that attempted to connect outbound were stopped by the firewall. DaveUK has a point, but I get the feeling malware disabling a firewall is mostly theoretical and less so reality.
What I struggle to understand is why one would need this outbound control in the first place when they are:
1. installing "trusted" software only
2. having some form of execution control, preferably default-deny

Also, I remain uncertain that a firewall can recognise and/or block outbound connections when eg. scripting code is involved within the already "trusted" application. What I mean by "trusted" is that the application is allowed to connect out. Any thoughts specifically on this wat0114?

Again, the only significant use of outbound control that I can think of right now is to restrict a specific sensitive browsing session. However, that may be more trouble than it's worth. Right now, a banking session for me is not much trouble at all with this setup/approach, but this is because I only need to connect to one possible IP address during such a session.

Post by wat0114 on 3/6/2012, 10:08

ssj100 wrote:
What I struggle to understand is why one would need this outbound control in the first place when they are:
1. installing "trusted" software only
2. having some form of execution control, preferably default-deny

I just see it as an added insurance policy, and then using the inbuilt Win7 fw there's no introduction of 3rd-party software, so no slowdowns or conflicts.

Also, I remain uncertain that a firewall can recognise and/or block outbound connections when eg. scripting code is involved within the already "trusted" application. What I mean by "trusted" is that the application is allowed to connect out. Any thoughts specifically on this wat0114?

Well I'm not too sure of this either, but at least the trusted application can be restricted, as I do, to specific remote ports. With browsers, for example, I restrict them to: 80, 443, 554, 1755 & 1935. I often saw malicious applications attempting to connect remotely to, for example, port 82. This is not to say no malware will attempt connections to the common ports I restrict browsers to, but at least the scripting code should, at least theoretically if I understand this correctly, be prevented from connections to other than those ports one has assigned their applications to.


Post by ssj100 on 3/6/2012, 11:06

wat0114 wrote:I just see it as an added insurance policy, and then using the inbuilt Win7 fw there's no introduction of 3rd-party software, so no slowdowns or conflicts.
That's true, utilising what's built-in is always good - as I said, I do that with IPSec and banking.

My understanding of my IPSec rule is that ALL connections are prohibited (including internal LAN and remote access connections) except the connection to one specific IP address via Port 443 with TCP protocol. As far as I understand, it is a universal rule that applies to any code running in the system, even if it has Administrator access. That is, it doesn't just apply or base its rule on an application level - it does it at a universal (network) system level, if that makes sense. It's sort of like disabling the network card - this would cut off all connections totally, and not just cut off connections for certain applications. I think my IPSec rule effectively does this, but allows that solitary connection. This means that even "malicious scripting code running in memory" should not be able to connect out anywhere except to this specific IP address. Can Windows 7's built-in firewall be configured like this?

wat0114 wrote:but at least the scripting code should, at least theoretically if I understand this correctly, be prevented from connections to other than those ports one has assigned their applications to.
Yes, that would be nice if that was the case. I wonder if anyone can confirm this. My concern is if scripting code could be programmed to run as an "independent enough entity" so that it is separate from the eg. browser (perhaps this could be achieved via a wicked browser exploit with text code), then this entity should be able to call out freely to any IP address via any port. If the firewall can recognise and alert the user of such code, it wouldn't be a problem. However, something tells me firewalls can only recognise PE executables, and in fact only some of them. If this is true, I see this as a rather large hole in firewalls and it's no wonder why just about every company is combining them with Classical HIPS.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
ssj100
Administrator

Posts : 1389
Join date : 2010-04-14

Re: Why use a third party software Firewall?

Post by ssj100 on 4/6/2012, 02:43

p2u does make a valid point about setting eg. IE as the default browser and disallowing any internet access through it. Check out this test:
http://mark0.net/soft-leakout-e.html
The test demonstrates that if you have a browser open (which is set as default) and which you use to browse the internet, a malicious code could use it as a vessel to connect to the internet and send out your personal information.

But this only becomes relevant if the malicious code could start/run in the first place. If one has a default-deny policy in place, I don't see how this would make it through, unless the malicious code is operating outside the scope of the default-deny policy. This could occur if the malicious code is not a typical PE executable and is instead some esoteric executable code. However, if this was the case, I don't see how even a "properly configured" firewall can help, unless the firewall can recognise this esoteric executable code as an "application".

As far as I can tell, all firewalls appear to only function at an "application" level. It's sort of like how Sandboxie's start/run restrictions pretty much only apply to ".exe files" (classic PE executables).

I note that Blues uses PrivateFirewall - when I tested it some time ago, it had some sort of HIPS functionality built into it. As I've implied in my previous post, perhaps this is because the firewall component only functions at an application (PE executable) level - the HIPS component is to stop more esoteric executable code from running in the first place, although something tells me PrivateFirewall's HIPS component is nowhere near as solid/comprehensive as eg. Malware Defender. By stopping the executable code from running in the first place, it obviously will prevent any outgoing connections from the code - the "if it can't execute, it can't infect" mantra.

ssj100
Administrator

Posts : 1389
Join date : 2010-04-14

Re: Why use a third party software Firewall?

Post by blues on 4/6/2012, 03:18

I can't speak to that, SSJ, as I'm no expert when it comes to the minutiae under the hood with HIPS or firewalls...that said, Bellgamin did mention on Wilders that PF reported every single instance that NoVirusThanks Exe Radar Pro (a standalone anti-executable) alerted to.

You can look at the features of PF here:
https://www.privacyware.com/personal_firewall.html

And if you contact them with a question, Greg Salvato, the CEO, usually responds extremely quickly. If he doesn't have the answer he'll get one from his development team.

Perhaps worth exploring.

blues
Member

Posts : 42
Join date : 2010-11-25

Re: Why use a third party software Firewall?

Post by wat0114 on 4/6/2012, 03:28

ssj100 wrote:
My understanding of my IPSec rule is that ALL connections are prohibited (including internal LAN and remote access connections) except the connection to one specific IP address via Port 443 with TCP protocol. As far as I understand, it is a universal rule that applies to any code running in the system, even if it has Administrator access. That is, it doesn't just apply or base its rule on an application level - it does it at a universal (network) system level, if that makes sense.

Yeah, that makes sense. The same thing can be done with the Win7/Vista w/advanced security. In my setup it's only those programs I define in each rule that are allowed access to only specific defined ports and/or IP addresses, and protocol. One could easily set up a rule to govern universally such as eg:

Program: any
remote port: 443
remote ip: user-defined
protocol: TCP

ssj100 wrote: p2u does make a valid point about setting eg. IE as the default browser and disallowing any internet access through it. Check out this test:
http://mark0.net/soft-leakout-e.html
The test demonstrates that if you have a browser open (which is set as default) and which you use to browse the internet, a malicious code could use it as a vessel to connect to the internet and send out your personal information.

But this only becomes relevant if the malicious code could start/run in the first place. If one has a default-deny policy in place, I don't see how this would make it through, unless the malicious code is operating outside the scope of the default-deny policy. This could occur if the malicious code is not a typical PE executable and is instead some esoteric executable code. However, if this was the case, I don't see how even a "properly configured" firewall can help, unless the firewall can recognise this esoteric executable code as an "application".

As far as I can tell, all firewalls appear to only function at an "application" level. It's sort of like how Sandboxie's start/run restrictions pretty much only apply to ".exe files" (classic PE executables).

Yes, a default-deny policy would first have to be circumvented before this type of malware becomes an issue. Applocker stopped the test easily, so I ran it as administrator. As the site implies, it doesn't do anything too special, other than direct the browser to its designated site, and probably reveals information found in a typical TCP packet header upon the initial outbound connection. As for firewalls working only at application level, again, most can be set up to restrict specific applications or all applications. Scripts would certainly pose a potential issue as you allude to, although I suppose with a plug-in like NoScript for Firefox, or scripting control available in a default-deny policy, this threat can be mitigated if not eliminated easily with the correct knowledge and approach. BTW, I can't say for sure, but I think x-site scripting attacks are probably a greater concern than malicious scripts launched locally.

I note that Blues uses PrivateFirewall - when I tested it some time ago, it had some sort of HIPS functionality built into it. As I've implied in my previous post, perhaps this is because the firewall component only functions at an application (PE executable) level - the HIPS component is to stop more esoteric executable code from running in the first place, although something tells me PrivateFirewall's HIPS component is nowhere near as solid/comprehensive as eg. Malware Defender. By stopping the executable code from running in the first place, it obviously will prevent any outgoing connections from the code - the "if it can't execute, it can't infect" mantra.

Indeed, a very important motto (if it can't...) to remember.

wat0114
Advanced Member

Posts : 152
Join date : 2010-05-11

Re: Why use a third party software Firewall?

Post by ssj100 on 4/6/2012, 07:02

wat0114 wrote: Yeah, that makes sense. The same thing can be done with the Win7/Vista w/advanced security. In my setup it's only those programs I define in each rule that are allowed access to only specific defined ports and/or IP addresses, and protocol. One could easily set up a rule to govern universally such as eg:

Program: any
remote port: 443
remote ip: user-defined
protocol: TCP
I'm not sure if that's equivalent to the IPSec rule I described. Here you are still defining a "program", meaning it is applied at an application level. So the question is what exactly the firewall means by a "program". With IPSec (at least with the rule I have), there is no way to restrict a particular program or to define it as restricting "any program". Instead, the restrictions are applied at the system network level. As I implied before, it's like a non-discriminatory form of restriction, akin to unplugging one's network cable from the wall. So even if a "leet" hacker managed to run eg. esoteric code in memory and somehow this code was able to make outbound connections, there would be nothing it can connect out to, because the electrical wiring is physically unplugged. That's how I understand the IPSec rule anyway.

I did briefly read that you can employ some "snap-in" function into Windows 7's firewall and you can utilise IPSec too. I'd play around with it, but I just don't have any motivation now since I don't ever plan on moving to Windows 7.

ssj100
Administrator

Posts : 1389
Join date : 2010-04-14

Re: Why use a third party software Firewall?

Post by wat0114 on 4/6/2012, 08:55

ssj100 wrote:
I'm not sure if that's equivalent to the IPSec rule I described. Here you are still defining a "program", meaning it is applied at an application level. So the question is what exactly the firewall means by a "program". With IPSec (at least with the rule I have), there is no way to restrict a particular program or to define it as restricting "any program". Instead, the restrictions are applied at the system network level.

My example may not be the best to use. With Win7 firewall anything not defined in a rule is denied by default. Sure, I guess it's still application level, but this means any rogue app is denied outbound comms. The only issue that might arise, however, is a malicious script scenario you've alluded to, but of course I'm not sure about that.

wat0114
Advanced Member

Posts : 152
Join date : 2010-05-11
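To make the "Program: any / remote port: 443 / remote IP / TCP" rule wat0114 sketched concrete, here is an added example (not posted by anyone in this thread) of the Windows 7/Vista firewall configuration it describes, combined with the default outbound block wat0114 mentions above, so that the single allow rule is the only way out. The bank address 203.0.113.10 and the rule name are constructed placeholders; the commands are the documented netsh advfirewall syntax and must be run from an elevated prompt.

```powershell
# Added example: a Windows Firewall with Advanced Security policy that lets any
# process reach one address on TCP/443 and nothing else, the closest built-in
# equivalent to the IPSec "everything except the bank" rule discussed above.
# 203.0.113.10 (a documentation-range address) stands in for the bank's real IP.

$BankIp   = '203.0.113.10'
$RuleName = 'Banking session - HTTPS to bank only'

# 1. Switch the default outbound action to "block" on every profile. Windows
#    allows outbound traffic by default, so without this step an allow rule
#    changes nothing: every unlisted program could still connect anywhere.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 2. One allow rule with no program= restriction, so it matches any process,
#    not a named executable. Only TCP to port 443 at the single address passes,
#    whatever is making the connection (browser, service, or code hiding inside
#    an allowed process). Note that DNS is blocked too, so the bank must be
#    reached by IP, as the IPSec approach in the thread already requires.
netsh advfirewall firewall add rule name="$RuleName" dir=out action=allow protocol=TCP remoteport=443 remoteip=$BankIp

# 3. Verify what is in force before starting the session.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name="$RuleName"

# When the banking session is over, remove the rule and restore the usual
# policy (outbound allowed by default, inbound blocked):
#   netsh advfirewall firewall delete rule name="$RuleName"
#   netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
```

Because the default outbound block also stops DHCP renewals and Windows Update during the session, this is an on-demand configuration, in the same spirit as the "IPSec (on-demand)" entry in ssj100's signature, not one to leave in place permanently.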

Re: Why use a third party software Firewall?

Post by ssj100 on 4/6/2012, 09:00

I suppose we need to know what level of outgoing communication is possible in the first place. For example, is it even possible for non-PE executables to make outgoing connections? If it's not possible, then the firewall controlling application outbound connections should be sufficient. The only scenario where it would be bypassed is in the case of a rogue executable hijacking an allowed PE-executable (eg. iexplore.exe) and using this allowed process to make outgoing connections back to the hacker's IP address. Of course, this rogue executable would obviously need to get on to your system first, and secondly, be able to execute.

ssj100
Administrator

Posts : 1389
Join date : 2010-04-14

Re: Why use a third party software Firewall?

Post by wat0114 on 4/6/2012, 09:06

ssj100 wrote: The only scenario where it would be bypassed is in the case of a rogue executable hijacking an allowed PE-executable (eg. iexplore.exe) and using this allowed process to make outgoing connections back to the hacker's IP address. Of course, this rogue executable would obviously need to get on to your system first, and secondly, be able to execute.

True enough (with regards to your last sentence). In reality the firewall is not enough. It's more of a way to restrict comms of both trusted applications as well as untrusted ones that might somehow make it past the initial defenses of default-deny, LUA, antivirus, etc...

wat0114
Advanced Member

Posts : 152
Join date : 2010-05-11

Re: Why use a third party software Firewall?

Post by D1G1T@L on 4/6/2012, 09:11

The real reason that 3rd party firewalls exist is just the marketing hype. The way they get people is by convincing them that since Windows is insecure, anything on it is not up to the task. I know this is how I felt in the beginning before I read up on this.

However, as time went by and I've seen one bloated suite too many, I came to the conclusion that it was a load of baloney. Sometimes the best options are the ones in front of us all the time.

D1G1T@L
Moderator

Posts : 13
Join date : 2012-06-04

Re: Why use a third party software Firewall?

Post by ssj100 on 4/6/2012, 09:28

wat0114 wrote: In reality the firewall is not enough. It's more of a way to restrict comms of both trusted applications as well as untrusted ones that might somehow make it past the initial defenses of default-deny, LUA, antivirus, etc...
That's an interesting one. I've seen many people mention this over the years - the firewall (for outbound control) is an important part of a layered security setup. I suppose this is valid. Let me go through a possible real-world scenario in my case:
1. I visit a compromised web-site.
2. The site serves up some executable code which spontaneously executes, bypassing Sandboxie's start/run restrictions and SRP, and also bypasses NoScript.
3. The code now resides in memory only and is acting as a keylogger.
4. Logged keys are sent out to the hacker's IP address.

Now I suppose a software firewall controlling outbound traffic would be able to recognise this memory only process (or would it?) attempting to send out connections. The firewall would therefore be able to give the user an alert or silently deny this traffic. But if the keylogger is using the browser to send out the logged keys to the hacker's IP address, wouldn't this defeat the firewall? And if the firewall is restricted "too much", wouldn't this be inconvenient? I guess what I'm getting at is that perhaps the best use of "outbound control" is to apply it to sensitive browsing sessions only. I mean, I wouldn't care if a hacker was keylogging this post as I type it haha. On the other hand, one could argue that being alerted by the firewall (or somehow sifting through the firewall logs and recognising "malicious activity") would be useful at least to eg. inform you to "empty the sandbox and start your browsing session again".

I know this is all speculation. It's something that I've never had a good understanding on.

EDIT:
In any case, my security approach is to use a "banking sandbox" which basically has no third party add-ons associated with it and is basically "freshly installed" and at its default configuration (eg. absolutely no history/cookies etc in it). As many of us know, with Sandboxie, this is very easy to achieve. For the last few months, for banking, I've taken it to the next level and restricted all network connections during such a session to only the bank's IP address. This means that even if my system was full of actively running logging malware, my banking session would be safe. It also defeats all forms of phishing.


Last edited by ssj100 on 4/6/2012, 09:38; edited 1 time in total

ssj100
Administrator

Posts : 1389
Join date : 2010-04-14
