
Thread: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

  1. #11
    monster_z Guest

    Re: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

    Hi, Oldsod!

    1. I'm grateful you have answered my questions.
    However, I must note that you might have misunderstood me.
    I'm using ZA Pro and NOD32 antivirus; to me this is the best combination you can get.
    Since the first time I came into contact with computers, when I was a total newbie, my friends have advised me to get ZA Pro or ZA Internet Security Suite.
    I might say that I have become a ZA fanboy; I trust the company and have never experienced computer slowdowns except when ZA 7.0.302.000 was buggy.
    That's why I will never use a hardware firewall or router or anything like it; there is no need to.

    The question I asked your opinion on, regarding ZA not protecting from these internet worms, is because I was extremely suspicious about this thing.
    I was using ZA for over 2 years, I've been visiting ALL KINDS OF WEBSITES, BECAUSE I decided that this was the best way to test ZA's inbound protection. Nothing could pass through ZA, literally nothing.
    My friend Tony, who basically recommended ZA to me, has asked his cousins, who are supposedly hackers and have supposedly developed a program for breaking into any computer.

    Now, my friend said to me that this was a great opportunity to test ZA's version 6.5.737.
    He gave them his IP address, and they tried to break into his Windows XP for over an hour.
    Guess what?
    Not only did ZA block about 1000 intrusions of whatever malware they tried to sneak inside his computer, but the computer was also 100% invisible and all ports were closed.
    Now, please take into account that these attacks and attempts to install this malware
    were REAL, not some leak-tests.

    That's why I'm extremely suspicious about what a poster named Santucci on CNet.com said, that ZA is vulnerable to Internet worms; honestly I don't know what he was talking about at all.

    Simply put: ZA has never failed me or my friend; that's why we use it.


    2. Regarding leak-tests. I completely agree with you. There are other serious security vendors as well who have said the same thing about leak-tests and who test with real malware.
    I think that the whole leak-test hysteria is responsible for why many vendors have left inbound protection.
    Many vendors and leak-testers don't realize that when you buy a PC it's 100% clean, which means you need inbound protection much more than outbound protection.
    This is my view.

    Also, regarding the website you gave, the link is "blind".
    http://www.personalfirewall.**bleep**.com/leaktest.html

    It seems to me that some words can't be written on this message board.


    3. One question regarding users having problems with ZA (computer slowdowns, incompatibility with other security software, CPU and memory usage, etc.).
    Oldsod, I've read that many of the users, or some of them at least, are having problems with installation/uninstallation of ZA, CPU and memory usage, or they think ZA is buggy.
    Here is what is weird: I HAVE NEVER HAD ANY PROBLEM WITH ZONE ALARM, never, that's why I can't understand what the other users are talking about.
    Since you're one of the moderators, you might know what the main reasons are.

    4. I don't know how much you read PC Magazine's reviews, but ZAISS is always at the top more or less, but it seems to me that Neil Rubenking only uses default settings to test ZA; that's why some of the malware he tests gets inside the computer, like the performance of blocking/preventing the installation of 17 malware samples out of 20.

    Or ZA Anti-Spyware blocked 6 of 8 spyware samples; again I think it's on the default level.


    P.S.:
    I just hope you'll be around here in about 2 months when I ask you how to configure ZA Pro.


    Thank you for your time and patience, again.
    I just hope I didn't take too much of your time since the thread is quite big.

  2. #12
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

    Hi Monster-Z

    First, I have to say I am not a Moderator (employed by ZA), just a Guru (helper for free).

    ZA has been a very reliable firewall for years. The driver has excellent self-protection and is unstoppable by malware infections or attacks. Even if ZA is attacked and the GUI does not work, vsmon.exe still keeps on working. ZA in this situation will either do a complete lockup (nothing will get in or out) or the GUI will not appear and the firewall will not allow any new entries and will continue to do its firewalling duties. It is that solid.

    Routers? I use two routers chained together, both doing SPI/NAT.
    Some do not like/use routers and some do. I have always had at least one router and find the home network is a lot quieter with just one in front of the PC.

    Internet worms should be easily blocked by any firewall for any home user, either a hardware or a software firewall. Even the Windows built-in firewall will stop internet worms.

    Hacker attempts only succeed if there are open ports and something is responding on the open port (if there is an application using the open port). Or if the user has installed malicious software, or if there was some drive-by/self-install from either email or web browsing.

    I really doubt ZA would allow a hacker in unless the user really tried hard to help the hacker, or got fooled by the hacker and did something silly.


    Oops, sorry about the link. I thought you might have guessed it.

    http://www.personalfirewall.c****o.com/leaktest.html

    My gripe with the magazines: they only use 20 samples, whereas a proper test would use thousands. Twenty is too selective; it can make a scanner look either good or bad depending on the choice of samples. Plus, often they are swayed by money: the usual sponsors or regular advertisers will get good reviews. Some of the independent blogs and small-time reviewers may get some sort of financial incentive from vendors to show favorable reviews for their products.

    Bad ZA issues start with bad downloads (not the proper download site, or web accelerators/download managers were used), bad installs (remnants of other uninstalled firewalls or networking applications), too many security applications running (two firewalls or two AVs or too many active spyware scanners), Windows being mismanaged or abused (files damaged or missing) by either the user or malware, bad hardware (failing HDD or bad memory modules, failing video/audio cards, etc.), old or outdated drivers (these need to be updated from time to time), and even running applications while installing, or not letting the installation finish properly. It is usually a user error or a Windows issue.
    Firewalls in general work intensely at certain levels in the OS, and if there is something wrong there, then the firewall will have issues as a result.

    Read any forum and see there are always issues, for either the firewall or the AV or both. Forums are sometimes the worst place to see if a product is good or bad; the users posting usually post because they have some sort of problem, not because they have no issues.

    These replies do not take too much time, and if they did take time, I would still reply in full.

    Okay back to your first post:

    Block these for both TCP and UDP in ZA | Main | Internet Zone Security | Custom, if you still need to permanently close ports in the firewall:

    7 (echo)
    9 (discard)
    13 (daytime)
    17 (qotd)
    19 (chargen)
    23 (telnet)
    37 (time)
    70 (gopher)
    79 (finger)
    88 (kerberos)
    113 (ident)
    119 (nntp)
    135 (epmap)
    137 (netbios-ns)
    138 (netbios-dgm)
    139 (netbios-ssn)
    194 (irc)
    389 (ldap)
    445 (microsoft-ds)
    500 (isakmp)
    515 (printer)
    530 (courier)
    531 (chat)
    554 (rtsp)
    604 (tunnel)
    631 (ipp)
    647 (dhcp-failover)
    1067 (instl_boots)
    1068 (instl_bootc)
    1900 (ssdp)
    2689 (fastlynx)
    3389 (ms-wbt-server)
    4500 (ipsec-nat-t)
    5000-65535 (blocks all unneeded, including some P2P, the rest of the IRC and some games; 5000 is complex-main or UPnP)

    The above list is a paranoid list.
    If there is no application to respond to the port(s) or using the port, then there never was a risk to begin with.
    ZA always keeps all ports stealthed and closed by default.

    Plus, I am guessing these ports are OK for you to block. If something goes wrong (does not connect), then check the ZA logs in the Log Viewer and see what got blocked. Then make the appropriate changes to allow the needed port.
    Also, this is almost a backwards approach, because the Expert rules of the Firewall should be used to allow the required port ranges for the destinations and/or sources, along with the internet servers' IPs, in many of the Expert rules of the Firewall.

    Oldsod.

    Message Edited by Oldsod on 03-03-2008 05:27 AM
    Best regards.
    oldsod
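Oldsod's point that a blocked port only matters if something is listening on it can be checked on the box itself. The following Python is an added example (not code from this thread or from ZoneAlarm): it expands the paranoid block list posted above, parses a `netstat -an` dump in Windows format, and reports which listeners the list covers and which it leaves open. The netstat output embedded below is constructed to look like a typical XP-era workstation; the port numbers and addresses in it are assumptions, not captured data. To use it on a real machine, save `netstat -an` output to a file and pass its contents to `parse_listeners()`.

```python
"""Audit a 'paranoid' port block list against what is actually listening.

Added example, not from the ZoneAlarm thread. The port list is the one posted
above; the netstat output is constructed for illustration.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# The block list from the post, as strings so ranges can be written naturally.
PARANOID_LIST = [
    "7", "9", "13", "17", "19", "23", "37", "70", "79", "88", "113", "119",
    "135", "137", "138", "139", "194", "389", "445", "500", "515", "530",
    "531", "554", "604", "631", "647", "1067", "1068", "1900", "2689",
    "3389", "4500", "5000-65535",
]

# Constructed sample of `netstat -an` output in Windows format (assumption:
# a typical XP-era workstation; not captured from any real machine).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1031      93.184.216.34:80       ESTABLISHED
  UDP    0.0.0.0:123            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:4500           *:*
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
  UDP    192.168.1.10:1900      *:*
"""

Listener = Tuple[str, int]


def expand_ports(specs: Iterable[str]) -> Set[int]:
    """Turn entries like "23" or "5000-65535" into a set of port numbers."""
    ports: Set[int] = set()
    for spec in specs:
        lo, _, hi = spec.partition("-")
        start, end = int(lo), int(hi or lo)
        if not 0 < start <= end <= 65535:
            raise ValueError(f"bad port spec: {spec}")
        ports.update(range(start, end + 1))
    return ports


# proto, local address, local port, foreign address, optional state column
_NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_text: str) -> Set[Listener]:
    """Return (proto, local_port) pairs that would answer an unsolicited packet.

    TCP sockets count only in LISTENING state; a UDP socket has no state
    column, so any bound UDP socket is treated as a listener.
    """
    listeners: Set[Listener] = set()
    for line in netstat_text.splitlines():
        m = _NETSTAT_LINE.match(line)
        if not m:
            continue                      # headers, blank lines, IPv6 oddities
        proto, _local, port, _remote, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                      # established/closing flows are not listeners
        listeners.add((proto, int(port)))
    return listeners


def audit(listeners: Set[Listener], blocked: Set[int]) -> Dict[str, List[Listener]]:
    """Split listeners into those the block list covers and those it leaves open."""
    return {
        "covered": sorted(l for l in listeners if l[1] in blocked),
        "exposed": sorted(l for l in listeners if l[1] not in blocked),
    }


if __name__ == "__main__":
    result = audit(parse_listeners(SAMPLE_NETSTAT), expand_ports(PARANOID_LIST))
    for key in ("covered", "exposed"):
        print(key)
        for proto, port in result[key]:
            print(f"  {proto} {port}")
```

On the constructed sample the list covers the NetBIOS, RPC, RDP, IPsec and SSDP listeners, but an RPC endpoint on TCP 1025 and the NTP client on UDP 123 fall outside it. That is the practical reading of Oldsod's last paragraph: a block list of "known bad" ports is only as good as the list, whereas Expert rules that allow the needed ports and block everything else do not depend on guessing which ports something will be listening on.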

  3. #13
    monster_z Guest

    Re: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

    Hi, Oldsod.
    1. Big thank you for this configuration help.
    However, one thing bothers me: if I do this configuration, would it block my NOD32 antivirus automatic updating?

    2. I just found your very interesting post regarding leak-tests:
    http://forum.zonealarm.com/zonelabs/...ssage.id=35077

    In this post you specifically said this:
    Fifth: Much is beaten by the host list. The host list in the PC is huge. This simple/free/no-resources-required/not-software approach easily defeats a lot of malware sites. The list varies in size, as I change the updates, but is usually a minimum of 3 MB to 5.5 MB maximum. Also, the lack of spy cookies and ads is nice and does give faster browsing.

    I apologize for my limited knowledge, but what did you mean by host list?

    3. You also said that you use a lot more tricks, but that these are the most common ways to beat leak-tests.
    What other tricks do you use, if you don't mind?


    4. On the following website you'll see that it is possible to terminate some of ZoneAlarm's self-protection processes; could you comment on it:
    http://www.matousec.com/projects/fir...ge/results.php

    ZoneAlarm fails Kill2, Kill3f, Kill4, Kill7, Suspend1, Kill9, Suspend2, Crash1, 2, 3, Kill11, and some others were failed too.
    Here is the explanation of all these tests and what exactly they do:
    http://www.matousec.com/projects/fir...evel.php?num=1

    One thing I don't understand is what Matousec means by "using the handle stealing method"???

    What do you think about these termination tests (Kill and Crash tests)?
    Do they really represent a true threat for a firewall like ZA or not?


    5. I read some excellent reviews regarding ZoneAlarm freeware; the reviewer on CNET.com basically says that ZA freeware acts like a brick wall which doesn't let anything through onto the computer without proper authorization, and besides, it's still the most widely used firewall on this planet.
    If ZA freeware doesn't let anything through without proper authorization, does it mean it also has full Stateful Packet Inspection?


    6. One more question:
    Many posters on Wilders Security forums doubt that any software firewall has true, advanced Stateful Packet Inspection (they say supposedly Checkpoint's ZoneAlarm doesn't have SPI).
    The only true SPI firewall is supposed to be CHX-1 or something like that.
    http://www.wilderssecurity.com/forumdisplay.php?f=31

    Here is the direct link to the thread:
    http://www.wilderssecurity.com/showthread.php?t=191873
    http://www.wilderssecurity.com/showt...873&page=5 (some explanations of what SPI really is)

    And here is the detailed explanation of what full SPI really is, by Checkpoint:
    http://www.checkpoint.com/products/d...Inspection.pdf
    Shouldn't ZA have this kind of SPI, like shown in this Checkpoint PDF text?

    Basically, what I found out is that they don't believe that any software firewall possesses fully-featured SPI. Unfortunately there is nobody on the forum who can actually prove that ZA has SPI.
    They also say that just because Checkpoint (or any other company/firewall vendor) said that they put fully implemented SPI in ZA (or any other software firewall) doesn't mean they did, since these are only words.
    Maybe you should drop in and answer, if you know the correct reply.

    According to Stem, firewall moderator, SPI should have interception of TCP to the sequence number,..... for such as UDP, a state table of outbound (record the outbound packet, with a timeout for reply), the same for such as ICMP but more logic is needed (as an outbound ping could give a reply as "reply" or "timeout" etc).
    There are a number of firewalls that say they give such; to what degree is in question.

    Thank you for your time and patience.

  4. #14
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

    [Oldsod quoted monster_z's post #13 above in full.]


    Nope, NOD will still update, as it uses HTTP from its servers and the block list does not include HTTP (or HTTPS or FTP).

    The host list is what you already have: a block list in the hosts file. By the sound of it, over 3 MB is a good-sized list.
    Note only sites in the block list will be blocked, and if a malware is not in that list, it still can "phone home" to its server, if allowed out.
    I stopped using a hosts block list and long ago moved on to dedicated IP blocking (customized list) and URL blocking (with wildcards) in desktop proxy filtering.

    Industrial firewalls such as Checkpoint do offer ICMP and UDP filtering with SPI. The majority of desktop firewalls do not. Usually the business class of desktop firewalls will offer this feature; however, this falls off in the consumer market, and these firewalls have other added features with the usually or normally available configurations.

    ICMP and UDP SPI is important for servers and enterprise and business, but not really needed for the private user. See below.

    CHX-1 does offer limited UDP and ICMP SPI besides the usual TCP SPI, but it is very outdated and is just for inbound connections. It would fail all if not most of the leaktests and kill tests, if you place any merit in these.

    Leaktests are a backwards and trendy way of doing firewall comparisons. A leaktest just assumes the thief was allowed easy access into the house, was never arrested by the security or was allowed access by the system to any part of the system, and is then stopped from leaving.
    Seems to me the antivirus and antispyware and whatnot should have caught the thief before entering the house or attempting to fill his looting sack and then leave?
    Maybe leaktests are more a systems test and security test and not a firewall test?
    Run KAV Proactive or SSM or some advanced HIPS and not any kind of firewall, and the leaktest results rival those of any firewall or come close to the "perfect" firewall.

    Firewalls control port, protocol and IP, and not the system itself. Even though it is now a selling point or collecting laurels, it is still not what a firewall is specifically designed to do.

    Zone Alarm has SPI. Not the full ICMP and UDP, but full TCP. This is sufficient for home users and many business users.
    Why you ask?

    UDP is commonly set up and used for DNS and DHCP. Little else. These are watched by ZA, and any other attempts by a hijacker using other DNS and DHCP would be detected and alerted.
    This is in the default settings. It can be enhanced with expert rules; see below.

    The vast majority of internet connections are TCP over IP, not UDP over IP: the usual updaters, browser connections, web mail and others use TCP, not UDP nor ICMP.

    ICMP is seldom used. Pings, tracert, "internet address is out of reach" and "internet address is unavailable" are the most common uses of ICMP for a home user. In the default settings of Zone Alarm, the unwanted ICMP types and unwanted directions are blocked.
    This can be enhanced using expert rules; see below.

    OK. The basic configuration in ZA | Firewall | Main | Advanced for ICMP is accepted to be secure regarding ICMP.
    I actually set up an Expert rule for ICMP for both incoming and outgoing, yet it is almost redundant since it mimics the default setting. But I set the Expert rules with Log and Alert, so any ICMP attempts and events are closely watched.
    In so many ways, once a desktop is set up and is behind a router, ICMP is not even needed. Unless you wish to do a ping or tracert or nslookup or arp or ipconfig, or have a nice browser connection (or lack of connection). You are probably the same as most users and have Reply to Pings disabled in the router. Home users should really have no fear of ICMP. Servers and businesses do need to have the other ICMP types allowed, and even the usually-not-allowed directions allowed.
    They have to, or else they could not be pinged or reached and would be out of business in no time.

    Ping... Echo Request Out (type 8) and Echo Reply In (type 0). Incoming pings (Echo Request) are not allowed in, to hide the presence of your computer, but any internet server needs to allow these two plus it needs the extras, Echo Reply Out (type 0) and Echo Request In (type 8), to allow any response to pings and be seen by any computer or server.

    Messages with "Internet address is unavailable"... Destination Unreachable (type 3) In and Out. The only IPs sending legit incoming Destination Unreachable are your DNS server and often P2P servers; delays and timeouts will be seen in the PC if the incoming is blocked. Any other direction is not really needed for a home user. Usually the incoming is needed, and the outgoing is needed and not used.
    Internet servers need to allow both incoming and outgoing Destination Unreachable to be functional.

    Tracert and messages showing an Internet address is out of reach are done with.... Time Exceeded for a Datagram (type 11). Allow incoming and not outgoing. But if tracert breaks, then allow outgoing too (then unsolicited tracerts will be allowed). Again, internet servers need to allow both directions.

    My ICMP rules, and these are actually a bit loose (I do some unusual things), but I have alert and log for each rule; keep the finger on the pulse:

    State: Enabled
    Action: Allow
    Track: Alert and Log
    Name: ICMP out
    Comments: Echo Request (8) (Pings), Destination Unreachable (3) (Internet Address unavailable), Time Exceeded (11) (Internet Address is out of reach and for tracert)
    Source: Any
    Destination: Any
    Protocol: Types 8, 3, 11

    State: Enabled
    Action: Allow
    Track: Alert and Log
    Name: ICMP in
    Comments: Echo Reply (0) (ping), Destination Unreachable (3) (Internet Address is unavailable), Time Exceeded (11) (Internet Address is out of reach and tracert)
    Source: Any
    Destination: Any
    Protocol: Types 0, 3, 11

    Now if you say there is no true SPI for ICMP, then keep in mind I have yet to see any unexpected alert or entry in the log regarding any of the ICMP types. It just does not happen.
    Tracert and arp and ipconfig do not go anywhere unusual, just the DHCP and the DNS servers. Pings have to occur outside the DNS and the DHCP, yet the real need to do SPI is not there for a home user. An internet server, I understand, would need SPI for ICMP, but a home user, not very likely!

    Now to the TCP and UDP rules:

    State: Enabled
    Action: Allow
    Track: Alert and Log
    Name: Common
    Comments: Browsers and Updaters
    Source: My Computer
    Destination: Internet Zone
    Protocol: HTTP, HTTPS, FTP

    Note I called it Common for lack of a better label. HTTP and HTTPS are just TCP and no UDP is involved. No need for SPI of UDP if it does not exist. Protocols involved are destination port 80 for HTTP and destination port 443 for HTTPS, and in both cases just the 1020-5000 source port range is applied. FTP is remote port 21 and it is still basically TCP over IP, not UDP over IP.

    Now the only two main UDP connections are DNS and DHCP, both rules to the specific servers and specific ports. All by dns and bootps and bootpc and the correct PC port(s) and the correct IP. The DHCP is "MAC'd" with the correct MAC address. The block-all rule at the end of my expert rules means no DHCP or DNS connections other than what is specified.

    Hmm, I do have just one other specific rule for UDP: the time server. But it is locked to the specific IP range and specific ports. Is there a need for SPI when simple packet filtering for a .gov server is all that is needed and no other server is involved, or better said, just one server and no associated servers?

    State: Enabled
    Action: Allow
    Track: Alert and Log
    Name: Time Server
    Comments: time-a.nist.gov time updaters
    Source: My Computer, time-a.nist.gov
    Destination: My Computer, time-a.nist.gov
    Protocol: One rule with destination port of 123 UDP and allow source from 1000-5000 and one rule with source port of 123 UDP and allow destination of 1000-5000.

    The last rule is block-all; this means the unwanted connections are blocked off. This includes any unwanted UDP and unwanted ICMP connections by port or IP.

    Oldsod.

    Message Edited by Oldsod on 03-27-2008 12:25 PM
    Best regards.
    oldsod
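Stem's definition of SPI quoted in post #13 (TCP tracked down to the sequence number, a UDP state table of outbound datagrams with a reply timeout, and ICMP needing extra logic because one outbound ping can legitimately come back as a reply, a Destination Unreachable or a Time Exceeded) is small enough to write down. The Python below is an added illustration of that definition, not ZoneAlarm's, CHX-1's or Checkpoint's code; the timeouts, the window size, the addresses and every packet in the scenario are constructed for the demonstration. It models the cases Oldsod's rules above rely on: a DNS reply and a Destination Unreachable from the DNS server get in because the query went out first, a Time Exceeded from an intermediate hop gets in because it quotes our own echo request, while an unsolicited NetBIOS datagram, a SYN scan, a SYN/ACK with the wrong acknowledgement number, a replayed echo reply and a late DNS reply are all dropped.

```python
"""Minimal stateful packet inspection (SPI) table: TCP handshake and sequence checks, a UDP
outbound table with reply timeout, ICMP request/reply pairing. Added illustration; values constructed."""
from dataclasses import dataclass
from typing import Dict, Optional

UDP_TIMEOUT, ICMP_TIMEOUT, TCP_WINDOW = 30.0, 5.0, 65535    # assumed values, not ZoneAlarm's
ECHO_REPLY, UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11

@dataclass(frozen=True)
class Packet:
    proto: str                        # "TCP", "UDP" or "ICMP"
    direction: str                    # "out" (from this host) or "in"
    src: str
    dst: str
    sport: int = 0                    # for ICMP echo: the identifier field
    dport: int = 0
    flags: str = ""                   # TCP flags, e.g. "S", "SA", "PA"
    seq: int = 0
    ack: int = 0
    icmp_type: int = -1
    inner: Optional["Packet"] = None  # datagram quoted inside an ICMP error message

def flow_key(p: Packet) -> tuple:     # (local ip, local port, remote ip, remote port)
    return (p.src, p.sport, p.dst, p.dport) if p.direction == "out" else (p.dst, p.dport, p.src, p.sport)

class StateTable:
    def __init__(self) -> None:
        self.tcp: Dict[tuple, dict] = {}        # flow -> {"state", "isn", "peer_next"}
        self.udp: Dict[tuple, float] = {}       # flow -> expiry time
        self.icmp: Dict[tuple, float] = {}      # (target, echo id) -> expiry time

    def inspect(self, p: Packet, now: float) -> bool:
        """True if allowed. Inbound packets need matching state; nothing else gets in."""
        for table in (self.udp, self.icmp):     # drop entries whose timeout has passed
            for k in [k for k, exp in table.items() if exp <= now]:
                del table[k]
        return {"TCP": self._tcp, "UDP": self._udp, "ICMP": self._icmp}.get(p.proto, lambda _p, _n: False)(p, now)

    def _tcp(self, p: Packet, now: float) -> bool:
        key = flow_key(p)
        if p.direction == "out":
            if p.flags == "S":                                  # new outbound connection
                self.tcp[key] = {"state": "SYN_SENT", "isn": p.seq, "peer_next": 0}
            return key in self.tcp                              # data only on tracked flows
        flow = self.tcp.get(key)
        if flow is None:
            return False                                        # unsolicited (e.g. a SYN scan)
        if flow["state"] == "SYN_SENT":
            if p.flags != "SA" or p.ack != flow["isn"] + 1:
                return False                                    # SYN/ACK with the wrong ACK number
            flow["state"], flow["peer_next"] = "ESTABLISHED", p.seq + 1
            return True
        if "A" in p.flags and flow["peer_next"] <= p.seq < flow["peer_next"] + TCP_WINDOW:
            flow["peer_next"] = p.seq                           # simplified sequence window check
            return True
        return False

    def _udp(self, p: Packet, now: float) -> bool:
        if p.direction == "out":
            self.udp[flow_key(p)] = now + UDP_TIMEOUT
        return p.direction == "out" or flow_key(p) in self.udp  # reply to a recent datagram only

    def _icmp(self, p: Packet, now: float) -> bool:
        if p.direction == "out":
            if p.icmp_type == ECHO_REQUEST:
                self.icmp[(p.dst, p.sport)] = now + ICMP_TIMEOUT
            return p.icmp_type in (ECHO_REQUEST, UNREACHABLE, TIME_EXCEEDED)  # as the ICMP-out rule above
        if p.icmp_type == ECHO_REPLY:                           # one reply per request
            return self.icmp.pop((p.src, p.sport), 0.0) > now
        q = p.inner                                             # errors must quote a flow we started
        if p.icmp_type in (UNREACHABLE, TIME_EXCEEDED) and q is not None:
            if q.proto == "ICMP":
                return (q.dst, q.sport) in self.icmp
            return flow_key(q) in (self.udp if q.proto == "UDP" else self.tcp)
        return False                                            # inbound echo requests etc.: stealth

def run_scenario() -> Dict[str, bool]:
    """Constructed traffic exercising the table; returns packet name -> allowed."""
    me, dns, web, hop, bad = "192.168.1.10", "192.168.1.1", "93.184.216.34", "10.0.0.1", "203.0.113.7"
    t, v = StateTable(), {}
    query = Packet("UDP", "out", me, dns, 1025, 53)
    v["dns_query_out"] = t.inspect(query, 0.0)
    v["dns_reply_in"] = t.inspect(Packet("UDP", "in", dns, me, 53, 1025), 0.2)
    v["dns_unreachable_in"] = t.inspect(Packet("ICMP", "in", dns, me, icmp_type=UNREACHABLE, inner=query), 0.3)
    v["netbios_unsolicited_in"] = t.inspect(Packet("UDP", "in", bad, me, 4000, 137), 1.0)
    v["dns_reply_too_late"] = t.inspect(Packet("UDP", "in", dns, me, 53, 1025), 40.0)
    v["tcp_syn_out"] = t.inspect(Packet("TCP", "out", me, web, 1031, 80, "S", seq=1000), 41.0)
    v["tcp_spoofed_synack_in"] = t.inspect(Packet("TCP", "in", web, me, 80, 1031, "SA", seq=5000, ack=1), 41.1)
    v["tcp_synack_in"] = t.inspect(Packet("TCP", "in", web, me, 80, 1031, "SA", seq=5000, ack=1001), 41.1)
    v["tcp_data_in"] = t.inspect(Packet("TCP", "in", web, me, 80, 1031, "PA", seq=5001, ack=1001), 41.5)
    v["tcp_syn_scan_in"] = t.inspect(Packet("TCP", "in", bad, me, 40000, 3389, "S", seq=7), 42.0)
    v["ping_out"] = t.inspect(Packet("ICMP", "out", me, web, sport=77, icmp_type=ECHO_REQUEST), 50.0)
    v["ping_reply_in"] = t.inspect(Packet("ICMP", "in", web, me, sport=77, icmp_type=ECHO_REPLY), 50.1)
    v["ping_reply_replayed"] = t.inspect(Packet("ICMP", "in", web, me, sport=77, icmp_type=ECHO_REPLY), 50.2)
    probe = Packet("ICMP", "out", me, web, sport=78, icmp_type=ECHO_REQUEST)
    v["tracert_probe_out"] = t.inspect(probe, 51.0)
    v["tracert_time_exceeded_in"] = t.inspect(Packet("ICMP", "in", hop, me, icmp_type=TIME_EXCEEDED, inner=probe), 51.1)
    v["ping_unsolicited_in"] = t.inspect(Packet("ICMP", "in", bad, me, sport=9, icmp_type=ECHO_REQUEST), 52.0)
    return v
```

The design choice worth noticing is the ICMP branch: an error message is matched not on its own source address (the hop that sent a Time Exceeded is never the host we pinged) but on the packet it quotes, which is exactly the "more logic" the Wilders definition refers to. The TCP branch checks the acknowledgement number on the SYN/ACK and keeps a lower bound on the peer's sequence number afterwards; a real implementation also tracks the advertised window in both directions and handles RST and FIN, which this sketch leaves out.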

  5. #15
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

    zlclient.exe is a component which can be defeated and shut down. However, zlclient.exe is not the firewall; it is just the GUI.

    vsmon.exe is the firewall.
    If vsmon.exe is shut down, or this is attempted, it will do a lockup and stop any or all connection attempts.
    There is only one option available: a lockup page with instructions for the user on how to release his PC from the ZA lockup and have the internet connections returned.

    Keep very much in mind the old adage of fish and hunger and teaching: give a man a fish and he will be fed for a day; teach him to fish and he will always be fed. Too many of the web blogs and sites are pretending to show you how to fish when in fact they are just feeding themselves. They make lots of money from web blogs and sites, and the more readers that show up, the more they get fed!

    Very few offer to actually teach the user how to catch fish and be fed. If they did, they would not have any more "services" to provide and get fed so well. Or have any new readers.
    Some security sites used to teach fishing and how to be an expert fisherman, yet these days it's all talk, hot air, misconceptions and mistakes. And how to spend money or do unneeded testing or use an exorbitant number of security applications or go overboard and use too much security on a single system.

    If Matousec was so great, he would teach you how to fish and not keep you in suspense. His initial introduction to the internet and vendors was "pay me for the exploits in your software or else I will sell them to anybody who asks for them". He still does that. Is this ethical or moral, or is it teaching how to fish, or just getting himself well fed?

    Message Edited by Oldsod on 03-27-2008 12:39 PM
    Best regards.
    oldsod

  6. #16
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

    "3. You also said that you use a lot more tricks, but that these are the most common ways to beat leak-tests.
    What other tricks do you use, if you don't mind?"

    TODAY YOU ARE GOING TO LEARN HOW TO FISH!!!

    This is where you start to learn and think for yourself and become familiar with Windows and the internet and all of the other dreck!!

    First.
    Harden your system. Yup, set the OS to be less vulnerable.
    Close off ports and network events by disabling unneeded services and aspects.

    Second.
    Use the firewall to your advantage; don't just let it run and do it for you. If you are really serious about firewalls, just keep in mind they are all basically the same. Yup, one is about the same as the other, as far as the home user is concerned. Oh, some offer different features or aspects or better configuration or even nice GUIs, but the port, protocol and IP control is basically all the same. And I mean firewalls with application control, not just simple filters or inbound firewalls.

    Okay. Now you look at the leaktests. Tell me and describe each Windows application involved and what happened. I know of a few and make rules accordingly in the firewall. The extreme tests I never even worry about; it would be the same as leaktesting my house against a nuclear explosion or bio warfare: it is not going to happen, and if it does, I would assume I would be dead anyway (with a house still intact). Just the reasonable ones: take a look and tell me what is actually happening.

    End of first lesson. More to be explained.

    Oldsod.
    Best regards.
    oldsod

  7. #17
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

    BTW

    Can you tell me which security vendors actually give advice on how not to get infected and prevent infections? And not just upgrade and update and renew the subscription? If the vendors did a good job of informing their clients, would the clientele still need the security software?

    Can you tell me which of those leaktests really exist in the real world and are not just extreme, hypothetical, maybe-this-could-happen situations for which no real threat has been made?
    It's nice to know ZA will withstand the hard drive killer virus and not be shut down, but on the other hand a hard drive with a rewritten and unusable file system is almost self-defeating: sure, the firewall passed, but the PC and all its files are lost forever. Kind of nice to know the firewall will last anyway?


    Since no firewall checks BHOs and toolbars, any test with this in mind would fail on any firewall. No firewall checks BHOs and toolbars. Yes, there are real rogue BHOs and rogue toolbars, yet no tests are available for this very much real threat. Yet the rogue BHOs and rogue toolbars are actively connecting out unrestricted. Why is that? Why do users allow rogue BHO and rogue toolbar installs in the first place? Do they know better, or just rely on the anti-something to stop its install and protect them? Should the user know better and not install these and lock down the browser to stop these unwanted installs? Or spend their money and hope they found the best protection?

    Some malware will install it's own TCP/IP stack and then will do any connections both incoming and outgoing absolutely unrestricted. Yes this malware is very real. And no firewall would catch this because it will not examine the new stack. Yet no leak tests are made for this.
    Why is this?
    Should the user rely on the security applications or just use safe hex and avoid the traps which will install dreck like this?

    Rootkits will install virtual drivers or virtual TCP/IP stacks. Yet no leaktests for this either. This is a real threat which does exist. Yet the firewall does not check for virtual drivers or virtual stacks. So a firewall would fail this leaktest as it does in the real world.
    Should the use continue to spend more money or just use safe hex and avoid it in the first place?

    Oh just remembered another real world exploit - the trojan injected into the stack. Yup all firewalls miss this one too, but no leaktest is made for this either. Why is that?

    Four real time or real world exploits, and actually some of the most common (toolbars, bho and trojan injection), and yet no leaktest?? But for the nuclear explosion and bio-chemical warfare there are tests? Why is that?

    OH BTW, what firewall does matousec use himself? I seriously doubt he uses any one that is on his public test list? Probably some packet filter?

    Can you explain why experts like Steve Gibson and some others never use an antivirus and antispyware and just a software firewall for all their security needs?

    Oldsod.

    Message Edited by Oldsod on 03-27-2008 05:25 PM
    Best regards.
    oldsod

  8. #18
    monster_z Guest

    Default Re: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

    Hi, Oldsod.
    I just wanted to tell news about ZoneAlarm regarding testing against real malware.
    In the following link there is a thread which describes how ZoneAlarm (freeware) blocked all 10 of 10 active Trojans in a test done by AV-test org.
    Interesting thing is that Co**do Firewall Pro 3.0.21.329 blocked only 8 active Trojans of 10.

    http://www.wilderssecurity.com/showthread.php?t=206492
    Here it is what it says:
    The Co**do Firewall Pro v3 and Zone Alarm Free v7 were tested also.

    The PC-Welt crew have bypassed the Co**do Firewall with a very old trick. They have stolen the access rights from an allowed program (for example IE) and gone online with a new application using the stolen rights.

    The same test with ZoneAlarm (freeware) was NOT successful... ZoneAlarm has blocked this attempt.

    Another test was to bypass the firewalls with a Trojan. 8 of 10 attempts were blocked by **bleep**, 2 Trojans have successfully bypassed the firewall. ZoneAlarm has blocked all 10 Trojans.

    How exactly and which techniques the PC-Welt crew used, they have not written.
    Everyone who is interested in the article: it is in "PC-Welt 05/2008, pages 82 - 90". Language is German.


    2. Also, regarding SPI, Paranoid on Wilders Security forums said that there are 4 types of SPI:
    http://www.wilderssecurity.com/showp...p;postcount=27

    Question: To which type of SPI does ZoneAlarm belong?

    3. One more thing:
    You said that rootkits create their own TCP/IP stacks.
    Well, I found this very interesting info on You Tube.com:
    http://www.youtube.com/watch?v=Gm7WNcNPLKs

    It appears, if you enlarge to full screen, that the rootkit's installation bypassed ZoneAlarm Pro 7.0, and as you can see in the end it also bypasses NOD32 2.7 and creates its own virtual TCP/IP stack.

    At least there is good music.
    What do you think?

    Also, a question:
    Does ZoneAlarm protect from the installation of kernel-mode drivers/rootkits?


    4. Regarding rootkits, I picked up this information from Paranoid on Wilders Security forums:
    http://www.wilderssecurity.com/showt...873&amp;page=7

    First of all, a firewall's job is not to check the drivers, but to block network packets according to a set of rules. But let's assume that a firewall has incorporated HIPS too (because these days nobody cares to separate their functions).
    If an application (a rootkit for instance) tries to load a protocol driver into the stack, in order to communicate with the attacker, a normal "pure" firewall will not be able to detect it, because the driver will run at a level "below" the firewall. Now let's assume there is a HIPS installed. The HIPS also has very little possibility to see what the rogue driver is doing, but it will intercept the installation of that driver, so the computer will be protected.
    In other words, I could create a proof of concept driver which would be loaded in the TCP stack, but it would be stopped before I would try to load it. In my opinion, this is the reason nobody bothered with doing it, as far as I know.

    Firewalls, like any other security software, cannot guarantee to detect an installed rootkit though some may be able to detect and block any attempted installation. Dealing with rootkits is very much beyond the scope of the product suggested in this thread though.
    Any firewall working at driver level (monitoring access to network hardware) should intercept malware's installation of TCP/IP stacks - since packet sniffers using WinPCap have been doing something similar, it isn't a new phenomenon by any means.
    In any case, file protection is already handled quite well by Windows' own NTFS as long as users don't run as Admin by default.

    I'd like to hear your opinions on this subject if you don't mind.

    Big thank you.

  9. #19
    Join Date
    Dec 2005
    Posts
    9,056

    Default Re: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

    First a few things. Read these carefully and then draw your own conclusions:

    http://www.grc.com/oo/aureate.htm

    http://www.cexx.org/aureate.htm

    http://www.cexx.org/newnet.htm

    http://www.wilderssecurity.com/showthread.php?t=142806


    Pay special attention to these for your ongoing discussion in the thread about "Inbound firewall" at wilderssecurity forum:

    http://neworder.box.sk/newsread.php?newsid=3957

    http://www.securityfocus.com/infocus/1839

    http://www.securityfocus.com/infocus/1840

    http://www.securityfocus.com/infocus/1701



    As far as the pcwelt test goes, it was done with ZA free??
    Kind of dubious approach to testing. Why not the ZA Pro with its full features?
    Kind of doubtful these test results are actually accurate, if not fully and properly disclosed for further examination and discussion.

    Yes nice music. Unfortunately not legible and no narration.
    Kind of makes one wonder - no self respecting hacker would issue a video on youtube. Seriously do not believe in this, whatever it is supposed to be.

    ZA will protect from rootkits, IF the user follows the alert properly.
    Example - the ZA would detect the sony rootkit and give an alert. Whether the alert was allowed is entirely up to the user. Allowing it meant yes the rootkit installs and end of story.
    If the rootkit has a service or a run/start registry key associated with it, then the ZA will detect the change, asking the user in the alert. If the user accepts the rootkit install, then it will install. If the rootkit has a virtual driver or virtual tcp/ip stack, then as with any software firewall, the firewall will be bypassed and miss any activity by the virtual driver or tcp/ip stack.
    This as far as I know applies to all software firewalls, not just the ZA.

    As I said before the job of a firewall is to control the packets, protocol and IP and ports. Once hips is added or one such as the triple defense firewall of the ZA (with its osfirewall), the firewall is no longer a packet filter (or stateful packet filter). Instead it has become something else.
    If a HIPS is needed, then either use a good HIPs integrated with the antivirus or use a stand alone HIPS. Really - the standalone dedicated HIPS is superior to what a firewall or antivirus HIPS can provide in terms of security.

    In that thread the answer for rogue bho and other spyware activities missed by the firewall was to use the protection of a full time antispyware. This apparently stops the spyware and thus protects the windows/user from such activity.
    Yet at the same time it is advised not to use your antivirus to detect and deter the trojans and malware that the firewall is supposed to guard against with these unwanted outbound connections.
    So apparently it is ok to use a spyware scanner alongside the firewall for best protection, but not an antivirus? I fail to see the logic.
    I was under the impression the antivirus would detect and deter all of the trojans and related malware, thus rendering possible trojans (and the need for the leak test) useless and inert.

    Oldsod.
    Best regards.
    oldsod

  10. #20
    monster_z Guest

    Default Re: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

    Hi, Oldsod, one more.
    I read some of the articles you gave me. But this reading only opened some new questions I have to ask you.

    Few things I've found out:
    Network Intrusion Detection and Prevention and SPI are conceptually similar to anti virus scanning in that packets are scanned for known signatures or patterns. It adds an additional layer of security but is far from being able to stop most of the known threats, never mind the unknown ones.

    Malware can be transmitted over encrypted traffic, e.g., SSL, VPN or SSL-based Jabber (IM) protocols. And even over unencrypted traffic, malware detection is not 100% guaranteed. When you compress some files and transfer them, are those packet inspections going to build the whole archive, decompress it, and then scan? So they are very limited and can't be assumed to be the main line of defense.

    And as far as I remember ZoneAlarm's products at least in the near past had problems with unknown malware; I read this in a post by Paranoid somewhere on Agnitum Firewall forums.

    Also, let's suppose you have 100% clean PC:
    1 - Let's assume you have an AV software. If AV signatures did not detect a threat, after some signature updates, you will be able to detect the virus later, possibly after all the harm is done. Nonetheless, let's assume this is acceptable. This would generally be the only way you would be infected.

    2 - Let's assume you don't have an AV but an intrusion detection system which scans network packets against some signatures:

    Let's assume a known or unknown malware is going to be transferred:

    - If the malware is transferred over an encrypted channel, you are vulnerable
    - If the malware is transferred over an unencrypted channel, but with an uncommon protocol that your IDS does not know, you are vulnerable
    - If the malware is transferred over an unencrypted channel, but inside an infected setup file, you are vulnerable, especially if the file is large.
    - If the malware comes from another source than network, you are vulnerable

    At the network layer, you are quite limited in terms of detection capabilities (you have a couple of packets and that's all). Consider AV programs having everything (emulation, unpacking, heuristics etc) failing to detect malware. Never mind a fragment of malware inside a packet.

    If your IDS does not know the malware, it cannot detect it, not even after the signature updates. Unlike an AV, it can do nothing after signature updates.

    So an N-IDS is a nice, additional layer of security. But it is not comparable to an H-IPS and cannot be trusted as the main line of the defense. Would you trust a firewall only as your main line of defense?

    So, how can ZoneAlarm Pro/Internet Security Suite protect from malware when it comes to inbound protection?
    If what I wrote above is true, it means it's useless to have ZoneAlarm or any other firewall, unless you have HIPS.
    I'm not sure if OSFirewall can really catch all of the malware, unless it's pure HIPS; then it should ask you whether a completely unknown malware from the Internet is going to install while you're surfing through the Internet.
    Your opinions highly needed.

    Big thanks, again!!!
    Cheers!
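The limits of per-packet signature matching that the post above describes, as an added example that is not part of the thread and not the code of any product named in it: a constructed marker inside a constructed transfer is missed when a stateless scanner examines each segment alone, found once the stream is reassembled, and missed by both once the channel is masked as a stand-in for encryption. The signature table, the `Packet` type and the transfer bytes are all constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Constructed signature table; a real N-IDS carries thousands of such patterns.
SIGNATURES = {"constructed-test-marker": b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"}


@dataclass
class Packet:
    seq: int        # byte offset of this segment within the stream (TCP-style)
    payload: bytes


def scan_per_packet(packets: Iterable[Packet]) -> List[str]:
    """Stateless scan: each segment is examined alone, so a pattern that
    straddles a segment boundary is never seen in one piece."""
    hits: List[str] = []
    for pkt in packets:
        for name, sig in SIGNATURES.items():
            if sig in pkt.payload and name not in hits:
                hits.append(name)
    return hits


def reassemble(packets: Iterable[Packet]) -> bytes:
    """Order segments by sequence number and join them (tolerates reordering)."""
    return b"".join(p.payload for p in sorted(packets, key=lambda p: p.seq))


def scan_stream(packets: Iterable[Packet]) -> List[str]:
    """Stateful scan: match against the reassembled stream instead of one segment."""
    data = reassemble(packets)
    return [name for name, sig in SIGNATURES.items() if sig in data]


def split_into_packets(data: bytes, mss: int) -> List[Packet]:
    """Constructed sender: cut a byte string into segments of at most `mss` bytes."""
    return [Packet(seq=i, payload=data[i:i + mss]) for i in range(0, len(data), mss)]


def xor_mask(data: bytes, key: int) -> bytes:
    """Stand-in for an encrypted channel: a scanner without the key sees only noise."""
    return bytes(b ^ key for b in data)


# Constructed transfer: archive-like bytes with the marker placed at offset 22,
# so a 32-byte MSS splits it across the first two segments.
TRANSFER = b"PK" + b"\x00" * 20 + SIGNATURES["constructed-test-marker"] + b"\x00" * 20

if __name__ == "__main__":
    segs = split_into_packets(TRANSFER, 32)
    print("per-packet:", scan_per_packet(segs))   # []
    print("stream:    ", scan_stream(segs))       # ['constructed-test-marker']
    print("masked:    ", scan_stream(split_into_packets(xor_mask(TRANSFER, 0x5A), 32)))  # []
```

Raising the segment size so the whole marker lands in one packet makes the stateless scan succeed again, which is exactly why the post says a scanner that only has "a couple of packets" cannot be the main line of defense.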
