
Thread: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

  1. #21
    Join Date
    Dec 2005

    Default Re: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

    "Few things I've found out:
    Network Intrusion Detection and Prevention and SPI are conceptually similar to anti-virus scanning, such that packets are scanned for known signatures or patterns. It adds an additional layer of security but is far from being able to stop most of the known threats, never mind the unknown ones."

    Where is this said?
    NIPS is separate from a software firewall on a desktop and the two should not be considered to be doing the same function.
    NIPS detects or perhaps controls the connections on the LAN and a fw does the port, protocol and IP connections occurring at the desktop.
    A pure NIPS uses SPI?
    Would not really recommend NIPS unless you have an enterprise network or a server.
    Which unknown packets? Did they create new packets not seen before?

    "Malware can be transmitted over encrypted traffic, e.g., SSL, VPN or SSL-based Jabber (IM) protocols. And even over unencrypted traffic, detecting malware is not 100% guaranteed. When you compress some files and transfer them, are those packet inspections going to build the whole archive, decompress it, and then scan? So they are very limited and can't be assumed to be the main line of defense."

    If you allow malware to enter the PC and install it, it is naturally regardless of whether this is encrypted or plain traffic. A malicious file is not handled by the firewall, just the bad packets.
    The packets sent or received are not compressed. Only the transferred file was compressed. Packets cannot be compressed.

    "And as far as I remember ZoneAlarm's products at least in near past had problems with unknown malware I read this post by Paranoid somewhere on Agnitum Firewall forums."

    Examples such as...? The fw itself or the antivirus scanner? Which scanner and which version? Which ZA? When? By whom? What is this Agnitum? Never been there. Do they use the ZA there too?

    "Also, let's suppose you have 100% clean PC:
    1 - Let's assume you have AV software. If AV signatures did not detect a threat, after some signature updates you will be able to detect the virus later, possibly after all the harm is done. Nonetheless, let's assume this is acceptable. This would generally be the only way you would be infected.

    2 - Let's assume you don't have an AV but an intrusion detection system which scans network packets against some signatures:"

    Which signatures? From what?
    This "intrusion detection system" is a HIPS or a NIPS?
    Does the NIPS actually have a blacklist from the vendor for distinctively bad packets or does this simply just reject or drop unacceptable/unallowed packets and allow only acceptable/allowed packets?

    "Lets assume a known or unknown malware is going to be transferred:

    - If the malware is transferred over an encrypted channel, you are vulnerable
    - If the malware is transferred over an unencrypted channel, but with an uncommon protocol that your IDS does not know, you are vulnerable
    - If the malware is transferred over an unencrypted channel, but with an infected setup file, you are vulnerable, especially if the file is large.
    - If the malware comes from another source than network, you are vulnerable."

    And Yes...???
    And does not the firewall regulate the port, protocol and IP involved along with the connections of the applications? Would not the disallowed connections to disallowed ports and IP by disallowed protocols just be blocked anyways?
    By the way is this IDS the same as you were talking about before or is this something new?


    I am skipping further down, since these comments in between do not make any sense to me. I leave these for somebody else.

    "................. Would you trust a firewall only as your main line of defense?"

    A firewall is never the main line of defense. It is a utility that controls the port, protocol and IP and connection directions. Come to think of it, I have said this all along. I just said it again.

    As far as network intrusion protection is concerned, are you running an internet server or enterprise LAN? A server (file or email or whatever) with open ports on the line facing the internet and servers on the local area network with more open ports?
    I do not, so these issues you have mentioned do not apply to me or any other home user.

    You got a firewall in your router, correct?
    If so then there should be no network intrusions of any kind seen on your local area network?
    If the router or hardware firewall by default blocked off the intrusions or unwanted connections, would there still be network intrusions behind it on the local area network? Yes or No?
    No open ports means no entry and hence no "intrusion".

    There are no open ports on the firewall of the desktop?
    If there are no open ports, then all unwanted inbound connections are automatically dropped by the firewall?
    If all of the unwanted connections are dropped, then why is there still a threat?

    "So, how can ZoneAlarm Pro/Internet Security Suite protect from malwares when it comes to inbound protection?"

    See above.

    "If that's true what I wrote above, it means it's useless to have ZoneAlarm or any other firewall, unless you have HIPS."

    If a user downloads a malicious file and then lets it run or executes it, then the user is an *****. Simple point and the truth.

    Has not the user ever heard of something called safe hex?

    "I'm not sure if OSFirewall can really catch all of the malwares, unless it's pure HIPS, than it should ask you if an completely unknown malware from the Internet is going to install while you're surfing through the Internet."

    The OSFirewall is not a complete HIPS for the desktop, but a HIPS for the firewall. There is a difference. I think we covered this before.

    Malicious packets and unwanted connections and malicious files and allowed connections by port & protocol & IP & application should not be mixed up.
    I think it is a mistake to associate an antivirus with a software firewall, a desktop software firewall with commercial network protection, and malicious executable files with bad packets. None of these are the same, each is very different, and these should never be added together in the same sentence.

    Best regards.

  2. #22
    monster_z Guest

    Default Re: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

    Hi, Oldsod.
    1. I apologize I couldn't respond earlier, I'm just too busy.
    I've seen some errors written in my last post.
    Just to inform you this has been taken from here:**

    Egemen responded about Como**do's approach about HIPS, NIDS, NIPS and etc...
    Basically, I wanted to hear your opinion.

    2. But I have some other questions, like whether ZA Pro is more configurable than Agnitum, **bleep**2 and CFP 3.0 (Co**do Firewall Pro 3.0), because more advanced users expressed skepticism about whether ZA Pro is configurable or not.

    However, on the second page of this thread you can see all that you can configure with ZoneAlarm Pro in a screenshot; it is posted by "Dazed_and_Confused".

    This is why I don't understand why people say that ZA Pro is not configurable as Agnitum or **bleep**2.

    3. Regarding that ZA didn't block unknown malware: yes, it is the antivirus protection in the MailFrontier, I think; that's what Paranoid said, not the firewall itself. Now this was perhaps 2 years ago.
    But again, it's hard to say...

    Another thing that really disturbed me is the self-protection test against ZoneAlarm Internet Security 7.0:
    Here are the testing methods (I must admit I really don't understand too much):

    And here are the results

    Please, take into consideration that it is worth mentioning ZoneAlarm Internet Security, which completely failed to block only four attacks, but received a low score because its unprotected antispam module from MailFrontier was disabled by most of the attacks.

    1) The product's self protection successfully blocked the attack (1.0 points)
    2) Self-protection from the attack is partially missing, but the main functionality was retained (or automatically restored) - 0.5 points.
    3) The product lacks self-protection from a specific type of attack, or the self-protection is present but the product's main functionality was disabled (0 points).

    Question: What do you think?
    Also, if ZA failed to block 4 attacks, does it mean it didn't protect against them, or it did by a simple shutdown of all network, program and Internet traffic? That's what happens when ZA's processes are terminated!
    Big thanks.

    4. One last question, here is the copy of **bleep** **bleep** Personal Firewall vendor's response to Matousec- I would really like to know if you agree with him:
    Here it is:

    "**bleep** Software is committed to providing the strongest possible security products to its customers, and we will be working to correct demonstrable issues in the **bleep** Personal Firewall. Users can expect these and other continuing enhancements for the **bleep** Personal Firewall in the near future.

    However, we have some reservations about personal firewall "leak testing" in general. While we appreciate and support the unique value of independent security testing, we are admittedly skeptical as to just how meaningful these leak tests really are, especially as they reflect real-world environments.

    The key assumption of "leak testing" -- namely, that it is somehow useful to measure the outbound protection provided by personal firewalls in cases where malware has already executed on the test box -- strikes us as a questionable basis on which to build a security assessment. Today's malware is so malicious and cleverly designed that it is often safest to regard PCs as so thoroughly compromised that nothing on the box can be trusted once the malware executes. In short, "leak testing" starts after the game is already lost, as the malware has already gotten past the inbound firewall protection.

    Moreover, "leak testing" is predicated on the further assumption that personal firewalls should warn users about outbound connections even when the involved code components are not demonstrably malicious or suspicious (as is the case with the simulator programs used for "leak testing"). In fact, this kind of program design risks pop-up fatigue in users, effectively lowering the overall security of the system -- the reason developers are increasingly shunning this design for security applications.

    Finally, leak testing typically relies on simulator programs, the use of which is widely discredited among respected anti-malware researchers -- and for good reason. Simulators simply cannot approximate the actual behavior of real malware in real world conditions. Furthermore, when simulators are used for anti-malware testing, the testing process is almost unavoidably tailored to fit the limitations of the simulator instead of the complexity of real world conditions. What gets lost is a sense for how the tested products actually perform against live, kicking malware that exhibits behavior too complex to be captured in narrowly designed simulators."

    What do you think?
    And big thanks for your answers!

  3. #23
    Join Date
    Dec 2005

    Default Re: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

    I said before that leak testing is for idiots and PR agents and for users who have no true understanding of safe hex or security practices.
    Basically it is for losers and uninformed users.
    Intelligent, safe and experienced users have no real need for this as they never compromise the system.
    Vendors like it as a means to sell or espouse their firewalls.
    They already know it is a useless rating with no merit or any value.
    ... install malware and compromise the system and then wonder if the system can be contained even though the user just compromised the system?
    I dare you to shoot yourself in the feet to see if your boots are leak proof and do not leak any of your blood.
    Same logic and reasoning - you just compromised yourself and then need to see if your blood will now leak on the ground. Is that a just in case of what?

    Sorry, I do not bother with other forums or users other than the ones at this forum. Just as much as they have no interest in this forum or my posts in their own forums.
    If you have questions with other forums and users, then go there and post. Not here or with me.
    What my personal opinion is of other firewalls and forums and users is my private business and not for the public in an open forum. I do have ethics and principles and often use these from time to time.

    Nowhere was it said the ZA can not be customized or further secured. Mine certainly are customized and for my own needs and security measures.
    Expert rules are easy enough to apply in the ZA as with almost any other firewall.
    This should not be an issue or a problem.

    I think the main problem is that users, instead of sermonizing/debating over some fantasy of possible pretend leaktests, should instead learn about the internet and firewalls and how to use a firewall for its own and their own advantages. Once some simple and basic things are better understood and learned, much of that useless and false security information is tossed away and the user can finally start to learn how to be a fisherman and catch his own fish instead of being the fish.


    Message Edited by Oldsod on 06-09-2008 04:16 AM
    Best regards.

  4. #24
    monster_z Guest

    Default thank you for your reply, I thought I crossed the line...

    Thank you, Oldsod for your replies, and I truly hope I didn't offend you. That was never my intention. Since you were an expert who had time to chat with me I'm honestly grateful.
    I just hope you and other more expert gurus will be here if something bad happens with ZA or my computer, so I can fix the problem.
    Regarding leak-tests:
    I completely agree with you when it comes to leak-tests. To support your and my claims about leak-tests I contacted a poster named Huangker who basically said that at least 99% of real malware just use UDP to connect out. While most try to evade AV detection, 99%+ will stop at that and won't try to evade HIPS, virtualization etc.

    And to really test your security suite against malware-loading websites someone should take this for serious observation:

    Well, at least 10 of these malicious websites (of 77 of them) won't open; however, the rest of them should be easily opened. This is what security vendors should really take care of.

  5. #25
    Join Date
    Dec 2005

    Default Re: thank you for your reply, I thought I crossed the line...

    Not just UDP is used, but often the IRC ports (both UDP and TCP) or the hijacking of the browser/explorer will use the usual HTTP ports (and connection attempts to unusual ports too).
    IRC is a favorite for bots and many trojans, as the connections are not very traceable. Blocking the usual IRC ports in the router alone stops some malware.
    Malware has been known to do cross-overs; leave as possible HTTP traffic and instead sneak off to remote mail ports, or vice versa.

    There are several blocks of IP used for malicious outfits and many servers strictly for rent/lease to the bot masters/malware controllers/etc. These are (last I checked) in Central America and South America and some in Eastern Europe/Russia. These servers and IPs offer a special feature that makes them different from the rest - the connections behind the server cannot be traced.
    In other words, the sources behind the servers come to a dead end for tracing down the phisher/bot master/etc. The crooks can use the servers (for a good fee) and have access when they need it and cannot be traced to their IP.

    Software firewalls in any case should catch this traffic and immediately put a stop to it.

    The majority of trojans attempting entrance to a computer are usually TCP, although some are using UDP ports.

    I usually use the list for testing. But the is also very worthwhile.
    I went to all the sites last week in both lists to check out my setup.
    Some sites were blocked off by the protowall (I disabled its protections for the test) as it basically only allows Europe and North America and blocks many trackers/counters/ads/trojan sites/spy sites/bad cookie sites/etc.
    Even the filter of privoxy caught one site and blocked it.
    Webwasher caught a few others.
    I think the custom .css and .js in the Opera stopped a few problems.
    Plus I visited the sites with scripts disabled and no cookies accepted while using the Opera. But as you found, many sites simply do not load.

    Pages that do load blank are possibly trojan pages. Pages that do not load or have errors are not.
    Usually a safe browser and disabling the web scripts (js, activeX, etc) will not allow infections from the sites in the first place.

    Yes, you are saying the simple truth. The AV will stop most of these (like the 99%) and the extra HIPS/virtualization is not really needed for prevention of the malware infection.
    Really the easiest method for security is to use the antivirus and a software firewall with a hardware firewall (router) and always use the PC in the limited user account (not the admin account).
    This way there are no attacks on the LAN seen by the PC as these are stopped by the router; viruses/trojans/worms are stopped by the antivirus; the software firewall is a second line of defense for the incoming and provides outgoing control; the limited user account stops malware infections (almost all spyware, adware, CWS, some rootkits, etc.) and any changes to the operating system.

    What many people seem not to understand that once malware is installed (and allowed by the user), the windows kernel is no longer the same and does not resemble the previous system. The operating system is usually that radically changed/altered that the previous concepts and ideas of prevention do not always apply any longer. Once windows has a new kernel from the malware, the previous rules have changed to a new area that is often unknown or unseen.

    Do not worry.
    I took no offense and often can be too blunt.
    I hope you took no offense.
    I had to make my statement to be properly understood.

    If your PC has issues or there are ZA issues or if you just like to chat a while (even though this is not a chat forum per se), do not be afraid to post. We are all good people here and all good people are always welcome and considered to be a good friend.

    I do suspect you are at a young age.
    Your gaining of the knowledge for windows, internet, firewalls, security is impressive and a good thing.
    Keep it up!
    These are some of the things needed to become a fisherman, not the fish.

    I, on the other hand, am often cranky and miserable (yup, I am well into middle age, approaching the golden years).
    Oldsod is a suitable nick for me.

    Best regards.
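The thread's question (block everything, allow only what you choose) and Oldsod's description of what a software firewall actually checks (direction, port, protocol, IP, and the program making the connection) can be shown as a small default-deny rule evaluator. This is an added example written for this page, not ZoneAlarm's code and not anything posted in the thread; the rule set, program names and addresses (documentation ranges) are constructed, and the outbound IRC port block mirrors the router suggestion in the last post. Any connection no rule explicitly allows is dropped, which is also why unsolicited inbound traffic with no open ports goes nowhere.

```python
"""Default-deny connection filter modelled on the desktop firewall described in
the thread. Added example; rules, programs and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Conn:
    direction: str    # "in" or "out"
    proto: str        # "tcp" or "udp"
    remote_ip: str
    remote_port: int
    program: str      # process owning the socket; "" for unsolicited inbound


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "block"
    direction: str
    proto: Optional[str] = None          # None matches any protocol
    remote: Optional[str] = None         # CIDR; None matches any address
    ports: Optional[Tuple[int, int]] = None  # inclusive (lo, hi); None matches any
    program: Optional[str] = None        # None matches any program

    def matches(self, c: Conn) -> bool:
        if self.direction != c.direction:
            return False
        if self.proto is not None and self.proto != c.proto:
            return False
        if self.remote is not None and ip_address(c.remote_ip) not in ip_network(self.remote):
            return False
        if self.ports is not None and not (self.ports[0] <= c.remote_port <= self.ports[1]):
            return False
        if self.program is not None and self.program != c.program:
            return False
        return True


# Constructed rule set: first match wins; no match means drop (default deny).
# There is deliberately no inbound rule, so every unsolicited inbound
# connection is dropped regardless of port or protocol.
RULES: List[Rule] = [
    # Block the usual IRC port range outbound for every program (constructed
    # range, standing in for the router block suggested in the thread).
    Rule("block", "out", ports=(6660, 6669)),
    # Only the browser may make HTTP/HTTPS connections, to any address.
    Rule("allow", "out", proto="tcp", ports=(80, 80), program="browser.exe"),
    Rule("allow", "out", proto="tcp", ports=(443, 443), program="browser.exe"),
    # DNS is allowed only to the router's address (constructed).
    Rule("allow", "out", proto="udp", remote="192.168.1.1/32", ports=(53, 53)),
]


def decide(conn: Conn, rules: List[Rule] = RULES) -> str:
    """Return "allow" or "block" for one connection attempt."""
    for rule in rules:
        if rule.matches(conn):
            return rule.action
    return "block"  # default deny


def evaluate(conns: List[Conn], rules: List[Rule] = RULES) -> List[str]:
    """Verdict for each connection, in order."""
    return [decide(c, rules) for c in conns]


# Constructed connection attempts a desktop firewall might see.
SAMPLE_CONNECTIONS: List[Conn] = [
    Conn("out", "tcp", "203.0.113.10", 443, "browser.exe"),   # browser HTTPS
    Conn("out", "tcp", "203.0.113.10", 443, "updater.exe"),   # unknown program, same port
    Conn("out", "tcp", "198.51.100.5", 6667, "browser.exe"),  # hijacked browser to IRC
    Conn("out", "udp", "192.168.1.1", 53, "svchost.exe"),     # DNS to router
    Conn("out", "udp", "198.51.100.9", 53, "svchost.exe"),    # DNS elsewhere
    Conn("in", "tcp", "198.51.100.20", 445, ""),              # unsolicited inbound
]

if __name__ == "__main__":
    for conn, verdict in zip(SAMPLE_CONNECTIONS, evaluate(SAMPLE_CONNECTIONS)):
        print(f"{verdict:5}  {conn.direction:3} {conn.proto} "
              f"{conn.remote_ip}:{conn.remote_port} {conn.program or '(none)'}")
```

The ordering matters: the IRC block sits above the browser allow rules, so a hijacked browser process reaching an IRC port is still dropped even though the same program is trusted for HTTP and HTTPS. Adding a new program means adding an explicit allow rule; nothing is permitted by accident.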
