Thread: Re: Best Firewall?? - follow-up

  1. #1
    Kulin Remailer
    Guest

    Re: Best Firewall?? - follow-up

    On 10 Aug 2009 17:29:01 -0500, Nelson
    <replies-to-newsgroup-only@thank.you> wrote:

    >
    >Here's what I decided, then replies:
    >
    > I chose Comodo. It does what ZoneAlarm used to do but does it even
    >better. Other firewalls did the general job well enough but didn't
    >have the fine-grain control desired.
    >
    >To G and Volker Birk: There's good reason to control apps. Example:
    >My newsreader is permitted to access my ISP's DNS server and my news
    >service's servers. That's all. No longer do I find it trying to
    >access various applications' servers to report who-knows-what to their
    >publishers, because those apps (even though blocked from access) have
    >used other apps (such as my newsreader) to access the Internet.
    >
    >In an experiment with the current ZoneAlarm Pro (yes, purchased), it
    >still tries to access the Internet and reach ZA servers even when all
    >of the access-related options are turned off. Also, ZA refuses to
    >allow its firewall or program-control settings to prevent Internet
    >access by its own programs or components. Further, when effectively
    >blocked by a hardware (router) firewall from reaching its home
    >servers' IP addresses, ZA enlists various other apps including
    >operating system components to silently try to reach its home servers.
    >And they call this a security program???
    >
    >Comodo may or may not be the only firewall that's really good at this
    >aspect. If you know of others, do tell.


    Exactly!

    I run into the same crapola all the time.

    I'm tired of arguing about why I need a firewall that doesn't let
    anything out.



  2. #2
    Ansgar -59cobalt- Wiechers
    Guest

    Re: Best Firewall?? - follow-up

    Kulin Remailer <remailer@reece.net.au> wrote:
    > I'm tired of arguing about why I need a firewall that doesn't let
    > anything out.


    Because you have no arguments to back your opinion, I suppose? Oh, well,
    what do you expect from anonymous trolls ...

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  3. #3
    Nelson
    Guest

    Re: Best Firewall?? - follow-up

    On 11 Aug 2009 01:32:40 -0000, Kulin Remailer <remailer@reece.net.au>
    wrote:

    >On 10 Aug 2009 17:29:01 -0500, Nelson
    ><replies-to-newsgroup-only@thank.you> wrote:
    >
    >>
    >>Here's what I decided, then replies:
    >>
    >> I chose Comodo. It does what ZoneAlarm used to do but does it even
    >>better. Other firewalls did the general job well enough but didn't
    >>have the fine-grain control desired.
    >>
    >>To G and Volker Birk: There's good reason to control apps. Example:
    >>My newsreader is permitted to access my ISP's DNS server and my news
    >>service's servers. That's all. No longer do I find it trying to
    >>access various applications' servers to report who-knows-what to their
    >>publishers, because those apps (even though blocked from access) have
    >>used other apps (such as my newsreader) to access the Internet.
    >>
    >>In an experiment with the current ZoneAlarm Pro (yes, purchased), it
    >>still tries to access the Internet and reach ZA servers even when all
    >>of the access-related options are turned off. Also, ZA refuses to
    >>allow its firewall or program-control settings to prevent Internet
    >>access by its own programs or components. Further, when effectively
    >>blocked by a hardware (router) firewall from reaching its home
    >>servers' IP addresses, ZA enlists various other apps including
    >>operating system components to silently try to reach its home servers.
    >>And they call this a security program???
    >>
    >>Comodo may or may not be the only firewall that's really good at this
    >>aspect. If you know of others, do tell.

    >
    >Exactly!
    >
    >I run into the same crapola all the time.
    >
    >I'm tired of arguing about why I need a firewall that doesn't let
    >anything out.
    >


    Yes, people who have actually monitored what their software is doing
    come away very disturbed about this. On the other hand, those who buy
    security software and look no further, assuming that their security
    software is protecting them, can be blissfully (if ignorantly) happy.

    The single worst offender is the MS Windows operating system. Again
    and again, Windows components that perform a local task and have no
    reason whatsoever to access the Internet are busy doing just that.
    Further, if blocked, they try multiple IP targets and try to hijack
    other apps on your computer and connect through them. They keep
    trying repeatedly, filling up your log with thousands of rapid-fire
    attempts and slowing down your system while doing so. Ugh!

  4. #4
    Ansgar -59cobalt- Wiechers
    Guest

    Re: Best Firewall?? - follow-up

    Nelson <replies-to-newsgroup-only@thank.you> wrote:
    > On 11 Aug 2009 01:32:40 -0000, Kulin Remailer wrote:
    >> I'm tired of arguing about why I need a firewall that doesn't let
    >> anything out.

    >
    > Yes, people who have actually monitored what their software is doing
    > come away very disturbed about this.


    BTDT. After configuring the chatty programs appropriately, only update
    routines are connecting outbound. I fail to see why one would be
    disturbed about that.

    > On the other hand, those who buy security software and look no
    > further, assuming that their security software is protecting them, can
    > be blissfully (if ignorantly) happy.


    "ignorant" being the operative word. Particularly about personal
    firewalls creating additional security holes.

    > The single worst offender is the MS Windows operating system. Again
    > and again, Windows components that perform a local task and have no
    > reason whatsoever to access the Internet are busy doing just that.


    Name one that can't be configured to not do that.

    > Further, if blocked, they try multiple IP targets and try to hijack
    > other apps on your computer and connect through them.


    Name one.

    Besides, if the manufacturer of your operating system decided to have
    the operating system phone home, no software running on top of said
    operating system could actually prevent it from doing so. You do realize
    that, don't you?

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  5. #5
    Nelson
    Guest

    Re: Best Firewall?? - follow-up

    On 11 Aug 2009 22:02:03 GMT, Ansgar -59cobalt- Wiechers
    <usenet-2009@planetcobalt.net> wrote:

    >Nelson <replies-to-newsgroup-only@thank.you> wrote:
    >> On 11 Aug 2009 01:32:40 -0000, Kulin Remailer wrote:
    >>> I'm tired of arguing about why I need a firewall that doesn't let
    >>> anything out.

    >>
    >> Yes, people who have actually monitored what their software is doing
    >> come away very disturbed about this.

    >
    >BTDT. After configuring the chatty programs appropriately, only update
    >routines are connecting outbound. I fail to see why one would be
    >disturbed about that.


    It may not disturb you (and probably many others), and that's fine.
    But it does bother me (and at least a few others) when software
    establishes communications with remote servers without my knowledge or
    consent.

    People can have various good reasons for not wanting such
    communications. Some have sensitive financial, technical, or personal
    information that might be compromised. Some may not want inventories
    of the software on their drives reported because they haven't paid for
    it all. Some may have signed nondisclosure contracts which cannot be
    fulfilled if outflow of information from their computers is no longer
    within their control.

    And some (including me) find it in principle objectionable. How would
    you react if you hired someone to do some work in your home only to
    find them rummaging through your file cabinet and faxing copies of
    your information to confederates unknown to you?

    >> On the other hand, those who buy security software and look no
    >> further, assuming that their security software is protecting them, can
    >> be blissfully (if ignorantly) happy.

    >
    >"ignorant" being the operative word. Particularly about personal
    >firewalls creating additional security holes.


    Yes.

    >> The single worst offender is the MS Windows operating system. Again
    >> and again, Windows components that perform a local task and have no
    >> reason whatsoever to access the Internet are busy doing just that.

    >
    >Name one that can't be configured to not do that.


    Sure. See below. Also, if you do block their external access, they
    go nuts trying to get around the block, and some desired tasks may not
    work. And it's hard to spot such activity if they go through
    svhost.exe or other apps.

    >> Further, if blocked, they try multiple IP targets and try to hijack
    >> other apps on your computer and connect through them.

    >
    >Name one.


    Sure. Here are three (all in WinXP-SP2 and SP3):

    userinit.exe
    wininit.exe
    winlogon.exe

    These are multipurpose apps, but they sometimes can be found
    initiating external communications when none should occur.

    >Besides, if the manufacturer of your operating system decided to have
    >the operating system phone home, no software running on top of said
    >operating system could actually prevent it from doing so. You do realize
    >that, don't you?


    That's why we have hardware routers with built-in firewalls. By
    blocking the target IP addresses of the persistent offenders within
    the router's firewall, you can indeed stop it.

    A suggested strategy is to permit the legitimate communications for
    your tasks (including your own ISP's DNS server IP addresses rather
    than permitting all traffic on port 53) and blocking other target IPs
    in the router's firewall.

    >cu
    >59cobalt


  6. #6
    Ansgar -59cobalt- Wiechers
    Guest

    Re: Best Firewall?? - follow-up

    Nelson <replies-to-newsgroup-only@thank.you> wrote:
    > On 11 Aug 2009 22:02:03 GMT, Ansgar -59cobalt- Wiechers wrote:
    >> Nelson <replies-to-newsgroup-only@thank.you> wrote:
    >>> On 11 Aug 2009 01:32:40 -0000, Kulin Remailer wrote:
    >>>> I'm tired of arguing about why I need a firewall that doesn't let
    >>>> anything out.
    >>>
    >>> Yes, people who have actually monitored what their software is doing
    >>> come away very disturbed about this.

    >>
    >> BTDT. After configuring the chatty programs appropriately, only
    >> update routines are connecting outbound. I fail to see why one would
    >> be disturbed about that.

    >
    > It may not disturb you (and probably many others), and that's fine.
    > But it does bother me (and at least a few others) when software
    > establishes communications with remote servers without my knowledge or
    > consent.


    Disable the update routines as well. Problem solved. Still nothing to be
    disturbed about.

    > People can have various good reasons for not wanting such
    > communications. Some have sensitive financial, technical, or personal
    > information that might be compromised. Some may not want inventories
    > of the software on their drives reported because they haven't paid for
    > it all. Some may have signed nondisclosure contracts which cannot be
    > fulfilled if outflow of information from their computers is no longer
    > within their control.


    Ummm... what makes you believe that some program's update routine would
    transmit any other information than its own software version (and
    perhaps the operating system's version)?

    > And some (including me) find it in principle objectionable.


    You find keeping your software up-to-date objectionable in principle?
    Then why are you wasting any thought at all on computer security?

    > How would you react if you hired someone to do some work in your home
    > only to find them rummaging through your file cabinet and faxing
    > copies of your information to confederates unknown to you?


    I would most certainly *not* lock him into my office and try to somehow
    prevent him from communicating. Instead I would do what I do with any
    software behaving that way: remove the culprit from my premises.

    >>> On the other hand, those who buy security software and look no
    >>> further, assuming that their security software is protecting them, can
    >>> be blissfully (if ignorantly) happy.

    >>
    >> "ignorant" being the operative word. Particularly about personal
    >> firewalls creating additional security holes.

    >
    > Yes.


    *sigh*

    >>> The single worst offender is the MS Windows operating system. Again
    >>> and again, Windows components that perform a local task and have no
    >>> reason whatsoever to access the Internet are busy doing just that.

    >>
    >> Name one that can't be configured to not do that.

    >
    > Sure. See below. Also, if you do block their external access, they
    > go nuts trying to get around the block, and some desired tasks may not
    > work. And it's hard to spot such activity if they go through
    > svhost.exe or other apps.
    >
    >>> Further, if blocked, they try multiple IP targets and try to hijack
    >>> other apps on your computer and connect through them.

    >>
    >> Name one.

    >
    > Sure. Here are three (all in WinXP-SP2 and SP3):
    >
    > userinit.exe
    > wininit.exe
    > winlogon.exe
    >
    > These are multipurpose apps, but they sometimes can be found
    > initiating external communications when none should occur.


    - What kind of connections did those processes supposedly try to
    establish for no good reason?
    - What's the path of those executables?
    - Did you verify that they're in fact the system files supplied by
    Microsoft and not some malware disguising itself as a system file?

    Besides, userinit.exe for one has (among other things) the purpose to
    establish network connections, so it actually does have business
    accessing the network.

    >> Besides, if the manufacturer of your operating system decided to have
    >> the operating system phone home, no software running on top of said
    >> operating system could actually prevent it from doing so. You do
    >> realize that, don't you?

    >
    > That's why we have hardware routers with built-in firewalls. By
    > blocking the target IP addresses of the persistent offenders within
    > the router's firewall, you can indeed stop it.


    True. What does that have to do with personal firewalls?

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  7. #7
    Nelson
    Guest

    Re: Best Firewall?? - follow-up

    On 12 Aug 2009 12:51:27 GMT, Ansgar -59cobalt- Wiechers
    <usenet-2009@planetcobalt.net> wrote:

    >Nelson <replies-to-newsgroup-only@thank.you> wrote:
    >> On 11 Aug 2009 22:02:03 GMT, Ansgar -59cobalt- Wiechers wrote:
    >>> Nelson <replies-to-newsgroup-only@thank.you> wrote:
    >>>> On 11 Aug 2009 01:32:40 -0000, Kulin Remailer wrote:
    >>>>> I'm tired of arguing about why I need a firewall that doesn't let
    >>>>> anything out.
    >>>>
    >>>> Yes, people who have actually monitored what their software is doing
    >>>> come away very disturbed about this.
    >>>
    >>> BTDT. After configuring the chatty programs appropriately, only
    >>> update routines are connecting outbound. I fail to see why one would
    >>> be disturbed about that.

    >>
    >> It may not disturb you (and probably many others), and that's fine.
    >> But it does bother me (and at least a few others) when software
    >> establishes communications with remote servers without my knowledge or
    >> consent.

    >
    >Disable the update routines as well. Problem solved. Still nothing to be
    >disturbed about.
    >
    >> People can have various good reasons for not wanting such
    >> communications. Some have sensitive financial, technical, or personal
    >> information that might be compromised. Some may not want inventories
    >> of the software on their drives reported because they haven't paid for
    >> it all. Some may have signed nondisclosure contracts which cannot be
    >> fulfilled if outflow of information from their computers is no longer
    >> within their control.

    >
    >Ummm... what makes you believe that some program's update routine would
    >transmit any other information than its own software version (and
    >perhaps the operating system's version)?
    >
    >> And some (including me) find it in principle objectionable.

    >
    >You find keeping your software up-to-date objectionable in principle?
    >Then why are you wasting any thought at all on computer security?
    >
    >> How would you react if you hired someone to do some work in your home
    >> only to find them rummaging through your file cabinet and faxing
    >> copies of your information to confederates unknown to you?

    >
    >I would most certainly *not* lock him into my office and try to somehow
    >prevent him from communicating. Instead I would do what I do with any
    >software behaving that way: remove the culprit from my premises.
    >
    >>>> On the other hand, those who buy security software and look no
    >>>> further, assuming that their security software is protecting them, can
    >>>> be blissfully (if ignorantly) happy.
    >>>
    >>> "ignorant" being the operative word. Particularly about personal
    >>> firewalls creating additional security holes.

    >>
    >> Yes.

    >
    >*sigh*
    >
    >>>> The single worst offender is the MS Windows operating system. Again
    >>>> and again, Windows components that perform a local task and have no
    >>>> reason whatsoever to access the Internet are busy doing just that.
    >>>
    >>> Name one that can't be configured to not do that.

    >>
    >> Sure. See below. Also, if you do block their external access, they
    >> go nuts trying to get around the block, and some desired tasks may not
    >> work. And it's hard to spot such activity if they go through
    >> svhost.exe or other apps.
    >>
    >>>> Further, if blocked, they try multiple IP targets and try to hijack
    >>>> other apps on your computer and connect through them.
    >>>
    >>> Name one.

    >>
    >> Sure. Here are three (all in WinXP-SP2 and SP3):
    >>
    >> userinit.exe
    >> wininit.exe
    >> winlogon.exe
    >>
    >> These are multipurpose apps, but they sometimes can be found
    >> initiating external communications when none should occur.

    >
    >- What kind of connections did those processes supposedly try to
    > establish for no good reason?
    >- What's the path of those executables?
    >- Did you verify that they're in fact the system files supplied by
    > Microsoft and not some malware disguising itself as a system file?
    >
    >Besides, userinit.exe for one has (among other things) the purpose to
    >establish network connections, so it actually does have business
    >accessing the network.
    >
    >>> Besides, if the manufacturer of your operating system decided to have
    >>> the operating system phone home, no software running on top of said
    >>> operating system could actually prevent it from doing so. You do
    >>> realize that, don't you?

    >>
    >> That's why we have hardware routers with built-in firewalls. By
    >> blocking the target IP addresses of the persistent offenders within
    >> the router's firewall, you can indeed stop it.

    >
    >True. What does that have to do with personal firewalls?
    >
    >cu
    >59cobalt


    Yes, these OS components are the right ones and in the right paths.

    Of course the update options in Windows and in apps were turned off.
    And still they try to reach their publisher's servers. Sometimes,
    disabling a Windows service can stop it, but sometimes the services
    cannot be stopped or they cannot be stopped without losing needed
    functions.

    Various apps collect and report lots of data about your hardware and
    software, often extensive, often of little apparent relevance. Look
    at the dumps that are sent or attempted to be sent.

    Sure, userinit has legitimate functions, but my point that it
    initiates external communications with MS servers when none should
    occur stands. Look at the firewall logs, which will show lots of such
    entries if you either track all Internet access or block access to MS
    servers.

    "What does that have to do with personal firewalls?" The router
    (hardware) firewalls are needed because, as you said, firewalls that
    sit on top of the OS cannot fully control OS communications. So an
    effective firewall system for outbound data requires both.

    My exploration of this topic was prompted not by any great secrets but
    by curiosity about unknown access entries appearing in firewall logs.
    I find the results of that exploration disturbing. You don't. I did
    something about it (selectively blocking external access using
    firewalls). Everyone here will individually decide how much of this
    fits their needs and preferences.


  8. #8
    Volker Birk
    Guest

    Re: Best Firewall?? - follow-up

    Nelson <replies-to-newsgroup-only@thank.you> wrote:
    > People can have various good reasons for not wanting such
    > communications. Some have sensitive financial, technical, or personal
    > information that might be compromised.


    No "Personal Firewall" can prevent that from happening. I fear, you
    cannot understand why. If that is the case, and you're interested, I
    will be happy to explain.

    Yours,
    VB.
    --
    "You are only what I approve."

    Caseworker at the Mülheim/Ruhr social welfare office, to a "customer"

  9. #9
    annette@email.invalid
    Guest

    Re: Best Firewall?? - follow-up

    On Fri, 14 Aug 2009 15:15:04 +0200 (CEST), Volker Birk
    <bumens@dingens.org> wrote:

    >Nelson <replies-to-newsgroup-only@thank.you> wrote:
    >> People can have various good reasons for not wanting such
    >> communications. Some have sensitive financial, technical, or personal
    >> information that might be compromised.

    >
    >No "Personal Firewall" can prevent that from happening. I fear, you
    >cannot understand why. If that is the case, and you're interested, I
    >will be happy to explain.
    >
    >Yours,
    >VB.


    Please do.

  10. #10
    Volker Birk
    Guest

    Re: Best Firewall?? - follow-up

    annette@email.invalid wrote:
    > On Fri, 14 Aug 2009 15:15:04 +0200 (CEST), Volker Birk
    > <bumens@dingens.org> wrote:
    >>Nelson <replies-to-newsgroup-only@thank.you> wrote:
    >>> People can have various good reasons for not wanting such
    >>> communications. Some have sensitive financial, technical, or personal
    >>> information that might be compromised.

    >>No "Personal Firewall" can prevent that from happening. I fear, you
    >>cannot understand why. If that is the case, and you're interested, I
    >>will be happy to explain.

    > Please do.


    Information is transferred by encoding¹. Encoding means, that someone
    is transmitting data, which is seen as a message by sender and receiver,
    which contains that information as the meaning of the message.

    If there is connectivity between sender and receiver, they can transmit
    any information they want, if they've a common code. Connectivity means,
    that they have the possibility to send at least as many different
    messages as they need to describe the words of the formal language they
    want to transmit, which is used to describe the information they want to
    transmit.

    For example, if someone wants to transmit your Bank account PIN, and
    this PIN has four digits, which can be from 0 to 9, then they need to be
    able to transmit at least 10'000 different words.

    For that case, it does not matter at all, *which* words they're able to
    transmit, and it does not matter at all, *how* they're transmitting.

    For example, the first digit 1 can be transmitted by not transmitting
    anything at 12:00 o'clock, while transmitting the second digit as 2 can
    be done by requesting the software update on an odd hour of the day.

    The code is at will. It just has to be known by sender and receiver.

    So if a "Personal Firewall" enables connectivity in *any* way, it is
    possible to transmit *any* information. Because "Personal Firewalls" are
    filtering, they're preventing many codes from working.

    Others do work. So an attacker just will switch codes.

    The worst design flaw in a "Personal Firewall" I saw yet, was in Norton
    InSecurity: They were filtering your bank PIN out of any transmitted
    data.

    This way they're publicizing your bank PIN to anybody who wants to have
    it, and whose web server you're browsing; one just has to have the
    de Bruijn sequence for four digits² in a hidden field of an HTML form,
    and the digit combination which is filtered out is your bank PIN -
    filtering is used as code to transmit this data here.

    The only way to stop transmitting arbitrary information is to prevent
    connectivity. Just cut your cable with a knife ;-) And don't use WLAN...

    Yours,
    VB.

    ¹ http://en.wikipedia.org/wiki/Code
    ² http://www.hakank.org/comb/debruijn_k_10_n_4.html
    --
    "You are only what I approve."

    Caseworker at the Mülheim/Ruhr social welfare office, to a "customer"
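
The redaction flaw described in the post above, simulated as an added example (not part of the original post and not any vendor's code). It assumes the filter simply deletes the protected digits from outbound text; all function names are hypothetical.

```python
"""Why deleting a secret from outbound data discloses it: the gap is the message."""


def linear_de_bruijn(alphabet: str = "0123456789", n: int = 4) -> str:
    """Return a string in which every length-n word over `alphabet`
    occurs exactly once (cyclic de Bruijn sequence plus n-1 wrap characters)."""
    k = len(alphabet)
    a = [0] * (k * n)
    seq = []

    def db(t: int, p: int) -> None:
        # Standard Lyndon-word construction of the de Bruijn sequence.
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    cyclic = "".join(alphabet[i] for i in seq)
    return cyclic + cyclic[: n - 1]


def redacting_filter(outbound: str, secret: str) -> str:
    """Assumed filter behaviour: strip the protected value from outgoing data."""
    return outbound.replace(secret, "")


def consistent_secrets(sent: str, received: str, n: int = 4) -> list:
    """Values of the secret that explain the difference between what a page
    supplied (`sent`) and what came back through the filter (`received`)."""
    if len(sent) - len(received) != n:
        return []  # nothing, or more than one word, was removed
    # First position where the two strings disagree.
    d = next((i for i, (x, y) in enumerate(zip(sent, received)) if x != y),
             len(received))
    # The removed word starts at most n-1 characters before that position:
    # a longer matching run would mean some n-digit word occurs twice.
    found = []
    for p in range(max(0, d - (n - 1)), d + 1):
        if sent[:p] + sent[p + n:] == received:
            found.append(sent[p:p + n])
    return found


def distinct_windows(s: str, n: int = 4) -> int:
    """Number of different length-n substrings of s."""
    return len({s[i:i + n] for i in range(len(s) - n + 1)})


if __name__ == "__main__":
    field = linear_de_bruijn()
    pin = "4711"  # constructed sample value
    seen = redacting_filter(field, pin)
    print(len(field), "characters sent,", len(seen), "received")
    print("values consistent with the gap:", consistent_secrets(field, seen))
```

The filter turns roughly 13 bits of uncertainty (10,000 possible PINs) into at most four candidates, which is the post's point that filtering itself can act as the code.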

  11. #11
    Kyle T. Jones
    Guest

    Re: Best Firewall?? - follow-up

    Volker Birk wrote:
    > annette@email.invalid wrote:
    >> On Fri, 14 Aug 2009 15:15:04 +0200 (CEST), Volker Birk
    >> <bumens@dingens.org> wrote:
    >>> Nelson <replies-to-newsgroup-only@thank.you> wrote:
    >>>> People can have various good reasons for not wanting such
    >>>> communications. Some have sensitive financial, technical, or personal
    >>>> information that might be compromised.
    >>> No "Personal Firewall" can prevent that from happening. I fear, you
    >>> cannot understand why. If that is the case, and you're interested, I
    >>> will be happy to explain.

    >> Please do.

    >
    > Information is transferred by encoding¹. Encoding means, that someone
    > is transmitting data, which is seen as a message by sender and receiver,
    > which contains that information as the meaning of the message.
    >
    > If there is connectivity between sender and receiver, they can transmit
    > any information they want, if they've a common code. Connectivity means,
    > that they have the possibility to send at least as many different
    > messages as they need to describe the words of the formal language they
    > want to transmit, which is used to describe the information they want to
    > transmit.
    >
    > For example, if someone wants to transmit your Bank account PIN, and
    > this PIN has four digits, which can be from 0 to 9, then they need to be
    > able to transmit at least 10'000 different words.
    >
    > For that case, it does not matter at all, *which* words they're able to
    > transmit, and it does not matter at all, *how* they're transmitting.
    >
    > For example, the first digit 1 can be transmitted by not transmitting
    > anything at 12:00 o'clock, while transmitting the second digit as 2 can
    > be done by requesting the software update on an odd hour of the day.
    >
    > The code is at will. It just has to be known by sender and receiver.
    >
    > So if a "Personal Firewall" enables connectivity in *any* way, it is
    > possible to transmit *any* information. Because "Personal Firewalls" are
    > filtering, they're preventing many codes from working.
    >
    > Others do work. So an attacker just will switch codes.
    >
    > The worst design flaw in a "Personal Firewall" I saw yet, was in Norton
    > InSecurity: They were filtering your bank PIN out of any transmitted
    > data.
    >
    > This way they're publicizing your bank PIN to anybody who wants to have
    > it, and whose web server you're browsing; one just has to have the
    > de Bruijn sequence for four digits² in a hidden field of an HTML form,
    > and the digit combination which is filtered out is your bank PIN -
    > filtering is used as code to transmit this data here.
    >
    > The only way to stop transmitting arbitrary information is to prevent
    > connectivity. Just cut your cable with a knife ;-) And don't use WLAN...
    >
    > Yours,
    > VB.
    >
    > ¹ http://en.wikipedia.org/wiki/Code
    > ² http://www.hakank.org/comb/debruijn_k_10_n_4.html


    What if all I want from my personal firewall is the ability to select
    which installed apps on my Com-Put-Or can access outside resources, and
    which can't?

    Seems like a personal firewall would be useful, for that. It kinda
    seems like that was what the OP wanted to be able to do, primarily.

    Cheers.

  12. #12
    Ansgar -59cobalt- Wiechers
    Guest

    Re: Best Firewall?? - follow-up

    Kyle T. Jones <KBfoMe@realdomain.net> wrote:
    > What if all I want from my personal firewall is the ability to select
    > which installed apps on my Com-Put-Or can access outside resources,
    > and which can't?


    Since programs can communicate through other programs that won't help.
    Not as long as at least one program is allowed to communicate, that is.

    > Seems like a personal firewall would be useful, for that.


    No. You either configure the application to not establish outbound
    connections, or you remove the application entirely (in case it won't
    allow proper configuration). Everything else is plain stupid.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  13. #13
    Nelson
    Guest

    Re: Best Firewall?? - follow-up

    On Tue, 18 Aug 2009 00:34:23 +0200 (CEST), Ansgar -59cobalt- Wiechers
    <usenet-2009@planetcobalt.net> wrote:

    >Kyle T. Jones <KBfoMe@realdomain.net> wrote:
    >> What if all I want from my personal firewall is the ability to select
    >> which installed apps on my Com-Put-Or can access outside resources,
    >> and which can't?

    >
    >Since programs can communicate through other programs that won't help.
    >Not as long as at least one program is allowed to communicate, that is.
    >
    >> Seems like a personal firewall would be useful, for that.

    >
    >No. You either configure the application to not establish outbound
    >connections, or you remove the application entirely (in case it won't
    >allow proper configuration). Everything else is plain stupid.
    >
    >cu
    >59cobalt


    There are some additional things you can do which involve filtering
    applications' target IP addresses for undesired outbound
    communications.

    Specifically, give permission for applications to access their
    legitimate servers and block all others.

    For example, you can use firewall rules to permit your newsreader to
    access your news servers and your ISP's DNS servers. If you use your
    newsreader for e-mail, then permit that too. Then block all others.

    You can reduce blocked programs' ability to hijack other programs to
    gain external access by preventing application interaction (or acting
    as a parent) if your firewall has that ability.

    And for those programs that are necessary for your OS to function or
    for certain apps to do needed tasks -- and which insist on accessing
    the Internet -- log their target IP addresses and, if they cannot be
    blocked by software firewalls, block them at the router (hardware)
    level.

    Other tools can converge with these kinds of approaches to gain the
    degree of security you need (or want). Storing and/or transmitting
    sensitive data in encrypted form is one example.

    Again, permitting only the target IPs you approve is *much* better
    than trying to detect and block all the unwanted communications.
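
The per-application destination allowlist described in the post above, as an added example that is not part of the original thread: a default-deny policy check run over a connection log, listing out-of-policy destinations for review before a router-level block. The log format, application names and addresses (documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed policy: per-application allowlist of (network, protocol, port).
# Addresses come from documentation ranges (RFC 5737), not real servers.
POLICY = {
    "newsreader.exe": [
        ("192.0.2.53/32", "udp", 53),     # ISP DNS resolver (assumed)
        ("198.51.100.0/28", "tcp", 119),  # news service servers (assumed)
        ("198.51.100.0/28", "tcp", 563),  # same servers, NNTP over TLS
    ],
    "updater.exe": [],  # installed, but permitted no outbound traffic
}
# Constructed connection log, one entry per line: timestamp app proto dst_ip dst_port
SAMPLE_LOG = """\
2009-08-18T10:00:01 newsreader.exe udp 192.0.2.53 53
2009-08-18T10:00:02 newsreader.exe tcp 198.51.100.7 119
2009-08-18T10:00:09 newsreader.exe tcp 203.0.113.80 80
2009-08-18T10:01:15 updater.exe tcp 203.0.113.80 443
2009-08-18T10:02:30 unknown.exe tcp 203.0.113.99 8080
garbage line
"""

def is_allowed(app, proto, dst_ip, dst_port, policy=POLICY):
    """Default deny: allowed only if a rule for this app matches all three fields."""
    addr = ipaddress.ip_address(dst_ip)
    for net, rule_proto, rule_port in policy.get(app, []):
        if (proto, dst_port) == (rule_proto, rule_port) and addr in ipaddress.ip_network(net):
            return True
    return False

def audit(log_text, policy=POLICY):
    """Return (violations, skipped): out-of-policy destinations per app, unparsable lines."""
    violations, skipped = defaultdict(set), []
    for line in log_text.splitlines():
        try:
            _ts, app, proto, dst_ip, port = line.split()
            dest = (dst_ip, proto.lower(), int(port))
            ok = is_allowed(app, dest[1], dst_ip, dest[2], policy)
        except ValueError:  # wrong field count, bad port or bad IP address
            skipped.append(line)  # report it; never treat it as allowed
            continue
        if not ok:
            violations[app].add(dest)
    return dict(violations), skipped

def router_block_candidates(violations):
    """Destination IPs seen outside policy, sorted, for review before a router-level block."""
    ips = {ip for dests in violations.values() for ip, _proto, _port in dests}
    return sorted(ips, key=ipaddress.ip_address)
```

An application with no policy entry at all (here `unknown.exe`) is denied just like one with an empty list, which is what "then block all others" amounts to.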

  14. #14
    Volker Birk
    Guest

    Re: Best Firewall?? - follow-up

    Kyle T. Jones <KBfoMe@realdomain.net> wrote:
    > What if all I want from my personal firewall is the ability to select
    > which installed apps on my Com-Put-Or can access outside resources, and
    > which can't?


    This is much harder than it sounds. Most "Personal Firewalls" are
    failing completely.

    It is very easy to circumvent any filtering attempt by not sending
    directly, but making other applications send. And if there is
    connectivity, there are applications which can send, like the web
    browser or your mail program.

    People call that "leaks", and testing programs "leak tests". I wrote
    two. The first cost me ten minutes of work, and any "Personal
    Firewall" was fooled at this time¹, then they patched (it's an unfair
    game - it is much easier for the attacker to choose the next available
    option to send, while the "Personal Firewall" programmers have to spend
    months of development time to prevent that from happening - and they
    have to destroy functionality of the operating system to get that to
    work).

    After "Zone Alarm" was ready, and had patched, I spent just another half
    an hour during dinner on a Saturday evening with my laptop², and again
    every "Personal Firewall" failed.

    I stopped that, because I think the problem was shown.

    Trying to prevent applications from sending, which you're running on
    your system, is a b0rken concept anyways.

    If you have code running on your system, and this code manages to
    gain administrator rights, you lose³.

    Usually, people are working as administrator on Microsoft Windows, so
    there is nothing to do for an attacker. The clever attacker is running
    code in kernel space then, ignoring any "Personal Firewall".

    If people are careful enough to not work as administrator, then there are
    hundreds of tricks to gain administrator rights on a Windows box.
    Usually, it's enough to install a printer driver⁴ or use the scheduling
    service.

    But even if all that would work, trying to prevent applications from
    sending, which are running on your system, is a b0rken concept anyways.

    This is because deciding which communication should be prevented from
    happening and which not is not a computable problem. If you're
    preventing an application from "phoning home" to search for updates or
    for information about new security holes, you're lowering security
    instead of elevating it.

    And because the "Personal Firewall" cannot decide, it is asking the only
    person, who should not be asked at all, the person who should be secured
    and not at all be responsible for security:

    They're asking the user.

    This makes the concept absurd, even if it would work.

    Yours,
    VB.

    ¹ http://www.dingens.org/breakout-en.c
    ² http://www.dingens.org/breakout-wp.cpp
    ³ http://www.bluepillproject.org/
    ⁴ http://www.microsoft.com/whdc/archiv...?pf=true#usbp1
    --
    "You are only what I approve."

    Caseworker at the Mülheim/Ruhr social welfare office, to a "customer"

  15. #15
    Volker Birk
    Guest

    Re: Best Firewall?? - follow-up

    Nelson <replies-to-newsgroup-only@thank.you> wrote:
    > Specifically, give permission for applications to access their
    > legitimate servers and block all others.


    With what intention?

    > You can reduce blocked programs' ability to hijack other programs to
    > gain external access by preventing application interaction (or acting
    > as a parent) if your firewall has that ability.


    There is no such thing as "reduce ability" in IT security. Whether it is
    possible or not.

    IT security does not work like security, say, in military.

    Yours,
    VB.
    --
    "You are only what I approve."

    Caseworker at the Mülheim/Ruhr social welfare office, to a "customer"

  16. #16
    Ansgar -59cobalt- Wiechers
    Guest

    Re: Best Firewall?? - follow-up

    Nelson <replies-to-newsgroup-only@thank.you> wrote:
    > On Tue, 18 Aug 2009 00:34:23 (CEST), Ansgar -59cobalt- Wiechers wrote:
    >> Kyle T. Jones <KBfoMe@realdomain.net> wrote:
    >>> Seems like a personal firewall would be useful, for that.

    >>
    >> No. You either configure the application to not establish outbound
    >> connections, or you remove the application entirely (in case it won't
    >> allow proper configuration). Everything else is plain stupid.

    >
    > There are some additional things you can do which involve filtering
    > applications' target IP addresses for undesired outbound
    > communications.
    >
    > Specifically, give permission for applications to access their
    > legitimate servers and block all others.


    Define the "legitimate servers" for, say, a web browser.

    Besides, if you'd take a closer look at how DNS works, you might
    understand why restricting access to particular DNS servers will not
    solve the problem.

    > For example, you can use firewall rules to permit your newsreader to
    > access your news servers and your ISP's DNS servers. If you use your
    > newsreader for e-mail, then permit that too. Then block all others.
    >
    > You can reduce blocked programs' ability to hijack other programs to
    > gain external access by preventing application interaction (or acting
    > as a parent) if your firewall has that ability.


    Or, you could simply remove the misbehaving software and fix the cause
    of the problem instead of dealing with the symptoms. Which would have
    the additional advantages of a) *not* wasting significant amounts of
    system resources on trying to confine programs, and b) *not* opening
    additional attack vectors for malware. I know what I'd choose.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  17. #17
    Nelson
    Guest

    Re: Best Firewall?? - follow-up

    On Tue, 18 Aug 2009 12:32:21 +0200 (CEST), Ansgar -59cobalt- Wiechers
    <usenet-2009@planetcobalt.net> wrote:

    >Nelson <replies-to-newsgroup-only@thank.you> wrote:
    >> On Tue, 18 Aug 2009 00:34:23 (CEST), Ansgar -59cobalt- Wiechers wrote:
    >>> Kyle T. Jones <KBfoMe@realdomain.net> wrote:
    >>>> Seems like a personal firewall would be useful, for that.
    >>>
    >>> No. You either configure the application to not establish outbound
    >>> connections, or you remove the application entirely (in case it won't
    >>> allow proper configuration). Everything else is plain stupid.

    >>
    >> There are some additional things you can do which involve filtering
    >> applications' target IP addresses for undesired outbound
    >> communications.
    >>
    >> Specifically, give permission for applications to access their
    >> legitimate servers and block all others.

    >
    >Define the "legitimate servers" for, say, a web browser.
    >
    >Besides, if you'd take a closer look at how DNS works, you might
    >understand why restricting access to particular DNS servers will not
    >solve the problem.
    >
    >> For example, you can use firewall rules to permit your newsreader to
    >> access your news servers and your ISP's DNS servers. If you use your
    >> newsreader for e-mail, then permit that too. Then block all others.
    >>
    >> You can reduce blocked programs' ability to hijack other programs to
    >> gain external access by preventing application interaction (or acting
    >> as a parent) if your firewall has that ability.

    >
    >Or, you could simply remove the misbehaving software and fix the cause
    >of the problem instead of dealing with the symptoms. Which would have
    >the additional advantages of a) *not* wasting significant amounts of
    >system resources on trying to confine programs, and b) *not* opening
    >additional attack vectors for malware. I know what I'd choose.
    >
    >cu
    >59cobalt



    59cobalt and Volker Birk, your points about the inability of firewalls
    and other security measures to provide complete security (or anything
    close to it) are well taken. Who would argue with that?

    But there are practical realities based on the fact that these
    measures do help. They can stop some of the leaks, especially with
    care to their settings.

    Of course misbehaving apps should be removed and/or replaced where
    that is possible, but sometimes that isn't an option.

    Sure, the tactic of restricting target IP addresses won't work for web
    browsers (at least the way most of us use them). But it does help
    where it can be applied, such as in the newsreader example.

    I will keep and use the lock on my front door even though it can be
    defeated in various ways. I will not remove it as useless because it
    can be forced, picked, or bypassed. The lock does reduce
    vulnerability (if mainly through deterrence). Like firewalls, it
    improves security but does not assure absolute security. In this
    less-than-perfect world, I'll keep both thank you.

  18. #18
    Volker Birk
    Guest

    Re: Best Firewall?? - follow-up

    Nelson <replies-to-newsgroup-only@thank.you> wrote:
    > But there are practical realities based on the fact that these
    > measures do help.


    We are living in an age of botnets, millions of PCs are zombies. Maybe
    your PC, too.

    I hope there will be a change of paradigms in the near future. Windows
    Vista and Windows 7 show that Microsoft is working seriously on
    improving the security of the Windows operating system.

    They're doing well in many points. Unfortunately, they're missing
    some conceptional things yet.

    "Personal Firewalls" cannot help us with such problems. Perhaps
    Microsoft will.

    Yours,
    VB.
    --
    "You are only what I approve."

    Caseworker at the Mülheim/Ruhr social welfare office, to a "customer"
