Best Firewall??

There are some additional things you can do which involve filtering applications' target IP addresses for undesired outbound communications.

Specifically, give permission for applications to access their legitimate servers and block all others.

For example, you can use firewall rules to permit your newsreader to access your news servers and your ISP's DNS servers. If you use your newsreader for e-mail, then permit that too. Then block all others.

You can reduce blocked programs' ability to hijack other programs to gain external access by preventing application interaction (or acting as a parent) if your firewall has that ability.

And for those programs that are necessary for your OS to function or for certain apps to do needed tasks -- and which insist on accessing the Internet -- log their target IP addresses and, if they cannot be blocked by software firewalls, block them at the router (hardware) level.

Other tools can converge with these kinds of approaches to gain the degree of security you need (or want). Storing and/or transmitting sensitive data in encrypted form is one example.

Again, permitting only the target IPs you approve is *much* better than trying to detect and block all the unwanted communications.

Reply to
Nelson
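The per-application allowlist described in the post above, modelled in software as an added example (not code from the original thread or from any firewall product). Rules name an application, a destination network and optional ports; anything unmatched is denied by default and its target is logged, and programs the OS needs that cannot be blocked are put in a log-only set whose observed targets are collected for blocking at the router. All program names and addresses are constructed (the IPs come from the RFC 5737 documentation ranges), and the rule syntax is this example's own, not that of any real firewall.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """One permitted destination for one application. Empty ports = any port."""
    app: str
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    ports: frozenset[int]


@dataclass
class Decision:
    action: str   # "allow", "deny" or "log-only"
    reason: str


@dataclass
class EgressPolicy:
    rules: list[Rule] = field(default_factory=list)
    # Programs that insist on Internet access and cannot be blocked here:
    # their targets are recorded so they can be blocked at the router instead.
    log_only_apps: frozenset[str] = frozenset()
    log: list[str] = field(default_factory=list)
    observed: dict[str, set[str]] = field(default_factory=dict)

    def allow(self, app: str, cidr: str, ports=()) -> None:
        self.rules.append(Rule(app, ipaddress.ip_network(cidr), frozenset(ports)))

    def evaluate(self, app: str, dst: str, port: int) -> Decision:
        addr = ipaddress.ip_address(dst)
        for r in self.rules:
            if r.app == app and addr in r.network and (not r.ports or port in r.ports):
                return Decision("allow", f"matches {r.network} port {sorted(r.ports) or 'any'}")
        # Default deny: record the unapproved target for review.
        self.observed.setdefault(app, set()).add(str(addr))
        if app in self.log_only_apps:
            self.log.append(f"LOG-ONLY {app} -> {addr}:{port}")
            return Decision("log-only", "required program; target recorded for router-level block")
        self.log.append(f"DENY {app} -> {addr}:{port}")
        return Decision("deny", "no rule matched (default deny)")

    def router_blocklist(self) -> list[str]:
        """Targets reached by log-only programs, to be blocked at the router."""
        return sorted(ip for app in self.log_only_apps for ip in self.observed.get(app, set()))


def demo() -> EgressPolicy:
    """Constructed policy and traffic mirroring the newsreader example."""
    policy = EgressPolicy(log_only_apps=frozenset({"svchost.exe"}))  # hypothetical required program
    policy.allow("newsreader.exe", "192.0.2.10/32", ports={119, 563})   # constructed news server
    policy.allow("newsreader.exe", "198.51.100.0/30", ports={53})       # constructed ISP DNS servers
    policy.allow("newsreader.exe", "192.0.2.25/32", ports={143, 993})   # mail, if read via the newsreader
    attempts = [                                                         # constructed connection attempts
        ("newsreader.exe", "192.0.2.10", 119),     # allowed
        ("newsreader.exe", "198.51.100.1", 53),    # allowed
        ("newsreader.exe", "203.0.113.99", 119),   # denied: unapproved server
        ("svchost.exe", "203.0.113.7", 443),       # log-only: recorded for the router
        ("unknown.exe", "192.0.2.10", 119),        # denied: no rules for this program
    ]
    for app, dst, port in attempts:
        policy.evaluate(app, dst, port)
    return policy


if __name__ == "__main__":
    p = demo()
    print("\n".join(p.log))
    print("block at router:", p.router_blocklist())
```

The policy only sees the identity it is given: if a blocked program hands its data to another program that is allowed out, the allowlist judges the second program, which is why the thread's later point about application interaction matters for this approach.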

This is much harder than it sounds. Most "Personal Firewalls" are failing completely.

It is very easy to circumvent any filtering attempt by not sending directly, but making other applications send. And if there is connectivity, there are applications which can send, like the web browser or your mail program.

People call that "leaks", and testing programs "leak tests". I wrote two. The first cost me ten minutes of work, and any "Personal Firewall" was fooled at this time¹, then they patched (it's an unfair game - it is much easier for the attacker to choose the next available option to send, while the "Personal Firewall" programmers have to spend months of development time to prevent that from happening - and they have to destroy functionality of the operating system to get that to work).

After "Zone Alarm" was ready, and had patched, I spent just another half an hour during dinner on a Saturday evening with my laptop², and again every "Personal Firewall" failed.

I stopped that, because I think the problem was shown.

Trying to prevent applications from sending, which you're running on your system, is a b0rken concept anyways.

If you have code running on your system, and this code manages to gain administrator rights, you lose³.

Usually, people are working as administrator on Microsoft Windows, so there is nothing to do for an attacker. The clever attacker is running code in kernel space then, ignoring any "Personal Firewall".

If people are careful enough to not work as administrator, then there are hundreds of tricks to gain administrator rights on a Windows box. Usually, it's enough to install a printer driver? or use the scheduling service.

But even if all that would work, trying to prevent applications from sending, which are running on your system, is a b0rken concept anyways.

This is because deciding which communication should be prevented from happening and which not is not a computable problem. If you're preventing an application from "phoning home" to search for updates or for information about new security holes, you're lowering security instead of elevating it.

And because the "Personal Firewall" cannot decide, it is asking the only person, who should not be asked at all, the person who should be secured and not at all be responsible for security:

They're asking the user.

This makes the concept absurd, even if it would work.

Yours, VB.

Reply to
Volker Birk

With what intention?

There is no such thing as "reduce ability" in IT security. Whether it is possible or not.

IT security does not work like security, say, in the military.

Yours, VB.

Reply to
Volker Birk

Define the "legitimate servers" for, say, a web browser.

Besides, if you'd take a closer look at how DNS works, you might understand why restricting access to particular DNS servers will not solve the problem.

Or, you could simply remove the misbehaving software and fix the cause of the problem instead of dealing with the symptoms. Which would have the additional advantages of a) *not* wasting significant amounts of system resources on trying to confine programs, and b) *not* opening additional attack vectors for malware. I know what I'd choose.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

59cobalt and Volker Birk, your points about the inability of firewalls and other security measures to provide complete security (or anything close to it) are well taken. Who would argue with that?

But there are practical realities based on the fact that these measures do help. They can stop some of the leaks, especially with care to their settings.

Of course misbehaving apps should be removed and/or replaced where that is possible, but sometimes that isn't an option.

Sure, the tactic of restricting target IP addresses won't work for web browsers (at least the way most of us use them). But it does help where it can be applied, such as in the newsreader example.

I will keep and use the lock on my front door even though it can be defeated in various ways. I will not remove it as useless because it can be forced, picked, or bypassed. The lock does reduce vulnerability (if mainly through deterrence). Like firewalls, it improves security but does not assure absolute security. In this less-than-perfect world, I'll keep both, thank you.

Reply to
Nelson

We are living in an age of botnets; millions of PCs are zombies. Maybe your PC, too.

I hope there will be a change of paradigms in the near future. Windows Vista and Windows 7 show that Microsoft is working seriously on improving the security of the Windows operating system.

They're doing well in many points. Unfortunately, they're still missing some conceptual things.

"Personal Firewalls" cannot help us with such problems. Perhaps Microsoft will.

Yours, VB.

Reply to
Volker Birk
