software firewall recommendations?

Hi,

I have a router with some built-in firewall capability and I might look at linux firewalls, but I would also like to run a software firewall to stop programs from "phoning home".

I did try zonealarm, simply because I had read good reviews about it but it caused a conflict with other software I had installed and when I tried to contact zonelabs, they said they only support the pro version, not the free version. Well, I am hardly likely to register a program that is not working to get support am I? If they had given me support and fixed the problem, then I would have paid for the product. So I have deleted zonealarm from my system. I think their attitude is wrong.

There seems to be much hatred of Norton firewall. I know Symantec have abused the Norton name to sell their wares, and their programs seem to be very bloated. But what are the criticisms of Symantec's firewall? Is it just that people like to knock big companies, like Symantec and MS, or are there valid criticisms?

Thanks.

Reply to
nospam

Only programs which want to be controlled can be controlled by "Personal Firewalls", so this is completely useless.

Symantec Norton "Personal Firewall" as well as Symantec Norton In Security open popups with useless information while running.

They're vulnerable to the SelfDoS attack, just like Zonealarm.

Both failed the test of whether they could prevent applications from "phoning home", already with an easy hack like my POC on

formatting link
- together with the rest of the "Personal Firewalls".

In the default configuration, any running malware can switch off Symantec Norton products anyway.

Besides that, the Symantec products are terribly bloated (the "Personal Firewall" 2005, for example, installs 3556 registry keys with 5934 values, 34 directories with 417 files, and 8 drivers (!) in addition to 8 (!) system services), and the Symantec team apparently understand really nothing about data security:

The function to filter PINs and other secrets out of outgoing data results in publicizing your PINs to any webserver owner whose webpages you're using.

This is because if you filter out data, what is missing is what was filtered out. So just hidden form fields with all numbers from 0000 to 9999 are usually enough to get to know what PIN the user entered into Symantec Norton "Personal Firewall" or In Security, because what is missing in the PUT back to the server is the PIN.

This is a gross error, because this breaches security.

Yours, VB.

Reply to
Volker Birk
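To make the "what is missing is the secret" argument above concrete, here is an added simulation (not code from the thread or from any Symantec product): a constructed outbound filter that masks a configured PIN in request bodies, a constructed form that carries every four-digit value as a hidden field, and the server-side comparison that shows which value never arrived.

```python
"""Why an outbound 'secret filter' leaks the secret it is meant to hide.

Constructed example. Assumes a filter that replaces any occurrence of a
configured secret in outgoing form data with a mask, as the post describes.
"""
from urllib.parse import parse_qs, urlencode

MASK = "XXXX"


def privacy_filter(body: str, secrets: list[str]) -> str:
    """Flawed control: strip configured secrets from the outgoing request body."""
    for secret in secrets:
        body = body.replace(secret, MASK)
    return body


def build_probe_form(width: int = 4) -> str:
    """A page that submits every possible PIN as a hidden field value."""
    candidates = [f"{i:0{width}d}" for i in range(10 ** width)]
    return urlencode([("p", c) for c in candidates])


def recover_missing(received_body: str, width: int = 4) -> list[str]:
    """What the server learns: any expected value that did not arrive was filtered."""
    expected = {f"{i:0{width}d}" for i in range(10 ** width)}
    present = set(parse_qs(received_body).get("p", []))
    return sorted(expected - present)


def simulate(pin: str) -> list[str]:
    """Filter strips the PIN from the submission; the server sees which one is missing."""
    outgoing = build_probe_form()
    sent = privacy_filter(outgoing, [pin])
    # The mask itself carries no information; the gap in the sequence does.
    return recover_missing(sent)


if __name__ == "__main__":
    print(simulate("1234"))  # returns ['1234']
```

The only setting in which the filter does no harm is one where the secret was never going to be sent, which is exactly the case in which it is not needed.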

Hi Volker, Could you please elaborate on that statement? This is one of the firewall flaws that I don't understand. Thank you, Casey

Reply to
Casey Klc

Yes, of course.

Usually, a program which wants to send information to another host on the internet uses connect() to make a connection. The "Personal Firewalls" all implement a filter which catches those connect()s.

But this is useless. The reason is that a malicious software programmer of course knows that "Personal Firewalls" are doing this, and hacks some kind of tunneling.

It's for example very easy to tunnel arbitrary information through HTTP with your regular web browser using Windows messages.

I hacked a small proof-of-concept (POC) code for this, and we tried it out with a set of the most common "Personal Firewalls".

Even this very easy approach is enough to fool _every_ "Personal Firewall" I know. It was not necessary to implement anything more complicated than ca. 25 lines of code. Here you can find this POC:

formatting link
It is _NOT_ a problem of Internet Explorer, though. This works with any browser, so here you can find a POC for Mozilla Firefox, for example:

formatting link
Alexander Bernauer hacked a small remote control software using this easy way of communication, the wwwsh:

formatting link
With this program you can have a remote shell on a Windows box without having your "Personal Firewall" even noticing that anything goes wrong.

We tested these "Personal Firewalls":

  • Kerio Personal Firewall 4.1.2
  • Norman Personal Firewall 1.42
  • Agnitum Outpost Firewall Pro 2.5
  • Sygate Personal Firewall Pro 5.5
  • Tiny Firewall 6.0
  • Zone Labs ZoneAlarm Pro 5.5
  • Symantec Norton Personal Firewall 2005

But this is a fundamental problem; to deny all sorts of tunneling just isn't possible without losing connectivity.

Here, too, the "Personal Firewall" providers are promising what they cannot keep. Just like with the "stealthing" nonsense.

Yours, VB.

Reply to
Volker Birk

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.