FirewallLeaktester and Sunbelt Kerio Firewall

good distinction

it's not true that it can never work.

The security mechanism (detection or blocking), with a core conceptual weakness, can work, so long as that weakness hasn't been exploited. I have caught malware by running netstat -an on a compromised host, so to say it never works is false.

An (uncompromised!) network firewall, logging, would be a better way but that requires another machine, set up for that. And logging by process name cannot, AFAIK, be done by a network firewall.

that'd be better, but it'd require a) a second host b) set up for that.

regarding b what are the options?

*nix network firewall, windows network firewall (MS ISA? - the proxy firewall), ..... ?

Well, it's easy to include your LAN's subnet(s) in the whitelist. That's the first and almost the only thing in the whitelist. That and perhaps some computers on microsoft's domain.

I'm not sure what you mean by "only for microsoft's network", I think this needn't be done on a 'network level', but on the windows host itself. In fact, I think it'd have to be for it to restrict by process svchost.exe. That, + monitoring outgoing traffic (by process), on the compromised host.

I do see that there is a conceptual problem in detecting on a compromised host. Though I think there is still some defence for it, which I've written here. Also, what I suggest here, detection looking at process names, can't be done from a network fw.

Reply to
q_q_anonymous

I recently had to deal with a rooted box where I only became aware of the problem because someone reported abuse from that machine on a bit of network I'm responsible for. Some of the tools on the box remained usable to verify and identify the problem.

(The real source of the problem was a legacy route to the net that is not as well configured and monitored as it should be. I can't wait to be able to turn that route off.)

I agree with q_q_anonymous here. Just because something is broken in principle, doesn't mean that it will always be broken in practice. Policy, of course, should be designed around knowing what is broken in principle, but that is part of the concern for costs and risks one is willing to bear.

I'm not a big fan of these "personal firewalls", and it can be argued that they cause more harm than good (by giving admins a false confidence), but that point has to be argued. It can't just be declared.

In practice, if someone had a machine directly connected to the Internet with no NATing or other network firewall device between it and the big bad world, I would be jumping up and down saying things like ZoneAlarm are not good enough. I would insist (depending on my influence in the matter) that they get some other device. But that is different from saying that PFWs are entirely pointless. All it's saying is that they can't be relied upon to do a job that I think needs to be done.

-j

Reply to
Jeffrey Goldberg

Volker: Tom is the cat!! You didn't watch enough Tom and Jerry ;-)

(though I admit I actually had to google to check before I gave the tom and jerry example!)

I guess you can always fight. But when there's a conceptual problem, Tom is 3 times the size (all muscle by the way), with longer sharper teeth and claws! It's not a fair game.

And you can still win or not lose, without playing that game.

Why do you keep using capitals for words to emphasise? It's actually very off-putting. I actually had to reread what you wrote a few times because of it. (like british news readers nowadays that emphasise all the wrong words of a sentence!!!)

Asterisks would be better - but still unnecessary.

that's a cool log (though doesn't list process names)!

Also, creating an abbreviation like SKPF is dangerous. It's not getting much on google. And nobody calls ZA ZAPF. I suggest following current conventions and avoiding marketing. "Kerio 4" seems to be concise and googlable.

not *such* a good log !! it's host based, why doesn't it mention process names?!

Maybe that entry for 10:51 was svchost or maybe not, but if it is then it seems like you've got malware on your computer, trying to access some comp that currently hasn't got port 80 open. I wouldn't expect svchost.exe to access any old computer. Perhaps you should wipe the HDD and reinstall windows.

Or if you want to play one of the tricky games, get some better malware removal programs and use them better.

"without losing connectivity"? I don't think that idea was argued. You will be connected to the internet - still, you won't lose connectivity to it from that.

If you receive an incoming to an unused port on your computer then it is sort of blocked, you're safe from it.

Reply to
q_q_anonymous

Unfortunately, it is true.

The cat and mouse game is unfair here, too. If you want to get security against a specific threat

- the provision must work by concept (deterministic)

- may not be circumvented (indeterministic)

If there is only one single possibility to circumvent, it's not secure.

This is why I like the distinction into different threats (aka "attack vectors"): You can make exactly clear where there can be security, and where it's not possible.

Yes. But if that should work, at least the logger needs high privileges, the malware may not have higher privileges, and there must be shaping of the use of system resources (like higher computing priority for the logger).

I.e. boot Knoppix on a PC or Mac.

Yours, VB.

Reply to
Volker Birk

A host-based IDS is not broken by concept, if it's running with high privileges, while all processes to watch are not, and the use of system resources for all such processes is shaped.

In cleartext:

A "Personal Firewall", which should be useful here as an IDS, must require the user not to work as administrator. It must configure the operating system to limit use of CPU and I/O for all user processes. Then it's able to watch them.

Of course, the "Personal Firewall" must not add possibilities for privilege elevation.

Yours, VB.

Reply to
Volker Birk

Of course Tom (the "Personal Firewall") is the cat.

And he never wins.

Yours, VB.

Reply to
Volker Birk

OK, I won't use capitals to emphasize anymore.

OK, I used to use "Kerio" but I saw KPF also but searching Google I find a lot of reference to other topics, only using "KPF firewall" gave results I wanted. I wanted to use KPF but as Sunbelt has taken over I guessed it should become SKPF. But I'll talk about Kerio in future, although I realize Kerio 2 exists as well, but as that is "old" I guess people talking about that should specify it and not while talking about the actual version.

Yes, that's what I thought too, but it is everything gathered in "network.log" from Kerio.... can't help it

I run HitmanPro regularly so at least a lot of spyware should be off. I installed Prevx1 2 days ago as well to test. But I think I will remove that one. Tried Cyberhawk before, but that won't install causing a crash on *that* pc... I'm investigating it as Cyberhawk *does* work on 2 other PCs

I'm not sure for now... I "did" block all 'in to unopened ports' but at that moment I couldn't surf anymore. Maybe for another reason... but today I do have some time and will look into it

Reply to
JackRnl

a few more arguments

against- this is a lot of work for blocking/logging malware on a compromised system. And if they silently attack the firewall's blocking of outgoing itself then all the tests fail.

+other against arguments mentioned.

for- It seems like it's a lot of work for both tom and jerry.

maybe that "firewall leak tester" guy is doing most of the work for jerry. Nobody is writing tom's code for him. Knowing a bit about writing code, it may be more hassle for Tom to attack in 12+ different ways or target many individual firewalls!

Tom may well decide that since only 10% of mice are putting up all these endless defences, he will leave the 10% and attack only the 90% .

maybe those tests log/block most malware - without causing problems for legitimate programs any more than the traditional blocking outgoing at an uncompromised external machine would cause problems.

I considered "kerio". if you call it "Kerio" then people will get kerio.com when they google (they do at the moment), which is the wrong site.

"Kerio 4" is so new. And apparently quite different to the "old freeware kerio". "Kerio 4"/ "SB kerio" isn't even advertised as free.

Maybe "SB Kerio" will catch on. I agree with you that people should be able to specify without stating the version number. (though 4 is a unique version number for kerio, as is 2.1.5 !).

I never heard of those. Standard ones are spybot, adaware, webroot (demo at least). Run them in safe mode. And maybe use power button to turn off (or shutdown -f -s or something) so they don't write stuff in when you do a start...shut down/restart. But all these things are so much hassle. And if you're so concerned with really being safe (what with the firewallleaktest site), then be willing to reinstall. If not to remove the spyware, then to clean the system generally.

have you tried that on a computer that hasn't got malware? it could be the malware is attacking you for attacking it (rather than the malware being broken).

the first malware I ever got (and almost the last), seemed to be broken, and cut me off from the internet. If malware is causing odd behaviour, then while you're continuing your investigation (knowing that you have it), it could be sending your data out (past the firewall), or setting your computer up as an email server and being used to SPAM others.

Reply to
q_q_anonymous

if you call Tom the firewall, then you have the mouse chasing the cat!!

in britain, our mice aren't that tough, the cat chases the mouse! And judging by how often cats drag in dead mice, cats usually win. The only super smart mouse is in tom and jerry. I see you took the analogy to the point where the mouse wins. But I didn't mean that, because of who chases who.

When you said it's not a fair game, I didn't realise you were sympathising with Tom!! Nobody sides with that cat!!!! He deserves everything he gets!

Reply to
q_q_anonymous

interesting - so, malware running limited, that compromises the host, can't attack the IDS

so then they can't switch off or change logs or reconfigure a PFW or the Windows FW either. But with the host based FWs, they can just find ways to make outgoing.

(unless the malware finds a way to escalate itself to administrative priv - which is always possible).

Reply to
q_q_anonymous

what about the attack vector of blocking svchost with a whitelist. (the whitelist including the LAN and perhaps various windowsupdate sites)

If the host based FW or PFW is well written, then it can't be attacked/brought down/manipulated by a "limited" malware process. And for that attack vector, it can't be circumvented.

just like the IDS you describe that won't be compromised when a host is compromised. (unless the malware finds a way to escalate itself !! so it can be circumvented and isn't really secure)

and what about the threat of netstat being targeted. Surely if you're running as limited and the malware doesn't escalate to privileged, then you're safe. So it's no more vulnerable than the IDS you describe.

thanks

Reply to
q_q_anonymous

I used hitman pro (including the ones you mentioned), but not in safe mode. I hesitated reinstalling everything because I have a lot of other programs installed and "those" will take most of the time. But I agree, the system will be clean afterwards if nothing will be installed with those programs. So I will make time but it will take a few days before I can do it.

Reply to
JackRnl

To make the process easier for next time a) have all installation files in one directory on another drive or partition, call it "backup" (I'd put data there too).

b) have a system backup, an image of the whole drive in decent form. So, after you install all the programs, make an image of it with Ghost (e.g. Ghost 9) or Acronis. So installing all those programs will have been a one off. Stick the image in that directory you called "backup", along with the program installation files and the data. And have a list of all the useful programs (you probably have that already)

This also avoids the pain of having to go browsing the web to download some of the useful programs. Along with obvious other pains you have in mind that will take days. It should only take days the first time. Once you have a system organised, you should be able to do it in hours - given no hardware or disc problems.

Reply to
q_q_anonymous

This is not an attack vector - what is the attack?

Yes. The problem is "don't work as administrator, or nothing helps".

Yours, VB.

Reply to
Volker Birk

JackRnl wrote: [endless recitating]

"JackRnl", could you please cut off all what you don't need, so I have a chance to read what you wrote, too?

Quoting so many lines leads me to stop reading before I'm detecting, if you wrote anything, too.

Yours, VB.

Reply to
Volker Birk

q_q snipped-for-privacy@yahoo.co.uk wrote: [endless recitating]

"q_q_anonymous", could you please cut off all what you don't need, so I have a chance to read what you wrote, too?

Quoting so many lines leads me to stop reading before I'm detecting, if you wrote anything, too.

Yours, VB.

Reply to
Volker Birk

You said to run the IDS as privileged (administrator?) But if you work as "limited", and do "run as" the IDS to administrator (escalating it), then malware could see how that is done, and escalate itself.

You say it has to be privileged to control CPU usage of other processes. But if the IDS is "run as" Administrative that allows more than necessary, and there are those mentioned issues.

Reply to
q_q_anonymous

Yes.

Yes. Therefore you shouldn't do that. Windows has the concept of using another Desktop, and you could use fast user switching for that purpose.

Sorry, I don't understand your point here.

Yours, VB.

Reply to
Volker Birk

the attack was-

malware uses svchost.exe to make an outgoing connection.

The idea of whitelisting svchost.exe to prevent abuse of it, is that it'll be easier to Investigate whether outgoing connections are legitimate, if svchost.exe can't be abused. (I know, one could use process explorer or prcview, but this way those programs aren't necessary).

I guess if you're in a limited account, the firewall or sniffer or port monitoring program shouldn't be compromised. (since you say there are IDSs that aren't compromised when the host is compromised, the same should go for other programs too).

I think I misunderstood you before.

Did you mean that the OS should limit cpu usage for various processes, and give the IDS some CPU usage priority. And the IDS on installation would configure the OS to do that, but the IDS would run as limited - in a limited account, and so wouldn't have that power when running.

I initially thought you were talking about letting the IDS run as Administrator, or somehow giving it privileges to adjust CPU usage priority. It's possible in windows xp to run as limited, but have some processes run as Administrative. But that looks to me like it could be abused.

Reply to
q_q_anonymous
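The svchost.exe whitelist check argued for in the post above, as an added example that is not code from the thread or from any of the firewalls it discusses: it parses constructed netstat -b style lines (process name, remote address:port, state) and flags any svchost.exe connection that goes to neither the LAN subnet nor a short allow-list of update hosts, which is exactly the "easier to investigate" outcome the post describes. The subnet, the allow-listed address, the sample lines and all function names are assumptions made for this example.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Union

# Constructed sample in a netstat -b style: process, remote address:port, state.
# Addresses are from documentation ranges; they are not from anyone's real log.
SAMPLE_LOG = """\
svchost.exe 192.168.1.10:445 ESTABLISHED
svchost.exe 192.0.2.10:80 ESTABLISHED
svchost.exe 203.0.113.57:80 SYN_SENT
firefox.exe 198.51.100.7:80 ESTABLISHED
"""

# Assumed policy: svchost.exe may talk to the LAN and to a few update hosts only.
LAN_SUBNETS = [ipaddress.ip_network("192.168.1.0/24")]
ALLOWED_UPDATE_HOSTS = {ipaddress.ip_address("192.0.2.10")}  # stand-in for an update server
WATCHED_PROCESS = "svchost.exe"

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class Flow(NamedTuple):
    process: str
    remote: IPAddress
    port: int
    state: str


def parse_line(line: str) -> Optional[Flow]:
    """Parse one 'process host:port STATE' line; None for lines that don't fit."""
    parts = line.split()
    if len(parts) != 3 or ":" not in parts[1]:
        return None
    host, _, port = parts[1].rpartition(":")
    try:
        return Flow(parts[0].lower(), ipaddress.ip_address(host), int(port), parts[2])
    except ValueError:  # unparsable address or port
        return None


def is_whitelisted(flow: Flow) -> bool:
    """Only svchost.exe is restricted; other processes are out of scope here."""
    if flow.process != WATCHED_PROCESS:
        return True
    return any(flow.remote in net for net in LAN_SUBNETS) or flow.remote in ALLOWED_UPDATE_HOSTS


def audit(log_text: str) -> List[Flow]:
    """Return the svchost.exe flows outside the whitelist that deserve a closer look."""
    flows = (parse_line(line) for line in log_text.splitlines())
    return [f for f in flows if f is not None and not is_whitelisted(f)]


for f in audit(SAMPLE_LOG):
    print(f"suspicious: {f.process} -> {f.remote}:{f.port} ({f.state})")
```

On a real host the log would come from the firewall's own per-process log or from netstat -b, and the allow-list would need the actual update hosts rather than the placeholder used here.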

Maybe an IDS should detect this. After detecting malware, the IDS should shutdown the malware, lock the user account and inform the administrator.

I cannot see this.

The OS should be configured like this, if an host based IDS should be used.

Then usually the IDS cannot do its job.

Yours, VB.

Reply to
Volker Birk
