I am using a wireless D-Link (is that the router you bespeak of)?
I do run
I only posted what I considered the unasked for messages (not the obvious ones).
Generally I do two obvious things each time I get a NEW message.
Should I do more? I'm hoping others can find THIS THREAD, for example, when they get the messages I just posted and therefore they'd get the advice we all so desperately need.
Where would YOU go when you received any one of the messages previously posted when you didn't explicitly ask for that IP address to connect to you?
THAT's THE WHOLE POINT OF THIS THREAD! With Sygate Personal Firewall (and I suspect all software firewalls), you can tell the program to silently ignore and simply LOG all these connections! My question was really WHICH OF THESE WOULD YOU IGNORE?
Is there any other choice? These requests were made to my machine and I must respond to them. Of course, I could simply say "Accept All Requests" but that would be folly. The question really becomes two questions:
I generally use
In defence of the Sygate Personal Firewall, there is a DETAILS button which spits out a huge amount of cryptic (to a novice) information about something called a "packet" so the remote port MIGHT be in that listing.
I could post the DETAILED information if it would help (caution, it's cryptic at best).
Is the D-Link wireless/wired box connected to the DSL modem set up in the default configuration sufficient?
Or is there something ELSE I should purchase to get this "hardware firewall"?
I've been using this setup for more than a year and this is the FIRST time that particular server contacted me (for whatever reason). That is what startled me and made me suspicious.
That's only HALF the answer. All it tells you is WHO made the request. That doesn't tell you if the request is valid.
For example, the posted DNS address has NOT contacted me ever in the more than a year that my DSL to D-LINK setup has been in existence. So, WHY should a machine which purports to be a DNS machine all of a sudden contact me today?
On the other hand, many of the requests happen every day all day. That STILL doesn't make them innocuous; it just makes them "probably" not suspicious. That would include, for example, the NDIS User mode I/O Driver, the NDIS Filter Intermediate Driver, the Generic Host Process for Win32 Services, etc. All I'm asking is, for these events, none of which are explicitly user initiated, is it reasonable to tell the Sygate Personal Firewall to ACCEPT all these requests without complaint?
Since NOBODY has mentioned the problem that this is only HALF the story, I wonder if I understand this correctly.
Knowing the machine "name" and "owner" is only HALF the story (isn't it)? The other half is for what PURPOSE did the machine contact my machine.
For example, when Adobe Acrobat 6.0 (Acrobat.exe) [206.13.31.12] contacts me on local port 1880 (VSAT-CONTROL - Gilat VSAT Control), I can find the name of the machine contacting me from
Knowing ONLY the name of the server contacting you, would YOU want to allow this program to access the network?
Of course not!
If I had another machine on the same tiny home network with that IP address (which would be highly unlikely in a 192.168.0.XXX network), then I would NOT have posted that specific request in the list above as it would have been an obvious innocuous request.
Again, knowing the machine name & owner is only HALF the story. Actually, it's only 1/3 the story as the following is important:
Is this information available somewhere?
Note that the WHO part is trivial to obtain, e.g., we can obtain that from:
The WHAT part, albeit often highly technical, is not too very difficult to obtain, e.g., we can use any of the following which describe the ports:
The WHY part is the key question.
For example, WHY would dns1.snfcca.sbcglobal.net contact my machine on tcp/udp port 1258 named the Open Network Library?
The question becomes:
That advice was the purpose of the original question.
Unfortunately, I don't know what a POC (point of contact?) is nor do I have a c compiler.
What does the breakout.c program do for us? Does it slip past the Sygate Personal Firewall somehow secretly and silently?
I think there are 3 parts to the problem, one of which is trivial, the other of which is technical, and the third of which is the crux of the matter:
For example, WHY would Adobe Acrobat 6.0 (Acrobat.exe) be contacted from an SBCGlobal DNS machine [206.13.31.12] using local port 1880 (VSAT-CONTROL - Gilat VSAT Control)?
What could it possibly want? Why doesn't anything bad happen when I deny the request?
Since the remote machine is gonna try to contact us anyway, wouldn't we have the same three problems no matter which personal firewall solution we used?
For example, if I used Windows XP Firewall, or ZoneAlarm (
And then, if it did, wouldn't we STILL have the THREE QUESTIONS:
This seems, to me, to be such a common need for virtually every one of the millions of computer users out there, that the ANSWER to these three questions SHOULD be somewhere very easy to locate for us novice users?
I can't believe there is a single person out there on the Internet who doesn't have this very same problem. That's why it's so frustrating to me to not be able to find the all-important WHY information so desperately needed by millions of us users.
GS
If Adobe Acrobat 6.0 (Acrobat.exe) is going to be contacted from a remote machine [206.13.31.12] using local port 1880 (VSAT-CONTROL - Gilat VSAT Control), what would Windows Firewall do differently from what Sygate, ZoneAlarm, Kerio, Outpost, etc. would do?
I don't expect the user to know that. But I expect the firewall to include that information in the error message, for situations like this one where the user copies and pastes the error message to their firewall support or to a newsgroup for assistance. Not having those details really cripples whoever is trying to help the user. If necessary, the vendor can hide this information under a "Details" button on the message, and put them into the log file for posterity.
I do the same things I suggested in my post.
I think the best firewall configuration is one that doesn't give you any popups whatsoever. Corporate firewalls don't give the firewall administrator popups and ask him or her questions. They just work. The same thing is true of hardware firewalls used in homes. Firewalls should have just two situations: packets it knows are bad and it blocks without question, and everything else that it lets through.
Yes... I don't have the latest version of Sygate, but I believe most software firewalls have a configuration choice that does not cause any popups. If Sygate doesn't, there's also
All of them.
The problem is all you've got is what the firewall tells you, and it hasn't told you everything you need to know. Very often, you will not be able to 100% determine the cause. You'll have to make a best guess, go with a gut feeling, and move on. Even professionals who monitor computer networks for intrusions do this as well. Another possible strategy would be to deny any packets you have questions about. If something breaks, then you know it was probably something you needed to allow. This is also the safest strategy.
I believe it is more likely that this was a reply to a connection your computer made. The reply took too long to come back, and your firewall stopped watching that connection, was surprised when the reply came back and considered it a new connection. DNS servers should never be contacting you. This situation can happen when you look up the IP address for a host name where the DNS server is troubled or down and does not respond, and the request times out 45 seconds or more later. It's happened to me.
Ah, that might help us a little. But I'm still leaning towards ignoring this one, moving on, and pursuing a silent firewall configuration.
Sure, go ahead.
See my other post. More likely, this was a reply to your computer, but the reply took so long, your firewall wrongly considers this a new inbound connection. DNS especially does this due to having timeout values that are greater than the timeout values in many stateful firewalls.
It's not really that easy. If it was, someone would have done it already. One problem is that each firewall reports things in different ways. Another problem is that some Firefox traffic is good, and some might not be so good. These sorts of things are very variable and conditional. However, you can find some informative resources by searching
Not specifically, but it qualifies. I'd OK the NDIS messages.
Unasked for... You weren't visiting a secure web page when you got the HTTPS message? Weren't looking at a PDF when the DNS server tried to contact Acrobat? That would be odd indeed. As for some of the others, is it possible a web page you were visiting pulled an advertisement or graphic from a different address? Have you looked at the relevant transactions in context in the firewall logs? Do you understand that local ports 1024-5000 are typically ones YOUR system uses to connect to a remote system? And that once a connection is made, the remote system communicates FROM the destination port TO the port your system has connected from?
Next time you get a prompt referring to any of those local ports, try opening a command prompt and typing 'netstat -a' and see if the port's currently connected to something. I suspect the references to 'Open Network Library' and 'NetBill Authorization Server' are bogus (pulled from the list of 'registered ports'). But then, I'm no expert.
Ask on the Sygate forum.
nf
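The "late reply" explanation given above (a reply that arrives after the firewall has stopped tracking the outbound request and is therefore reported as a new inbound connection) and nf's point that local ports 1024-5000 are the ones your own system opens can both be shown with a small model of a stateful firewall's flow table. This is an added example, not code from the thread or from Sygate: the packet trace is constructed, the timeouts are hypothetical values, and the addresses and port numbers are borrowed from the thread purely as placeholders.

```python
from dataclasses import dataclass

HOST = "192.168.0.2"   # constructed: this PC's LAN address
DNS = "206.13.31.12"   # address quoted in the thread, used here only as a placeholder


@dataclass(frozen=True)
class Packet:
    t: float        # seconds since start of the constructed trace
    proto: str      # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = sent by this host, "in" = arriving at this host


class FlowTable:
    """Minimal model of the state a stateful personal firewall keeps per flow.

    An outbound packet creates or refreshes an entry keyed on the 5-tuple.
    An inbound packet counts as a reply only if the mirrored 5-tuple is
    present and was seen within the protocol's idle timeout; anything else
    is reported as unsolicited, which is what produces the popup.
    """

    def __init__(self, udp_timeout: float, tcp_timeout: float = 3600.0):
        self.timeouts = {"udp": udp_timeout, "tcp": tcp_timeout}
        self.last_seen = {}  # 5-tuple -> time of the last packet seen for it

    def classify(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if pkt.direction == "out":
            self.last_seen[key] = pkt.t
            return "outbound"
        mirror = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        last = self.last_seen.get(mirror)
        if last is None:
            return "unsolicited"               # nothing of ours matches
        if pkt.t - last > self.timeouts[pkt.proto]:
            del self.last_seen[mirror]         # entry expired before the reply came back
            return "late-reply-as-unsolicited"
        self.last_seen[mirror] = pkt.t
        return "reply"


def is_ephemeral(port: int) -> bool:
    """The classic Windows client-side port range nf refers to (1024-5000)."""
    return 1024 <= port <= 5000


# Constructed trace: a DNS query from local port 1258, its reply 50 s later
# (slow resolver), and an unrelated inbound packet aimed at local port 1880.
TRACE = [
    Packet(0.0, "udp", HOST, 1258, DNS, 53, "out"),
    Packet(50.0, "udp", DNS, 53, HOST, 1258, "in"),
    Packet(60.0, "tcp", DNS, 2049, HOST, 1880, "in"),
]


def run_trace(udp_timeout: float, trace=TRACE) -> list:
    """Classify every packet of the trace under a given UDP idle timeout."""
    table = FlowTable(udp_timeout=udp_timeout)
    return [table.classify(p) for p in trace]


if __name__ == "__main__":
    for timeout in (30.0, 120.0):
        print(f"udp timeout {timeout:>5}s:", run_trace(timeout))
    print("port 1258 ephemeral:", is_ephemeral(1258), "| port 53 ephemeral:", is_ephemeral(53))
```

With a 30-second UDP timeout the reply from port 53 to local port 1258 is reported as unsolicited even though the PC asked for it; with a 120-second timeout the same packet is recognised as a reply. The packet to local port 1880 has no outbound counterpart under either setting. So when a popup names a local port in the ephemeral range, the first check is the firewall log for an earlier outbound packet with that same local port; `netstat -a`, as nf suggests, is the live version of the same check.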
Nothing. And why should it do so?
If you're trusting in Adobe and like their products, just use them. Before you use them, configure them as you like. The online update feature can be switched off (and should not BTW).
Your "Personal Firewall" is only making a show of "stopping" this "perhaps malicious" connect() to make _you_ feel good and safe. Your computer is not more secure because of this in any way. This is why I'm calling it placebo software.
(BTW: Acrobat is contacting to the outside host, not vice versa).
If Adobe wanted to do something really bad, they would do it in a way your "Personal Firewall" does not recognize, and it would not show any popups, just like with my POC.
This is what I'm trying to tell you: if the application wants to be controllable, usually because it's not malware, then and only then is your "Personal Firewall" able to control it.
But this has nothing to do with security.
There is one exception: the malware which is programmed as dumb as the "Personal Firewalls" themselves ;-) But, believe me: this is not the malware which is dangerous and which you should be afraid of ;-)
For fighting malware, there is only one way, which really works: do not run it on your computer. How to achieve this, is a good topic for a discussion about security.
Yours, VB.
It is.
Yours, VB.
Oh, sorry ;-) A POC is a proof of concept, some code which shows that what I'm saying works. In this case, it's some code which is "phoning home".
No, it does it visibly and obviously ;-) Because it's a POC, I didn't want to hide what it does.
Anyway, on
All that you're discussing here is not the topic. We're not talking about applications on hosts in the Internet which try to contact your host, but about applications running on your host trying to contact hosts in the Internet.
Nothing happens if you deny that. But: why are you asked such questions by your "Personal Firewall", if that has nothing to do with security?
BTW: sorry, that I have to remove the microsoft.* hierarchy, because my news server does not have it.
Yours, VB.
No.
Inbound connections can be filtered by any host based packet filter, like the Windows-Firewall or any "Personal Firewall", too.
The difference is with outbound connections.
Yes, with inbound connections. But: why should your "Firewall" inform you about that with a popup the user usually does not understand?
Why not just block, and that's all?
If you don't want to be contacted anyway, like most home users, why not just deny everything, and that's it? It's not your problem then.
This is not possible.
The 1st question you will not be able to answer, because you don't know the person (if any) who triggered the contact, and you will not be able to locate her/him.
The second question is not interesting if you don't want to offer any services at all, as most home users don't (usually they want to use the web, email, perhaps some games or IM, or the usenet ;-) and that's it).
The third question you usually will never find out anyway.
So what?
I personally think millions of users just want to use their PC for email and web, some work, and playing games.
And they want to do this in a safe way. They want reliable systems which they can use for doing this, and they don't want to have such problems at all.
Good and secure systems have to be designed this way. This means the opposite of opening such useless popups with such confusing texts and questions, which a regular user cannot decide on, because she/he not only is missing the background information about it, but also does not want to decide on and deal with it anyway.
I think, you might be an exception here ;-)
If you're interested in computing security, then there is only one way to learn: learn about how all is working with this computer stuff and the networking things ;-)
A good start is Craig Hunt's book "TCP/IP", published by O'Reilly. And then learn to program yourself. For learning how the TCP/IP protocol family really works, try Richard Stevens' book "UNIX Network Programming"; read at least the first volume. For understanding this, you should first learn (if you didn't yet) how to use the programming language C.
Yours, VB.
True, but you can catch lots of outbound malware traffic that exists because machines were taken out of the defence perimeter, then brought back into the network, with outgoing IDS at the gateway. It happens, unless you take extreme measures on the PC's. Even if, it gives you a second line of defence and/or warning when something does go wrong with a PC.
With regards to tunnels, you can also only permit tunnels to appropriate destinations and block the rest.
-Russ.
I think, you're misinterpreting this message completely. I assume, that the Acrobat program is running on your own host, and if you're reciting correctly, then 206.13.31.12 was your own IP address.
Perhaps you first should try to understand what an IP address is, what a port is (it's not a "door" or even a "harbour", but only a maintenance number), and how sockets work and what they're used for.
Perhaps you could start with Craig Hunt's book, as I mentioned already.
First you should understand how classical operating systems work, like *NIX systems or Windows. They have two parts, a kernel and the userland, in which programs that are running are called "processes".
The kernel is a program which controls everything that is going on, including the other programs, the processes.
To make a stable system, code of processes may not influence the memory of other processes at all; the kernel enforces this with a technique called "protection". This means that if the code of a process tries to do any I/O itself, or tries to influence the memory of other processes, then the kernel just stops this process immediately; on Windows systems, "Dr. Watson" arrives ;-)
But sometimes it's necessary that two processes can communicate. For example, you want to have results of your spreadsheet in your wordprocessor. Techniques which allow this as exceptions from the protection are called "Inter-Process Communication", IPC.
(IPC has to be controlled by the kernel, BTW. It is a big design flaw in Windows that uncontrolled IPC with Windows messages is possible between processes which open windows on the same desktop.)
Sometimes, IPC has to be done through the network. For example, if the process, which represents/implements your webbrowser should show information from a webserver, which is represented by another process, perhaps on another machine, then this will be implemented with IPC also: IPC through the net.
Usually, it's implemented with network protocols like TCP, and with an API like the BSD socket API (this is the case, e.g., with Linux, BSDs and Windows; with commercial UNIXes you'll have XTI as an alternative to the socket API).
With the Internet Protocol and TCP, any network interface in the network has a unique number, the IP address. This is a 32-bit number, unfortunately usually written in a very strange way (writing decimal numbers for each single octet, separated by dots, like "206.13.31.12").
TCP sockets are a technique to have a bidirectional communication connection from one process running on one machine to a second process running on the same machine or another one in the network.
It is possible that more than one process can communicate through one network interface with a TCP socket at one time; so we need a second maintenance number to identify one connection from one process to another.
This is done by adding a port number. The protocol (TCP), the interface number (the IP address), and third the port number identify one endpoint of a TCP connection; two sets of those three numbers (the protocols are numbered too, TCP is number 6) identify one single connection.
The port number is a 16bit number, which is not 0.
With TCP, all communication is following the client/server pattern. That means, one process has the role of the server, and one process has the role of the client.
For example, a webserver has the role of the server, and a webbrowser has the role of the client.
To initiate a TCP connection, first the server has to "listen" on a port. That means it opens one endpoint with the system call listen(), i.e. the process tells the kernel that if information arrives on this network interface (or any network interface, if the endpoint is opened for interface 0.0.0.0) which leads to initiating a TCP connection, then the kernel should send this information to the server process which called listen() for this type of connection, say: for this port number.
If a webbrowser now wants to open a TCP connection to our webserver (in this example), then it sends a special IP packet, which is called a SYN cookie, see RFC 793, together with the information on which port it wants to send this information. To do this, the webbrowser also has to open a TCP endpoint first on its own machine and on one interface there. It does this by using the system call connect(), which opens such an endpoint from the process in which the webbrowser is running to the network kernel, and second such a TCP syncookie is sent to the other machine by the kernel (you remember, only kernel code is allowed to do I/O ;-)
If the other kernel answers with SYN,ACK, then it wants to communicate and is trying to establish the TCP connection with its webserver. The kernel with the webbrowser then answers with ACK, which means that now all is clear and the connection is established (see section 3.4 in RFC 793). From then on, when one of the two processes writes data to its endpoint of the TCP connection, its kernel sends this in a reliable way to the other kernel, which transmits this data to the other process, which can read it, and vice versa.
This is how TCP works.
Perhaps you now can start to interpret the message of your "Personal Firewall" ;-)
Hint: you only know the names of the files in which the programs are stored, which become processes when run, like "acrobat.exe", for your own machine.
About processes on other machines you know nothing like that. You only know with what maintenance number (port number) their network connection to you is being managed by the kernel of the other machine.
Yours, VB.
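VB's walk through listen()/connect()/accept(), and the closing point that a remote host only ever sees your IP address and port number and never the name of the process behind them, can be exercised on a single machine. This is an added example, not code from the thread: it opens a listener on the loopback address, connects to it, and reports what each endpoint can learn about the other through the socket API. The port is chosen by the kernel (bind to port 0) and the payload is a constructed string.

```python
import socket


def handshake_demo(payload: bytes = b"hello") -> dict:
    """Create both ends of a TCP connection on 127.0.0.1 and report what each side sees.

    The three-way handshake is performed entirely by the kernel inside connect();
    the listening process only learns of the new connection when it calls accept().
    """
    # Server role: open an endpoint, let the kernel pick a free port, start listening.
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    server_port = server.getsockname()[1]

    # Client role: connect() binds an ephemeral local port and sends SYN; the kernel
    # finishes SYN / SYN-ACK / ACK before connect() returns to the process.
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect(("127.0.0.1", server_port))

    # The server process now picks up the already-established connection.
    conn, peer_seen_by_server = server.accept()

    client.sendall(payload)
    received = b""
    while len(received) < len(payload):          # TCP is a byte stream: read until complete
        chunk = conn.recv(len(payload) - len(received))
        if not chunk:
            break
        received += chunk

    result = {
        "server_port": server_port,
        "client_port": client.getsockname()[1],
        # Everything the server learns about the client: an (ip, port) pair.
        "peer_seen_by_server": peer_seen_by_server,
        # Everything the client learns about the server: an (ip, port) pair.
        "peer_seen_by_client": client.getpeername(),
        "received": received,
    }
    for s in (conn, client, server):
        s.close()
    return result


if __name__ == "__main__":
    for key, value in handshake_demo().items():
        print(f"{key:>22}: {value}")
```

The only process name that can appear in a firewall popup is the one on your own side, because your kernel knows which local process owns the socket. The peer address and port pair returned by accept() and getpeername() is all either end can ever see of the other, which is why the "WHY" of a connection cannot be read off the popup.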
Gerard Schroeder wrote in news: snipped-for-privacy@40tude.net:
Well that's true and Sygate is really not telling you either.
I don't know why; you'll have to figure it out. For me, when the ISP's DNS servers wanted to contact the public or external WAN IP used by the FW appliance, it was due to me configuring a static IP on one of the machines' NICs on the LAN. I set the machine's NIC back to using a DHCP IP and I have not seen the DNS servers trying to initiate contact with my network.
You must have a Win XP machine as you're talking about NDIS User mode where in my case the wireless NIC driver was using NDIS User Mode to phone home to several sites. So at the time I set BlackIce to not allow communications by the NDIS User Mode driver. I am not using wireless anymore, so I disable Wireless Zero Configuration Service on XP to close that door.
It comes down to you knowing what's happening and who is doing it, and not using Sygate like a crutch, because Sygate is not giving you the true picture. You talk about NDIS User Mode and whatnot, and SVChost.exe (Generic Host Process), which are just doing their jobs, and that is to communicate on the network, LAN or WAN. It's not those processes that are initiating the communication, as they only do it on behalf of other processes that are making the requests. You need to determine what those processes are that are doing it, make determinations as to whether it's legit or not, and take the appropriate action.
One uses the proper tools, like Process Explorer, to look at processes and see which hidden processes are using a particular process, and not use Sygate like some kind of a crutch.
I don't have any solutions such as BlackIce with its Application Control running on my machines, because personal FW solutions that are using it are a worthless feature IMHO.
I have BlackIce running on my laptop, but the Application Control feature is disabled as I don't need it asking me the ridiculous questions as I got a good take on what's happening or I know how to use the proper tools and find out what is happening.
Some other tips and there is one for Win 2K too.
Duane :)