******short Explanations Firewalls****** - Page 2

#16 (joined Apr 2002, Jacksonville, Florida, 186 posts)
    Healtheworld, while checking out firewalls, I suggest looking at Outpost from www.agnitum.com. It's worked great for me and there's a free version. It doesn't use as many resources as others I've tried. It has plug-ins too: pop-up stopper, ad blocker, and it's easy to configure. Check it out.

#17 (joined Mar 2003, 38 posts)
    Gone through some chats with some security experts...

    Some facts revealed... Your opinion / error correction required...


    Bad things about home firewalls:
    ****************************
    1. They slow your PC.
    2. If they're free they're not as good as expensive ones; if they're expensive, I can't afford them.
    3. Trojans/worms/spyware can easily use my default browser/IM/other communication thing as a communication app, so no chance to block that.
    4. They really can't stop an advanced hacker, because a wannabe would stop and cry when he sees that my ports are closed and that I have enabled the XP firewall, I'm patched and there's nothing to exploit, but a real hacker would finish it if he wished so.

    Good things about home firewalls:
    *****************************
    1. They protect you anyway.
    2. They would catch all the simple trojans/spyware/worms.
    3. They would block any "I am going to hack u" wannabe.
    4. They make you feel a little bit more secure.
    So what do you think...? Do you personally use a firewall, and if you do, which one? Did it help you any time?
    P.S. Once upon a time I had ZA, and it kept warning me that my ISP was hacking me... ;p and left me a very bad memory.

    Quote
    "Personally, I think too much emphasis is placed on firewalls ...

    No firewall even comes close to making your machine secure ... Most of the security holes that a hacker will use are in applications you ALREADY allow access through your wall ... take for example something lame like the rather old 'Godmessage' exploits ... email bugs, MSN and ICQ exploitable overflow conditions ... What will your firewall do about these?

    NOTHING, that's what ... simply log the packets for later analysis (if your wall even supports logging; many don't).

    Turning to trojans... sure, a process-based firewall will detect some of the poor public malware currently being pushed in the media as the biggest threat on the net, but ONLY if they are not modified; for that matter so will your AV solution. But these are just toys.

    Other trojans use IPC techniques to get your default browser to do the communication for them ... and guess what, your firewall is probably all set up to allow it.

    Although I may sound negative about walls (and don't even get me started on AV) I still suggest you have them because it keeps the less-capable wannabes away from your system for a while ... and let's face it, there's about a 100,000-to-1 wannabe to hacker ratio.

    But, please, don't for one second think that your choice of firewall/AV solution is going to make a damn bit of difference if anyone with a degree of skill decides to crack your box for fun or profit. Security rhetoric is a multi-billion dollar industry and that's all it is, rhetoric.

    Personally, I've never met a local software firewall that can detect or packet-log a VxD Layer-0 trojan ... and many can't even detect semi-available LSP/SPI trojans that wrap the base layer. And I've never met even a big-box or corporate solution that can do anything about socketless trojanware using promiscuous or parasitic quoted techniques.
    "

#18 (joined Mar 2003, 38 posts)
    ANOTHER ONE FROM A TOP SECURITY EXPERT...
    A local firewall (as opposed to gateway or hardware) sits either as low in the TCP/IP protocol stack as possible (and naively hopes the OS makes apps behave) ... or it sits as low as it can in the OSI model, generally by wrapping the interface functionality.

    The first is ridiculous and the second is highly questionable

    First ...

    The first can be got around by tapping the Layered Service Provider's Transport Provider Interface, for example ... which is essentially one half of the protocol stack (the other being the Namespace Provider Interface) .. this is done by simple inclusion of a .DLL exporting an SPI (Service Provider Interface) at both its upper and lower edges and thus sitting in the middle. By aggressively holding the lowest position in the stack by claiming to all above it to be the base layer etc ... this DLL can not only use ports parasitically but can generate phantom ports that don't show up on netstat and other socket enumeration ... it can also fake in both directions, presenting non-network data to applications as though it were regular traffic, and presenting traffic as though it were formed in an application.

    This on its own can present significant problems exploiting inherent trust in a process-based-firewall environment ... and can even be used to promiscuously listen for quoted commands on ANY port or protocol (and strip such sections before presenting up the stack to the app) ... similarly, messages can be quoted into a legitimate stream and passed OUT through the converse method, at least as trusted as the application who apparently generated the traffic.


    The second is FAR nastier ...

    Not only will it NOT show up on any local firewall (Process based or not) due to being on the OTHER side of the firewalls hooking and thus already from OUTSIDE of the machine (In a TCP/IP context) ... it also is running INSIDE the machine in a code context ... The best of both worlds !

    Not only this ... but external firewalls and gateways can be fooled by the same quote/dequote scheme as before. And traced back to ... the legitimate app.

    This makes every port on your system a trojan, and any log that shows a LEGITIMATELY FORMED transaction could be a trojan command that was stripped prior to the firewall seeing the packets.


    Not only this ... from the VxD layer we can intercept any API call, any registry call, and any Disk access (Even sector reads/writes) ... and filter them and/or remap them and/or return a lie. We've even beaten IDS into submission with this and managed to propagate holes into several layers of backup.

    Anyway ... This means that our VxD based trojan is transparent, socketless, promiscuous and has no window/task/thread ID's ... It also may (depending on coding) be impossible to see in a memory scan, drive scan and its registry storage may be invisible to all ... or even different depending on the process doing the asking.

    DaVinci Group wrote The MiniBaug LSP trojan in 1999 and several variations of VxD wrapper based trojans for concept over recent years.

    Combine these low level tools with some pretty basic exploits and you have a reason not to trust AV/FW solutions as far as you can comfortably spit a horse.

    Linux *spit* *spit* is not above this either ... in fact, it can often be easier to install this type of code into the abstract machine representation in a Linux-based environment than even the Windows systems, depending on the specific configuration... certainly, IDS systems like Tripwire have never been much of a problem on either system.

    Personally, I believe the much-hyped Magic Lantern software probably uses such techniques with the added advantage of good co-operative relations with the government's bedpartner, Microsoft... And, if it doesn't ... well, there's no excuse.

    Luckily LSP and VxD development are not so openly documented that the lamer can easily exploit these techniques. And DaVinci are a members-only non-publishing organisation ... both with code and exploits, by a strictly enforced dissolvement policy. However, anyone with coding experience and a copy of the MSDN DDK (VxD) or the MSDN SDK Subscription (LSP) should find their way given a little determination.
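The post above describes a DLL inserted into the Winsock provider chain so that it sits between every application socket and the base TCP/IP provider. The check a practitioner would want here is an inventory of that chain. The example below is added by the editor and is not code from the post or from the quoted group: it parses the text that `netsh winsock show catalog` prints on a Windows host and flags layered providers whose DLL does not live under System32. The catalog text embedded in it is constructed for the demo (the GUIDs, the `nethelper.dll` path and the entry IDs are made up) and is assumed to follow the layout of that command's output.

```python
"""Added example: triage of Winsock catalog entries for suspicious LSPs.

Not from the post. Models the check a responder runs after the kind of
provider-chain insertion the post describes. Run `netsh winsock show catalog`
on the host, paste the output in place of SAMPLE_CATALOG, and review what
suspicious_entries() returns.
"""
import re

# Constructed sample output in the layout of `netsh winsock show catalog`
# (assumption). Entry 1001 is the normal Microsoft base provider; 1010 and
# 1011 are a made-up third-party LSP and the chain entry that layers it on top.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2
Address Family:                     2
Socket Type:                        1
Protocol:                           6
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Network Helper LSP
Provider ID:                        {11111111-2222-3333-4444-555555555555}
Provider Path:                      C:\Users\Public\nethelper.dll
Catalog Entry ID:                   1010
Version:                            2
Address Family:                     2
Socket Type:                        1
Protocol:                           6
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Network Helper LSP over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {11111111-2222-3333-4444-555555555555}
Provider Path:                      C:\Users\Public\nethelper.dll
Catalog Entry ID:                   1011
Version:                            2
Address Family:                     2
Socket Type:                        1
Protocol:                           6
Protocol Chain Length:              2
"""

# Directories a provider DLL is normally loaded from. Anything layered that
# lives elsewhere deserves a look (hypothetical allow-list for the demo).
TRUSTED_DIRS = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")

# Entry types that sit on top of the base provider, i.e. in the data path.
LAYERED_TYPES = ("Layered Service Provider", "Layered Chain Entry")

FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s+(.*)$")


def parse_catalog(text):
    """Split netsh catalog output into one dict of fields per entry."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("Winsock Catalog Provider Entry"):
            current = {}
            entries.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return entries


def is_trusted_path(path):
    """True if the DLL path points under the Windows system directory."""
    return path.lower().startswith(TRUSTED_DIRS)


def layered_chains(entries):
    """Entry IDs whose chain length > 1, i.e. something is layered over a base provider."""
    return [e.get("Catalog Entry ID") for e in entries
            if e.get("Protocol Chain Length", "0").isdigit()
            and int(e["Protocol Chain Length"]) > 1]


def suspicious_entries(entries):
    """(entry id, type, path) for layered providers loaded from outside System32."""
    return [(e.get("Catalog Entry ID"), e.get("Entry Type"), e.get("Provider Path"))
            for e in entries
            if e.get("Entry Type") in LAYERED_TYPES
            and not is_trusted_path(e.get("Provider Path", ""))]


if __name__ == "__main__":
    found = parse_catalog(SAMPLE_CATALOG)
    for entry_id, kind, path in suspicious_entries(found):
        print(f"REVIEW entry {entry_id}: {kind} at {path}")
```

Two caveats belong with this check. Legitimate products (some AV and parental-control suites) install LSPs, so a hit is a triage item, not a verdict; confirm the DLL's signer and hash. And, as the post itself argues, code sitting at driver level can filter what `netsh` and the registry report, so on a host you already suspect, collect the catalog from an offline boot or compare against a known-good baseline rather than trusting the live output alone.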

#19 (joined Mar 2003, 38 posts)
    Another excerpt from security expert
    ******************************
    "I've never found an effective AV solution.

    Heuristic detection methods on all are comical and the detection of KNOWN virii makes the whole deal a lottery ... before you are protected a number of things happen :

    1. A large number of people are infected
    2. Someone reports it
    3. They take the time to find a signature and include it in the VirDefs
    4. You take time to DL the VirDefs

    Meanwhile ... yet more people infected.

    So, for every definition (And there are absolutely thousands) in your VirDef file a very large number of people have been infected. Altogether the numbers are quite staggering.

    Thing is ... security should NOT be a lottery ... Signature-based AV is not the best solution... of course, the best solutions SOLVE problems and that's not in the vendors' interest either.

    Want to do a test?

    Take a virus, split it into three sections, 'start-50%', '25% to 75%', '50% to 100%' ... run your AV over them ... find the one that flags as a virus and repeat ....

    Till you get down to a small file, perhaps only 14 bytes, of which removing just one byte from either end prevents its recognition.

    Now, look at it ... If it's text, change it in a sane way ... if it's instructions, swap two that seem order-independent... Now paste that back into the original virus and boom ... there's a new version that will evade your AV and wipe out at least a few thousand people before it hits someone savvy enough to catch on and report it to the AV vendors.

    And thats without a great deal of skill.

    Want less skill? Try exe-packing a trojan, and then hexing out the 'Packed using BLAHPACKER' and anything else obvious. Gee, a trojan that doesn't show on AV scans ... when it's released it will soon become recognised, but what if it's not released, what if it becomes a personal variation for some miscreant? He's potentially gonna get YEARS of use!

    AV may prevent the apocalypse ... but it certainly doesn't prevent disasters, and it won't keep you safe.

    So, what do we learn? That AV requires a virus to have already been widely SUCCESSFUL before the AV has any potency?

    Poor state of affairs.


    So yes, load up your AV and your firewall. Argue about which is the best till your face goes blue... but for God's sake please don't put any faith in any of them, for they are all poor at best.

    They protect the whole ... not the individual !
    "

#20 (joined Jul 1998, Toronto, 26,544 posts)
    Healtheworld...

    You seem to have made more of an effort in your web searches than you would have if you'd just read the manuals you referred to in your first post.

    You have enough info to make up your own mind. Rather than just posting articles to try and start a debate, the kind of which usually only ends in either an argument or flames, why not just make up your own mind if it isn't already?

#21 (joined Mar 2003, 38 posts)
    Got it, Fink....



    I'm diving into too much detail too early..

    BUT THANKS FOR EVERY BIT OF INFO YOU GUYS HAVE PROVIDED....
