Archived from groups: comp.security.firewalls (More info?)

Hi,

I have a router with some built-in firewall capability and I might
look at linux firewalls, but I would also like to run a software
firewall to stop programs from "phoning home".

I did try zonealarm, simply because I had read good reviews about it
but it caused a conflict with other software I had installed and when
I tried to contact zonelabs, they said they only support the pro
version, not the free version. Well, I am hardly likely to register a
program that is not working to get support am I? If they had given me
support and fixed the problem, then I would have paid for the product.
So I have deleted zonealarm from my system. I think their attitude is
wrong.

There seems to be much hatred of Norton firewall. I know Symantec have
abused the Norton name to sell their wares, and their programs seem to
be very bloated. But what are the criticisms of Symantec's firewall?
Is it just that people like to knock big companies, like Symantec and
MS, or are there valid criticisms?

Thanks.

Archived from groups: comp.security.firewalls (More info?)

nospam@nospam.org wrote:
> I have a router with some built-in firewall capability and I might
> look at linux firewalls, but I would also like to run a software
> firewall to stop programs from "phoning home".

Only programs, which want to be controlled, can controlled by
"Personal Firewalls", so this is completely useless.

> But what are the criticisms of Symantec's firewall?

Symantec Norton "Personal Firewall" as well as Symantec Norton
In Security open popups with useless information while running.

They're vulnerable to the SelfDoS attack, just like Zonealarm.

Both failed with the test, if they could prevent applications from
"phoning home", already with an easy hack like my POC on
http://www.dingens.org/breakout.c - together with the rest of the
"Personal Firewalls".

In the default configuration, any running malware can witch off Symantec
Norton products anyway.

Beside that the Symantec products are terribly bloaty (the "Personal
Firewall" 2005 i.e. is installing 3556 registry keys with 5934 values,
34 directories with 417 files, and 8 drivers (!) as an addition to 8 (!)
system services), the Symantec team apparently are understanding really
nothing about data security:

The function to filter out PINs and other secrets out of outgoing data
is resulting in publicizing your PINs to any webserver owner, you're
using the webpages from.

This is because if you filter out data, what is missing, is what was
filtered out. So just hidden form fields with all numbers from 0000 to
9999 are usually enough to get to know, what PIN the user entered into
Symantec Norton "Personal Firewall" or In Security, because what is
missing in the PUT back to the server is the PIN.

This is a gross error, because this breaches security.

Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"

Archived from groups: comp.security.firewalls (More info?)

In article <43292af9@news.uni-ulm.de>, bumens@dingens.org says...
> snip....
> Only programs, which want to be controlled, can controlled by
> "Personal Firewalls", so this is completely useless.
> snip....

Hi Volker, Could you please elaborate on that statement?
This is one of the firewall flaws that I don't understand.
Thank you,
Casey

Archived from groups: comp.security.firewalls (More info?)

Casey Klc <casey@notspecified.net> wrote:
> In article <43292af9@news.uni-ulm.de>, bumens@dingens.org says...
> > snip....
> > Only programs, which want to be controlled, can controlled by
> > "Personal Firewalls", so this is completely useless.
> > snip....
> Hi Volker, Could you please elaborate on that statement?

Yes, of course.

Usually, a program which wants to send information to another host
in the internet, uses connect() to make a connection. The "Personal
Firewalls" all implement a filter, which catches those connect()s.

But this is useless. The reason is, that a malicious software programmer
of course knows that "Personal Firewalls" are doing this, and is hacking
some kind of tunneling.

It's for example very easy to tunnel arbitrary information through HTTP
with your regular webbrowser using Windows-messages.

I hacked a small proof-of-concept (POC) code for this, and we tried out
with a set of the most common "Personal Firewalls".

Even this very easy approach is enough to fool _every_ "Personal Firewall"
I know. It was not neccessary to implement somewhat more complicated than
ca. 25 lines of code. Here you can find this POC:

http://www.dingens.org/breakout.c

It is _NOT_ a problem of Internet Explorer, though. This works with any
browser, so here you can find a POC i.e. for Mozilla Firefox:

http://www.dingens.org/breakout-mozilla-firefox.c

Alexander Bernauer hacked a small remote control software using this
easy way of communication, the wwwsh:

http://copton.net/vortraege/pfw/wwwsh.tar.bz2

With this program you can have a remote shell on a Windows box without
having your "Personal Firewall" even noticing that anything goes wrong.

We tested these "Personal Firewalls":

* Kerio Personal Firewall 4.1.2
* Norman Personal Firewall 1.42
* Agnitum Outpost Firewall Pro 2.5
* Sygate Personal Firewall Pro 5.5
* Tiny Firewall 6.0
* Zone Labs ZoneAlarm Pro 5.5
* Symantec Norton Personal Firewall 2005

But this is a fundamental problem; to deny all sorts of tunneling just
isn't possible without losing connectivity.

The "Personal Firewall" providers are promising also here, what they
cannot keep. Just like with the "stealthing" nonsense.

Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"