Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Personal firewalls.
From: Eliah Kagan <degeneracypressure () gmail com>
Date: Fri, 20 Jan 2006 17:52:37 -0500

However I do wish it had the feature that Sygate PRO has, which will
blackhole a IP if it detects a ports scan coming to it. it then blocks all
activity from the offending IP for approximately 10 minutes.

Well, it's a feature if the probes are really coming from the computer
Sygate PRO thinks they're coming from.

Suppose X is running Sygate PRO and Y is a legitimate client
connecting to a server running on X. Then Z comes along and sends a
bunch of SYN packets to X, spoofed to have the source IP of Y, waits
10 minutes, and repeats ad infinitum. Now Y can never connect to X.
This seems more like a DoS vulnerability than a feature to me. Am I
missing something?

-Eliah

On 1/20/06, Soderland, Craig wrote:
Time to thrown my .02 cents in.

Zone - Good product, though it requires much thought and proper
configuration for successful installs. does not, always save your
configurations settings when you shutdown. This I find occurs most often
when you upgrade Zone from one version to another and not use the "clean
install option." If this occurs you have 2 options.

1. re-install zone, utilizing the clean install option and then re-enter
your rules.
2. do not re-install zone but when you have made firewall rules changes,
exit out of the program after making the aforementioned changes, when Zone
exits, not as part of a shutdown it seems to correctly flush the
configuration to disk.

Another issue with zone, is that they have not yet fixed the bug in the true
vector engine. I can can cause true vector, to regularly crash out and leave
the system unprotected from a remote client. I have notified Zone's
engineers, specifically how this was done and to date no response from their
side. To their credit, when this occurs now the system loses all network
connectivity (with recent update.) and the VSMON service now restarts. So
even though the bug in True Vector still exists they have worked around it
so as to not leave your system completely vulnerable as in the 5.x versions.

But other than this it is a good package, very flexible, and powerful though
requiring a certain level of sophistication to configure it properly.

However I do wish it had the feature that Sygate PRO has, which will
blackhole a IP if it detects a ports scan coming to it. it then blocks all
activity from the offending IP for approximately 10 minutes.

It however had a similar problem to zone in that we could easily get the FW
to crash out, however when it did crash out all connectivity was lost. To
date this also has not been fixed.

the other firewalls I've played with, all had their own set of feature
issues, With Black Ice being the worst piece of Garbage, I have had my
displeasure of ever installing. Just too damn easy to defeat.

in all cases, I would recommend a firewall software, especially if you are
on a laptop, and might ever be out on he wild wild internet without being
behind a hardware firewall. Preferably something that will also check on
programs attempting to make outbound connections. But I would not rely on
just a software one either.

And with hardware many users/companies make the same mistake, layering
firewalls all of the same vendor/brand. So that in the event of an exploit
weakens they're all penetrated.
_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]