Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Re[2]: Personal firewalls.
From: Dude VanWinkle <dudevanwinkle () gmail com>
Date: Sat, 21 Jan 2006 17:11:51 -0500

On 1/20/06, Eliah Kagan <degeneracypressure () gmail com> wrote:
Z sends spoofed packets coming from the DNS server of X even more
interesting..

When Sygate PRO "blackholes" a host, does it block only unsolicited
packets (bad), or does it block *all* incoming packets from that host
(worse)?

It blocks all traffic from the IP address, you can verify this by
looking in the advanced rules section after being scanned.

Watch out for Proventia/RSDP as well as BlackIce. Even though their
xml file for distributing rules and policies is one of the best I have
seen, their effect on performance is one of the worst I have seen, and
they dont protect your machine from disgruntled employees
(ahem..Witty), nor the determined attacker.

One good way to test a firewall to see if it will hold its mettle is
by nmapping a machine with -p 1-65353. Then see how your network
performance is degraded. Also an intense nessus scan against the
firewalled machine will help show you how the server/workstation will
perform while under an attack.

My experience with proventia/realsecure/blackice is that it grinds
your machine to a halt (or at least _really_ slows it down) for up to
30 min from an intense nessus scan.

One reason I did not go with ZoneAlarm at the workplace was due to the
fact that (given this was a year ago) it kept forgetting settings.
Also my employer had a site license for ZA, but if you use it for
business, you are supposed to pony up a lic. fee. ZoneAlarm is free
for _personal_ use only.

One reason I did not like Sygate was, if you enabled application
protection then 1 month later installed hotfixes from MS that updated
a system file, after your machine rebooted, then Sygate would block
(eg:kernel32.dll) as an "untrusted app". You can re-scan your system
files after installing the patch, but when you have an automated
patching solution, this can sometimes be hard. Booting in safe mode
and disabling Sygate was the resolution for that issue.

On second thought, I would advise against running application
protection (in its current form) on any software firewall. The
technology is just not mature enough for production environments (or
wasnt 4 months ago, that could (should ;-) have changed by now.

-JP
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault