Author Topic: Made the switch to Nod32. Any firewall suggestions  (Read 1113 times)

Offline Vulcan

  • Plutonium Member
  • *******
  • Posts: 9837
Made the switch to Nod32. Any firewall suggestions
« Reply #30 on: April 16, 2007, 04:58:52 AM »
Quote
Originally posted by 715
Note: That web page tests for outgoing leaks only, i.e. you already have a Trojan or other nastyware on your machine and it is attempting to surreptitiously connect to the internet.  It wasn't reviewing protection against incoming bad things.


Windows firewall does nothing to protect you against incoming threats over and above what most AV software will do (i.e. buffer overflows).

Offline Vulcan

  • Plutonium Member
  • *******
  • Posts: 9837
Made the switch to Nod32. Any firewall suggestions
« Reply #31 on: April 16, 2007, 05:06:07 AM »
Quote
Originally posted by MrRiplEy[H]
So then with all probability 80% of also your apps have called home - and are calling home with no knowledge from you. It might be as simple as automatic registration or update search, I don't want any of that happening without my approval.


Err, no, you do not get it, do you? First I turn off auto-updates as a matter of habit with all apps. Second I can produce at any moment a complete rundown of my PC activities, for example my gaming rig's web activities this month:

VULCAN 53 1.133
10/10 records are shown as detailed information  
    Site Hits MBytes Category
    http://www.codepuppet.co... 14 0.952 N/A
    CSC3-2004-crl.ver... 1 0.056 N/A
    kaykahosting.com 12 0.047 N/A
    abuse.teamspeak.o... 5 0.029 N/A
    webpost.teamspeak... 4 0.023 N/A
    oka.wwiiol.net 4 0.011 N/A
    http://www.teamspeak.org 5 0.006 N/A
    kaitak.coop.4play... 5 0.006 N/A
    visit1.geo.vip.sc... 2 0.002 N/A
    crl.verisign.com 1 0.002 N/
 
Tunneling? Tunneling is blocked and appears in my filtering reports. As are proxies :)

Offline MrRiplEy[H]

  • Persona Non Grata
  • Plutonium Member
  • *******
  • Posts: 11633
Made the switch to Nod32. Any firewall suggestions
« Reply #32 on: April 16, 2007, 08:21:50 AM »
Quote
Originally posted by Vulcan
Err, no, you do not get it, do you? First I turn off auto-updates as a matter of habit with all apps. Second I can produce at any moment a complete rundown of my PC activities, for example my gaming rig's web activities this month:

VULCAN 53 1.133
10/10 records are shown as detailed information  
    Site Hits MBytes Category
    http://www.codepuppet.co... 14 0.952 N/A
    CSC3-2004-crl.ver... 1 0.056 N/A
    kaykahosting.com 12 0.047 N/A
    abuse.teamspeak.o... 5 0.029 N/A
    webpost.teamspeak... 4 0.023 N/A
    oka.wwiiol.net 4 0.011 N/A
    http://www.teamspeak.org 5 0.006 N/A
    kaitak.coop.4play... 5 0.006 N/A
    visit1.geo.vip.sc... 2 0.002 N/A
    crl.verisign.com 1 0.002 N/
 
Tunneling? Tunneling is blocked and appears in my filtering reports. As are proxies :)


Yep, but that won't do diddly about a trojan downloader that sneaks into your box, for one example. So instead of 1 you need to get rid of 20 bugs. :)
Definiteness of purpose is the starting point of all achievement. –W. Clement Stone

Offline Vulcan

  • Plutonium Member
  • *******
  • Posts: 9837
Made the switch to Nod32. Any firewall suggestions
« Reply #33 on: April 16, 2007, 02:35:00 PM »
Quote
Originally posted by MrRiplEy[H]
Yep, but that won't do diddly about a trojan downloader that sneaks into your box, for one example. So instead of 1 you need to get rid of 20 bugs. :)


Oh really?

Well....

Top Spyware Categories for  January 17, 2007 - April 17, 2007    
No Data Available
 
As you can see it does edge spyware detection and blocking (it also detects and blocks spyware phoning home). I can get a report from a box that protects a 500-user network that has quite a few spyware hits :)

Maybe you should look here:  http://www.sonicwall.com/us/4232.htm

Offline MrRiplEy[H]

  • Persona Non Grata
  • Plutonium Member
  • *******
  • Posts: 11633
Made the switch to Nod32. Any firewall suggestions
« Reply #34 on: April 16, 2007, 03:06:05 PM »
Quote
Originally posted by Vulcan
Oh really?

Well....

Top Spyware Categories for  January 17, 2007 - April 17, 2007    
No Data Available
 
As you can see it does edge spyware detection and blocking (it also detects and blocks spyware phoning home). I can get a report from a box that protects a 500-user network that has quite a few spyware hits :)

Maybe you should look here:  http://www.sonicwall.com/us/4232.htm


Hmm.. trojan downloader is hardly spyware.

Offline Vulcan

  • Plutonium Member
  • *******
  • Posts: 9837
Made the switch to Nod32. Any firewall suggestions
« Reply #35 on: April 16, 2007, 04:04:54 PM »
The Trojan downloader would be blocked too. Here's one of my clients' logs; it does viruses as well (I've removed the juicy details):

Top Spyware Categories for  1 March 2007 - 17 April 2007  
       Category Attempts % of Attempts
 
 1    SearchSquire 38 52.1%
 2    Bundled-Software 28 38.4%
 3    Comet-Cursor 3 4.1%
 4    CoolWebSearch 2 2.7%
 5    About-Blank 2 2.7%
      Total 73 100.0%


Top Virus Attacks for  1 March 2007 - 17 April 2007    
        Virus Attempts % of Attempts
 1    Netsky.P#fsg (Worm) 731 64.6%
 2    Netsky.P.2 (Worm) 134 11.8%
 3    Netsky.d (Worm) 77 6.8%
 4    Suspicious.2#upack (Worm) 39 3.4%
 5    Password-protected ZIP file 34 3.0%
 6    Netsky.b (Worm) 27 2.4%
 7    Suspicious#mew (Worm) 16 1.4%
 8    Netsky.Z (Worm) 12 1.1%
 9    Pay-16 (HTML.Phishing) 11 1.0%
 10    Suspicious.4#upack (Worm) 7 0.6%
 11    W32.Blackmal.E@mm_1 (Worm) 7 0.6%
 12    Netsky.Q (Worm) 7 0.6%
 13    Netsky.Z@m (Worm) 5 0.4%
 14    Suspicious#nspack (Worm) 5 0.4%
 15    Suspicious#petite (Worm) 5 0.4%
 16    Mytob.AF@mm (Worm) 4 0.4%
 17    Sality.Q-1 (W32) 3 0.3%
 18    SubSeven.215 (Trojan) 3 0.3%
 19    Mydoom.AD (Worm) 2 0.2%
 20    Mydoom.M#upx (Worm) 2 0.2%
 
      Total 1131 100.0%
 
Top Intrusions for  1 March 2007 - 17 April 2007    

     
        Category Intrusions % of Intrusions
 
 1    IM 4875 34.0%
 2    WEB-IIS 3674 25.7%
 3    MISC 2366 16.5%
 4    WEB-FRONTPAGE 1349 9.4%
 5    MULTIMEDIA 1033 7.2%
 6    WEB-MISC 300 2.1%
 7    PROXY-ACCESS 234 1.6%
 8    P2P 134 0.9%
 9    EXPLOIT 99 0.7%
 10    WEB-CLIENT 84 0.6%
 11    DNS 71 0.5%
 12    TELNET 35 0.2%
 13    WEB-ATTACKS 18 0.1%
 14    WEB-CGI 14 0.1%
 16    VIRUS 8 0.1%
 17    WEB-PHP 7 0.0%
 18    DOS 5 0.0%
 19    NETBIOS 2 0.0%
 20    MS-SQL 1 0.0%
 
      Total 14319 100.0%

Offline DREDIOCK

  • Plutonium Member
  • *******
  • Posts: 17773
Made the switch to Nod32. Any firewall suggestions
« Reply #36 on: April 17, 2007, 04:07:14 PM »
So this isn't a software solution, this is a hardware solution?

BTW they lost any hope of me with this statement

"SonicWALL® Enforced Client Anti-Virus and Anti-Spyware provides comprehensive gateway-enforced virus and spyware protection for desktops and laptops using a single integrated client. Developed in partnership with McAfee®, "

LOL I just got rid of Mcafee.
Rather not go back
Death is no easy answer
For those who wish to know
Ask those who have been before you
What fate the future holds
It ain't pretty

Offline Vulcan

  • Plutonium Member
  • *******
  • Posts: 9837
Made the switch to Nod32. Any firewall suggestions
« Reply #37 on: April 17, 2007, 05:26:32 PM »
Quote
Originally posted by DREDIOCK
So this isn't a software solution, this is a hardware solution?

BTW they lost any hope of me with this statement

"SonicWALL® Enforced Client Anti-Virus and Anti-Spyware provides comprehensive gateway-enforced virus and spyware protection for desktops and laptops using a single integrated client. Developed in partnership with McAfee®, "

LOL I just got rid of Mcafee.
Rather not go back


Correct. Hardware, not software.

BTW the enforced AV is a different, optional component. And yes, it is the crappy .NET McAfee version. The gateway AV is SonicWALL's own.

The security service layers are:
 - SPI Firewall
 - Layer 7 Intrusion Prevention (detects worms, attacks, IM, P2P etc)
 - Layer 7 Antivirus (proprietary in-the-wild AV set)
 - Layer 7 Antispyware (with inbound and outbound phone home detection)
 - content filtering.
 - AV Enforcement (using the above McAfee). It checks whether a client PC has up-to-date AV before letting it go to the net. I don't use this because the .NET client sucks donkey balls.

Offline MrRiplEy[H]

  • Persona Non Grata
  • Plutonium Member
  • *******
  • Posts: 11633
Made the switch to Nod32. Any firewall suggestions
« Reply #38 on: April 17, 2007, 06:06:04 PM »
Well Vulcan, what about applications pretending to have legal traffic? Without DLL injection monitoring and parent application leak detection your hardware firewall will think Skype is calling somewhere when in reality it's the worm loading data.

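Added illustration, not code from any post in this thread: the two host-side checks named in the post above (loaded-module / DLL injection monitoring and parent-process checks) together with an image hash, compared with a rule keyed on the file name alone. A packet-level gateway sees only the 5-tuple, so every event below looks the same to it. All paths, hashes, module lists and rules are constructed for the example.

```python
"""Host firewall "application control" decisions for one outbound connection.
Everything here (paths, hashes, modules, rules) is constructed, not captured."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectEvent:
    image_path: str     # executable that owns the socket
    image_sha256: str   # hash of that executable on disk
    parent_image: str   # process that launched it
    modules: tuple      # DLLs mapped into the process at connect time
    dst: str
    dport: int


def fake_hash(label: str) -> str:
    """Stand-in for hashing the binary on disk; input is a constructed label."""
    return hashlib.sha256(label.encode()).hexdigest()


EXPLORER = r"C:\Windows\explorer.exe"
SKYPE_PATH = r"C:\Program Files\Skype\skype.exe"
SKYPE_HASH = fake_hash("genuine skype.exe")
SKYPE_MODULES = ("skype.exe", "ntdll.dll", "kernel32.dll", "ws2_32.dll")

# One application rule: exactly this binary, started by explorer.exe, with only
# its known modules loaded, may open TCP/443 to anywhere.
APP_RULES = [
    {"sha256": SKYPE_HASH, "parent": EXPLORER,
     "modules": frozenset(SKYPE_MODULES), "dport": 443},
]


def decide_by_name(ev: ConnectEvent) -> str:
    """Naive per-application rule keyed on the file name only."""
    if ev.image_path.lower().endswith("\\skype.exe") and ev.dport == 443:
        return "allow"
    return "prompt"


def decide_by_identity(ev: ConnectEvent) -> str:
    """Rule keyed on image hash, parent process and loaded modules."""
    for rule in APP_RULES:
        if ev.dport != rule["dport"] or ev.image_sha256 != rule["sha256"]:
            continue
        if ev.parent_image != rule["parent"]:
            return "prompt: unexpected parent " + ev.parent_image
        extra = {m.lower() for m in ev.modules} - rule["modules"]
        if extra:
            return "prompt: unknown module(s) " + ",".join(sorted(extra))
        return "allow"
    return "prompt: no rule for this image"


def gateway_view(ev: ConnectEvent) -> tuple:
    """Everything a packet-filtering gateway learns about the connection."""
    return (ev.dst, ev.dport)


# Constructed events, all to the same destination and port.
DST = "203.0.113.10"
EVENTS = {
    "genuine": ConnectEvent(SKYPE_PATH, SKYPE_HASH, EXPLORER, SKYPE_MODULES, DST, 443),
    # A downloader dropped a binary named skype.exe: name matches, hash does not.
    "renamed": ConnectEvent(r"C:\Users\u\AppData\Local\Temp\skype.exe",
                            fake_hash("downloader payload"), EXPLORER,
                            ("skype.exe",), DST, 443),
    # The real Skype, but launched by an untrusted parent (parent-application leak).
    "launched_by_dropper": ConnectEvent(SKYPE_PATH, SKYPE_HASH,
                                        r"C:\Users\u\AppData\Local\Temp\setup.exe",
                                        SKYPE_MODULES, DST, 443),
    # The real Skype with an extra DLL mapped into it (injection).
    "injected": ConnectEvent(SKYPE_PATH, SKYPE_HASH, EXPLORER,
                             SKYPE_MODULES + ("payload.dll",), DST, 443),
}


def evaluate() -> dict:
    """Name-based verdict, identity-based verdict and gateway view per event."""
    return {name: (decide_by_name(ev), decide_by_identity(ev), gateway_view(ev))
            for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(name, result)
```

The name-only rule allows all four events; the identity rule allows only the genuine one and says why it prompts for each of the others, while the gateway view is the same tuple for all four.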
Offline Edbert

  • Gold Member
  • *****
  • Posts: 2220
      • http://www.edbert.net
Made the switch to Nod32. Any firewall suggestions
« Reply #39 on: April 18, 2007, 10:45:20 PM »
For anti-malware apps I've sort of decided on "Prevx1". I ran scans with about 6 top spyware scanners (all updated). Prevx1 was the only one which did not claim the test drive to be clean only to have one of the others find malware that was missed. When it said it was clean I found nothing, not so the other tools, although some were better (more aggressive) than others. It does antivirus too but they're easy compared to the more general category of stuff-you-don't-want.

For firewall I believe it should be hardware, and stateful. Perfect price/performance/reliability/security quotient for SOHO use would be the PIX506E, that's what I use. I've run software firewalls and prefer ZoneAlarm for that but am dubious about a SW firewall running on the box it is supposed to protect. Generally speaking I leave the SW firewalls off unless I am suspecting or troubleshooting something.

Offline MrRiplEy[H]

  • Persona Non Grata
  • Plutonium Member
  • *******
  • Posts: 11633
Made the switch to Nod32. Any firewall suggestions
« Reply #40 on: April 18, 2007, 11:13:39 PM »
Quote
Originally posted by Edbert
For anti-malware apps I've sort of decided on "Prevx1". I ran scans with about 6 top spyware scanners (all updated). Prevx1 was the only one which did not claim the test drive to be clean only to have one of the others find malware that was missed. When it said it was clean I found nothing, not so the other tools, although some were better (more aggressive) than others. It does antivirus too but they're easy compared to the more general category of stuff-you-don't-want.

For firewall I believe it should be hardware, and stateful. Perfect price/performance/reliability/security quotient for SOHO use would be the PIX506E, that's what I use. I've run software firewalls and prefer ZoneAlarm for that but am dubious about a SW firewall running on the box it is supposed to protect. Generally speaking I leave the SW firewalls off unless I am suspecting or troubleshooting something.


Crappy solutions like ZoneAlarm Free are probably the reason why people think software firewalls are more of a nuisance. I thought so too when all I knew was ZA Free.

Offline Vulcan

  • Plutonium Member
  • *******
  • Posts: 9837
Made the switch to Nod32. Any firewall suggestions
« Reply #41 on: April 19, 2007, 06:29:06 AM »
Quote
Originally posted by MrRiplEy[H]
Well Vulcan, what about applications pretending to have legal traffic? Without DLL injection monitoring and parent application leak detection your hardware firewall will think Skype is calling somewhere when in reality it's the worm loading data.


Ohhh, you mean looking at Layer 7 traffic for application-specific exploits, like say Instant Messaging traffic:
:p

P.S. my McAfee AV would detect DLL injections anyway.
« Last Edit: April 19, 2007, 06:31:55 AM by Vulcan »

Offline MrRiplEy[H]

  • Persona Non Grata
  • Plutonium Member
  • *******
  • Posts: 11633
Made the switch to Nod32. Any firewall suggestions
« Reply #42 on: April 19, 2007, 06:39:44 AM »
How does your SonicWALL differentiate illegal traffic from legal if they use the same ports, specifically designed to fool firewalls?

I'm 100% sure your box will leak like a rusty bucket if tested. Try running a few of the exploits from the anti-firewall site and see what happens.

If they can't connect through the sonicwall, then I take my words back.

It also seems the content monitoring is limited to a certain list of applications known to the manufacturer. Which represents maybe 0.1% of the total amount of possible traffic.
« Last Edit: April 19, 2007, 06:46:37 AM by MrRiplEy[H] »

Offline Vulcan

  • Plutonium Member
  • *******
  • Posts: 9837
Made the switch to Nod32. Any firewall suggestions
« Reply #43 on: April 19, 2007, 04:49:11 PM »
Quote
Originally posted by MrRiplEy[H]
How does your SonicWALL differentiate illegal traffic from legal if they use the same ports, specifically designed to fool firewalls?

I'm 100% sure your box will leak like a rusty bucket if tested. Try running a few of the exploits from the anti-firewall site and see what happens.

If they can't connect through the sonicwall, then I take my words back.

It also seems the content monitoring is limited to a certain list of applications known to the manufacturer. Which represents maybe 0.1% of the total amount of possible traffic.


It is not port based. It is Layer 7 based. Do you know what Layer 7 is? There are roughly 5000 heuristic signatures in the IPS database. The database automatically checks for signature updates.

This is separate from the Antispyware and Antivirus signature databases.
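
Added example, not code from this thread or from any SonicWALL product: a toy Layer 7 classifier in the sense Vulcan describes above, identifying the protocol from the first bytes of the payload rather than the destination port, then comparing the two. It also shows the limit MrRiplEy raises, a payload with no matching signature is simply "unknown". The signatures, port table and packets are constructed for illustration; a real IPS database is far larger.

```python
"""Content-based (Layer 7) protocol identification versus port-based assumptions.
Signatures, port table and packets are constructed for the example."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    dst: str
    dport: int
    payload: bytes   # first bytes of the client's stream


# Content signatures applied to the first 64 bytes of the stream.
SIGNATURES = [
    ("http-request", re.compile(rb"^(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n")),
    # TLS record type 22 (handshake), version 3.x, 2-byte length, handshake type 1
    ("tls-client-hello", re.compile(rb"^\x16\x03[\x00-\x03]..\x01", re.DOTALL)),
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    ("msn-messenger", re.compile(rb"^VER \d+ MSNP\d+")),   # MSNP version negotiation
    ("irc", re.compile(rb"^(NICK|USER|JOIN) ")),
]

# What a port-based rule assumes is running on each port.
PORT_EXPECTATION = {22: "ssh", 80: "http-request", 443: "tls-client-hello",
                    1863: "msn-messenger", 6667: "irc"}


def classify(p: Packet) -> str:
    """Layer 7 identification: first signature that matches the payload."""
    head = p.payload[:64]
    for name, rx in SIGNATURES:
        if rx.search(head):
            return name
    return "unknown"


def verdict(p: Packet) -> tuple:
    """(application, flag): the flag says how the content relates to the port."""
    app = classify(p)
    expected = PORT_EXPECTATION.get(p.dport)
    if app == "unknown":
        return (app, "no-signature")        # encrypted, or not in the database
    if expected is None:
        return (app, "nonstandard-port")
    if app != expected:
        return (app, "port-mismatch")       # e.g. an IM client tunnelled over 80
    return (app, "ok")


def report(packets) -> Counter:
    """Counts per (application, flag), like a per-category IPS summary."""
    return Counter(verdict(p) for p in packets)


# Constructed packets.
SAMPLES = [
    Packet("198.51.100.5", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("198.51.100.6", 80, b"VER 1 MSNP12 CVR0\r\n"),                 # IM client on port 80
    Packet("198.51.100.7", 8080, b"POST /api HTTP/1.0\r\nContent-Length: 0\r\n\r\n"),
    Packet("198.51.100.8", 443, b"\x16\x03\x01\x00\x31\x01\x00\x00\x2d\x03\x03" + b"\x00" * 32),
    Packet("198.51.100.9", 443, bytes.fromhex("00112233445566778899aabbccddeeff")),  # custom beacon
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p.dport, verdict(p))
    print(report(SAMPLES))
```

The IM handshake on port 80 is flagged as a port mismatch because the signature, not the port, decides what it is; the custom beacon on 443 gets no verdict at all, which is exactly the gap a signature list leaves.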

Offline Edbert

  • Gold Member
  • *****
  • Posts: 2220
      • http://www.edbert.net
Made the switch to Nod32. Any firewall suggestions
« Reply #44 on: April 19, 2007, 05:05:26 PM »
It's not able to read encrypted layer 7 info.

On one hand it would be cool to intercept and read some SSH, 3DES, or even SSL traffic, but then there's the reason for encrypted data anyhow.
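
Added example, not from any post in this thread: what an inline inspection device can actually read from a TLS connection without a decrypting proxy, which is Edbert's point above. The ClientHello is built by a helper here (constructed, not captured) so the parser has input; the host name is an assumption. The only application-layer field recoverable from the wire is the unencrypted server_name (SNI) extension; an application_data record gives a signature engine nothing to match, while the same request in clear text matches immediately.

```python
"""What a network device sees of TLS without the session key.
Records are constructed here; the host name and request are assumptions."""
import hashlib
import re
import struct

HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n")


def build_client_hello(host: str) -> bytes:
    """Minimal TLS 1.2 ClientHello record carrying one SNI extension."""
    name = host.encode("ascii")
    server_name_list = struct.pack("!BH", 0, len(name)) + name          # host_name entry
    ext_data = struct.pack("!H", len(server_name_list)) + server_name_list
    sni_ext = struct.pack("!HH", 0, len(ext_data)) + ext_data           # type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32      # client_version, random (fixed for the example)
            + b"\x00"                       # session_id: empty
            + b"\x00\x02\x00\x2f"           # one cipher suite
            + b"\x01\x00"                   # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def build_application_data(ciphertext: bytes) -> bytes:
    """TLS application_data record; the payload is opaque on the wire."""
    return b"\x17\x03\x03" + struct.pack("!H", len(ciphertext)) + ciphertext


def extract_sni(handshake: bytes):
    """Walk a ClientHello and return the first host_name in its SNI extension."""
    pos = 4 + 2 + 32                                                  # header, version, random
    pos += 1 + handshake[pos]                                         # session_id
    pos += 2 + struct.unpack("!H", handshake[pos:pos + 2])[0]         # cipher_suites
    pos += 1 + handshake[pos]                                         # compression_methods
    if pos + 2 > len(handshake):
        return None                                                   # no extensions block
    end = pos + 2 + struct.unpack("!H", handshake[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", handshake[pos:pos + 4])
        pos += 4
        if etype == 0:
            q = pos + 2                                               # skip ServerNameList length
            while q + 3 <= pos + elen:
                ntype, nlen = struct.unpack("!BH", handshake[q:q + 3])
                q += 3
                if ntype == 0:
                    return handshake[q:q + nlen].decode("ascii", "replace")
                q += nlen
        pos += elen
    return None


def inspect(record: bytes) -> tuple:
    """(kind, sni, plaintext_signature) as seen by a device without the session key."""
    if record[:1] not in (b"\x14", b"\x15", b"\x16", b"\x17"):
        # Not TLS at all: clear text the signature engine can read directly.
        hit = "http-request" if HTTP_REQUEST.search(record[:64]) else None
        return ("plaintext", None, hit)
    ctype, length = record[0], struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + length]
    if ctype == 0x16 and body[:1] == b"\x01":
        return ("client_hello", extract_sni(body), None)              # SNI is the only L7 field
    if ctype == 0x17:
        return ("application_data", None, None)                       # ciphertext: nothing to match
    return ("other_tls", None, None)


# Constructed records: a handshake, the encrypted request, and the same request in clear.
REQUEST = b"GET /login HTTP/1.1\r\nHost: login.example.net\r\n\r\n"
CLIENT_HELLO = build_client_hello("login.example.net")
ENCRYPTED = build_application_data(hashlib.sha256(REQUEST).digest())  # stand-in for ciphertext
SAMPLES = [CLIENT_HELLO, ENCRYPTED, REQUEST]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(inspect(rec))
```

The SNI (and the visible cipher-suite list, which the parser skips over) is metadata the device can police; the request itself is only inspectable when it is not encrypted, which is why a gateway that wants to apply Layer 7 signatures to SSL sessions has to terminate them.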