Windows Software for Controlling Outgoing Packets?

non carborundum asks: "When using Windows I use Zonealarm because I like its ability to control outgoing packets. It's a good way to find out if some program is trying to call home. Zonealarm is much better than nothing, but I prefer open source solutions. Besides, it is overkill - I don't use it as a firewall, since I have a router, and it uses several megabytes of RAM. Better still would be a reverse honeypot - an app that catches outgoing requests, tests them against a database of known offending addresses and/or ports, and (optionally) tricks the offending application into thinking it has successfully phoned home. XP users in particular might be interested in such a tool."
  • by Conspiracy FACT ( 590760 ) on Monday December 02, 2002 @06:10AM (#4792043)
    TPF is great packet sniffing software. It allows you to determine which apps are allowed to receive incoming TCP connections, or make outgoing TCP connections, or receive incoming UDP connections... and which ones aren't. It also allows you to stop Net BIOS name resolution as well as other neat stuff. It gives you much more control than Zone Alarm does. Really a great piece of software.

    TPF used to be freeware. You can pick up the shareware version here [tinysoftware.com]. You can still find the old freeware version (which I use) here [tucows.com].

    For the record, I use both Zone Alarm and Tiny Personal Firewall.
    • TPF used to be freeware.

      And under the name Kerio Personal Firewall (apparently the company split, or somesuch), it still is:

      "Available FREE for home use. Business and institutional customers are encouraged to download this software for evaluation purposes."

      As the OP said, it's quite good, doesn't leak memory as ZoneAlarm does (or did), and can be configured to the granularity of application, port, service, direction, and time.

      It also can be configured to ask about connections not covered by its rule set, and to create new rules based on the answer.

      Get it here [kerio.com]

    • i've also seen that this firewall is absent on the lists of firewalls and such that are disabled by some virii, of which none can i name. but it made me feel a little secure anyway. and props to truth is marketing for them
    • I use TPF, and have installed it as one of the first things whenever I needed to install Windows. I'd tried ZoneAlarm and BlackICE Defender, but TPF definitely gets my vote.
    • Better still would be a reverse honeypot - an app that catches outgoing requests, tests them against a database of known offending addresses and/or ports, and (optionally) tricks the offending application into thinking it has successfully phoned home.

      For something like this you need not a firewall but an IDS, an Intrusion Detection System, with correct signatures of traffic you want to detect. I would suggest Snort [snort.org] (there's an MS Windows port [datanerds.net]), a great free software IDS released under the GPL 2+ [snort.org]. It won't change the traffic, but it will detect it (you have to use signatures matching traffic patterns of known spyware or even something very general, but disable Web attack rules and others which you don't need to look for).

      To fool the application you would need not only some firewall/router rules to redirect the traffic somewhere else, like to your own machine, but you would also need this machine to speak the right protocol, which may be much harder than useful, or even impossible without altering the spyware binaries. I would personally rather not use spyware at all instead of mounting such attacks against their communication. If I wanted to write spyware, I'd use valid HTTP on port 80 to call home, which wouldn't differ from normal WWW traffic, or ICMP ECHO_REQUEST/ECHO_RESPONSE, etc. The problem is that if you have any network connection at all, the covert channels will always be possible.

      But if you really want to try intercepting and altering the spyware traffic, which may be fun after all, you may want to take a look at such tools as ngrep, tcpdump, netsed, netcat, etc. If you want to look for open ports on your machine, use nmap. Use Nessus if you want to test for many different vulnerabilities [nessus.org].
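A worked version of the "reverse honeypot" the question asks for, put together from the reply above: the firewall decides per connection attempt, blocked phone-homes are redirected to a listener you control, and that listener can only fool software that is satisfied by any HTTP 200 (anything speaking a real protocol will not be). It also includes the per-application hash pinning that Kerio is credited with elsewhere in this thread. This is an added example, not code from the thread or from any of the products named; the blocklist ranges, the `Rule` fields, the fake executable bytes and the captured request are all constructed for illustration.

```python
"""Toy 'reverse honeypot' for outbound connections (added example, not from the thread).

decide()        - the outbound policy check a personal firewall makes per attempt:
                  destination blocklist first, then per-application rules that are
                  pinned to the binary's hash so a swapped binary cannot inherit an allow.
sinkhole_http() - the reply a sinkhole listener sends once a blocked phone-home has
                  been redirected to it: a minimal 200 OK.
"""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed blocklist for illustration; a real one would come from a maintained feed.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
BLOCKED_PORTS = {31337}


@dataclass(frozen=True)
class Rule:
    app: str                 # image path the rule applies to
    sha256: str              # hash of the binary when the rule was created
    dst_port: Optional[int]  # None means any destination port
    action: str              # "allow" or "block"


def image_hash(image_bytes: bytes) -> str:
    """Hash of the executable image; the firewall stores this alongside each rule."""
    return hashlib.sha256(image_bytes).hexdigest()


def decide(rules, app: str, image_bytes: bytes, dst_ip: str, dst_port: int):
    """Return (verdict, reason); verdict is 'sinkhole', 'allow', 'block' or 'ask'
    ('ask' is the prompt ZoneAlarm/Kerio show when no rule decides)."""
    ip = ipaddress.ip_address(dst_ip)
    if dst_port in BLOCKED_PORTS or any(ip in net for net in BLOCKED_NETS):
        return "sinkhole", f"{dst_ip}:{dst_port} is on the blocklist"
    current = image_hash(image_bytes)
    for rule in rules:
        if rule.app != app:
            continue
        if rule.sha256 != current:
            # The binary behind an existing rule changed: the old verdict is void.
            return "ask", f"{app} has changed since its rule was created"
        if rule.dst_port is None or rule.dst_port == dst_port:
            return rule.action, "matched rule"
    return "ask", f"no rule for {app}"


def parse_phone_home(request: bytes) -> dict:
    """Pull the parts worth logging out of a captured HTTP phone-home request."""
    head = request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("not an HTTP request line")
    info = {"method": parts[0].decode(), "target": parts[1].decode(), "host": ""}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            info["host"] = value.strip().decode()
    return info


def sinkhole_http(request: bytes) -> bytes:
    """Reply the sinkhole sends so the caller believes its report went through."""
    try:
        parse_phone_home(request)
    except ValueError:
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
    body = b"OK\n"
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
            b"Content-Length: %d\r\nConnection: close\r\n\r\n" % len(body)) + body


if __name__ == "__main__":
    # Constructed stand-ins for an executable image and for a captured request.
    fake_exe = b"MZ...winamp.exe bytes..."
    app = "C:\\Program Files\\Winamp\\winamp.exe"
    rules = [Rule(app, image_hash(fake_exe), None, "block")]
    print(decide(rules, app, fake_exe, "203.0.113.9", 80))            # block: rule matches
    print(decide(rules, app, fake_exe + b"\x90", "203.0.113.9", 80))  # ask: binary changed
    print(decide(rules, app, fake_exe, "192.0.2.5", 80))              # sinkhole: blocklisted net
    req = b"GET /report?id=1 HTTP/1.1\r\nHost: stats.example.invalid\r\n\r\n"
    print(parse_phone_home(req))
    print(sinkhole_http(req))
```

The blocklist is consulted before the application rules on purpose: a rule that allows a browser out on port 80 must not also let it reach a known collection host. The hash check is what stops a spyware installer from simply overwriting an already-allowed binary.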

  • by synq ( 55040 ) on Monday December 02, 2002 @06:13AM (#4792061) Homepage
    I used to use e-safe and I've also used ZoneAlarm but with both these packages I experienced huge system instability over some time. The same goes for Cisco VPN software. It seems to me that anything you do to the Microsoft TCP stack makes it more unstable. Guess that stack is 'part of the system that cannot be replaced' as of Windows XP?
    • by borgboy ( 218060 ) on Monday December 02, 2002 @08:44AM (#4792504)
      I have several products like than installed on my WinXP .554.lin machine and I ha43n34 noticed any degradatiosafdjhbsf of my TCP/IP stack. So ,8-9,-09u off the FUD, eh? %
    • Can't say I share that experience. I've used ZA and the Cisco VPN client for several years and they've never been a source of instability on NT/2K, because I haven't had any instability.
    • by kawika ( 87069 ) on Monday December 02, 2002 @10:36AM (#4793078)
      Absolutely, you can render your system very unstable if you start using the firewall to block normal network messages. I've seen this quite often with novice users who install ZA and then block darned near everything going out of their PC. Then they're puzzled because their Internet connection doesn't work. "But thank goodness I stopped some hacker thing named 'svchost'..."

      If you don't know how to use power tools, then stop before you lose a finger.
    • Yes, I often noticed that closing long-running network apps would blue-screen 2000 when I was running ZA. ZL's web site says that this is a known issue that they can't correct, so it may very well be a bug in Windows (or a misdesign...).
      • > Yes, I often noticed that closing long-running network apps would blue-screen 2000 when I was running ZA. ZL's web site says that this is a known issue that they can't correct, so it may very well
        > be a bug in Windows (or a misdesign...).

        It could very well be a bug or misdesign in ZA, and it's easier for them to blame it on Microsoft?
        Come on .. Win9x sucked ass, MS Corp policy sucks too ... but some of the brightest people work on WinNT+
  • Flame Bait (Score:3, Insightful)

    by Jouni ( 178730 ) on Monday December 02, 2002 @06:22AM (#4792088)
    I think the original news post should be modded down as flamebait for the XP reference. It's quite unnecessary. It would have been a better post if there was an *actual* stated need for such a software instead of speculating about cheating on security/authenticity callbacks.

    Just packet filtering won't trivially allow you to fake conversations between client software and servers anyway; it's very likely that the application wants to do much more than 'ping' the server so each solution would have to be custom made. Filtering is easy, talking back is hard.

    Most of these custom solutions would probably involve stuff like hacking EverQuest, running your own unofficial Blizzard game servers, blocking Carnivore and stopping Bill from snooping around on your hard drive.

    Now here's a controversial solution - if you are concerned about callback features, why not stick with open source software and operating systems in the first place? :-) I don't mean formatting your hard drive, as your packet filtering doesn't have to happen on the host machine. Wouldn't most people run this kind of software on the router, anyway?

    That's what people hacking EverQuest usually do, anyway. :-)

    Jouni

    • Re:Flame Bait (Score:3, Insightful)

      by Da VinMan ( 7669 )
      It would have been a better post if there was an *actual* stated need for such a software instead of speculating about cheating on security/authentity callbacks.

      Perhaps you haven't had your morning coffee.

      One word for you: Spyware. Spyware is any piece of software that attempts to "phone home" without my permission. By my definition spyware includes, but is not limited to, Windows XP (for several reasons - it's the worst offender), WinAmp, Kazaa and other P2P applications, etc. Besides this, it helps me the user know just what applications are accessing the network at a given time. If I cannot determine why they're accessing the network, I smack 'em down.

      In the future, outbound traffic control will be even more important to users. As far as a real firewall goes, I use an IPCop box in front of my (very small) home LAN. If you don't think that's a real firewall, I'd love to know your recommendations for home users.

      Now, go get that coffee. ;+)
      • If spyware is your problem, a firewall is simply a bandaid over the fact that STUPID USERS INSTALLED THE CRAP.
        • First off, you're an idiot. I mean that from the bottom of my heart. Anyone who bites the hand that feeds them by categorically referring to their users as stupid is, unquestionably, an idiot. Maybe you'll know better in the future after getting canned by a "stupid user". Good luck...

          Secondly, it is a bandaid. Sometimes I'm just trying something out. Since I can't trust every piece of software without having tried it first, the personal firewall lets me know when something's up. I don't have to run the firewall all the time, only when I'm trying out something new that I don't trust yet.
    • Nah, real EQ hackers use a passive pc on a hub, and the network plug connected to the pc doesn't contain the wires for sending stuff ;)
  • by Lawrence Ho ( 111834 ) on Monday December 02, 2002 @06:48AM (#4792185)

    Kerio Personal Firewall [kerio.com]

    It's simple and gets the job done. Rules can be set to allow or block incoming and outgoing TCP/UDP traffic. It verifies the MD5 of the applications. Also eats several megabytes of RAM though...

  • Router? (Score:3, Funny)

    by OrangeSpyderMan ( 589635 ) on Monday December 02, 2002 @06:55AM (#4792203)
    I don't use it as a firewall, since I have a router

    As in "I just use the scroll wheel, I don't use my mouse as a mouse because I have a keyboard?" :-)
    • Re:Router? (Score:4, Interesting)

      by Asprin ( 545477 ) <gsarnoldNO@SPAMyahoo.com> on Monday December 02, 2002 @09:43AM (#4792767) Homepage Journal

      In all due fairness (and with an extra heaping helping of nitpick on the side), none of the products (ZA, BlackIce, TPF, firmware *shudder* "routers") is a firewall. A firewall is an entirely different animal. Look, I have a "router" myself, and I love it - but it's not a router and it's not a firewall, it's a NAT device. It does NAT and proxies a few services if needed, but it doesn't do the same things routers and firewalls do. I know *why* we've started calling them routers, but that doesn't diminish the fact that the language is being lost here because LinkSys is not interested in explaining to Joe Homeuser what NAT is.

      Now, having said that, I would also point out that my gripe here is almost entirely with the verbiage. Most home users do not need an actual firewall; NAT + PacketFilter + Don't-blindly-click-OK-on-EULAs is quite sufficient.

      Ok, I got that off my chest -- bitch mode=off, and you can now all go back to trolling. :)

      • Actually, they're beginning to be called routers, because routers are now known as layer 3 switches. Having thus freed up a cool term like router it'd be a pity not to have any more use for it...
        • Re:Router? (Score:3, Informative)

          With one notable difference - a router routes and a switch only switches. :-)

          Seriously though, btw IANANG (Network Guy), a proper router will be capable of far more than a layer 3 switch will. A switch will only "see" what is directly connected to it, a router, once it does more than just route between a local network and "the rest of the world" is going to need a few clues not only about its own gateways, but also its gateway's gateways and so on.

          I once read somewhere on the net "90% of all network problems are routing problems. Of the 10 remaining, 9 are routing problems, in the other direction and the other 1% are not routing related, but check the routing just in case." Says it all, really! :-)
          • I think the notable difference is: "routers route and layer 3 switches are marketing bullshit". You suggest that layer 3 switches are basically dumb'ed down versions of real routers, but people selling the stuff want to sell them as full featured routers, only faster, plus layer 2 switching:
            In essence, aggregate performance is the primary difference between Layer 3 switches and traditional routers.
            taken from Cisco's page on the topic [cisco.com]. Which is a shame, because the term "routing" is left to mean "slow layer-3 switching".
      • Why is it that some people insist on saying that 'x' is not a firewall, but they can't clearly define what a firewall is without using marketing speak?

        IMHO, if it sits between network A and network B and does anything from scan for viruses to block ports, and the guy who put together the network wants to call it a firewall, then it is a firewall. Not necessarily a good firewall or a bad firewall, but it is a firewall.

        For a home user, a NAT device alone is a good firewall to block unexpected incoming connections. Personal Firewall software is a good firewall to block unexpected outgoing connections.

        For all but the tiniest of corporate offices, this would of course be a laughable solution.

      • Actually, my "router" is in fact a firewall. Stateful and all. Granted, I'll agree with you that most "routers" are not *really* firewalls. But as has been pointed out in another comment, NAT can act as an effective deny all incoming rule. Which is all most users really need anyways.

        And as for being a router, well, they DO route. They just don't route much :). On most of them you can even setup static routes for routing other private lan ranges or what not. In fact, the netgear routers even have RIP built in, which as far as I can tell, and I'm not really a network guy, is something only a router would care about.

        But OK, they do not by any means come close to a heavyweight router. Sure.

        • I feel that most xDSL/Cable routers should more appropriately be called Gateways since JoeBlow user has a stub network and has only 1 static route.. and that's to the internet, period; via the xDSL Adapter or Cable Device.... I hate it when people call xDSL Adapters Modems.. because they are not modems. They should also only be called NATDevices, if they are hosting an EXT IP and then trans over to an internet net of some class. My SDSL is an actual route device. I own IPs and route between two (real) networks. I also route VPN, etc packets everywhere else. To those who know, thank you.. I wish more people understood Networking... --but if they did, then we wouldn't have a job :-D
  • by phaze3000 ( 204500 ) on Monday December 02, 2002 @07:02AM (#4792223) Homepage
    http://www.samspade.org/d/firewalls.html I agree with pretty much everything the article says..
    • Uhm, no. I know a whole bunch of network security and abuse staff. The response to any complaint with ZoneAlarm, BlackIce etc logfiles in it is to close the ticket, usually with an annotation like 'GWF' (Goober with Firewall). 99% of those reports are frivolous, about normal network traffic.

      Some ill-informed network admins do produce a lot of such 'frivolous' reports.

      I'm not a network admin or specialist by job, but I do a lot of networking stuff. One day I got a mail CC'd to me saying that one of our networks was under attack. The alleged 'hacker' was able to go through their firewall and started scanning the rest of the boxes within.

      Though it was not directly my responsibility, I took this case seriously, but 7 seconds later I found out it was just a false alarm: the 'hacker' address in question was in fact a 169.254.x.x address, and the ports the 'hacker' was scanning were 137/139.

      169.254.x.x is the 'link local' [rfc-editor.org] block, and it could never get past the firewall from outside (no matter how lame the firewall is). Also, even a layman knows 137/139 are the NetBIOS ports used for Windows file sharing. Deeper in the log I found this 'hacker' attempted to access a DNS server owned by ASL. Then I immediately knew that this must have been an absent-minded ASL technician who came to perform technical support, carrying a laptop with a 169.254.x.x address, which attempted to re-establish Windows shares and its Internet connection when he powered it up.

      I told my boss about my findings, but I'm sure he'll ignore it. The report had already gone through 7 layers of management (forwarded 7 times, some of them network admins and specialists) and each layer vowed to take serious action. The topmost layer already held a meeting on further action for dealing with this 'most serious security hazard ever'.

      It's not really my position to tell them they are a bunch of morons.
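The two checks the commenter above made by hand (could this source address have come from the Internet at all, and are the ports ones a neighbouring Windows box hits on its own) are easy to automate over the kind of log that gets forwarded to abuse desks. The following is an added example, not code from the thread or from any of the firewalls named; the log format, the log lines, the port set and the scan threshold are constructed for illustration, and 203.0.113.0/24 is a documentation range standing in for an Internet source.

```python
"""Triage of personal-firewall 'attack' reports (added example, not from the thread).

Reads blocked-connection lines of a constructed "<date> <time> <action> <proto>
<src>:<sport> -> <dst>:<dport>" form, groups them per source address and asks whether
the source could even have been routed in from the Internet before it asks anything else.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a link-local laptop, an internal SMB client, and an external scan.
SAMPLE_LOG = """\
2002-12-02 09:14:03 BLOCK UDP 169.254.23.7:137 -> 169.254.255.255:137
2002-12-02 09:14:04 BLOCK TCP 169.254.23.7:1045 -> 10.0.0.5:139
2002-12-02 09:14:04 BLOCK UDP 169.254.23.7:1046 -> 10.0.0.2:53
2002-12-02 09:20:11 BLOCK TCP 10.0.0.77:3121 -> 10.0.0.5:445
2002-12-02 09:31:40 BLOCK TCP 203.0.113.44:50000 -> 10.0.0.5:21
2002-12-02 09:31:41 BLOCK TCP 203.0.113.44:50001 -> 10.0.0.5:22
2002-12-02 09:31:41 BLOCK TCP 203.0.113.44:50002 -> 10.0.0.5:23
2002-12-02 09:31:42 BLOCK TCP 203.0.113.44:50003 -> 10.0.0.5:80
2002-12-02 09:31:42 BLOCK TCP 203.0.113.44:50004 -> 10.0.0.5:443
2002-12-02 09:31:43 BLOCK TCP 203.0.113.44:50005 -> 10.0.0.5:3389
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# Explicit ranges rather than ipaddress.is_private, so the documentation range used as
# a stand-in for an external host is not classified as internal.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")   # never routed; same segment only
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NETBIOS_PORTS = {137, 138, 139, 445}  # Windows name service / file sharing noise
SCAN_THRESHOLD = 5                    # distinct destination ports before calling it a scan


def parse(log_text: str):
    """Parse log lines into dicts; unparseable lines are skipped, not treated as attacks."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
        events.append(d)
    return events


def classify_source(src: str, dports: set):
    """Return (severity, explanation) for everything one source address did."""
    ip = ipaddress.ip_address(src)
    if ip in LINK_LOCAL:
        return "false_positive", "link-local source: a host on the local segment, not the Internet"
    if any(ip in net for net in RFC1918):
        if dports <= NETBIOS_PORTS:
            return "false_positive", "internal host doing NetBIOS/SMB discovery"
        return "low", "internal host, non-NetBIOS traffic: check that machine, not the Internet"
    if len(dports) >= SCAN_THRESHOLD:
        return "high", f"external source probed {len(dports)} ports (likely scan)"
    return "medium", "external source, isolated blocked connection"


def triage(log_text: str) -> dict:
    """Group events per source and classify each source once."""
    ports_by_src = defaultdict(set)
    for e in parse(log_text):
        ports_by_src[e["src"]].add(e["dport"])
    return {src: classify_source(src, ports) for src, ports in ports_by_src.items()}


if __name__ == "__main__":
    for src, (severity, why) in triage(SAMPLE_LOG).items():
        print(f"{src:16} {severity:15} {why}")
```

Classifying per source rather than per line is what separates the scan from the rest: six single blocked connections look no worse than the laptop's NetBIOS chatter until they are grouped.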
  • Sygate (Score:2, Informative)

    by Apreche ( 239272 )
    It's not free, or open, but Sygate [sygate.com]'s professional firewall is awesome. Much better than ZoneAlarm. There is a free personal version of the software, but it lacks the features that make the professional one so awesome. However, I would recommend the personal one over ZoneAlarm. Try Sygate; it can do almost anything you can think of.
  • I am using XP right now, and I refuse to have my NIC card plugged in without a firewall running. It's silly: this is just another example of not being in control of your system, which is the most major reason I want to move to Linux. (I'm trying, really, it's very hard as a Windows coder.)

    Taking this concept further, I am seeing that many Windows users are disgruntled with XP because it hides waay too much from them, and it becomes frustrating to use. It will be interesting to see how this plays out.
    • My wife works for the Evile Beastie [microsoft.com], and occasionally she has to work from home. They [microsoft.com] use a flavor of VPN that won't work with NAT, so she has to bypass our OpenBSD firewall/router/NAT-box/whatever-you-want-to-call- it and connect directly to our ISP. Naturally, her corporate laptop uses XP. I keep waiting for the day she gets hacked, but so far she's been lucky.

      • XP has a built in firewall (better than nothing). I believe XP Pro also has TCP/IP filtering and IPSec rules that can permit/deny based on ip address, port, and direction. Benefit of using the IPSec rules is that it can be done without a reboot, and you can export the REG files for simple doubleclicking modifications.

        Running Windows is no excuse for being insecure.

  • I think I've asked this before the last time this article got posted, but since there still doesn't appear to be an open-source windows personal firewall, does anyone know what API these programs normally use to get in on network packets in windows? Or is it a dummy network driver or a replacement winsock dll or what?

    --
    Benjamin Coates
      I get the feeling that most people with the knowledge & skill required to write a firewall for windows would much rather put up a linux/bsd machine, with an already tested, robust firewall, to do the job, unless they plan on selling it.

      That's the catch with open source; people only work on projects they're interested in, and things (such as windows firewalls) that capable people aren't interested in, get passed up. ...and nobody looks forward to doing win32 API (or lower level) interactions with windows.
        I dunno, I pretty much find "programming is programming." Don't get me wrong: the Windows API is convoluted, and the most interesting and useful bits are all undocumented. A good example would be everything related to process control -- I just spent an entire day trying to find decent documentation for NtQuerySystemInformation.

        But if you're writing application programs that pretty much stick to the standard operations, programming for the Win32 API is "just programming." Once you start getting into the alleged "helper" type wrappers, such as MFC, then you're way screwed, of course; but then again I don't see the Widget Tool Kit as being the single greatest feat of API engineering ever written, either.

        Microsoft tools are very nice (but costly.) MSDN documentation is usually good (but certainly has its holes.) All in all it doesn't completely suck; it's just not quite as satisfying as accomplishing the same task on a machine with fewer (or at least more far-flung) resources.

  • by Futurepower(R) ( 558542 ) on Monday December 02, 2002 @12:48PM (#4794057) Homepage

    It seems to me that, if you are using Windows XP and a hardware firewall, it is better to use the ZoneAlarm software firewall. Then you can run VisualZone [visualizesoftware.com], and quickly see whether anything has gotten through your hardware firewall. Don't worry about ZoneAlarm's RAM use. RAM is cheap.

    ZoneAlarm works well with Windows XP. It is necessary to disable Microsoft's firewall, of course; you don't want the wolf to guard the henhouse. (See the section Windows XP connects to Microsoft's computers in at least 17 ways. in the article, Windows XP Shows the Direction Microsoft is Going. [hevanet.com].)

    A lot of us need to run programs that don't have Linux or BSD versions. For us, Microsoft has an absolute monopoly. It's hopeless being involved in adversarial behavior with Microsoft. The company has $40 billion cash in the bank. I have ... (Looks in billfold... Moth flies out.)

    One way to cope with the situation is to use two computers connected to one keyboard, mouse and monitor. Run Mozilla on Linux on a computer that is connected to the Internet. Disable internet access on the other computer running Windows XP by removing the TCP/IP protocol. Use another protocol, such as NETBEUI, for file sharing. (IOGear [iogear.com] seems to make the best KVM switch. My experience has been that there is no video degradation with IOGear KVMs.)

    My experience, and the experience of others, is that Windows XP doesn't crash, it just becomes less usable. Windows XP becomes shaky when enough programs are loaded that all of the installed memory is in use. There are other situations where Windows XP begins malfunctioning, but these are not well characterized. (Can anyone help me here?) The symptoms of the malfunction are slowness to respond to the keyboard, and disk thrashing caused by virtual memory use that sometimes takes 45 seconds or more.

    The consensus seems to be, however, that Windows XP is Microsoft's best OS. The only other candidate is Windows 2000. Any comments?

    The single biggest cause of instability in a system that was once stable is bad connections. Just open up the case, pull out all connectors and adapter cards a few millimeters, and push them back. That cleans the contacts.

    (Download ZoneAlarm FREE for personal use. [zonelabs.com])

    Ad-Aware [lavasoftusa.com] is excellent for use with Windows XP. It gives a list of all running processes, who made the software, and where it is located on the hard drive. Its main purpose is to check for spyware. (Virus program software does not check for spyware, so you need a separate program.)

    In Portland, Oregon, USA, the best Internet connection is Hevanet DSL [hevanet.com] with a Cisco 675 router from the phone company, Qwest. The Cisco 675 can be put into a mode in which it is a true hardware firewall, not just a NAT device. (My only connection with Hevanet is as a satisfied customer.)
    • >>>The consensus seems to be, however, that Windows XP is Microsoft's best OS. The only other candidate is Windows 2000. Any comments?

      Not to start a flamewar or anything, but W2k - not bad; can be easily secured but XP - a sysadmin's nightmare; network connections and security cannot be reliably configured by script, as on identical machines, the same procedure can result in different priorities!!!

      The interface to everything has been so 'dumbed down' that functionality suffers. Even my non-techy friends preferred the 'old way' then at least they could see what they had broken.

      • I very much need more information like this. Thanks.
      • I would concur with that. Win2K, such as it may be, at least gives you relatively straight control of system configuration. XP, by comparison, gives you an even more dumbed-down administration interface comprised mainly of wizards for pre-selected tasks. Even when you know exactly what you need to do, it can be a pain to find what you need if you don't know exactly what MS decided to call it.

        It's too bad there's not an administration interface theming system like the one for widgets - there could be selectable settings of, say, "Newbie", "Intermediate", and "Advanced".
  • A personal firewall is the biggest scam of all time.

    The network stack of any reasonably up-to-date Microsoft operating system (say, Windows 98 or 2K on up) is impervious to the OOBNukes and Pings of Death of days yore. If you are concerned about possible trojan horses you should actually invest in a virus scanner and also install something like ad-aware.

    If somebody actually wants to take you offline, any reasonably sized DDoS will flood your pipe and kill your connection--firewall or not.

    There is no plausible need for a "personal firewall", period.

  • For those developers that may be interested - (and I'm sure there is code out there already that demonstrates this) - you can create your own shim dll to control IP networking accessible to applications. Sockcap32 does this in order to socksify non-socks applications under Windows.

    If you want to filter any outgoing packets on your NIC - you'll need to look into writing your own filter driver. The DDK is freely available for download and the documentation should be enough to get an enterprising individual started.

    That being said. Ditch ZoneAlarm (never worked correctly for me -- along with Norton Personal Firewall) and get Tiny Personal Firewall (v2.0 is free) or Kerio Personal Firewall. They are both free and provide pretty fine grained control via their ruleset on incoming/outgoing data.

    Just my $0.07(US) worth (adjust for inflation)
  • Your use of the pseudo-technical and absolutely made-up "reverse honeypot" term confused the living snot out of me; I still can't wrap my head around the concept of what a "reverse honeypot" might do, but I'm sure it's nothing like what you're describing, which is just packet filtering and modification.

    - A.P.
  • I run IE + ZA, and don't flame me (I would run only Linux if my devices were supported) and I am extremely frustrated at placing the cursor over the connection icon and discovering that 200K or more of outgoing data has left my box during a brief session. Surely no legit app has a need to send that much data. Surely there is an app which will tell me where the data is going, and why. Surely there should be a way to throttle the outgoing socket. Hellllp!!
