Firewall Guide and Info


Postby TeMerc » Sun Aug 07, 2005 10:13 am

This post was originally created and posted over at Bluetack Internet Security Solutions by Moore.

I have copied and pasted it here, with his permission.

Some of this may be a bit advanced for many users, but the info is so well written, I had to post it here.

=============================================


+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
---------------------------------------------------------------------------------------------------------------
-<>>FIREWALL GUIDE<<>-
--------------------------------------------------------------------------------------------------------------
------------------------------------------------------
Windows PC Software Firewalls:
--------------------------------------------------------------------------------------------------------------
------------------------------------------------------

"The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location...and I'm not even too sure about that one." -- Dennis Hughes, FBI.

"Defense in depth, and overkill paranoia, are your friends." (Quote Bennett Todd). Hackers are much more capable than you think; the more defenses you have, the better. And they still won't protect you from the determined hacker. They will, however, raise the bar on determination needed by hackers.


-------------------------------------------------------
--------------------------------------------------------------------------------------------------------------

PLEASE READ THIS ! :

Robert Graham's Firewall Forensics Guide:
http://www.dsinet.org/textfiles/faqs/Firewall-seen-FAQ.html

--------------------------------------------------------
--------------------------------------------------------

Data transfers on the Net are always in the form of packets -- relatively small packages of data.
These packets each carry an IP address and port number for their source and destination.
The port number is the mechanism which allows multiple applications to use the same network connection simultaneously.

Any application, such as your browser (or Back Orifice for instance),
which is using the network link, has one or more port numbers assigned to its exclusive use.
The port number is assigned two bytes (16 bits) in each packet.
There are therefore 65,536 (256²) possible port numbers.
The Windows network software (Winsock) which manages network data exchange receives these packets, checks the port number in each, and passes them to the appropriate application.

--------------------------------------------------------------------------------

A firewall is an application that lets you control and filter packets flowing in and out of your computer or network.

Almost all PCs accept certain types of connections, and hackers can take advantage of this when probing for systems to attack.

Such techniques include:

Ping -
A method for determining whether a system is connected to the Internet at a particular address.
You ping a system by sending what's known as an ICMP Echo Request packet.
If the target is connected, you'll receive a 'pong' in response. Most operating systems, including Windows, have this program: just try running the command "ping foo.com" where foo.com is any domain name or IP address.

Operating System Fingerprinting -
By sending/receiving a single specially crafted packet, an attacker can both determine whether a system is connected to an IP address and what operating system it is running
(Windows XP, Windows 95, Red Hat Linux, etc).

Port scans -
It is possible to determine whether any server programs are active and listening for data on a system by sending a connection request to every single possible port number. If you and the attacker both have fast Internet connections, then thousands of ports can be scanned within seconds.

Firewalls are effective at blocking all of these kinds of probes as well as any other intrusion or denial of service attacks by immediately rejecting any incoming packets that weren't solicited from programs running on your computer. The attacker never receives a response, creating the illusion that there is no computer at your IP address.

This in turn prevents any further attempts to exploit security vulnerabilities and break into a system.

Outbound Filtering:
Some firewalls (such as the one included with Windows XP) only work in a single direction - they examine packets your computer is receiving, not those it sends. This is because in most cases, data originating from your computer, such as requests for web pages, is legitimate. But hostile applications like trojan horses, worms, and viruses can use your Internet connection to send an attacker sensitive information such as your files, screen captures, or even keystrokes.

It is therefore crucial that your firewall has some mechanism for filtering outbound traffic from your computer.
This is usually done by building up a list of programs that are allowed to use your Internet connection.
If an unauthorized program makes a connection attempt, the firewall alerts you and lets you decide whether or not to give it permission to proceed.


What are "ports" and "protocols"?

Basically a port is an access channel and a protocol is a standardized way for computers to exchange information.

Your computer must send and receive data to participate on the Internet.
The data is sent and received by software that usually comes with your computer.

This software automatically organizes the data to be sent into packets. These packets are made in a standardized way (a protocol) so other computers can recognize them as data. Similar software is used at the receiving computer to automatically join the packets so the original message is duplicated.

The Internet is constructed so many different routes can be taken by the data traveling on it.
In this way, if part of a route is too busy or breaks down then the packets are simply sent on another route.
This routing is handled by equipment called routers, which are located throughout the Internet.
Each data packet is routed independently so a message broken into 10 packets could take 10 totally different routes over the Internet.
Routers know which computer on the Internet a packet is supposed to be sent to because each packet contains that computer's address, very similar to a letter going through the post office.

Your computer has different ports or channels for this data.
These ports are given standardized numbers so one port is used to send data and another port receives data.

In this way, the packets of data coming into and going out of your computer don't collide or get confused.
The port number is included as part of the address a packet is given.

Ports can have numbers from 1 to 65535.

Introduction to firewalls :
http://clan.cyaccess.com/?menusoft&firewall


Good Firewall Guide / Information:

Understanding and using Firewalls:
http://www.bleepingcomputer.com/forums/tutorial60.html

Great port - tcp/ip info site ;
http://www.chebucto.ns.ca/~rakerman/trojan...port-table.html

Why Internet Firewalls ? :
http://www.busan.edu/~nic/networking/firewall/ch01_01.htm

Personal Firewalls list:
- http://www.securitywizardry.com/firesoftpers.htm

Personal Firewalls :
http://www.securityfocus.com/infocus/1573

==============================================

What is a personal firewall:
http://www.theguardianangel.com/personal_firewall.htm

Comparison of top personal firewalls :
- http://www.agnitum.com/php_scripts/compare2.php

What is a firewall Win9x:
http://www.pc-help.org/www.nwinternet.com/...y/firewalls.htm

GRC - Firewalls:
http://www.grc.com/su-firewalls.htm

Tech TV - Firewalls Explained:

http://www.techtv.com/callforhelp/answerst...2436994,00.html

Just what the name says....FIREWALL GUIDE:
http://www.firewallguide.com/

------------------------------------------------------------------------------

Great Intrusion Detection / Anti Hacking guide :
http://www.infosyssec.com/infosyssec/intde...et1.htm#faq1177

-------------------------------------------------------------------------------

What does finding an opened port mean?

Finding an opened port does not necessarily mean that your computer's security has been compromised.

Remember that ports are designed to be opened so that communication between your computer and the Internet can take place.

Much more important than the fact that a port is open, is the question of who (i.e., what program) opened the port, and for what purpose. Most scanners will show what program they think opened a particular port.

This information, though, is normally based on knowing what programs usually open a particular port.


Online Scans - What to do with Open and Closed Ports
http://www.outpostfirewall.com/forum/showthread.php?t=9992

Ultimate Port reference Guide:
http://www.bluetack.co.uk/forums/index.php?showtopic=777

------------------------------------------------------------------------------------------------------

Q: Which kind of packet filters will make a WUPS scan fail?

A: A packet filter that drops UDP packets from the scanner to the scanned system,
and also a filter that drops ICMP packets going from the scanned system to the scanner. (WUPS is a Windows UDP port scanner; it relies on the ICMP "port unreachable" reply from a closed port.)
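To make the two points above concrete (a stateful firewall answering nothing to unsolicited packets, as described earlier, and why a UDP scan fails once either the probe or the ICMP reply is dropped), here is an added simulation in Python. It is example code written for this guide, not Outpost's or any product's logic; the addresses, ports and class names are constructed.

```python
"""Toy stateful host firewall (illustrative, not any product's real logic)."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """Just the header fields the guide talks about: protocol, addresses, ports."""
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int          # 0 for ICMP
    dst: str
    dport: int          # 0 for ICMP
    icmp: str = ""      # ICMP message kind, e.g. "echo-request", "port-unreachable"


@dataclass
class Firewall:
    stateful_inbound: bool = True                  # drop inbound packets that answer no flow we opened
    drop_outbound_icmp_unreachable: bool = False   # hide "port unreachable" errors from scanners
    # flows the host opened: (proto, local port, remote ip, remote port)
    state: Set[Tuple[str, int, str, int]] = field(default_factory=set)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Filter a packet leaving the host and remember the flow so replies can return."""
        if pkt.proto == "icmp":
            if pkt.icmp == "port-unreachable" and self.drop_outbound_icmp_unreachable:
                return None
            return pkt
        self.state.add((pkt.proto, pkt.sport, pkt.dst, pkt.dport))
        return pkt

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Filter a packet arriving at the host; unsolicited traffic is dropped silently."""
        if not self.stateful_inbound:
            return pkt
        if pkt.proto == "icmp":
            return None  # pings are not answered, so the host looks absent
        return pkt if (pkt.proto, pkt.dport, pkt.src, pkt.sport) in self.state else None


class Host:
    """A host whose IP stack answers pings and reports closed UDP ports with ICMP."""

    def __init__(self, ip: str, open_udp_ports: Set[int], fw: Optional[Firewall] = None):
        self.ip, self.open_udp_ports, self.fw = ip, open_udp_ports, fw

    def send(self, pkt: Packet) -> Optional[Packet]:
        return self.fw.outbound(pkt) if self.fw else pkt

    def receive(self, pkt: Packet) -> Optional[Packet]:
        """Deliver one packet; return what the sender gets back (None = silence)."""
        if self.fw and self.fw.inbound(pkt) is None:
            return None
        reply = None
        if pkt.proto == "udp" and pkt.dport not in self.open_udp_ports:
            reply = Packet("icmp", self.ip, 0, pkt.src, 0, icmp="port-unreachable")
        elif pkt.proto == "icmp" and pkt.icmp == "echo-request":
            reply = Packet("icmp", self.ip, 0, pkt.src, 0, icmp="echo-reply")
        return self.send(reply) if reply else None


def ping(prober_ip: str, target: Host) -> bool:
    reply = target.receive(Packet("icmp", prober_ip, 0, target.ip, 0, icmp="echo-request"))
    return reply is not None and reply.icmp == "echo-reply"


def udp_probe(prober_ip: str, target: Host, port: int) -> str:
    """What a UDP port scanner such as WUPS can conclude about one port.

    Only an ICMP "port unreachable" proves the port closed; silence could mean
    open (the service simply did not answer) or filtered, so nothing is learned."""
    reply = target.receive(Packet("udp", prober_ip, 40000, target.ip, port))
    if reply is not None and reply.icmp == "port-unreachable":
        return "closed"
    return "open|filtered"


def dns_reply_handling(target: Host, resolver_ip: str, stranger_ip: str) -> Tuple[bool, bool]:
    """Stateful inspection: the answer from the resolver the host queried is let in,
    a packet from another address aimed at the same local port is not."""
    target.send(Packet("udp", target.ip, 51234, resolver_ip, 53))
    from_resolver = target.fw.inbound(Packet("udp", resolver_ip, 53, target.ip, 51234))
    from_stranger = target.fw.inbound(Packet("udp", stranger_ip, 53, target.ip, 51234))
    return from_resolver is not None, from_stranger is None


if __name__ == "__main__":
    scanner = "203.0.113.5"  # constructed addresses from the RFC 5737 documentation ranges
    hosts = {
        "no firewall": Host("198.51.100.10", {53}),
        "stateful": Host("198.51.100.11", {53}, Firewall()),
        "drop ICMP errors": Host("198.51.100.12", {53},
                                 Firewall(stateful_inbound=False, drop_outbound_icmp_unreachable=True)),
    }
    for name, host in hosts.items():
        print(f"{name:>16}: ping={ping(scanner, host)} udp/80={udp_probe(scanner, host, 80)}"
              f" udp/53={udp_probe(scanner, host, 53)}")
    print("DNS reply accepted / stranger dropped:", dns_reply_handling(hosts["stateful"], "198.51.100.53", scanner))
```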


------------------------------------------------------------------------------------------------------

Although firewalls have their strengths, and are an invaluable information security resource, there are some attacks that the firewalls cannot protect against, such as eavesdropping or interception of e-mail.

Furthermore, whereas firewalls provide a single point of security and audit, this also becomes a single point of failure; which is to say, firewalls are a last line of defense.

This means that if an attacker is able to breach the firewall, he or she will have gained access to the system, and may have an opportunity to steal data that is stored in that system, or to create other havoc within the system.

Firewalls may keep the bad guys out, but what if the bad guys are inside?
In the case of dishonest or disgruntled employees, firewalls will not provide much protection.

Finally, as mentioned in the discussion of packet filtering, firewalls are not foolproof - IP spoofing can be an effective means of circumvention, for example.

For optimal protection against the variety of security threats that exist, firewalls should be used in conjunction with other security measures such as anti-virus software and encryption packages.

As well, a well-thought out and consistently implemented security policy is vital to attaining optimal effectiveness of any security software.

Beginners Guide to Firewalls:
- http://www.securityfocus.com/infocus/1182

For hardware security information please follow this link:
- http://www.securityfocus.com/infocus/1568

---------------------------------------------------------------------------------------------------------

Attacks Utilizing a Trojan Horse

A Trojan horse, like the Greek "gift" to Troy, looks like a useful and innocent program but actually contains a means of attacking your system.
A Trojan allows an attacker to perform almost the same actions on an infected computer as does its owner: copy, view and delete information from the hard drive, run applications, change configuration settings, control the infected computer's hardware and much more.

Typically Trojan horses are distributed over the Internet as small utility programs, screen-savers, wallpaper for desktops, etc. When a cracker gains access to a system, all manner of maliciousness is possible.

Also read the Bluetack Guide on Trojan Horses:
- http://www.bluetack.co.uk/forums/index.php...hp?showtopic=72

---------------------------------------------------------------------

Attacks Via Internet Applications:

Some Internet applications, such as browsers, personal messengers and Internet pagers, have security holes that can be taken advantage of by attackers to access data stored on your hard drive.

Depending on your application configurations, your computer can distribute confidential information about your system and your Internet operations (mostly applies to Web browsers).


If you use Microsoft Internet Explorer, you should know about these existing security vulnerabilities:
- http://www.pivx.com/larholm/unpatched/


Well, the vulnerabilities list above has been taken down and replaced with this security patch program:
http://www.pivx.com/qwikfix/download.html

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Attacks Using Specially Created Harmful Data Streams

There is software around that attackers use to send harmful data streams designed to disrupt your system and impair its efficiency on the Internet.
A computer receiving this data through its different ports might lose control and hang (freeze up). Beyond the bother of having to reboot your computer, current downloads are lost, phone calls are interrupted and so on.

Attacks Using Weaknesses in Your O/S Settings

Attackers can take advantage of free and open access made available by how your Operating System is configured.

For example, if your computer uses Microsoft Windows its NetBios settings can be set so your files are made available to attackers.


For more info on exploits:
http://www.iss.net/security_center/advice/...its/default.htm
http://www.robertgraham.com/pubs/firewall-seen.html

=============================================
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
------------------
Outpost Pro firewall:
------------------
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
=============================================

Agnitums Outpost Pro is my choice for a personal firewall .. :D

New 2.5 Version has been released:
-----------------
Outpost Pro V2.5:
-----------------
- http://www.agnitum.com/
- http://www.outpostfirewall.com/forum/

OP Pro 2.5 release:
http://www.bluetack.co.uk/forums/index.php?showtopic=6378

OP 2.5 review at PC Flank:
http://www.pcflank.com/review_ofp_25_1.htm


Flexbeta Outpost pro 2.1 guide/review:
http://www.flexbeta.net/main/articles.php?...&showarticle=54

For screenshots of OP Pro version 2.1 check the security tools section here:
http://www.bluetack.co.uk/forums/index.php...?showtopic=1455

===========================================
----------------------------------------------

Outpost firewall complete online guide
http://www.outpostfirewall.com/guide/index.htm

--------------------------------------------
===========================================

Outpost Personal Firewall Pro Features :

Security Features Include :

New: Improved Web Active Content Filtering provides an easier,
more flexible and effective way to control the behavior of active elements (ActiveX, scripts, etc.) on Web pages;
Components Control (Anti-Leak) feature monitors components of each application you run;
Stateful Inspection firewall technology provides superior security to packet filtering;
Windows Boot-up protection defends your system before any malicious programs can be loaded;
System and application level filtering define broad and precise restrictions;
TCP, UDP and ICMP level filtering define access for data packet transmissions;
Internet attack blocking (nuke, etc.) averts attacks that can cause system crashes;
Port scan detection denies access to intruders;
Stealth mode Support makes your computer invisible to attackers;
MD5 authentication offers added protection for encrypted messages;
E-mail protection guards against dangerous attachments and worms;
Firewall engine resides on the lowest possible level of the operating system,
allowing Outpost to filter RAW_SOCKET and direct packet sending into drivers, thus bypassing the TCP/IP stack.

Control Features
New: Improved Content Filtering plug-in can display custom messages for sites with objectionable content;
New:Outpost Firewall alerts you of the events that require your immediate attention so that you can provide quick and appropriate response;
New:Improved logging system maintains optimum log size for best performance;
Database-driven logging system gives you precise stats for every connection and event;
Network activity monitor provides a graphic overview of your system;
Content filtering lets parents control site access for children;
One click to block all traffic or disable the firewall;
Software runs as a service;
Custom settings are password-protected;
Trusted IP group maintains confidentiality;
Individual configurations allow customization by multiple users;
DNS caching speeds connection times.

Privacy Features
New: Improved banner blocking can replace banners with transparent images;
New: Trusted Sites list personalizes banner treatment for specific Web sites;
Banner ad blocking (including Flash ads) and pop-up window blocking keep frustrating ads off your screen;
Cookies blocking maintains Web privacy and protects personal information;
Web history (referrers) blocking conceals surfing habits;
Active elements blocking for ActiveX, Java, Visual Basic scripts, and Java applets protects your system from malicious programs.

Ease of Use and Compatibility
Auto-configuration sets up 95% of your applications, system and local network settings during installation;
Remote Desktop support;
Predefined system and application settings cover all common tasks such as browsing the web, allowing ICQ, allowing DNS or DHCP, etc;
Highly customizable user interface;
Individual configurations for multiple users.


======================================
Outpost Firewall free V1
======================================

#NOTE: Outpost FREE is good, but it's getting old and is not supported by Agnitum, so use at your own risk.

Make sure you make a backup of your configuration / ini files once you have set up your rules, in case a crash wipes out your personalised settings.

Outpost Firewall free V1:
http://www.agnitum.com/download/outpostfree.html
Agnitum Outpost is the first personal firewall that supports plug-ins.
Sample plug-ins are included to show how this revolutionary technology
can easily be employed for such tasks as Intrusion Detection, Advertisement Blocking,
Content Filtering, E-mail Guard and Privacy Control.

Agnitum Outpost is equipped with every feature a personal firewall should have.
It is the most functional firewall in the world.
Outpost supports all the latest security techniques and features such as:
Full Stealth Mode, Anti-Leak, and MD5 Authentication.

----------------------------
Outpost Free V1 review:
----------------------------
- http://www.scotsnewsletter.com/38.htm#review1
- http://clan.cyaccess.com/?menusoft&outpost
- http://www.techtv.com/callforhelp/freefile...3406480,00.html


-------------------------

- OUTPOST HELP LINKS -

-------------------------

Obviously the Outpost forum is the best place to find quality assistance, but here are some of the best help links:

FAQ = Forum Section :
http://www.outpostfirewall.com/forum/forumdisplay.php?f=64

http://www.agnitum.com/support/selfsupport.html
http://www.agnitum.com/support/outpost2faq.html

A Guide to Producing a Secure Configuration for Outpost :
http://www.outpostfirewall.com/forum/showthread.php?t=9858

Online Scans - What to do with Open and Closed Ports :
http://outpostfirewall.com/forum/showthrea...=&threadid=9992

Component Control Faq:
http://www.outpostfirewall.com/forum/showthread.php?t=12233

How to create rules in Outpost :
http://outpostfirewall.com/forum/showthrea...=&threadid=7189

Outpost Rules Processing Order :
http://outpostfirewall.com/forum/showthrea...=&threadid=8394

Extended Zone Alarm Uninstall/Outpost Install Instructions :
http://outpostfirewall.com/forum/showthrea...=&threadid=7187

Extended Application or Firewall Uninstall/Install Instructions :
http://outpostfirewall.com/forum/showthrea...=&threadid=7186

----------------------------------------------

Blockpost Plugin IP blocklist Import Guide + Tips :

http://www.outpostfirewall.com/forum/showthread.php?t=9846
http://www.bluetack.co.uk/forums/index.php?showtopic=1515

------------------------------------------------

Outpost Firewall Presets: Idea and Format :

http://www.outpostfirewall.com/forum/showt...=&threadid=2404

Outpost Firewall includes presets for popular applications such as ICQ, Internet Explorer, Outlook Express and many others. When an application tries to connect to the Internet for the first time, Outpost searches its application database and suggests a set of rules worked out by our engineers that are optimum for this application. Even advanced users are recommended to use these presets and then tweak their settings as needed. This very powerful technique lets you create rules with one click and without any special knowledge of ports and protocols.

Application Specific Presets—for particular applications such as Internet Explorer, Microsoft Telnet or Outlook Express.

Common Activity Preset—for common activities such as browsing the Web, connecting via the Telnet protocol or receiving and sending e-mail.



Paranoid2000
Super Moderator
For maximum security I would also suggest removing the DNS rule from the Global rules - this means having to create a specific one for each application but does mean that a hostile application cannot even find an IP address without you permitting it (and does defeat certain leaktests). Having a Protocol TCP, Remote Port DNS, Deny as a Global rule would be a good idea in this case since it saves you from having to set up a second DNS rule to cover TCP for each application (normally UDP is used, but long queries switch to TCP - I have never noticed any ill-effects from blocking them though).


- http://www.outpostfirewall.com/forum/showt...=&threadid=3735
- http://www.outpostfirewall.com/forum/showt...p?threadid=7896

Maximum security rules :
http://www.outpostfirewall.com/forum/showt...p?threadid=7896

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

PC Flank Outpost Rules search function:
http://www.pcflank.com/fw_rules_db.htm

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

PLUGINS:
http://www.agnitum.com/products/outpost/pl...plugins3rd.html

Blockpost V2:
http://www.outpostfirewall.com/forum/showt...=&threadid=7229

Blockpost V1:
http://www.outpostfirewall.com/guide/the_o...s/blockpost.htm

http://www.outpostfirewall.com/forum/showt...p?threadid=7875

-------------------------------------------------

The AGNIS for Outpost block lists by Eric Howes are updated regularly.

IE-SPYAD (the IE Restricted zone list) and the original AGNIS block lists (for AtGuard/NIS/NPF) and AGNIS for AdShield have also been updated.
AGNIS for Outpost contains a set of ad block lists for use with Agnitum Outpost.
These block lists are ports of the original AGNIS block lists for AtGuard, Norton Internet Security, and Norton Personal Firewall 2003 (see the AGNIS section above on this page).


AGNIS for Outpost :
https://netfiles.uiuc.edu/ehowes/www/resource.htm


=================================================
------------------------------------------------------------------------
--------------------------
Tiny Personal Firewall :
--------------------------
--------------------------

The most advanced Firewall / Sandbox application available.

There are two versions available; the Pro version offers the most extreme security features you could ask for, including IDS/IPS and a content filter, and it's aimed at advanced users.

http://www.tinysoftware.com

http://www.tinysoftware.com/forum <- registration required.

Dslr Security forums : ? :D


http://www.tinysoftware.com/home/tiny2?s=9...g=solo_download

Tiny Firewall 6

Tiny Firewall 6 is the greatest security solution for the windows based host presented to general public to date. The suite of features covers the protection from various angles - from network security, file and registry protection, application launch control and management through signature based Intrusion detection and Prevention.

Most importantly, these security features are packed into user friendly tools, such as the Track'n Reverse tool, which erases changes made to the computer by applications. Whenever you are unsure about an application's behavior, just put it into Track'n Reverse mode, knowing that all your files and registry will be protected and that the changes, including deletions, can be brought back.


Tiny Firewall 6 Summary

SERVICES GUIDE :

Windows Security

The Windows Security engine protects the computer's resources against unwanted and suspicious accesses and changes. The Windows Security engine allows you to set your own list of trusted applications and their access rights to the system. The Windows Security engine isolates applications, minimizing their impact on system resources.

The most attractive features include:

  • code injection prevention stops malicious processes from misusing trusted applications
  • process spawning control prevents malicious processes from starting other applications
  • complete file protection preventing unwanted changes to your file system
  • complete registry protection preventing unwanted changes to your registry
  • system service installation control preventing trojans installing themselves as a system service
  • device protection preventing misuse of USB devices, COM ports, modems, and other devices
  • complete DLL loading control lets you specify which DLLs may be loaded by which applications - no more undetectable trojans
... and many more

In other words it kicks ass... :P

**********************************

NOTE: The default firewall rules can be insecure as most connections are allowed by default and should be modified before you go onto the internet to avoid any possible attacks/exploits being let through.

**********************************

What is the limitation of trial version?

There is no functional limitation of trial version. The only limit is the time period which is 30 days.

Where can I get the license key?

You can purchase the permanent license to use TPF at our online store (follow up purchase link on top). Your key will be emailed to you within minutes after the purchase. This period may get longer if your credit card was chosen for random check (for your protection!).

How about Win98/ME version?

TF 6.0 and up does not support Windows 98/ME and there are no plans to support these platforms.

What platforms does TF6 support?

Windows 2000 SP3+ Pro / Server / Advanced Server
Windows XP Home and Pro
Windows 2003 Server

Is TF6 any good on a server?

YES! TF6 was specifically designed to work well on the server causing minimum impact on the server performance.


==============================================
-------------------------------------------------------------------------------
-------------------
Sygate Firewall :-
-------------------
--------------------------------------------------------------------------------
==============================================

Sygate Personal Firewall
http://soho.sygate.com/products/shield_ov.htm

A powerful and easy-to-use PC firewall that protects against:
Trojans, spyware, and other malicious threats, including those that use their own protocol drivers.
It prevents unauthorized applications from passing through the firewall by inserting code into authorized ones,
and enables even the most inexperienced users to easily customize and fine-tune security policies.
It also provides best-in-breed logs for intrusion analysis.


Sygate Pro & Free informational website
- http://personal.atl.bellsouth.net/i/k/ikpe/

Cool Sygate site:
- http://www.whitehat-security.com/SPF.htm

The SYGATE PRO users guide PDF:(4734Kb) - DOWNLOAD
SYGATE PRO Knowledge Base forum:RIGHT HERE

Sygate website support:
- http://soho.sygate.com/support/default.htm
- http://smb.sygate.com/support/documents/ps...spf/default.htm
- http://forums.sygate.com/vb/


Good install registration practice:

When you first boot up right after installing SPF it is a good idea to do the following to avoid any issues with SPF blocking your registration.
When you reboot if you get a "buy now" or "register" screen, just click "try now".
Then allow any and all popups that you may see for now, and then set SPF to "allow all" under the "security" tab on the SPF console.
It is a good idea to do this at first, since SPF's default state is "block all" and you do not want to block your registration by mistake.
So once set, then go under the "help" tab, click "register", then fill out all the fields using N/A for those that do not apply and register. Once registered, set SPF back to normal and configure SPF as needed.



---------------------------------
KERIO firewall -
---------------------------------

Regarded as a good firewall by many.

http://www.kerio.com/kpf_home.html

Sponge's security site designed for Kerio users:
http://www.geocities.com/yosponge/
http://www.geocities.com/yosponge/faq.html



------------------------------------------------------------------------------------------------
--------------------------------------------------------------------
--------------------------------------------------------
-----------------------------------------------------
-------------------------------------------------------------------------------------------------------------

- PROTOWALL - BLUETACK Converter/BLOCKLIST MANAGER - IP ADDRESS Blocklists -

--------------------------------------------------------------------------------------------------------------
------------------------------------------------------

PROTOWALL

ProtoWall is an IP blocking program that blocks all connections made over TCP/IP, UDP, ICMP, IGMP and raw IP. It is designed to run alongside other firewalls that lack IP blocking/importing capabilities.

It is driver based, so it blocks the packets before most firewalls will ever see them.

ProtoWall is available for Windows XP, 2000 and 2003 Server; because of the driver it needs to install, it will not work on Windows 98 or ME.

Bluetack forum:
http://www.bluetack.co.uk/forums/index.php?c=8

Help file:
http://bluetack.co.uk/pwhelp

What protocols will ProtoWall block?

IP/ICMP/TCP/UDP/HOPOPTS/IGMP/GGP/IPV4/ST/EGP/PIGP/RCCMON/NVPII/PUP/ARGUS/EMCON/CHAOS/MUX/MEAS/HMP/PRM/IDP/TRUNK1/
TRUNK2/LEAF1/LEAF2/RDP/IRTP/TP/BLT/NSP/INP/SEP/3PC/IDPR/XTP/DDP/CMTP/TPXX/IL/IPV6/SDRP/ROUTING/FRAGMENT/IDRP/RSVP/
GRE/MHRP/BHA/ESP/AH/INLSP/SWIPE/NHRP/MOBILE/TLSP/SKIP/ICMPV6/NONE/DSTOPTS/AHIP/CFTP/HELLO/SATEXPAK/KRYPTOLAN/RVD/
IPPC/ADFS/SATMON/VISA/IPCV/CPNX/CPHB/WSN/PVP/BRSATMON/ND/WBMON/WBEXPAK/EON/VMTP/SVMTP/VINES/TTP/IGP/DGP/TCF/IGRP/
OSPFIGP/SRPC/LARP/MTP/AX25/IPEIP/MICP/SCCSP/ETHERIP/ENCAP/APES/GMTP/IPCOMP/PIM/PGM/



BLUETACK converter:
Converts IP blocklists into various firewall formats for importing into your firewall:

http://www.bluetack.co.uk/convert.html

Further information on converting to BlackICE firewall.ini format
Further information on the Kerio Personal Firewall v2 persfw.conf format
Further information on the Kerio Personal Firewall v4 kpf.cfg format
Further information on Morpheus blacklists
Further information on Cisco ACLs

http://www.bluetack.co.uk/forums/index.php...hp?showforum=14
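As an added illustration of what such a conversion involves (not the Bluetack converter's own code), the Python below reads a list in the P2P plaintext format the Bluetack lists use ("description:first-last", one range per line), splits each range into CIDR blocks, and writes them out as Cisco standard ACL lines. The sample list and the ACL number are constructed; the function names are my own.

```python
"""Blocklist converter example: P2P plaintext ranges -> CIDR -> Cisco standard ACL."""
import ipaddress
from typing import List, Tuple

IPv4Net = ipaddress.IPv4Network

SAMPLE_BLOCKLIST = """\
# constructed sample list (RFC 5737 documentation addresses)
Example ad server:203.0.113.0-203.0.113.255
Example scanner range:198.51.100.5-198.51.100.10
Bad entry with no range
Backwards entry:198.51.100.9-198.51.100.1
"""


def parse_p2p(text: str):
    """Return (entries, rejects): entries are (name, first, last); rejects are (line no, reason).
    Malformed lines are reported rather than silently dropped, so a damaged download is noticed."""
    entries, rejects = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, rng = line.rpartition(":")  # split on the last colon: names may contain colons
        if not sep or "-" not in rng:
            rejects.append((lineno, "no name:first-last range"))
            continue
        try:
            first, last = (ipaddress.IPv4Address(p.strip()) for p in rng.split("-", 1))
        except ipaddress.AddressValueError as exc:
            rejects.append((lineno, f"bad address: {exc}"))
            continue
        if last < first:
            rejects.append((lineno, "range end precedes start"))
            continue
        entries.append((name.strip(), first, last))
    return entries, rejects


def to_cidr(entries) -> List[Tuple[str, IPv4Net]]:
    """Split each inclusive range into the minimal set of CIDR blocks covering it;
    an arbitrary range such as .5-.10 needs several blocks, not one."""
    blocks = []
    for name, first, last in entries:
        for net in ipaddress.summarize_address_range(first, last):
            blocks.append((name, net))
    return blocks


def to_cisco_acl(blocks, acl_number: int = 10) -> List[str]:
    """Emit a Cisco standard ACL: a remark naming the source entry, one deny per block
    (wildcard mask is the inverted netmask), and a closing permit so other traffic still flows."""
    lines = []
    for name, net in blocks:
        lines.append(f"access-list {acl_number} remark {name}")
        if net.prefixlen == 32:
            lines.append(f"access-list {acl_number} deny host {net.network_address}")
        else:
            lines.append(f"access-list {acl_number} deny {net.network_address} {net.hostmask}")
    lines.append(f"access-list {acl_number} permit any")
    return lines


if __name__ == "__main__":
    entries, rejects = parse_p2p(SAMPLE_BLOCKLIST)
    for lineno, reason in rejects:
        print(f"skipped line {lineno}: {reason}")
    print("\n".join(to_cisco_acl(to_cidr(entries))))
```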


Bluetack Personal Blocklist Manager:
Blocklist Manager is an application which downloads blocklists from various sources and updates applications such as
Kazaa Lite K++, PeerGuardian, eMule, Gnucleus and Morpheus.

At the moment, the following firewall formats are also supported as a conversion only:
Blockpost for Agnitum Outpost v2
Sygate Advanced Rules
ZoneAlarm Pro 4 xml

- http://www.bluetack.co.uk/forums/index.php?c=3


-------------------------------------------

PEER GUARDIAN

-------------------------------------------

For Windows 98/SE/ME users who can't (or don't want to) run ProtoWall and do not have a firewall with IP import/blocking; they also host a mirror for the Bluetack blocklists.

Peer Guardian Forum:
http://www.methlabs.org


=============================================================

Firewall leak tests comparison:
http://www.firewallleaktester.com/

Stealth Tests results:
http://www.pcflank.com/scanner1s.htm

PC Flank Leak test results:
http://www.pcflank.com/art21.htm
http://www.pcflank.com/art41c.htm

Outpost Leak Test results
(Advanced rules configured properly reduce the effectiveness of these leak tests with Outpost.) [Outpost 2.5 can now be configured to block all leak tests successfully.]

Firewall scoreboard (really old, sort of interesting)
- http://grc.com/lt/scoreboard.htm

--------------------------------------------------------------------------------------------------

Read the following pages to learn more about internet protocols:

http://www.protocols.com/pbook/tcpip1.htm
http://www.protocols.com/pbook/tcpip2.htm#IP

http://www.networksorcery.com/enp/topic/ipsuite.htm

-Network layer protocols
These protocols are assigned an Ethertype number.

-Transport layer protocols
These protocols are assigned an IP Protocol number.

-Application layer protocols:
These protocols are assigned one or more SCTP, TCP or UDP port numbers.

TCP - Transmission Control Protocol:
- TCP provides a reliable stream delivery and virtual connection service to applications
through the use of sequenced acknowledgment with retransmission of packets when necessary.

UDP - User Datagram Protocol:
- Provides a simple but unreliable message service for transaction-oriented services.
Each UDP header carries both a source port identifier and a destination port identifier,
allowing higher-level protocols to target specific applications and services among hosts.

Internet Control Message Protocol :

ICMP redirect messages are almost always suspect. If used legitimately, ICMP redirects are used by a router to advise a host of a change in network topology. It just tells your host "don't send this to me, instead use this different router". However, while ICMP redirects are nice as a poor man's routing protocol, they are not exactly safe. They are in no way authenticated. ICMP redirects can be spoofed and used for 'man in the middle' attacks.

These attacks allow a third party to listen in on your traffic (and in some cases modify it) by routing all your traffic through the attacker's system.

ICMP and UDP tunnelling attacks are also used to wrap real data in the headers.
If your system is compromised, firewalls and routers that allow ICMP ECHO, ICMP ECHO REPLY and UDP packets through will be vulnerable to this attack.



ICMP Protocol Overview:
Internet Control Message Protocol (ICMP), documented in RFC 792, is a required protocol tightly integrated with IP.
ICMP messages, delivered in IP packets, are used for out-of-band messages related to network operation or mis-operation. Of course, since ICMP uses IP, ICMP packet delivery is unreliable, so hosts can't count on receiving ICMP packets for any network problem.

Some of ICMP's functions are to:
Announce network errors, such as a host or entire portion of the network being unreachable, due to some type of failure.
A TCP or UDP packet directed at a port number with no receiver attached is also reported via ICMP.

Announce network congestion.
When a router begins buffering too many packets, due to an inability to transmit them as fast as they are being received, it will generate ICMP Source Quench messages. Directed at the sender, these messages should cause the rate of packet transmission to be slowed. Of course, generating too many Source Quench messages would cause even more network congestion, so they are used sparingly.

Assist Troubleshooting.
ICMP supports an Echo function, which just sends a packet on a round-trip between two hosts. Ping, a common network management tool, is based on this feature. Ping will transmit a series of packets, measuring average round-trip times and computing loss percentages.

Announce Timeouts.
If an IP packet's TTL field drops to zero, the router discarding the packet will often generate an ICMP packet announcing this fact. TraceRoute is a tool which maps network routes by sending packets with small TTL values and watching the ICMP timeout announcements.


--------------------------------------------------------------------------------


- For a complete listing of assigned ports and numbers:
http://www.networksorcery.com/enp/protocol.../ports00000.htm

- Domain Names and Numbers Explained:
- http://www.cs.cf.ac.uk/Dave/Internet/node60.html
- Port descriptions and services.
- Block known trojan ports

- GIANT PORT LIST : http://keir.net/portlist.html

-Bluetack Guide to tracking IP addresses:
- http://www.bluetack.co.uk/forums/index.php...hp?showtopic=52

-Guide To Reporting Security Incidents to ISPs:
- HERE

Google directory on Firewalls

PC Flank security articles:
- http://www.pcflank.com/articles.htm
- http://www.pcflank.com/art19.htm


================================================
------------------------------------------------------------------------

The firewalls below are popular choices, but I cannot recommend them personally: :D

------------------------------------------------------------------------
================================================

Norton Internet Security : :P

probably from http://www.symantec.com ;)

Rules Guides :
http://www.gpick.com/agnisrules/pages/trojan.html

===============================================
--------------------------
-------------
Zonealarm :
-------------
---------------------------
===============================================

ZoneAlarm protects automatically from the moment it's installed - no programming required.
ZoneAlarm barricades your PC with immediate and complete port blocking.
And, then runs in Stealth Mode to make your PC invisible on the Internet -
if you can't be seen, you can't be attacked.


- http://www.zonelabs.com/

ZoneAlarm detailed guide:
- http://www.markusjansson.net/eza.html

ZoneAlarm forums:
- http://forums.zonelabs.com/zonelabs
- http://www.bobsfreestuffforum.co.uk/forum/viewtopic.php?t=60


A great guide on ZoneAlarm Pro Expert rules, originally posted by jonny at the FTC forum:
- http://64.37.72.176/ZoneAlarmPro_Expert_Rules.htm


- http://www.virus.org/Review31.html
No matter what program expert rule you make, there are a few things that need to be done and known.

First, in program rules ALL rules will apply, whereas in a Firewall expert rule only the first applicable rule applies. Second, when you create a program Expert rule, there is one thing that needs to be added and another added depending on how you set up your zones.

The rule that should always come last (the rules are applied in order from 1 to whatever) is a blocking rule. Create a new rule and name it blocking (or whatever), then select block for an action. You can leave everything else alone. This blocks everything except what you have allowed in the rules prior to this one.

Another rule that you may need is a rule for DNS lookup. If you add this rule to each program then you can control it to a single port and not put the DNS servers in the trusted zone, but in the internet zone. For that, create a new rule, name it DNS (or whatever), as a destination add both (or all) of your DNS servers, then in the protocol section open only the DNS port. This allows only DNS to go between your computer and your ISP's DNS servers.

The big thing to remember is that in the program expert rules, they are ALL looked at for permission from 1 to the last, and you have to add the blocking rule or all ports are open. This is really handy in email clients. No more junk coming through (pictures and remote pages and objects).



A sobering experience for a novice is to block ports in Zone Alarm and watch them running wide open in CommView. :(



=================================================

Look and Stop Firewall :

It's out there waiting for you: :D

http://www.google.com/

-------------------------------------------------
BLACK ICE -
-------------------------------------------------

An intrusion detector; don't rely on this as your only form of firewall protection. Good luck, and may the force be with you. :ph34r:

- Black ICE 30 Day Trial -

http://blackice.iss.net/eval.php
http://blackice.iss.net/product_pc_protection.php

=========================
---------------------------
Kaspersky Anti-Hacker :
---------------------------
=========================

http://www.spychecker.com/program/kanithacker.html

It is a personal firewall providing full-scale protection for personal computers running Windows operating systems. It prevents unauthorized access to data, as well as hacker attacks launched from both intranets and the Internet.

Full-scale Control Over Network Activity

Kaspersky Anti-Hacker is a personal firewall that checks all incoming and outgoing data streams and only permits actions that are safe or have been authorized by you.
It runs at application level, allowing you to grant or deny specific behavior to selected programs.
The program uses easy-to-understand rule definitions rather than complicated port and protocol configurations whenever possible.
You can choose from 5 different security levels that are available as presets, and also customize the rules and create new ones according to your personal security requirements.
Like most personal firewalls, Kaspersky Anti-Hacker also comes with a learning mode that prompts the user each time an application uses the internet for the first time and, based on your answers, automatically creates the rules for you.
The low-level data interceptor allows information filtration before it is processed by other applications and provides intrusion protection from the latest forms of hacker attacks, including Ping of Death attacks, Land attacks, TCP and UDP port scanning and DoS attacks.
SmartStealth protects your ports and makes the system fully invisible to the outside.
Additional features include a connection monitor, port monitor, detailed logging and more.

At this time Kaspersky Anti-Hacker is not compatible with ADSL modems.


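As an added example (not part of Moore's original guide or any Bluetack tool), here is a small Python decoder for the ICMP messages the guide describes, which flags the two cases it warns about: unauthenticated redirects and oversized echo payloads that can carry tunnelled data. The ICMP type numbers come from RFC 792; the 56-byte "normal ping payload" threshold and the sample packets are assumptions constructed for the demo.

```python
import struct

# ICMP type numbers (RFC 792) for the messages discussed in the guide above
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 4: "source quench",
              5: "redirect", 8: "echo request", 11: "time exceeded"}
# Assumption for the tunnelling heuristic: ordinary pings carry at most 56 bytes of payload
MAX_NORMAL_ECHO_PAYLOAD = 56

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(msg_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Build a constructed ICMP message with a correct checksum (sample input only)."""
    header = struct.pack("!BBH", msg_type, code, 0) + rest
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBH", msg_type, code, csum) + rest + payload

def parse_icmp(packet: bytes) -> dict:
    """Decode an ICMP header and flag the two cases the guide warns about."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    msg_type, code, _ = struct.unpack("!BBH", packet[:4])
    info = {"type": msg_type, "code": code, "name": ICMP_TYPES.get(msg_type, "other"),
            # A valid message checksums to zero when the checksum field is included
            "checksum_ok": icmp_checksum(packet) == 0, "suspect": False, "reason": ""}
    if msg_type == 5:
        # Redirects are unauthenticated: a spoofed one reroutes traffic through a third party
        gateway = ".".join(str(b) for b in packet[4:8])
        info.update(gateway=gateway, suspect=True,
                    reason="redirect to gateway %s (unauthenticated, possible MITM)" % gateway)
    elif msg_type in (0, 8) and len(packet) - 8 > MAX_NORMAL_ECHO_PAYLOAD:
        # Oversized echo payloads are how ICMP tunnelling wraps real data into ping traffic
        info.update(suspect=True,
                    reason="echo with %d-byte payload (possible ICMP tunnelling)" % (len(packet) - 8))
    return info

if __name__ == "__main__":
    # Constructed samples: a redirect, a normal-sized ping, and an oversized ping
    for pkt in (build_icmp(5, 1, bytes([10, 0, 0, 99])),
                build_icmp(8, 0, b"\x00\x01\x00\x01", b"A" * 32),
                build_icmp(8, 0, b"\x00\x01\x00\x01", b"B" * 200)):
        r = parse_icmp(pkt)
        print(r["name"], "SUSPECT" if r["suspect"] else "ok", r["reason"])
```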


Re: Firewall Guide and Info

Postby TeMerc » Sat Feb 02, 2008 1:17 am



Re: Firewall Guide and Info

Postby TeMerc » Tue Mar 25, 2008 3:25 pm

Matousec
2008/03/18
Today, we present new projects called Firewall Challenge and Security Software Testing Suite to you and hope it was worth the wait.

Firewall Challenge replaces our former project Windows Personal Firewall Analysis and its subproject Leak-testing. Firewall Challenge combines the depth of our analyses with the simplicity of leak-testing. The whole system of the new project is very extensible: we can and will add new tests to it to get even more information about the protection of the tested products. If you are interested in the initial results of the challenge or in its rules, scoring system and methodology, just visit the Firewall Challenge pages!

Firewall Challenge testing relies heavily on Security Software Testing Suite. This suite is a collection of simple tests with a common interface. To make the testing as transparent as possible, we publish the suite with full source code.
- Firewall Challenge
- Security Software Testing Suite

Source: Donna's Security Flash

