Security Basics mailing list archives

RE: Potential Outpost Conflicts?


From: "Tim V - DZ " <iceburn () dangerzone com>
Date: Thu, 16 Jan 2003 14:52:18 -0600

Colin-

Sorry for the book, but I typed a bit more on each question than I was
expecting....

There are a multitude of things that go wrong when running multiple
software firewalls.  Traditionally a firewall looks something like:

Internet --- firewall --- network or computer

The whole idea is to inspect traffic coming in, and only let "good" stuff
through.  (I'm speaking generally with the word "good" here).  The
firewall is some sort of barrier between two things, but the same type of
information goes in and out (i.e. TCP/IP packets).

In a computer you have the network adapter that must bind to whatever
protocol you're using to communicate...so you get

Network adapter --- windows IP stack

So to emulate the firewall with software it looks something like

Network adapter --- inspect service ---windows ip stack

Where the service is performing the filtering, denying, dropping
whatever

But a more detailed diagram might look like this

NIC --- Protocol changer -- inspect service -- protocol changer -- IP stack

I'm using "protocol changer" for lack of a better term.  The Raw
information coming from the NIC is converted into something the inspect
service can understand, then the inspect service...inspects it..then the
information is changed back into a form the computer is expecting.  

ANYWAY, you can see, now all traffic is going through multiple layers
before the "computer" actually sees it.  If you are running two
firewalls, the layers basically double.  Now on an unprotected computer
going from

nic--ipstack 

to 

NIC --- Protocol changer -- inspect service -- protocol changer -- IP stack

is easy.  Just insert the 3 layers between the nic and ipstack.  But
what happens when you install a 2nd firewall?  Hopefully you get
something like:

Nic -- ProtoC -- IS  -- ProtoC -- ProtoC --IS --ProtoC -- IPStack

But what if the layers are inserted at the wrong spot / order?  Your
information will never get through to the ip stack and the computer will
never see the network.

A prime example of this would be installing the PGP suite 7.something
on a computer running Windows XP.  By default the PGP suite installed
whatever the PGP software firewall was, but the way the layers work in
XP is different than in previous MS OS's...so the last ProtoC was
converting the information into something that the computer could not
understand.

As for the second question, multiple virus scanners are bad because they
run at the same time...you can run into situations like them both
locking the same file at the same time for scanning and erroring out, not
being able to download things because both AV's fight over the ability
to scan downloadable files, or for a real demo, install two AV engines
on a file server that scans both incoming and outgoing files....the
performance hit will kill you.

If you're really looking for layers in firewalls try:

Internet--HW firewall ---software firewall on computer ---computer

If you're really looking for layers in AV:

Internet -- Proxy (mail, http, whatever) w/ AV ---computer  w/ AV

These aren't that bad to set up...but each does require a separate
physical computer.  Grab an old PC and set up a good security
distribution on it like Smoothwall (smoothwall.org) and connect to the
internet through that.


All that said, besides obvious performance hits for running 4 services
instead of 2, _IF_  (big if) the software is written very very well,
then you should be able to run firewalls and AV's in tandem, but these
products are written with the assumption that each will be the only
product of its kind on a given machine.

-t 




-----Original Message-----
From: Colin Rous [mailto:crous () sympatico ca] 
Sent: Wednesday, January 15, 2003 8:24 AM
To: security-basics () securityfocus com
Subject: Potential Outpost Conflicts?

G'day, all,

I currently run two firewalls (Sygate and Tiny). I wanted to replace one
with Outpost to see if Outpost is as good as people tell me it is.
Agnitum warns you not to run more than one firewall, so I disconnected
from the 'net, shut down both my firewalls and started the Outpost
install. The install process noticed the existence of the other
non-running firewalls on the system and gave me the following message:

"You will most likely have the following problems if you decide to run
more then one firewall on your computer:

- Blue screen fatal errors, system freezing or sudden system reboots.
- All access will be allowed for every application. Nothing will be
  blocked.
- Every application will be blocked and you will be unable to connect to
  any web site.
- Your computer system will be unable to boot up.
- Every other error imaginable!"

First, these claimed potential problems strike me as being somewhat
over-the-top. Second, I run two AV programs (security in depth, and all
that), one of which warns of dire consequences from running more than
one AV program. In fact, I have no problems whatsoever; they don't even
trip over each other's signature files. Neither do I get any conflicts
between my current two firewalls or problems from running two. (I pass
all GRC, Sygate and other tests with either or both.)

So my question is: Has anyone experimented with running Outpost with
another firewall? If so, what was your experience? If not, can anyone
think of anything to justify Agnitum's claims? Is this just a problem of
Outpost's? (No other firewall I know of issues such a warning.)  Or is
this just a marketing claim to encourage usage of Outpost and only
Outpost? (My OS, BTW, is 98.)

Cheers,
Colin

