Full Disclosure mailing list archives
Re: Re[2]: Personal firewalls.
From: Dude VanWinkle <dudevanwinkle () gmail com>
Date: Sat, 21 Jan 2006 17:11:51 -0500
On 1/20/06, Eliah Kagan <degeneracypressure () gmail com> wrote:
> Z sends spoofed packets coming from the DNS server of X even more interesting..
> When Sygate PRO "blackholes" a host, does it block only unsolicited packets (bad), or does it block *all* incoming packets from that host (worse)?
It blocks all traffic from the IP address; you can verify this by looking in the advanced rules section after being scanned.

Watch out for Proventia/RSDP as well as BlackIce. Even though their xml file for distributing rules and policies is one of the best I have seen, their effect on performance is one of the worst I have seen, and they don't protect your machine from disgruntled employees (ahem..Witty), nor the determined attacker.

One good way to test a firewall to see if it will hold its mettle is by nmapping a machine with -p 1-65353. Then see how your network performance is degraded. Also an intense nessus scan against the firewalled machine will help show you how the server/workstation will perform while under an attack. My experience with proventia/realsecure/blackice is that it grinds your machine to a halt (or at least _really_ slows it down) for up to 30 min from an intense nessus scan.

One reason I did not go with ZoneAlarm at the workplace was due to the fact that (given this was a year ago) it kept forgetting settings. Also my employer had a site license for ZA, but if you use it for business, you are supposed to pony up a lic. fee. ZoneAlarm is free for _personal_ use only.

One reason I did not like Sygate was, if you enabled application protection then 1 month later installed hotfixes from MS that updated a system file, after your machine rebooted, then Sygate would block (e.g. kernel32.dll) as an "untrusted app". You can re-scan your system files after installing the patch, but when you have an automated patching solution, this can sometimes be hard. Booting in safe mode and disabling Sygate was the resolution for that issue.

On second thought, I would advise against running application protection (in its current form) on any software firewall. The technology is just not mature enough for production environments (or wasn't 4 months ago, that could (should ;-) have changed by now).
-JP
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/