Re: Personal firewalls.

[Eliah Kagan <degeneracypressure () gmail com>]

> However I do wish it had the feature that Sygate PRO has, which will
> blackhole a IP if it detects a ports scan coming to it. it then blocks all
> activity from the offending IP for approximately 10 minutes.

Well, it's a feature if the probes are really coming from the computer
Sygate PRO thinks they're coming from.

Suppose X is running Sygate PRO and Y is a legitimate client
connecting to a server running on X. Then Z comes along and sends a
bunch of SYN packets to X, spoofed to have the source IP of Y, waits
10 minutes, and repeats ad infinitum. Now Y can never connect to X.
This seems more like a DoS vulnerability than a feature to me. Am I
missing something?

-Eliah

On 1/20/06, Soderland, Craig wrote:
> Time to thrown my .02 cents in.
>
> Zone - Good product, though it requires much thought and proper
> configuration for successful installs. does not, always save your
> configurations settings when you shutdown. This I find occurs most often
> when you upgrade Zone from one version to another and not use the "clean
> install option." If this occurs you have 2 options.
>
> 1. re-install zone, utilizing the clean install option and then re-enter
> your rules.
> 2. do not re-install zone but when you have made firewall rules changes,
> exit out of the program after making the aforementioned changes, when Zone
> exits, not as part of a shutdown it seems to correctly flush the
> configuration to disk.
>
> Another issue with zone, is that they have not yet fixed the bug in the true
> vector engine. I can can cause true vector, to regularly crash out and leave
> the system unprotected from a remote client. I have notified Zone's
> engineers, specifically how this was done and to date no response from their
> side. To their credit, when this occurs now the system loses all network
> connectivity (with recent update.) and the VSMON service now restarts. So
> even though the bug in True Vector still exists they have worked around it
> so as to not leave your system completely vulnerable as in the 5.x versions.
>
> But other than this it is a good package, very flexible, and powerful though
> requiring a certain level of sophistication to configure it properly.
>
> However I do wish it had the feature that Sygate PRO has, which will
> blackhole a IP if it detects a ports scan coming to it. it then blocks all
> activity from the offending IP for approximately 10 minutes.
>
> It however had a similar problem to zone in that we could easily get the FW
> to crash out, however when it did crash out all connectivity was lost. To
> date this also has not been fixed.
>
> the other firewalls I've played with, all had their own set of feature
> issues, With Black Ice being the worst piece of Garbage, I have had my
> displeasure of ever installing. Just too damn easy to defeat.
>
> in all cases, I would recommend a firewall software, especially if you are
> on a laptop, and might ever be out on he wild wild internet without being
> behind a hardware firewall. Preferably something that will also check on
> programs attempting to make outbound connections. But I would not rely on
> just a software one either.
>
> And with hardware many users/companies make the same mistake, layering
> firewalls all of the same vendor/brand. So that in the event of an exploit
> weakens they're all penetrated.
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/