Rmus (join:2005-03-26)
Applications connecting out --->

If the last rule in your ruleset blocks all other outgoing traffic, what is the need for an application-based firewall?
Thanks,
-rich

PetePuma "How many lumps do you want" (Premium, MVM; join:2002-06-13; Arlington, VA)

How do you block a worm from talking out TCP port 80 but still allow web browsing on TCP port 80?

Rmus (join:2005-03-26)

Can you describe the worm: how is it talking out?
-rich

PetePuma "How many lumps do you want" (Premium, MVM; join:2002-06-13; Arlington, VA)

An application-level firewall will let you discern between application "A" communicating over a specific port and application "B".
In the theoretical example, the worm would do its own communication but over a port that is likely to be open (i.e. TCP 80).

sbkansas "Actual Example" (Premium, MVM; join:2001-05-10; Hays, KS; AT&T Southwest)
reply to Rmus

Even though this doesn't answer your question, it's my opinion that you should not use a 'Block-all Outgoing' rule ('Block-all Incoming' as your last rule is fine). By using a 'Block-all Outgoing' rule, your firewall will not alert you when something not covered in the previous rules tries an outbound attempt. Myself, I prefer to be notified of such things.
-- "You will find that the mere resolve not to be useless, and the honest desire to help other people, will, in the quickest and delicatest ways, improve yourself" - John Ruskin

Rmus (join:2005-03-26)
reply to PetePuma

said by PetePuma: An application-level firewall will let you discern between application "A" communicating over a specific port and application "B". In the theoretical example, the worm would do its own communication but over a port that is likely to be open (i.e. TCP 80).

But if Port 80 is designated in the rule for your browser, wouldn't your firewall alert you if something else tried to connect out on that port?
(and I agree, sbkansas, about a final block-all-out rule: I used to use it, then stopped, then back on - I'm going to uncheck it)
-rich

PetePuma "How many lumps do you want" (Premium, MVM; join:2002-06-13; Arlington, VA)

said by Rmus: But if Port 80 is designated in the rule for your browser, wouldn't your firewall alert you if something else tried to connect out on that port?

I'm confused then, since now I'm not sure what you're trying to ask.

TheWiseGuy "Dog And Butterfly" (Premium, MVM; join:2002-07-04; Yonkers, NY)
reply to Rmus

said by Rmus: If the last rule in your ruleset blocks all other outgoing traffic, what is the need for an application-based firewall? Thanks, -rich

The application firewall controls what applications can connect with the allow rules. Blocking can be done either with individual rules or a block all as the last rule. The purpose of a Block, ALL, Outbound is to Block anything that doesn't have permission and keep anything that doesn't already have a rule from prompting for permission.
You can write individual block rules for each application that you do not want to have access, or if you are confident that you have allowed everything that needs permission, use a Block, ALL, OUT to keep these applications from prompting.
While I've never used a block all outbound rule, there can be advantages in certain situations. Imagine playing a Multiplayer game and having to deal with prompts.
-- Dog and Butterfly

INHCNN (join:2001-12-15; Lansing, MI)
reply to PetePuma

said by PetePuma: How do you block a worm from talking out TCP port 80 but still allow web browsing on TCP port 80?

Packet inspection
-- "Pressure makes diamonds." --General George S. Patton

PetePuma "How many lumps do you want" (Premium, MVM; join:2002-06-13; Arlington, VA)

Very true.

Rmus (join:2005-03-26)
reply to TheWiseGuy

said by TheWiseGuy: The application firewall controls what applications can connect with the allow rules.

But I can do this with Kerio 2 - why would I need an application based firewall? I'm evidently not grasping something
-rich

TheWiseGuy "Dog And Butterfly" (Premium, MVM; join:2002-07-04; Yonkers, NY)

I think we are all on different pages. I think of Kerio 2 as a rules based firewall, but it is also application based. In fact I consider a pure application based firewall to have less flexibility than a rules/application based firewall.
Many firewalls are a mixture of the two. ZAP and Sygate and NPF can all make rules restricting ports and protocols for different applications.
I believe that normally, a pure application based firewall will only allow one rule per application, which removes the granularity of a rules/application based firewall.
Kerio is not simply a packet filter, IMO it is a full blown rules based, application firewall/packet filter.
-- Dog and Butterfly

Rmus (join:2005-03-26; 1 edit)

said by TheWiseGuy: Kerio is not simply a packet filter, IMO it is a full blown rules based, application firewall/packet filter.

Thanks!
You and Ghost have said this before, and I thought I had it understood, but there is so much hype going around about app-based firewalls... I just wanted to clarify; in reading between the lines, one selling point of app-based firewalls seems to be that it is easier to set up than a full-blown rules-based firewall.
-rich

ghost16825 "Use security metrics" (Premium; join:2003-08-26)

said by Rmus: I just wanted to clarify; in reading between the lines, one selling point of app-based firewalls seems to be that it is easier to set up than a full-blown rules-based firewall. -rich

Going by the definition below:

said by TheWiseGuy: I believe that normally, a pure application based firewall, will only allow one rule per application, which removes the granularity of a rules/application based firewall.

you could say that ZA free is close to a pure 'application-based' firewall. Typically with such a firewall, when an application is allowed the implicit rule is:
Outbound any local port any remote port any address
and with "Server rights":
the above plus Inbound any local port any remote port any address
With a move towards some more control whilst keeping ease-of-use, some vendors have 'classes' to include certain ports but not others.
eg. Browser class - allow remote port 80, 21
-- Admin of the Kerio 2x-like open source project: http://sourceforge.net/projects/kerio/ http://kerio.sourceforge.net/

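The two models the thread contrasts, TheWiseGuy's rules/application firewall with a final Block-all-Outbound rule and ghost16825's pure application-based firewall with its implicit "any port, any address" rule, as an added Python model that is not from the thread or from Kerio, ZA or any other named product. The first-match evaluation, the "prompt" result for unmatched connections and the executable names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

ANY = None  # wildcard for application name or remote port

@dataclass(frozen=True)
class Rule:
    app: Optional[str]          # executable name; ANY matches every application
    direction: str              # "out" or "in"
    remote_port: Optional[int]  # ANY matches every remote port
    action: str                 # "allow" or "deny"

@dataclass(frozen=True)
class Conn:
    app: str
    direction: str
    remote_port: int

BLOCK_ALL_OUT = Rule(ANY, "out", ANY, "deny")  # the 'Block-all Outgoing' last rule

def matches(rule: Rule, conn: Conn) -> bool:
    return ((rule.app is ANY or rule.app == conn.app)
            and rule.direction == conn.direction
            and (rule.remote_port is ANY or rule.remote_port == conn.remote_port))

def decide(rules: List[Rule], conn: Conn) -> str:
    """First matching rule wins; with no match the firewall prompts the user.
    That prompt is the alert a final block-all rule silences (assumed model)."""
    for rule in rules:
        if matches(rule, conn):
            return rule.action
    return "prompt"

def pure_app_rules(app: str, server_rights: bool = False) -> List[Rule]:
    """Pure application-based firewall: allowing an app is one implicit rule,
    outbound to any remote port; 'server rights' adds inbound from anywhere."""
    rules = [Rule(app, "out", ANY, "allow")]
    if server_rights:
        rules.append(Rule(app, "in", ANY, "allow"))
    return rules

def browser_class_rules(app: str) -> List[Rule]:
    """Rules/application firewall with a 'Browser class': the same app is
    allowed out only to remote ports 80 and 21."""
    return [Rule(app, "out", port, "allow") for port in (80, 21)]

# Constructed sample connections; the executable names are assumptions.
BROWSER_SMTP = Conn("browser.exe", "out", 25)
WORM_HTTP = Conn("worm.exe", "out", 80)
```

With the Browser class rules an unknown program on port 80 gets a prompt, which becomes a silent deny once BLOCK_ALL_OUT is appended; under the pure application model the browser is allowed to port 25 as well, which is the lost granularity TheWiseGuy describes.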
ghost16825 "Use security metrics" (Premium; join:2003-08-26)
reply to Rmus

On the other hand, if you're talking about vendor definition abuse, 'application firewall' may mean controlling which applications can and cannot run, with nothing to do with network traffic whatsoever. In which case it's time to also abuse the vendor for making such misleading claims...
-- Admin of the Kerio 2x-like open source project: http://sourceforge.net/projects/kerio/ http://kerio.sourceforge.net/