Home › Forums › Discussions › Support › Emergency Level doesn’t stop all traffic !!!
- This topic has 4 replies, 2 voices, and was last updated 18 years, 4 months ago by alienlove.
-
AuthorPosts
-
July 26, 2006 at 7:30 pm #5042
Hi!
Here I am again. I have another question about NetFirewall.If I set “Emergency Level” (which should block all the traffic) not all the traffic is blocked. ๐ฏ
It blocks all the traffic except the one generated by the winpcap library.
In this particular case, the scan made with nmap hasn’t been blocked and also no traffic has been reported in the log.Why does the firewall do like this?
This problem is very serious because setting this level of security nothing should pass.
Which other programs can bypass the firewall in Emergency Level ?
Thank you
AndreaJuly 26, 2006 at 8:29 pm #6093NeT Firewall puts its packet filter between TCP/IP protocol driver and network interfaces. Winpcap installs its own protocol driver which works at the same level as TCP/IP (in parallel) and not intercepted by NeT Firewall. Basically, if you expect high security you should avoid having any other protocls (like winpcap) installed on the system. Primary purpose of NeT Firewall is protecting TCP/IP stack (not winpcap or any other custom protocol).
In general it is possible to intercept other protocols (like winpcap, ndisuio and etc..) in addition to TCP/IP protocol however this approach has some serious disadvantages (may break third-party NDIS intermediate drivers functionality, custom protocols and etc.) and since NeT Firewall is oriented on users who know what happens on their systems it is implemented on the current way.
July 27, 2006 at 2:23 pm #6094@SerpentFly wrote:
NeT Firewall puts its packet filter between TCP/IP protocol driver and network interfaces. Winpcap installs its own protocol driver which works at the same level as TCP/IP (in parallel) and not intercepted by NeT Firewall. Basically, if you expect high security you should avoid having any other protocls (like winpcap) installed on the system. Primary purpose of NeT Firewall is protecting TCP/IP stack (not winpcap or any other custom protocol).
In general it is possible to intercept other protocols (like winpcap, ndisuio and etc..) in addition to TCP/IP protocol however this approach has some serious disadvantages (may break third-party NDIS intermediate drivers functionality, custom protocols and etc.) and since NeT Firewall is oriented on users who know what happens on their systems it is implemented on the current way.
Hi!
thanks for your fast answer ๐
We’re bugging you only because we’re testing your software here at our university department…
If it were possible to know what really happens on a network, maybe firewalls would not have a reason to exist. If every firewall were written as NetFirewall is, it would be possible to create a trojan horse using Winpcap and there would be no way to stop it.Thanks a lot for your attention
AndreaJuly 27, 2006 at 3:16 pm #6095If every firewall were written as NetFirewall is, it would be possible to create a trojan horse using Winpcap and there would be no way to stop it.
Well, NeT Firewall is created to protect system from the external intrusion, not from the internal one. And trust me, it is not great problem to create a trojan which will bypass any firewall available on the market (such trojan still can be detected by analyzing infected system’s network traffic from another system). It requires strong skills in kernel development and not fast and easy to implement but still… It is 5 minutes to rebuild NeT Firewall to intercept winpcap, but it does not really makes sense. If you want to avoid installing trojan protocol just don’t work under admin account (without having admin rights non of the trojans can install a driver). In general don’t expect that if you install a firewall you can do anything and you are safe.
There is a separate set of products, so called kernel IDS targetted to protect your system from trojan software and system exploits. Firewall primary target is protecting your local network stack from external attacks and thats it. Implementing partial kernel IDS in the firewalls (like ZoneAlarm, an example) give you rather illusion of safety than real safety.
July 27, 2006 at 4:20 pm #6096@SerpentFly wrote:
If every firewall were written as NetFirewall is, it would be possible to create a trojan horse using Winpcap and there would be no way to stop it.
Well, NeT Firewall is created to protect system from the external intrusion, not from the internal one. And trust me, it is not great problem to create a trojan which will bypass any firewall available on the market (such trojan still can be detected by analyzing infected system’s network traffic from another system). It requires strong skills in kernel development and not fast and easy to implement but still… It is 5 minutes to rebuild NeT Firewall to intercept winpcap, but it does not really makes sense. If you want to avoid installing trojan protocol just don’t work under admin account (without having admin rights non of the trojans can install a driver). In general don’t expect that if you install a firewall you can do anything and you are safe.
There is a separate set of products, so called kernel IDS targetted to protect your system from trojan software and system exploits. Firewall primary target is protecting your local network stack from external attacks and thats it. Implementing partial kernel IDS in the firewalls (like ZoneAlarm, an example) give you rather illusion of safety than real safety.
Hi!
As usual, thanks for your quick answer! ๐ Actually the online support for your prodouct is very quick ๐
Don’t worry, this is the last time I bag you ๐
Actually, I think it’s very interesting and useful that NetFirewall runs on driver level. Just -in my opinion ๐ – it would be nice for your firewall a bigger target, implementing some more functionalities.Thanks a lot for your continuous attention,
Andrea -
AuthorPosts
- You must be logged in to reply to this topic.