* Home Help Search Login Register  

Welcome, Guest. Please login or register.
October 10, 2008, 09:48:51 PM

Login with username, password and session length

199098 Posts
22882 Topics
54912 Members
Latest Member: catstoluv

more news...
Search:     Advanced search | Tag Cloud
+  Welcome to the Comodo Forum
|-+  Desktop Security Products
| |-+  Comodo Firewall
| | |-+  Leak Testing/Attacks/Vulnerability Research
| | | |-+  A New-Simple Outbound Protection Test		 « previous next »
Pages: [1] 2 Go Down Print
Author Topic: A New-Simple Outbound Protection Test  (Read 8963 times)
egemen
Administrator
Comodo's Hero
*****
Offline Offline

Posts: 1737
« on: January 25, 2008, 04:57:10 PM »
Hi Guys,

Here is another BASIC outbound protection filtering test for testing firewalling functionality. It tests data transfer over ICMP and a firewall's reaction to it. Any average firewall should pass these basic ones though there are still many which cant.

Egemen
« Last Edit: January 25, 2008, 05:11:42 PM by Melih » Logged
Ragwing
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 3114


Sailor Warrior of Love and Justice
« Reply #1 on: January 25, 2008, 05:20:57 PM »
Downloaded and ran it. CFP 3 passed it, but my hardware firewall failed it, so now we got another reason to use CFP Grin
Logged


XP SP3 2 GHz 768 MB RAM
5 services / 12 processes
Melih
Comodo's Hero
Administrator
Comodo's Hero
*****
Offline Offline

Posts: 5677



WWW
« Reply #2 on: January 25, 2008, 05:29:55 PM »
Indeed!

this is a basic test that any decent firewall should be able pass.

Melih
Logged
Visit Melih's Blog
Ragwing
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 3114


Sailor Warrior of Love and Justice
« Reply #3 on: January 25, 2008, 05:36:39 PM »
Just want to add one thing. Disabling all ICMP-traffic with IPSec will make you pass the test.
With CFP you get Error: icmpEcho Status=11010, but with IPSec, you get Error: icmpEcho Status=11003.
What's the difference between 11010 and 11003?
Logged


XP SP3 2 GHz 768 MB RAM
5 services / 12 processes
Josh123
Guest
« Reply #4 on: January 26, 2008, 12:01:58 AM »
Considering I have Defense+, The "Firewall" alert did pop up, and I passed all tests.

Josh.
Logged
Soyabeaner
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 7438
« Reply #5 on: January 26, 2008, 12:07:51 AM »
Considering I allowed a lot of outgoing ICMP connection rules (for uTorrent), I still passed Thumb Up
« Last Edit: January 26, 2008, 12:12:15 AM by Soyabeaner » Logged
Leopard19
Comodo's Hero
*****
Offline Offline

Posts: 336


aka apache255
« Reply #6 on: January 27, 2008, 07:39:00 AM »
same good results here: first alert from Def+, I allow it, and then an alert from the firewall itself. Also in my case when I disable CFP, the router firewall doesn't pass the test.

By the way it's not the first time I notice that: when I allow or block something from Def+ or the firewall without checking the remember box, things are being remembered for the Windows Session. Like for that test, I didn't check remember and the ICMP traffic from it keeps being blocked with no alert, starting with the second test.
« Last Edit: January 27, 2008, 07:42:07 AM by Leopard19 » Logged
Soyabeaner
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 7438
« Reply #7 on: January 27, 2008, 10:46:57 AM »
Actually, I found it wasn't for the logon session.  I restarted the app and CFP alerted again.
Logged
Little Mac
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 6017
« Reply #8 on: January 29, 2008, 06:00:56 PM »
hey, if I can pass this test with v3 installed in Basic (ie, no D+) by blocking the executable trying to connect to the internet, how is there no outbound protection?  Wink

LM
Logged
date
dcfldd split=2G conv=noerror hashwindow=0 hash=md5 bs=32768 hashlog=/mnt/sda1/images/hash.log if=/dev/hda of=/mnt/sda1/images/LM.dd
date
cat LM.dd.* | md5sum > verify.log
date
Leopard19
Comodo's Hero
*****
Offline Offline

Posts: 336


aka apache255
« Reply #9 on: January 29, 2008, 06:11:01 PM »
Quote from: Little Mac on January 29, 2008, 06:00:56 PM
hey, if I can pass this test with v3 installed in Basic (ie, no D+) by blocking the executable trying to connect to the internet, how is there no outbound protection?  Wink

LM

same here, as i said in my post above, I allowed the process with Def+, and still got an alert from the firewall. Good news for those guys down there at Scott's newsletter!  Cheers

(also wanted to let you know I posted something there tonight: http://blog.scotsnewsletter.com/2008/01/22/comodos-ceo-attacks-scots-newsletter-product-decision/#comment-306 )
« Last Edit: January 29, 2008, 06:16:06 PM by Leopard19 » Logged
egemen
Administrator
Comodo's Hero
*****
Offline Offline

Posts: 1737
« Reply #10 on: January 29, 2008, 10:49:57 PM »
Quote from: Little Mac on January 29, 2008, 06:00:56 PM
hey, if I can pass this test with v3 installed in Basic (ie, no D+) by blocking the executable trying to connect to the internet, how is there no outbound protection?  Wink

LM

FYI:

That "so called recommended firewall" was failing this basic test in its most advanced mode. You can test yourself if they havent fixed yet. And people still compare it with CFP 3...

Egemen
Logged
ggf31416
Comodo Loves me
****
Offline Offline

Posts: 108
« Reply #11 on: January 30, 2008, 05:08:47 PM »
The reason many firewall have poor outbound protection for ICMP is that is rarely used to leak data.
Comodo should make a leaktest that sends data (a short string written by the user) using pings (e.g. using 16 different sizes of ping, each one representing 4 bits) to a comodo server with software able to decode the pings and show the strings in a website.
Logged
egemen
Administrator
Comodo's Hero
*****
Offline Offline

Posts: 1737
« Reply #12 on: January 30, 2008, 08:05:04 PM »
Quote from: ggf31416 on January 30, 2008, 05:08:47 PM
The reason many firewall have poor outbound protection for ICMP is that is rarely used to leak data.
Comodo should make a leaktest that sends data (a short string written by the user) using pings (e.g. using 16 different sizes of ping, each one representing 4 bits) to a comodo server with software able to decode the pings and show the strings in a website.

Here is a trojan that LEAKS data(personal information) over ICMP:
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=570

Never mind leaking data, there are various DDoS Attacks Tools that use ICMP protocol. It is not just leaking the data. A User's computer can be a zomby and his firewall may not be detecting this at all...  Another example: http://ca.com/us/securityadvisor/pest/pest.aspx?id=2776

I dont think most firewalls would fail this test. At least the decent ones... It is as basic as grc.com leaktest...

Egemen
Logged
hbobeck
Comodo's Hero
*****
Offline Offline

Posts: 203
« Reply #13 on: February 06, 2008, 07:15:22 AM »
hmmm

For some strange reason CFP 3.0.16.295 does not pass the ICMP2-test!!!  Angry

"Your firewall has FAILED the test"

ICMP1-test passed...

I'm confused!

Harry
Logged
Soyabeaner
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 7438
« Reply #14 on: February 06, 2008, 11:04:11 AM »
Harry, did you answer No to the firewall alert? 

Also, this is the incorrect thread to be posting about leak testing, so I'll be moving your and my post to the appropriate one. [Done]
« Last Edit: February 06, 2008, 11:09:53 AM by Soyabeaner » Logged
Tags:
Pages: [1] 2 Go Up Print 
« previous next »
Jump to:  

SSL Firewall
Page created in 0.398 seconds with 20 queries.
Powered by SMF 1.1.5 | SMF © 2006, Simple Machines LLC
Seo4Smf v0.2 © Webmaster's Talks 		Design by 7dana.com