Comodo Wishlist
Below is my wishlist for Comodo. To be sure, Comodo is an essential component in the security of my family's systems, but it could use some improvements. I have separated what would be simple to add from the major, highly desirable functionalities.
Changes to default mode of operation:
Firewall Rules:
Firewall rules created when allowing an application access to the network are far too lax (allow TCP or UDP from any address and any port to any address and any port). I find myself going back every time - after allowing an application - to correct the rule to follow the “least privilege” security principle.
Ideally, as a result of allowing an application to access the network, I need to be able to view/edit the rule(s) that Comodo creates before accepting them. Second best would be to apply more restrictive rule(s) when the user chooses to let Comodo take care of things. The rule created should by default be for the specific protocol that is being requested (TCP or UDP or ICMP or other, to be specified), the source port should default to dynamic (the 1023-65535 range, in the case of TCP or UDP), and the destination port should default to the specific destination port of the connection. It should also default to the MAC address of the Ethernet interface as the source address (in case of a DHCP-assigned address). In summary, the automatically created rule should look like this:
Example for outgoing TCP or UDP connections:
- Protocol: Only the protocol that applies to the connection in question.
- Source Address: MAC address of the network interface the request is going out from.
- Source Port: Dynamic (1023-65535 range).
- Destination IP: Single IP the application is trying to connect to.
- Destination Port: Single port the application is trying to connect to.
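As an added illustration (not Comodo's code, and not part of the original post), the following derives the proposed default rule from an observed outbound connection and compares it with the all-wildcard rule that is created today; the MAC address, IP addresses and ports are constructed sample values.

```python
# Added example (not Comodo's code): derive the least-privilege rule the post
# proposes from an observed outbound connection and compare it with the
# permissive rule that is created by default. Sample values are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = None  # wildcard: field is not checked

@dataclass(frozen=True)
class Connection:
    protocol: str    # "TCP", "UDP", "ICMP", ...
    src_mac: str     # MAC of the interface the request leaves from
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    protocol: Optional[str]
    src_mac: Optional[str]
    src_ports: Optional[Tuple[int, int]]  # inclusive range
    dst_ip: Optional[str]
    dst_port: Optional[int]

# What the post describes as the current default: every field wildcarded.
LAX_DEFAULT = Rule(ANY, ANY, ANY, ANY, ANY)

def least_privilege_rule(conn: Connection) -> Rule:
    """Rule restricted to the protocol, interface MAC, dynamic source
    port range and the single destination IP/port actually requested."""
    has_ports = conn.protocol in ("TCP", "UDP")
    return Rule(
        protocol=conn.protocol,
        src_mac=conn.src_mac.lower(),
        src_ports=(1023, 65535) if has_ports else ANY,  # range from the post
        dst_ip=conn.dst_ip,
        dst_port=conn.dst_port if has_ports else ANY,   # ICMP has no ports
    )

def matches(rule: Rule, conn: Connection) -> bool:
    """True if the rule would permit this connection."""
    if rule.protocol is not ANY and rule.protocol != conn.protocol:
        return False
    if rule.src_mac is not ANY and rule.src_mac != conn.src_mac.lower():
        return False
    if rule.src_ports is not ANY and not rule.src_ports[0] <= conn.src_port <= rule.src_ports[1]:
        return False
    if rule.dst_ip is not ANY and rule.dst_ip != conn.dst_ip:
        return False
    return rule.dst_port is ANY or rule.dst_port == conn.dst_port
```

Running `matches(LAX_DEFAULT, ...)` against any later connection from the same application returns True, while the derived rule only admits the protocol, interface, source-port range and destination that were originally approved.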
Inability to sort or search through lists:
The inability to sort lists or search through them is a handicap. The longer the lists the harder it gets to locate the specific item one is looking for. I end up spending more time looking for a specific item to edit than I do editing it. This is a needless waste of time.
Policy Reporting:
The ability to export the Comodo policy to a human-readable report format (csv, plain-text, pdf, doc) for policy review and audit purposes is missing.
Missing Security Functionality:
- Location awareness (not all locations are equal from a security standpoint)
- User awareness (not all users are equal from a security standpoint)
- NIDS/NIPS (an additional layer of security)
- Proxy/URL-filtering/Malware-scanning of HTTP traffic (another additional layer).
Location Awareness:
The policies should have a network location component with the ability to specify the criteria that automatically classify the computer's location into a user-defined category. Different locations may require different policies; today there is NO practical way to implement such a model in Comodo.
User Awareness:
The requirement is two-fold.
i) The policy rule sets should also have a “user” component. As with location awareness, the policy should have user awareness that specifies which policy applies to which logged-on user (or group).
ii) In addition, when an application is authorized, whether in the Firewall or in Defense+, the authorized user, group or system account that is allowed to run that application should also be specifiable, including the ability to name system accounts like "NT AUTHORITY/SYSTEM", "NT AUTHORITY/NETWORK SERVICE" and "NT AUTHORITY/LOCAL SERVICE". This is needed to restrict applications in case, in spite of all the security measures, the system does get compromised (it is not an "if", but a "when").
NIDS/NIPS:
Adding a Snort-rule-based network intrusion detection and protection component would add an additional layer of security in the "defense in depth and breadth" concept.
Proxy/URL-Filtering/Malware-scanning:
Squid, Privoxy and DansGuardian are open-source apps which are available for Windows and greatly enhance web browsing security (individually or in any combination). I use all three of them on my system (separately) and would love to have them integrated in Comodo with a nice management front-end. I personally have no problem editing the Unix-style config files used by these apps (my main desktop OS is Linux), but for a novice the task can be overwhelming.