Comodo Wishlist from a security expert.

Comodo Wishlist

Below is my wishlist for Comodo. To be sure, Comodo is an essential component in the security of my familiy’s systems, but could use some improvements. I have separated what would be simple to add from the highly desirable major desirable functionalities.

[U]Changes to default mode of operation[/U]
Firewall Rules:
Firewall rules created when allowing an application access to the network are far too lax (allow TCP or UDP from any address and any port to any address and any port). I find myself going back every time - after allowing an application - to correct the rule to follow the “least privilege” security principle.

Ideally, as a result of allowing an application to access the network I need to be able to view/edit the rule(s) that Comodo creates before accepting them. Second best, would be to apply more restrictive rule(s) when the user chooses to let Comodo take care of things. The rule created should by default be for the specific protocol that is being requested (TCP or UDP or ICMP or other to be specified), source port to default to dynamic (1023-65535 range) in the case of TCP or UDP) and destination port to default to the specific destination port of the connection. It should also default to the MAC address of the Ethernet interface for a source address (in case of DHCP assigned address). In summary, the automatically created rule should look like this:

Example for outgoing TCP or UDP connections:

  • Protocol…: Only the protocol that applies to the connection in question.
  • Source Address…: MAC address of network interface the request is going out from.
  • Source Port…: Dynamic (1023-65535 range).
  • Destination IP…: Single IP the application is trying to connect to.
  • Destination Port…: Single port the application is trying to connect to.

Inability to sort or search through lists:
The inability to sort lists or search through them is a handicap. The longer the lists the harder it gets to locate the specific item one is looking for. I end up spending more time looking for a specific item to edit than I do editing it. This is a needless waste of time.

policy Reporting:
The ability to export the Comodo policy to a human-readable report format (csv, plain-text, pdf, doc) for policy review and audit purposes is missing.

Missing Security Functionality:

  • Location awareness (not all locations are equal from a security standpoint)
  • User awareness (not all users are equal from a security standpoint)
  • NIDS/NIPS (an additional layer of security)
  • Proxy/URL-filtering/Malware-scanning of HTTP traffic (another additional layer).

Location Awareness:
The policies should have a network location component with the ability to specify the criteria that automatically classifies the computer’s location to a user-defined parameter. Different locations may require different policies, today there is NO practical way to implement such a model in Comodo.

User Awareness:
The requirement is two-fold.
i) The policy rule sets should also have a “user” component. As with location awareness, the policy should have user awareness that specifies which policy applies to which logged-on user (or group).
ii) In addition, when an application is authorized whether in the Firewall or in Defense+, the authorized user, group or system account that is allowed to run that application should also be specifiable, including the ability to name system accounts like “NT AUTHORITY/SYSTEM”, “NT AUTHORITY/NETWORK SERVICE” and “NT AUTHORITY/LOCAL SERVICE”. This is needed to restrict applications in case in spite of all the security measures the system does get compromised (it is not an “if”, but a “when”).

Adding a snort-rule based network intrusion detection and protection component would add an additional layer of security in the “defense in depth and breadth” concept.

Squid, privoxy and dansguardian are open-source apps which are available for Windows and greatly enhance web browsing security (individually or in any combination). I use all three of them in my system (separately) and would love to have them integrated in Comodo with a nice management front-end. I personally have no problem editing the Unix-style config files used by these apps (my main desktop O/S is Linux), but for a novice the task can be overwhelming.

G’day and welcome to the forums,

Thanks for the wishes and particularly for the detailed explanation of the rationale behind them. :slight_smile:

Some of your points can be achieved currently in CIS, although it may not be immediately obvious how.

Firewall Rules
The current default rule creation is, IMHO, far too promiscuous (as you have stated) but the auto-generated rules can be tightened by altering the FIREWALL → ADVANCED → FIREWALL BEHAVIOUR SETTINGS → ALERT SETTINGS slider.

The default value is “LOW”, which will cause an ANY ADDRESS/ANY PORT/ANY PROTOCOL rule to be generated. Changing the slider up to “VERY HIGH” will cause alerts and corresponding rules to be ADDRESS-, PROTOCOL-, DIRECTION- and PORT-SPECIFIC. Settings in between “LOW” and “VERY HIGH” will produce rules of intermediate granularity.

Location Awareness
User Awareness

Here’s where we get to the lumpy part. :wink:

The Location Awareness can be managed by creating different configuration profiles to suit different geolocations. You could, for example, have one config for the work environment, one config for public wifi hotspots and another for home/private use, but the onus is on the user to select appropriately.

Similarly, you could create user specific variations on each config.

The lumpy bit is that there is currently no mechanism for CIS to detect the currently logged in user and load a config associated with that particular user. It would again need to be manually selected by the user.

Having said that, the concept of user specific configs would be particularly suitable for multi-user PCs and could be handled by CIS referencing the currently logged in username and loading a config associated with that username. The more I think on this, the more i like the concept. :slight_smile:

Could you please add this to the wishlist topic?

Again, thanks for the ideas and the detailed info underpinning each one. Much appreciated.

Ewen :slight_smile:

P.S. Since your entire post is wish related, it may be more appropriate for you to break the list down and repost in the appropriate sub-sections in the CIS Wishlist board.

The user awareness has two facets: the one you mentioned and a second one of no lesser importance: the ability to state user name in both Firewall and Defense+ rules.

A user application that suddenly runs in the context of a system account has in all likelihood been compromised, similarly a process that is normally run by a system account (such as NT Authority\System or NT Authority\Network Service or NT Authority\Local Service) and is run by a user account are definite signs of foul play. Similar scenarios apply to network access.

The user running the process is a determining factor in the legitimacy of that process. A user app should never be allowed to run as system, and vice-versa. AFAIK today such rules cannot be defined in Comodo.

For hints, please do take a look at what was Tiny Personal Firewall Pro (resurrected as CA HIPS). I believe you can download a 30-day evaluation of HIPS from CA’s web site.

Good points. Can you please add these to the wishlist.

Ewen :slight_smile:

P.S. Did the info about the granularity of the firewall rules clear things up?

Yes it did. I would still like to be thrown in a screen where the rule that is about to be created is shown, and I am given the option to modify it or to accept it “as is” if it suits my purpose. To be sure the right decision requires human intervention, I would be wary of software that makes security decisions on behalf of the operator or administrator with no further information. One size does NOT fit all, pre-setting rule granularity amongst several presets is better than no option, but is far from being the most practical solution for the security conscious.

BTW, over the years I have evaluated the endpoint security solutions from major vendors, at the time of the evaluation none of the solutions allowed the user to edit the rules created in response to allowing a function or connection, before finalizing the rule. This is a major usability issue.

This issue of dynamically adjusting the rules at the creation point has been raised several times on these forums. It is on the developers horizon, but the distance to that particular horizon is yet to be determined.

I believe (but don’t quote me on this as I’m reading between several lines here) that it will eventually be included and be accessible from an ADVANCED button (or similar) in the firewall alert.

Ewen :slight_smile: