IAC - Internet Access Certificate, how to make a CFP better...

Well, I was struck by this weird idea in the middle of the night, and it forced me to stay awake and write it down. It’s not a product idea, rather a new feature for the Comodo firewall (so if this is not the proper place for it :P sorry). So what is it all about?

IAC - Internet Access Certificate, the fastest way to automatically configure firewall rules for programs.

How would it work, and what is it really?

IAC would be a small and simple text file containing basic information about the program (such as its name, version, publisher and MD5 sum) and a set of information that would allow the firewall to set up filtering rules (like the set of ports used by the application, the direction of the standard connections IN/OUT, which modules/DLLs the program uses to connect to the Internet), or even the rules themselves. The contents of this file could be secured by (e.g.) a PGP signature, which would show whether the file is original or has been modified.

Now, when a new program tried to contact the Internet for the first time, the firewall would pop up with ALLOW / BLOCK / AUTO. The last option would set up the rules in a few simple steps.

1. The firewall will check whether the program is listed in the internal database of programs with predefined rules (the most common ones used worldwide).
2. If it is not found in the database, the firewall will look for the IAC file in a predefined folder on the local machine and set up rules according to the information obtained from the file.
3. If the file is not found, the user will be asked to choose between:
   a) downloading the file from the IAC server (a normal web/ftp server on which certified IAC files are stored);
   b) looking for the file in a different location supplied by the user.
4. The final step is the review of the rules created according to the IAC; the user will decide whether to ADD the rules, MODIFY them or CANCEL the rule creation process.
5. In case of error (file not found / does not exist on the server / user aborted the rule creation) the user will again be asked to allow or block the activity…

That’s the basic idea behind IAC. Now what’s left: a few technical aspects of it.

IAC file structure and its creation process.

The best, but also the least likely to happen, way of creating IAC files would be for the software vendors to create them and send them in for certification; the IAC file would then be stored on the IAC server and a copy of the certified file returned to the software vendor so it could be included in the installation package. (safe & secure)

Another way, which should prove the most effective one, is to allow and encourage the most advanced users to create these files for the software they are currently using, and then send them in for certification. (An option like exporting a specific program’s filtering rules to an IAC file would be sufficient. Information like the module names ever used, the version, the name, etc. would be added automatically.) Unfortunately this solution raises some security issues, such as hackers making fake rules that allow them to exploit bugs found in certain software. (This could be eliminated by the use of some content filtering software, but the final file, before certification, should be checked by someone with enough knowledge to ascertain that the certified rules are safe.)

The structure of this file would be divided into three sections:
1. information about the program that the IAC is for
2. the information needed to create the filtering rules, or the rules themselves
3. the PGP certificate area (which does not exist in user-made files)
Also the ability to add comments to the file is vital, as they would help in many cases.

For example:
############
#header of the IAC file
#containing informations

name=testapp.exe;
ver=1.0.0;
md5= dfghjk3e4567hjmk98756789ikj;

#and sooo on :)
#-------------------------------------------
#now the rules

@allow
port=53,80;
protocol=tcp/ip;
direction=out;

#and so on… whatever option you like to place

limitconect=50;
COFF=yes / no;
#cut off from network if modified by another application… hehe not implemented but might be useful
&_allow

#end of rule

@block;

#and another rule for the same application but this one will block the specified

&_block

#-----------------------------------------
#and the last part
#the certificate
#which is missing since this is not a certificated file :]

#eof

This is simply an example, but in theory an IAC file might look something like this.
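To make the steps above concrete, here is an added example (my own code, not the poster's, and nothing Comodo ships) of what the firewall-side consumer of such a file would have to do before trusting a single rule: parse the three sections, refuse uncertified files, check the signature over the body, and check that the header hash really matches the binary that is asking for network access. It assumes a certificate area written as a `@cert … &_cert` block with a `sig=` field, which the post leaves open, and it uses an HMAC with a constructed key as a stand-in for the PGP signature so the example runs with the standard library alone; a real deployment would verify a detached public-key signature there. The post specifies MD5 and the example follows it, but MD5 collisions are practical today, so a fielded version would use SHA-256. Every check fails closed, which is exactly the fall-back to asking the user in step 5.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-ins: sample bytes playing the role of testapp.exe on disk,
# and a certifier key. The real scheme would carry a detached PGP signature in
# the certificate area; an HMAC is used here only so the example is self-contained.
PROGRAM_BYTES = b"MZ-constructed-sample-bytes-standing-in-for-testapp.exe"
CERT_KEY = b"constructed-certifier-key"


@dataclass
class Block:
    kind: str                          # "allow", "block" or "cert"
    options: dict = field(default_factory=dict)


@dataclass
class IAC:
    header: dict
    rules: list
    signature: Optional[str]


def parse_iac(text):
    """Parse header key=value; lines, @allow/@block ... &_allow/&_block rule blocks
    and an optional @cert ... &_cert block. '#' lines are comments. Nested,
    unbalanced or unterminated blocks are rejected."""
    header, rules, signature, current = {}, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            if current is not None:
                raise ValueError("nested block at %r" % line)
            current = Block(kind=line[1:].rstrip(";"))
            continue
        if line.startswith("&_"):
            if current is None or line[2:] != current.kind:
                raise ValueError("unbalanced terminator %r" % line)
            if current.kind == "cert":
                signature = current.options.get("sig")
            else:
                rules.append(current)
            current = None
            continue
        key, sep, value = line.rstrip(";").partition("=")
        if not sep:
            raise ValueError("malformed line %r" % line)
        target = header if current is None else current.options
        target[key.strip()] = value.strip()
    if current is not None:
        raise ValueError("unterminated block @%s" % current.kind)
    return IAC(header, rules, signature)


def signed_body(text):
    """Everything before the certificate block is what the certifier signs."""
    return text.split("@cert", 1)[0]


def sign(text):
    # Stand-in for the certifier's PGP signature (see the lead-in).
    return hmac.new(CERT_KEY, signed_body(text).encode(), hashlib.sha256).hexdigest()


def program_md5(program_bytes):
    return hashlib.md5(program_bytes).hexdigest()


def validate(text, program_bytes):
    """Return (ok, reason, rules). Fails closed: if any check fails, no rules
    are returned and the firewall falls back to asking the user."""
    try:
        doc = parse_iac(text)
    except ValueError as exc:
        return False, "parse error: %s" % exc, []
    if doc.signature is None:
        return False, "uncertified file: no certificate block", []
    if not hmac.compare_digest(doc.signature, sign(text)):
        return False, "signature mismatch: file modified after certification", []
    if doc.header.get("md5", "").lower() != program_md5(program_bytes):
        return False, "hash mismatch: IAC describes a different binary", []
    return True, "ok", doc.rules


def build_sample(md5_hex, tamper=False):
    """Constructed IAC file modelled on the post's example and signed by the
    stand-in certifier; tamper=True edits a rule after signing."""
    body = ("#constructed sample\nname=testapp.exe;\nver=1.0.0;\nmd5=%s;\n"
            "@allow\nport=53,80;\nprotocol=tcp;\ndirection=out;\n&_allow\n"
            "@block\ndirection=in;\n&_block\n") % md5_hex
    sig = sign(body)
    if tamper:
        body = body.replace("port=53,80;", "port=53,80,8080;")
    return body + "@cert\nsig=%s;\n&_cert\n" % sig


if __name__ == "__main__":
    digest = program_md5(PROGRAM_BYTES)
    cases = [("certified", build_sample(digest), PROGRAM_BYTES),
             ("tampered", build_sample(digest, tamper=True), PROGRAM_BYTES),
             ("wrong binary", build_sample(digest), b"some other program")]
    for label, text, prog in cases:
        ok, reason, rules = validate(text, prog)
        print("%-12s ok=%-5s rules=%d  %s" % (label, ok, len(rules), reason))
```

The order of the checks matters: the signature is verified before the hash field is even read, so a forged header cannot steer the firewall into trusting an attacker-chosen rule set, and the rules only leave `validate` once both checks pass, ready for the user review in step 4.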

What are the other advantages of this system?

- the rules for an application are created automatically; the user doesn’t have to be an expert to be protected by a well set up firewall
- flexibility is gained; the rules can be updated at any time with minimum effort
- after a reinstallation the firewall can be automatically pre-set from the IAC files gathered locally, no more time-consuming setup effort
- and many more…

Oh well, if anyone is interested in the idea I may continue with the explanation later.