Non-technical users and server permission?

I have been a ZoneAlarm user since 2000 and it has been my recommended firewall whenever asked for an opinion. I settled on the ‘Plus’ version as a good firewall, and refused to go ‘Pro’ when they discontinued Plus in 2004 and started bundling AV in with the firewall.

I have recently installed CFP and am wondering if I can reasonably recommend it to non-technical computer users. My concern is alerts and specifically “server permission”.

My Experience – Netscape Mail (an authorized working application) asked for server permission and was denied. It no longer worked as a mail client. I found and deleted the Application Control Rule and restored functionality. Forum research informed me that the application wanted permission to communicate between processes on the local machine (local IP or loopback IP). AbsoluteTelnet also asked for server permission and I noted the IP address was private (192.168.0.2) and granted the request.

I have always guided ZA users to answer NO to requests for server permission. How would I advise a non-technical potential CFP user to respond to the same request? If the question cannot be answered without knowing about public vs private IP addresses and the loopback, then perhaps CFP is not appropriate for the average PC user.

Are my conclusions wrong?

Welcome, Late2DM!

The thing to keep in mind is the difference in terminology. ZA does not mean (necessarily) the same thing as CFP when it talks about “server” permissions. In CFP that refers to internal communication (as you’ve noted) and/or the ability to be prepared for a connection (similar to “listening” on a port). ZA does not interact with applications the same way as CFP; as you’ve noted, when you deny the connection in CFP, the application is blocked, period.

Firewalls have different levels of complexity, and CFP is one that can be highly complex. It can also be very “set and forget” with a high level of security. Egemen, the lead developer for the FW, has said he keeps his Alert Frequency set to Very Low (Security/Advanced/Miscellaneous), which will cause only one alert per application, and keeps Application Behavior Analysis turned on. He says this is no risk in security. You may find some more info in this thread: https://forums.comodo.com/index.php/topic,6167.0.html

You’ll note a reference to ABA alerts in the compilation thread. CFP v3 will have a much-expanded safelist, which will greatly minimize these alerts, helping the FW to be much more quiet.

Hope this helps,

LM
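An added example, not from this thread or from Comodo, to make the “act as a server” terminology concrete: a listener bound to the loopback address is reachable only by processes on the same machine, which is why such alerts show 127.0.0.1 or a private LAN address like 192.168.0.2. The sample addresses and the `classify`/`reachability` helpers are constructed for illustration.

```python
import ipaddress
import socket

# Constructed sample addresses: 127.0.0.1 and 192.168.0.2 are the ones the thread
# mentions; 8.8.8.8 stands in for an arbitrary public address.
SAMPLE_ALERT_ADDRESSES = ["127.0.0.1", "192.168.0.2", "0.0.0.0", "8.8.8.8"]


def classify(addr: str) -> str:
    """Classify an address as it might appear in a 'server permission' alert."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:   # 0.0.0.0: a listener bound here is reachable on every interface
        return "all-interfaces"
    if ip.is_loopback:      # 127.0.0.0/8: only other processes on this machine can reach it
        return "loopback"
    if ip.is_private:       # RFC 1918 space such as 192.168.0.2, i.e. the LAN behind the router
        return "private"
    return "public"


def reachability(local_addr: str, remote_addr: str) -> str:
    """Plain-language reading of an 'act as a server' alert from its two addresses."""
    local, remote = classify(local_addr), classify(remote_addr)
    if local == "loopback" and remote == "loopback":
        return "inter-process traffic that never leaves this machine"
    if remote == "private":
        return "a listener reachable from other hosts on the local network"
    if remote == "public":
        return "a listener that an Internet host would be able to reach"
    return "unclassified"


def loopback_listen_roundtrip() -> tuple:
    """Open a listener bound only to loopback (the 'act as a server' behaviour the
    firewall alerts on), connect to it locally, and classify both ends."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))        # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    cli = socket.create_connection(("127.0.0.1", port))
    conn, peer = srv.accept()
    verdict = reachability(conn.getsockname()[0], peer[0])
    conn.close(); cli.close(); srv.close()
    return classify(peer[0]), verdict


if __name__ == "__main__":
    for a in SAMPLE_ALERT_ADDRESSES:
        print(a, "->", classify(a))
    print(loopback_listen_roundtrip())
```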

Little Mac,

Very helpful, thank you. Your time and knowledge are great assets for the forum.

I had already read a large portion of the thread you referenced and used those installation instructions for my initial install. I understand the points you make but I would like to pursue the topic a bit further. There is still no clarity even after reading the following posts. Please remember, I am trying to keep the perspective of a non-technical computer user and I assume the default installation options are in effect.

Thread indicating loopback not trustworthy (egemen’s final post):
https://forums.comodo.com/index.php/topic,1695.0.html

A long related thread which leaves the loopback topic unresolved:
https://forums.comodo.com/index.php/topic,6630.0.html

Another post and still no clear answer, only more explanation on the nature of internal connections:
https://forums.comodo.com/index.php/topic,1563.0.html

  1. First, am I correct in my belief that a computer behind a wired or properly secured wireless router performing NAT should still be running a personal firewall?

  2. Is the use of a proxy server (local or remote) the only time the loopback presents a security risk?

  3. Under what conditions should a trusted application ever be DENIED a TCP “server” connection for the loopback? For the machine’s IP address?

  4. Do egemen’s recommended settings (Alert Frequency: Very Low, ABA: On) prevent alerts for server connections for known applications?

With regard to CFP v3 and “a much-expanded safelist”, reducing the number of questions the user must answer, without compromising effectiveness, is great. Do you know how those improvements will handle the server question?

Thanks for your feedback.

Not wishing to interrupt LM's flow, I just want to add a comment regarding loopback and Mozilla products.

The loopback requirement for these products has nothing to do with the firewall, in fact you will receive the same requests for loopback on any personal firewall.

The reason you receive the prompts (on Windows and Macs only) is a feature of the product; to be precise, it’s a feature of the NSPR (Netscape Portable Runtime API), which allows Mozilla apps, like Firefox, to perform low-level communications. In this case, it’s the Firefox core talking to the SSL module.

Basically having to allow loopback is a kludge, it’s simply a way of emulating UNIX socket communication on Windows and Mac platforms. You can read some more about it here:

I appreciate that telling a non-technical user that will probably not help; I just wanted to point out that it has nothing to do with the firewall.

Toggie

Sorry if there’s a lack of a clearly-defined, definitive answer. Computer security is largely a matter of personal opinion/comfort level. If you research in this area at all, you will see that the opinions are many, and varied… There is an old saying about opinions, but I shan’t relate it here… :wink:

I’ll try to answer your questions in order:

  1. In my opinion, yes. Hardware & software firewalls are designed differently, to do different things. It is best to have a layered defense.

  2. For a regular user, probably so. There are probably some theoretical areas in which there might be other risks, but I’m not specifically aware of any.

  3. If it’s “trusted” probably not unless the alert indicates some unexpected change to the application (ie, an ABA alert).

  4. I don’t think so. I’m not at a Windows machine at the moment, so I’m going from memory. I think (if I recall correctly) that Very Low is for Application, but includes the “act as a server” alert.

The safelist will only impact if a user is using it (ie, under Security/Advanced/Miscellaneous, that the 2nd box is checked - Do not show alerts for applications certified by Comodo, and that you’ve run the Scan for Known Applications under Security/Tasks). Then it won’t show alerts for those, which would include the “act as a server” alert.

Just remember, this ‘act as a server’ with Comodo is not the same as with Zone Alarm. It does not mean the application is establishing an In/Out open connection…

LM