Stateful Packet Inspection Against All Kinds of Malware!

 
 
beatnik
Guest
Posts: n/a

 
      08-13-2004, 07:32 AM
Let's assume that I do not want to run critical security updates (patches)
by Micro$oft.

a) I was wondering if just a firewall can save my ass without even using
AV. Is there a WinXP firewall tool with stateful packet inspection that
I can configure to accept inbound traffic only as a response to my
previous outbound connection?

b) If there is one, then I would also like that firewall to inspect
each incoming packet to my network interface, and if the data portion of
the packet matches a virus/trojan/worm or any kind of malware packet, then
it will simply have to drop it.

That way, even if I deliberately choose to open a virus-infected link or a
worm-infected attachment, my OS will still be in no danger at all, even without
running an AV or patches!

I think this is a logical demand, and we don't have to search every day for
patches to secure the holes in our OS; instead we will leave the firewall to
update its database automatically.

Antivirus packages, after all, don't work as they should, in my opinion!
They wait for your machine to get infected with a virus which is stored
in an HDD file, and then, because they have a scannable object in their
hands, only then can they delete the damn thing....

I believe stateful packet inspection, by examining the contents of the IP
packets' data portion against a malware (trojan/worm/virus) database that
would update itself periodically, would be a far more secure approach.
No?!?!

What do you guys think of it? Am I asking too much?

Can it be done by the use of iptables?

--
Just because I can, doesn't mean I will.
Just because I don't, doesn't mean I can't.
Just because you say so, doesn't mean I'll change.
And above all, just because you want it, doesn't mean I care.


 
Bit Twister
Guest
Posts: n/a

 
      08-13-2004, 07:40 AM
On Fri, 13 Aug 2004 07:32:36 +0000 (UTC), beatnik wrote:
> Let's assume that I do not want to run critical security updates (patches)
> by Micro$oft.


Before anyone replies to this post, you may want to read this thread
http://groups.google.com/groups?selm=cfdcpj$sgi$(E-Mail Removed)
so as not to repeat, and to get a good feel for what beatnik wants.
 
beatnik
Guest
Posts: n/a

 
      08-13-2004, 07:41 AM
Bit Twister <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> http://groups.google.com/groups?selm=cfdcpj$sgi$(E-Mail Removed)


I know. I just want to hear your opinion on this as well, and also if it can
be done with iptables and how.

That's why I asked.

--
Just because I can, doesn't mean I will.
Just because I don't, doesn't mean I can't.
Just because you say so, doesn't mean I'll change.
And above all, just because you want it, doesn't mean I care.


 
Walter Schiessberg
Guest
Posts: n/a

 
      08-13-2004, 07:53 AM
beatnik wrote on 13.08.2004 09:32:

> Let's assume that I do not want to run critical security updates (patches)
> by Micro$oft.


What does this have to do with Linux networking?

>
> a) I was wondering if just a firewall can save my ass without even using
> AV. Is there a WinXP firewall tool with stateful packet inspection that
> I can configure to accept inbound traffic only as a response to my
> previous outbound connection?


Ask a Microsoft group.

>
> b) If there is one, then I would also like that firewall to inspect
> each incoming packet to my network interface, and if the data portion of
> the packet matches a virus/trojan/worm or any kind of malware packet, then
> it will simply have to drop it.


This is what on-demand virus-scanners are for.

> That way, even if I deliberately choose to open a virus-infected link or a
> worm-infected attachment, my OS will still be in no danger at all, even without
> running an AV or patches!


Now it's getting weird. If you're running your computer with this
attitude, it surely is infected.

>
> I think this is a logical demand, and we don't have to search every day for
> patches to secure the holes in our OS; instead we will leave the firewall to
> update its database automatically.


Where do you see the difference between updating your "firewall" and
updating your OS?

> Antivirus packages, after all, don't work as they should, in my opinion!
> They wait for your machine to get infected with a virus which is stored
> in an HDD file, and then, because they have a scannable object in their
> hands, only then can they delete the damn thing....


Get yourself some logical thinking.

>
> I believe stateful packet inspection, by examining the contents of the IP
> packets' data portion against a malware (trojan/worm/virus) database that
> would update itself periodically, would be a far more secure approach.
> No?!?!


Scanning each IP packet for content is quite a hassle.

>
> What do you guys think of it? Am I asking too much?


Asking as such is good, but asking without thinking first is at least
impolite, because it tells the others "I'm just too lazy, you do the
thinking for me".

>
> Can it be done by the use of iptables?
>


By stateful inspection is meant the state of the connection. If you
initiate a connection, all answers to this connection are accepted. If a
remote machine initiates a new and unanswered-for connection, it will be
rejected.
Do yourself a favour and do some research and get your vocabulary clear
before posting.

--
Walter

Sorry for ranting, but this was just the last straw.
 
Bit Twister
Guest
Posts: n/a

 
      08-13-2004, 08:07 AM
On Fri, 13 Aug 2004 09:53:47 +0200, Walter Schiessberg wrote:
> Do yourself a favour and do some research and get your vocabulary clear
> before posting.


> Sorry for ranting, but this was just the last straw.


You would have ranted more had you known he has posted the same
message in
comp.security.firewalls
local.linux.greek.users
alt.hacker
 
Walter Schiessberg
Guest
Posts: n/a

 
      08-13-2004, 08:17 AM
Bit Twister wrote on 13.08.2004 10:07:

> On Fri, 13 Aug 2004 09:53:47 +0200, Walter Schiessberg wrote:
>
>>Do yourself a favour and do some research and get your vocabulary clear
>>before posting.

>
>
>>Sorry for ranting, but this was just the last straw.

>
>
> You would have ranted more had you known he has posted the same
> message in
> comp.security.firewalls
> local.linux.greek.users
> alt.hacker


Somehow I suspected this :-))

--
Walter
 
beatnik
Guest
Posts: n/a

 
      08-13-2004, 09:12 AM
Bit Twister <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> On Fri, 13 Aug 2004 09:53:47 +0200, Walter Schiessberg wrote:
>> Do yourself a favour and do some research and get your vocabulary clear
>> before posting.

>
>> Sorry for ranting, but this was just the last straw.

>
> You would have ranted more had you known he has posted the same
> message in
> comp.security.firewalls
> local.linux.greek.users
> alt.hacker
>


I told you in my previous post why I did it. Read it.

--
Just because I can, doesn't mean I will.
Just because I don't, doesn't mean I can't.
Just because you say so, doesn't mean I'll change.
And above all, just because you want it, doesn't mean I care.


 
beatnik
Guest
Posts: n/a

 
      08-13-2004, 09:15 AM
Walter Schiessberg <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> beatnik wrote on 13.08.2004 09:32:


>
>> That way, even if I deliberately choose to open a virus-infected link
>> or a worm-infected attachment, my OS will still be in no danger at all,
>> even without running an AV or patches!

>
> Now it's getting weird. If you're running your computer with this
> attitude, it surely is infected.


What I am asking is why.

>> I think this is a logical demand, and we don't have to search every day
>> for patches to secure the holes in our OS; instead we will leave the
>> firewall to update its database automatically.

>
> Where do you see the difference between updating your "firewall" and
> updating your OS?


I just want the simplest and most "little needed" way to do it.

>> Antivirus packages, after all, don't work as they should, in my opinion!
>> They wait for your machine to get infected with a virus which is
>> stored in an HDD file, and then, because they have a scannable object in
>> their hands, only then can they delete the damn thing....

>
> Get yourself some logical thinking.


Well, actually I did. Why don't you tell me your logical thinking about it?

>> Can it be done by the use of iptables?
>>

>
> By stateful inspection is meant the state of the connection. If you
> initiate a connection, all answers to this connection are accepted. If
> a remote machine initiates a new and unanswered-for connection, it will
> be rejected.


I am asking if it's possible for iptables, apart from SPI, to also check
each IP packet against malware. That's what I am asking.



--
Just because I can, doesn't mean I will.
Just because I don't, doesn't mean I can't.
Just because you say so, doesn't mean I'll change.
And above all, just because you want it, doesn't mean I care.


 
Walter Mautner
Guest
Posts: n/a

 
      08-13-2004, 09:17 AM
beatnik wrote:

> Let's assume that I do not want to run critical security updates (patches)
> by Micro$oft.
>
> a) I was wondering if just a firewall can save my ass without even using
> AV. Is there a WinXP firewall tool with stateful packet inspection that
> I can configure to accept inbound traffic only as a response to my
> previous outbound connection?
>

The standard XP firewall (what the heck has this question to do with Linux?)
will do it. As well as iptables.
Now a firewall cannot save your ass from malware received and opened on the
inside (mail or warez download or whatever).

> b) If there is one, then I would also like that firewall to inspect
> each incoming packet to my network interface, and if the data portion of
> the packet matches a virus/trojan/worm or any kind of malware packet, then
> it will simply have to drop it.
>

Ah. Yes. Sounds like a good idea. Now what about malware coming zipped or
otherwise compressed? How can iptables collect all the parts of a multipart
rar, extract it, scan it and resubmit them with the same tcp checksums and
session numbers, without timing out and forcing resends by the requesting
client in between, causing buffer overflows and breakdown of the whole tcp
stack?

> That way, even if I deliberately choose to open a virus-infected link or a
> worm-infected attachment, my OS will still be in no danger at all, even without
> running an AV or patches!
>

Dreamer.
Well, there is such a thing as clamav-squid, which, when running as a
transparent proxy and blocking direct www/ftp outgoing connections via
iptables, might come close to what you want, in conjunction with a mail
proxy (postfix-amavis). Needs a lot of configuration though.

> I think this is a logical demand, and we don't have to search every day for
> patches to secure the holes in our OS; instead we will leave the firewall to
> update its database automatically.
>

Now there are still other ways to insert malware. You cannot make a network
foolproof, there are always better fools.

> Antivirus packages, after all, don't work as they should, in my opinion!
> They wait for your machine to get infected with a virus which is stored
> in an HDD file, and then, because they have a scannable object in their
> hands, only then can they delete the damn thing....
>

The on-access-scanners running in the background (there is clamd with
dazuko/clamuko in linux) do inhibit the storage of a virus, at least in
executable (unpacked) form.

> What do you guys think of it? Am I asking too much?
>

Yes.
--
Longhorn error#4711: TCPA / NGSCB VIOLATION: Microsoft optical mouse
detected penguin patterns on mousepad. Partition scan in progress
*to*remove*offending*incompatible*products.**Reactivate*your*MS*software.
Linux woodpecker.homnet.at 2.6.8-rc2-bk9pkt*[LinuxCounter#295241]
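Walter Schiessberg's description of stateful inspection, and Walter Mautner's remark that iptables will do it, written out as an added example script (not code from any poster in this thread). The marker string `EXAMPLE-MALWARE-MARKER` and the `--apply` switch are constructed placeholders; the single string-match rule is there only to show that iptables matches bytes within one packet, which is the limit Mautner describes for question (b).

```shell
#!/bin/sh
# Added example, not from the thread: a minimal iptables ruleset for the
# policy beatnik asks for in (a): inbound traffic is accepted only when
# conntrack says it belongs to a connection this host opened itself.
# $1 is the command to run for each rule; pass "echo" for a dry run.
stateful_rules() {
    ipt="$1"

    # Clean filter table, default-deny inbound, allow outbound.
    "$ipt" -F INPUT
    "$ipt" -P INPUT DROP
    "$ipt" -P FORWARD DROP
    "$ipt" -P OUTPUT ACCEPT

    # Loopback traffic is always accepted.
    "$ipt" -A INPUT -i lo -j ACCEPT

    # Question (b), as far as iptables goes: the string match sees only
    # the bytes of one packet, so it never matches a string split across
    # two segments or hidden inside a zip/rar. The marker here is a
    # constructed placeholder, not a real malware signature.
    "$ipt" -A INPUT -p tcp -m string --algo bm \
        --string "EXAMPLE-MALWARE-MARKER" -j DROP

    # Stateful inspection in Walter's sense: replies (ESTABLISHED) and
    # helper-tracked companions such as FTP data channels (RELATED) to a
    # connection we initiated are accepted. Anything else, i.e. a remote
    # host initiating a new connection, falls through to the DROP policy.
    "$ipt" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Return 0 if the generated ruleset contains the conntrack rule.
has_state_rule() {
    stateful_rules echo | grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT'
}

# Count rules that look at packet payload; used to show there is just one.
payload_rule_count() {
    stateful_rules echo | grep -c -- '-m string'
}

# Real use needs root: ./firewall.sh --apply
if [ "${1:-}" = "--apply" ]; then
    stateful_rules iptables
fi
```

Run it without arguments (or call `stateful_rules echo`) to print the rules instead of loading them.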
 
Gerard Wassink
Guest
Posts: n/a

 
      08-13-2004, 09:40 AM
On Fri, 13 Aug 2004 09:53:47 +0200, Walter Schiessberg wrote:

[crap snipped]

His name is "beatnik", right?

Nomen est omen:

When the term 'Beat Generation' began to be used as a label for the
young people Kerouac called 'hipsters' or 'beatsters' in the late 1950s,
the word 'beat' lost its specific references to a particular subculture
and became a synonym for anyone living as a bohemian or acting
*rebelliously* or appearing to advocate a revolution in manners.

In 1958, a few months after Russia launched their 'sputnik' satellite,
San Francisco Chronicle columnist Herb Caen coined the word 'beatnik'.
He wrote condescendingly that "Look Magazine hosted a party for 50
Beatniks... and over 250 bearded cats and kits were on hand... They're
only Beat, y'know, when it comes to work ..."

Holmes wrote that "... the Beatniks and the Mass Media succeeded in
beclouding most of what was unsettling, and thereby valuable, in the
idea of Beatness..."


PLOINK

--
There's no place like 127.0.0.1
Gerard Wassink http://linux.family.filternet.nl
http://freeware.family.filternet.nl
Linux counter #360967, "In a world without fences, who needs gates?"
 