A detailed reading of the latest evaluation report on world-famous firewalls: the Outpost chapter (translation of the original)


Posted on 2007-10-21 16:04


From: MACD forum (bbs.macd.cn)  Author: govyvy  Views: 2209  Replies: 2

Thank you all for your interest in reading this translated text. I would like to explain something first: this article is taken from www.matousec.com. Since that company is a professional security-product evaluation and testing company, the conclusive reports it publishes have a certain reference value. At the same time, it is also a commercial company that tests and sells bug information; its standards for the security products submitted for testing are quite strict and its comments nearly harsh. So whichever firewall product you favour, please read this article with a calm mind. In the end, there is still a considerable difference between real-world use of a firewall and laboratory testing; whether a product is good to use, only its user knows best. There is no perfect firewall in the world, only the firewall that suits you best. I am posting this text only in the hope of providing necessary reference material for everyone choosing this kind of product. The original is at http://www.matousec.com/projects/windows-personal-firewall-analysis/results.php; interested friends can browse it.

The translations of all the firewall test reports of this evaluation project have been collected and published; please see http://bbs.hypost.cn/read.php?tid=116235.

Outpost Firewall PRO 4.0 (964.582.059) - Review

Outpost Firewall PRO version 4.0 is a modern personal firewall product with a lot of imperfections. It offers a pleasant interface to its users; on the other hand, it tends to be very unstable and can have many compatibility issues with other software. The performance is also a con of this product. Its protection is able to stop only inexperienced attackers; skilled hackers would have no problem bypassing its mechanisms.

Outpost Firewall PRO 4.0 (964.582.059) - Overview

Outpost (hereafter OP) Personal Firewall PRO 4.0 is a modern firewall product that still has quite a few shortcomings. Thanks to its excellent interface, OP has won the favour of many users, but from another angle, the product's behaviour lacks stability and it often has compatibility problems with other software. OP's protection mechanisms can only hold off inexperienced attackers; against some highly skilled hackers they appear inadequate.

Tested version

When we were close to starting our tests of Outpost Firewall PRO 3.5 months ago, we were asked by Agnitum Ltd., the vendor of Outpost Firewall PRO, to wait with our analysis until version 4.0 was out. This version was supposed to greatly improve the security of this product. We agreed to wait because we were interested in the best version of Outpost Firewall. The expected release date of the fourth version was changed many times and finally it came out on September 27th. We received a testing licence from the vendor and started our analysis. Three weeks later we are here with our review of Outpost Firewall PRO 4.0 (964.582.059). Outpost is currently in fourth place in our survey of personal firewall products.

A single licence of Outpost Firewall PRO with 1 year of updates and support costs $39.95 and 2 years cost $54.95; the 1-year family licence is available for $79.95 and the business licence for $39.95.

Tested version

When, several months ago, we were about to start testing OP PRO 3.5, we received a message from Agnitum, the developer of OP: they hoped we would wait until OP 4.0 was released and provide an analysis report on that version, because that version was believed to have improved considerably in security over the previous one. We agreed to the request, because we likewise had high hopes for this so-called best version of OP. OP 4.0 slipped its release date several times and was finally published on September 27; we obtained a testing licence from the developer and began our analysis. Three weeks later we published our review of Outpost Firewall PRO 4.0 (964.582.059). In an earlier survey of personal firewalls, OP ranked fourth.

The single-user edition of OP with one year of updates and support costs US$39.95, the two-year edition costs US$54.95, the one-year family pack is worth US$79.95, and the business edition costs US$39.95.

Installation and initialization

Outpost is delivered in an almost 14 MB installation package downloadable from the vendor's website. The installation process is very standard and easy even for basic users. At first, you are asked to specify the security level you want Outpost to provide. If you really care about security, choose 'Advanced security level' or 'Custom configuration'. We chose the 'Advanced security level' because it provides the highest level of security this product can offer. Then you can choose whether you want to join 'ImproveNet'. Simply put, this is a way to help the vendor improve their products and also a tool that can sometimes make it easier for you to manage your local rules. You are also asked whether you want to enable so-called 'Rules Autocreation'. This is good for eliminating firewall queries about recognized software which is believed to be harmless. For example, 'Agnitum Update' is automatically allowed to access Agnitum update servers if you enable 'Rules Autocreation'. The installation process then performs the initialization of network components and the 'Component Control database' and the installation of files and services. Then it requires the system to be restarted. After the reboot, the 'Startup Configuration Wizard' allows you to install the 'Quick tune Plug-In' for Internet Explorer. This plugin helps you manage content filtering features in your Internet browser. Unfortunately, this feature is available only for Internet Explorer; other popular browsers like Opera or Mozilla browsers are not supported. Finally, the 'Anti-Spyware Protection' can be disabled here, which is what we did because we were interested in personal firewall features only. Altogether, the installation is pleasant, fast and easy. The only thing we missed during the installation was the possibility to enter a password to protect the firewall's settings. However, this password can be set up immediately after the installation. The default settings of Outpost were well defined for common use, which is very important for basic users. Outpost received no penalty for the installation process.

Installation and initialization

The installation package downloaded from OP's official site is 14 MB. The installation process is very routine and easy to get started with even for beginners. First you are asked to define the security level you want OP to provide; if you care a lot about security, you can choose 'Advanced security' or 'Custom configuration'. We chose 'Advanced security', because that module provides all the highest-level security settings OP can offer. Then you can choose whether to join the 'ImproveNet' programme; simply put, this is a way to help the developer improve the product, and it also makes it easier for you to manage local rules. You will also be asked whether to enable the so-called 'Rules Autocreation' feature, which helps eliminate prompts about trusted, harmless programs. For example, if you choose 'Rules Autocreation', then 'Agnitum Update' will be allowed to connect automatically to Agnitum's update servers, the network components and the 'Component Control database' are initialized, and the relevant files and services are installed. After that, the installer prompts for a restart; after rebooting, the 'Startup Configuration' module lets you install a plugin for IE called 'Quick tune', which can help you implement content filtering in IE. Unfortunately this feature only supports IE; it cannot be used with other popular browsers such as Opera or Mozilla. Finally, the 'Anti-Spyware Protection' feature can be disabled, and we did so, because we were only interested in the firewall features. Overall, the installation was simple and fast and went smoothly; the only thing not provided was the ability to set a password to protect the firewall settings, but this can be done once the installation is complete. OP's default settings are already well able to handle ordinary use, which is important for beginners. OP bears no responsibility for possible adverse consequences occurring during installation.

Hardware requirements

Hardware requirements are a big issue for Outpost. The measured values for disk space and memory requirements are quite big for a personal firewall but still OK for today's computers. About 30 MB of RAM usage and the same on the hard disk are numbers that will not cause any problems for end users of Outpost. However, a 42% performance reduction while working with files, the registry and processes can be very painful. This is probably caused by the extensive number of hooks that Outpost implements to fulfil its security design. The hardware requirements of Outpost Firewall PRO are bigger than the requirements of competing products.

Hardware requirements

Hardware requirements are a big problem for OP. For a personal firewall product, OP's measured figures for disk and memory usage are quite high, but they are not a problem for today's mainstream computers. Consuming 30 MB of memory and 30 MB of disk space will not burden OP's desktop users, but when OP's files, registry components and processes are working at the same time, system efficiency drops by 42%, which is painful for the user. This is probably because, in operation, OP sets (many protective) traps (for attackers) in order to meet its security design requirements. Compared with competitors' products, OP's hardware requirements are noticeably larger.

Common behaviour and control

Outpost offers a pleasant but powerful user interface. The main window shows a basic view of activities on your computer. All Outpost settings are accessible through standard menus and this access can be protected by a password. Single queries cannot be protected by the password. Basic users will not get lost in the labyrinth of settings; the options panels are designed very well and display only the basic settings, with the possibility of showing advanced settings. Basic help is available, but for advanced topics you will have to look into the User's Guide, which is downloadable from the vendor's website.

Outpost allows you to modify the settings of every application in its database in great detail, and the same can be said about the settings of the network firewall. Additionally, Outpost has an interface for external plugins and by default it contains some. You are able to switch them off if you do not like them. For example, the anti-spyware protection is also implemented as a plugin and thus can be fully removed if you do not need it. The same holds for the Internet content filtering.

The user interface is accessible via the tray icon if the 'startup mode' is set to 'Normal', which is the default value. Using the tray icon you can also change the network policy. Five policy levels are available; the common policy after the installation is called 'Rules Wizard'. In this mode new rules are created based on the user's decisions. The extreme modes are 'Disabled', in which the protection of Outpost is disabled, and 'Stop All mode', in which all network traffic is blocked. 'Allow most' and 'Block most' allow everything that is not explicitly blocked or block everything that is not explicitly allowed, respectively.

There is also a special mode called 'Entertainment mode' that is handy when you play games or watch movies. In these situations you usually do not want to be disturbed by your firewall, and Outpost respects this. The Anti-Leak and Component controls are disabled by default in this mode and the policy is set to 'Block most'. The same holds if your Outpost starts in the 'Background startup mode'.

Firewall queries could be implemented better in Outpost. The problem is that the information on which you should decide whether or not to allow some action is not sufficient. You have no chance to see the full path of the application that causes the query. If a description is available in the image of that application, it is displayed. Malicious applications can change their icon and their description to look like, e.g., Agnitum Update. Moreover, in such a case of a fake Agnitum Update, Outpost does not verify the application and offers to create rules using the preset for Agnitum Update. This looks very convincing and can mislead even advanced users. And the 'Smart Advisor', your assistant with Outpost queries, is very superficial; its hints can hardly help you make a good decision. This is why we gave only 90% in the Ease of use classification to Outpost Firewall PRO.

Habitual use and control

OP gives users an attractive and powerful interface. The main window shows basic information about your computer's current activity. All of OP's settings can be reached through standard menus and can be protected with a password. The password can protect any setting. Beginners need not worry about being confused by complex settings, because the options panel is very sensibly designed, showing only basic settings while leaving an option to show the advanced ones. OP provides only a basic user guide; some advanced usage instructions for OP have to be downloaded from the official website.

Users can update a great many detailed settings for executable programs and for the network firewall in OP's database. In addition, OP provides an interface for external plugins, with some installed plugins already included by default; in this interface you can choose to turn off plugins you do not like. For example, 'Anti-Spyware Protection' runs as a plugin, and if you feel it is unnecessary you can remove it entirely in this interface. The same applies to the web content filtering plugin.

OP's user interface can also be opened from the system tray icon, provided the 'startup mode' is set to 'Normal', which is OP's default setting. You can also change your network policy through this icon; five levels of network policy are available. The policy most commonly used after installation is 'Rules Wizard', meaning the user decides how new rules are defined. When OP's protection is turned off, this leads to the extreme policy mode 'Disabled'; 'Stop All' mode means blocking all network activity; and 'Allow most' and 'Block most' mean, respectively, allowing all activity not explicitly defined as blocked and blocking all activity not explicitly defined as allowed.

There is also a rather special mode called 'Entertainment mode', a convenient mode offered when you are playing games or watching films. OP takes full account of your wish not to be disturbed by the firewall during such activities, so Anti-Leak and Component Control are turned off by default in this mode and the network policy is set to 'Block most'. If your OP runs in 'Background startup mode', the firewall's settings are the same as in 'Entertainment mode'.

OP's firewall prompts could actually do better; the problem is that the reference information given to you to decide whether some activity should be allowed or blocked is insufficient. (Based on this information) you cannot see the full picture of the application that triggered the prompt. If the application's image has a description, OP displays it, but malicious software can change its icon and description so that it looks like a trusted program such as Agnitum Update. Moreover, again taking malware disguised as Agnitum Update as an example, OP makes no change to that program and will even create rules for the malware based on the original preset for Agnitum Update! Faced with such a 'trustworthy' operation, even some advanced users would be misled by OP. As for the so-called 'Smart Advisor' (the assistant tool when you face OP's prompts), its function is very simple, and its hints are of little help in making a correct decision. This is why we gave OP a score of 90% in the ease-of-use category.

Security

The security design of Outpost 4 is quite good but it still has major holes. Its vendor puts stress on Anti-Leak protection, which we do not test in this phase of our project. However, we have found many vulnerabilities that can be exploited by attackers to easily bypass this Anti-Leak protection as well as all other security mechanisms in Outpost. Not only the design but also its implementation is imperfect in Outpost. We have found components of Outpost that are more buggy than working. All this results in a very unstable application that is likely to have compatibility problems with common security software. Because of this, we cannot recommend using Outpost. Vendors of widely used security products should have security-level beta testers, not only testers at the application level. It is clear that the development of Outpost missed this kind of testing. You can see public information about the bugs we found in Outpost Firewall PRO in the following sections below.

Security

OP 4's security design is rather praiseworthy, but some major holes remain. Its developer has greatly improved OP's leak protection, but those improvements are outside the scope of this round of our project's testing. Instead, we have already found many vulnerabilities that attackers can exploit to bypass OP's leak protection and all its other security mechanisms. OP has problems not only in its design but also in its operation. We found that OP has more faulty components than working ones, and these problems will leave OP lacking stability and may cause conflicts with common security software. Therefore, we do not recommend using OP. Developers who specialise in security products for mass use need, before bringing a product to market, not only testers of the program's usability but also testers of the program's security. Clearly, OP's development neglected testing by such people. In the sections below you will see the published information on the bugs we found in OP.

Open public bugs

The following list contains open bugs that are public. This means that a full name, description, testing method and testing program is available for every bug in the list. The list is sorted by the bug penalty; a higher penalty means the bug is more dangerous.

Published public bugs

The list below gives the bugs with public information, meaning that for every bug in the list the full name, description, testing method and testing program are available. The list is classified by the severity of the bugs; a higher level means the bug is more dangerous. (Details omitted; only the bug names and severity levels are listed, likewise below.)

Bypassing Self-Protection using file links
Risk: Critical bugs

Bypassing Self-Protection via Advanced DLL injection with handle stealing
Risk: Critical bugs

Insufficient validation of 'SandBox' driver input buffer
Risk: Serious bugs

Open private bugs

The following list contains open bugs that are private. This means that their names, descriptions, testing methods and testing programs are not available for free. You can buy private information about a single bug or you can buy the full analysis. The following list is sorted by the bug penalty; a higher penalty means the bug is more dangerous.

Published private bugs

The list below gives the bugs of a private nature, meaning that the name, description, testing method and testing program of every bug in the list are not available for free. You can choose to buy the analysis of a single bug or the full set of analyses. The list is classified by the severity of the bugs; a higher level means the bug is more dangerous. (Details omitted; only the bug names and severity levels are listed.)

BUG00014P004AO    Risk: Critical bugs
BUG00015P004AO    Risk: Minor bugs
BUG00013P004AO    Risk: Critical bugs
BUG00011P004AO    Risk: Critical bugs
BUG00007P004AO    Risk: Critical bugs
BUG00006P004AO    Risk: Critical bugs
BUG00009P004AO    Risk: Critical bugs
BUG00017P004AO    Risk: Critical bugs
BUG00010P004AO    Risk: Critical bugs
BUG00008P004AO    Risk: Critical bugs
BUG00016P004AO    Risk: Minor bugs
BUG00002P004AO    Risk: Minor bugs
BUG00004P004AO    Risk: Minor bugs
BUG00005P004AO    Risk: Unimportant bugs

Fixed bugs

The following list contains fixed bugs. This means that these bugs were fixed by the vendor and that there exists a new version of the reviewed product where these bugs do not appear or there exists a patch for the bug for the reviewed version of the product.

Confirmed bugs

The bugs listed below have all been acknowledged by OP officially. New preview versions of OP or related patches that fix these bugs have already been released.

Multiple insufficient argument validation of hooked SSDT function
Risk: Serious bugs

Insufficient validation of 'SandBox' driver input buffer

Original post reposted from the Shenbo (绅博) forum

[ This post was last edited by govyvy on 2007-10-21 16:15 ]
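The review's point about firewall queries is that a prompt built from an image's description string can be satisfied by any file whose author copies that string, whereas a rule keyed on the executable's full path and content cannot. The following Python example is added here to illustrate that difference; it is not code from the review, from Agnitum or from Outpost. The file paths, descriptions and image bytes are constructed samples, and the two lookup functions are hypothetical stand-ins for a firewall's rule matching, not an API of any real product.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AppImage:
    """What a firewall can learn about the process that triggered a query."""
    path: str          # full path of the executable on disk
    description: str   # text from the image's version resource; the file's author controls it
    image: bytes       # the file's contents (a few bytes here; a real tool would read the file)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def normalize_path(path: str) -> str:
    # Windows paths are case-insensitive; fold case so an allowlist entry matches
    # regardless of how the path was spelled. Simplification: no symlink or 8.3-name handling.
    return path.replace("/", "\\").lower()


# Constructed sample images (hypothetical; not real Agnitum binaries).
GENUINE_UPDATER = AppImage(
    path=r"C:\Program Files\Agnitum\Outpost Firewall\agnitum_update.exe",
    description="Agnitum Update",
    image=b"constructed bytes standing in for the real updater",
)
FAKE_UPDATER = AppImage(
    path=r"C:\Users\alice\AppData\Local\Temp\update.exe",
    description="Agnitum Update",   # copied verbatim from the genuine file
    image=b"constructed bytes of an unrelated program",
)

# 1. Preset lookup keyed on the description string only (the behaviour the review criticises).
PRESETS_BY_DESCRIPTION = {
    "Agnitum Update": "allow outbound to Agnitum update servers",
}


def preset_by_description(app: AppImage) -> Optional[str]:
    """Matches on a field the file's author controls, so a copied description also matches."""
    return PRESETS_BY_DESCRIPTION.get(app.description)


# 2. Allowlist keyed on the normalized full path plus the SHA-256 of the image.
TRUSTED_IMAGES = {
    (normalize_path(GENUINE_UPDATER.path), sha256_hex(GENUINE_UPDATER.image)):
        "allow outbound to Agnitum update servers",
}


def preset_by_identity(app: AppImage) -> Optional[str]:
    """Matches only when both the location and the content are the ones that were approved."""
    return TRUSTED_IMAGES.get((normalize_path(app.path), sha256_hex(app.image)))


def query_details(app: AppImage) -> dict:
    """The facts a query dialog should show so the user can decide: path, hash, identity result."""
    matched = preset_by_identity(app)
    return {
        "path": app.path,
        "sha256": sha256_hex(app.image),
        "description": app.description,
        "identity_verified": matched is not None,
        "suggested_rule": matched,
    }


if __name__ == "__main__":
    for app in (GENUINE_UPDATER, FAKE_UPDATER):
        print(app.path)
        print("  description preset:", preset_by_description(app))
        print("  identity preset   :", preset_by_identity(app))
```

Run as a script, the fake updater receives the "Agnitum Update" preset from the description-keyed lookup but nothing from the identity-keyed one; a file at the genuine path whose bytes have changed is likewise rejected, because the hash is part of the key.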

Original poster | Posted on 2007-10-21 16:12
Note that these tests were conducted around the start of the year; they do not represent the software's actual practical level.

[ This post was last edited by govyvy on 2007-10-21 16:28 ]
Posted on 2007-10-25 12:39
It doesn't look very good.