Penetration test of Agnitum's Outpost Desktop Firewall Pro V 2.0 (V 2.0.225)
a report/test by ©2003 Mixter & M.Rogge

This is now already the second time that Agnitum's Outpost Firewall has been the test target of Mixter and me.
This time we tried to use special attack techniques and scans in order to compromise the firewall and measure its effectiveness.
In its second version, Outpost Firewall Pro offers some improvements, which are, however, not of great importance to most users.
Some other functions are quite useful and do improve the security of the computer or the network.
Among other things, the new version of Outpost offers a Logviewer, which presents the log data externally in more detail.
One should, however, make certain to cleanly uninstall Outpost version 1.xx.xx and to completely delete its directories.
Among other things, it is important to be certain that the existing Registry entries are also completely deleted, since the uninstall routine does not remove them cleanly.
(Details on the Outpost Firewall follow at the end of the test; the first test can be reread here.)
The target object:

On other security sites, "tests" had been done which, however, could not be practically reproduced, so Mixter and I decided to do another test of this kind.
The test we carried out was a simulated attack from the Internet by means of simple scans and extended scans, as well as DDoS attacks by means of TFN2k (ICMP/ping flooding) and Targa3 attacks.
The test system:
Windows XP Professional SP1, 512 MB RAM, 1.8 GHz Pentium 4, Office XP complete, Firebird, IE etc.!
The attacking system in this case was Gentoo Linux.
We scanned the test system for 30 minutes for identification, open ports, etc., and undertook various attempts to compromise the target system.
First of all the system was examined and scanned with the security scanner NMAP.
The following scans were carried out but achieved no success, since the Outpost Firewall only signalled network traffic and accepted no packets:
-sS, which performs a so-called half-open SYN scan,
-T Insane, with the -T option the scanning rate can be adjusted to match the target system,
with -S spoofed IP addresses were simulated.
The scans were discovered by the Outpost Firewall and registered and indicated with 0 bytes.
Many firewalls would register neither a message nor any activity for half-open scans in this range.
However, the system was substantially loaded by such mass scans, although work on it could not be noticeably throttled thereby.
At the same time various applications ran, which were not impaired to the extent that they stopped running.
The processor load partly rose to 96%.
In the further course of the NMAP scans one could observe that the log function of the Outpost Firewall was impaired and could no longer work 100% under the mass scans.
As can be seen very nicely from the scroll bar in the picture above, a very large quantity of scans was registered by Outpost, and scrolling was occasionally no longer possible.
Thus no real-time monitoring was possible, and an evaluation is then only possible in the additional Logviewer tool.
An appropriately fast reaction by an administrator in the network (in the case of a network attack) would be nearly excluded here.
It should be mentioned that no scan packet was registered by Outpost's IDS as an attack attempt or access attempt.
A further test point was an attack on the system by means of a DDoS attack, which the Outpost Firewall should repel.
Here Outpost left a quite good impression: although no blocking of the attacker IP took place, the attack nevertheless remained unsuccessful for a period of approx. 5-6 minutes.
Subsequently, however, the kernel module of the firewall broke down and could no longer protect the computer/network as expected.
Random and encoded packets Outpost could also repel, but only for a short period, since afterwards the work of the entire system was impaired so strongly that further work was impossible.
UDP packet attacks were not recognized by Outpost Firewall Pro 2.0.
Thus a UDP flood against a host is quite executable by means of a strong line.
As seen here in the picture, Outpost's services are no longer recognizable.
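The two behaviours observed above (scans registered only as 0-byte entries, UDP floods not recognized at all) are the kind of pattern a host firewall's log analysis should surface. The following is an added example, not code from the original test or from Agnitum: it runs simple detection logic over constructed log records. The record layout, thresholds and addresses are assumptions for this example, not Outpost's own log format.

```python
# Added example (not part of the original report): detect half-open SYN scans
# and UDP floods in firewall log records. A SYN scan shows up as one source
# hitting many distinct ports with bare SYNs and 0 bytes transferred; a UDP
# flood shows up as a high packet rate from one source towards one port.
from collections import defaultdict

# Constructed sample records (assumed layout): (second, proto, src, dst_port, flags, bytes)
SAMPLE_LOG = [
    *[(0, "TCP", "10.0.0.9", p, "S", 0) for p in range(20, 80)],  # 60 ports, 0 bytes
    (1, "TCP", "10.0.0.5", 80, "SA", 1420),                          # ordinary web session
    *[(2, "UDP", "10.0.0.7", 53, "", 512) for _ in range(300)],      # 300 UDP pkts in 1 s
    (3, "UDP", "10.0.0.5", 123, "", 48),                             # single NTP packet
]

def detect_syn_scan(records, min_ports=30):
    """Sources sending payload-less SYNs to at least min_ports distinct ports."""
    ports = defaultdict(set)
    for _sec, proto, src, dport, flags, nbytes in records:
        if proto == "TCP" and flags == "S" and nbytes == 0:
            ports[src].add(dport)
    return sorted(src for src, seen in ports.items() if len(seen) >= min_ports)

def detect_udp_flood(records, pps_threshold=200):
    """(src, dst_port, second) triples whose UDP packet rate reaches the threshold."""
    counts = defaultdict(int)
    for sec, proto, src, dport, _flags, _nbytes in records:
        if proto == "UDP":
            counts[(src, dport, sec)] += 1
    return sorted(key for key, n in counts.items() if n >= pps_threshold)

def summarise(records):
    """One aggregated line per (src, proto) instead of thousands of raw entries,
    so a log view does not collapse under a mass scan as described in the text."""
    agg = defaultdict(lambda: {"packets": 0, "bytes": 0, "ports": set()})
    for _sec, proto, src, dport, _flags, nbytes in records:
        entry = agg[(src, proto)]
        entry["packets"] += 1
        entry["bytes"] += nbytes
        entry["ports"].add(dport)
    return {k: (v["packets"], v["bytes"], len(v["ports"])) for k, v in agg.items()}

def analyse(records):
    return {"syn_scan": detect_syn_scan(records),
            "udp_flood": detect_udp_flood(records),
            "summary": summarise(records)}

if __name__ == "__main__":
    for name, value in analyse(SAMPLE_LOG).items():
        print(name, value)
```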
Result: Such an attack scenario is absolutely realizable in practice and also not at all unusual.
In the private sector, however, such an attack is for the most part carried out rather more rarely.
Clearly, however, this test also points out that a firewall quite makes sense, since without the Outpost Firewall the test system would not have held up, even if the raw sockets under Windows 2000 or Windows XP were modified and/or worked.
Outpost quite offers a first good protective wall against such substantial attacks from the Internet.
Consider here, however, that this was not a worm, a virus or a Trojan, but an attack with a large bandwidth directed at the target system.
A bandwidth like this is absolutely attainable with double DSL performance (approx. 1.5 Mbit).
The first penetration test of Outpost Firewall
Packetstorm user page of Mixter: "Using distributed client/server functionality, stealth and encryption techniques and a variety of functions, TFN can be used to control any number of remote machines to generate on-demand, anonymous Denial Of Service attacks and remote shell access. The new and improved features in this version include remote one-way command execution for distributed execution control, mix attack aimed at weak routers, Targa3 attack aimed at systems with IP stack vulnerabilities, compatibility to many UNIX systems and Windows NT, spoofed source addresses, strong CAST encryption of all client/server traffic, one-way communication protocol, messaging via random IP protocol, decoy packets, and extensive documentation" Tribe Flood Network 2000.
Article by Mixter and me about DDoS attacks/TFN2k
Outpost Firewall on the Internet: http://www.agnitum.com
This test as well as excerpts from it may not be copied without permission!
©2003 by M.Rogge & Mixter