Firewall that shows "whois" info for ALL new connections?
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Does a firewall exist that shows "whois" info for ALL new connections that are attempted? Or even better, "smartwhois" info?
New connections, meaning connections to IP blocks never connected to before.
So you go to a site that belongs to owner A, and if an attempt is covertly made to connect to another site that belongs to owner B, an alert is shown and you choose if you trust this owner. So you build a whitelist of trusted IP owners.
Quote:
Originally Posted by Ulysses_
Does a firewall exist, that shows "whois" info for ALL new connections that are attempted?
It might on the other "OS"? It'll be deity-awful slow having to stall the connection while pulling up the information.
Quote:
Originally Posted by Ulysses_
if an attempt is covertly made to connect to another site that belongs to owner B
OK, so what about connections made to other sites from behind, say, their proxy?
And what does WHOIS information convey in terms of security in these days of proxy registrations?
Quote:
It might on the other "OS"? It'll be deity-awful slow having to stall the connection while pulling up the information.
It's only done the first time.
Much like training Comodo firewall, but instead of per-application allows, you define per-IP-owner allows as you go along.
Quote:
OK, so what about connections made to other sites from behind say their proxy?
If you mean that a web page can load scripts from other sites through a proxy of their own, you can't do much about it. If it's a proxy of someone else, then that can be detected and blocked.
My concern is more about an infected PC connecting covertly to places that are not expected. I would have the firewall on another PC; I do this already with a Vyatta VM, but their firewall is just iptables, no GUI interaction or training.
Quote:
And what does WHOIS information convey in terms of security in these days of proxy registrations?
So can someone register as Amazon Inc and no one would check?
Quote:
Trust based on what? Whose expert knowledge?
One rule of thumb, a site should work without help from other sites.
Second, if the previous rule is broken, the other sites should be registered to the same owner.
Third, if the previous rule is broken, it's probably stuff like googlesyndication and adware that I have disabled already with the NoScript addon of Firefox; most sites that use them work without them also.
So the final rule of thumb is, if in doubt, disallow. And watch if the site you want works, it probably will.
Quote:
My concern is more about an infected pc connecting covertly to places that are not expected.
If a machine is (perceived) infected then the last thing it needs is a working network connection: address the cause, not the symptoms.
Quote:
Originally Posted by Ulysses_
So can someone register as Amazon Inc and no one would check?
I'm sure you can register a typosquat like Amaazon Inc or Amazonn Inc but even without DNS hijacking or whatever else tricks some people wouldn't be able to distinguish between amazon.secure.cat/books, amazon.org/buynow or paypal.amazon.com.gq/secure/online/payment anyway. Of course I meant the other way around: there's a lot of official-sounding domain names that have no meaningful WHOIS record, so "trusting" WHOIS seems like a flawed idea to begin with.
Quote:
Originally Posted by Ulysses_
One rule of thumb, a site should work without help from other sites.
With all due respect, these and the next sound like we're back in the NCSA Mosaic era ;-p
Quote:
If a machine is (perceived) infected then the last thing it needs is a working network connection: address on the cause, not the symptoms.
Long gone are the days when it was enough to only think about prevention.
Quote:
I'm sure you can register a typosquat like Amaazon Inc or Amazonn Inc
Cool. Then we'll keep our eyes open, innit. You do that already when you're typing URLs. Or reading URLs in the address bar before filling in private data in a form.
Quote:
but even without DNS hijacking
That's easy to counter: you set the ADSL router to use Google's 8.8.8.8 instead of the default automatic DNS server discovery, which ends up with the ISP's possibly poisoned DNS server.
Quote:
or whatever else tricks some people wouldn't be able to distinguish between amazon.secure.cat/books, amazon.org/buynow or paypal.amazon.com.gq/secure/online/payment anyway.
That's the issue we already are supposed to be careful with when typing URLs or filling in forms. A firewall returning whois info before going to amazon.secure.cat/books does not need any more carefulness but the same or less.
Quote:
With all due respect but these and the next sound like we're back in the NCSA Mosaic era ;-p
Haha. Maybe you've just had a psychic moment; I was writing yesterday about my use of Mosaic in 1993 and 1994, which I never have mentioned before. The Wave is approaching, psychic phenomena are getting more common. Returning to technical issues, why don't you open 10 random sites from Google and see how many thought it was wise to rely on scripts from other sites. And then find 10 sites using other sites and see how many work with the other sites disabled with NoScript.
I have found that almost all sites work alone by design or with the scripts from elsewhere disabled with NoScript. The real issue is not helper sites that NoScript can block, but backdoors attempting to connect to malicious places independently of any browsing you do.
No matter what you will not be able to discern from WHOIS information alone that something indeed is "safe" or "trustworthy". Holding such a view of the 'net as you do and trying to impose your own "rules" can only lead to white-listing.
I bet you didn't read to the end. Anyway, the NoScript author clearly does not agree with your opinion, and neither do I, so the question for us remains:
What's a Comodo-like firewall that integrates smartwhois lookups during its GUI-based training?
You can conduct analysis on firewall logs without needing to resolve IPs to names. If your investigations depend on that, you're doing it wrong.
Seeing as to how argumentative you are with unSpawn, I really don't see why you're even asking questions...it seems you know it all already. Are you asking for help or just looking to debate?
Quote:
I really don't see why you're even asking questions...it seems you know it all already.
I'm not asking "what do you recommend should or shouldn't be done", even though any input in this area is welcome too. I'm asking "do you know any software that can do this?". Any opinion against such software, e.g. against NoScript, is welcome. Just allow people to disagree; maybe they have a lot of specific experience with NoScript that you do not have.
NoScript is Firefox-specific; I am asking for a system-wide implementation of the same thing.
NoScript does NOT ask you "connect to this?", "connect to this?", "connect to this?". It just blocks everything by default; you only see the content at the URL in the address bar, minus the scripts from that URL. If the site doesn't work, you right-click an icon at the bottom and it shows a list of blocked domains to choose which one to unblock first, if any. Judgement is asked for here from the user: should they trust "googlesyndication", say, in order to read some blog? That's where the author of NoScript disagrees with you, unSpawn. He asks for judgement to be exercised by the user. Here's the list his addon shows at ebay.com:
EDIT: I've visited ebay before and enabled both entries, but by default they were all in the blocked state.
NoScript comes with Tor-preconfigured Firefoxes like xbBrowser or xbMachine, and is considered essential for Tor. It also comes with the Firefox in the hacker-favorite BackTrack CD. I've been using NoScript for some two or three years.
The next logical step would be to make this system-wide, instead of getting a Comodo firewall popup like this:
I'd prefer a popup that shows the best whois info for this IP. Inverse DNS might be something too, but ideally I'd like to see smartwhois info at such popups.
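The behaviour asked for in this thread (the original question, and the Comodo-style popup above), as an added example that is not from any poster or product: it replays iptables LOG lines for new outbound connections, prompts only the first time a destination netblock is seen, and decides from a cached WHOIS owner. The log prefix FW-NEW, the owner names and the sample lines are constructed; a real tool would query WHOIS/RDAP for each unseen netblock and cache the answer.

```python
import ipaddress
import re

# Constructed sample: iptables LOG lines for NEW outbound connections
# (netfilter LOG format; addresses are documentation ranges, made up here).
SAMPLE_LOG = """\
kernel: FW-NEW: IN= OUT=eth0 SRC=192.168.1.20 DST=203.0.113.10 PROTO=TCP SPT=51000 DPT=443
kernel: FW-NEW: IN= OUT=eth0 SRC=192.168.1.20 DST=203.0.113.77 PROTO=TCP SPT=51001 DPT=443
kernel: FW-NEW: IN= OUT=eth0 SRC=192.168.1.20 DST=198.51.100.5 PROTO=TCP SPT=51002 DPT=80
kernel: FW-NEW: IN= OUT=eth0 SRC=192.168.1.20 DST=192.0.2.9 PROTO=TCP SPT=51003 DPT=6667
"""

# Constructed stand-in for WHOIS data: netblock -> registered owner.  A real
# tool would query WHOIS/RDAP once per unseen netblock and cache the answer.
WHOIS_CACHE = {
    ipaddress.ip_network("203.0.113.0/24"): "Example Shop Inc",
    ipaddress.ip_network("198.51.100.0/24"): "Example CDN LLC",
}

DST_RE = re.compile(r"\bDST=(\d+\.\d+\.\d+\.\d+)\b")


def lookup_owner(ip):
    """Return (netblock, owner) from the cache, or (None, None) if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, owner in WHOIS_CACHE.items():
        if addr in net:
            return net, owner
    return None, None


def review_connections(log_text, trusted_owners):
    """Replay NEW-connection log lines and return one decision per netblock
    seen for the first time: 'allow' if its owner is on the allow list,
    'ask' if the owner is new, 'alert:no-whois' if no owner is known."""
    seen = set()
    decisions = []
    for line in log_text.splitlines():
        m = DST_RE.search(line)
        if not m:
            continue
        dst = m.group(1)
        net, owner = lookup_owner(dst)
        key = net if net is not None else ipaddress.ip_address(dst)
        if key in seen:
            continue  # same owner block as an earlier connection: no new prompt
        seen.add(key)
        verdict = ("alert:no-whois" if owner is None
                   else "allow" if owner in trusted_owners else "ask")
        decisions.append((dst, owner, verdict))
    return decisions
```

The second connection to 203.0.113.0/24 produces no new prompt, and a destination with no WHOIS record is flagged rather than silently allowed, since there is no owner to base trust on.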
Quote:
Originally Posted by Ulysses_
I'm not asking "what do you recommend should or shouldn't be done", even though any input in this area is welcome too. I'm asking "do you know any software that can do this?". Any opinion against such software, eg against NoScript, is welcome. Just allow people to disagree, maybe they have a lot of specific experience with NoScript that you do not have.
1. Install a HIDS or a host-based FW/IPS.
2. Leverage a proxy...there are several out there.
3. Have you contacted NoScript's developer? If not, maybe you should. If you have and are still stuck, you might want to look at #1 & #2 again.
Basically, layer your security so that your security risks are mitigated/lessened. A LOT of current OSS security software can perform DNS resolution, but again, just knowing who it is that your host/software is blocking doesn't really result in much. So, you know who attacked you...do you know why? Do you know how? Do you know what he/she is doing, in detail? NoScript certainly won't provide that level of detail.
I could care less if you agree or disagree...you just need to be clear on what you want. Also, disagreeing with someone who's trying to help you ends up with you not getting help and it tends to waste people's time. Experience with NoScript? You act like NoScript is some highly placed, best-of-breed, enterprise tool or something. While NoScript works well, it's not doing something that can't be manually done (or not done).
The proof for unspawn is in the pictures. Haven't you looked at them? How on earth would the author of NoScript list "ebay.com" and "ebaystatic.com" in that popup, if they didn't expect the user to exercise judgement on domain names? Which is just like exercising judgment on ip owner names like "Ebay Inc".
Quote:
NoScript for Firefox pre-emptively blocks malicious scripts and allows JavaScript, Java and other potentially dangerous content only from sites you trust.
The key words are "only from sites you trust." How does it do that? You have to tell it to trust!
The user isn't expected to make judgement calls on domain names alone... You can still view a page that NoScript flags...it just won't execute scripts and such. I just viewed my own pages with NoScript, ensuring that NoScript had the website flagged. I was able to view ALL the content fine (my pages have minimal script), even when I saw that NoScript had it flagged.
So, it blocks ALL scripts and allows only what you tell it...sorta like a firewall, right? Are firewalls infallible? No! If you only use firewalls to secure your network, you're in trouble or will be, eventually.
I don't think you understand NoScript as well as you think you do...
Last edited by unixfool; 12-18-2010 at 05:54 PM. Reason: minor edit
Quote:
The key words are "only from sites you trust." How does it do that? You have to tell it!
What a shock it must have been when you found this one out. As if you've just discovered what the hell NoScript does, despite all this repetition from myself. Maybe the language was somewhat abstract and you missed much of what was said: I am expecting to see abstract ideas from NoScript like "block everything except what the user trusts and whitelists" transferred to another context, the one of the GUI-trainable firewall (not just any GUI firewall, but one like the one in the 2nd picture that trains as you go along), plus one new feature: whois info. So it doesn't matter if NoScript blocks scripts or images or bad words or frames, and I thought it was obvious NoScript only blocks scripts. The name is NoScript, not NoBaddies.
Quote:
The user isn't expected to make judgement calls on domain names alone... You can still view a page that NoScript flags...it just won't execute scripts and such.
I'm here to tell you almost ALL scripts from helper sites are just scripts, not entire pages that say "check out this porn but it may damage your computer". To confirm helper sites offer just scripts and very minimal other content if any, you have to use NoScript in the real world for 2-3 years. Either that, or take a seasoned user's word for it.
Quote:
Are firewalls infallible? No! If you only use firewalls to secure your network, you're in trouble or will be, eventually.
We agree on this. I'm just adding that a GUI-trainable firewall that shows whois info is less fallible than a primitive wrapper for iptables.
I was using NoScript before it became popular. I elaborated on its purpose because you didn't appear to understand how it worked (which unSpawn hinted at).
You're just wasting this board's resources by not listening and being argumentative.