Monday, April 28, 2008

Bake-off: NoScript and Firekeeper

I decided to mention Firekeeper on the security forums at LQ.org. One of the moderators there mentioned that NoScript was better at blocking malcode than Firekeeper. In order to understand what he was talking about (I'm confused about that comment), I decided to install both to see if one can layer and leverage both of these tools. I also wanted to see which was better at blocking and alerting on malcode in general.

It appears that NoScript is specific to JavaScript, although it looks to detect cross-site scripting, Flash, and MS' version of Flash. It also works via whitelists and blacklists and not pattern matching (other than focusing on the word "script" and occasionally focusing on "ath.cx"; I haven't determined why it does this yet).

Both tools work in conjunction with one another fine, though (so far).

I'm partial to Snort because an efficient and focused rule will always beat someone adding a site to a whitelist. I've seen trusted sites be hacked before, so if a trusted site is violated and begins serving malware, you're going to be visiting that site and that site will be in your whitelist. With Firekeeper, it will alert and block any malicious traffic.

The bad thing about Firekeeper is that someone always has to maintain the ruleset (be it the user or the developer or a combination of both).
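
The trade-off described above, as an added example that is not from the original post or from either project: a toy JavaScript model of an origin allowlist next to a content rule, run over three responses. The hosts, the rule and the responses are constructed, and the rule format is hypothetical rather than Firekeeper's actual syntax.

```javascript
// Toy model only: not NoScript's or Firekeeper's real logic or rule syntax.
// Hosts, the rule and the sample responses are constructed for illustration.
const scriptAllowlist = new Set(["trusted.example"]);

// Hypothetical signature-style rule: matches on response content, not on origin.
const rules = [
  { msg: "zero-width iframe in body", bodyRe: /<iframe[^>]+width=["']?0\b/i },
];

// Origin-based control: active content runs only for allowlisted hosts.
function allowlistVerdict(resp) {
  return scriptAllowlist.has(resp.host) ? "allow" : "block";
}

// Content-based control: block when any rule matches, whatever the host.
function ruleVerdict(resp) {
  const hit = rules.find((r) => r.bodyRe.test(resp.body));
  return hit ? "block" : "allow";
}

// Layered: the response is blocked if either control blocks it.
function layeredVerdict(resp) {
  const blocked = allowlistVerdict(resp) === "block" || ruleVerdict(resp) === "block";
  return blocked ? "block" : "allow";
}

const samples = {
  // Allowlisted site that has been compromised and now serves a known pattern.
  compromisedTrusted: {
    host: "trusted.example",
    body: '<script>init()</script><iframe src="http://injected.example/" width=0 height=0></iframe>',
  },
  // Unknown site with harmless script: blocked by origin policy alone.
  unknownBenign: { host: "new-blog.example", body: "<script>renderComments()</script>" },
  // Allowlisted site serving something the ruleset has no signature for yet.
  trustedNoSignature: {
    host: "trusted.example",
    body: '<script src="http://injected.example/x.js"></script>',
  },
};

function report() {
  return Object.entries(samples).map(([name, resp]) => ({
    name,
    allowlist: allowlistVerdict(resp),
    rules: ruleVerdict(resp),
    layered: layeredVerdict(resp),
  }));
}

console.table(report());
```

The third row is the case neither control catches: the host is allowlisted and no rule matches, which is the ruleset-maintenance cost noted above.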

I'll continue to comment as I learn both tools.
