A.I. News Lessons Learned on How to Use Google Gemini AI

Victor M

Level 10
Thread author
Verified
Well-known
Oct 3, 2022
452
AI can find you things that you do not know the search term for. You must have already come to this conclusion when searching on Google - if you don't know the proper/popular term, then you won't find what you are looking for.



Enter AI. Just use ordinary english and explain what you are looking for. And there's a good chance that AI will successfully find it, or it will tell you why it failed because it was looking for specifically this and that. This explanation it gives you of why it failed is crucial. And is not available previously using Google Search.



When you know why exactly the search failed, you will be able to think of other things for Google Gemini to focus on.



-------------------------------------------------------------------------------------



I was trying to compare the strengths between OpenBSD's pf firewall and regular Linux's iptables firewall. So with Gemini AI, I simply asked : "list the strengths of pf and how it deals with firewall bypassing techniques"



And it came back with this:



Strengths of pf and its Approach to Bypassing Techniques​

pf is a popular open-source firewall known for its flexibility, efficiency, and robust security features. Here's how it tackles common firewall bypass techniques:

  • Stateful Packet Filtering: pf excels at stateful inspection. It tracks connections, identifying legitimate two-way communication and filtering out unauthorized attempts. This makes techniques like port scanning or fragmented packets less effective.
  • Advanced Matching Capabilities: pf allows matching on various packet attributes beyond just source and destination IP addresses and ports. It can inspect flags, options, and even packet content to identify suspicious activity. This helps counter techniques like port manipulation where attackers piggyback on common service ports.
  • Normal State Pattern Matching: pf can define normal traffic patterns for specific applications and services. It can then detect deviations from these patterns, potentially uncovering attempts to tunnel malicious data within legitimate protocols.
  • Packet Scrubbing: pf can fragment and reassemble packets on the fly, rendering techniques like fragmentation that aim to bypass deep inspection ineffective.
  • Geo-IP Blocking: pf can integrate with GeoIP databases to restrict access based on geographical location, helping mitigate targeted attacks.
Additional Advantages:

  • Open-source nature: pf benefits from a large community that contributes to its development and actively identifies and patches vulnerabilities.
  • Lightweight and efficient: pf has a reputation for being efficient on system resources, making it suitable for various deployments, even on resource-constrained systems.
  • Highly configurable: pf offers a granular level of control over firewall rules, allowing administrators to tailor security policies to their specific needs.
Remember:

While pf offers a strong defense against bypass techniques, it's crucial to maintain a layered security approach. This includes keeping pf software updated, using intrusion detection/prevention systems (IDS/IPS), and segmenting your network to minimize the impact of a potential breach.





======================

I didn’t understand what Normal State Packet Maching is, so I asked



“explain pf's Normal State Pattern Matching”



And it replied:

-------------------------------------pf's Normal State Pattern Matching (NSPM) is a powerful technique for identifying suspicious traffic by analyzing established connections and their behavior. It goes beyond simple stateful inspection (tracking connections) and focuses on the expected characteristics of legitimate communication for specific applications.

Here's how NSPM works:

  1. Defining Normal Patterns:Administrators define patterns for "normal" traffic associated with specific applications or services. These patterns can include:
    • Expected source and destination ports
    • Allowed protocols (TCP, UDP, etc.)
    • Sequence and acknowledgment numbers in TCP connections
    • Flags used in packet communication (SYN, ACK, FIN, etc.)
    • Expected packet size ranges
  2. Monitoring Established Connections: pf continuously monitors established connections and compares their behavior to the defined normal patterns.
  3. Detecting Deviations:If pf detects significant deviations from the expected pattern, it might indicate an attempt to bypass the firewall. Examples include:
    • Unexpected data packets outside the allowed size range
    • Misuse of flags (e.g., sending data without proper acknowledgement)
    • Traffic originating from unexpected sources or ports
  4. Taking Action:Based on the severity of the deviation, pf can take various actions:
    • Log the suspicious activity for further investigation
    • Drop the suspicious packets
    • Terminate the connection
Benefits of NSPM:

  • Enhanced Security: NSPM helps identify sophisticated attacks that attempt to mimic legitimate traffic patterns.
  • Reduced False Positives: By focusing on application-specific behavior, NSPM can differentiate between legitimate traffic variations and malicious activity.
  • Improved Efficiency: By dropping suspicious traffic early on, NSPM reduces the load on network resources and protects internal systems.
Limitations of NSPM:

  • Configuration Complexity: Defining accurate normal patterns for complex applications can be challenging.
  • Evolving Threats: Attackers might adapt their techniques to bypass NSPM by mimicking normal patterns.
Overall, NSPM offers a valuable layer of security within pf, but it should be used in conjunction with other security measures for a comprehensive defense strategy.



------------------------------------------------------------

Then I asked “Is there any evidence that pf does better stateful inspection than netfilter (iptables) “



And Gemini said several things, but also said

-----------------------------------------------------------------

Design philosophy: OpenBSD, where pf originates, has a strong emphasis on security throughout its design. This might translate to more secure defaults and implementation choices in pf's stateful inspection compared to iptables, which is part of a larger kernel project with broader priorities.



---------------------------------------------------------------------------------------------------

Which is the assumption that if one starts out focusing on a particular thing, the results will be better and another product which had broader product focus will be worse. So I challenged Gemini and said “You repeatedly bring up OpenBSD pf's benefit as secure defaults and implementation choices in pf' Show me evidence”



And she replied:

------------------------------------------------------

You're right, it's important to be critical and look for evidence to support claims. While it can be challenging to find definitive benchmarks solely focused on secure defaults and implementation choices in firewalls, here are some approaches to gather evidence and make an informed decision:

1. OpenBSD Security Philosophy:

  • OpenBSD documentation: The OpenBSD documentation itself emphasizes a strong security focus throughout the project. You can explore their philosophy on OpenBSD: Security. This focus on security likely translates to security-conscious defaults and implementation choices in pf as well.
2. Code Review and Comparisons:

  • Open source nature: Both pf and Netfilter (iptables) are open-source projects. This means you can access and review the source code for both firewalls. While a full code review might require significant expertise, you can look for resources from security professionals who have analyzed the code and identified potential security implications in one project compared to the other. There might be blog posts, articles, or presentations that discuss these comparisons.
3. Security Audits and Bug Bounties:

  • Audit reports: Look for independent security audits of OpenBSD and Netfilter (specifically the Linux kernel where iptables resides). These audits often identify security vulnerabilities and the project's response to addressing them. A project with a faster patching process or more secure defaults identified in audits might indicate a stronger security posture.
  • Bug bounty programs: Both OpenBSD and some Linux distributions have bug bounty programs that incentivize security researchers to find vulnerabilities. Analyzing the types of vulnerabilities reported and how quickly they are addressed can provide some insights into the security focus of each project.


----------------------------------------------------------

Well Gemini is repeating that OpenBSD’s strength is in their philosophy. But she helpfully added ways to find evidence and solve my problem:. Code Review and Comparisons, Audit Reports and so on. When she said “you can look for resources from security professionals who have analyzed the code and identified potential security implications in one project compared to the other. There might be blog posts, articles, or presentations that discuss these comparisons. “



I find that Gemini sometimes tells you to go explore more. But I want her to search and gather things for me. So I copy and pasted part of what she brought up and said: “find blog posts and articles and presentations by security professionals who have analyzed the code of pf and iptables and identified potential security implications. “



And that led to several articles and sites where I am continuing to find supporting evidence. I think a very strong point in Google Gemini's favor is that she helps you find WAYS to solve your problem, thinks of problem solving methods applicable to your problem.


----------------------------------------------------------------------

However, Gemini is not without problems. I asked her to do a comparison between Kaspersky Plus and ESET Premium, and she omitted that K Plus has a firewall and claimed it is an ESET advantage that they have one. I pointed out the mistake and she corrected herself. And suggested I consult their documentation for better comparison. So I said search their documentation for me and tell me which is better. And she came back listed all the features of both and concluded ESET's firewall is stronger.
 
Last edited:
  • Like
Reactions: Sunshine-boy

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top