Inbound firewall


feniks
November 18th, 2007, 01:41 PM
Hi everyone.

It is easy to determine which firewall is good at leaktests because many people test that. But it is hard (for me) to find evaluations/tests of the inbound protection of these firewalls. I assume it is also much harder to do than leaktests.

But for me, as I learn here, and as the old saying goes - prevention is better than cure - firewall inbound protection is very, very important and that IMHO is supposed to be its main strength.

Can somebody direct me to some tests of firewalls inbound protection or advise me which firewalls are top one in that and why?

What should I look for in firewall capabilities, what is needed for secure inbound protection?

Possibly some experts advise? :)

lucas1985
November 18th, 2007, 02:10 PM
AFAIK, there aren't any tests which evaluate inbound/packet filtering abilities of firewalls.
Most people are happy that their firewall gets a Stealth checkmark at grc.com

WSFuser
November 18th, 2007, 02:14 PM
Here is a previous thread on inbound protection (http://www.wilderssecurity.com/showthread.php?t=177233) if you wish to give it a read over.

feniks
November 18th, 2007, 04:16 PM
{QUOTE-> Here is a previous thread on inbound protection (http://www.wilderssecurity.com/showthread.php?t=177233) if you wish to give it a read over. <-QUOTE}

Thank you for the read, but it did not answer the questions I have. Partially maybe, but the discussion is also a little old as regards the mentioned firewalls.

I am not talking about closing port or stealth ability. That is standard. Like Stem said:

{QUOTE-> The ability of a firewall to give "Stealth" in no way shows its ability to give inbound protection.

OK, I admit, the TCP/IP stack in the OS is now more protected due to patching/updates from Microsoft, but you need time to check for possible inbound attacks. We can go through many. I personally have found all others know better than I (as they put forward) so I will leave this to them (for now). <-QUOTE}

I do not agree with the last part of your statement Stem about "them".

So both of my questions are still open and not answered.

Diver
November 18th, 2007, 05:01 PM
I can not personally vouch for this, but some of the members around here like the inbound filtering on CHX-1 (no longer supported), Look'n'Stop, 8Signs, Jetico and Injoy.

All of these I have run at one time or another, and they are not the easiest bunch of fellas to get along with. If you use eMule, forget about 8Signs as it does not work right with Kademlia. CHX-1, if you can scrounge up a copy, requires a completely new way of making rules. LnS is a bit strange as well. Jetico throws more pop-ups than anything I can remember. I only took a quick look at Injoy, but it seems interesting.

Of this bunch only LnS and Jetico have outbound filtering.

This area is much more difficult to evaluate than leak testing, which is probably why information is hard to come by.

Stem
November 18th, 2007, 07:13 PM
{QUOTE-> I do not agree with the last part of your statement Stem about "them". <-QUOTE}Bad mood day. I was/am tired of users giving preference to firewalls that actually expect the user to be compromised (leak prevention), rather than putting filtering in place on inbound. (no insult intended to anyone,.. but should I care?)

For me, a firewall should, as a minimum, give full SPI. This for me is interception of TCP down to the sequence number,..... for such as UDP, a state table of outbound (record the outbound packet, with a timeout for the reply), the same for such as ICMP but more logic is needed (as an outbound ping could give a reply as "reply" or "timeout" etc).

There are a number of firewalls that say they give such; to what degree is the question.

As example:
Diver mentions CHX-I; this is quite an excellent packet filter (no application control). There is actually very little config needed, as there are rulesets available (simply: allow out and filter, and it works well).

dmenace
November 18th, 2007, 07:57 PM
My opinion is that the benchmark firewall (esp. in regards to inbound filtering) is Sygate 5.x Pro. Despite being no longer supported (as Sygate was bought by Symantec), firewalls age much less than other security software, and it is still the benchmark firewall when it comes to inbound filtering.

Why? Well, let's take Comodo Firewall Pro, the most leaktest-obsessed firewall on the planet. Yet if you go to Security > Define a new trusted network, all traffic from the IP range specified will be allowed! Yet for a home network you only need ports 135, 137, 138, 139 and 445 open. What this means is that if another computer on your network is compromised with a worm, it can easily compromise any computer running Comodo, as it allows any traffic (good/bad) from a trusted network.

Sygate, meanwhile, has an extensive inbound filtering system: for example, you can set it to allow you to browse the file shares of other computers on a LAN without them being able to browse you. I don't know many firewalls that give you that level of control. And that is just the beginning. See the screenshot attached for examples of all the features. What firewall today offers OS fingerprint masquerading, for example? In the above example, Comodo doesn't even have a proper IPS. Just simple port scan / DOS detection.

And the icing on the cake is that Sygate is lightweight and fast. Probably the current industry-leading firewalls like Outpost and ZoneAlarm Pro might have some of the features of Sygate, but they have a lot of junk such as anti-spyware and AV monitoring that is not required in a firewall and makes the firewall a RAM- and CPU-hogging behemoth it shouldn't be.

I am not trying to advertise Sygate, but rather pay tribute to one of the best software firewalls ever made, one that I continue to use today. However, I now sadly recommend Comodo knowing full well it is rubbish, feeding off the leaktest paranoia that surrounds software firewalls today.

On a final note many leaktest authors struggle to give examples of in the wild malware that utilises their method to bypass firewalls. You are more likely to be attacked with an unpatched software exploit such as those in IE. Here leaktest firewalls fail and those with IPS signatures pass.
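The "trusted network" point above, as an added illustration (constructed here, not code from Comodo, Sygate or any other product in the thread): a rule set that admits everything from a LAN range is compared with one that admits only the sharing ports the post lists. The LAN range, the sample addresses and the hypothetical worm probe to port 3389 are assumptions.

```python
"""Constructed rule-matching demo: a "trusted network" rule that admits all traffic
from a LAN range versus a rule set that admits only the sharing ports the post names
(135, 137, 138, 139, 445). Addresses are RFC 1918 / RFC 5737 sample values."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Rule:
    action: str                             # "allow" or "deny"
    src: ipaddress.IPv4Network              # source range the rule applies to
    proto: Optional[str] = None             # None matches any protocol
    dports: FrozenSet[int] = frozenset()    # empty matches any destination port


def first_match(rules, src_ip, proto, dport, default="deny"):
    """First matching rule wins; inbound traffic matching nothing gets the default."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if ip in r.src and r.proto in (None, proto) and (not r.dports or dport in r.dports):
            return r.action
    return default


LAN = ipaddress.ip_network("192.168.1.0/24")                # assumed home LAN range
SHARING_PORTS = frozenset({135, 137, 138, 139, 445})        # ports named in the post

TRUSTED_NETWORK = [Rule("allow", LAN)]                      # weak: anything from the LAN range
TIGHT_LAN = [Rule("allow", LAN, None, SHARING_PORTS)]       # only the sharing ports from the LAN


def compare(src_ip, proto, dport):
    """Verdicts of the weak rule set and of the tight one for the same inbound packet."""
    return (first_match(TRUSTED_NETWORK, src_ip, proto, dport),
            first_match(TIGHT_LAN, src_ip, proto, dport))
```

A probe from a compromised LAN host to a port the household never uses (the constructed 3389 case) is allowed by the first set and denied by the second; traffic from outside the range is denied by both, so the difference is entirely in what a misbehaving neighbour on the trusted range can reach.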

dmenace
November 18th, 2007, 07:58 PM
Screenshot (found on internet)

Stem
November 18th, 2007, 08:35 PM
{QUOTE-> Screenshot (found on internet) <-QUOTE}All looks very nice. Are you able to explain and show the protection?

Simple example:
DOS protection: against what? (please name). Most, as said by users on this forum, are "outdated", which I agree most are. But as with viruses, attack methods change. I do know various methods of DOS (and various) which will bypass a lot of firewalls.
Anti-MAC spoofing: This I find amusing. From all the firewalls I see, there is no protection here (out of the box ~ a need to create rules),.. simply because no binding is first made to the gateway. I see a number of attempts by firewalls,... such as OP Pro, that will block the MAC of the gateway when a spoof attempt is made (it should be the IP within the packet, not the MAC); the user is then blocked (DOS'ed) anyway.

Diver
November 18th, 2007, 09:25 PM
dmenace-

What is that a screenshot of? I am going to guess it is Sygate Pro. At any rate the IDS signatures are way out of date if you want to use Sygate. The technology is in use in Symantec Endpoint 11.

Also, I don't think it matters much if all traffic is allowed or just the NetBIOS ports. If there is a worm, it's going to look for the NetBIOS ports first in all likelihood. You don't have to use the default rules made by the wizard either. Comodo will work with tighter NetBIOS rules. I just have not figured out how to get tighter rules to work with allowing a VMware guest to access the host.

Stem-

I seem to remember there was a simple CHX-1 rule set that would do the job for most. It's so elegant that it is baffling.

What I mainly remember is with that list of firewalls (except for Injoy which I only briefly looked at) I spent way too much time playing around with the rules. I probably spent way too much time messing with Kerio 2.15 as well. I would likely set up much looser rules if working with any rule based firewall today.

---

There is probably a bunch wrong with Comodo 2.4, but it is so easy to deal with. True, it was designed with leak testing in mind, but I would hardly say the authors were obsessed with that one factor because they really got the user friendly part right.

gud4u
November 19th, 2007, 04:36 PM
I'm certainly no security expert, but I'll comment anyway.

It doesn't require much security savvy to install a NAT router with SPI protection for very good inbound protection:
- Select one.
- Read the manual.
- Install, update the latest firmware and configure the router.

It's a first-layer approach that offers good inbound protection - regardless of whatever software firewall you select.

I'd also suggest that you should expand your requirements for a software firewall to include both inbound and outbound connection protection. Often, a user's first indication of malware presence is a software firewall alert about an outbound-connection-attempt by a suspicious program.

An excellent suggested software firewall for the novice is Comodo 2.4. It passes 'Shields Up' and combines good inbound and outbound protection, plus limited HIPS functions.

And never forget that inbound protection is highly dependent on the user's discretion to be careful about the sites you visit and the 'free' downloads the user authorizes.

Hope this helps!

ggf31416
November 19th, 2007, 07:23 PM
{QUOTE->
And never forget that inbound protection is highly dependent on the user's discretion to be careful about the sites you visit and the 'free' downloads the user authorizes.
<-QUOTE}

I don't see how inbound protection can be dependent on surfing habits when everything downloaded by the browser comes via outbound connections.

wat0114
November 19th, 2007, 07:30 PM
{QUOTE-> I don't see how inbound protection can be dependent on surfing habits when everything downloaded by the browser comes via outbound connections. <-QUOTE}

Not all connections are outbound:

Three Way Handshake (http://www.tcpipguide.com/free/t_TCPConnectionEstablishmentProcessTheThreeWayHandsh-4.htm)

woobook
November 20th, 2007, 12:19 AM
{QUOTE->

Stem, you are a firewall expert and you like inbound quality. Can you tell me which of the above has the best inbound protection with minimal hassle? If they have it at all (more than just stealth etc.), or do I have to look for something else?

<-QUOTE}

There are five beautiful girls in Stem's office. You come in and ask him, Can you tell me which is the most beautiful girl in this office.
^_^

Hairy Coo
November 20th, 2007, 01:22 AM
Exactly;D

Unreasonable questions - everyone's preferences are different.

So choose the one that best suits you - they are all GOOD, maybe one is a bit naughtier than another, but there wouldn't be much in it.

feniks
November 20th, 2007, 01:30 AM
{QUOTE-> There are five beautiful girls in Stem's office. You come in and ask him, Can you tell me which is the most beautiful girl in this office.
^_^ <-QUOTE}

Yes, that would be not polite. :)

How should I ask this question, take Stem aside out of the office? :)

Maybe he can PM me? Would that be possible and proper? :)

Well, maybe I asked the wrong way; maybe I should ask - can you describe to me the inbound protection qualities of these beauties?

Well, I need to know if they have SPI (I only found out that ESS and WDF have it for sure) and how about its implementation?

Does any of these 5 have full SPI?

Or is there no way for me to get expert advice on the 5 firewalls? Not some recommendation from a fan of one of them. A kind of honest comparison/benchmark of the inbound protection capabilities of these five.

Hairy Coo
November 20th, 2007, 01:35 AM
Fenik-with all due respect-you are unlikely to get more deep and meaningful information-you have enough.

This is already your second thread on the same type of subject,plus numerous posts.

You keep on asking the same questions!

Don't you think it's time to take the plunge and make a decision - the risk really isn't big.

feniks
November 20th, 2007, 01:41 AM
{QUOTE-> Exactly;D

Unreasonable questions - everyone's preferences are different.

So choose the one that best suits you - they are all GOOD, maybe one is a bit naughtier than another, but there wouldn't be much in it. <-QUOTE}

Hi, Hairy Coo.

So are you saying that there is no significant difference between them? (in inbound prot.)

I know they are stealth etc. But the Windows XP firewall is too, and it has SPI.

What about their SPI or some problems or advantages/disadvantages that I even do not know about, but are important in inbound protection?

When I started the thread I asked for inbound tests, as leak tests are widely available.

Looks like there are not any, so maybe (hopefully) I get the answer here.

Actually I need to know about these 5 I mentioned above.

Hairy Coo
November 20th, 2007, 01:55 AM
Feniks

What can I say - the fact that you don't have all the info you personally want indicates that it's either not available - not considered relevant or important - has been previously posted or, more to the point, an expert isn't going to broadcast his top choice, as he just doesn't want to - so just leave it alone!

As I said, you can't keep on asking the same questions forever.:)

Make a decision ,you have enough knowledge:thumb:

Hairy Coo
November 20th, 2007, 02:27 AM
Feniks

My last post on this.

You seem to have good knowledge-just experiment with your new firewall or whatever other app. interests you.

Then you can help someone with advice ;D

Cheer up!

Stem
November 20th, 2007, 05:06 AM
{QUOTE-> Stem-

I seem to remember there was a simple CHX-1 rule set that would do the job for most. It's so elegant that it is baffling. <-QUOTE}There are a number of rulesets; it is really down to what you require/need on your setup.
I know a lot of users like to sit behind a router, then not use a software firewall; why pay for a router when CHX-I will protect as well, if not better? An HIPS with application control for internet access can be added.

There have been a number of threads concerning CHX-I, which would give the basics, and also links. Or start a new thread if info is required; there are other users of CHX-I.

Stem
November 20th, 2007, 05:14 AM
{QUOTE-> I don't see how inbound protection can be dependent on surfing habits when everything downloaded by the browser comes via outbound connections. <-QUOTE}It is the filtering of the returned packets. Do remember that everything you see on your PC monitor when browsing has been downloaded to your PC. (so you do need to filter this inbound)
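Stem's description of "full SPI" (a state table keyed on what the host sent out, TCP checked down to flags and sequence number, UDP and ICMP admitted only against a recorded outbound packet with a timeout), the three-way handshake link, and the point just above about filtering the returned packets, as one added toy example. It is constructed for this thread and is not code from CHX-I or any other firewall discussed; the host address, timeouts, flag-combination list and the packet trace in run_demo() are all assumptions chosen for illustration.

```python
"""Toy stateful packet inspection (SPI) filter, constructed for illustration only.
Unsolicited inbound packets are dropped; a TCP reply must match an outbound SYN by 5-tuple,
flags and sequence number; UDP replies are admitted only while a timed state entry exists;
ICMP replies/errors only against an outstanding echo request. RFC 5737 addresses, constructed trace."""
from dataclasses import dataclass

LOCAL_IP = "192.0.2.10"                  # assumed address of the protected host (constructed)
UDP_TIMEOUT, ICMP_TIMEOUT = 30.0, 5.0    # seconds a UDP flow / echo request may await a reply
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11

def illegal_tcp_flags(f):                # null, SYN+FIN, SYN+RST and xmas combinations
    return f == 0 or bool(f & SYN and f & (FIN | RST)) or f == FIN | PSH | URG

@dataclass
class Packet:
    proto: str                           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: int = 0                       # tcp
    seq: int = 0                         # tcp
    ack: int = 0                         # tcp
    icmp_type: int = 0                   # icmp
    icmp_id: int = 0                     # icmp echo identifier
    ts: float = 0.0                      # arrival time in seconds

@dataclass
class Entry:
    state: str
    expires: float
    iss: int = 0                         # our initial sequence number (tcp only)

class StatefulFilter:
    def __init__(self):
        self.table = {}                  # flow key -> Entry

    def process(self, p):
        for k in [k for k, e in self.table.items() if e.expires <= p.ts]:
            del self.table[k]            # expire stale state first
        return getattr(self, "_" + p.proto)(p, p.src == LOCAL_IP)

    def _tcp(self, p, outbound):
        if illegal_tcp_flags(p.flags):
            return "DROP illegal flags"
        if outbound:
            key = ("tcp", p.src, p.sport, p.dst, p.dport)
            if p.flags == SYN:           # new connection from this host: remember our ISN
                self.table[key] = Entry("SYN_SENT", p.ts + 60, iss=p.seq)
                return "ALLOW"
            return "ALLOW" if key in self.table else "DROP no state"
        e = self.table.get(("tcp", p.dst, p.dport, p.src, p.sport))
        if not e:
            return "DROP unsolicited"
        if e.state == "SYN_SENT":        # only a SYN-ACK acknowledging our ISN may answer
            if p.flags != SYN | ACK or p.ack != e.iss + 1:
                return "DROP bad handshake"
            e.state, e.expires = "ESTABLISHED", p.ts + 3600
        return "ALLOW"

    def _udp(self, p, outbound):
        if outbound:
            self.table[("udp", p.src, p.sport, p.dst, p.dport)] = Entry("OPEN", p.ts + UDP_TIMEOUT)
            return "ALLOW"
        return "ALLOW" if ("udp", p.dst, p.dport, p.src, p.sport) in self.table else "DROP unsolicited"

    def _icmp(self, p, outbound):
        if outbound:
            if p.icmp_type == ECHO_REQUEST:
                self.table[("icmp", p.src, p.dst, p.icmp_id)] = Entry("PING", p.ts + ICMP_TIMEOUT)
            return "ALLOW"
        if p.icmp_type == ECHO_REPLY:
            return "ALLOW" if ("icmp", p.dst, p.src, p.icmp_id) in self.table else "DROP unsolicited"
        if p.icmp_type in (DEST_UNREACH, TIME_EXCEEDED):   # errors arrive from intermediate hops,
            pending = any(k[0] == "icmp" and k[3] == p.icmp_id for k in self.table)  # so match id only
            return "ALLOW" if pending else "DROP unsolicited"
        return "DROP unsolicited"        # e.g. an inbound echo request: the host stays silent

def run_demo():
    """Run a constructed trace through the filter; returns one verdict per packet."""
    fw, peer, scanner = StatefulFilter(), "198.51.100.7", "203.0.113.99"
    trace = [
        Packet("tcp", LOCAL_IP, peer, 49152, 80, flags=SYN, seq=1000, ts=0.0),                  # our SYN
        Packet("tcp", peer, LOCAL_IP, 80, 49152, flags=SYN | ACK, seq=5000, ack=4242, ts=0.1),  # forged, wrong ack
        Packet("tcp", peer, LOCAL_IP, 80, 49152, flags=SYN | ACK, seq=5000, ack=1001, ts=0.2),  # genuine SYN-ACK
        Packet("tcp", peer, LOCAL_IP, 80, 49152, flags=PSH | ACK, seq=5001, ack=1001, ts=0.4),  # server data
        Packet("tcp", scanner, LOCAL_IP, 40000, 445, flags=SYN, seq=1, ts=1.0),                 # unsolicited SYN
        Packet("tcp", scanner, LOCAL_IP, 40001, 445, flags=FIN | PSH | URG, ts=1.1),            # xmas probe
        Packet("udp", LOCAL_IP, peer, 53000, 53, ts=2.0),                                       # DNS query
        Packet("udp", peer, LOCAL_IP, 53, 53000, ts=2.1),                                       # DNS reply
        Packet("udp", peer, LOCAL_IP, 53, 53000, ts=2.1 + UDP_TIMEOUT + 1),                     # reply after timeout
        Packet("icmp", LOCAL_IP, peer, icmp_type=ECHO_REQUEST, icmp_id=7, ts=40.0),             # ping out
        Packet("icmp", "192.0.2.1", LOCAL_IP, icmp_type=TIME_EXCEEDED, icmp_id=7, ts=40.1),     # error from a hop
        Packet("icmp", scanner, LOCAL_IP, icmp_type=ECHO_REQUEST, icmp_id=1, ts=40.3),          # inbound ping
    ]
    return [fw.process(p) for p in trace]
```

The trace walks the cases from the thread: the forged SYN-ACK with the wrong acknowledgement number is refused even though its 5-tuple matches our outstanding SYN, the genuine one opens the flow, the scanner's SYN and xmas probe to port 445 never reach a state lookup that could admit them, the DNS reply is accepted only inside the UDP timeout window, and the ICMP "time exceeded" from a hop is admitted because a ping is pending while an inbound echo request is not. A real filter additionally matches the IP header quoted inside ICMP errors rather than the echo id alone; that is the one simplification worth keeping in mind.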

Stem
November 20th, 2007, 05:18 AM
{QUOTE-> Stem said that he is here for help. But I think it does not apply to beginners. <-QUOTE}I will help any member (time permitting), but I will not get caught up in a "which firewall is best" thread. It just leads to flame wars.

FadeAway
November 20th, 2007, 05:50 AM
CHX is the best inbound packet filter I ever found. I ran it as my
only firewall for the last two years I was on dial-up. I'm on DSL
behind a router now, but I still run it anyway, as it allows me to
create rules for ports, protocols, and IPs. Its SPI is about as good
as it gets, and logging is fantastic. It's one of the lightest firewalls I
know of. It works on XP.

There is a great deal of information in past threads at Wilders, as
Stephan R, one of its developers used to post here to provide guidance.

There is also a forum here:

http://www.sscnetwork.net/

See also these Wilders threads (there are others):

http://www.wilderssecurity.com/showthread.php?t=65266&highlight=CHX-I

http://www.wilderssecurity.com/showthread.php?t=124457&highlight=green

http://www.wilderssecurity.com/showthread.php?t=139457

If you try it, I'll bet you'll get help from some really expert forum
members. I learned it by reading every post about it at Wilders that
I could find.

feniks
November 20th, 2007, 10:11 AM
{QUOTE-> I will help any member (time permitting), but I will not get caught up in a "which firewall is best" thread. It just leads to flame wars. <-QUOTE}

Stem please accept my apologies. That was overreaction caused by my ignorance about forum rules or etiquette. I have to learn not only security matters. The post was deleted.

I know I keep asking the same questions. Maybe somebody can direct me to answers?

From what I understand from your posts these subjects are important, and many days of searching did not bring my answer. I am too small to test the applications myself. The producers' sites do not tell that much.

As you seem to be an expert in both subjects (firewalls and etiquette), can you tell me if these questions below are also not proper to ask?

I will accept any answer.

1. Well, I need to know if they have SPI (I only found out that ESS and WDF have it for sure) and how about its implementation?

2. Does any of these 5 have full SPI?

3. Some problems or disadvantages that I even do not know about, but are important in inbound protection?

I am talking about ZA, OA, WDF, ESS, as Outpost does not like my system.

feniks
November 20th, 2007, 10:15 AM
{QUOTE-> CHX is the best inbound packet filter I ever found. I ran it as my
only firewall for the last two years I was on dial-up. I'm on DSL
behind a router now, but I still run it anyway, as it allows me to
create rules for ports, protocols, and IPs. Its SPI is about as good
as it gets, and logging is fantastic. It's one of the lightest firewalls I
know of. It works on XP.

There is a great deal of information in past threads at Wilders, as
Stephan R, one of its developers used to post here to provide guidance.

There is also a forum here:

http://www.sscnetwork.net/

See also these Wilders threads (there are others):

http://www.wilderssecurity.com/showthread.php?t=65266&highlight=CHX-I

http://www.wilderssecurity.com/showthread.php?t=124457&highlight=green

http://www.wilderssecurity.com/showthread.php?t=139457

If you try it, I'll bet you'll get help from some really expert forum
members. I learned it by reading every post about it at Wilders that
I could find. <-QUOTE}

Thank you very much; this looks encouraging and interesting.

I already downloaded version 2.8 and 3.0; which should I start to use?

Is there any place to get the 3.0 manual, as the links here on Wilders are mostly not working now? And fluxgfx has a manual for 2.8.

Is the http://www.fluxgfx.com/ssc/ the same as sscnetwork?

Are these downloads and drivers from this thread most actual? http://www.wilderssecurity.com/showthread.php?t=166264&highlight=chx-i+drivers

FadeAway
November 20th, 2007, 01:31 PM
{QUOTE-> Thank you very much; this looks encouraging and interesting.

I already downloaded version 2.8 and 3.0; which should I start to use? <-QUOTE}

Version 2.8 required an activation key after 30 days, which is no longer
available for new users. Use version 3, as it requires no activation.
Version 3 mostly just added payload filtering, which is unnecessary
for the average home user.

There is an uploaded file which includes the v.3 installer, the WAN starter
rule set & the version 3 manual here:

http://rapidshare.com/files/71075321/CHX3.zip.html


Initial setup info can be found in this thread:

http://www.wilderssecurity.com/showthread.php?t=124457&highlight=green

For version 3, import the WAN start rules, not the workstation rules.

Remember, CHX allows all until you import or create a rule set.

If you create your own rules, always remember to set "allow" rules
at the lowest priority. It's all in the manual and in previous threads
here at Wilders. You will need to do lots of reading.


Good luck

feniks
November 20th, 2007, 02:13 PM
{QUOTE->
For version 3, import the WAN start rules, not the workstation rules. <-QUOTE}

I am behind a router, if that changes anything. But well, I start reading. ;)

{QUOTE-> It's all in the manual and in previous threads
here at Wilders. You will need to do lots of reading.

Good luck <-QUOTE}

Don't worry about that - I am a very inquisitive person. Some may say even too much. ;D

I start to suspect that CHX-I with a decent HIPS as application layer will not make concessions to any of the well-known and popular application/rule-based software firewalls, and maybe is what I am looking for...

PS. Downloaded without problems, thank you.

larryb52
November 20th, 2007, 02:59 PM
I know what I like when I run firewall & AV. Look 'n' Stop works for me; it is rule-based & lets 'me' be in control of my system, and also advises what is calling out. I don't know about others, but all the tests in the world including leak tests don't help me feel in control. I know others are supposed to be better at leak tests, but I like control over leaktests...

Diver
November 20th, 2007, 04:03 PM
{QUOTE-> An HIPS with application control for internet access can be added.

TCHX-I <-QUOTE}

Can Stem or anyone give the names of any HIPS with application control for internet access. This would appear to be less trouble than a HIPS that restricts all applications not white listed.

Stem is also very lucky to have five beautiful girls in his office.

WSFuser
November 20th, 2007, 04:07 PM
AppDefend, SSM, and ProSecurity *I think*.

19monty64
November 20th, 2007, 10:44 PM
ThreatFire using custom rules, listed here (http://www.wilderssecurity.com/showthread.php?t=191802) also. Uses no extra resources using ruleset from post 5-7

Hairy Coo
November 20th, 2007, 11:34 PM
Monty-have you customised TF and is it a good idea ?

19monty64
November 21st, 2007, 12:23 AM
{QUOTE-> Monty-have you customised TF and is it a good idea ? <-QUOTE}
Yes, I did the modifications from post 5-7, and left a couple apps. off the list. When I opened them I got 1 pop-up, allowed and remember, no problems. A couple of reboots, a bit of games and surfing, no slow-down. TF is still using less than 8MB/ram. For the 5 mins. it took to add the rules I'd say it's definitely worth the effort. The rest of the custom rules, well, I'll read up a bit more before tackling them. *****:thumb: :thumb:

Stem
November 21st, 2007, 03:28 AM
{QUOTE-> Stem please accept my apologies. That was overreaction caused by my ignorance about forum rules or etiquette. <-QUOTE}I was not referring to forum rules or etiquette, but to the fact that when involved in a thread with "which one is better" then flame wars happen.


{QUOTE-> I will accept any answer.
I am talking about ZA, OA, WDF, ESS as Outpost do not like my system. <-QUOTE}
First, I do not use (or install on users' PCs I support) any firewall that provides application access control then gives hard-coded rules to its own applications to allow them access, regardless of whether it makes unknown connections or not (as it could anyway ~ without users allowing this), so from that I will (in my reply) discard ZA and ESS.

WDF? what is that?

OA, no, it only makes state table, it will not check flags/sequence etc of TCP

WSFuser
November 21st, 2007, 10:20 AM
WDF = Webroot Desktop Firewall

feniks
November 21st, 2007, 10:55 AM
{QUOTE-> I was not refering to forum rules or etiquette, but on the fact that when involved in a thread with "which one is better" then flame wars happen. <-QUOTE}

Fully understand and accept. And I see specific questions about feature etc. are accepted. :)

{QUOTE->
WDF? what is that?
<-QUOTE}

Yes, like WSFuser said, Webroot Desktop Firewall. You tested Privatefirewall but I did not find my answer there (about inbound protection such as SPI (full?), SPI implementation etc.). In another post you said about Privatefirewall "I still have to check the packet filtering, so my opinion could change".

But you said on the test thread that you were kind of pleased with the outcome of the test and were waiting for some improvements. Webroot Desktop Firewall is version 6.0 of Privatefirewall; maybe you would like to test it and check if they fixed what you did not like? :)

rhuds13
November 21st, 2007, 12:22 PM
Would a person who has just say AV and SAS Pro and does not use P2P and such be safe just using Vista or XP FW?

FadeAway
November 21st, 2007, 01:37 PM
{QUOTE-> Would a person who has just say AV and SAS Pro and does not use P2P and such be safe just using Vista or XP FW? <-QUOTE}

I don't use bi-directional (inbound/outbound) firewalls because I
believe they provide a false sense of security. To my way of thinking,
the very existence of leak tests proves that. Others will disagree I'm
sure. My preference is to combine solid inbound firewalling with separate
internal detection such as HIPS & IDS which is not part of the firewall
software.

To answer your question, I would feel safe with your setup for general
use, but if I were visiting my bank online, I'd want a HIPS or IDS
in the mix.

Stem
November 21st, 2007, 05:18 PM
{QUOTE-> Yes like WSFuser said Webroot Desktop Firewall. You tested Privatefirewall but I did not find there my answer. (about inbound protectcion as SPI (full?) SPI implementation etc.) On other post you said about Privatefirewall "I still have to check the packet filtering, so my opinion could change" <-QUOTE}WDF, right,... I have not had time to look at that yet.
With Privatefirewall, I held off, as there were a couple of bugs, and the fact that the firewall did not intercept localhost.

Diver
November 21st, 2007, 07:34 PM
As I read this the question comes to mind, are the typical application oriented software firewalls being breached by inbound attacks? If so, which ones are the weakest?

If you have your computer behind a router you are not directly connected to the internet. Are there any brands or models of routers that are being breached by inbound attacks more so than others? Does it help to use open source firmware like Tomato or DD-WRT?

Even when I take my notebook on the road, it will be behind a router or wireless access point. There are going to be other users, but not more than 100 as compared to a direct internet connection with millions of users. Why isn't a typical application oriented firewall going to cut it?

I hear these concerns, but as I look around in various forums and tech news sites, I find a lack of tales of any of these problems happening. In all fairness I find a lack of tales of folks having an application-oriented firewall save the day when it catches a bot phoning home that got on there via a drive-by download and was missed by the AV because it was zero day.

It seems to me there is neither a compelling case for a sophisticated inbound packet filter nor an application oriented firewall that does not leak, within the bounds of Matousec's world.

Kerodo
November 21st, 2007, 09:40 PM
{QUOTE-> It seems to me there is neither a compelling case for a sophisticated inbound packet filter nor an application oriented firewall that does not leak, within the bounds of Matousec's world. <-QUOTE}
Diver, I think you have a good point, and one which I completely agree with. Especially regarding inbound. I would bet that perhaps 1 home user in 100,000 has ever seen any kind of real "attack" on either his router or firewall. To my mind, talking about the quality of inbound protection is pretty much a waste of time. Stick a simple cheap NAT router in front of your PC and call it a day. That's all you need....

Diver
November 21st, 2007, 10:49 PM
From the Matousec site:

"A good personal firewall offers both inbound and outbound protection. The inbound protection means that packets sent from the Internet or local area network to your computer are filtered and only ports that you want to be open are accessible. This protection is standard and is very good and reliable in almost all personal firewalls. On the other hand is the outbound protection which cause problems to all vendors nowadays."

That's his opinion. If he is right, except for a few exceptions all software firewalls get the inbound filtering job done.

Stem
November 22nd, 2007, 12:54 AM
{QUOTE-> It seems to me there is neither a compelling case for a sophisticated inbound packet filter <-QUOTE}Do you think that full SPI is sophisticated, and beyond correct implementation by firewalls?
Realise, that a good SPI firewall will filter out bad packets/ spoof attempts etc, without a need for user interaction.

{QUOTE-> That's his opinion. If he is right, except for a few exceptions all software firewalls get the inbound filtering job done. <-QUOTE}What do you think that "Inbound filtering" actually is?

Diver
November 22nd, 2007, 10:19 AM
Stem,

I can't answer your questions on inbound filtering because I don't understand the technology the way you do. All I know is that is what Matousec, a supposed expert says. Because of my legal training there is a suspect aspect to a guy who makes his living testing outbound leak performance making such a statement. There is a difference between a packet getting through that shouldn't and that packet doing any damage.


Most of the successful attacks today are coming via http from cracked websites or downloaded Trojan games and screen savers. As far as I know, the default firewall in XP stops the worms floating around the internet even on a direct connection. I have not seen any advisories that say otherwise. For a directed attack I don't know, but do I really have to worry about that?

The question is, are the typical personal firewalls that most of us use actually being breached by inbound attacks, not are they theoretically subject to an attack?

My hunch is when an attack is not detected (after the fact) by a so called leak proof firewall it is probably a result of the user misinterpreting the pop up warning and allowing the connection because they were concentrating on something else.

Stem
November 22nd, 2007, 10:24 PM
Diver,
{QUOTE-> I can't answer your questions on inbound filtering because I don't understand the technology the way you do. All I know is that is what Matousec, a supposed expert says. <-QUOTE}At one time, "Matousec" site was concerned with coding/stability of firewalls, but now it appears mainly to be a "leaktest" site, using "leaks" taken from various other sites.
{QUOTE-> There is a difference between a packet getting through that shouldn't and that packet doing any damage. <-QUOTE}I have seen firewalls fail due to various types (or a combination) of illegal/bad packets, which should be dropped by a good SPI.

Diver
November 22nd, 2007, 11:13 PM
Stem,

I am not trying to pull your leg or anything. For me interpreting the available information and making personal cost to benefit calculations is the problem.

As I have indicated before, for Matousec, the temple of leak testing, to dismiss the inbound performance differences of all firewalls in a single sentence is suspect.

On the other hand, it is very difficult to obtain meaningful objective information on inbound performance, and on the practical benefit of either improved inbound or outbound (leak) filtering. It would be very interesting if a few novices were put in front of Matousec's computers while they were being tested and told to respond to the firewall prompts while browsing or doing some other work. They would get it wrong most of the time.

Someone like yourself will know the technical benefits of different designs, and the possibilities for things to go wrong, but that is not the same as things actually going wrong at a rate that one must be concerned about. An XP SP1 machine will last about 20 minutes with no firewall and a direct connection. How long does a patched SP2 box go with the Windows firewall on with a direct connection and just sitting there without browsing? It must be indefinitely, or we would be hearing about it all the time. Believe me, I will not be running a patched SP2 box with just the windows firewall on a direct internet connection, or any other computer on a direct internet connection.

When I mention cost to benefit ratios, it is not so much the difference between a $40 firewall and one that is free as the amount of trouble it is to deal with the program. Just look at the thread on the free Comodo 3.0 and see how many members of this board are overwhelmed by it. The same could be said for several HIPS or firewalls with HIPS features.

It is unfortunate, but the most serious threats are from packets being passed properly by proper firewalls. Those are trojan downloads and drive by attacks.

Stem
November 23rd, 2007, 09:02 AM
Diver,
{QUOTE-> It is unfortunate, but the most serious threats are from packets being passed properly by proper firewalls. Those are trojan downloads and drive by attacks. <-QUOTE}I have seen various definitions of "Drive by attacks", from attacks on routers / attempt to spoof/poison the DNS cache /exploit browsers / redirect browsers, etc, so it would depend of your definition of "Drive by attack".

If we are looking at "drive by attacks"~ "download", then I agree that most firewalls will not filter to such a level, we would need to move on to "deep packet inspection" (or "Payload Filtering" as put by CHX-I). But this does come at a cost of CPU time, and I know users of P2P clients would not be happy with the CPU taken for the processing.(certainly with "Injoy"~,... CHX-I, I have not really made much testing with the "payload filters", as it was a little buggy at times).

Bottom line, for me, if there was only one possible bypass/problem due to lack of full SPI, then this is enough for me to chase vendors to implement full SPI.
Take a look at Outpost pro "attack plugin", would you consider this outdated/not needed?

Diver
November 23rd, 2007, 09:55 AM
Stem-

A drive by attack, according to an article I saw recently, involves using a security flaw in the browser to cause an executable file downloaded into the cache of the browser to execute when it should not.

I am not familiar with the Outpost plug-in that you mentioned. Perhaps you can give us more details.

It would be helpful to all of us if you would give more details in general. You know a lot more than most of us. I, for one, would like to know about the inbound capabilities of more firewalls, and just what the real world benefits of these capabilities are. Matousec's statement that nearly all of them have the inbound side worked out is a bit frustrating.

feniks
November 23rd, 2007, 10:21 AM
{QUOTE-> Stem-

It would be helpful to all of us if you would give more details in general. You know a lot more than most of us. I, for one, would like to know about the inbound capabilities of more firewalls, and just what the real world benefits of these capabilities are. Matousec's statement that nearly all of them have the inbound side worked out is a bit frustrating. <-QUOTE}

Can I also have same request? :)

Stem You did test Privatefirewall but in the thread about it there is no answer to my question and you did not answer it here. May I try again? :)

The question was:

You tested Privatefirewall but I did not find there my answer. (about inbound protection as SPI (full?) SPI implementation etc.)

Also, it is blocking many http and https in/out while browsing; is that SPI filtering like CHX-I or something else?

In CHX-I the log is more detailed and by the nature of this program it is easy to assume what the reason for blocking is. However in PF the log is not so detailed. ???

Stem
November 23rd, 2007, 10:43 AM
Diver-
{QUOTE-> A drive by attack, according to an article I saw recently, involves using a security flaw in the browser to cause an executable file downloaded into the cache of the browser to execute when it should not. <-QUOTE}There are many articles, such as "Drive-by on routers" (http://www.informationweek.com/blog/main/archives/2007/02/new_driveby_att.html). So are you referring to actual browser exploits?


{QUOTE-> I am not familiar with the Outpost plug-in that you mentioned. Perhaps you can give us more details. <-QUOTE}

(attachment 195372: screenshot of the Outpost attack plug-in)

Stem
November 23rd, 2007, 10:56 AM
{QUOTE-> Stem You did test Privatefirewall but in the thread about it there is no answer to my question and you did not answer it here. May I try again? :)

The question was:

You tested Privatefirewall but I did not find there my answer. (about inbound protection as SPI (full?) SPI implementation etc.) <-QUOTE}See post #40

{QUOTE-> Also it is blocking many http and https in/out while browsing what it is SPI filtering like CHX-I or something else?

In CHX-I the log is more detailed and by the nature of this program is easy assume what is the reason for blocking. However in PF the log is not so detailed. ??? <-QUOTE}Sorry, bad week,.. please explain more.

wat0114
November 23rd, 2007, 11:07 AM
{QUOTE-> Take a look at Outpost pro "attack plugin", would you consider this outdated/not needed? <-QUOTE}

What are your thoughts on Outpost's Attack plug-in, Stem. Effective or ineffective?

Stem
November 23rd, 2007, 11:10 AM
{QUOTE-> What are your thoughts on Outpost's Attack plug-in, Stem. Effective or ineffective? <-QUOTE}They are effective on what they are intended for, (but they introduce extra process for each packet,.. and do slow down connections. Correct/full SPI would drop most without a need for external process)

feniks
November 23rd, 2007, 11:25 AM
{QUOTE-> See post #40 <-QUOTE}

Sorry my bad english, held off = stop testing = did not test it yet. :-[

{QUOTE-> See post #40

Sorry, bad week,.. please explain more. <-QUOTE}

I mean something like this:

http://www.wilderssecurity.com/showpost.php?p=1111050&postcount=145

So I was wondering if that is some SPI filtering?

In CHX-I with wan start rules and all inspections (arp, tcp, udp, icmp) checked also the same entries and the reason was "out of connection" flags ACK RST.

So can I assume that Webroot has some SPI filtering similar to CHX-I and that is the reason for blocking?

Diver
November 23rd, 2007, 12:15 PM
Stem,

I thought it was clear that I was referring to browser attacks.

As far as the router attack you link to goes, anyone who does not change the default password on their router is making a mistake. I have walked into businesses with free wifi for customers and accessed their router via the default password, then called the manager and explained the situation to them just to see the expression on their face. This often happens at scuba diving shops where they are more focused on life underwater than above.

Thanks for the screen shot, but what does the plug-in do? Does it simply identify the attack? Does Outpost or the typical personal firewall repel these attacks? What is a Nestea attack, is it like Long Island ice tea?

Stem
November 23rd, 2007, 12:21 PM
{QUOTE-> Sorry my bad english, held off = stop testing = did not test it yet. :-[ <-QUOTE}Dont worry, my english is bad, I only fully understand binary/hex

{QUOTE-> I mean something like this:

http://www.wilderssecurity.com/showpost.php?p=1111050&postcount=145

So I was wondering if that is some SPI filtering? <-QUOTE}Don't know without further info (header info, current connection etc).

{QUOTE-> In CHX-I with wan start rules and all inspections (arp, tcp, udp, icmp) checked also the same entries and the reason was "out of connection" flags ACK RST. <-QUOTE}
"Out of connection" - This can represent either a non-SYN scan or a packet arriving after a particular timeout value has caused the tear down of a connection. The same applies to an unsolicited UDP/ICMP packet.
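To make Stem's three cases concrete (a non-SYN scan probe, a packet arriving after the idle timeout tore the entry down, and an unsolicited UDP/ICMP packet), here is an added toy stateful filter in Python. It is not code from the thread or from any of the firewalls discussed; the packet model, the table layout, the timeouts and the addresses in the scenario are all constructed for the example. It also generalizes the "unsolicited ICMP" case slightly: an ICMP error is accepted only when the header it quotes matches a connection the host itself opened, which is the check that defeats blindly forged ICMP messages.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed packet model: just the header fields a state table needs (no real capture).
@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()    # TCP flags, e.g. frozenset({"SYN", "ACK"})
    inner: Optional["Packet"] = None  # ICMP errors quote the header of the packet that caused them

Key = Tuple[str, int, str, int]       # (proto, local port, remote ip, remote port)

class StatefulFilter:
    """Toy SPI engine: inbound packets are allowed only for connections this host
    opened itself; anything without a live table entry is 'out of connection'."""

    def __init__(self, local_ip: str, tcp_timeout: float = 300.0, other_timeout: float = 30.0):
        self.local_ip = local_ip
        self.tcp_timeout, self.other_timeout = tcp_timeout, other_timeout
        self.table: Dict[Key, Tuple[str, float]] = {}   # key -> (state, last_seen)

    def _key(self, pkt: Packet) -> Optional[Key]:
        # Same key for both directions, so a reply finds the entry its request created.
        if pkt.src == self.local_ip:
            return (pkt.proto, pkt.sport, pkt.dst, pkt.dport)
        if pkt.dst == self.local_ip:
            return (pkt.proto, pkt.dport, pkt.src, pkt.sport)
        return None

    def _expire(self, now: float) -> None:
        # Idle entries are torn down; a later packet for them is 'out of connection'.
        for key, (_, seen) in list(self.table.items()):
            limit = self.tcp_timeout if key[0] == "tcp" else self.other_timeout
            if now - seen > limit:
                del self.table[key]

    def process(self, pkt: Packet, now: float) -> str:
        self._expire(now)
        if pkt.proto == "icmp" and pkt.inner is not None:
            # ICMP error: accept only if the quoted packet is one this host sent on a live
            # connection. A blind forger (e.g. fake "fragmentation needed") must guess the 4-tuple.
            if pkt.inner.src != self.local_ip or self._key(pkt.inner) not in self.table:
                return "DROP: ICMP error does not match a live connection"
            return "ALLOW"
        key = self._key(pkt)
        if key is None:
            return "DROP: not addressed to or from this host"
        return self._outbound(key, pkt, now) if pkt.src == self.local_ip else self._inbound(key, pkt, now)

    def _outbound(self, key: Key, pkt: Packet, now: float) -> str:
        entry = self.table.get(key)
        if pkt.proto != "tcp":
            self.table[key] = ("EXPECT_REPLY", now)      # UDP/ICMP: remember that we asked
        elif "SYN" in pkt.flags and "ACK" not in pkt.flags:
            self.table[key] = ("SYN_SENT", now)          # host opens a connection
        elif entry is None:
            return "DROP: outbound TCP segment for unknown connection"
        elif "RST" in pkt.flags:
            del self.table[key]                          # host aborted; expect nothing more
        else:
            self.table[key] = (entry[0], now)
        return "ALLOW"

    def _inbound(self, key: Key, pkt: Packet, now: float) -> str:
        entry = self.table.get(key)
        if entry is None:
            # Non-SYN scans (bare ACK/RST/FIN probes), unsolicited SYNs, unsolicited
            # UDP/ICMP and packets for already expired connections all land here.
            return "DROP: out of connection"
        state, _ = entry
        if pkt.proto == "tcp":
            if "RST" in pkt.flags:
                del self.table[key]                      # peer closed or refused
                return "ALLOW"
            if state == "SYN_SENT":
                if pkt.flags != frozenset({"SYN", "ACK"}):
                    return "DROP: unexpected flags during handshake"
                state = "ESTABLISHED"
        self.table[key] = (state, now)
        return "ALLOW"

def tcp(src: str, sport: int, dst: str, dport: int, *flags: str) -> Packet:
    return Packet("tcp", src, sport, dst, dport, frozenset(flags))

def run_scenario() -> Dict[str, str]:
    """Constructed traffic timeline (RFC 5737 documentation addresses); returns each step's verdict."""
    me, web, dns, rogue = "192.0.2.10", "198.51.100.20", "198.51.100.53", "203.0.113.99"
    fw = StatefulFilter(me)
    v: Dict[str, str] = {}
    v["syn_out"] = fw.process(tcp(me, 40001, web, 443, "SYN"), 0.0)
    v["synack_in"] = fw.process(tcp(web, 443, me, 40001, "SYN", "ACK"), 0.1)
    v["ack_out"] = fw.process(tcp(me, 40001, web, 443, "ACK"), 0.2)
    v["data_in"] = fw.process(tcp(web, 443, me, 40001, "ACK", "PSH"), 1.0)
    v["ack_scan"] = fw.process(tcp(rogue, 55555, me, 40001, "ACK"), 1.1)   # non-SYN scan probe
    v["rst_unknown"] = fw.process(tcp(rogue, 80, me, 1337, "RST"), 1.2)
    v["syn_unsolicited"] = fw.process(tcp(rogue, 4444, me, 3389, "SYN"), 1.3)
    v["dns_out"] = fw.process(Packet("udp", me, 50000, dns, 53), 2.0)
    v["dns_reply"] = fw.process(Packet("udp", dns, 53, me, 50000), 2.1)
    v["udp_unsolicited"] = fw.process(Packet("udp", rogue, 53, me, 50000), 2.2)
    real = tcp(me, 40001, web, 443, "ACK")        # segment this host really sent
    guess = tcp(me, 40002, web, 443, "ACK")       # what a blind forger might quote
    v["icmp_matching"] = fw.process(Packet("icmp", web, 0, me, 0, inner=real), 3.0)
    v["icmp_forged"] = fw.process(Packet("icmp", rogue, 0, me, 0, inner=guess), 3.1)
    v["late_ack"] = fw.process(tcp(web, 443, me, 40001, "ACK"), 1000.0)    # after tcp_timeout
    return v
```

The scenario is what a log line reading "out of connection, flags ACK RST" corresponds to: every inbound packet whose 4-tuple is not in the table is dropped the same way, whether it is a probe, a late segment for an expired entry, or a UDP/ICMP packet nobody asked for. Real engines add sequence-number windows and per-state timeouts on top of this; the point here is only that no user interaction is involved.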

feniks
November 23rd, 2007, 12:29 PM
{QUOTE->
Dont know without further info.(header info_ current connection etc)
<-QUOTE}

Unfortunately nothing like that in the log. >:(

Is there any way I can test/check it? I mean SPI implementation.

Or it is something beyond regular user like me?

Stem
November 23rd, 2007, 12:39 PM
{QUOTE-> Unfortunately nothing like that in the log. >:(

Is there any way I can test/check it? I mean SPI implementation.

Or it is something beyond regular user like me? <-QUOTE}If you are having problems or concerns, then install a sniffer, then at least we can see the full packets.
example: Use Ethereal (http://www.ethereal.com/) or wireshark (http://www.ethereal.com/) both free.

feniks
November 23rd, 2007, 12:46 PM
Hi Stem. Thank you very much for the answers. I consider them carefully and my bank of questions gradually becomes emptier. :)

I hope you not become impatient with me yet.

While I read the replies in this thread and Wilders at large I came to some conclusions (which please - can you confirm/reject/answer):

1. CHX-I is really decent in inbound filtering and protection and is not inferior to any of the popular firewalls today in this area of protection.

2. What I only need is decent outbound control and I will have quite a good firewall solution (CHX-I + outbound controlled with something)

3. You suggested HIPS and I am familiar with OA and DSA. Will that give me sufficient outbound control? Maybe there is something like HIPS and give me control over application connections (rules restricted where can go, maybe even IP control not just ports).

4. I observe that if I use Webroot firewall with CHX-I together then nothing is shown in WDF logs; all is in CHX-I logs. Does that mean that CHX-I filtering is before Webroot firewall?

I hope you can answer these questions. I will be really thankful and satisfied. ;D

EDIT: PS. This wireshark you mean I guess: Wireshark (http://www.wireshark.org/about.html) because your both links are to Ethereal . Do I need download Ethereal or only Wireshark will be fine to play with?

Stem
November 23rd, 2007, 12:52 PM
Diver,
{QUOTE-> I thought it was clear that I was referring to browser attacks. <-QUOTE}It was not clear (please point to post of clarity)

{QUOTE-> As far as the router attack you link to goes, anyone who does not change the default password on their router is making a mistake. I have walked into businesses with free wifi for customers and accessed their router via the default password, then called the manager and explained the situation to them just to see the expression on their face. This often happens at scuba diving shops where they are more focused on life underwater than above. <-QUOTE}Would this be the same as your statement of users in front of "Matousec" computers on test of leaks?

{QUOTE-> Thanks for the screen shot, but what does the plug-in do? Does it simply identify the attack? Does Outpost or the typical personal firewall repel these attacks? What is a Nestea attack, is it like Long Island ice tea? <-QUOTE}What is "Long Island ice tea", is this a related attack, or simply bullshit as I am finding your posts

Phant0m
November 23rd, 2007, 12:55 PM
{QUOTE-> *

What is "Long Island ice tea", is this a related attack, or simply bullshit as I am finding your posts <-QUOTE}


A cocktail..., including many ingredients :)

Stem
November 23rd, 2007, 12:57 PM
{QUOTE-> A cocktail..., including many ingredients :) <-QUOTE}LOL;D

wat0114
November 23rd, 2007, 02:15 PM
{QUOTE-> They are effective on what they are intended for, (but they introduce extra process for each packet,.. and do slow down connections. Correct/full SPI would drop most without a need for external process) <-QUOTE}

Thank you Stem. Without elaborating on how, I will bring this up with Agnitum's developers.

Diver
November 23rd, 2007, 02:51 PM
Stem,

My posts are not BS, and I feel sorry for you if you think that. My impression is that you are so immersed in the technology that you are losing sight of its practical implications and how ordinary computer users may benefit from it. That is not unlike the publishers of some of the very noisy and inconvenient to use HIPS programs or HIPS enabled firewalls. I am not sure if you are being a knowledge snob, lack written communications skills, or have become so comfortable with the technology that you have lost sight of how little everyone else understands, but you tend to dance around the answers and don't provide much usable information in the end.

From what I can distill from your fragmented answers it appears that the Outlook plug-in does no more than alert one to the type of attack, but does nothing to block it as you say a good packet filter will do that. The unanswered question is whether Matousec's statement that nearly all firewalls are effective at blocking undesirable inbound communications is true. I would expect there are differences in performance and that would be particularly desirable if many machines were behind a single firewall/gateway, but for the ordinary Joe, it probably does not matter.

Perhaps you did not understand my statement about users in front of Matousec's test computers. Simply, if the average Joe was faced with an actual exploit based on the concepts in the leak tests that Matousec uses he would receive some cryptic warning from the firewall or HIPS in question and more likely than not give the wrong response because he is concentrating on something else and has not a clue as to what is really going on to start with. Some products would give the user a better idea of the severity of the situation and thus the user would have a better chance of making the correct decision. However the less that the user is called upon to interact with the firewall or HIPS the less likely he is to do something wrong. A HIPS or firewall that never shuts up under safe conditions conditions the user to say yes to everything, thus undermining its purpose. For these reasons I believe many popular products will not accomplish their intended goal. In real life these will not perform as they do in the lab with experts manning the controls.

As for Long Island Iced Tea, it's the real deal, no BS:

1 jigger Vodka
1 jigger Gin
1 jigger Triple Sec
1 jigger Tequila
1 jigger White Rum
2 jiggers Sour Mix
Add Coke until it is the color of Iced Tea and serve over ice in a tall glass.

Two of these and you will not care about anything. Do not attempt to drive a car. Now, if you can provide that level of detail in your answers, the members around here might get educated, no BS.

Phant0m
November 23rd, 2007, 03:22 PM
"The ability of a firewall to give "Stealth" in no way shows its ability to give inbound protection." ... Stem statement is so very true, and nicely said too!

Kerodo; There are good reasons why many wouldn't see any kind of 'real attack' on either their routers or software firewalls. In regards to routers, not every router contains SPI capability, and the ones that do require the user to be capable of accessing its settings, and visit the logs without getting lost. You may have a router with SPI capability but not activated, or activated but not set to log. If the user could locate the Logs section, how long are entries kept with it? How often do the users take visits to the router's logs area? And would the user simply glance over some of the logging entries? Would the user even know what they are looking for? Not every router SPI shares the same implementation and logging characteristics. What do you think boots the router devices? ... software of course. And exactly what is its SPI implementation based upon? Does the router detail its SPI technical details, does it have full or stateful like SPI implementation? ... much of this applies the same for installed software firewalls.


Diver; So it's simply ignorance on the subject which prevents you from determining if a strong stateful software firewall product is of importance? I would also like to think that ignorance would be also what prevents most from stating something is useless and of no importance... I do recall several firewall experts, who most likely studied the subject on technical level, stating the importance of SPI capability. So what's there to discuss or argue about? Seeking technical information about this capability is okay..., of course, but debating over and over again whether it's of importance or not, I find very much a waste of time.


There are several reasons that make stateful packet inspection a very important firewall feature to have: it can handle malformed, invalid traffic and other malicious / unsolicited packets. For full / complex SPI, the router/software can drop different packets such as Denial of Service (DoS) attacks, Ping of Death, Port Scanning, SYN Flood, LAND Attack, and IP Spoofing.



Best Regards,
Phant0m``
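Phant0m's list names header-level attacks (LAND, spoofed sources, bad fragments) that a full SPI engine rejects before any rule or state lookup. As an added illustration, not from the thread or any product in it, here is a Python sanity checker that parses raw IPv4/TCP header bytes with `struct` and returns the reasons a packet should be dropped; the bogon list, the test packets and the addresses are constructed for the example, and checksums are left zero because nothing is sent. Rate-based detections (SYN flood, port scanning) need per-source counters and are not shown.

```python
import ipaddress
import struct
from typing import Dict, List

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Source ranges that must never arrive from the Internet (constructed list for the example).
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def tcp_header(sport: int, dport: int, flags: int) -> bytes:
    # seq=1, ack=0, data offset 5 words, window 65535, checksum 0, urgent 0
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)

def ipv4_packet(src: str, dst: str, body: bytes, more_frags: bool = False, offset: int = 0) -> bytes:
    frag_word = (0x2000 if more_frags else 0) | (offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0x1234, frag_word, 64, 6, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + body

def sanity_check(raw: bytes, wan_ip: str) -> List[str]:
    """Reasons a full SPI engine would drop this Internet-side packet before any rule; [] if clean."""
    reasons: List[str] = []
    if len(raw) < 20:
        return ["truncated: shorter than a minimal IPv4 header"]
    ver_ihl, _, total, _, frag_word, _, proto, _, src_b, dst_b = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total < ihl or len(raw) < total:
        return ["malformed: bad version, header length or total length"]
    src, dst = ipaddress.IPv4Address(src_b), ipaddress.IPv4Address(dst_b)
    if src == dst:
        reasons.append("LAND: source address equals destination address")
    if src == ipaddress.IPv4Address(wan_ip):
        reasons.append("spoof: packet claims our own WAN address as source")
    if any(src in net for net in BOGON_NETS):
        reasons.append(f"spoof: bogon source {src}")
    more_frags, offset = bool(frag_word & 0x2000), frag_word & 0x1FFF
    if offset == 1:
        reasons.append("fragment: offset 1 would overwrite the transport header on reassembly")
    if offset > 0 or proto != 6:
        return reasons          # later fragments carry no TCP header; only TCP is inspected here
    if total - ihl < 20:
        reasons.append("tiny fragment: first fragment too short to hold a TCP header"
                       if more_frags else "malformed: TCP header truncated")
        return reasons
    sport, dport, _, _, _, flags, _, _, _ = struct.unpack("!HHIIBBHHH", raw[ihl:ihl + 20])
    if src == dst and sport == dport:
        reasons.append("LAND: source port equals destination port")
    flags &= 0x3F
    if flags == 0:
        reasons.append("illegal flags: none set (null scan)")
    elif flags & SYN and flags & FIN:
        reasons.append("illegal flags: SYN+FIN")
    elif flags & SYN and flags & RST:
        reasons.append("illegal flags: SYN+RST")
    elif flags & (FIN | PSH | URG) == FIN | PSH | URG and not flags & ACK:
        reasons.append("illegal flags: FIN+PSH+URG without ACK (Xmas scan)")
    elif flags & FIN and not flags & ACK:
        reasons.append("illegal flags: FIN without ACK")
    return reasons

def run_checks() -> Dict[str, List[str]]:
    """Constructed packets (RFC 5737 documentation addresses); returns the drop reasons per case."""
    wan, peer = "192.0.2.7", "198.51.100.9"
    def pkt(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
        return ipv4_packet(src, dst, tcp_header(sport, dport, flags))
    return {
        "clean_syn": sanity_check(pkt(peer, wan, 40000, 443, SYN), wan),
        "clean_data": sanity_check(pkt(peer, wan, 40000, 443, ACK | PSH), wan),
        "land": sanity_check(pkt(wan, wan, 139, 139, SYN), wan),
        "bogon": sanity_check(pkt("10.0.0.1", wan, 40000, 22, SYN), wan),
        "syn_fin": sanity_check(pkt(peer, wan, 40000, 22, SYN | FIN), wan),
        "null_scan": sanity_check(pkt(peer, wan, 40000, 22, 0), wan),
        "xmas": sanity_check(pkt(peer, wan, 40000, 22, FIN | PSH | URG), wan),
        "tiny_frag": sanity_check(ipv4_packet(peer, wan, tcp_header(40000, 22, SYN)[:8], more_frags=True), wan),
        "overlap_frag": sanity_check(ipv4_packet(peer, wan, b"\x00" * 8, offset=1), wan),
        "truncated": sanity_check(pkt(peer, wan, 40000, 22, SYN)[:30], wan),
    }
```

Every check here is stateless and costs a few integer comparisons per packet, which is the point Stem makes about a correct SPI engine dropping such traffic "without a need for external process": the plug-in-style detectors only add value for what the header checks and the state table cannot decide on their own.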

Kerodo
November 23rd, 2007, 05:00 PM
{QUOTE->
Kerodo; There are good reasons why many wouldn't see any kind of 'real attack' on either their routers or software firewalls. In regards to routers, not every router contains SPI capability, and the ones that do require the user to be capable of accessing its settings, and visit the logs without getting lost. You may have a router with SPI capability but not activated, or activated but not set to log. If the user could locate the Logs section, how long are entries kept with it? How often do the users take visits to the router's logs area? And would the user simply glance over some of the logging entries? Would the user even know what they are looking for? Not every router SPI shares the same implementation and logging characteristics. What do you think boots the router devices? ... software of course. And exactly what is its SPI implementation based upon? Does the router detail its SPI technical details, does it have full or stateful like SPI implementation? ... much of this applies the same for installed software firewalls.

<-QUOTE}
I guess all I'm saying is, for all practical purposes, all these technical details make no difference anymore to me. I buy a cheap $40 NAT router, I don't even know if or what kind of SPI capability it has, nor do I care. I slap the router in place, plug it in, and I have no further troubles as far as inbound protection goes. I use it for years, never giving it a 2nd thought. And no further thought required.... ;)

Pedro
November 23rd, 2007, 05:19 PM
Diver, as Stem said, I also think that {QUOTE-> a good SPI firewall will filter out bad packets/ spoof attempts etc, without a need for user interaction <-QUOTE}
To give a different perspective, Alphalutra1 showed here some time ago his OpenBSD's pf ruleset, and how simple it is, yet how advanced it is.
{QUOTE-> Simply, if the average Joe was faced with an actual exploit based on the concepts in the leak tests that Matousec uses he would receive some cryptic warning from the firewall or HIPS in question and more likely than not give the wrong response because he is concentrating on something else and has not a clue as to what is really going on to start with. <-QUOTE}
The average Joe has never heard of HIPS or tried any firewall; any conclusion derived from this is wrong. I know maybe 1 person that has heard of Comodo, Jetico, SSM etc.
They are lucky if they use an up to date AV.
{QUOTE->
However the less that the user is called upon to interact with the firewall or HIPS the less likely he is to do something wrong. A HIPS or firewall that never shuts up under safe conditions conditions the user to say yes to everything, thus undermining its purpose. For these reasons I believe many popular products will not accomplish their intended goal. In real life these will not perform as they do in the lab with experts manning the controls.
<-QUOTE}
The HIPS will alert of something about to start, or something set in motion. Not having it is the same or worse than not having it, never better (excluding whatever CPU it uses etc.).
A good one should be silent after being configured. SSM free is silent here (most of the time disconnected) and I can now understand the big picture of its policies, pop-ups and GUI.
One that does not go silent after being set up is one that isn't finished (I have a hunch that's the case with D+).

feniks
November 23rd, 2007, 05:40 PM
I think that people and the makers of firewalls are so focused on leaking and outbound because of two sites - matousec and firewallleaktester. They are there and that for average people is some authoritative source of knowledge about firewalls.

Of course many people find their knowledge from some reviews which I found ridiculous at least and they do not prove anything. (How nice the GUI is :) etc.)

But can somebody direct me to tests on firewall inbound protection. Maybe where they testing even only SPI filtering implementation?

NO.

Then if somebody is more inquiring/digging then maybe start reading forums. Look here on Wilders - how much you can find about it? Such and such firewall this and this about inbound.

General theory yes - but nothing practical like which firewall should I buy if I need good inbound protection?

So people choose firewall based on matousec. Here Diver is right that for average user it will be useless because of lack of knowledge what to do. By the way I think you guys do not understand his point but maybe that is me and my english.

So I believe that inbound can be less troublesome in maintenance for average user and is important. But no maker of firewall will care about it if they do not have to. People do not even ask about it. But if they ask they do not get an answer.

I asked on Comodo forum about that aspect of CF and no answer. Look what happened to Comodo firewall but they change anything about inbound, spi? Why and who ask for that?

Here you can see how many answers I get about the specific firewalls I asked.

So the forum seems useless as such source of such information. I can live with that maybe I will dig on my own but average user?

So unless you experts start answering questions or start some test site with inbound testing we will be in matousec leak testing realms. And makers will ignore the inbound side (I read Stem and Mike discussion about OA). Finally the firewall will end up as anything but a firewall.

I am close to going Kerodo's way because it starts to be too frustrating to be so helpless. And I do not plan to change profession to be a firewall expert/tester.

feniks
November 23rd, 2007, 05:50 PM
{QUOTE->
The average joe never heard of HIPS or tried any firewall, any conclusion derived from this is wrong. I know maybe 1 person that has heard of Comodo, Jetico, SSM etc.
<-QUOTE}

I do not agree with that. All my friends are using Comodo 2/3 or OA because of Matousec. And they spread the word. :) They are the local experts because they know English and read matousec. :) And in my country people do more care about the price of the software so...

Same way I found Comodo and OA but they simply not working for me so I dig further.

Pedro
November 23rd, 2007, 05:53 PM
If they are the local experts, that's not exactly a good sample is it?

feniks
November 23rd, 2007, 06:13 PM
{QUOTE-> If they are the local experts, that's not exactly a good sample is it? <-QUOTE}

I did mean local in where they are, but I have many such friends all over country.

Well I will put it that way: I know very few people with a computer who did not hear about Comodo. And everybody I know has AV and Windows XP firewall at least.

I did not say that is general situation just my experience do not agree with yours. :)

Yours sample was not good either just one man experience - yours.

I am talking about the average person who is using the internet and searches before buying, and you are talking about people below average for me. I agree - such people do not even have AV. But people with AV soon start looking for a firewall etc. And they will find matousec and download Comodo. And become local experts. :)

So inbound protection have hard time.

Edit: Maybe average joe mean somebody below average? Like blonde chick in my country?

Diver
November 23rd, 2007, 06:21 PM
Perhaps someone would like to tell us if any of the widely used firewalls have a proper SPI implementation or not. Will any of them be breached by malicious inbound packets? By widely used I mean the built-in Windows firewalls in XP and Vista, various versions of Zone Alarm, Comodo 2.4 (3.0 is too new), Sunbelt/Kerio and Sygate. Judging from polls on Matousec's site and DSLR, these account for a major share of what is in use.

There are advocates of CHX-1, Jetico, Look'n'Stop, 8Signs, Injoy and perhaps Ghostwall. How do these compare against each other and do they really (not in theory) provide better inbound protection than the widely used firewalls. Altogether, not very many people use these even though several are free.

Popularity may not prove quality, but it certainly measures impact and relevance. I can safely say that the popular products excel in ease of use. The surveys don't tell the whole story either. I bet there is a lot of NIS 200X around because it comes on many new computers. Those are not the same people that hang out here, at DSLR or Matousec.

Where is the real difference, or is Matousec right when he says most of them have the inbound side right? Frankly, I can't seem to disprove this, nor has anyone else around here taken a good shot. Furthermore I can't seem to find anything that says a typical (Linksys, Buffalo, Netgear, D-Link) router or wireless access point that costs $50, give or take, does not keep the bad stuff out, save for morons that don't change the default password.

Don't get me wrong, I don't think any of the products in the list starting with CHX-1 are bad. They are just harder to use, only two have outbound filtering, and 8Signs does not work correctly with eMule. I have tried them all...

Phant0m
November 23rd, 2007, 06:31 PM
Firewall developers and its users got hyped on outbound filtering and to have it cover known leak methods demonstrated by different leaktests loooong before matousec came into the picture... Just now they have common grounds, to learn and improve and be competitive with their implementations.

SPI shouldn't be treated as if it's something that just recently came into existence, and we having little understanding of, it has been in existence since the early 1990's. So now you can just imagine how much time was available to understand fully everything technical about SPI. Like it or not, the best, the security/firewall experts have already spoken, static packet filtering is no match.

feniks; you can agree all you like with anyone, thing remains is ignorance, and ignorant remarks. Most SPI implementations are already set and forget, no special knowledge is required to be running and behind SPI.


Regards,
Phant0m``

dmenace
November 23rd, 2007, 06:52 PM
Hello,

There seems to be quite an argument going on in this thread!

I haven't read every post but this is what I understand the question being asked is:

Which firewalls offer good inbound filtering? What do you look for / how can you tell?

Most people here know that SPI is an essential feature. But is there anything else apart from SPI that will give a firewall better inbound filtering?

Earlier on I posted about Sygate. Why? Well have a look at the various inbound filtering techniques it uses in addition to SPI. Note "Smart DNS, Smart WINS and Smart DHCP" (See attachment)

These are the features that you should look for in addition to SPI that will improve the inbound filtering of your firewall. :thumb:

Attachment here:
http://www.geocities.com/zeroday_software/sygate.rtf

Edit: Merged

feniks
November 23rd, 2007, 07:03 PM
{QUOTE->
feniks; you can agree all you like with anyone, thing remains is ignorance, and ignorant remarks. Most SPI implementations are already set and forget, no special knowledge is required to be running and behind SPI.

Regards,
Phant0m`` <-QUOTE}

Yes I am ignorant but when I read the discussion of Stem with Mike about lack of full SPI in OA or Stem with Melih about SPI in Comodo or when I read about filtering in CHX-I (I was using it and I know what SPI options it has) then even if I am ignorant I do understand that this is something that a good firewall should have.

If CHX-I should be benchmark then OA is loser same way like Windows xp in matousec tests. Maybe will lose even with xp firewall?
Or I am completely wrong. Or it does not matter if there is SPI and how good it is?

You have to agree that not all popular firewalls have it even Jetico implementation is not perfect.

Why I should not look for such answer? Or nobody here knows the answer?

EDIT. Well I read it again and I have to admit I do not understand what are you talking about. About with whom I agree with what? And you talking about my ignorance and my ignorant remarks? Where I said that special knowledge to be protected by spi is required? So what if SPI is from 1990 - does OA have it and in full, deep packet inspection, pseudo UDP and ICMP or only TCP syn (all out is allowed in)? Sorry for my english you are expert so you know what I mean.

Phant0m
November 23rd, 2007, 07:25 PM
feniks, I agree that many places people decide to go and take advice from are so very ridiculous; there are so many amateurs out there who discuss things they have little to no knowledge of. Trying to find reliable sources can be difficult at times, it isn't impossible, but does require self dedicated investigations.

I don't think many will be able to answer which is the best firewall for inbound, there's not even much technical details from product developers on their implements. I agree it isn't easy to get technical details when asking the product developers, but you shouldn't at least try.

I find it really sad that Comodo PF or any developer wouldn't respond happily with technical details regarding their product features implementations, ... like for SPI. I have been even curious at a far about exactly their SPI implementation. I guess one going to have to download and install and run extensive tests to get the answers.


Diver, that's a very good question "any of the widely used firewalls have a proper SPI implementation or not", I think it would be very reliable to get product technical details of their SPI implements, I think each user of different firewall should contact their product developer and ask for technical details. Then posting it all in one location would be very appreciative... :)

Matousec must have been in reference to products static packet filtering capabilities... and up against online web scanners....


dmenace; It's also very good to know, even more so for some how their products SPI works, and I really cannot complain.

Yet another very good question "But is there anything else apart from SPI that will give a firewall better inbound filtering?". :)


Regards,
Phant0m``

Phant0m
November 23rd, 2007, 07:36 PM
Hi feniks,

You are of course right, it's important to find out how different software products implement SPI, before we can really make opinions even.

You surely aren't doing any wrong by seeking such answers, I'm actually excited to see people ask questions about firewall products inbound filtering capabilities. Good job!

Kerodo
November 23rd, 2007, 07:37 PM
{QUOTE-> Yes I am ignorant but when I read the discussion of Stem with Mike about lack of full SPI in OA or Stem with Melih about SPI in Comodo or when I read about filtering in CHX-I (I was using it and I know what SPI options it has) then even if I am ignorant I do understand that this is something that a good firewall should have.

If CHX-I should be benchmark then OA is loser same way like Windows xp in matousec tests. Maybe will lose even with xp firewall?

Or I am completely wrong. Or it does not matter if there is SPI and how good it is?

You have to agree that not all popular firewalls have it even Jetico implementation is not perfect.

Why I should not look for such answer? Or nobody here knows the answer? <-QUOTE}
feniks, you are right to ask questions like this, and you are not ignorant either. With all due respect to our local experts here like Stem and Phantom, who are both quite knowledgeable, I think nobody has any really good and *practical* answers for you.

You can try to obtain tech specs from the developers if you like, and research further, it's up to you. If you do, please share your findings..

My personal take on all this is that there isn't much point in getting buried in a lot of tech details. I used to install and test and experiment with all the various software firewalls available a year or two ago. It was fun. Then I got a router, dropped the software firewalls, and have been happy ever since. I believe that for any home user, that's all one needs. In fact, for any normal home user, almost *any* bug-free software firewall will be good enough too, including the Win firewall if you like. Remember, we're talking inbound here.

Now I'm sure people can and will argue with this, but put it to the test and see. That's what really matters and counts, not 1000 technical details and/or expert opinions.

Again, just my humble 2 cents....

feniks
November 23rd, 2007, 07:45 PM
{QUOTE-> Hi feniks,

You are of course right, it's important to find out how different software products implement SPI, before we can really make opinions even.

You surely aren't doing any wrong by seeking such answers, I'm actually excited to see people ask questions about firewall products inbound filtering capabilities. Good job! <-QUOTE}

Please read my edit in here:

post 76 (http://www.wilderssecurity.com/showpost.php?p=1124367&postcount=76)

And I think you answered here. :)

Phant0m
November 23rd, 2007, 08:05 PM
I don't use Online Armor, never used Online Armor, and the official product website doesn't seem to 'mention' any sort of SPI. A firewall developer would definitely want to advertise this if it has it.... so at first glance, I say it doesn't.


Regards,
Phant0m``

feniks
November 23rd, 2007, 08:27 PM
{QUOTE-> A firewall developer would definitely want to advertise this if it has it....

Regards,
Phant0m`` <-QUOTE}

That is something to start with... Very good tip and very logical. :)

And if the developer does not answer, that is suspicious, right? :)

Phant0m
November 23rd, 2007, 08:34 PM
{QUOTE-> That is something to start with... Very good tip and very logical. :) <-QUOTE}

Don't forget the support forums...


{QUOTE-> And if the developer does not answer, that is suspicious, right? :) <-QUOTE}

Indeed.

feniks
November 24th, 2007, 12:43 AM
People ignore proper packet filtering and inbound protection, so why do we have so many questions like:

I lost my connection
I have very slow connection speed
My transfer is so slow
My browser open pages so slow

If I understand correctly what I read, a simple blind ICMP attack can harm our connection throughput. One is when an attacker keeps sending "fragmentation needed and DF bit set" messages, which forces PMTUD to lower the MSS (maximum segment size) for the connection and practically disables communication.

This is one example of an attack; maybe we are already safe from it, but I read that many Cisco routers were vulnerable to these attacks. And I am sure there are many other forms of attack, not malware or spyware but "only" messing with our internet connection: slowing it down, breaking connections for some time, etc. etc.

So the question is, are we protected from that?
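
The attack described above (blind ICMP "fragmentation needed" messages driving Path MTU Discovery down) is something a stack or firewall can resist without any popups, simply by refusing to believe an ICMP error that does not fit an existing connection. The following is an added example written for this thread, not code from any firewall or poster here; the addresses, ports and packet bytes are constructed, the connection table is a stand-in for a real state table, and the 576-byte floor is the IPv4 minimum datagram size every host must accept (RFC 791), used here as a plausibility check on the advertised next-hop MTU.

```python
"""Validate ICMP type 3 / code 4 ('fragmentation needed, DF set') against a
TCP connection table before letting it lower the path MTU.
Added example for this thread; packet bytes and addresses are constructed."""
import struct
from dataclasses import dataclass

IPV4_MIN_DATAGRAM = 576   # RFC 791: every host must accept datagrams this large
SEQ_MOD = 2 ** 32


@dataclass
class Connection:
    snd_una: int          # oldest unacknowledged sequence number we sent
    snd_nxt: int          # next sequence number we will send
    pmtu: int = 1500      # current path MTU estimate for this connection


def _in_flight(seq, lo, hi):
    """True if lo <= seq < hi in 32-bit sequence space (wrap-safe)."""
    return (seq - lo) % SEQ_MOD < (hi - lo) % SEQ_MOD


def validate_frag_needed(icmp: bytes, conns: dict):
    """Return (accepted, reason, conn) for one ICMP message.

    conns maps (local_ip, local_port, remote_ip, remote_port) -> Connection.
    The ICMP payload quotes the IP header + first 8 TCP bytes of a datagram
    WE sent, so the quoted source address/port is our local end."""
    if len(icmp) < 8 + 20 + 8:
        return False, "truncated: need ICMP hdr + inner IP hdr + 8 TCP bytes", None
    itype, code, _csum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if itype != 3 or code != 4:
        return False, "not fragmentation-needed", None
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 8 or inner[9] != 6:
        return False, "inner header not a TCP/IPv4 datagram", None
    src_ip = ".".join(str(b) for b in inner[12:16])
    dst_ip = ".".join(str(b) for b in inner[16:20])
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    conn = conns.get((src_ip, sport, dst_ip, dport))
    if conn is None:
        return False, "no matching connection: blind forgery or stale", None
    if not _in_flight(seq, conn.snd_una, conn.snd_nxt):
        return False, "quoted seq not in flight: 4-tuple guessed, window not", conn
    if next_hop_mtu < IPV4_MIN_DATAGRAM:
        return False, f"implausible MTU {next_hop_mtu} < {IPV4_MIN_DATAGRAM}", conn
    if next_hop_mtu >= conn.pmtu:
        return False, "MTU not smaller than current PMTU, nothing to do", conn
    return True, f"lower PMTU {conn.pmtu} -> {next_hop_mtu}", conn


def apply_icmp(icmp: bytes, conns: dict):
    """Validate and, only if accepted, lower the connection's PMTU."""
    ok, reason, conn = validate_frag_needed(icmp, conns)
    if ok:
        conn.pmtu = struct.unpack("!H", icmp[6:8])[0]
    return ok, reason


def build_frag_needed(next_hop_mtu, src_ip, sport, dst_ip, dport, seq):
    """Construct an ICMP 3/4 message quoting an IPv4 (DF set) + TCP header.
    Checksums are left zero; this is test input, not wire-valid traffic."""
    icmp_hdr = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    return icmp_hdr + ip_hdr + struct.pack("!HHI", sport, dport, seq)


def demo():
    """Constructed scenario: one open connection, four ICMP messages."""
    key = ("192.0.2.10", 51000, "198.51.100.7", 443)
    conns = {key: Connection(snd_una=1000, snd_nxt=4000)}
    r = {}
    # genuine router: quotes bytes we really have in flight, sane MTU
    r["legit"] = apply_icmp(build_frag_needed(1400, *key, 2000), conns)
    # blind attacker: right 4-tuple, guessed seq, tries to crush the MTU
    r["blind_seq"] = apply_icmp(build_frag_needed(68, *key, 999999), conns)
    # attacker who sniffed the seq but advertises an absurd MTU
    r["tiny_mtu"] = apply_icmp(build_frag_needed(68, *key, 2000), conns)
    # no such connection at all
    r["no_conn"] = apply_icmp(build_frag_needed(1400, "192.0.2.10", 51001,
                                                "198.51.100.7", 443, 2000), conns)
    return r, conns
```

Only the first message changes anything; the other three are dropped silently, which is exactly the "no popups, just drop it" behaviour Stem describes for SPI later in the thread. The sequence-number check is the one that defeats a purely blind attacker: guessing a 4-tuple is cheap, guessing which bytes are currently unacknowledged is not.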

MikeNash
November 24th, 2007, 12:59 AM
{QUOTE-> That is something to start with... Very good tip and very logical. :)

And if the developer do not answer that is suspicious, right? :) <-QUOTE}

I've answered this question to death already :)

We have a state table.
We do not (yet) do deep inspection of packets
This is something that we plan to add in a future release.

feniks
November 24th, 2007, 01:46 AM
{QUOTE-> I've answered this question to death already :)

We have a state table.
We do not (yet) do deep inspection of packets
This is something that we plan to add in a future release. <-QUOTE}

Yes, you are right. I read that somewhere, I guess in your discussion with Stem.

I simply forgot. Please forgive me. I think I have a problem remembering all that. Too much reading in the last weeks. ;D

Mike I really (I think not only me) respect your work and honest approach.

And I wish you and your baby OA all the best. :)

Stem
November 24th, 2007, 04:17 AM
OK,

Do I check firewalls' SPI implementation? Yes, but this is time consuming, and to check correctly I use 3 PCs, and believe it or not, I do use my PCs for other things than just checking firewalls.

As an example, the last firewall I looked at was PCtools firewall which stated "full SPI"; when I checked, I questioned this, as it allowed invalids etc. through,.. the description of SPI by the vendor was then changed.

One of the problems is the fact of the term "SPI" and the way this is used by vendors. As I have put forward before, I expect an SPI firewall to check TCP down to sequence number; anything else, for me, is not SPI. This was one of the reasons I asked about the implementation of SPI in routers.

Could I put forward a list of firewalls that perform such checks, yes, I could say "firewall A" does, and "firewall B" does not, but then I would get the fanboys of "firewall B" giving flame on my tests, with my need to show these,.. then who would take the time to check? I would then get the usual posts of "does it matter", I would then need to post info on the packets that cause problems/bypass, and I will not do that. So, in circles we will go.

I will still press vendors to implement full SPI, regardless of whether users think this is needed or not (I know it is).
Do realise, SPI is not like a HIPS, you will not get popups asking if certain packets should be allowed or not; invalid/bad etc. packets should simply be dropped.

Phant0m
November 24th, 2007, 05:23 AM
{QUOTE-> I've answered this question to death already :)

We have a state table.
We do not (yet) do deep inspection of packets
This is something that we plan to add in a future release. <-QUOTE}


MikeNash, I apologize for my ignorance on the subject.

Keeping a state table is done even for connectionless protocols like UDP and ICMP, so far all this tells me is there's possibly stateful-like mechanisms in OA, and to what extent remains to be seen... And then there's stateful packet inspection and then there's 'deep packet inspection'.

Has this already been detailed? Could you or someone else post me some links?

MikeNash
November 24th, 2007, 05:33 AM
{QUOTE-> MikeNash, I apologize for my ignorance on the subject.

Keeping a state table is done even for connectionless protocols like UDP and ICMP, so far all this tells me is there's possibly stateful-like mechanisms in OA, and to what extent remains to be seen... And then there's stateful packet inspection and then there's 'deep packet inspection'.

Has this already been detailed? Could you or someone else post me some links? <-QUOTE}

Hi Phant0m,

I think by your measures, SPI in OA is minimal at the moment... we keep state tables for all connections (I believe including udp/icmp but I would have to check on Monday). Other than that - we don't currently do so.

We do plan some enhancements in this area in the future - particularly I've discussed implementing Snort rules.

Cheers

Mike

Phant0m
November 24th, 2007, 05:43 AM
Hi MikeNash,

By my measures, ... accurate measures.. :)

Thank you for the clarity, and I'll be looking forward to seeing your next post confirming if OA does state table for connectionless protocols like UDP and ICMP. Also enhancements in these areas are always much appreciated. :)

Diver
November 24th, 2007, 09:16 AM
OA:

I thought there was an issue where network discovery and file/printer sharing were hard wired on. OK if you always want them on in a home or SOHO network, bad if otherwise. Anyone know if this has been fixed.

Stem:

You should publish your results fanboys or not. No point in treating hard won knowledge as some mysterious thing.

On a lighter note, Diver is about to head out tomorrow to go scuba diving.

feniks
November 24th, 2007, 10:59 AM
{QUOTE-> OK,
As an example, the last firewall I looked at was PCtools firewall which stated "full SPI"; when I checked, I questioned this, as it allowed invalids etc. through,.. the description of SPI by the vendor was then changed.

One of the problems is the fact of the term "SPI" and the way this is used by vendors. As I have put forward before, I expect an SPI firewall to check TCP down to sequence number; anything else, for me, is not SPI. This was one of the reasons I asked about the implementation of SPI in routers. <-QUOTE}

I think you questioned it here in the forum, and see, vendors are reading the forum and care if that is public.

{QUOTE->
Could I put forward a list of firewalls that perform such checks, yes, I could say "firewall A" does, and "firewall B" does not, but then I would get the fanboys of "firewall B" giving flame on my tests, with my need to show these,.. then who would take the time to check? I would then get the usual posts of "does it matter", I would then need to post info on the packets that cause problems/bypass, and I will not do that. So, in circles we will go. <-QUOTE}

But think how much good will come out from this. Look for PcTools and Mike example. :)

I think great numbers of people will benefit from such information. Many people here accept you as an expert not because of the title, but from reading your posts. And you do not have to go into details, as not many even understand all of that. As for fanboys, you can just ignore them or answer. People read and think, believe me. Well, there is always a price, but the discussion begins and many people become aware of the subject, start asking vendors etc. Vendors will be forced to stop ignoring this subject.

How many people understand how leaktest works? They just read there is something that need to be and become interested if their firewall have it.

{QUOTE->
I will still press vendors to implement full SPI, regardless of whether users think this is needed or not (I know it is).
Do realise, SPI is not like a HIPS, you will not get popups asking if certain packets should be allowed or not; invalid/bad etc. packets should simply be dropped. <-QUOTE}

Believe me, you alone will not mean as much to vendors as many users. And to them you are not even a user of their product. Money counts.

But of course feel free to do whatever you decide to do. :) ;) ;D

I became aware of SPI and filtering because you mentioned it many times. Thank you.

But still I do not know much when it gets down practically to firewalls, and what I know was achieved Indiana Jones style, searching for hidden treasure. :)

wat0114
November 24th, 2007, 02:01 PM
{QUOTE-> I became aware of SPI and filtering because you mentioned it many times. Thank you.
<-QUOTE}

Likewise with me too :) Before, if I saw "SPI" advertised for any pc firewall I would think: "wow, that is impressive!" but after seeing that Stem has exhausted time and effort in testing for this and seeing less than impressive results, which he has stated many times in this forum, I now will take it very seriously and do whatever I can to press vendors (at least with regards to products I use) to properly implement it, in spite of those who declare it is unnecessary because in "their experience" they have never been burned by it. It is like saying: "I only require seatbelts for my safety while driving a car because the airbag has never actuated in my few fender benders. The seatbelt always prevented serious injury." Of course the airbag actuates at higher impacts, preventing one's face from smashing into the steering wheel or dash. This may seem like a lame analogy, but it is the best I could conjure up.

A firewall and security expert is stating the importance of SPI (airbag), yet there are some who refute it! Baffling to say the least ???

Pedro
November 24th, 2007, 02:38 PM
{QUOTE->
Could I put forward a list of firewalls that perform such checks, yes, I could say "firewall A" does, and "firewall B" does not, but then I would get the fanboys of "firewall B" giving flame on my tests, with my need to show these,.. then who would take the time to check? I would then get the usual posts of "does it matter", I would then need to post info on the packets that cause problems/bypass, and I will not do that. So, in circles we will go.
<-QUOTE}
I take many things for granted, some of that is what vendors say.
I would prefer to know what is true or not with your tests, whether the firewall is my favourite or not. Just try to give details as far as you can, and forget anything else. I value information and facts.

Cheers

Stem
November 24th, 2007, 02:42 PM
{QUOTE-> .... if OA does state table for connectionless protocols like UDP and ICMP <-QUOTE}Yes, it does.

Seer
November 24th, 2007, 06:03 PM
Hello.

{QUOTE-> You should publish your results fanboys or not. <-QUOTE}

{QUOTE-> I think great numbers of people will benefit from such information. <-QUOTE}

{QUOTE-> Just try to give details as far as you can <-QUOTE}

There is no need for Stem to post a detailed report on his findings. He already does much on this subject (from time to time), you would just need to pay a little attention. ;) Publishing that kind of info is not a trivial matter...

Cheers,

RejZoR
November 24th, 2007, 07:43 PM
I think Comodo Firewall set to "Training Mode" and with Network Rules applied could also do it. This way it will automatically set everything for applications while still use inbound filter/attack detection engine.

Phant0m
November 24th, 2007, 09:02 PM
On an additional note, there's something I simply would like to point out...

Stateful inspection and Stateful filtering aren't quite the same thing, and apparently there is much confusion on all sides, when discussing SPI.

Stateful Inspection provides highly efficient traffic inspection with full application-layer awareness, whereas stateful filtering doesn't have application-layer awareness... This is how it was coined from the beginning, so for instance CHX-I, 8Signs and Look 'n' Stop using the 'stateful inspection' label isn't accurate by the originally coined terms...


... Please not the face?!?! :shifty:


Regards,
Phant0m``

Stem
November 25th, 2007, 01:11 AM
{QUOTE-> On an additional note, there's something I simply would like to point out...

Stateful inspection and Stateful filtering aren't quite the same thing, and apparently there is much confusion on all sides, when discussing SPI.

Stateful Inspection provides highly efficient traffic inspection with full application-layer awareness, whereas stateful filtering doesn't have application-layer awareness... This is how it was coined from the beginning, so for instance CHX-I, 8Signs and Look 'n' Stop using the 'stateful inspection' label isn't accurate by the originally coined terms...


<-QUOTE}I think it is the vendors that have most confusion on this point.

Such as CHX-I does perform SPI (stateful packet inspection); this is a check on the state of the TCP packet (flag check).
Stateful filtering, this would describe a firewall that only checks IP/port for TCP (as with protocols such as UDP).

{QUOTE-> The definition of stateful filtering seems to vary greatly among various product vendors and has developed somewhat, as time has gone on. Stateful filtering can mean anything, from the ability to track and filter traffic based on the most minute of connection details to the ability to track and inspect session information at the application level

Stateful filtering has been used to define the stateful tracking of protocol information at Layer 4 and lower. Under this definition, stateful filtering products exhibit no knowledge of application layer protocols. At the most basic level, such products use the tracking of the IP addresses and port numbers of the connecting parties to track state. This is the only way that connectionless protocols can be tracked, but at best, this is only "pseudo-stateful." What about using this same method of stateful filtering for the tracking of the connection-oriented TCP? This method does not in any way track the TCP flags. TCP's flags define its connection states; therefore, although this method might be tracking some information from the various communication sessions, it is not truly tracking the TCP connection state. <-QUOTE}
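
To make the distinction in the quoted text concrete (IP/port-only "pseudo-stateful" tracking versus tracking the TCP flags and sequence/acknowledgement numbers, which is what Stem calls full SPI), here is an added example written for this thread. It is not code from CHX-I or any other product mentioned. It runs one constructed packet stream through both kinds of filter; the addresses, ports and sequence numbers are made up, and the stream plays the role of the packets sent into an open connection in Stem's middle-PC test, so the result shows what each filter lets through.

```python
"""Stateful filtering (4-tuple only) versus stateful packet inspection
(TCP flags + sequence/ack windows), fed the same constructed packets.
Added example for this thread; not code from any firewall discussed."""
from dataclasses import dataclass

LOCAL = "192.0.2.10"   # address of the protected PC (assumed)
WINDOW = 65535         # receive window assumed for the sequence check
MOD = 2 ** 32          # TCP sequence space wraps at 32 bits


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "FIN", "RST", "PSH"}
    seq: int
    ack: int = 0
    length: int = 0    # payload bytes

    def inbound(self):
        return self.dst == LOCAL

    def key(self):
        """(local ip, local port, remote ip, remote port), same in both directions."""
        return ((self.dst, self.dport, self.src, self.sport) if self.inbound()
                else (self.src, self.sport, self.dst, self.dport))


def in_window(x, lo, hi):
    """lo <= x < hi in 32-bit sequence space."""
    return (x - lo) % MOD < (hi - lo) % MOD


class StatefulFilter:
    """'Pseudo-stateful': remembers 4-tuples opened from inside, nothing else."""
    def __init__(self):
        self.table = set()

    def check(self, p):
        if not p.inbound():
            self.table.add(p.key())
            return True
        return p.key() in self.table


@dataclass
class ConnState:
    state: str            # SYN_SENT -> SYN_ACK_SEEN -> ESTABLISHED
    local_una: int        # oldest unacknowledged local sequence number
    local_nxt: int        # next local sequence number
    remote_nxt: int = 0   # next sequence number expected from the peer


class SpiFilter:
    """Inbound packets must fit the connection's state, flags and windows."""
    def __init__(self):
        self.table = {}

    def check(self, p):
        if {"SYN", "FIN"} <= p.flags:
            return False                    # illegal flag combination, either direction
        c = self.table.get(p.key())
        if not p.inbound():
            if c is None:
                if p.flags != {"SYN"}:
                    return False            # only a SYN may open a connection
                self.table[p.key()] = ConnState("SYN_SENT", p.seq, (p.seq + 1) % MOD)
                return True
            if c.state == "SYN_ACK_SEEN" and "ACK" in p.flags:
                c.state = "ESTABLISHED"     # third step of the handshake
            c.local_nxt = (c.local_nxt + p.length) % MOD
            return True
        if c is None:
            return False                    # unsolicited inbound
        if c.state == "SYN_SENT":
            if p.flags != {"SYN", "ACK"} or p.ack != c.local_nxt:
                return False                # reply must be SYN/ACK acking our ISN+1
            c.state, c.remote_nxt = "SYN_ACK_SEEN", (p.seq + 1) % MOD
            return True
        if "SYN" in p.flags:
            return False                    # SYN into an existing connection
        if not in_window(p.seq, c.remote_nxt, (c.remote_nxt + WINDOW) % MOD):
            return False                    # out of window: blind injection / stale segment
        if "ACK" in p.flags:
            if not in_window(p.ack, c.local_una, (c.local_nxt + 1) % MOD):
                return False                # acknowledges data we never sent
            c.local_una = p.ack
        if p.length and p.seq == c.remote_nxt:
            c.remote_nxt = (p.seq + p.length) % MOD
        return True


def run_stream():
    """Replay a constructed stream through both filters: name -> (filtering, spi)."""
    R, F = "198.51.100.7", frozenset
    stream = [
        ("syn_out",      Packet(LOCAL, 51000, R, 443, F({"SYN"}), seq=1000)),
        ("synack_in",    Packet(R, 443, LOCAL, 51000, F({"SYN", "ACK"}), seq=5000, ack=1001)),
        ("ack_out",      Packet(LOCAL, 51000, R, 443, F({"ACK"}), seq=1001, ack=5001)),
        ("data_in_ok",   Packet(R, 443, LOCAL, 51000, F({"ACK", "PSH"}), seq=5001, ack=1001, length=100)),
        ("blind_inject", Packet(R, 443, LOCAL, 51000, F({"ACK", "PSH"}), seq=900000000, ack=1001, length=10)),
        ("synfin_in",    Packet(R, 443, LOCAL, 51000, F({"SYN", "FIN"}), seq=5101)),
        ("new_syn_in",   Packet(R, 443, LOCAL, 51000, F({"SYN"}), seq=7777)),
        ("unsolicited",  Packet(R, 80, LOCAL, 51000, F({"ACK"}), seq=1, ack=1)),
    ]
    sf, spi = StatefulFilter(), SpiFilter()
    return {name: (sf.check(p), spi.check(p)) for name, p in stream}
```

Both filters agree on the handshake, on legitimate data and on the unsolicited packet. They part ways on the three invalids: a segment with a wildly out-of-window sequence number, a SYN+FIN combination, and a fresh SYN aimed into an established connection all pass the 4-tuple filter and are dropped by the inspecting one. That gap is what a vendor's bare "SPI" claim does not tell you, and it is what the open-connection test in this thread is designed to expose.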

CoolWebSearch
November 25th, 2007, 03:37 AM
{QUOTE-> I think it is the vendors that have most confusion on this point.

Such as CHX-I does perform SPI (stateful packet inspection); this is a check on the state of the TCP packet (flag check).
Stateful filtering, this would describe a firewall that only checks IP/port for TCP (as with protocols such as UDP). <-QUOTE}

Hi Stem, I wanted to ask you if ZA Pro 7.0.462.000 has full Stateful Packet Inspection for application filtering and all other things?
I mean their website claims that it has SPI (after all Checkpoint invented SPI, as far as I know, and the same Checkpoint bought ZoneAlarm)???

And what about it's Anti-Mac spoofing and ARP protection?

Thanks a lot.

What about configurability?
I tried to configure some things in ZA Pro, but it seems to me that I can't do it manually???
Maybe there was thread about this???
Thanks.

AJohn
November 25th, 2007, 04:05 AM
I think inbound protection is something that should be rated just like the leaktests are. All known exploits tested against each firewall. I am sure such a website will emerge just as the leaktest websites have.

I have contacted Melih of COMODO and although the current help file for CFP does not go into in-depth details of the inbound protection such as ARP filtering, they are working on an "under the hood kind of manual" that I look forward to.

I think all software firewall developers should do this.

Phant0m
November 25th, 2007, 08:26 AM
Stem,

Stateful inspection is a term originally coined by the security product manufacturer Check Point in 1993. Clearly detailed by Check Point ... sometime down the road, It comprises both the tracking of state using Layer 4 and lower protocol information and the tracking of application-level traffic commands.

Now the term Stateful filtering has been originally used to define the stateful tracking of protocol information at Layer 4 and lower. Under this definition, stateful filtering products exhibit no knowledge of application layer protocols.

... You understand stateful filtering terminology, stateful filtering does not in any way track the TCP flags, so it's not considered truly tracking of TCP Connection state. But there's advanced forms of stateful filtering that can also track sequence and acknowledgment numbers and the TCP packet flags. Now that's truly stateful connection tracking for TCP, although 'we still lack the ability to differentiate traffic flows at the application level'.

And whether you care to admit it or not, CHX-I's 'stateful inspection' implementation lacks the ability to differentiate traffic flows at the application level... ;)

Stem
November 25th, 2007, 11:53 PM
Phantom,
{QUOTE->

Stateful inspection is a term originally coined by the security product manufacturer Check Point in 1993. <-QUOTE}If we went by the exact description, then we would need to look at:-
Communication Information
Communication-derived states
Application-derived state
Information Manipulation

All of which is put forward by checkpoint as part of Stateful Inspection. Do I see any point in going down this road, with a need to discuss this? I do not think it is needed/wanted.


{QUOTE-> And whether you care to admit it or not, CHX-I's 'stateful inspection' implementation lacks the ability to differentiate traffic flows at the application level... <-QUOTE}If we look at checkpoint, and how they performed the SPI, we are only (basically) looking at a set of filters. As with CHX-I, traffic flow filters can be added and any data within the packet can be manipulated with payload filters.

So, what should we do, continue with a discussion of wording, or follow a path of actually looking at the implementations of packet filtering/inspection in vendors' firewalls for the security of members ;) . Myself, I prefer the latter, as this will actually give needed info to members.

feniks
November 26th, 2007, 12:14 AM
{QUOTE->
So, what should we do, continue with a discussion of wording, or follow a path of actually looking at the implementations of packet filtering/inspection in vendors' firewalls for the security of members ;) . Myself, I prefer the latter, as this will actually give needed info to members. <-QUOTE}

Yes, yes, yes, the latter.

I have a headache already from all this stateful, stateless, static filtering, dynamic filtering, deep, shallow, state table etc. :)

Coming down to info for members can you tell if Windows XP firewall and Ghostwall have SPI or what filtering exactly. As these two are basic level for incoming protection and I read different statements.

Phant0m
November 26th, 2007, 07:16 AM
Stem; Well if it's shared opinion, not just specific to your needs and wants... then I'll refrain from posting information / FAQs in the future.

However, I thought it was useful and informational, something that individual(s) could appreciate.

We're using the SPI word pretty loosely here, and this leaves room for confusion. If the users don't know their options, then they really don't know what they're asking for or wanting and the degree of protection offered/available... For instance, when you're talking about 'full SPI' are you really just talking about an implementation capable of tracking sequence and acknowledgment numbers and the TCP packet flags and not something more? :P

I know about CHX-I v3 Payload Filter Module, weren't we before discussing firewalls SPI implementation? Now that you mentioning it, I'm curious are you going to be the one that provides filters for users to achieve "stateful inspection" to the degree that Check Point and some other firewalls offers?

Stem
November 26th, 2007, 08:32 AM
{QUOTE-> Stem; Well if it's shared opinion, not just specific to your needs and wants... then I'll refrain from posting information / FAQs in the future.

However, I thought it was useful and informational, something that individual(s) could appreciate. <-QUOTE}I asked a question, to see how you would like to continue.{QUOTE-> So, what should we do, continue with a discussion of wording, or follow a path of actually looking at the implimentions of packet filtering/inspection <-QUOTE} Currently you have put forward only a need for correct wording/definition. Why don't you instead perform some tests on firewalls to see what implementation of packet filtering is being made in various firewalls?

{QUOTE-> We using SPI word pretty loosely here, and this leaves room for confusion. If the users doesn't know their options, then they really don't know what they asking for or wanting and the degree of protections offered / available... For instance, when you talking about 'full SPI' you really just talking about an implement capable of tracking sequence and acknowledgment numbers and the TCP packet flags and not something more? <-QUOTE}I have already put forward the definition of my term "full SPI".

{QUOTE-> I know about CHX-I v3 Payload Filter Module, weren't we before discussing firewalls SPI implementation? Now that you mentioning it, I'm curious are you going to be the one that provides filters for users to achieve "stateful inspection" to the degree that Check Point and some other firewalls offers? <-QUOTE}I would be interested in seeing a software firewall for the home "windows" user produced by check point or any other vendor that performs SPI to the degree of what "checkpoint" put forward as actual "SPI".

As for CHX-I, if this was still being updated, to remove some bugs, then I would take time to produce filters(maybe I could then set up a website and sell them :P )

Phant0m
November 26th, 2007, 09:21 AM
Hi Stem,

I'm not sure what you meant exactly by "Currently you have put forward only a need for correct wording/definition."; if you're implying my only participation in this topic involved this, then may I suggest re-reading starting from the beginning.. post #62. And as for my post #105, it was to explain where I'm coming from...

If my participation isn't up to your standards or even offends you, then I'll simply avoid further topics you're involved in.


I have an old machine that's XP capable, I don't however have an operating system. And as for this here system I'm working with, it has to be on Internet stand-by, so I can't be running installations, reboots, tests, uninstalls, reboots, repeated with the next firewall. Therefore, even though I'm interested in doing such tests and publishing, I first need to buy an OS such as XP, that's about $165 CAD for the OEM version. And momentarily, I cannot afford it; besides, I thought you were originally doing the tests for the people? :-\

Stem
November 26th, 2007, 09:46 AM
{QUOTE-> If my participation isn't up to your standards or even offends you, <-QUOTE}What standard? and I am not offended.

It is just my thought that: We could certainly discuss what SPI actually is (as put forward by check point) and go through misunderstandings on this point, but how would it actually help a user decide on a firewall? Yes, they may understand the terms used, but it would then be a case of whether vendors use the correct terms. I have seen firewalls that state "SPI", and they only check IP/port of TCP. So, if we put forward "SPI" is "as described by checkpoint", then the user goes to a firewall vendor that states the firewall has "SPI" (and it is actually only a check on IP/port), this would lead to a false sense of security for the user.

So how can we put forward SPI/packet filtering with descriptions of the layers filtered etc., without the vendors also being accurate about the firewall's ability in this?
As I said~ just my thought

{QUOTE-> ............, besides I thought you were originally doing the tests for the people? :-\ <-QUOTE}I will be setting up again, and go through the firewalls again. I do have a couple of projects on already, so it will need to wait a few days.

AJohn
November 26th, 2007, 12:15 PM
I think the best thing to do would be for both of you to collaborate on publishing a webpage rating different software firewalls against your own definitions (or CheckPoint's) of SPI and other aspects of packet filtering in a manner similar to the way Matousec handles leaktests.

So, if Phant0m were to obtain a legit copy of Windows XP then what do you two think about this?

Stem
November 26th, 2007, 12:51 PM
{QUOTE-> I think the best thing to do would be for both of you to collaborate on publishing a webpage rating different software firewalls against your own definitions (or CheckPoint's) of SPI and other aspects of packet filtering in a manner similar to the way Matousec handles leaktests.

So, if Phant0m were to obtain a legit copy of Windows XP then what do you two think about this? <-QUOTE}Hello AJohn,
The fact of 1 extra PC will probably not help in such testing. I know most look at "Leaktests", which can be run on the host, then the firewall will catch this or not, a simple test.

When looking at a firewalls filtering, then different methods are needed.

Example:
For leaktests: 1 PC needed
For scanning: 2 PCs needed (normally the second PC is a website such as shieldsup)
For packet filtering: this is possibly debatable. As you need a PC to install the firewall to be tested, you then need a PC to send the packets (that the first PC has made a connection to~ to check filtering on an open connection), you then need to check on what is not filtered out,.. this could be a sniffer on the first PC, but this could be incorrect, as it would not be correct to presume that the firewall did not block/drop the packet after it was sniffed (and that the firewall did not log this blocked packet).
So I normally check with 3 PCs, a sort of piggy in the middle,.. the middle PC being installed with the firewall to check.
I do need to find better ways to check, as I do not always have 3 spare PCs.

Regards,

EDIT,
I have also considered that filtering should be done in both directions, and that I could simply send out invalids etc.,.. but I would think that this would be incorrect for such tests/checks.

AJohn
November 26th, 2007, 01:02 PM
Yes, 2 or 3 computers seems best. Maybe this is part of why there are no inbound firewall ratings as readily available as the leaktest ratings are.

Maybe Phant0m would be able to work something out with what he has though, so lets see what he has to say.

Maybe between the two of you something could be done... if neither of your ISPs filter connections then that may be a start.

Phant0m
November 26th, 2007, 01:10 PM
As I said before, there is only the one thing I need...


Regards,
Phant0m``

Stem
November 26th, 2007, 01:17 PM
{QUOTE-> As I said before, there is only the one thing I need...


Regards,
Phant0m`` <-QUOTE}If it was as cheap here in the UK to purchase an XP, then I would purchase one and give you a licence. As it is, it is twice the cost you mention.

If you know of a better way to test firewalls filtering, please advise.

AJohn
November 26th, 2007, 01:25 PM
We will see how time treats Mr.Phant0m :D

In the meantime you two should collaborate as much as possible :)

Stem
November 26th, 2007, 01:33 PM
{QUOTE-> We will see how time treats Mr.Phant0m :D

In the meantime you two should collaborate as much as possible :) <-QUOTE}This may be a moot point, as I work from my findings of installing firewalls and directly checking these. From what I see, Phantom works from white papers and published support/help files. Please correct me if incorrect.

Phant0m
November 26th, 2007, 01:42 PM
Stem, I'm not about to play your silly games...

feniks, I apologize for how things turned out, I'll refrain from posting any further on this topic, and hopefully the topic will get back on track.


Best Regards,
Phant0m``

feniks
November 26th, 2007, 02:41 PM
{QUOTE-> Stem, I'm not about to play your silly games...

feniks, I apologize for how things turned out, I'll refrain from posting any further on this topic, and hopefully the topic will get back on track.


Best Regards,
Phant0m`` <-QUOTE}

No apologies necessary, as I learned a lot on protocols, terminology etc. And you were friendly to me. However, all that theory does not help me on a practical level: which firewall has what, and how to decide which one I want. Also I need to find something basic and good for my non-technical friends or even kids, and something really good for somebody willing to learn more and spend more time on that. Learning any of them is some work to do, and first I would like to know if it is worth that effort, see my point?

And maybe a layered approach is a better solution: good inbound + good outbound. So far in terms of the easy and good factor I see a very good solution in CHX-I + OA free, without or with firewall.

Maybe one application, if it has in/out quality at a decent level?

See, so many questions, and good answers only on the outbound/leaking factor. If the out/in info were on the same level, the decision would be much easier to make and also it would be a much wiser decision. For now I see many people are not even aware that inbound protection can be on different levels, the same as outbound/leaks.

I was expecting practical info at least (the vendors are really skimpy with info and their "features" can mean everything or nothing) as to what features which firewall really has.. at least because I see real testing is not an easy thing even for experts, never mind for me.

Well, I feel a little ignored, but well, nobody pays you guys to answer. :)

Practically not many of my questions got answered, and search also gives skimpy results. :thumbd: Most info on that subject I found was about CHX-I so far.

I did try to start from bottom (Windows firewall and Ghostwall) but no results yet. See the posts:

http://www.wilderssecurity.com/showpost.php?p=1126008&postcount=104

http://www.wilderssecurity.com/showpost.php?p=1125997&postcount=86

http://www.wilderssecurity.com/showpost.php?p=1126003&postcount=87

http://www.wilderssecurity.com/showpost.php?p=1125824&postcount=1

Well, I know I take the easy way of learning by asking, but that is what a forum and experts are for, or is it not? :)

And I feel maybe something useful finally will come out of that all... ;D :P

wat0114
November 26th, 2007, 10:04 PM
{QUOTE->
Well, I feel a little ignored, but well, nobody pays you guys to answer. :)
<-QUOTE}

you've had numerous responses to your questions, but you never seem completely satisfied with them.

Why not just stay with CHX-I? It seems to offer excellent inbound protection and alphalutra already informed you that Ghostwall does not include SPI. I certainly saw no mention of it on the website. There also does not seem to be any reports on which firewalls offer the best inbound protection.

feniks
November 26th, 2007, 10:52 PM
{QUOTE-> You've had numerous responses to your questions, but you never seem completely satisfied with them. <-QUOTE}

Do you know somebody completely satisfied? You know what Jagger from the Rolling Stones is still singing about his satisfaction? :)

But seriously, a better word would be that I am disappointed. Before, I thought "wow, big firewall" reading all these advertisements, but after I learned a little I suspect that in reality the most popular firewalls are as poor as a church mouse in inbound filtering, and thus in this kind of protection. :)

Why do popular firewalls not have application level SPI/filtering? It is 2007 and computers are capable of handling it, but the firewalls are still in 1990 in SPI?

I am talking about the firewall function, as the word comes from fire doors or exits.

{QUOTE->
Why not just stay with CHX-I? It seems to offer excellent inbound protection
<-QUOTE}

Yes, it looks like nobody from the big and popular guys can beat CHX-I. I thought it was maybe outdated, but it looks like not yet.

{QUOTE->
and alphalutra already informed you that Ghostwall does not include SPI. I certainly saw no mention of it on the website. There also does not seem to be any reports on which firewalls offer the best inbound protection. <-QUOTE}

I accepted his answer; I just do not understand the way Ghostwall decides what is allowed in. I know it is not real SPI, but the term is so confusing, at least. For example, closing ports is in the SPI definition and processing TCP (three-way handshake) can also be understood as SPI. Or does static filtering do this? Well, but I am still learning. :)

Is it forbidden here?

Maybe some day I will know more, for now please forgive me.

EDIT: PS. And for sure a yes/no answer from somebody I do not really know will not satisfy me. I need more than that to understand and to accept it.

And in fact alphalutra did not answer my question (and I was not asking if Ghostwall has SPI, as I read his statement before); he just tried to tell me what scanning and protocols are.

wat0114
November 26th, 2007, 11:28 PM
{QUOTE-> I just do not understand the way Ghostwall decides what is allowed in. I know it is not real SPI, but the term is so confusing, at least. For example, closing ports is in the SPI definition and processing TCP (three-way handshake) can also be understood as SPI. Or does static filtering do this? Well, but I am still learning. :)

Is it forbidden here?

Maybe some day I will know more, for now please forgive me.

PS. And for sure a yes/no answer will not satisfy me. I need to understand more to accept it. <-QUOTE}

Ghostwall looks to be only a packet filter with the provision to restrict what is allowed on local/remote ports and local/remote IP addresses, without SPI filtering.

SPI seems to ensure that all incoming connections match the packet information in the initial outgoing packets.

Also, you have every right to understand more and, hopefully, your questions will be answered to your satisfaction. As I mentioned earlier, I never gave SPI too much thought until Stem frequently questioned how effectively many of the PC firewalls and home routers implement it. Thankfully someone is asking questions and pushing firewall vendors to implement it correctly, especially when they advertise SPI as one of the features of their product. It is very easy to say: "our product has SPI", so those who are misinformed and do not want to question will think: "wow, this is such a great product because it features SPI", yet little do we know it may not be full SPI.

Unless someone with technical "clout" asks these questions and pushes vendors, it is very easy for them to take the lazy approach and offer a half-as*ed feature.
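
The distinction wat0114 draws above, a packet filter judging each inbound packet on addresses and ports alone versus SPI matching inbound packets against the connection this host opened, as an added Python example (not from the thread or from any of the firewalls named in it; the host and remote addresses are constructed, and the TCP state machine is deliberately simplified to the SYN / SYN-ACK matching that matters here):

```python
from dataclasses import dataclass

LOCAL = "192.0.2.10"  # constructed: the protected host's own address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters: "S" SYN, "SA" SYN-ACK, "A" ACK, "PA" PSH-ACK


def static_filter(pkt, inbound_ports):
    """Plain packet filter: an inbound packet is judged on its destination
    port alone; the flags and any earlier packets are ignored."""
    if pkt.dst != LOCAL:
        return True  # 'allow all outgoing', as in the rules discussed above
    return pkt.dport in inbound_ports


class StatefulFilter:
    """SPI-style filter: an inbound packet must belong to a flow this host
    opened, or start a new flow with a bare SYN on an allowed port."""

    def __init__(self, inbound_ports):
        self.inbound_ports = inbound_ports
        self.flows = {}  # (local_port, remote_ip, remote_port) -> state

    def decide(self, pkt):
        if pkt.dst != LOCAL:  # outbound: allowed, but a SYN is remembered
            if pkt.flags == "S":
                self.flows[(pkt.sport, pkt.dst, pkt.dport)] = "SYN_SENT"
            return True
        key = (pkt.dport, pkt.src, pkt.sport)
        state = self.flows.get(key)
        if state is None:
            # Unsolicited packet: only a fresh SYN to an allowed port may open
            # a flow (simplified: the rest of that handshake is not modelled).
            if pkt.flags == "S" and pkt.dport in self.inbound_ports:
                self.flows[key] = "ESTABLISHED"
                return True
            return False
        if state == "SYN_SENT":
            if pkt.flags == "SA":  # the reply our own SYN was waiting for
                self.flows[key] = "ESTABLISHED"
                return True
            return False
        return "S" not in pkt.flags  # established: data and ACKs yes, new SYNs no
```

A bare ACK sent to an allowed port passes the static filter but is dropped by the stateful one, which is the "packets still dropped on an allowed port" behaviour described later in the thread; conversely the SYN-ACK reply to a connection this host opened passes the stateful filter without any inbound port rule.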

feniks
November 27th, 2007, 12:06 AM
{QUOTE-> Ghostwall looks to be only a packet filter with the provision to restrict what is allowed on local/remote ports and local/remote IP addresses, without SPI filtering.

SPI seems to ensure that all incoming connections match the packet information in the initial outgoing packets.
<-QUOTE}

I get it! At least I think so. :) But I feel I am closer. I did confuse just packet filtering with SPI, which is more than filtering; it is additional packet inspection. THANK YOU!

Now I understand how Ghostwall can decide what to allow based on outgoing traffic. SPI is similar but more active, complex and "intelligent" filtering.

That is why, even with similar rules in CHX-I (allow all outgoing), when I force-allowed incoming on some port in CHX-I there were still packets dropped, but in the case of Ghostwall not.

With better filtering it is harder to fool the firewall. Do I get it correct now?

{QUOTE->
Packet Filtering

All Internet traffic travels in the form of packets. A packet is a quantity of data of limited size, kept small for easy handling. When larger amounts of continuous data must be sent, it is broken up into numbered packets for transmission and reassembled at the receiving end. All your file downloads, Web page retrievals, emails -- all these Internet communications always occur in packets.

A packet is a series of digital numbers basically, which conveys these things:
The data, acknowledgment, request or command from the originating system
The source IP address and port
The destination IP address and port
Information about the protocol (set of rules) by which the packet is to be handled
Error checking information
Usually, some sort of information about the type and status of the data being sent
Often, a few other things too - which don't matter for our purposes here.

In packet filtering, only the protocol and the address information of each packet is examined. Its contents and context (its relation to other packets and to the intended application) are ignored. The firewall pays no attention to applications on the host or local network and it "knows" nothing about the sources of incoming data.

Filtering consists of examining incoming or outgoing packets and allowing or disallowing their transmission or acceptance on the basis of a set of configurable rules, called policies.

Packet filtering policies may be based upon any of the following:
Allowing or disallowing packets on the basis of the source IP address
Allowing or disallowing packets on the basis of their destination port
Allowing or disallowing packets according to protocol.

This is the original and most basic type of firewall.

Packet filtering alone is very effective as far as it goes but it is not foolproof security. It can potentially block all traffic, which in a sense is absolute security. But for any useful networking to occur, it must of course allow some packets to pass. Its weaknesses are:
Address information in a packet can potentially be falsified or "spoofed" by the sender
The data or requests contained in allowed packets may ultimately cause unwanted things to happen, as where a hacker may exploit a known bug in a targeted Web server program to make it do his bidding, or use an ill-gotten password to gain control or access.

An advantage of packet filtering is its relative simplicity and ease of implementation. <-QUOTE}

{QUOTE->
Early Firewalls, Packet Filtering Firewalls and "Stateful Firewalls"

The first firewalls were based on either a proxy design or a simple packet filtering ruleset. The proxy firewall operates by interposing itself in the middle of the application protocol and interpreting it while applying security controls to the application commands and data, where appropriate. The original value proposition of a proxy firewall is that the proxy is essentially a security-oriented reference implementation of the application protocol – in some cases omitting dangerous operations entirely, or providing additional controls on certain security-critical commands. Proxies have always been considered a conservative security design because the proxy reduces the likelihood of protocol backdoors or side-effects since the proxy’s designer is effectively performing a security assessment of the application protocol’s features prior to implementing them. Early packet filter firewalls implemented a simple policy-table lookup based on { source-ip, destination-ip, source-port, destinat