View Full Version : Inbound firewall
feniks
November 18th, 2007, 01:41 PM
Hi everyone.
It is easy to determine which firewall is good at leak tests because many people test that. But it is hard (for me) to find evaluations/tests of the inbound protection of these firewalls. I assume it is also much harder to do than leak tests.
But for me, as I learn here, and as the old saying goes - prevention is better than cure - firewall inbound protection is very, very important and that, IMHO, is supposed to be its main strength.
Can somebody direct me to some tests of firewalls' inbound protection or advise me which firewalls are the top ones in that and why?
What should I look for in firewall capabilities, what is needed for secure inbound protection?
Possibly some expert advice? :)
lucas1985
November 18th, 2007, 02:10 PM
AFAIK, there aren't any tests which evaluate the inbound/packet filtering abilities of firewalls.
Most people are happy that their firewall gets a Stealth checkmark at grc.com.
WSFuser
November 18th, 2007, 02:14 PM
Here is a previous thread on inbound protection (http://www.wilderssecurity.com/showthread.php?t=177233) if you wish to give it a read over.
feniks
November 18th, 2007, 04:16 PM
-{ Quote: "Here is a previous thread on inbound protection (http://www.wilderssecurity.com/showthread.php?t=177233) if you wish to give it a read over." }-
Thank you for the read, but it did not answer the questions I have. Partially maybe, but the discussion is also a little old as regards the mentioned firewalls.
I am not talking about closing ports or stealth ability. That is standard. Like Stem said:
-{ Quote: "The ability of a firewall to give "Stealth" in no way shows its ability to give inbound protection.
OK, I admit, the TCP/IP stack in the OS is now more protected due to patching/updates from Microsoft, but you need time to check for possible inbound attacks. We can go through many. I personally have found all others know better than I (as they put forward) so I will leave this to them (for now)." }-
I do not agree with the last part of your statement Stem about "them".
So both of my questions are still open and not answered.
Diver
November 18th, 2007, 05:01 PM
I can not personally vouch for this, but some of the members around here like the inbound filtering on CHX-1 (no longer supported), Look'n'Stop, 8Signs, Jetico and Injoy.
All of these I have run at one time or another, and they are not the easiest bunch of fellas to get along with. If you use eMule, forget about 8Signs as it does not work right with Kademlia. CHX-1, if you can scrounge up a copy, requires a completely new way of making rules. LnS is a bit strange as well. Jetico throws more pop-ups than anything I can remember. I only took a quick look at Injoy, but it seems interesting.
Of this bunch only LnS and Jetico have outbound filtering.
This area is much more difficult to evaluate than leak testing, which is probably why information is hard to come by.
Stem
November 18th, 2007, 07:13 PM
-{ Quote: "I do not agree with the last part of your statement Stem about "them"." }-Bad mood day. I was/am tired of users giving preference to firewalls that actually expect the user to be compromised (leak prevention), rather than putting in place filtering on inbound. (No insult intended to anyone,.. but should I care?)
For me, a firewall should give, at minimum, full SPI. This for me is interception of TCP down to the sequence number; for such as UDP, a state table of outbound (record the outbound packet, with a timeout for reply); the same for such as ICMP, but more logic is needed (as an outbound ping could get a reply as "reply" or "timeout" etc.).
There are a number of firewalls that say they give such; to what degree is in question.
As example:
Diver mentions CHX-I. This is quite an excellent packet filter (no application control); there is actually very little config needed, as there are rulesets available (simply: allow out and filter, and it works well).
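Stem's definition of full SPI above (TCP intercepted down to the sequence number; for UDP, a state table of outbound packets with a reply timeout; for ICMP the same, plus the logic to accept either an echo reply or a time-exceeded error as the answer to an outbound ping) can be written down as a small state machine. The Python below is an added example for this thread, not code from CHX-I or any other firewall discussed here; the packet layout (this host is implicit, only the remote address is carried), the 65535-byte window, the timeouts and every address and port are constructed assumptions. It also makes visible that a browser's outbound SYN still leaves inbound packets to judge: the SYN-ACK, the data and any reset come back inbound and are accepted only when they fit the tracked state.

```python
from dataclasses import dataclass

ALLOW, DROP = "allow", "drop"

@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    direction: str      # "out" = this host -> remote, "in" = remote -> this host
    remote: str         # the other end's address (this host is implicit)
    lport: int = 0      # port on this host
    rport: int = 0      # port on the remote host
    flags: str = ""     # TCP flag letters, e.g. "S", "SA", "A", "R", "FA"
    seq: int = 0
    ack: int = 0
    length: int = 0     # TCP payload bytes
    icmp_type: int = 0  # 8 echo request, 0 echo reply, 3 unreachable, 11 time exceeded
    icmp_id: int = 0    # echo identifier (for ICMP errors: id of the quoted request)

class StatefulFilter:
    """'Full SPI' model: TCP handshake + sequence window, UDP/ICMP state tables with timeouts."""
    WINDOW = 65535  # assumed receive window bounding acceptable inbound sequence numbers

    def __init__(self, udp_timeout=30.0, icmp_timeout=5.0):
        self.udp_timeout, self.icmp_timeout = udp_timeout, icmp_timeout
        self.tcp = {}   # (remote, rport, lport) -> {"state", "snd_nxt", "rcv_nxt"}
        self.udp = {}   # (remote, rport, lport) -> expiry time of the reply timer
        self.icmp = {}  # echo id -> (host we pinged, expiry time)

    def filter(self, p, now):  # returns ALLOW or DROP for packet p seen at time `now` (seconds)
        return {"tcp": self._tcp, "udp": self._udp, "icmp": self._icmp}[p.proto](p, now)

    def _tcp(self, p, now):
        st = self.tcp.get(k := (p.remote, p.rport, p.lport))
        if p.direction == "out":
            if st is None:
                if p.flags != "S":
                    return DROP                    # a new outbound flow must start with a SYN
                self.tcp[k] = {"state": "SYN_SENT", "snd_nxt": p.seq + 1, "rcv_nxt": None}
                return ALLOW
            if st["state"] == "SYN_RECV" and "A" in p.flags and p.ack == st["rcv_nxt"]:
                st["state"] = "ESTABLISHED"        # third step of the handshake
            st["snd_nxt"] += p.length
            return ALLOW
        if st is None or ("S" in p.flags and st["state"] != "SYN_SENT"):
            return DROP                            # unsolicited SYN, or no connection at all
        if st["state"] == "SYN_SENT":              # the SYN-ACK answering our SYN is inbound
            if p.flags == "SA" and p.ack == st["snd_nxt"]:
                st.update(state="SYN_RECV", rcv_nxt=p.seq + 1)
                return ALLOW
            return DROP
        lo = st["rcv_nxt"]
        if not lo <= p.seq < lo + self.WINDOW:     # outside the window: forged or stale segment
            return DROP
        if "R" in p.flags:
            del self.tcp[k]                        # an in-window reset tears the flow down
            return ALLOW
        if p.seq == lo:                            # in-order data (or FIN) advances rcv_nxt
            st["rcv_nxt"] += p.length + int("F" in p.flags)
        return ALLOW

    def _udp(self, p, now):
        k = (p.remote, p.rport, p.lport)
        if p.direction == "out":
            self.udp[k] = now + self.udp_timeout   # record the datagram and start the reply timer
            return ALLOW
        expiry = self.udp.get(k)
        if expiry is None or now > expiry:
            return DROP                            # nothing was sent to it, or the timer ran out
        return ALLOW

    def _icmp(self, p, now):
        if p.direction == "out":
            if p.icmp_type == 8:                   # echo request: remember whom we pinged
                self.icmp[p.icmp_id] = (p.remote, now + self.icmp_timeout)
            return ALLOW
        entry = self.icmp.get(p.icmp_id)
        if entry is None or now > entry[1]:
            return DROP                            # no outstanding request with this id
        if p.icmp_type == 0:
            return ALLOW if p.remote == entry[0] else DROP  # echo reply must come from the pinged host
        return ALLOW if p.icmp_type in (3, 11) else DROP    # an error quoting our request may come from a router

def demo():
    fw, t, v = StatefulFilter(), 100.0, {}
    web, dns, rtr = "203.0.113.5", "203.0.113.53", "198.51.100.1"  # constructed remote addresses
    v["syn_out"] = fw.filter(Packet("tcp", "out", web, 40000, 80, "S", seq=1000), t)
    v["synack_in"] = fw.filter(Packet("tcp", "in", web, 40000, 80, "SA", seq=5000, ack=1001), t)
    v["ack_out"] = fw.filter(Packet("tcp", "out", web, 40000, 80, "A", seq=1001, ack=5001), t)
    v["data_in"] = fw.filter(Packet("tcp", "in", web, 40000, 80, "A", seq=5001, ack=1001, length=100), t)
    v["rst_bad_seq"] = fw.filter(Packet("tcp", "in", web, 40000, 80, "R", seq=999999), t)  # forged reset
    v["unsolicited_syn"] = fw.filter(Packet("tcp", "in", rtr, 139, 4444, "S", seq=1), t)
    v["dns_out"] = fw.filter(Packet("udp", "out", dns, 50000, 53), t)
    v["dns_in"] = fw.filter(Packet("udp", "in", dns, 50000, 53), t + 1)
    v["dns_late"] = fw.filter(Packet("udp", "in", dns, 50000, 53), t + 100)  # reply after the timer expired
    v["ping_out"] = fw.filter(Packet("icmp", "out", web, icmp_type=8, icmp_id=7), t)
    v["ttl_exceeded_in"] = fw.filter(Packet("icmp", "in", rtr, icmp_type=11, icmp_id=7), t + 0.5)
    v["echo_reply_in"] = fw.filter(Packet("icmp", "in", web, icmp_type=0, icmp_id=7), t + 1)
    v["stray_reply_in"] = fw.filter(Packet("icmp", "in", web, icmp_type=0, icmp_id=9), t + 1)
    return v
```

`demo()` returns the verdict for each labelled packet: the forged reset with a far-off sequence number is dropped while the in-window data is accepted, the late DNS reply is dropped once its timer has run out, and a time-exceeded error from an intermediate router is accepted for the tracked echo id even though it does not come from the pinged host. A real stack must also handle sequence-number wraparound and the peer's advertised window, which this toy ignores.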
dmenace
November 18th, 2007, 07:57 PM
My opinion is that the benchmark firewall (esp. in regards to inbound filtering) is Sygate 5.x Pro. Despite being no longer supported (as Sygate was bought by Symantec), firewalls age much less than other security software, and it is still the benchmark firewall when it comes to inbound filtering.
Why? Well, let's take Comodo Firewall Pro, the most leaktest-obsessed firewall on the planet. Yet if you go to Security > Define a new trusted network, all traffic from the IP range specified will be allowed! Yet for a home network you only need ports 135, 137, 138, 139 and 445 open. What this means is that if another computer on your network is compromised with a worm, it can easily compromise any computer running Comodo, as it allows any traffic (good/bad) from a trusted network.
Sygate, meanwhile, has an extensive inbound filtering system: for example, you can set it to allow you to browse the file shares of other computers on a LAN without them being able to browse you. I don't know many firewalls that give you that level of control. And that is just the beginning. See the screenshot attached for examples of all the features. What firewall today offers OS fingerprint masquerading, for example? In the above example, Comodo doesn't even have a proper IPS, just simple port scan / DoS detection.
And the icing on the cake is that Sygate is lightweight and fast. Probably the current industry-leading firewalls like Outpost and ZoneAlarm Pro might have some of the features of Sygate, but they have a lot of junk such as anti-spyware and AV monitoring that is not required in a firewall and make the firewall a RAM- and CPU-hogging behemoth it shouldn't be.
I am not trying to advertise Sygate, but rather pay tribute to one of the best software firewalls ever made, one that I continue to use today. However, I now sadly recommend Comodo knowing full well it is rubbish, feeding off the leaktest paranoia that surrounds software firewalls today.
On a final note, many leaktest authors struggle to give examples of in-the-wild malware that utilises their method to bypass firewalls. You are more likely to be attacked with an unpatched software exploit such as those in IE. Here leaktest firewalls fail and those with IPS signatures pass.
dmenace
November 18th, 2007, 07:58 PM
Screenshot (found on internet)
Stem
November 18th, 2007, 08:35 PM
-{ Quote: "Screenshot (found on internet)" }-All looks very nice. Are you able to explain and show the protection?
Simple example:
DoS protection: against what? (Please name.) Most, as said by users on this forum, are "outdated", which I agree with; most are. But as with viruses, attacks by method change. I do know various methods of DoS (and various) which will bypass a lot of firewalls.
Anti-MAC spoofing: this I find amusing. From all the firewalls I see, there is no protection here (out of the box ~ a need to create rules),.. simply because no binding is first made to the gateway. I see a number of attempts by firewalls,... such as OP Pro, that will block the MAC of the gateway when a spoof attempt is made (it should be the IP within the packet, not the MAC); the user is then blocked (DoS'ed) anyway.
Diver
November 18th, 2007, 09:25 PM
dmenace-
What is that a screen shot of? I am going to guess it is Sygate Pro. At any rate, the IDS signatures are way out of date if you want to use Sygate. The technology is in use in Symantec Endpoint 11.
Also, I don't think it matters much if all traffic is allowed or just the NetBIOS ports. If there is a worm, it's going to look for the NetBIOS ports first in all likelihood. You don't have to use the default rules made by the wizard either. Comodo will work with tighter NetBIOS rules. I just have not figured out how to get tighter rules to work with allowing a VMware guest to access the host.
Stem-
I seem to remember there was a simple CHX-1 rule set that would do the job for most. It's so elegant that it is baffling.
What I mainly remember is with that list of firewalls (except for Injoy which I only briefly looked at) I spent way too much time playing around with the rules. I probably spent way too much time messing with Kerio 2.15 as well. I would likely set up much looser rules if working with any rule based firewall today.
---
There is probably a bunch wrong with Comodo 2.4, but it is so easy to deal with. True, it was designed with leak testing in mind, but I would hardly say the authors were obsessed with that one factor because they really got the user friendly part right.
gud4u
November 19th, 2007, 04:36 PM
I'm certainly no security expert, but I'll comment anyway.
It doesn't require much security savvy to install a NAT router with SPI protection for very good inbound protection:
- Select one.
- Read the manual.
- Install, update the latest firmware and configure the router.
It's a first-layer approach that offers good inbound protection - regardless of whatever software firewall you select.
I'd also suggest that you should expand your requirements for a software firewall to include both inbound and outbound connection protection. Often, a user's first indication of malware presence is a software firewall alert about an outbound-connection-attempt by a suspicious program.
An excellent suggested software firewall for the novice is Comodo 2.4. It passes 'Shields Up' and combines good inbound and outbound protection, plus limited HIPS functions.
And never forget that inbound protection is highly dependent on the user's discretion to be careful about the sites you visit and the 'free' downloads the user authorizes.
Hope this helps!
ggf31416
November 19th, 2007, 07:23 PM
-{ Quote: "
And never forget that inbound protection is highly dependent on the user's discretion to be careful about the sites you visit and the 'free' downloads the user authorizes.
" }-
I don't see how inbound protection can be dependent on surfing habits when everything downloaded by the browser comes over outbound connections.
wat0114
November 19th, 2007, 07:30 PM
-{ Quote: "I don't see how inbound protection can be dependent on surfing habits when everything downloaded by the browser comes over outbound connections." }-
Not all connections are outbound:
Three Way Handshake (http://www.tcpipguide.com/free/t_TCPConnectionEstablishmentProcessTheThreeWayHandsh-4.htm)
woobook
November 20th, 2007, 12:19 AM
-{ Quote: "
Stem, you are a firewall expert and you like inbound quality. Can you tell me which of the above has the best inbound protection with minimal hassle? If they have it at all (more than just stealth etc.), or do I have to look for something else?
" }-
There are five beautiful girls in Stem's office. You come in and ask him, Can you tell me which is the most beautiful girl in this office.
^_^
Hairy Coo
November 20th, 2007, 01:22 AM
Exactly ;D
Unreasonable questions - everyone's preferences are different.
So choose the one that best suits you - they are all GOOD, maybe one is a bit naughtier than another, but there wouldn't be much in it.
feniks
November 20th, 2007, 01:30 AM
-{ Quote: "There are five beautiful girls in Stem's office. You come in and ask him, Can you tell me which is the most beautiful girl in this office.
^_^" }-
Yes, that would not be polite. :)
How should I ask this question, take Stem aside out of the office? :)
Maybe he can PM me? Would that be possible and proper? :)
Well, maybe I asked the wrong way; maybe I should ask - can you describe to me the inbound protection qualities of these beauties?
Well, I need to know if they have SPI (I only found out that ESS and WDF have for sure) and how about its implementation?
Does any of these 5 have full SPI?
Or is there no way for me to get expert advice on the 5 firewalls? Not a recommendation from some fan of one of them. A kind of honest comparison/benchmark of the inbound protection capabilities of these five.
Hairy Coo
November 20th, 2007, 01:35 AM
Fenik - with all due respect - you are unlikely to get more deep and meaningful information - you have enough.
This is already your second thread on the same type of subject, plus numerous posts.
You keep on asking the same questions!
Don't you think it's time to take the plunge and make a decision - the risk really isn't big.
feniks
November 20th, 2007, 01:41 AM
-{ Quote: "Exactly ;D
Unreasonable questions - everyone's preferences are different.
So choose the one that best suits you - they are all GOOD, maybe one is a bit naughtier than another, but there wouldn't be much in it." }-
Hi, Hairy Coo.
So are you saying that there is no significant difference between them? (In inbound protection.)
I know they are stealth etc. But the Windows XP firewall is too, and it has SPI.
What about their SPI, or some problems or advantages/disadvantages that I do not even know about, but are important in inbound protection?
When I started the thread I asked for inbound tests, as leak tests are widely available.
Looks like there are not any, so maybe (hopefully) I get the answer here.
Actually I need to know about these 5 I mentioned above.
Hairy Coo
November 20th, 2007, 01:55 AM
Feniks
What can I say - the fact that you don't have all the info you personally want indicates that it's either not available - not considered relevant or important - has been previously posted or, more to the point, an expert isn't going to broadcast his top choice, as he just doesn't want to - so just leave it alone!
As I said, you can't keep on asking the same questions forever. :)
Make a decision, you have enough knowledge :thumb:
Hairy Coo
November 20th, 2007, 02:27 AM
Feniks
My last post on this.
You seem to have good knowledge-just experiment with your new firewall or whatever other app. interests you.
Then you can help someone with advice ;D
Cheer up!
Stem
November 20th, 2007, 05:06 AM
-{ Quote: "Stem-
I seem to remember there was a simple CHX-1 rule set that would do the job for most. It's so elegant that it is baffling." }-There are a number of rulesets; it is really down to what you require/need on your setup.
I know a lot of users like to sit behind a router, then not use a software firewall; why pay for a router when CHX-I will protect as well, if not better? An HIPS with application control for internet access can be added.
There have been a number of threads concerning CHX-I, which would give the basics, and also links. Or start a new thread if info is required; there are other users of CHX-I.
Stem
November 20th, 2007, 05:14 AM
-{ Quote: "I don't see how inbound protection can be dependent on surfing habits when everything downloaded by the browser comes over outbound connections." }-It is the filtering of the returned packets. Do remember that everything you see on your PC monitor when browsing has been downloaded to your PC. (So you do need to filter this inbound.)
Stem
November 20th, 2007, 05:18 AM
-{ Quote: "Stem said that he is here for help. But I think it does not apply to beginners." }-I will help any member (time permitting), but I will not get caught up in a "which firewall is best" thread. It just leads to flame wars.
FadeAway
November 20th, 2007, 05:50 AM
CHX is the best inbound packet filter I ever found. I ran it as my only firewall for the last two years I was on dial-up. I'm on DSL behind a router now, but I still run it anyway, as it allows me to create rules for ports, protocols, and IPs. Its SPI is about as good as it gets, and logging is fantastic. It's one of the lightest firewalls I know of. It works on XP.
There is a great deal of information in past threads at Wilders, as Stephan R, one of its developers, used to post here to provide guidance.
There is also a forum here:
http://www.sscnetwork.net/
See also these Wilders threads (there are others):
http://www.wilderssecurity.com/showthread.php?t=65266&highlight=CHX-I
http://www.wilderssecurity.com/showthread.php?t=124457&highlight=green
http://www.wilderssecurity.com/showthread.php?t=139457
If you try it, I'll bet you'll get help from some really expert forum members. I learned it by reading every post about it at Wilders that I could find.
feniks
November 20th, 2007, 10:11 AM
-{ Quote: "I will help any member (time permitting), but I will not get caught up in a "which firewall is best" thread. It just leads to flame wars." }-
Stem, please accept my apologies. That was an overreaction caused by my ignorance about forum rules or etiquette. I have to learn not only security matters. The post was deleted.
I know I keep asking the same questions. Maybe somebody can direct me to answers?
From what I understand from your posts these subjects are important, and many days of searching do not bring my answer. I am too small to test the applications myself. The producers' sites do not tell that much.
As you seem to be an expert in both subjects (firewalls and etiquette), can you tell me if these questions below are also not proper to ask?
I will accept any answer.
1. Well, I need to know if they have SPI (I only found out that ESS and WDF have for sure) and how about its implementation?
2. Does any of these 5 have full SPI?
3. Some problems or disadvantages that I do not even know about, but are important in inbound protection?
I am talking about ZA, OA, WDF, ESS, as Outpost does not like my system.
feniks
November 20th, 2007, 10:15 AM
-{ Quote: "CHX is the best inbound packet filter I ever found. I ran it as my only firewall for the last two years I was on dial-up. I'm on DSL behind a router now, but I still run it anyway, as it allows me to create rules for ports, protocols, and IPs. Its SPI is about as good as it gets, and logging is fantastic. It's one of the lightest firewalls I know of. It works on XP.
There is a great deal of information in past threads at Wilders, as Stephan R, one of its developers, used to post here to provide guidance.
There is also a forum here:
http://www.sscnetwork.net/
See also these Wilders threads (there are others):
http://www.wilderssecurity.com/showthread.php?t=65266&highlight=CHX-I
http://www.wilderssecurity.com/showthread.php?t=124457&highlight=green
http://www.wilderssecurity.com/showthread.php?t=139457
If you try it, I'll bet you'll get help from some really expert forum members. I learned it by reading every post about it at Wilders that I could find." }-
Thank you very much; this looks encouraging and interesting.
I already downloaded versions 2.8 and 3.0; which should I start to use?
Is there any place to get the 3.0 manual, as the links here on Wilders are mostly not working now? And fluxgfx has the manual for 2.8.
Is http://www.fluxgfx.com/ssc/ the same as sscnetwork?
Are the downloads and drivers from this thread the most current? http://www.wilderssecurity.com/showthread.php?t=166264&highlight=chx-i+drivers
FadeAway
November 20th, 2007, 01:31 PM
-{ Quote: "Thank you very much; this looks encouraging and interesting.
I already downloaded versions 2.8 and 3.0; which should I start to use?" }-
Version 2.8 required an activation key after 30 days, which is no longer available for new users. Use version 3, as it requires no activation. Version 3 mostly just added payload filtering, which is unnecessary for the average home user.
There is an uploaded file which includes the v.3 installer, the WAN starter rule set & the version 3 manual here:
http://rapidshare.com/files/71075321/CHX3.zip.html
Initial setup info can be found in this thread:
http://www.wilderssecurity.com/showthread.php?t=124457&highlight=green
For version 3, import the WAN start rules, not the workstation rules.
Remember, CHX allows all until you import or create a rule set.
If you create your own rules, always remember to set "allow" rules at the lowest priority. It's all in the manual and in previous threads here at Wilders. You will need to do lots of reading.
Good luck
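dmenace's Comodo example earlier in the thread (a "trusted network" that allows every port from the LAN, when only 135, 137, 138, 139 and 445 are needed for sharing) and FadeAway's CHX-I advice just above to put "allow" rules at the lowest priority both come down to how a priority-ordered rule set is evaluated. The Python below is an added example written for this thread, not code from Comodo, CHX-I or any other product mentioned; the rule format, the "higher priority is consulted first, first match wins" convention, the LAN range, the quarantined host and the probe packets are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    priority: int                     # higher priority is consulted first (assumed convention)
    action: str                       # "allow" or "block"
    src_net: str                      # CIDR the remote address must fall inside
    dports: Optional[FrozenSet[int]]  # None = any destination port
    proto: str = "any"                # "tcp", "udp" or "any"
    name: str = ""

def evaluate(rules: List[Rule], remote_ip: str, dport: int, proto: str = "tcp") -> Tuple[str, str]:
    """First matching rule wins, highest priority first; no match means block (default deny)."""
    addr = ipaddress.ip_address(remote_ip)
    for r in sorted(rules, key=lambda r: r.priority, reverse=True):
        if r.proto != "any" and r.proto != proto:
            continue
        if addr not in ipaddress.ip_network(r.src_net):
            continue
        if r.dports is not None and dport not in r.dports:
            continue
        return r.action, r.name
    return "block", "default deny"

LAN = "192.168.1.0/24"                          # constructed home LAN
NETBIOS = frozenset({135, 137, 138, 139, 445})  # the ports the post says file/printer sharing needs

# A: the "trusted network" shortcut: one rule, everything from the LAN is allowed.
TRUST_ALL = [Rule(10, "allow", LAN, None, "any", "trusted network: allow all")]

# B: only the sharing ports, plus a higher-priority block for one LAN host we quarantined.
TIGHT = [
    Rule(90, "block", "192.168.1.66/32", None, "any", "quarantined host"),
    Rule(10, "allow", LAN, NETBIOS, "any", "LAN file and printer sharing"),
]

# C: the same two rules with priorities swapped: the broad allow is consulted first,
# so the block can never match (why allow rules belong at the lowest priority).
MISORDERED = [
    Rule(10, "block", "192.168.1.66/32", None, "any", "quarantined host"),
    Rule(90, "allow", LAN, NETBIOS, "any", "LAN file and printer sharing"),
]

PROBES = [  # (remote, dport, proto): constructed inbound connection attempts
    ("192.168.1.20", 445, "tcp"),   # neighbour opening a file share
    ("192.168.1.20", 3389, "tcp"),  # neighbour reaching Remote Desktop
    ("192.168.1.66", 445, "tcp"),   # quarantined host opening a file share
    ("203.0.113.5", 445, "tcp"),    # internet host reaching the file share
]

def compare(rulesets=None):
    """Verdict per probe for each rule set, in PROBES order."""
    rulesets = rulesets or {"trust_all": TRUST_ALL, "tight": TIGHT, "misordered": MISORDERED}
    return {name: [evaluate(rs, *probe)[0] for probe in PROBES] for name, rs in rulesets.items()}
```

`compare()` shows the three outcomes side by side: the trusted-network rule lets the neighbour reach any port and the quarantined host reach the share, the tight set admits only the sharing ports and honours the block, and the misordered set silently loses the block because the allow rule is consulted first.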
feniks
November 20th, 2007, 02:13 PM
-{ Quote: "
For version 3, import the WAN start rules, not the workstation rules." }-
I am behind a router, if that changes anything. But well, I start reading. ;)
-{ Quote: "It's all in the manual and in previous threads here at Wilders. You will need to do lots of reading.
Good luck" }-
Don't worry about that - I am a very inquisitive person. Some may say even too much. ;D
I start to suspect that CHX-I with a decent HIPS as the application layer will not make concessions to any of the well-known and popular application/rule-based software firewalls, and maybe is what I am looking for...
PS. Downloaded without problems, thank you.
larryb52
November 20th, 2007, 02:59 PM
I know what I like when I run a firewall & AV. Look 'n' Stop works for me; it is rule based & lets 'me' be in control of my system, and also advises what is calling out. I don't know about others, but all the tests in the world, including leak tests, don't help me feel in control. I know others are supposed to be better at leak tests, but I like control over leak tests...
Diver
November 20th, 2007, 04:03 PM
-{ Quote: " An HIPS with application control for internet access can be added.
TCHX-I" }-
Can Stem or anyone give the names of any HIPS with application control for internet access. This would appear to be less trouble than a HIPS that restricts all applications not white listed.
Stem is also very lucky to have five beautiful girls in his office.
WSFuser
November 20th, 2007, 04:07 PM
AppDefend, SSM, and ProSecurity *I think*.
19monty64
November 20th, 2007, 10:44 PM
ThreatFire using custom rules, listed here (http://www.wilderssecurity.com/showthread.php?t=191802), also. Uses no extra resources with the ruleset from posts 5-7.
Hairy Coo
November 20th, 2007, 11:34 PM
Monty - have you customised TF, and is it a good idea?
19monty64
November 21st, 2007, 12:23 AM
-{ Quote: "Monty - have you customised TF, and is it a good idea?" }-
Yes, I did the modifications from posts 5-7, and left a couple of apps off the list. When I opened them I got 1 pop-up, allowed and remember, no problems. A couple of reboots, a bit of games and surfing, no slow-down. TF is still using less than 8MB RAM. For the 5 mins it took to add the rules I'd say it's definitely worth the effort. The rest of the custom rules, well, I'll read up a bit more before tackling them. *****:thumb: :thumb:
Stem
November 21st, 2007, 03:28 AM
-{ Quote: "Stem, please accept my apologies. That was an overreaction caused by my ignorance about forum rules or etiquette. " }-I was not referring to forum rules or etiquette, but to the fact that when involved in a thread with "which one is better" then flame wars happen.
-{ Quote: "I will accept any answer.
I am talking about ZA, OA, WDF, ESS as Outpost do not like my system." }-
First, I do not use (or install on users' PCs I support) any firewall that provides application access control and then gives hard-coded rules to its own applications to allow them access, regardless of whether they make unknown connections or not (as they could anyway ~ without users allowing this), so from that I will (in my reply) discard ZA and ESS.
WDF? What is that?
OA, no, it only makes a state table; it will not check flags/sequence etc. of TCP.
WSFuser
November 21st, 2007, 10:20 AM
WDF = Webroot Desktop Firewall
feniks
November 21st, 2007, 10:55 AM
-{ Quote: "I was not referring to forum rules or etiquette, but to the fact that when involved in a thread with "which one is better" then flame wars happen." }-
Fully understand and accept. And I see specific questions about features etc. are accepted. :)
-{ Quote: "
WDF? what is that?
" }-
Yes, like WSFuser said, Webroot Desktop Firewall. You tested Privatefirewall but I did not find my answer there (about inbound protection, SPI (full?), SPI implementation etc.). In another post you said about Privatefirewall "I still have to check the packet filtering, so my opinion could change".
But you said on the test thread that you were kind of pleased with the outcome of the test and waiting for some improvements. Webroot Desktop Firewall is version 6.0 of Privatefirewall; maybe you would like to test it and check if they fixed what you did not like? :)
rhuds13
November 21st, 2007, 12:22 PM
Would a person who has, say, just AV and SAS Pro and does not use P2P and such be safe just using the Vista or XP FW?
FadeAway
November 21st, 2007, 01:37 PM
-{ Quote: "Would a person who has, say, just AV and SAS Pro and does not use P2P and such be safe just using the Vista or XP FW?" }-
I don't use bi-directional (inbound/outbound) firewalls because I believe they provide a false sense of security. To my way of thinking, the very existence of leak tests proves that. Others will disagree, I'm sure. My preference is to combine solid inbound firewalling with separate internal detection such as HIPS & IDS which is not part of the firewall software.
To answer your question, I would feel safe with your setup for general use, but if I were visiting my bank online, I'd want a HIPS or IDS in the mix.
Stem
November 21st, 2007, 05:18 PM
-{ Quote: "Yes, like WSFuser said, Webroot Desktop Firewall. You tested Privatefirewall but I did not find my answer there (about inbound protection, SPI (full?), SPI implementation etc.). In another post you said about Privatefirewall "I still have to check the packet filtering, so my opinion could change"" }-WDF, right,... I have not had time to look at that yet.
With Privatefirewall, I held off, as there were a couple of bugs, and the fact that the firewall did not intercept localhost.
Diver
November 21st, 2007, 07:34 PM
As I read this the question comes to mind, are the typical application oriented software firewalls being breached by inbound attacks? If so, which ones are the weakest?
If you have your computer behind a router you are not directly connected to the internet. Are there any brands or models of routers that are being breached by inbound attacks more so than others? Does it help to use open source firmware like Tomato or DD-WRT?
Even when I take my notebook on the road, it will be behind a router or wireless access point. There are going to be other users, but not more than 100 as compared to a direct internet connection with millions of users. Why isn't a typical application oriented firewall going to cut it?
I hear these concerns, but as I look around in various forums and tech news sites, I find a lack of tales of any of these problems happening. In all fairness, I find a lack of tales of folks having an application oriented firewall save the day when it catches a bot phoning home that got on there via a drive-by download and was missed by the AV because it was zero day.
It seems to me there is neither a compelling case for a sophisticated inbound packet filter nor an application oriented firewall that does not leak, within the bounds of Matousec's world.
Kerodo
November 21st, 2007, 09:40 PM
-{ Quote: "It seems to me there is neither a compelling case for a sophisticated inbound packet filter nor an application oriented firewall that does not leak, within the bounds of Matousec's world." }-
Diver, I think you have a good point, and one which I completely agree with. Especially regarding inbound. I would bet that perhaps 1 home user in 100,000 has ever seen any kind of real "attack" on either his router or firewall. To my mind, talking about the quality of inbound protection is pretty much a waste of time. Stick a simple cheap NAT router in front of your PC and call it a day. That's all you need....
Diver
November 21st, 2007, 10:49 PM
From the Matousec site:
"A good personal firewall offers both inbound and outbound protection. The inbound protection means that packets sent from the Internet or local area network to your computer are filtered and only ports that you want to be open are accessible. This protection is standard and is very good and reliable in almost all personal firewalls. On the other hand is the outbound protection which cause problems to all vendors nowadays."
That's his opinion. If he is right, except for a few exceptions all software firewalls get the inbound filtering job done.
Stem
November 22nd, 2007, 12:54 AM
-{ Quote: "It seems to me there is neither a compelling case for a sophisticated inbound packet filter" }-Do you think that full SPI is sophisticated, and beyond correct implementation by firewalls?
Realise, that a good SPI firewall will filter out bad packets/ spoof attempts etc, without a need for user interaction.
-{ Quote: "That's his opinion. If he is right, except for a few exceptions all software firewalls get the inbound filtering job done." }-What do you think that "Inbound filtering" actually is?
Diver
November 22nd, 2007, 10:19 AM
Stem,
I can't answer your questions on inbound filtering because I don't understand the technology the way you do. All I know is that is what Matousec, a supposed expert says. Because of my legal training there is a suspect aspect to a guy who makes his living testing outbound leak performance making such a statement. There is a difference between a packet getting through that shouldn't and that packet doing any damage.
Most of the successful attacks today are coming via http from cracked websites or downloaded Trojan games and screen savers. As far as I know, the default firewall in XP stops the worms floating around the internet even on a direct connection. I have not seen any advisories that say otherwise. For a directed attack I don't know, but do I really have to worry about that?
The question is, are the typical personal firewalls that most of us use actually being breached by inbound attacks, not are they theoretically subject to an attack?
My hunch is when an attack is not detected (after the fact) by a so called leak proof firewall it is probably a result of the user misinterpreting the pop up warning and allowing the connection because they were concentrating on something else.
Stem
November 22nd, 2007, 10:24 PM
Diver,
-{ Quote: "I can't answer your questions on inbound filtering because I don't understand the technology the way you do. All I know is that is what Matousec, a supposed expert says." }-At one time, "Matousec" site was concerned with coding/stability of firewalls, but now it appears mainly to be a "leaktest" site, using "leaks" taken from various other sites.
-{ Quote: "There is a difference between a packet getting through that shouldn't and that packet doing any damage. " }-I have seen firewalls fail due to various types (or a combination) of illegal/bad packets, which should be dropped by a good SPI.
Diver
November 22nd, 2007, 11:13 PM
Stem,
I am not trying to pull your leg or anything. For me interpreting the available information and making personal cost to benefit calculations is the problem.
As I have indicated before, for Matousec, the temple of leak testing, to dismiss the inbound performance differences of all firewalls in a single sentence is suspect.
On the other hand, it is very difficult to obtain meaningful objective information on inbound performance, and on the practical benefit of either improved inbound or outbound (leak) filtering. It would be very interesting if a few novices were put in front of Matousec's computers while they were being tested and told to respond to the firewall prompts while browsing or doing some other work. They would get it wrong most of the time.
Someone like yourself will know the technical benefits of different designs, and the possibilities for things to go wrong, but that is not the same as things actually going wrong at a rate that one must be concerned about. An XP SP1 machine will last about 20 minutes with no firewall and a direct connection. How long does a patched SP2 box go with the Windows firewall on with a direct connection and just sitting there without browsing? It must be indefinitely, or we would be hearing about it all the time. Believe me, I will not be running a patched SP2 box with just the windows firewall on a direct internet connection, or any other computer on a direct internet connection.
When I mention cost to benefit ratios, it is not so much the difference between a $40 firewall and one that is free as the amount of trouble it is to deal with the program. Just look at the thread on the free Comodo 3.0 and see how many members of this board are overwhelmed by it. The same could be said for several HIPS or firewalls with HIPS features.
It is unfortunate, but the most serious threats are from packets being passed properly by proper firewalls. Those are trojan downloads and drive by attacks.
Stem
November 23rd, 2007, 09:02 AM
Diver,
-{ Quote: "It is unfortunate, but the most serious threats are from packets being passed properly by proper firewalls. Those are trojan downloads and drive by attacks." }-I have seen various definitions of "Drive by attacks", from attacks on routers / attempt to spoof/poison the DNS cache /exploit browsers / redirect browsers, etc, so it would depend on your definition of "Drive by attack".
If we are looking at "drive by attacks"~ "download", then I agree that most firewalls will not filter to such a level, we would need to move on to "deep packet inspection" (or "Payload Filtering" as put by CHX-I). But this does come at a cost of CPU time, and I know users of P2P clients would not be happy with the CPU taken for the processing.(certainly with "Injoy"~,... CHX-I, I have not really made much testing with the "payload filters", as it was a little buggy at times).
Bottom line, for me, if there was only one possible bypass/problem due to lack of full SPI, then this is enough for me to chase vendors to implement full SPI.
Take a look at Outpost pro "attack plugin", would you consider this outdated/not needed?
Diver
November 23rd, 2007, 09:55 AM
Stem-
A drive by attack, according to an article I saw recently, involves using a security flaw in the browser to cause an executable file downloaded into the cache of the browser to execute when it should not.
I am not familiar with the Outpost plug-in that you mentioned. Perhaps you can give us more details.
It would be helpful to all of us if you would give more details in general. You know a lot more than most of us. I, for one, would like to know about the inbound capabilities of more firewalls, and just what the real world benefits of these capabilities are. Matousec's statement that nearly all of them have the inbound side worked out is a bit frustrating.
feniks
November 23rd, 2007, 10:21 AM
-{ Quote: "Stem-
It would be helpful to all of us if you would give more details in general. You know a lot more than most of us. I, for one, would like to know about the inbound capabilities of more firewalls, and just what the real world benefits of these capabilities are. Matousec's statement that nearly all of them have the inbound side worked out is a bit frustrating." }-
Can I also make the same request? :)
Stem You did test Privatefirewall but in the thread about it there is no answer to my question and you did not answer it here. May I try again? :)
The question was:
You tested Privatefirewall but I did not find there my answer. (about inbound protection as SPI (full?) SPI implementation etc.)
Also it is blocking many http and https in/out while browsing. Is that SPI filtering like CHX-I or something else?
In CHX-I the log is more detailed and by the nature of this program it is easy to assume what the reason for blocking is. However in PF the log is not so detailed. ???
Stem
November 23rd, 2007, 10:43 AM
Diver-
-{ Quote: "A drive by attack, according to an article I saw recently involves using a security flaw in the browser to cause an executable file in downloaded into the cache of the browser to execute when it should not." }-There are many articles, such as "Drive-by on routers" (http://www.informationweek.com/blog/main/archives/2007/02/new_driveby_att.html). So are you referring to actual browser exploits?
-{ Quote: "I am not familiar with the Outpost plug-in that you mentioned. Perhaps you can give us more details." }-
(attached screenshot of the Outpost Attack plug-in)
Stem
November 23rd, 2007, 10:56 AM
-{ Quote: "Stem You did test Privatefirewall but in the thread about it there is no answer to my question and you did not answer it here. May I try again? :)
The question was:
You tested Privatefirewall but I did not find there my answer. (about inbound protection as SPI (full?) SPI implementation etc.)" }-See post #40
-{ Quote: "Also it is blocking many http and https in/out while browsing what it is SPI filtering like CHX-I or something else?
In CHX-I the log is more detailed and by the nature of this program is easy assume what is the reason for blocking. However in PF the log is not so detailed. ???" }-Sorry, bad week,.. please explain more.
wat0114
November 23rd, 2007, 11:07 AM
-{ Quote: "Take a look at Outpost pro "attack plugin", would you consider this outdated/not needed?" }-
What are your thoughts on Outpost's Attack plug-in, Stem. Effective or ineffective?
Stem
November 23rd, 2007, 11:10 AM
-{ Quote: "What are your thoughts on Outpost's Attack plug-in, Stem. Effective or ineffective?" }-They are effective on what they are intended for, (but they introduce extra process for each packet,.. and do slow down connections. Correct/full SPI would drop most without a need for external process)
feniks
November 23rd, 2007, 11:25 AM
-{ Quote: "See post #40" }-
Sorry my bad english, held off = stop testing = did not test it yet. :-[
-{ Quote: "See post #40
Sorry, bad week,.. please explain more." }-
I mean something like this:
http://www.wilderssecurity.com/showpost.php?p=1111050&postcount=145
So I was wondering if that is some SPI filtering?
In CHX-I with wan start rules and all inspections (arp, tcp, udp, icmp) checked I also had the same entries and the reason was "out of connection" flags ACK RST.
So can I assume that Webroot has some SPI filtering similar to CHX-I and that is the reason for blocking?
Diver
November 23rd, 2007, 12:15 PM
Stem,
I thought it was clear that I was referring to browser attacks.
As far as the router attack you link to goes, anyone who does not change the default password on their router is making a mistake. I have walked into businesses with free wifi for customers and accessed their router via the default password, then called the manager and explained the situation to them just to see the expression on their face. This often happens at scuba diving shops where they are more focused on life underwater than above.
Thanks for the screen shot, but what does the plug in do? Does it simply identify the attack? Does Outpost or the typical personal firewall repel these attacks? What is a Nestea attack, is it like Long Island ice tea?
Stem
November 23rd, 2007, 12:21 PM
-{ Quote: "Sorry my bad english, held off = stop testing = did not test it yet. :-[ " }-Don't worry, my english is bad, I only fully understand binary/hex
-{ Quote: "I mean something like this:
http://www.wilderssecurity.com/showpost.php?p=1111050&postcount=145
So I was wondering if that is some SPI filtering?" }-Don't know without further info (header info, current connection etc).
-{ Quote: "In CHX-I with wan start rules and all inspections (arp, tcp, udp, icmp) checked also the same entries and the reason was "out of connection" flags ACK RST." }-
"Out of connection" - This can represent either a non-SYN scan or a packet arriving after a particular timeout value has caused the tear down of a connection. The same applies to an unsolicited UDP/ICMP packet.
feniks
November 23rd, 2007, 12:29 PM
-{ Quote: "Don't know without further info (header info, current connection etc)." }-
Unfortunately nothing like that in the log. >:(
Is there any way I can test/check it? I mean SPI implementation.
Or is it something beyond a regular user like me?
Stem
November 23rd, 2007, 12:39 PM
-{ Quote: "Unfortunately nothing like that in the log. >:(
Is there any way I can test/check it? I mean SPI implementation.
Or is it something beyond a regular user like me?" }-If you are having problems or concerns, then install a sniffer, then at least we can see the full packets.
example: Use Ethereal (http://www.ethereal.com/) or wireshark (http://www.ethereal.com/) both free.
feniks
November 23rd, 2007, 12:46 PM
Hi Stem. Thank you very much for the answers. I consider them carefully and my bank of questions gradually becomes more empty. :)
I hope you have not become impatient with me yet.
While I read the replies in this thread and Wilders at large I come to some conclusions (which please - can you confirm/reject/answer):
1. CHX-I is really decent in inbound filtering and protection and is not inferior to any of the popular firewalls today in this area of protection.
2. What I only need is decent outbound control and I will have quite a good firewall solution (CHX-I + outbound controlled with something)
3. You suggested HIPS and I am familiar with OA and DSA. Will that give me sufficient outbound control? Maybe there is something like HIPS that gives me control over application connections (rules restricting where they can go, maybe even IP control not just ports).
4. I observe that if I use Webroot firewall with CHX-I together then nothing is shown in WDF logs - all is in CHX-I logs. Does that mean that CHX-I filtering is before Webroot firewall?
I hope you can answer these questions. I will be really thankful and satisfied. ;D
EDIT: PS. This wireshark you mean I guess: Wireshark (http://www.wireshark.org/about.html) because both your links are to Ethereal. Do I need to download Ethereal or will only Wireshark be fine to play with?
Stem
November 23rd, 2007, 12:52 PM
Diver,
-{ Quote: "I thought it was clear that I was referring to browser attacks." }-It was not clear (please point to post of clarity)
-{ Quote: "As far as the router attack you link to goes, anyone who does not change the default password on their router is making a mistake. I have walked into businesses with free wifi for customers and accessed their router via the default password, then called the manager and explained the situation to them just to see the expression on their face. This often happens at scuba diving shops where they are more focused on life underwater than above." }-Would this be the same as your statement of users in front of "Matousec" computers on test of leaks?
-{ Quote: "Thanks for the screen shot, but what does the plug in do? Does it dimply identify the attack? Does Outpost or the typical personal firewall repel these attacks? What is a Nestea attack, is it like Long Island ice tea?" }-What is "Long Island ice tea", is this a related attack, or simply ******** as I am finding your posts
Phant0m
November 23rd, 2007, 12:55 PM
-{ Quote: "What is "Long Island ice tea", is this a related attack, or simply ******** as I am finding your posts" }-
A cocktail..., including many ingredients :)
Stem
November 23rd, 2007, 12:57 PM
-{ Quote: "A cocktail..., including many ingredients :)" }-LOL;D
wat0114
November 23rd, 2007, 02:15 PM
-{ Quote: "They are effective on what they are intended for, (but they introduce extra process for each packet,.. and do slow down connections. Correct/full SPI would drop most without a need for external process)" }-
Thank you Stem. Without elaborating on how, I will bring this up with Agnitum's developers.
Diver
November 23rd, 2007, 02:51 PM
Stem,
My posts are not BS, and I feel sorry for you if you think that. My impression is that you are so immersed in the technology that you are losing sight of its practical implications and how ordinary computer users may benefit from it. That is not unlike the publishers of some of the very noisy and inconvenient to use HIPS programs or HIPS enabled firewalls. I am not sure if you are being a knowledge snob, lack written communications skills, or have become so comfortable with the technology that you have lost sight of how little everyone else understands, but you tend to dance around the answers and don't provide much usable information in the end.
From what I can distill from your fragmented answers it appears that the Outlook plug-in does no more than alert one to the type of attack, but does nothing to block it as you say a good packet filter will do that. The unanswered question is whether Matousec's statement that nearly all firewalls are effective at blocking undesirable inbound communications is true. I would expect there are differences in performance and that would be particularly desirable if many machines were behind a single firewall/gateway, but for the ordinary Joe, it probably does not matter.
Perhaps you did not understand my statement about users in front of Matousec's test computers. Simply, if the average Joe was faced with an actual exploit based on the concepts in the leak tests that Matousec uses he would receive some cryptic warning from the firewall or HIPS in question and more likely than not give the wrong response because he is concentrating on something else and has not a clue as to what is really going on to start with. Some products would give the user a better idea of the severity of the situation and thus the user would have a better chance of making the correct decision. However the less that the user is called upon to interact with the firewall or HIPS the less likely he is to do something wrong. A HIPS or firewall that never shuts up under safe conditions conditions the user to say yes to everything, thus undermining its purpose. For these reasons I believe many popular products will not accomplish their intended goal. In real life these will not perform as they do in the lab with experts manning the controls.
As for Long Island Iced Tea, it's the real deal, no BS:
1 jigger Vodka
1 jigger Gin
1 jigger Triple Sec
1 jigger Tequila
1 jigger White Rum
2 jiggers Sour Mix
Add Coke until it is the color of Iced Tea and serve over ice in a tall glass.
Two of these and you will not care about anything. Do not attempt to drive a car. Now, if you can provide that level of detail in your answers, the members around here might get educated, no BS.
Phant0m
November 23rd, 2007, 03:22 PM
"The ability of a firewall to give "Stealth" in no way shows its ability to give inbound protection." ... Stem statement is so very true, and nicely said too!
Kerodo; There's good reasons why many wouldn't see any kind of 'real attack' on either their routers or software firewalls. In regards to routers, not every router contains SPI capability, and the ones that do require the user to be capable of accessing its settings, and visiting the logs without getting lost. You may have a router with SPI capability but not activated, or activated but not set to log. If the user could locate the Logs section, how long are entries kept with it? How often do the users take visits to the router's logs area? And would the user simply glance over some of the logging entries? Would the user even know what they are looking for? Not every router SPI shares the same implementation and logging characteristics. What do you think boots the router devices? ... software of course. And exactly what is its SPI implementation based upon? Does the router detail its SPI technical details, does it have full or stateful like SPI implementation? ... much of this applies the same for installed software firewalls.
Diver; So it's simply ignorance on the subject which prevents you from determining if a strong stateful software firewall product is of importance? I would also like to think that ignorance would be also what prevents most from stating something is useless and of no importance... I do recall several firewall experts, whom most likely studied the subject on technical level, stating the importance of SPI capability. So what's there to discuss or argue about? Seeking technical information about this capability is okay..., of course, but debating over and over again whether it's of importance or not, I find very much waste of time.
There are several reasons that make stateful packet inspection a very important firewall feature to have: it can handle malformed, invalid traffic and other malicious / unsolicited packets. For full / complex SPI, the router/software can drop different packets 'such as' Denial of Service (DoS) attacks, Ping of Death, Port Scanning, SYN Flood, LAND Attack, and IP Spoofing.
Best Regards,
Phant0m``
Kerodo
November 23rd, 2007, 05:00 PM
-{ Quote: "Kerodo; There's good reasons why many wouldn't see any kind of 'real attack' on either their routers or software firewalls. In regards to routers, not every router contains SPI capability, and the ones that do require the user to be capable of accessing its settings, and visiting the logs without getting lost. You may have a router with SPI capability but not activated, or activated but not set to log. If the user could locate the Logs section, how long are entries kept with it? How often do the users take visits to the router's logs area? And would the user simply glance over some of the logging entries? Would the user even know what they are looking for? Not every router SPI shares the same implementation and logging characteristics. What do you think boots the router devices? ... software of course. And exactly what is its SPI implementation based upon? Does the router detail its SPI technical details, does it have full or stateful like SPI implementation? ... much of this applies the same for installed software firewalls." }-
I guess all I'm saying is, for all practical purposes, all these technical details make no difference anymore to me. I buy a cheap $40 NAT router, I don't even know if or what kind of SPI capability it has, nor do I care. I slap the router in place, plug it in, and I have no further troubles as far as inbound protection goes. I use it for years, never giving it a 2nd thought. And no further thought required.... ;)
Pedro
November 23rd, 2007, 05:19 PM
Diver, as Stem said, i also think that -{ Quote: "a good SPI firewall will filter out bad packets/ spoof attempts etc, without a need for user interaction" }-
To give a different perspective, Alphalutra1 showed here some time ago his OpenBSD's pf ruleset, and how simple it is, yet how advanced it is.
-{ Quote: "Simply, if the average Joe was faced with an actual exploit based on the concepts in the leak tests that Matousec uses he would receive some cryptic warning from the firewall or HIPS in question and more likely than not give the wrong response because he is concentrating on something else and has not a clue as to what is really going on to start with. " }-
The average joe never heard of HIPS or tried any firewall, any conclusion derived from this is wrong. I know maybe 1 person that has heard of Comodo, Jetico, SSM etc.
They are lucky if they use an up to date AV.
-{ Quote: "
However the less that the user is called upon to interact with the firewall or HIPS the less likely he is to do something wrong. A HIPS or firewall that never shuts up under safe conditions conditions the user to say yes to everything, thus undermining its purpose. For these reasons I believe many popular products will not accomplish their intended goal. In real life these will not perform as they do in the lab with experts manning the controls.
" }-
The HIPS will alert of something about to start, or something set in motion. Not having it is the same or worse than not having, never better (excluding whatever CPU it uses etc.).
A good one should be silent after configured. SSM free is silent here (most of the time disconnected) and I can now understand the big picture of its policies, pop-ups and GUI.
One that does not go silent after being setup, is one that isn't finished (i have a hunch that's the case with D+).
feniks
November 23rd, 2007, 05:40 PM
I think that people and the makers of firewalls are so focused on leaking and outbound because of two sites - matousec and firewallleaktester. They are there and that for average people is some authoritative source of knowledge about firewalls.
Of course many people find their knowledge from some reviews which I found ridiculous at least and they do not prove anything. (How nice the GUI is :) etc.)
But can somebody direct me to tests on firewall inbound protection. Maybe where they testing even only SPI filtering implementation?
NO.
Then if somebody is more inquiring/digging then maybe start reading forums. Look here on Wilders - how much you can find about it? Such and such firewall this and this about inbound.
General theory yes - but nothing practical like which firewall should I buy if I need good inbound protection?
So people choose firewall based on matousec. Here Diver is right that for average user it will be useless because of lack of knowledge what to do. By the way I think you guys do not understand his point but maybe that is me and my english.
So I believe that inbound can be less troublesome in maintenance for the average user and is important. But no maker of firewall will care about it if they do not have to. People do not even ask about it. But if they ask they do not get an answer.
I asked on Comodo forum about that aspect of CF and no answer. Look what happened to Comodo firewall but did they change anything about inbound, spi? Why and who asks for that?
Here you can see how many answers I get about the specific firewalls I asked.
So the forum seems useless as such source of such information. I can live with that maybe I will dig on my own but average user?
So unless you experts start answering questions or start some test site with inbound testing we will be in matousec leak testing realms. And makers will ignore the inbound side (I read Stem and Mike discussion about OA). Finally the firewall will end up as anything but a firewall.
I am close to going Kerodo's way because it starts to be too frustrating to be so helpless. And I do not plan to change profession to be firewall expert/tester.
feniks
November 23rd, 2007, 05:50 PM
-{ Quote: "
The average joe never heard of HIPS or tried any firewall, any conclusion derived from this is wrong. I know maybe 1 person that has heard of Comodo, Jetico, SSM etc.
" }-
I do not agree with that. All my friends are using Comodo 2/3 or OA because of Matousec. And they spread the word. :) They are the local experts because they know english and read matousec. :) And in my country people do care more about the price of the software so...
Same way I found Comodo and OA but they simply not working for me so I dig further.
Pedro
November 23rd, 2007, 05:53 PM
If they are the local experts, that's not exactly a good sample is it?
feniks
November 23rd, 2007, 06:13 PM
-{ Quote: "If they are the local experts, that's not exactly a good sample is it?" }-
I did mean local in where they are, but I have many such friends all over country.
Well I will put it that way: I know very few people with a computer who did not hear about Comodo. And everybody I know has AV and windows xp firewall at least.
I did not say that is the general situation, just my experience does not agree with yours. :)
Your sample was not good either, just one man's experience - yours.
I am talking about the average person who is using internet, searches before buying, and you are talking about people below average for me. I agree - such people do not have even AV. But people with AV soon start looking for firewall etc. And they will find matousec and download Comodo. And become local experts. :)
So inbound protection have hard time.
Edit: Maybe average joe mean somebody below average? Like blonde chick in my country?
Diver
November 23rd, 2007, 06:21 PM
Perhaps someone would like to tell us if any of the widely used firewalls have a proper SPI implementation or not. Will any of them be breached by malicious inbound packets? By widely used I mean the built-in windows firewalls in XP and Vista, various versions of Zone Alarm, Comodo 2.4 (3.0 is too new), Sunbelt/Kerio and Sygate. Judging from polls on Matousec's site and DSLR, these account for a major share of what is in use.
There are advocates of CHX-I, Jetico, Look'n'Stop, 8Signs, Injoy and perhaps Ghostwall. How do these compare against each other and do they really (not in theory) provide better inbound protection than the widely used firewalls? Altogether, not very many people use these even though several are free.
Popularity may not prove quality, but it certainly measures impact and relevance. I can safely say that the popular products excel in ease of use. The surveys don't tell the whole story either. I bet there is a lot of NIS 200X around because it comes on many new computers. Those are not the same people that hang out here, at DSLR or Matousec.
Where is the real difference, or is Matousec right when he says most of them have the inbound side right? Frankly, I can't seem to disprove this, nor has anyone else around here taken a good shot. Furthermore I can't seem to find anything that says a typical (Linksys, Buffalo, Netgear, D-Link) router or wireless access point that costs $50, give or take, does not keep the bad stuff out, save for morons that don't change the default password.
Don't get me wrong, I don't think any of the products in the list starting with CHX-I are bad. They are just harder to use, only two have outbound filtering, and 8Signs does not work correctly with eMule. I have tried them all...
Phant0m
November 23rd, 2007, 06:31 PM
Firewall developers and its users got hyped on outbound filtering and to have it cover known leak methods demonstrated by different leaktests loooong before matousec came into the picture... Just now they have common grounds, to learn and improve and be competitive with their implementations.
SPI shouldn't be treated as if it's something that just recently came into existence, and we having little understanding of, it has been in existence since the early 1990's. So now you can just imagine how much time was available to understand fully everything technical about SPI. Like it or not, the best, the security/firewall experts have already spoken, static packet filtering is no match.
feniks; you can agree all you like with anyone, thing remains is ignorance, and ignorant remarks. Most SPI implementations are already set and forget, no special knowledge is required to be running and behind SPI.
Regards,
Phant0m``
dmenace
November 23rd, 2007, 06:52 PM
Hello,
There seems to be quite an argument going on in this thread!
I haven't read every post but this is what I understand the question being asked is:
Which firewalls offer good inbound filtering? What do you look for / how can you tell?
Most people here know that SPI is an essential feature. But is there anything else apart from SPI that will give a firewall better inbound filtering?
Earlier on I posted about Sygate. Why? Well have a look at the various inbound filtering techniques it uses in addition to SPI. Note "Smart DNS, Smart WINS and Smart DHCP" (See attachment)
These are the features that you should look for in addition to SPI that will improve the inbound filtering of your firewall. :thumb:
Attachment here:
http://www.geocities.com/zeroday_software/sygate.rtf
Edit: Merged
feniks
November 23rd, 2007, 07:03 PM
-{ Quote: "
feniks; you can agree all you like with anyone, thing remains is ignorance, and ignorant remarks. Most SPI implementations are already set and forget, no special knowledge is required to be running and behind SPI.
Regards,
Phant0m``" }-
Yes I am ignorant but when I read the discussion of Stem with Mike about lack of full SPI in OA or Stem with Melih about SPI in Comodo or when I read about filtering in CHX-I (I was using it and I know what SPI options it has) then even though I am ignorant I do understand that this is something that a good firewall should have.
If CHX-I should be benchmark then OA is loser same way like Windows xp in matousec tests. Maybe will lose even with xp firewall?
Or I am completely wrong. Or it does not matter if there is SPI and how good it is?
You have to agree that not all popular firewalls have it even Jetico implementation is not perfect.
Why I should not look for such answer? Or nobody here knows the answer?
EDIT. Well I read it again and I have to admit I do not understand what are you talking about. About with whom I agree with what? And you talking about my ignorance and my ignorant remarks? Where I said that special knowledge to be protected by spi is required? So what if SPI is from 1990 - does OA have it and in full, deep packet inspection, pseudo UDP and ICMP or only TCP syn (all out is allowed in)? Sorry for my english you are expert so you know what I mean.
Phant0m
November 23rd, 2007, 07:25 PM
feniks, I agree that many places people decide to go and take advice from are so very ridiculous, there are so many amateurs out there who discuss things they have little to no knowledge of. Trying to find reliable sources can be difficult at times, it isn't impossible, but does require self dedicated investigations.
I don't think many will be able to answer which is the best firewall for inbound, there's not even much technical details from product developers on their implements. I agree it isn't easy to get technical details when asking the product developers, but you shouldn't at least try.
I find it really sad that Comodo PF or any developer wouldn't respond happily with technical details regarding their product features implementations, ... like for SPI. I have been even curious at a far about exactly their SPI implementation. I guess one going to have to download and install and run extensive tests to get the answers.
Diver, that's a very good question "any of the widely used firewalls have a proper SPI implementation or not", I think it would be very reliable to get product technical details of their SPI implements, I think each user of different firewall should contact their product developer and ask for technical details. Then posting it all in one location would be very appreciative... :)
Matousec must have been in reference to products static packet filtering capabilities... and up against online web scanners....
dmenace; It's also very good to know, even more so for some how their products SPI works, and I really cannot complain.
Yet another very good question "But is there anything else apart from SPI that will give a firewall better inbound filtering?". :)
Regards,
Phant0m``
Phant0m
November 23rd, 2007, 07:36 PM
Hi feniks,
You are of course right, it's important to find out how different software products implement SPI, before we can really make opinions even.
You surely aren't doing any wrong by seeking such answers, I'm actually excited to see people ask questions about firewall products inbound filtering capabilities. Good job!
Kerodo
November 23rd, 2007, 07:37 PM
-{ Quote: "Yes I am ignorant but when I read discussion of Stem with Mike about lack of full SPI in OA or Stem with Melih about SPI in Comodo or when I read about filtering in CHX-I (I was using it and I know what SPI options it have) then even I am ignorant I do undertsant that this is something that good firewall should have.
If CHX-I should be benchmark then OA is loser same way like Windows xp in matousec tests. Maybe will lose even with xp firewall?
Or I am completely wrong. Or it does not matter if there is SPI and how good it is?
You have to agree that not all popular firewalls have it even Jetico implementation is not perfect.
Why I should not look for such answer? Or nobody here knows the answer?" }-
feniks, you are right to ask questions like this, and you are not ignorant either. With all due respect to our local experts here like Stem and Phantom, who are both quite knowledgeable, I think nobody has any really good and *practical* answers for you.
You can try to obtain tech specs from the developers if you like, and research further, it's up to you. If you do, please share your findings..
My personal take on all this is that there isn't much point in getting buried in a lot of tech details. I used to install and test and experiment with all the various software firewalls available a year or two ago. It was fun. Then I got a router, dropped the software firewalls, and have been happy ever since. I believe that for any home user, that's all one needs. In fact, for any normal home user, almost *any* bug-free software firewall will be good enough too, including the Win firewall if you like. Remember, we're talking inbound here.
Now I'm sure people can and will argue with this, but put it to the test and see. That's what really matters and counts, not 1000 technical details and/or expert opinions.
Again, just my humble 2 cents....
feniks
November 23rd, 2007, 07:45 PM
-{ Quote: "Hi feniks,
You are of course right, it's important to find out how different software products implement SPI, before we can really make opinions even.
You surely aren't doing any wrong by seeking such answers, I'm actually excited to see people ask questions about firewall products inbound filtering capabilities. Good job!" }-
Please read my edit in here:
post 76 (http://www.wilderssecurity.com/showpost.php?p=1124367&postcount=76)
And I think you answered here. :)
Phant0m
November 23rd, 2007, 08:05 PM
I don't use Online Armor, never used Online Armor, and the official product website doesn't seem to 'mention' any sort of SPI. A firewall developer would definitely want to advertise this if it has it.... so at first glance, I say it doesn't.
Regards,
Phant0m``
feniks
November 23rd, 2007, 08:27 PM
-{ Quote: "A firewall developer would definitely want to advertise this if it has it....
Regards,
Phant0m``" }-
That is something to start with... Very good tip and very logical. :)
And if the developer does not answer, that is suspicious, right? :)
Phant0m
November 23rd, 2007, 08:34 PM
-{ Quote: "That is something to start with... Very good tip and very logical. :) " }-
Don't forget the support forums...
-{ Quote: "And if the developer do not answer that is suspicious, right? :)" }-
Indeed.
feniks
November 24th, 2007, 12:43 AM
People ignore proper packet filtering and inbound protection, so why do we have so many questions like:
I lost my connection
I have very slow connection speed
My transfer is so slow
My browser open pages so slow
If I understand correctly what I read, a simple blind ICMP attack can harm our connection throughput. One is when an attacker keeps sending "fragmentation needed and DF bit set" messages, which forces PMTUD to lower the MSS (maximum segment size) for the connection and practically disables communication.
This is one example of an attack; maybe we are already safe from that, but I read that many Cisco routers were vulnerable to these attacks. And I am sure there are many other forms of attack, not malware or spyware, but "only" messing with our internet connection: slowing it down, breaking connections for some time, etc. etc.
So the question is are we protected from that?
MikeNash
November 24th, 2007, 12:59 AM
-{ Quote: "That is something to start with... Very good tip and very logical. :)
And if the developer do not answer that is suspicious, right? :)" }-
I've answered this question to death already :)
We have a state table.
We do not (yet) do deep inspection of packets
This is something that we plan to add in a future release.
feniks
November 24th, 2007, 01:46 AM
-{ Quote: "I've answered this question to death already :)
We have a state table.
We do not (yet) do deep inspection of packets
This is something that we plan to add in a future release." }-
Yes, you are right. I read that somewhere, I guess in your discussion with Stem.
I simply forgot. Please forgive me. I think I have a problem remembering all that. Too much reading in the last weeks. ;D
Mike I really (I think not only me) respect your work and honest approach.
And I wish you and your baby OA all the best. :)
Stem
November 24th, 2007, 04:17 AM
OK,
Do I check firewalls' SPI implementation? Yes, but this is time consuming, and to check correctly I use 3 PCs, and believe it or not, I do use my PCs for other things than just checking firewalls.
As an example, the last firewall I looked at was PCtools firewall, which stated "full SPI"; when I checked, I questioned this, as it allowed invalids etc. through... the description of SPI by the vendor was then changed.
One of the problems is the term "SPI" and the way this is used by vendors. As I have put forward before, I expect an SPI firewall to check TCP down to the sequence number; anything else, for me, is not SPI. This was one of the reasons I asked about the implementation of SPI in routers.
Could I put forward a list of firewalls that perform such checks? Yes, I could say "firewall A" does and "firewall B" does not, but then I would get the fanboys of "firewall B" flaming my tests, with my need to show these... then who would take the time to check? I would then get the usual posts of "does it matter"; I would then need to post info on the packets that cause problems/bypass, and I will not do that. So, in circles we will go.
I will still press vendors to implement full SPI, regardless of whether users think this is needed or not (I know it is).
Do realise, SPI is not like a HIPS: you will not get popups asking if certain packets should be allowed or not; invalid/bad etc. packets should simply be dropped.
Phant0m
November 24th, 2007, 05:23 AM
-{ Quote: "I've answered this question to death already :)
We have a state table.
We do not (yet) do deep inspection of packets
This is something that we plan to add in a future release." }-
MikeNash, I apologize for my ignorance on the subject.
Keeping a state table is done even for connectionless protocols like UDP and ICMP, so far all this tells me is that there are possibly stateful-like mechanisms in OA, and to what extent remains to be seen... And then there's stateful packet inspection, and then there's 'deep packet inspection'.
Has this already been detailed? Could you or someone else please post me some links?
MikeNash
November 24th, 2007, 05:33 AM
-{ Quote: "MikeNash, I apologize for my ignorance on the subject.
Keeping a state table is done even for connectionless protocols like UDP and ICMP, so far all this tells me is that there are possibly stateful-like mechanisms in OA, and to what extent remains to be seen... And then there's stateful packet inspection, and then there's 'deep packet inspection'.
Has this already been detailed? Could you or someone else please post me some links?" }-
Hi Phant0m,
I think by your measures, SPI in OA is minimal at the moment... we keep state tables for all connections (I believe including UDP/ICMP, but I would have to check on Monday). Other than that, we don't currently do so.
We do plan some enhancements in this area in the future - particularly I've discussed implementing Snort rules.
Cheers
Mike
Phant0m
November 24th, 2007, 05:43 AM
Hi MikeNash,
By my measures, ... accurate measures.. :)
Thank you for the clarity, and I'll be looking forward to seeing your next post confirming whether OA does a state table for connectionless protocols like UDP and ICMP. Also, enhancements in these areas are always much appreciated. :)
Diver
November 24th, 2007, 09:16 AM
OA:
I thought there was an issue where network discovery and file/printer sharing were hard-wired on. OK if you always want them on in a home or SOHO network, bad if otherwise. Anyone know if this has been fixed?
Stem:
You should publish your results fanboys or not. No point in treating hard won knowledge as some mysterious thing.
On a lighter note, Diver is about to head out tomorrow to go scuba diving.
feniks
November 24th, 2007, 10:59 AM
-{ Quote: "OK,
As an example, the last firewall I looked at was PCtools firewall, which stated "full SPI"; when I checked, I questioned this, as it allowed invalids etc. through... the description of SPI by the vendor was then changed.
One of the problems is the term "SPI" and the way this is used by vendors. As I have put forward before, I expect an SPI firewall to check TCP down to the sequence number; anything else, for me, is not SPI. This was one of the reasons I asked about the implementation of SPI in routers." }-
I think you questioned it here in the forum, and see that vendors are reading the forum and care if that is public.
-{ Quote: "
Could I put forward a list of firewalls that perform such checks? Yes, I could say "firewall A" does and "firewall B" does not, but then I would get the fanboys of "firewall B" flaming my tests, with my need to show these... then who would take the time to check? I would then get the usual posts of "does it matter"; I would then need to post info on the packets that cause problems/bypass, and I will not do that. So, in circles we will go." }-
But think how much good will come out of this. Look at the PCtools and Mike examples. :)
I think great numbers of people will benefit from such information. Many people here accept you as an expert not because of the title, but from reading your posts. And you do not have to go into details, as not many even understand all of that. As for fanboys, you can just ignore them or answer. People read and think, believe me. Well, there is always a price, but the discussion begins and many people become aware of the subject, start asking vendors etc. Vendors will be forced to stop ignoring this subject.
How many people understand how leaktests work? They just read that there is something that needs to be there and become interested in whether their firewall has it.
-{ Quote: "
I will still press vendors to implement full SPI, regardless of whether users think this is needed or not (I know it is).
Do realise, SPI is not like a HIPS: you will not get popups asking if certain packets should be allowed or not; invalid/bad etc. packets should simply be dropped." }-
Believe me, you alone will not mean as much to vendors as many users. And to them you are not even a user of their product. Money counts.
But of course feel free to do whatever you decide to do. :) ;) ;D
I became aware of SPI and filtering because you mentioned it many times. Thank you.
But still I do not know much when it gets down practically to firewalls, and what I know was achieved the Indiana Jones way, searching for hidden treasure. :)
wat0114
November 24th, 2007, 02:01 PM
-{ Quote: "I became aware of SPI and filtering because you mentioned it many times. Thank you.
" }-
Likewise with me too :) Before, if I saw "SPI" advertised for any PC firewall I would think: "wow, that is impressive!", but after seeing that Stem has exhausted time and effort in testing for this and seeing less than impressive results, which he has stated many times in this forum, I now will take it very seriously and do whatever I can to press vendors (at least with regards to products I use) to properly implement it, in spite of those who declare it is unnecessary because in "their experience" they have never been burned by it. It is like saying: "I only require seatbelts for my safety while driving a car because the airbag has never actuated in my few fender benders. The seatbelt always prevented serious injury." Of course the airbag actuates at higher impacts, preventing one's face from smashing into the steering wheel or dash. This may seem like a lame analogy, but it is the best I could conjure up.
A firewall and security expert is stating the importance of SPI (airbag), yet there are some who refute it! Baffling, to say the least ???
Pedro
November 24th, 2007, 02:38 PM
-{ Quote: "
Could I put forward a list of firewalls that perform such checks? Yes, I could say "firewall A" does and "firewall B" does not, but then I would get the fanboys of "firewall B" flaming my tests, with my need to show these... then who would take the time to check? I would then get the usual posts of "does it matter"; I would then need to post info on the packets that cause problems/bypass, and I will not do that. So, in circles we will go.
" }-
I take many things for granted, some of that is what vendors say.
I would prefer to know what is true or not with your tests, whether the firewall is my favourite or not. Just try to give details as far as you can, and forget anything else. I value information and facts.
Cheers
Stem
November 24th, 2007, 02:42 PM
-{ Quote: ".... if OA does state table for connectionless protocols like UDP and ICMP" }-Yes, it does.
Seer
November 24th, 2007, 06:03 PM
Hello.
-{ Quote: "You should publish your results fanboys or not." }-
-{ Quote: "I think great numbers of people will benefit from such information." }-
-{ Quote: "Just try to give details as far as you can" }-
There is no need for Stem to post a detailed report on his findings. He already does much on this subject (from time to time), you would just need to pay a little attention. ;) Publishing that kind of info is not a trivial matter...
Cheers,
RejZoR
November 24th, 2007, 07:43 PM
I think Comodo Firewall set to "Training Mode" and with Network Rules applied could also do it. This way it will automatically set everything for applications while still use inbound filter/attack detection engine.
Phant0m
November 24th, 2007, 09:02 PM
On an additional note, there's something I simply would like to point out...
Stateful inspection and stateful filtering aren't quite the same thing, and apparently there is much confusion on all sides when discussing SPI.
Stateful inspection provides highly efficient traffic inspection with full application-layer awareness, whereas stateful filtering doesn't have application-layer awareness... This is how it was coined from the beginning, so for instance CHX-I, 8Signs and Look 'n' Stop using the 'stateful inspection' label isn't accurate by the originally coined terms...
... Please, not the face?!?! :shifty:
Regards,
Phant0m``
Stem
November 25th, 2007, 01:11 AM
-{ Quote: "On an additional note, there's something I simply would like to point out...
Stateful inspection and stateful filtering aren't quite the same thing, and apparently there is much confusion on all sides when discussing SPI.
Stateful inspection provides highly efficient traffic inspection with full application-layer awareness, whereas stateful filtering doesn't have application-layer awareness... This is how it was coined from the beginning, so for instance CHX-I, 8Signs and Look 'n' Stop using the 'stateful inspection' label isn't accurate by the originally coined terms...
" }-I think it is the vendors that have the most confusion on this point.
CHX-I, for example, does perform SPI (stateful packet inspection); this is a check on the state of the TCP packet (flag check).
Stateful filtering: this would describe a firewall that only checks IP/port for TCP (as with protocols such as UDP).
-{ Quote: "The definition of stateful filtering seems to vary greatly among various product vendors and has developed somewhat, as time has gone on. Stateful filtering can mean anything, from the ability to track and filter traffic based on the most minute of connection details to the ability to track and inspect session information at the application level
Stateful filtering has been used to define the stateful tracking of protocol information at Layer 4 and lower. Under this definition, stateful filtering products exhibit no knowledge of application layer protocols. At the most basic level, such products use the tracking of the IP addresses and port numbers of the connecting parties to track state. This is the only way that connectionless protocols can be tracked, but at best, this is only "pseudo-stateful." What about using this same method of stateful filtering for the tracking of the connection-oriented TCP? This method does not in any way track the TCP flags. TCP's flags define its connection states; therefore, although this method might be tracking some information from the various communication sessions, it is not truly tracking the TCP connection state." }-
CoolWebSearch
November 25th, 2007, 03:37 AM
-{ Quote: "I think it is the vendors that have the most confusion on this point.
CHX-I, for example, does perform SPI (stateful packet inspection); this is a check on the state of the TCP packet (flag check).
Stateful filtering: this would describe a firewall that only checks IP/port for TCP (as with protocols such as UDP)." }-
Hi Stem, I wanted to ask you if ZA Pro 7.0.462.000 has full Stateful Packet Inspection for application filtering and all other things...?
I mean, their website claims that it has SPI (after all, Checkpoint invented SPI, as far as I know, and the same Checkpoint bought ZoneAlarm)???
And what about its anti-MAC-spoofing and ARP protection?
Thanks a lot.
What about configurability?
I tried to configure some things in ZA Pro, but it seems to me that I can't do it manually???
Maybe there was a thread about this???
Thanks.
AJohn
November 25th, 2007, 04:05 AM
I think inbound protection is something that should be rated just like the leaktests are. All known exploits tested against each firewall. I am sure such a website will emerge just as the leaktest websites have.
I have contacted Melih of COMODO and although the current help file for CFP does not go into in-depth details of the inbound protection such as ARP filtering, they are working on an "under the hood kind of manual" that I look forward to.
I think all software firewall developers should do this.
Phant0m
November 25th, 2007, 08:26 AM
Stem,
Stateful inspection is a term originally coined by the security product manufacturer Check Point in 1993. Clearly detailed by Check Point... sometime down the road, it comprises both the tracking of state using Layer 4 and lower protocol information and the tracking of application-level traffic commands.
Now, the term stateful filtering has originally been used to define the stateful tracking of protocol information at Layer 4 and lower. Under this definition, stateful filtering products exhibit no knowledge of application layer protocols.
... You understand stateful filtering terminology: stateful filtering does not in any way track the TCP flags, so it's not considered truly tracking the TCP connection state. But there are advanced forms of stateful filtering that can also track sequence and acknowledgment numbers and the TCP packet flags. Now that's truly stateful connection tracking for TCP, although 'we still lack the ability to differentiate traffic flows at the application level'.
And whether you care to admit it or not, CHX-I's 'stateful inspection' feature implementation lacks 'the ability to differentiate traffic flows at the application level'... ;)
Stem
November 25th, 2007, 11:53 PM
Phantom,
-{ Quote: "
Stateful inspection is a term originally coined by the security product manufacturer Check Point in 1993." }-If we went by the exact description, then we would need to look at:-
Communication Information
Communication-derived states
Application-derived state
Information Manipulation
All of which is put forward by Checkpoint as part of Stateful Inspection. Do I see any point in going down this road, with a need to discuss this? I do not think it is needed/wanted.
-{ Quote: "And whether you care to admit it or not, CHX-I's 'stateful inspection' feature implementation lacks 'the ability to differentiate traffic flows at the application level'... " }-If we look at Checkpoint, and at how they performed the SPI, we are only (basically) looking at a set of filters. As with CHX-I, traffic flow filters can be added and any data within the packet can be manipulated with payload filters.
So, what should we do: continue with a discussion of wording, or follow a path of actually looking at the implementations of packet filtering/inspection by vendors' firewalls for the security of members ;) . Myself, I prefer the latter, as this will actually give needed info to members.
feniks
November 26th, 2007, 12:14 AM
-{ Quote: "
So, what should we do: continue with a discussion of wording, or follow a path of actually looking at the implementations of packet filtering/inspection by vendors' firewalls for the security of members ;) . Myself, I prefer the latter, as this will actually give needed info to members." }-
Yes, yes, yes, the latter.
I have a headache already from all this stateful, stateless, static filtering, dynamic filtering, deep, shallow, state table etc. :)
Coming down to info for members: can you tell whether the Windows XP firewall and Ghostwall have SPI, or what filtering exactly? These two are the basic level for incoming protection and I read different statements.
Phant0m
November 26th, 2007, 07:16 AM
Stem; well, if it's a shared opinion, not just specific to your needs and wants... then I'll refrain from posting information / FAQs in the future.
However, I thought it was useful and informational, something that individual(s) could appreciate.
We are using the SPI word pretty loosely here, and this leaves room for confusion. If users don't know their options, then they really don't know what they are asking for or wanting and the degree of protection offered / available... For instance, when you are talking about 'full SPI', you are really just talking about an implementation capable of tracking sequence and acknowledgment numbers and the TCP packet flags, and not something more? :P
I know about the CHX-I v3 Payload Filter Module; weren't we discussing firewalls' SPI implementation before? Now that you mention it, I'm curious: are you going to be the one that provides filters for users to achieve "stateful inspection" to the degree that Check Point and some other firewalls offer?
Stem
November 26th, 2007, 08:32 AM
-{ Quote: "Stem; well, if it's a shared opinion, not just specific to your needs and wants... then I'll refrain from posting information / FAQs in the future.
However, I thought it was useful and informational, something that individual(s) could appreciate." }-I asked a question, to see how you would like to continue.-{ Quote: "So, what should we do: continue with a discussion of wording, or follow a path of actually looking at the implementations of packet filtering/inspection" }- Currently you have put forward only a need for correct wording/definition. Why don't you instead perform some tests on firewalls to see what implementation of packet filtering is being made on various firewalls?
-{ Quote: "We are using the SPI word pretty loosely here, and this leaves room for confusion. If users don't know their options, then they really don't know what they are asking for or wanting and the degree of protection offered / available... For instance, when you are talking about 'full SPI', you are really just talking about an implementation capable of tracking sequence and acknowledgment numbers and the TCP packet flags, and not something more?" }-I have already put forward the definition of my term "full SPI".
-{ Quote: "I know about the CHX-I v3 Payload Filter Module; weren't we discussing firewalls' SPI implementation before? Now that you mention it, I'm curious: are you going to be the one that provides filters for users to achieve "stateful inspection" to the degree that Check Point and some other firewalls offer?" }-I would be interested in seeing a software firewall for the home "Windows" user produced by Check Point or any other vendor that performs SPI to the degree of what "Checkpoint" puts forward as actual "SPI".
As for CHX-I, if this was still being updated, to remove some bugs, then I would take time to produce filters (maybe I could then set up a website and sell them :P )
Phant0m
November 26th, 2007, 09:21 AM
Hi Stem,
I'm not sure what you meant exactly by "Currently you have put forward only a need for correct wording/definition." If you are implying my only participation in this topic involved this, then may I suggest re-reading starting from the beginning, post #62. And as for my post #105, it was to explain where I'm coming from...
If my participation isn't up to your standards, or offends you even, then I'll simply avoid further topics you are involved in.
I have an old machine that's XP capable; I don't, however, have an operating system. And as for this system I'm working with, it has to be on Internet stand-by, so I can't be running installations, reboots, tests, uninstalls, reboots, and repeating with the next firewall. Therefore, even though I'm interested in doing such tests and publishing, I first need to buy an OS such as XP, that's about $165 CAD for the OEM version. And momentarily, I cannot afford it; besides, I thought you were originally doing the tests for the people? :-\
Stem
November 26th, 2007, 09:46 AM
-{ Quote: "If my participation isn't up to your standards, or offends you even," }-What standard? And I am not offended.
It is just my thought that: we could certainly discuss what SPI actually is (as put forward by Check Point) and go through misunderstandings on this point, but how would it actually help a user decide on a firewall? Yes, they may understand the terms used, but it would then be a case of whether vendors use the correct terms. I have seen firewalls that state "SPI", and they only check IP/port of TCP. So, if we put forward that "SPI" is "as described by Checkpoint", then the user goes to a firewall vendor that states the firewall has "SPI" (and it is actually only a check on IP/port); this would lead to a false sense of security for the user.
So how can we put forward SPI/packet filter with descriptions of the layers filtered etc., without the vendors also being accurate about the firewall's ability in this?
As I said, just my thought.
-{ Quote: "............, besides, I thought you were originally doing the tests for the people? :-\" }-I will be setting up again, and go through the firewalls again. I do have a couple of projects on already, so it will need to wait a few days.
AJohn
November 26th, 2007, 12:15 PM
I think the best thing to do would be for both of you to collaborate on publishing a webpage rating different software firewalls against your own definitions (or CheckPoint's) of SPI and other aspects of packet filtering, in a manner similar to the way Matousec handles leaktests.
So, if Phant0m were to obtain a legit copy of Windows XP, then what do you two think about this?
Stem
November 26th, 2007, 12:51 PM
-{ Quote: "I think the best thing to do would be for both of you to collaborate on publishing a webpage rating different software firewalls against your own definitions (or CheckPoint's) of SPI and other aspects of packet filtering, in a manner similar to the way Matousec handles leaktests.
So, if Phant0m were to obtain a legit copy of Windows XP, then what do you two think about this?" }-Hello AJohn,
The fact of 1 extra PC will probably not help in such testing. I know most look at "leaktests", which can be run on the host, then the firewall will catch this or not: a simple test.
When looking at a firewall's filtering, then different methods are needed.
Example:
For leaktests: 1 PC needed
For scanning: 2 PCs needed (normally the second PC is a website such as ShieldsUP)
For packet filtering: this is possibly debatable. As you need a PC to install the firewall to be tested, you then need a PC to send the packets (that the first PC has made a connection to, to check filtering on an open connection), you then need to check on what is not filtered out... this could be a sniffer on the first PC, but this could be incorrect, as it would not be correct to presume that the firewall did not block/drop the packet after it was sniffed (and that the firewall did not log this blocked packet).
So I normally check with 3 PCs, a sort of piggy in the middle... the middle PC being installed with the firewall to check.
I do need to find better ways to check, as I do not always have 3 spare PCs.
Regards,
EDIT,
I have also considered that filtering should be done in both directions, and that I could simply send out invalids etc., but I would think that this would be incorrect for such tests/checks.
AJohn
November 26th, 2007, 01:02 PM
Yes, 2 or 3 computers seems best. Maybe this is part of why there are no such inbound firewall ratings as readily available as the leaktest ratings are.
Maybe Phant0m would be able to work something out with what he has though, so lets see what he has to say.
Maybe between the two of you something could be done... if neither of your ISPs filter connections then that may be a start.
Phant0m
November 26th, 2007, 01:10 PM
As I said before, there is only the one thing I need...
Regards,
Phant0m``
Stem
November 26th, 2007, 01:17 PM
-{ Quote: "As I said before, there is only the one thing I need...
Regards,
Phant0m``" }-If it was as cheap here in the UK to purchase an XP, then I would purchase one and give you a license. As it is, it is twice the cost you mention.
If you know of a better way to test firewalls' filtering, please advise.
AJohn
November 26th, 2007, 01:25 PM
We will see how time treats Mr.Phant0m :D
In the meantime you two should collaborate as much as possible :)
Stem
November 26th, 2007, 01:33 PM
-{ Quote: "We will see how time treats Mr.Phant0m :D
In the meantime you two should collaborate as much as possible :)" }-This may be a moot point, as I work from my findings of installing firewalls and directly checking these. From what I see, Phantom works from white papers and published support/help files. Please correct me if incorrect.
Phant0m
November 26th, 2007, 01:42 PM
Stem, I'm not about to play your silly games...
feniks, I apologize for how things turned out, I'll refrain from posting any further on this topic, and hopefully the topic will get back on track.
Best Regards,
Phant0m``
feniks
November 26th, 2007, 02:41 PM
-{ Quote: "Stem, I'm not about to play your silly games...
feniks, I apologize for how things turned out, I'll refrain from posting any further on this topic, and hopefully the topic will get back on track.
Best Regards,
Phant0m``" }-
No apologies necessary, as I learned a lot on protocols, terminology etc. And you were friendly to me. However, all that theory does not help me on a practical level: which firewall has what, and how to decide which one I want. Also, I need to find something basic and good for my non-technical friends or even kids, and something really good for somebody willing to learn more and spend more time on that. Learning any of them is some work to do, and first I would like to know if it is worth that effort, see my point?
And maybe a layered approach is a better solution: good inbound + good outbound. So far, in terms of the easy-and-good factor, I see a very good solution in CHX-I + OA Free, with or without its firewall.
Maybe one application, if it has in/out quality at a decent level?
See, so many questions, and good answers only on the outbound/leaking factor; if the out/in info were on the same level, the decision would be much easier to make, and also a much wiser decision. For now I see many people are not even aware that inbound protection can be on different levels, same as outbound/leak.
I was expecting practical info at least (the vendors are really skimpy on info, and their "features" can mean everything or nothing) as to what features each firewall really has... at least because I see real testing is not an easy thing even for experts, never mind me.
Well, I feel a little ignored, but then nobody pays you guys to answer. :)
Practically, not many of my questions got answered, and search also gives skimpy results. :thumbd: Most info on that subject I found about CHX-I so far.
I did try to start from the bottom (Windows firewall and Ghostwall) but no results yet. See the posts:
http://www.wilderssecurity.com/showpost.php?p=1126008&postcount=104
http://www.wilderssecurity.com/showpost.php?p=1125997&postcount=86
http://www.wilderssecurity.com/showpost.php?p=1126003&postcount=87
http://www.wilderssecurity.com/showpost.php?p=1125824&postcount=1
Well, I know I am going the easy way of learning by asking, but that is what a forum and experts are for, or is it not? :)
And I feel maybe something useful will finally come out of all that... ;D :P
wat0114
November 26th, 2007, 10:04 PM
-{ Quote: "
Well, I feel a little ignored, but then nobody pays you guys to answer. :)
" }-
You've had numerous responses to your questions, but you never seem completely satisfied with them.
Why not just stay with CHX-I? It seems to offer excellent inbound protection, and alphalutra already informed you that Ghostwall does not include SPI. I certainly saw no mention of it on the website. There also do not seem to be any reports on which firewalls offer the best inbound protection.
feniks
November 26th, 2007, 10:52 PM
-{ Quote: "you've had numerous responses to your questions, but you never seem completely satisfied with them." }-
Do you know somebody completely satisfied? You know what Jagger from Rolling Stones is still singing about his satisfaction? :)
But seriously, a better word would be that I am disappointed. Before, I thought "wow, big firewall" reading all these advertisements, but after I learned a little I suspect that in reality the most popular firewalls are as poor as a church mouse in inbound filtering, and thus in this kind of protection. :)
Why do popular firewalls not have application-level SPI/filtering? It is 2007 and computers are capable of handling it, but the firewalls are still in 1990 in SPI?
I am talking about the firewall function, as the word comes from fire doors or exits.
-{ Quote: "
Why not just stay with CHX-I? It seems to offer excellent inbound protection
" }-
Yes, it looks like nobody from the big and popular guys can beat CHX-I. I thought it was maybe outdated, but it looks like not yet.
-{ Quote: "
and alphalutra already informed you that Ghostwall does not include SPI. I certainly saw no mention of it on the website. There also does not seem to be any reports on which firewalls offer the best inbound protection." }-
I accepted his answer; I just do not understand the way Ghostwall decides what is allowed in. I know it is not real SPI, but the term is so confusing, at least. For example, closing ports is in the SPI definition, and processing TCP (the three-way handshake) can also be understood as SPI. Or does static filtering do this? Well, I am still learning. :)
Is it forbidden here?
Maybe some day I will know more, for now please forgive me.
EDIT: PS. And for sure a yes/no answer from somebody I do not really know will not satisfy me. I need more than that to understand and to accept it.
And in fact alphalutra did not answer my question (and I was not asking if Ghostwall has SPI, as I had read his statement before) - he just tried to tell me what scanning and protocols are.
wat0114
November 26th, 2007, 11:28 PM
-{ Quote: " I just do not understand the way Ghostwall decides what is allowed in. I know it is not real SPI, but the term is so confusing, at least. For example, closing ports is in the SPI definition, and processing TCP (the three-way handshake) can also be understood as SPI. Or does static filtering do this? Well, I am still learning. :)
Is it forbidden here?
Maybe some day I will know more, for now please forgive me.
PS. And for sure a yes/no answer will not satisfy me. I need to understand more to accept it." }-
Ghostwall looks to be only a packet filter with the provision to restrict what is allowed on local/remote ports and local/remote ip addresses, without SPI filtering.
SPI seems to ensure that all incoming connections match the packet information in the initial outgoing packets.
Also, you have every right to understand more and, hopefully, your questions will be answered to your satisfaction. As I mentioned earlier, I never gave SPI too much thought until Stem frequently questioned how effectively many of the pc firewalls and home routers implement it. Thankfully someone is asking questions and pushing firewall vendors to implement it correctly, especially when they advertise SPI as one of the features of their product. It is very easy to say: "our product has SPI", so those who are misinformed and do not want to question will think: "wow, this is such a great product because it features SPI", yet little do we know it may not be full SPI.
Unless someone with technical "clout" asks these questions and pushes vendors, it is very easy for them to take the lazy approach and offer a half-as*ed feature.
feniks
November 27th, 2007, 12:06 AM
-{ Quote: "Ghostwall looks to be only a packet filter with the provision to restrict what is allowed on local/remote ports and local/remote ip addresses, without SPI filtering.
SPI seems to ensure that all incoming connections match the packet information in the initial outgoing packets.
" }-
I get it! At least I think so. :) But I feel I am closer. I confused plain packet filtering with SPI, which is more than filtering; it is additional packet inspection. THANK YOU!
Now I understand how Ghostwall can decide what to allow based on outgoing traffic. SPI is similar but more active, complex and "intelligent" filtering.
That is why, even with similar rules in CHX-I (allow all outgoing), when I force-allowed incoming on some port in CHX-I there were still packets dropped, but in the case of Ghostwall not.
With better filtering it is harder to fool the firewall. Do I get it correct now?
-{ Quote: "
Packet Filtering
All Internet traffic travels in the form of packets. A packet is a quantity of data of limited size, kept small for easy handling. When larger amounts of continuous data must be sent, it is broken up into numbered packets for transmission and reassembled at the receiving end. All your file downloads, Web page retrievals, emails -- all these Internet communications always occur in packets.
A packet is a series of digital numbers basically, which conveys these things:
The data, acknowledgment, request or command from the originating system
The source IP address and port
The destination IP address and port
Information about the protocol (set of rules) by which the packet is to be handled
Error checking information
Usually, some sort of information about the type and status of the data being sent
Often, a few other things too - which don't matter for our purposes here.
In packet filtering, only the protocol and the address information of each packet is examined. Its contents and context (its relation to other packets and to the intended application) are ignored. The firewall pays no attention to applications on the host or local network and it "knows" nothing about the sources of incoming data.
Filtering consists of examining incoming or outgoing packets and allowing or disallowing their transmission or acceptance on the basis of a set of configurable rules, called policies.
Packet filtering policies may be based upon any of the following:
Allowing or disallowing packets on the basis of the source IP address
Allowing or disallowing packets on the basis of their destination port
Allowing or disallowing packets according to protocol.
This is the original and most basic type of firewall.
Packet filtering alone is very effective as far as it goes but it is not foolproof security. It can potentially block all traffic, which in a sense is absolute security. But for any useful networking to occur, it must of course allow some packets to pass. Its weaknesses are:
Address information in a packet can potentially be falsified or "spoofed" by the sender
The data or requests contained in allowed packets may ultimately cause unwanted things to happen, as where a hacker may exploit a known bug in a targeted Web server program to make it do his bidding, or use an ill-gotten password to gain control or access.
An advantage of packet filtering is its relative simplicity and ease of implementation. " }-
-{ Quote: "
Early Firewalls, Packet Filtering Firewalls and "Stateful Firewalls"
The first firewalls were based on either a proxy design or a simple packet filtering ruleset. The proxy firewall operates by interposing itself in the middle of the application protocol and interpreting it while applying security controls to the application commands and data, where appropriate. The original value proposition of a proxy firewall is that the proxy is essentially a security-oriented reference implementation of the application protocol – in some cases omitting dangerous operations entirely, or providing additional controls on certain security-critical commands. Proxies have always been considered a conservative security design because the proxy reduces the likelihood of protocol backdoors or side-effects since the proxy’s designer is effectively performing a security assessment of the application protocol’s features prior to implementing them. Early packet filter firewalls implemented a simple policy-table lookup based on { source-ip, destination-ip, source-port, destination-port, SYN-seen yes/no } permit or deny. Consequently, packet filters were extremely fast since they did very little computation. They were also extremely easy to implement since they required virtually no security expertise. The simple compute requirements of packet filters, and the fact that they required no security knowledge-base, made them easy to implement in silicon so they quickly became a feature of most routers. From the beginning, proxy firewalls were recognized as being more secure, because they effectively are implementing a correctness check upon the application protocols they gateway. This is still an important property of proxy firewalls. For example, when the author first implemented the FTP proxy in the DEC SEAL firewall, he simply left out unused FTP protocol commands that allowed users to issue remote commands to the FTP server. 
Years later, when hackers discovered those commands and attempted to exploit them, they simply did not work against proxy-protected networks because the proxy refused to gateway the command through to the target. Sites behind packet filtering firewalls were vulnerable, if the reachable systems behind the firewall were themselves vulnerable.
In 1993, "stateful" firewalls appeared on the market. The first popular stateful firewall, Checkpoint’s Firewall-1, implemented a simple connection-origin table that tracked whether a connection had originated behind the firewall and permitted response packets for that connection. A layer-7 hook to parse FTP PORT commands and update the state table allowed FTP to work transparently through the firewall. Subsequent versions of the stateful firewall added TCP sequence number interpretation, and DNS query/response matching to ensure that return packets were only allowed in response to queries that had originated from the inside. It is important to note that stateful firewalls added these features to overcome vulnerabilities in their design – attacks such as TCP RST flood attacks and DNS cache poisoning. Proxy firewalls never had these kinds of vulnerabilities. Stateful firewalls have continued to evolve; often in response to new types of hacking techniques as they have been discovered. Proxy firewalls have evolved, as well, but mostly in response to ever-higher requirements for performance and transparency.
" }-
-{ Quote: "
What does "Stateful" mean?
"Stateful" basically means "remembers things that came before." Something that is "stateful" knows about the current "state" of things -- what's going on at that moment, and what went on before that.
A "stateful" firewall knows not only about the packet it's looking at, but also about packets that came before that one.
Why is that useful in a firewall?
Imagine that you had no memory. At any moment, all you knew about was that moment, and you had to figure everything out just from what you could see. This is how old firewalls worked -- they knew only about the current packet they were looking at. They couldn't "remember" packets they had seen before.
" }-
I added these quotes as they explain a lot to me, and maybe they will be helpful to somebody else also. Now it would be good to know how, in firewalls which claim they have SPI, this remembering is achieved and how deep, "smart" and complex it is. :)
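The three quoted descriptions (header-only packet filtering, the stateful connection-origin table of the early Checkpoint design, and "remembering what came before") condensed into one runnable simulation. This is an added example written for this thread, not code from the quoted articles or from CHX-I, Ghostwall, ZoneAlarm or any other firewall discussed here. The addresses, ports and packets are constructed test data, and the stateless filter's "established" rule (pass any inbound packet with ACK or RST set) stands in for the SYN-seen heuristic the quoted text mentions. The scenario shows why a memory-less filter passes an unsolicited ACK probe and a blind reset while the stateful one drops both.

```python
"""Stateless packet filtering versus stateful packet inspection (SPI), simulated.
Added example for this thread; not code from the quoted articles or from any
firewall discussed here. All addresses and packets are constructed test data."""
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10          # TCP flag bits

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: int
    seq: int = 0
    ack: int = 0
    payload: bytes = b""
    direction: str = "in"      # "in": arriving from the network, "out": sent by the host

LOCAL_IP = "192.0.2.10"         # constructed (TEST-NET-1) address of the protected host

class StatelessFilter:
    """Header-only filter with no memory: "part of a connection" can only be guessed
    from the flags, as the classic 'established' rule did (ACK or RST bit set)."""
    def __init__(self, allowed_inbound_ports=()):
        self.allowed = set(allowed_inbound_ports)

    def decide(self, p):
        if p.direction == "out":
            return "allow"
        if p.flags & (ACK | RST):
            return "allow"                       # looks established... to a filter without memory
        return "allow" if p.dst_port in self.allowed else "deny"

class StatefulFilter:
    """Inbound packets pass only if they match a connection the host originated (or a
    fresh SYN to an opened port) and their sequence number is inside the tracked window."""
    WINDOW = 65535

    def __init__(self, allowed_inbound_ports=()):
        self.allowed = set(allowed_inbound_ports)
        self.table = {}   # (local_ip, local_port, remote_ip, remote_port) -> connection state

    @staticmethod
    def _key(p):
        if p.direction == "out":
            return (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def decide(self, p):
        key = self._key(p)
        entry = self.table.get(key)
        if p.direction == "out":
            if entry is None and p.flags & SYN and not p.flags & ACK:
                self.table[key] = {"state": "SYN_SENT", "local_isn": p.seq, "remote_next": None}
            return "allow"
        if entry is None:
            # Unsolicited inbound: only a fresh SYN to an explicitly opened port is accepted.
            if p.dst_port in self.allowed and p.flags & SYN and not p.flags & ACK:
                self.table[key] = {"state": "SYN_RECEIVED", "local_isn": None, "remote_next": p.seq + 1}
                return "allow"
            return "deny"
        if entry["state"] == "SYN_SENT":
            # The reply must be a SYN/ACK acknowledging exactly our ISN + 1.
            if p.flags & SYN and p.flags & ACK and p.ack == entry["local_isn"] + 1:
                entry.update(state="ESTABLISHED", remote_next=p.seq + 1)
                return "allow"
            return "deny"
        lo = entry["remote_next"]
        if not lo <= p.seq < lo + self.WINDOW:
            return "deny"          # blind RST or data injection outside the window
        if entry["state"] == "SYN_RECEIVED" and p.flags & ACK:
            entry["state"] = "ESTABLISHED"
        if p.flags & RST:
            del self.table[key]    # torn down; later packets count as unsolicited again
        elif p.seq == lo:
            entry["remote_next"] += len(p.payload)
        return "allow"

def run_scenario():
    """Constructed traffic: one outbound web connection, then unsolicited probes.
    Returns {name: (stateless decision, stateful decision)}."""
    remote, probe = "198.51.100.7", "203.0.113.9"
    filters = (StatelessFilter(), StatefulFilter())
    traffic = [
        ("syn", Packet(LOCAL_IP, 40000, remote, 80, SYN, seq=1000, direction="out")),
        ("syn_ack", Packet(remote, 80, LOCAL_IP, 40000, SYN | ACK, seq=5000, ack=1001)),
        ("data", Packet(remote, 80, LOCAL_IP, 40000, ACK, seq=5001, ack=1001, payload=b"HTTP/1.0 200 OK")),
        ("ack_probe", Packet(probe, 1234, LOCAL_IP, 40000, ACK, seq=1, ack=1)),   # no connection behind it
        ("blind_rst", Packet(remote, 80, LOCAL_IP, 40000, RST, seq=999999)),      # right 4-tuple, wrong seq
        ("syn_probe", Packet(probe, 4444, LOCAL_IP, 135, SYN, seq=7)),
    ]
    return {name: tuple(f.decide(p) for f in filters) for name, p in traffic}
```

Running `run_scenario()` gives "allow" from the stateless filter for the ACK probe and the blind reset, and "deny" from the stateful one; both deny the bare SYN to port 135. This is the distinction the thread circles around: Ghostwall-style static rules decide from one packet's header, SPI decides from the packet plus the connection table it built from earlier packets.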
wat0114
November 27th, 2007, 11:56 AM
Thank you for those quotes feniks. It makes for some good reading. A member at the Outpost forum was kind enough to provide this Checkpoint PDF document (http://www.checkpoint.com/products/downloads/Stateful_Inspection.pdf) download.
I haven't read it yet but will when time permits. It looks very comprehensive.
feniks
November 27th, 2007, 03:17 PM
-{ Quote: "Thank you for those quotes feniks. It makes for some good reading. A member at the Outpost forum was kind enough to provide this Checkpoint PDF document (http://www.checkpoint.com/products/downloads/Stateful_Inspection.pdf) download.
I haven't read it yet but will when time permits. It looks very comprehensive." }-
Yes, comprehensive enough to answer my question. You made me satisfied. For now... :P ;)
Now I see that I did not know how to ask. Maybe I even made Alphalutra1 confused. Maybe he was thinking - what does this guy want, I answered already... :)
There is a saying - first you have to learn to listen nicely if you want to speak nicely... :)
But I am too impatient sometimes to read and dig and search more before asking. ;D
And the luck of finding the correct readings... If I had known about the Checkpoint document before...
That is the problem of beginners... ;D
Anyway, thank you very much for your patience and help. :thumb:
dmenace
November 28th, 2007, 12:21 AM
Here's another document that you might want to read. Basically you can use this as a benchmark for testing inbound filtering of firewalls. It provides a comprehensive list of inbound attack types:
http://www.agnitum.com/support/kb/article.php?id=1000193&lang=en
_________
Regarding the Checkpoint Document:-
If ZoneAlarm is created by Checkpoint and Checkpoint INVENTED SPI (from the document) therefore ZoneAlarm has the best / most complete implementation of SPI there is.
Am I correct? Is that why ZoneAlarm is so highly regarded / award winning?
Edit: Spelling
wat0114
November 28th, 2007, 12:53 AM
-{ Quote: "
Regarding the Checkpoint Document:-
If ZoneAlarm is created by Checkpoint and Checkpoint INVENTED SPI (from the document) therefore ZoneAlarm has the best / most complete implementation of SPI there is.
Am I correct? Is that why ZoneAlarm is so highly regarded / award winning?
" }-
I saw no mention of SPI in the ZA Pro feature list. Checkpoint uses their version of SPI in their hardware appliances. Also, didn't Checkpoint purchase ZA from Zonelabs? I'm not sure why ZA is award winning, though I think it has something to do with establishing themselves worldwide long ago, similar to the way Norton/Symantec did.
CoolWebSearch
November 28th, 2007, 03:02 AM
-{ Quote: "I saw no mention of SPI in the ZA Pro feature list. Checkpoint uses their version of SPI in their hardware appliances. Also, didn't Checkpoint purchase ZA from Zonelabs? I'm not sure why ZA is award winning, though I think it has something to do with establishing themselves worldwide long ago, similar to the way Norton/Symantec did." }-
Well, ZA does have SPI. On this website there are the feature lists.
http://www.zonealarm.com/store/support/zaas/generalFAQs.jsp#3
I honestly doubt that Checkpoint wouldn't put full SPI inside ZA since they bought them.
Regarding awards: I'm not sure if they established themselves, but if you look at every review of them, you'll see that ZA blocks almost everything from getting installed on your computer - and I don't believe they fake test results.
It seems to me that other security testers who don't like ZA hate ZA and they want to shut down ZA's production...
And again, if you don't believe that, take me as a user of ZA Pro and Nod32 antivirus (with Outpost Pro and Nod32 on the second computer and Jetico2 on the 3rd computer).
Since I got ZA Pro I was testing its inbound protection (of course, you need to configure it to get maximum protection) against malware-loading websites.
I don't want to name them, because I believe it's forbidden to post such links; however, if you don't have adequate protection you will be infected.
The main problem with these websites is that as long as you're connected they'll try to install malware...
From my personal experience, I've never been infected while using ZA Pro (at maximum protection).
The reason I know this is because I had, for an extra check, Spyware Doctor (but I deactivated its real-time protection while using ZA Pro's real-time spyware protection), Lavasoft Ad-Aware, Super-Antispyware and a few other antiviruses to check if there were any malware samples inside my computer; I found nothing, ZA found nothing, and my computer has never been compromised/zombified.
So these awards mean something; it's not just awarding for no reason.
You can believe me or not, it's your choice, but with ZA Pro I was the most secure (even more secure than with Outpost Pro).
That's why, despite all the marketing and establishment, yes, ZA's techies are doing their job excellently.
If ZA were bad I would already have malware samples installed on my computer, but I don't have them - any of them.
The only problem is that right now ZA's techies are having problems with Vista compatibility.
Cheers!
Hairy Coo
November 28th, 2007, 03:27 AM
Good points, CoolWebSearch.
Obviously ZA has Stateful Inspection as outlined in the ZA document.
As regards awards - OK, some reviews are probably not credible, but they can't all be wrong:
http://www.zonealarm.com/store/content/company/aboutUs/awards.jsp?dc=12bms&ctry=US&lang=en&lid=about_awards
It seems fashionable to bash ZA (as with Microsoft), but in my experience I can't really understand this.
CoolWebSearch
November 28th, 2007, 04:29 AM
-{ Quote: "Good points, CoolWebSearch.
Obviously ZA has Stateful Inspection as outlined in the ZA document.
As regards awards - OK, some reviews are probably not credible, but they can't all be wrong:
http://www.zonealarm.com/store/content/company/aboutUs/awards.jsp?dc=12bms&ctry=US&lang=en&lid=about_awards
It seems fashionable to bash ZA (as with Microsoft), but in my experience I can't really understand this." }-
Thanks for the support.
Your answer has reminded me of something. Basically, the more powerful this software gets (or any other software for that matter), the less usable it becomes; however, again, in this area I never had any problems except with version 7.0.302.000, but then I uninstalled it and installed 6.5.737.
dmenace
November 28th, 2007, 05:42 AM
Thanks CoolWebSearch, Hairy Coo, and Wat0114 for your detailed replies!
So ZoneAlarm was made by ZoneLabs before being acquired by Checkpoint but:
-{ Quote: "I honestly doubt that Checkpoint wouldn't put full SPI inside ZA since they bought them.
" }-
Hmm so you're saying that ZA has "full SPI" ;D
Edit: Quote.
CoolWebSearch
November 28th, 2007, 06:11 AM
-{ Quote: "Thanks CoolWebSearch, Hairy Coo, and Wat0114 for your detailed replies!
So ZoneAlarm was made by ZoneLabs before being acquired by Checkpoint but:
Hmm so you're saying that ZA has "full SPI" ;D
Edit: Quote." }-
It's still greatly doubtful whether they integrated the full SPI into ZA.
I'll leave that to firewall experts to examine more thoroughly.
ggf31416
November 28th, 2007, 06:28 AM
-{ Quote: "
Since I got ZA Pro I was testing its inbound protection (of course, you need to configure it to get maximum protection) against malware-loading websites.
I don't want to name them, because I believe it's forbidden to post such links; however, if you don't have adequate protection you will be infected.
The main problem with these websites is that as long as you're connected they'll try to install malware...
" }-
I wonder how testing against these websites can test the inbound protection of a firewall. That is going to bypass every SPI, since from the moment the browser sends a request to load the page it's an outbound connection, and the server is going to send the malware in perfect packets, not in malformed ones.
wat0114
November 28th, 2007, 11:32 AM
-{ Quote: "It's still greatly doubtful whether they integrated the full SPI into ZA.
I'll leave that to firewall experts to examine more thoroughly." }-
It seems only Stem is willing or capable of this testing.
-{ Quote: "
It seems fashionable to bash ZA (as with Microsoft), but in my experience I can't really understand this." }-
I wasn't bashing them (not implying you were accusing me, just clarifying my stance :) ), especially since I don't even use the product. I was only stating a theory, and one that I'm sure is quite credible. Let's face it, ZA was on the frontier of providing pc firewalls to home users and they have, over the years, done a splendid job of taking hold of the market - much the same way as Norton/Symantec/McAfee has.
Actually, I have noticed that those who bash ZA are those who have used the product and simply did not like it due to one or more of a number of reasons.
CoolWebSearch
November 28th, 2007, 11:35 AM
-{ Quote: "I wonder how testing against these websites can test the inbound protection of a firewall. That is going to bypass every SPI, since from the moment the browser sends a request to load the page it's an outbound connection, and the server is going to send the malware in perfect packets, not in malformed ones." }-
Yes, if malware wants to install itself it has nothing to do with SPI.
This is similar to when you download a file which is infected.
For example, I used to download files from www.download.com; however, I remember when ZA blocked the installation of a supposedly trusted application (actually, it was a firewall if I remember correctly); however, ZA stopped the installation.
ZA Anti-Spyware basically blocked that installation - now this is really strange, since it detected Trojan.Downloader Win32 inside that file - I thought ZA's Anti-Spyware only blocks spyware, so how is it supposed to block a Trojan installation?
That's something nobody has ever explained to me, yet.
For extra safety, I tested NOD32 Antivirus when I tried to download the same file, to see if it would detect it as a Trojan or spyware - just to make sure whether ZA Anti-Spyware had false positives or not.
And trust me, Nod32 detected the same Trojan, so it can't be a false positive - since when does ZA's anti-spyware block the installation of Trojans?
That should be the antivirus's function, not the anti-spyware's function.
Stem
November 28th, 2007, 12:19 PM
-{ Quote: "Yes, if malware wants to install itself it has nothing to do with SPI.
This is similar to when you download a file which is infected." }-Filtering of malware would need to be done (by a packet filter) within content, so such a firewall would be classed as DPI (Deep Packet Inspection), but this could be classed as similar to an AV web filter. As with DPI, certain strings need to be checked for. Example: I have just had a quick look at the latest version of Injoy... you will see various (default) protection in place on various levels:-
A default level I place on my gateway:-
[attachment 195512]
[I have used version 3 for quite a while, but the screenshots are for version 4.1]
I put arrows (in the above capture), the first to "Virus checking"; this is basic by default, but shows the DPI. This is the default filtering:-
[attachment 195514]
The second was to "Reject all UDP traffic - except DNS lookups"; from such a setting, with a default Windows installation, alerts will show the blocking of such things as NetBIOS:-
[attachment 195515]
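Stem's point that content filtering means checking for certain strings inside packet data, as an added example (not code from this thread or from Injoy): a minimal content inspector that reassembles one direction of a TCP stream in sequence order before matching, beside a per-segment matcher. The signature string, the segments and the sequence numbers are constructed; the example also shows why a signature split across two segments, arriving out of order, is only caught when the inspector reassembles first. This is the piece of the pipeline that a header-only filter (stateless or stateful) never looks at.

```python
"""Minimal deep packet inspection (DPI): content signature matching on a TCP stream.
Added example for this thread; not code from the thread or from the Injoy product
mentioned. The signature and the segments are constructed test data."""

SIGNATURES = {b"EXAMPLE-BAD-PAYLOAD": "example-signature"}   # constructed placeholder

class StreamInspector:
    """Reassembles one direction of a TCP stream in sequence order and scans the
    contiguous bytes, so a signature straddling two segments is still found."""

    def __init__(self, initial_seq, signatures=SIGNATURES):
        self.next_seq = initial_seq
        self.pending = {}        # seq -> payload held until the gap before it is filled
        self.buffer = b""        # contiguous bytes not yet scanned past
        self.signatures = signatures
        self.max_sig = max(len(s) for s in signatures)
        self.hits = []

    def feed(self, seq, payload):
        """Accept one segment (possibly out of order); return signature names seen so far."""
        self.pending[seq] = payload
        while self.next_seq in self.pending:          # stitch whatever is now in order
            chunk = self.pending.pop(self.next_seq)
            self.buffer += chunk
            self.next_seq += len(chunk)
        for sig, name in self.signatures.items():
            if sig in self.buffer and name not in self.hits:
                self.hits.append(name)
        # Keep only a tail that could still be the beginning of a signature.
        self.buffer = self.buffer[-(self.max_sig - 1):] if self.max_sig > 1 else b""
        return list(self.hits)

def per_segment_scan(segments, signatures=SIGNATURES):
    """Naive DPI that inspects each segment on its own."""
    hits = []
    for _seq, payload in segments:
        for sig, name in signatures.items():
            if sig in payload and name not in hits:
                hits.append(name)
    return hits

def run_demo():
    """Constructed stream: the signature is split across two segments and the
    second half arrives before the first. Returns (per-segment hits, stream hits)."""
    isn = 1000
    head = b"HTTP/1.0 200 OK\r\n\r\n"                      # 19 bytes of harmless header
    segments = [
        (isn, head),
        (isn + len(head) + 12, b"PAYLOAD trailer"),        # second half of the signature
        (isn + len(head), b"EXAMPLE-BAD-"),                # first half, delivered last
    ]
    inspector = StreamInspector(isn)
    stream_hits = []
    for seq, payload in segments:
        stream_hits = inspector.feed(seq, payload)
    return per_segment_scan(segments), stream_hits
```

`run_demo()` returns an empty list for the per-segment scan and `["example-signature"]` for the stream inspector. A real product also has to decide how much pending data to hold and for how long; this toy keeps it unbounded, which is fine for a demonstration and not for a gateway.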
Stem
November 28th, 2007, 01:10 PM
-{ Quote: "Stem, I'm not about to play your silly games..." }-In which respect... to actually install/check firewalls? Or the fact that I do not like word definitions which only add to confusion?
At the end of the day, with respect to members here, most do not know what SPI is, and yes, I could agree that a specific definition is needed, but as I asked before, with no reply from yourself, how would it help members/users when firewall vendors just state they have "SPI"?
As I have seen from the last posts, members can certainly look up definitions, but it really means nothing if vendors are not accurate in their own implementation of such.
wat0114
November 28th, 2007, 02:45 PM
-{ Quote: "
As I have seen from the last posts, members can certainly look up definitions, but it really means nothing if vendors are not accurate in their own implementation of such." }-
I totally agree. I have looked up definitions in an attempt to gain a little more understanding about what SPI is and also because this subject now interests me a great deal, but, like you, I am now skeptical about SPI claims these software firewall vendors are making.
feniks
November 28th, 2007, 03:12 PM
Maybe something like what they made about HIPS would be good to start for firewall inbound protection, maybe some sticky post here on Wilders with an inbound comparison?
HIPS - Comparison (http://wiki.castlecops.com/HIPS/IDP_programs/services)
Look how poor the firewall comparison is:
Firewall - Comparison (http://wiki.castlecops.com/Firewall_-_Comparison)
Phant0m
November 28th, 2007, 04:12 PM
Your posts were fairly good up to the point when it seems you implied I don't know about testing stateful packet filters and also that I cry facts based on what I read in white papers and published support/help files.
Regarding testing stateful packet filters, all that is needed is two machines; if you think you need a total of three computers in order to perform the utmost top-quality tests, then perhaps you are the one confused here.
That being said, please let me point you in the right direction... You simply need two computers, a single crossover cable and two Ethernet devices. Also, if both Ethernet devices are new, then you will probably be able to use a straight-through cable instead. You shouldn't use a router and/or the Internet to perform these tests; there are some possible cases which simply make either of the two situations not advised.
Now that you know..., it should be a bit easier to run your tests on stateful packet filters... Or do I need to continue with making a 'Testing stateful packet-filters for dummies' book? :)
I believe you can be a very observant person... at times. I think your post #115 was from 'mainly' reading a couple of my previous posts on this here topic.
My post #81;
"I don't use Online Armor, never used Online Armor, and the official product website doesn't seem to 'mention' any sort of SPI. A firewall developer would definitely want to advertise this if it has it.... so at first glance, I say it doesn't."
I don't and have never used OA; it is very logical that if a firewall has 'any sort of SPI' capability it would mention it on the product's official website and/or its manual. Is there anywhere in that post where I claimed or indicated that if there was some mention, it's surely a properly implemented full SPI?
Then there's my posts #88, #90... These posts should tell you that I'm not familiar with OA and that I'm a curious person. It seems to me you act like firewall developers outright lie, and I know they surely don't all tell the entire truth, and they even use fancy wording to make it seem something is more than what it really is... And if you ask simple questions then you'll likely get 'smart' answers from them that are really next to nothing. All this taken into consideration, there's also product advertising; regardless how they work it, if they indicate how a feature performs, and the product feature isn't performing as advertised, I'm fairly certain this is subject to lawsuit. If you asked the right questions properly before making a purchase of the product, and they claim it performs in a certain manner and it doesn't, this spells lawsuit!
There's no law I'm aware of that decides how developers label particular features, even though improper labeling can likely be traced back to lost terminologies, and also to not taking the time to do full research. And with how you guys are acting now, not giving a damn about different terminologies... how do you expect the product developers to do anything differently?
Don't waste your time worrying about how developers label particular features; put up your page, list the terminologies used and define them clearly and accurately... I'm pretty sure as the site becomes populated, different developers will make label corrections or provide more details about how their feature implementations perform in their products.
And don't waste your time trying to convince me that different terminologies are pointless; when those who are interested read the different terminologies, they become wary, and when this happens they begin to know what and how to look for, and begin to ask the right questions.
Is there anything more needing to be said about terminologies? Stem, how would you like to proceed?
Regards,
Phant0m``
Alphalutra1
November 28th, 2007, 05:19 PM
-{ Quote: "
Since I got ZA Pro I was testing its inbound protection (of course, you need to configure it to get maximum protection) against malware-loading websites.
I don't want to name them, because I believe it's forbidden to post such links; however, if you don't have adequate protection you will be infected.
The main problem with these websites is that as long as you're connected they'll try to install malware..." }-
How do those websites challenge your incoming protection? Just curious.
Cheers,
Alphalutra1
alex_s
November 28th, 2007, 06:37 PM
-{ Quote: "I don't use Online Armor, never used Online Armor, and the official product website doesn't seem to 'mention' any sort of SPI. A firewall developer would definitely want to advertise this if it has it.... so at first glance, I say it doesn't.
Regards,
Phant0m``" }-Can anybody explain what SPI is for, how it can be found that a FW doesn't have SPI and, especially, what reproducible danger it brings? I have time, I have a lot of computers and I have a wish to test my FW. Just tell me what I should do and I'll be glad to report my results.
Alphalutra1
November 28th, 2007, 07:53 PM
-{ Quote: "Can anybody explain what SPI is for, how it can be found that a FW doesn't have SPI and, especially, what reproducible danger it brings? I have time, I have a lot of computers and I have a wish to test my FW. Just tell me what I should do and I'll be glad to report my results." }-
Read some of the very recent threads that go quite deep into the subject, use Google to find info, google about testing firewalls (not leak testing, but real packet filter testing), learn about TCP/IP, then use the tests to collect a large amount of objective data stating specifically every single thing involved in the testing (down to all of the components of the PC, Ethernet cable, NIC, RAM, CPU, hard drive, OS, etc.), and publish it on the forum for us to enjoy ;)
Cheers,
Alphalutra1
alex_s
November 28th, 2007, 08:23 PM
-{ Quote: "Read some of the very recent threads that go quite deep into the subject, use Google to find info, google about testing firewalls (not leak testing, but real packet filter testing), learn about TCP/IP, then use the tests to collect a large amount of objective data stating specifically every single thing involved in the testing (down to all of the components of the PC, Ethernet cable, NIC, RAM, CPU, hard drive, OS, etc.), and publish it on the forum for us to enjoy ;)
Cheers,
Alphalutra1" }-
This would be unfair. You want me to do all the work without any help? :)
I'm ready to spend some time to do real testing, but let somebody provide me with at least a brief algorithm. For example: create an Ethernet frame of type x, fill it with data y, send it to z, look for response r - if any - your firewall failed the test. You boys spend a lot more time arguing about nothing. So I think my request is not too demanding :)
TheQuest
November 28th, 2007, 09:52 PM
Hi, alex_s
-{ Quote: "So I think my request is not too demanding " }-
IMO, it reads more of a troll :lurking: .
Take Care,
TheQuest 8)
alex_s
November 28th, 2007, 10:21 PM
-{ Quote: "Hi, alex_s
IMO, it reads more of a troll :lurking: .
Take Care,
TheQuest 8)" }-Does it really matter how it "reads"? We can check quite fast how it "really is". Still I see nobody who could audibly state a principle that an exploit could be built on. C'mon, I'm still waiting :)
Alphalutra1
November 28th, 2007, 11:07 PM
-{ Quote: "This would be unfair. You want me to do all the work without any help? :)
)" }-
No, people have done it all for you in these forums in other posts and on other internet websites. But I do not believe anyone will take any of your tests as credible sources if you don't understand the matter at all and don't learn and take the time to master it. Just doing what someone tells you would make it so I could skew the results to favor my personal favorite firewall or the one that gave me a material incentive.
Cheers,
Alphalutra1
alex_s
November 29th, 2007, 12:27 AM
-{ Quote: "No, people have done it all for you in these forums in other posts and on other internet websites. But I do not believe anyone will take any of your tests as credible sources if you don't understand the matter at all and don't learn and take the time to master it. Just doing what someone tells you would make it so I could skew the results to favor my personal favorite firewall or the one that gave me a material incentive." }-If people have already done it, then there must be exploits accessible. Let us take a look at Matousec. You can value his project or not, but there is a published methodology and there is a set of tools that _ANYBODY_ can take and check every test result. Unlike Matousec leaktesting, there is neither a methodology nor a set of tools to measure SPI/DPI quality; there is just a set of talks about it. I do not care whether somebody will take my results to heart or not; I just was going to make a tool for everybody. If I'm wrong and such tools already exist, then I would be glad to be pointed to them. But instead of this I continue to get words and words and words ...
The only one person that acts respectfully is Stem. He was short in words and just pointed me to a tool. Then the question was closed pretty fast.
Stem
November 29th, 2007, 03:36 AM
-{ Quote: "Regarding testing stateful packet-filters, all that is needed is two machines; if you think you need a requirement of three computers in total in order to perform utmost top quality tests, then perhaps you are the one confused here.
That being said, please let me point you off in the right direction... You simply need two computers, a single cross-over cable and two Ethernet devices. Also, if both Ethernet devices are new, then you will probably be able to use a straight-through cable instead. You shouldn't use a router and/or the Internet to perform these tests; there are some possible cases which simply make either of the two situations not advised. " }-I have looked at a number of setups, and as I mentioned in post 110, it is debatable, certainly with checking on what has, or has not, passed through filtering. I have before set up using just 2 PCs, but found some firewalls silently drop packets even though the installed sniffer logged these. We are looking at inbound here, not to see if a firewall will filter the outbound packets, or should we presume that the same filtering is performed in both directions? If we did, then it is a very simple test.
-{ Quote: "Now that you know...., it should be a bit easier to run your tests on stateful packet-filters... Or do I need to continue with making a 'Testing stateful packet-filters for dummies' book." }-Well, talking about a setup is easy, but actually setting up and getting correct results is more demanding. Have you actually set up and checked a firewall using your method? Please do explain, as I could show the pitfalls in such a setup.
kC_
November 29th, 2007, 03:55 AM
-{ Quote: "
I do need to find better ways to check, as I do not always have 3 spare PC`s.
" }-
vmware
Stem
November 29th, 2007, 04:16 AM
Hi alex_s,
-{ Quote: "Can anybody explain what SPI is for, how it can be found that a FW doesn't have SPI and, especially, what reproducible danger does it bring. I have time, I have a lot of computers and I have a wish to test my FW. Just tell me what I should do and I'll be glad to report my results." }-Well, Phantom is willing to create a post to explain:-
-{ Quote: "Or do I need to continue with making 'Testing stateful packet-filters for dummies' book." }-
You would also need to look at packet creation programs.
examples (both free):-
Excalibur (http://www.securitybugware.org/excalibur/)
Colasoft (http://www.colasoft.com/packet_builder/)
CoolWebSearch
November 29th, 2007, 04:37 AM
-{ Quote: "I have looked at a number of setups, and as I mentioned in post 110, it is debatable, certainly with checking on what has, or has not, passed through filtering. I have before set up using just 2 PCs, but found some firewalls silently drop packets even though the installed sniffer logged these. We are looking at inbound here, not to see if a firewall will filter the outbound packets, or should we presume that the same filtering is performed in both directions? If we did, then it is a very simple test.
Well, talking about a setup is easy, but actually setting up and getting correct results is more demanding. Have you actually set up and checked a firewall using your method? Please do explain, as I could show the pitfalls in such a setup." }-
According to the website I'm going to give you, proxy firewall technologies have proven time and again to be more secure than "stateful" firewalls and will prove to be more secure than "deep inspection" firewalls.
http://www.ranum.com/security/computer_security/editorials/deepinspect/index.html
Lundholm
November 30th, 2007, 04:27 AM
-{ Quote: "According to the website I'm going to give you it says that proxy firewall technologies have proven time and again to be more secure than "stateful" firewalls and will prove to be more secure than "deep inspection" firewalls." }-
Excellent reference. It even mentions the exotic SNORT rules. ;)
For some reason, these are never discussed in this forum, even though they are more relevant to firewalls than "leak tests". Maybe because "leak tests" are easier to understand? Maybe because modern "leak test" firewalls don't do SNORT?
Stem
November 30th, 2007, 01:55 PM
-{ Quote: "Excellent reference. It even mentions the exotic SNORT rules. ;)
For some reason, these are never discussed in this forum, even though they are more relevant to firewalls than "leak tests". Maybe because "leak tests" are easier to understand? Maybe because modern "leak test" firewalls don't do SNORT?" }-I agree, and I have mentioned this before.
Let me attempt to compare:-
Leaktests: all can download, then run if wanted; this actually causes no problem to the user. This is an option, yes?
Inbound: We need to look at direct filtering/possible filtering. So if anyone would show such a bypass/problem, then this is a major problem, as this is a possible attack. It is why I have no problem with anyone showing these leaktests, but I would have serious problems with anyone showing attack vectors (inbound attack compromise).
I have been talking with Mike @ OA for quite some time on implementation for inbound protection; he did indicate the possibility of adding snort rules.
How would users react to this inclusion (if made)?
luciddream
November 30th, 2007, 02:55 PM
I agree with another poster that said you will never get a concrete answer to this question because everybody's preferences are different. It is my belief that there isn't much difference (in most cases, none at all), in the inbound protection from one software firewall to another.
-{ Quote: "I'm certainly no security expert, but I'll comment anyway.
It doesn't require much security savvy to install a NAT router with SPI protection for very good inbound protection:
- Select one.
- Read the manual.
- Install, update the latest firmware and configure the router.
It's a first-layer approach that offers good inbound protection - regardless of whatever software firewall you select.
" }-
... This, however, is sound advice that I believe most would agree with. If you find a good hardware based solution to your inbound, the rest is a moot point.
Pedro
November 30th, 2007, 03:28 PM
-{ Quote: "I agree with another poster that said you will never get a concrete answer to this question because everybody's preferences are different. It is my belief that there isn't much difference (in most cases, none at all), in the inbound protection from one software firewall to another.
" }-
I perfectly accept that opinion, but just like my opinion it is based on my beliefs, not what I know.
What I do know is a more restrictive firewall (SPI, pseudo SPI for non-TCP protocols, etc.), with more control over the different aspects of a packet, is preferred.
Take SPI: outgoing packets must match your rules, and incoming packets must match as replies to the outgoing ones (not just match user rules).
Seer
November 30th, 2007, 03:35 PM
-{ Quote: "I agree with another poster that said you will never get a concrete answer to this question because everybody's preferences are different." }-
Well, preferences aside, there is a 'good' inbound protection and then there is 'not-so-good' inbound protection. I somehow think that everybody will go for the former.
-{ Quote: "It is my belief that there isn't much difference (in most cases, none at all), in the inbound protection from one software firewall to another." }-
Oh yes, there certainly is. Please reread the thread...
-{ Quote: "If you find a good hardware based solution to your inbound the rest is a moot point." }-
afaik, a router is a software firewall as well. It is just off-shore (if I may use such loose term), packed in a chip in a small plastic box ;D So, everything that is said about software firewalls' inbound here (regarding SPI) is valid for hardware ones too.
Hugger
November 30th, 2007, 11:46 PM
-{ Quote: "As I said before, there is only the one thing I need...
Regards,
Phant0m``" }-
Perhaps that would be to lose the ego?
Lundholm
December 1st, 2007, 03:26 AM
-{ Quote: "I have been talking with Mike @ OA for quite some time on implimentation for inbound protection,.. he did indicate the possibility of adding snort rules,
How would users react to this inclusion (if made)?" }-
Hi Stem,
It is interesting that you should mention OA in this context, as it is designed for inexperienced users.
IPS is for experienced users, I think. You have to handle false positives, possibly by disabling rules, if they block important traffic. You should also update your ruleset regularly in order to block new threats and clean out obsolete rules.
Nobody seems to be using any of the existing SNORT-based firewalls, or they just don't see any issues?
CoolWebSearch
March 21st, 2008, 08:01 AM
-{ Quote: "Yes I am ignorant, but when I read the discussion of Stem with Mike about the lack of full SPI in OA, or Stem with Melih about SPI in Comodo, or when I read about filtering in CHX-I (I was using it and I know what SPI options it has), then even though I am ignorant I do understand that this is something that a good firewall should have.
If CHX-I should be the benchmark, then OA is a loser the same way as Windows XP in the Matousec tests. Maybe it will lose even against the XP firewall?
Or I am completely wrong. Or it does not matter if there is SPI and how good it is?
You have to agree that not all popular firewalls have it; even Jetico's implementation is not perfect.
Why should I not look for such an answer? Or nobody here knows the answer?
EDIT. Well, I read it again and I have to admit I do not understand what you are talking about. About with whom I agree with what? And you are talking about my ignorance and my ignorant remarks? Where did I say that special knowledge is required to be protected by SPI? So what if SPI is from 1990 - does OA have it, and in full: deep packet inspection, pseudo UDP and ICMP, or only TCP SYN (all out is allowed in)? Sorry for my English; you are an expert so you know what I mean." }-
Hi, Feniks, could you give me the link where Stem and Melih discussed SPI in Comodo, and also could you give me the link where MikeNash and Stem discussed SPI in OnlineArmor?
CoolWebSearch
March 21st, 2008, 08:12 AM
-{ Quote: "Ghostwall looks to be only a packet filter with the provision to restrict what is allowed on local/remote ports and local/remote ip addresses, without SPI filtering.
SPI seems to ensure that all incoming connections match the packet information in the initial outgoing packets.
Also, you have every right to understand more and, hopefully, your questions will be answered to your satisfaction. As I mentioned earlier, I never gave SPI too much thought until Stem has frequently questioned how effectively many of the pc firewalls and home routers implement it. Thankfully someone is asking questions and pushing firewall vendors to implement it correctly, especially when they advertise SPI as one of the features of their product. It is very easy to say: "our product has SPI", so those who are misinformed and do not want to question will think: "wow, this is such a great product because it features SPI", yet little do we know it may not be full SPI.
Unless someone with technical "clout" asks these questions and pushes vendors, it is very easy for them to take the lazy approach and offer a half-as*ed feature." }-
Then what software firewall does have true SPI?
wat0114
March 21st, 2008, 08:32 AM
-{ Quote: "Then what software firewall does have true SPI?" }-
Good question :) I don't know, but I have seen many posts in this forum citing CHX-I Packet filter as having quite possibly the best inbound protection, so this could mean very good SPI. From my experience I have seen log evidence (Block all not processed protocol packets) in Jetico 2 that could mean it has strong SPI, at least with TCP protocol. Its UDP SPI is very basic. There are probably a few others strong in the SPI department, such as Injoy firewall, but, again, I don't know.
Paranoid2000
March 29th, 2008, 03:24 PM
-{ Quote: "Then what software firewall does have true SPI?" }-What would be the point? The "packet-level" SPI (as defined here (http://www.wilderssecurity.com/showpost.php?p=299171&postcount=27)) that virtually all personal firewalls currently implement is good enough for non-enterprise use.
CoolWebSearch
April 1st, 2008, 10:11 AM
-{ Quote: "What would be the point? The "packet-level" SPI (as defined here (http://www.wilderssecurity.com/showpost.php?p=299171&postcount=27)) that virtually all personal firewalls currently implement is good enough for non-enterprise use." }-
But what about rootkits?
I truly don't know why there is such huge interest in leak-testing, but I do have some complex questions:
Can you tell me which of those leaktests really exist in the real world and are not just extreme, hypothetical situations, where maybe this could happen but no real threat has been made for this.
It's nice to know that ZA/ZA Pro or Outpost Pro or Comodo Pro will withstand the hard drive killer virus and not be shut down, but on the other hand a hard drive with a rewritten and unusable file system is almost self-defeating - sure, the firewall passed, but the PC and all its files are lost forever. Kind of nice to know the firewall will last anyway?
Since no firewall checks BHOs and toolbars, any test with this in mind would fail on any firewall. No firewall checks BHOs and toolbars. Yes, there are real rogue BHOs and rogue toolbars, yet no tests are available for this very real threat. Yet the rogue BHOs and rogue toolbars are actively connecting out unrestricted. Why is that? Why do users allow rogue BHO and rogue toolbar installs in the first place? Do they know better, or just rely on the anti-something to stop its install and protect them? Should the user know better and not install these, and lock down the browser to stop these unwanted installs? Or spend their money and hope they found the best protection?
Some malware will install its own TCP/IP stack and then will make any connections, both incoming and outgoing, absolutely unrestricted. Yes, this malware is very real. And no firewall would catch this because it will not examine the new stack. Yet no leak tests are made for this.
Why is this?
Should the user rely on the security applications or just use safe hex and avoid the traps which will install dreck like this?
Rootkits will install virtual drivers or virtual TCP/IP stacks. Yet no leaktests for this either. This is a real threat which does exist. Yet the firewall does not check for virtual drivers or virtual stacks. So a firewall would fail this leaktest as it does in the real world.
Should the user continue to spend more money or just use safe hex and avoid it in the first place?
Oh, just remembered another real world exploit - the trojan injected into the stack. Yup, all firewalls miss this one too, but no leaktest is made for this either. Why is that?
If someone could answer me that I'd be grateful.
arran
April 1st, 2008, 11:03 AM
what exactly is snort rules?
Nebulus
April 1st, 2008, 12:37 PM
-{ Quote: "
Rootkits will install virtual drivers or virtual TCP/IP stacks. Yet no leaktests for this either. This is a real threat which does exist. Yet the firewall does not check for virtual drivers or virtual stacks. So a firewall would fail this leaktest as it does in the real world.
[...]
Oh just remembered another real world exploit - the trojan injected into the stack. Yup all firewalls miss this one too, but no leaktest is made for this either. Why is that?
" }-
First of all, a firewall's job is not to check the drivers, but to block network packets according to a set of rules. But let's assume that a firewall has incorporated HIPS too (because these days nobody cares to separate their functions).
If an application (a rootkit for instance) tries to load a protocol driver into the stack in order to communicate with the attacker, a normal "pure" firewall will not be able to detect it, because the driver will run at a level "below" the firewall. Now let's assume there is a HIPS installed. The HIPS also has very little possibility to see what the rogue driver is doing, but it will intercept the installation of that driver, so the computer will be protected.
In other words, I could create a proof of concept driver which would be loaded in the TCP stack, but it would be stopped before I would try to load it. In my opinion, this is the reason nobody bothered with doing it.
Paranoid2000
April 3rd, 2008, 10:32 PM
-{ Quote: "But what about rootkits?" }-
Firewalls, like any other security software, cannot guarantee to detect an installed rootkit, though some may be able to detect and block any attempted installation. Dealing with rootkits is very much beyond the scope of the product suggested in this thread though.
-{ Quote: "Can you tell me which of those leaktests really exist in the real world and are not just extreme situation hypothetical maybe this could happen but there is no real threat been made for this." }-
See the Firewallleaktest In the Wild (http://www.firewallleaktester.com/malwares.htm) page for a few examples. It is dated now, but you can be sure that more recent malware will have improved in this area.
-{ Quote: "It's nice to know the ZA/Za Pro or Outpost Pro or Comodo Pro will withstand the hard drive killer virus and not be shut down," }-
Malware that disables systems completely isn't a likely threat, simply since it doesn't spread well. A greater danger is those that capture private financial data - this is a focus of major malware producers (increasingly organised crime), so there are plenty of examples and doubtless far more to come.
In any case, file protection is already handled quite well by Windows' own NTFS as long as users don't run as Admin by default.
-{ Quote: "Since no firewall checks the BHO and toolbars, any test with this in mind would fail on any firewall. No firewall checks BHO and toolbars. Yes there are real BHO and rogue toolbars, yet no tests are available for this very much real threat." }-
BHOs/toolbars can be detected and removed by most anti-spyware scanners (and a couple of firewalls do have this function integrated).
-{ Quote: "Some malware will install its own TCP/IP stack and then will do any connections both incoming and outgoing absolutely unrestricted. Yes this malware is very real. And no firewall would catch this because it will not examine the new stack. Yet no leak tests are made for this." }-
Any firewall working at driver level (monitoring access to network hardware) should intercept this - since packet sniffers using WinPCap have been doing something similar, it isn't a new phenomenon by any means.
-{ Quote: "Rootkits will install virtual drivers or virtual TCP/IP stacks. Yet no leaktests for this either. This is a real threat which does exist. Yet the firewall does not check for virtual drivers or virtual stacks. So a firewall would fail this leaktest as it does in the real world.
Should the user continue to spend more money or just use safe hex and avoid it in the first place?" }-
Outbound (http://www.firewallleaktester.com/leaktest5.htm) and MBTest (http://www.firewallleaktester.com/leaktest10.htm) are leaktests using the "direct to network" method to bypass firewalls.
-{ Quote: "Oh just remembered another real world exploit - the trojan injected into the stack. Yup all firewalls miss this one too, but no leaktest is made for this either. Why is that?" }-
Could you be more specific about this? (i.e. include a name for this trojan). Virtually all firewalls will detect changes in executable files; most will detect process code/memory injection. That leaves driver installation, which a few firewalls address, but that is more in the area of system/process control software like SSM and its ilk.
Lundholm
April 4th, 2008, 04:12 AM
-{ Quote: "what exactly is snort rules?" }-
http://www.snort.org/
Read all about it, and let us know. ;)
This is real firewall stuff - unlike leak stuff.
CoolWebSearch
April 4th, 2008, 08:27 AM
-{ Quote: "Firewalls, like any other security software, cannot guarantee to detect an installed rootkit though some may be able to detect and block any attempted installation. Dealing with rootkits is very much beyond the scope of the product suggested in this thread though.See the Firewallleaktest In the Wild (http://www.firewallleaktester.com/malwares.htm) page for a few examples. It is dated now but you can be sure that more recent malware will have improved in this area.
Malware that disables systems completely isn't a likely threat simply since it doesn't spread well. A greater danger is those that capture private financial data - this is a focus of major malware producers (increasingly organised crime) so there are plenty of examples and doubtless far more to come.
In any case, file protection is already handled quite well by Windows' own NTFS as long as users don't run as Admin by default.BHOs/toolbars can be detected and removed by most anti-spyware scanners (and a couple of firewalls do have this function integrated).Any firewall working at driver level (monitoring access to network hardware) should intercept this - since packet sniffers using WinPCap have been doing something similar, it isn't a new phenomenon by any means.Outbound (http://www.firewallleaktester.com/leaktest5.htm) and MBTest (http://www.firewallleaktester.com/leaktest10.htm) are leaktests using the "direct to network" method to bypass firewalls.Could you be more specific about this? (i.e. include a name for this trojan). Virtually all firewalls will detect changes in executable files, most will detect process code/memory injection. That leaves driver installation which a few firewalls address but that is more in the area of system/process control software like SSM and its ilk." }-
Hi, Paranoid. I want to thank you for your answer (I didn't think that you'd answer). I must say that my problem with leak-tests is the following:
I have recently reinstalled my computer from scratch.
Now I have a 100% clean PC. What's the point of leak-tests if you have a 100% clean PC? I only need inbound protection.
And besides, can all leak-tests really show the power and effectiveness of the true malware samples? Only a few leak-tests show that on the link you gave me, but these samples are passed by almost all firewalls if you assume that the computer is already infected (just look at what the Sunbelt Kerio firewall creators answered to Matousec).
It seems that malware these days is so advanced that leak-tests are useless; once you get malware on your computer the game is literally over.
Lundholm
April 4th, 2008, 08:53 AM
-{ Quote: "(just look what Sunbelt Kerio firewall creators answered to Matousec).
It seems that malware these days is so advanced that leak-tests are useless; once you get malware on your computer the game is literally over." }-
Exactly. So why do you guys keep on posting about leak tests?
This thread started as a genuine firewall discussion (one of very few), but again, somebody managed to turn it into yet another leak thread.
Stem
April 4th, 2008, 09:04 AM
-{ Quote: "So why do you guys keep on posting about leak tests?" }-Agreed,
Let's please get back to and stay on topic.
I will have some time this weekend to set up and check a few firewalls for packet filtering. It will just be testing what level of filtering is made and what packets are dropped (illegal flagged packets etc).
Lundholm
April 4th, 2008, 09:08 AM
-{ Quote: "I will have some time this weekend to set up and check a few firewalls for packet filtering. It will just be testing what level of filtering is made and what packets are dropped (illegal flagged packets etc)." }-
Don't forget those FWs that support SNORT rules. It adds an extra dimension to packet filtering, if you have the CPU power.
Stem
April 4th, 2008, 09:15 AM
-{ Quote: "Don't forget those FWs that support SNORT rules. It adds an extra dimension to packet filtering, if you have the CPU power." }-I will only be looking at windows based firewalls, and will only have time to check about 6.
I do also want to check a router (I have a linksys that I can use)
Lundholm
April 4th, 2008, 09:19 AM
-{ Quote: "I will only be looking at windows based firewalls, and will only have time to check about 6." }-
Perfect. I know that the Sunbelts and late Kerios do SNORT rules. Others too I think.
Stem
April 4th, 2008, 09:26 AM
-{ Quote: "Perfect. I know that the Sunbelts and late Kerios do SNORT rules. Others too I think." }-I don't really want to go down a path of checking Enterprise/server firewalls. I will be looking at products for home use, as used by the majority of users on the forum, such as Jetico, Outpost Pro, Comodo etc. If I was to look at Sunbelt, then it would only be the home product.
Lundholm
April 4th, 2008, 09:33 AM
-{ Quote: " If I was to look at Sunbelt, then it would only be the home product." }-
I agree. This is what I meant to say. The personal Sunbelts and Kerios (for Windows) do SNORT rules. :)
Stem
April 4th, 2008, 09:45 AM
-{ Quote: "I agree. This is what I meant to say. The personal Sunbelts and Kerios (for Windows) do SNORT rules. :)" }-Are these rules not already included with the default installation of Kerio? Or is there a need to update the bad_traffic file? And if so, then what are users adding to that file, if indeed they are actually adding/using any?
Lundholm
April 4th, 2008, 10:03 AM
-{ Quote: "Are these rules not already included with the default installation of Kerio? Or is there a need to update the bad_traffic file? And if so, then what are users adding to that file, if indeed they are actually adding/using any?" }-
The default installation contains some small rulesets, yes, but it is possible to download the full rulesets from snort.org in older versions and replace the default sets, and add new rulesets. This requires some work and decision making. One weekend might not be sufficient. :)
Paranoid2000
April 4th, 2008, 10:14 AM
-{ Quote: "Now I have 100% clean PC-what's the point of leak-tests if you have 100% clean PC," }-If your system is clean and will remain so then there is almost no benefit in having a firewall with good leaktest performance (except for the small possibility of legitimate software trying to connect out surreptitiously).
For most users however, anti-virus/malware scanners will provide a good - but not 100% - defence. A leak-resistant firewall can provide a useful backup where a scanner has failed.-{ Quote: "It seems that malware these days are so advanced that leak-tests are useless, once you get malware on your computer the game is literally over." }-Not if you have software that provides process control - and this is what many firewalls have been expanding into.-{ Quote: "Don't forget those FWs that support SNORT rules. It adds an extra dimension to packet filtering, if you have the CPU power." }-I would suggest that SNORT support is less significant to most users than effective outbound control. A personal firewall should block unsolicited incoming traffic by default (so knowing if blocked traffic is a recognisable probe or attack is of little relevance).
Pattern-matching becomes useful for people running a server that has to accept unsolicited incoming traffic, which is why enterprise level firewalls tend to offer it. However even the best performers in this category can be easily bypassed by an attacker obfuscating their traffic.
alex_s
April 4th, 2008, 11:04 AM
-{ Quote: "But what about rootkits?
I truly don't know why there is so huge interest in leak-testing, but I do have some complex questions:
Can you tell me which of those leaktests really exist in the real world and are not just extreme situation hypothetical maybe this could happen but there is no real threat been made for this" }-
Some people tested HIPS against real rootkits and it appeared that a good HIPS can successfully prevent rootkits from getting control over your system. Unfortunately such attempts were not too comprehensive, though you can draw some conclusions even from those amateur attempts:
http://membres.lycos.fr/nicmtests/
LoneWolf
April 4th, 2008, 04:26 PM
-{ Quote: "I don't really want to go down a path of checking Enterprise/server firewalls. I will be looking at products for home use, as used by the majority of users on the forum, such as Jetico, Outpost Pro, Comodo etc. If I was to look at Sunbelt, then it would only be the home product." }-
Hi Stem,
By any chance will you be testing Look'n'Stop also?
Although I am interested in seeing your results from all tested.
Stem
April 10th, 2008, 11:13 PM
Hello,
Sorry for delay, but family matters have taken my spare time. I will make tests as soon as I can.
Regards to all,
Stem
April 10th, 2008, 11:19 PM
-{ Quote: " By any chance will you be testing Look'n'Stop also?" }-I currently have a list of:-
ZA (pro)
Comodo
Jetico 2
PC tools
I will add L,n,S
-
Fly
April 11th, 2008, 05:11 PM
Somewhere in this thread it was stated that firewalls don't check toolbars and BHOs. And in another post someone stated that antispyware programs could check/detect these.
Question: you know what toolbars and BHOs you have on your system. They are not known as 'typical spyware'. Are the toolbars and BHOs able to receive and send data on their own/as instructed, not filtered by the firewall ? Any difference between Stateful Inspection and proxy-firewalls ?
aeonhuang
April 11th, 2008, 10:55 PM
-{ Quote: "I currently have a list of:-
ZA (pro)
Comodo
Jetico 2
PC tools
I will add L,n,S
-" }-
I'm waiting for the result!
Why don't you add CHX-I and 8signs?::)
ruinebabine
April 21st, 2008, 02:56 PM
-{ Quote: "Why don't you add CHX-I and 8signs?::)" }-
I would also very much like to see the comparative results for those 2 veteran inbound fws!
BTW, there seems to be a rumor of 8Signs' development possibly being at a halt. It would be a shame... Has anyone successfully exchanged e-mails with those folks lately? Linda C. has always been so dedicated and responsive to all support/requests that her present silence is really not a good sign :(
ggf31416
May 5th, 2008, 06:29 AM
Any news?
LoneWolf
May 6th, 2008, 05:01 PM
-{ Quote: "Any news?" }-
I'm curious myself, but I'm sure this type of testing may take some time.
Hopefully Stem will have some results posted soon. ;D
Stem
May 7th, 2008, 12:13 PM
-{ Quote: "I'm curious myself, but i'm sure this type of testing may take some time.
Hopefully Stem will have some results posted soon. ;D" }-It's just a case of finding spare time.
I have a couple of hours now, so will test what I can in that time.
- Stem
Stem
May 7th, 2008, 04:22 PM
Hi,
I have managed to look at 3. I will look at others when time available.
The tests are on TCP, just a case of checking to see the packet filtering made on an outbound connection (what packets are filtered out inbound).
So basically, I have a number of TCP packets; these consist of invalid flags, out of sequence and out of connection. These I send against the firewall to see what is logged/filtered out of an open connection.
CHX-I V3.
It filtered out and logged all packets.
8signs (build 3037)
It only logged 2 packets (null and xmas), but I did not see any packets pass, so it looks like a lack of logging, but I will check again on another setup.
LnS (v206)
With SPI enabled.
It only filtered out the packets that are in the Internet filtering (such as null, xmas) and blocked the out of connection. But other packets (invalid flags/out of sequence) were not filtered out.
Fly
May 7th, 2008, 04:45 PM
-{ Quote: "Hi,
I have managed to look at 3. I will look at others when time available.
The tests are on TCP, just a case of checking to see the packet filtering made on an outbound connection (what packets are filtered out inbound).
So basically, I have a number of TCP packets; these consist of invalid flags, out of sequence and out of connection. These I send against the firewall to see what is logged/filtered out of an open connection.
CHX-I V3.
It filtered out and logged all packets.
8signs (build 3037)
It only logged 2 packets (null and xmas), but I did not see any packets pass, so it looks like a lack of logging, but I will check again on another setup.
LnS (v206)
With SPI enabled.
It only filtered out the packets that are in the Internet filtering (such as null, xmas) and blocked the out of connection. But other packets (invalid flags/out of sequence) were not filtered out." }-
Well, that's highly technical !
Netherlands
May 8th, 2008, 01:29 PM
I really like this topic. I also think that the outbound leaktests are getting out of hand. Every vendor is trying to pass these leaktests so there is less time to look at the inbound protection. A couple of years back I had a site to test my firewall for stateful inspection (I used Sygate at that time). I cannot remember the site but maybe someone else can remember it.
@Stem: Also, if there is room left in your testing roundup, I would like to ask if you can test the firewall in Kaspersky KIS 2009. In this new version they have dropped the "stealth all ports" thing because of problems with P2P programs. Well, stealth ports is of course not everything.
wat0114
May 8th, 2008, 02:19 PM
Thanks Stem! I hope you can check Jetico 2 and Agnitum's latest.
Stem
May 8th, 2008, 03:50 PM
Hi Netherlands,
-{ Quote: "@Stem: Also if there is room left in your testing roundup i also would like to ask if you can test the firewall in Kaspersky KIS 2009." }-Yes, I will try and fit that in tomorrow.
- Stem
Stem
May 8th, 2008, 03:58 PM
Hi wat0114,
-{ Quote: "Thanks Stem! I hope you can check Jetico 2 and Agnitum's latest." }-I have just looked at Jetico2 (2_0_2_1). A little strange: it did filter out the null/xmas due to the packet filter rules, but it also filtered out (block all not processed) some of the invalid flagged packets such as syn/rst - fin/syn/psh, but it allowed others such as all flags set. It also allowed out of connection, so it is not checking TCP sequence.
-Stem
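The three packet classes Stem is sending in these tests (invalid flag combinations, out of sequence, out of connection) map onto three checks a stateful filter has to make before a segment on an open connection reaches the stack. The following is an added example, not Stem's test tool and not any vendor's code: a small Python model of the filter side, showing what a firewall with full SPI should log and drop for each case named above (null, xmas, all flags set, syn/rst, fin/syn/psh, a segment outside the receive window, a segment with no connection-tracking entry). The addresses, ports, sequence numbers and window size are constructed values.

```python
"""Added example: the checks a stateful packet filter applies to inbound TCP segments
belonging to an already open connection. Constructed addresses and sequence numbers;
this is not Stem's test tool and not any vendor's code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# TCP flag bits (RFC 793); ECE/CWR (RFC 3168) are ignored by the checks below
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32
CORE = FIN | SYN | RST | PSH | ACK | URG


def invalid_flags(flags: int) -> Optional[str]:
    """Return why a flag combination is bogus, or None if a real stack could send it."""
    core = flags & CORE
    if core == 0:
        return "null scan (no flags)"
    if core == CORE:
        return "all flags set"
    if core & SYN and core & FIN:
        return "SYN+FIN"
    if core & SYN and core & RST:
        return "SYN+RST"
    if core & (FIN | PSH | URG) == (FIN | PSH | URG) and not core & ACK:
        return "xmas scan (FIN/PSH/URG, no ACK)"
    if not core & (SYN | RST | ACK):
        return "segment carries neither SYN, RST nor ACK"
    return None


@dataclass
class Conn:
    """Connection-tracking entry for one established flow, seen from the filter."""
    peer: str
    peer_port: int
    local: str
    local_port: int
    expected_seq: int        # next sequence number the peer should send us
    window: int = 65535      # receive window we advertised to the peer


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    payload_len: int = 0


class StatefulFilter:
    def __init__(self) -> None:
        self.table: Dict[Tuple[str, int, str, int], Conn] = {}
        self.log: List[str] = []

    def track(self, c: Conn) -> None:
        self.table[(c.peer, c.peer_port, c.local, c.local_port)] = c

    def _drop(self, seg: Segment, why: str) -> str:
        self.log.append(f"DROP {seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} "
                        f"flags=0x{seg.flags:02x} seq={seg.seq}: {why}")
        return "drop: " + why

    def inbound(self, seg: Segment) -> str:
        """Return 'accept' or 'drop: <reason>' for one inbound segment."""
        why = invalid_flags(seg.flags)
        if why:
            return self._drop(seg, f"invalid flags ({why})")
        c = self.table.get((seg.src, seg.sport, seg.dst, seg.dport))
        if c is None:
            # Default deny for anything outside a tracked flow. A real filter would hand
            # a lone SYN to its inbound rule set; any other segment has no business here.
            return self._drop(seg, "out of connection (no state entry)")
        # RFC 793 acceptability with 32-bit wraparound: the segment's first byte, or the
        # end of its data, must fall inside [expected_seq, expected_seq + window).
        offset = (seg.seq - c.expected_seq) % 2**32
        end_offset = (offset + seg.payload_len) % 2**32
        in_window = offset < c.window or (seg.payload_len > 0 and 0 < end_offset <= c.window)
        if not in_window:
            return self._drop(seg, f"out of sequence (offset {offset}, window {c.window})")
        if offset == 0:  # in-order data: advance what we expect next
            c.expected_seq = (seg.seq + seg.payload_len) % 2**32
        return "accept"


def run_stem_style_tests() -> Dict[str, str]:
    """Replay the segment classes Stem describes against one tracked flow."""
    fw = StatefulFilter()
    # Constructed flow: local 192.0.2.5:49152 has an open connection to 203.0.113.10:80
    fw.track(Conn("203.0.113.10", 80, "192.0.2.5", 49152, expected_seq=1_000_000))

    def seg(flags: int, seq: int = 1_000_000, length: int = 0, sport: int = 80) -> Segment:
        return Segment("203.0.113.10", sport, "192.0.2.5", 49152, flags, seq, length)

    cases = {
        "null": seg(0),
        "xmas": seg(FIN | PSH | URG),
        "all flags": seg(CORE),
        "syn/rst": seg(SYN | RST),
        "fin/syn/psh": seg(FIN | SYN | PSH),
        "out of sequence": seg(ACK | PSH, seq=5_000_000, length=100),
        "out of connection": seg(ACK | PSH, length=100, sport=8080),
        "valid data": seg(ACK | PSH, length=100),                   # expected_seq -> 1_000_100
        "overlapping retransmit": seg(ACK | PSH, seq=1_000_050, length=100),
    }
    return {name: fw.inbound(s) for name, s in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_stem_style_tests().items():
        print(f"{name:22s} {verdict}")
```

`run_stem_style_tests()` returns the verdict for each case and `fw.log` holds the lines a firewall log should show. A product whose only inbound check is a static flag rule set (null, xmas) catches the first group and misses the window and state checks; that is the distinction Stem's results draw between CHX-I on one side and LnS and Jetico on the other.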
Netherlands
May 8th, 2008, 05:00 PM
-{ Quote: "Hi Netherlands,
Yes, I will try and fit that in tomorrow.
- Stem" }-
Great news. KIS 2009 isn't officially released but I assume that you know where to get it.
Stem
May 8th, 2008, 05:16 PM
-{ Quote: "KIS 2009 isn't officially released but I assume that you know where to get it." }-I have V8 RC2, is that the latest?
wat0114
May 8th, 2008, 05:23 PM
-{ Quote: "Hi wat0114,
I have just looked at Jetico2 (2_0_2_1). A little strange: it did filter out the null/xmas due to the packet filter rules, but it also filtered out (block all not processed) some of the invalid flagged packets such as syn/rst - fin/syn/psh, but it allowed others such as all flags set. It also allowed out of connection, so it is not checking TCP sequence.
-Stem" }-
Thank you for all your efforts, Stem :) This is a bit disappointing with J2. I expected better from it.
Netherlands
May 8th, 2008, 05:50 PM
-{ Quote: "I have V8 RC2, is that the latest?" }-
No, it's 8.0.0.357 (V8 TR, Technical Release)
ggf31416
May 9th, 2008, 12:10 PM
Can you test windows firewall as well?
aeonhuang
May 9th, 2008, 01:02 PM
Hi, Stem. I am very surprised by the results. Although no longer updated, CHX-I is still the best. Can you tell me more about the details of the test? For example, testing methods, test data records, etc. :)
Stem
May 9th, 2008, 02:13 PM
-{ Quote: "No, it's 8.0.0.357 (V8 TR, Technical Release)" }-Is there an open download? I need to be cautious; if it is closed/private then there will be restrictions on any reports/tests published.
- Stem
Netherlands
May 9th, 2008, 02:17 PM
-{ Quote: "Is there an open download? I need to be cautious; if it is closed/private then there will be restrictions on any reports/tests published.
- Stem" }-
Well, that is the case indeed. Until it's officially out of beta stage the product's test results may not be published. But if you like to test it internally you can download it here:
http://dnl-eu2.kaspersky-labs.com/devbuilds/TR/KIS/
Another question. You mentioned Injoy Firewall earlier in this topic. Did you also test its SPI capabilities? What did you think about it?
Stem
May 9th, 2008, 02:19 PM
-{ Quote: "Can you test windows firewall as well?" }-I will on my next setup. (later tonight or tomorrow)
Stem
May 9th, 2008, 02:32 PM
Hi Netherlands,
-{ Quote: "Another question. You mentioned Injoy Firewall earlier in this topic. Did you also test its SPI capabilities? What did you think about it?" }-I have not yet tested the latest release.
I will do that when I check windows firewall (I may have a spare hour later)
- Stem
Stem
May 9th, 2008, 03:02 PM
-{ Quote: "Hi, Stem. I am very surprised by the results. Although no longer updated, CHX-I is still the best. Can you tell me more about the details of the test? For example, testing methods, test data records, etc. :)" }-The test is very basic (at the moment), just spoofed packets over a current (open) connection.
I do want to expand/improve on the tests and add various scans and filtering of UDP/ICMP.
I am starting to find a little more spare time, so I am hoping to sort out better testing and then re-check the firewalls, so at the moment, I am not keeping results etc.
- Stem
Stem
May 9th, 2008, 03:34 PM
-{ Quote: "Well, that is the case indeed. Until it's officially out of beta stage the product's test results may not be published." }-Open to verification, but,... If for example, I am allowed to download/install, then I would also be allowed to test the product, which then puts forward being allowed to post results openly of testing directly to vendor forum.
- Stem
Netherlands
May 9th, 2008, 03:50 PM
-{ Quote: "Open to verification, but,... If for example, I am allowed to download/install, then I would also be allowed to test the product, which then puts forward being allowed to post results openly of testing directly to vendor forum.
- Stem" }-
Yes you can always post your results at the Kaspersky Beta forum ;D
I don't think its a problem if you post it here though.
Netherlands
May 10th, 2008, 01:27 AM
-{ Quote: "Open to verification, but,... If for example, I am allowed to download/install, then I would also be allowed to test the product, which then puts forward being allowed to post results openly of testing directly to vendor forum.
- Stem" }-
I found the official text about testing their beta product:
"This software may not be used for comparative product testing, nor may it be used for product reviews or benchmark testing without the prior written consent of Kaspersky Lab."
Stem
May 11th, 2008, 11:41 PM
-{ Quote: "Can you test windows firewall as well?" }-Windows firewall did log as dropped the invalid flagged TCP packet, but a sniffer installed was able to see/log the packets.
It did not filter out the "out of connection", so the firewall is not checking sequence numbers.
- Stem
Stem
May 11th, 2008, 11:48 PM
-{ Quote: "You mentioned Injoy Firewall earlier in this topic. Did you also test its SPI capabilities? What did you think about it?" }-I have made 3 installations of Injoy 4.1. The results on the first 2 installations were quite bad; in fact it did not filter any packets. The 3rd installation caused Windows to hang on boot, so there is a conflict with Injoy 4.1 on my test system.
I will need to find time to check what the conflict is with, if it is with the NIC/driver then it is a major problem, as this problem can only be seen either due to the hang on boot, or with the lack of any filtering, which could leave a user (with the same setup/problem) with no actual firewall/filtering protection.
- Stem
CoolWebSearch
May 19th, 2008, 05:02 AM
-{ Quote: "Firewalls, like any other security software, cannot guarantee to detect an installed rootkit though some may be able to detect and block any attempted installation. Dealing with rootkits is very much beyond the scope of the product suggested in this thread though. See the Firewallleaktest In the Wild (http://www.firewallleaktester.com/malwares.htm) page for a few examples. It is dated now but you can be sure that more recent malware will have improved in this area.
Malware that disables systems completely isn't a likely threat simply since it doesn't spread well. A greater danger is those that capture private financial data - this is a focus of major malware producers (increasingly organised crime) so there are plenty of examples and doubtless far more to come.
In any case, file protection is already handled quite well by Windows' own NTFS as long as users don't run as Admin by default. BHOs/toolbars can be detected and removed by most anti-spyware scanners (and a couple of firewalls do have this function integrated). Any firewall working at driver level (monitoring access to network hardware) should intercept this - since packet sniffers using WinPCap have been doing something similar, it isn't a new phenomenon by any means. Outbound (http://www.firewallleaktester.com/leaktest5.htm) and MBTest (http://www.firewallleaktester.com/leaktest10.htm) are leaktests using the "direct to network" method to bypass firewalls. Could you be more specific about this? (i.e. include a name for this trojan). Virtually all firewalls will detect changes in executable files, most will detect process code/memory injection. That leaves driver installation which a few firewalls address but that is more in the area of system/process control software like SSM and its ilk." }-
Hi, Paranoid. I was too busy to post the reply about my opinion about leak-tests.
One thing about leak-tests: I saw that leak-tests have behaviours like real malware on Firewall Leak Tester. But 98% of leak-tests are simply a waste of time, because they do not show or match what the vast majority of malware really does.
Example: OK, let's suppose you have a leak-test on your computer. A leak-test or malware on your computer means your computer's security is already compromised by the leak-test/malware.
When you run any leak-test/malware, any firewall or HIPS will alert you that the leak-test or malware is trying to modify the registry or whatever else.
Instead of blocking, in many leak-tests you have to grant access for the leak-test to do its job and then block any other action. In my opinion this is a very bad approach, since we assume that the computer's security is already compromised when you allowed the first action.
I used to support leak-tests, but not anymore; inbound protection against all kinds of malware is what I really prefer.
Also regarding antivirus/anti-spyware and all threats, that's true in theory. However, my experience showed otherwise. If you use for example ZoneAlarm Pro or Outpost Pro with NOD32 it's the best combination you can get.
Even though my memory stick was always infected by worms, Trojans and spyware, it never really infected my computer, in 100% of cases.
I'd like to hear both Paranoid's and Stem's (and others') opinions about the following:
Some interesting notes I saw on Comodo's forums:
It would be too naive to claim that having a network based packet inspection can prevent malware from being downloaded and run.
Network Intrusion Detection and Prevention is conceptually similar to anti virus scanning such that packets are scanned for known signatures or patterns. It adds an additional layer of security but is far from being able to stop most of the known threats, never mind the unknown ones.
Malware can be transmitted over encrypted traffic, e.g., SSL, VPN or SSL-based Jabber (IM) protocols. And even over unencrypted traffic, malware detection is not 100% guaranteed. When you compress some files and transfer them, are those packet inspections going to build the whole archive, decompress it, and then scan? So they are very limited and can't be assumed to be the main line of defense.
What do you think?
There is more I found out:
You have a 100% clean PC:
1 - Let's assume you have AV software. If AV signatures did not detect a threat, after some signature updates you will be able to detect the virus later, possibly after all the harm is done. Nonetheless, let's assume this is acceptable. This would generally be the only way you would be infected.
2 - Let's assume you don't have an AV but an intrusion detection system which scans network packets against some signatures:
Let's assume a known malware is going to be transferred:
- If the malware is transferred over an encrypted channel, you are vulnerable
- If the malware is transferred over an unencrypted channel, but with an uncommon protocol that your IDS does not know, you are vulnerable
- If the malware is transferred over an unencrypted channel, but inside an infected setup file, you are vulnerable, especially if the file is large.
- If the malware comes from another source than the network, you are vulnerable
At the network layer, you are quite limited in terms of detection capabilities (you have a couple of packets and that's all). Consider AV programs having everything (emulation, unpacking, heuristics etc.) failing to detect malware. Never mind a fragment of malware inside a packet.
If your IDS does not know the malware, it cannot detect it, even after signature updates. Unlike an AV, it can do nothing after signature updates.
So an N-IDS is a nice, additional layer of security. But it is not comparable to an H-IPS and cannot be trusted as the main line of defense. Would you trust a firewall only as your main line of defense?
Your opinions are highly needed.
Big thanks to everybody.
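The quoted Comodo-forum argument ("a couple of packets and that's all", the compressed archive nobody reassembles) comes down to two concrete limits of per-packet signature matching: a pattern split across a segment boundary, and a pattern inside a compressed body. As an added illustration, not code from Comodo or from any IDS product, here is a Python sketch with a constructed, harmless byte pattern standing in for a signature, a naive per-segment matcher, a stream-reassembling matcher, and a minimal HTTP decoder that gunzips a body before matching. The MSS, the pattern and the HTTP response are all constructed.

```python
"""Added example: why per-packet signature matching in an N-IDS misses content.
Constructed, harmless pattern; not code from Comodo or any IDS product."""
import gzip
from typing import List

# Stands in for a malware signature; deliberately a harmless constructed string.
PATTERN = b"CONSTRUCTED-TEST-PATTERN-DO-NOT-ALERT"


def segment(payload: bytes, mss: int) -> List[bytes]:
    """Split a byte stream into TCP-segment-sized chunks (in-order delivery assumed)."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def match_per_packet(segments: List[bytes], pattern: bytes = PATTERN) -> bool:
    """Naive inspection: examine each segment on its own, no reassembly."""
    return any(pattern in s for s in segments)


def match_stream(segments: List[bytes], pattern: bytes = PATTERN) -> bool:
    """Reassemble the stream first, then search; finds boundary-spanning patterns."""
    return pattern in b"".join(segments)


def match_decoded_http(raw: bytes, pattern: bytes = PATTERN) -> bool:
    """Parse a minimal HTTP response and gunzip the body when the headers say so."""
    head, _, body = raw.partition(b"\r\n\r\n")
    if b"content-encoding: gzip" in head.lower():
        try:
            body = gzip.decompress(body)
        except (OSError, EOFError):
            # Truncated or corrupt body: nothing can be inspected. A real sensor should
            # record this as "undecodable" rather than silently treat it as clean.
            return False
    return pattern in body


def build_cases() -> dict:
    """Constructed traffic showing where each matcher succeeds or fails."""
    mss = 536
    # Place the pattern so it straddles the boundary between segments 1 and 2.
    plain = b"A" * (mss - 10) + PATTERN + b"B" * 300
    segs = segment(plain, mss)
    # A gzip-encoded HTTP body carrying the same pattern.
    resp = (b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n\r\n"
            + gzip.compress(PATTERN + b"C" * 100))
    return {
        "per_packet_boundary": match_per_packet(segs),       # False: split across segments
        "stream_boundary": match_stream(segs),               # True: reassembled first
        "raw_gzip": match_stream(segment(resp, mss)),        # False: bytes are compressed
        "decoded_gzip": match_decoded_http(resp),            # True: decoded before matching
    }


if __name__ == "__main__":
    for case, hit in build_cases().items():
        print(f"{case:20s} {'match' if hit else 'miss'}")
```

The two misses are exactly the cases the quoted post raises. Stream reassembly is cheap and every serious N-IDS does it; decoding is the expensive part, and it still stops at the first layer the sensor cannot open (an encrypted channel, an unknown protocol, a nested archive), which is why the post concludes that a network sensor is an additional layer and not the main line of defense.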
Fly
May 21st, 2008, 01:31 PM
-{ Quote: "Hi,
I have managed to look at 3. I will look at others when time is available.
The tests are on TCP, just a case of checking to see the packet filtering made on an outbound connection (what packets are filtered out inbound).
So basically, I have a number of TCP packets; these consist of invalid flags, out of sequence and out of connection. These I send against the firewall to see what is logged/filtered out of an open connection.
CHX-I V3.
It filtered out and logged all packets.
8signs (build 3037)
It only logged 2 packets (null and xmas) but I did not see any packets pass, so it looks like a lack of logging, but I will check again on another setup.
LnS (v206)
With SPI enabled.
It only filtered out the packets that are in the Internet filtering (such as null, xmas) and blocked the out of connection. But other packets (invalid flags/out of sequence) were not filtered out." }-
Hello Stem.
I am interested in the Look'n'Stop firewall. I'm not an expert, and I don't quite understand the outcome of your test as you described it. I want firm inbound protection. To what extent do the 'other packets (invalid flags/out of sequence) were not filtered out' matter? What does it mean?
Pedro
May 21st, 2008, 01:56 PM
Yeah, LnS and CFP, but only if you find the time Stem.
Cheers
Escalader
May 21st, 2008, 02:25 PM
-{ Quote: "I have made 3 installations of Injoy 4.1. The results on the first 2 installations were quite bad; in fact it did not filter any packets. The 3rd installation caused Windows to hang on boot, so there is a conflict with Injoy 4.1 on my test system.
I will need to find time to check what the conflict is with, if it is with the NIC/driver then it is a major problem, as this problem can only be seen either due to the hang on boot, or with the lack of any filtering, which could leave a user (with the same setup/problem) with no actual firewall/filtering protection.
- Stem" }-
Hi Stem:
On your inbound FW testing, have you got any results for OA 2 to share with the thread? If I have missed it here I apologize. :-\
wat0114
May 23rd, 2008, 08:09 PM
Hi CWS,
I'll post as best I can, but for sure P2K, Stem or someone with similar qualifications can provide better info :)
-{ Quote: "
When you run any leak-test/malware, any firewall or HIPS will alert you that the leak-test or malware is trying to modify the registry or whatever else.
Instead of blocking, in many leak-tests you have to grant access for the leak-test to do its job and then block any other action. In my opinion this is a very bad approach, since we assume that the computer's security is already compromised when you allowed the first action." }-
The first action is usually allowing the malware executable. Registry modification and so forth will happen later. I do agree that the system is probably already compromised after the initial "allow" action.
-{ Quote: "
Also regarding antivirus/anti-spyware and all threats, that's true in theory. However, my experience showed otherwise. If you use for example ZoneAlarm Pro or Outpost Pro with NOD32 it's the best combination you can get. " }-
There are numerous best combinations. It comes down to user preference, where system stability, system performance and ease of use, amongst other criteria, should be considered.
-{ Quote: "Even though my memory stick was always infected by worms, Trojans and spyware, it never really infected my computer, in 100% of cases. " }-
Just a question because I'm curious: is this because your security software alerted on these viruses or because you did not transfer them off your memory stick to your computer?
-{ Quote: "It would be too naive to claim that having a network based packet inspection can prevent malware from being downloaded and run.
Network Intrusion Detection and Prevention is conceptually similar to anti virus scanning such that packets are scanned for known signatures or patterns. It adds an additional layer of security but is far from being able to stop most of the known threats, never mind the unknown ones." }-
This is an area I know very little about, but I believe it is firewalls, probably hardware only, that incorporate DPI (Deep Packet Inspection) that can do this.
-{ Quote: "Malware can be transmitted over encrypted traffic, e.g., SSL, VPN or SSL-based Jabber (IM) protocols. And even over unencrypted traffic, malware detection is not 100% guaranteed. When you compress some files and transfer them, are those packet inspections going to build the whole archive, decompress it, and then scan? So they are very limited and can't be assumed to be the main line of defense.
What do you think?" }-
Probably correct but I really have no idea. Hopefully someone else can elaborate.
-{ Quote: "There is more I found out:
You have a 100% clean PC:
1 - Let's assume you have AV software. If AV signatures did not detect a threat, after some signature updates you will be able to detect the virus later, possibly after all the harm is done. Nonetheless, let's assume this is acceptable. This would generally be the only way you would be infected.
2 - Let's assume you don't have an AV but an intrusion detection system which scans network packets against some signatures:
Let's assume a known malware is going to be transferred:
- If the malware is transferred over an encrypted channel, you are vulnerable
- If the malware is transferred over an unencrypted channel, but with an uncommon protocol that your IDS does not know, you are vulnerable
- If the malware is transferred over an unencrypted channel, but inside an infected setup file, you are vulnerable, especially if the file is large.
- If the malware comes from another source than the network, you are vulnerable
At the network layer, you are quite limited in terms of detection capabilities (you have a couple of packets and that's all). Consider AV programs having everything (emulation, unpacking, heuristics etc.) failing to detect malware. Never mind a fragment of malware inside a packet.
If your IDS does not know the malware, it cannot detect it, even after signature updates. Unlike an AV, it can do nothing after signature updates.
So an N-IDS is a nice, additional layer of security. But it is not comparable to an H-IPS and cannot be trusted as the main line of defense." }-
Regarding the last part about N-IDS not being comparable to H-IPS, sure they are two separate types of security measures, but HIPS generally require the user to have some knowledge about the O/S and such, whereas the N-IDS just kind of takes care of everything for you, making the decision itself on the nature of the data it's inspecting. At least this is the way I perceive it. Of course even a fully up-to-date signature database is no guarantee it will detect all threats.
-{ Quote: " Would you trust a firewall only as your main line of defense?" }-
Well, currently in the case of Linux which I've been using extensively for a month...yes, I would ;) With Windows, no, I also use an AV.
CoolWebSearch
May 26th, 2008, 03:20 AM
-{ Quote: "Hi CWS,
I'll post as best I can, but for sure P2K, Stem or someone with similar qualifications can provide better info :)
The first action is usually allowing the malware executable. Registry modification and so forth will happen later. I do agree that the system is probably already compromised after the initial "allow" action.
There are numerous best combinations. It comes down to user preference, where system stability, system performance and ease of use, amongst other criteria, should be considered.
Just a question because I'm curious: is this because your security software alerted on these viruses or because you did not transfer them off your memory stick to your computer?
This is an area I know very little about, but I believe it is firewalls, probably hardware only, that incorporate DPI (Deep Packet Inspection) than can do this.
Probably correct but I really have no idea. Hopefully someone else can elaborate.
Regarding the last part about N-IDS not being comparable to H-IPS, sure they are two separate types of security measures, but HIPS generally require the user to have some knowledge about the O/S and such, whereas the N-IDS just kind of takes care of everything for you, making the decision itself on the nature of the data it's inspecting. At least this is the way I perceive it. Of course even a fully up-to-date signature database is no guarantee it will detect all threats.
Well, currently in the case of Linux which I've been using extensively for a month...yes, I would ;) With Windows, no, I also use an AV." }-
Hi, Wat0114, big thank you for the answer.
I just remembered something regarding firewalls, especially Jetico2 and Outpost Pro.
Does not the firewall regulate the port, protocol and IP involved along with the connections of the applications? Would not the blocked connections to blocked ports and IP by blocked protocols just be blocked anyways?
In this way unknown malware attack from the web could be stopped?
I'm sure Stem could agree with that.
I'm sure someone like you or Stem could easily configure Outpost Pro or Jetico2 to the level no malware can get in or out (I love the Block most mode, it's one of the reasons why I started to use Outpost Pro and especially nice GUI).
Unfortunately I still need to look to Paranoid's thread for safe configuration.
I need one more favor.
Do you use any antivirus with Outpost Pro?
The reason why I'm not using antivirus with Outpost Pro is the following:
Every time I want to use NOD32 or Avira antivirus with Outpost Pro, some of the Outpost's functions like Web Access are blind, or anti-spyware can't be used when I use Avira Antivirus with Outpost Pro-is there any reason I should be worried about if some of the Oupost's functions are blind just to be compatible with other security softwares?
Because, I must admit I do visit potentially dangerous, sometimes malware-loading websites.
However, Outpost Pro by itself handled them all, but with antivirus some of Outpost's functions don't really work...
Hmmm..., your opinions highly needed.
Big thanks.
And I hope moderators won't delete this message since it doesn't belong to this thread.
arran
May 26th, 2008, 04:00 AM
-{ Quote: "Hi, Wat0114, big thank you for the answer.
I just remembered something regarding firewalls, especially Jetico2 and Outpost Pro.
Does not the firewall regulate the port, protocol and IP involved along with the connections of the applications? Would not the blocked connections to blocked ports and IP by blocked protocols just be blocked anyways?
In this way unknown malware attack from the web could be stopped?
I'm sure Stem could agree with that.
" }-
Comodo 3 also has advanced packet filtering rules where inbound traffic is only allowed to travel in/out on certain ports and protocols for each application etc.
However, I don't believe this would stop all malware from coming in, maybe some but not all, unless you had a hardware firewall with "Deep Packet Inspection".
That said, for my inbound malware protection I use FF NoScript and Ad Muncher, which filter out a lot of malware; there are also some AVs like Avast which scan all inbound HTTP traffic for malware.
And as regards general DoS and ping attacks, your router's NAT firewall takes care of that.
CoolWebSearch
May 26th, 2008, 04:49 AM
-{ Quote: "Comodo 3 also has advanced packet filtering rules where inbound traffic is only allowed to travel in/out on certain ports and protocols for each application etc.
However, I don't believe this would stop all malware from coming in, maybe some but not all, unless you had a hardware firewall with "Deep Packet Inspection".
That said, for my inbound malware protection I use FF NoScript and Ad Muncher, which filter out a lot of malware; there are also some AVs like Avast which scan all inbound HTTP traffic for malware.
And as regards general DoS and ping attacks, your router's NAT firewall takes care of that." }-
Hi, Arran and thanks for the reply.
Where can I download this FF NoScript and Ad Muncher?
Also, regarding a hardware firewall with DPI: can it stop unknown, newly generated malware samples? As far as I know only HIPS for inbound protection (and partially heuristics) can really handle new, completely unknown malware samples, since it will ask you whether this program is trying to install or whatever, even though it's unknown malware; but it's up to the user whether he will be smart enough to block this installation.
CoolWebSearch
May 26th, 2008, 04:51 AM
-{ Quote: "Comodo 3 also has advanced packet filtering rules where inbound traffic is only allowed to travel in/out on certain ports and protocols for each application etc.
However, I don't believe this would stop all malware from coming in, maybe some but not all, unless you had a hardware firewall with "Deep Packet Inspection".
That said, for my inbound malware protection I use FF NoScript and Ad Muncher, which filter out a lot of malware; there are also some AVs like Avast which scan all inbound HTTP traffic for malware.
And as regards general DoS and ping attacks, your router's NAT firewall takes care of that." }-
Also, as far as I know, Comodo has identified about 60% of unknown malware samples; I read this on Comodo's forums about 3 months ago...
wat0114
May 28th, 2008, 09:24 PM
-{ Quote: "
I just remembered something regarding firewalls, especially Jetico2 and Outpost Pro.
Does not the firewall regulate the port, protocol and IP involved along with the connections of the applications? Would not the blocked connections to blocked ports and IP by blocked protocols just be blocked anyways?" }-
The current connection(s) will be regulated by the firewall's level of SPI (Stateful Packet Inspection). As for blocked connections to selected ports and IPs, sure, anything not allowed in the firewall's rulesets will be blocked.
-{ Quote: "In this way unknown malware attack from the web could be stopped?
I'm sure Stem could agree with that." }-
If the IP address of a site harboring malware is blocked, then I'd agree the malware should be blocked. Otherwise, I can't see a firewall being able to block malware unless it has built-in DPI (Deep packet inspection) and has signatures that will block the specific malware in question. Also, if the malware is downloaded and installed, then Outpost or Jetico may or may not be able to do anything about it, especially if it is one of those nasty kernel mode rootkits.
-{ Quote: "I'm sure someone like you or Stem could easily configure Outpost Pro or Jetico2 to the level no malware can get in or out (I love the Block most mode, it's one of the reasons why I started to use Outpost Pro and especially nice GUI)." }-
Speaking only for myself, the only way for me to stop all possible malware is to simply not download any of it and to avoid all sites harboring malware. These firewalls can not really be configured to stop all malware from getting in/out, unless all ports and IP addresses are blocked, which, of course, is not a practical solution. Of course, if your custom ruleset does not contain the port(s) the malware is trying to connect to, then it might stop it. There are also other factors that could stop the malware such as checksum modules or HIPS-like functionalities, both of which are built into these firewalls.
-{ Quote: "Do you use any antivirus with Outpost Pro?" }-
Yes, NOD32, 2.7.
-{ Quote: "The reason why I'm not using antivirus with Outpost Pro is the following:
Every time I want to use NOD32 or Avira antivirus with Outpost Pro, some of the Outpost's functions like Web Access are blind, or anti-spyware can't be used when I use Avira Antivirus with Outpost Pro-is there any reason I should be worried about if some of the Oupost's functions are blind just to be compatible with other security softwares?" }-
Outpost Pro, including the latest version, can be used with antivirus/antispyware solutions, as long as Outpost's built-in anti-malware option is disabled.
-{ Quote: "Because, I must admit I do visit potentially dangerous, sometimes malware-loading websites." }-
I see no legitimate reason for this kind of web-surfing behaviour, unless you are testing anti-malware solutions, as some members in this forum, for example, are doing. You are only asking for trouble visiting these types of sites.
-{ Quote: "However, Outpost Pro by itself handled them all, but with antivirus some of Outpost's functions don't really work..." }-
Outpost's functions should work with antivirus solutions, but there have been problems reported by many who have tried using Outpost with antivirus apps, especially Kaspersky. Sometimes the web scanning functionality of certain av products will conflict with Outpost. As I've mentioned before, I'm not recently too impressed by some of these latest firewalls, since they are getting a little too buggy for my liking.
CoolWebSearch
May 29th, 2008, 07:21 AM
-{ Quote: "The current connection(s) will be regulated by the firewall's level of SPI (Stateful Packet Inspection). As for blocked connections to selected ports and IPs, sure, anything not allowed in the firewall's rulesets will be blocked.
If the IP address of a site harboring malware is blocked, then I'd agree the malware should be blocked. Otherwise, I can't see a firewall being able to block malware unless it has built-in DPI (Deep packet inspection) and has signatures that will block the specific malware in question. Also, if the malware is downloaded and installed, then Outpost or Jetico may or may not be able to do anything about it, especially if it is one of those nasty kernel mode rootkits.
Speaking only for myself, the only way for me to stop all possible malware is to simply not download any of it and to avoid all sites harboring malware. These firewalls can not really be configured to stop all malware from getting in/out, unless all ports and IP addresses are blocked, which, of course, is not a practical solution. Of course, if your custom ruleset does not contain the port(s) the malware is trying to connect to, then it might stop it. There are also other factors that could stop the malware such as checksum modules or HIPS-like functionalities, both of which are built into these firewalls.
Yes, NOD32, 2.7.
Outpost Pro, including the latest version, can be used with antivirus/antispyware solutions, as long as Outpost's built-in anti-malware option is disabled.
I see no legitimate reason for this kind of web-surfing behaviour, unless you are testing anti-malware solutions, as some members in this forum, for example, are doing. You are only asking for trouble visiting these types of sites.
Outpost's functions should work with antivirus solutions, but there have been problems reported by many who have tried using Outpost with antivirus apps, especially Kaspersky. Sometimes the web scanning functionality of certain av products will conflict with Outpost. As I've mentioned before, I'm not recently too impressed by some of these latest firewalls, since they are getting a little too buggy for my liking." }-
Big thank you for the answer: One more short question.
I just went to download.com and saw a poster named Legjendat say that Outpost Pro is not as good as he thought it would be.
It supposedly doesn't block every attack.
He also said that ZA Pro blocked over 110 000 attacks in 2 months, and that if there was no ZA Pro his computer would be dead.
It seems to me that Legjendat didn't use Block Most mode for Outpost Pro, which I always use, because as far as I know Block Most mode blocks absolutely everything except the actions I allowed; that's why I can't see how he came up with this!?
Here is the link:
http://www.download.com/3642-4_4-2995127.html
WSFuser
May 29th, 2008, 08:59 AM
ZoneAlarm has a counter for the number of "attacks" blocked. Legjendat probably just took it too seriously.
ruinebabine
May 29th, 2008, 12:30 PM
-{ Quote: "BTW, there seems to be a rumor as 8Signs' development possibly being at a halt. It would be a shame..." }-
May 27, 2008
8Signs Firewall v3.0.37 Released!
What's New (http://www.8signs.com/firewall/newin3.cfm)
Seer
May 29th, 2008, 06:24 PM
-{ Quote: "He also said that ZA Pro blocked over 110 000 attacks in 2 months, and that if there was no ZA Pro his computer would be dead." }-
Dead? LOL. Very radical statement.
Definition of an "attack" is different with different vendors. Some firewalls have the option to set the number of port scans that will trigger an "attack" alert. I'm not sure, but I think Outpost has it.
ZA obviously set this number to a very low figure by default, so legitimate traffic (i.e. server-type traffic on opened ports) is being flagged as an attack.
These "attacks" in ZA are nothing more than marketing bull. I can make a loose analogy with an AV flagging a FP on a BHO toolbar.
-{ Quote: "I see no legitimate reason for this kind of web-surfing behaviour" }-
Umm... porn perhaps?
Fuzzfas
May 29th, 2008, 06:43 PM
-{ Quote: "He also said that ZA Pro blocked over 110 000 attacks in 2 months, and that if there was no ZA Pro his computer would be dead." }-
ROFL! 110.000? Yeah, right. Is he a 5 star general of the Pentagon? No? I thought so. ;D
ZA is famous (or should I say infamous) for its "attack logging". If you don't make it show only "important" attacks, it fills the log with 50 "attacks" every minute. 10 minutes later, the log is so crowded and useless that it's not worth looking at anymore.
You wanna see 110.000 in 24 hours with ZA? Here is how. Run eMule without advanced rules. Just check the program settings to give it complete server rights. By the end of 24 hours, you will have a gazillion "UDP attacks", because Zone Alarm, even if you give complete rights, is (still, after many years) unable to open the UDP port. You want 220.000? All you have to do is close eMule and don't change IP. You will have another flood of TCP packets to be added to the UDP packets. Each of these is counted as an "attack". Random internet scans? They generate tons of "attacks" too.
Most of the other firewalls out there don't even bother to log the internet's "background noise" as an "attack", because it clutters the log, which ends up as a log that you can't read. ZA, on the contrary, is capable of logging any casual "sneeze" as an attack from which it "saved" you. Good marketing ploy for firewall newbies, I guess; totally crap for people who actually want to READ logs with REAL attacks.
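The two counting policies discussed above, as an added example (not code from the thread or from any firewall vendor): a per-packet counter that treats every dropped packet as an "attack", versus a threshold-based port-scan detector that ignores background noise such as leftover P2P traffic. The log format and the sample lines are constructed for this example; real firewall logs differ.

```python
"""Dropped-packet log lines turned into an 'attack' count two different ways.

Constructed log format (not any vendor's): <epoch seconds> <src ip> <dst port> <proto>
"""
from collections import defaultdict

# Constructed sample: 203.0.113.5 keeps sending leftover P2P traffic to the
# ports a closed client used; 198.51.100.9 probes many different ports.
SAMPLE_LOG = """\
1000 203.0.113.5 4672 UDP
1001 203.0.113.5 4672 UDP
1002 203.0.113.5 4662 TCP
1003 203.0.113.5 4662 TCP
1004 203.0.113.5 4672 UDP
1000 198.51.100.9 21 TCP
1001 198.51.100.9 22 TCP
1002 198.51.100.9 23 TCP
1003 198.51.100.9 25 TCP
1004 198.51.100.9 80 TCP
1005 198.51.100.9 135 TCP
1600 198.51.100.9 445 TCP
"""


def parse(log):
    """Return a list of (timestamp, src_ip, dst_port, proto) tuples."""
    events = []
    for line in log.splitlines():
        ts, src, port, proto = line.split()
        events.append((int(ts), src, int(port), proto))
    return events


def count_every_drop(events):
    """Per-packet policy: every blocked packet is one 'attack'."""
    return len(events)


def count_port_scans(events, min_ports=5, window=60):
    """Threshold policy: flag a source only if it hits >= min_ports distinct
    destination ports within any window of `window` seconds. Returns
    {src_ip: max distinct ports seen in one window} for flagged sources."""
    by_src = defaultdict(list)
    for ts, src, port, _ in sorted(events):
        by_src[src].append((ts, port))
    scans = {}
    for src, hits in by_src.items():
        lo = 0
        for hi in range(len(hits)):  # sliding window over time-sorted hits
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1
            ports = {p for _, p in hits[lo:hi + 1]}
            if len(ports) >= min_ports:
                scans[src] = max(scans.get(src, 0), len(ports))
    return scans
```

On the sample, the per-packet counter reports 12 "attacks" while the threshold detector flags only the probing host; the noise from the closed P2P client touches two ports and is never counted.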
LoneWolf
May 29th, 2008, 06:57 PM
-{ Quote: "May 27, 2008 - 8Signs Firewall v3.0.37 Released! What's New (http://www.8signs.com/firewall/newin3.cfm)" }-
But still no Application filtering (control) ???
wat0114
May 29th, 2008, 08:34 PM
-{ Quote: "Umm... porn perhaps?" }-
Sure, but some porn sites are safe, while many (probably most) are risky :P
ruinebabine
May 30th, 2008, 02:55 AM
-{ Quote: "But still no Application filtering (control) ???" }-
Don't hold your breath on your call!
Since the original developer was James Grant, it would be surprising if they had a single thought about implementing this feature in their firewall...
Pedro
May 30th, 2008, 11:39 AM
It was built for servers.
vBulletin® Copyright ©2000-2012, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2012, Wilders Security Forums