Opinions from firewall experts highly needed...

Hail, everbody!
I'd like to hear some opinions regarding inbound protection of each firewall.
For example, I have 3 firewalls on 3 different computers.
I have ZA Pro, Outpost Pro and Jetico2.
However, I've seen on Jetico's own forums that Jetico1 and Jetico2 are vulnerable to SYN flood attack(whatever it means).Tommy one of Jetico's mderators says that Jetico's protection against SYN flood is only basic.
http://www.smokey-services.eu/forum/viewtopic.php?f=51&t=8889

Also, how secure are the newest versions of the 3 firewalls I mentioned above-has anyone tested their inbound protection against all kinds of attacks.

Questions and regarding inbound protection:
Stem said something that Comodo's checksum which itself is not a protection at all.
Here is the thread:
https://www.wilderssecurity.com/showthread.php?t=190289

However, Egemen, from Comodo's forums said his opinions about full Stateful Packet Inspection and Deep Packet Inspection- that they do not cover UNKNOWN MALWARE or something like that.
Here is the entire thread from both Melih and Egemen, they have answered why they think full Stateful Packet Inspection and full Deep Packet Inspection is not enough or it's not good for your inbound protection or please, simply drop inside the in the link I'm going to give you.
Here is the link:
http://forums.comodo.com/leak_testi..._basicfor_melih_and_egemen_also-t18296.0.html
Any firewall expert of moderator, help, please!!!


If anyone wants to answer and give his opinion, and if anyone has tested Comodo's inbound protection, please enter to see if Comodo (newest version) is vulnerable to any attack or anything else that has with either INBOUNF OR OUTBOUND protection.

Thanks for all help and opinions you can give me.

 

Do you really expect a firewall to detect and prevent malware?

They're effective against network worms, yes, but that's another different topic altogether from executable malicious code.

 

Hello,
The chances of you getting swamped in home environment are minimal. This means something for servers but not home users.
Mrk

 

Well, Melih and Egemen's main concept of Comodo 3.0 was and is prevention.
Basically, they suggest HIPS (like in Comodo and OnlineArmor).

 

A HIPS isn't a firewall though. It can, however, be used in malware prevention along with other recognised technologies.

 

Hello CoolWebSearch,

I dont like to get involved with possible A vs B threads, so I will only comment.

A SYN flood will only affect a firewall with open ports with an application taking the inbound packets.
Example:
If you run a P2P client, you will probably have an open port to allow unsolicited inbound to that application, this could come under attack from a SYN flood. This basically is where an unsolicited inbound connection attempt is made, your PC then responds to this, then it will wait for the continue of the connection (This is know as "Half open connection"), as the connection does not continue, then the PC continues to wait, many of these connection attempts are made to a point where your PC cannot handle any more, so you are then flooded.

This is not a failing but a fact.
A checksum of a packet could be seen as a checksum of a downloaded application. So, you download an application, download the checksum to verify, the result of this check, if it is correct or not will not tell you if that application is good or bad, only a fact if it is corrupted or not.

The implementation of SPI that we see in home type firewalls are designed only to check on current connection, not what is actually within that connection. A firewall will allow you to download malware.(unless it is supported with AV web filter etc)
Deep packet inspection will check within the packet contents, so this can catch some threats, but these are caught via signature, Deep packet inspection can also filter malformed. But unknown, no, Use HIPS or similar.

 

There doesn't seem to be any rule in Jetico 2 to block unsolicited inbound TCP scans, so I got an idea from "someone" in the Jetico forum to create a "block" rule and placed it at the top of the ip table: Reject | TCP | inbound | syn flag = on | ack, psh, urg flags = off

This rule - instead of the default "Block all not processed protocol packets" - now does all the blocking when I run a scan from Shield's Up.

 

~Removed full quote~

Hi,Stem!
I have to thank you that you have answered. My intention, actually curiosity was basically are SPI and DPI firewalls enough against malware installation.

What firewall technology or an other kind of technology do you recommend to have, basically if malware wants to install on your computer SPI and DPI won't
help you here, so is HIPS the right answer?
Or simply you have to have antivirus/antispyware solution-but how is this going to help you against the installation of UNKNOWN MALWARE?
This is the one thing that really torchers me.
Again, thank you and I apologize if this looked like A vs. B thread.

 

That's good to know, thanks.

 

Also allow me this opportunity to ask you what do you think about fake mouse clicks attack-do you consider it as a potential threat in order to disable firewall's self-protection.
Are there any other ways to kill off the firewall?

 

Hi CoolWebSearch,

For clarification, we are talking of current home firewalls ability to filter packets (network traffic) correctly. This is in no way going to prevent anything being installed on the PC.

That is really a very broad question, really because what is used would also depend on the users knowledge of that product, certainly if we look at such HIPS where a lot of user input may be/ is needed.
Execution prevention can in itself stop malware, but the main problem can be that malware can be hidden within what is thought of as a legitimate application, so a user will allow the installation even to a point of disabling the HIPS or engaging some form of installation/ learning mode, so it cannot be said that HIPS (in itself) is a definite answer to the problem (certainly not for ALL users).
Some vendors now follow a path of whitelists which is (IMHO) a good path to take, mainly for users who are not always sure of what they are installing, but I would also say that there is also a need for blacklists to be used (as with an AV sig base), but saying that, users even given 1 or 2 popups will just press OK/allow regardless, so unknowns can still be allowed by the end user.

This is why we also see now AV`s adding some form of HIPS/ anomaly checking.

 

This, if I am reading it correctly is similar to post made with ProcessGuard. The concern was due to possible malware simulating legit user input to shutdown an application (firewall/AV etc), PG answer was introduction of a confirmation popup, with a need to enter a code from popup (as we see sometimes when registering to a forum (to prevent bots etc)) to confirm the shutdown.
As for today, well, it does depend on security installed, a number of HIPS will have the options to prevent direct termination, they also have options to re-start an application if terminated, so for me personally, it is not a threat.

There are many ways to terminate an application, most HIPS (or firewalls with HIPS) do contain self protection from this, but, saying that, if you allow malware to install with its own low level drivers, then the chances are it will kill off whatever it wants.

 

A firewall should not be able to be shut down with just mouse clicks, fake or real. A password should be required, otherwise anyone can shut it down from the desktop, including kids, unauthorized users, etc. Any firewall that doesn't give you the option to require authorization to shut it down is defective by design.
Rick

 

Thanks for the tip!

 

Hi, Stem!
I apologize for being annoying, but I really need to ask you something. I've just been on Comodo's forums and actually read their replies in details regarding checksum verification.

The only reply regarding SPI, Checksum verification and DPI I saw there was this:
"If we can be shown from which practical attack we don't protect, we will be more than happy to improve our firewall to cover that angle immediately."

But I'd really like to know your opinion here on this subject.

Also, I'm planning to try the newest version of Kerio Winroute Firewall (this has nothing to do with Sunbelt Kerio).
The main reason why I'd like to try it is because it has full SPI, DPI plus McAfee VirusScan.
What do you think about it?
That's all for now.
And thanks for your time.