Firewall with these features??

Discussion in 'other firewalls' started by jon_fl, Nov 5, 2004.

Thread Status:
Not open for further replies.
  1. isnogood

    isnogood Registered Member

    Joined:
    Sep 22, 2004
    Posts:
    83
    Location:
    France
    Paranoid200, I tested latest build Outpost 2.5 recently and I have a also full PG v3. The couple passed almost all leaktests, which is really good result. But it failed some of Wallbreaker tests. I mean Wallbreaker v4, because with v3 it's all OK. It's not the fault of PG, because Wallbreaker does not inject ddl's, rather try to spawn your browser in different manners. Outpost does detect spawning, but not always. In my case test nb 2 was not blocked, for example. If you have better experience, let me now.
    In my eyes, application spawning control is really important. It works perfectly with Tiny, and perhaps also with SSM. I would like Outpost or other lightweight firewall implement it properly - it would give me agood alternative solution.

    Isnogood
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    *rubs hands gleefully in anticipation of a good debate*

    DRI,

    Several points made here - leaktest performance should be one factor amongst many in choosing a firewall, that is true. However it is an indication of how a firewall would perform in a "worst case" scenario where malware is present and running on your system - having a firewall able to identify it and (a) warn about this activity, (b) give the option to block it becomes important here.

    As for application filtering being "illusionary" I would have to disagree strongly. While Microsoft may make this difficult (by building functionality into Internet Explorer allowing it to be used as a data mule by any malware out there), the best firewalls now include an element of Windows process control allowing them to identify connection attempts, even via trusted applications. Indeed this is what some of the leaktests (TooLeaky, Ghost, etc) try to exploit, so if this is your concern then leaktest performance should assume a greater significance.

    As for the merits of "full" Stateful Packet Inspection, I would suggest that they are more theoretical than real and only of value for "first-line" firewalls used to secure networks against outside attack (and used in conjunction with personal firewalls for the application filtering). Since SPI is a term so widely used and poorly defined, I'd like to try to classify the different types that seem to be around...

    Packet-level (or network-level) SPI keeps track of what network connections have been created and only permits packets that (a) belong to an existing connection or (b) open a new connection that is permitted by existing firewall rules. This is what virtually every personal firewall offers by default (except Look'n'Stop where it is an option that has to be enabled) and is the most important since it can identify unsolicited packets from legitimate responses.

    Connection-level (or transport-level) SPI looks at what connections each application has and only permits new ones if they fit within the application context, e.g. for file transfer applications, a data connection should only be allowed to a host if a control connection already exists. Outpost v2 offers a very limited form of this level of SPI (where extra connections are allowed as long as the initial connection is maintained) but includes some specific rules for the File Transfer Protocol (see the Outpost forum Stateful Inspection FAQ for more details on this).

    Full application level SPI (as pioneered by Checkpoint and detailed in this 8-page 1.3MB (*ugh*) PDF document Stateful Inspection Technology) means analysing the contents of each packet for an application to determine whether it is legal or not. So in the context of a protocol like HTTP (used in connecting to websites), a page containing an HTTP Redirect to another server would be intercepted by the firewall and used to create a rule allowing further HTTP requests to that server's IP address.

    The downside of full application SPI is that the firewall has to have intimate knowledge of every protocol in use. If only a limited number have to be accounted for (e.g. web, email, file transfer and chat traffic for a corporate network) then this is feasible. However a home user running P2P software, online games (see the Gamespy Firewall Help for what is involved here) and lesser-known applications with proprietary protocols is highly unlikely to find these supported by a "full application SPI" firewall (if you know of one that handles GameSpy and its ilk properly, please do supply details :)).
    This is where I would have to disagree. Full SPI may provide incomplete protection for the home user as mentioned above - but also consider the case of a trojan that tries to disguise its traffic as a legitimate web request (for instance, using your browser to connect to a URL like www.i-0wn-u-d00d.com/index.html?data="all-your-private-data"). This would breeze through any SPI firewall - only one offering application (and interprocess) control would alert you to a new process trying to use your browser to make a connection.

    An even more insidious example is using recursive DNS (see DNSTester for an example) - virtually all firewalls allow DNS by default and even restricting DNS traffic to your ISPs DNS servers will not work for this (Outpost can be configured to block this as per the Application DNS settings in section D1(b) of A Guide to Producing a Secure Configuration for Outpost but it's not an easy option).

    While these techniques may be "leading edge", they are possibilities that need to be accounted for - in fact, many websites are already using HTTPS URLs to send private data as detailed in the The dangers of HTTPS thread but that's a separate issue.

    Isnogood,

    I'd suggest reporting any leaktest failures to Agnitum directly (Agnitum Online Support Form).
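    The packet-level and connection-level SPI described in the post above, as an added example that is not part of the original thread and is not the code of Outpost, Checkpoint or any other firewall mentioned here: a toy stateful filter in Python. The state table only passes packets that (a) belong to an existing connection or (b) open a new outbound connection the static policy permits; on top of that, a single connection-level rule watches an established FTP control connection (port 21) for the PORT command and opens a one-shot inbound hole for the data connection, the way the post says Outpost does. The class and function names, the hosts and the packet sequence are all constructed for this walkthrough. One defender's check the post does not spell out is included: a PORT command that announces an address other than the local host's is ignored, since a filter that honoured it would be opening holes towards third parties.

```python
import re
from dataclasses import dataclass

# Constructed hosts for the walkthrough (documentation ranges, not real endpoints).
CLIENT = "192.0.2.10"       # the protected local machine
SERVER = "198.51.100.5"     # an FTP server the client talks to
ATTACKER = "203.0.113.7"    # an unrelated remote host sending unsolicited packets


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str    # "out": local host sends; "in": remote host sends
    payload: bytes = b""


# FTP active mode: the client announces "PORT h1,h2,h3,h4,p1,p2" on the control
# connection and the server then connects *in* to h1.h2.h3.h4 : p1*256+p2.
PORT_RE = re.compile(
    rb"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def parse_port_command(line: bytes):
    """Return (ip, port) from an FTP PORT line, or None if it is not a valid PORT."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


class StatefulFilter:
    """Packet-level state table plus one connection-level rule (FTP PORT)."""

    def __init__(self, local_ip, allow_new_outbound):
        self.local_ip = local_ip
        # Static policy: which (proto, remote port) the local host may *initiate*.
        self.allow_new_outbound = set(allow_new_outbound)
        # Packet-level state: established connections as (proto, lport, rip, rport).
        self.conns = set()
        # Connection-level state: one-shot inbound holes (proto, remote ip, local port)
        # opened by a PORT command seen on an established control connection.
        self.expected = set()
        # PORT commands that named an address other than ours (would-be FTP bounce).
        self.rejected_port = []

    def _conn_key(self, p):
        if p.direction == "out":
            return (p.proto, p.sport, p.dst, p.dport)
        return (p.proto, p.dport, p.src, p.sport)

    def check(self, p) -> str:
        key = self._conn_key(p)
        if key in self.conns:                      # (a) belongs to an existing connection
            if p.direction == "out" and p.proto == "tcp" and p.dport == 21:
                self._track_ftp_port(p)
            return "allow:established"
        if p.direction == "out" and (p.proto, p.dport) in self.allow_new_outbound:
            self.conns.add(key)                    # (b) new connection permitted by policy
            return "allow:new-outbound"
        if p.direction == "in":
            hole = (p.proto, p.src, p.dport)
            if hole in self.expected:              # inbound only if a PORT announced it
                self.expected.discard(hole)        # the hole is consumed by its first use
                self.conns.add(key)
                return "allow:expected-ftp-data"
        return "drop:unsolicited"

    def _track_ftp_port(self, p):
        parsed = parse_port_command(p.payload)
        if parsed is None:
            return
        ip, port = parsed
        if ip != self.local_ip:                    # never open holes towards third parties
            self.rejected_port.append((ip, port))
            return
        self.expected.add(("tcp", p.dst, port))    # only the server we talk to may connect


def run_ftp_session():
    """Constructed packet sequence; returns the filter's verdict for each packet."""
    f = StatefulFilter(CLIENT, allow_new_outbound={("tcp", 21), ("tcp", 80), ("udp", 53)})
    packets = [
        Packet("tcp", CLIENT, 51000, SERVER, 21, "out"),                      # control SYN
        Packet("tcp", SERVER, 21, CLIENT, 51000, "in", b"220 ready\r\n"),     # server reply
        Packet("tcp", CLIENT, 51000, SERVER, 21, "out", b"PORT 192,0,2,10,200,11\r\n"),
        Packet("tcp", ATTACKER, 20, CLIENT, 51211, "in"),                     # wrong source
        Packet("tcp", SERVER, 20, CLIENT, 51211, "in"),                       # announced data conn
        Packet("tcp", SERVER, 20, CLIENT, 51211, "in", b"file bytes"),        # now established
        Packet("tcp", CLIENT, 51000, SERVER, 21, "out", b"PORT 203,0,113,7,19,136\r\n"),
        Packet("udp", CLIENT, 40000, SERVER, 53, "out", b"dns query"),        # policy allows
        Packet("tcp", ATTACKER, 4444, CLIENT, 139, "in"),                     # unsolicited
    ]
    return [f.check(p) for p in packets], f


if __name__ == "__main__":
    verdicts, filt = run_ftp_session()
    for v in verdicts:
        print(v)
    print("rejected PORT commands:", filt.rejected_port)
```

    Running it shows the packet-level behaviour (the attacker's probes to 51211 and 139 are dropped as unsolicited, the DNS query passes because the policy permits initiating UDP/53) and the connection-level behaviour (the server's inbound connection to 51211 is accepted only because the PORT command on the control connection announced it, and the second PORT naming 203.0.113.7 opens nothing). The toy has no timeouts and no TCP flag tracking, which a real filter needs so that stale entries do not accumulate.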
     
  3. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Even Kerio v4 stops Wallbreaker cold.... It uses the "dumb" way that if you don't trust an app, it can't spawn another without your confirmation. What scares me is if a trojan (like the CodeRed worm) writes to a trusted app's memory space and spawns another process like IE... this would be "trusted" behaviour for apps like, say, Windows Explorer, which otherwise may NOT access the net, but this way, they circumvent the process.
    I believe that ANY app control should be able to handle ALL such cases.
     
  4. isnogood

    isnogood Registered Member

    Joined:
    Sep 22, 2004
    Posts:
    83
    Location:
    France
    Exactly, no13. That's why I don't trust any firewall with so-called application control, if it doesn't reliably handle all kinds of process spawning, dll or exe injection or direct memory access. I already uninstalled my Outpost trial, so I can't easily repeat my tests. What surprised me about Wallbreaker in regard to Outpost is that it's the second test which failed. That one is really the dumbest one. Description:

    I may report it to Agnitum directly, but I'm not their customer, not even a trial user actually. Perhaps other Outpost users could confirm this or report their objection. By the way, judging by the results on www.firawallleaktester.com, Outpost 2.5 does not pass Wallbreaker.

    Isnogood

    PS.
    100% agree with Paranoid2000 about SPI firewalls vs Application control.
    All depends on the use you make of the net. Server applications or network gateways don't surf anywhere, don't use P2P, don't download any kind of applications every day. So the risk of a trojan infection is close to zero. On the contrary, they must have strong protection from inbound forms of attack, which is provided by true, low-level stateful packet inspection firewalls. They must be configured by skillful admins in general.
    The home user is just the opposite.
     
  5. DRI

    DRI Guest

    Paranoid2000, you are taking most of these examples from the Agnitum forum where they use the excuses of WHY they don't include full SPI in their firewall, especially with p2p or FTP software! So by the same token, I will post something from James Grant, the author of 8Signs, to counteract your opinion--

    http://www.8signs.com/firewall/software_firewalls.cfm

    Which is a good example of why application filtering is 'illusionary' in the world of an otherwise leaky OS!

    I believe that SPI (just like with FW-1) is very important, but NOT a total solution to security. One still has to incorporate other security factors, such as an AT/AV. So, I am back to where I stood before, that I would rather have an SPI firewall than an application-based firewall any day!

    DRI-
     
  6. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    DRI
    a simple counter to your posts....
    Application firewalls (whether they have network firewalling or not) like SSM, BlackICE, and Tiny protect from trojan-like threats that are ITW. While AT programs depend on signatures and (to some extent) heuristics, an application firewall prevents ANY sort of phoning home, effectively blocking CodeRed and its ilk. If you want SPI, get a router... it doesn't "crash" or "hang" in the face of heavy attacks.

    Edit2: Also, application firewalls need not be updated daily to prevent threats... they are already designed to prevent such mishaps like dll or memory injections - methods of common trojans/spyware that even AVs and ATs tend to ignore... voluntarily or involuntarily.

    Edit: Also, what Paranoid mentioned earlier was a simple injection into a browser's URL field that many trojans may attempt to do... and it's damn easy to replicate... SPI won't be of much use then, would it? Then you'd need content filtering of the NIS/ZA kind...
     
    Last edited: Nov 13, 2004
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I've not taken any examples from the Outpost forum (aside from the Stateful Inspection FAQ link) and I'm not making any excuses. If you had actually bothered to read the link though, you'd have found that full SPI is offered for FTP (Outpost intercepts the PORT command and uses it to create a new rule for the data connection).
    Nothing in that article counters or even relates to the statements made above. The only criticism made is that trojans can attempt to terminate software firewalls - which is true but many firewalls now include some form of termination protection and for those that don't, there's Process Guard. This, by the way, has no bearing on the previous posts since a "full application SPI" firewall could also be terminated (unless you were actually talking about a firewall running on a separate system).
    Some level of SPI is important, but for an end-user application filtering is more important than "application-level" SPI. Luckily the vast majority of personal firewalls offer both.
     
  8. DRI

    DRI Guest

    Of course you didn't mention anything to do with P2P! So we can debate this till the end of time, but like I said before most of the users here or elsewhere are BLINDED and bombarded by this illusion. So, I agree that most 'malware' writers are also aware of this. So what firewall do you think they would try to target most? If you have a leaky bucket and try to patch up most of the holes, will it still leak? :) You figure it out. I use an SPI firewall and trust its security more than an application firewall that is 'stateful like'!

    My cents again!
     
  9. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    I have to be one of the heaviest surfers and downloaders online, I spend pretty much the entire day and night surfing and finding things possibly interesting to download and install/execute. And the places where I go, which I will not mention on here, are places more susceptible to having Trojans, or embedded Trojans. And I have a great variety of p2p software which I use on a regular basis, and to say with all these factors that SPI doesn’t benefit really shows how much one knows about SPI really.

    To actually hit the ball back over to you, I can easily say application-filtering-based software firewalls serve little to no use unless one does become infected with a Trojan. At least with a strong & true stateful packet-filtering system you are capable of detecting and stopping many forms of attacks, threats, and malformed packets being thrown at you on a day-to-day basis and I can’t say that for application-filtering-based software firewalls.

    To say SPI implementation crashes or hangs software firewalls, I would first say show me a strong & true stateful packet-filtering system which does those things you claim. Please don’t confuse the stateful-like SPI implemented in application-filtering-based software firewalls with the real deal; application-filtering-based software firewalls would be susceptible to those things, even the stateless application-filtering-based software firewalls out there `crashed` or `hung` upon the slightest heavy loads.

    It is really amusing though to see a lot of you on here who actually know very little about SPI and attacks, threats and malformed packets and yet belittle SPI and strong packet-filtering systems.

    Anyways… there are too many anti-strong&stateful_packet-filtering users in this community to even bother with it…
     
  10. isnogood

    isnogood Registered Member

    Joined:
    Sep 22, 2004
    Posts:
    83
    Location:
    France
    OK, I entered this forum to express my opinions, but also to learn in the first place. Phant0m, if you say that because others have a different point of view you won't even bother to share your knowledge, it's really a pity.
    I just can't believe that if you use P2P frequently, visit doubtful sites and download doubtful software you don't use any application control.

    I may agree that an SPI firewall gives you superior inbound attack protection, but how do you handle these apps you are trying? For me it's really the first line of defense against embedded trojans, viruses, rootkits and others. I have never been infected only because of this kind of protection. And nobody has ever broken into my system in spite of my lack of an SPI firewall.

    It's not only my 2 cents, it's also a question.

    Isnogood
     
  11. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Well if opinions include absurd remarks about SPI implementations and strong packet-filtering systems, yea that is definitely not a shared view, and a waste of time trying to explain anything to “many” closed-minded users who’ll make assumptions and talk **** about things they really have no clue of.

    If you followed my posts you’d see I haven’t disagreed that application-filtering of some form, even like what Look ‘n’ Stop offers, is comforting and beneficial, at times. I merely disagree with the idea that application-filtering is critical to everybody.

    And as for what is more critical, an opinion of mine is, depending on a person's activities, really even mere idling, attacks and threats and malformed packets happen on a day-to-day basis. I can sit here idling online and at the end of the day attempt to count all that had happened this day, for those. I personally prefer using a strong & stateful packet-filtering system over an application-filtering-based software firewall and feel comfort knowing that what is happening that I wouldn’t like is being stopped stone cold instead of being leaked into my system.

    However, you can’t really recommend one or the other, damned if you do and damned if you don’t. If people were determined enough they could find standalone application-filtering software, or, how I do it, reg up Look ‘n’ Stop (or another) firewall to allow me to use application-filtering alongside my strong & true stateful packet-filtering system. Of course you’d need guidance, and since I’m not about to offer guidance just yet, I wouldn’t recommend it to anybody. Installing two or more third-party software firewalls is always susceptible to conflicts without proper attendance.

    Thing is, even if I weren’t capable of using the two things together, I would still pick a strong & true stateful packet-filtering system over an application-filtering-based software firewall any day… That is me, I know…. (Especially AROUND message board communities).
     
  12. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    SPI-based firewalls themselves may or may not fail under load... but what of poor old Windows? Also, are we trying to decide for EVERYONE what's best for them? Certainly not. I thought the thread was there to establish a good defense system, rather than pick one category of firewalls over another.
    Hence, a question: what happens when an SPI-protected system gets a backdoor installed, leaking info through a proxy that you have allowed to be used? Note that backdoors are often like BackOrifice... demanding server access... and while they're ITW threats, not many AVs or ATs can stop them (sometimes, even WITH signatures)... Who is to say that the data being sent is a malformed packet?
    PS: AFAIK, SPI may leak out your private LAN IP...
    http://www.auditmypc.com/
    Do you have any way to stop this place?
    Anyways, I'm taking either Tiny or Outpost and both have SPI (or SPI-like features).
     
  13. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    No13, you are going in loops, what have I said again and again about the advantages and disadvantages of using an application-filtering based software firewall?

    As for your PS, I don’t find that amusing; even with an application-filtering based software firewall, the browser will leak this information anyway unless it filters web contents.

    As for poor old Windows and PC systems, how about Windows 95 running on a 486/20MHz with 8MB of RAM; I have this setup at home which I do use to run a lot of thorough tests on packet-filters. And I know from experience that many strong & stateful packet inspection firewalls function perfectly on older setups also. If they didn’t I wouldn’t recommend them anyway. In fact I can use software firewalls like 8Signs, CHX-I and many alike on these old systems without any problems, but the moment I try to use an application-filtering based software firewall, everything becomes affected. Anyways.......
     
  14. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    But I like loops...
    Anyway... I like to run 3 firewalls simultaneously, BEHIND a router, and that's JUST to stop UNWANTED APPS FROM USING MY PC.... is that so bad?
    Can SPI stop ZoneAlarm or PrevX or McAfee from sending usage statistics (even anonymous stats) if I want it to?
     
  15. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    You like loops, that’s fine but I’m not going to be toggled by you or anyone else.
    And going in loops just shows you have no concern for clean topics, or am I mistaken?

    If you want to run 3 or more third-party application-filtering based software firewalls, that is your decision to make, but you wouldn’t see me supporting that idea.

    If you have to ask such an SPI question like that, it really does show how ignorant you are to SPI. ;)
     
  16. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    In addition; if you have privacy issues, there's nothing I couldn't stop by using a hosts file.... :)
     
  17. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    You mistake a joke for a fact... my fault I guess... I do have a weird sense of humour

    Never asked for support.

    I was being sarcastic... Of course SPI can NEVER stop it...
    [Joke]
    BTW... if you use a hosts file to block anon usage stats (for say PrevX), will you disable the file while you update your SW (by connecting to www.prevx.com), or will you never update?
    [/Joke]
     
  18. isnogood

    isnogood Registered Member

    Joined:
    Sep 22, 2004
    Posts:
    83
    Location:
    France
    You keep arguing, Phantom, but you never answered precisely a simple question I have asked at least twice, and no13 also. I never asked you what firewall to choose, but just this:

    What do you do with all the apps that you pretend to download frequently from different more or less reputable sources on the net? How do you control their install and behaviour without a tight control?

    If you say you scan them with all sorts of AV/AT, the answer is that it is NOT SUFFICIENT and you take at least the same unconscious risk as we, less knowledgeable people, do by not using a full SPI firewall.

    I don't even mention using P2P, where you must allow nearly unrestricted in/out TCP/UDP traffic for example. The problem here is not fragmented/malformed packets. No way to have much control of IP addresses, and even ports, because all default local and remote ports may always be overridden by users. But this is another story.

    No offense intended, just answer at least the first question please.

    Isnogood
     
  19. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Are you saying that an SPI such as 8Signs cannot stop another program from calling home, or were you kidding? You can simply not allow access to w.e. IP they send information to.
     
  20. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    And how do you intend to first find (and then ban) IPs that are trojan/backdoor connected?
    You know, there is a good chance that this traffic may not consist of malformed packets AT ALL... what happens when an SSL app like pcAnywhere is attacked by a memory injection trojan like Slammer... (ok bad example, Slammer sent out malformed packets over UDP to initiate buffer overflows)... what about BackOrifice? A trojan server app on my PC... wow!! If I block ALL incoming, it's bye bye to messaging clients and other such stuff...
    Anyway... to each his own, I say...
    If non-SPI is actually bad, then we'll come round to the correct POV soon... Either way, I feel that a strong firewall config is AS important as the method of control.
    My $0.02.
     
  21. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Well 8Signs blocks everything by default, so by default the trojan would not be able to phone home. As for messaging clients, you would simply make rules to allow them. I never said I was against Application Protection and if you read my other posts you will see that I am for it.

    I think both a full SPI and application protection are very important, but that is just my opinion.
     
  22. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    I'm not fighting a war ya know...
    Anyway, you guys are getting too serious.. let's all calm down and have chocolates...
    And in return, I'll give you a round of Carbonated beverages...
     
  23. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    First of all you can PM me for address to send beverages to :D
    Second of all I am just participating in this thread and never noticed a "war".
    Third of all who are "you guys"?
     
  24. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    err.. OK...
    the beverages are valid only in this thread, so I'm sorry, no home deliveries :p
    The "war" is between SPI and non-SPI groups.
    "you guys" refers to all the active participants in the thread... politically incorrect, yes...
    So I'll change it to "you peeps"...OK? :D:):ninja:
     
  25. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    I’m not sure what software firewall's SPI implementation you are referring to; there are implementations where SPI is applied to all traffic traversing the interface, initiating connections being made from the local machine out, and also in from remote machines, and thus offering protection for existing connections. And packets that don't appear to be legit initiating connections from remote machines will be terminated stone cold unless you make explicitly allowed static rules that pass the packets through the SPI implementation to be, not filtered.

    It makes it easy for you to put fault, make presumptions about p2p software to better persuade yourselves over in the opposite direction. I know of some very well coded p2p software which from the point of creation hasn’t been shown to be vulnerable as of yet, and if and when the time arises the developers are more than quick enough to fix it. Actually it would be interesting to see you mention a couple of known vulnerabilities in some of the popular p2p software like KaZaa/Direct Connect and so forth for instance.

    Now let’s theorize for a second; even if the software firewall's SPI implementation you are possibly referring to functioned in that manner, it still would be of great value to use. You act as if, ‘well it can’t secure a specific port or two, SPI should be ditched entirely’… In any case, I don’t expect people ignorant of the ways of SPI to understand all the functions and benefits.

    PS: AJohn, SPI wouldn’t have any part in creating a specific rule to block packets to a specific IP; the benefit of application-filtering which no13 is trying to show is that if security software, perhaps with definitions, leaks, in the meanwhile you can’t merely ban that IP or the definition updates would not be kept up-to-date; basically any form of connection attempt would fail to that IP. And this is an advantage of application-filtering….
     