best inbound protection firewall question

hello members...thanks for allowing me to join this great forum....
this is my first post in the form of a question to any firewall experts....
i have read all the impressive outbound leak teats..
do firewalls have different abilities in stopping inbound threats?
i have read that spi ability offers some protection...
do members take inbound protection on blind faith or is there some tried and tested formula?
which is the best software firewall for inbound protection?
if there are better firewalls for inbound....how do you know they are better?
i would imagine stopping the nasty getting in is far better than tracking it once its in?

 

Use a hardware firewall / router

 

I agree with the above statement. I'm running a pretty decent one right now.

interested I personally don't know which software firewall offers the best inbound protection, which is why I opted for a hardware firewall, after doing some research of course, but hey I take it all with a grain of salt. If I'm unaware of anything thats going on with my CPU then in my mind nothing is going on....so maybe for me it could be blind faith and personal experience of a few nastys-malware, viruses, RKs....I agree with you about stopping the nastys from getting in is definitely far better than tracking it but theres others that would be elated to have a rare nasty on their box for forensics. Start clean stay clean..

 

hardware firewall / router

dear members...my question relates to a software firewall...
i do understand that a hardware firewall / router would be the best option..
i would be really interested in an informed answer..
thanks everybody..

 

Yeah i don't know what would be considered the best for inbound protection, or if theres is even much of a difference. As long as it stealths my ports i'm happy.

 

Well, my fave kerio 2.1.5 passes fragmented packets in, so I guess others are better in that way. Any firewall though should pass a portscan test like Shields Up!

All current firewalls have SPI (stateful packet inspection) with TCP protocol, AFAIK.
As an example I need only to allow TCP outgoing connections with Trillian using yahoo IM with any firewall.

For UDP, the newer ones keep also some book keeping on outgoing UDP connections. As an example you don't need a rule on incoming connection from time server to port 123 udp because allowing traffic out to timeserver the SPI UDP will allow a connection inbound too when it matches the bookkeeping.
Older firewalls would block it, so with newer firewalls one has to be more carefull what to allow out in UDP.
But since SPI has been a long time in use in TCP, I would not consider it a security risk. Allows you to not specify too wide incoming connection rules.

Yes, I guess excluding the portscan tests, we are leally in the blind. And excluding what windows services the fw is protecting us. With firewalls like kerio 2.1.5 one can be very specific what to allow for DHCP, DNS, loopback, and running services. Some firewalls are more like black boxes.
But IMO all software FW's should suffice, unless they are some new releases with possible "beta" bugs.

 

Well, the SPI of Jetico is quite strong. Not sure about others, though.

 

The Windows XP SP2 firewall has also good inbound protection.

 

Hello interested, Welcome to Wilders.

Yes.

This depends on the implementation of the SPI. One example (that I personally do not like) of SPI is "Outpost Pro", as if you enable SPI on browser rules this would allow inbound connections from any outbound that you make (meaning: If you connect out to a website with SPI enabled, then that site can make connections back into your PC, so if you connect to a "Bad" site, that site can connect back without issue) info I have personally never tested this, as I take the info given as correct.

Instead "Outpost pro" uses a "Attack Detection" plugin to filter out bad/illegal packets.

I personally test firewalls for Packet filtering ability, but this can be time consuming, and as the majority of members are only concerned with the inbound ability of a firewall to "Stealth" I only test firewalls I personally use and/or install on other users PC`s.

I would need to test them all before I could give an answer, and finding the time to make such comprehensive tests would be difficult.

 

Most firewalls operate in the same manner and have the same ability to protect your computer. Some also have self-protection so they cannot be terminated easily by malware. But most firewalls out there are not much different from one another. The difference is the rules that can be created and the ability to use specific rules to tighten down the areas of access to your system (ports, protocols, etc). This is where firewalls greatly differ in relation to another.

Some might take it on blind faith. I don't. I use tight firewall rules to lessen the areas of access that malware has to get into my system. Like I said, all the firewalls out there will perform reasonably well. However, some believe that stealthing their system will make them invisible to hackers. In actuality, there are cases where stealthing actually aids a hacker to know you are there. Stealthing ports is mostly hype and and a tactic companies use to sell firewall products. The important thing is that your vulnerable ports are CLOSED. Again, this is where good rules come into play. And, in order to have good rules, you need a firewall that allows you to employ good rules. [/QUOTE]

You know they are better if they allow you maximum flexibility in creating rules. This means you want a rules-based firewall rather than simply an application-based firewall. Many of the newer firewalls, such as Zone Alarm free, Comodo free are application-based rather than rules based. Comodo does allow you to create rules, but only to a certain point. I have spent countless hours researching firewalls and how to create proper rules. In my own opinion, there are only three firewalls out there that allow you to tighten your system down as much as possible: Kerio 2.1.5, Jetico, & Look n' Stop. Out of the three, I feel Kerio 2.1.5 is the easiest to configure. There are also numerous tutorials on the net that help with this. Jetico is an extremely effective firewall but difficult to learn. However, again, there is some great information here at Wilders on how to configure it. I don't know as much about Look n' Stop as it would not run right on my system and I didn't get to play with it much.

As far as fragmented packets - I run a packet sniffer as well as Wireshark and analyze my network traffic. In the last two years I've only had ONE alert for a fragmented packet. Also, as I believe Stem has also written about, there isn't any evidence that a fragmented packet can do any harm to your system. Aside from that concern, I kept trying other firewalls, but I keep coming back to Kerio 2.1.5 because none of the others give me the control I have with this older firewall. You can configure the rules as tight as you please, which is not something many of the newer firewalls seem to offer. In my thinking, that is the best protection against any inbound threats. Just like protecting your home - it wouldn't do you any good to have locked deadbolts on all the doors and have most of the windows closed and locked if you left two windows open. To me, that is the problem with some of the newer firewalls. They pass all the leaktest stuff, but leave the possibility for windows to be open that you can make sure are closed with some of these older firewalls. IMO, that is the way to look at it. Like I said, most of the firewalls operate basically the same way and all are effective to some extent. The decding factor is the USER, and the rules the user has in place to ensure all the doors and windows to his or her computer are closed to any intruders.

 

Fragmented packets can cause system hang, as I have posted info before (I think you have confused who posted what info)

To repeat some info:

As for "Kerio 2.1.5", a change to the registry "EnableFragmentChecking" can be made to block these.

As for "tight rules" within a firewall, yes these certainly help, but without correct packet filtering TCP exploits can be made.

 

dear members
thank you for all your answers...

dear stem
thank you for wecoming me to wilders...
your above quote suggests you that you have tested the firewalls you use for inbound ability...
would you be kind enough to tell me the name of the one/ones you were refering to in the quote?