Jetico 2: SPI & ARP SPI effectiveness?

There is concern expressed in the official forum about the effectiveness of these two areas in Jetico 2. Does anyone know if these are as strong as they should/could be?

Never mind, I got my query answered in the Jetico forum

[Stem]

Hello wat0114,

I did request an ARP SPI, but I am still waiting for this. The implementation made is very basic, and as far as I am concerned does not give the protection needed. I can easily DOS a PC on LAN via ARP that is protected by Jetico2.

Jetico have introduced what they say is an ARP SPI that is said to block unsolicited replies. I have not actually tested to see if it does this, as I do not use an ARP reply to DOS, I use an ARP request (as with most of the tools that are available to do this). As I have put forward a number of times, the only way to actually block this type of DOS is to be able to bind the gateway IP with its MAC address (so that inbound ARP (uni-cast frame) requests with incorrect binding of gateway IP with non-existent MAC address are blocked)

Thank you for the clarification Stem! I had a feeling this was not quite up to snuff with Jetico 2, based on what was reported in the Jetico forum. I'm not on a home or business LAN, but I believe my ISP, Shaw, does arrange their customers into LAN segments, so proper ARP SPI would certainly play an important role here. However, I'm behind a router so I do not really worry too much about this, plus I'm under the impression DOS attacks are most likely geared towards business servers. In the end, hopefully the developer, NAIL, will bolster this feature, though just like so many other firewall developers he seems preoccupied with hardening it towards leaktests.

Anyways, I like J2 tremendously and bought a license the other day. I have the configuration file whittled down to <100 kB, so I figure it's processing rules quite efficiently now

[Tommy]

JPF 2.0.0.37 allows APR opcode, src/dst IP checking. It also limits incoming ARP requests rate.

[Stem]

Hi Tommy,

Quote:

Originally Posted by Tommy

JPF 2.0.0.37 allows APR opcode, src/dst IP checking. It also limits incoming ARP requests rate.

I have just seen the new build. There is no mention about "limits incoming ARP request rate". If there is any such "limiting" then I hope this can be changed by the user.

I will install later to test this.

[Stem]

This update (.37) does now allow me to create rules to filter out the attempted DOS via ARP.

[Tommy]

Quote:

Originally Posted by Stem

This update (.37) does now allow me to create rules to filter out the attempted DOS via ARP.

I will check this later and also ask Nail. Still running Build 36.

[Stem]

Hi Tommy,

Quote:

Originally Posted by Tommy

I will check this later and also ask Nail. Still running Build 36.

Do check. I have done this and find from the default rule that a DOS via ARP is still possible. Simply try "Netcut".
There is a need to apply rules to filter. This I do find acceptable, as packet filter is made, so such as "netcut" cannot DOS. But, I do find the term "ARP SPI" confusing when applied to this within Jetico.
As example:-
I would expect that I could place a rule to allow outbound ARP to Broadcast/Gateway, any reply allowed based on this, but there is a need to create rules to allow the replies.

Dont get me wrong,... this implementation is good for me. I can block DOS attacks via ARP. (so can set rules for others I support)
As example:-
I have set rules to allow outbound/inbound ARP based on my gateway, I also allow mapping so connections can be made over the LAN. But still the attempt of DOS is blocked due to rules in place.

Here is an attempt from "Netcut" to DOS my PC, you will see the attempt to bind my gateway IP to a non-existent MAC address (these are the blocked "Not processed protocol") The gateway being 192.168.1.1, none of the MAC addresses shown are correct.



This is good for me. I know of no other firewall that can do this correctly (I still need to check look`n`stop on this)

[Tommy]

Just installed it and can confirm your report. Big advantage for Jetico!

[Stem]

Quote:

Originally Posted by Tommy

Just installed it and can confirm your report. Big advantage for Jetico!

Certainly.

Now if we can only get Jetico to allow import/export of rulesets (tables), so we can post rulesets for others, (as with jetico1) for simple import.

[Tommy]

Quote:

Originally Posted by Stem

Now if we can only get Jetico to allow import/export of rulesets (tables), so we can post rulesets for others, (as with jetico1) for simple import.

Agreed as this would help a lot. I will wright again an email to Nail.

[Stem]

Quote:

Originally Posted by Tommy

Agreed as this would help a lot. I will wright again an email to Nail.

I have asked before (2 or 3 times directly), and was told by "Nail" this would be easy to do, due to the way the rules are saved. But am still awaiting this.

It could certainly help a lot of users, as a "repository" of rule_sets could be made.

Thank you Stem and Tommy for sharing your results. It is good to see the developer addresses these (ARP filtering) concerns.

[lookcity]

Good news . Looking forward the sharing of the rules.