Wilders Security Forums > Security Products > other firewalls
Thread: Inbound firewall
#76  November 23rd, 2007, 07:03 PM
feniks (Regular Poster; Join Date: Sep 2007; Posts: 130)
Re: Inbound firewall

Quote:
Originally Posted by Phant0m
feniks; you can agree all you like with anyone; the thing that remains is ignorance, and ignorant remarks. Most SPI implementations are already set and forget; no special knowledge is required to be running behind SPI.

Regards,
Phant0m``

Yes, I am ignorant, but when I read the discussion between Stem and Mike about the lack of full SPI in OA, or between Stem and Melih about SPI in Comodo, or when I read about filtering in CHX-I (I was using it and I know what SPI options it has), then even though I am ignorant I do understand that this is something a good firewall should have.

If CHX-I should be the benchmark, then OA is a loser the same way Windows XP is in the Matousec tests. Maybe it will lose even against the XP firewall?
Or am I completely wrong? Or does it not matter whether there is SPI and how good it is?

You have to agree that not all popular firewalls have it; even Jetico's implementation is not perfect.

Why should I not look for such an answer? Or does nobody here know the answer?

EDIT. Well, I read it again and I have to admit I do not understand what you are talking about. About whom I agree with, and with what? And you talk about my ignorance and my ignorant remarks? Where did I say that special knowledge is required to be protected by SPI? So what if SPI is from 1990 - does OA have it, and in full: deep packet inspection, pseudo UDP and ICMP, or only TCP SYN (all out is allowed in)? Sorry for my English; you are an expert, so you know what I mean.

Last edited by feniks : November 23rd, 2007 at 07:35 PM.
#77  November 23rd, 2007, 07:25 PM
Phant0m (Massive Poster; Join Date: Jun 2003; Location: Canada; Posts: 3,327)
Re: Inbound firewall

feniks, I agree that many of the places people decide to go and take advice from are so very ridiculous; there are so many amateurs out there who discuss things they have little to no knowledge of. Trying to find reliable sources can be difficult at times; it isn't impossible, but it does require self-dedicated investigation.

I don't think many will be able to answer which is the best firewall for inbound; there's not even much technical detail from product developers on their implementations. I agree it isn't easy to get technical details when asking the product developers, but you should at least try.

I find it really sad that Comodo PF or any developer wouldn't respond happily with technical details regarding their product features' implementations, ... like for SPI. I have even been curious from afar about exactly their SPI implementation. I guess one is going to have to download, install and run extensive tests to get the answers.


Diver, that's a very good question, "any of the widely used firewalls have a proper SPI implementation or not". I think it would be very reliable to get product technical details of their SPI implementations; I think each user of a different firewall should contact their product developer and ask for technical details. Then posting it all in one location would be very much appreciated...

Matousec must have been in reference to products' static packet filtering capabilities... and up against online web scanners....


dmenace; it's also very good to know, even more so for some, how their products' SPI works, and I really cannot complain.

Yet another very good question: "But is there anything else apart from SPI that will give a firewall better inbound filtering?".


Regards,
Phant0m``
__________________
"Success is almost totally dependent upon drive and persistence. The extra energy required to make another effort or try another approach is the secret of winning.” --Dennis Waitley
#78  November 23rd, 2007, 07:36 PM
Phant0m (Massive Poster; Join Date: Jun 2003; Location: Canada; Posts: 3,327)
Re: Inbound firewall

Hi feniks,

You are of course right; it's important to find out how different software products implement SPI before we can really form opinions even.

You surely aren't doing anything wrong by seeking such answers; I'm actually excited to see people ask questions about firewall products' inbound filtering capabilities. Good job!
#79  November 23rd, 2007, 07:37 PM
Kerodo (Incredibly Massive Poster; Join Date: Oct 2004; Posts: 6,066)
Re: Inbound firewall

Quote:
Originally Posted by feniks
Yes, I am ignorant, but when I read the discussion between Stem and Mike about the lack of full SPI in OA, or between Stem and Melih about SPI in Comodo, or when I read about filtering in CHX-I (I was using it and I know what SPI options it has), then even though I am ignorant I do understand that this is something a good firewall should have.

If CHX-I should be the benchmark, then OA is a loser the same way Windows XP is in the Matousec tests. Maybe it will lose even against the XP firewall?

Or am I completely wrong? Or does it not matter whether there is SPI and how good it is?

You have to agree that not all popular firewalls have it; even Jetico's implementation is not perfect.

Why should I not look for such an answer? Or does nobody here know the answer?
feniks, you are right to ask questions like this, and you are not ignorant either. With all due respect to our local experts here like Stem and Phantom, who are both quite knowledgeable, I think nobody has any really good and *practical* answers for you.

You can try to obtain tech specs from the developers if you like, and research further; it's up to you. If you do, please share your findings..

My personal take on all this is that there isn't much point in getting buried in a lot of tech details. I used to install and test and experiment with all the various software firewalls available a year or two ago. It was fun. Then I got a router, dropped the software firewalls, and have been happy ever since. I believe that for any home user, that's all one needs. In fact, for any normal home user, almost *any* bug-free software firewall will be good enough too, including the Win firewall if you like. Remember, we're talking inbound here.

Now I'm sure people can and will argue with this, but put it to the test and see. That's what really matters and counts, not 1000 technical details and/or expert opinions.

Again, just my humble 2 cents....
#80  November 23rd, 2007, 07:45 PM
feniks (Regular Poster; Join Date: Sep 2007; Posts: 130)
Re: Inbound firewall

Quote:
Originally Posted by Phant0m
Hi feniks,

You are of course right, it's important to find out how different software products implement SPI, before we can really make opinions even.

You surely aren't doing any wrong by seeking such answers, I'm actually excited to see people ask questions about firewall products inbound filtering capabilities. Good job!

Please read my edit here:

post 76

And I think you answered here.
#81  November 23rd, 2007, 08:05 PM
Phant0m (Massive Poster; Join Date: Jun 2003; Location: Canada; Posts: 3,327)
Re: Inbound firewall

I don't use Online Armor, never used Online Armor, and the official product website doesn't seem to 'mention' any sort of SPI. A firewall developer would definitely want to advertise this if it has it.... so at first glance, I say it doesn't.


Regards,
Phant0m``
#82  November 23rd, 2007, 08:27 PM
feniks (Regular Poster; Join Date: Sep 2007; Posts: 130)
Re: Inbound firewall

Quote:
Originally Posted by Phant0m
A firewall developer would definitely want to advertise this if it has it....

Regards,
Phant0m``

That is something to start with... A very good tip, and very logical.

And if the developer does not answer, that is suspicious, right?
#83  November 23rd, 2007, 08:34 PM
Phant0m (Massive Poster; Join Date: Jun 2003; Location: Canada; Posts: 3,327)
Re: Inbound firewall

Quote:
Originally Posted by feniks
That is something to start with... A very good tip, and very logical.

Don't forget the support forums...


Quote:
Originally Posted by feniks
And if the developer does not answer, that is suspicious, right?

Indeed.
#84  November 24th, 2007, 12:43 AM
feniks (Regular Poster; Join Date: Sep 2007; Posts: 130)
Re: Inbound firewall

People ignore proper packet filtering and inbound protection; then why do we have so many questions like:

I lost my connection
I have a very slow connection speed
My transfer is so slow
My browser opens pages so slowly

If I understand correctly what I read, a simple blind ICMP attack can harm our connection throughput. One is when the attacker keeps sending "fragmentation needed and DF bit set" messages, which forces PMTUD to lower the MSS (maximum segment size) for the connection and practically disables communication.

This is one example of an attack; maybe we are already safe from that, but I read that many Cisco routers were vulnerable to these attacks. And I am sure there are many other forms of attack, not malware or spyware, but "only" messing with our internet connection: slowing it down, breaking connections for some time, etc. etc.

So the question is, are we protected from that?
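As an added illustration of the PMTUD attack feniks describes (example code, not part of the original post or of any product in this thread): a stateful filter validates an inbound ICMP "fragmentation needed" message against its connection table before letting it lower the path MTU. A blind attacker can guess addresses and ports, so the quoted TCP sequence number must also fall inside the unacknowledged send range, the check recommended in RFC 5927. The connection-table layout, the 576-byte floor and the addresses are assumptions of this example.

```python
"""Validate an inbound ICMP "fragmentation needed and DF set" message (type 3, code 4)
against a connection table before letting it shrink the path MTU.
Added example built on constructed packets; not code from any product in the thread.
Assumed: per TCP connection the firewall tracks the unacknowledged send range
SND.UNA..SND.NXT (as a host stack would) and refuses MTUs below a configurable floor."""
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4
PROTO_ICMP, PROTO_TCP = 1, 6
MOD = 1 << 32
MIN_ACCEPTED_MTU = 576   # assumption: every IPv4 host must accept 576-byte datagrams, so go no lower

@dataclass
class Conn:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    snd_una: int          # oldest sequence number we sent that is still unacknowledged
    snd_nxt: int          # next sequence number we will send
    path_mtu: int = 1500

class ConnTable:
    def __init__(self):
        self._conns = {}

    def add(self, c):
        self._conns[(c.local_ip, c.local_port, c.remote_ip, c.remote_port)] = c

    def lookup(self, local_ip, local_port, remote_ip, remote_port):
        return self._conns.get((local_ip, local_port, remote_ip, remote_port))

def ip_to_bytes(s):
    return bytes(int(x) for x in s.split("."))

def bytes_to_ip(b):
    return ".".join(str(x) for x in b)

def build_ipv4_header(src, dst, proto, total_len):
    # version 4, IHL 5, TOS 0, id 0, DF set, TTL 64, checksum left zero (not verified here)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, proto, 0,
                       ip_to_bytes(src), ip_to_bytes(dst))

def build_frag_needed(router_ip, our_ip, inner_src, inner_dst, sport, dport, seq, next_hop_mtu):
    """Constructed ICMP type 3 code 4 quoting the inner IP header plus 8 bytes of TCP (ports, seq)."""
    inner = build_ipv4_header(inner_src, inner_dst, PROTO_TCP, 1500) + struct.pack("!HHI", sport, dport, seq)
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu) + inner
    return build_ipv4_header(router_ip, our_ip, PROTO_ICMP, 20 + len(icmp)) + icmp

def in_window(x, lo, hi):
    return (x - lo) % MOD < (hi - lo) % MOD   # lo <= x < hi modulo 2**32

def validate_frag_needed(packet, table):
    """Return (accepted, reason). Only an accepted message may lower the connection's path MTU."""
    if len(packet) < 20 or packet[9] != PROTO_ICMP:
        return False, "not icmp"
    icmp = packet[(packet[0] & 0x0F) * 4:]
    if len(icmp) < 8 + 20 + 8:
        return False, "truncated: inner header plus 8 bytes of transport header required"
    itype, icode, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, icode) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        return False, "not frag-needed"
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != PROTO_TCP or len(inner) < inner_ihl + 8:
        return False, "inner datagram is not a checkable tcp segment"
    inner_src, inner_dst = bytes_to_ip(inner[12:16]), bytes_to_ip(inner[16:20])
    sport, dport, seq = struct.unpack("!HHI", inner[inner_ihl:inner_ihl + 8])
    # The quoted datagram is one we sent, so its source is our side of the connection.
    conn = table.lookup(inner_src, sport, inner_dst, dport)
    if conn is None:
        return False, "no matching connection"
    # Ports can be guessed blind; the quoted sequence number must also fall in our
    # unacknowledged send range (the check recommended in RFC 5927, section 4.1).
    if not in_window(seq, conn.snd_una, conn.snd_nxt):
        return False, "quoted sequence number outside send window"
    if mtu < MIN_ACCEPTED_MTU:
        return False, "advertised mtu below floor"
    if mtu >= conn.path_mtu:
        return False, "no change"
    conn.path_mtu = mtu
    return True, "path mtu lowered"

if __name__ == "__main__":
    table = ConnTable()
    conn = Conn("192.0.2.10", 40000, "198.51.100.5", 443, snd_una=1000, snd_nxt=5000)
    table.add(conn)
    args = ("203.0.113.1", "192.0.2.10", "192.0.2.10", "198.51.100.5", 40000, 443)
    print(validate_frag_needed(build_frag_needed(*args, 2000, 1400), table), conn.path_mtu)
    print(validate_frag_needed(build_frag_needed(*args, 123456789, 68), table), conn.path_mtu)
```

Run stand-alone, it prints the verdict for a legitimate message (path MTU drops to 1400) and for a blind one that guesses the ports but not the sequence number (dropped, MTU unchanged). A real implementation would also verify the ICMP checksum and rate-limit accepted messages; both are left out here so the state check itself stays visible.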
#85  November 24th, 2007, 12:59 AM
MikeNash (Global Moderator; Join Date: Jun 2005; Location: Sydney, Australia; Posts: 1,652)
Re: Inbound firewall

Quote:
Originally Posted by feniks
That is something to start with... A very good tip, and very logical.

And if the developer does not answer, that is suspicious, right?

I've answered this question to death already

We have a state table.
We do not (yet) do deep inspection of packets
This is something that we plan to add in a future release.
__________________
Mike Nash
Tall Emu Pty Ltd


Mike's Blog
#86  November 24th, 2007, 01:46 AM
feniks (Regular Poster; Join Date: Sep 2007; Posts: 130)
Re: Inbound firewall

Quote:
Originally Posted by MikeNash
I've answered this question to death already

We have a state table.
We do not (yet) do deep inspection of packets
This is something that we plan to add in a future release.

Yes, you are right. I read that somewhere, I guess in your discussion with Stem.

I simply forgot. Please forgive me. I think I have a problem remembering all that. Too much reading in the last weeks.

Mike, I really (I think not only me) respect your work and honest approach.

And I wish you and your baby OA all the best.
#87  November 24th, 2007, 04:17 AM
Stem (Firewall Expert; Join Date: Oct 2005; Location: UK; Posts: 4,948)
Re: Inbound firewall

OK,

Do I check firewalls' SPI implementation? Yes, but this is time consuming, and to check correctly I use 3 PCs, and believe it or not, I do use my PCs for other things than just checking firewalls.

As an example, the last firewall I looked at was PCtools firewall, which stated "full SPI"; when I checked, I questioned this, as it allowed invalids etc. through,.. the description of SPI by the vendor was then changed.

One of the problems is the term "SPI" and the way this is used by vendors. As I have put forward before, I expect an SPI firewall to check TCP down to the sequence number; anything else, for me, is not SPI. This was one of the reasons I asked about the implementation of SPI in routers.

Could I put forward a list of firewalls that perform such checks? Yes, I could say "firewall A" does, and "firewall B" does not, but then I would get the fanboys of "firewall B" giving flame on my tests, with my need to show these,.. then who would take the time to check? I would then get the usual posts of "does it matter"; I would then need to post info on the packets that cause problems/bypass, and I will not do that. So, in circles we will go.

I will still press vendors to implement full SPI, regardless of whether users think this is needed or not (I know it is).
Do realise, SPI is not like a HIPS; you will not get popups asking if certain packets should be allowed or not; invalid/bad etc. packets should simply be dropped.
#88  November 24th, 2007, 05:23 AM
Phant0m (Massive Poster; Join Date: Jun 2003; Location: Canada; Posts: 3,327)
Re: Inbound firewall

Quote:
Originally Posted by MikeNash
I've answered this question to death already

We have a state table.
We do not (yet) do deep inspection of packets
This is something that we plan to add in a future release.


MikeNash, I apologize for my ignorance on the subject.

Keeping a state table is done even for connectionless protocols like UDP and ICMP; so far all this tells me is that there are possibly stateful-like mechanisms in OA, and to what extent remains to be seen... And then there's stateful packet inspection, and then there's 'deep packet inspection'.

Has this already been detailed? Could you or someone else please post me some links?
#89  November 24th, 2007, 05:33 AM
MikeNash (Global Moderator; Join Date: Jun 2005; Location: Sydney, Australia; Posts: 1,652)
Re: Inbound firewall

Quote:
Originally Posted by Phant0m
MikeNash, I apologize for my ignorance on the subject.

Keeping a state table is done even for connectionless protocols like UDP and ICMP; so far all this tells me is that there are possibly stateful-like mechanisms in OA, and to what extent remains to be seen... And then there's stateful packet inspection, and then there's 'deep packet inspection'.

Has this already been detailed? Could you or someone else please post me some links?

Hi Phant0m,

I think by your measures, SPI in OA is minimal at the moment... we keep state tables for all connections (I believe including UDP/ICMP, but I would have to check on Monday). Other than that, we don't currently do so.

We do plan some enhancements in this area in the future - particularly I've discussed implementing Snort rules.

Cheers

Mike
#90  November 24th, 2007, 05:43 AM
Phant0m (Massive Poster; Join Date: Jun 2003; Location: Canada; Posts: 3,327)
Re: Inbound firewall

Hi MikeNash,

By my measures, ... accurate measures..

Thank you for the clarity, and I'll be looking forward to seeing your next post confirming if OA does state table for connectionless protocols like UDP and ICMP. Also enhancements in these areas are always much appreciated.
#91  November 24th, 2007, 09:16 AM
Diver (Very Frequent Poster; Join Date: Feb 2005; Location: Deep Underwater; Posts: 1,432)
Re: Inbound firewall

OA:

I thought there was an issue where network discovery and file/printer sharing were hard-wired on. OK if you always want them on in a home or SOHO network, bad otherwise. Does anyone know if this has been fixed?

Stem:

You should publish your results fanboys or not. No point in treating hard won knowledge as some mysterious thing.

On a lighter note, Diver is about to head out tomorrow to go scuba diving.
__________________
Only those defenses are good, certain and durable, which depend on yourself alone and your own ability.

The Prince, by Niccolo Machiavelli.
#92  November 24th, 2007, 10:59 AM
feniks (Regular Poster; Join Date: Sep 2007; Posts: 130)
Re: Inbound firewall

Quote:
Originally Posted by Stem
OK,
As an example, the last firewall I looked at was PCtools firewall, which stated "full SPI"; when I checked, I questioned this, as it allowed invalids etc. through,.. the description of SPI by the vendor was then changed.

One of the problems is the term "SPI" and the way this is used by vendors. As I have put forward before, I expect an SPI firewall to check TCP down to the sequence number; anything else, for me, is not SPI. This was one of the reasons I asked about the implementation of SPI in routers.

I think you questioned it here in the forum, and see that vendors are reading the forum and care if that is public.

Quote:
Originally Posted by Stem
Could I put forward a list of firewalls that perform such checks? Yes, I could say "firewall A" does, and "firewall B" does not, but then I would get the fanboys of "firewall B" giving flame on my tests, with my need to show these,.. then who would take the time to check? I would then get the usual posts of "does it matter"; I would then need to post info on the packets that cause problems/bypass, and I will not do that. So, in circles we will go.

But think how much good will come out of this. Look at the PCtools and Mike examples.

I think a great number of people will benefit from such information. Many people here accept you as an expert not because of the title, but from reading your posts. And you do not have to go into details, as not many even understand all of that. As for fanboys, you can just ignore them or answer. People read and think, believe me. Well, there is always a price, but the discussion begins and many people become aware of the subject, start asking vendors, etc. Vendors will be forced to stop ignoring this subject.

How many people understand how a leaktest works? They just read that there is something that needs to be there and become interested in whether their firewall has it.

Quote:
Originally Posted by Stem
I will still press vendors to implement full SPI, regardless of whether users think this is needed or not (I know it is).
Do realise, SPI is not like a HIPS; you will not get popups asking if certain packets should be allowed or not; invalid/bad etc. packets should simply be dropped.

Believe me, you alone will not mean as much to vendors as many users. And to them you are not even a user of their product. Money counts.

But of course, feel free to do whatever you decide to do.

I became aware of SPI and filtering because you mentioned it many times. Thank you.

But still I do not know much when it gets down practically to firewalls, and what I know was achieved the Indiana Jones way, searching for hidden treasure.
#93  November 24th, 2007, 02:01 PM
wat0114 (Posts: n/a)
Re: Inbound firewall

Quote:
Originally Posted by feniks
I became aware of SPI and filtering because you mentioned it many times. Thank you.

Likewise with me too. Before, if I saw "SPI" advertised for any PC firewall I would think: "wow, that is impressive!" but after seeing that Stem has exhausted time and effort in testing for this and seeing less than impressive results, which he has stated many times in this forum, I now will take it very seriously and do whatever I can to press vendors (at least with regards to products I use) to properly implement it, in spite of those who declare it is unnecessary because in "their experience" they have never been burned by it. It is like saying: "I only require seatbelts for my safety while driving a car because the airbag has never actuated in my few fender benders. The seatbelt always prevented serious injury." Of course the airbag actuates at higher impacts, preventing one's face from smashing into the steering wheel or dash. This may seem like a lame analogy, but it is the best I could conjure up.

A firewall and security expert is stating the importance of SPI (airbag), yet there are some who refute it! Baffling, to say the least.
#94  November 24th, 2007, 02:38 PM
Pedro (Massive Poster; Join Date: Nov 2006; Posts: 3,493)
Re: Inbound firewall

Quote:
Originally Posted by Stem
Could I put forward a list of firewalls that perform such checks? Yes, I could say "firewall A" does, and "firewall B" does not, but then I would get the fanboys of "firewall B" giving flame on my tests, with my need to show these,.. then who would take the time to check? I would then get the usual posts of "does it matter"; I would then need to post info on the packets that cause problems/bypass, and I will not do that. So, in circles we will go.
I take many things for granted; some of that is what vendors say.
I would prefer to know what is true or not with your tests, whether the firewall is my favourite or not. Just try to give details as far as you can, and forget anything else. I value information and facts.

Cheers
#95  November 24th, 2007, 02:42 PM
Stem (Firewall Expert; Join Date: Oct 2005; Location: UK; Posts: 4,948)
Re: Inbound firewall

Quote:
Originally Posted by Phant0m
.... if OA does state table for connectionless protocols like UDP and ICMP
Yes, it does.
#96  November 24th, 2007, 06:03 PM
Seer (Very Frequent Poster; Join Date: Feb 2007; Location: Singidunum; Posts: 1,578)
Re: Inbound firewall

Hello.

Quote:
Originally Posted by Diver
You should publish your results fanboys or not.

Quote:
Originally Posted by feniks
I thing great numbers of people will benefit from such information.

Quote:
Originally Posted by Pedro
Just try to give details as far as your can

There is no need for Stem to post a detailed report on his findings. He already does much on this subject (from time to time); you would just need to pay a little attention. Publishing that kind of info is not a trivial matter...

Cheers,
__________________
Nick
#97  November 24th, 2007, 07:43 PM
RejZoR (Polymorphic Sheep; Join Date: May 2004; Location: Europe/Slovenia/Ljubljana; Posts: 5,367)
Re: Inbound firewall

I think Comodo Firewall set to "Training Mode" and with Network Rules applied could also do it. This way it will automatically set everything for applications while still using the inbound filter/attack detection engine.
__________________
RejZoR's Little Secrets
#98  November 24th, 2007, 09:02 PM
Phant0m (Massive Poster; Join Date: Jun 2003; Location: Canada; Posts: 3,327)
Re: Inbound firewall

On an additional note, there's something I simply would like to point out...

Stateful inspection and stateful filtering aren't quite the same thing, and apparently there is much confusion on all sides when discussing SPI.

Stateful inspection provides highly efficient traffic inspection with full application-layer awareness, whereas stateful filtering doesn't have application-layer awareness... This is how it was coined from the beginning, so for instance CHX-I, 8Signs and Look 'n' Stop using the 'stateful inspection' label isn't accurate by the originally coined terms...


... Please, not the face?!?!


Regards,
Phant0m``
#99  November 25th, 2007, 01:11 AM
Stem (Firewall Expert; Join Date: Oct 2005; Location: UK; Posts: 4,948)
Re: Inbound firewall

Quote:
Originally Posted by Phant0m
On an additional note, there's something I simply would like to point out...

Stateful inspection and stateful filtering aren't quite the same thing, and apparently there is much confusion on all sides when discussing SPI.

Stateful inspection provides highly efficient traffic inspection with full application-layer awareness, whereas stateful filtering doesn't have application-layer awareness... This is how it was coined from the beginning, so for instance CHX-I, 8Signs and Look 'n' Stop using the 'stateful inspection' label isn't accurate by the originally coined terms...


I think it is the vendors that have the most confusion on this point.

For example, CHX-I does perform SPI (stateful packet inspection); this is a check on the state of the TCP packet (flag check).
Stateful filtering would describe a firewall that only checks IP/port for TCP (as with protocols such as UDP).

Quote:
The definition of stateful filtering seems to vary greatly among various product vendors and has developed somewhat, as time has gone on. Stateful filtering can mean anything, from the ability to track and filter traffic based on the most minute of connection details to the ability to track and inspect session information at the application level

Stateful filtering has been used to define the stateful tracking of protocol information at Layer 4 and lower. Under this definition, stateful filtering products exhibit no knowledge of application layer protocols. At the most basic level, such products use the tracking of the IP addresses and port numbers of the connecting parties to track state. This is the only way that connectionless protocols can be tracked, but at best, this is only "pseudo-stateful." What about using this same method of stateful filtering for the tracking of the connection-oriented TCP? This method does not in any way track the TCP flags. TCP's flags define its connection states; therefore, although this method might be tracking some information from the various communication sessions, it is not truly tracking the TCP connection state.
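To make the distinction above concrete, here is an added example (not code from CHX-I, Online Armor or any other product in the thread) that also illustrates Stem's point in post #87 that SPI means checking TCP down to the sequence number. It places a "pseudo-stateful" filter that only remembers address/port tuples beside a stateful packet inspector that keeps a per-connection TCP state machine and checks flags, the receive window and the acknowledgement range, then replays one constructed exchange through both. Class names, state names and the fixed 64 KiB window are assumptions of this example.

```python
"""Stateful filtering (address/port tracking only) beside stateful packet inspection
(TCP flag, sequence and acknowledgement checks) over one constructed exchange.
Added example; not code from any firewall discussed in the thread."""
from collections import namedtuple
from dataclasses import dataclass

SYN, ACK, FIN, RST = "SYN", "ACK", "FIN", "RST"
MOD = 1 << 32
RCV_WND = 65535   # assumption: fixed advertised receive window for the demo
# sender/receiver are (ip, port) tuples; flags is a frozenset; length is payload bytes
Pkt = namedtuple("Pkt", "sender receiver flags seq ack length", defaults=(0, 0, 0))

def seq_in(x, lo, span):
    return (x - lo) % MOD < span          # x in [lo, lo + span) modulo 2**32

class StatefulFilter:
    """Pseudo-stateful: remember the tuple of anything sent out, admit the reverse tuple back in."""
    def __init__(self):
        self.table = set()

    def outbound(self, p):
        self.table.add((p.sender, p.receiver))
        return True

    def inbound(self, p):
        return (p.receiver, p.sender) in self.table   # flags and sequence numbers never examined

@dataclass
class TcpState:
    state: str
    snd_una: int      # oldest byte we sent that the peer has not acknowledged
    snd_nxt: int      # next sequence number we will send
    rcv_nxt: int = 0  # next sequence number we expect from the peer

class SpiFilter:
    """SPI: one TCP state machine per connection; inbound packets that do not fit it are dropped."""
    def __init__(self):
        self.table = {}

    def outbound(self, p):
        st = self.table.get((p.sender, p.receiver))
        if st is None:
            if p.flags != frozenset({SYN}):
                return False              # only a SYN may open a connection
            self.table[(p.sender, p.receiver)] = TcpState("SYN_SENT", p.seq, (p.seq + 1) % MOD)
            return True
        st.snd_nxt = (st.snd_nxt + p.length + (FIN in p.flags)) % MOD  # local stack is trusted
        return True

    def inbound(self, p):
        key = (p.receiver, p.sender)
        st = self.table.get(key)
        if st is None or (SYN in p.flags and FIN in p.flags):
            return False                  # unsolicited, or an impossible flag combination
        if st.state == "SYN_SENT":
            if p.flags != frozenset({SYN, ACK}) or p.ack != st.snd_nxt:
                return False              # must acknowledge exactly our ISN + 1
            st.rcv_nxt, st.snd_una, st.state = (p.seq + 1) % MOD, p.ack, "ESTABLISHED"
            return True                   # simplification: established once the SYN/ACK is valid
        if SYN in p.flags or (ACK not in p.flags and RST not in p.flags):
            return False                  # stray SYN, or neither ACK nor RST set
        if RST in p.flags:                # RFC 5961 style: a reset must hit rcv_nxt exactly
            if p.seq != st.rcv_nxt:
                return False
            del self.table[key]
            return True
        if (not seq_in(p.seq, st.rcv_nxt, RCV_WND)
                or not seq_in(p.ack, st.snd_una, (st.snd_nxt - st.snd_una) % MOD + 1)):
            return False                  # outside the receive window, or acks data we never sent
        if p.seq == st.rcv_nxt:           # in-order segment advances the window
            st.rcv_nxt = (p.seq + p.length + (FIN in p.flags)) % MOD
        st.snd_una = p.ack
        return True

def run_scenario():
    """Replay a constructed client-side exchange; returns {step: (pseudo-stateful, SPI)} verdicts."""
    us, them, isn_us, isn_them = ("192.0.2.10", 40000), ("198.51.100.5", 80), 1000, 500000
    out = lambda flags, seq, ack=0, length=0: Pkt(us, them, frozenset(flags), seq, ack, length)
    inb = lambda flags, seq, ack=0, length=0: Pkt(them, us, frozenset(flags), seq, ack, length)
    steps = [
        ("out SYN", "out", out({SYN}, isn_us)),
        ("in SYN/ACK", "in", inb({SYN, ACK}, isn_them, isn_us + 1)),
        ("out ACK", "out", out({ACK}, isn_us + 1, isn_them + 1)),
        ("in data, in window", "in", inb({ACK}, isn_them + 1, isn_us + 1, 100)),
        ("in SYN+FIN on same tuple", "in", inb({SYN, FIN}, isn_them + 101, isn_us + 1)),
        ("in ACK, seq far outside window", "in", inb({ACK}, isn_them + 10_000_000, isn_us + 1, 10)),
        ("in ACK acking unsent data", "in", inb({ACK}, isn_them + 101, isn_us + 50_000)),
        ("in RST with wrong seq", "in", inb({RST}, isn_them + 5000)),
        ("in RST with exact seq", "in", inb({RST}, isn_them + 101)),
    ]
    pseudo, spi, results = StatefulFilter(), SpiFilter(), {}
    for name, direction, p in steps:
        method = "outbound" if direction == "out" else "inbound"
        results[name] = (getattr(pseudo, method)(p), getattr(spi, method)(p))
    return results

if __name__ == "__main__":
    for name, (a, b) in run_scenario().items():
        print(f"{name:34} pseudo-stateful={'pass' if a else 'drop'}  spi={'pass' if b else 'drop'}")
```

Run stand-alone, it prints one line per step. Both filters admit the handshake and the in-window data; only the inspector drops the SYN+FIN segment, the segment far outside the window, the ACK for data never sent and the RST with the wrong sequence number, which is the class of "invalid" packets Stem says should simply be dropped. Anything beyond the transport header (deep packet inspection) is out of scope here.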
#100  November 25th, 2007, 03:37 AM
CoolWebSearch (Frequent Poster; Join Date: Sep 2007; Posts: 372)
Re: Inbound firewall

Quote:
Originally Posted by Stem
I think it is the vendors that have most confusion on this point.

For example, CHX-I does perform SPI (stateful packet inspection); this is a check on the state of the TCP packet (flag check).
Stateful filtering would describe a firewall that only checks IP/port for TCP (as with protocols such as UDP).

Hi Stem, I wanted to ask you if ZA Pro 7.0.462.000 has full Stateful Packet Inspection for application filtering and all other things...?
I mean, their website claims that it has SPI (after all, Checkpoint invented SPI, as far as I know, and the same Checkpoint bought ZoneAlarm).

And what about its anti-MAC-spoofing and ARP protection?

Thanks a lot.

What about configurability?
I tried to configure some things in ZA Pro, but it seems to me that I can't do it manually.
Maybe there was a thread about this.
Thanks.
 

All times are GMT -4.

Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums