Wilders Security Forums  

  #101  
Old November 25th, 2007, 04:05 AM
AJohn AJohn is offline
Frequent Poster
 
Join Date: Sep 2004
Posts: 935
Default Re: Inbound firewall

I think inbound protection is something that should be rated just like the leaktests are. All known exploits tested against each firewall. I am sure such a website will emerge just as the leaktest websites have.

I have contacted Melih of COMODO and although the current help file for CFP does not go into in-depth details of the inbound protection such as ARP filtering, they are working on an "under the hood kind of manual" that I look forward to.

I think all software firewall developers should do this.
__________________
·¤"Mash For Our Dreams"¤·
  #102  
Old November 25th, 2007, 08:26 AM
Phant0m Phant0m is offline
Massive Poster
 
Join Date: Jun 2003
Location: Canada
Posts: 3,327
Default Re: Inbound firewall

Stem,

Stateful inspection is a term originally coined by the security product manufacturer Check Point in 1993. Clearly detailed by Check Point ... sometime down the road, it comprises both the tracking of state using Layer 4 and lower protocol information and the tracking of application-level traffic commands.

Now the term Stateful filtering has been originally used to define the stateful tracking of protocol information at Layer 4 and lower. Under this definition, stateful filtering products exhibit no knowledge of application layer protocols.

... You understand stateful filtering terminology: stateful filtering does not in any way track the TCP flags, so it's not considered truly tracking of TCP connection state. But there are advanced forms of stateful filtering that can also track sequence and acknowledgment numbers and the TCP packet flags. Now that's truly stateful connection tracking for TCP, although 'we still lack the ability to differentiate traffic flows at the application level'.

And whether you care to admit it or not, the CHX-I 'stateful inspection' feature implementation 'lacks the ability to differentiate traffic flows at the application level'...
__________________
"Success is almost totally dependent upon drive and persistence. The extra energy required to make another effort or try another approach is the secret of winning." --Dennis Waitley
  #103  
Old November 25th, 2007, 11:53 PM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: Inbound firewall

Phantom,
Quote:
Originally Posted by Phant0m

Stateful inspection is a term originally coined by the security product manufacturer Check Point in 1993.
If we went by the exact description, then we would need to look at:-
Communication Information
Communication-derived states
Application-derived state
Information Manipulation

All of which is put forward by Check Point as part of Stateful Inspection. Do I see any point in going down this road, with a need to discuss this? I do not think it is needed/wanted.


Quote:
Originally Posted by Phant0m
And whether you care to admit or not, CHX-I 'stateful inspection' feature implement lack the ability to differentiate traffic flows at the application level'...
If we look at Check Point, and at how they performed the SPI, we are only (basically) looking at a set of filters. As with CHX-I, traffic flow filters can be added and any data within the packet can be manipulated with payload filters.

So, what should we do, continue with a discussion of wording, or follow a path of actually looking at the implementations of packet filtering/inspection by vendors' firewalls for the security of members? Myself, I prefer the latter, as this will actually give needed info to members.
  #104  
Old November 26th, 2007, 12:14 AM
feniks feniks is offline
Regular Poster
 
Join Date: Sep 2007
Posts: 130
Question Re: Inbound firewall

Quote:
Originally Posted by Stem
So, what should we do, continue with a discussion of wording, or follow a path of actually looking at the implementations of packet filtering/inspection by vendors' firewalls for the security of members? Myself, I prefer the latter, as this will actually give needed info to members.

Yes, yes, yes, the latter.

I have a headache already from all this stateful, stateless, static filtering, dynamic filtering, deep, shallow, state table etc.

Coming down to info for members: can you tell if Windows XP firewall and Ghostwall have SPI, or what filtering exactly? As these two are the basic level for incoming protection and I read different statements.
  #105  
Old November 26th, 2007, 07:16 AM
Phant0m Phant0m is offline
Massive Poster
 
Join Date: Jun 2003
Location: Canada
Posts: 3,327
Default Re: Inbound firewall

Stem; Well if it's shared opinion, not just specific to your needs and wants... then I'll refrain from posting information / FAQs in the future.

However, I thought it was useful and informational, something that individual(s) could appreciate.

We are using the word SPI pretty loosely here, and this leaves room for confusion. If the users don't know their options, then they really don't know what they are asking for or wanting and the degree of protections offered / available... For instance, when you are talking about 'full SPI' you are really just talking about an implementation capable of tracking sequence and acknowledgment numbers and the TCP packet flags and not something more?

I know about the CHX-I v3 Payload Filter Module; weren't we discussing firewalls' SPI implementation before? Now that you mention it, I'm curious: are you going to be the one that provides filters for users to achieve "stateful inspection" to the degree that Check Point and some other firewalls offer?
  #106  
Old November 26th, 2007, 08:32 AM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: Inbound firewall

Quote:
Originally Posted by Phant0m
Stem; Well if it's shared opinion, not just specific to your needs and wants... then I'll refrain from posting information / FAQs in the future.

However, I thought it was useful and informational, something that individual(s) could appreciate.
I asked a question, to see how you would like to continue.
Quote:
So, what should we do, continue with a discussion of wording, or follow a path of actually looking at the implementations of packet filtering/inspection
Currently you have put forward only a need for correct wording/definition. Why don't you instead perform some tests on firewalls to see what implementation of packet filtering is being made on various firewalls?

Quote:
Originally Posted by Phant0m
We are using the word SPI pretty loosely here, and this leaves room for confusion. If the users don't know their options, then they really don't know what they are asking for or wanting and the degree of protections offered / available... For instance, when you are talking about 'full SPI' you are really just talking about an implementation capable of tracking sequence and acknowledgment numbers and the TCP packet flags and not something more?
I have already put forward the definition of my term "full SPI".

Quote:
Originally Posted by Phant0m
I know about the CHX-I v3 Payload Filter Module; weren't we discussing firewalls' SPI implementation before? Now that you mention it, I'm curious: are you going to be the one that provides filters for users to achieve "stateful inspection" to the degree that Check Point and some other firewalls offer?
I would be interested in seeing a software firewall for the home "Windows" user produced by Check Point or any other vendor that performs SPI to the degree of what "Checkpoint" put forward as actual "SPI".

As for CHX-I, if this was still being updated, to remove some bugs, then I would take time to produce filters (maybe I could then set up a website and sell them).

Last edited by Stem : November 26th, 2007 at 08:45 AM. Reason: spelling
  #107  
Old November 26th, 2007, 09:21 AM
Phant0m Phant0m is offline
Massive Poster
 
Join Date: Jun 2003
Location: Canada
Posts: 3,327
Default Re: Inbound firewall

Hi Stem,

I'm not sure what you meant exactly by "Currently you have put forward only a need for correct wording/definition." If you are implying my only participation on this topic involved this, then may I suggest re-reading starting from the beginning, post #62. And as for my post #105, it was to explain where I'm coming from...

If my participation isn't up to your standards or offends you even, then I'll simply avoid further topics you're involved in.


I have an old machine that's XP capable; I don't however have an operating system. And as for this here system I'm working with, it has to be on Internet stand-by, so I can't be running installations, reboots, tests, uninstalls, reboots, and repeating with the next firewall. Therefore, even though I'm interested in doing such tests and publishing, I first need to buy an OS such as XP that's about $165 CAD for the OEM version. And momentarily, I cannot afford it. Besides, I thought you were originally doing the tests for the people?
  #108  
Old November 26th, 2007, 09:46 AM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: Inbound firewall

Quote:
Originally Posted by Phant0m
If my participation isn't up to your standards or offends you even,
What standard? And I am not offended.

It is just my thought that: We could certainly discuss what SPI actually is (as put forward by Check Point) and go through misunderstandings on this point, but how would it actually help a user decide on a firewall? Yes, they may understand the terms used, but it would then be a case of whether vendors use the correct terms. I have seen firewalls that state "SPI", and they only check IP/port of TCP. So, if we put forward that "SPI" is "as described by Checkpoint", then the user goes to a firewall vendor that states the firewall has "SPI" (and it is actually only a check on IP/port); this would lead to a false sense of security for the user.

So how can we put forward SPI/packet filter with descriptions of the layers filtered etc., without the vendors also being accurate about the firewall's ability in this?
As I said, just my thought.

Quote:
Originally Posted by Phant0m
............, besides I thought you were originally doing the tests for the people?
I will be setting up again, and go through the firewalls again. I do have a couple of projects on already, so it will need to wait a few days.
  #109  
Old November 26th, 2007, 12:15 PM
AJohn AJohn is offline
Frequent Poster
 
Join Date: Sep 2004
Posts: 935
Default Re: Inbound firewall

I think the best thing to do would be for both of you to collaborate on publishing a webpage rating different software firewalls against your own definitions (or Check Point's) of SPI and other aspects of packet filtering in a manner similar to the way Matousec handles leaktests.

So, if Phant0m were to obtain a legit copy of Windows XP then what do you two think about this?
  #110  
Old November 26th, 2007, 12:51 PM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: Inbound firewall

Quote:
Originally Posted by AJohn
I think the best thing to do would be for both of you to collaborate on publishing a webpage rating different software firewalls against your own definitions (or Check Point's) of SPI and other aspects of packet filtering in a manner similar to the way Matousec handles leaktests.

So, if Phant0m were to obtain a legit copy of Windows XP then what do you two think about this?
Hello AJohn,
The fact of 1 extra PC will probably not help in such testing. I know most look at "Leaktests", which can be run on the host, then the firewall will catch this or not; a simple test.

When looking at a firewall's filtering, then different methods are needed.

Example:
For leaktests: 1 PC needed
For scanning: 2 PCs needed (normally the second PC is a website such as ShieldsUP)
For packet filtering: this is possibly debatable. As you need a PC to install the firewall to be tested, you then need a PC to send the packets (that the first PC has made a connection to, to check filtering on an open connection), you then need to check on what is not filtered out... this could be a sniffer on the first PC, but this could be incorrect, as it would not be correct to presume that the firewall did not block/drop the packet after it was sniffed (and that the firewall did not log this blocked packet).
So I normally check with 3 PCs, a sort of piggy in the middle, the middle PC being installed with the firewall to check.
I do need to find better ways to check, as I do not always have 3 spare PCs.

Regards,

EDIT,
I have also considered that filtering should be done in both directions, and that I could simply send out invalids etc., but I would think that this would be incorrect for such tests/checks.

Last edited by Stem : November 26th, 2007 at 12:58 PM.
  #111  
Old November 26th, 2007, 01:02 PM
AJohn AJohn is offline
Frequent Poster
 
Join Date: Sep 2004
Posts: 935
Default Re: Inbound firewall

Yes, 2 or 3 computers seems best. Maybe this is part of why there are no such inbound firewall ratings as readily available as the leaktest ratings are.

Maybe Phant0m would be able to work something out with what he has though, so lets see what he has to say.

Maybe between the two of you something could be done... if neither of your ISPs filter connections then that may be a start.
  #112  
Old November 26th, 2007, 01:10 PM
Phant0m Phant0m is offline
Massive Poster
 
Join Date: Jun 2003
Location: Canada
Posts: 3,327
Default Re: Inbound firewall

As I said before, there is only the one thing I need...


Regards,
Phant0m``
  #113  
Old November 26th, 2007, 01:17 PM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: Inbound firewall

Quote:
Originally Posted by Phant0m
As I said before, there is only the one thing I need...


Regards,
Phant0m``
If it was as cheap here in the UK to purchase an XP, then I would purchase one and give you a license. As it is, it is twice the cost you mention.

If you know of a better way to test firewalls' filtering, please advise.
  #114  
Old November 26th, 2007, 01:25 PM
AJohn AJohn is offline
Frequent Poster
 
Join Date: Sep 2004
Posts: 935
Default Re: Inbound firewall

We will see how time treats Mr. Phant0m.

In the meantime you two should collaborate as much as possible.
  #115  
Old November 26th, 2007, 01:33 PM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: Inbound firewall

Quote:
Originally Posted by AJohn
We will see how time treats Mr. Phant0m.

In the meantime you two should collaborate as much as possible.
This may be a moot point, as I work from my findings of installing firewalls and directly checking these. From what I see, Phantom works from white papers and published support/help files. Please correct me if incorrect.
  #116  
Old November 26th, 2007, 01:42 PM
Phant0m Phant0m is offline
Massive Poster
 
Join Date: Jun 2003
Location: Canada
Posts: 3,327
Default Re: Inbound firewall

Stem, I'm not about to play your silly games...

feniks, I apologize for how things turned out, I'll refrain from posting any further on this topic, and hopefully the topic will get back on track.


Best Regards,
Phant0m``
  #117  
Old November 26th, 2007, 02:41 PM
feniks feniks is offline
Regular Poster
 
Join Date: Sep 2007
Posts: 130
Default Re: Inbound firewall

Quote:
Originally Posted by Phant0m
Stem, I'm not about to play your silly games...

feniks, I apologize for how things turned out, I'll refrain from posting any further on this topic, and hopefully the topic will get back on track.


Best Regards,
Phant0m``

No apologies necessary, as I learn a lot about protocols, terminology etc. And you were friendly to me. However, all that theory does not help me on a practical level: which firewall has what, and how to decide which one I want. Also I need to find something basic and good for my non-technical friends or even kids, and something really good for somebody willing to learn more and spend more time on that. Learning any of them is some work to do and first I would like to know if it is worth that effort, see my point?

And maybe a layered approach is the better solution: good inbound + good outbound. So far in terms of the easy and good factor I see a very good solution in CHX-I + OA free, without or with firewall.

Maybe one application, if it has in/out quality on a decent level?

See, so many questions, and good answers only on the outbound/leaking factor. If the out/in info were on the same level, the decision would be much easier to make and also it would be a much wiser decision. For now I see many people are not even aware that inbound protection can be on different levels, the same as outbound/leak.

I was expecting practical info at least (the vendors are really skimpy in info and their "features" can mean everything or nothing) as to what features each firewall really has... at least because I see real testing is not an easy thing even for experts, let alone me.

Well, I feel a little ignored, but well, nobody pays you guys to answer.

Practically, not many of my questions get answered and search gives also skimpy results. Most info on that subject I found about CHX-I so far.

I did try to start from bottom (Windows firewall and Ghostwall) but no results yet. See the posts:

http://www.wilderssecurity.com/showp...&postcount=104

http://www.wilderssecurity.com/showp...7&postcount=86

http://www.wilderssecurity.com/showp...3&postcount=87

http://www.wilderssecurity.com/showp...24&postcount=1

Well, I know I go the easy way of learning by asking, but that is what a forum and experts are for, or is it not?

And I feel maybe something useful finally will come out of that all...
  #118  
Old November 26th, 2007, 10:04 PM
wat0114
 
Posts: n/a
Default Re: Inbound firewall

Quote:
Originally Posted by feniks
Well, I feel a little ignored, but well, nobody pays you guys to answer.

You've had numerous responses to your questions, but you never seem completely satisfied with them.

Why not just stay with CHX-I? It seems to offer excellent inbound protection and alphalutra already informed you that Ghostwall does not include SPI. I certainly saw no mention of it on the website. There also does not seem to be any reports on which firewalls offer the best inbound protection.
  #119  
Old November 26th, 2007, 10:52 PM
feniks feniks is offline
Regular Poster
 
Join Date: Sep 2007
Posts: 130
Default Re: Inbound firewall

Quote:
Originally Posted by wat0114
You've had numerous responses to your questions, but you never seem completely satisfied with them.

Do you know somebody completely satisfied? You know that Jagger from the Rolling Stones is still singing about his satisfaction?

But seriously, a better word would be: I am disappointed. Before, I thought "wow, big firewall" reading all these advertisements, but after I learned a little I suspect that in reality the most popular firewalls are as poor as a church mouse in inbound filtering, thus in this kind of protection.

Why do popular firewalls not have application-level SPI/filtering? It is 2007 and computers are capable of handling it, but the firewalls are still in 1990 in SPI?

I am talking about the firewall function, as the word comes from fire doors or exits.

Quote:
Originally Posted by wat0114
Why not just stay with CHX-I? It seems to offer excellent inbound protection

Yes, it looks like nobody from the big and popular guys can beat CHX-I. I thought it was maybe outdated but it looks like not yet.

Quote:
Originally Posted by wat0114
and alphalutra already informed you that Ghostwall does not include SPI. I certainly saw no mention of it on the website. There also does not seem to be any reports on which firewalls offer the best inbound protection.

I accepted his answer; I just do not understand the way Ghostwall decides what is allowed in. I know it is not real SPI, but the term is so confusing, at least. For example, closing ports is in the SPI definition, and processing TCP (three-way handshake) can also be understood as SPI. Or does static filtering do this? Well, but I am still learning.

Is it forbidden here?

Maybe some day I will know more; for now please forgive me.

EDIT: PS. And for sure a yes/no answer from somebody I do not really know will not satisfy me. I need more than that to understand and to accept it.

And in fact alphalutra did not answer my question (and I was not asking if Ghostwall has SPI, as I read his statement before); he just tried to tell me what scanning and protocols are.

Last edited by feniks : November 26th, 2007 at 11:21 PM.
  #120  
Old November 26th, 2007, 11:28 PM
wat0114
 
Posts: n/a
Default Re: Inbound firewall

Quote:
Originally Posted by feniks
I just do not understand the way Ghostwall decides what is allowed in. I know it is not real SPI, but the term is so confusing, at least. For example, closing ports is in the SPI definition, and processing TCP (three-way handshake) can also be understood as SPI. Or does static filtering do this? Well, but I am still learning.

Is it forbidden here?

Maybe some day I will know more; for now please forgive me.

PS. And for sure a yes/no answer will not satisfy me. I need to understand more to accept it.

Ghostwall looks to be only a packet filter with the provision to restrict what is allowed on local/remote ports and local/remote ip addresses, without SPI filtering.

SPI seems to ensure that all incoming connections match the packet information in the initial outgoing packets.

Also, you have every right to understand more and, hopefully, your questions will be answered to your satisfaction. As I mentioned earlier, I never gave SPI too much thought until Stem has frequently questioned how effectively many of the pc firewalls and home routers implement it. Thankfully someone is asking questions and pushing firewall vendors to implement it correctly, especially when they advertise SPI as one of the features of their product. It is very easy to say: "our product has SPI", so those who are misinformed and do not want to question will think: "wow, this is such a great product because it features SPI", yet little do we know it may not be full SPI.

Unless someone with technical "clout" asks these questions and pushes vendors, it is very easy for them to take the lazy approach and offer a half-as*ed feature.
  #121  
Old November 27th, 2007, 12:06 AM
feniks feniks is offline
Regular Poster
 
Join Date: Sep 2007
Posts: 130
Default Re: Inbound firewall

Quote:
Originally Posted by wat0114
Ghostwall looks to be only a packet filter with the provision to restrict what is allowed on local/remote ports and local/remote ip addresses, without SPI filtering.

SPI seems to ensure that all incoming connections match the packet information in the initial outgoing packets.

I get it! At least I think so. But I feel I am closer. I did confuse just packet filtering with SPI, which is more than filtering; it is additional packet inspection. THANK YOU!

Now I understand how Ghostwall can decide what to allow based on outgoing traffic. SPI is similar but more active, complex and "intelligent" filtering.

That is why, even with similar rules in CHX-I (allow all outgoing), when I force-allowed incoming on some port in CHX-I there were still packets dropped, but in the case of Ghostwall not.

With better filtering it is harder to fool the firewall. Do I get it correct now?

Quote:
Packet Filtering

All Internet traffic travels in the form of packets. A packet is a quantity of data of limited size, kept small for easy handling. When larger amounts of continuous data must be sent, it is broken up into numbered packets for transmission and reassembled at the receiving end. All your file downloads, Web page retrievals, emails -- all these Internet communications always occur in packets.

A packet is a series of digital numbers basically, which conveys these things:
The data, acknowledgment, request or command from the originating system
The source IP address and port
The destination IP address and port
Information about the protocol (set of rules) by which the packet is to be handled
Error checking information
Usually, some sort of information about the type and status of the data being sent
Often, a few other things too - which don't matter for our purposes here.

In packet filtering, only the protocol and the address information of each packet is examined. Its contents and context (its relation to other packets and to the intended application) are ignored. The firewall pays no attention to applications on the host or local network and it "knows" nothing about the sources of incoming data.

Filtering consists of examining incoming or outgoing packets and allowing or disallowing their transmission or acceptance on the basis of a set of configurable rules, called policies.

Packet filtering policies may be based upon any of the following:
Allowing or disallowing packets on the basis of the source IP address
Allowing or disallowing packets on the basis of their destination port
Allowing or disallowing packets according to protocol.

This is the original and most basic type of firewall.

Packet filtering alone is very effective as far as it goes but it is not foolproof security. It can potentially block all traffic, which in a sense is absolute security. But for any useful networking to occur, it must of course allow some packets to pass. Its weaknesses are:
Address information in a packet can potentially be falsified or "spoofed" by the sender
The data or requests contained in allowed packets may ultimately cause unwanted things to happen, as where a hacker may exploit a known bug in a targeted Web server program to make it do his bidding, or use an ill-gotten password to gain control or access.

An advantage of packet filtering is its relative simplicity and ease of implementation.

Quote:
Early Firewalls, Packet Filtering Firewalls and "Stateful Firewalls"

The first firewalls were based on either a proxy design or a simple packet filtering ruleset. The proxy firewall operates by interposing itself in the middle of the application protocol and interpreting it while applying security controls to the application commands and data, where appropriate. The original value proposition of a proxy firewall is that the proxy is essentially a security-oriented reference implementation of the application protocol – in some cases omitting dangerous operations entirely, or providing additional controls on certain security-critical commands. Proxies have always been considered a conservative security design because the proxy reduces the likelihood of protocol backdoors or side-effects since the proxy’s designer is effectively performing a security assessment of the application protocol’s features prior to implementing them. Early packet filter firewalls implemented a simple policy-table lookup based on { source-ip, destination-ip, source-port, destination-port, SYN-seen yes/no } permit or deny. Consequently, packet filters were extremely fast since they did very little computation. They were also extremely easy to implement since they required virtually no security expertise. The simple compute requirements of packet filters, and the fact that they required no security knowledge-base, made them easy to implement in silicon so they quickly became a feature of most routers. From the beginning, proxy firewalls were recognized as being more secure, because they effectively are implementing a correctness check upon the application protocols they gateway. This is still an important property of proxy firewalls. For example, when the author first implemented the FTP proxy in the DEC SEAL firewall, he simply left out unused FTP protocol commands that allowed users to issue remote commands to the FTP server. 
Years later, when hackers discovered those commands and attempted to exploit them, they simply did not work against proxy-protected networks because the proxy refused to gateway the command through to the target. Sites behind packet filtering firewalls were vulnerable, if the reachable systems behind the firewall were themselves vulnerable.

In 1993, "stateful" firewalls appeared on the market. The first popular stateful firewall, Checkpoint’s Firewall-1, implemented a simple connection-origin table that tracked whether a connection had originated behind the firewall and permitted response packets for that connection. A layer-7 hook to parse FTP PORT commands and update the state table allowed FTP to work transparently through the firewall. Subsequent versions of the stateful firewall added TCP sequence number interpretation, and DNS query/response matching to ensure that return packets were only allowed in response to queries that had originated from the inside. It is important to note that stateful firewalls added these features to overcome vulnerabilities in their design – attacks such as TCP RST flood attacks and DNS cache poisoning. Proxy firewalls never had these kinds of vulnerabilities. Stateful firewalls have continued to evolve; often in response to new types of hacking techniques as they have been discovered. Proxy firewalls have evolved, as well, but mostly in response to ever-higher requirements for performance and transparency.
Quote:
What does "Stateful" mean?

"Stateful" basically means "remembers things that came before." Something that is "stateful" knows about the current "state" of things -- what's going on at that moment, and what went on before that.

A "stateful" firewall knows not only about the packet it's looking at, but also about packets that came before that one.

Why is that useful in a firewall?

Imagine that you had no memory. At any moment, all you knew about was that moment, and you had to figure everything out just from what you could see. This is how old firewalls worked -- they knew only about the current packet they were looking at. They couldn't "remember" packets they had seen before.

I add these quotes as they explain a lot to me and maybe they will be helpful to somebody else also. Now it would be good to know how, in firewalls that claim they have SPI, this remembrance is achieved and how deep, "smart" and complex it is.

Last edited by feniks : November 27th, 2007 at 01:13 AM.
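An added example, not code from any poster or vendor in this thread, contrasting the two designs the quoted text describes: a memoryless packet filter that can only key on addresses, ports and the SYN bit, and a connection-origin table that also checks TCP flags and sequence numbers. The packet trace, addresses, port numbers and window size are constructed for illustration; the state machine is deliberately reduced to the points the quotes make.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" = leaves the protected host, "in" = arrives at it
    remote_ip: str
    remote_port: int
    local_port: int
    flags: frozenset    # subset of {"SYN", "ACK", "FIN", "RST"}
    seq: int = 0
    ack: int = 0
    length: int = 0     # payload bytes; advances the expected sequence number


def stateless_filter(pkt: Packet) -> bool:
    """Plain packet filter as in the quoted description: the decision uses only
    addresses, ports and the SYN flag of the packet in hand. Policy: allow all
    outbound traffic; inbound, allow anything that is not a bare SYN (the
    classic 'established' rule), because a memoryless filter can do no more."""
    if pkt.direction == "out":
        return True
    return not ("SYN" in pkt.flags and "ACK" not in pkt.flags)


WINDOW = 65535  # assumed (constructed) receive window for the sequence check


class StatefulFilter:
    """Connection-origin table keyed on (local_port, remote_ip, remote_port).
    Inbound packets are admitted only when the host itself opened the
    connection and the flags and sequence numbers fit the tracked state."""

    def __init__(self) -> None:
        self.table: dict = {}

    def filter(self, pkt: Packet) -> bool:
        key = (pkt.local_port, pkt.remote_ip, pkt.remote_port)
        conn = self.table.get(key)
        if pkt.direction == "out":
            return self._outbound(key, conn, pkt)
        return self._inbound(key, conn, pkt)

    def _outbound(self, key, conn, pkt: Packet) -> bool:
        if conn is None:
            if pkt.flags == {"SYN"}:
                # the host initiates: record the connection and the ack we expect
                self.table[key] = {"state": "SYN_SENT", "expect_ack": pkt.seq + 1}
                return True
            return False  # outbound non-SYN with no tracked connection
        if "RST" in pkt.flags:
            del self.table[key]  # the host tears the connection down
        return True  # the outbound side is otherwise not checked in this model

    def _inbound(self, key, conn, pkt: Packet) -> bool:
        if conn is None:
            return False  # unsolicited: nothing on the inside asked for it
        if conn["state"] == "SYN_SENT":
            # only a SYN/ACK acknowledging our ISN+1 completes the handshake
            if pkt.flags == {"SYN", "ACK"} and pkt.ack == conn["expect_ack"]:
                conn["state"] = "ESTABLISHED"
                conn["remote_seq"] = pkt.seq + 1
                return True
            return False
        offset = pkt.seq - conn["remote_seq"]  # ESTABLISHED from here on
        if "RST" in pkt.flags:
            # a reset counts only if it lands exactly on the next expected byte;
            # this is what blunts blind resets sent with guessed numbers
            if offset == 0:
                del self.table[key]
                return True
            return False
        if "SYN" in pkt.flags or "ACK" not in pkt.flags:
            return False  # a repeated SYN, or a segment without ACK, is invalid here
        if not 0 <= offset < WINDOW:
            return False  # sequence number outside the receive window
        conn["remote_seq"] += pkt.length
        return True


def run_scenario() -> dict:
    """Constructed trace: the host opens a connection to 198.51.100.7:80, then
    inbound packets arrive. Returns {label: (stateless verdict, stateful verdict)}."""
    R = "198.51.100.7"  # constructed, RFC 5737 documentation address
    trace = [
        ("client SYN", Packet("out", R, 80, 40000, frozenset({"SYN"}), seq=1000)),
        ("server SYN/ACK", Packet("in", R, 80, 40000, frozenset({"SYN", "ACK"}), seq=5000, ack=1001)),
        ("client ACK", Packet("out", R, 80, 40000, frozenset({"ACK"}), seq=1001, ack=5001)),
        ("server data", Packet("in", R, 80, 40000, frozenset({"ACK"}), seq=5001, ack=1001, length=100)),
        # inbound packet nobody asked for, with ACK set so a memoryless filter passes it
        ("unsolicited ACK", Packet("in", "203.0.113.9", 4444, 3389, frozenset({"ACK"}), seq=7, ack=7)),
        # a reset carrying a guessed sequence number, as in the RST attacks the quote mentions
        ("forged RST", Packet("in", R, 80, 40000, frozenset({"RST"}), seq=999999)),
        ("genuine RST", Packet("in", R, 80, 40000, frozenset({"RST"}), seq=5101)),
    ]
    stateful = StatefulFilter()
    return {label: (stateless_filter(p), stateful.filter(p)) for label, p in trace}
```

The last three entries are the ones the thread's distinction turns on: the memoryless filter passes all of them, while the connection table rejects the unsolicited packet and the reset with the wrong sequence number and accepts only the genuine one.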
  #122  
Old November 27th, 2007, 11:56 AM
wat0114
 
Posts: n/a
Default Re: Inbound firewall

Thank you for those quotes feniks. It makes for some good reading. A member at the Outpost forum was kind enough to provide this Checkpoint PDF document download.

I haven't read it yet but will when time permits. It looks very comprehensive.
  #123  
Old November 27th, 2007, 03:17 PM
feniks feniks is offline
Regular Poster
 
Join Date: Sep 2007
Posts: 130
Default Re: Inbound firewall

Quote:
Originally Posted by wat0114
Thank you for those quotes feniks. It makes for some good reading. A member at the Outpost forum was kind enough to provide this Checkpoint PDF document download.

I haven't read it yet but will when time permits. It looks very comprehensive.

Yes, comprehensive enough to answer my question. You made me satisfied. For now...

Now I see that I did not know how to ask. Maybe I even made Alphalutra1 confused. Maybe he was thinking: what does this guy want, I answered already...

There is a saying: first you have to learn to listen nicely if you want to speak nicely...

But I am too impatient sometimes to read and dig and search more before asking.

And the luck to find the correct readings... If I had known the Checkpoint document before...

That is the problem of beginners...

Anyway, thank you very much for your patience and help.
  #124  
Old November 28th, 2007, 12:21 AM
dmenace dmenace is offline
Frequent Poster
 
Join Date: Nov 2006
Posts: 275
Default Re: Inbound firewall

Here's another document that you might want to read. Basically you can use this as a benchmark for testing inbound filtering of firewalls. It provides a comprehensive list of inbound attack types:

http://www.agnitum.com/support/kb/ar...000193&lang=en

_________

Regarding the Checkpoint Document:-

If ZoneAlarm is created by Checkpoint and Checkpoint INVENTED SPI (from the document) therefore ZoneAlarm has the best / most complete implementation of SPI there is.

Am I correct? Is that why ZoneAlarm is so highly regarded / award winning?

Edit: Spelling
__________________
My favorite free antivirus software:
ZoneAlarm Free Antivirus + Firewall = Kaspersky
Kingsoft Antivirus = Avira
Roboscan Internet Security = Bitdefender
Bitdefender Antivirus Free Edition = Bitdefender
  #125  
Old November 28th, 2007, 12:53 AM
wat0114
 
Posts: n/a
Default Re: Inbound firewall

Quote:
Originally Posted by dmenace

Regarding the Checkpoint Document:-

If ZoneAlarm is created by Checkpoint and Checkpoint INVENTED SPI (from the document) therefore ZoneAlarm has the best / most complete implementation of SPI there is.

Am I correct? Is that why ZoneAlarm is so highly regarded / award winning?

I saw no mention of SPI in the ZA Pro feature list. Checkpoint uses their version of SPI in their hardware appliances. Also, didn't Checkpoint purchase ZA from Zonelabs? I'm not sure why ZA is award winning, though I think it has something to do with establishing themselves worldwide long ago, similar to the way Norton/Symantec did.