Wilders Security Forums  

  #176  
Old April 4th, 2008, 10:03 AM
Lundholm Lundholm is offline
Regular Poster
 
Join Date: Aug 2007
Location: Copenhagen, Old Zealand
Posts: 108
Default Re: Inbound firewall

Quote:
Originally Posted by Stem
Are these rules not already included with the default installation of Kerio? or is there a need to update the bad_traffic file? and if so, then what are users adding to that file, if indeed they are actually adding/using any.
The default installation contains some small rulesets, yes, but it is possible to download the full rulesets from snort.org in older versions and replace the default sets, and add new rulesets. This requires some work and decision making. One weekend might not be sufficient.
__________________
"O, there has been much throwing about of brains." -- Guildenstern{alt. Gyldenstern[alt. Gyldenstjerne(anc. Gyllenstierna{knight of Lundholm})], knight of Hamlet}.
  #177  
Old April 4th, 2008, 10:14 AM
Paranoid2000 Paranoid2000 is offline
Security Expert
 
Join Date: May 2004
Location: North West, United Kingdom
Posts: 2,839
Default Re: Inbound firewall

Quote:
Originally Posted by CoolWebSearch
Now I have 100% clean PC-what's the point of leak-tests if you have 100% clean PC,
If your system is clean and will remain so then there is almost no benefit in having a firewall with good leaktest performance (except for the small possibility of legitimate software trying to connect out surreptitiously).

For most users however, anti-virus/malware scanners will provide a good - but not 100% - defence. A leak-resistant firewall can provide a useful backup where a scanner has failed.
Quote:
Originally Posted by CoolWebSearch
It seems that malware these days are so advanced that leak-tests are useless, once you get malware on your computer the game is literally over.
Not if you have software that provides process control - and this is what many firewalls have been expanding into.
Quote:
Originally Posted by Lundholm
Don't forget those FWs that support SNORT rules. It adds an extra dimension to packet filtering, if you have the CPU power.
I would suggest that SNORT support is less significant to most users than effective outbound control. A personal firewall should block unsolicited incoming traffic by default (so knowing if blocked traffic is a recognisable probe or attack is of little relevance).

Pattern-matching becomes useful for people running a server that has to accept unsolicited incoming traffic, which is why enterprise level firewalls tend to offer it. However even the best performers in this category can be easily bypassed by an attacker obfuscating their traffic.
  #178  
Old April 4th, 2008, 11:04 AM
alex_s alex_s is offline
Very Frequent Poster
 
Join Date: Aug 2007
Posts: 1,251
Default Re: Inbound firewall

Quote:
Originally Posted by CoolWebSearch
But what about rootkits?
I truly don't know why there is so huge interest in leak-testing, but I do have some complex questions:

Can you tell me which of those leaktests really exist in the real world and are not just extreme situation hypothetical maybe this could happen but there is no real threat been made for this

Some people tested HIPS against real rootkits and it appeared that good HIPS can successfully resist rootkits to get control over your system. Unfortunately such attempts were not too comprehensive, though you can make some conclusions even from those amateur attempts:

http://membres.lycos.fr/nicmtests/

Last edited by alex_s : April 4th, 2008 at 11:25 AM.
  #179  
Old April 4th, 2008, 04:26 PM
LoneWolf LoneWolf is offline
Massive Poster
 
Join Date: Jan 2006
Posts: 3,130
Default Re: Inbound firewall

Quote:
Originally Posted by Stem
I don't really want to go down a path of checking Enterprise/server firewalls. I will be looking at products for home use, as used by the majority of users on the forum, such as Jetico, outpost pro, comodo etc. If I was to look at Sunbelt, then it would only be the home product.

Hi Stem,
By any chance will you be testing Look'n'Stop also?
Although I am interested in seeing your results from all tested.
__________________
May you fly straight to heaven - but if you go to Hades - may Lethe run with Guinness
  #180  
Old April 10th, 2008, 11:13 PM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: Inbound firewall

Hello,

Sorry for delay, but family matters have taken my spare time. I will make tests as soon as I can.

Regards to all,
  #181  
Old April 10th, 2008, 11:19 PM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: Inbound firewall

Quote:
Originally Posted by LoneWolf
By any chance will you be testing Look'n'Stop also?
I currently have a list of:-

ZA (pro)
Comodo
Jetico 2
PC tools

I will add L,n,S

-
  #182  
Old April 11th, 2008, 05:11 PM
Fly Fly is offline
Very Frequent Poster
 
Join Date: Nov 2007
Posts: 1,857
Default Re: Inbound firewall

Somewhere in this thread it was stated that firewalls don't check toolbars and BHOs. And in another post someone stated that antispyware programs could check/detect these.

Question: you know what toolbars and BHOs you have on your system. They are not known as 'typical spyware'. Are the toolbars and BHOs able to receive and send data on their own/as instructed, not filtered by the firewall ? Any difference between Stateful Inspection and proxy-firewalls ?
  #183  
Old April 11th, 2008, 10:55 PM
aeonhuang aeonhuang is offline
Infrequent Poster
 
Join Date: Mar 2008
Posts: 7
Default Re: Inbound firewall

Quote:
Originally Posted by Stem
I currently have a list of:-

ZA (pro)
Comodo
Jetico 2
PC tools

I will add L,n,S

-
I'm waiting for the result!
Why don't you add CHX-I and 8signs?
  #184  
Old April 21st, 2008, 02:56 PM
ruinebabine ruinebabine is offline
Very Frequent Poster
 
Join Date: Aug 2007
Location: QC
Posts: 1,036
Default Re: Inbound firewall

Quote:
Originally Posted by aeonhuang
Why don't you add CHX-I and 8signs?
I would also very much like to see the comparative results for those 2 veteran inbound fws!

BTW, there seems to be a rumor of 8Signs' development possibly being at a halt. It would be a shame... Has anyone successfully exchanged e-mails with those folks lately? Linda C. has always been so dedicated and responsive to all support/request that her present silence is really no good sign
  #185  
Old May 5th, 2008, 06:29 AM
ggf31416 ggf31416 is offline
Frequent Poster
 
Join Date: Aug 2006
Location: Uruguay
Posts: 313
Default Re: Inbound firewall

Any news?
  #186  
Old May 6th, 2008, 05:01 PM
LoneWolf LoneWolf is offline
Massive Poster
 
Join Date: Jan 2006
Posts: 3,130
Default Re: Inbound firewall

Quote:
Originally Posted by ggf31416
Any news?

I'm curious myself, but I'm sure this type of testing may take some time.
Hopefully Stem will have some results posted soon.
  #187  
Old May 7th, 2008, 12:13 PM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: Inbound firewall

Quote:
Originally Posted by LoneWolf
I'm curious myself, but I'm sure this type of testing may take some time.
Hopefully Stem will have some results posted soon.
It's just a case of finding spare time.

I have a couple of hours now, so will test what I can in that time.

- Stem
  #188  
Old May 7th, 2008, 04:22 PM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: Inbound firewall

Hi,

I have managed to look at 3. I will look at others when time available.


The tests are on TCP, just a case of checking to see the packet filtering made on an outbound connection (what packets are filtered out inbound)

So basically, I have a number of TCP packets, these consist of invalid flags, out of sequence and out of connection. These I send against the firewall to see what is logged/filtered out of an open connection.

CHX-I V3.
It filtered out and logged all packets.

8signs (build 3037)
It only logged 2 packets (null and xmas) but I did not see any packets pass, so looks like a lack of logging, but will check again on another setup

LnS (v206)
With SPI enabled.
It only filtered out the packets that are in the Internet filtering (such as null, xmas) and blocked the out of connection. But other packets (invalid flags/out of sequence) were not filtered out.
  #189  
Old May 7th, 2008, 04:45 PM
Fly Fly is offline
Very Frequent Poster
 
Join Date: Nov 2007
Posts: 1,857
Default Re: Inbound firewall

Quote:
Originally Posted by Stem
Hi,

I have managed to look at 3. I will look at others when time available.


The tests are on TCP, just a case of checking to see the packet filtering made on an outbound connection (what packets are filtered out inbound)

So basically, I have a number of TCP packets, these consist of invalid flags, out of sequence and out of connection. These I send against the firewall to see what is logged/filtered out of an open connection.

CHX-I V3.
It filtered out and logged all packets.

8signs (build 3037)
It only logged 2 packets (null and xmas) but I did not see any packets pass, so looks like a lack of logging, but will check again on another setup

LnS (v206)
With SPI enabled.
It only filtered out the packets that are in the Internet filtering (such as null, xmas) and blocked the out of connection. But other packets (invalid flags/out of sequence) were not filtered out.

Well, that's highly technical !
  #190  
Old May 8th, 2008, 01:29 PM
Netherlands Netherlands is offline
Regular Poster
 
Join Date: Dec 2005
Posts: 155
Default Re: Inbound firewall

I really like this topic. I also think that the Outbound leaktests are getting out of hand. Every vendor is trying to pass these leaktests so there is less time to look at the inbound protection. A couple of years back I had a site to test my firewall for stateful inspection (I used Sygate at that time). I cannot remember the site but maybe someone else can remember it.


@Stem: Also if there is room left in your testing roundup I also would like to ask if you can test the firewall in Kaspersky KIS 2009. In this new version they have dropped the "stealth all ports" thing because of problems with P2P programs. Well, Stealth ports is of course not everything.
  #191  
Old May 8th, 2008, 02:19 PM
wat0114
 
Posts: n/a
Default Re: Inbound firewall

Thanks Stem! I hope you can check Jetico 2 and Agnitum's latest.
  #192  
Old May 8th, 2008, 03:50 PM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: Inbound firewall

Hi Netherlands,
Quote:
Originally Posted by Netherlands
@Stem: Also if there is room left in your testing roundup I also would like to ask if you can test the firewall in Kaspersky KIS 2009.
Yes, I will try and fit that in tomorrow.


- Stem
  #193  
Old May 8th, 2008, 03:58 PM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: Inbound firewall

Hi wat0114,

Quote:
Originally Posted by wat0114
Thanks Stem! I hope you can check Jetico 2 and Agnitum's latest.
I have just looked at Jetico2 (2_0_2_1). A little strange, it did filter out the null/xmas due to the packet filter rules, but it also filtered out (block all not processed) some of the invalid flagged packets such as syn/rst - fin/syn/psh, but it allowed others such as all flags set. It did also allow out of connection, so it is not checking TCP sequence.

-Stem
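
Added example (not part of the original posts and not code from any of the firewalls discussed): a minimal Python model of the inbound checks these tests probe, rejecting TCP flag combinations that are never legitimate and then requiring a tracked connection and an in-window sequence number. The function names, the sample address 192.0.2.10, the connection table layout and the fixed receive window are assumptions made for the illustration.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NAMED = {0: "null", FIN | PSH | URG: "xmas", 0x3F: "all-flags"}

def flag_verdict(flags):
    """Return why a flag combination is never legitimate, or None if plausible."""
    f = flags & 0x3F
    if f in NAMED:
        return NAMED[f]
    if f & SYN and f & (FIN | RST):       # e.g. syn/rst, fin/syn/psh
        return "syn-with-fin-or-rst"
    if not f & ACK and f not in (SYN, RST):
        return "missing-ack"              # only a bare SYN or RST may lack ACK
    return None

def check(conns, remote_ip, segment):
    """Verdict for one inbound TCP segment.
    conns maps (remote_ip, remote_port, local_port) -> (rcv_nxt, window) for
    connections the host opened. Simplification (assumption): rcv_nxt is given
    by the caller rather than learned from the handshake and advanced per segment.
    """
    sport, dport, seq, _ack, _off, flags, _win = struct.unpack("!HHIIBBH", segment[:16])
    reason = flag_verdict(flags)
    if reason:
        return "drop:" + reason
    state = conns.get((remote_ip, sport, dport))
    if state is None:
        return "drop:out-of-connection"
    rcv_nxt, window = state
    if (seq - rcv_nxt) & 0xFFFFFFFF >= window:   # modulo-2^32 distance from expected seq
        return "drop:out-of-sequence"
    return "pass"

def seg(sport, dport, seq, flags):
    """Build the first 16 bytes of a TCP header (constructed sample input)."""
    return struct.pack("!HHIIBBH", sport, dport, seq, 0, 5 << 4, flags, 8192)

def demo():
    conns = {("192.0.2.10", 80, 50000): (1000, 65535)}   # constructed sample state
    cases = {
        "null": seg(80, 50000, 1000, 0),
        "fin/syn/psh": seg(80, 50000, 1000, FIN | SYN | PSH),
        "all flags": seg(80, 50000, 1000, 0x3F),
        "out of connection": seg(443, 50001, 1000, ACK),
        "out of sequence": seg(80, 50000, 900000, ACK),
        "in window": seg(80, 50000, 1000, PSH | ACK),
    }
    return {name: check(conns, "192.0.2.10", raw) for name, raw in cases.items()}
```

A filter that stops after the named null/xmas rules would pass the last three flag cases through to the stack, which is the gap between rule-based filtering and sequence-aware stateful inspection that the results above describe.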
  #194  
Old May 8th, 2008, 05:00 PM
Netherlands Netherlands is offline
Regular Poster
 
Join Date: Dec 2005
Posts: 155
Default Re: Inbound firewall

Quote:
Originally Posted by Stem
Hi Netherlands,
Yes, I will try and fit that in tomorrow.


- Stem

Great news. KIS 2009 isn't officially released but I assume that you know where to get it.
  #195  
Old May 8th, 2008, 05:16 PM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: Inbound firewall

Quote:
Originally Posted by Netherlands
KIS 2009 isn't officially released but I assume that you know where to get it.
I have V8 RC2, is that the latest?
  #196  
Old May 8th, 2008, 05:23 PM
wat0114
 
Posts: n/a
Default Re: Inbound firewall

Quote:
Originally Posted by Stem
Hi wat0114,

I have just looked at Jetico2 (2_0_2_1). A little strange, it did filter out the null/xmas due to the packet filter rules, but it also filtered out (block all not processed) some of the invalid flagged packets such as syn/rst - fin/syn/psh, but it allowed others such as all flags set. It did also allow out of connection, so it is not checking TCP sequence.

-Stem

Thank you for all your efforts, Stem. This is a bit disappointing with J2. I expected better from it.
  #197  
Old May 8th, 2008, 05:50 PM
Netherlands Netherlands is offline
Regular Poster
 
Join Date: Dec 2005
Posts: 155
Default Re: Inbound firewall

Quote:
Originally Posted by Stem
I have V8 RC2, is that the latest?

No, its 8.0.0.357 (V8 TR, Technical Release)
  #198  
Old May 9th, 2008, 12:10 PM
ggf31416 ggf31416 is offline
Frequent Poster
 
Join Date: Aug 2006
Location: Uruguay
Posts: 313
Default Re: Inbound firewall

Can you test windows firewall as well?
  #199  
Old May 9th, 2008, 01:02 PM
aeonhuang aeonhuang is offline
Infrequent Poster
 
Join Date: Mar 2008
Posts: 7
Thumbs up Re: Inbound firewall

Hi, Stem. I am very surprised by the results. Although no longer updated, CHX-I is still the best. Can you tell me more about the details of the test? For example, testing methods, test data records, etc.
  #200  
Old May 9th, 2008, 02:13 PM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: Inbound firewall

Quote:
Originally Posted by Netherlands
No, its 8.0.0.357 (V8 TR, Technical Release)
Is there an open download? I need to be cautious, if it is closed/private then there will be restrictions on any reports/tests published.


- Stem
 
