Wilders Security Forums  

  #1  
Old May 22nd, 2003, 08:12 AM
Patrice Patrice is offline
Frequent Poster
 
Join Date: Apr 2003
Location: Antarctica
Posts: 571
Default Re:CHX-I Stateful Packet Filter 2.4.1

Hi CrazyM,

this software doesn't look that bad actually! Did you already test it? And did you already test it behind a router? Actually I use Look'n'Stop which has a Stateful Packet Inspection rule included. Pretty happy with that!

Best regards,

Patrice
__________________
I know nothing except the fact of my ignorance. (Socrates 470-399 bc)
  #2  
Old May 22nd, 2003, 09:13 AM
CrazyM CrazyM is offline
Firewall Moderator
 
Join Date: Feb 2002
Location: BC, Canada
Posts: 2,433
Default Re:CHX-I Stateful Packet Filter 2.4.1

Hi Patrice

Had your question moved here for discussion.

Topic from original post:
Quote:
CHX-I Stateful Packet Filter

"May 8th version update
Security Severity: N/A
Functionality impact: High
The 2.4.1 release contains a fix for stateful behavior in router installations. Due to a design error, the stateful mechanism would drop valid packets, consequently breaking proper TCP/UDP transmission.
Additionally, the 2.4.1 release corrects a potential problem with IP datagram length verification."

"May 6th version update
Security Severity: Medium
Functionality impact: Low
The 2.4 release corrects the behavior of the CRW/ECE flag which previously required a re-start of the packet filter driver for the changes to take effect. This version introduces two alternate ways to deal with IP fragmentation issues. See manual for details.
A bug in the remote management client was corrected. Refreshing logs while having selected a log entry would cause the client process to hang."

For full details: http://www.idrci.net/idrci_products.htm

While not for everyone, anyone looking for a good stateful packet filter for W2K/XP this is definitely worth a look. Free for personal use.

I am currently having another look at it. Works well stand alone or behind a router.

Rules configuration is approached a little differently compared to other main stream software firewalls, but when configured properly, affords excellent control.

The reason I commented it may not be for everyone is the rules configuration and the fact it is a traditional packet filter with no application control. To quote their help file "The Packet Filter offers a simple, effective, no non-sense alternative to either insufficient native IP filtering mechanisms or expensive third party bloat ware."

Regards,

CrazyM
__________________
"The best thing we can do in cyberspace is exactly what we do in the real world: do our best to manage the risks."
- Bruce Schneier
  #3  
Old May 22nd, 2003, 09:23 AM
CrazyM CrazyM is offline
Firewall Moderator
 
Join Date: Feb 2002
Location: BC, Canada
Posts: 2,433
Default Re:CHX-I Stateful Packet Filter 2.4.1

Quote (Patrice):
Actually I use Look'n'Stop which has a Stateful Packet Inspection rule included. Pretty happy with that!

Hi Patrice

A little quote from the help file re stateful inspection in CHX-I:

Quote:
As opposed to the classic static packet filtering methodology where each packet is inspected on an individual basis, the CHX-I stateful mechanism tries to analyze each packet in the context of traffic history, correctness of IP/TCP header values and TCP connection state transitions. In the case of stateless protocols (e.g. UDP) a pseudo-stateful mechanism is implemented based on historical traffic analysis.

While an exhaustive analysis of TCP state transitions and behavior correctness is beyond the scope of this manual, the CHX-I stateful mechanism generally acts the following way:
- A packet is passed through the stateful routine if it is explicitly allowed via static filters.
- The packet's examined if it belongs to an existing connection by checking the CHX-I connection table for matching end points
- The TCP header is examined for correctness (e.g. sequence numbers, flag combination)

Once enabled, the stateful engine is applied to all traffic traversing the interface.

The UDP pseudo-stateful mechanism - by default - simply rejects any incoming "unsolicited" UDP packets. If the packet filter operator is running a legit UDP server, she MUST explicitly allow (via static filters) traffic to that particular service. For instance, in a non-prohibitive IP policy, if there is a DNS server running, a "Force Allow" rule permitting UDP traffic to port 53 is required.

Regards,

CrazyM
__________________
"The best thing we can do in cyberspace is exactly what we do in the real world: do our best to manage the risks."
- Bruce Schneier
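
The decision order in the help-file excerpt above, as an added example that is not part of the original posts and not CHX-I code: a toy connection table that passes inbound packets only when they match earlier outbound traffic, rejects unsolicited UDP, and honours a static "Force Allow" for a UDP service port. Class, field and function names are hypothetical, addresses are constructed documentation-range values, and sequence-number checks are not modelled.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" or "out"
    proto: str                      # "TCP" or "UDP"
    local: tuple                    # (ip, port) on the protected host
    remote: tuple                   # (ip, port) of the peer
    flags: frozenset = frozenset()  # TCP flags; empty for UDP

@dataclass
class ToyStatefulFilter:
    force_allow_udp: set = field(default_factory=set)  # static "Force Allow" ports
    table: set = field(default_factory=set)            # (proto, local, remote)

    def check(self, p):
        key = (p.proto, p.local, p.remote)
        if p.direction == "out":
            # Outbound traffic is the history that inbound packets are matched against.
            if p.proto == "UDP" or p.flags == {"SYN"}:
                self.table.add(key)
            return "pass"
        if p.proto == "UDP":
            # Pseudo-stateful UDP: a reply to earlier traffic, or an allowed service port.
            if key in self.table or p.local[1] in self.force_allow_udp:
                return "pass"
            return "drop: unsolicited UDP"
        if key not in self.table:
            return "drop: no matching connection"
        # Header sanity: no flags at all, or SYN together with FIN, is never valid.
        if not p.flags or {"SYN", "FIN"} <= p.flags:
            return "drop: invalid flag combination"
        return "pass"

def demo():
    # Constructed endpoints (documentation address ranges).
    host, peer, dns = ("192.0.2.10", 40000), ("198.51.100.7", 80), ("192.0.2.10", 53)
    fw = ToyStatefulFilter(force_allow_udp={53})
    return [
        fw.check(Packet("in", "TCP", host, peer, frozenset({"ACK"}))),   # stray ACK
        fw.check(Packet("out", "TCP", host, peer, frozenset({"SYN"}))),  # client connects
        fw.check(Packet("in", "TCP", host, peer, frozenset({"SYN", "ACK"}))),
        fw.check(Packet("in", "TCP", host, peer, frozenset())),          # no flags
        fw.check(Packet("in", "UDP", host, ("198.51.100.7", 5000))),     # unsolicited
        fw.check(Packet("in", "UDP", dns, ("198.51.100.7", 5000))),      # DNS service
    ]
```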
  #4  
Old May 22nd, 2003, 10:11 AM
Patrice Patrice is offline
Frequent Poster
 
Join Date: Apr 2003
Location: Antarctica
Posts: 571
Default Re:CHX-I Stateful Packet Filter 2.4.1

Hi CrazyM,

sounds interesting indeed! Sorry that I have posted in the wrong forum, I just realized it afterwards that you shouldn't reply in the Update forum...

I only can talk about the Stateful Packet Inspection of Look'n'Stop. In the help file it mentions this like that:

'TCP Stateful Packet Inspection': if the option is selected, Look 'n' Stop watches the TCP connections and verifies that all TCP inbound and outbound packets belong to an active connection. If not, an alert is displayed in the log page. If this option is selected an additional button (Connections) is available in the log patch to see the active TCP connections.

I tested this function with several online tests and 'home-made' attacks (Superscan, nmap,...). Quite impressive though! There are quite a lot of packets which are intercepted. But I'm really interested in your tests with this CHX-I. Did you already perform any or do you need to get accustomed to it first? Perhaps Phant0m will join our discussion as well. He might be interested in this tool as well. He tested the TCP Stateful Packet inspection also.

Best regards,

Patrice
__________________
I know nothing except the fact of my ignorance. (Socrates 470-399 bc)
  #5  
Old May 22nd, 2003, 10:40 AM
CrazyM CrazyM is offline
Firewall Moderator
 
Join Date: Feb 2002
Location: BC, Canada
Posts: 2,433
Default Re:CHX-I Stateful Packet Filter 2.4.1

Quote (Patrice):
But I'm really interested in your tests with this CHX-I. Did you already perform any or do you need to get accustomed to it first?

When initially configuring the rule set I took the router/gateway out of the picture to test it. No problem with the few test sites I went to, stealth all around.

I saved off the log entries from the pcflank stealth test:

2003/05/04 21h:40min:33sec, Direction:Incoming, Interface: xx xx xx xx xx xx , Protocol:TCP, Flags: ACK, from IP:195.131.4.164, Port:53551, to IP:142.173.17.132, Port:1, Filter

2003/05/04 21h:40min:39sec, Direction:Incoming, Interface: xx xx xx xx xx xx , Protocol:TCP, Flags: ACK, from IP:195.131.4.164, Port:53552, to IP:142.173.17.132, Port:1, Filter

2003/05/04 21h:40min:45sec, Direction:Incoming, Interface: xx xx xx xx xx xx , Protocol:TCP, Flags: ACK, from IP:195.131.4.164, Port:53553, to IP:142.173.17.132, Port:1, Filter

2003/05/04 21h:40min:51sec, Direction:Incoming, Interface: xx xx xx xx xx xx , Protocol:TCP, Flags: ACK, from IP:195.131.4.164, Port:53554, to IP:142.173.17.132, Port:1, Filter

2003/05/04 21h:40min:58sec, Direction:Incoming, Interface: xx xx xx xx xx xx , Protocol:TCP, Flags: ACK, from IP:195.131.4.164, Port:53555, to IP:142.173.17.132, Port:1, Filter

2003/05/04 21h:41min:04sec, Direction:Incoming, Interface: xx xx xx xx xx xx , Protocol:TCP, Flags:, from IP:195.131.4.164, Port:41009, to IP:142.173.17.132, Port:1, Filter

2003/05/04 21h:41min:10sec, Direction:Incoming, Interface: xx xx xx xx xx xx , Protocol:TCP, Flags:, from IP:195.131.4.164, Port:41010, to IP:142.173.17.132, Port:1, Filter

2003/05/04 21h:41min:32sec, Direction:Incoming, Interface: xx xx xx xx xx xx , Protocol:TCP, Flags: FIN, from IP:195.131.4.164, Port:56190, to IP:142.173.17.132, Port:1, Filter

2003/05/04 21h:41min:38sec, Direction:Incoming, Interface: xx xx xx xx xx xx , Protocol:TCP, Flags: FIN, from IP:195.131.4.164, Port:56191, to IP:142.173.17.132, Port:1, Filter

2003/05/04 21h:41min:44sec, Direction:Incoming, Interface: xx xx xx xx xx xx , Protocol:TCP, Flags: URG PSH FIN, from IP:195.131.4.164, Port:36365, to IP:142.173.17.132, Port:1, Filter

2003/05/04 21h:41min:50sec, Direction:Incoming, Interface: xx xx xx xx xx xx , Protocol:TCP, Flags: URG PSH FIN, from IP:195.131.4.164, Port:36366, to IP:142.173.17.132, Port:1, Filter

2003/05/04 21h:41min:56sec, Direction:Incoming, Interface: xx xx xx xx xx xx , Protocol:UDP, Flags: - NA -, from IP:195.131.4.164, Port:59469, to IP:142.173.17.132, Port:1, Filter

2003/05/04 21h:42min:02sec, Direction:Incoming, Interface: xx xx xx xx xx xx , Protocol:UDP, Flags: - NA -, from IP:195.131.4.164, Port:59470, to IP:142.173.17.132, Port:1, Filter

You can see from the details in the logs that it correctly identifies/blocks and logs the different types of stealth scans.

Regards,

CrazyM
__________________
"The best thing we can do in cyberspace is exactly what we do in the real world: do our best to manage the risks."
- Bruce Schneier
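
A way to triage log entries in the format posted above, as an added example that is not part of the original post or of CHX-I: it parses each line and groups dropped inbound packets by source and flag pattern. The sample lines are constructed in the same field layout with documentation-range addresses, and the probe labels are common scanner terminology assumed here, not CHX-I output.

```python
import re
from collections import Counter

# Field layout taken from the log lines in the post above.
LINE_RE = re.compile(
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}h:\d{2}min:\d{2}sec), Direction:(?P<dir>\w+), "
    r"Interface:[^,]*, Protocol:(?P<proto>\w+), Flags:(?P<flags>[^,]*), "
    r"from IP:(?P<src>[\d.]+), Port:(?P<sport>\d+), "
    r"to IP:(?P<dst>[\d.]+), Port:(?P<dport>\d+)"
)

# Flag sets that never legitimately arrive for a connection the host did not open.
PROBE_NAMES = {
    frozenset(): "NULL probe (no flags)",
    frozenset({"ACK"}): "ACK probe",
    frozenset({"FIN"}): "FIN probe",
    frozenset({"URG", "PSH", "FIN"}): "Xmas probe (URG+PSH+FIN)",
}

def classify(line):
    """Return (source_ip, dest_port, label), or None for a line that does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m["proto"] == "UDP":
        kind = "UDP probe"          # the Flags field reads "- NA -" for UDP
    else:
        flags = frozenset(m["flags"].split())
        kind = PROBE_NAMES.get(flags, "other TCP: " + " ".join(sorted(flags)))
    return m["src"], int(m["dport"]), kind

def summarize(lines):
    """Count dropped packets per (source_ip, label)."""
    counts = Counter()
    for line in lines:
        rec = classify(line)
        if rec:
            counts[(rec[0], rec[2])] += 1
    return counts

# Constructed sample lines (not the entries from the post).
SAMPLE = """\
2003/05/04 21h:40min:33sec, Direction:Incoming, Interface: xx xx xx xx xx xx , Protocol:TCP, Flags: ACK, from IP:198.51.100.7, Port:53551, to IP:192.0.2.10, Port:1, Filter
2003/05/04 21h:40min:39sec, Direction:Incoming, Interface: xx xx xx xx xx xx , Protocol:TCP, Flags: ACK, from IP:198.51.100.7, Port:53552, to IP:192.0.2.10, Port:1, Filter
2003/05/04 21h:41min:04sec, Direction:Incoming, Interface: xx xx xx xx xx xx , Protocol:TCP, Flags:, from IP:198.51.100.7, Port:41009, to IP:192.0.2.10, Port:1, Filter
2003/05/04 21h:41min:44sec, Direction:Incoming, Interface: xx xx xx xx xx xx , Protocol:TCP, Flags: URG PSH FIN, from IP:198.51.100.7, Port:36365, to IP:192.0.2.10, Port:1, Filter
2003/05/04 21h:41min:56sec, Direction:Incoming, Interface: xx xx xx xx xx xx , Protocol:UDP, Flags: - NA -, from IP:198.51.100.7, Port:59469, to IP:192.0.2.10, Port:1, Filter
"""
```

Several different probe labels from one source against the same port within a short window is the pattern a stealth-test site or a port scanner produces.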
  #6  
Old May 22nd, 2003, 12:30 PM
Patrice Patrice is offline
Frequent Poster
 
Join Date: Apr 2003
Location: Antarctica
Posts: 571
Default Re:CHX-I Stateful Packet Filter 2.4.1

VERY interesting!! Thanks for this nice piece of information. Yes, this tool is really a nice one!

But as far as I understand, it's only a Stateful Packet Filter, right? Nothing more, that means you still need a firewall or a router. Right?

But overall a very nice tool indeed!

Regards,

Patrice

P.S. Did you already test it with nmap? Would be an interesting test indeed, because you can make different stealth attacks as well, which go further than PC Flank as far as I know.

__________________
I know nothing except the fact of my ignorance. (Socrates 470-399 bc)
  #7  
Old May 23rd, 2003, 05:17 AM
CrazyM CrazyM is offline
Firewall Moderator
 
Join Date: Feb 2002
Location: BC, Canada
Posts: 2,433
Default Re:CHX-I Stateful Packet Filter 2.4.1

Quote (Patrice):
But as far as I understand, it's only a Stateful Packet Filter, right? Nothing more, that means you still need a firewall or a router. Right?

I would consider a packet filter a firewall. In the case of CHX-I it offers only stateful packet filtering. A lot of users now are looking for and/or wanting more out of a firewall. Such as application control and more recently program launch and component control. For those wanting these features, then CHX-I may not be for them. There are also other alternatives for application control that could be used in conjunction with something like CHX-I.

As for the need of the router, as always they afford good protection independent of your system, but would be the choice of the user, it would not necessarily be required.

Quote:
P.S. Did you already test it with nmap? Would be an interesting test indeed, because you can make different stealth attacks as well, which go further than PC Flank as far as I know.

No, I did not have the opportunity to do that. From what testing I did do, I don't imagine it would have a problem dealing with any unsolicited inbound traffic.

Regards,

CrazyM
__________________
"The best thing we can do in cyberspace is exactly what we do in the real world: do our best to manage the risks."
- Bruce Schneier
  #8  
Old May 23rd, 2003, 06:09 AM
Patrice Patrice is offline
Frequent Poster
 
Join Date: Apr 2003
Location: Antarctica
Posts: 571
Default Re:CHX-I Stateful Packet Filter 2.4.1

Hi CrazyM,

Quote (CrazyM):
As for the need of the router, as always they afford good protection independent of your system, but would be the choice of the user, it would not necessarily be required.

I'm really happy that Look'n'Stop provides TCP Stateful Packet Inspection. There are quite a few packets which pass the router in some way and are blocked by my firewall. That's why I think this tool could provide some additional security for those who have a router but don't wanna use a software firewall next to it.

Regards,

Patrice
__________________
I know nothing except the fact of my ignorance. (Socrates 470-399 bc)
 
