Inbound firewall

Discussion in 'other firewalls' started by feniks, Nov 18, 2007.

Thread Status:
Not open for further replies.
  1. Stem
    Stem Firewall Expert

    Diver-
    There are many articles, such as "Drive-by on routers". So are you referring to actual browser exploits?


    (attachment: op_attack.JPG)
  2. Stem
    Stem Firewall Expert

    See post #40

    Sorry, bad week,.. please explain more.
  3. wat0114
    wat0114 Guest

    What are your thoughts on Outpost's Attack plug-in, Stem. Effective or ineffective?
  4. Stem
    Stem Firewall Expert

    They are effective on what they are intended for (but they introduce an extra process for each packet, and do slow down connections. Correct/full SPI would drop most without a need for an external process).
  5. feniks
    feniks Registered Member

    Sorry for my bad English, held off = stop testing = did not test it yet. :oops:

    I mean something like this:

    http://www.wilderssecurity.com/showpost.php?p=1111050&postcount=145

    So I was wondering if that is some SPI filtering?

    In CHX-I with WAN start rules and all inspections (ARP, TCP, UDP, ICMP) checked, also the same entries, and the reason was "out of connection", flags ACK RST.

    So can I assume that Webroot has some SPI filtering similar to CHX-I and that is the reason for the blocking?
  6. Diver
    Diver Registered Member

    Stem,

    I thought it was clear that I was referring to browser attacks.

    As far as the router attack you link to goes, anyone who does not change the default password on their router is making a mistake. I have walked into businesses with free wifi for customers and accessed their router via the default password, then called the manager and explained the situation to them just to see the expression on their face. This often happens at scuba diving shops where they are more focused on life underwater than above.

    Thanks for the screenshot, but what does the plug-in do? Does it simply identify the attack? Does Outpost or the typical personal firewall repel these attacks? What is a Nestea attack, is it like Long Island ice tea?
  7. Stem
    Stem Firewall Expert

    Don't worry, my English is bad, I only fully understand binary/hex

    Don't know without further info (header info, current connection etc.)

    "Out of connection" - This can represent either a non-SYN scan or a packet arriving after a particular timeout value has caused the tear down of a connection. The same applies to an unsolicited UDP/ICMP packet.
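    To make the "out of connection" verdict concrete, here is a small stateful inspection tracker; it is an added example, not code from CHX-I, Webroot or any product in the thread, and the packet layout, the 60-second idle timeout and the addresses in the trace are assumptions/constructed:

```python
# Toy stateful packet inspection (SPI) table. Added example, not code from
# CHX-I, Webroot or any product named in the thread. It reproduces the
# "out of connection" verdict: a non-SYN TCP packet with no tracked
# connection is dropped, and so is a packet arriving after the idle timeout
# tore the connection down. Packet layout and timeout are assumptions.
from dataclasses import dataclass

IDLE_TIMEOUT = 60.0  # seconds; assumed, real firewalls use per-state timeouts


@dataclass
class Packet:
    src: str        # sender as "ip:port"
    dst: str        # receiver as "ip:port"
    flags: set      # TCP flags, e.g. {"SYN"} or {"ACK", "RST"}
    t: float        # arrival time in seconds
    outbound: bool  # True when the protected host sent it


class SpiTracker:
    def __init__(self):
        self.table = {}  # (local, remote) -> time of last packet seen

    def _key(self, p):
        return (p.src, p.dst) if p.outbound else (p.dst, p.src)

    def _expire(self, now):
        dead = [k for k, last in self.table.items() if now - last > IDLE_TIMEOUT]
        for k in dead:
            del self.table[k]  # timeout tears the connection down

    def inspect(self, p):
        """Return ('PASS', reason) or ('DROP', reason) for one TCP packet."""
        self._expire(p.t)
        key = self._key(p)
        if "SYN" in p.flags and "ACK" not in p.flags:
            if p.outbound:
                self.table[key] = p.t  # host opened a connection: track it
                return ("PASS", "new outbound connection")
            return ("DROP", "unsolicited SYN")  # no inbound allow rule here
        if key in self.table:
            self.table[key] = p.t
            if "RST" in p.flags or "FIN" in p.flags:
                del self.table[key]  # simplified: real SPI tracks FIN/ACK
            return ("PASS", "established")
        return ("DROP", "out of connection")


def run_sample_trace():
    """Constructed trace: a normal handshake, a reply arriving after the idle
    timeout, and a stray ACK RST from a host we never talked to."""
    spi = SpiTracker()
    me, srv, stray = "192.0.2.10:40000", "198.51.100.5:80", "203.0.113.9:443"
    trace = [
        Packet(me, srv, {"SYN"}, 0.0, True),
        Packet(srv, me, {"SYN", "ACK"}, 0.1, False),
        Packet(me, srv, {"ACK"}, 0.2, True),
        Packet(srv, me, {"ACK"}, 100.0, False),          # late: state expired
        Packet(stray, me, {"ACK", "RST"}, 100.5, False),  # never in the table
    ]
    return [spi.inspect(p) for p in trace]
```

    The last two verdicts are the "out of connection" entries the log shows: one because the state timed out, one because the flags ACK RST packet never had a connection to belong to.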
  8. feniks
    feniks Registered Member

    Unfortunately nothing like that in the log. :mad:

    Is there any way I can test/check it? I mean SPI implementation.

    Or it is something beyond regular user like me?
  9. Stem
    Stem Firewall Expert

    If you are having problems or concerns, then install a sniffer, then at least we can see the full packets.
    Example: use Ethereal or Wireshark, both free.
  10. feniks
    feniks Registered Member

    Hi Stem. Thank you very much for the answers. I consider them carefully and my bank of questions gradually becomes emptier. :)

    I hope you have not become impatient with me yet.

    While I read the replies in this thread and Wilders at large I come to some conclusions (which please - can you confirm/reject/answer):

    1. CHX-I is really decent in inbound filtering and protection and is not inferior to any of the popular firewalls today in this area of protection.

    2. All I need is decent outbound control and I will have quite a good firewall solution (CHX-I + outbound controlled with something)

    3. You suggested HIPS and I am familiar with OA and DSA. Will that give me sufficient outbound control? Maybe there is something like HIPS that gives me control over application connections (rules restricting where they can go, maybe even IP control, not just ports).

    4. I observe that if I use Webroot firewall together with CHX-I then nothing is shown in WDF logs - all is in CHX-I logs. Does that mean that CHX-I filtering is before Webroot firewall?

    I hope you can answer these questions. I will be really thankful and satisfied. :D

    EDIT: PS. This Wireshark you mean I guess: Wireshark, because both your links are to Ethereal. Do I need to download Ethereal or will only Wireshark be fine to play with?
    Last edited: Nov 23, 2007
  11. Stem
    Stem Firewall Expert

    Diver,
    It was not clear (please point to the post of clarity)

    Would this be the same as your statement of users in front of "Matousec" computers on test of leaks?

    What is "Long Island ice tea", is this a related attack, or simply bullshit, as I am finding your posts
  12. Phant0m
    Phant0m Registered Member


    A cocktail..., including many ingredients :)
  13. Stem
    Stem Firewall Expert

    LOL:D
  14. wat0114
    wat0114 Guest

    Thank you Stem. Without elaborating on how, I will bring this up with Agnitum's developers.
  15. Diver
    Diver Registered Member

    Stem,

    My posts are not BS, and I feel sorry for you if you think that. My impression is that you are so immersed in the technology that you are losing sight of its practical implications and how ordinary computer users may benefit from it. That is not unlike the publishers of some of the very noisy and inconvenient to use HIPS programs or HIPS enabled firewalls. I am not sure if you are being a knowledge snob, lack written communications skills, or have become so comfortable with the technology that you have lost sight of how little everyone else understands, but you tend to dance around the answers and don't provide much usable information in the end.

    From what I can distill from your fragmented answers it appears that the Outlook plug-in does no more than alert one to the type of attack, but does nothing to block it as you say a good packet filter will do that. The unanswered question is whether Matousec's statement that nearly all firewalls are effective at blocking undesirable inbound communications is true. I would expect there are differences in performance and that would be particularly desirable if many machines were behind a single firewall/gateway, but for the ordinary Joe, it probably does not matter.

    Perhaps you did not understand my statement about users in front of Matousec's test computers. Simply, if the average Joe was faced with an actual exploit based on the concepts in the leak tests that Matousec uses he would receive some cryptic warning from the firewall or HIPS in question and more likely than not give the wrong response because he is concentrating on something else and has not a clue as to what is really going on to start with. Some products would give the user a better idea of the severity of the situation and thus the user would have a better chance of making the correct decision. However the less that the user is called upon to interact with the firewall or HIPS the less likely he is to do something wrong. A HIPS or firewall that never shuts up under safe conditions conditions the user to say yes to everything, thus undermining its purpose. For these reasons I believe many popular products will not accomplish their intended goal. In real life these will not perform as they do in the lab with experts manning the controls.

    As for Long Island Iced Tea, it's the real deal, no BS:

    1 jigger Vodka
    1 jigger Gin
    1 jigger Triple Sec
    1 jigger Tequila
    1 jigger White Rum
    2 jiggers Sour Mix
    Add Coke until it is the color of Iced Tea and serve over ice in a tall glass.

    Two of these and you will not care about anything. Do not attempt to drive a car. Now, if you can provide that level of detail in your answers, the members around here might get educated, no BS.
  16. Phant0m
    Phant0m Registered Member

    "The ability of a firewall to give "Stealth" in no way shows its ability to give inbound protection." ... Stem statement is so very true, and nicely said too!

    Kerodo; There's good reason why many wouldn't see any kind of 'real attack' on either their routers or software firewalls. In regards to routers, not every router contains SPI capability, and the ones that do require the user to be capable of accessing its settings, and visiting the logs without getting lost. You may have a router with SPI capability but not activated, or activated but not set to log. If the user could locate the Logs section, how long are entries kept with it? How often do the users visit the router's logs area? And would the user simply glance over some of the logging entries? Would the user even know what they are looking for? Not every router SPI shares the same implementation and logging characteristics. What do you think boots the router devices? ... software of course. And exactly what is its SPI implementation based upon? Does the router detail its SPI technical details, does it have a full or stateful-like SPI implementation? ... much of this applies the same for installed software firewalls.


    Diver; So it's simply ignorance on the subject which prevents you from determining if a strong stateful software firewall product is of importance? I would also like to think that ignorance would also be what prevents most from stating something is useless and of no importance... I do recall several firewall experts, who most likely studied the subject on a technical level, stating the importance of SPI capability. So what's there to discuss or argue about? Seeking technical information about this capability is okay..., of course, but debating over and over again whether it's of importance or not, I find very much a waste of time.


    There are several reasons that make stateful packet inspection a very important firewall feature to have: it can handle malformed, invalid traffic and other malicious / unsolicited packets. For full / complex SPI, the router/software can drop different packets such as Denial of Service (DoS) attacks, Ping of Death, Port Scanning, SYN Flood, LAND Attack, and IP Spoofing.



    Best Regards,
    Phant0m``
  17. Kerodo
    Kerodo Registered Member

    I guess all I'm saying is, for all practical purposes, all these technical details make no difference anymore to me. I buy a cheap $40 NAT router, I don't even know if or what kind of SPI capability it has, nor do I care. I slap the router in place, plug it in, and I have no further troubles as far as inbound protection goes. I use it for years, never giving it a 2nd thought. And no further thought required.... ;)
  18. Pedro
    Pedro Registered Member

    Diver, as Stem said, I also think that
    To give a different perspective, Alphalutra1 showed here some time ago his OpenBSD's pf ruleset, and how simple it is, yet how advanced it is.
    The average joe never heard of HIPS or tried any firewall, any conclusion derived from this is wrong. I know maybe 1 person that has heard of Comodo, Jetico, SSM etc.
    They are lucky if they use an up to date AV.
    The HIPS will alert of something about to start, or something set in motion. Not having it is the same or worse than not having, never better (excluding whatever CPU it uses etc.).
    A good one should be silent after being configured. SSM free is silent here (most of the time disconnected) and I can now understand the big picture of its policies, pop-ups and GUI.
    One that does not go silent after being set up is one that isn't finished (I have a hunch that's the case with D+).
  19. feniks
    feniks Registered Member

    I think that people and the makers of firewalls are so focused on leaking and outbound because of two sites - matousec and firewallleaktester. They are there and that for average people is some authoritative source of knowledge about firewalls.

    Of course many people find their knowledge from some reviews which I found ridiculous at least and they do not prove anything. (How nice the GUI is :) etc.)

    But can somebody direct me to tests on firewall inbound protection? Maybe where they test even only the SPI filtering implementation?

    NO.

    Then if somebody is more inquiring/digging then maybe start reading forums. Look here on Wilders - how much can you find about it? Such and such firewall this and this about inbound.

    General theory yes - but nothing practical like which firewall should I buy if I need good inbound protection?

    So people choose firewall based on matousec. Here Diver is right that for average user it will be useless because of lack of knowledge what to do. By the way I think you guys do not understand his point but maybe that is me and my english.

    So I believe that inbound can be less troublesome in maintenance for the average user and is important. But no maker of firewalls will care about it if they do not have to. People do not even ask about it. But if they ask they do not get an answer.

    I asked on the Comodo forum about that aspect of CF and no answer. Look what happened to Comodo firewall, but did they change anything about inbound, SPI? Why and who asked for that?

    Here you can see how many answers I get about the specific firewalls I asked.

    So the forum seems useless as a source of such information. I can live with that, maybe I will dig on my own, but the average user?

    So unless you experts start answering questions or start some test site with inbound testing we will be in matousec leak testing realms. And makers will ignore the inbound side (I read Stem and Mike's discussion about OA). Finally the firewall will end up as anything but a firewall.

    I am close to going Kerodo's way because it starts to be too frustrating to be so helpless. And I do not plan to change profession to be a firewall expert/tester.
  20. feniks
    feniks Registered Member

    I do not agree with that. All my friends are using Comodo 2/3 or OA because of Matousec. And they spread the word. :) They are the local experts because they know English and read matousec. :) And in my country people care more about the price of the software so...

    The same way I found Comodo and OA but they simply do not work for me so I dig further.
  21. Pedro
    Pedro Registered Member

    If they are the local experts, that's not exactly a good sample is it?
  22. feniks
    feniks Registered Member

    I did mean local in where they are, but I have many such friends all over the country.

    Well I will put it that way: I know very few people with a computer who did not hear about Comodo. And everybody I know has AV and the Windows XP firewall at least.

    I did not say that is the general situation, just my experience does not agree with yours. :)

    Your sample was not good either, just one man's experience - yours.

    I am talking about the average person who is using the internet, searches before buying, and you are talking about people below average for me. I agree - such people do not even have AV. But people with AV soon start looking for a firewall etc. And they will find matousec and download Comodo. And become local experts. :)

    So inbound protection has a hard time.

    Edit: Maybe average joe means somebody below average? Like a blonde chick in my country?
    Last edited: Nov 23, 2007
  23. Diver
    Diver Registered Member

    Perhaps someone would like to tell us if any of the widely used firewalls have a proper SPI implementation or not. Will any of them be breached by malicious inbound packets? By widely used I mean the built-in Windows firewalls in XP and Vista, various versions of Zone Alarm, Comodo 2.4 (3.0 is too new), Sunbelt/Kerio and Sygate. Judging from polls on Matousec's site and DSLR, these account for a major share of what is in use.

    There are advocates of CHX-1, Jetico, Look'n'Stop, 8Signs, Injoy and perhaps Ghostwall. How do these compare against each other and do they really (not in theory) provide better inbound protection than the widely used firewalls? Altogether, not very many people use these even though several are free.

    Popularity may not prove quality, but it certainly measures impact and relevance. I can safely say that the popular products excel in ease of use. The surveys don't tell the whole story either. I bet there is a lot of NIS 200X around because it comes on many new computers. Those are not the same people that hang out here, at DSLR or Matousec.

    Where is the real difference, or is Matousec right when he says most of them have the inbound side right? Frankly, I can't seem to disprove this, nor has anyone else around here taken a good shot. Furthermore I can't seem to find anything that says a typical (Linksys, Buffalo, Netgear, D-Link) router or wireless access point that costs $50, give or take, does not keep the bad stuff out, save for morons that don't change the default password.

    Don't get me wrong, I don't think any of the products in the list starting with CHX-1 are bad. They are just harder to use, only two have outbound filtering, and 8Signs does not work correctly with eMule. I have tried them all...
  24. Phant0m
    Phant0m Registered Member

    Firewall developers and their users got hyped on outbound filtering and on having it cover known leak methods demonstrated by different leaktests loooong before matousec came into the picture... Just now they have common ground, to learn and improve and be competitive with their implementations.

    SPI shouldn't be treated as if it's something that just recently came into existence and we have little understanding of; it has been in existence since the early 1990's. So now you can just imagine how much time was available to understand fully everything technical about SPI. Like it or not, the best, the security/firewall experts have already spoken: static packet filtering is no match.

    feniks; you can agree all you like with anyone, the thing that remains is ignorance, and ignorant remarks. Most SPI implementations are already set and forget, no special knowledge is required to be running and behind SPI.


    Regards,
    Phant0m``
  25. dmenace
    dmenace Registered Member

    Hello,

    There seems to be quite an argument going on in this thread!

    I haven't read every post but this is what I understand the question being asked is:

    Which firewalls offer good inbound filtering? What do you look for / how can you tell?

    Most people here know that SPI is an essential feature. But is there anything else apart from SPI that will give a firewall better inbound filtering?

    Earlier on I posted about Sygate. Why? Well, have a look at the various inbound filtering techniques it uses in addition to SPI. Note "Smart DNS, Smart WINS and Smart DHCP" (see attachment).

    These are the features that you should look for in addition to SPI that will improve the inbound filtering of your firewall. :thumb:

    Attachment here:
    http://www.geocities.com/zeroday_software/sygate.rtf

    Edit: Merged
    Last edited: Nov 23, 2007