Inbound firewall

Discussion in 'other firewalls' started by feniks, Nov 18, 2007.

Thread Status:
Not open for further replies.
  1. feniks

    feniks Registered Member

    Yes I am ignorant, but when I read the discussion of Stem with Mike about the lack of full SPI in OA, or Stem with Melih about SPI in Comodo, or when I read about filtering in CHX-I (I was using it and I know what SPI options it has), then even if I am ignorant I do understand that this is something that a good firewall should have.

    If CHX-I should be the benchmark then OA is a loser, the same way as Windows XP in the matousec tests. Maybe it will lose even against the XP firewall?
    Or I am completely wrong. Or does it not matter if there is SPI and how good it is?

    You have to agree that not all popular firewalls have it even Jetico implementation is not perfect.

    Why I should not look for such answer? Or nobody here knows the answer?

    EDIT. Well, I read it again and I have to admit I do not understand what you are talking about. About with whom I agree with what? And you are talking about my ignorance and my ignorant remarks? Where did I say that special knowledge is required to be protected by SPI? So what if SPI is from 1990 - does OA have it, and in full: deep packet inspection, pseudo UDP and ICMP, or only TCP SYN (all out is allowed in)? Sorry for my English, you are an expert so you know what I mean.
    Last edited: Nov 23, 2007
  2. Phant0m

    Phant0m Registered Member

    feniks, I agree that many places people decide to go and take advice from are so very ridiculous; there are so many amateurs out there who discuss things they have little to no knowledge of. Trying to find reliable sources can be difficult at times; it isn't impossible, but it does require self-dedicated investigation.

    I don't think many will be able to answer which is the best firewall for inbound; there aren't even many technical details from product developers on their implementations. I agree it isn't easy to get technical details when asking the product developers, but you shouldn't at least try.

    I find it really sad that Comodo PF or any developer wouldn't respond happily with technical details regarding their product feature implementations, ... like for SPI. I have even been curious from afar about exactly their SPI implementation. I guess one is going to have to download and install and run extensive tests to get the answers.


    Diver, that's a very good question, "any of the widely used firewalls have a proper SPI implementation or not". I think it would be very reliable to get product technical details of their SPI implementations; I think each user of a different firewall should contact their product developer and ask for technical details. Then posting it all in one location would be very much appreciated... :)

    Matousec must have been in reference to products' static packet filtering capabilities... and up against online web scanners....


    dmenace; It's also very good to know, even more so for some, how their product's SPI works, and I really cannot complain.

    Yet another very good question "But is there anything else apart from SPI that will give a firewall better inbound filtering?". :)


    Regards,
    Phant0m``
  3. Phant0m

    Phant0m Registered Member

    Hi feniks,

    You are of course right, it's important to find out how different software products implement SPI, before we can really make opinions even.

    You surely aren't doing any wrong by seeking such answers, I'm actually excited to see people ask questions about firewall products inbound filtering capabilities. Good job!
  4. Kerodo

    Kerodo Registered Member

    feniks, you are right to ask questions like this, and you are not ignorant either. With all due respect to our local experts here like Stem and Phantom, who are both quite knowledgeable, I think nobody has any really good and *practical* answers for you.

    You can try to obtain tech specs from the developers if you like, and research further, it's up to you. If you do, please share your findings..

    My personal take on all this is that there isn't much point in getting buried in a lot of tech details. I used to install and test and experiment with all the various software firewalls available a year or two ago. It was fun. Then I got a router, dropped the software firewalls, and have been happy ever since. I believe that for any home user, that's all one needs. In fact, for any normal home user, almost *any* bug-free software firewall will be good enough too, including the Win firewall if you like. Remember, we're talking inbound here.

    Now I'm sure people can and will argue with this, but put it to the test and see. That's what really matters and counts, not 1000 technical details and/or expert opinions.

    Again, just my humble 2 cents....
  5. feniks

    feniks Registered Member

    Please read my edit in here:

    post 76

    And I think you answered here. :)
  6. Phant0m

    Phant0m Registered Member

    I don't use Online Armor, never used Online Armor, and the official product website doesn't seem to 'mention' any sort of SPI. A firewall developer would definitely want to advertise this if it has it.... so at first glance, I say it doesn't.


    Regards,
    Phant0m``
  7. feniks

    feniks Registered Member

    That is something to start with... Very good tip and very logical. :)

    And if the developer does not answer, that is suspicious, right? :)
  8. Phant0m

    Phant0m Registered Member

    Don't forget the support forums...


    Indeed.
  9. feniks

    feniks Registered Member

    People ignore proper packet filtering and inbound protection, so why do we have so many questions like:

    I lost my connection
    I have very slow connection speed
    My transfer is so slow
    My browser open pages so slow

    If I understand correctly what I read, a simple blind ICMP attack can harm our connection throughput. One is when an attacker is sending constant "fragmentation needed and DF bit set" messages, which forces PMTUD to lower the MSS (maximum segment size) for the connection and practically disables communication.

    This is one example of an attack; maybe we are already safe from that, but I read many Cisco routers were vulnerable to these attacks. And I am sure there are many other forms of attacks, not malware or spyware but "only" messing with our internet connection, slowing it down, breaking connections for some time etc. etc.

    So the question is, are we protected from that?
  10. MikeNash

    MikeNash Security Expert

    I've answered this question to death already :)

    We have a state table.
    We do not (yet) do deep inspection of packets
    This is something that we plan to add in a future release.
  11. feniks

    feniks Registered Member

    Yes you are right. I read that somewhere, I guess in your discussion with Stem.

    I simply forgot. Please forgive me. I think I have a problem with remembering all that. Too much reading in the last weeks. :D

    Mike I really (I think not only me) respect your work and honest approach.

    And I wish you and your baby OA all the best. :)
  12. Stem

    Stem Firewall Expert

    OK,

    Do I check firewalls' SPI implementation? Yes, but this is time consuming, and to check correctly I use 3 PCs, and believe it or not, I do use my PCs for other things than just checking firewalls.

    As an example, the last firewall I looked at was PCtools firewall, which stated "full SPI"; when I checked, I questioned this, as it allowed invalids etc. through,.. the description of SPI by the vendor was then changed.

    One of the problems is the term "SPI" and the way this is used by vendors. As I have put forward before, I expect an SPI firewall to check TCP down to the sequence number; anything else, for me, is not SPI. This was one of the reasons I asked about the implementation of SPI in routers.

    Could I put forward a list of firewalls that perform such checks? Yes, I could say "firewall A" does and "firewall B" does not, but then I would get the fanboys of "firewall B" flaming my tests, with my need to show these,.. then who would take the time to check? I would then get the usual posts of "does it matter", I would then need to post info on the packets that cause problems/bypass, and I will not do that. So, in circles we will go.

    I will still press vendors to implement full SPI, regardless of whether users think this is needed or not (I know it is).
    Do realise, SPI is not like a HIPS; you will not get popups asking if certain packets should be allowed or not; invalid/bad etc. packets should simply be dropped.
  13. Phant0m

    Phant0m Registered Member


    MikeNash, I apologize for my ignorance on the subject.

    Keeping a state table is done even for connectionless protocols like UDP and ICMP, so far all this tells me is there are possibly stateful-like mechanisms in OA, and to what extent remains to be seen... And then there's stateful packet inspection and then there's 'deep packet inspection'.

    Has this already been detailed? Please could you or someone else post me up some links?
  14. MikeNash

    MikeNash Security Expert

    Hi Phant0m,

    I think by your measures, SPI in OA is minimal at the moment... we keep state tables for all connections (I believe including udp/icmp but I would have to check on Monday). Other than that - we don't currently do so.

    We do plan some enhancements in this area in the future - particularly I've discussed implementing Snort rules.

    Cheers

    Mike
  15. Phant0m

    Phant0m Registered Member

    Hi MikeNash,

    By my measures, ... accurate measures.. :)

    Thank you for the clarity, and I'll be looking forward to seeing your next post confirming if OA does state table for connectionless protocols like UDP and ICMP. Also enhancements in these areas are always much appreciated. :)
  16. Diver

    Diver Registered Member

    OA:

    I thought there was an issue where network discovery and file/printer sharing were hard wired on. OK if you always want them on in a home or SOHO network, bad if otherwise. Anyone know if this has been fixed?

    Stem:

    You should publish your results fanboys or not. No point in treating hard won knowledge as some mysterious thing.

    On a lighter note, Diver is about to head out tomorrow to go scuba diving.
  17. feniks

    feniks Registered Member

    I think you questioned it here in the forum and see that vendors are reading the forum and care if that is public.

    But think how much good will come out of this. Look at the PcTools and Mike examples. :)

    I think great numbers of people will benefit from such information. Many people here accept you as an expert not because of the title, but from reading your posts. And you do not have to go into details as not many even understand all of that. As for fanboys, you can just ignore them or answer. People read and think, believe me. Well, there is always a price, but the discussion begins and many people become aware of the subject, start asking vendors etc. Vendors will be forced to stop ignoring this subject.

    How many people understand how a leaktest works? They just read there is something that needs to be there and become interested in whether their firewall has it.

    Believe me, you alone will not mean as much to vendors as many users. And to them you are not even a user of their product. Money counts.

    But of course feel free to do whatever you decide to do. :) ;) :D

    I became aware of SPI and filtering because you mention it many times. Thank you.

    But still I do not know much when it gets down practically to firewalls, and what I know was achieved the Indiana Jones way, searching for hidden treasure. :)
  18. wat0114

    wat0114 Guest

    Likewise with me too :) Before, if I saw "SPI" advertised for any pc firewall I would think: "wow, that is impressive!" but after seeing that Stem has exhausted time and effort in testing for this and seeing less than impressive results which he has stated many times in this forum, I now will take it very seriously and do whatever I can to press vendors (at least with regards to products I use) to properly implement it, in spite of those who declare it is unnecessary because in "their experience" they have never been burned by it. It is like saying: "I only require seatbelts for my safety while driving a car because the airbag has never actuated in my few fender benders. The seatbelt always prevented serious injury." Of course the airbag actuates at higher impacts, preventing one's face from smashing into the steering wheel or dash. This may seem like a lame analogy, but it is the best I could conjure up.

    A firewall and security expert is stating the importance of SPI (airbag), yet there are some who refute it! Baffling to say the least o_O
  19. Pedro

    Pedro Registered Member

    I take many things for granted, some of that is what vendors say.
    I would prefer to know what is true or not with your tests, whether the firewall is my favourite or not. Just try to give details as far as you can, and forget anything else. I value information and facts.

    Cheers
  20. Stem

    Stem Firewall Expert

    Yes, it does.
  21. Seer

    Seer Registered Member

    Hello.

    There is no need for Stem to post a detailed report on his findings. He already does much on this subject (from time to time), you would just need to pay a little attention. ;) Publishing that kind of info is not a trivial matter...

    Cheers,
  22. RejZoR

    RejZoR Polymorphic Sheep

    I think Comodo Firewall set to "Training Mode" and with Network Rules applied could also do it. This way it will automatically set everything for applications while still using the inbound filter/attack detection engine.
  23. Phant0m

    Phant0m Registered Member

    On an additional note, there's something I simply would like to point out...

    Stateful inspection and Stateful filtering aren't quite the same thing, and apparently there is much confusion on all sides, when discussing SPI.

    Stateful Inspection provides highly efficient traffic inspection with full application-layer awareness, whereas stateful filtering doesn't have application-layer awareness... This is how it was coined from the beginning, so for instance CHX-I, 8Signs and Look 'n' Stop using the 'stateful inspection' label isn't accurate by the originally coined terms...


    ... Please not the face?!?! :shifty:


    Regards,
    Phant0m``
  24. Stem

    Stem Firewall Expert

    I think it is the vendors that have most confusion on this point.

    Such as CHX-I does perform SPI (stateful packet inspection); this is a check on the state of the TCP packet (flag check).
    Stateful filtering: this would describe a firewall that only checks IP/port for TCP (as with protocols such as UDP).
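    The distinction Stem draws here (flag check versus an IP/port-only match), his earlier expectation that SPI checks TCP "down to sequence number", and feniks' question about blind ICMP "fragmentation needed" messages can be put side by side in a small state-table model. This is an added, constructed example, not code from Online Armor, CHX-I, Comodo or any other product named in this thread; the addresses, ports, sequence numbers, the fixed 65535-byte window and the packet records are assumptions made for the demonstration.

```python
"""Toy state table: 'stateful filtering' (inbound accepted when its IP/port
tuple matches a tracked connection) beside 'stateful packet inspection'
(TCP flags and sequence numbers checked against recorded state; ICMP errors
accepted only when the header they quote belongs to a live connection).
Constructed example, not the code of any firewall named in the thread."""
from collections import namedtuple
from dataclasses import dataclass

INSIDE = "192.0.2.10"  # constructed address of the protected host
WINDOW = 65535         # fixed receive window (assumption; real stacks vary)

# TCP header fields we care about; ICMPError.inner is the quoted TCP header
TCP = namedtuple("TCP", "src dst sport dport flags seq ack length", defaults=(0,))
ICMPError = namedtuple("ICMPError", "src dst icmp_type icmp_code inner")

@dataclass
class Conn:
    state: str           # "SYN_SENT" or "ESTABLISHED"
    peer_next_seq: int   # next sequence number expected from the peer
    local_next_seq: int  # next sequence number the inside host will send

def key(src, dst, sport, dport):
    """Map both directions of a flow onto one state-table entry."""
    return (src, sport, dst, dport) if src == INSIDE else (dst, dport, src, sport)

def track_outbound(table, p):
    """Outbound packets are allowed out; they create and advance state."""
    k = key(p.src, p.dst, p.sport, p.dport)
    if "SYN" in p.flags and "ACK" not in p.flags:
        table[k] = Conn("SYN_SENT", 0, (p.seq + 1) % 2**32)
        return
    c = table.get(k)
    if c is None:
        return
    if c.state == "SYN_SENT" and "ACK" in p.flags:
        c.state = "ESTABLISHED"
    c.local_next_seq = (p.seq + p.length + ("FIN" in p.flags)) % 2**32

def stateful_filter(table, p):
    """IP/port match only: flags, sequence numbers and ICMP payload ignored."""
    if isinstance(p, ICMPError):
        return p.dst == INSIDE
    return key(p.src, p.dst, p.sport, p.dport) in table

def stateful_inspect(table, p):
    """Packet must fit the state recorded for its connection, else drop."""
    if isinstance(p, ICMPError):
        q = p.inner
        c = table.get(key(q.src, q.dst, q.sport, q.dport))
        # the quoted header must be a segment the inside host really sent
        return (c is not None and q.src == INSIDE
                and (c.local_next_seq - q.seq) % 2**32 <= WINDOW)
    c = table.get(key(p.src, p.dst, p.sport, p.dport))
    if c is None:
        return False
    if c.state == "SYN_SENT":
        # only a SYN/ACK acknowledging our ISN+1 may answer an open attempt
        if p.flags != frozenset({"SYN", "ACK"}) or p.ack != c.local_next_seq:
            return False
        c.peer_next_seq = (p.seq + 1) % 2**32
        return True
    # a SYN on a live connection, or a segment outside the window, is invalid
    if "SYN" in p.flags or (p.seq - c.peer_next_seq) % 2**32 >= WINDOW:
        return False
    c.peer_next_seq = (p.seq + p.length + ("FIN" in p.flags)) % 2**32
    return True

def run_demo():
    """Replay one constructed session through both tables; return verdicts."""
    server, sport, dport = "198.51.100.5", 40000, 80  # constructed peer

    def out(seq, ack, *flags, length=0):
        return TCP(INSIDE, server, sport, dport, frozenset(flags), seq, ack, length)

    def inb(seq, ack, *flags, length=0):
        return TCP(server, INSIDE, dport, sport, frozenset(flags), seq, ack, length)

    steps = [
        ("out", "syn", out(1000, 0, "SYN")),
        ("in", "synack", inb(5000, 1001, "SYN", "ACK")),
        ("out", "ack", out(1001, 5001, "ACK")),
        ("in", "data", inb(5001, 1001, "ACK", length=100)),
        ("in", "bogus_syn", inb(7777, 0, "SYN")),  # right tuple, wrong flags
        ("in", "out_of_win", inb(9_000_000, 1001, "ACK", length=10)),
        # blind "fragmentation needed" quoting a connection that does not exist
        ("in", "blind_icmp", ICMPError(server, INSIDE, 3, 4,
                             TCP(INSIDE, server, 40001, 80, frozenset({"ACK"}), 1, 0))),
        # the same message quoting the SYN the inside host actually sent
        ("in", "real_icmp", ICMPError(server, INSIDE, 3, 4,
                            TCP(INSIDE, server, sport, dport, frozenset({"SYN"}), 1000, 0))),
    ]
    tables, verdicts = {"filter": {}, "inspect": {}}, {}
    for direction, label, pkt in steps:
        for mode, table in tables.items():
            if direction == "out":
                track_outbound(table, pkt)
            else:
                check = stateful_inspect if mode == "inspect" else stateful_filter
                verdicts.setdefault(label, {})[mode] = check(table, pkt)
    return verdicts
```

    Running `run_demo()` shows the point of the thread in one table: the legitimate SYN/ACK, data segment and genuine ICMP error pass both checks, but the SYN aimed at an already-open connection, the out-of-window segment and the blind "fragmentation needed" message are all accepted by the IP/port-only filter and dropped only by the inspector that tracks flags and sequence numbers. Neither check produces a popup; the invalid packets are simply discarded.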

  25. CoolWebSearch

    CoolWebSearch Registered Member

    Hi, Stem, I wanted to ask you if ZA Pro 7.0.462.000 has full Stateful Packet Inspection for application filtering and all other things...?
    I mean their website claims that it has SPI (after all Checkpoint invented SPI, as far as I know, and the same Checkpoint bought ZoneAlarm) o_O

    And what about its Anti-MAC spoofing and ARP protection?

    Thanks a lot.

    What about configurability?
    I tried to configure some things in ZA Pro, but it seems to me that I can't do it manually o_O
    Maybe there was a thread about this o_O
    Thanks.