Inbound firewall

Excellent reference. It even mentions the exotic SNORT rules.

For some reason, these are never discussed in this forum, even though they are more relevant to firewalls than "leak tests". Maybe because "leak tests" are easier to understand? Maybe because modern "leak test" firewalls don't do SNORT?

 

I agree, and I have mentioned before.

Let me attempt to compare:-
Leaktests: all can download, then run if wanted, this actually causes no problem to user, this is an option, yes?
Inbound: We need to look at direct filtering/ possible filtering, So if anyone would show such bypass/problem,.. then this is a major problem as this is a a possible attack. It is why I have no problem with anyone showing these leaktests,.. but I would have serious problems with anyone showing attack vectors(inbound attack compromise)

I have been talking with Mike @ OA for quite some time on implimentation for inbound protection,.. he did indicate the possibility of adding snort rules,
How would users react to this inclusion (if made)?

 

I agree with another poster that said you will never get a concrete answer to this question because everybody's preferences are different. It is my belief that there isn't much difference (in most cases, none at all), in the inbound protection from one software firewall to another.

... This however, is sound advice that I believe most would agree with. If you find a good hardware based solution to your inbound the rest is a moot point.

 

I perfectly accept that opinion, but just like my opinion it is based on my beliefs, not what i know.
What i do know is a more restrictive firewall (SPI, pseudo SPI for non TCP p. etc.), with more control over the different aspects of a packet, is preferred.

Take SPI: outgoing packets must match your rules, and incoming packets must match as replies to the outgoing ones (not just match user rules).

 

Well, preferences aside, there is a 'good' inbound protection and then there is 'not-so-good' inbound protection. I somehow think that everybody will go for the former.

Oh yes, there certainly is. Please reread the thread...

afaik, a router is a software firewall as well. It is just off-shore (if I may use such loose term), packed in a chip in a small plastic box So, everything that is said about software firewalls' inbound here (regarding SPI) is valid for hardware ones too.

 

Perhaps that would be to lose the ego?

 

Hi Stem,
It is interesting that you should mention OA in this context, as it is designed for inexperienced users.

IPS is for experienced users, I think. You have to handle false positives, possibly by disabling rules, if they block important traffic. You should also update your ruleset regularly in order to block new threats and clean out obsolete rules.

Nobody seems to be using any of the existing SNORT-based firewalls, or they just don't see any issues?

 

Hi, Feniks, could you give me the link where Stem and Melih discussed about SPI in Comodo, and also could you giv eme the link where MikeNash and Stem also discussed about about SPI in OnlineArmor.

 

Than what software firewall does have true SPI?

 

Good question I don't know, but I have seen many posts in this forum citing CHX-I Packet filter as having quite possibly the best inbound protection, so this could mean very good SPI. From my experience I have seen log evidence (Block all not processed protocol packets) in Jetico 2 that could mean it has strong SPI, at least with TCP protocol. Its UDP SPI is very basic. There are probably a few others strong in the SPI department, such as Injoy firewall, but, again, I don't know.

 

What would be the point? The "packet-level" SPI (as defined here) that virtually all personal firewalls currently implement is good enough for non-enterprise use.

 

But what about rootkits?
I truly don't know why there is so huge interest in leak-testing, but I do have some complex questions:

Can you tell me which of those leaktests really exist in the real world and are not just extreme situation hypothetical maybe this could happen but there is no real threat been made for this.
It' nice to know the ZA/Za Pro or Outpost Pro or Comodo Pro will withstand the hard drive killer virus and not be shut down, but on the other hand a hard drive with a rewritten and unuseable file system is almost self defeating - sure the firewall passed, but the PC and all it's files are lost for ever. Kind of nice to know the firewall will last anyways?


Since no firewall checks the BHO and toolbars, any test with this in mind would on any firewall would fail. No firewall checks BHO and toolbars. Yes there are real BHO and rogue toolbars, yet not tests are available for this very much real threat. Yet the rogue BHO and rogue toolbars are acitvely connecting out unrestricted. Why is that? Why do users allow rogue BHO and rogue toolbars installs the first place? Do they know better or just rely on the anti- something to stop it's install and protect them? Should the user know any better and not install these and lock down the browser to stop these unwanted installs? Or spend their money and hope they found the best protection?

Some malware will install it's own TCP/IP stack and then will do any connections both incoming and outgoing absolutely unrestricted. Yes this malware is very real. And no firewall would catch this because it will not examine the new stack. Yet no leak tests are made for this.
Why is this?
Should the user rely on the security applications or just use safe hex and avoid the traps which will install dreck like this?

Rootkits will install virtual drivers or virtual TCP/IP stacks. Yet no leaktests for this either. This is a real threat which does exist. Yet the firewall does not check for virtual drivers or virtual stacks. So a firewall would fail this leaktest as it does in the real world.
Should the use continue to spend more money or just use safe hex and avoid it in the first place?

Oh just remembered another real world exploit - the trojan injected into the stack. Yup all firewalls miss this one too, but no leaktest is made for this either. Why is that?

If someone could answer me that I'd be grateful.

 

what exactly is snort rules?

 

First of all, a firewall's job is not to check the drivers, but to block network packets according to a set of rules. But let's assume that a firewall has incorporated HIPS too (because these days nobody cares to separate their functions).
If an application (a rootkit for instance) tries to load a protocol driver into the stack, in order to communicate with the attacker, a normal "pure" firewall will not be able to detect it, because the driver will run at a level "below" the firewall. Now let's assume there is a HIPS installed. The HIPS also has very little possibility to see what the rogue driver is doing, But it will intercept the instalation of that driver, so the computer will be protected.
In other words, I could create a proof of concept driver which would be loaded in the TCP stack, but it would be stopped before I would try to load it. In my opinion, this is the reason nobody bothered with doing it.

 

Firewalls, like any other security software, cannot guarantee to detect an installed rootkit though some may be able to detect and block any attempted installation. Dealing with rootkits is very much beyond the scope of the product suggested in this thread though.

See the Firewallleaktest In the Wild page for a few examples. It is dated now but you can be sure that more recent malware will have improved in this area.

Malware that disables systems completely isn't a likely threat simply since it doesn't spread well. A greater danger is those that capture private financial data - this is a focus of major malware producers (increasingly organised crime) so there are plenty of examples and doubtless far more to come.

In any case, file protection is already handled quite well by Windows' own NTFS as long as users don't run as Admin by default.

BHOs/toolbars can be detected and removed by most anti-spyware scanners (and a couple of firewalls do have this function integrated).

Any firewall working at driver level (monitoring access to network hardware) should intercept this - since packet sniffers using WinPCap have been doing something similar, it isn't a new phenomenom by any means.

Outbound and MBTest are leaktests using the "direct to network" method to bypass firewalls.

Could you be more specific about this? (i.e. include a name for this trojan). Virtually all firewalls will detect changes in executable files, most will detect process code/memory injection. That leaves driver installation which a few firewalls address but that is more in the area of system/process control software like SSM and its ilk.

 

http://www.snort.org/

Read all about it, and let us know.

This is real firewall stuff - unlike leak stuff.

 

Hi, Paranoid. I want to thank you for your answer (I didn't think that you'll answer). I must say that my problem with leak-tests is the following:
I have recently reinstalled my computer from scratch.
Now I have 100% clean PC-what's the point of leak-tests if you have 100% clean PC, I only need inbound protection.

And besides, can all leak-tests really show the power and effectiveness of the true malware samples, only a few leak-tests show that on the link you give me, but these samples are passed by almost all firewalls-if you assume that computer is already infected (just look what Sunbelt Kerio firewall creators answered to Matousec).



It seems that malware these days are so advanced that leak-tests are useless, once you get malware on your computer the game is literally over.

 

Exactly. So why do you guys keep on posting about leak tests?

This thread started as a genuine firewall discussion (one of very few), but again, somebody managed to turn it into yet another leak thread.

 

Agreed,

Lets please get back to and stay on topic.

I will have some time this weekend to set up and check a few firewalls for packet filtering. It will just be testing what level of filtering is made and what packets are dropped (illegal flagged packets etc).

 

Don't forget those FWs that support SNORT rules. It adds an extra dimension to packet filtering, if you have the CPU power.

 

I will only be looking at windows based firewalls, and will only have time to check about 6.

I do also want to check a router (I have a linksys that I can use)

 

Perfect. I know that the Sunbelts and late Kerios do SNORT rules. Others too I think.

 

I dont really want to go down a path of checking Enterprise/server firewalls. I will be looking at products for home use, as used by the majority of users on the forum, such as Jetico, outpost pro, comodo etc. If I was to look at Sunbelt, then it would only be the home product.

 

I agree. This is what I meant to say. The personal Sunbelts and Kerios (for Windows) do SNORT rules.

 

Are these rules not already included with the default installation of Kerio? or is there a need to update the bad_traffic file? and if so, then what are users adding to that file, if indeed they are actually adding/using any.