Inbound Protection

Discussion in 'other firewalls' started by Someone, Aug 19, 2008.

Thread Status:
Not open for further replies.
  1. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    That would be a good read. Thanks :thumb:
     
  2. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    I think these are the basic methods. Some companies build upon these and call them *new* revolutionary technology, but they are just a subset of the above.

    Let's see, to the best of my knowledge:
    PCTools FW and Jetico give both SPI and ruleset-based protection
    Sunbelt PF has ruleset, SPI and a basic NIPS
    Outpost also has some SPI along with HIPS and ruleset.

    That's the best I can recall at the moment. If anyone else knows more, please add to this. Thanks :thumb:

    Note: NIPS is considered a subset of HIPS by most vendors.
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Cheap as in the definition of what has been posted... cheap to purchase.


    There can be a large price difference between routers, some of which are classed as a "hardware firewall" rather than just a router, and some do come with inbuilt rules to detect various packets/attacks etc. Some are even updated by the vendor (but with a subscription).

    My own thoughts on this are that many put forward that there is better inbound protection/filtering from a router picked up off the shelf for £20-40 than with Windows Firewall, which I think is incorrect.

    - Stem
     
  4. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    Stem,
    That would be great. Thanks.
    Hugger
     
  5. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    OK, that's clear.
    I guess this kind of discussion can go on and on.
    I think I misunderstood you in your previous post.

    Home routers aren't 'bad' by definition and can provide decent protection?
    In combination with XP's firewall one should basically be 'fine' I guess (leaving the discussion about outbound protection aside for now...)?
     
  6. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Thanks! What about Comodo and OA? Do they only have rulesets? Do you mean Jetico 1 or 2 or both?
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Well yes, and I prefer just to put forward the ability of the Windows firewall from testing; then users can make up their own minds.

    I am not saying they are "bad". Home routers' intention is to share a connection, and the filtering is just very basic.

    I have started putting together a post, so users can see and decide, as I do with any other firewall. I am not judging,.. just putting out info.


    - Stem
     
  8. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Is filtering also basic on home routers with SPI and IDS
    (Linksys/Alcatel-Speedtouch for example)?

    Many people are using these kind of routers, but do I understand you correctly that we are at risk?

    I look forward to your post about Windows XP's firewall.
    Thanks for all your input. I'm not a techie myself, but I want to understand it.

    Do you work with routers yourself? What brands/models would you recommend (if any)?
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Unfortunately the terms "SPI" and "IDS" are very open to interpretation certainly from a vendor. For example, if looking at a basic home router, the SPI is based on a check of IP/port, which to me is very basic. As for IDS, well, again, it would depend on the implementation for that specific router.

    I did not put forward a user is at risk, I am merely putting forward filtering capabilities.
    I do know that some streams of illegal packets can cause the system (and some applications) problems, but that is for another possible thread (I will mention some findings in the "windows firewall" thread I am creating).

    I do not use routers now. I have in the past used them for internal LANs, but now use old switches due to the fact I can tap them easily for full logging (when testing firewalls).

    - Stem
     
  10. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Comodo and OA both have good HIPS and ruleset for management. But Comodo HIPS is a bit too sensitive IMO.
    As far as I remember both don't have SPI.

    Sorry, I mean Jetico 2 :p
     
  11. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    I can only comment on SpeedTouch (now Thomson SpeedTouch; Alcatel sold off the modem business).
    It's basic in comparison with actual routers like the Alcatel 77xx series. But it's a small enough subset to protect HOME users.

    For a simple example: the Thomson SpeedTouch 536 v6 will crash in the face of an ARP flood at less than 1 MB/s.
    But seriously, the chances of that happening outside the lab, in real time, are very, very low....
     
    Last edited: Aug 22, 2008
  12. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    From this I gather you have a SpeedTouch yourself?
    What about models later than 535 v6? Are they better?

    What is that ARP flood at less than 1MB/s you are talking about? What happens in that scenario?
     
  13. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    No, I am not from SpeedTouch. But I did have a stint at the Alcatel ADSL division as a third party. So I have seen/used/tested SpeedTouch there.

    I am not sure of other models. In the lab we usually had, if I remember correctly, ST 536, 546 and a SHDSL 610 (I think).
    The newer ones had better firmware, as per some of the tests of my peers.

    The scenario is a flood in the downstream towards the user. We used different protocols, starting at around 100 Kb/s and then steadily increasing to try a DoS. We found ST was very allergic to an ARP flood (we kept incrementing SRC-IP and MAC). Basically, there was an issue with the ARP table capacity of the ST, hence at variable values it would crash.
    I am not sure if that bug has been fixed by ST. But it was just an example from my experience that at least the early models didn't emphasise much on filtering.

    --- EDIT ---

    Just like to add that many of the firewall/IDS programs in home routers are not written by the vendor, like say SpeedTouch or Linksys. They generally buy/license code from a third party which has developed a firewall for a particular network processor.
    So older models had older processing chips which were less powerful. Hence the code ported was also basic.
    But now, models have network chips which are almost the same as most industrial switches. Hence they can take more processing, and so now you have better SPI and firewall. But since these are still not on par with network processors used in actual network-grade routers, they can only do a subset of what their larger siblings can achieve.

    But the main question is: is this subset enough for a HOME user?
    Ans: depends on your vendor, processor and firewall module. New-age CPE are good enough; the older ones / cheaper ones have a large chance of being a letdown.
     
    Last edited: Aug 22, 2008
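The ARP-table exhaustion described in the post above, as an added example that is not part of the thread or of any vendor's firmware: a toy ARP cache in Python fed a constructed flood of ARP replies with incrementing source MAC and IP. The unbounded cache, the 4096-entry "crash" threshold and the 256-entry cap are assumptions for illustration; the frame layout is the RFC 826 Ethernet/IPv4 ARP payload.

```python
"""Added example (not from the thread): a toy ARP-cache simulation showing
why an ARP flood with incrementing source IP/MAC exhausts an unbounded
cache, and how a capacity cap with LRU eviction keeps the device up.
Payload layout follows RFC 826 (Ethernet/IPv4 ARP, 28 bytes). The capacity
numbers and the 'crash' threshold are assumptions, not measured values."""
import struct
from collections import OrderedDict

ARP_FMT = "!HHBBH6s4s6s4s"          # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ARP_REQUEST, ARP_REPLY = 1, 2


def build_arp(opcode, sha, spa, tha, tpa):
    """Build a 28-byte Ethernet/IPv4 ARP payload."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode, sha, spa, tha, tpa)


def parse_arp(payload):
    """Parse an ARP payload; reject anything that is not Ethernet/IPv4."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


class ArpCache:
    """capacity=None models the unbounded cache from the post; memory_limit is the
    constructed point at which that device 'crashes'. A bounded cache evicts LRU."""

    def __init__(self, capacity=None, memory_limit=None):
        self.entries = OrderedDict()      # spa (IPv4 bytes) -> sha (MAC bytes)
        self.capacity = capacity
        self.memory_limit = memory_limit
        self.evicted = 0
        self.crashed = False

    def learn(self, payload):
        """Naive learning: every request or reply populates the cache."""
        if self.crashed:
            return False
        arp = parse_arp(payload)
        key = arp["spa"]
        if key in self.entries:
            self.entries.move_to_end(key)   # refresh LRU position
            self.entries[key] = arp["sha"]
            return True
        if self.capacity is not None and len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)  # bounded: evict oldest instead of growing
            self.evicted += 1
        self.entries[key] = arp["sha"]
        if self.memory_limit is not None and len(self.entries) > self.memory_limit:
            self.crashed = True             # unbounded growth past the constructed limit
        return not self.crashed


def flood(cache, count):
    """Feed `count` constructed ARP replies with incrementing source MAC and IP;
    returns how many were processed before the cache 'crashed' (count if it survived)."""
    victim_mac = b"\x00\x11\x22\x33\x44\x55"
    victim_ip = bytes([192, 168, 1, 1])
    for i in range(count):
        sha = b"\x02\x00" + i.to_bytes(4, "big")                  # locally administered MAC
        spa = bytes([10, (i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF])
        if not cache.learn(build_arp(ARP_REPLY, sha, spa, victim_mac, victim_ip)):
            return i
    return count


def demo(frames=10000):
    naive = ArpCache(capacity=None, memory_limit=4096)
    hardened = ArpCache(capacity=256)
    return {
        "naive_processed": flood(naive, frames), "naive_crashed": naive.crashed,
        "hardened_processed": flood(hardened, frames), "hardened_crashed": hardened.crashed,
        "hardened_table_size": len(hardened.entries), "hardened_evicted": hardened.evicted,
    }


if __name__ == "__main__":
    print(demo())
```

Ten thousand such frames come to well under a megabyte on the wire, which is why a device that grows its table without limit falls over at low bandwidth. The cap alone is the minimum fix; a real stack would also ignore unsolicited replies and rate-limit cache insertions per interface.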
  14. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    I doubt whether routers with 'full' (whatever that may mean) SPI can exist. Especially when referring to the typical home (NAT) routers, not the Cisco-like routers.

    Of course, one could also debate what exactly 'SPI' means.

    I think I have a router with 'partial SPI'.

    In the past I had a software firewall whose log showed that some stuff could get past the NAT filter of my router.
     
  15. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Which router (brand/model) was that and what was the software firewall?
    I have to admit that I'm becoming increasingly worried. I always thought, and was told by people who work with networks a lot, that (home) routers were good for home use and that they offer good protection.
    I'm starting to think otherwise...
     
  16. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    I'm a bit paranoid and won't mention the brand/type router.

    The software firewall: McAfee version 7 or something close to that.

    The log of the current McAfee firewall doesn't show that, it has been disabled by McAfee, presumably 'support' got too many questions. :rolleyes:
     
  17. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    My router would block completely unsolicited traffic, but once a connection has been established (for example, by a browser to a website where I log in), how can my router know if the datastream into my router is what I want to come in?

    Hence, you would need FULL SPI, and perhaps more.
     
  18. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    You're still using the router in combination with a software firewall (which could even be Win XP/Vista's firewall I guess)?

    It's hard to find any information about SPI and all other implemented security measures about routers on brand level (or perhaps I'm just not looking in the right places...). Some kind of 'comparison' would be nice.
     
  19. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Ok, I should have just shut my mouth :blink:
    I am sending you towards security paranoia, which is of no help.

    Home Routers are good, but conditions apply. Choose newer models that can take the demands of protecting in today's dynamics. Preferably buy a brand/vendor who has firewall products too, so that you can be sure of the firewall quality.
     
  20. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    This is how I see an ideal n/w setup for home (like mine):

    * Router with basic firewall/IDS/SPI: to protect against any flood attacks and basic spoof attacks.
    * PC SW Firewall: since your router works only at the IP level, it can't make out if you are sending TCP/IP or UDP/IP. It can't tell the difference between HTTP or HTTPS.
    So you need some software that sees whether the TCP/UDP ports on your system are monitored for the type of traffic (above the IP level).
    * HIPS: to prevent modern-day hacking/malware which rely on malicious code and not malicious packets.

    If you have got all 3, on your PC or independently, rest assured of GOOD protection. So if you have a weak router, complement it with a better SW solution and vice versa. That's it :thumb:
     
  21. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    If you're just talking inbound, then no, in my opinion the Win Firewall would be fine in most home user situations. Now if you're talking outbound, then that's a whole other kettle of fish.... Win Firewall in XP is useless for outbound. Vista is a different story.

    I am sure there are ways that packets with various flags can "sneak" back in a TCP session though, actually I have seen UDP sneak in on a TCP allowed outbound session, but that depends on the rules in place and SPI implementation. It can happen, question is, is it any threat or anything worth worrying about. My attitude is, it's not. Again, truth is, nothing is perfect and no firewall is bulletproof, it's mostly just a matter of what's practical for your situation.

    I see Stem is going to add some information for us later also, so that may help you too.
     
  22. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    It would be great, before saying this or that has/doesn't have SPI, to clarify what SPI is. No firewall can go without SPI. It needs SPI at least to control which packets are allowed to go in and out (connection state table). But to control TCP packets inside a connection for consistency is another task, which is also SPI. And here I think the TCP/IP stack is better for the task, and a third-party firewall is just doing extra work controlling this. Double-checking is a theoretical overhead. In any case the TCP/IP stack should control stream consistency to handle connections. Another question: there is nothing ideal, and the TCP/IP stack implementation can be wrong. But a third-party implementation can be wrong as well, and third-party SPI implemented incorrectly can cause additional trouble. So generally the third-party SPI question is questionable :)
     
  23. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Apparently everyone's implementation of SPI is different to one extent or another, as Stem has mentioned many times.... I have noticed it in the past also in various firewalls. You can see in the logs of CHX-I for example what it blocks that a lot of other firewalls allow thru. Same with various other software firewalls, there is a lot of variation. CHX-I was great in that you could adjust a lot of these variables in the registry settings if desired.
     
  24. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Agreed :thumb:

    Maybe I should have said they both have partial SPI implementation. That would have been more holistic.
     
  25. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The TCP/IP stack handles and routes packets, why would you think it filters them? MS added the windows firewall to filter packets and protect the TCP/IP stack.

    There are a number of illegal flagged packets that should not be seen on a connection, some do happen due to hardware problems or corruption, but any illegal flagged packets should be blocked from ever getting to the TCP/IP stack, even windows firewall filters those out.
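The points raised in posts 9, 17, 21 and 25 (an "SPI" that only checks IP/port, how a filter can judge traffic inside an already-allowed session, UDP slipping in on a TCP tuple, and illegal flag combinations that should never reach the stack), as an added example that is not part of the thread or of any product mentioned in it: a small stateful filter in Python with a "basic" mode keyed on addresses and ports only, and a "strict" mode that also keys on protocol, follows the TCP handshake and rejects illegal flag combinations. The packets are constructed dicts, and the addresses, ports and state names are assumptions for illustration.

```python
"""Added example (not from the thread): a minimal stateful inbound filter.
'basic' mode keys connection state on addresses and ports only; 'strict'
mode also keys on protocol, follows the TCP handshake and rejects flag
combinations that never occur in a legitimate session. All packets below
are constructed dicts, not captured traffic."""

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def illegal_flags(flags):
    """Flag combinations no conforming TCP stack sends: NULL, SYN+FIN, SYN+RST, FIN without ACK (XMAS/FIN scans)."""
    if flags == 0:
        return True
    if flags & SYN and (flags & FIN or flags & RST):
        return True
    if flags & FIN and not flags & ACK:
        return True
    return False


class StatefulFilter:
    def __init__(self, strict):
        self.strict = strict
        self.table = {}   # connection key -> state name
        self.log = []     # (reason, packet) for every drop

    def _key(self, pkt, inbound):
        """Normalise to (proto, local ip, local port, remote ip, remote port); basic mode ignores proto."""
        local = (pkt["dst"], pkt["dport"]) if inbound else (pkt["src"], pkt["sport"])
        remote = (pkt["src"], pkt["sport"]) if inbound else (pkt["dst"], pkt["dport"])
        proto = pkt["proto"] if self.strict else None
        return (proto,) + local + remote

    def _drop(self, pkt, reason):
        self.log.append((reason, pkt))
        return False

    def outbound(self, pkt):
        """Outbound traffic is allowed and creates/advances state (outbound filtering is out of scope)."""
        key = self._key(pkt, inbound=False)
        if pkt["proto"] == "udp":
            self.table.setdefault(key, "UDP")
        elif key not in self.table:
            if pkt["flags"] & SYN and not pkt["flags"] & ACK:
                self.table[key] = "SYN_SENT"
        elif self.table[key] == "SYN_RECV" and pkt["flags"] & ACK:
            self.table[key] = "ESTABLISHED"
        return True

    def inbound(self, pkt):
        """Return True if the packet may pass, False (and log the reason) if not."""
        key = self._key(pkt, inbound=True)
        state = self.table.get(key)
        if state is None:
            return self._drop(pkt, "no matching outbound state")
        if not self.strict or pkt["proto"] == "udp":
            return True                      # basic SPI stops here: the tuple matched
        flags = pkt["flags"]
        if illegal_flags(flags):
            return self._drop(pkt, "illegal TCP flag combination")
        if state == "SYN_SENT":
            if flags & SYN and flags & ACK:
                self.table[key] = "SYN_RECV"
                return True
            if flags & RST:
                del self.table[key]          # peer refused the connection
                return True
            return self._drop(pkt, "expected SYN/ACK while in SYN_SENT")
        if flags & SYN:
            return self._drop(pkt, "SYN on an existing connection")
        return True


def run_scenario(strict):
    """Replay one constructed HTTPS session plus hostile packets; returns name -> allowed."""
    f = StatefulFilter(strict)
    client, server, stranger = ("192.168.1.10", 40000), ("203.0.113.5", 443), ("198.51.100.7", 1234)

    def tcp(src, dst, flags):
        return {"proto": "tcp", "src": src[0], "sport": src[1], "dst": dst[0], "dport": dst[1], "flags": flags}

    def udp(src, dst):
        return {"proto": "udp", "src": src[0], "sport": src[1], "dst": dst[0], "dport": dst[1]}

    out = {}
    f.outbound(tcp(client, server, SYN))
    out["syn_ack"] = f.inbound(tcp(server, client, SYN | ACK))
    f.outbound(tcp(client, server, ACK))
    out["data"] = f.inbound(tcp(server, client, PSH | ACK))
    out["xmas"] = f.inbound(tcp(server, client, FIN | PSH | URG))
    out["null"] = f.inbound(tcp(server, client, 0))
    out["syn_fin"] = f.inbound(tcp(server, client, SYN | FIN))
    out["udp_on_tcp_tuple"] = f.inbound(udp(server, client))
    out["unsolicited_syn"] = f.inbound(tcp(stranger, client, SYN))
    return out


if __name__ == "__main__":
    for mode in (False, True):
        print("strict" if mode else "basic", run_scenario(mode))
```

Both modes stop the unsolicited SYN, which is all a plain NAT table buys you. Only the strict mode drops the XMAS, NULL and SYN/FIN packets and the UDP datagram riding on the TCP tuple, because it keys on protocol and checks the flags against the connection's state; a full implementation would also validate sequence and acknowledgement numbers against the window, which this example leaves out.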
     