Is it fair to say this about firewalls?

Hi Everyone,

in light of what i have been experiencing and reading at Wilder's own website -

(http://www.wilders.org/HTMLobj-1073/firewall%20vulnerability.txt)


Would it not be fair to state that all software firewalls are pretty much worthless, and that we should all be making the transition to hardware based firewalls?


I know my question sounds provocative, and I am not up on the latest efforts of software makers to fix the packet vulnerability much less the failure (in my opinion) to present intelligent default rules options, however, i am not sure subtlety would serve my purposes, and those of people who want to be relatively safe in our computing.

While hardware firewalls are not strictly speaking, a software topic, i am hoping that you will grant that it is a related topic, and that there is a large population who might find it useful to understand that this approach has several unique advantages.

 

Hi Handsoff!

I would consider that the issue of hardware and software firewalls are related because I am using both. My router is a hardware firewall and I also use a software one. Even my ISP cannot get through them when they do their little tracking stuff! (I cannot stand it when people try to read over my shoulder.)

Hardware firewalls are not perfect and neither are the software ones. I like to get them to balance each other so neither has to work too hard but all the basics are covered.

 

I don't agree that all software firewalls are worthless.
I think that your connection is a factor.
I'm on dialup and use a software firewall.
If I ever get an "always on" connection,I would definitely add a hardware firewall.

It's only my opinion,but I think that there are some very good software firewalls.

 

I disagree completly.

A hardware firewall can't handle outbound application access since executables aren't running on it, it will allow a connection coming from you, that it was a trojan or a legit software.
In addition a personal firewall (software) can help you to spot a threat (trojan.exe) whereas a hardware can't.
So it's more than blocking malicious threat, it's to identify them.

About the fact that firewalls are supposed to not handle packet crafted using non Winsock stack it isn't true for all.
It _was_ but firewall had evolved and now just take a look at Look'n'Stop 2.05b1 which is able to block packet sent directly to NIC.

you are talking about to make the transition from software firewall to hardware firewall as if it was the same but hardware more secure, but they aren't the same.
Personally i'm using both because i have features in each that i can't find in the other.

Software firewalls aren't useless or worthless.

 

Very crude to come on here and state ALL Software Firewalls are pretty much worthless because of issues revolving around a number of Software Firewalls. What’s been said in “firewall vulnerability.txt” is far from being “Recent News” and I mean by far; therefore jumping to conclusions that the listed Software Firewalls are still vulnerable is outrages.

Use a Software Firewall that Controls ALL IP & Non-IP or Other IP Protocols, contact the Software Firewall vendors and check. VisNetic Firewall and James Grant other Software Firewalls has this support however if you use P.P.P.o.E you must disable the block of all "Other Protocols (... NetBEUI, IPX)". Look ‘n’ Stop Personal Firewall also has Controls of ALL IP & Non-IP or Other IP Protocols, and if you use P.P.P.o.E you don’t need to disable block of all “Other Protocols” like required of James Grant Software Firewalls currently.

As for using a Hardware Firewall blah!

 

I have a hardware firewall and a software firewall and between them there is nothing going out or in I don't want to run. They both have their place .

 

It would not be fair to say that. Both versions of Sygate specifically provide such protection.

The only advantage I see of Hardware firewalls are to lower log file size and prevent unsolicited packets from even reaching a computer. Otherwise they are quite crude.

 

3 questions I have for any Networking Jedi out there :

- For a firewall to be able to block ANY incoming protocol, even non-IP packets, at what layer of the OSI model must it operate? (though I guess it must be a rather low layer)

- For a firewall to use "stateful inspection", at what layer of the OSI model must it work?

- Is there a relation between a firewall's ability to block any protocol and the fact that it uses or not stateful inspection (sorry 4 the n00b question)??

 

I guess that if you receive a non IP packet, the OS will drop it or discard it because you just have a TCP/IP stack installed by default.
But if you receive a GRE protocol packet (built in IP), it's to your firewall to play.
About the OSI level i think it's Link layer (2), same than MAC adresses (or 3, depending where the new protocol is).

Too wide question, SPI is many things put together.
However, i think i would put it with the network filtering (layers 3 & 4)

There is no relation at all, SPI is a totally different feature than blocking others protocols or not.
Statefull Packet Inspection will record your traffic, and for every traffic coming back (or coming) it will check if it is related to one of your connection/flaw.
If it is, it's automatically allowed without checking against rules, if not, it is compare to rules.

SPI is a very efficient way to allow only return of what we had inititated while blocking any other traffic.
For many software you are however in the need to add specific rules to allow servers to be reached (application which wait for traffic).

Apart of that, the firewall can or not blocks others special protocols, it isn't the same feature.

 

Hmm ... getting a tad too technical here..

but thanks for the answer, Master!

 

Master ? i don't think

but indeed sometimes i like that people call me like that after to have learned that i am the author of the ANTI-LeakTests 100% efficient

http://www.wilderssecurity.com/attachments/Ciseaux.gif
=> efficient with any network wire, 100% guaranted

annual fee : 10$ US
update : 5$
support : 1$




seriously there is so much things i don't know, fortunaly wilder forum is there

EDIT :

from memory : sygate blocks others protocols (even if i have found this feature a bit buggy) but doesn't have SPI.

 

This is the SPI my router has bult in internaly besides web filtering. IP filtering, Im blocking ect.

Security Level
Services Table
The following information is related to the Firewall options (High,Medium, and
Low) in the “Advanced Services” chapter of this manual (page 35). The types of
services and their respective ports are listed in the two right-hand columns; the
“In” column details if a particular service can be accessed by a user outside of the
network; and the “Out” column informs whether a computer on the Gateway’s
network can access a particular incoming service.
For example, in the “High Security Level” section below, the http service uses port
80. Since no is listed in the In column, a user outside the Gateway’s network cannot
access a computer on the network via the http service; in this case, no computers
on the network can be used as a Web server (i.e., hosting a Web site accessible
to outside users). However, since yes is listed in the Out column, all computers on
the Gateway’s network can access the Internet via the http port.
If Basic Security is selected in the “Firewall” screen, firewall filtering is based on the
basic NAT firewall.
☞ Note: This stateful packet inspection firewall is based on the
Globespan-Virata implementation and specification for release 8.2.
High Security Level
Service Port In Out
http 80 no yes
dns 53 no yes
ftp 21 no no
telnet 23 no yes
smtp 25 no yes
pop3 110 no yes
nntp 119 no no
real audio/video 7070 no yes
icmp n/a no yes
H.323 1720 no no
T.120 1503 no no
SSH 22 no no
F
108
Actiontec Wireless-Ready DSL Gateway User Manual
Medium Security Level
Service Port In Out
http 80 no yes
dns 53 no yes
ftp 21 no yes
telnet 23 no yes
smtp 25 no yes
pop3 110 no yes
nntp 119 no yes
real audio/video 7070 yes no
icmp n/a no yes
H.323 1720 no yes
T.120 1503 no yes
SSH 22 no yes
Low Security Level
Service Port In Out
http 80 no yes
dns 53 yes yes
ftp 21 no yes
telnet 23 no yes
smtp 25 no yes
pop3 110 no yes
nntp 119 no yes
real audio/video 7070 yes no
icmp n/a yes yes
H.323 1720 yes yes
T.120 1503 yes yes
SSH 22 yes yes
Basic Security Level
NAT (Network Address Translation) only.

 

Sygate does do SPI along with blocking other protocol drivers. It must be transparent like the "stealth" though. From the help file:

Does the Firewall do Stateful Packet Inspection?

Yes, the Personal Firewall does Stateful Packet Inspection on every Remote TCP connection. The Personal Firewall also uses an algorithm to check Remote UDP and DHCP traffic to make sure that the communication is secure.

 

About SPI, there isn't any standard if i am not wrong so each vendor can implement it as it want.

For Sygate, i didn't know, i didn't test network filtering apart of others protocols.

In any case, for the SPI, the only one i know is the best is provided by NetFilter, the Linux core firewall, with a degree of customization (not automatic) unseen in any personal firewall, so i doubt Sygate has _the_ SPI of NetFilter
(in your help quote i don't see SPI for other protocol, such as ICMP quite common)

As controler shows, you can define the SPI to handle only particular traffic, but may be it's easier to allow/disallow what you want, and then apply SPI to all which is allowed, in the Linux Firewall howto it isn't adviced to do filtering with the SPI (people also tell me that in the netfilter mailing list).

SPI is good, but is useless against outbound leaks, so keep installing personal firewall (software) even if you have a router, you must control applications accessing the Internet to be safe.

 

I just wanted to remind everyone the last post I made was of my routers SPI firewall. There is really no tweaking other then the level settings. Any level setting above basic will not allow an IM chat programs to act as servers. Along with the routers built in firewall, I keep Windows Xp Pros firewall enabled. I also am using Look & Stop
on this test machine. So far I haven't noticed any conflicts.
The bad news is that the wireless features of my firewall are WEP.
The router allows both hard wire and wireless LAN's.
On top of this I am using KAV's 5.0 Beta and Bo Clean.
Then Spyware Blaster and Guard, Anti-Keylogger and to top it off
Ad Aware.

 

Hello Everyone, And thank you to everyone who posted a reply,

To whomever said that I am crude because I cause I asked my question, I will say you brought up some valid points, but may I ask that the next time you call me crude would you at least call me 'Crude, but effective'? My intention was to call attention to this issue, and find out if the situation was as bad as it appeared to me. Perhaps I cannot stress strongly enough my ignorance, though it always seems to get covered, somehow. I interpreted the article to assert to say that, even if one were to block all incoming traffic with a software firewall, it would be possible for someone to write code that would essentially go around it and neutralize it from the inside. (What you might call 'a stealth trojan'). In this imagined scenario of mine, the admittedly handy ability to block outbound packets becomes moot. As for the statefulness of this packet or that, or stacks, or cues, or protocols, i really don't know.

I maybe should appologize to the moderators of this forum if anybody thought i was implying that they would be fielding firewall questions if they knew firewalls to be completely worthless. I hope that they know i would not do that.

And actually, you were right to point out that i glossed over the outbound blocking that helps keep rogue processes from casually calling the mothership. Especially, since my firewall has done a very good job at this. (How soon we forget)

The fact is, I just didn't seeing anyone discussing this issue and it confused me.

One last thing, a tip for very very low level firewall users only!

DO NOT READ BEYOND THIS LINE IF YOU ARE AN EXPERT:
------------------------------------------------------------------------------------------

Okay, for the rest of us, you know that obnoxious flashing firewall
warning in your tray that wont stop flashing every few minutes. Here
is the fix: Put a little piece of tape over it! Problem Solved!!!

-HandsOff!

 

Hey HandsOff

Actually I should apologize; apparently the question-mark didn’t register to me at that time. Asking questions, seeking answers on the board is the whole point.

 

no need to apologize, you have asked _if_ it was faire to say... so we have answered you that no

 

Dear Mr. ' ', May I call you Phantom,

No apologies ever need be made, you let people know where you stand. Thats better than the alternative.

===============================================

"...Justine never knew the rules,
Hung down with the freaks and the ghouls
No apologies ever need be made, I know you better than you fake it
To see that we don't even care to shake these zipper blues
And we don't know just where our bones will rest
To dust I guess
Forgotten and absorbed into the earth below"

-from the song "1979" by The Smashing Pumpkins