Inbound Protection

Hi

Which firewalls have good inbound protection that are easy to use?

Thanks

 

The best way is to use a firewall hardware, naturally. As software fw, Outpost or Comodo, Zone Alarm Pro.

 

Almost all firewalls have inbound protection hardware or software.Even Windows Firewall (XP and Vista) have some inbound protection.

If you are looking for some precise, inbound protection for some particular scenario/traffic/attack , please state the same.

IMO, Kerio 2.1.5, Jetico and CA HIPS (formerly Tiny Firewall) have ability to create very precise and powerful rules. Which allow you to shield yourself from any particular inbound attack. But on the flip-side, you really need a lot of expertise to pull it off!!

 

Well, if you happen to have an animal worth several 1000s than yes. Otherwise, if you referring to typical cheap home routers, certainly no.

Almost? An app without inbound filtering is not a firewall...

Just to reply on topic...

If you just want "good" than install any. You would need to expand on "good" for further discussion.

 

Why not?
It also depends on the definition of 'cheap' I guess?
What kind of brands would you describe as 'cheap' and therefore not really suitable?

 

I don't proclaim myself to be a Security Expert. But from, what I have seen and read at Wilder's its debatable if SW firewalls provide inbound protection (See here). So I just wanted to give the right prospective, since I am not a Guru like many others here.

Also you would be amused to know that many centers actually deploy/try firewalls with no inbound access . For Ex: SDSC .

I think my reply was almost same as yours so I don't understand how I went out of topic Maybe my lingo was not as sharp.

Oh, well I was just hoping to help.

 

Hardware firewalls don't have to be expensive. Smoothwall can be used to convert a new or old PC into a very good hardware firewall, complete with IDS. It'll cost you a couple of network cards, a cable, and some time. Depending on how you equip it, less than $50. Version 2.0 will run quite well on hardware that originally hosted Win95. Mine runs on a 133mhz processor and 32MB of RAM. Has now run flawlessly for 135 straight days.

 

Yes, not all firewalls have proper inbound protection though all of them should have it. Just think of the first version of Windows firewall. It was called a firewall even when it did not have proper inbound protection.

 

Hi

I've heard that Sunbelt has a NIPS which protects against some attacks and that Safety.Net has Deep Packet Inspection. Which are supposedly better inbound? I don't really know.

Thanks

 

Hi

I don't think I know enough to make these rules.

Thanks

 

I have been using a "cheap home router" for years and never had one single issue of any kind. The day I spent $40 for the cheap router was the best day of my life, no more worries. What in the world are you talking about?

 

CHX-I is known to be pretty solid on the inbound side, but is not application aware.

 

Jetico I I guess is good.

But prepare some time to tame it down.

Also prepare for something strange:

1. exactly same application rule can be added to the table.
2. sometimes it messes something up, say, when firefox is connecting to a site, it pop up a message say Kaspersky AVP want an internet connection
3. occasionally, system freezes for no apparent reason.

Besides these
It is fast, never slows program down as OAF does.
It is light, very low in CPU time most of time, and only 3800K memory on my system now.
It has most convenient GUI.

 

http://i33.tinypic.com/2zfttzd.png

Maybe Stem or Diver can tell me what is this and how to avoid that?


This happens when I try to link to some forum/picture sharing site -- tinypic.com e.x., in firefox.

And to disable it, close the firefox before you click allow, after several clicks, get through and delete the new rules. At last I throw it into trust zone.

 

Inbound protection has been discussed extensively on this forum, but it has never been resolved. Unfortunately.

Some phrases: stateful packet inspection, deep inspection, deep stateful inspection, proxy firewall.

Stem has done some testing, but for as far as I know he did not find a 100 % proof firewall.

So I guess you'll have to accept a firewall with 'decent' inbound protection.

Easy to use firewalls ? Those are often part of a suite.

 

My main problem with Jetico 1 is perhaps related to yours, if i understand you.

I set the browser for instance, with the range 1024-5000 to port 80, and Jetico still asks me. It's not an unusual port, nor anything. The rule should be working, same parameters.
If i use any local port for the rule, it works.

So i'd say if you choose Jetico, try version 2.

What i like about Jetico overall is that it's very similar in many ways to iptables. I don't know why i didn't see this the first (and second) time i tried it.

 

Since you seem to be wary of making rules (like me ), i would recommend Outpost Pro which I use.
It has a good HIPS and Intrusion Detection. Plus it has this feature called ImproveNet, by which I get new rules set automatically based on my programs.
Plus their SmartAdvisor, help and support system allows even people who are not necessarily very proficient to create custom rules effortlessly.

A trial is available, try it out and see if it works for you.

 

No, it is debatable how the inbound protection is implemented in both - software and hardware. They both provide some...

Good for them. But not my cup of tea so I'm hardly amused.

You didn't. The "just to reply on topic..." was not aimed at you.

Not having an issue doesn't mean your traffic is filtered properly.

I am talking about proper/full SPI and/or DPI implementation. But let's leave packet contents out for a moment, our "cheap" home routers will have very basic header inspection on TCP (at best, mostly SYN flags filtered) and none with the connectionless protocols. This is the reason I choose to bridge my router (as I have no LAN most of the time) and use a quality software firewall instead.

Just to suppress further questions and to stay on topic - it is Injoy. I recommend it, v4.1 has been working flawlessly for the last couple of months here... Not for LAN users though as it doesn't have any ARP filtering whatsoever.

Cheers,

 

The logical conclusion from that would be that the browser is using a local port outside your 1024-5000 range, which would be odd, but maybe not impossible? Otherwise, make sure you're allowing all remote addresses too.

 

I know what you're saying Seer, but let's be reasonable and practical. Whether a home user's traffic is "filtered properly" or not hardly matters. That's mostly an exercise for folks who like to dissect this kinda stuff and have the time to do so. As long as the end result is no issues or problems, then the cheap home router is good. Nothing else is needed. And let's face it, most of the users here at Wilders are just that, simple home users with a hobby. I can see where one might care more in a business or other environment, but not in a home environment. The cheap router is all anyone needs.... Unless of course you're expecting an onslaught of "attacks" from the wild...

 

I checked the logs, and the pop up. It's in the 1024-5000 range, to port 80. The rule should apply, but it doesn't.

 

I guess we are in the same situation.
The repeated exactly same rule seems a real confusion and trouble maker.

Also there are two other concerns:

(1) it shows avp want to connect to internet when firefox really does. I don't know what it is but I guess the security software hooked (--if the expression is correct) network driver. The problem is, sometimes uninstall the program (AVP in this case, it the connection lost).
(2) the ip address 0.0.0.0 and port 0 seems odd to me, I am not sure why it looks like that.

I am trying to make this screenshot show as much as information
But I suggest you to check all the field for the consistency, I once found I misread field like hash, the rule is too long to align them when you are not careful. Just avoid the mistake I made before

OOOOhhhh, I guess the order also might matter, especially you have some ruleset with denial at the end. But infact, I don't know how to read the rules now, the new rule, which should be used to override the old one, is placed at the bottom. While the years old rule is listed at the beginning. So once it tries to match a rule, it read lots of garbages first, then reach the latest new version rule, and then asked you decision.......

Negative, they asked for money for this version.

Hopeless Debian User, Now we are using Arch Linux

 

the browser is trying to send datagram instead of outbound through certain port.

 

Ghost_ARCHER: first thing i did, was to make a separate table for that access to network. 1 rule that matches any access to network, with the jump to that table. Then that table has an ask rule of course.

BTW, if that avp is part of the AV, you should probably remove the localhost from trusted. Then it makes sense.

 

Weird...... well if it's not udp out or something strange like that, and it's in the range, and no other rule is conflicting, then maybe it's just a bug in Jetico?