Checksum verification or Stateful Packet Inspection - what's safer for a firewall?

Discussion in 'other firewalls' started by CoolWebSearch, Feb 25, 2008.

Thread Status:
Not open for further replies.
  1. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,217
    Hi, everybody.
    I found an interesting topic on Comodo's forums where a poster asked what the main difference is between packet filtering checksum verification and Stateful Packet Inspection for inbound protection against malformed connections; he also mentions Stem's statements about it.
    But the real problem I noticed here is that he specifically says that either Melih or Egemen are looking for PRACTICAL EVIDENCE that packet filtering checksum verification is less safe than Stateful Packet Inspection.

    So far no one has provided practical evidence that Comodo's inbound protection is worse than that of firewalls which have implemented fully-featured SPI (SPI = Stateful Packet Inspection).

    So, how do we know that in practice firewalls with fully-featured SPI are safer than those with packet-filtering checksum verification?

    Here is THE COPY OF THE ENTIRE THREAD:
    http://forums.comodo.com/leak_testi...ectionswhats_thebest_for_comodo-t20103.0.html

    And here is a copy of the entire text:

    "Hi, everybody.
    Everyone is invited in this thread.

    The reason why I opened this thread is because I have questions regarding specifically Comodo Firewall and its history.

    1. I remember Matousec said something about CFP 2.3.6.81 having weak inbound protection and being full of security holes. Can anyone please explain what he meant by that?
    I was using that version and really nothing bad happened to my computer.
    Maybe CFP 2.3.6.81, with all vulnerabilities, didn't have protection against ARP spoofing?

    2. What about CFP 2.4.18.184: is this version vulnerable to ARP spoofing?

    3. Inbound protection against bad and malformed connections (I don't mean preventing malware's installation, just the pure firewall function: inbound protection against unwanted connections):
    This question might be a bit controversial:

    What do you think is better:
    Stateful Packet Inspection (SPI) or Checksum verification, NDIS for protocol analysis that CFP uses?

    The reason why I ask this is the following:
    Some firewall moderators are insisting on SPI, but I don't understand why.
    Their arguments are the following:
    Checksum verification only checks whether a connection is corrupted or not, while SPI checks whether a connection is good or bad, which is supposedly better and safer than what checksum verification does.

    Melih and Egemen said that they need practical proof that their firewall's inbound protection is weak, and I respect that. So far no one has ever proved it in practice; after all, they would respond instantly.

    But here is ANOTHER QUESTION:
    Could anyone please explain to me what the main difference is between packet checksum verification (or + protocol analysis, because I use all of it when I use CFP) and SPI (SPI = Stateful Packet Inspection)?

    I tried to find this answer everywhere on the internet, but there is no website that explains what the difference is between SPI and packet checksum verification.

    Is there any reason why I should be worried?

    Big thanks to everyone.

    Please, let me know if I'm too intrusive with my questions.

    Thanks to all."


    Any opinions?
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Where?

    What is a malformed connection?

    Malformed packets can have a correct checksum.
    Some packets can have an incorrect checksum (due to a number of reasons).

    Comodo performs packet filtering, checksum verification is just an added feature.
     
  3. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,217
    Hi, Stem.
    I honestly don't know, maybe he refers to the post you posted long ago when Coolio10 posted a screenshot of CFP 3.0, I honestly don't know.
    Maybe he meant that CFP doesn't do SPI.

    Or maybe it's because he saw the "block malformed DNS requests" option in Outpost.
    I honestly don't know. Maybe his entire point was that CFP doesn't do SPI like Jetico2, Outpost Pro or ZA Pro.
    Again, I don't know.

    The post he made is not very clear on what he meant to say.

    I have to go, I'm quite busy.
     
  4. sded

    sded Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    512
    Location:
    San Diego CA
    The Wikipedia discussion of Stateful Packet Inspection and Deep Packet Inspection at http://en.wikipedia.org/wiki/Stateful_firewall is probably a good place to start. A "good" connection or input is something that is expected based on the state of a connection you set up or a packet you send out. Like a DNS response to a DNS request, when you don't have a specific rule to allow a DNS response. Egemen has stated that CFP doesn't support "enterprise SPI", but that it otherwise has full-featured SPI. By "enterprise SPI" he means that things like FTP that use multiple connections are not supported. Checksums are just an attempt at discovering whether packets are corrupted, independent of whether they are part of an SPI-allowed response.
     
    Last edited: Feb 25, 2008
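
An added illustration of the distinction drawn in the replies above (not part of the thread and not code from Comodo or any firewall named here): checksum verification and state tracking answer different questions about the same packet. The addresses, ports, payloads and the `StateTable` class are constructed for the example, and the state table is a simplified model that only matches UDP address/port tuples.

```python
import socket
import struct

HOST, RESOLVER, STRANGER = "192.0.2.10", "198.51.100.53", "203.0.113.9"  # constructed

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src, dst, length):
    # IPv4 pseudo-header used by the UDP checksum (protocol 17)
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 17, length)

def make_udp(src, dst, sport, dport, payload):
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = inet_checksum(pseudo_header(src, dst, length) + header + payload) or 0xFFFF
    segment = struct.pack("!HHHH", sport, dport, length, csum) + payload
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "segment": segment}

def checksum_ok(pkt):
    # Answers only: did the bytes arrive uncorrupted?
    seg = pkt["segment"]
    return inet_checksum(pseudo_header(pkt["src"], pkt["dst"], len(seg)) + seg) == 0

class StateTable:
    """Hypothetical minimal state table: remembers flows the host initiated."""
    def __init__(self):
        self.flows = set()
    def note_outbound(self, pkt):
        self.flows.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
    def expects(self, pkt):
        # Answers only: is this the mirror image of something we sent?
        return (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) in self.flows

def demo():
    table = StateTable()
    table.note_outbound(make_udp(HOST, RESOLVER, 40000, 53, b"constructed-query"))
    reply = make_udp(RESOLVER, HOST, 53, 40000, b"constructed-reply")
    stray = make_udp(STRANGER, HOST, 53, 40001, b"constructed-unsolicited")
    damaged = dict(reply, segment=reply["segment"][:-1] + b"X")  # corrupted in transit
    packets = {"reply": reply, "stray": stray, "damaged": damaged}
    return {name: (checksum_ok(p), table.expects(p)) for name, p in packets.items()}

if __name__ == "__main__":
    for name, (csum, state) in demo().items():
        print(f"{name:8} checksum_ok={csum!s:5} expected_by_state={state}")
```

The unsolicited packet passes the checksum test and is caught only by the state lookup, while the damaged reply matches the state table and is caught only by the checksum.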