Comodo Firewall VS. Agnitum Outpost

Discussion in 'other firewalls' started by Bumbba, Apr 6, 2007.

Thread Status:
Not open for further replies.
  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    As mentioned by "The Seer", there is "pseudo-SPI". Basically, this is an internal "table/log" that is kept by the firewall of outbound UDP (and possibly ICMP in some firewalls/filters). Replies/inbound are then allowed back based on this table, within a timeout period.
     
  2. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Hello Stem :)

    You probably know this already. Does Comodo's pseudo-SPI perform request/reply matching on the IP level only (e.g. for ICMP), or does it apply further checks?
     
  3. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Stem, I'd like to know this too, if you can recall.
    Also, do you guys have a good link/links to read on SPI?
    I've read about protocols, a bit about how FWs fit in, but nothing that good on the firewall's most important features, how it handles things, etc.
    TIA
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    My last checks were only on its defence against inbound attacks; I did not check on the implementation of its pseudo-SPI.

    What do you want checking?
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
  6. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Thanks, Wikipedia is also my first choice when looking. But I was hoping you had some special article that breaks it down top to bottom. Wikipedia sometimes is too much; I have to go from link to link to get the whole picture, and lose a few links in the process.

    Thank you anyway, I'll read that first. :thumb:
     
  7. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Hey Stem :D

    I have been a member of this forum for barely two months, and I have already learned a lot (and also found out that I know next to nothing :p ). This has been a very useful crash course for me, and since I am primarily interested in firewalls, your posts, past and present, have been of enormous value to me (I have noticed that you are very willing to pass on the knowledge). So, to cut a short story shorter, I would prefer, if you have the time and patience, not that you check, but rather that you explain something to me (and Pedro) which could then serve as a guide for any present or future user who has an interest in these things. I want to know how to check for pseudo-SPI in Comodo ;) for connectionless protocols, so that I could do it by myself in the future with any firewall :) . How do you do it? I have already been googling for a few days, but besides the usual controversial 'Comodo does this' and 'Comodo doesn't do that' rants, I didn't find anything which explains Comodo's pseudo-SPI or how to check for it. I am so sorry if I ask too much of you, but I am sure that you will give me at least a link or two where I can educate myself more on this topic. TIA and sorry for my unpolished English :rolleyes: ,

    The Seer
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi The Seer,

    Checking for pseudo-SPI, at its simplest, is to check the network or application rules (depending on the firewall).

    As with Comodo, you will already be aware that without inbound rules to allow TCP/UDP, unsolicited inbound packets are dropped. You should know this due to the posts made concerning P2P/torrent clients, where rules are required to allow the inbound. Now, to confirm that there is pseudo-SPI for UDP, this can be seen in such events as a DNS lookup: if there are rules in place to allow the outbound, but no rules to allow the inbound, and the returned packet is allowed, then this can indicate pseudo-SPI. (Putting both pieces of information together: "no unsolicited inbound UDP (for P2P)" + "returned packets allowed due to outbound".)

    For ICMP, again, look at the rules in place. If there is, for example, no rule to allow inbound ICMP ping (echo) reply, ping a server (or router in such a setup); if the reply is allowed without that rule, then this would indicate pseudo-SPI for ICMP.
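The mechanism Stem describes in posts 1 and 8 (an internal table of outbound UDP and ICMP echo entries, with inbound allowed only when it matches an entry within a timeout) as an added toy model; this is illustration code written for this thread, not code from Comodo, Outpost, Jetico or any poster, and the timeout values, addresses and ports are assumed/constructed.

```python
UDP_TIMEOUT = 30.0   # seconds an outbound UDP entry stays valid (assumed value)
ICMP_TIMEOUT = 5.0   # seconds an outbound echo request waits for its reply (assumed value)

class PseudoSPI:
    """Toy pseudo-SPI: outbound UDP / ICMP echo create table entries; inbound is
    allowed only if it matches a live entry (reversed 4-tuple for UDP, same id/seq
    for ICMP echo reply) before the entry times out; everything else is dropped."""

    def __init__(self, now):
        self.now = now          # injectable clock so the scenarios below are deterministic
        self.udp = {}           # (local_ip, local_port, remote_ip, remote_port) -> expiry time
        self.icmp = {}          # (local_ip, remote_ip, ident, seq) -> expiry time

    def _purge(self):
        t = self.now()
        self.udp = {k: e for k, e in self.udp.items() if e > t}
        self.icmp = {k: e for k, e in self.icmp.items() if e > t}

    def outbound_udp(self, local_ip, local_port, remote_ip, remote_port):
        self._purge()
        self.udp[(local_ip, local_port, remote_ip, remote_port)] = self.now() + UDP_TIMEOUT

    def inbound_udp(self, remote_ip, remote_port, local_ip, local_port):
        self._purge()
        # the reply must match the reverse of a recorded outbound tuple
        return "allow" if (local_ip, local_port, remote_ip, remote_port) in self.udp else "drop"

    def outbound_icmp_echo(self, local_ip, remote_ip, ident, seq):
        self._purge()
        self.icmp[(local_ip, remote_ip, ident, seq)] = self.now() + ICMP_TIMEOUT

    def inbound_icmp_echo_reply(self, remote_ip, local_ip, ident, seq):
        self._purge()
        # one reply per request: the entry is consumed when it is matched
        return "allow" if self.icmp.pop((local_ip, remote_ip, ident, seq), None) is not None else "drop"

def run_scenarios():
    """DNS lookup, unsolicited UDP, a ping, then the DNS reply again after the timeout."""
    clock = [0.0]
    fw = PseudoSPI(now=lambda: clock[0])
    r = {}
    fw.outbound_udp("192.0.2.10", 51000, "198.51.100.53", 53)                          # DNS query out
    r["dns_reply"] = fw.inbound_udp("198.51.100.53", 53, "192.0.2.10", 51000)          # solicited reply
    r["unsolicited_udp"] = fw.inbound_udp("203.0.113.7", 6881, "192.0.2.10", 6881)     # no outbound first
    fw.outbound_icmp_echo("192.0.2.10", "192.0.2.1", 0x1234, 1)                        # ping the router
    r["echo_reply"] = fw.inbound_icmp_echo_reply("192.0.2.1", "192.0.2.10", 0x1234, 1)
    r["echo_reply_wrong_seq"] = fw.inbound_icmp_echo_reply("192.0.2.1", "192.0.2.10", 0x1234, 2)
    clock[0] += UDP_TIMEOUT + 1                                                        # UDP entry expires
    r["late_dns_reply"] = fw.inbound_udp("198.51.100.53", 53, "192.0.2.10", 51000)
    return r
```

The check Stem describes is the same idea observed from outside: an outbound rule with no matching inbound rule, yet the DNS or echo reply still arrives, means the firewall is consulting such a table.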
     
  9. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Hello Stem,

    As I thought about it, looking at the rules, I considered that.
    I understand the concepts, but am still unable to articulate my thoughts and conclusions. Posts like that give me a framework to think things through, thanks.

    Can I conclude that Comodo has SPI for every protocol it supports? Basic or not (that would be another question: how good is it, lol).
     
  10. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Hello guys. :)

    Thank you, Stem, for the very simple explanation! :D Again, sorry for my stupid inquiry. I have already noticed that those outbound rules without the need for inbound are placed in Jetico, so I figured that it has something to do with the SPI (only the requested/solicited traffic is passed through). I just wasn't sure that the same applies to the connectionless protocols. I am, of course, still trying to learn something here. I will now install the latest Comodo on my test box and have a careful look into its outbound rules and the established connections. I have delayed this for long, as Comodo gave me other kinds of issues, resource-related. I will also have a little play with Wireshark, just to be sure that the three-way handshake (SYN>SYN/ACK>ACK) is indeed established. But with your reassurance now, I will try not to post incorrect info in the future... :doubt: Thank you again for having the patience to read my somewhat long posts. With my best regards to you and Pedro also,

    The Seer
     