Does Sygate have any SPI capabilities???

Discussion in 'other firewalls' started by my2cents, Feb 21, 2005.

Thread Status:
Not open for further replies.
  1. my2cents

    my2cents Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    45
    If not, then I would like to have a software firewall that does Stateful Packet Inspection.

    Could anyone recommend one? And I need a free one preferably.....
     
  2. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Yes, Sygate has TCP stateful. Most of them do, including ZoneAlarm, Outpost Pro, Kerio 4.x, and many others...
     
  3. my2cents

    my2cents Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    45
    Ok, just to confirm, Sygate (Both FREE and PRO) have Stateful Packet Inspection? Just to confirm.

    Then how come on the Sygate webpage it describes it as an Application-Centric firewall instead of a SPI firewall?

    Also is there a way to tell if it does SPI?
     
  4. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
  5. my2cents

    my2cents Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    45
    I looked at the page. But the manual does not explain whether it's SPI or not. Can you name me one other firewall that does SPI?

    But you don't sound too convincing if Sygate does SPI or not.

    I've been wishing for a software firewall that does SPI?
     
    Last edited: Feb 21, 2005
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    They don't advertise it much, but Sygate states in the user manual that they do "stateful packet inspection" on every remote TCP connection. If that's SPI to you, then Sygate does SPI. Quoted directly from the manual:

    "Does the Firewall do Stateful Packet Inspection?
    Yes, the Personal Firewall does Stateful Packet Inspection on every Remote TCP connection. The Personal Firewall also uses an algorithm to check Remote UDP and DHCP traffic to make sure that the communication is secure."

    ZoneAlarm does stateful inspection also.

    Others that do stateful are Jetico, Kerio 2 and 4, Outpost Pro, CHX-I, 8Signs/VisNetic, and on and on.

    If you're trying to start a debate on what "SPI" means, then maybe someone else can jump in here and debate it with you... ;)
     
  7. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    As Kerodo mentions, most firewalls will do stateful inspection.

    What SPI means to different vendors and users will always be the subject of debate ;)

    Regards,

    CrazyM
     
  8. my2cents

    my2cents Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    45
    Can you guys recommend me a good firewall with GOOD SPI? Please provide me with a list. And are there any free ones?
     
  9. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    Some vendors define SPI differently, but here's really the scoop on "Stateful Packet Inspection". Originally, the very first firewalls were simple "packet filters". A packet filter simply looks at the incoming packet and determines whether it meets the filtering rule or not. So, if you have a web server and you have a rule that says incoming TCP port 80 traffic is permitted, then the packet filter lets it through. This seems to work great, but... what about client applications like Internet Explorer? IE will create an outbound connection to destination TCP port 80, but its source TCP port will vary and be somewhere in the TCP port 1000 - 2500 range (actually I'm not precisely sure of the range or the methodology, but I'm just going off of netstat values). So, ok, now when you have packets returning from the web server and to some dynamically allocated TCP port for IE... how do you create your filter rule? The answer is that most firewalls now maintain a session or state table. They see that the outbound IE connection to TCP port 80 is allowed, they put that TCP session in a table and then when the return packets arrive at the firewall... it scans its state table and sees that these returning packets are part of an existing, previously allowed session. That way, by default, the firewall can deny all incoming packets, but still allow in packets from sessions that are part of ongoing conversations initiated from the internal side of the firewall. If there wasn't a state table or session table, then you would have to create packet filter rules for all sorts of possibilities for incoming returning traffic. That's basically all SPI really means.

    Of course, there are also "proxy firewalls"... which are network firewalls that intermediate conversations at the application layer and "proxy" both the client and server sides. And then there are also "application firewalls" which are host-based only firewalls that have access to the process information of the host machine and can therefore correlate outbound and inbound packets with actual application processes on the host.

    Now, here's the thing... SPI has come to mean something a little more. For example, take Network Address Translation (NAT) routers. Many vendors sold NAT as a firewalling technology, which it isn't really but it does sort of have that effect as a side-result. Why? Because with NAT the router has to build up a table that stores the port translation with the initiating private-side workstation. Essentially NAT also results in the creation of a state table. This state table is designed simply to match conversations arriving at a single public, routable IP with the corresponding internal, private IP workstation; but as a side-effect if a packet arrives at the public IP for which there is no session in the NAT table... then the router will discard it because it doesn't know where else it should have gone, and is therefore acting as a firewall of sorts. But, here's the thing, NAT is basically a one-sided affair... whereas a true SPI firewall can be configured with rules and policies that affect both outgoing and ingoing packets to a far greater degree of configurability. Moreover, SPI usually also implies that the device includes more robust network attack mitigation technologies for use against things like SYN floods, malformed packets, etc.
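
Added example (not part of Alec's post, and not any vendor's code): a minimal Python model of the state table described above, run next to a stateless packet filter that relies on a static "inbound from source port 80" rule. The `Packet` fields, class and function names, addresses and the forget-on-first-FIN/RST shortcut are assumptions made for illustration.

```python
from collections import namedtuple

# Constructed packet model; direction is "out" (leaving the host) or "in" (arriving).
Packet = namedtuple("Packet", "direction src_ip src_port dst_ip dst_port flags")

class StatefulFilter:
    """Default-deny inbound filter with a TCP session (state) table."""
    def __init__(self, out_ports, in_ports=()):
        self.out_ports, self.in_ports = set(out_ports), set(in_ports)
        self.sessions = set()  # entries: (local_ip, local_port, remote_ip, remote_port)

    def check(self, p):
        outbound = p.direction == "out"
        # Normalise both directions to one key so replies match the original entry.
        key = ((p.src_ip, p.src_port, p.dst_ip, p.dst_port) if outbound
               else (p.dst_ip, p.dst_port, p.src_ip, p.src_port))
        flags = set(p.flags.split(","))
        if key in self.sessions:
            verdict = "allow: existing session"
        elif flags == {"SYN"} and p.dst_port in (self.out_ports if outbound else self.in_ports):
            self.sessions.add(key)  # a rule permits this new connection: record it
            verdict = "allow: new session"
        else:
            return "deny: no rule or session"
        if flags & {"FIN", "RST"}:  # simplification: forget the session at first FIN/RST
            self.sessions.discard(key)
        return verdict

def stateless_check(p, reply_src_ports=(80,)):
    """Plain packet filter: replies need a static 'inbound from source port 80' rule."""
    port = p.dst_port if p.direction == "out" else p.src_port
    return "allow" if port in reply_src_ports else "deny"

def demo():
    fw = StatefulFilter(out_ports={80})
    host, web, other = "192.0.2.10", "198.51.100.5", "203.0.113.9"  # documentation addresses
    packets = [
        Packet("out", host, 1234, web, 80, "SYN"),     # browser opens a connection
        Packet("in", web, 80, host, 1234, "SYN,ACK"),  # server reply
        Packet("in", other, 80, host, 1234, "ACK"),    # unsolicited, never requested
        Packet("in", web, 80, host, 1234, "FIN,ACK"),  # server closes
        Packet("in", web, 80, host, 1234, "ACK"),      # stray packet after close
    ]
    return [(fw.check(p), stateless_check(p)) for p in packets]

if __name__ == "__main__":
    for stateful, stateless in demo():
        print(f"stateful={stateful:26} stateless={stateless}")
```

The stateless filter admits all five packets, including the unsolicited one and the stray one after close, while the stateful filter admits only traffic that matches a recorded session.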
     
  10. my2cents

    my2cents Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    45
    Thanks for the explanation on that.

    Is there a list of firewalls that almost entirely rely on SPI? Can anyone provide me with a list?? I also read that Look n Stop does not provide any TRUE SPI. So I don't know.

    I just discovered one, which is CHX-Packet Filter, but I'm too hesitant to use it because it's not popular. I find it very good by reading on the site. But how come it's not very talked about?

    And just one note here: I am using a router on this PC, but.... I am looking for a SPI software firewall for my dial-up box.
     
  11. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Look ‘n’ Stop does do SPI
     
  12. my2cents

    my2cents Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    45
    Ok great I'll stick with Look n Stop. CHX is hell to set up... So I dumped that.

    And also, since Look n Stop does SPI, is there like a button to ENABLE Stateful Packet Inspection? I don't know, I have not downloaded it yet.
     
  13. my2cents

    my2cents Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    45
    Ok, I have downloaded it. But can you please explain on what settings I have to do for a basic computing use like only for Internet and email, That's it. It's just basic computing.

    So, should I leave the default settings? But I have enabled the SPI under Options. And, I am using this for my dial-up PC.

    So, should I just leave the default settings? I do a lot of Internet surfing and email. That's it. What do I have to do?

    I would appreciate the response.
     
  14. se7engreen

    se7engreen Registered Member

    Joined:
    Feb 6, 2004
    Posts:
    369
    Location:
    USA
    If I remember right, if you click on the Advanced Options button, there is a checkbox to enable stateful inspection. Sorry, but I don't remember which tab Advanced Options is under.

    Also, in case you still feel like experimenting & trialing:
    http://www.8signs.com/firewall/features.cfm
    Very good stateful fw, and like CHX, does not offer any app filtering. Should be easier to set up than CHX.
     
  15. my2cents

    my2cents Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    45
    For my dial-up box, and for basic internet surfing and email, should I leave the default settings in 8-Signs alone?

    Or what do I have to do?
     
  16. se7engreen

    se7engreen Registered Member

    Joined:
    Feb 6, 2004
    Posts:
    369
    Location:
    USA
    I would suggest going through the configuration wizard and be sure to allow things that you know you use. (Web Browser, Email Client, etc...) Upon installation you'll be able to use the wizard among other options.
     