Inbound firewall

Discussion in 'other firewalls' started by feniks, Nov 18, 2007.

Thread Status:
Not open for further replies.
  1. feniks

    feniks Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    130
    Hi everyone.

    It is easy to determine which firewall is good at leak tests because many people test that. But it is hard (for me) to find evaluations/tests of the inbound protection of these firewalls. I assume it is also much harder to do than leak tests.

    But for me, as I learn here, and as the old saying goes - prevention is better than cure - firewall inbound protection is very, very important, and IMHO that is supposed to be its main strength.

    Can somebody direct me to some tests of firewalls' inbound protection, or advise me which firewalls are the top ones in that and why?

    What should I look for in firewall capabilities? What is needed for secure inbound protection?

    Possibly some expert advice? :)
     
  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    AFAIK, there aren't any tests which evaluate inbound/packet filtering abilities of firewalls.
    Most people are happy that their firewall gets a Stealth checkmark at grc.com.
     
  3. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
  4. feniks

    feniks Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    130
    Thank you for the read, but it did not answer the questions I have. Partially, maybe, but the discussion is also a little old as regards the mentioned firewalls.

    I am not talking about closing ports or stealth ability. That is standard. Like Stem said:

    I do not agree with the last part of your statement, Stem, about "them".

    So both of my questions are still current and not answered.
     
  5. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    I cannot personally vouch for this, but some of the members around here like the inbound filtering on CHX-I (no longer supported), Look'n'Stop, 8Signs, Jetico and Injoy.

    All of these I have run at one time or another, and they are not the easiest bunch of fellas to get along with. If you use eMule, forget about 8Signs, as it does not work right with Kademlia. CHX-I, if you can scrounge up a copy, requires a completely new way of making rules. LnS is a bit strange as well. Jetico throws more pop-ups than anything I can remember. I only took a quick look at Injoy, but it seems interesting.

    Of this bunch only LnS and Jetico have outbound filtering.

    This area is much more difficult to evaluate than leak testing, which is probably why information is hard to come by.
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Bad mood day. I was/am tired of users giving preference to firewalls that actually expect the user to be compromised (leak prevention), rather than putting in place filtering on inbound. (No insult intended to anyone, but should I care?)

    For me, a firewall should give minimal full SPI. This for me is interception of TCP to the sequence number; for such as UDP, a state table of outbound (record the outbound packet, with a timeout for the reply); the same for such as ICMP, but more logic is needed (as an outbound ping could get a reply as "reply" or "timeout" etc.).

    There are a number of firewalls that say they give such; to what degree is in question.

    As example:
    Diver mentions CHX-I. This is quite an excellent packet filter (no application control); there is actually very little config needed, as there are rulesets available (simply: allow out and filter, and it works well).
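Stem's description of minimal full SPI above (TCP intercepted down to the sequence number, a timed state table of outbound UDP, and extra logic for ICMP replies and errors), as an added example that is not part of the original thread and is not code from CHX-I or any other firewall named here. It assumes a protected host at 10.0.0.5, a 65535-byte window and 30 s / 5 s timeouts, and feeds constructed packets rather than live traffic:

```python
"""Minimal stateful packet inspection (SPI) model for TCP, UDP and ICMP.
Added example, not code from the thread or from any firewall named in it. Packets
are constructed in-line (no sockets); host address, window and timeouts are assumed."""
from dataclasses import dataclass

LOCAL = "10.0.0.5"      # assumed address of the protected host
WINDOW = 65535          # assumed receive window for the TCP sequence check
UDP_TIMEOUT = 30.0      # seconds an outbound UDP datagram keeps its reply slot open
ICMP_TIMEOUT = 5.0      # seconds an outbound echo request keeps its reply slot open

@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # tcp/udp source port; icmp: echo identifier
    dport: int = 0      # tcp/udp destination port; icmp: message type
    flags: str = ""     # tcp flags as letters S, A, F, R (e.g. "SA")
    seq: int = 0
    ack: int = 0
    length: int = 0     # tcp payload bytes
    ts: float = 0.0     # arrival time in seconds, for the timeouts

class StatefulFilter:
    def __init__(self):
        self.tcp = {}    # (lport, rip, rport) -> {"state", "local", "remote"}
        self.udp = {}    # (lport, rip, rport) -> time the datagram went out
        self.icmp = {}   # echo id -> (target, time the request went out)

    def filter(self, p: Packet) -> str:
        handler = {"tcp": self._tcp, "udp": self._udp, "icmp": self._icmp}[p.proto]
        return handler(p, p.src == LOCAL)

    # TCP: intercept the handshake, then track each side's sequence number.
    def _tcp(self, p: Packet, outbound: bool) -> str:
        key = (p.sport, p.dst, p.dport) if outbound else (p.dport, p.src, p.sport)
        side = "local" if outbound else "remote"
        c = self.tcp.get(key)
        if c is None:
            # Only the local host opens flows; inbound packets with no state
            # (SYN, bare ACK from a scan, RST, stray SYN/ACK) have nothing to match.
            if outbound and p.flags == "S":
                self.tcp[key] = {"state": "SYN_SENT", "local": p.seq + 1}
                return "ACCEPT"
            return "DROP"
        if c["state"] == "SYN_SENT":
            # The only valid reply is a SYN/ACK from the peer acknowledging our ISN+1.
            if not outbound and p.flags == "SA" and p.ack == c["local"]:
                c["remote"], c["state"] = p.seq + 1, "ESTABLISHED"
                return "ACCEPT"
            return "DROP"
        # ESTABLISHED: seq must fall in the window expected from that side; the
        # expectation then advances by what the segment carried (FIN counts one).
        if not (c[side] <= p.seq < c[side] + WINDOW):
            return "DROP"
        c[side] = p.seq + p.length + ("F" in p.flags)
        if "R" in p.flags:
            del self.tcp[key]    # a reset inside the window ends the flow
        return "ACCEPT"

    # UDP: no handshake, so an outbound datagram opens a reply slot with a timeout.
    def _udp(self, p: Packet, outbound: bool) -> str:
        if outbound:
            self.udp[(p.sport, p.dst, p.dport)] = p.ts
            return "ACCEPT"
        sent = self.udp.get((p.dport, p.src, p.sport))
        return "ACCEPT" if sent is not None and p.ts - sent <= UDP_TIMEOUT else "DROP"

    # ICMP: an echo request may be answered by an echo reply from the target or
    # by an error (unreachable, time exceeded) from any router on the path.
    def _icmp(self, p: Packet, outbound: bool) -> str:
        icmp_type, echo_id = p.dport, p.sport
        if outbound:
            if icmp_type == 8:
                self.icmp[echo_id] = (p.dst, p.ts)
            return "ACCEPT"
        rec = self.icmp.get(echo_id)
        if rec is None or p.ts - rec[1] > ICMP_TIMEOUT:
            return "DROP"
        if icmp_type == 0:
            return "ACCEPT" if p.src == rec[0] else "DROP"   # reply must come from the pinged host
        return "ACCEPT" if icmp_type in (3, 11) else "DROP"   # inbound requests, redirects: drop

def scenario() -> list:
    # Constructed traffic: a real connection, a DNS lookup and a ping, mixed with
    # out-of-window, unsolicited and late packets. Returns one verdict per packet.
    fw, r = StatefulFilter(), "203.0.113.7"
    pkts = [
        Packet("tcp", LOCAL, r, 40000, 80, "S", seq=1000),
        Packet("tcp", r, LOCAL, 80, 40000, "SA", seq=5000, ack=1001),
        Packet("tcp", LOCAL, r, 40000, 80, "A", seq=1001, ack=5001),
        Packet("tcp", r, LOCAL, 80, 40000, "A", seq=5001, ack=1001, length=100),
        Packet("tcp", r, LOCAL, 80, 40000, "A", seq=99999999, ack=1001, length=10),  # out of window
        Packet("tcp", r, LOCAL, 4444, 445, "S", seq=1),          # unsolicited SYN
        Packet("udp", LOCAL, r, 53001, 53, ts=0.0),              # DNS query ...
        Packet("udp", r, LOCAL, 53, 53001, ts=1.0),              # ... its reply ...
        Packet("udp", r, LOCAL, 53, 53001, ts=60.0),             # ... and one after the timeout
        Packet("icmp", LOCAL, r, 77, 8, ts=100.0),               # echo request
        Packet("icmp", r, LOCAL, 77, 0, ts=100.1),               # echo reply from the target
        Packet("icmp", "192.0.2.1", LOCAL, 77, 11, ts=100.2),    # time exceeded from a router
        Packet("icmp", "198.51.100.9", LOCAL, 77, 0, ts=100.3),  # echo reply from the wrong host
        Packet("icmp", r, LOCAL, 5, 8, ts=100.4),                # inbound echo request
    ]
    return [fw.filter(p) for p in pkts]
```

Running scenario() shows the three classes of decision Stem lists: the handshake and in-window data pass, while the injected segment, the unsolicited SYN, the late DNS reply, the echo reply from a host that was never pinged and the inbound echo request are all dropped without any per-port rule. The ICMP part also shows why "more logic is needed": the time-exceeded message is accepted although it comes from a router, not the pinged host, because it matches the echo identifier of an outstanding request.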
     
  7. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    My opinion is that the benchmark firewall (esp. in regards to inbound filtering) is Sygate 5.x Pro. Despite it being no longer supported (as Sygate was bought by Symantec), firewalls age much less than other security software, and it is still the benchmark firewall when it comes to inbound filtering.

    Why? Well, let's take Comodo Firewall Pro, the most leaktest-obsessed firewall on the planet. Yet if you go to Security > Define a new trusted network, all traffic from the IP range specified will be allowed! Yet for a home network you only need ports 135, 137, 138, 139 and 445 open. What this means is that if another computer on your network is compromised with a worm, it can easily compromise any computer running Comodo, as it allows any traffic (good/bad) from a trusted network.

    Sygate, meanwhile, has an extensive inbound filtering system: for example, you can set it to allow you to browse the file shares of other computers on a LAN without them being able to browse you. I don't know many firewalls that give you that level of control. And that is just the beginning. See the screenshot attached for examples of all the features. What firewall today offers OS fingerprint masquerading, for example? In the above example, Comodo doesn't even have a proper IPS, just simple port scan / DoS detection.

    And the icing on the cake is that Sygate is lightweight and fast. Probably the current industry-leading firewalls like Outpost and ZoneAlarm Pro might have some of the features of Sygate, but they have a lot of junk such as anti-spyware and AV monitoring that is not required in a firewall and make the firewall a RAM- and CPU-hogging behemoth it shouldn't be.

    I am not trying to advertise Sygate, but rather pay tribute to one of the best software firewalls ever made, one that I continue to use today. However, I now sadly recommend Comodo, knowing full well it is rubbish, feeding off the leaktest paranoia that surrounds software firewalls today.

    On a final note, many leaktest authors struggle to give examples of in-the-wild malware that utilises their method to bypass firewalls. You are more likely to be attacked with an unpatched software exploit such as those in IE. Here leaktest firewalls fail and those with IPS signatures pass.
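The "trusted network" point dmenace makes above, as an added example that is not part of the original thread and is not code from Comodo or Sygate. It models three inbound policies for an assumed home LAN 192.168.1.0/24 as ordered first-match rule lists and runs the same constructed probes from a worm-infected LAN host (192.168.1.23, an assumption) through each. The third policy is the "browse others without being browsed" behaviour he describes; replies to connections this host itself opens are assumed to be admitted by stateful inspection and are not part of the rule tables:

```python
"""Three inbound policies for a 'trusted' home LAN, compared on the same probes.
Added example: not code from the thread, from Comodo or from Sygate. Addresses,
the infected host and the probed ports are constructed. Rules are first-match;
'in' rules see new inbound connections (port = local port), 'out' rules see
connections this host opens (port = remote port)."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str, str, str, Optional[int]]  # action, direction, proto, remote net, port
ANY = "0.0.0.0/0"
LAN = "192.168.1.0/24"      # assumed home network

# Policy 1: the 'define a trusted network' shortcut. Everything from the LAN is let in.
TRUST_ALL: List[Rule] = [
    ("allow", "in", "any", LAN, None),
    ("allow", "out", "any", ANY, None),
    ("deny", "in", "any", ANY, None),
]

# Policy 2: only what Windows file and printer sharing needs, and only from the LAN.
SHARING_ONLY: List[Rule] = (
    [("allow", "in", "tcp", LAN, p) for p in (135, 139, 445)]
    + [("allow", "in", "udp", LAN, p) for p in (137, 138)]
    + [("allow", "out", "any", ANY, None), ("deny", "in", "any", ANY, None)]
)

# Policy 3: browse other machines' shares but do not be browsed. Outbound SMB to
# the LAN is allowed; no new inbound connection is accepted at all.
BROWSE_ONLY: List[Rule] = [
    ("allow", "out", "tcp", LAN, 445),
    ("allow", "out", "tcp", LAN, 139),
    ("allow", "out", "any", ANY, None),
    ("deny", "in", "any", ANY, None),
]

def evaluate(rules: List[Rule], direction: str, proto: str, remote: str, port: int) -> str:
    """Return the action of the first matching rule; default deny if none matches."""
    addr = ip_address(remote)
    for action, rdir, rproto, net, rport in rules:
        if rdir != direction or rproto not in ("any", proto):
            continue
        if addr not in ip_network(net) or (rport is not None and rport != port):
            continue
        return action
    return "deny"

# Constructed probes from a LAN host a worm has already compromised, the same SMB
# probe arriving from the Internet, and this host opening a share on another PC.
WORM = "192.168.1.23"
PROBES = [
    ("in", "tcp", WORM, 445),             # SMB: the first thing a worm tries
    ("in", "udp", WORM, 137),             # NetBIOS name service
    ("in", "tcp", WORM, 135),             # RPC endpoint mapper
    ("in", "tcp", WORM, 3389),            # RDP
    ("in", "tcp", WORM, 8080),            # some other listener on this host
    ("in", "tcp", "203.0.113.7", 445),    # SMB probe from the Internet
    ("out", "tcp", "192.168.1.10", 445),  # this host browsing a LAN share
]

def compare() -> Dict[str, List[str]]:
    """Verdict of every policy for every probe, in PROBES order."""
    policies = {"trust_all": TRUST_ALL, "sharing_only": SHARING_ONLY, "browse_only": BROWSE_ONLY}
    return {name: [evaluate(rules, *p) for p in PROBES] for name, rules in policies.items()}

def exposed_ports(rules: List[Rule], remote: str, ports=range(1, 1024)) -> List[int]:
    """TCP ports the given remote host could open a new connection to under this policy."""
    return [p for p in ports if evaluate(rules, "in", "tcp", remote, p) == "allow"]
```

compare() makes the difference concrete: under TRUST_ALL the infected LAN host reaches RDP and the port-8080 listener as readily as SMB, under SHARING_ONLY it reaches only the five sharing ports, and under BROWSE_ONLY it reaches nothing while this host can still open 192.168.1.10:445. exposed_ports() gives the same answer as an attack surface: every privileged port versus exactly 135, 139 and 445 from the LAN, and none from the Internet under either of the narrower policies.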
     
  8. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    Screenshot (found on internet)
     

  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    All looks very nice. Are you able to explain and show the protection?

    Simple example:
    DoS protection: against what? (Please name.) Most, as said by users on this forum, are "outdated", which I agree most are. But as with viruses, attacks by method change. I do know various methods of DoS (and various) which will bypass a lot of firewalls.
    Anti-MAC spoofing: This I find amusing. From all the firewalls I see, there is no protection here (out of the box; a need to create rules), simply because no binding is first made to the gateway. I see a number of attempts by firewalls, such as OP Pro, that will block the MAC of the gateway when a spoof attempt is made (it should be the IP within the packet, not the MAC); the user is then blocked (DoSed) anyway.
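Stem's point about gateway binding and the self-inflicted DoS, as an added example that is not part of the original thread and does not reproduce the code of any firewall named in it. It pins the gateway's IP to its MAC before any traffic is passed (the binding he says is missing out of the box), checks the IP inside each frame against that binding, and compares two reactions to a spoofed ARP reply: blocking the gateway's MAC versus blocking the station that sent the spoof. The gateway address, both MACs and the frames are constructed:

```python
"""Gateway IP-to-MAC binding as ARP spoof protection, with two responses compared.
Added example, not code from the thread or from any firewall it mentions. Frames
are constructed dicts, and the gateway address and MACs are assumptions."""
from dataclasses import dataclass, field

GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "00:11:22:33:44:55"    # bound to the gateway IP before traffic is passed
ATTACKER_MAC = "de:ad:be:ef:00:01"

@dataclass
class Frame:
    src_mac: str
    kind: str          # "arp_reply" or "ip"
    sender_ip: str     # ARP sender protocol address, or the IP source address
    note: str = ""

@dataclass
class HostFilter:
    # True reproduces the reaction described above: the gateway's own MAC gets
    # blocked when a spoof is seen. False blocks the station that sent the spoof.
    block_gateway_mac_on_spoof: bool
    binding: dict = field(default_factory=lambda: {GATEWAY_IP: GATEWAY_MAC})
    blocked_macs: set = field(default_factory=set)

    def handle(self, f: Frame) -> str:
        if f.src_mac in self.blocked_macs:
            return "DROP:blocked-mac"
        pinned = self.binding.get(f.sender_ip)
        if pinned is not None and f.src_mac != pinned:
            # A frame claims a pinned IP from the wrong hardware address. The IP
            # inside the packet identifies the spoof; the MAC alone does not.
            if f.kind == "arp_reply":
                self.blocked_macs.add(pinned if self.block_gateway_mac_on_spoof else f.src_mac)
            return "DROP:ip-mac-mismatch"
        if f.kind == "arp_reply" and pinned is None:
            self.binding[f.sender_ip] = f.src_mac   # first-seen binding for other LAN hosts
        return "ACCEPT"

def scenario(block_gateway_mac: bool) -> list:
    """Constructed LAN traffic: genuine gateway frames, a spoofed ARP reply for the
    gateway, traffic injected under the gateway's IP, then more genuine frames."""
    fw = HostFilter(block_gateway_mac_on_spoof=block_gateway_mac)
    frames = [
        Frame(GATEWAY_MAC, "arp_reply", GATEWAY_IP, "genuine gateway reply"),
        Frame(GATEWAY_MAC, "ip", GATEWAY_IP, "reply from the Internet via gateway"),
        Frame(ATTACKER_MAC, "arp_reply", GATEWAY_IP, "spoof: 'I am the gateway'"),
        Frame(ATTACKER_MAC, "ip", GATEWAY_IP, "injected, pretending to be the gateway"),
        Frame(GATEWAY_MAC, "ip", GATEWAY_IP, "next genuine reply via gateway"),
        Frame(ATTACKER_MAC, "ip", "192.168.1.23", "attacker's own traffic"),
    ]
    return [fw.handle(f) for f in frames]
```

scenario(True) is the behaviour Stem criticises: after the spoofed reply, the real gateway's frames are dropped (the host has cut itself off) while the spoofing station's own traffic still passes. scenario(False) keeps the binding as the source of truth: the spoofed reply and the injected frame are dropped, the spoofer's MAC is blocked, and the genuine gateway keeps working.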
     
  10. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    dmenace-

    What is that a screenshot of? I am going to guess it is Sygate Pro. At any rate, the IDS signatures are way out of date if you want to use Sygate. The technology is in use in Symantec Endpoint 11.

    Also, I don't think it matters much if all traffic is allowed or just the NetBIOS ports. If there is a worm, it's going to look for the NetBIOS ports first in all likelihood. You don't have to use the default rules made by the wizard either. Comodo will work with tighter NetBIOS rules. I just have not figured out how to get tighter rules to work with allowing a VMware guest to access the host.

    Stem-

    I seem to remember there was a simple CHX-I rule set that would do the job for most. It's so elegant that it is baffling.

    What I mainly remember is with that list of firewalls (except for Injoy which I only briefly looked at) I spent way too much time playing around with the rules. I probably spent way too much time messing with Kerio 2.15 as well. I would likely set up much looser rules if working with any rule based firewall today.

    ---

    There is probably a bunch wrong with Comodo 2.4, but it is so easy to deal with. True, it was designed with leak testing in mind, but I would hardly say the authors were obsessed with that one factor because they really got the user friendly part right.
     
    Last edited: Nov 18, 2007
  11. gud4u

    gud4u Registered Member

    Joined:
    Nov 9, 2004
    Posts:
    206
    I'm certainly no security expert, but I'll comment anyway.

    It doesn't require much security savvy to install a NAT router with SPI protection for very good inbound protection:
    - Select one.
    - Read the manual.
    - Install, update the latest firmware and configure the router.

    It's a first-layer approach that offers good inbound protection - regardless of whatever software firewall you select.

    I'd also suggest that you should expand your requirements for a software firewall to include both inbound and outbound connection protection. Often, a user's first indication of malware presence is a software firewall alert about an outbound-connection-attempt by a suspicious program.

    An excellent suggested software firewall for the novice is Comodo 2.4. It passes 'Shields Up' and combines good inbound and outbound protection, plus limited HIPS functions.

    And never forget that inbound protection is highly dependent on the user's discretion: being careful about the sites they visit and the 'free' downloads they authorize.

    Hope this helps!
     
  12. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    I don't see how inbound protection can be dependent on surfing habits when everything downloaded by the browser comes over outbound connections.
     
  13. wat0114

    wat0114 Guest

    Not all connections are outbound:

    Three Way Handshake
     
  14. woobook

    woobook Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    131
    There are five beautiful girls in Stem's office. You come in and ask him, "Can you tell me which is the most beautiful girl in this office?"
    ^_^
     
  15. Hairy Coo

    Hairy Coo Registered Member

    Joined:
    Oct 19, 2007
    Posts:
    1,486
    Location:
    Northern Beaches
    Exactly:D

    Unreasonable questions; everyone's preferences are different.

    So choose the one that best suits you. They are all GOOD; maybe one is a bit naughtier than another, but there wouldn't be much in it.
     
  16. feniks

    feniks Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    130
    Yes, that would not be polite. :)

    How should I ask this question, take Stem aside out of the office? :)

    Maybe he can PM me? Would that be possible and proper? :)

    Well, maybe I asked the wrong way; maybe I should ask: can you describe to me the inbound protection qualities of these beauties?

    Well, I need to know if they have SPI (I only found out that ESS and WDF have it for sure) and how about its implementation?

    Does any of these 5 have full SPI?

    Or is there no way for me to get expert advice on the 5 firewalls? Not a recommendation from some fan of one of them. Kind of an honest comparison/benchmark of the inbound protection capabilities of these five.
     
  17. Hairy Coo

    Hairy Coo Registered Member

    Joined:
    Oct 19, 2007
    Posts:
    1,486
    Location:
    Northern Beaches
    Feniks, with all due respect, you are unlikely to get more deep and meaningful information; you have enough.

    This is already your second thread on the same type of subject, plus numerous posts.

    You keep on asking the same questions!

    Don't you think it's time to take the plunge and make a decision? The risk really isn't big.
     
  18. feniks

    feniks Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    130
    Hi, Hairy Coo.

    So are you saying that there is no significant difference between them (in inbound protection)?

    I know they are stealth etc. But the Windows XP firewall is too, and it has SPI.

    What about their SPI, or some problems or advantages/disadvantages that I do not even know about, but are important in inbound protection?

    When I started the thread I asked for inbound tests, as leak tests are widely available.

    Looks like there aren't any, so maybe (hopefully) I get the answer here.

    Actually I need to know about these 5 I mentioned above.
     
  19. Hairy Coo

    Hairy Coo Registered Member

    Joined:
    Oct 19, 2007
    Posts:
    1,486
    Location:
    Northern Beaches
    Feniks

    What can I say? The fact that you don't have all the info you personally want indicates that it's either not available, not considered relevant or important, has been previously posted, or, more to the point, an expert isn't going to broadcast his top choice, as he just doesn't want to. So just leave it alone!

    As I said, you can't keep on asking the same questions forever. :)

    Make a decision, you have enough knowledge :thumb:
     
  20. Hairy Coo

    Hairy Coo Registered Member

    Joined:
    Oct 19, 2007
    Posts:
    1,486
    Location:
    Northern Beaches
    Feniks

    My last post on this.

    You seem to have good knowledge-just experiment with your new firewall or whatever other app. interests you.

    Then you can help someone with advice :D

    Cheer up!
     
    Last edited: Nov 20, 2007
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    There are a number of rulesets; it is really down to what you require/need on your setup.
    I know a lot of users like to sit behind a router, then not use a software firewall. Why pay for a router when CHX-I will protect as well, if not better? A HIPS with application control for internet access can be added.

    There have been a number of threads concerning CHX-I, which would give the basics, and also links. Or start a new thread if info is required; there are other users of CHX-I.
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    It is the filtering of the returned packets. Do remember that everything you see on your PC monitor when browsing has been downloaded to your PC (so you do need to filter this inbound).
     
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I will help any member (time permitting), but I will not get caught up in a "which firewall is best" thread. It just leads to flame wars.
     
  24. FadeAway

    FadeAway Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    270
    Location:
    USA
    CHX is the best inbound packet filter I ever found. I ran it as my only firewall for the last two years I was on dial-up. I'm on DSL behind a router now, but I still run it anyway, as it allows me to create rules for ports, protocols, and IPs. Its SPI is about as good as it gets, and logging is fantastic. It's one of the lightest firewalls I know of. It works on XP.

    There is a great deal of information in past threads at Wilders, as Stephan R, one of its developers, used to post here to provide guidance.

    There is also a forum here:

    http://www.sscnetwork.net/

    See also these Wilders threads (there are others):

    https://www.wilderssecurity.com/showthread.php?t=65266&highlight=CHX-I

    https://www.wilderssecurity.com/showthread.php?t=124457&highlight=green

    https://www.wilderssecurity.com/showthread.php?t=139457

    If you try it, I'll bet you'll get help from some really expert forum members. I learned it by reading every post about it at Wilders that I could find.
     
  25. feniks

    feniks Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    130
    Stem, please accept my apologies. That was an overreaction caused by my ignorance about forum rules or etiquette. I have to learn not only security matters. The post was deleted.

    I know I keep asking the same questions. Maybe somebody can direct me to answers?

    From what I understand from your posts these subjects are important, and many days of searching does not bring my answer. I am too small to test the applications myself. The producers' sites do not tell that much.

    As you seem to be an expert in both subjects (firewalls and etiquette), can you tell me if these questions below are also not proper to ask?

    I will accept any answer.

    1. Well, I need to know if they have SPI (I only found out that ESS and WDF have it for sure) and how about its implementation?

    2. Does any of these 5 have full SPI?

    3. Some problems or disadvantages that I do not even know about, but are important in inbound protection?

    I am talking about ZA, OA, WDF, ESS, as Outpost does not like my system.
     
    Last edited: Nov 20, 2007