Inbound firewall

I think inbound protecton is something that should be rated just like the leaktests are. All known exploits tested against each firewall. I am sure such a website will emerge just as the leaktest websites have.

I have contacted Melih of COMODO and although the current help file for CFP does not go into in-depth details of the inbound protection such as ARP filtering, they are working on an "under the hood kind of manual" that I look forward to.

I think all software firewall developers should do this.

 

Stem,

Stateful inspection is a term originally coined by the security product manufacturer Check Point in 1993. Clearly detailed by Check Point ... sometime down the road, It comprises both the tracking of state using Layer 4 and lower protocol information and the tracking of application-level traffic commands.

Now the term Stateful filtering has been originally used to define the stateful tracking of protocol information at Layer 4 and lower. Under this definition, stateful filtering products exhibit no knowledge of application layer protocols.

... You understand stateful filtering terminology, stateful filtering does not in any way track the TCP flags, so it's not considered truly tracking of TCP Connection state. But there's advanced forms of stateful filtering that can also track sequence and acknowledgment numbers and the TCP packet flags. Now that's truly stateful connection tracking for TCP, although 'we still lack the ability to differentiate traffic flows at the application level'.

And whether you care to admit or not, CHX-I 'stateful inspection' feature implement lack the ability to differentiate traffic flows at the application level'...

 

Phantom,

If we went by the exact description, then we would need to look at:-
Communication Information
Communication-derived states
Application-derived state
Information Manipulation

All of which is put forward by checkpoint as part of Stateful Inspection. Do I see any point in going down this road, with a need to disguss this. I do not think it is needed/ wanted.

If we look at checkpoint, and as to how they performed the SPI, we are only (basically) looking at a set of filters. As with CHX-I traffic flow filters can be added and any data within the packet can be manipulated with payload filters.

So, what should we do, continue with a discussion of wording, or follow a path of actually looking at the implimentions of packet filtering/inspection by vendors firewalls for the security of members . Myself, I prefer the later, as this will actually give needed info to members.

 

Yes, yes, yes the later.

I have headache already from all this statefull, stateless, static filtering, dynamic filtering, deep, shallow, state table etc.

Coming down to info for members can you tell if Windows XP firewall and Ghostwall have SPI or what filtering exactly. As these two are basic level for incoming protection and I read different statements.

 

Stem; Well if it's shared opinion, not just specific to your needs and wants... then I'll refrain from posting information / FAQs in the future.

However, I thought it was useful and informational, something that individual(s) could appreciate.

We using SPI word pretty loosely here, and this leaves room for confusion. If the users doesn't know their options, then they really don't know what they asking for or wanting and the degree of protections offered / available... For instance, when you talking about 'full SPI' you really just talking about an implement capable of tracking sequence and acknowledgment numbers and the TCP packet flags and not something more?

I know about CHX-I v3 Payload Filter Module, weren't we before discussing firewalls SPI implementation? Now that you mentioning it, I'm curious are you going to be the one that provides filters for users to achieve "stateful inspection" to the degree that Check Point and some other firewalls offers?

 

I asked a question, to see how you would like to continue.

Currently you have put forward only a need for correct wording/definition. Why dont you instead perform some tests on firewalls to see what implimentation of packet filtering is being made on various firewalls?

I have already put forward the definition of my term "full SPI".

I would be interested is seeing a software firewall for the home "windows" user produced by check point or any other vendor that performs SPI to the degree of what "checkpoint" put forward as actual "SPI"

As for CHX-I, if this was still being updated, to remove some bugs, then I would take time to produce filters(maybe I could then set up a website and sell them )

 

Hi Stem,

I'm not sure what you meant exactly by "Currently you have put forward only a need for correct wording/definition.", if you implying my only participation on this topic involved this, then may I suggest re-reading starting from the beginning.. post #62. And as for my post #105, it was to explain where I'm coming from...

If my participations isn't up to your standards or offends you even, then I'll simply avoid further topics you involved in.


I have an old machine that's XP capable, I don't however have an operating system. And as for this here system I'm working with, it has to be on Internet stand-by, so I can't be running installations reboots, tests, uninstalls, reboots and repeated with next firewall. Therefore, even though I'm interested in doing such tests and publishing, I first need to buy OS such as XP that's abouts $165CAD for OEM version. And momentarily, I cannot afford it, besides I thought you were originally doing the tests for the people?

 

What standard? and I am not offended.

It is just my thought that: We could certainly discuss what SPI actually is (as put forward by check point) and go through misunderstandings on this point, but how would it actually help a user decide on a firewall?. Yes, they may understand the terms used, but it would then be a case of if vendors use the correct terms. I have seen firewalls that state "SPI", and they only check IP/port of TCP. So, if we put forward "SPI" is "as descibed by checkpoint", then the user goes to a firewall vendor that states the firewall has "SPI" (and it is actually only a check on IP/port), this would lead to a false sense of security for the user.

So how can we put forward SPI/ packet filter with descriptions of the layers filtered etc, without also the vendors being acurate of the firewalls ability of this?
As I said~ just my thought

I will be setting up again, and go through the firewalls again. I do have a couple of projects on already, so it will need to wait a few days.

 

I think the best thing to do would be for both of you to collaborate on publishing a webpage rating different software firewalls against your own definitions (or CheckPoint's) of SPI and other aspects of packet filering in a manner similar to the way Matousec handles leaktests.

So, if Phant0m were to obtain a legit copy of Windows XP then what do you two think about this?

 

Hello AJohn,
The fact of 1 extra PC will probably not help in such testing. I know most look at "Leaktests", which can be run on the host, then the firewall will catch this or not, a simple test.

When looking at a firewalls filtering, then different methods are needed.

Example:
For leaktests: 1 PC needed
For scanning: 2 Pc needed (normally the second PC is a website such as shieldsup)
For packet filtering: this is possibly debatable. As you need a PC to install the firewall to be tested, you then need a PC to send the packets (that the first PC as made connection to~ to check filtering on open connection), you then need to check on what is not filtered out,.. this could be a sniffer on the first PC, but, this could be incorrect, as it would not be correct to presume that the firewall did not block/drop the packet after sniffed (and that the firewall did not log this blocked packet)
So I normally check with 3 PC`s, a sort of piggy in the middle,.. the middle PC being installed with the firewall to check.
I do need to find better ways to check, as I do not always have 3 spare PC`s.

Regards,

EDIT,
I have also considered that filtering should be done in both directions, and that I could simply send out invalids etc,.. but I would think that this would be incorrect for such tests/checks.

 

Yes 2 or 3 computers seems best. Maybe this is part of why there are no such inbound firewall ratings as readilly available as the leaktest ratings are.

Maybe Phant0m would be able to work something out with what he has though, so lets see what he has to say.

Maybe between the two of you something could be done... if neither of your ISPs filter connections then that may be a start.

 

As I said before, there is only the one thing I need...


Regards,
Phant0m``

 

If it was as cheap here in the UK to purcahse an XP, then I would purchase and give you a lisense. As it is, it is twice the cost you mention.

If you know of a better way to test firewalls filtering, please advise.

 

We will see how time treats Mr.Phant0m

In the mean time you too should collaborate as much as possible

 

This may be a mute point, as I work from my findings of installing firewalls and directly checking these. From what I see, Phantom works from white papers and published support/help files. Please correct me if incorrect.

 

Stem, I'm not about to play your silly games...

feniks, I apologize for how things turned out, I'll refrain from posting any further on this topic, and hopefully the topic will get back on track.


Bests Regards,
Phant0m``

 

No apologies necessary as I learn a lot on protocols, terminology etc. And you were friendly to me. However all that theory does not help me on practical level which firewall has what and how to decide which one I want. Also I need to find something basic and good for my non technical friends or even kids and something really good for somebody willing to learn more and spend more time on that. Learning any of them is some work to do and first I will like to know if it is worthy that effort, see my point?

And maybe layered approach is better solution good inbound + good outbound. So far in terms of easy and good factor I see very good solution CHX-I + OA free without or with firewall.

Maybe one application if has it in/out quality on decent level?

See so many questions - and good answers only on outbound/leaking factor if the out/in info will be on same level - decision will be much easier to make and also it will be much wiser decision. For now I see many people are not even aware that inbound protection can be on different levels same like outbound/leak.

I was expecting practical info at list (the vendor are really skimpy in info and their "features" can mean everything or nothing) as to what features what firewall really has.. at list because I see real testing is not easy thing even for experts what to talk about me.

Well I feel to be a little ignored but well nobody pay you guys to answer.

Practically not many question I get answered and search give also skimpy results. Most info on that subject I found about CHX-I so far.

I did try to start from bottom (Windows firewall and Ghostwall) but no results yet. See the posts:

https://www.wilderssecurity.com/showpost.php?p=1126008&postcount=104

https://www.wilderssecurity.com/showpost.php?p=1125997&postcount=86

https://www.wilderssecurity.com/showpost.php?p=1126003&postcount=87

https://www.wilderssecurity.com/showpost.php?p=1125824&postcount=1

Well I know I go easy way of learning by asking but that is forum and experts for or is not?

And I feel maybe something useful finally will come out of that all...

 

you've had numerous responses to your questions, but you never seem completely satisfied with them.

Why not just stay with CHX-I? It seems to offer excellent inbound protection and alphalutra already informed you that Ghostwall does not include SPI. I certainly saw no mention of it on the website. There also does not seem to be any reports on which firewalls offer the best inbound protection.

 

Do you know somebody completely satisfied? You know what Jagger from Rolling Stones is still singing about his satisfaction?

But seriously better word will be I am disappointed. Before I thought wow "big firewall" reading all these advertisements, but after I learn a little I suspect that in reality most popular firewalls are very poor as church mouse in inbound filtering, thus in this kind of protection.

Why popular firewalls does not have application level SPI/filtering? We have 2007 and computers capable to handle it but the firewalls are still in 1990 in SPI?

I am talking about firewall function - as the word come from fire doors or exits.

Yes look like nobody from big and popular guys can beat CHX-I. I thought it is maybe outdated but looks like not yet.

I accepted his answer I just do not understand the way Ghostwall decide what is allow in. I know it is not real SPI but the term is so confusing at list. For example closing ports is in SPI definition and processing TCP (three way handshake) can be also understand as SPI. Or static filtering do this? Well but I am still learning.

Is it forbidden here?

Maybe some day I will know more, for now please forgive me.

EDIT: PS. And for sure yes/no answer from somebody I do not really know - will not satisfy me. I need more then that to understand and to accept it.

And in fact alphalutra did not answer my question (and I was not asking if Ghostwall have SPI as I read his statement before) - he just try to tell me what scanning and protocols are.

 

Ghostwall looks to be only a packet filter with the provision to restrict what is allowed on local/remote ports and local/remote ip addresses, without SPI filtering.

SPI seems to ensure that all incoming connections match the packet information in the initial outgoing packets.

Also, you have every right to understand more and, hopefully, your questions will be answered to your satisfaction. As I mentioned earlier, I never gave SPI too much thought until Stem has frequently questioned how effectively many of the pc firewalls and home routers implement it. Thankfully someone is asking questions and pushing firewall vendors to implement it correctly, especially when they advertise SPI as one of the features of their product. It is very easy to say: "our product has SPI", so those who are misinformed and do not want to question will think: "wow, this is such a great product because it features SPI", yet little do we know it may not be full SPI.

Unless someone with technical "clout" asks these questions and pushes vendors, it is very easy for them to take the lazy approach and offer a half-as*ed feature.

 

I get it! At list I think so. But I feel I am closer. I did confuse just packet filtering with SPI which is more than filtering is additional packet inspection. THANK YOU!

Now I understand how Ghostwall can decide what to allow based on outgoing traffic. SPI is similar but more active complex and "inteligent" filtering.

That is why even similar rules with CHX-I (allow all outgoing) when I force allow incoming some port in CHX-I there were still packet dropped but in case of Ghostwall not.

With better filtering is harder to fool firewall. Do I get it now correct?

I add these quotes as they explain a lot to me and maybe it will be helpful to somebody also. Now will be good to know how in firewalls who claim they have SPI this remembrance is achieved and how deep, "smart" and complex it is.

 

Thank you for those quotes feniks. It makes for some good reading. A member at the Outpost forum was kind enough to provide this Checkpoint PDF document download.

I haven't read it yet but will when time permits. It looks very comprehensive.

 

Yes comprehensive enough to answer my question. You make me satisfied. For now...

Now I see that I did not knew how to ask. Maybe even I make Alphalutra1 confused. Maybe he was thinking - what this guy want, I answered already...

There is saying - first you have to learn to listen nicely if you want to speak nicely...

But I am to impatient sometimes to read and dig and search more before ask.

And the luck to find correct readings... If I knew the Checpoint document before...

That is the problem of beginners...

Anyway thank you very much for patience and help.

 

Here's another document that you might want to read. Basically you can use this as a benchmark for testing inbound filtering of firewalls. It provides a comprehensive list of inbound attack types:

http://www.agnitum.com/support/kb/article.php?id=1000193&lang=en

_________

Regarding the Checkpoint Document:-

If ZoneAlarm is created by Checkpoint and Checkpoint INVENTED SPI (from the document) therefore ZoneAlarm has the best / most complete implementation of SPI there is.

Am I correct? Is that why ZoneAlarm is so highly regarded / award winning?

Edit: Spelling

 

I saw no mention of SPI in the ZA Pro feature list. Checkpoint uses their version of SPI in their hardware appliances. Also, didn't Checkpoint purchase ZA from Zonelabs? I'm not sure why ZA is award winning, though I think it has something to do with establishing themselves worlwide long ago, similar to the way Norton/Symantec did.