Inbound firewall

Discussion in 'other firewalls' started by feniks, Nov 18, 2007.

Thread Status:
Not open for further replies.
  1. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Well,ZA does have SPI. On this website there are the feature lists.
    http://www.zonealarm.com/store/support/zaas/generalFAQs.jsp#3

    I honestly doubt that Checkpoint wouldn't put full SPI inside ZA since they bought them.

    Regarding awards:I'm not sure if they were established themselves,but if you look in every review of them,you'll see that ZA blocks almost everything to get installed on your computer-and I don't believe they fake test results.
    It seems to me that other security testers who don't like ZA hate ZA and they want shutdown ZA's production...

    And again if you don' believe that take me as an user of ZA Pro and Nod32 antivirus(with Outpost Pro and Nod32 on the second computer and Jetico2 on the 3rd computer).

    Since I got ZA Pro I was testing its inbound protection (of course, you need to configure it to get maximum protection) against malware-loading websites.
    I don't want to name them,because i believe it's forbidden to post such links, however if you don't have adequate protection you will be infected.

    The main problem with these websites is that as long as you're connected they'll try to install malware...
    From my personal experience,I've never been infected while using ZA Pro (at maximum protection).
    The reason why I know this is because I had for extra case Spyware Doctor (but I deactivated its real-time protection while using ZA Pro's real-time spyware protection), Lavasoft Ad-Aware, Super-Antispyware and a few other antiviruses to check if there are any malware samples inside my computer,I found nothing,ZA found nothing, and my computer has never been compromised/zombified.

    So these awards mean something,it's not just awarding with no reason.
    You can believe or you don't have to believe me,it's your choice,but with ZA Pro I was the most secure (even more secure than with Outpost Pro).

    That's why, despite all marketing and establishment,yes ZA's techies are doing their job excellent.
    If ZA is bad I would already have malware samples installed on my computer, but I don't have them-any of them.
    The only problem is that right now ZA's techies are having problems with Vista compatibility.

    Cheers!
     
  2. Hairy Coo

    Hairy Coo Registered Member

    Joined:
    Oct 19, 2007
    Posts:
    1,486
    Location:
    Northern Beaches
  3. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Thanks for the support.
    Your answer has reminded me on something.Basically the more powerful this software gets (or any other software for that matter), it becomes less usable,however again in this area I never had any problems except with the version 7.0.302.000,but than I uninstalled it and installed 6.5.737.
     
  4. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    Thanks CoolWebSearch, Hairy Coo, and Wat0114 for your detailed replies!
    So ZoneAlarm was made by ZoneLabs before being acquired by Checkpoint but:

    Hmm so you're saying that ZA has "full SPI" :D

    Edit: Quote.
     
  5. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    It's still a great doubtful if they integrated the full SPI into ZA.
    I'll leave that to firewall experts to examine more thoroughly.
     
  6. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    I wonder how testing against these websites can test the inbound protection of a firewall. That is going to bypass every SPI as since the moment the browser send a request to load the page it's a outbound connection and the server is going to send the malware in perfect packets, not in malformed ones.
     
  7. wat0114

    wat0114 Guest

    It seems only Stem is willing or capable of this testing.

    I wasn't bashing them (not implying you were accusing me, just clarifying my stance :) ), especially since I don't even use the product. I was only stating a theory and one that i'm sure is quite credible. Let's face it, ZA was on the frontier of providing pc firewalls to home users and they have, over the years, done a splendid job of taking hold of the market - much the same way as Norton/Symantec/McAfee has.

    Actuially, I have noticed that those who bash ZA are those who have used the product and simply did not like it due to one or more of a number of reasons.
     
    Last edited by a moderator: Nov 28, 2007
  8. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Yes,if malware wants to install itself it has nothing to SPI.
    This is similar when you download an file who is infected.
    For example,I used to download files from www.download.com, however I remember when ZA blocked the installation of an supposed trusted application (actually, it was an firewall if I remember correctly), however ZA stopped the installation.
    ZA Anti-spyware basically blocked that installation-now this is really strange, since it has detected Trojan.Downloader Win32 inside that file-I thought ZA's Anti-Spyware only blocks spywares,so how is it suppose to block Trojan installation?
    That's something,none has ever explained me, yet.

    For extra safety, I tested NOD32 Antivirus when I tried to download the same file if it will detect it as Trojan or spyware-just to make sure if ZA Anti-Spyware had or hadn't false positives.

    And trust me Nod32 detected the same Trojan,so it can't be be false positive-since when ZA's anti-spyware blocks the installation of Trojans?
    That should be antivirus's function,not anti-spyware's function.
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Filtering of malware would need to be done (by a packet filter) within content, so such a firewall would be classed as DPI (Deep Packet Inspection), but this could be classed as similar to an AV web filter. As with DPI, certain strings need to be checked for. Example: I have just had a quick look at the latest version of Injoy,... you will see various (default) protection in place on various levels:-

    A default level I place on my geteway:-

    level-8.JPG

    [I have used version3 for quite a while, but the screenshots are for version 4.1]

    I put arrows (in above capture), first to to "Virus checking", this is by default basic, but shows the DPI. This is the default filtering:-

    04.jpg

    The second was to "Reject all UDP traffic - except DNS lookups", from such a setting, with a default windows installation, alerts will show the blocking of such as netBIOS:-

    03.jpg
     
  10. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    In which respect,.. to actually install/check firewalls? or the fact I do not like word definitions which only add to confusion?

    At the end of the day, with respect to members here, most do not know what SPI is, and yes, could agree than specific defination is needed, but as I ask before, with no reply from yourself, how would it help members/users when firewall Vendors just state they have "SPI"?

    As I have seen from the last posts, members can certainly look up definitions, but it really means nothing if vendors are not acurate in own implimentation of such.
     
  11. wat0114

    wat0114 Guest

    I totally agree. I have looked up definitions in an attempt to gain a little more understanding about what SPI is and also because this subject now interests me a great deal, but, like you, I am now skeptical about SPI claims these software firewall vendors are making.
     
  12. feniks

    feniks Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    130
    Maybe something like this they make about HIPS would be good to start about firewalls inbound, maybe some sticky post here on Wilders about inbound comparison?

    HIPS - Comparison

    Look how poor is firewall comparison:

    Firewall - Comparison
     
  13. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Your posts were fairly good up-to the point when it seems you have implied I don't know about testing stateful packet-filters and also that I cry facts based on what I read on white-papers and published support/help files.

    Regarding testing stateful packet-filters, all that is needed is two machines, if you think you need an requirement of total three computers - in order to perform utmost top quality tests, then perhaps you the one confused here.

    That being said, please let me point you off to the right direction... You simply need two computers, a single cross-over cable and two Ethernet devices. Also If both Ethernet devices are new, then you probably be-able to use an straight-thru cable instead. You shouldn't use an router, and/or Internet to perform these tests, there's some possible cases which simply makes either of the two situations not advised.

    Now that you know...., should be bit easier to run your tests on stateful packet-filters... Or do I need to continue with making 'Testing stateful packet-filters for dummies' book. :)

    I believe you can be very observant person ... at times, I think your post #115 was from 'mainly' reading couple of my previous posts on this here topic.

    My post #81;
    "I don't use Online Armor, never used Online Armor, and the official product website doesn't seem to 'mention' any sort of SPI. A firewall developer would definitely want to advertise this if it has it.... so at first glance, I say it doesn't."

    I don't and have never used OA, it is very logical that if firewall has 'any sort of SPI' capability that it would mention it on the product official website and/or its manual. Is there anywhere in that post that I claimed or indicated that if there was some mentioning, that it's surely an properly implemented full SPI?

    Then there's my posts #88, #90... These here posts should tell you that I'm not familiar with OA and that I'm an curious person. It seems to me you act like firewall developers outright lies, and I know, they surely don't all tell the entire truth, and they even use fancy wording to make it seem something is more than what it really is... And if you ask simple questions then you'll likely get 'smart' answers .. from them that's really next to nothing. This all taking into consideration, there's also product advertising, regardless how they work it, if they indicate on how an feature is performed, and the product feature isn't performing to what's been advertised, I'm fairly certain this is subject to lawsuit. If you asked properly the right questions, before making an purchase of the product, they claim it performs in a certain manner and it doesn't, this spells lawsuit!

    There's no law I'm aware of that decides how developers labels particular features, even though improper labeling can likely be traced back to lost terminologies, and also not taking the time to-do full researches. And how you guys are acting now, not giving a damn about different terminologies, ... how you expect the product developers do anything differently?

    Don't waste your time worrying about how developers labeling particular features, put up your page, list the terminologies used and define them clearly and accurately... I'm pretty sure as the site become populated, different developers will make label corrections or provide more details about how their feature implements performs in their products.

    And don't waste your time trying to convince me that different terminologies are pointless, when those who interested reads the different terminologies, they become wary, when this happens they begin to know what and how to look for, and begin to ask the right questions.

    Is there anything more needing to be said about terminologies? Stem, how would you like to proceed?



    Regards,
    Phant0m``
     
  14. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    How do those websites challenge your incoming protection? Just curious.

    Cheers,

    Alphalutra1
     
  15. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Can anybody explain what is SPI for and how it can be found FW doesn't have SPI and, especially, what reproducable danger does it bring. I have a time, I have a lot of computers and I have a wish to test my FW. Just tell me what should I do and I'll be glad to report my results.
     
  16. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Read some of the very recent threads that go quite deep into the subject, use google to find info, google about testing firewalls (not leak testing, but real packet filter testing), learn about TCP/IP, then use the tests to collect a large amount of objective data stating specifically every single thing involved in the testing (down to all of the components of the pc, ethernet cable, NIC, RAM, CPU, Harddrive, OS, etc.), and publish it on the forum for us to enjoy ;)

    Cheers,

    Alphalutra1
     
  17. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    This would be unfair. You want me to do all the work without any help ? :)
    I'm ready to spend some time to make a real testing, but let somebody provide me with at least brief algorithm. For exmple: create ethernet frame of type x, fill it with data y, send it to z, look for responce r - if any - your firewall failed the test. You, boys, spend a lot more time arguing of nothing. So I think my request is not too demanding :)
     
  18. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,304
    Location:
    Kent. UK by the sea
    Hi, alex_s

    IMO, it reads more of a troll :ninja: .

    Take Care,
    TheQuest :cool:
     
  19. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Does it really matter how it does "reads" ? We can check quite fast how it "really is". Still I see nobody who could audibly state a principle that exploit could be built on. C'mon, I'm still waiting :)
     
  20. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    No, people have done it all for you in these forums in other posts and on other internet webistes. But I do not believe anyone will take any of you tests as credible sources if you don't understand the matter at all and learn and take the time to master it. Just doing what someone tells you would make it so I could skew the results to favor my personal favorite firewall or the one that gave me a material incentive.

    Cheers,

    Alphalutra1
     
  21. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    If people already have done it, then there must be exploits accessible. Let us take a look at the Matousec. You can value his project or not, but there is published methology and there is a set of tools that _ANYBODY_ can take and check every test result. Unlike Matousec leaktesting there is neither a methology nor a set of tools to measure SPI/DPI quolity, there is just a set of talks about it. I do not care either somebody will take my results to his heart or not, I just was going to make a tool for everybody. If I'm wrong and such tools already exist, then I would be glad to get myself pointed out to them. But instead of this I continue to get the words and words and words ...
    The only one person that acts respectfully is Stem. He was short in words and just pointed me to a tool. Then the question was closed pretty fast.
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have looked at a number of setups, and as I mentioned in post 110, it is debatable, certainly with checking on what as, or as not passed through filtering. I have before setup just using 2 PC`s, but found some firewalls silently drop packets even though the installed sniffer logged these. We are looking at inbound here, not to see if a firewall will filter the outbound packets, or should we presume that the same filtering is performed in both directions? if we did, then it is a very simple test.

    Well, talking about a setup is easy, but actually setting up and getting correct results is more demanding. Have you actually set up and checked a firewall using your method? Please do explain, as I could show the the pitfalls in such a setup.
     
  23. kC_

    kC_ Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    492
    vmware
     
  24. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi alex_s,
    Well, Phantom is willing to create a post to explain:-
    You would also need to look at packet creation programs.
    examples (both free):-

    Excalibur

    Colasoft
     
  25. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    According to the website I'm going to give you it says that proxy firewall technologies have proven time and again to be more secure than "stateful" firewalls and will prove to be more secure than "deep inspection" firewalls.
    http://www.ranum.com/security/computer_security/editorials/deepinspect/index.html
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.