Inbound firewall

Discussion in 'other firewalls' started by feniks, Nov 18, 2007.

  1. Lundholm

    Lundholm Registered Member

    Joined:
    Aug 20, 2007
    Posts:
    108
    Location:
    Copenhagen, Old Zealand
    Excellent reference. It even mentions the exotic SNORT rules. ;)

    For some reason, these are never discussed in this forum, even though they are more relevant to firewalls than "leak tests". Maybe because "leak tests" are easier to understand? Maybe because modern "leak test" firewalls don't do SNORT?
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I agree, and I have mentioned before.

    Let me attempt to compare:-
    Leaktests: all can download, then run if wanted, this actually causes no problem to user, this is an option, yes?
    Inbound: We need to look at direct filtering/possible filtering. So if anyone would show such a bypass/problem, then this is a major problem, as this is a possible attack. It is why I have no problem with anyone showing these leaktests, but I would have serious problems with anyone showing attack vectors (inbound attack compromise).

    I have been talking with Mike @ OA for quite some time on implementation for inbound protection; he did indicate the possibility of adding snort rules.
    How would users react to this inclusion (if made)?
     
  3. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I agree with another poster that said you will never get a concrete answer to this question because everybody's preferences are different. It is my belief that there isn't much difference (in most cases, none at all), in the inbound protection from one software firewall to another.


    ... This however, is sound advice that I believe most would agree with. If you find a good hardware based solution to your inbound the rest is a moot point.
     
  4. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I perfectly accept that opinion, but just like my opinion it is based on my beliefs, not what I know.
    What I do know is a more restrictive firewall (SPI, pseudo SPI for non-TCP protocols, etc.), with more control over the different aspects of a packet, is preferred.

    Take SPI: outgoing packets must match your rules, and incoming packets must match as replies to the outgoing ones (not just match user rules).
     
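The SPI rule Pedro states above (outbound packets must match the user's rules; inbound packets are only accepted as replies to tracked outbound ones) can be shown as a small state table. The following is an added illustration, not code from any firewall discussed in this thread: TCP flows get real state tracking, UDP gets the "pseudo SPI" of a timed window opened by an outbound datagram, and packets with flag combinations no legitimate stack sends are dropped before any state lookup. The addresses, the 30-second UDP timeout and the trace of packets are all constructed for the example.

```python
"""Toy stateful packet inspection (SPI) table (constructed illustration)."""
from dataclasses import dataclass

SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04
UDP_TIMEOUT = 30.0  # seconds a UDP pseudo-connection stays open (assumed value)


@dataclass(frozen=True)
class Packet:
    proto: str             # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0         # TCP flag bitmask; ignored for UDP
    direction: str = "in"  # "in" = arriving from the network, "out" = leaving the host


class StatefulFilter:
    def __init__(self, outbound_rules):
        # outbound_rules: set of (proto, dport) pairs the user has allowed
        self.outbound_rules = set(outbound_rules)
        self.tcp_state = {}  # (src, sport, dst, dport) -> "SYN_SENT" | "ESTABLISHED"
        self.udp_seen = {}   # (src, sport, dst, dport) -> time of last outbound datagram

    @staticmethod
    def illegal_tcp_flags(flags):
        # SYN+FIN, SYN+RST and "no flags at all" are never sent by a real stack
        syn, fin, rst = bool(flags & SYN), bool(flags & FIN), bool(flags & RST)
        return flags == 0 or (syn and fin) or (syn and rst)

    def decide(self, pkt, now=0.0):
        if pkt.proto == "tcp" and self.illegal_tcp_flags(pkt.flags):
            return "DROP: illegal flags"
        return self._outbound(pkt, now) if pkt.direction == "out" else self._inbound(pkt, now)

    def _outbound(self, pkt, now):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.proto == "tcp" and key in self.tcp_state:
            return "ALLOW: existing tcp flow"
        if (pkt.proto, pkt.dport) not in self.outbound_rules:
            return "DROP: no outbound rule"
        if pkt.proto == "tcp":
            # a new flow must start with a bare SYN; only then is state created
            if pkt.flags & SYN and not pkt.flags & ACK:
                self.tcp_state[key] = "SYN_SENT"
                return "ALLOW: new tcp flow"
            return "DROP: tcp flow not started with SYN"
        self.udp_seen[key] = now
        return "ALLOW: udp window opened"

    def _inbound(self, pkt, now):
        # a reply's src/dst are the outbound packet's dst/src, so look up the reversed tuple
        rkey = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.proto == "tcp":
            state = self.tcp_state.get(rkey)
            if state is None:
                return "DROP: unsolicited tcp"
            if state == "SYN_SENT":
                if pkt.flags & SYN and pkt.flags & ACK:
                    self.tcp_state[rkey] = "ESTABLISHED"
                    return "ALLOW: syn-ack reply"
                if pkt.flags & RST:
                    del self.tcp_state[rkey]
                    return "ALLOW: rst closes handshake"
                return "DROP: unexpected flags in handshake"
            if pkt.flags & SYN:
                return "DROP: syn on established flow"
            if pkt.flags & (FIN | RST):
                del self.tcp_state[rkey]
            return "ALLOW: established tcp"
        last = self.udp_seen.get(rkey)
        if last is None or now - last > UDP_TIMEOUT:
            self.udp_seen.pop(rkey, None)
            return "DROP: unsolicited or stale udp"
        return "ALLOW: udp reply in window"


def demo():
    """Run a constructed packet trace through the filter and return the decisions."""
    fw = StatefulFilter({("tcp", 80), ("udp", 53)})
    me, web, dns, scanner = "10.0.0.5", "203.0.113.10", "10.0.0.1", "198.51.100.9"  # constructed
    trace = [
        (0.0, Packet("tcp", me, 40000, web, 80, SYN, "out")),          # user opens a web page
        (0.1, Packet("tcp", web, 80, me, 40000, SYN | ACK, "in")),     # server's handshake reply
        (0.2, Packet("tcp", web, 80, me, 40000, ACK, "in")),           # data on the open flow
        (1.0, Packet("tcp", scanner, 12345, me, 445, SYN, "in")),      # unsolicited inbound SYN
        (1.1, Packet("tcp", scanner, 12345, me, 445, SYN | FIN, "in")),  # illegal flag combination
        (2.0, Packet("udp", me, 50000, dns, 53, 0, "out")),            # DNS query
        (2.1, Packet("udp", dns, 53, me, 50000, 0, "in")),             # timely DNS answer
        (60.0, Packet("udp", dns, 53, me, 50000, 0, "in")),            # same tuple after the window closed
    ]
    return [fw.decide(pkt, now=t) for t, pkt in trace]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The trace shows the two halves of the rule: the unsolicited SYN to port 445 is dropped even though it is a valid packet, because nothing outbound preceded it, while the late UDP "answer" is dropped only because the window has expired, which is the weakness of pseudo-SPI for connectionless protocols.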
  5. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,066
    Location:
    Serbia
    Well, preferences aside, there is a 'good' inbound protection and then there is 'not-so-good' inbound protection. I somehow think that everybody will go for the former.

    Oh yes, there certainly is. Please reread the thread...

    afaik, a router is a software firewall as well. It is just off-shore (if I may use such a loose term), packed in a chip in a small plastic box :D So, everything that is said about software firewalls' inbound here (regarding SPI) is valid for hardware ones too.
     
  6. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    Perhaps that would be to lose the ego?
     
  7. Lundholm

    Lundholm Registered Member

    Joined:
    Aug 20, 2007
    Posts:
    108
    Location:
    Copenhagen, Old Zealand
    Hi Stem,
    It is interesting that you should mention OA in this context, as it is designed for inexperienced users.

    IPS is for experienced users, I think. You have to handle false positives, possibly by disabling rules, if they block important traffic. You should also update your ruleset regularly in order to block new threats and clean out obsolete rules.

    Nobody seems to be using any of the existing SNORT-based firewalls, or they just don't see any issues?
     
  8. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Hi, Feniks, could you give me the link where Stem and Melih discussed SPI in Comodo, and also could you give me the link where MikeNash and Stem discussed SPI in OnlineArmor.
     
  9. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Then what software firewall does have true SPI?
     
  10. wat0114

    wat0114 Guest

    Good question :) I don't know, but I have seen many posts in this forum citing CHX-I Packet filter as having quite possibly the best inbound protection, so this could mean very good SPI. From my experience I have seen log evidence (Block all not processed protocol packets) in Jetico 2 that could mean it has strong SPI, at least with TCP protocol. Its UDP SPI is very basic. There are probably a few others strong in the SPI department, such as Injoy firewall, but, again, I don't know.
     
  11. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    What would be the point? The "packet-level" SPI (as defined here) that virtually all personal firewalls currently implement is good enough for non-enterprise use.
     
  12. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    But what about rootkits?
    I truly don't know why there is so huge interest in leak-testing, but I do have some complex questions:

    Can you tell me which of those leaktests really exist in the real world and are not just extreme hypothetical situations ("maybe this could happen") for which no real threat has ever been made.
    It's nice to know that ZA/ZA Pro or Outpost Pro or Comodo Pro will withstand the hard drive killer virus and not be shut down, but on the other hand a hard drive with a rewritten and unusable file system is almost self-defeating - sure, the firewall passed, but the PC and all its files are lost forever. Kind of nice to know the firewall will last anyways?


    Since no firewall checks the BHO and toolbars, any test with this in mind would fail on any firewall. No firewall checks BHO and toolbars. Yes, there are real rogue BHOs and rogue toolbars, yet no tests are available for this very real threat. Yet the rogue BHOs and rogue toolbars are actively connecting out unrestricted. Why is that? Why do users allow rogue BHO and rogue toolbar installs in the first place? Do they know better, or just rely on the anti-something to stop its install and protect them? Should the user know any better and not install these, and lock down the browser to stop these unwanted installs? Or spend their money and hope they found the best protection?

    Some malware will install its own TCP/IP stack and then will make any connections, both incoming and outgoing, absolutely unrestricted. Yes, this malware is very real. And no firewall would catch this because it will not examine the new stack. Yet no leak tests are made for this.
    Why is this?
    Should the user rely on the security applications or just use safe hex and avoid the traps which will install dreck like this?

    Rootkits will install virtual drivers or virtual TCP/IP stacks. Yet no leaktests for this either. This is a real threat which does exist. Yet the firewall does not check for virtual drivers or virtual stacks. So a firewall would fail this leaktest as it does in the real world.
    Should the user continue to spend more money or just use safe hex and avoid it in the first place?

    Oh just remembered another real world exploit - the trojan injected into the stack. Yup all firewalls miss this one too, but no leaktest is made for this either. Why is that?

    If someone could answer me that I'd be grateful.
     
  13. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,154
    What exactly are snort rules?
     
  14. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,612
    Location:
    European Union
    First of all, a firewall's job is not to check the drivers, but to block network packets according to a set of rules. But let's assume that a firewall has incorporated HIPS too (because these days nobody cares to separate their functions).
    If an application (a rootkit for instance) tries to load a protocol driver into the stack, in order to communicate with the attacker, a normal "pure" firewall will not be able to detect it, because the driver will run at a level "below" the firewall. Now let's assume there is a HIPS installed. The HIPS also has very little possibility to see what the rogue driver is doing, but it will intercept the installation of that driver, so the computer will be protected.
    In other words, I could create a proof of concept driver which would be loaded in the TCP stack, but it would be stopped before I would try to load it. In my opinion, this is the reason nobody bothered with doing it.
     
  15. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Firewalls, like any other security software, cannot guarantee to detect an installed rootkit though some may be able to detect and block any attempted installation. Dealing with rootkits is very much beyond the scope of the product suggested in this thread though.
    See the Firewallleaktest In the Wild page for a few examples. It is dated now but you can be sure that more recent malware will have improved in this area.
    Malware that disables systems completely isn't a likely threat simply since it doesn't spread well. A greater danger is those that capture private financial data - this is a focus of major malware producers (increasingly organised crime) so there are plenty of examples and doubtless far more to come.

    In any case, file protection is already handled quite well by Windows' own NTFS as long as users don't run as Admin by default.
    BHOs/toolbars can be detected and removed by most anti-spyware scanners (and a couple of firewalls do have this function integrated).
    Any firewall working at driver level (monitoring access to network hardware) should intercept this - since packet sniffers using WinPCap have been doing something similar, it isn't a new phenomenon by any means.
    Outbound and MBTest are leaktests using the "direct to network" method to bypass firewalls.
    Could you be more specific about this? (i.e. include a name for this trojan). Virtually all firewalls will detect changes in executable files, most will detect process code/memory injection. That leaves driver installation which a few firewalls address but that is more in the area of system/process control software like SSM and its ilk.
     
  16. Lundholm

    Lundholm Registered Member

    Joined:
    Aug 20, 2007
    Posts:
    108
    Location:
    Copenhagen, Old Zealand
    http://www.snort.org/

    Read all about it, and let us know. ;)

    This is real firewall stuff - unlike leak stuff.
     
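For readers who followed the snort.org link and arran's question about what a Snort rule actually is: a rule is a one-line header (action, protocol, source, source port, direction, destination, destination port) followed by options in parentheses, of which `content` is the signature matched against the packet payload. The block below is an added illustration written for this thread, not Snort itself and not code from Kerio, Sunbelt or any other product mentioned here. It parses a small subset of the rule language (header plus the `msg`, `content`, `nocase` and `sid` options, with Snort's `|hex|` notation inside content) and runs two constructed rules over four constructed packets; the `$HOME_NET` membership table, the rule texts, the SIDs and the packets are all assumptions made for the example. It does not implement Snort's option negation, `depth`/`offset`, PCRE, preprocessors or anything beyond plain substring matching.

```python
"""Minimal Snort-style rule matcher (constructed illustration, not Snort)."""
import re

HOME_NET = {"10.0.0.5"}  # assumed home address set, constructed for the example

# header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')


def decode_content(text):
    """Turn a Snort content string such as '|2e 2e|/' into bytes (|..| = hex)."""
    out = bytearray()
    for i, chunk in enumerate(text.split("|")):
        if i % 2:  # odd chunks are inside |...| and hold hex bytes
            out += bytes.fromhex(chunk.replace(" ", ""))
        else:
            out += chunk.encode("latin-1")
    return bytes(out)


def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    rule = {"action": action, "proto": proto.lower(), "src": src, "sport": sport,
            "dst": dst, "dport": dport, "msg": "", "sid": None, "contents": []}
    # options are ';'-separated key:value pairs (content strings holding ';' are not handled)
    for opt in opts.split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        value = value.strip()
        if key == "msg":
            rule["msg"] = value.strip('"')
        elif key == "content":
            rule["contents"].append([decode_content(value.strip('"')), False])
        elif key == "nocase":
            rule["contents"][-1][1] = True  # modifies the preceding content option
        elif key == "sid":
            rule["sid"] = int(value)
        # rev and any other option are ignored in this toy
    return rule


def addr_match(spec, addr):
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return addr in HOME_NET
    if spec == "$EXTERNAL_NET":
        return addr not in HOME_NET
    return spec == addr


def port_match(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, pkt):
    """pkt is a dict with proto, src, sport, dst, dport and a bytes payload."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (addr_match(rule["src"], pkt["src"]) and port_match(rule["sport"], pkt["sport"])):
        return False
    if not (addr_match(rule["dst"], pkt["dst"]) and port_match(rule["dport"], pkt["dport"])):
        return False
    for needle, nocase in rule["contents"]:
        hay = pkt["payload"].lower() if nocase else pkt["payload"]
        if (needle.lower() if nocase else needle) not in hay:
            return False
    return True


def inspect(rules, packets):
    """Return, per packet, the SIDs of the alert rules that fired."""
    return [[r["sid"] for r in rules if r["action"] == "alert" and rule_matches(r, p)]
            for p in packets]


# two constructed rules in Snort syntax (SIDs in the local 1000000+ range are assumed)
RULES = [parse_rule(r) for r in (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Constructed example - dot-dot-slash in URI"; '
    'content:"|2e 2e|/"; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Constructed example - FTP SITE EXEC"; '
    'content:"SITE EXEC"; nocase; sid:1000002; rev:1;)',
)]


def demo_alerts():
    """Constructed packets: external web client, same request on the wrong port,
    our own host making an outbound request, and a lowercase FTP command."""
    ext, me = "198.51.100.9", "10.0.0.5"
    uri = b"GET /images/../../config.ini HTTP/1.0\r\n"
    packets = [
        {"proto": "tcp", "src": ext, "sport": 40000, "dst": me, "dport": 80, "payload": uri},
        {"proto": "tcp", "src": ext, "sport": 40001, "dst": me, "dport": 8080, "payload": uri},
        {"proto": "tcp", "src": me, "sport": 40002, "dst": ext, "dport": 80, "payload": uri},
        {"proto": "tcp", "src": ext, "sport": 40003, "dst": me, "dport": 21, "payload": b"site exec ls\r\n"},
    ]
    return inspect(RULES, packets)


if __name__ == "__main__":
    print(demo_alerts())
```

Two points the run makes visible: the header is as much a part of the signature as the payload (the identical request on port 8080, and our own outbound request, fire nothing because port and `$EXTERNAL_NET` direction do not match), and `nocase` is what lets the FTP rule catch `site exec` in lower case while the traversal rule stays case-sensitive. Real rulesets carry thousands of such rules, which is why Lundholm's caveat about CPU cost applies.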
  17. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Hi, Paranoid. I want to thank you for your answer (I didn't think that you'll answer). I must say that my problem with leak-tests is the following:
    I have recently reinstalled my computer from scratch.
    Now I have a 100% clean PC. What's the point of leak-tests if you have a 100% clean PC? I only need inbound protection.

    And besides, can all leak-tests really show the power and effectiveness of the true malware samples? Only a few leak-tests show that on the link you gave me, but these samples are passed by almost all firewalls if you assume that the computer is already infected (just look at what the Sunbelt Kerio firewall creators answered to Matousec).



    It seems that malware these days is so advanced that leak-tests are useless; once you get malware on your computer the game is literally over.
     
  18. Lundholm

    Lundholm Registered Member

    Joined:
    Aug 20, 2007
    Posts:
    108
    Location:
    Copenhagen, Old Zealand
    Exactly. So why do you guys keep on posting about leak tests?

    This thread started as a genuine firewall discussion (one of very few), but again, somebody managed to turn it into yet another leak thread.
     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Agreed,

    Let's please get back to and stay on topic.

    I will have some time this weekend to set up and check a few firewalls for packet filtering. It will just be testing what level of filtering is made and what packets are dropped (illegal flagged packets etc).
     
  20. Lundholm

    Lundholm Registered Member

    Joined:
    Aug 20, 2007
    Posts:
    108
    Location:
    Copenhagen, Old Zealand
    Don't forget those FWs that support SNORT rules. It adds an extra dimension to packet filtering, if you have the CPU power.
     
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I will only be looking at Windows-based firewalls, and will only have time to check about 6.

    I do also want to check a router (I have a linksys that I can use)
     
  22. Lundholm

    Lundholm Registered Member

    Joined:
    Aug 20, 2007
    Posts:
    108
    Location:
    Copenhagen, Old Zealand
    Perfect. I know that the Sunbelts and late Kerios do SNORT rules. Others too I think.
     
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I don't really want to go down a path of checking Enterprise/server firewalls. I will be looking at products for home use, as used by the majority of users on the forum, such as Jetico, Outpost Pro, Comodo etc. If I was to look at Sunbelt, then it would only be the home product.
     
  24. Lundholm

    Lundholm Registered Member

    Joined:
    Aug 20, 2007
    Posts:
    108
    Location:
    Copenhagen, Old Zealand
    I agree. This is what I meant to say. The personal Sunbelts and Kerios (for Windows) do SNORT rules. :)
     
  25. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Are these rules not already included with the default installation of Kerio, or is there a need to update the bad_traffic file? And if so, then what are users adding to that file, if indeed they are actually adding/using any?
     