Inbound firewall

Discussion in 'other firewalls' started by feniks, Nov 18, 2007.

Thread Status:
Not open for further replies.
  1. Lundholm

    Lundholm Registered Member

    Joined:
    Aug 20, 2007
    Posts:
    108
    Location:
    Copenhagen, Old Zealand
    The default installation contains some small rulesets, yes, but it is possible to download the full rulesets from snort.org in older versions and replace the default sets, and add new rulesets. This requires some work and decision making. One weekend might not be sufficient. :)
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    If your system is clean and will remain so then there is almost no benefit in having a firewall with good leaktest performance (except for the small possibility of legitimate software trying to connect out surreptitiously).

    For most users however, anti-virus/malware scanners will provide a good - but not 100% - defence. A leak-resistant firewall can provide a useful backup where a scanner has failed.
    Not if you have software that provides process control - and this is what many firewalls have been expanding into.
    I would suggest that SNORT support is less significant to most users than effective outbound control. A personal firewall should block unsolicited incoming traffic by default (so knowing if blocked traffic is a recognisable probe or attack is of little relevance).

    Pattern-matching becomes useful for people running a server that has to accept unsolicited incoming traffic, which is why enterprise level firewalls tend to offer it. However even the best performers in this category can be easily bypassed by an attacker obfuscating their traffic.
     
  3. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Some people tested HIPS against real rootkits and it appeared that good HIPS can successfully resist rootkits to get control over your system. Unfortunately such attempts were not too comprehensive, though you can make some conclusions even from those amateur attempts:

    http://membres.lycos.fr/nicmtests/
     
    Last edited: Apr 4, 2008
  4. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    Hi Stem,
    By any chance will you be testing Look'n'Stop also?
    Although I am interested in seeing your results from all tested.
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello,

    Sorry for delay, but family matters have taken my spare time. I will make tests as soon as I can.

    Regards to all,
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I currently have a list of:-

    ZA (pro)
    Comodo
    Jetico 2
    PC tools

    I will add L,n,S

    -
     
  7. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    Somewhere in this thread it was stated that firewalls don't check toolbars and BHOs. And in another post someone stated that antispyware programs could check/detect these.

    Question: you know what toolbars and BHOs you have on your system. They are not known as 'typical spyware'. Are the toolbars and BHOs able to receive and send data on their own/as instructed, not filtered by the firewall? Any difference between Stateful Inspection and proxy-firewalls?
     
  8. aeonhuang

    aeonhuang Registered Member

    Joined:
    Mar 30, 2008
    Posts:
    7
    I'm waiting for the result!
    Why don't you add CHX-I and 8signs? :rolleyes:
     
  9. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,096
    Location:
    QC
    I would also very much like to see the comparative results for those 2 veteran inbound fws!

    BTW, there seems to be a rumor of 8Signs' development possibly being at a halt. It would be a shame... Has anyone successfully exchanged e-mails with those folks lately? Linda C. has always been so dedicated and responsive to all support/requests that her present silence is really no good sign :(
     
  10. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    Any news?
     
  11. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    I'm curious myself, but I'm sure this type of testing may take some time.
    Hopefully Stem will have some results posted soon. :D
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    It's just a case of finding spare time.

    I have a couple of hours now, so will test what I can in that time.

    - Stem
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi,

    I have managed to look at 3. I will look at others when time available.


    The tests are on TCP, just a case of checking to see the packet filtering made on an outbound connection (what packets are filtered out inbound).

    So basically, I have a number of TCP packets; these consist of invalid flags, out of sequence and out of connection. These I send against the firewall to see what is logged/filtered out of an open connection.

    CHX-I V3.
    It filtered out and logged all packets.

    8signs (build 3037)
    It only logged 2 packets (null and xmas) but I did not see any packets pass, so looks like a lack of logging, but will check again on another setup.

    LnS (v206)
    With SPI enabled.
    It only filtered out the packets that are in the Internet filtering (such as null, xmas) and blocked the out of connection. But other packets (invalid flags/out of sequence) were not filtered out.
     
  14. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    Well, that's highly technical!
     
  15. Netherlands

    Netherlands Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    159
    I really like this topic. I also think that the outbound leaktests are getting out of hand. Every vendor is trying to pass these leaktests so there is less time to look at the inbound protection. A couple of years back I had a site to test my firewall for stateful inspection (I used Sygate at that time). I cannot remember the site but maybe someone else can remember it.


    @Stem: Also if there is room left in your testing roundup I also would like to ask if you can test the firewall in Kaspersky KIS 2009. In this new version they have dropped the "stealth all ports" thing because of problems with P2P programs. Well, stealth ports is of course not everything.
     
  16. wat0114

    wat0114 Guest

    Thanks Stem! I hope you can check Jetico 2 and Agnitum's latest.
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Netherlands,
    Yes, I will try and fit that in tomorrow.


    - Stem
     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi wat0114,

    I have just looked at Jetico2 (2_0_2_1). A little strange: it did filter out the null/xmas due to the packet filter rules, but it also filtered out (block all not processed) some of the invalid flagged packets such as syn/rst - fin/syn/psh, but it allowed others such as all flags set. It did also allow out of connection, so it is not checking TCP sequence.

    -Stem
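The inbound checks these two test reports probe (invalid flag combinations, out-of-connection and out-of-sequence segments), sketched as an added example that is not part of the original posts and not the code of any product tested. The function and class names, the FIN+PSH+URG definition of "xmas", the fixed window size and the sample addresses are assumptions.

```python
# Added example: simplified stateful TCP checks for inbound segments.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL = 0x3F

def flag_verdict(flags):
    """Name the reason a flag combination is invalid, or return None."""
    flags &= ALL
    if flags == 0:
        return "null"
    if flags == ALL:
        return "all flags set"
    if flags == FIN | PSH | URG:          # assumption: "xmas" = FIN+PSH+URG
        return "xmas"
    if flags & SYN and flags & (FIN | RST):
        return "syn with fin/rst"
    if flags & FIN and flags & RST:
        return "fin with rst"
    if not flags & (SYN | RST | ACK):     # data/FIN segments must carry ACK
        return "missing ack"
    return None

class ConnTable:
    """Tracks, per connection, the next sequence number expected from the peer."""
    def __init__(self):
        self.conns = {}                    # 4-tuple -> [rcv_nxt, window]

    def open(self, key, rcv_nxt, window=65535):
        self.conns[key] = [rcv_nxt % 2**32, window]

    def inspect(self, key, flags, seq, payload_len=0):
        reason = flag_verdict(flags)
        if reason:
            return "drop: invalid flags (%s)" % reason
        state = self.conns.get(key)
        if state is None:
            return "drop: out of connection"
        rcv_nxt, window = state
        # Modular distance handles 32-bit sequence wraparound.
        if (seq - rcv_nxt) % 2**32 >= window:
            return "drop: out of sequence"
        if seq == rcv_nxt:                 # in-order: advance expected sequence
            state[0] = (rcv_nxt + payload_len + bool(flags & FIN)) % 2**32
        return "accept"

# Constructed sample: one tracked connection (documentation addresses).
KEY = ("192.0.2.10", 49152, "198.51.100.7", 80)
table = ConnTable()
table.open(KEY, rcv_nxt=1000)
for name, pkt in [("null", (KEY, 0, 1000)), ("syn/rst", (KEY, SYN | RST, 1000)),
                  ("stray", (("192.0.2.10", 49153, "198.51.100.7", 80), ACK, 1000)),
                  ("far seq", (KEY, ACK, 900000)), ("valid", (KEY, ACK | PSH, 1000, 100))]:
    print(name, "->", table.inspect(*pkt))
```

A filter that only matches fixed patterns such as null and xmas stops at the first three branches of `flag_verdict`; the connection lookup and the sequence window are what catch the remaining packet classes. The model drops segments behind the expected sequence number, which a production filter would relax to tolerate retransmissions.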
     
  19. Netherlands

    Netherlands Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    159
    Great news. KIS 2009 isn't officially released but I assume that you know where to get it.
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have V8 RC2, is that the latest?
     
  21. wat0114

    wat0114 Guest

    Thank you for all your efforts, Stem :) This is a bit disappointing with J2. I expected better from it.
     
  22. Netherlands

    Netherlands Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    159
    No, it's 8.0.0.357 (V8 TR, Technical Release)
     
  23. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    Can you test Windows Firewall as well?
     
  24. aeonhuang

    aeonhuang Registered Member

    Joined:
    Mar 30, 2008
    Posts:
    7
    Hi, Stem. I am very surprised by the results. Although no longer updated, CHX-I is still the best. Can you tell me more about the details of the test? For example, testing methods, test data records, etc. :rolleyes:
     
  25. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Is there an open download? I need to be cautious; if it is closed/private then there will be restrictions on any reports/tests published.


    - Stem
     