Inbound firewall

Discussion in 'other firewalls' started by feniks, Nov 18, 2007.

Thread Status:
Not open for further replies.
  1. Lundholm

    Lundholm Registered Member

    Joined:
    Aug 20, 2007
    Posts:
    108
    Location:
    Copenhagen, Old Zealand
    The default installation contains some small rulesets, yes, but it is possible to download the full rulesets from snort.org in older versions and replace the default sets, and add new rulesets. This requires some work and decision making. One weekend might not be sufficient. :)
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    If your system is clean and will remain so then there is almost no benefit in having a firewall with good leaktest performance (except for the small possibility of legitimate software trying to connect out surreptitiously).

    For most users however, anti-virus/malware scanners will provide a good - but not 100% - defence. A leak-resistant firewall can provide a useful backup where a scanner has failed.
    Not if you have software that provides process control - and this is what many firewalls have been expanding into.
    I would suggest that SNORT support is less significant to most users than effective outbound control. A personal firewall should block unsolicited incoming traffic by default (so knowing if blocked traffic is a recognisable probe or attack is of little relevance).

    Pattern-matching becomes useful for people running a server that has to accept unsolicited incoming traffic, which is why enterprise level firewalls tend to offer it. However even the best performers in this category can be easily bypassed by an attacker obfuscating their traffic.
     
  3. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Some people tested HIPS against real rootkits and it appeared that good HIPS can succesfully resist rootkits to get control over your system. Unfortunately such attempts were not too comprehencive, though you can make some conclusions even from those amateur attempts:

    http://membres.lycos.fr/nicmtests/
     
    Last edited: Apr 4, 2008
  4. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,674
    Hi Stem,
    By any chance will you be testing Look'n'Stop also?
    Although I am interested in seeing your results from all tested.
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello,

    Sorry for delay, but family matters have taken my spare time. I will make tests as soon as I can.

    Regards to all,
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I currently have a list of:-

    ZA (pro)
    Commodo
    Jetico 2
    PC tools

    I will add L,n,S

    -
     
  7. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    Somewehere in this thread it was stated that firewalls don't check toolbars and BHOs. And in another post someone stated that antispyware programs could check/detect these.

    Question: you know what toolbars and BHOs you have on your system. They are not known as 'typical spyware'. Are the toolbars and BHOs able to receive and send data on their own/as instructed, not filtered by the firewall ? Any difference between Stateful Inspection and proxy-firewalls ?
     
  8. aeonhuang

    aeonhuang Registered Member

    Joined:
    Mar 30, 2008
    Posts:
    7
    I'm waitting for the result!
    Why don't you add CHX-I and 8signs?:rolleyes:
     
  9. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,097
    Location:
    QC
    I would also very like to see the comparative results for those 2 veteran inbound fws!

    BTW, there seems to be a rumor as 8Signs' development possibly being at a halt. It would be ashame... Does anyone have successfully exchange e-mails with those folks lastly? Linda C. has always been so dedicated and responsive to all support/request that her present silence is realy no good signs :(
     
  10. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    Any news?
     
  11. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,674
    I'm curious myself, but i'm sure this type of testing may take some time.
    Hopefully Stem will have some results posted soon. :D
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Its just a case of finding spare time.

    I have a couple of hours now, so will test what I can in that time.

    - Stem
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi,

    I have managed to look at 3. I will look at others when time available.


    The tests are on TCP, just a case of checking to see the packet filtering made on an outbound connection (what packets are filtered out inbound)

    So basically, I have a number of TCP packets, these consist of invalid flags, out of sequence and out of connection. These I send against the firewall to see what is logged/filtered out of a open connection.

    CHX-I V3.
    It filtered out and logged all packets.

    8signs (build 3037)
    It only logged 2 packets (null and xmas) but I did not see any packets pass, so looks like a lack of logging, but will check again on another setup

    LnS (v206)
    With SPI enabled.
    It only filtered out the packets that are in the Internet filtering (such as null, xmas) and blocked the out of connection. But other packets (invalid flags/ out of sequence where not filtered out)
     
  14. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    Well, that's highly technical !
     
  15. Netherlands

    Netherlands Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    159
    I realy like this topic. I also think that the Outbound leaktests are getting out of hand. Every vendor is trying to pass these leaktest so there is less time to look at the inbound protection. A couple of years back i had a site to test my firewall for statefull inspection (i used Sygate at that time). I cannot remember the site but maybe someone else can remember it.


    @Stem: Also if there is room left in your testing roundup i also would like to ask if you can test the firewall in Kaspersky KIS 2009. In this new version they have dropped the "stealth all ports" thing because of problems with P2P programm's. Well Stealth ports is ofcourse not everything.
     
  16. wat0114

    wat0114 Guest

    Thanks Stem! I hope you can check Jetico 2 and Agnitum's latest.
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Netherlands,
    Yes, I will try and fit that in tomorrow.


    - Stem
     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi wat0114,

    I have just looked at Jetico2 (2_0_2_1). A little strange, it did filter out the null/xmas due to the packet filter rules, but it also filtered out (block all not processed) some on the invalid flagged packets such as syn/rst - fin/syn/psh. but it allow others such as all flags set. It did also allow out of connection, so it is not checking TCP sequence.

    -Stem
     
  19. Netherlands

    Netherlands Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    159
    Great news. KIS 2009 isn't officialy released but u assume that you know where to get it.
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have V8 RC2, is that the latest?
     
  21. wat0114

    wat0114 Guest

    Thank you for all your efforts, Stem :) This is a bit disappointing with J2. I expected better from it.
     
  22. Netherlands

    Netherlands Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    159
    No, its 8.0.0.357 (V8 TR, Technical Release)
     
  23. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    Can you test windows firewall as well?
     
  24. aeonhuang

    aeonhuang Registered Member

    Joined:
    Mar 30, 2008
    Posts:
    7
    Hi,Stem.I am very surprise for the results.Although no longer updated, but CHX-I is still the best.Can you tell me more about the details of the test? For example, testing methods, test data records, etc.:rolleyes:
     
  25. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Is there an open download. I need to be cautious, if it is closed/private then there will be restrictions on any reports/tests published.


    - Stem
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.