Inbound protection of software firewalls

We all know that when it comes to leaktest, or outbound protection, there are firewalls that clearly stand out above the rests. As can be seen in here: Matousec's Leak Test

My question would then be:
Is it reasonable to say that all software firewalls that can be configured to stealth all ports (that is out-of-the-box or not) provides the same level of inbound protection?
If not, what TYPES (and examples) of software firewall would offer the best possible inbound protection?

 

Heres one topic on the subject and heres another.

 

I was the one who started the thread in the first link you posted, and it is particularly with regards to CHX-I and Jetico v1. Anyways, both threads does not have the information I'm looking for which is why I posted this topic. Thanks for replying.

 

Not all software firewalls i've used over the years have stealthed all ports, a few just simply close them. From what i've read on here the whole stealth/closed port issue isn't that important. Personally i prefer a firewall that stealths all ports, it seems to give me better peace of mind. However as far as i know even when i ran a firewall that didn't stealth all ports i never had any problems.

 

Now, we're talking!
If stealthing/closing ports isn't that important, how would we then know/define inbound protection capabilities of software firewall?

Thanks farmerlee, this really is the type of discussion I'm trying to start here cause more people are inclined to dismiss a firewall just because it failed some leaktests. but, I'm sure a lot of people like me still doesn't care much about leaktests.

I'm not into particalar products here. I'm mostly interested in knowing the TYPE of software firewall that could provide the best of possible/reasonable inbound protection. An example of a certain type of firewall would be nice.
Or, as indicated by farmerlee's statement, how would/should we determine if a software firewall offers good inbound protection.

 

In my opinion, the best option is to just buy a cheap NAT router and be done with it. You can configure it to stealth all ports easily. Best day for me was the day I bought the router and stopped messing with all the software firewalls.

 

Not trying to hijack this, but I am behind an alpha shield and am testing NIS 2007---I get intrusion protection pop ups telling me it has stopped an attack So is the alpha shield failing or is the software firewall really that good at inbound protection??

 

Some firewalls don't have SPI (like PCTools) and some programs listed in Matousec don't have inbound protection.

 

In PC Tools thread in this forum, there is way mentioned by Stem to tighten the rules to block incoming despite the lack of SPI. So, we go back to post #1, "out-of-the-box or not."
Are all software firewalls the same when it comes to inbound protection, whether out-of-the-box or not?

 

I'm not sure what you're asking here, but a software firewall's job as regards inbound traffic is really pretty simple and straightforward. It should block any and all unsolicited inbound traffic, and only allow inbound appropriate responses to outbound traffic via SPI etc. There really isn't much more to talk about. Either the firewall does it's job or it doesn't. The worse possible scenario is if your software firewall were to allow unsolicited inbound. No firewall should do this unless it's buggy and not doing it's job properly. Whether or not stealth is important is something that people like to debate endlessly. As long as the port is closed, there isn't much that can happen. So I would say, if you're not concerned with all the so-called leak tests and outbound traffic, then almost any software firewall will do for inbound, assuming it's bug free and does it's job.

 

Are you sure that the workaround doesn't break things like Passive FTP (which uses remote ports 21 and 1024-65536)

 

I'm simply curious if it's safe to say that when it comes to inbound protection, all software firewall are basically the same. yes, that is what I want to know and you're answer does make sense to me.
but you mentioned about SPI, and also ggf31416:
do you imply that software firewalls with SPI provide the same level of inbound protection, but better than those firewall without SPI? or whether there have SPI or not, they all provide the same level of inbound protection?

 

There are a few other things, like signature checking MD5 vs SHA1, firewall's settings treating MTU fragmenting, verifing cheksums of fragments, their action vs attacks like DDoS, TCP, UDP or ect and so on. But basically all firewalls do the same, so you could say, that Windows Firewall is as good as others, but there are those "little wonders", which make difference and since they are part of the closed firewall's engine or they are "high tech", then people can not compare it, because they do not know about it or do not understand it, neither do I.

But inbound protection is a strange phrase, because when a browser, through which most exploits come into PC, is allowed in a firewall along with other aplications, then what it is an inbound protection about actually? I think, that firewall does more job protecting outbound.

 

Start a new thread and we can look into this.

 

Some other things to consider for inbound (not everyone will find these important):

-if you use a router for inbound, how is the logging (if you care about this)
-If you use a 3rd party program for router log viewing, does it start as a service? Do you need a separate app to run as a service? How much memory does it use?

-if you use a software firewall for inbound, how is the logging? Can you selectively choose not to log some rules and log others? Can you log "permit" type rules or just "block" rules?

-does the router or software firewall limit inbound P2P connections (if you use P2P)?

-can inbound rules be application-specific if you want?

-Does the firewall start up quickly at startup? Or could you be vulnerable for a few seconds?

-other considerations like memory/CPU use, current or potential bugginess and/or vulnerability to remote exploits, company profile and support, whether you like the GUI and rule creation logic, cost, etc.

 

To me inbound protection is the least important trait of a software firewall... that's what hardware based firewalling is for IMO. You say you have an Alpha Shield (great product, check my sig). Are you also behind a router with NAT & SPI? This is the route I go. The router stealths your ports, and then the Alpha Shield makes your router invisible. Inbound protection from a software firewall is a pretty moot point with this setup, so I just use Windows Firewall.

An Alpha Shield is a great security measure but it does not take the place of a router. When combined the 2 make a great shell of protection. This is always my first recommendation to people looking to enhance their security. After that, the choosing software is all optional and you'll always get conflicting opinions on which way to go. But for the sake of arguement... with inbound protection as your ONLY criteria for a software firewall... you may as well just use the integrated Windows firewall. It will stop intrusions just as well as any paid software firewall will.

 

@luciddream: your comment is appreciated. please bear in mind, though, that the thread is restricted to "inbound protection of software firewalls." So, do you think all "software firewalls" offer basically the same level of inbound protection?

 

Consider this:

For inbound protection, then, you don't even need a firewall, if you can insure that all ports are closed:

http://www.urs2.net/rsj/computing/tests/fw_test/

Not recommended as a normal procedure, of course. So, in answer to your question about inbound protection,
I echo this:

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

Windows firewall is a software firewall for inbound protection. So if the inbound protection of a software firewall was a moot point (obsolete, irrelevant, unnecessary, unimportant, etc), then why would you use windows firewall? This question is out of curiousity, so don't take it the wrong way.

 

Because it's extremely light, that's the only reason at all. I mean why use another software firewall that does no better at all of blocking intrusions that'll suck up a ton of resources? I have other (better) means toward monitoring/filtering my outbound traffic than having a bulky, resource sucking 3'rd party SW firewall on my PC.

Then point was that inbound protection from a software firewall shouldn't be a big criteria because hardware based firewalling does a superior job of it while the resource hit is non-existant. I mean heck I could just as easily disable the Windows Firewall, but I mean it's another layer of security and it's insanely light, so why? When combined with a good HIPS or similar program it can account for all the shortcomings of the Windows Firewall while being FAR lighter than using a bulky 3'rd party software firewall.

The way I worded it in that post, it does look pretty contradictory. But I think now you get the point that I was trying to convey?

 

I would go past "basically" as far as to say they're "practically all the same" in terms of strictly inbound protection.

 

reading all the replies i get the impression nobody seems to know which is the software firewall with the best inbound protection....please correct me if im wrong...
the leak tests are well documented.....
does anybody have an idea of the best inbound firewalls??
thanks

 

Again, as long as they keep out what you don't want in, then they're all pretty much the same IMO...

 

Since many have already stated they feel most are the same, the only way you will satisfy yourself is to download each for evaluation, configure according to instructions, and run an on-line scan test . My guess is that they all will return similar results of successfully blocked probes.

A few on-line scanners:

http://www.grc.com/x/ne.dll?rh1dkyd2

http://www.hackerwatch.org/probe/

http://www.pcflank.com/scanner1.htm



regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

Hello, Climenole,

Are you saying that there is a possibility that the ports are *not* closed, even though the GRC test says they are?

Or are you saying that it's possible for someone to be vulnerable, even though ports are closed?

(Let's please not get into the fragmented packet thing )

From my test linked above from a couple of years ago, I was convinced that if ports are closed, the common trojan/worm exploits had no chance.

EDIT: The reason for my test at that time was due to an article that was being printed everywhere saying that it takes 18 seconds (not sure if that's exact) for a computer to get infected without a firewall.

Thanks,

-rich