Inbound Protection

Discussion in 'other firewalls' started by Someone, Aug 19, 2008.

Thread Status:
Not open for further replies.
  1. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    Which firewalls have good inbound protection that are easy to use?

    Thanks
     
    Last edited: Aug 19, 2008
  2. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    The best way is to use a hardware firewall, naturally. As a software fw: Outpost, Comodo, or Zone Alarm Pro.
     
  3. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Almost all firewalls have inbound protection, hardware or software. Even Windows Firewall (XP and Vista) has some inbound protection.

    If you are looking for some precise inbound protection for some particular scenario/traffic/attack, please state the same.

    IMO, Kerio 2.1.5, Jetico and CA HIPS (formerly Tiny Firewall) have the ability to create very precise and powerful rules, which allow you to shield yourself from any particular inbound attack. But on the flip-side, you really need a lot of expertise to pull it off!!
     
    Last edited: Aug 19, 2008
  4. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum


    Well, if you happen to have an animal worth several 1000s then yes. Otherwise, if you are referring to typical cheap home routers, certainly no.

    Almost? An app without inbound filtering is not a firewall...

    Just to reply on topic...

    If you just want "good" then install any. You would need to expand on "good" for further discussion.
     
  5. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Why not?
    It also depends on the definition of 'cheap' I guess?
    What kind of brands would you describe as 'cheap' and therefore not really suitable?
     
  6. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    I don't proclaim myself to be a Security Expert. But from what I have seen and read at Wilder's, it's debatable if SW firewalls provide inbound protection (See here). So I just wanted to give the right perspective, since I am not a Guru like many others here.

    Also you would be amused to know that many centers actually deploy/try firewalls with no inbound access :argh: . For example: SDSC.

    I think my reply was almost the same as yours so I don't understand how I went off topic o_O Maybe my lingo was not as sharp.

    Oh, well I was just hoping to help.
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Hardware firewalls don't have to be expensive. Smoothwall can be used to convert a new or old PC into a very good hardware firewall, complete with IDS. It'll cost you a couple of network cards, a cable, and some time. Depending on how you equip it, less than $50. Version 2.0 will run quite well on hardware that originally hosted Win95. Mine runs on a 133 MHz processor and 32 MB of RAM. Has now run flawlessly for 135 straight days.
     
  8. xtree

    xtree Registered Member

    Joined:
    Dec 4, 2006
    Posts:
    96
    Yes, not all firewalls have proper inbound protection though all of them should have it. Just think of the first version of Windows firewall. It was called a firewall even when it did not have proper inbound protection.
     
  9. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    I've heard that Sunbelt has a NIPS which protects against some attacks and that Safety.Net has Deep Packet Inspection. Which are supposedly better inbound? I don't really know.

    Thanks
     
  10. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    I don't think I know enough to make these rules.

    Thanks
     
  11. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    I have been using a "cheap home router" for years and never had one single issue of any kind. The day I spent $40 for the cheap router was the best day of my life, no more worries. What in the world are you talking about?
     
  12. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    CHX-I is known to be pretty solid on the inbound side, but is not application aware.
     
  13. Ghost_ARCHER

    Ghost_ARCHER Registered Member

    Joined:
    Jan 21, 2007
    Posts:
    62
    Jetico I I guess is good.

    But prepare some time to tame it down.

    Also prepare for something strange:

    1. The exact same application rule can be added to the table.
    2. Sometimes it messes something up, say, when Firefox is connecting to a site, it pops up a message saying Kaspersky AVP wants an internet connection.
    3. Occasionally, the system freezes for no apparent reason. :D

    Besides these:
    It is fast, never slows programs down as OAF does.
    It is light, very low in CPU time most of the time, and only 3800K memory on my system now.
    It has the most convenient GUI.
     
  14. Ghost_ARCHER

    Ghost_ARCHER Registered Member

    Joined:
    Jan 21, 2007
    Posts:
    62
    http://i33.tinypic.com/2zfttzd.png

    Maybe Stem or Diver can tell me what this is and how to avoid it?


    This happens when I try to link to some forum/picture sharing site (tinypic.com, for example) in Firefox.

    And to disable it, close Firefox before you click allow, after several clicks, get through and delete the new rules. At last I threw it into the trust zone.
     
  15. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    Inbound protection has been discussed extensively on this forum, but it has never been resolved. Unfortunately.

    Some phrases: stateful packet inspection, deep inspection, deep stateful inspection, proxy firewall.

    Stem has done some testing, but as far as I know he did not find a 100% proof firewall.

    So I guess you'll have to accept a firewall with 'decent' inbound protection.

    Easy to use firewalls? Those are often part of a suite.
     
  16. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    My main problem with Jetico 1 is perhaps related to yours, if I understand you.

    I set the browser, for instance, with the range 1024-5000 to port 80, and Jetico still asks me. It's not an unusual port, nor anything. The rule should be working, same parameters.
    If I use any local port for the rule, it works.

    So I'd say if you choose Jetico, try version 2.

    What I like about Jetico overall is that it's very similar in many ways to iptables. I don't know why I didn't see this the first (and second) time I tried it.
     
  17. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Since you seem to be wary of making rules (like me :D ), I would recommend Outpost Pro, which I use.
    It has a good HIPS and Intrusion Detection. Plus it has this feature called ImproveNet, by which I get new rules set automatically based on my programs.
    Plus their SmartAdvisor, help and support system allows even people who are not necessarily very proficient to create custom rules effortlessly.

    A trial is available, try it out and see if it works for you.
     
  18. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    No, it is debatable how the inbound protection is implemented in both - software and hardware. They both provide some...

    Good for them. But not my cup of tea so I'm hardly amused.

    You didn't. The "just to reply on topic..." was not aimed at you.

    Not having an issue doesn't mean your traffic is filtered properly.

    I am talking about proper/full SPI and/or DPI implementation. But let's leave packet contents out for a moment, our "cheap" home routers will have very basic header inspection on TCP (at best, mostly SYN flags filtered) and none with the connectionless protocols. This is the reason I choose to bridge my router (as I have no LAN most of the time) and use a quality software firewall instead.

    Just to suppress further questions and to stay on topic - it is Injoy. I recommend it, v4.1 has been working flawlessly for the last couple of months here... Not for LAN users though as it doesn't have any ARP filtering whatsoever.

    Cheers,
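
An added illustration of the distinction drawn in the post above (not part of the thread and not any product's code): a filter that only drops bare inbound SYNs, next to a minimal connection-tracking filter, both run over constructed sample traffic. The packet fields, the documentation-range addresses and the 30-second UDP timeout are assumptions.

```python
from collections import namedtuple

# Constructed sample traffic; addresses come from documentation ranges.
Pkt = namedtuple("Pkt", "t direction proto src sport dst dport flags")
LAN, WEB, DNS, STRANGER = "192.168.1.10", "203.0.113.5", "198.51.100.53", "203.0.113.99"
TRAFFIC = [
    Pkt(0.0, "out", "tcp", LAN, 3456, WEB, 80, {"SYN"}),
    Pkt(0.1, "in", "tcp", WEB, 80, LAN, 3456, {"SYN", "ACK"}),  # reply
    Pkt(1.0, "in", "tcp", STRANGER, 4000, LAN, 445, {"SYN"}),   # unsolicited SYN
    Pkt(1.1, "in", "tcp", STRANGER, 4000, LAN, 445, {"ACK"}),   # unsolicited ACK
    Pkt(2.0, "out", "udp", LAN, 3500, DNS, 53, set()),
    Pkt(2.1, "in", "udp", DNS, 53, LAN, 3500, set()),           # reply
    Pkt(3.0, "in", "udp", STRANGER, 4001, LAN, 1434, set()),    # unsolicited UDP
]

def syn_only_filter(pkt):
    """Header check only: drop an inbound bare SYN, pass everything else."""
    if pkt.direction == "in" and pkt.proto == "tcp":
        return not ("SYN" in pkt.flags and "ACK" not in pkt.flags)
    return True  # outbound traffic and all connectionless traffic pass

class StatefulFilter:
    """Minimal flow tracking: inbound must match a flow opened from inside."""
    UDP_TIMEOUT = 30.0  # assumed idle timeout for UDP pseudo-connections

    def __init__(self):
        self.flows = {}  # (proto, local, lport, remote, rport) -> last seen
    def allow(self, pkt):
        if pkt.direction == "out":
            self.flows[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.t
            return True
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        seen = self.flows.get(key)
        if seen is None:
            return False  # no matching outbound flow: unsolicited
        if pkt.proto == "udp" and pkt.t - seen > self.UDP_TIMEOUT:
            del self.flows[key]
            return False  # pseudo-connection expired
        self.flows[key] = pkt.t
        return True

def inbound_verdicts(decide):
    """Feed all of TRAFFIC to a filter; return verdicts for inbound packets."""
    results = [(p, decide(p)) for p in TRAFFIC]
    return [ok for p, ok in results if p.direction == "in"]

if __name__ == "__main__":
    print("SYN-only:", inbound_verdicts(syn_only_filter))
    print("stateful:", inbound_verdicts(StatefulFilter().allow))
```

The two verdict lists differ on exactly the unsolicited ACK and the unsolicited UDP datagram, which is the gap between flag-only header inspection and state tracking.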
     
  19. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    The logical conclusion from that would be that the browser is using a local port outside your 1024-5000 range, which would be odd, but maybe not impossible? Otherwise, make sure you're allowing all remote addresses too.
     
  20. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    I know what you're saying Seer, but let's be reasonable and practical. Whether a home user's traffic is "filtered properly" or not hardly matters. That's mostly an exercise for folks who like to dissect this kinda stuff and have the time to do so. As long as the end result is no issues or problems, then the cheap home router is good. Nothing else is needed. And let's face it, most of the users here at Wilders are just that, simple home users with a hobby. I can see where one might care more in a business or other environment, but not in a home environment. The cheap router is all anyone needs.... Unless of course you're expecting an onslaught of "attacks" from the wild... ;)
     
  21. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I checked the logs, and the pop up. It's in the 1024-5000 range, to port 80. The rule should apply, but it doesn't.
     
  22. Ghost_ARCHER

    Ghost_ARCHER Registered Member

    Joined:
    Jan 21, 2007
    Posts:
    62
    I guess we are in the same situation.
    The repeated exactly same rule seems a real confusion and trouble maker.

    Also there are two other concerns:

    (1) it shows avp wants to connect to the internet when firefox really does. I don't know what it is but I guess the security software hooked (--if the expression is correct) the network driver. The problem is, sometimes uninstall the program (AVP in this case, it the connection lost).
    (2) the ip address 0.0.0.0 and port 0 seems odd to me, I am not sure why it looks like that.

    I am trying to make this screenshot show as much information as possible.
    But I suggest you check all the fields for consistency. I once found I misread a field like hash; the rule is too long to align them when you are not careful. Just avoid the mistake I made before :)

    OOOOhhhh, I guess the order also might matter, especially if you have some ruleset with a denial at the end. But in fact, I don't know how to read the rules now: the new rule, which should be used to override the old one, is placed at the bottom, while the years-old rule is listed at the beginning. So once it tries to match a rule, it reads lots of garbage first, then reaches the latest new version rule, and then asks for your decision.......



    Negative, they asked for money for this version.

    Hopeless Debian User, Now we are using Arch Linux :)
     
    Last edited: Aug 19, 2008
  23. Ghost_ARCHER

    Ghost_ARCHER Registered Member

    Joined:
    Jan 21, 2007
    Posts:
    62
    the browser is trying to send datagram instead of outbound through certain port.
     
  24. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Ghost_ARCHER: the first thing I did was to make a separate table for that access to network. 1 rule that matches any access to network, with the jump to that table. Then that table has an ask rule of course.

    BTW, if that avp is part of the AV, you should probably remove the localhost from trusted. Then it makes sense.
     
  25. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Weird...... well if it's not udp out or something strange like that, and it's in the range, and no other rule is conflicting, then maybe it's just a bug in Jetico?
     