incoming protection firewall performance

Discussion in 'other firewalls' started by nmaynan, Mar 7, 2008.

Thread Status:
Not open for further replies.
  1. nmaynan

    nmaynan Registered Member

    Joined:
    Mar 2, 2008
    Posts:
    98
    with all the focus on leaktests etc, it seems software firewalls don't tout their ability to keep stuff off the computer in the first place.

    Assuming a context where a laptop is used on a public wireless network--hence a software firewall is needed for inbound protection, are there significant differences between Firewall capabilities in this area? Is the focus of software firewalls on outbound protection because all software firewalls provide the same level of protection for inbound stuff?

    Anybody know of any reviews that concentrate on Firewall performance as it relates to inbound protection? For example, Ignoring outbound protection, will a third-party firewall provide better inbound protection than the Windows XP firewall?
     
    Last edited: Mar 7, 2008
  2. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    In most of the cases, incoming protection works fine with any firewall (including XP firewall).
     
  3. FadeAway

    FadeAway Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    270
    Location:
    USA
    I only run software firewalls that are in-bound packet filters.

    I look at whether or not the filtering is stateful or stateless,
    stateful offering some additional protection against altered packets.

    Also of concern, are the options available in rule-making concerning
    what is allowed and what can be blocked. The Windows FW, for example,
    does not (I thinK) allow the option to deny IGMP, whereas many
    third party packet filters do.

    Additionally, you cannot really know how effective your FW configuration
    is, if it does not provide accurate and comprehensive logging.
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    It would be a case of what is defined as inbound protection.

    Any firewall can deny unsolicited inbound, for me it is the ability to filter the packets inbound from an outbound connection made (packet filtering).

    One of the main problems I see is for users on un-trusted LAN, due to ARP not being filtered by windows firewall (or many 3rd party firewalls). There is no way to filter this within windows, so 3rd party applications are needed. Of course, there are other considerations as to the actual packet filtering (due to possible spoof/invalid flags etc that can possibly cause problems)
     
  5. nmaynan

    nmaynan Registered Member

    Joined:
    Mar 2, 2008
    Posts:
    98
    are there any FW that do these pretty well. Can you name them?
     
  6. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
  7. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Its pretty hard to get information on this topic, especially with Matousec making statements like "most firewalls handle inbound acceptably" and Scott Finney saying the only reason for a software firewall is outbound filtering.

    Stem,

    Perhaps you could tell us which firewalls protect against ARP attacks, or what ARP attack are for that matter.


    -The Diver
     
  8. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    importance: protection against arp attacks is only important if u are on untrusted lan exactly like me

    examples: firewall with arp pritection are
    1-outpost
    2-lavasoft "outpost based"
    3-comodo
    4-L'n stop "not sure"
    efficiency: not perfect because they work by blocking the unwanted packets "spoofed packets" but in the same time block the gateway
    the dos attacks are targeted at cutting the net service
    such firewalls protect against spoofing and DOS attacks by also cutting the service so the goal of dos attacks and arp spoofing is achieved indirectly by the firewall itself

    but away from the incompatibility issues and BSODs , outpost and subsequently lavasoft firewalls are the most efficient in this item "arp protection

    although other good and perfect firewalls like zonealarm and online armor are completey deprived from any function related to arp spoofing or DOS attacks
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Diver,
    Arp poisoning can be made, this is where ARP cache entries can be made to make your PC think IP`s are at different MAC address. Can be used to redirect you through any PC.
    ARP DOS can be made, this is where (as example) an ARP request is made to a user with an incorrect MAC/IP binding of the gateway where the MAC address does not exist.

    Both the above would be classed as Spoofed ARP attacks.

    There are more simplistic attacks, such as ARP flooding.


    The firewalls I have looked at:

    Outpost pro: The latest version does now have better protection, and does not simply block the gateway (as I have posted info about before). This protection is automated.

    Comodo: This protection was to be updated, but have had no time to check.

    LnS: Full protection against spoofing can be made using various pre-made rules. But have not checked it against flooding.

    Jetico2: Full protection against flooding (settings can be made via registry) and rules can be made to prevent spoofing.


    I do still need to check some of the latest releases of various firewalls.

    If anyone does have a firewall installed (that I have not mentioned) that shows ARP protection, then please let me know so I can check the implementation.
     
  10. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    hi stem
    i totally agree with u except for the gateway block in outpost when it tries to block the spoofing ip
    this occurs sometimes with me , but not alaways
    i forgot to mention that jetico has arp protection , u did , but i've red that it"S not an actual arp protection
    i wonder how could a populat fw like OA lacks this function i think lacking such function make it just a hips not an actual fw
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi hany3,
    I did see some problems with outpost, but the last version I looked at did appear to resolve the issue. But of course, as I do not run OP all the time, so as you mention, the problem may still be there.
    The default rules are limited to blocking ARP flooding. There is a need to create rules to filter out any attempt to spoof the Gateway. (binding of the gateway IP/MAC can be made)

    Quite a number of firewalls do not have ARP filtering.
    OA (I have been informed) will be adding this in the future.
     
  12. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    thanks for ur valuable comment stem
    sure many firewalls do not have this function
    but none of them have 100% leak protection on matousec
    when u r on top , it put more responsability on u

    to compare the 2 firewalls on top
    outpost has great networking abilities like arp and spoofing protection and reporting if the gateway has changed
    but it still has great incompatiblity issues ,many downloading and surfing problems

    on the other hand OA is more stable and very much less buggy than OP
    but as i said lack some important "at least for me" networking functions like arp and spoofing protection

    so i believe the word that "threre's no perfect firewall"
    but on the light side OA show good promise
    and i was also informed in OA forum that such networking and arp functions will be added in the coming versions
    but till now nothing done
    i just hope that it becomes true
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    This is a thread concerning "incoming protection" so do not want this thread to digress into another "leak" thread, but I would certainly be open for further discussion if you would like, on another thread on that subject?

    I have no reason not to believe Mike(OA) who informed me of this. It is just a case of priority. At the moment they are pushing for better compatibility (some possible bugs) and for a vista release.

    Dont worry, I will keep reminding Mike(OA) of what as been mentioned (and needs of users)
     
  14. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    sorry coz i sailed away from the main subject of the thread
    but u know sometimes discussion pull u away to other corners where u can not prevent urself from getting in such distant corners
    and i dont mind continue in another thread
    best regards
     
  15. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    No problem. Please do start a new thread, I will certainly interact.

    Edit:

    I see you edit during my reply, so answer:

    We must respect the thread starter and the topic made. You did yourself take the topic to "leaktest"

    Please keep to topic, or make new thread.

    TIA
    Stem
     
    Last edited: Mar 8, 2008
  16. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    It might be worth taking a look at the recent history of the Windows firewall. No release of Windows (that I know of) had a built in firewall prior to XP. XP RTM had a firewall, but it was off by default. I cant exactly remember what happened with SP!, but by SP2 the firewall had been substantially rewritten and was turned on by default.

    The change was made because a Windows machine directly connected to the internet would be infected with a worm in an average of 20 minutes. It happened to someone I know in about 10 seconds once when some cables got connected wrong and the router got left out of the circuit. Windows by default listens on several ports, and that is what makes it vulnerable. Its possible to close these ports, but it also involves turning off various windows functions.

    IMO, 95% of the job a firewall must do for the typical workstation PC is protecting the machine's open ports from worms. The other kinds of attacks, especially DOS, are more of a worry for servers. AS for ARP, it might be a problem on public networks with a large number of poorly regulated users, such as universities, but I don't hear much about it actually happening.

    The other 5% is outbound control, at least in my system of values. This was originally conceived as a way to enforce policy so that only authorized applications will communicate with the internet. Someone came up with POC to fool the outbound control by starting IE and controlling it with another application and leak testing got rolling.

    It seems like today we have gone to the next stage where a firewall like Comodo 3 has a HIPS built in that goes far beyond what is necessary to prevent outbound leaks. Whether that is good or bad will have to be the subject of another thread.

    In my view, if you have a desktop computer a router is enough and all the XP firewall does is stealth any forwarded ports when they are not in use. If you have a notebook your needs are somewhat more complex as one must differentiate between trusted and untrusted networks, assuming you allow any network as trusted. With the XP firewall Windows file and printer sharing must be turned off manually. Vista identifies new networks and asks each time if the network is trusted. Another approach is to set up your trusted network with an oddball address range and block everything else on ports 135-139.
     
Loading...
Thread Status:
Not open for further replies.