Is it fair to say this about firewalls?

Discussion in 'other firewalls' started by HandsOff, Jan 7, 2004.

Thread Status:
Not open for further replies.
  1. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Hi Everyone,

    in light of what i have been experiencing and reading at Wilder's own website -

    (http://www.wilders.org/HTMLobj-1073/firewall%20vulnerability.txt)


    Would it not be fair to state that all software firewalls are pretty much worthless, and that we should all be making the transition to hardware based firewalls?


    I know my question sounds provocative, and I am not up on the latest efforts of software makers to fix the packet vulnerability much less the failure (in my opinion) to present intelligent default rules options, however, i am not sure subtlety would serve my purposes, and those of people who want to be relatively safe in our computing.

    While hardware firewalls are not strictly speaking, a software topic, i am hoping that you will grant that it is a related topic, and that there is a large population who might find it useful to understand that this approach has several unique advantages.
     
  2. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    :) Hi Handsoff!

    I would consider that the issue of hardware and software firewalls are related because I am using both. :D My router is a hardware firewall and I also use a software one. Even my ISP cannot get through them when they do their little tracking stuff! ;) (I cannot stand it when people try to read over my shoulder.)

    Hardware firewalls are not perfect and neither are the software ones. I like to get them to balance each other so neither has to work too hard but all the basics are covered. ;)
     
  3. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    I don't agree that all software firewalls are worthless.
    I think that your connection is a factor.
    I'm on dialup and use a software firewall.
    If I ever get an "always on" connection,I would definitely add a hardware firewall.

    It's only my opinion,but I think that there are some very good software firewalls.
     
  4. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I disagree completly.

    A hardware firewall can't handle outbound application access since executables aren't running on it, it will allow a connection coming from you, that it was a trojan or a legit software.
    In addition a personal firewall (software) can help you to spot a threat (trojan.exe) whereas a hardware can't.
    So it's more than blocking malicious threat, it's to identify them.

    About the fact that firewalls are supposed to not handle packet crafted using non Winsock stack it isn't true for all.
    It _was_ but firewall had evolved and now just take a look at Look'n'Stop 2.05b1 which is able to block packet sent directly to NIC.

    you are talking about to make the transition from software firewall to hardware firewall as if it was the same but hardware more secure, but they aren't the same.
    Personally i'm using both because i have features in each that i can't find in the other.

    Software firewalls aren't useless or worthless.
     
  5. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Very crude to come on here and state ALL Software Firewalls are pretty much worthless because of issues revolving around a number of Software Firewalls. What’s been said in “firewall vulnerability.txt” is far from being “Recent News” and I mean by far; therefore jumping to conclusions that the listed Software Firewalls are still vulnerable is outrages.

    Use a Software Firewall that Controls ALL IP & Non-IP or Other IP Protocols, contact the Software Firewall vendors and check. VisNetic Firewall and James Grant other Software Firewalls has this support however if you use P.P.P.o.E you must disable the block of all "Other Protocols (... NetBEUI, IPX)". Look ‘n’ Stop Personal Firewall also has Controls of ALL IP & Non-IP or Other IP Protocols, and if you use P.P.P.o.E you don’t need to disable block of all “Other Protocols” like required of James Grant Software Firewalls currently.

    As for using a Hardware Firewall blah! :D
     
  6. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    I have a hardware firewall and a software firewall and between them there is nothing going out or in I don't want to run. They both have their place .
     

    Attached Files:

  7. mraka

    mraka Guest

    It would not be fair to say that. Both versions of Sygate specifically provide such protection.

    The only advantage I see of Hardware firewalls are to lower log file size and prevent unsolicited packets from even reaching a computer. Otherwise they are quite crude.
     
  8. Aggressor

    Aggressor Registered Member

    Joined:
    Nov 21, 2003
    Posts:
    28
    Location:
    here
    3 questions I have for any Networking Jedi out there :D:

    - For a firewall to be able to block ANY incoming protocol, even non-IP packets, at what layer of the OSI model must it operate? (though I guess it must be a rather low layer)

    - For a firewall to use "stateful inspection", at what layer of the OSI model must it work?

    - Is there a relation between a firewall's ability to block any protocol and the fact that it uses or not stateful inspection (sorry 4 the n00b question)??
     
  9. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I guess that if you receive a non IP packet, the OS will drop it or discard it because you just have a TCP/IP stack installed by default.
    But if you receive a GRE protocol packet (built in IP), it's to your firewall to play.
    About the OSI level i think it's Link layer (2), same than MAC adresses (or 3, depending where the new protocol is).

    Too wide question, SPI is many things put together.
    However, i think i would put it with the network filtering (layers 3 & 4)

    There is no relation at all, SPI is a totally different feature than blocking others protocols or not.
    Statefull Packet Inspection will record your traffic, and for every traffic coming back (or coming) it will check if it is related to one of your connection/flaw.
    If it is, it's automatically allowed without checking against rules, if not, it is compare to rules.

    SPI is a very efficient way to allow only return of what we had inititated while blocking any other traffic.
    For many software you are however in the need to add specific rules to allow servers to be reached (application which wait for traffic).

    Apart of that, the firewall can or not blocks others special protocols, it isn't the same feature.
     
  10. Aggressor

    Aggressor Registered Member

    Joined:
    Nov 21, 2003
    Posts:
    28
    Location:
    here
    Hmm ... getting a tad too technical here..

    but thanks for the answer, Master! :D
     
  11. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Master ? i don't think :)

    but indeed sometimes i like that people call me like that after to have learned that i am the author of the ANTI-LeakTests 100% efficient

    http://www.wilderssecurity.com/attachments/Ciseaux.gif
    => efficient with any network wire, 100% guaranted

    annual fee : 10$ US
    update : 5$
    support : 1$

    :D


    seriously there is so much things i don't know, fortunaly wilder forum is there :)

    EDIT :

    from memory : sygate blocks others protocols (even if i have found this feature a bit buggy) but doesn't have SPI.
     
  12. controler

    controler Guest

    This is the SPI my router has bult in internaly besides web filtering. IP filtering, Im blocking ect.

    Security Level
    Services Table
    The following information is related to the Firewall options (High,Medium, and
    Low) in the “Advanced Services” chapter of this manual (page 35). The types of
    services and their respective ports are listed in the two right-hand columns; the
    “In” column details if a particular service can be accessed by a user outside of the
    network; and the “Out” column informs whether a computer on the Gateway’s
    network can access a particular incoming service.
    For example, in the “High Security Level” section below, the http service uses port
    80. Since no is listed in the In column, a user outside the Gateway’s network cannot
    access a computer on the network via the http service; in this case, no computers
    on the network can be used as a Web server (i.e., hosting a Web site accessible
    to outside users). However, since yes is listed in the Out column, all computers on
    the Gateway’s network can access the Internet via the http port.
    If Basic Security is selected in the “Firewall” screen, firewall filtering is based on the
    basic NAT firewall.
    ☞ Note: This stateful packet inspection firewall is based on the
    Globespan-Virata implementation and specification for release 8.2.
    High Security Level
    Service Port In Out
    http 80 no yes
    dns 53 no yes
    ftp 21 no no
    telnet 23 no yes
    smtp 25 no yes
    pop3 110 no yes
    nntp 119 no no
    real audio/video 7070 no yes
    icmp n/a no yes
    H.323 1720 no no
    T.120 1503 no no
    SSH 22 no no
    F
    108
    Actiontec Wireless-Ready DSL Gateway User Manual
    Medium Security Level
    Service Port In Out
    http 80 no yes
    dns 53 no yes
    ftp 21 no yes
    telnet 23 no yes
    smtp 25 no yes
    pop3 110 no yes
    nntp 119 no yes
    real audio/video 7070 yes no
    icmp n/a no yes
    H.323 1720 no yes
    T.120 1503 no yes
    SSH 22 no yes
    Low Security Level
    Service Port In Out
    http 80 no yes
    dns 53 yes yes
    ftp 21 no yes
    telnet 23 no yes
    smtp 25 no yes
    pop3 110 no yes
    nntp 119 no yes
    real audio/video 7070 yes no
    icmp n/a yes yes
    H.323 1720 yes yes
    T.120 1503 yes yes
    SSH 22 yes yes
    Basic Security Level
    NAT (Network Address Translation) only.
     
  13. mraka

    mraka Guest

    Sygate does do SPI along with blocking other protocol drivers. It must be transparent like the "stealth" though. From the help file:

    Does the Firewall do Stateful Packet Inspection?

    Yes, the Personal Firewall does Stateful Packet Inspection on every Remote TCP connection. The Personal Firewall also uses an algorithm to check Remote UDP and DHCP traffic to make sure that the communication is secure.
     
  14. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    About SPI, there isn't any standard if i am not wrong so each vendor can implement it as it want.

    For Sygate, i didn't know, i didn't test network filtering apart of others protocols.

    In any case, for the SPI, the only one i know is the best is provided by NetFilter, the Linux core firewall, with a degree of customization (not automatic) unseen in any personal firewall, so i doubt Sygate has _the_ SPI of NetFilter :)
    (in your help quote i don't see SPI for other protocol, such as ICMP quite common)

    As controler shows, you can define the SPI to handle only particular traffic, but may be it's easier to allow/disallow what you want, and then apply SPI to all which is allowed, in the Linux Firewall howto it isn't adviced to do filtering with the SPI (people also tell me that in the netfilter mailing list).

    SPI is good, but is useless against outbound leaks, so keep installing personal firewall (software) even if you have a router, you must control applications accessing the Internet to be safe.
     
  15. controler

    controler Guest

    I just wanted to remind everyone the last post I made was of my routers SPI firewall. There is really no tweaking other then the level settings. Any level setting above basic will not allow an IM chat programs to act as servers. Along with the routers built in firewall, I keep Windows Xp Pros firewall enabled. I also am using Look & Stop
    on this test machine. So far I haven't noticed any conflicts.
    The bad news is that the wireless features of my firewall are WEP.
    The router allows both hard wire and wireless LAN's.
    On top of this I am using KAV's 5.0 Beta and Bo Clean.
    Then Spyware Blaster and Guard, Anti-Keylogger and to top it off
    Ad Aware.
     
  16. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Hello Everyone, And thank you to everyone who posted a reply,

    To whomever said that I am crude because I cause I asked my question, I will say you brought up some valid points, but may I ask that the next time you call me crude would you at least call me 'Crude, but effective'? My intention was to call attention to this issue, and find out if the situation was as bad as it appeared to me. Perhaps I cannot stress strongly enough my ignorance, though it always seems to get covered, somehow. I interpreted the article to assert to say that, even if one were to block all incoming traffic with a software firewall, it would be possible for someone to write code that would essentially go around it and neutralize it from the inside. (What you might call 'a stealth trojan'). In this imagined scenario of mine, the admittedly handy ability to block outbound packets becomes moot. As for the statefulness of this packet or that, or stacks, or cues, or protocols, i really don't know.

    I maybe should appologize to the moderators of this forum if anybody thought i was implying that they would be fielding firewall questions if they knew firewalls to be completely worthless. I hope that they know i would not do that.

    And actually, you were right to point out that i glossed over the outbound blocking that helps keep rogue processes from casually calling the mothership. Especially, since my firewall has done a very good job at this. (How soon we forget)

    The fact is, I just didn't seeing anyone discussing this issue and it confused me.

    One last thing, a tip for very very low level firewall users only!

    DO NOT READ BEYOND THIS LINE IF YOU ARE AN EXPERT:
    ------------------------------------------------------------------------------------------

    Okay, for the rest of us, you know that obnoxious flashing firewall
    warning in your tray that wont stop flashing every few minutes. Here
    is the fix: Put a little piece of tape over it! Problem Solved!!!

    -HandsOff!
     
  17. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey HandsOff

    Actually I should apologize; apparently the question-mark didn’t register to me at that time. Asking questions, seeking answers on the board is the whole point. ;)
     
  18. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    no need to apologize, you have asked _if_ it was faire to say... so we have answered you that no :)
     
  19. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Dear Mr. ' ', May I call you Phantom,

    No apologies ever need be made, you let people know where you stand. Thats better than the alternative.

    ===============================================

    "...Justine never knew the rules,
    Hung down with the freaks and the ghouls
    No apologies ever need be made, I know you better than you fake it
    To see that we don't even care to shake these zipper blues
    And we don't know just where our bones will rest
    To dust I guess
    Forgotten and absorbed into the earth below"

    -from the song "1979" by The Smashing Pumpkins
     
  20. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
Loading...
Thread Status:
Not open for further replies.