Is Matousec a good reference for firewalls??

Discussion in 'other firewalls' started by nomarjr3, Aug 6, 2008.

Thread Status:
Not open for further replies.
  1. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    I'm not sure, but I think they're pretty biased to the other vendors.
    Their leak tests include HIPS which are not a standard in most pure firewalls.

    What do you guys think?
    Should we trust every recommended firewall by Matousec??
     
  2. Pseudo

    Pseudo Registered Member

    Joined:
    May 4, 2008
    Posts:
    193
    Sure, you can trust them. That doesn't necessarily mean it fits your wants/needs or is the best, though.
     
  3. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,812

    Trust none of the site recommendations. Try all. Find what fits you and your needs. Vendor versions of a firewall can be very mild to very extreme. Some say they should include HIPS, some say not to. It is all on personal choice; trust no one that tells you they're the best. Try it yourself and find out if it fits your needs.
     
  4. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    You can trust every particular test result; there is no cheating. But the rating itself is very, very specific: it reflects only Matousec's point of view on what a modern firewall is and should be. Generally he only values the firewalls that are provided with powerful HIPS and disregards pure packet filters completely.
     
  5. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    That website doesn't really test what a firewall must do.
    It's rather a HIPS & firewall test. ;)
     
  6. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
  7. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    The problem is nobody knows for sure what a firewall must do :)

    What does Wiki tell about it:
    https://www.wilderssecurity.com/showpost.php?p=1294982

    ===
    First generation - packet filters

    The first paper published on firewall technology was in 1988, when engineers from Digital Equipment Corporation (DEC) developed filter systems known as packet filter firewalls. This fairly basic system was the first generation of what would become a highly evolved and technical internet security feature. At AT&T Bell Labs, Bill Cheswick and Steve Bellovin were continuing their research in packet filtering and developed a working model for their own company based upon their original first generation architecture.

    Packet filters act by inspecting the "packets" which represent the basic unit of data transfer between computers on the Internet. If a packet matches the packet filter's set of rules, the packet filter will drop (silently discard) the packet, or reject it (discard it, and send "error responses" to the source).

    This type of packet filtering pays no attention to whether a packet is part of an existing stream of traffic (it stores no information on connection "state"). Instead, it filters each packet based only on information contained in the packet itself (most commonly using a combination of the packet's source and destination address, its protocol, and, for TCP and UDP traffic, which comprises most internet communication, the port number).

    Because TCP and UDP traffic by convention uses well known ports for particular types of traffic, a "stateless" packet filter can distinguish between, and thus control, those types of traffic (such as web browsing, remote printing, email transmission, file transfer), unless the machines on each side of the packet filter are both using the same non-standard ports.

    Second generation - "stateful" filters
    Main article: stateful firewall

    From 1980-1990 three colleagues from AT&T Bell Laboratories, Dave Presetto, Janardan Sharma, and Kshitij Nigam developed the second generation of firewalls, calling them circuit level firewalls.

    Second Generation firewalls in addition regard placement of each individual packet within the packet series. This technology is generally referred to as a stateful firewall as it maintains records of all connections passing through the firewall and is able to determine whether a packet is either the start of a new connection, a part of an existing connection, or is an invalid packet. Though there is still a set of static rules in such a firewall, the state of a connection can in itself be one of the criteria which trigger specific rules.

    This type of firewall can help prevent attacks which exploit existing connections, or certain Denial-of-service attacks.

    Third generation - application layer
    Main article: application layer firewall

    Publications by Gene Spafford of Purdue University, Bill Cheswick at AT&T Laboratories, and Marcus Ranum described a third generation firewall known as an application layer firewall, also known as a proxy-based firewall. Marcus Ranum's work on the technology spearheaded the creation of the first commercial product. The product was released by DEC who named it the DEC SEAL product. DEC’s first major sale was on June 13, 1991 to a chemical company based on the East Coast of the USA.

    The key benefit of application layer filtering is that it can "understand" certain applications and protocols (such as File Transfer Protocol, DNS, or web browsing), and it can detect whether an unwanted protocol is being sneaked through on a non-standard port or whether a protocol is being abused in a known harmful way.

    Subsequent developments

    In 1992, Bob Braden and Annette DeSchon at the University of Southern California (USC) were refining the concept of a firewall. The product known as "Visas" was the first system to have a visual integration interface with colours and icons, which could be easily implemented to and accessed on a computer operating system such as Microsoft's Windows or Apple's MacOS. In 1994 an Israeli company called Check Point Software Technologies built this into readily available software known as FireWall-1.

    The existing deep packet inspection functionality of modern firewalls can be shared by Intrusion-prevention systems (IPS).

    Currently, the Middlebox Communication Working Group of the Internet Engineering Task Force (IETF) is working on standardizing protocols for managing firewalls and other middleboxes.
     
  8. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    That's why I say: these are HIPS tests, not Firewall tests.

    Avira has apparently decided to go against Matousec and labels many tests as malware.

    ssts\bin\Level 1\perftcp.exe TR/Spy.Gen
    ssts\bin\Level 2\awft1.exe TR/Small.61952.A
    ssts\bin\Level 3\awft3.exe TR/Small.61440.G
    ssts\bin\Level 3\awft4.exe TR/Small.62464.A
    ssts\bin\Level 3\dnstester.exe TR/Proxy.Gen
    ssts\bin\Level 3\kill4.exe TR/Hijacker.Gen
    ssts\bin\Level 3\kill7.exe TR/Hijacker.Gen
    ssts\bin\Level 3\killdll.dll HEUR/Malware
    ssts\bin\Level 3\thermite.exe TR/Small.61440.F
    ssts\bin\Level 4\cpil.exe TR/Small.61952
    ssts\bin\Level 4\cpilsuite1.exe TR/Small.68096
    ssts\bin\Level 5\crash1.exe TR/Hijacker.Gen
    ssts\bin\Level 6\keylog3.exe HEUR/Malware
    ssts\bin\Level 6\keylog4.exe HEUR/Malware
    ssts\bin\Level 6\killdll.dll HEUR/Malware
    ssts\bin\Level 6\runner.exe HEUR/Malware

    If a test is deleted before execution, the firewall doesn't leak anymore. :cool:

    Cheers
     
  9. Ghost_ARCHER

    Ghost_ARCHER Registered Member

    Joined:
    Jan 21, 2007
    Posts:
    62
    It is better than nothing to refer. And it is almost impossible to try everything by yourself.

    Of course, all the scores have some artificial factor -- say, why do they give 125 points instead of 30 points on some that failed in default but passed in the most secure mode? There are lots of objective decisions inside.

    And they provide a relatively complete collection of firewalls


    And I have a question: is a combination of separate functional security components better, or an internet security package? What I mean is in principle, in speed, efficiency, size, flexibility, resource consumption...... Nowadays almost all the free stuff is partially functional; I want to pay nothing and get "better" protected.
    E.g.
    Webroot firewall + Process Guard + AntiVir AV + SuperAntiSpyware + Ad-Aware Free......
     
  10. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Test? What about real malware your AV misses?

    Leaktests are certainly not completely useless. As with any test, you would need to have the necessary knowledge to interpret them correctly.
     
  11. wat0114

    wat0114 Guest

    True, and he explains this in History and introduction

    Matousec briefly explains his take on packet filters in the same link:

    For those who adhere to the same beliefs as Matousec on what a personal firewall should be, his site is a great reference.

    Personally, though I'd say his testing methodology has some merit, it is not without flaws.
     
    Last edited by a moderator: Aug 7, 2008
  12. munckman

    munckman Registered Member

    Joined:
    May 2, 2002
    Posts:
    100
    I cannot disagree with much of what has been stated; I'm subjective. I strongly agree with what alex_s has put forth:
    This sums Matousec's tests and recommendations pretty well imho.
     
  13. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    Don't forget the deep inspection, deep packet inspection, deep stateful inspection (DSI), stateful packet inspection (SPI), and proxy firewalls ! :D
     
  14. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    Trying 'everything' would be unwise, unless you have a good imaging system in place. And of course, there is the question IF you are able to correctly test those firewalls. While a crashing firewall is obvious, proper (whatever that is) inbound inspection/protection is a lot harder to test.

    I personally recommend a firewall that has very good inbound protection, is able to handle certain types of attacks (like a WinNuke attack), including the ability to properly handle a network or wireless connection, that is reasonably simple to set up, and that has basic outbound protection (not leaktest-proof).

    Please tell me if you have found one for Windows XP that is not expensive ! :D

    Of course, HIPS features or a full HIPS is not bad either if that's what you want.

    Btw, has the 'memory leak' in the Webroot firewall been resolved ? I suspect it's still there.
     
  15. Ghost_ARCHER

    Ghost_ARCHER Registered Member

    Joined:
    Jan 21, 2007
    Posts:
    62

    Thanks Fly for your reply.

    The Webroot thing is a random example. Most of the listed software I have never tried. Webroot firewall is a totally new concept to me :D . So I don't know if it still doesn't free memory. My personal set up now is based on KIS or KIS/OnlineArmorFree, and Jetico/AVS, Jetico AVG, Sygate Avast; I also use WinPatrol or TeaTimer on some machines --- the problem with running separate software is that it might be really slow to start on a slow machine --- I have at least 3, and some realtime scanning AV always makes the computer even slower.

    My dream free defense was a lightweight firewall, super light HIPS to some extent or simply watching programs, with AV on command. However, things have to change because the computer gets faster and has more resources to waste; on the other hand, every provider wants to combine several techs to make their product look stronger in 3rd party tests. And some freeware is not free anymore for 64 bit and Vista.......

    Still watching.
     