Jetico 2: SPI & ARP SPI effectiveness?

Discussion in 'other firewalls' started by wat0114, Oct 22, 2007.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Guest

    There is concern expressed in the official forum about the effectiveness of these two areas in Jetico 2. Does anyone know if these are as strong as they should/could be?
     
  2. wat0114

    wat0114 Guest

    Never mind, I got my query answered in the Jetico forum :)
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello wat0114,

    I did request an ARP SPI, but I am still waiting for this. The implementation made is very basic, and as far as I am concerned does not give the protection needed. I can easily DOS a PC on LAN via ARP that is protected by Jetico2.

    Jetico have introduced what they say is an ARP SPI that is said to block unsolicited replies. I have not actually tested to see if it does this, as I do not use an ARP reply to DOS, I use an ARP request (as with most of the tools that are available to do this). As I have put forward a number of times, the only way to actually block this type of DOS is to be able to bind the gateway IP with its MAC address (so that inbound ARP (uni-cast frame) requests with incorrect binding of gateway IP with non-existent MAC address are blocked).
     
  4. wat0114

    wat0114 Guest

    Thank you for the clarification Stem! I had a feeling this was not quite up to snuff with Jetico 2, based on what was reported in the Jetico forum. I'm not on a home or business LAN, but I believe my ISP, Shaw, does arrange their customers into LAN segments, so proper ARP SPI would certainly play an important role here. However, I'm behind a router so I do not really worry too much about this, plus I'm under the impression DOS attacks are most likely geared towards business servers. In the end, hopefully the developer, NAIL, will bolster this feature, though just like so many other firewall developers he seems preoccupied with hardening it towards leaktests.

    Anyways, I like J2 tremendously and bought a license the other day. I have the configuration file whittled down to <100 kB, so I figure it's processing rules quite efficiently now :)
     
  5. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    JPF 2.0.0.37 allows ARP opcode, src/dst IP checking. It also limits incoming ARP requests rate.
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Tommy,
    I have just seen the new build. There is no mention about "limits incoming ARP request rate". If there is any such "limiting" then I hope this can be changed by the user.

    I will install later to test this.
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    This update (.37) does now allow me to create rules to filter out the attempted DOS via ARP.
     
  8. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    I will check this later and also ask Nail. Still running Build 36.
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Tommy,
    Do check. I have done this and find from the default rule that a DOS via ARP is still possible. Simply try "Netcut".
    There is a need to apply rules to filter. This I do find acceptable, as packet filter is made, so such as "netcut" cannot DOS. But, I do find the term "ARP SPI" confusing when applied to this within Jetico.
    As example:-
    I would expect that I could place a rule to allow outbound ARP to Broadcast/Gateway, any reply allowed based on this, but there is a need to create rules to allow the replies.

    Don't get me wrong... this implementation is good for me. I can block DOS attacks via ARP (so can set rules for others I support).
    As example:-
    I have set rules to allow outbound/inbound ARP based on my gateway, I also allow mapping so connections can be made over the LAN. But still the attempt of DOS is blocked due to rules in place.

    Here is an attempt from "Netcut" to DOS my PC. You will see the attempt to bind my gateway IP to a non-existent MAC address (these are the blocked "Not processed protocol"). The gateway being 192.168.1.1, none of the MAC addresses shown are correct.

    [Attached screenshot: ARP block.jpg]

    This is good for me. I know of no other firewall that can do this correctly (I still need to check Look 'n' Stop on this).
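    To make the two points in this thread concrete (Stem's post #3: block inbound ARP requests that bind the gateway IP to a MAC other than the gateway's; post #9: allow replies only for requests the host actually sent, rather than treating the filter as "SPI" by name alone), here is an added example of an ARP packet filter with a pinned gateway binding and a pending-request table. It is illustrative code written for this thread, not Jetico's implementation or anything posted by Stem or Tommy. The gateway IP 192.168.1.1 comes from the thread; the gateway MAC, the host's own MAC/IP and the four sample frames are constructed values.

```python
"""Stateful ARP inspection with a pinned gateway IP-to-MAC binding.

Added example (not Jetico code). Gateway IP 192.168.1.1 is from the
thread; GATEWAY_MAC, MY_MAC, MY_IP and all frames below are constructed.
"""
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

GATEWAY_IP = "192.168.1.1"            # from the thread
GATEWAY_MAC = "00:11:22:33:44:55"     # assumed pinned binding
MY_MAC, MY_IP = "aa:bb:cc:dd:ee:01", "192.168.1.20"   # assumed host


@dataclass(frozen=True)
class ArpFrame:
    eth_dst: str
    eth_src: str
    oper: int
    sha: str   # sender hardware (MAC) address
    spa: str   # sender protocol (IPv4) address
    tha: str   # target hardware address
    tpa: str   # target protocol address


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> ArpFrame:
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP (42 bytes)."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(_mac(eth_dst), _mac(eth_src), oper,
                    _mac(sha), _ip(spa), _mac(tha), _ip(tpa))


def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa) -> bytes:
    """Construct a raw ARP frame (used here only to build sample input)."""
    def mac(s): return bytes.fromhex(s.replace(":", ""))
    def ip(s): return bytes(int(o) for o in s.split("."))
    return (mac(eth_dst) + mac(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))


class ArpInspector:
    """Gateway binding check plus request/reply state, as the thread asks for."""

    def __init__(self, gateway_ip: str, gateway_mac: str):
        self.gateway_ip = gateway_ip
        self.gateway_mac = gateway_mac.lower()
        self.pending: set[str] = set()   # IPs we asked about, awaiting a reply

    def outbound(self, arp: ArpFrame) -> str:
        if arp.oper == OP_REQUEST:
            self.pending.add(arp.tpa)    # remember who we asked
        return "allow"

    def inbound(self, arp: ArpFrame) -> str:
        if arp.oper not in (OP_REQUEST, OP_REPLY):
            return "block: unknown ARP opcode"
        if arp.eth_src != arp.sha:
            return "block: Ethernet source and ARP sender MAC differ"
        # The Netcut-style case: gateway IP paired with a MAC that is not the
        # gateway's, in a request or a reply, would poison the ARP cache.
        if arp.spa == self.gateway_ip and arp.sha != self.gateway_mac:
            return f"block: gateway {self.gateway_ip} claimed by {arp.sha}"
        if arp.oper == OP_REPLY:
            if arp.spa not in self.pending:
                return "block: unsolicited ARP reply"
            self.pending.discard(arp.spa)
        return "allow"


def run_demo() -> list[str]:
    """Run four constructed frames through the inspector; return the verdicts."""
    insp = ArpInspector(GATEWAY_IP, GATEWAY_MAC)
    fake = "de:ad:be:ef:00:01"
    peer_ip, peer_mac = "192.168.1.50", "02:00:00:00:00:50"
    legit = build_arp(BROADCAST, GATEWAY_MAC, OP_REQUEST, GATEWAY_MAC, GATEWAY_IP, "00:00:00:00:00:00", MY_IP)
    spoof = build_arp(MY_MAC, fake, OP_REQUEST, fake, GATEWAY_IP, MY_MAC, MY_IP)   # unicast request
    unsolicited = build_arp(MY_MAC, peer_mac, OP_REPLY, peer_mac, peer_ip, MY_MAC, MY_IP)
    verdicts = [insp.inbound(parse_arp(legit)), insp.inbound(parse_arp(spoof)),
                insp.inbound(parse_arp(unsolicited))]
    insp.outbound(parse_arp(build_arp(BROADCAST, MY_MAC, OP_REQUEST, MY_MAC, MY_IP, "00:00:00:00:00:00", peer_ip)))
    verdicts.append(insp.inbound(parse_arp(unsolicited)))   # same reply, now solicited
    return verdicts


if __name__ == "__main__":
    for v in run_demo():
        print(v)
```

    The pinned binding has to be supplied by the user (or learned once from a trusted state), which is exactly why the thread's point about per-rule gateway IP/MAC matching matters: a filter that only checks opcode or rate cannot tell a correct gateway announcement from a forged one.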
     
  10. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Just installed it and can confirm your report. Big advantage for Jetico! :thumb:
     
    Last edited: Oct 25, 2007
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Certainly.

    Now if we can only get Jetico to allow import/export of rulesets (tables), so we can post rulesets for others, (as with jetico1) for simple import.
     
  12. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Agreed, as this would help a lot. I will write again an email to Nail.
     
    Last edited: Oct 25, 2007
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have asked before (2 or 3 times directly), and was told by "Nail" this would be easy to do, due to the way the rules are saved. But am still awaiting this.

    It could certainly help a lot of users, as a "repository" of rulesets could be made.
     
  14. wat0114

    wat0114 Guest

    Thank you Stem and Tommy for sharing your results. It is good to see the developer addresses these (ARP filtering) concerns.
     
  15. lookcity

    lookcity Registered Member

    Joined:
    Oct 22, 2005
    Posts:
    46
    Location:
    China
    Good news. Looking forward to the sharing of the rules. ;)
     