Pure firewalls list

Discussion in 'other firewalls' started by kareldjag, Jul 10, 2011.

Thread Status:
Not open for further replies.
  1. guest

    guest Guest

  2. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    I've forgotten Routix, which I linked a few months ago, and ReaSoft Network Firewall:
    http://www.routix.net/netcom/ (paid, and free with limited rules)
    http://www.reasoft.com/products/networkfirewall/ (paid)

    The more HIPS features a firewall integrates, the higher the probability of incompatibilities with third-party software (when serial hookers meet serial hookers they often make a baby called BSOD :) ).
    Moreover, it is not a good idea to put all one's security in an all-in-one security suite: a simple vulnerability in the driver, for instance, and all the security can be compromised.
    Users who are looking for a special and personal combo often have good reasons.

    I've not tried FK personal firewall, but of course it has its place on this list.
    LnS is without doubt one of the top 3 best values for money for a personal firewall, and I've often played with it in the past.
    It has interesting packet filter rule abilities, but at the same time it integrates a behavioural engine that, as far as I am concerned, does not permit including it in the list of pure packet filter firewalls (if phantom can read French, there is a good overview of LnS vs. leaktests here: http://www.tdeig.ch/windows/contournement_pfw.pdf ).

    But except for 2, 3 or 4 of them, these pure firewalls are quite old, and have not been updated to follow the evolution of the OSI model and the sophistication of insecurity (automated evasion techniques and co).

    Like system expert HIPS (SSM, NeoVaGuard etc), their number will certainly be more and more limited in the future, as average users want maximum security with the minimum of effort.
    Rgds
     
  3. datarishik

    datarishik Registered Member

    Joined:
    May 11, 2010
    Posts:
    182
    Hi kareldjag,

    Can I try Routix with Privatefirewall installed, or might it break things? Thanks. I have been reading all your posts and have learnt a lot. :)
     
    Last edited: Jul 14, 2011
  4. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Look ‘n’ Stop's packet filter is an independent layer; you don’t need to have the Application filtering layer enabled, and you don’t need to enable the DLL and Protocol filtering protections ... so I’m confused why Look ‘n’ Stop is being blacklisted?
     
  5. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    Not blacklisted here. Actually, LnS is my current and preferred Pure Firewall. :D
     
  6. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    It wasn't "black listed". Merely it was suggested that its behavior analysis properties warrant its exclusion from a list of pure firewalls.

    However, my concern with LnS is that it seems that its proponent is no longer on the job. I appreciate that you & Stem are highly skilled in answering technical questions about LnS. However, the fact remains that LnS is a 1-man program & its proponent is a long-time absentee. Such being the case I hesitate to recommend purchase of LnS.
     
  7. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    I know it's not blacklisted; I was exaggerating to express the degree of emotion I’m feeling about Look ‘n’ Stop not being included on the list.

    My apologies, I seem to have lost track here: when did the concerns about Look 'n’ Stop's development status become a factor in this list?

    I’m arguing against the idea that some people think Look ‘n’ Stop isn’t a pure firewall. I’ll give that Look ‘n’ Stop has additional layers besides just the packet filter, but the Application Filtering layer can be disabled easily, and the other protections don’t need to be activated. You don’t even need to keep the Look ‘n’ Stop application running in order for it to continue to packet filter.

    The independent NDIS packet filter makes Look 'n’ Stop a 'pure firewall’. Maybe you should change the title to something like ‘Solely NDIS packet-filtering firewalls’; then I could understand that the reason for exclusion would be the mere fact that it’s more than just an NDIS packet-filtering firewall. ;)
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I could understand if the firewall was in need of an update. But the firewall is already compatible with win7-64 and does fully filter IPV6.


    - Stem
     
  9. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Phant0m/Stem

    Hi Stem and Phantom, I have been meaning to ask you guys this for a while. Unless a sophisticated hacker knows your public IP address and is trying to hack into your PC, what is the actual benefit of using a pure firewall and filtering the above rules 1-7 that you have mentioned here? It's not like a pure firewall with packet filtering is going to block incoming malware and block it from self-executing. I'm not saying that packet filtering isn't a good idea, but what does it achieve in real life?

    Even if a hacker was trying to get into your PC, wouldn't they have to first get past your router? Most routers these days have SPI denying all unrequested packets.

    And even if they got past your router, they wouldn't be able to plant any malware on our PCs to gain remote access, because most of us here have anti-executable software.
     
  10. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Please do not forget that some computers are not bolted down to the floor in your house and behind a router. Think also of laptops traveling wild servers or wild home networks. Perhaps it's irrelevant to this thread. I'm not sure really.

    OT: post #76 - Comodo requires three separate windows or tabs to make one rule?? Ouch.
     
    Last edited: Jul 17, 2011
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Router, who mentioned a router?

    NAT will prevent unsolicited inbound to a closed port. SPI is an implementation to mainly control replies to outbound requests. The routers I have looked at (I do use them behind my gateway, but not as a gateway) only have a limited SPI, and do not filter out replies with (for simple example) Invalid flagged TCP packets.

    I remember asking a question on a firewall vendor's forum concerning filtering out inbound Invalid TCP flagged packets. The replies I got were stating it was Microsoft's duty to harden the TCP/IP stack to block/control those. My reply, stating that Microsoft already do that with the inbuilt Windows firewall, did not really make an impact. If Microsoft block them in their own firewall, and 3rd party vendors are replacing that firewall, should they not at least provide equal or better filtering?

    - Stem
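
Added example, not part of Stem's post: a header-only check for the kind of invalid TCP flag combinations discussed above, written as a stateless filter over raw TCP headers. The flag rules, function names and sample headers are constructed for illustration and are not taken from any firewall mentioned in the thread.

```python
import struct

# TCP flag bits, held in byte 13 of the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def tcp_flags(segment: bytes) -> int:
    """Return the six classic flag bits of a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13] & 0x3F

def invalid_flag_reason(flags: int):
    """Name the reason a flag set is never valid, or return None if plausible."""
    if flags == 0:
        return "null packet (no flags)"
    if flags & SYN and flags & FIN:
        return "SYN+FIN"
    if flags & SYN and flags & RST:
        return "SYN+RST"
    if flags & FIN and flags & RST:
        return "FIN+RST"
    if not flags & (SYN | RST | ACK):
        return "FIN/PSH/URG without ACK"
    return None

def make_header(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed 20-byte TCP header for the demo (checksum left at 0)."""
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 8192, 0, 0)

def filter_inbound(segments):
    """Return a (verdict, reason) pair per segment, header-only, no state."""
    out = []
    for seg in segments:
        reason = invalid_flag_reason(tcp_flags(seg))
        out.append(("DROP", reason) if reason else ("PASS", None))
    return out

# Constructed sample flag sets, valid and invalid mixed.
SAMPLES = [make_header(f) for f in
           (SYN, SYN | ACK, ACK | PSH, 0, SYN | FIN, FIN | PSH | URG, RST)]

if __name__ == "__main__":
    for seg, (verdict, reason) in zip(SAMPLES, filter_inbound(SAMPLES)):
        print(f"flags=0x{tcp_flags(seg):02x} {verdict} {reason or ''}")
```

A segment that passes this check still has to match connection state (an unsolicited SYN+ACK has valid flags but no matching outbound SYN), which is the SPI part of the job.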
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Another possible problem with such a setup with a router.
    Let's say someone is connected to a large untrusted LAN. Does the router block ARP spoofed requests that can be used to redirect all the comms from the router through a 3rd party?
    Would your answer be the same as I have had before, in that it is for the manager of the LAN to control that?


    - Stem
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re:- L`n`S

    What behavior analysis?


    - Stem
     
  14. LODBROK

    LODBROK Guest

    Speaking of rules and logs and all that... We are speaking of that, right?

    While the 32-bit only Malware Defender has its distraction on the network side of things (well discussed in other threads here) it still has IMHO the bestest ever granularity of any app I've ever seen...

    The Edit Network Rule dialogue is available and active for any app or service, even if flagged as Trusted. Permissions are Ask, Permit, Block and Ignore - highly granular. Some pretty restrictive outbound rules can be built and will alert to those interesting outbound requests to servers that don't whois on ports like 45621 while you're browsing wallpaper sites or news content in... well, those countries. And even if some non-80/443 outbounds are benign (i.e. Amazon's 843 and Macromedia's 1935) I'd still like to decide if I want VideeOhDudez dot com a 1935 or not.

    Judging by those screen shots of Comodo, there might be a 64 bit solution for me when this XP box gives up the spirit and I have to go Windows 7. (Yes, I know Win7 is 32 also, but mainstream off-the-shelf systems are for all intents and purposes nonexistent.)

    Regards.
     

    Attached Files: ws3.jpg (70.3 KB), ws.jpg (240.4 KB)
    Last edited by a moderator: Jul 17, 2011
  15. LODBROK

    LODBROK Guest

    Speaking of Comodo... We are speaking of that, right?

    Does it still install that un-disableable whitelist of some 5000 "trusted" vendors?
     
  16. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Sorry. NO behavior analysis in LnS. I misread another post. :oops:
     
  17. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    In fact my post comes 3 or 4 years too late!
    Most Internet boxes act as a router, but a serious router (with IPS integration) often costs as much as a second PC/laptop!
    The major part of infections are client/server side via port 80: a highly skilled attacker will not send you TCP/UDP/ICMP, find open ports and OS version, and then launch an exploit with CANVAS or Metasploit in order to get a shell on your host!
    There are much more interesting targets (OBAMA, SARKOZY or MURDOCK!) and ways to make evil money than the average user!
    As everything comes from port 80, and as this port is necessary for surfing, I see no reason to give firewalls more importance than they really have.
    There are fanboys for firewalls, antivirus and HIPS, and this is the full "Software as Security" religion that should be demystified: since I experiment with security software with an ethical hacker's mind and goal (defeat them), this is evident here.
    For my part, a protocol analyzer appears more important, for instance for detecting a stealth backdoor that comes bound and crypted in a trusted installer file (the TEREDO interface is listed by any serious sniffer).

    @phantom: hopefully LnS is an NDIS based firewall ( http://msdn.microsoft.com/en-us/windows/hardware/gg463267.aspx ). NDIS hooks/patching is much more effective than simple TDI hooks (colander-like filtering against professional malware), but whether application filtering is enabled or not, does it change something on its hooks?
    But this deeper level of filtering in any serious firewall is not a problem for sophisticated malware like some MBR rootkits: they have their own TCP/IP stack, and to be stealthier against HIPS and firewalls they do not use the whole NDIS driver but only the part of the code they need; and they use tunneling and/or encrypted peer-to-peer channels to bypass firewalls.
    Regarding LnS's place on this list, it is still quite subjective of course, and it's up to you to post your own nomenclature/classification of firewalls :) .

    @datarishik: euh... one of my goals was to show possible redundancies and heresies in some software combinations! And this is the case with Routix and Private firewall!
    Then regarding incompatibility issues, I don't know, as installing two firewalls on a system has never come to my mind.

    Rgds
     
  18. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Well if you don’t believe me, rename the lnsfw1.sys driver which is for TDI filtering, leave just the NDIS driver (lnsfw.sys) and re-boot the computer. Look 'n' Stop application on next start will complain about the missing driver, but the packet filtering still works.
     
  19. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    I don’t like full application filtering based products, I don’t like just the mere TDI filtering, it has to have kernel level NDIS filtering. Look ‘n’ Stop works as described here - http://www.giesa.altervista.org/openfirewall/tech.php (for OpenFirewall)
     
  20. pabrate

    pabrate Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    685
    Comodo covers that area :

    http://help.comodo.com/uploads/Comodo%20Internet%20Security/f22f1d2263be13642a744c6a1a3b5e2d/5eac818f1e1c4adc19d335055b06586b/55ed1ca139411e937754c09013a0f5b5/advanced.png

    http://help.comodo.com/topic-72-1-170-1732-Advanced-Settings.html
     
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi arran,

    That [the rules] was just a quick list off the top of my head, only some of the possible filtering abilities that, unfortunately, most firewalls do not contain.

    I am not putting forward a need for a pure packet filter firewall. I am more interested in what packet filtering a firewall performs, be it a stand-alone packet filter, or a packet filter contained within a suite. Although I do prefer to be able to have the option of what packet filter I have, what hips I have etc, rather than having a single application protecting my setup.


    It depends on what the packet filter is actually filtering. Most firewalls are quite simplistic, with a filter only on common (TCP/UDP/ICMP) protocols. Even the more sophisticated packet filters will only be filtering the header of the packet, not the contents (where malware can be placed). For filtering for contained malware, you need to look at DPI (Deep Packet Inspection) firewalls that filter/search the packet's contents. For example, how do you think web AV scanners work? That is a filter of the HTTP stream over TCP.

    My own personal concern with a firewall is its ability to check/confirm replies to my outbound requests. For a simple example, I want my DNS (UDP) replies to be checked to the lowest level they can be, that is, for the reply to have its ID number confirmed (along with all other relevant info) to help prevent a spoofed reply. Now I know some may put forward that DNS spoofed replies do not happen, but how would they know without checking?
    Why, for example, do users use an AV? Is it because they know they will be infected, or is it due to the possibility of being infected?


    - Stem
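
Added example, not part of Stem's post: one way a filter can confirm a UDP DNS reply against the outbound query it answers, matching the server address, the client port, the transaction ID and the echoed question. The class and helper names are hypothetical, and the messages are constructed minimal A/IN queries, not captured traffic.

```python
import struct

class DnsReplyChecker:
    """Tracks outstanding UDP DNS queries and accepts only matching replies."""
    def __init__(self):
        self.pending = {}  # (server_ip, client_port, txid) -> question bytes

    @staticmethod
    def _parse(msg: bytes):
        """Return (txid, is_response, qdcount, question) from a DNS message."""
        if len(msg) < 12:
            raise ValueError("truncated DNS header")
        txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
        pos = 12
        while msg[pos] != 0:          # walk the QNAME labels
            pos += msg[pos] + 1
        return txid, bool(flags & 0x8000), qdcount, msg[12:pos + 5]

    def note_query(self, server_ip, client_port, msg):
        """Record an outbound query so its reply can be confirmed later."""
        txid, is_resp, qd, question = self._parse(msg)
        if is_resp or qd != 1:
            raise ValueError("not a single-question query")
        self.pending[(server_ip, client_port, txid)] = question

    def check_reply(self, src_ip, src_port, dst_port, msg):
        """Return (accepted, reason); an accepted reply consumes its query."""
        try:
            txid, is_resp, qd, question = self._parse(msg)
        except (ValueError, IndexError):
            return False, "malformed"
        if not is_resp or src_port != 53 or qd != 1:
            return False, "not a single-question response from port 53"
        key = (src_ip, dst_port, txid)
        if key not in self.pending:
            return False, "no pending query for this server/port/ID"
        if self.pending[key] != question:
            return False, "question mismatch"
        del self.pending[key]
        return True, "ok"

def build_dns(txid, name, response=False):
    """Constructed minimal DNS message (one A/IN question, no answers)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
    flags = 0x8180 if response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
```

Call `note_query()` for each outbound query and `check_reply()` for each inbound UDP packet from port 53; every rejected reply is worth logging, since that log is what answers "how would they know without checking?".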
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK

    No problem my friend.

    I have been having a look at FK firewall, but have been getting unpredictable results. It may be the firewall is buggy, or it may not like the current setup (I installed it onto a laptop as I had no spare PC available). I will need to find time to set up the firewall on a different box to re-test.


    Regards,

    - Stem
     
    Last edited: Jul 18, 2011
  23. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I look forward to it! :)
     
  24. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    It sure does! Every single one of them "trusted".
     
  25. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    I start by setting it up to block everything, then I start one by one allowing certain apps to certain ports.
     