Re:CHX-I Stateful Packet Filter 2.4.1

Discussion in 'other firewalls' started by Patrice, May 22, 2003.

Thread Status:
Not open for further replies.
  1. Patrice

    Patrice Registered Member

    Hi CrazyM,

    this software doesn't look that bad actually! Did you already test it? And did you already test it behind a router? Actually I use Look'n'Stop which has a Stateful Packet Inspection rule included. Pretty happy with that! :D

    Best regards,

    Patrice
     
  2. CrazyM

    CrazyM Firewall Expert

    Hi Patrice

    Had your question moved here for discussion.

    Topic from original post:
     
  3. CrazyM

    CrazyM Firewall Expert

    Hi Patrice

    A little quote from the help file re stateful inspection in CHX-I

    Regards,

    CrazyM
     
  4. Patrice

    Patrice Registered Member

    Hi CrazyM,

    sounds interesting indeed! Sorry that I have posted in the wrong forum, I just realized it afterwards that you shouldn't reply in the Update forum... :p

    I can only talk about the Stateful Packet Inspection of Look'n'Stop. The help file describes it like this:

    'TCP Stateful Packet Inspection': if the option is selected, Look 'n' Stop watches the TCP connections and verifies that all TCP inbound and outbound packets belong to an active connection. If not, an alert is displayed in the log page. If this option is selected an additional button (Connections) is available in the log page to see the active TCP connections.

    I tested this function with several online tests and 'home-made' attacks (Superscan, nmap,...). Quite impressive though! There are quite a lot of packets which are intercepted. But I'm really interested in your tests with this CHX-I. Did you already perform any or do you need to get accustomed to it first? Perhaps Phant0m will join our discussion as well. He might be interested in this tool as well. He tested the TCP Stateful Packet inspection also. ;)

    Best regards,

    Patrice
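
The check the help-file text above describes (every TCP packet must belong to an active connection), as an added example that is not part of the original posts and is not Look'n'Stop's or CHX-I's code. It is a simplified model: only outbound-initiated connections are tracked, sequence numbers and timeouts are not modelled, and the addresses used with it are constructed.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    direction: str      # "out" or "in", relative to the protected host
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset    # TCP flags, e.g. frozenset({"SYN", "ACK"})

def pkt(direction, src, sport, dst, dport, flags):
    """Build a Packet from a space-separated flag string ("" means no flags)."""
    return Packet(direction, src, sport, dst, dport, frozenset(flags.split()))

class TcpStateTable:
    """Tracks connections as (local ip, local port, remote ip, remote port)."""
    def __init__(self):
        self.conns = {}

    def check(self, p):
        """Return True if the packet belongs to a tracked connection."""
        key = ((p.src, p.sport, p.dst, p.dport) if p.direction == "out"
               else (p.dst, p.dport, p.src, p.sport))
        state = self.conns.get(key)
        if state is None:
            # Only a bare outbound SYN may create a new entry.
            if p.direction == "out" and p.flags == {"SYN"}:
                self.conns[key] = "SYN_SENT"
                return True
            return False            # unsolicited: this is what gets logged
        if "RST" in p.flags:        # reset tears the entry down
            del self.conns[key]
            return True
        if state == "SYN_SENT":
            if p.direction == "in" and p.flags == {"SYN", "ACK"}:
                self.conns[key] = "SYNACK_SEEN"
                return True
            return p.direction == "out" and p.flags == {"SYN"}  # SYN retransmit
        if state == "SYNACK_SEEN":
            if p.direction == "out" and p.flags == {"ACK"}:
                self.conns[key] = "ESTABLISHED"
                return True
            return p.direction == "in" and p.flags == {"SYN", "ACK"}
        # ESTABLISHED: every segment carries ACK, so NULL or bare FIN is rejected.
        return "ACK" in p.flags and "SYN" not in p.flags
```
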
     
  5. CrazyM

    CrazyM Firewall Expert

    When initially configuring the rule set I took the router/gateway out of the picture to test it. No problem with the few test sites I went to, stealth all around.

    I saved off the log entries from the pcflank stealth test:

    2003/05/04 21h:40min:33sec, Direction:Incoming, Interface: xx xx xx xx xx xx , Protocol:TCP, Flags: ACK, from IP:195.131.4.164, Port:53551, to IP:142.173.17.132, Port:1, Filter

    2003/05/04 21h:40min:39sec, Direction:Incoming, Interface: xx xx xx xx xx xx , Protocol:TCP, Flags: ACK, from IP:195.131.4.164, Port:53552, to IP:142.173.17.132, Port:1, Filter

    2003/05/04 21h:40min:45sec, Direction:Incoming, Interface: xx xx xx xx xx xx , Protocol:TCP, Flags: ACK, from IP:195.131.4.164, Port:53553, to IP:142.173.17.132, Port:1, Filter

    2003/05/04 21h:40min:51sec, Direction:Incoming, Interface: xx xx xx xx xx xx , Protocol:TCP, Flags: ACK, from IP:195.131.4.164, Port:53554, to IP:142.173.17.132, Port:1, Filter

    2003/05/04 21h:40min:58sec, Direction:Incoming, Interface: xx xx xx xx xx xx , Protocol:TCP, Flags: ACK, from IP:195.131.4.164, Port:53555, to IP:142.173.17.132, Port:1, Filter

    2003/05/04 21h:41min:04sec, Direction:Incoming, Interface: xx xx xx xx xx xx , Protocol:TCP, Flags:, from IP:195.131.4.164, Port:41009, to IP:142.173.17.132, Port:1, Filter

    2003/05/04 21h:41min:10sec, Direction:Incoming, Interface: xx xx xx xx xx xx , Protocol:TCP, Flags:, from IP:195.131.4.164, Port:41010, to IP:142.173.17.132, Port:1, Filter

    2003/05/04 21h:41min:32sec, Direction:Incoming, Interface: xx xx xx xx xx xx , Protocol:TCP, Flags: FIN, from IP:195.131.4.164, Port:56190, to IP:142.173.17.132, Port:1, Filter

    2003/05/04 21h:41min:38sec, Direction:Incoming, Interface: xx xx xx xx xx xx , Protocol:TCP, Flags: FIN, from IP:195.131.4.164, Port:56191, to IP:142.173.17.132, Port:1, Filter

    2003/05/04 21h:41min:44sec, Direction:Incoming, Interface: xx xx xx xx xx xx , Protocol:TCP, Flags: URG PSH FIN, from IP:195.131.4.164, Port:36365, to IP:142.173.17.132, Port:1, Filter

    2003/05/04 21h:41min:50sec, Direction:Incoming, Interface: xx xx xx xx xx xx , Protocol:TCP, Flags: URG PSH FIN, from IP:195.131.4.164, Port:36366, to IP:142.173.17.132, Port:1, Filter

    2003/05/04 21h:41min:56sec, Direction:Incoming, Interface: xx xx xx xx xx xx , Protocol:UDP, Flags: - NA -, from IP:195.131.4.164, Port:59469, to IP:142.173.17.132, Port:1, Filter

    2003/05/04 21h:42min:02sec, Direction:Incoming, Interface: xx xx xx xx xx xx , Protocol:UDP, Flags: - NA -, from IP:195.131.4.164, Port:59470, to IP:142.173.17.132, Port:1, Filter

    You can see from the details in the logs that it correctly identifies/blocks and logs the different types of stealth scans.

    Regards,

    CrazyM
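
A way to summarise log entries in the format posted above by probe type, as an added example that is not part of the original post and is not CHX-I's code. The sample lines are constructed in the same layout with documentation addresses, and the labels (ACK, NULL, FIN, Xmas) are the usual scan names for those flag combinations on unsolicited packets, not wording taken from the log.

```python
import re
from collections import Counter

LINE_RE = re.compile(
    r"Direction:(?P<dir>\w+), .*?Protocol:(?P<proto>\w+), "
    r"Flags:(?P<flags>[^,]*), from IP:(?P<src>[\d.]+), Port:(?P<sport>\d+), "
    r"to IP:(?P<dst>[\d.]+), Port:(?P<dport>\d+)"
)

# Flag sets on unsolicited TCP packets and the probe type each is consistent with.
PROBES = {
    frozenset(): "TCP NULL",
    frozenset({"FIN"}): "TCP FIN",
    frozenset({"URG", "PSH", "FIN"}): "TCP Xmas",
    frozenset({"ACK"}): "TCP ACK",
    frozenset({"SYN"}): "TCP SYN",
}

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # UDP lines carry "- NA -" in the flags column; treat that as no flags.
    rec["flags"] = frozenset() if rec["proto"] != "TCP" else frozenset(rec["flags"].split())
    return rec

def classify(rec):
    if rec["proto"] == "UDP":
        return "UDP"
    return PROBES.get(rec["flags"], "TCP other")

def summarize(lines):
    """Count blocked inbound packets per (source IP, probe type)."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec["dir"] == "Incoming":
            counts[(rec["src"], classify(rec))] += 1
    return counts

# Constructed sample lines in the layout shown in the post.
_T = ("2003/05/04 21h:40min:{s:02d}sec, Direction:Incoming, Interface: xx xx xx xx xx xx , "
      "Protocol:{proto}, Flags:{flags}, from IP:198.51.100.7, Port:{sport}, "
      "to IP:192.0.2.10, Port:1, Filter")
SAMPLE = [_T.format(s=i, proto=p, flags=f, sport=50000 + i) for i, (p, f) in enumerate(
    [("TCP", " ACK"), ("TCP", " ACK"), ("TCP", ""), ("TCP", " FIN"),
     ("TCP", " URG PSH FIN"), ("UDP", " - NA -")])] + ["not a log line"]
```
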
     
  6. Patrice

    Patrice Registered Member

    VERY interesting!! :D Thanks for this nice piece of information. Yes, this tool is really a nice one!

    But as far as I understand, it's only a Stateful Packet Filter, right? Nothing more, that means you still need a firewall or a router. Right?

    But overall a very nice tool indeed! ;)

    Regards,

    Patrice

    P.S. Did you already test it with nmap? Would be an interesting test indeed, because you can make different stealth attacks as well, which go further than PC Flank as far as I know.
     
  7. CrazyM

    CrazyM Firewall Expert

    I would consider a packet filter a firewall. In the case of CHX-I it offers only stateful packet filtering. A lot of users now are looking for and/or wanting more out of a firewall, such as application control and, more recently, program launch and component control. For those wanting these features, CHX-I may not be for them. There are also other alternatives for application control that could be used in conjunction with something like CHX-I.

    As for the need for the router: as always, they afford good protection independent of your system, but it would be the choice of the user; it would not necessarily be required.

    No, I did not have the opportunity to do that. From what testing I did do, I don't imagine it would have a problem dealing with any unsolicited inbound traffic.

    Regards,

    CrazyM
     
  8. Patrice

    Patrice Registered Member

    Hi CrazyM,

    I'm really happy that Look'n'Stop provides TCP Stateful Packet Inspection. There are quite a few packets which pass the router in some way and are blocked by my firewall. That's why I think this tool could provide some additional security for those who have a router but don't wanna use a software firewall next to it.

    Regards,

    Patrice
     