Firewall -- help :(

Status
Not open for further replies.

alexnj

Right off the assembly line
Hi!

Been searching for a good packet-filter based firewall, with user-definable rules. (Software firewall, Windows [2k] platform).

Tried many, lost a month's time in the search, but still haven't found the best.
Any suggestions?

By the way, anyone heard about the CheckPoint firewall? Does it allow flexible rules?

Basically I want to create rules like:
DROP if
(sent_bytes > recv_bytes) and (dir == IN) and (dst_port = 466x) and (sent_bytes > 10KB);

I want to rule out eDonkey/eMule leechers, automatically. These mules ain't 'what u get is what u give', often.

Any idea??

Thx in adv,

Alex.
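The rule in the post amounts to per-connection byte accounting, something only a stateful filter can do, since a stateless packet filter sees each packet on its own. As an added example (mine, not from any product discussed in this thread), here is that rule implemented in Python over constructed sample traffic; it assumes "466x" means local ports 4660-4669 and that sent/recv are counted from the local host's side.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed (not stated in the thread): "466x" means local ports 4660-4669,
# and sent/recv are counted from the local host's point of view.
EDONKEY_PORTS = range(4660, 4670)
SENT_THRESHOLD = 10 * 1024          # the "10KB" in the rule

@dataclass
class Packet:
    remote: str       # remote IP address
    local_port: int   # port on the local host (dst_port for inbound packets)
    direction: str    # "IN" (remote -> local) or "OUT" (local -> remote)
    size: int         # bytes carried

class LeecherFilter:
    """Keeps per-connection byte counters and evaluates the rule per packet."""
    def __init__(self):
        self.sent = defaultdict(int)   # bytes the local host sent, per connection
        self.recv = defaultdict(int)   # bytes the local host received

    def decide(self, pkt):
        key = (pkt.remote, pkt.local_port)
        if pkt.direction == "OUT":
            self.sent[key] += pkt.size
            return "ACCEPT"            # the rule only ever drops inbound traffic
        self.recv[key] += pkt.size
        # DROP if (sent > recv) and (dir == IN) and (dst_port = 466x) and (sent > 10KB)
        if (pkt.local_port in EDONKEY_PORTS
                and self.sent[key] > SENT_THRESHOLD
                and self.sent[key] > self.recv[key]):
            return "DROP"
        return "ACCEPT"

def run(packets):
    """Feed packets through one filter instance; returns one verdict per packet."""
    flt = LeecherFilter()
    return [flt.decide(p) for p in packets]

# Constructed sample: a leecher that only takes, a fair peer that gives back,
# and unrelated traffic on port 80 that the rule must not touch.
SAMPLE = [
    Packet("10.0.0.5", 4662, "IN", 200),     # leecher asks for a chunk
    Packet("10.0.0.5", 4662, "OUT", 12000),  # we upload 12KB to it
    Packet("10.0.0.5", 4662, "IN", 200),     # next request -> DROP
    Packet("10.0.0.9", 4662, "OUT", 12000),  # fair peer gets 12KB
    Packet("10.0.0.9", 4662, "IN", 15000),   # and sends 15KB back -> ACCEPT
    Packet("10.0.0.5", 80, "IN", 200),       # not an eDonkey port -> ACCEPT
]
```

Note that the verdict for the fair peer flips only because its inbound bytes are counted before the rule is evaluated; counting after would drop it as well.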
 

alexnj

Right off the assembly line
@my home.

Got a LAN here, with one PC connected to the internet. The net is to be shared among 3 PCs, using NAT / proxy.

602LAN Suite provided good features, NAT+proxy, but it misbehaved with Skype and some other apps. Often it crashed and caused the system to reboot instantly. Contacted support, but no response. So I threw it away. Still, it was a good one -- lots of features. No good rule system, no log output. No idea what's going on in there.

Also, can't use an application level firewall, because benchmarks done here@home say it wastes a lot of speeeeeed/bandwidth -- simply by checking all packets against the app-list.

So what I need is a good packet filter based firewall (session+? good!!), with a flexible rule system.

Anyway, thanks a lot for replying, techiways.

Alex.
 

digen

Youngling
Dude Alex, since when did CheckPoint start building software firewalls?
AFAIK they build appliance level firewalls & VPN solutions.
Anyway, you are asking too much from a software based firewall.
BTW, how much are you willing to shell out?
Instead of using a software firewall, which will eventually hog resources one way or the other, may I suggest you read Doc Holliday's post from the URL given below. The features you are looking for, SPI [Stateful Packet Inspection]... blah blah, can be found in a few router cum firewalls.

*www.thinkdigit.com/forum/viewtopic.php?t=17954&highlight=

And above that, if you are keen on securing & understanding what goes on at a deeper level, then a Snort [an intrusion detection system] installation on the server PC will examine what the router cum firewall spills, i.e. if a proper rule has been set accordingly. This is exactly how my existing setup is right now.

Or else, if the above doesn't suffice for your needs, you've no option other than having software firewalls & gateways like WinGate..
I hope this helps.
 

alexnj

Right off the assembly line
Buddy, I honestly don't know when they started building software firewalls, but you might want to see *www.checkpoint.com/getsecure.html. I think it's pretty much software, isn't it??

Also - keeping an SPI based firewall (good!!) in a router would prove useless to me. Efficient it sure would be, but how about my rule definition demands? Would it satisfy them? :?:

Right now I'm evaluating Kerio WinRoute 6. Good one. Good performance, and I believe no memory leaks. So a well-coded firewall won't hog up resources over time. Mind you, it's all about how well it's coded. 5 days continuous run, around 6 GB of traffic is through; and still it's running smooth.

It offers SPI, VPN server and client, NAT, VoIP and UPnP support. Good@speed. No wastage of bandwidth anywhere -- benchmarks show good results. Rule definitions are good to an extent - but it cannot filter on the transferred-data-size of a connection :( .

Could you give me a brief overview of your 'Snort' based setup? Can I use it instead of a firewall (or is it one?) -- seems like it's working over the WinPcap driver. Wouldn't it get a bit more slow? Can I write my traffic-size based rule in it and drop connections accordingly (^ refer above, my first post)??

Thanks for the reply, :)

Alex.
 

digen

Youngling
Snort is a rule based Intrusion Detection System & it is not to be confused with a firewall. Both come from different breeds, both do different jobs.

My setup consists of a hardware router provided by my ISP. Since I sometimes do offer public services I've a few ports open [port forwarded to the internal machine]. My Snort setup & the network topology can be seen here: *www.snort.org/docs/snort-win2k.htm Yes, it works using the WinPcap driver.
I've not experienced any slowdown, considering the fact that my rule base is very minimal.
Any application level based firewall [software firewall] will use that many clock cycles to get the work done; that's one of the differences between a software & a hardware appliance firewall.
The reason I suggested a hardware router cum firewall was since your requirements are rule based, which I've at least never come across in a software based firewall. What you are asking for can be seen in the enterprise level appliances like Cisco PIX, which runs on the Cisco IOS. In case you hang onto something similar for a software variant then do let me know.
 

abhinav

Journeyman
Well, I have a firewall problem.
I.e. I can't have the voice chat option on Yahoo Messenger because of a security reason, so how can I solve this problem?
I am using Windows XP SP2 Prof.
 

alexnj

Right off the assembly line
FYI, digen. Software firewalls can be of two types - application firewalls and packet filter firewalls.

Kerio WinRoute, 602LAN Suite, InJoy, etc. are packet filter based firewalls. Well, they are not slow daemons like the normal application firewalls -- because they just match each packet with a set of rules only. And I think we can always do a better rule set definition in a software based packet filter firewall than in a hardware one.

For example, the InJoy firewall suite even has a rule workshop!, that allows us to create flexible packet-level rules (unfortunately for me, no size-based rules in it!) just like a hardware firewall.

Except for the transferred-bytes-based rule, I'm satisfied with the Kerio WinRoute 6 firewall (packet level). Also the InJoy firewall suite performed well; but its cluttered interface (or lack of interface?) annoyed me - and I threw it away.

And if anyone's looking for a good application level firewall, it seems Agnitum Outpost Pro 2.6 is the best!

And for buddy abhinav.
If the voice chat option is not visible in Ymsgr, you are connecting to Yahoo with 'Use proxy' or 'Firewall with no proxy' turned on. You can check this in the Messenger > Connection Preferences menu. I think Yahoo allows voice chat only in direct connection mode (no proxies).

Alex.
 

digen

Youngling
Ahha yes, forgive me, I completely overlooked "Circuit level gateways" & the "application level gateways". Thanks for not letting that part get away from me.
Kerio WinRoute, 602LAN Suite, InJoy, etc. are packet filter based firewalls. Well, they are not slow daemons like the normal application firewalls -- because they just match each packet with a set of rules only. And I think we can always do a better rule set definition in a software based packet filter firewall than in a hardware one.
Eh? Where did that come from? No offence mate, but have you seen the Cisco PIX at work? Or did I seem to have lost you there, with you still talking about router cum firewalls?
Cause an appliance is a hardware firewall after all, ain't it?
Now since you are comparing the likes n dislikes of software v hardware firewalls, I would like to share what I know of.
For a small SOHO setup a software firewall [gateway level filter or application level firewall] should suffice. The more the number of nodes & bandwidth processing involved, the more the pendulum slightly shifts towards the hardware based firewalls. Everything depends upon requirements & how much you can shell out. A Cisco PIX doesn't deserve to be placed in a small SOHO network; similarly a software firewall doesn't deserve its place in a thousand node network, the next thing before the blink of your eye it has already passed out [read as crashed].

Oh btw, it seems you've tested quite a few firewalls; did any of those ever meet your requirement yet?
If yes then bro good job.
 

alexnj

Right off the assembly line
Yea, that's true. Never seen a Cisco PIX at work -- without that, I can't just compare it with a software firewall, u're right. So digen, if you've seen one before, I think it should be quite easy for you to compare it with a software packet level firewall (use Kerio or 602) and check to see which one's more flexible and easy to use/setup (Yea, power, for sure, goes to the hardware one!! -- no comments on that part.).

Ahh. Na.. None met my requirement yet. Still, I think I should continue with Kerio WinRoute 6. Though it doesn't have the transfer-size-based filter ability that I'm looking for, it's quite good in its performance and ease of setup/use.

I think I should spend some time to code one. :p

Alex.
 

escape7

What? Where? How?
How about Zone Alarm? Needs some customization, but after that it works fine; some versions also have a built in firewall.
 

theraven

Technomancer
Some versions of Zone Alarm have a built in firewall?
Are u sure?
What Zone Alarm are u using?
Cuz as far as I can remember Zone Alarm IS the firewall.
I think u meant to say some versions have a built in AV ;)
BTW, which I might add sux to the core


Just to add about the CheckPoint and PIX:
they are STATEFUL firewalls and not application gateway or packet filtering.
All other firewalls are GENERALLY packet filtering!
So that makes 3 types of firewall and not 2.

CheckPoint is the software somewhat-equivalent of PIX and of course is completely GUI based,
the diff being the lack of an ASA algorithm in CheckPoint.
Besides, as pointed out, it's an enterprise level firewall and not a "Software firewall".
Besides, it costs a bomb (in L's) and of course is not feasible.
Also no "Cracks" are available for it AFAIK, if u were thinkin of doin it!
All said and done .. firewalls are gettin redundant now man :| I think these classes are gettin to me :D hehehe
 