Should You Fire Your Firewall?

Gsurface writes "A lengthy article over at Flexbeta.net focuses on firewall applications and how well they perform as far as securing your system. Four typical firewall applications were tested including two routers, one being the Cisco 831 SOHO, which performed rather well. In total, nine security test were conducted to measure how well each firewall performed."

I don't appreciate the hardware very much...

[MrNerdHair]

Very interesting, although I'ven never been much for hardware firewalls. I grab an old machine, load it up with Slackware 9.1, and custom-configure the netfilter/iptables rules. I's a lot more versitile, and it's not just a firewall. It can be expanded to run every server known to man, such as ssh for remote control, or FreeS/WAN, for VPN.

Re:I don't appreciate the hardware very much...

[nocomment]

Same here. Most of my company firewalls are running OpenBSD with PF. There's 1 linux box that is getting replaced very soon. Typical setup is 4 or 5 nics, multiple NAT's yadda yadda. plus now that OpenBSD is giong to have CARP in 3.5, you will have an auto-failover with a maintained state to another machine. This plus transparent squid caching, allows us to have about 100 users per T-1 with no complaints.

Re:I don't appreciate the hardware very much...

[Creepy+Crawler]

Hardware firewalls are not meant for exquisite filtering or heavy duty VPN. What does make firewalls nice is that they have multiple ports (hence a router) and have a FULL bandwidth between any 2 channels.

With your example, once that nice PCI bus gets saturated... Game Over. Too bad they dont make a 1 GBps card for the AGP slot

Re:I don't appreciate the hardware very much...

[Micro$will]

Actually most home cable/DSL routers run a small embedded Linux distro, though I've found most are less robust than my old Pentium. My friend has to restart his Linksys almost daily, while my machine (Red Hat 8.0 minimal install) has 200+ days uptime. I've never tested the Linksys, but my setup gets a thumbs up from Shields Up.

Re:I don't appreciate the hardware very much...

[nocomment]

Hardware firewalls are not meant for exquisite filtering or heavy duty VPN. What does make firewalls nice is that they have multiple ports (hence a router) and have a FULL bandwidth between any 2 channels.

I agree with you, to a point. For a medium sized network like mine, where there are _no_ hubs except for the one at the firewall (so the snort box can listen) the switches will take care of keeping the bandwidth that the firewall actually hears to a minimum. The PCI bus can handle 127-ish MB/s nad 64 bit PCI can handle 508-ish. So unless you have a really high traffic system[1] this setup is not even noticable between a Cisco, or other heavy duty router.

[1] I have a really high traffic FTP server on my DMZ that is accessed a lot from systems on one of my NAT's and from the internet. What I did was move this system (OBSD) in _front_ of the firewall, enable PF on the FTP server to firewall it. Then I added a 2nd NIC to the FTP server so it plugs directly into the LAN. This makes sure that almost _no_ traffic from that system actaully hits the firewall. If I didn't do this, the PCI bus, like you say, would slow things to a crawl.

Re:I don't appreciate the hardware very much...

[nocomment]

Actually most home cable/DSL routers run a small embedded Linux distro

Linux isn't bad because the OS can't handle the job, but rather because they just don't have the really wide backplane like the Cisco's have. If you were able to get a linux box with a backplane like what cisco uses linux would be jsut as effective, albeit perhaps not as robust as IOS.

Re:I don't appreciate the hardware very much...

I'm probably being niave here, but carp sounds like the least common denominator in load balancing/HA. There's a lot of low budget shell script ways to do HA and this doesn't sound much better. The load balancing aspect will never work in todays protocols unless it starts doing high level inspection. Try a simple SSL conection with it and you'll quickly see how usefull it is. Not very for real production networks. Which is the only place OpenBSD can even be justified beyond hobbyists.

The HA doesn't sound much better than something any bored admin script up 5 years ago to see if it was as easy as he thought.

Of course, I'm being contrary for a reason (besides drunkeness).

When you're setting up an HA network, can you really rely on nic teaming/carp/etc? I've yet to see comminuty endorsed equivlents of a proper load balancer (alteon, etc) or drivers/teaming solutins that I would trust in a production load balancing or HA enviroment. Thats why anyone who wants it pays out the ass for black box supported devices. My real goal here is to see if anyone has something real to offer here that they would trust in the most serious setups with linux on HP/Dell/IBM/custom hardware. Selling it is not the problem as we can see from what people charge out there for it. But is there anything out there that's a real open supportable standard for this?

not a verb at all

But because the Cisco router's price range is awfully steep, we would only recommend it for those who have money to through away

jeez

Crap

[Old+Uncle+Bill]

Any review of security/firewalls using Gibson's crappy analysis tools is beyond flawed. I would take all of this review with a grain or two of salt.

Re:Crap

Any review of security/firewalls using Gibson's crappy analysis tools is beyond flawed. I would take all of this review with a grain or two of salt.

Care to explain why? A link? Anything?

Re:Crap

[SpaceLifeForm]

Thanks, I'm glad I didn't RTFA then.

The Shields Up! Test

[Radical+Rad]

The D-Link router failed to stealth one port whiles the bare system shows how vulnerable we can be without a firewall.

But the port it shows as closed is 113 which is sometimes needed to authenticate to ftp or web sites. The authors of the review are assuming that the best firewall stealths absolutely everything. But if a product completely protects your system why wouldn't that be good enough? Same for ZoneAlarm4 not stealthing several ports under Advanced Port Scanning.

I like the way they bring up outbound filtering though. Most "personal" firewalls don't do anything with this.

Re:The Shields Up! Test

[boneshintai]

(For reference port 113 is the 'ident' identification protocol. Anyone using this for serious authentication should be shot.)

Re:The Shields Up! Test

[Quarters]

Yeah, their comments about the D-Link and port 113 illustrate the basic nature of the review. It's very easy to configure the D-Link routers to stealth 113 if you really want to. Just use the advanced tab in the setup to create a virtual-server at an unassigned IP address in the router's 192.168.0.* range and shunt the port 113 traffic there.

Re:The Shields Up! Test

[Micro$will]

I'm not sure about the DI-604, but I had an old DI-704 that would stealth 113 given the proper tweaks. I'm also surprised the 604 didn't show up to ICMP scans since I had to manually set mine to not reply.

The Zone Alarm results are confusing too. I just installed the free version on a friends machine, but had to disable it temporarily because it blocked the outbound request to access my file server. I assume there are many options you can configure to secure any hardware or software firewall, but you need to have the knowledge and patience to sit down for a day, preferably within a protected network, set them up and hammer on them with nmap.

Re:The Shields Up! Test

[nocomment]

Re:The Shields Up! Test Re:The Shields Up! Test (Score:1) by Micro$will (592938) on Wednesday March 10, @08:54PM (#8529083) (http://www.vixenny.com/) I'm not sure about the DI-604, but I had an old DI-704 that would stealth 113 given the proper tweaks. I'm also surprised the 604 didn't show up to ICMP scans since I had to manually set mine to not reply. The Zone Alarm results are confusing too. I just installed the free version on a friends machine, but had to disable it temporarily because it blocked the outbound request to access my file server. I assume there are many options you can configure to secure any hardware or software firewall, but you need to have the knowledge and patience to sit down for a day, preferably within a protected network, set them up and hammer on them with nmap.

I have zone alarm running on my wifes windoze box (only one in my house) and I set the preferences to prompt whenever something new requests a connection to the internet. Then when something hasn't been used before you get a popup asking for permission. I've caught spyware this way and simply denied it access and the pop-ups went away. I don't think it's a substitute for gateway firewalls, but they are very useful for situations like this.

Re:The Shields Up! Test

[higuy48]

Why even bother with nmap? I set up Zonealarm myself to allow my other computers to access the network freely. It was a lot of hassle. It was also pretty stupid, so I uninstalled it. Don't a large number of ISPs have upstream firewalls anyway? I'm on Comcast, and I'm pretty sure that there is a firewall upstream. I've taken the ShieldsUP test(s) before, and I'm always stealth across the board (with 113 merely closed, of course).

Re:The Shields Up! Test

[Micro$will]

Don't a large number of ISPs have upstream firewalls anyway? I'm on Comcast, and I'm pretty sure that there is a firewall upstream.

A lot of ISPs block certain ports, but which ones? Where are they blocked? Are they blocked all the time, or only during peak hours? You may be safe from a Shields Up scan, but are you safe from the 3|337 hax0r down the street?

Trusting my ISP to keep my computer secure is like trusting public transportation to be on time. If I *must* be somewhere at a certain time, I'd rather leave a little early or drive just in case.

Re:The Shields Up! Test

heh hee. For serious authentication. ha ha

But for low level authentication its ok. Raises the bar a teeny bit for the kiddies.

Re:The Shields Up! Test

[richie2000]

Anyone using this for serious authentication should be shot.

It's "taken outside and shot". We don't want them bleeding all that stupid blood on the carpeting, now do we?

Re:The Shields Up! Test

[orthogonal]

For reference port 113 is the 'ident' identification protocol.

For reference, it's used by sendmail.

Before learning this firewall users who read their logs (me!) will have a paranoia induced moment or two when they notice their host/ISP apparently scanning their ports, and will be even more bemused when they notice the scanning follows a regular period matching the period of their email client's polling.

Fun stuff!

Re:The Shields Up! Test

For reference, it's used by sendmail.

People that still use Sendmail should be taken outside and shot. What, does it run on the same box as your wuftpd server? How many times does a server have to be exploited before people stop using it? Get Postfix, qmail or even Exim, but for god's sake stop using that sendmail shit.

Re:The Shields Up! Test

[dpilot]

The ident request is being sent back to you by the UPSTREAM sendmail, and has nothing to do with what MTA you're using. Plus AFAIK sendmail isn't the only MTA that sends back an ident request, though I can't identify any others. I'm under the impression that some ftp servers send back ident requests, and that most IRC does, too.

Re:The Shields Up! Test

[gstoddart]

Not only that, but as an owner of a DI-604 I'm comfortable with the results.

Basically it says it doesn't adequately block outbound traffic (which I don't care to block) but does a great job of blocking incoming traffic.

For the price, what more could you want? I bought it before I bought an XP box to put on my LAN. (Actually, before I bought the DI-604, I didn't have a LAN per se.)

asdfas

[Smartcowboy]

For a long time, I had no firewall. Now I use ZoneAlarm. There is a really large number of thing I don't understand about firewall and while the article was an interresting reading, there is many thing I don't understand. Can somebody give me a little info about internet security?

Leak
--------------------
As I understand it, a leak occur when a firewall don't block a connection that should be blocked. How can this append? This sound like a very basic fonctionnality of a firewall and a firewall failing this sound totally broken to me. Is it more complex than that? How can a firewall effectively block some connection and not other that should be blocked?

Browser test
--------------------
To do cookies check and referrer check, the firewalls need to analyse the contents of the packets and not only their source, port and destination to filter them. Is this really something one should expect from a firewall?

Port scan
--------------------
How can a firewall fail to stealth a specific port? Some ports are harder to stealth than others? To this day, I was thinking of ports like arbitrary numbers conveniently standardized in their usage.

Re:asdfas

[Ayanami+Rei]

Leak:
1) Hardware firewalls _rarely_ block outbound traffic, so they implictly allow out (since they can't predict what you'll need).
2) Internal software firewalls work by intercepting a request to send a packet if it matches a rule. If the rogue software actively looks for a way to bypass the filter (by talking directly to the network card itself and bypassing the operating system), then there is nothing that can stop it.

Hence the all fail the leak test. That's to be expected. In general you cannot expect to be connected to the internet at all and NOT be _somewhat_ vulnerable about information being transmitted without your knowledge.

Browser test:
You're right. Firewalls shouldn't double as a content/URL filter. That's the job of an "application proxy". Many firewall vendors are functioning as both... which is fine for a consumer who doesn't know the difference.

However, this is partially due to the fact that windows has this API called "NDIS".
Firewalls are implemented by placing filters in the NDIS chain that check for incoming/outgoing IP addresses and stuff, and can process them. But the NDIS chain also allows you to intercept URLs and how they are parsed, control DNS lookup, and more. (This is a Windows-specific feature). So most firewall developers naturally decided to add URL/content filtering because it was an easy step from IP filtering, since they were using the same programming interfaces.
It wasn't rocket science... it was right there in the programming manuals next to the other stuff. :-)

Port scan:

By default, ZoneAlarm is configured to allow ports 135-139 in (but ONLY for the "Local Zone", if they bothered to check) so you can use Windows File Sharing between computers. It's easily turned off making the computer invisible to everyone just like the rest of them.

ZoneAlarm wanted to be friendlier to people who wanted to share files or printers inside their house.

YRO?

[winsk]

Does this really belong in the Your Rights Online section?

TooLeaky test is BS

[VarmintCong]

I decided to try some of these tests myself. When testing using TooLeaky, I got a notification that it sent the information to GRC.com and recieved information from GRC.com, even when I disabled my internet connection.

Sounds like BS to me.

Good thing about hardware...

[dpilot]

It's a good first line of defense for the home user, especially if you're getting tired of keeping up the necessary due diligence for a good sofware firewall. I went with hardware on my home LAN about a year ago, after running software for several years. In this case, I'd been running RedHat and their release strategy change left me unsure of how I wanted to maintain that system. Getting hardware for my front-line meant that I just had to keep the box running for my internal services, though I did feel it necessary to shut down my external ports.

Obviously security criteria are different between home and business, not in resisting attack, but in the users you must accept and services you must offer.

My hw FW blocks outbound!

[redelm]

I use a Siemens 2602. I could easily set up a Slack9.1 box to do the same thing, but the electricity consumption, noise, space and admin aren't worth it.

Blocking outbound is an important feature. My kids run MS-Win boxen, and these are sure to get trojanned. One of the nastiest rather quietly acts as a spam relay. AOL (hardly authoritative) has claimed 1/3 of spam inbound is from DHCP broadband. So I'm a responsible netadmin and block outbound 25 from their machines. They get their mail via yahoo anyways.

Now, if my son needs grounding (he hasn't), I may need to find out the AIM ports to block.

Re:My hw FW blocks outbound!

[GoneGaryT]

I could easily set up a Slack9.1 box to do the same thing, but the electricity consumption, noise, space and admin aren't worth it.

Know the feeling!

I'm running Smoothwall Express 2 (GNU/Linux components) on my old PC, which is a tad overkill to protect a couple of machines. It would probably serve a small department or a couple of labs pretty well; it has snort, squid and so on and has a ssl-secured web interface for admin. Nice interface, good logging and traffic graphs, enough facilities to make it pretty useful, and fairly quick and easy to set up (I didn't R much of TFM). It nags you to check for updates regularly too. I'm kind of fond of it despite the negatives.

Luckily my new PC makes enough fan-noise to drown out the old one ;)

'personal' firewalls...and why you want one

[Frennzy]

In general, you should always use a dedicated device to filter incoming packets. Consider it 'first line' defense.

Where things like ZoneAlarm and Kerio make a difference is that they filter outbound connections. Of particular note is that, if the user pays attention and doesn't randomly approve everything the software shows them, then a firewall application can not only block specific outbound ports, but it can maintain specific application+port rules. That way, rogue malware can't hijack commonly used ports, such as port 80. It also would prevent worms/viruses that use their own SMTP engine.

Data security should always be a layered approach. Take care of different threats with different (appropriate) defenses.

ShieldsUp doesn't go far enough to test servers.

[Futurepower(R)]

He wasn't being careful in what he said, probably. There is nothing wrong with ShieldsUp! at GRC.com. (Scroll down to ShieldsUp, which cannot be linked directly.)

However, ShieldsUp doesn't go far enough in testing for vulnerabilities. ShieldsUp is perfect for testing systems or LANs that have no servers, because you are only trying to verify that there is no response at a particular port. However, if there is a server, other attacks than those of ShieldsUp should be tried.

Re:ShieldsUp doesn't go far enough to test servers

[delus10n0]

Check out http://www.grcsucks.com/ for info debunking GRC/ShieldsUp/Steve Gibson. He's a quack.

"An In-depth Look at SMALL SYSTEM Firewalls"

[Futurepower(R)]

This is just one more case where an excellent area of inquiry is ruined by the wording of a Slashdot article, and by people trying to show how much they know without saying anything that could actually be used by someone else.

The article at Flexbeta should not be worded, "An In-depth Look at Firewalls", it should be "An In-depth Look at Small System Firewalls". Most single computers or small LANs have no servers.

The parent post is considering an important issue for systems of 100 users. Systems that large are far out of the scope of the Flexbeta article.

We need two Slashdot articles on firewalls, one for small systems, and one for more complex LANS.

The Flexbeta article considered only Linksys (now owned by Cisco) and D-Link small system hardware firewalls. It did not consider Airlink Plus and Netgear.

I got burned with poor technical support from Cisco. Also, Cisco stopped supporting its 675 router. I don't want to be involved with Cisco again, so Linksys is out, especially because of the confused Linksys web site. Cisco has an enormous conflict of interest. If Linksys sells good firewalls, it will mean Cisco sells fewer.

So, which is the better hardware firewall, D-Link DI-604, or the Netgear RP614?

Re:"An In-depth Look at SMALL SYSTEM Firewalls"

[MindStalker]

D-link makes very poor equipment, definatly Netgear anyday of the week (just make sure its not in the slick silver cases, those are made by a third party, not sure who and they suck). BTW cisco and linksys arn't even remotly in the same market, so its really not a conflict of interest.

Re:"An In-depth Look at SMALL SYSTEM Firewalls"

[monster811]

I dont have any experience with the D-Link 604, but i used to have a 704P and it kept overheating, at which point i would get terrible ping and dialup speeds. I managed to get a couple more months out of it by adding some fans to the side, but when it did finally die, I couldnt touch it for a few minutes. I have a Netgear RP612v2 now, its been working perfectly with regard to both the firewall and the network. I would definately say netgear is the better choice. Lets not even get started on linksys, everything i have bought from them has died on day 1.

Re:"An In-depth Look at SMALL SYSTEM Firewalls"

[Bishop]

Cisco is great if you are buying the expensive stuff. You can still get the software updates for the old routers. The support has always been good as well. But like you say the support for the smaller boxes is pretty poor. It is not even just the low end stuff. I have been burned by "enterprise" access points as well. It seems end of life happens just a few months after the first production is finished.

Even if Linksys is a sperate entity from Cisco I won't buy one. Linksys has always made crap. A local ISP hates Linksys due to bad fragmentation of PPPoE packets.

Netgear can be hit or miss. Friends and I scored some underpriced Netgear switches (FS105) that have been flawless. Mine has been running nonstop for four years. On the other hand I had 10 Netgear hubs (DSx08) in the lab. A year later atleast half had intermittent failures. I would still buy Netgear over D-Link.

All the D-Link stuff I have used has been obviously cheaply made. Some stuff worked, some didn't, but it was all cheap. The NICs have cheap chips but mostly work. At the other end we have 8port desktop switches. I scrounged over a dozen switches still in the box. When I got them back to the lab all but one of the power supplies were missing. I found out later that the power supplies would get really hot and melt.

The SMC Barricade is another mini-router to consider. I know of two that have been running flawlessly for close to two years. I think there may still be Engineers working at SMC :-)

Overblown language, but ShieldsUp tests ports.

[Futurepower(R)]

While Steve Gibson is known for overblown language, his ShieldsUp does in fact test for open ports.

Re:Overblown language, but ShieldsUp tests ports.

[robochan]

his ShieldsUp does in fact test for open ports.

However, it even fails at that.

how good is good enough

[tanguyr]

One of the questions that this discussion doesn't take into account is just how good does a personal firewall on a home computer have to be in order to be effective?

It seems to me that you have to take the "threat level" into account: are you looking for a solution to keep you one hundred percent safe in the face of a dedicated attack by an expert opponent or do you just want to deter random port scanning dorks from malasia? If you're not a convenient victim and your neighbor runs vanilla windows XP, doesn't have a firewall, doesn't apply security patches and, hey while we're at it, surfs porn from dodgy russian sites all day... chances are you're safe enough... for now. /t

I follow no firewall

[g0bshiTe]

I don't trust the buggers. I am currently running one of my home pc's with Win98SE stock from cd only patch is i run IE6.(though I use Firebird) I have offered for people whom I know to be in security related feilds to "hack me". To this day no one has. Granted I know this doesn't mean it can not be done, anything is possible. I just happen to keep a tight reign on what programs I allow to communicate to the outside world. Scary stuff. I have no anti virus either, and have gotten only 2 virus infections neither of them were serious.
I suppose it's up to the individual user as to how secure they want to think they are.
Keep in mind firewalls can be shutoff from outside by using a common exploit like IE and activex.
Security doesn't mean running anti virus or a firewall for that matter. It means the user needs to be vigilant and know what their machine is doing at all times. One of the main reasons I love Linux is the difficulty of software installation. You have to upgrade 3 or 4 pakages to run that new version of X-chat, on the plus side you know what is bieng installed on your system unlike the point and click GUI world of Windows.
I once read somewhere that out of 100 hackers, all 100 can scan for open ports. Of those 100 maybe less than 10 would know what to do when they found one. I don't know how creditble that statement is, the day may come where my offer of "hack me" leaves me dumbfounded until then I refuse to use anti virus or a firewall. Both seem pointless to me at least.

Re:I follow no firewall

maybe it's not worth their time demonstrating Yet Again to another Unbeliever?

this is a sad troll.

Re:I follow no firewall

I wonder if any Vegas bookies would be willing to take odds on whether or not your computer is pwned at the moment.

Any more info about D-Link?

[Futurepower(R)]

Any more info about Netgear would be helpful.

Cisco 675 modems competed directly with Netgear. Not sure what Cisco is doing now.

If you know the market, I think you would be convinced that there are many cases where Cisco sales people are selling very expensive gear when a $50 Netgear box would do as well.

A 50-person company whose employees occasionally browse the internet, that has no servers, and only sends business email doesn't need much.

Default settings

[W1K-Galoot]

I take it these folks used only default settings rather than setting things up for maximum security. My DI-604 stealths port 113 just fine because I've set it up that way.

So, basically, I can't tell anything from this "review." If it doesn't accurately portray one products capabilities, it may not accurately portray the capabilities of any of them.

Thanks.

[Futurepower(R)]

The advice is very much appreciated.

Thanks again for the advice. SMC firewall/modem

[Futurepower(R)]

One model of SMC Barricade

Froogle results: SMC SMC2804WBR Cable/DSL RTR 802.11GW/Switch

"This latest Barricade g Wireless Cable/DSL Broadband Router provides hacker prevention and logging functionalities. For example, when a hacker attempts to access your network, the Barricade g can alert you via email so you can take appropriate action."

Anyone should gladly pay a little more for a good firewall.