Author Topic: Which Firewall  (Read 12505 times)

Fatboy

  • Newbie
  • *
  • Posts: 14
Which Firewall
« Reply #15 on: December 16, 2001, 07:02:09 PM »
Zhen-Xjell, interesting. I have deliberately not mentioned "off the shelf" hardware solutions for 2 reasons...

1. It's a pretty emotive subject for some people (sad I know) lol
2. I don't have much hands-on experience with non-carrier-class firewalls.

But in general I agree hardware/separate firewalls are hard to beat and this "Zap" client-server functionality sounds very interesting.

This turned up in my inbox from a security mailing list. It is a nice quick description of NAT/PAT and I thought it might be worth posting here. I would normally post just a link to the reference but I don't think this mailing list is open in this way. Hope it is not out of place / offend.

F

[Snip]
Tim,

Well, as you probably know, NAT (Network Address Translation) is the idea of one internal address to one external address, or one to one.

PAT is the idea of One to Many, ergo many internal addresses to one external address.

So, there are 655536 possible ports. And you only have one IP address externally. But most internal users will only use 5-10 actual outgoing ports.

Here's the basic principle. You create a single IP address that is used external to the network, and have many internal machines point to it. Then, when those internal machines attempt to contact the external network, the firewall/router makes a table (called a state table on Cisco gear) that holds the internal IP address and port, and translates it to the (single) IP address and picks the next available port on that external IP. If the firewall/router is a good firewall/router, the next available port isn't usually the next numerical port. Hopefully, it's chosen by random chance, or an algorithm routine that is close enough.

Advantages are as follows;

1. You only require one single IP address on that external network.

2. It tends to be quick to set up, and scales up to large amounts of internal users.

3. PAT makes Link Sys and other types of home broadband routers a viable solution.

Problems with this are as follows;

1. It is hard to track who is actually using which port, and who may be using the external network access for malicious reasons, since you only have one single IP to get back to, and the state table may have refreshed by the time you track back to the firewall/router.

2. Some programs may require identical ports on both ends; for example, IPSEC VPN tunnels tend to die if more than one internal user is using the ports it requires.

3. If you have a significant number of users going out, you will eventually run out of ports. This is why you want a firewall that has very good scavenging.

4. You cannot use a PAT address for serving services to the external network/internet. There are no reserved addresses. Unless you use a universal PAT, that allows all incoming traffic to certain internal addresses, c.f. PIX 501, Link Sys firewall routers after March 2001.

5. The state table that has to be built for PAT tends to be a little more involved, thus costing the firewall/router a little more memory, and a little more time.

I hope that made PAT clear as mud. There's a lot more to do with it, including the header manipulation... but that's something you need an RFC for.

Here's one.

http://www.geektools.com/rfc/rfc1631.txt

You can search http://www.geektools.com/rfc for other Requests.

Seamus Hartmann

[Snip]

Fatboy
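The PAT state table described in the quoted mailing-list message above, sketched as an added example that is not part of the original thread: randomized external port selection, idle-entry scavenging, pool exhaustion, and a translation log that still attributes a port after its live entry has been reclaimed. The class and method names (`PatTable`, `who_had`), the default port pool and the timeout are hypothetical choices for illustration.

```python
import random

class PatTable:
    """Toy PAT translator: many inside hosts share one external IP (one protocol)."""

    def __init__(self, external_ip, port_range=(1024, 65535), idle_timeout=60, rng=None):
        self.external_ip = external_ip
        self.free = list(range(port_range[0], port_range[1] + 1))  # assumed pool
        self.idle_timeout = idle_timeout          # seconds before scavenging
        self.rng = rng or random.SystemRandom()
        self.by_inside = {}   # (inside_ip, inside_port) -> external port
        self.last_seen = {}   # external port -> time of last outbound packet
        self.log = []         # [start, end, ext_port, inside_ip, inside_port]

    def scavenge(self, now):
        """Reclaim external ports whose mapping has idled past the timeout."""
        for key, port in list(self.by_inside.items()):
            if now - self.last_seen[port] > self.idle_timeout:
                del self.by_inside[key], self.last_seen[port]
                self.free.append(port)
                for rec in self.log:              # close the audit record
                    if rec[2] == port and rec[1] is None:
                        rec[1] = now

    def translate(self, inside_ip, inside_port, now):
        """Return (external_ip, external_port) for an outbound flow."""
        self.scavenge(now)
        key = (inside_ip, inside_port)
        port = self.by_inside.get(key)
        if port is None:
            if not self.free:
                raise RuntimeError("PAT port pool exhausted")
            # Random free port, not the next numerical one.
            port = self.free.pop(self.rng.randrange(len(self.free)))
            self.by_inside[key] = port
            self.log.append([now, None, port, inside_ip, inside_port])
        self.last_seen[port] = now
        return self.external_ip, port

    def who_had(self, ext_port, when):
        """Attribute an external port at a past time from the log, not the live table."""
        for start, end, port, ip, iport in self.log:
            if port == ext_port and start <= when and (end is None or when < end):
                return ip, iport
        return None
```

Times are plain numbers supplied by the caller, so the idle timeout and the log lookup can be exercised without waiting on a real clock.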

Zhen-Xjell

  • Jr. Member
  • **
  • Posts: 98
Which Firewall
« Reply #16 on: December 21, 2001, 02:12:59 AM »
I would unsubscribe from that mailing list for a couple reasons.  First, based on this comment:

"So, there are 655536 possible ports. And you only have one IP address externally. But most internal users will only use 5-10 actual outgoing ports."

That is impossible.  If you check here: http://www.iana.org/assignments/port-numbers , you will see that the port list goes up to 65535.  But, since there is UDP and TCP, that doubles the ports, so 65535 x 2 = 131070.  Clearly, a few hundred thousand less than what your security mail list is claiming to exist.

Another problem with that quote is that "internal users will only use 5-10 actual outgoing ports."  Again, don't know where that came from, but anyone who knows anything about the TCP/IP protocol suite knows of the ephemeral ports.  Every time a client like IE accesses the Net or anything internal for that matter, it uses a new unique port number, and they fly by very quickly.

Another issue I have is with this quote:

"Well, as you probably know, NAT (Network Address Translation) is the idea of one internal address to one external address, or one to one.

PAT is the idea of One to Many, ergo many internal addresses to one external address."

That is the newest definition I have seen, and it is off base.  NAT doesn't do a one-to-one correspondence, it does a one-to-many. One Public IP to many Internal IPs.

"3. If you have a significant number of users going out, you will eventually run out of ports. This is why you want a firewall that has very good scavenging."

Now that is the FIRST time I've ever seen a comment like that.  And they don't even offer evidence or more explanation.

Don't know Seamus, but if he wrote that post, he is WAY off base.


pcoopers

  • Newbie
  • *
  • Posts: 10
Which Firewall
« Reply #17 on: January 11, 2002, 08:25:23 PM »
It may interest some of you to know I've seen this topic on another BBS, and got rid of Zone Alarm.  If interested, take a look at HDC BBS, I think you'll find identical heading under the "How do I?" heading.  Could have been under security.  

Basically, it turned into a discussion of whether Zone Alarm is spyware.  Good arguments on both sides, I'm unconvinced. But the facts are rather scary, because TrueVector was designed to gather browser information, and the CEO has been quoted making various claims about its info gathering capabilities.

Several links are provided within the thread, you need take no one's word, read it and make up your own mind!

Paul Cooper

Andy

  • Newbie
  • *
  • Posts: 1
Which Firewall
« Reply #18 on: January 20, 2002, 01:18:25 PM »
quote:

sends all it's info to a SPYLOG server after it's done. ... ([^/]++.|)1000stars.ru



You're really paranoid, man :) 1000stars is an old Russian counter service (like hitbox, for example) that had too few features and has been owned by the Spylog counter service. You can now see free Spylog counters on a lot of Russian servers (or Metrix counters for other countries), but they have no such information in statistics that you could get on that nice page, since nothing is sent - only the counter image is loaded. That's what I know for sure.


 
 

Shaka

  • Newbie
  • *
  • Posts: 20
Which Firewall
« Reply #19 on: March 16, 2002, 05:49:50 PM »
Zone Alarm may be spy ware

 O-my goodness I guess Zone Alarm was slapping your heads all day long.

If you have ever messed with a loadable kernel for Windows you would find that most software firewalls have no clue of it being there and transacting. But there are some that can control the mod's actions. If something is too easy to use and config then it may be too good to be true. I really DO NOT like to talk about what software is better to use or more secured. Most of the time people go with the easiest to config and use. If anyone needs help on configing Tiny or any other firewall, I can help. I know Tiny is hard to use for some peeps. Furthermore, if you really want to be secured, buy a hardware firewall or have a computer set up just for routing.

 
 

Arne

  • Administrator
  • Hero Member
  • *****
  • Posts: 778
Which Firewall
« Reply #20 on: March 16, 2002, 07:20:51 PM »
... and Shaka may be a spy

Great entry to my forum! And welcome.



Best wishes
Arne
Imici username: Arne

grey

  • Newbie
  • *
  • Posts: 4
Which Firewall
« Reply #21 on: August 22, 2002, 09:54:06 PM »
Hello "Proxo-Users"

First off let me say that Shaka is absolutely right, hardware is the way to go if you want really good security.
I want to point people that are interested in firewalls to this site http://www.pcflank.com/ as it offers extensive testing (all ports) if you have the time to spare (12+ hours :) as well as the most common exploits, ports, etc.
As to software firewalls, Agnitum Outpost, http://www.agnitum.com/ is a really good rule-based firewall and it works very well with Proxomitron, especially if you list Proxomitron as your only trusted application and route your traffic through Proxomitron.


 
 

lnminente

  • Jr. Member
  • **
  • Posts: 73
Which Firewall
« Reply #22 on: August 22, 2002, 10:38:59 PM »
Hi Grey.

I also use Agnitum Outpost, but I set it in restrictive mode, to not let other applications connect to the internet through Proxomitron.

Regards.

Edited by - lnminente on 22 Aug 2002  23:40:15
 

grey

  • Newbie
  • *
  • Posts: 4
Which Firewall
« Reply #23 on: August 22, 2002, 10:47:50 PM »
Hi lnminente, are you using Outpost Pro or the free version, as in are you able to set global policies?
I use Proxomitron as it is less likely (hopefully) to be used by trojans than other types of software, and with this setup I'm able to pass every leak test that I have tried :) see Personal firewalls vs Leak Tests:
http://www.pcflank.com/art21.htm

 
 

oltelman

  • Newbie
  • *
  • Posts: 18
Which Firewall
« Reply #24 on: August 23, 2002, 07:00:24 AM »
First & foremost, you need a wall and a moat!  I think ZX said a router, the physical part, and then a personal firewall.
I've used ZoneAlarm, it's the MacDonalds, fast & easy.  It's a resource hog!
I'm using Kerio (old Tiny) now.  Very small footprint, typically around 3-5 Megs of memory.  It is a rules based structure.  There are several good resources for setup & troubleshooting.
If you can setup & tweak a Proxo list, Kerio would not be a problem.


 
 

TEggHead

  • Jr. Member
  • **
  • Posts: 93
Which Firewall
« Reply #25 on: August 23, 2002, 10:44:01 AM »
quote:

I'm using Kerio (old Tiny) now.


Are they really one and the same now? I can still download Tiny from their own page at http://www.tinysoftware.com/home/tiny2?la=EN and it is definitely different (version 3.0) from the version that is now known as Kerio Personal, which is still at 2.1 at http://www.kerio.com/us/kpf_home.html


FWIW, I've used WinRoute Pro (Kerio now) from day one because I needed both a firewall and a gateway... it does NAT and can be told to use only a set range of ports as source ports for the requests it passes on. It can deny or drop. Internally I used to use ATGuard but have now switched to Tiny. About IGMP, as was mentioned by Shaka: I've never seen any referral to it in the other firewalls I tried, but I hardly doubt it'll be a problem, as IGMP is only of meaning if you use IP Multicast.

http://www.networksorcery.com/enp/protocol/igmp.htm




 
 

lnminente

  • Jr. Member
  • **
  • Posts: 73
Which Firewall
« Reply #26 on: August 23, 2002, 03:12:18 PM »
To Grey: I use the free version.

The global rules are:


 
 

oltelman

  • Newbie
  • *
  • Posts: 18
Which Firewall
« Reply #27 on: August 23, 2002, 10:21:14 PM »
quote:
Are they really one and the same now?


They are not.  It started out as Tiny.  Tiny has a new firewall w/ IDS built-in (Tiny 3.0).  I haven't tried it & have not seen that many good reviews.  (I'd better duck now)  Some one will want to dispute that one.
The same coders that did Tiny 2.XX started Kerio.  It is the same lineage as the Tiny 2.XX.
At least that's what I've read!

WinRoute is for a much larger scale than I have.  Small network for the family.  Mostly for surfing, but do have a file & print server.

 
 

Jor

  • Sr. Member
  • ****
  • Posts: 421
Which Firewall
« Reply #28 on: August 24, 2002, 12:05:54 AM »
oltelman: correct. Kerio 2.x is a direct successor to TPF 2.x

Also, Kerio 3 (beta) and Tiny 3 look _very_ alike.

 
 

oltelman

  • Newbie
  • *
  • Posts: 18
Which Firewall
« Reply #29 on: August 24, 2002, 01:20:40 AM »
I loaded Kerio 3.0 before my last reload.  Admin is starting to look a lot like ZAP.  Using the expert mode didn't give me the results I was looking for.  I'd gotten it to the point of not being able to reach most of the sites I'd made rules for.  They have some work to do & I have some more learning ahead.

Tiny 3.0 interested me for the Tiny Trojan Trap part.  I'd followed several threads at DSLReports on the original product.  Most seemed to think TTT was better this time around.  I have since found a couple of nice proggy's that do some of what it provides, with a lot less work to configure & maintain.