Outpost Users Support Forum  
  #1  
Old 09-09-2001, 07:09 PM
cosmos's Avatar
cosmos cosmos is offline
Retired Moderator
Beta Tester
 
Join Date: Sep 2001
Location: Greece
Posts: 1,149
Question Is stateful inspection provided by Outpost?

In the Suggestions & Feedback->Announcements Forum, stateful inspection is a to-do for Outpost. I believed that Outpost currently supported stateful inspection. I've also found this Usenet thread: http://groups.google.com/groups?q=ou...g3ef%404ax.com

So my question is: does Outpost support stateful inspection now?
  #2  
Old 09-09-2001, 07:41 PM
Mark's Avatar
Mark Mark is offline
Beta Tester
 
Join Date: Jul 2001
Location: South Africa
Posts: 357
Excuse my ignorance, but what does "stateful inspection" mean?

Mark
  #3  
Old 09-09-2001, 07:54 PM
cosmos's Avatar
cosmos cosmos is offline
Retired Moderator
Beta Tester
 
Join Date: Sep 2001
Location: Greece
Posts: 1,149
I'm also somewhat ignorant on the subject so perhaps someone else could correct me...

A firewall that implements stateful inspection will monitor incoming packets and reject unsolicited ones, i.e. frames that were not asked for.

This feature implements an additional level of security.
  #4  
Old 09-09-2001, 07:56 PM
Mikhail's Avatar
Mikhail Mikhail is offline
Agnitum Ltd.
 
Join Date: May 2001
Location: Saint-Petersburg, Russia
Posts: 4,161
No, it is on the to-do list. Stateful inspection is not a "must have" for a personal firewall. Nothing against this feature, but it is not so critical.
  #5  
Old 09-09-2001, 08:31 PM
cosmos's Avatar
cosmos cosmos is offline
Retired Moderator
Beta Tester
 
Join Date: Sep 2001
Location: Greece
Posts: 1,149
Quote:
Originally posted by Mikhail
No, it is on the to-do list. Stateful inspection is not a "must have" for a personal firewall. Nothing against this feature, but it is not so critical.
Mikhail, I'll have to strongly disagree. The term critical has a relative meaning. Having a look at the planned feature list, keeping in mind that Outpost is first and foremost a firewall product and, finally, that similarly priced (i.e. free) PFs like Tiny and Sygate do implement stateful inspection it seems that this feature should definitely be implemented as fast as possible! Once more don't get me wrong! Yes, I am aware that TPF does not provide the level of content filtering that Outpost does, but this can change. Additionally, it is always good to keep an eye on the best implementations out there and try to keep up with them in the areas they perform best.

One last word: suppose that stateful inspection is not needed by a PF (although I strongly oppose this). Marketing works miracles though, and I can see quite a few vendors out there touting their support for this feature...
  #6  
Old 09-09-2001, 08:37 PM
Mikhail's Avatar
Mikhail Mikhail is offline
Agnitum Ltd.
 
Join Date: May 2001
Location: Saint-Petersburg, Russia
Posts: 4,161
Quote:
The term critical has a relative meaning
Besides marketing reasons, can you please explain why it is so critical?
BTW, as for marketing, I doubt 1% of regular home users are aware of stateful inspection.
  #7  
Old 09-09-2001, 09:00 PM
cosmos's Avatar
cosmos cosmos is offline
Retired Moderator
Beta Tester
 
Join Date: Sep 2001
Location: Greece
Posts: 1,149
Quote:
Originally posted by Mikhail

Besides marketing reasons, can you please explain why it is so critical?
As I've mentioned, it is a relative term. Having a look at Outpost's coming feature list you'll notice that there are quite a few bells and whistles (for example, Add port descriptions (eg. 80 ? WWW) in the Allowed Log and the Blocked Log, Add a dashboard to the GUI, Make a plug-in that transparently sends all connection through different anonymous proxies) that I feel are less critical than stateful inspection.

Strictly theoretically speaking, no stateful inspection means that an allowed application (Outlook Express, for example) that has Outpost rules for receiving traffic, may be congested with incoming, unsolicited information, leading to system exploits.

Quote:

BTW, as for marketing, I doubt 1% of regular home users are aware of stateful inspection.
I am afraid that the success of Zone Alarm, a firewall touted and included in computer magazines, was due to an excellent marketing approach... When Dvorak from PC Magazine will discuss and analyze personal firewall important issues, you can be certain that stateful inspection will be among the list of features. If it hadn't been for comp.security.firewalls I would have never installed Tiny or Outpost...
  #8  
Old 09-29-2001, 12:37 AM
cosmos's Avatar
cosmos cosmos is offline
Retired Moderator
Beta Tester
 
Join Date: Sep 2001
Location: Greece
Posts: 1,149
Update

I am able to understand a little bit better what goes on with stateful inspection. An example is FTP. Another one is H.323 applications like netmeeting. In the netmeeting case, the user should leave a large number of ports open (say UDP traffic on ports 1024-65535), since netmeeting opens/closes them dynamically on demand for audio/video conferencing.

For a simple packet filtering hardware firewall this is a major problem, since no awareness exists for the actual application from the intranet side, that needs to access these ports. Therefore, a huge hole exists on the firewall since the administrator must open all these ports a priori. The situation is not the same with an application personal firewall: the PF knows which application listens to which port for example, so inbound communication towards a port > 1024 is matched additionally on whether netmeeting has actually a socket there.

Stateful inspection uses information that utilizes layers 3-7 of the OSI model (network layer and upwards), in order to obtain knowledge like allowing traffic on specific ports dynamically, i.e. without user intervention, a claim which has been criticized by many. Why? Take any stateful firewall and assume that an application like a new SQL database server opens ports dynamically. Does the stateful firewall understand this need for dynamic port opening? Mostly no! To my understanding, stateful personal firewalls may have support for a couple of well-known applications like FTP or netmeeting, but proceeding to full-fledged stateful inspection would require a firewall driver of some sort for each network application (like the database server above). Personal firewalls depend mostly on application awareness to do their task and stateful inspection functionality is not that useful there. The same is not true for hardware firewalls: Checkpoint's FW-1 which claims stateful inspection capabilities has support for a limited number of protocols like FTP.

IMHO, and please do not flame me, for stand-alone machines (i.e. machines that do not play the role of a firewall router for others) with application aware personal firewalls, stateful inspection can just limit the fuss of creating new rules; lack of it does not compromise system security.

Not an expert, just trying to help...
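
Added example, not part of any post in this thread: a minimal sketch of the kind of per-protocol support post #8 describes for FTP, where the firewall reads the client's `PORT` command on the control channel and opens a one-shot pinhole for the announced data connection instead of leaving ports 1024-65535 open. The class `FtpHelper`, its method names and the addresses are hypothetical and constructed for illustration; real helpers also handle PASV/EPRT and timeouts.

```python
import re

# Six decimal fields: h1,h2,h3,h4 (IPv4 address) and p1,p2 (port = p1*256 + p2).
PORT_RE = re.compile(r"PORT " + ",".join([r"(\d{1,3})"] * 6))

CLIENT, SERVER, OTHER = "192.0.2.10", "198.51.100.5", "203.0.113.77"  # constructed

class FtpHelper:
    """Hypothetical helper: watches the FTP control channel of a protected client."""

    def __init__(self):
        self.expected = set()  # (server_ip, client_ip, client_port) pinholes

    def inspect_control(self, client_ip, server_ip, line):
        """Inspect one outbound control line; return the pinhole opened, or None."""
        m = PORT_RE.fullmatch(line.strip())
        if not m:
            return None
        nums = [int(g) for g in m.groups()]
        if any(n > 255 for n in nums):
            return None
        ip = ".".join(str(n) for n in nums[:4])
        port = nums[4] * 256 + nums[5]
        # Only open a hole towards the client itself, and never on a low port.
        if ip != client_ip or port < 1024:
            return None
        hole = (server_ip, client_ip, port)
        self.expected.add(hole)
        return hole

    def allow_inbound(self, src_ip, dst_ip, dst_port):
        """Admit an inbound connection only if a PORT command announced it."""
        hole = (src_ip, dst_ip, dst_port)
        if hole in self.expected:
            self.expected.remove(hole)  # one data connection per PORT command
            return True
        return False

def demo():
    fw = FtpHelper()
    hole = fw.inspect_control(CLIENT, SERVER, "PORT 192,0,2,10,195,80\r\n")
    return [hole,
            fw.allow_inbound(OTHER, CLIENT, 50000),   # wrong peer
            fw.allow_inbound(SERVER, CLIENT, 50000),  # announced connection
            fw.allow_inbound(SERVER, CLIENT, 50000)]  # pinhole already used

if __name__ == "__main__":
    print(demo())
```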
  #9  
Old 09-30-2001, 03:21 AM
Mikhail's Avatar
Mikhail Mikhail is offline
Agnitum Ltd.
 
Join Date: May 2001
Location: Saint-Petersburg, Russia
Posts: 4,161
Quote:
Is there any indication when these features will be available?
I hate questions starting with "When...". All of them are in the frequently Unanswered questions list
  #10  
Old 09-30-2001, 08:44 AM
chrisclu's Avatar
chrisclu chrisclu is offline
Administrator
 
Join Date: Aug 2001
Location: California
Posts: 5,820
Wink

Don't sweat it. You won't offend anybody here. We're a pretty neat bunch. Mikhail is just a little spread out right now. He is sitting on probably the world's best firewall in the making. Everyone wants it all NOW!!! But he is as nervous as a long tailed cat in a room full of rocking chairs. He wants it to be all right and bug free before he releases it. A lot of features are on the to-do list and will get done eventually but they take time to develop and even more time to test and fix. I don't think any of us want it done faster than he does. But he wants it to be something he can be proud of so it won't be rushed. (Such pressure, huh Mikhail?)
Chris
  #11  
Old 10-09-2001, 12:43 AM
Mikhail's Avatar
Mikhail Mikhail is offline
Agnitum Ltd.
 
Join Date: May 2001
Location: Saint-Petersburg, Russia
Posts: 4,161
Quote:
I apologize I did not mean to rub anyone the wrong way
Forget it, I probably was wrong when I used too strong a word ("hate")
Quote:
I don't think any of us want it done faster than he does.
Exactly.
Quote:
But he wants it to be something he can be proud of so it won't be rushed. (Such pressure, huh Mikhail?)
Life without pressure is like food without salt for me. You can eat it, but it is tasteless
Quote:
Mikhail has done a fantastic job so far.
I am not the one
Quote:
As you indicated myself and many people are looking forward to stateful inspection and packet logging to add to this already excellent firewall.
After our official non-Beta release we will start working hard on our to-do list.
  #12  
Old 01-01-2002, 10:55 PM
AlexE AlexE is offline
Member
 
Join Date: Jun 2001
Location: Tallinn, Estonia
Posts: 67
Quote:
Originally posted by agnitumsurfer
I can pass EVERY security scan from various sites when configured properly I am in FULL STEALTH and able to configure many options manually.
Are you SURE you are a full stealth ;-)? AFAIK, Outpost currently fails ACK scan (nmap -sA), for example, thus making you visible at least.
Mikhail might be right stating that a "full-featured statefulness" is overkill but some "simplified workarounds" on things like this might still prove useful, eh?
  #13  
Old 01-02-2002, 07:58 PM
cosmos's Avatar
cosmos cosmos is offline
Retired Moderator
Beta Tester
 
Join Date: Sep 2001
Location: Greece
Posts: 1,149
Quote:
Originally posted by AlexE
Are you SURE you are a full stealth ;-)? AFAIK, Outpost currently fails ACK scan (nmap -sA), for example, thus making you visible at least.
Mikhail might be right stating that a "full-featured statefulness" is overkill but some "simplified workarounds" on things like this might still prove useful, eh?
I agree and must add that I expect some SPI functionality to be the first to-do to be implemented for the engine. My wish for 2002

Ok, ok I lied a bit. I would prefer the first feature to be a modification in NetBIOS handling to be implemented, as discussed in "Some optimizing on rules part II" (http://www.outpostfirewall.com/forum/showthread.php?s=&threadid=2197). SPI would be welcome to come next.

Last edited by cosmos; 01-02-2002 at 08:01 PM.
  #14  
Old 01-02-2002, 10:26 PM
Mikhail's Avatar
Mikhail Mikhail is offline
Agnitum Ltd.
 
Join Date: May 2001
Location: Saint-Petersburg, Russia
Posts: 4,161
Quote:
Are you SURE you are a full stealth ;-)? AFAIK, Outpost currently fails ACK scan (nmap -sA), for example, thus making you visible at least.
Not a bug but a feature. man nmap
"The idea is that closed ports are required to reply to your probe packet with an RST, while open ports must ignore the packets in question "
"Unfortunately Microsoft (like usual) decided to completely ignore the standard and do things their own way. Thus this scan type will not work against systems running Windows95/NT"
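
Added example, not part of any post in this thread: a simplified model of the distinction posts #3 and #12 turn on, comparing a header-only rule that admits any inbound TCP segment carrying ACK with a state table that admits only segments belonging to a conversation the protected host started. The packet model, function names and addresses are constructed for illustration; sequence numbers, timeouts and FIN handling are deliberately left out.

```python
from collections import namedtuple

# Constructed packet model; direction is "out" (from the protected host) or "in".
Pkt = namedtuple("Pkt", "direction src sport dst dport flags")
HOST, SERVER, PROBER = "192.0.2.10", "198.51.100.5", "203.0.113.77"

def stateless_allow(pkt):
    """Header-only rule: inbound is accepted whenever the ACK flag is set."""
    return pkt.direction == "out" or "ACK" in pkt.flags

class StatefulFilter:
    def __init__(self):
        self.flows = set()  # (local_ip, local_port, remote_ip, remote_port)

    def allow(self, pkt):
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == frozenset({"SYN"}):
                self.flows.add(key)        # the host asked for this conversation
            elif "RST" in pkt.flags:
                self.flows.discard(key)
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        known = key in self.flows          # solicited only if the host opened it
        if known and "RST" in pkt.flags:
            self.flows.discard(key)        # peer tore the connection down
        return known

def f(*names):
    return frozenset(names)

SAMPLE = [  # constructed traffic
    Pkt("out", HOST, 40000, SERVER, 80, f("SYN")),
    Pkt("in", SERVER, 80, HOST, 40000, f("SYN", "ACK")),
    Pkt("in", PROBER, 53124, HOST, 40001, f("ACK")),  # never asked for
    Pkt("in", SERVER, 80, HOST, 40000, f("RST")),
    Pkt("in", SERVER, 80, HOST, 40000, f("ACK")),     # arrives after teardown
]

def verdicts_stateless():
    return [stateless_allow(p) for p in SAMPLE]

def verdicts_stateful():
    fw = StatefulFilter()
    return [fw.allow(p) for p in SAMPLE]

if __name__ == "__main__":
    print(verdicts_stateless())
    print(verdicts_stateful())
```

The third and fifth verdicts are where the two approaches differ: the header-only rule passes both segments to the host, while the state table drops them because no matching flow exists.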
  #15  
Old 01-05-2002, 10:46 AM
meneer's Avatar
meneer meneer is offline
Beta Tester
 
Join Date: Sep 2001
Location: The Netherlands
Posts: 447
Perhaps there's a question about definitions:

scanning on sygatetech this is the result:
======
SOURCE PORT 4049 BLOCKED This is the port you are using to communicate to our Web Server. A firewall that uses Stateful Packet Inspection will show a 'BLOCKED' result for this port.
======

So according to Sygate my firewall does use stateful inspection.

Call it whatever you want, OP is very effective as a personal firewall. The fact is that I use it on a computer that enables internet sharing (small LAN, 3 hosts, but it must count), so stateful inspection might come in handy.
 

