Wednesday, December 30, 2009

Outpost Pro 7.0: Seven Improvements of the Firewall Module

This blog posting is a New Year gift for advanced Outpost users. We have heard and read some complaints about the lack of information on the firewall improvements. Indeed, we may have neglected firewall development announcements in the past, as they usually refer to something "not visible" and intangible. Now we'd like to correct this and tell you more about Outpost firewall technology for 2010.

Warning! Watch out! Gobbledygook ;-)

1. Windows 7-related activity

Agnitum's R&D has implemented a new mechanism for filtering network activity and content using Windows Filtering Platform (WFP) technology. This has helped to resolve compatibility issues with Windows 7 and – potentially – with future Microsoft OSes, because WFP is positioned as the primary filtering platform for future Windows releases. As a result, the new mechanism brings more stability to Outpost solutions, including in their interaction with other network filters.

2. Windows Filtering Platform on Vista

Because the WFP-based filter proved stable on Windows 7, we decided to use the same technology on Vista (from SP1) instead of the TLI filter, which works by intercepting undocumented OS interfaces. As the WFP interfaces on Vista and Windows 7 differ significantly in a number of critical aspects, our team ported the WFP filter to Vista. This resolved critical errors that could lead to a BSOD when using TLI.

3. New filtering mechanism for incoming packets on Vista/Windows 7. Optimized performance on high-speed links.

The packet filter's handling of incoming packets that arrive at elevated IRQLs was substantially reworked. Instead of processing such packets inline at the raised IRQL, they are queued for deferred processing by a pool of worker threads. This lowers the CPU load during filtering and improves system "responsiveness" under intensive network activity.

4. Traffic between the driver and the managing service was dramatically reduced, with increased system stability and lower CPU load as a result.

Special rules for the packet sniffer were introduced so that it can be configured precisely to receive only essential information about filtered packets, for example blocked packets and packets related to connection setup and termination. Minimizing packet notifications between the driver and the service reduced the system load.

5. Content filtering improvements (loopback excluded, no filtering of binary streams)

The rule-creation and behavior-control mechanism for content filtering was reworked to limit the volume of filtered data: traffic sent over the loopback channel, and binary data that is irrelevant to content control, are excluded from filtering. The detection of binary streams, and the decision not to filter them, is implemented entirely in the driver, which minimizes the number of messages between the driver and the service, simplifies content filtering and reduces the impact on system performance.
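To make the two exclusions concrete, here is an added example in C of the decision a driver might take before handing a stream to a content filter. It is not Outpost's code: the text-versus-binary heuristic (a NUL byte, or more than an assumed share of control bytes in the first bytes of the stream, means binary), the sample size and threshold, and the sample HTTP and PNG data are all assumptions constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed tunables (not from Outpost): bytes inspected and the share of
 * control bytes above which a stream is treated as binary. */
#define SAMPLE_MAX 512
#define BINARY_RATIO_PCT 10

enum stream_kind { STREAM_UNDECIDED = 0, STREAM_TEXT, STREAM_BINARY };

/* Classify the leading bytes of a stream. A NUL byte decides for binary
 * immediately; otherwise control bytes other than TAB/LF/CR (plus DEL) are
 * counted and compared against the threshold. Bytes >= 0x80 are not
 * penalised because UTF-8 text contains them. With fewer than min_bytes
 * available the result is STREAM_UNDECIDED so the caller can buffer more. */
enum stream_kind classify_stream(const uint8_t *buf, size_t len, size_t min_bytes)
{
    if (len < min_bytes)
        return STREAM_UNDECIDED;
    if (len > SAMPLE_MAX)
        len = SAMPLE_MAX;

    size_t control = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t c = buf[i];
        if (c == 0)
            return STREAM_BINARY;
        if ((c < 0x20 && c != '\t' && c != '\n' && c != '\r') || c == 0x7f)
            control++;
    }
    return (control * 100 > len * BINARY_RATIO_PCT) ? STREAM_BINARY : STREAM_TEXT;
}

/* True for 127.0.0.0/8; addr is an IPv4 address in host byte order. */
int is_loopback_v4(uint32_t addr)
{
    return (addr >> 24) == 127;
}

/* Decision taken before data reaches the content filter: 1 = filter it,
 * 0 = pass it through unfiltered. Loopback traffic is never filtered and
 * binary streams are not filtered; a stream that is still too short to
 * classify is filtered, erring on the side of inspection. */
int should_content_filter(uint32_t remote_addr, const uint8_t *buf, size_t len)
{
    if (is_loopback_v4(remote_addr))
        return 0;
    return classify_stream(buf, len, 16) != STREAM_BINARY;
}

/* Constructed samples: the start of an HTTP response and of a PNG image. */
static const char sample_http[] =
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>hi</body></html>";
static const uint8_t sample_png[] = {
    0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a,   /* PNG signature */
    0x00, 0x00, 0x00, 0x0d, 'I', 'H', 'D', 'R'     /* IHDR chunk length + type */
};

int main(void)
{
    printf("http stream from 192.168.0.1: filter=%d\n",
           should_content_filter(0xC0A80001u,
                                 (const uint8_t *)sample_http, strlen(sample_http)));
    printf("png stream from 192.168.0.1:  filter=%d\n",
           should_content_filter(0xC0A80001u, sample_png, sizeof sample_png));
    printf("http stream from 127.0.0.1:   filter=%d\n",
           should_content_filter(0x7F000001u,
                                 (const uint8_t *)sample_http, strlen(sample_http)));
    return 0;
}
```

The point of returning STREAM_UNDECIDED for a short prefix is that a premature "binary" verdict would switch filtering off for the rest of the connection; a deployment that wants to be strict can treat undecided streams as filtered, as the wrapper above does.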

In addition, critical errors in the TDI/TLI filters used on Windows 2000/XP/Vista RTM were fixed, improving system stability.

6. SPI for UDP implemented (a nod to good old Outpost 4.0)

We introduced a mechanism that blocks attempts to use non-TCP endpoints in server mode. In other words, incoming datagrams to an endpoint are accepted only from remote hosts to which that endpoint has already sent at least one datagram. This restricts datagram endpoints to the client role of the client-server model and adds flexibility to the network security settings.
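The rule above is a small piece of pseudo-state for a stateless protocol. As an added example (not Outpost's code), the C below keeps a table of (local port, remote host) pairs that is filled on outbound datagrams and consulted on inbound ones; the keying on the remote host rather than host and port, the fixed table size and the lack of entry ageing are assumptions made to keep the illustration short, and the addresses in the scenario are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed table size; a real driver would use a hash table with ageing. */
#define UDP_PEERS_MAX 64

/* One remembered peer: this local endpoint has sent to that remote host. */
struct udp_peer {
    uint16_t local_port;
    uint32_t remote_addr;   /* IPv4, host byte order */
};

struct udp_state {
    struct udp_peer peers[UDP_PEERS_MAX];
    size_t count;
};

void udp_state_init(struct udp_state *s)
{
    memset(s, 0, sizeof *s);
}

static int udp_find(const struct udp_state *s, uint16_t local_port, uint32_t remote_addr)
{
    for (size_t i = 0; i < s->count; i++)
        if (s->peers[i].local_port == local_port && s->peers[i].remote_addr == remote_addr)
            return (int)i;
    return -1;
}

/* Outbound datagram seen: remember that local_port talked to remote_addr.
 * Returns 0 on success, -1 if the table is full (the datagram itself still
 * goes out; only the later replies would then be refused). */
int udp_note_outbound(struct udp_state *s, uint16_t local_port, uint32_t remote_addr)
{
    if (udp_find(s, local_port, remote_addr) >= 0)
        return 0;
    if (s->count == UDP_PEERS_MAX)
        return -1;
    s->peers[s->count].local_port = local_port;
    s->peers[s->count].remote_addr = remote_addr;
    s->count++;
    return 0;
}

/* Inbound datagram seen: allowed (1) only if this endpoint previously sent
 * at least one datagram to that remote host, otherwise blocked (0). */
int udp_inbound_allowed(const struct udp_state *s, uint16_t local_port, uint32_t remote_addr)
{
    return udp_find(s, local_port, remote_addr) >= 0;
}

/* Endpoint closed: forget every peer of that local port so a later socket
 * that happens to reuse the port does not inherit the permissions. */
void udp_endpoint_closed(struct udp_state *s, uint16_t local_port)
{
    size_t kept = 0;
    for (size_t i = 0; i < s->count; i++)
        if (s->peers[i].local_port != local_port)
            s->peers[kept++] = s->peers[i];
    s->count = kept;
}

/* Constructed scenario: a DNS query from port 40000 to 192.0.2.53, its reply,
 * an unsolicited datagram from 198.51.100.7, then a reply after the socket
 * closed. Returns how many of the three inbound datagrams were allowed. */
int udp_demo(void)
{
    struct udp_state st;
    udp_state_init(&st);
    const uint16_t port = 40000;
    const uint32_t dns = 0xC0000235u;       /* 192.0.2.53 */
    const uint32_t stranger = 0xC6336407u;  /* 198.51.100.7 */
    int allowed = 0;

    udp_note_outbound(&st, port, dns);
    allowed += udp_inbound_allowed(&st, port, dns);        /* reply: allowed */
    allowed += udp_inbound_allowed(&st, port, stranger);   /* unsolicited: blocked */
    udp_endpoint_closed(&st, port);
    allowed += udp_inbound_allowed(&st, port, dns);        /* late reply: blocked */
    printf("inbound datagrams allowed: %d of 3\n", allowed);
    return allowed;
}

int main(void)
{
    return udp_demo() == 1 ? 0 : 1;
}
```

Clearing the table when the endpoint closes matters as much as filling it: without that step a new socket bound to a recycled port would start with permissions earned by its predecessor.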

7. Filtering of invalid TCP flags

The packet filter checks the TCP flags and classifies a packet as unwanted if it carries an invalid combination of flags. Because such packets are dropped at the earliest stage, this reduces the load on the firewall and on the network stack when a host is bombarded with them.
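Which combinations count as invalid is the whole substance of such a check, so here is an added example in C of one defensible rule set (not Outpost's; the post does not say which combinations its filter rejects). It rejects segments with no control flags, SYN together with FIN or RST, RST together with FIN, FIN without ACK, and PSH/URG on a segment that carries neither SYN nor ACK, while deliberately ignoring the ECN bits so that an ECN-negotiating SYN is not misclassified. The sample flag octets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TCP flag bits as laid out in the header's flags octet (RFC 793 / RFC 3168). */
#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_PSH 0x08
#define TCP_ACK 0x10
#define TCP_URG 0x20
#define TCP_ECE 0x40
#define TCP_CWR 0x80

enum tcp_flags_verdict {
    TCP_FLAGS_OK = 0,
    TCP_FLAGS_NULL,        /* no control flag at all */
    TCP_FLAGS_SYN_FIN,     /* open and close in one segment */
    TCP_FLAGS_SYN_RST,     /* open and abort in one segment */
    TCP_FLAGS_RST_FIN,     /* abort and close in one segment */
    TCP_FLAGS_FIN_NO_ACK,  /* every segment after the SYN carries ACK, FIN included */
    TCP_FLAGS_DATA_NO_ACK  /* PSH/URG without SYN or ACK: no state it can belong to */
};

/* Classify the flags octet of a TCP header. Returns TCP_FLAGS_OK for any
 * combination a conforming stack can produce, otherwise the first reason
 * why the segment is malformed. ECE/CWR are masked out on purpose: a SYN
 * with both set is a legitimate ECN negotiation, not an anomaly. */
enum tcp_flags_verdict tcp_flags_check(uint8_t flags)
{
    uint8_t f = flags & (TCP_FIN | TCP_SYN | TCP_RST | TCP_PSH | TCP_ACK | TCP_URG);

    if (f == 0)
        return TCP_FLAGS_NULL;
    if ((f & TCP_SYN) && (f & TCP_FIN))
        return TCP_FLAGS_SYN_FIN;
    if ((f & TCP_SYN) && (f & TCP_RST))
        return TCP_FLAGS_SYN_RST;
    if ((f & TCP_RST) && (f & TCP_FIN))
        return TCP_FLAGS_RST_FIN;
    if ((f & TCP_FIN) && !(f & TCP_ACK))
        return TCP_FLAGS_FIN_NO_ACK;
    if ((f & (TCP_PSH | TCP_URG)) && !(f & (TCP_ACK | TCP_SYN)))
        return TCP_FLAGS_DATA_NO_ACK;
    return TCP_FLAGS_OK;
}

/* Convenience wrapper for the early-drop decision: nonzero means drop. */
int tcp_flags_invalid(uint8_t flags)
{
    return tcp_flags_check(flags) != TCP_FLAGS_OK;
}

/* Runs the check over ten constructed flag octets: six ordinary handshake,
 * data and teardown segments followed by four malformed ones. Returns the
 * number of segments that would be dropped. */
int tcp_flags_demo(void)
{
    static const uint8_t samples[] = {
        TCP_SYN,                        /* client SYN */
        TCP_SYN | TCP_ACK,              /* server SYN-ACK */
        TCP_SYN | TCP_ECE | TCP_CWR,    /* ECN-capable SYN */
        TCP_PSH | TCP_ACK,              /* data segment */
        TCP_FIN | TCP_ACK,              /* orderly close */
        TCP_RST | TCP_ACK,              /* reset */
        0x00,                           /* no flags */
        TCP_SYN | TCP_FIN,              /* SYN with FIN */
        TCP_FIN,                        /* FIN without ACK */
        0xFF                            /* every bit set */
    };
    int dropped = 0;
    for (size_t i = 0; i < sizeof samples; i++) {
        enum tcp_flags_verdict v = tcp_flags_check(samples[i]);
        printf("flags 0x%02x -> %s\n", samples[i], v == TCP_FLAGS_OK ? "pass" : "drop");
        dropped += (v != TCP_FLAGS_OK);
    }
    return dropped;
}

int main(void)
{
    return tcp_flags_demo() == 4 ? 0 : 1;
}
```

A bare RST is accepted on purpose: a host answering a segment for a closed port or an aborted connection may send RST alone or RST+ACK, so rejecting it would break legitimate error signalling, which is exactly the kind of false positive a flag check has to avoid to be usable at the earliest stage of filtering.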

That's it for now. We hope you'll find enough food for thought in this article :-) Looking forward to your feedback!

Last but not least, we'd like to wish you a Happy New Year! Best of luck, happiness and health in 2010!

Maxim Korobtsev, CTO, Agnitum


qp said...

It's absolutely great to see a bit more technical postings.

Lincoln Rodrigues said...

Thanks for your information. I was worried about version 6.7.x on Vista because I received some BSODs at the TCP level. In this way, the new version will be more resistant and stable. Good news.

H Mitchell said...

A bit of technical insight is always welcome as it aids the decisions regarding upgrading.
The "WFP-based filter" approach sounds like its all positive. However for the enterprise standing pat on XP (for the obvious reasons), is your new approach available for this version of the OS? Will the performance advantages still apply?
Best Regards.

Agnitum BLOG said...

Mitchell, thanks for the comment!

The WFP filtration approach applies solely to Vista and Windows 7. However, this is just one of a few examples of "platform-sensitive" tweaks. The majority of performance improvements mentioned in this and further blog postings concern all OSes.

Andreas said...

It would be nice to add the possibility of using wild-cards for the exception list (Web Control)!

Then there would be no need to address URLs with or without www, and sub-dir aka would be dealt with à la *

THAT would be an improvement as I have asked for it since using the V4.

In Addition it would be nice to toggle (disable/enable) the Web Control via HOTKEYs (incl. User Definition).

Anonymous said...

I'm running Outpost Security Suite Pro 6.7 on Windows 7 Ultimate x86 and I have found no compatibility issues.

It is just a little tricky to configure, as it does as advertised by blocking all web content with malware.

The real time scanning is very real time.

The network monitoring is excellent.

Great product.

Anonymous said...

In the new Outpost Pro, is it possible to make an IP Block list with IPv6 addresses and to do the same with Application Rules?
It's just an ask.

Great Zoe

Anonymous said...

Hello!!! I'm a big fan of the Agnitum products. When will the new product appear on the market!!! I can't wait to test it!!

Anonymous said...

Hi!!! I'm a big fan of the Agnitum products. When will the new products appear!! I can't wait to test them!!