Topic: Time Synchronization and Comodo's pseudo UDP SPI (Read 1855 times)
Jarmo P (Comodo Member, Posts: 29)
Time Synchronization and Comodo's pseudo UDP SPI « on: February 10, 2007, 07:09:03 AM »
Let's see if I have understood a few things correctly, and maybe I can also help clear up some concepts for others.
First, the preliminary information about the clock update, which is the same with any firewall:
1. When starting the update from the systray clock, svchost.exe sends a UDP packet from local port 123 to the time server (default IP 207.46.130.100), port 123.
2. The time server responds to that packet by sending a UDP packet containing the time value back from remote port 123 to local port 123, svchost.exe.
Notice that the sent and received packets usually do not belong to the same internet connection, but they are related in the sense that they are a request and a reply.
Step 1 in CPF requires an Application Monitor rule allowing svchost.exe to connect to the time server IP, UDP port 123, besides the default network rule allowing UDP out to any IP and port.
Now to step 2.
Most CPF users have the default Network Monitor rules of not allowing incoming connections unless running some server-type applications.
It is not needed for time synchronization either, thanks to Network Monitor's SPI (Stateful Packet Inspection).
The incoming reply connection is passed in despite there being no explicit rule allowing incoming UDP.
Then the CPF Application Monitor, which to my knowledge does not implement any SPI bookkeeping, comes into play.
There needs to be a rule allowing svchost.exe incoming UDP on local port 123 to your computer's IP (or your PC's hostname).
Notice that CPF application incoming rules are more limited than with firewalls like Sygate or Kerio 4 (since these allow you to specify the remote source server IP). But I do not see this as a serious risk, if any, since normally only SPI-matching incoming connections are passed in.
Kerio 4 has pseudo UDP SPI in application rules and thus no incoming rule is needed.
Older firewalls like Kerio 2.1.5 or Sygate 5.5 have no pseudo UDP SPI.
Comodo has decided to be very uninformative about how their firewall actually works, but the above are the conclusions I have come to so far.
Hope this helps others besides me, if the above is correct.
Jarmo
« Last Edit: February 10, 2007, 07:40:26 AM by Jarmo P »

Jarmo P (Comodo Member, Posts: 29)
Re: Time Synchronization and Comodo's pseudo UDP SPI « Reply #1 on: February 12, 2007, 08:40:39 AM »
Anyone?
Able to confirm my findings?
I really want to use this firewall, but as long as it remains a black box ...

Little Mac (Global Moderator, Comodo's Hero, Posts: 6000)
Re: Time Synchronization and Comodo's pseudo UDP SPI « Reply #2 on: February 12, 2007, 02:17:45 PM »
Jarmo,
Have a look at this explanation of Network Rules: http://forums.comodo.com/index.php/topic,6167.msg45480.html#msg45480, and also this explanation of CFP's layered ruleset/security: http://forums.comodo.com/index.php/topic,6167.msg45545.html#msg45545. The heading for each topic links back to the original topic, where you can post specific questions.
The short answer is that no extra Inbound rule is needed in the Network Monitor as long as you have the default rule to allow the Outbound traffic necessary for the timeserver. This is because the Inbound in this case is in Response/Reply to the Outbound request (ie, when svchost.exe connects to MS timeserver and requests an update on the time). If you were to create a separate In rule, you would be allowing the remote location (timeserver, etc) to connect to your computer at will. This is something you DON'T want.
LM
date
dcfldd split=2G conv=noerror hashwindow=0 hash=md5 hashlog=/mnt/sda1/images/hash.log if=/dev/hda of=/mnt/sda1/images/LM.dd
date
cat LM.dd.* | md5sum > verify.log
date
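
Added example (not part of any post in this thread and not Comodo's code): a toy Python model of the behaviour discussed in the opening post and in Reply #2, where the UDP reply is let in because it matches a tracked outbound request, compared with a static inbound rule on UDP 123. The class and function names, the 30-second timeout and the LAN and stranger addresses are assumptions; only the time server IP comes from the thread.

```python
from dataclasses import dataclass, field

STATE_TTL = 30.0  # seconds a tracked UDP flow stays valid (assumed value)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class UdpFilter:
    """Hypothetical network-level filter with 'pseudo' state tracking for UDP."""
    static_inbound_ports: set = field(default_factory=set)  # explicit "allow in" rules
    flows: dict = field(default_factory=dict)                # tracked flow -> expiry time

    def outbound(self, pkt: Packet, now: float) -> str:
        # Default rule: allow UDP out to any IP/port, and remember the flow.
        self.flows[(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = now + STATE_TTL
        return "allow"

    def inbound(self, pkt: Packet, now: float) -> str:
        # A reply is the outbound tuple with source and destination swapped.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        expiry = self.flows.get(key)
        if expiry is not None:
            if now <= expiry:
                return "allow: reply to tracked request"
            del self.flows[key]  # state timed out, forget the flow
        if pkt.dst_port in self.static_inbound_ports:
            return "allow: static inbound rule"
        return "block: unsolicited"

HOST = "192.168.1.10"           # constructed LAN address
TIME_SERVER = "207.46.130.100"  # time server IP quoted in the thread
STRANGER = "203.0.113.50"       # constructed address (documentation range)

def run_scenarios() -> dict:
    request = Packet(HOST, 123, TIME_SERVER, 123)
    reply = Packet(TIME_SERVER, 123, HOST, 123)
    probe = Packet(STRANGER, 123, HOST, 123)

    stateful = UdpFilter()  # default rules: no inbound allow rule at all
    stateful.outbound(request, now=0.0)
    results = {
        "reply": stateful.inbound(reply, now=0.2),
        "probe": stateful.inbound(probe, now=0.3),
        "late_reply": stateful.inbound(reply, now=STATE_TTL + 1),
    }
    # Same probe against a filter that has a separate "allow in UDP 123" rule.
    with_in_rule = UdpFilter(static_inbound_ports={123})
    results["probe_with_in_rule"] = with_in_rule.inbound(probe, now=0.0)
    return results

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:20} {verdict}")
```

The last scenario is the case Reply #2 warns about: with a standing inbound rule, a packet that answers no request is accepted.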

Jarmo P (Comodo Member, Posts: 29)
Re: Time Synchronization and Comodo's pseudo UDP SPI « Reply #3 on: February 12, 2007, 02:41:09 PM »
Thanks for your reply, LM.
I am slowly starting to accept how Comodo works. Makes me trust it more than my initial reaction.
Once I knew it has no SPI bookkeeping on Application Monitor but only on Network Monitor, it was easier for me to start accepting that Act as Server default install access, since by default all incoming unsolicited connections are blocked in Network rules.
I did not, though, find any reference to this Application Monitor missing SPI behaviour on your forum, in the help file, or even in those links you gave me, unless I read too carelessly. It could have helped me a lot if it was mentioned.
And these days not much software needs to open incoming ports in Network Monitor. Most work just fine with SPI. Some do, but they are usually higher-numbered ports, and as you said, opening something like UDP 123 to all would indeed be quite stupid.

Little Mac (Global Moderator, Comodo's Hero, Posts: 6000)
Re: Time Synchronization and Comodo's pseudo UDP SPI « Reply #4 on: February 12, 2007, 02:54:06 PM »
Regarding SPI, I'd refer you to the Help files, under the Overview section, where it has the following info:
Quote
Comodo Firewall Pro - Overview
--------------------------------------------------------------------------------
Introduction
Comodo Firewall Pro is designed as an endpoint security enforcer which fulfills all the requirements of a host based security system should do. With its layered security architecture, it is one of the most challenging personal firewalls available, providing an all-in-one security enforcer for all OSI network communication layers. Comodo Firewall Pro includes an integrated executable file database, which is a comprehensive classification of all known executable files. It is the only firewall which provides such significant information with users.
Network Protection
Comodo Firewall Pro, although designed for personal use, includes an industrial strength stateful inspection firewall, acting at OSI Layers 2, 3 and 4 to filter incoming and outgoing network traffic. Such an advanced filter keeps track of each and every packet sent/received and performs intelligent analysis on critical protocols such as TCP, UDP, FTP etc.
Comodo Personal Firewall also detects and prevents DOS/DDOS attacks including:
SYN/UDP/ICMP Floods,
TCP/UDP Port Scans,
Upon facing such an intrusive attack, it switches to an emergency mode by creating some automatic rules and updating its internal states according to the attack behavior, to secure the host against it until the attack ceases. Users will not notice such a change in terms of functionality but will remain protected.
Quick Features:
Advanced TCP/UDP/ICMP and IP protocol filtering
IP fragmentation handling
DOS/DDOS resistance and handling
Stateful TCP/UDP Protocol Inspection
Application Protection
Although the network protection is adequate to defeat the most of the network based attacks, today’s threats require highly sophisticated application based access filtering mechanisms to enforce true host based security policies.
Comodo Firewall Pro provides a powerful application firewall which is one of the best application filters available in the market.
Restricting network traffic according to the application which generates it, requires filtering at OSI Layers 3, 4, 5, 6 and 7.
Application Filtering
Comodo Firewall Pro provides full control on applications’ networking behaviors.
Application firewall can;
Limit applications network access characteristics such as port, protocol and host.
Give users the ability to control number of connections per minute an application can create
Leak Resistance
Unfortunately, malware programs are evolving rapidly. Many of such programs employ very advanced techniques to conceal their malicious activities so that they easily bypass the standard protection mechanism provided by the most personal firewalls. These techniques are commonly known as “leak” techniques.
Comodo Firewall Pro passed ALL LEAK TESTS with an outstanding success rate not seen in any other firewalls available.
Although passing the known leak tests are often enough to provide you a robust protection, Trojans do not have to limit themselves to these known techniques and they always try to find new ones to cheat the protection mechanism you have. Due to this fact, Comodo developers constantly research to improve our firewall to keep you protected at all times against emerging and unknown threats.
User Friendliness
Comodo Personal Firewall has an easy to use and intuitive GUI which is suitable for both advanced and novice users.
Our selection of wizards make sure novice users will face no difficulties in managing vital security configurations. Advanced users and experts can fine tune Comodo Firewall Pro using its extensive configuration options.
--------------------------------------------------------------------------------
Copyright © 2005 - 2007 COMODO ®. All Rights Reserved
LM

Jarmo P (Comodo Member, Posts: 29)
Re: Time Synchronization and Comodo's pseudo UDP SPI « Reply #5 on: February 12, 2007, 03:09:17 PM »
Something only a firewall expert could understand.
Sounds more like an advertisement one wants to skip, as most of the Comodo help file actually does.
Sorry for sounding so harsh, it is not your fault LM and thanks for your replies.
The information I needed I still could not find in that excerpt.
« Last Edit: February 12, 2007, 03:18:13 PM by Jarmo P »

Little Mac (Global Moderator, Comodo's Hero, Posts: 6000)
Re: Time Synchronization and Comodo's pseudo UDP SPI « Reply #6 on: February 12, 2007, 03:36:01 PM »
Sorry that didn't help...
Do you still have an unanswered question at this point?
LM

Jarmo P (Comodo Member, Posts: 29)
Re: Time Synchronization and Comodo's pseudo UDP SPI « Reply #7 on: February 12, 2007, 03:43:37 PM »
Nope and also thanks for that help file quote.
I would not usually be this critical towards documentation, but this thing had me puzzled for weeks.

Little Mac (Global Moderator, Comodo's Hero, Posts: 6000)
Re: Time Synchronization and Comodo's pseudo UDP SPI « Reply #8 on: February 12, 2007, 03:47:56 PM »
Normally, if you can't find it in the help file (or not in a way that answers your question), the forums are a good place to go. I've always found the users and staff here to be friendly and helpful.
Glad I could help a bit, to clear it up for you.
LM

OldDuffer (Newbie, Posts: 3)
Re: Time Synchronization and Comodo's pseudo UDP SPI « Reply #9 on: March 06, 2007, 07:38:52 AM »
Hi
Please forgive me but I have read various posts and have failed to comprehend the advice given (I am a computer user not a programmer).
I have set up rules and can happily surf the internet, access the router, access other computers on my network. GRC Shields Up reports no problems.
What I cannot get to work is the Internet Time Protocol.
Could anyone give an idiot like me an example of what to set and where.
ttfn
BoB

Little Mac (Global Moderator, Comodo's Hero, Posts: 6000)
Re: Time Synchronization and Comodo's pseudo UDP SPI « Reply #10 on: March 06, 2007, 09:50:18 AM »
Hey Bob,
If you have the default Network Monitor rules in place, and have not placed a block on svchost.exe in the Application Monitor, you should be good to go. That is, if you're referring to the Windows clock synch, where it checks and updates the time. This uses svchost.exe, and makes an outbound connection using UDP, to update.
If you're having a problem with it (which sounds like you may be), can you give some more specifics about what you're experiencing, when/how, etc? That will help on this end.
TNX,
LM

OldDuffer (Newbie, Posts: 3)
Re: Time Synchronization and Comodo's pseudo UDP SPI « Reply #11 on: March 07, 2007, 05:32:25 AM »
Hi, thanks for the reply.
There are 3 computers on the network: mine, my wife's and weather. All running XP.
The router is a D-Link DSL-G604T.
The computer with Comodo A/V and Comodo Firewall installed is dedicated to running a weather station. It will effectively be unattended. It needs to sync time every 6 hours, this being controlled within the weather software; I am trying to find out what time server it uses.
My computer has Panda internet security.
My wife's has Avast anti-virus and Sygate personal firewall.
The results of testing with the built-in time software are these:
Mine - Close automatic protection (i.e. disable Panda) / time.nist.gov = no, time.windows.com = no.
Wife's - Firewall and A/V working / time.nist.gov = no, time.windows.com = yes.
Weather - Comodo Firewall and A/V working / time.nist.gov = no, time.windows.com = yes.
So I do not think it is a Comodo problem. As to why two computers update the time from windows.com and not from nist.gov and the third from neither I do not know.
Any ideas!

Little Mac (Global Moderator, Comodo's Hero, Posts: 6000)
Re: Time Synchronization and Comodo's pseudo UDP SPI « Reply #12 on: March 07, 2007, 12:14:10 PM »
Bob,
Is the time on the weather station not updating, then? Is there a Comodo log entry showing a connection being blocked to the (or a) timeserver IP address?
There should be some setting, presumably, within the weather station software regarding the timeserver used, if it's needing to update separate from Windows updating. If you can't find it, you might contact the software company and ask where it is, or what is used...
Regarding your computer not updating the time, it may have the automatic update disabled... If you open the time control window (double-click the time in the systray) and go to the 3rd tab (Internet Time), see if the box "Automatically synchronize with an internet time server" is checked.
LM

v0id (Newbie, Posts: 1)
Re: Time Synchronization and Comodo's pseudo UDP SPI « Reply #13 on: March 08, 2007, 01:54:35 PM »
Quote from: OldDuffer on March 07, 2007, 05:32:25 AM
[snip]
Quote from: OldDuffer on March 07, 2007, 05:32:25 AM
So I do not think it is a Comodo problem. As to why two computers update the time from windows.com and not from nist.gov and the third from neither I do not know.
Any ideas!
You might want to give this a try:
Start -> Run -> cmd
w32tm /resync /rediscover
(or just "w32tm", sans the quotes, for a list of parameters)