firewall opinions

Guest

I've been running Zone Alarm free version on my XP home SP2 system. The ONLY
thing I don't like about it, is the time it takes to load on bootup. Besides
ZA, what are some of the firewalls that you folks use and recommend??
Thanks ....
 
Van said:
I've been running Zone Alarm free version on my XP home SP2 system. The ONLY
thing I don't like about it, is the time it takes to load on bootup. Besides
ZA, what are some of the firewalls that you folks use and recommend??
Thanks ....

A simple $30 broadband router is better protection than any software
firewall can provide, but in addition to that; I recommend the Windows XP
SP2 firewall. It's actually a decent performer and is one of the easier
ones to manage and configure.

carl
 
I must get one of these $30 routers for my dialup connection.. seems like it
is a panacea that works..

Re. software firewalls, the latest versions more or less configure
themselves.. can't see why they would be a problem..

--
Mike Hall
MVP - Windows Shell/user
 
Mike Hall (MS-MVP) said:
I must get one of these $30 routers for my dialup connection.. seems like it
is a panacea that works..

Re. software firewalls, the latest versions more or less configure
themselves.. can't see why they would be a problem..

--

For people with broadband connections, they come damn close to being a
panacea. No more worms, trojans reduced to annoyances, ICS unnecessary, new
installs can be patched over the Internet without worry...

And all of this protection remains constant regardless of the level of care
and attention the end-user pays to system security.

carl
 
Van said:
I've been running Zone Alarm free version on my XP home SP2 system. The ONLY
thing I don't like about it, is the time it takes to load on bootup. Besides
ZA, what are some of the firewalls that you folks use and recommend??
Thanks ....


Sygate's Personal Firewall
(http://smb.sygate.com/free/default.php

--
Bruce Chambers

Help us help you:

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
Jon_Hildrum said:
I just use the winXP firewall. However, I also have a router with a NAT
translator


WinXP's built-in firewall is adequate at stopping incoming attacks,
and hiding your ports from probes. What WinXP SP2's firewall does not
do, is protect you from any Trojans or spyware that you (or someone
else using your computer) might download and install inadvertently.
It doesn't monitor out-going traffic at all, other than to check for
IP-spoofing, much less block (or even ask you about) the bad or the
questionable out-going signals. It assumes that any application you
have on your hard drive is there because you want it there, and
therefore has your "permission" to access the Internet. Further,
because the Windows Firewall is a "stateful" firewall, it will also
assume that any incoming traffic that's a direct response to a
Trojan's or spyware's out-going signal is also authorized.

ZoneAlarm, Kerio, or Sygate are all much better than WinXP's
built-in firewall, and are much more easily configured, and there are
free versions of each readily available. Even the commercially
available Symantec's Norton Personal Firewall is superior by far,
although it does take a heavier toll of system performance than do
ZoneAlarm or Sygate.

If you use a router with NAT, it's still a very good idea to use a
3rd party software firewall. Like WinXP's built-in firewall,
NAT-capable routers do nothing to protect the user from him/herself (or
any "curious," over-confident teenagers in the home). Again -- and I
*cannot* emphasize this enough -- almost all spyware and many Trojans
and worms are downloaded and installed deliberately (albeit unknowingly)
by the user. So a software firewall, such as Sygate or ZoneAlarm, that
can detect and warn the user of unauthorized out-going traffic is an
important element of protecting one's privacy and security. (Remember:
Most antivirus applications do not even scan for or protect you from
adware/spyware, because, after all, you've installed them yourself, so
you must want them there, right?)

I use both a router with NAT and Sygate Personal Firewall, even
though I generally know better than to install scumware. When it comes
to computer security and protecting my privacy, I prefer the old "belt
and suspenders" approach. In the professional IT community, this is
also known as a "layered defense." Basically, it comes down to never,
ever "putting all of your eggs in one basket."


--
Bruce Chambers

Help us help you:

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
Vagabond said:
A simple $30 broadband router is better protection than any software
firewall can provide, but in addition to that; I recommend the Windows XP
SP2 firewall. It's actually a decent performer and is one of the easier
ones to manage and configure.

carl


If you use a router with NAT, it's still a very good idea to use a
3rd party software firewall. Like WinXP's built-in firewall,
NAT-capable routers do nothing to protect the user from him/herself (or
any "curious," over-confident teenagers in the home). Again -- and I
*cannot* emphasize this enough -- almost all spyware and many Trojans
and worms are downloaded and installed deliberately (albeit unknowingly)
by the user. So a software firewall, such as Sygate or ZoneAlarm, that
can detect and warn the user of unauthorized out-going traffic is an
important element of protecting one's privacy and security. (Remember:
Most antivirus applications do not even scan for or protect you from
adware/spyware, because, after all, you've installed them yourself, so
you must want them there, right?)

I use both a router with NAT and Sygate Personal Firewall, even
though I generally know better than to install scumware. When it comes
to computer security and protecting my privacy, I prefer the old "belt
and suspenders" approach. In the professional IT community, this is
also known as a "layered defense." Basically, it comes down to never,
ever "putting all of your eggs in one basket."

--
Bruce Chambers

Help us help you:

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
Van said:
I've been running Zone Alarm free version on my XP home SP2 system. The ONLY
thing I don't like about it, is the time it takes to load on bootup. Besides
ZA, what are some of the firewalls that you folks use and recommend??
Thanks ....

I like the Windows firewall (SP2 version). I have never had a problem
with either this firewall or its predecessor (the one that originally
came with XP), while I have had (minor) problems with all of the third
party firewalls that I have tried (including Zone Alarm) and virtually
all of the firewall-related problems I read about in the Windows XP
newsgroups deal with third party firewalls (insert "hmm...." here).

Be advised that the Windows XP firewall is slightly less secure than
most of the third party firewalls, although in my opinion this isn't a
problem. All good firewalls, including the Windows firewall, block
others from communicating with your computer unless you the user
initiate the communication (e.g. by checking for your e-mail, or going
to a particular website). However, the third party firewalls also
block programs already on your computer from communicating with the
Internet unless you specifically give them permission to do so or the
program is known to be safe. This means that if some POS succeeds in
putting a trojan or worm on your computer, it won't be able to "phone
home" to the POS -- the third party firewall will block it. The
Windows firewall will not.

Be further advised that this additional security comes at a price, in
the form of a slight performance hit (e.g. Symantec's Norton Internet
Security), occasional software conflicts (e.g. Zone Alarm), and false
positives (firewalls blocking legitimate programs from accessing the
Internet, e.g. to update themselves). Personally, I prefer a security
strategy of using methods other than my firewall to keep the crud off
my computer in the first place. For example, virtually 100 percent of
all crudware on computers is there because the user volitionally put
it there, e.g. by opening an e-mail attachment from a stranger, or
allowing a dubious website to install an Active-X control, or by
clicking on a popup ad, or downloading "free" software, or doing
something really dumb like downloading Kazaa. So I simply choose not
to do any of these things. :) Computer security is definitely an
area where knowledge is power and an ounce of prevention is worth lots
of hours, energy, and dollars spent trying to get crud off your
machine because you, the user, made bad choices in allowing it to be
installed in the first place.

Opinions differ on this subject, and your mileage may vary. If you
are a security novice, a third party firewall may be a better choice,
akin to putting training wheels on a bike. But I would think a better
idea is to become more knowledgeable about computer security than ride
around on a bike with training wheels. :)

Ken
 
WinXP's built-in firewall is adequate at stopping incoming attacks,
and hiding your ports from probes. What WinXP SP2's firewall does not
do, is protect you from any Trojans or spyware that you (or someone
else using your computer) might download and install inadvertently.

Windows firewall, like other personal firewalls, is subject to being
disabled or hacked from a user's account when they run as Administrator
account type also. In the case of most users, since they run as
Administrators of their local computers, this renders many personal
firewall solutions useless.

A NAT router solution is the proper way to go for home users, IMHO.
 
I've been running Zone Alarm free version on my XP home SP2 system. The ONLY
thing I don't like about it, is the time it takes to load on bootup. Besides
ZA, what are some of the firewalls that you folks use and recommend??
Thanks ....

IMHO it has probably nothing to do with ZA. I use ZA with AV on SP2 and
it loads fast. I had used free ZA before. How do you know ZA is the
problem? Check if you could not tune your system, disable other
useless processes that load at startup, try bootvis, and see what
happens then.

To my mind ZA is a top 5 program, even in its free version. The best
firewall on the market.
 
Hey Van, whenever you see conflicting advice on firewalls
(such as, (a) software firewalls are an important addition to a complete
multi-layer security system VS. (b) software firewalls are unnecessary
because hardware firewalls do everything that software firewalls do,
plus no Trojan can ever open a port on a hardware firewall), you really
have to go to a higher authority. Opinions are like armpits.

Last year, PC World Labs partnered with German security firm AV-Test to
test, evaluate and compare many firewall, antivirus, and anti-spyware
products. Included in the test was one of Linksys' best hardware
firewall/router/NAT devices. Their conclusion on page 3 was that two
software firewalls deserved the Editors Best Buy award, but neither of
two hardware firewall/router devices deserved the award. Furthermore,
the final recommendations on page 9 stressed the importance of using a
combination of defenses (not any one product that is good at only one
specialty), including Both a software firewall and a hardware firewall.
you can see their article at
http://www.pcworld.com/reviews/article/0,aid,115939,pg,1,00.asp

after reading this article, you will see that the test results prove
that (a) a hardware firewall/router does things that a software firewall
does not, and (b) a software firewall does things that a hardware
firewall does not. this is clearly why you need Both. For example, see
page 2 of the above article that states the following facts:

Consider the Bagle worm, which hides its identity by injecting itself
into the Windows Explorer application. When AV-Test infected a system
with this worm, the McAfee, Norton, Sygate, and ZoneAlarm firewalls
asked if Windows Explorer could access the Internet.

by comparison, a hardware firewall would not stop to ask the user for
approval of this outbound transmission of who knows what (maybe your
personal credit card or bank account number/password captured by a
keystroke logging program?), but would simply allow this outbound
transmission to go through unchecked.

another source of facts you can go to, when facing conflicting advice
from those who offer nothing but opinions, is an authoritative web site
such as the Gibson Research Corp web site. at www.grc.com, the section
named LeakTest describes another vulnerability that hardware
firewall/router devices are Helpless to defend against.

take the test for yourself. download their program named LeakTest.exe.
rename a legitimate program like IExplore.exe to IExplore.old. then
rename LeakTest.exe to IExplore.exe and launch it. the results are
clear and indisputable. a hardware router/firewall will not even stop
to ask you if this outbound leak of information is OK, but will allow
this outbound communication to pass through unchecked. ZoneAlarm will
stop it and ask for your approval. besides the fact that hardware
firewalls are inherently clueless to this vulnerability, what this also
means is that any kid who has read a book like Windows 101 can rename
any file from something like KeystrokeLoggerThatAlsoLaunchesIE.exe to
IExplore.exe with two simple commands.
 
after reading this article, you will see that the test results prove
that (a) a hardware firewall/router does things that a software firewall
does not, and (b) a software firewall does things that a hardware
firewall does not. this is clearly why you need Both. For example, see
page 2 of the above article that states the following facts:

And what should be clear is that each device is there for a specific reason,
hardware firewalls are border devices - they protect the border. If a
hardware firewall is properly configured you can't get malware from the
web or from email, but not all hardware appliances have SMTP/HTTP/FTP
proxy filters that can remove that type of stuff.

In all the years I've been doing this, when a client has a strong firewall
solution - and those Linksys/DLink/Netgear devices ARE NOT FIREWALLS, and
a strong AV product and a strong security policy for
users/systems/networks, there has never been a need for a personal
firewall application on their internal/protected machines. A laptop,
something that is internal and external is the exception, I run personal
firewall applications on every laptop.

What they didn't show you in those tests was a user running as an
administrator level account accessing a virus/worm that was designed to
disable the personal firewall software - something that would not work on
a firewall appliance.

Also, with even cheap routers / NAT boxes like the Linksys, you can block
outbound ports 135~139,445,1433/1434,1026/1027 and stop many worms from
spreading like they would normally. This was something else they left out
of their review.

The clear first layer is a hardware device that provides NAT, with SPI if
you can find one, and to not forward anything inbound. A second is quality
Antivirus software, then all service patches, including MS Office patches,
and then securing IE/OE/Outlook, and then if you still feel the need, then
install a personal firewall application, but don't use the computer as an
administrator level account or there is little point in using the PFW.
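The two mechanisms argued over in this thread, a NAT router that drops unsolicited inbound traffic but lets replies to any outbound flow (a Trojan's included) back in while still blocking outbound 135-139, 445, 1433/1434 and 1026/1027, and a personal firewall that additionally asks which program opened the connection, as a small added Python model; this is an illustration written for this page, not code from any product named here, and the packet layout, addresses and program names are constructed.

```python
"""Model of the two firewall layers discussed in the thread: a NAT router
with stateful inspection plus an outbound port block list, and a host
firewall that also checks which program opened the connection.

Added illustration only; packet format, addresses and process names are
constructed for the example and do not come from any real product."""
from dataclasses import dataclass, field

# Outbound destination ports blocked at the router, as listed in the thread.
EGRESS_BLOCKED_PORTS = {135, 136, 137, 138, 139, 445, 1433, 1434, 1026, 1027}


@dataclass(frozen=True)
class Packet:
    direction: str        # "out" (LAN -> Internet) or "in" (Internet -> LAN)
    src: str              # "ip:port"
    dst: str              # "ip:port"
    process: str = ""     # visible only to the host firewall, never the router

    def dst_port(self) -> int:
        return int(self.dst.rsplit(":", 1)[1])


@dataclass
class StatefulNatRouter:
    """Drops unsolicited inbound traffic, remembers outbound flows so their
    replies are let back in, and enforces the egress port block list."""
    flows: set = field(default_factory=set)

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            if pkt.dst_port() in EGRESS_BLOCKED_PORTS:
                return "drop: egress port blocked"
            self.flows.add((pkt.src, pkt.dst))   # remember LAN -> Internet flow
            return "allow"
        # Inbound is allowed only if it answers a flow already seen leaving;
        # the router cannot tell whether that flow was a browser or a Trojan.
        if (pkt.dst, pkt.src) in self.flows:
            return "allow: reply to established flow"
        return "drop: unsolicited inbound"


@dataclass
class AppAwareHostFirewall:
    """What a personal firewall adds: a new outbound connection from a
    program not on the allow list is held for the user's decision."""
    allowed_programs: set
    prompts: list = field(default_factory=list)

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "in":
            return "allow: handled by stateful layer"
        if pkt.process in self.allowed_programs:
            return "allow"
        self.prompts.append(pkt.process)
        return f"prompt user: {pkt.process} wants {pkt.dst}"


def run_layered(packets, allowed_programs):
    """Pass each packet through the router and then the host firewall and
    return the (router, host) verdict pair; a router drop never reaches the host."""
    router = StatefulNatRouter()
    host = AppAwareHostFirewall(set(allowed_programs))
    verdicts = []
    for pkt in packets:
        r = router.decide(pkt)
        h = host.decide(pkt) if not r.startswith("drop") else "n/a"
        verdicts.append((r, h))
    return verdicts


# Constructed traffic; addresses and program names are made up for the demo.
SAMPLE = [
    Packet("in", "203.0.113.9:4444", "192.168.1.10:135"),                  # port probe
    Packet("out", "192.168.1.10:1050", "203.0.113.9:445", "worm.exe"),     # worm spreading
    Packet("out", "192.168.1.10:1051", "198.51.100.7:80", "iexplore.exe"), # browsing
    Packet("in", "198.51.100.7:80", "192.168.1.10:1051"),                  # web reply
    Packet("out", "192.168.1.10:1052", "198.51.100.7:80", "keylog.exe"),   # phone-home
    Packet("in", "198.51.100.7:80", "192.168.1.10:1052"),                  # its reply
]

if __name__ == "__main__":
    for pkt, (r, h) in zip(SAMPLE, run_layered(SAMPLE, {"iexplore.exe"})):
        print(f"{pkt.direction:3} {pkt.src:>18} -> {pkt.dst:<18} router={r:<34} host={h}")
```

The router alone stops the probe and the outbound 445 attempt but passes the phone-home on port 80 and its reply; only the host layer, which sees the program name, holds that one for a decision.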
 
thanks again Leythos. always good to hear from you, since you are
always a valuable contributor. no dispute or disagreement with anything
you said. what is unfortunate is that 99.99% of the average PC users in
the world will never read anything that you or i write here.

99.99% of the average PC users in the world will acquire something for
PC security (whether it is hardware or software), and do little more
than plug it in and walk away, like a microwave oven. they have no
desire to spend hours reading instructions about how to tweak and
configure the firewall (hardware or software) to stop every conceivable
intruder/intrusion. that's why the best hardware firewall in the
world will always be less than adequate in the hands of 99.99% of
average PC users in the world. this is exactly why 99.99% of average
users in the world need Both a software and a hardware firewall.

as if the above were not convincing enough, hardware firewalls are
inherently clueless to stop the vulnerability described by Gibson
Research Corp in their LeakTest documentation at www.grc.com. This
leaves over 99% of average PC users in the world vulnerable, who go
surfing the "wild wild web" logged in with Administrator privileges.
Does the fault lie with the uneducated user? Of course. this is
precisely why over 99% of average PC users in the world need Both a
hardware and a software firewall.

farewell for now. as always, it has been a benefit and pleasure to
cross paths with you again. i always see something new or different,
when i hear back from you. have a nice weekend.
 
thanks again Leythos. always good to hear from you, since you are
always a valuable contributor. no dispute or disagreement with anything
you said. what is unfortunate is that 99.99% of the average PC users in
the world will never read anything that you or i write here.

Yea, it's really too bad that not only will they never read it, but they
will never understand that there are serious security problems with their
default configured machines. Even worse, once they do get compromised the
first time, they won't learn anything from it, and their repaired machine
will still not be secured.
99.99% of the average PC users in the world will acquire something for
PC security (whether it is hardware or software), and do little more
than plug it in and walk away, like a microwave oven. they have no
desire to spend hours reading instructions about how to tweak and
configure the firewall (hardware or software) to stop every conceivable
intruder/intrusion. that's why the best hardware firewall in the
world will always be less than adequate in the hands of 99.99% of
average PC users in the world. this is exactly why 99.99% of average
users in the world need Both a software and a hardware firewall.

Let me give you an example of a Sorority that we manage. When the
residents started this year, only one was a returning resident, all the
others were new residents. The ones that came from the Dorms at the Univ
to the house were the most infected of all of them. The next worst were
the ones that had been living in apartments with other students - with one
exception, two of them had been sharing an internet connection in a house
where they had a simple Linksys router - they had spyware but not serious
problems.

As part of our overall solution we installed a Linksys BEFSX41 router (NAT
box) between the ISP's DSL modem and their 48 port switch for the house.
We also installed a Windows 2000 Server running IIS (to allow remote
access to the router logs) and WallWatcher, and VNC on a non-default port
and with a nasty password.

With this configuration, and with the residents using email from the Univ,
they have all managed to remain virus free, spyware free, and safe without
using any personal firewalls. How do I know, I can see it in the router
logs. It was funny, I noticed the traffic go from 8mb per day to around
30mb once and tracked it back to a resident that had installed Kazaa,
which is a violation of the AUP, and it took a simple BLOCK of her IP in
the router to stop it, and then a call to get her to remove it, and it was
all resolved again.

Oh, we installed AVG and FireFox for all systems, and AVG has been updated
to AVG7. Any machine that was running McCrappy (McCaffy) had it replaced
with AVG or Norton AV (if they could afford NAV).

Now, one other thing, I block outbound 135,136,137,138,139,445, 1433/1434,
1026,1027 to those destination ports. The only inbound is the IIS (and
it's locked down and requires a user/password) and the VNC on non-default
port.

So, with almost 6 months of running time and 40+ residents, I would hazard
a guess that the router is able to do about 99% of the protection they
need.
as if the above were not convincing enough, hardware firewalls are
inherently clueless to stop the vulnerability described by Gibson
Research Corp in their LeakTest documentation at www.grc.com. This
leaves over 99% of average PC users in the world vulnerable, who go
surfing the "wild wild web" logged in with Administrator privileges.

Actually, LeakTest is a scare tactic, a good one, but a scare tactic - much
like vendors calling routers with NAT firewalls (which they are not). A
real firewall should be configured to block most of what leaktest will
attempt - about the only outbound traffic that should be exposed is 25,
80, 110, 443, 53 for people that use external mail servers and SOHO
devices or cheap routers.

It should also be noted that a personal firewall application running on
your typical users computer won't protect them either as most of them will
permit an application to access the internet without even knowing what
that application is or is doing.
Does the fault lie with the uneducated user? Of course. this is
precisely why over 99% of average PC users in the world need Both a
hardware and a software firewall.

Sure, it lies with the User, but, like sheep, there are simple things
that ISPs can do to protect them. Almost every ISP's cable/dsl modem has
the ability to provide NAT and block unsolicited inbound traffic - if they
would just install them in this mode as default it would eliminate a lot
of issues with users computers. Allowing a user, without question, to
request that NAT be disabled would be necessary too.

I guess what we have to figure out is how a user that can't be protected
by a hardware appliance is going to be protected from their own ignorance
when running a PFW - since they are more likely to get compromised by
misconfiguring the PFW I don't know where to begin with them.
farewell for now. as always, it has been a benefit and pleasure to
cross paths with you again. i always see something new or different,
when i hear back from you. have a nice weekend.

It's been great chatting with you too - look forward to your reply. Have a
great week.
 
JW said:
another source of facts you can go to, when facing conflicting advice
from those who offer nothing but opinions, is an authoritative web site
such as the Gibson Research Corp web site. at www.grc.com, the section
named LeakTest describes another vulnerability that hardware
firewall/router devices are Helpless to defend against.


I'm in complete agreement with everything you had to say, except for
this one paragraph. While the advice to research at an authoritative
web site is good, your example wasn't. Gibson is considered to be little
more than a joke to true security professionals.

Gibson has been fooling a lot of people for several years, now, so
don't feel too bad about having believed him. He mixes just enough
facts in with his hysteria and hyperbole to be plausible. Anything he
says, and especially the Snake Oil solutions he offers, should be taken
with a grain of salt.

Perhaps you should read what computer security specialists have to
say about Steve Gibson's "security" expertise. You can start here:
http://www.grcsucks.com/



--
Bruce Chambers

Help us help you:

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
just be sure to apply this advice to other areas besides firewalls (this
advice about the importance of using a combination of defenses, not only
one product that is good at only one specialty). For example, Spybot
S&D is very good at a specialty, but AdAware Plus and SpySweeper are
very good at a different specialty. Using instructions at the web site
http://www.mvps.org/winhelp2002/hosts.htm lots of crapware would
never be downloaded because it would be inaccessible.

another layer of defense is Not surfing the wild wild web logged in with
Administrator privileges. (surfing does not mean getting Windows
Updates.) i also went another step, by removing all access from
Limited User accounts to the folder named \Program Files, except for
Read/Execute. so when i do surf the wild wild web using a Limited User
account, Program Files will not be replaced/corrupted by an infection or
intruder. Since antivirus programs have the same specialty, there is no
need to use multiple antivirus programs.

it's like home security. be sure to watch "It Takes a Thief" on
Discovery Channel (a very good program with advice from ex-burglars
after filmed break-ins). they do not rely on just locks, or just
sensors, or just one security mechanism. besides locks on the outside
doors and windows, they also use locks on the inside doors, and locks on
valuable paintings. besides sensors and inside sirens, they also use
outside sirens. they don't stop there either. you'll see when you
watch the show.
 
thanks again for your contribution. the experiences you convey here are
very valuable. with No disrespect, i must disagree with a couple of
your points.

it is Not really the router that protects the 40+ residents after 6
months of use. it is Not a gun on the wall that protects a home owner.
it is the experience and preparation and training of the gun owner.
in this case, it is years of Leythos' experience planted into the
device, and your ongoing monitoring that protects the 40+ residents.
the fact remains that 99.99% of average PC users in the world will never
attain (and have no desire to attain) that zenith of knowledge about the
ideal router configuration.

you also might be confusing LeakTest with some other tool like
ShieldsUp. the purpose of LeakTest is Not to test various ports (e.g.
80,25,110, etc.) for outbound capability. and although the results are
scary, it is not a tactic by a snake-oil salesman (per another posting).
the Real purpose of LeakTest is to test whether or not a firewall
would Stop to ask a user for approval, whenever a legitimate program
(e.g. IExplore.exe) attempts access through a legitimate port (e.g. 80).
if not, then any Trojan (or script easily written by a kid) that
renames an evil program to masquerade as the legitimate program, has
easily provided the evil program with unfettered access to a world full
of infections. this remains a weakness that hardware routers are
inherently clueless to prevent.

on the other hand, if a PC user did not launch program ABC, and out of
the blue, suddenly ZoneAlarm asks "Do you want to allow program ABC to
access the internet?", then the user will probably say "Where did this
come from? I did not initiate this?" now, if the user blindly
approves this nonsense, it is the user's fault, not ZoneAlarm. but at
least the user had a chance to stop it, which a hardware router would
Never have provided, because hardware routers do Not even stop to ask
about Approved programs going through Approved ports.

finally, there will always be instances where we cannot protect users
from their own ignorance when using Hardware routers, not just software
routers. the fact is that users of ZoneAlarm do not need to spend hours
reading or posting questions here in order to learn all the ports and
tweaks needed to properly configure it for use with Messenger. they
simply check Ask on the line labeled Messenger, and ZoneAlarm takes care
of knowing all the ports and tweaks.

on the other hand, i see angry users every day coming to the Messenger
newsgroup, asking what are all the ports used by Messenger, so they can
open ALL of those ports on their router, because they are so angry that
they cannot get Messenger to work with their new router. considering
the fact that the number of people who come asking for help are
outnumbered by the people who Never come asking, that reduces a huge
number of hardware routers to useless piles of metal. this is clearly a
case where ZoneAlarm would help 99.99% of average PC users in the world.

does this remove the benefit of having a hardware device? of course
not. i have never and will never say that. i have always said that for
99.99% of average PC users in the world, multiple layers of defense are
better than one device very good at one specialty. software and
hardware firewalls have many features in common, but clearly each can do
some things that the other cannot. because a hardware router cannot be
turned off by a Trojan, a hardware router is an important addition to a
total multi-layer defense strategy.

always a pleasure conversing with you. i do believe you realize i am
only talking about 99.99% of average PC users in the world, not that
fraction of 1% -- the expert users in the world who have attained the
zenith of knowledge about ideal router configurations.
 
JW said:
Discovery Channel (a very good program with advice from ex-burglars
after filmed break-ins). they do not rely on just locks, or just
sensors, or just one security mechanism. besides locks on the outside

Visit the dog store. Buy the 2 largest dog feed dishes available. Slap
some slop in them to dirty them up; don't worry, the birds/mice will eat it
but still leave stains. Put them next to your doors. No burglar will
even take the chance.
 