Is Firewall necessary?

Is a software firewall such as Zone Alarm essential for added protection if I am already using the XP firewall, AVG antivirus (free) and have a wired router (D-link-524)? Will it offer me any additional protection? If so, is there a better free firewall than Zone alarm?

Thanks.

Reply to
Dickie Peters

Your primary means of protection from external sources would be the NAT Router, then properly secured computer/updates/security patches, then proper/quality Antivirus software. The Windows firewall provides NO protection in your setting as long as you have the NAT Router, and it doesn't provide much protection when you run as an Administrator as most malware and most good applications can create exceptions in the rules that you never know about.

ZA, as long as you understand it, and run as a limited user, then you could use it and feel reasonably secure. I use Tiny or ZAP on my laptops when we enter an unknown area, and we use them specifically for being able to see what is attempting to access our system as well as block what attempts to access them - but, we could configure them so that we didn't need a firewall, but that also imposed some limitations on the way we can use our systems.

Reply to
Leythos

I cannot see anything in the common "Personal Firewall" products, which is not useless if not counterproductive.

Yours, VB.

Reply to
Volker Birk

Your router, AVG free and Mozilla Firefox are all you need. Zone Alarm and all other 'personal firewalls' are not firewalls at all, they are all garbage! Visualize these two scenarios:

-1 You install ZA or some other similar crap, then you start your browser. Your 'firewall' pops up a message asking you if you wish to allow the browser to access the internet and tells you a whole story about how dangerous that can be. You want to be safe and tell ZA to keep blocking it, but decide to keep your browser anyway because it has a cute icon. Then, you start your email client and you get another message asking you if you wish to allow it to access the net. You want to stay safe and tell ZA to keep blocking it, then you go to the nearest bookstore and buy all the books on telepathy, since you can't use electronic mail any more. You pop an audio cd in your drive and Windows Media Player tries to retrieve info on that cd to display it for you. But, ZA stops it. Then, you try to play an online game and ZA tells you it's not safe and you allow it to block the game. At the end of the day, after you allowed ZA to control your life, you ask yourself: Why the f*ck am I paying for internet access?

-2 You install ZA or some other similar crap, but this time you allow everything to access the internet, because you need to browse and communicate, etc... At the end of the day, you ask yourself: Why the f*ck did I install Zone Alarm?

Reply to
Jack
[why ZoneAlarm is crap]

-3 It's broken, totally broken, just like any other PFW. Most recent case: Computer A had ZoneAlarm running. A could ping B, but B could not ping A. ZoneAlarm got deactivated, still didn't work. ZoneAlarm got uninstalled, everything worked fine.

Reply to
Sebastian Gottschalk

That wasn't so bad, I have recently tested close to 100 different pfw's, looking for one that blocks outside intruders, not me. Some of them screwed up my settings and left them screwed up even after uninstall. Luckily, I wouldn't test any crappy software without a fresh Ghost image. The only software firewall that does what it should do, detect an attack and give you the option to block the offending IP, was Black Ice. It's a shame it crashed my email server every five minutes. I got a better router in the meantime and I'm happy.

Reply to
Jack

Blocking the offending is a wonderful idea to shoot yourself in the foot.

Bad memories coming up... wasn't this the software where ISS demonstrated how RegExps should not be used?

What about some serious HPBF implementation for Windows like Wipfw, InJoy Firewall or the Windows Firewall? Or what about not using any packet filter at all?

Reply to
Sebastian Gottschalk

As cheap firewalls go, I'm fond of the Kerio Enterprise firewall, which seems to give you a Checkpoint style rule interface and about 40% of the capability of Checkpoint, but at about 1/8th the price. Around $350 / computer, wish it were less.

Agreed that the ZoneAlarms of the world are so anxious to be cute, and so targeted at not stopping the truly stupid user, that they are nearly completely worthless to anyone who understands networking.

Reply to
Will

If you had been following the ramblings of Sebastian, you'd know that, in his eyes, there are *NO* effective software firewalls.

LQTM

Reply to
Notan

Yeah, that thing even got an ICSA evaluation. Eh... did you ever read the evaluation report they're so proud of? Seems like this thing is horribly insecure and very vulnerable to DoS, thus after many bugfixes hardly passed the evaluation at all.

and a horrible ruleset expressiveness.

And Wipfw is for free. Now, what's your point? If you're not going to build a routing firewall but merely want a host-based packet filter, I'd say that Kerio Enterprise is total overkill.

Full ACK. Just the lack to refer to TCP flags or the captured TCP session states should make that obvious. One must be really totally clueless to get along without such prerequisites.

Reply to
Sebastian Gottschalk

Which routing firewalls do you like that have a GUI configuration interface and cost under $900?

I would always want a firewall to have some level of stateful inspection. Packet filters that don't even attempt to see who started the connection are pretty easy to defeat.

For my own use, I prefer routing firewalls since I tend to use virtual machines a lot and those get put on separate subnets behind my computer.

I'm certainly not bragging that Kerio Enterprise is the best routing firewall. It's just good value for the buck, for protecting workstations or low end applications behind a main firewall. I certainly do see a lot of room for improvement, and I'm certainly open to suggestions about what is better, without spending Checkpoint or ISA prices.

Reply to
Will

I would not build any firewall upon Windows. Anyway, judging from your description you wanted a host-based packet filter.

As Wipfw has.

Nonsense. What difference should it make, except adding more potentially vulnerable code?

This sounds even more nonsensical, since this both wouldn't provide any protection and can't even work.

Reply to
Sebastian Gottschalk

I see that SG didn't answer your question when he replied, he is really good at ignoring questions and side-stepping them.

In the under $400 market, I would pick a DFL-700 device.

In the under $900 market, I would pick a WatchGuard X55e (about $920) and then a X20e for a small shop (20 users, about $600).

Reply to
Leythos


greg

Reply to
Greg Hennessy

That's your problem.

Security is a process, not a product,

Those of us who work in the real world have deployed and supported FW1 on NT for the better part of a decade. (Not my 1st choice as a checkpoint platform, but that's a client decision, some sites do not tolerate Unix in any shape or form).

Those of us who work in the real world have evaluated ISA 2k4/2k6 and found a lot in there to like.

It usually takes MS about 3 attempts to get something approaching right & in the case of ISA 2k4/2k6 it's a very capable enterprise grade firewall solution.

If MS did the right thing and made EMC an offer for rainwall/rainconnect they couldn't refuse , it would IMHO be a viable option for a multitier solution in any enterprise sized MS shop.

greg

Reply to
Greg Hennessy

Let's say you want to create a firewall rule that allows the host behind the firewall to make DNS queries going to the Internet.

A firewall that tracks who initiated the request and looks for the response to come within a certain time period would allow a rule that specifies the source host or network behind your firewall and the destination as the outside network, using DNS UDP 53. The firewall would reject UDP 53 queries coming from the outside in unless the firewall's state table could match those packets to an appropriate outstanding request.

To contrast, a stupid packet filter defines simple rules for DNS queries that allow destination port 53/UDP out and source port 53/UDP in. If there is no internal state table that keeps track of queries that originate from your internal network, any intruder can bypass your firewall simply by using a source port of 53 and sending the data as a UDP packet. There are lots of routers and simple packet filtering firewalls that implement designs not much more sophisticated than that.

Do you always have the habit of making assertions without submitting any form of evidence or reasoning? At very least try. You may not be able to control the fact that you are disagreeable to every idea, but you could at least try to make yourself effective in the process. Otherwise your posts all come across as just grumpy emotional displays, no factual information provided.

It works just fine. You define virtual adapters that are private networks between the firewall host and the virtual computer. Routing is turned off on the box, and all traffic must pass through the routing firewall. The routing firewall sees the virtual adapter as it would any physical adapter, and you can construct host and network based rules, NAT rules, whatever, that use those virtual adapters. I've tested such firewalls with packet constructors like HPing3 and while they are not great they are a whole level beyond what host based packet filters like ZoneAlarm can do.

It also works more securely than a host based packet filter. There are lots of published mechanisms for circumventing software based firewalls that run on the same OS as the application you are trying to constrain. You can circumvent a firewall that runs on the same host OS as your application by playing games with how the OS APIs are called, installing rootkits, etc, on the OS. If the software you are trying to constrain or publish out runs on a different OS on a virtual computer, and your firewall sees that traffic on the wire as it would a separate physical computer with a separate ethernet network, there is a lot less the application can do to bypass the firewall rules. If it is a virus it can malform packets, but most commercial applications don't do that. So there are just fewer tricks that can be used to circumvent the firewall.

Reply to
Will
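The DNS rule pair Will contrasts above, as an added example that is not from the thread: a stateless "dport 53 out, sport 53 in" rule next to a filter that records each outbound query and admits only the matching reply within a timeout, both run over constructed UDP packets (the internal prefix, the server address and the 5-second timeout are assumptions).

```python
from dataclasses import dataclass

INSIDE_NET = "192.168.1."    # constructed internal network prefix
DNS_TIMEOUT = 5.0            # seconds a query may wait for its reply (assumed)

@dataclass(frozen=True)
class Packet:                # UDP only, to keep the comparison short
    direction: str           # "out" (inside -> Internet) or "in" (Internet -> inside)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def stateless_allow(p: Packet) -> bool:
    """Plain rule pair: udp dport 53 out, udp sport 53 in. No memory at all."""
    if p.direction == "out":
        return p.src_ip.startswith(INSIDE_NET) and p.dst_port == 53
    return p.src_port == 53 and p.dst_ip.startswith(INSIDE_NET)

class StatefulDnsFilter:
    """Records each outbound query; only its own reply may come back, in time."""
    def __init__(self):
        self.pending = {}    # (client_ip, client_port, server_ip) -> expiry time

    def allow(self, p: Packet, now: float) -> bool:
        if p.direction == "out":
            if not (p.src_ip.startswith(INSIDE_NET) and p.dst_port == 53):
                return False
            self.pending[(p.src_ip, p.src_port, p.dst_ip)] = now + DNS_TIMEOUT
            return True
        key = (p.dst_ip, p.dst_port, p.src_ip)   # a reply mirrors the query tuple
        expiry = self.pending.get(key)
        if p.src_port == 53 and expiry is not None and now <= expiry:
            del self.pending[key]                # one reply closes the state
            return True
        return False                             # unsolicited or late: reject

def verdicts() -> dict:
    """Each filter's (genuine reply, unsolicited sport-53 packet) decisions."""
    query = Packet("out", "192.168.1.10", 40000, "198.51.100.53", 53)
    reply = Packet("in", "198.51.100.53", 53, "192.168.1.10", 40000)
    unsolicited = Packet("in", "203.0.113.9", 53, "192.168.1.10", 1434)
    sf = StatefulDnsFilter()
    sf.allow(query, now=0.0)
    return {"stateless": (stateless_allow(reply), stateless_allow(unsolicited)),
            "stateful": (sf.allow(reply, now=1.0), sf.allow(unsolicited, now=1.0))}
```

The stateless rules pass both packets; the stateful filter passes the reply only while the query is outstanding and rejects the unsolicited one outright.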

And if you had real experience, you could build any type of firewall on any OS. And then, if no such stupid "no Unix" constraints are given, BSD+ipfw/pf or Linux+netfilter would be the best choice, for obvious reasons.

And, depending on your company's policy, you should really consider not working for clients which demand firewalls on Windows, since it's not worth the risk.

ISA is pretty much based on the integration to proprietary Windows protocols that can't be easily handled by other firewall products or would require separate hosts (even if virtual).

Reply to
Sebastian Gottschalk


I just underlined where you got it wrong. Stateful filtering has nothing to do with identifying processes.

And if there is, he can tunnel through DNS. Your point being?

Fine:

  1. Virtual machines share the same physical interface.
  2. If you're using bridging, you're hosed.
  3a. If you're providing NAT through the VM monitor, the firewall can't work since it doesn't know about the NAT states, or can't provide any security because you have to emulate that behaviour in an obviously insecure manner.
  3b. If you're providing NAT through the firewall, then the VMs won't get any connection.
  3c. If you're providing NAT through both mechanisms, you still have the problem of the two mechanisms not knowing the states of each other, so you'll either get it insecure or non-working.

I thought that this should be obvious to someone who claims to run a firewall and knows about NAT and virtual machines implementation.

What about creating trivial scenarios which disprove your idea?

Just like this:

Virtual Machine A opens a TCP connection with src.ip=192.168.1.1 src.port=3000 to dst.ip=12.34.56.78 dst.port=80. The NAT mechanism of the VM translates it to src.ip=192.168.100.1 src.port=1040. Then it gets passed through the routing firewall, which translates it to src.ip=78.56.34.21 src.port=1040.

The connection times out, VM A drops the connection and the VM NAT mechanism deassociates the NAT state.

Now the physical host opens a connection with src.port=1040 and creates a connection to 12.34.56.78:80 as well.

Now an answer to 78.56.34.21:1040 is received.

Question: What should the routing firewall do?

a) forward to the virtual interface of VM A
b) forward to the program running on the physical host
c) drop the packet

Hint: Neither is right. From a security perspective, one would choose C, but then you'd have f***ed up the network. If you don't choose C, you're trivially getting insecure.

I guess you'd be able to construct a similar scenario for the case of port forwarding being utilized.

Anything is better than ZoneAlarm. Doesn't make your stupid application or serious software any more serious.

They share one physical interface, and the host is supposed to be secured as well. That's why this often heard idea fails so blatantly.

Legitimate applications don't require any such control. That's exactly why they're legitimate.

Let's see... you're adding a VM, complex configuration and a non-working or trivially insecure setup... for the sake of... achieving nothing?

Reply to
Sebastian Gottschalk
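The double-NAT sequence Sebastian lays out above, replayed as an added example that is not from the thread: two independent NAT state tables (the VM monitor's and the routing firewall's) with constructed idle timeouts, where the firewall never sees the silent timeout of VM A's connection and so still holds its mapping when the host program reuses port 1040. The timeouts, the table layout and the `route_reply` decision function are assumptions made for the illustration.

```python
from dataclasses import dataclass

VM_NAT_IDLE = 60.0     # assumed: VM monitor forgets an idle flow after 60 s
FW_NAT_IDLE = 300.0    # assumed: routing firewall keeps its mapping for 300 s

@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatTable:
    """Maps (translated port, peer) to the original flow; idle entries expire."""
    def __init__(self, public_ip: str, idle: float):
        self.public_ip, self.idle, self.entries = public_ip, idle, {}

    def translate(self, f: Flow, new_port: int, now: float) -> Flow:
        self.entries[(new_port, f.dst_ip, f.dst_port)] = (f, now + self.idle)
        return Flow(self.public_ip, new_port, f.dst_ip, f.dst_port)

    def lookup(self, port: int, dst_ip: str, dst_port: int, now: float):
        key = (port, dst_ip, dst_port)
        hit = self.entries.get(key)
        if hit is None or now > hit[1]:
            self.entries.pop(key, None)          # expired: drop the stale state
            return None
        return hit[0]

def route_reply(fw: NatTable, host_ports: set, port: int, peer: tuple, now: float) -> str:
    """The firewall's choices for a reply to its public port: vm, host or drop."""
    vm_flow = fw.lookup(port, peer[0], peer[1], now)
    if vm_flow is not None and port in host_ports:
        return "ambiguous"                       # NAT mapping and local socket both claim it
    if vm_flow is not None:
        return "vm"
    return "host" if port in host_ports else "drop"

def scenario() -> tuple:
    """Replays the thread's sequence; returns (VM NAT forgot?, firewall verdict)."""
    peer = ("12.34.56.78", 80)
    vm_nat = NatTable("192.168.100.1", VM_NAT_IDLE)
    fw_nat = NatTable("78.56.34.21", FW_NAT_IDLE)
    inner = vm_nat.translate(Flow("192.168.1.1", 3000, *peer), 1040, now=0.0)
    fw_nat.translate(inner, 1040, now=0.0)       # firewall sees 192.168.100.1:1040
    # VM A's connection times out without FIN/RST, so only the VM NAT expires it.
    vm_forgot = vm_nat.lookup(1040, *peer, now=100.0) is None
    host_ports = {1040}                          # host program now opens from :1040
    return vm_forgot, route_reply(fw_nat, host_ports, 1040, peer, now=100.0)
```

With the firewall's mapping still live and the host socket on the same port, the reply to 78.56.34.21:1040 matches both, which is the a/b/c choice the post describes; once the firewall's own timeout also passes, only the host claim remains.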

Only someone who has no clue regarding operational risk could make such a ridiculous statement.

Don't teach your grandmother how to suck eggs.

Show me a 'free' solution which can dynamically filter soap/xml/rpc *and* doesn't require command line hackery to manage.

Show me the netfilter/pf solution that can dynamically fixup and sanitise a huge range of application protocols other than basic FTP.

Again you have demonstrated a lack of real world experience, client requirements extend far beyond mere L3 packet filtering.

Considering that you have singularly failed to quantify that 'risk' in anything resembling terms other than emoting hearsay, I'll treat your advice with the due consideration it deserves.

Oh puhleeze. Enough with the bullshit already, you clearly do *not* know about the commercial products under discussion.

greg

Reply to
Greg Hennessy

What are you referring to? Calling the constraint stupid? Well, it certainly is. And has nothing to do with operational risk, for obvious reasons.

This "command line hackery" as you call it is exactly why you can utilize a wide variety of management tools, including graphical ones. Just show me one "non-free" solution that could compare to the management of large networks with ShoreWall.

Well, netfilter. I just looked at the list... weeh, more than 900 helper modules for netfilter. Including one for such nasty stuff like H.323 which you can find nowhere else.

I never claimed anything in this way. But well, as you may understand, most L7 protocol filtering is done using proxy firewalls.

sizeof(Windows_installation_stripped_down) = 300 MB+
sizeof(Linux_from_a_scratch+netfilter) = 1 MB

I rest my case. You really don't understand how much overkill and complexity a Windows installation provides, and how hard it is to properly secure it just on its own.

I do. If you really need something like ISA, then ISA is great. But better don't create such an unnecessary need.

Reply to
Sebastian Gottschalk
