You might like Kerio 2.1.5 if you can adjust to rules. It uses a mere 5 MB RAM, steady as a rock, and gets the job done. Can be configured to do almost anything you want. Little bit of a learning curve for the rules but well worth it.
There are many free offerings nowadays, but most of them are trash. Even the paid ones are junk and from my experience with them, they all have bugs of one sort or another.
CHX is another good one, however, there is no outbound app control in CHX, it is just a very good packet filter. It is free also.
Not particularly wanting to take on the bloatware of the next update of Zone Alarm, would it be a risk (security-wise or for an XP OS) to go back down to a 2.1 or 3.1 version?? I just really want a decent firewall that protects my system without the tonnes of Megabytes of memory used up. Or is there a freeware/paid for version out there that's as good and a lower resource puller. TIA.
lee walters wrote in news:Xns96E2AD0DDBF08pepplewickhotmailcom@195.92.193.157:
Although I don't use XP's FW because I purchased BlackIce long ago, you can go with it. It's free. I also use IPsec and AnalogX's Secpol rules for IPsec, which I have enabled IPsec on my laptop with BI while I am on the road using a dial-up connection. With IPsec enabled and me disabling the AnalogX rules for Windows networking - blocking them and enabling the client side rules for HTTP, HTTPS, NNTP, etc etc, nothing is coming past IPsec for BI to even respond to anything - nothing. Prior to me enabling IPsec, BI was barking like a dog and lots of log entries. This is the first time I have used IPsec in a direct connection with a machine to the Internet and I am impressed with it. I was using IPsec and BI to supplement the NAT router when I was using a NAT router.
The only thing with IPsec and the AnalogX rules is it blocks traffic for file downloads by default on the high ports > 1024 and you either create rules to open the ports with IPsec or you disable IPsec for the download.
IPsec can stop inbound or outbound traffic by port, protocol or IP and it's on the O/S too to supplement any PFW solution.
With the use of IPsec and some other things I have done to the XP O/S, the laptop is solid on the road.
Volker Birk wrote in news: snipped-for-privacy@news.uni-ulm.de:
Well, I've gone the Kerio 2.5 way and I have encountered a problem. I'm actually using a Netgear router and, yes, this may indeed be firewall protection enough, but I wanted protection more from, for example, a trojan sending out from my PC rather than stuff coming in...and the reason why Windows Firewall isn't any good for me. Anyway, for some odd reason Kerio blocks on-line mail sites such as Hotmail. With it running I can't login. Is this a conflict do you think with the router? And how could I fix it? Again -- thanks in advance.
No it wouldn't - Windows Firewall does not have anywhere near the features of ZA. Please stop spreading lies by suggesting that Windows Firewall is anywhere near what the commercial firewall applications are - and yes, even the Free Zone Alarm is a commercial application.
Keep thinking that, and I'll keep posting that you're wrong - the Windows Firewall offers the least protection of anything on the market, and is almost completely useless.
I already have, several times, but you've not offered anything that indicates I'm wrong (even though you seem to think you might have at some time)....
I proved _every_ statement about facts I made here. And I will repeat the proof for anybody who is requesting it again.
You're refusing to prove _one_ _single_ statement you're making here. As a matter of fact, you're even contradicting yourself:
In you answered my question:
| > May I ask you to offer _one_ _single_ technical argument for this point
| > of view [why the Windows-Firewall should be bad] now at last?
| Sure, as said several times before - the SP2 firewall runs on the same
| PC as the user who is most likely running as a local administrator and
| has control of the personal firewall. If that's not enough of a
| TECHNICAL REASON then you are completely missing what security is really
| about.
Here you're explaining, that your problem with the Windows-Firewall is, that "the SP2 firewall runs on the same PC as the user who is most likely running as a local administrator and has control of the personal firewall."
This is true for every "Personal Firewall" and every host based packet filter. It is true for Zonealarm as well as for the Windows-Firewall.
And this was all you had to say about the Windows-Firewall yet.
Read this - and this very point has been mentioned several times before:
formatting link
or
formatting link
And you say that the Free Zone Alarm is a "commercial application" even though they acknowledge the flaw but say they are not going to patch it? What business could trust it? - there have been proof of concept exploits shown for several years re software firewalls.
How nice. They're even realizing it. Thank you for informing.
Zonelabs has not understood the real problem BTW:
"The proof-of-concept code published uses the Windows API function ShellExecute() to launch a trusted program that is used to access the network on behalf of the untrusted program, thereby accessing the network without warning from the firewall."
Of course, only an idiot would use ShellExecute(), because this is easy to prevent with any "Personal Firewall" like the "Pro" version of Zonealarm.
One would use the same techniques to start the application one uses for tunneling, like I'm showing in:
formatting link
(it's for Internet Explorer and the German version of Windows XP only)
"für geistig Arme" means "for the simple minded" BTW ;-)
It could be changed easily to run on Windows XP in the English version. Is the window title of the window which is opened by pressing Windows+R "Run"? Then the following should work.
| As I've reported before, the Windows Firewall lacks outbound blocking
David seems not to know that this will not work.
| What's your last line of defence to keep one of these exploits from
| phoning home? Outbound blocking
I'd like to hear what he has to tell us about
formatting link
| Felman poses the rhetorical question, "If we can turn it off, then why
| can't the hackers?"
They can. And they can disable Zonealarm like any other "Personal Firewall", too, if there is already malware running on the box, as we showed in our test.
Felman is disgracing himself here, and David does not realize that.
| Microsoft officials have repeatedly downplayed the significance of the
| outbound blocking feature's absence, arguing that once malicious code is
| on a system, it's a game-over situation anyway.
Microsoft officials are completely right here.
"Total lockdown" is ridiculous, because of course if I would write malware, I would simulate user input to de-facto disable Zonealarm, like Chippy's autoclicker does.
| Are the third party products from Zone Labs, Sygate and others as good
| as they can be?
| Hardly.
This is a point I'd agree with. But David does not realize, _why_. He does not mention the security breaches "Personal Firewalls" have. He just detected the popup-problem.
Maybe David did not take a closer look at the implementation of Sygate for example, or he does not have the needed knowledge about Windows system programming. But then he should not write such articles.
| Yet another feature missing from firewalls is an easy way to whitelist
| and blacklist our browsers from reaching certain domains. It can be done,
| but you have to be a rocket scientist to do it. What would be better is a
| prompt so that every time our browsers try to reach a new domain on the
| Internet, it says, "Hey, I've never been here before, should we whitelist
| this site?" This offers a measure of comfort in knowing that some malware
| isn't going to come in, hijack my browser, and send some confidential
| information via the Web to a Russian organised crime site
And this crazy idea proves that he does not understand anything, because with the Autoclicker techniques it is trivial to phone home in spite of such a "protection".
Kerio 2.1.5 is perfectly stable on Windows XP and uses almost no resources. I believe the version 2.1.4 had a few security issues but 2.1.5 fixed them. Pricelessware.org lists Kerio 2.1.5 as pricelessware. Kerio 2.1.5 uses MD5 signatures to validate or verify programs that communicate out on the internet. MD5 is virtually impossible to fool. Stephen Michael at snipped-for-privacy@gmx.net.
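The per-program signature check mentioned in the post above, as an added example that is not from the thread or from Kerio: an outbound rule is pinned to a digest of the executable, so a replaced binary falls back to a prompt. SHA-256 stands in here for the MD5 the post names; `AppRules`, the decision strings, and the file names and contents are constructed for illustration.

```python
import hashlib
import os
import tempfile

def file_digest(path, algorithm="sha256"):
    """Hash a file in chunks so large executables are not loaded whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class AppRules:
    """Outbound rules keyed by executable path and pinned to its digest."""
    def __init__(self, algorithm="sha256"):
        self.algorithm = algorithm
        self.rules = {}  # normalized path -> (pinned digest, action)

    def _key(self, path):
        return os.path.normcase(os.path.realpath(path))

    def trust(self, path, action="allow"):
        digest = file_digest(path, self.algorithm)
        self.rules[self._key(path)] = (digest, action)

    def decide(self, path):
        rule = self.rules.get(self._key(path))
        if rule is None:
            return "prompt:unknown-program"
        pinned, action = rule
        try:
            current = file_digest(path, self.algorithm)
        except OSError:
            return "deny:unreadable"
        # A changed file no longer matches the rule and must be re-approved.
        return action if current == pinned else "prompt:binary-changed"

def demo():
    """Constructed sample: one trusted program, one unknown, then a swap."""
    with tempfile.TemporaryDirectory() as d:
        browser = os.path.join(d, "browser.exe")
        other = os.path.join(d, "other.exe")
        for p, data in ((browser, b"v1"), (other, b"x")):
            with open(p, "wb") as f:
                f.write(data)
        rules = AppRules()
        rules.trust(browser)
        results = [rules.decide(browser), rules.decide(other)]
        with open(browser, "wb") as f:
            f.write(b"v1-patched")  # binary replaced after the rule was made
        results.append(rules.decide(browser))
        return results
```

A matching digest only shows the file is unchanged; it says nothing about which other process launched or is driving that trusted program, which is the case the ShellExecute() discussion earlier in the thread is about.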