Best of free firewalls?

When looking for a good and free firewall, is Zone Alarm the one to go with or is something better?

Jane

Reply to
FERRANTE

That's very simple to answer: No. ZoneAlarm is neither good nor a firewall. Therefore every real firewall and/or good software is better.

Reply to
Sebastian Gottschalk

Comodo is one I've been using with good results.. and free

formatting link
alan

Reply to
Alan Strassberg

formatting link

Reply to
Cathy

Hm... Fullquoting, double empty lines, direct link... "Melih", is it you? ;-)

Yours, VB.

Reply to
Volker Birk

I would question that.

These are just some of my experiences noted down when I had a look at it about a week ago:

No matter if installed in its default (self-configuration?) mode or advanced mode, it would bug me for all kinds of technical questions and considerations. It would even give me wrong information - like

" is trying to connect to the internet on remote IP 127.0.0.1". I wonder how my localhost got out on the internet. Or " is trying to connect to the internet on remote IP 192.168.x.x port 53".

Some people claim that PFW's add value since they can help you learn some basics about networking. I don't know what you can learn from messages like these.

It would also give me several so-called "security considerations" like "C:\\WINNT\\system32\\rundll32.exe has loaded .dll into .exe using a global hook which could be used by keyloggers to steal private information." or "Executable LSA-file and server-DLL (export version) is trying to act as a server. Security Considerations: WINLOGON.EXE may be using LSASS.EXE to connect to the internet." or "VNC server is trying to connect to the internet on remote IP 127.0.0.1. Security Considerations: SERVICES.EXE may be using mstask.exe to connect to the internet."

How is a non-technical user supposed to figure out if this behaviour is legitimate or caused by malware?

I also experienced these messages queueing up. But before I got to them, they would simply disappear again without telling me what had been done to these messages.

When trying to start my web-browser, it did however make a true statement. I was told that firefox was trying to connect to the internet. That was true. To tell you the truth, it was trying very hard indeed - but my network connection seemed to be broken, and I had to reboot before I could finally get my network access back.

I don't want to be offensive, but I hope the code lying underneath intended to protect you is of better quality than what is presented to the user.

Comodo PFW is definitely not for novices.

Reply to
B. Nice

The problem with a lot of these so-called 'security' apps is that they rely on you installing them on a clean system to begin with, and then they usually require a learning period of a few days where you more or less have to train them as to what's 'normal' on your system. After that training period and in the future then, any alerts you may see are supposed to be valid or potential problems arising.

But can you imagine Joe Blow installing something like this on an already messed up system and trying to make any sense out of all the popups? I think not...

An intelligent and educated user is a far better defense I think..

Reply to
Kerodo

As far as outbound control is concerned, it seems like even that will not make much difference.

Me neither.

I wouldn't say he needs to be intelligent. All he needs is a small amount of common sense and a few basic rules to follow. Otherwise, I fully agree.

Reply to
B. Nice

or he could listen to VB and use the Win XP FW on Win XP machines.

VB: when you suggest doing that, what do you use to block outgoing (isn't layered security important? you should at least pick up if a system has been compromised after the fact, some decent log )

Reply to
q_q_anonymous

Nothing. Why should I? "Blocking outgoing" implies, that you have lost already, that your box is 0wn3d already. I agree with Jesper in this case:

formatting link
So the idea is, not to get malware onto the computer. And for that case, there are sensible provisions to prevent from getting infected.

"Layered security" often is used as a buzz-word from people who mean "I don't understand the problems and I don't understand the provisions one could take and what they're meaning for the problems, but then I'm doing as many provisions as possible without understanding them, so maybe I'm lucky". Of course this is nonsense.

The correct term is "defense in depth". It's a common military strategy, and it can be useful in computer security, too. But this implies, that you're exactly knowing, what you're doing, and choosing sensible provisions only.

Yours, VB.

Reply to
Volker Birk

Strange, I block ALL OUTBOUND from our networks that is not APPROVED outbound. I block all port 135~139 and 445 Traffic and all SMTP outbound except from the mail server.

Reply to
Leythos

what is more powerful - watchguard? pix? *nix?

and why is it bad to have 2 HBPFs on the same comp? (I can see how it's pointless, e.g. if 1 tool does the job). But would they clash. I was using Win XP FW and Sygate , I didn't have problems. Now I just use the win xp fw, though miss sygate's port logger.

Reply to
q_q_anonymous

"More Powerful"?

It's at least pointless, maybe they would clash - so it's bad.

You mean, you didn't realize, because Sygate has big security design flaws.

Yes, the logging capabilities seem to be nice. Perhaps, you'll find similar things on

formatting link

Yours, VB.

Reply to
Volker Birk

what about logging then? so you know you lost and are losing!

there are levels of loss. If I am compromised by malicious software, it'd be better if it didn't make outgoing connections. + I'd like to know it's there too (through logs). Also, if a system is compromised, the software usually knows how to disable the win xp fw so for example, an smtp server can listen.

Is there a totally safe server that does next to nothing. Which I'd set up just to test that my firewall is up. So I'd do a web based port scan and check that it comes up as closed. It needn't do anything, just respond.

what about detecting the loss, what about minimizing the loss.

OK, regarding minimising the loss, the best way is to disconnect from the network, reinstall everything. But what about minimising the loss before you've detected it.

With your solution of just using the win xp firewall, a person could be compromised by an smtp server which takes down the win xp fw easily. If the user were running sygate, then they'd be a good port logger, and it's less likely to be taken down so easily.

I looked up "defence in depth" . My reading shows it as the opposite of what you suggest!!

formatting link
"The term defence in depth is now used in many non-military contexts. For example, a defence in depth strategy to fire prevention does not focus all the resources only on the prevention of a fire; instead, it also requires the deployment of fire alarms, extinguishers, evacuation plans, mobile rescue and fire-fighting equipment and even nation-wide plans for deploying massive resources to a major blaze."

See, it doesn't just work to prevent the fire (the system being compromised). It has fire alarms (logs). It's also good to prevent the compromise from spreading by blocking outgoing. At least until you realise you've been compromised, and you reinstall it all.

Is it only PFWs that can't block outgoing(/can be easily circumvented), or is it FW appliances and ipchains *nix boxes too?

Reply to
q_q_anonymous

There are logging mechanisms in Windows itself. And: if the system is compromised, you may not rely on logging mechanisms on the same system, and have to have extra logging mechanisms in your network to detect.

You cannot prevent from that. This will never work. If your box is 0wn3d by someone else, then she/he controls what's going on, not you.

You just can try to detect and reset your box.

Yes, of course. You can log nearly everything in Windows, using the plain logging possibilities of Windows:

formatting link
Or you can use the tools from sysinternals.com, for example.

And: for detecting, if your box already is 0wn3d, you better have an external logging facility. Nothing works reliably after your box is 0wn3d, you cannot trust in anything after that point of time.

Yes, this is the point. A "Personal Firewall" will not help here, too.

This is just wrong. It's quite easy to ignore any "Personal Firewall", if malware code already runs on user's machine.

Where do I suggest the opposite? I'm suggesting different provisions, not only "enable the Windows-Firewall" and that's it.

The difference is, that you're knowing from _each_ provision, what it exactly does and what it's for. You know the exact attributes and properties it has, you understand the attack vectors and the weaknesses of each provision.

"Layered security" should be the same as "defense in depth", with the exception, that the people I know, who use the first term, usually don't understand anything about what they're doing.

Nothing can prevent from tunneling _by_ _concept_. In a capability based system, you can prevent applications from communicating at all, but this is very hard with Windows, because Windows is not a capability based system.

Yours, VB.

Reply to
Volker Birk

If properly configured they can all be powerful, some offer different/more features than others.

I like firewall appliances that offer proxy services that let me filter HTTP session content and SMTP session content so that I can remove bad things before they reach the network users.

It's kind of like using two AV scanners at the same time, they fight for resources. Having two PFW solutions on the same PC would be a waste, as if you are unskilled enough to improperly configure one, well, you won't do the other one properly either. The problems with conflicts, one blocking the other, that if you run as an Admin account you might as well not use one.....

Reply to
Leythos

TCPview, or alternatives like active ports, or whatever, those types of program I've tried are like an active form of netstat. And like netstat, they don't tell you if the connection is incoming or outgoing.

Port numbers "could" tell you, I've read that generally < 1024 indicates server, and generally >= 1024 indicates client. But what if malicious or badly written software doesn't follow those guidelines and misleads? And most security people run servers at a port > 1024 (>65535?) anyway. netstat, and these logger programs just say "ESTABLISHED", they don't say who initiated the connection. They do say "LISTENING" before a connection is established, that does tell me of a server at my end. But what about when it's established! Ethereal as a "port logger" doesn't compare either. It doesn't display date / time, doesn't display process name.

Doesn't not having a good log bother you?! It seems that defence in depth requires more than just the one line of defence (win xp fw). What do you do when the fw goes down. How would you limit the damage before detection. How would you detect it. Just recommending a win xp fw doesn't cover any of those vital things. Sygate really covered a lot!

Reply to
q_q_anonymous

The opposite is true - just try to learn, how TCP is working, and what's the meaning of listen().

After a TCP connection is established, it does not matter any more, which end opened the connection.

Please read RFC 793 / STD 7.

It seems you never used Ethereal, because there is a timestamp, of course.

Because of the fact, that Ethereal is a packet sniffer and not a TDI monitor, of course, there is nothing about processes in it. If you want to log and monitor processes, maybe those will be better for your purposes:

formatting link

Sygate has big security design flaws, and therefore is not in the game. For talking about sensible provisions, we should define a target group and attack vectors first.

What target group would you like to talk about? What attack vectors should we consider in this discussion?

Yours, VB.

Reply to
Volker Birk
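The two posts above disagree about whether netstat can tell you who initiated an ESTABLISHED connection. As an added illustration (not code from either poster), the snippet below parses constructed `netstat -ano`-style output and approximates direction from the one fact netstat does expose: a local port that is also in LISTENING state accepted the connection. It also shows where the "< 1024 means server" heuristic gives up.

```python
import re
from collections import namedtuple

# Constructed sample in the layout of Windows "netstat -ano" (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       1532
  TCP    192.168.1.10:5900      192.168.1.77:49211     ESTABLISHED     1532
  TCP    192.168.1.10:49330     192.168.1.1:53         ESTABLISHED     2240
  TCP    192.168.1.10:49332     203.0.113.5:80         ESTABLISHED     2240
  TCP    192.168.1.10:2500      198.51.100.9:3333      ESTABLISHED     1876
"""

Conn = namedtuple("Conn", "local_ip local_port remote_ip remote_port state pid")

# Matches only TCP rows; UDP rows have no State column and carry no direction information.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Turn netstat text into Conn records; the PID column is kept so a process can be looked up."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            lip, lport, rip, rport, state, pid = m.groups()
            conns.append(Conn(lip, int(lport), rip, int(rport), state, int(pid)))
    return conns


def classify(conns):
    """Map (local_port, remote_ip, remote_port) of each ESTABLISHED socket to a direction verdict.

    'inbound'   : local port is one this host is LISTENING on, so the peer connected to us.
    'outbound?' : ephemeral local port talking to a well-known (<1024) remote port; a guess only.
    'unknown'   : both ends above 1024 and nothing listening locally; netstat cannot tell.
    """
    listening = {c.local_port for c in conns if c.state == "LISTENING"}
    verdicts = {}
    for c in conns:
        if c.state != "ESTABLISHED":
            continue
        if c.local_port in listening:
            verdict = "inbound"
        elif c.local_port >= 1024 and c.remote_port < 1024:
            verdict = "outbound?"
        else:
            verdict = "unknown"
        verdicts[(c.local_port, c.remote_ip, c.remote_port)] = verdict
    return verdicts
```

The last sample row (2500 to 3333) lands in "unknown", which is exactly the case the port-number heuristic cannot settle; only a record of the SYN direction (a packet capture or a host-side connection log) resolves it.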

regarding this point, I think you just answered in that prev post , - we're posting concurrently! - so a win xp FW or PFW is limited in that it can be taken down. You suggested having a FW appliance,

any particular firewall appliance?

Reply to
q_q_anonymous

I'm not suggesting a particular firewall appliance. And: what's the problem, if any filtering software can be taken down, if malware already runs on the box?

If we're talking about a home user, then she/he usually has only one box. It has to be configured as a bastion, and there a host based packet filter like the Windows-Firewall can help.

Or are we talking about a networking environment? For which purpose?

Please let us first define the target group of users and the exact case description, before we're coming to the point, where we're able to make suggestions.

Yours, VB.

Reply to
Volker Birk
