Recommend a Firewall

OK, so who can recommend a good firewall solution. Hardware/software Free/Bought - all suggestions welcome.

Reply to
Ben Hardy

What is the problem that this firewall is expected to solve?

Jason

Reply to
Jason Edwards

There is no way to know without you letting us know what you are protecting, what capacity you will need, what services you are planning to offer and need.

Reply to
Leythos

Even further, what is the current network configuration and infrastructure? Which operating systems on which hardware?

Reply to
Sebastian Gottschalk

Strewth! OK, I have my home setup consisting of 2 PCs, one running XP PRO & the other running XP Home. I have file sharing enabled between the two. I have a website that I regularly maintain using Dreamweaver. I use Firefox browser and Thunderbird email. I have a Router/ADSL Modem: Dynamode R-ADSL-C4S for Net connection that has a built in Firewall. It is in default mode since I have no instructions on how to configure it and I don't understand most of the terminology, being a Networking dunderhead. I used to use Zone Alarm for a software Firewall but since everyone seems to rubbish it I have dumped it in favor of Outpost (which I am currently trying out). Windows Firewall is on. I use AVG Antivirus, Spyware Doctor, Windows Defender and Ad-Aware. What other info do you need? I just need to know that I am as secure as reasonably possible when using the Net. All suggestions welcome.

Leythos wrote:

Reply to
Ben Hardy

So, well, the only problem arises from accidentally transiting the Windows file sharing communication to the internet. This can be trivially addressed by blocking the relevant ports (137+138/TCP+UDP, 139+445/TCP) at the router. Read the manual.

This is rubbish as well, and probably you've even worsened the situation.

Eh... then why Outpost?

Wow, a big load of crap.

What about replacing Windows file sharing with a more solid implementation, f.e. FTPS? Using Novell NetDrive you can mount it as a net drive as well. (But well, please be aware of the little security problem in there :-)

What about TCP/IP stack hardening?

What about hardening the system? There's a lot of good documentation on microsoft.com, like "Threats and Countermeasures: Securing Windows Server 2003 and Windows XP" with a detailed discussion about system-relevant security configurations.

For the network configuration: If only one host is supposed to connect to the host, you might use two different network cards for two different nets, whereas file sharing is only done in the internal network and disabled on the internet connection.

Reply to
Sebastian Gottschalk
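A host-side equivalent of the router filtering described in the post above, added here as an example (not code from any poster): it blocks the Windows file-sharing ports towards non-local addresses with the Windows Firewall cmdlets. It assumes the NetSecurity module (Windows 8 / Server 2012 or later) and an elevated shell; the rule names are made up.

```powershell
# Added example: block NetBIOS/SMB (137+138 TCP+UDP, 139+445 TCP) to and from
# non-local addresses while leaving LAN file sharing untouched.
# Assumes the NetSecurity module (Windows 8 / Server 2012 or later); run elevated.
$rules = @(
    @{ Name = 'Block NetBIOS-SMB TCP (non-local)'; Protocol = 'TCP'; Port = 137, 138, 139, 445 },
    @{ Name = 'Block NetBIOS UDP (non-local)';     Protocol = 'UDP'; Port = 137, 138 }
)

foreach ($r in $rules) {
    foreach ($dir in 'Inbound', 'Outbound') {
        $name = "$($r.Name) $dir"
        # Inbound rules match on the local port, outbound rules on the remote port.
        $portParam = if ($dir -eq 'Inbound') { @{ LocalPort = $r.Port } }
                     else                    { @{ RemotePort = $r.Port } }

        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Host "Rule '$name' already exists, skipping"
            continue
        }
        # 'Internet' is the built-in address keyword for addresses outside the
        # local intranet, so LAN peers are not affected by the block.
        New-NetFirewallRule -DisplayName $name -Direction $dir -Action Block `
            -Protocol $r.Protocol -RemoteAddress Internet @portParam | Out-Null
        Write-Host "Created rule '$name'"
    }
}

# Sanity check: which processes are actually listening on the SMB ports?
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 139, 445 } |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Block rules take precedence over allow rules in Windows Firewall, so the built-in File and Printer Sharing allow rules keep working for the local subnet only.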

PIX 501 Appliance.

Flamer.

Reply to
die.spam

Typical Home User.

Do you run the website on your computer? Meaning do you allow people to access inside your network with the website on one of your computers?

Good, great idea.

It's a simple NAT router, not a firewall - marketing types call anything which does NAT a firewall. I looked at the specs, it's just a NAT router.

If you have Windows Firewall ON, then you should not be using the others, you should not run more than one firewall at a time.

I just fixed a kid's machine that used the latest AVG with the latest definitions, he had a number of malware installed and it didn't even detect them let alone stop them.

I used David Lipman's Multi-AV tool to clean the baddies and then Spybot Search and Destroy to remove the spyware - it was clean after 30 hours of scanning it.

As for AVG, I'm a disbeliever in the product, we do a lot of Sorority computers and the ones running AVG get compromised every couple months, the ones running Symantec never report any problems, nor the ones running Panda (but panda is a bigger resource hog than Symantec), even the McAfee machines don't stay clean.

None - but I'm going to assume you don't host your own website inside your network.

With your setup, as long as you've not forwarded any ports inbound, you are about as secure as a typical home user can get for a reasonable price.

If you want to be able to block malicious content while browsing the web, you need a firewall/proxy that can remove it before it reaches your network - a D-Link DFL-700 will remove/block items in HTTP sessions (like not allowing .EXE/.BAT files to be downloaded via the web)...

What you need to do is make sure that you are not running your computer with Administrator privileges unless you are doing maintenance on it. Create a simple USER account and use it always, unless doing maintenance, so that things have a harder time installing without you knowing.

Don't install every plugin for your browser, I don't install anything except flash and shockwave in mine.

Keep your PC updated with the latest AV definitions, latest patches for the OS, and DELETE any email with an attachment that you didn't request the attachment for - that means if your Mom sends you a picture in a Zip file and says to open it using password 123, delete it, don't guess, don't check, delete it immediately - then call/send email asking her to confirm that it was really sent and to send it again without the password so that your AV software can scan it.

Your personal firewall is going to do very little in your current environment, IMHO.

Other than the above, you are in reasonably good shape - just make sure you keep your browser/email programs patched.

Reply to
Leythos

That will be any solution, hardware or host based and not a personal FW, that meets the specs for *What does a FW do?*. Something you can use Wallwatcher (free) with to look at the logs.

formatting link
Duane :)

Reply to
Duane Arnold

Leythos wrote in response to:

No

Leythos wrote in response to:

Mmm.. If that's the case then why does it have in the configuration all this stuff about Firewalls, i.e.:

Conexant Firewall Version: 3.2.2

"Conexant firewall allows users to configure various databases/firewall options and Inbound/Outbound policies for controlling Inbound/Outbound traffic.

Advanced Options: The following firewall options are configurable for advanced firewall feature:

- Protection Policy

- Hacker Log

- Service Filtering

Firewall Databases: The following databases are configurable for setting inbound/outbound policies:

- IP Group

- Service Group

- Time Window

Inbound/Outbound Policies: The following policies are configurable for controlling traffic:

- Inbound Policy

- Outbound Policy"

Leythos wrote:

I understood that W> As for AVG, I'm a disbeliever in the product, we do a lot of Sorority

Since I've been using AVG (for about a year) it has discovered a couple of baddies and instantly put them in the virus vault. I occasionally run a sweep using other software (Panda etc) and so far, so good.

Leythos wrote:

Yeah but it's rather pricey for a home setup

Leythos wrote:

Yup, I do all of that.

Many thanks for your input

Ben

Reply to
Ben Hardy

I've been a long time user and fan of Sygate's Personal Firewall 5.5 and would strongly recommend that over all other software firewalls (ZoneAlarm/Kerio/Agnitum-Outpost/TinyFirewall - these I've tried!).

You can set up Advanced Rules that you can back up; the GUI is simple, clean and uncluttered. You must set the user password and enable "Disable Network on firewall exit" - I've had issues with Sygate exiting for mysterious reasons (albeit only once).

You can also try WIPFW. This is a FREE, BSD based firewall which looks to be superb, except that I haven't tried it out (still migrating from Sygate). It's hard to install unless you have some experience with iptables/ipchains and other Unix type command line firewalls. It does only firewalling and does not notify you regarding what apps are trying to connect out.

Reply to
Vivek.M

For what purpose?

Yours, VB.

Reply to
Volker Birk

In German, there is a saying: "den Teufel mit dem Beelzebub austreiben" (to drive out the Devil with Beelzebub).

Good idea.

Maybe a good idea if used sensibly.

OMN! Forget them.

Yours, VB.

Reply to
Volker Birk

Be careful.

Usually, a simple filtering implementation on your NAT router will do the job.

Yours, VB.

Reply to
Volker Birk

Sincere condolences.

Also Sygate installs a system service, which opens windows - and this is a big security design flaw.

Yours, VB.

Reply to
Volker Birk

Installation is trivial. Configuration is the matter.

Well, why should it?

Reply to
Sebastian Gottschalk

I have written NT service applications. I know what it takes to access an NT service application or make it do anything: the calling program must know the interfaces into the NT service application.

At best, the only thing that could happen is that some malware hits the machine and shuts the service down, which can happen to any PFW running with an NT service, including XP's FW I would think.

Duane :)

Reply to
Duane Arnold

No, it need not, if the service itself attaches to a desktop and opens windows. Then, for example, shatter attacks are possible in principle:

formatting link
or just something like this:

formatting link

I hope your services don't open windows, or your error endangers your users.

Yours, VB.

Reply to
Volker Birk

Attaching at the desktop is already sufficient to receive unauthenticated data, but doesn't directly imply a vulnerability (f.e. ProtectedStorage interacts with the desktop to export data on demand, but does sufficient checking).

And I hope that it sets its ACLs correctly. I've seen too many system services with NULL DACLs or otherwise insecure configuration that allows the users to stop the service, change the service image path and start the service again.

And there're some other things that can be done wrong as well.

Reply to
Sebastian Gottschalk
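An audit for the service misconfiguration described in the post above (NULL DACLs, or ACLs that let ordinary users stop a service or change its image path), added here as an example and not code from any poster. It reads each service's security descriptor with the standard `sc.exe sdshow` command and flags Allow ACEs that give low-privilege well-known SIDs rights such as change-config, stop, write-DAC or write-owner; the function name is made up, and treating a missing `D:` section as a NULL DACL is an assumption.

```powershell
# Added example: audit service DACLs for rights a non-admin should not hold.
# Assumes sc.exe (standard on Windows); run elevated so every descriptor is readable.
# Service SDDL right tokens: CC=query config, DC=change config, RP=start, WP=stop,
# DT=pause, LC=query status, SW=enum dependents, LO=interrogate, CR=user control,
# RC=read control, WD=write DAC, WO=write owner, SD=delete, GA/GW=generic all/write.
$dangerousRights = 'DC', 'WP', 'WD', 'WO', 'SD', 'GA', 'GW'
# Low-privilege well-known SID abbreviations: Everyone, Users, Authenticated Users,
# Interactive, Anonymous, Guests.
$lowPrivSids = 'WD', 'BU', 'AU', 'IU', 'AN', 'BG'

function Test-ServiceDacl {
    param([Parameter(Mandatory)][string]$Name)
    $sddl = ((& sc.exe sdshow $Name) | Where-Object { $_.Trim() }) -join ''
    if ($sddl -notmatch 'D:') {
        # Assumption: no D: section means a NULL DACL, i.e. full control for everyone.
        return [pscustomobject]@{ Service = $Name; Trustee = '<NULL DACL>'; Rights = 'ALL' }
    }
    $dacl = (($sddl -split 'D:', 2)[1]) -replace 'S:.*$', ''
    # ACE layout: (type;flags;rights;object_guid;inherit_guid;trustee)
    foreach ($m in [regex]::Matches($dacl, '\(([AD]);[^;]*;([^;]*);;;([^)]+)\)')) {
        if ($m.Groups[1].Value -ne 'A') { continue }       # only Allow ACEs grant anything
        $rights  = $m.Groups[2].Value
        $trustee = $m.Groups[3].Value
        if ($trustee -notin $lowPrivSids) { continue }
        if ($rights -like '0x*') {
            # Raw access mask instead of tokens: report it for manual review.
            $hits = @("RAW:$rights")
        } else {
            # Rights are concatenated two-letter tokens; split before matching so a
            # token boundary such as "SD" + "CC" is not misread as "DC".
            $tokens = [regex]::Matches($rights, '..') | ForEach-Object { $_.Value }
            $hits = @($tokens | Where-Object { $_ -in $dangerousRights })
        }
        if ($hits.Count -gt 0) {
            [pscustomobject]@{ Service = $Name; Trustee = $trustee; Rights = ($hits -join ',') }
        }
    }
}

Get-Service | ForEach-Object { Test-ServiceDacl -Name $_.Name } | Format-Table -AutoSize
```

Any row for a service running as LocalSystem deserves a look: DC (change config) on such a service lets the listed trustee point the image path at a binary of their choosing, which is exactly the stop/change/restart sequence the post describes.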

It's simply dumb not to use secure IPC for communicating with a service. Why should one want this?

Microsoft's developer information is completely right here: one had better split such programs into a service and a client program, which runs without elevated privileges and communicates securely through e.g. a named pipe or DCE-RPC or something like that.

Yours, VB.

Reply to
Volker Birk
