I've been using the free Sygate PFW in combination w/ a Linksys router/switch since just before it was discontinued. I've been happy with it; the outgoing application control is fast and doesn't seem to screw up the normal execution of any other applications -- a rare find.
However, since the product is no longer updated, I wonder if it is still a valid solution since any recently discovered flaws or security holes won't be fixed. Opinions? Is it a good idea to just switch to the Windows XP SP2 firewall? Another 3rd party PFW? Or can I continue to use Sygate?
No. Keep Sygate PFW. Version 5.5 build 2710 preferably (the latest one has been modified so that Windows' useless Security Center is aware of Sygate; but it doesn't have any security improvement, and this latest and last version is very buggy!).
First, the Windows firewall does not inform the user when an app tries to connect to the internet: it only knows how to block inbound connections, not outbound ones.
Volker and his fellows will tell you it is a good design choice! Even if this were true, the Windows firewall definitely has a big hole: when apps are being installed, they can add an exception and so allow an *inbound* connection without requesting the user's authorization or even without informing him (her). For example, just try to install Skype 2.0, or any security product which needs to connect to the internet...
This happens, of course, when the app is installed in a session where the user has admin rights (note that almost all Windows apps require an admin session to be installed); it happens also when the app is installed invoking "runas", or when the app is launched using "Psexec" (a utility from Mark Russinovich) which gives the app the execution rights of the "SYSTEM" user.
Of course, what legitimate apps can do, malware can also do. And a lot of malware can install itself using Psexec or a similar method and so can have full access to add exceptions.
--> Windows firewall is not a firewall, it is like a sieve!
It is better in this case to have a firewall that requests the user's authorization when an app tries to connect to the internet...
Note that no software firewall can give you absolute security:
- A firewall is normally meant to prevent unwanted packets from reaching the target machine; and a software PFW runs on the target machine! Big contradiction... packets have already reached the target machine when they are intercepted by the PFW.
- PFWs can have their execution stopped.
- They can be deceived by malware attempting to connect.
However, among PFWs, Sygate PFW is probably, not the best, but the "least bad". It has a unique ability to distinguish whether an application which wants to connect was launched directly by the user or launched by another app; in the second case it will request the user's authorization (here is one of Volker's proofs of concept defeated...).
It also seems to be less targeted by malware than the Windows firewall.
- If you can afford it, buy a NAT / firewall / modem-router; for example the US Robotics 96107.
- And use Sygate PFW as a complement, to add fine-tuned advanced rules (filter hosts, protocols) and to filter your outbound connections (too many programs want to "phone home" without your authorization).
In fact, a computer should not, for security reasons, be connected to the internet! ;-)
So, never forget to periodically back up your computer! You might need, one day, to recover from a crash induced by malware or whatever else.
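The post above says installers running with admin rights can add an inbound exception to the XP SP2 firewall without asking. As an added example (not code from anyone in this thread), this PowerShell script lists those program exceptions and diffs them against a saved baseline so a silently added one stands out. It assumes the exceptions live under the registry key shown, one value per program in the form "<exe path>:<scope>:Enabled|Disabled:<display name>", and that $BaselineFile is a location you choose.

```powershell
# Added example, not from the thread. Audits XP SP2 firewall program exceptions.
# Assumption: per-program exceptions are stored under this key, as values of the
# form "<exe path>:<scope>:Enabled|Disabled:<display name>" (scope "*" = any host).
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$BaselineFile = 'C:\fw-exceptions-baseline.txt'   # assumed location, pick your own

function Get-FirewallExceptions {
    foreach ($profile in 'StandardProfile', 'DomainProfile') {
        $key = "$Base\$profile\AuthorizedApplications\List"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            # Anchor the match on the right-hand fields: the exe path itself contains "C:",
            # so a plain split on ':' would cut the path in two.
            if ($p.Value -match '^(?<path>.+):(?<scope>[^:]*):(?<state>Enabled|Disabled):(?<name>.*)$') {
                New-Object PSObject -Property @{
                    Profile = $profile
                    Path    = $Matches.path
                    Scope   = $Matches.scope
                    State   = $Matches.state
                    Name    = $Matches.name
                    Exists  = Test-Path -LiteralPath $Matches.path   # exception left behind by a removed program?
                }
            }
        }
    }
}

$current = @(Get-FirewallExceptions)
$current | Format-Table Profile, State, Scope, Exists, Path -AutoSize

# One line per exception so the baseline can be diffed textually.
$new = @($current | ForEach-Object { "$($_.Profile)|$($_.Path)|$($_.Scope)|$($_.State)" })

if (Test-Path $BaselineFile) {
    $old = @(Get-Content $BaselineFile)
    $added   = @($new | Where-Object { $old -notcontains $_ })
    $removed = @($old | Where-Object { $new -notcontains $_ })
    if ($added.Count -eq 0 -and $removed.Count -eq 0) { Write-Host 'No change since baseline.' }
    $added   | ForEach-Object { Write-Host "ADDED since baseline:   $_" }
    $removed | ForEach-Object { Write-Host "REMOVED since baseline: $_" }
} else {
    $new | Set-Content $BaselineFile
    Write-Host "Baseline written to $BaselineFile"
}
```

Run it once to record the baseline, then again after installing something to see which exceptions the installer added.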
That's interesting. I've been using V. 6.6 build 2808 -- hasn't been buggy so far, but thanks -- I'll try downgrading if problems arise.
Yeah, that's an ADSL modem-router. I have a cable connection with a gateway (AKA cable "modem") and Linksys NAT router/switch/WAP behind that. It has some basic filtering functionality, but is not actually a firewall.
After having read this group for a few months, I expected to hear quite a few mixed opinions of outgoing-app control -- perhaps it's somewhat bloatware and somewhat helpful. Like I said, the reason I like Sygate's is that it's fast and plays well with other apps -- a rare find.
But as far as the PFW functions go, thanks for your input. I've been using it as a complement to the above setup on one box, and the SP2 firewall on another less-often-used one.
How do you solve the mentioned security design flaws of Sygate?
Hm... at least I will, yes :-P
Yes. Don't install applications you cannot trust in.
Yes. If the user installs this, usually she/he wants to use it. What's wrong with it?
Yes. And if an application is installed using Administrator's rights, no "Personal Firewall" can do anything against this, if the setup is cleverly coded.
You have the same non-arguments as everyone else here who tried to argue that way.
This is boring. Everybody can already read in older postings in this group why you're totally wrong. Always discussing the same?
If an application wants to communicate to the outside, it's no problem to do so at all. Not only my own two PoC codes for that prove it.
I cannot see that. Sygate has bad security design flaws, which make a PC more insecure and not more secure compared to the Windows-Firewall.
It's not. You just don't understand, that my PoC code does not deal with "how is it started". And it should not.
If Sygate would manage to prevent starting malware reliably, then all other functionality of Sygate would be superfluous. The existence of the functionality of wanting to "control outbound traffic" is the proof that Sygate themselves don't think that they can prevent starting malware reliably. And they're right in this single point here; at least malware sometimes is started by a fooled user, a victim of a social engineering attack. So "how can it be prevented from being started" is _not_ part of my PoC code.
I'm testing the "how good is the 'Personal Firewall', if the code already is running" case. If you want to test my PoC code, you have to start it and let it run, assuming that (if it were malware, which it is not) this problem is already solved. Then you can test with it the one and only object it's developed for: if it manages to have outbound communication in spite of your "Personal Firewall".
And the actual implementation has ambient conditions which you have to implement, or you cannot use it for a test:
- you have to have a PC with Windows 2k or XP and a web-browser, which is allowed to be used for browsing the web (for the test implementation, only Internet Explorer and Mozilla Firefox 1.0.x are supported, while it's easy to adapt to an arbitrary browser)
- for the second test, you have to have a PC with Windows 2k or XP and activated Active Desktop, which may include web content
The first scenario I chose, because it's very common; most of the owners of a "Personal Firewall" will have such a scenario.
The second scenario I chose, because it's the default configuration of Windows and most of the "Personal Firewalls"; most of the owners of a "Personal Firewall" will have such a scenario, too.
If you don't implement these ambient conditions in your testing environment, then your tests are useless and pointless.