SSM + Ghostwall = Full In/Out Firewall?
InfinityAz
November 11th, 2006, 12:52 PM
The new paid version of SSM was released today and includes network access (outbound app control). I realize the following questions depend on your configuration, but:
Would using SSM along with Ghostwall provide enough inbound and outbound protection?
Would this combination be equivalent to using Kerio free, Filseclab, ZA free, etc.?
-or-
Would a router with NAT/SPI and SSM offer enough protection?
Stem
November 11th, 2006, 01:23 PM
{QUOTE-> Would using SSM along with Ghostwall provide enough inbound and outbound protection?
Would this combination be equivalent to using Kerio free, Filseclab, ZA free, etc.? <-QUOTE}
Well, Ghostwall will filter the inbound/outbound packets (I have not tested how good this is yet), and SSM would filter the applications' access... so on my first thought, yes.
{QUOTE-> Would a router with NAT/SPI and SSM offer enough protection? <-QUOTE}
This at first would appear to be sufficient, as unsolicited inbound would be blocked, and there is control of application outbound... but I think there is a need to filter... so from the choice of the 2 setups, I would go with the first.
Better would be: Router:Ghostwall:SSM (with available choice)
farmerlee
November 13th, 2006, 02:04 AM
Ghostwall combined with AppDefend is pretty much a full in full out firewall. SSM would work well with Ghostwall. If you have a firewall in your router then SSM alone would be sufficient.
jasonago
November 13th, 2006, 03:09 AM
{QUOTE-> Ghostwall combined with AppDefend is pretty much a full in full out firewall. SSM would work well with Ghostwall. If you have a firewall in your router then SSM alone would be sufficient. <-QUOTE}
I agree with this setup because AppDefend is much simpler compared to SSM. But we would like to see AppDefend with a "Learning Mode" in the future and a much greater list of predefined applications.
Paranoid2000
November 13th, 2006, 07:17 AM
{QUOTE-> Would this combination be equivalent to using Kerio free, Filseclab, ZA free, etc.? <-QUOTE}
In my view no. SSM can't restrict access by domain, only by trusted/untrusted address so it can't offer the fine control a full firewall can (e.g. being able to limit your email client to connecting to your ISP mail servers only).
If you only wish to be able to allow/block outgoing access (like ZA Free) then SSM would suffice but its network control is currently very basic.
Stem
November 13th, 2006, 08:58 AM
{QUOTE-> In my view no. SSM can't restrict access by domain, only by trusted/untrusted address so it can't offer the fine control a full firewall can (e.g. being able to limit your email client to connecting to your ISP mail servers only). <-QUOTE}
You could place the mail servers within the trusted IP group of SSM, and restrict the mail client to trusted only... or as "InfinityAz" would also be using "Ghostwall", then IP/port for mail server could be placed there (or both).
Paranoid2000
November 13th, 2006, 12:23 PM
{QUOTE-> You could place the mail servers within the trusted IP group of SSM, and restrict the mail client to trusted only... or as "InfinityAz" would also be using "Ghostwall", then IP/port for mail server could be placed there (or both). <-QUOTE}
You can do this in SSM but that would also allow every other program with Trusted Network access to connect to the mail server - in this case probably not a major problem but it can be in other cases.
With Ghostwall a similar issue applies - allows or blocks apply to every program. It isn't possible to allow program X only access to location Y - and in many cases this is the best rule for a tightly configured setup (e.g. DNS access, program updaters, anonymising proxy access, etc).
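The gap discussed in the last few posts, modelled as an added example that is not part of the original thread and is not either product's real rule format. The program names, addresses (documentation range 192.0.2.0/24) and function names are constructed assumptions; the "layered" verdict combines a packet filter and a trusted-zone application control, as in the "(or both)" suggestion.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    app: str
    dst_ip: str
    dst_port: int

# Constructed sample values: made-up programs, documentation-range addresses.
MAIL_SERVER = ("192.0.2.25", 25)
UPDATE_SERVER = ("192.0.2.80", 443)
TRUSTED_IPS = {MAIL_SERVER[0], UPDATE_SERVER[0]}

def packet_filter(conn, allowed_endpoints):
    """Packet-filter model: the decision sees address/port only, never the program."""
    return (conn.dst_ip, conn.dst_port) in allowed_endpoints

def zone_app_control(conn, app_zone):
    """Trusted-zone model: a program gets 'trusted', 'any' or no network access."""
    zone = app_zone.get(conn.app)
    if zone == "any":
        return True
    return zone == "trusted" and conn.dst_ip in TRUSTED_IPS

def per_app_rules(conn, rules):
    """Per-application model: program X may reach location Y only (default deny)."""
    return (conn.dst_ip, conn.dst_port) in rules.get(conn.app, set())

def evaluate(conn):
    """Return each model's verdict for one outbound connection."""
    layered = (packet_filter(conn, {MAIL_SERVER, UPDATE_SERVER})
               and zone_app_control(conn, {"mail.exe": "trusted",
                                           "updater.exe": "trusted"}))
    strict = per_app_rules(conn, {"mail.exe": {MAIL_SERVER},
                                  "updater.exe": {UPDATE_SERVER}})
    return {"layered": layered, "per_app": strict}

if __name__ == "__main__":
    for c in (Conn("mail.exe", *MAIL_SERVER),
              Conn("updater.exe", *MAIL_SERVER),   # trusted program, wrong destination
              Conn("unknown.exe", *MAIL_SERVER)):
        print(c.app, "->", c.dst_ip, c.dst_port, evaluate(c))
```

Only the per-application rule set rejects `updater.exe` talking to the mail server; the layered setup accepts it because neither layer ties the program to the destination.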
Copyright ©2002 - 2010, Wilders Security Forums