Firewall dilemma


mvdu
October 28th, 2003, 02:21 PM
I'm having a hard time deciding between ZA Pro 4.0 and NIS 2004. I also have a license for Outpost Pro 2.0, but have ruled that out for now because I hate the way it handles active content. I'm on a router, but still want an IDS - and I could go back to running ZA Pro + BlackICE since they work well, but NIS handles everything with one firewall. I got NIS 2004 free through my dad's work and can continue to get NIS free as long as he works there, but I bought ZA Pro and BlackICE this year and wonder if I should use them. With NIS 2004, my KAV Personal 4.5 would have to be a backup to NAV. Also, do ZA Pro and NIS 2004 offer an equal amount of protection and have equal reputations and amount of horror stories? Do you have any suggestions for me?

mvdu
October 28th, 2003, 04:08 PM
Right now, I have NIS on, but I'm open to advice.

mvdu
October 28th, 2003, 10:06 PM
Which setup is more recommended?

mvdu
October 29th, 2003, 01:13 AM
Well, if nobody thinks it matters, I'll use this setup:

router, ZAPro, BlackICE, KAV 4.5, BitDefender free (on-demand AV scanner), TrojanHunter, System Safety Monitor, SpywareGuard, SpywareBlaster, Ad-aware, Spybot S&D., regprot, mru-blaster.

LowWaterMark
October 29th, 2003, 01:59 AM
Hi mvdu,

I'm sorry you ended up just talking to yourself in this thread, but I think I see the reason... When you ask a question like "Which of these two should I run?" and the two products are both good, it is difficult for people to advise you as it usually just comes down to personal preferences.

The crux of your question was whether or not to use ZA Pro 4.0 or NIS 2004. Since both are good solid products, there is no wrong choice to be made here. Either will do a good job - if they work well for you on your system.

Using ZAP with BlackICE for its IDS should be a very good combination, many people do that. (NIS would have been good, too.)

As for your full setup, that's a powerful configuration you have there. As long as you configure it all properly, and keep the tools updated, you'll have a very good layered defense.

mvdu
October 29th, 2003, 02:36 AM
Thanks, LowWaterMark - and I plan to keep the configuration I just mentioned (as I don't want to rely too much on one company), except minus regprot. I'll just turn on registry monitoring in SSM.

StevieV
October 29th, 2003, 06:05 AM
Hi mvdu

I have a nearly identical setup to you - using ZA Pro, KAV 4.5, router etc. I have never tried NIS 2004, mainly because I don't like product activation, no reflection on the product. Your comments (and LWM's) on BlackIce seem very sensible - I think I'll try that too. Anyway, the combination on my pc runs very well and has never given me any problems. Since you are behind a router you probably only need a firewall for outbound protection; it is my impression that LnS provides better outbound protection than ZA Pro (can't provide the link as I can't remember which test showed it). Having said that, I don't use LnS but may try it once my current license for ZA Pro expires.

All the best

Steve

mvdu
October 29th, 2003, 11:11 AM
Hi, StevieV:

A leak test board showed LnS as doing better - but ZoneAlarm has something called process protection coming that should stop all leak tests. Another reason I changed from NIS is I didn't like how it configured programs.

Take care,

mvdu

StevieV
October 29th, 2003, 01:29 PM
Hi mvdu

Thanks for the info. I have just installed BlackICE, seems pretty stable so far. My attitude is 'if it isn't broke, don't fix it' and ZA Pro has always run very well on my system with no stability issues and seems to do everything a firewall should. The other thing I like about it is ZA aren't just sitting on their laurels, they are constantly developing and trying to improve their product (I like KAV for the same reasons).

Good luck with whatever you decide

Steve

mvdu
October 29th, 2003, 03:07 PM
Thanks, Stevie! I guess this leaves only Sygate to try out - but I don't know if BI would fit as well with that.

StevieV
October 29th, 2003, 03:46 PM
Tried Sygate briefly for a month - clearly a very good program. Decided on ZA Pro because Sygate didn't perform very well on leak tests and also when I granted a program permission to connect to the internet, Sygate automatically assigned the program server rights and I had to edit each new entry manually to deny server rights. Overall though a pretty impressive program, but it didn't suit me as well as ZA Pro. Don't know about BI with Sygate; perhaps someone else has experience with this.

Steve

mvdu
October 29th, 2003, 04:01 PM
I know that Sygate has mostly fixed the leak test problem with the latest release. And I'd like to just have one firewall with an IDS. Guess I'll evaluate it fully. Too bad Sygate doesn't have the privacy features that ZA Pro does. Should I be concerned about some people saying Sygate has vulnerabilities?

mvdu
October 30th, 2003, 06:41 PM
Same configuration, but I think I'll use NPF 2004 as firewall. Things are a little slower with ZA and BI. And since I use KAV, I wouldn't be using the same company for AV and firewall. I assume no one has objections?

mvdu
October 30th, 2003, 09:05 PM
No, I better stick with what I decided. I still get the feeling that ZA Pro is more heavy duty than NPF. And BI running behind ZA Pro is a more extensive IDS.

Comp01
October 30th, 2003, 09:24 PM
I personally like Sygate PF 5.5 (free); they fixed all the leaktest probs, but Sygate will not work with BlackICE Defender. One plus for Sygate is it has very detailed attack logs/traffic logs/etc.

mvdu
October 30th, 2003, 09:38 PM
As I understand it, the free version of Sygate doesn't have the IDS I want, though, or advanced configuration. So I think what I have is still best for me. I wonder if Sygate free also automatically grants access rights? Thanks for the input, though.

mvdu
October 30th, 2003, 09:55 PM
I will keep NPF and in the future maybe Outpost in mind, as I don't want to shut off all possibilities. As I stated when I first came here, I'm very open-minded.

jvmorris
November 1st, 2003, 08:30 PM
mvdu,

Sorry, been away enjoying myself for most of the past two months.

I'm a little confused in trying to follow your postings because at one point you indicate you've decided to stick with ZAPro and then (apparently only a few hours later), you indicate you're going to keep NIS (or NPF, as the case may be).

I'm a long-time NIS/NPF/AtGuard user and LowWaterMark is a longtime (I think!) ZA/ZAP/ZA+ user. As has been said many times in both this and other security forums, the most fundamental issue in selecting a firewall is choosing one with which you're comfortable and which you are (or at least feel) most comfortable.

In that context, it's important to realize that ZA/ZAP/ZA+ and NIS/NPF/AG came (originally) from two rather opposed views of what kind of software firewall was most appropriate for the average end-user and, as time has passed, each product line has tended to migrate in the direction of the other!

NIS/NPF releases are essentially derivatives of WRQ's AtGuard product line that stressed the ability to write highly customized rules (as did ConSEAL, which is now the basis of the McAfee firewalls). That was great, as long as you knew exactly what you were doing. And, from the very first release 1.0 of NIS/NPF, Symantec embarked on a long campaign to eliminate this burden on the average end-user. In its latest releases, many NIS/NPF users have no idea what the rules actually are or how to find out or how to further tighten them to a particular user's individual requirements -- nor do they necessarily need to.

I think (and I'm sure LowWaterMark will correct me if I'm wrong) that ZA began from the opposite extreme -- "ease of use" for the average Joe being the primary consideration. ZA/ZAP/ZA+ have, consequently, tended to migrate towards a capability to further customize the rules in a manner that is now very similar to what one could do with AG/NIS/NPF.

The NIS/NPF evolutionary strategy has tended to obfuscate the rules in place (i.e., to reduce the transparency of the rules); indeed, it's now extremely difficult to get a comprehensive idea of the rules that have been implemented or to determine how these rules could be further tightened for a particular user's requirements. And it's also exceedingly difficult to determine if the NIS/NPF firewall is actually working the way the end-user intended or to determine the nature of any problem that may develop. (Which, unfortunately, may be one of the reasons that so many users of NIS/NPF 2003/2004 are "satisfied" with these latest releases.)

I'm not so qualified to explain what's happened with ZA/ZAP/ZA+; that's more in LowWaterMark's area of expertise. True, the rules can now be considerably more customized than was available in the early versions, but I find the implementation of this customization to be a bit awkward and unnecessarily complicated. (JMHO)

At somewhere along the way, we got the original "Third Way" products. To me, Sygate Personal Firewall always seemed something like an enhancement of the original ZA (free) with some new ideas thrown in. And I've always felt that Tiny (and then Kerio) were something of a backlash against the 'bloat' that Symantec introduced in NIS/NPF to make AtGuard more user-friendly, again using a distinctly different approach.

I can't comment on Look 'n Stop or Outpost for the simple reason that I've never used either. I've never considered myself a tester of alternative software firewall implementations from different vendors; I just found what worked for me (acceptably) and tended to stick with it.

So what do I use? Well, until quite recently, I used NIS 2.5 on Win 98 SE, NIS 3.0 on Win 2000 Pro, and NIS 4.0 on Win XP Home, backed up by BlackICE (or Real Secure Desktop) to provide more extensive IDS capabilities. Furthermore, this was on a dial-up connection in which I used Microsoft's ICS as a software-based router. (NIS/NPF 2003/2004 lack the documentation capabilities which I find so important.) More recently, I've replaced NIS 2.5 on the Win 98 SE box with Kerio and NIS 3.0 on the Win 2K Pro box with SPF (both still backed up by BlackICE/RealSecure on those machines). Both are interesting implementations, but I must admit that I am uncertain and may well revert to NIS 2.5/3.0 on these two boxes -- primarily for the additional features provided by NIS. On the other hand, I am unlikely to upgrade to NIS/NPF 2003/2004 due to the lack of any reasonable capability to document system configuration or do trouble-shooting, both of which are quite critical to me.

I haven't found the 'perfect' software firewall yet -- and I doubt that I ever will.

mvdu
November 1st, 2003, 08:32 PM
Any thoughts on the setup I decided on? If I want one firewall with an IDS, is NPF the way to go? Considering Outpost hasn't made improvements yet and I'd have to pay more for Sygate?

Here it is:

Dell router
NPF/NIS 2004
KAV Personal 4.5
TrojanHunter
System Safety Monitor (with application control and registry protection on)
SpywareGuard
SpywareBlaster
Spybot S&D
ProcessGuard
Ad-aware
MRU-Blaster
XP Anti-spy

mvdu
November 1st, 2003, 08:45 PM
Forgot to add that I also have free BitDefender for on-demand AV scanner.

mvdu
November 1st, 2003, 11:33 PM
Ok, one more post for the night. I'm a little worried about rules-based firewalls. I generally know what's being allowed when I look at NPF's automatic rules, and I know how to change them. But I really don't want to create rules unless I need to for something. Would I be better off sticking with ZA Pro, or are NPF's defaults usually good enough?

CrazyM
November 2nd, 2003, 02:47 AM
Hi mvdu

It really boils down to which one you are most comfortable with. Both offer good protection and the ability for custom rules. NPF's default rules are good for most users, but can still be customized and streamlined by those wanting to do so.

Regards,

CrazyM

jvmorris
November 2nd, 2003, 10:46 AM
Quoting mvdu:
". . . But I really don't want to create rules unless I need to for something. Would I be better off sticking with ZA Pro, or are NPF's defaults usually good enough?"

Following up a bit on CrazyM's response to this question:

NIS/NPF contains a list of something that must now be approaching 1,000 popular, Internet-enabled applications. It can automatically generate rules for these applications that are typically a bit more stringent than the 'default' rules likely to be generated by ZA (free) -- I'm not that certain about the current situation with regards to ZAP.

When I say that, I'm talking about the NIS/NPF pop-ups you're likely to see the first time an application attempts to access the Internet. You may see an option to "Allow NIS/NPF to automatically generate rules for this application". However, if you only see an option to "Permit All" or "Deny All", then NIS/NPF doesn't yet have rules templates for the application in question. I don't generally like the "Permit All" selection -- because that's exactly what it does for the application in question -- at that point, you might as well be running ZA (free).

Still, as CrazyM notes, it's actually possible for an individual user to further tighten these rules for his or her unique requirements. I suspect that the most commonly cited example is restricting the general DNS rules to only the DNS servers upon which the user relies (usually a set of between two and four remote IP addresses). While there's a lot of automation in how NIS/NPF generates rules (and this is where the bloat complaint comes from), it's simply not very practical for NIS/NPF to automatically determine the IP addresses for a particular user's DNS servers. And, rather obviously, a similar situation pertains with regards to the POP3/SMTP servers that a particular user needs access to with their e-mail client(s).
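The tightening jvmorris describes, as an added illustration rather than code from the thread or from any of the firewalls it discusses: a minimal first-match rules engine in which a "Permit All" application rule is compared with a ruleset that allows the mail client's DNS only to the user's own resolvers and its POP3/SMTP only to the user's mail server (all hosts, the application name and the rule layout are constructed placeholders).

```python
# Added illustration (not code from the thread or from NIS/NPF, ZA or Sygate):
# a tiny first-match, default-deny rules engine for a personal firewall, used
# to show what "Permit All" grants versus a tightened per-application ruleset.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    app: str           # executable that owns the socket, e.g. "mailclient.exe"
    direction: str     # "out" = app connects out, "in" = app listens/accepts
    proto: str         # "udp" or "tcp"
    remote_ip: str
    remote_port: int


@dataclass(frozen=True)
class Rule:
    app: str
    action: str                                # "permit" or "block"
    direction: Optional[str] = None            # None matches both directions
    proto: Optional[str] = None                # None matches any protocol
    remote_ips: Optional[frozenset] = None     # None matches any remote host
    remote_ports: Optional[frozenset] = None   # None matches any remote port

    def matches(self, p: Packet) -> bool:
        return (self.app == p.app
                and self.direction in (None, p.direction)
                and self.proto in (None, p.proto)
                and (self.remote_ips is None or p.remote_ip in self.remote_ips)
                and (self.remote_ports is None or p.remote_port in self.remote_ports))


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; anything no rule covers is blocked."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "block"


# Constructed sample resolvers and mail host (documentation addresses, not real servers).
MY_DNS = frozenset({"192.0.2.53", "198.51.100.53"})
MY_MAIL = frozenset({"192.0.2.25"})

# "Permit All" as the thread describes it: the app may connect anywhere and may
# accept inbound connections on any port from any host (server rights).
permit_all = [Rule(app="mailclient.exe", action="permit")]

# Tightened ruleset: outbound DNS only to the user's resolvers, outbound
# POP3/SMTP only to the user's mail server, and everything else for that app
# blocked, including any inbound "listening" traffic.
tightened = [
    Rule("mailclient.exe", "permit", "out", "udp", MY_DNS, frozenset({53})),
    Rule("mailclient.exe", "permit", "out", "tcp", MY_MAIL, frozenset({25, 110})),
    Rule("mailclient.exe", "block"),
]


def compare(p: Packet) -> Tuple[str, str]:
    """Return (decision under Permit All, decision under the tightened rules)."""
    return evaluate(permit_all, p), evaluate(tightened, p)


if __name__ == "__main__":
    samples = [
        Packet("mailclient.exe", "out", "udp", "192.0.2.53", 53),     # own resolver
        Packet("mailclient.exe", "out", "udp", "203.0.113.9", 53),    # foreign resolver
        Packet("mailclient.exe", "in", "tcp", "203.0.113.9", 4444),   # inbound to a listener
    ]
    for s in samples:
        print(s, "->", compare(s))
```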

mvdu
November 2nd, 2003, 12:18 PM
Sometimes NPF will say an application is listening on ports, and to deny all or permit all. It means I'm allowing it to act as a server when I click permit, and I don't like that - but unlike with ZAP, some programs don't work if you don't click permit. At that point, I'd like to create custom rules in NPF, but don't always know the server's address that it's listening for.

Would people recommend Outpost or Sygate over ZA Pro in my case? With Sygate, it's easy to turn off server rights.

mvdu
November 2nd, 2003, 12:27 PM
The thing is, I'm very happy with my AV, KAV - but I can't seem to be happy with any of the software firewalls I've owned. That's why I need help.

jvmorris
November 2nd, 2003, 12:51 PM
Quoting mvdu:
"Sometimes NPF will say an application is listening on ports, and to deny all or permit all. It means I'm allowing it to act as a server when I click permit, and I don't like that - but unlike with ZAP, some programs don't work if you don't click permit."

First, could you give an example of a program with which this has happened? Mind, I am not using NIS/NPF 2003 or 2004, but I've seen a thread at DSLR Security Forum in which antdude (a Symantec consultant) has indicated that the Rules Assistant will pop up when a previously PERMITted app is upgraded -- and only provide the PERMIT ALL/DENY ALL options. (Apparently, you can subsequently change that; but the interface is hardly intuitive, if I understand his comment correctly.) And, yes, you are correct; PERMIT ALL does imply giving the application server rights -- on all ports to all remote IPs -- not a good default in my judgment.

I'm not quite sure what is happening here, but it appears that the latest versions of NIS/NPF are not only checking the executable's filename, but also some combination of its version/build number, date last modified, and possibly even its SHA1 hash. Unless ALL of the selected items match (which is unlikely to happen with a newly updated product -- even in the same path), it appears that the latest versions of NIS/NPF treat the app as a completely new app for which it has no information. I think that both Sygate and Kerio are a bit more informative in the resulting pop-up, i.e., they ask whether you have knowingly updated the application. If you indicate that you have, they simply modify the authentication information. (There's absolutely no reason why NIS/NPF couldn't do the same thing.)

Quoting mvdu:
"At that point, I'd like to create custom rules in NPF, but don't always know the server's address that it's listening for."

Well, this is precisely my complaint with the latest releases of NIS/NPF 2003/2004. Up through NIS/NPF 2002 (version 4.0), a user could use Albert Janssen's AGNIS Rules Viewer and NIS Settings utilities to document the basic firewall configuration and Sven Schaefer's Log Viewer to quickly and easily determine how the firewall was configured and what events needed to be permitted/blocked if the ruleset needed to be customized. Beginning with NIS/NPF 2003, Symantec encrypted this information and refused to provide the necessary keys to Albert and Sven to decode it for their long-established freeware utilities. Perhaps more to the point, Symantec failed to provide (a deliberate choice on their part) any equivalent functionality within the product itself. Consequently, it is now impossible (for all practical purposes) for their average customer to analyze the firewall setup and appropriately customize the rules further for their own needs.

Quoting mvdu:
"Would people recommend Outpost or Sygate over ZA Pro in my case? With Sygate, it's easy to turn off server rights."

Every software firewall has its own deficiencies. As you will see from another thread in this Forum, the latest release of SPF looks very interesting in many ways, but Sygate has still failed to resolve the loopback issue (typically only of interest to people running a proxy server such as Proxomitron locally). LowWaterMark would have to address the ZA Pro portion of your query and I am certainly completely uninformed with regards to Outpost.
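The application-identity behaviour jvmorris speculates about above, as an added illustration that is not the actual logic of NIS/NPF, Sygate or Kerio: rules are bound to the executable's contents (a SHA-1 digest, as the post guesses) rather than its filename alone, and a changed binary at a known path is surfaced as "updated, confirm?" instead of being silently trusted or silently forgotten. The paths, executable bytes and rule names are constructed sample data.

```python
# Added illustration (not NIS/NPF, Sygate or Kerio code): binding per-application
# firewall rules to a hash of the executable, and handling the three cases the
# thread discusses: same binary, updated binary at the same path, and a binary
# the firewall has never seen.
import hashlib
from typing import Dict, Tuple

# Constructed in-memory rule store: path -> (hash of executable, name of its rule)
AppDB = Dict[str, Tuple[str, str]]


def fingerprint(exe_bytes: bytes) -> str:
    # SHA-1 is what the post speculates NIS/NPF compares; any strong hash would do.
    return hashlib.sha1(exe_bytes).hexdigest()


def classify(db: AppDB, path: str, exe_bytes: bytes) -> str:
    """Decide what the firewall should do when `path` first touches the network.

    Returns one of:
      "apply-rules"         same path, same contents: reuse the stored rule
      "prompt-updated-app"  same path, new contents: ask whether the user
                            knowingly upgraded it (the Sygate/Kerio style prompt)
      "prompt-moved-app"    identical binary already trusted under another path
      "prompt-new-app"      never seen: the user must decide from scratch
    """
    digest = fingerprint(exe_bytes)
    if path in db:
        stored_hash, _rule = db[path]
        if stored_hash == digest:
            return "apply-rules"
        # Either a legitimate upgrade or a replaced binary: never reuse silently.
        return "prompt-updated-app"
    for _other_path, (stored_hash, _rule) in db.items():
        if stored_hash == digest:
            return "prompt-moved-app"
    return "prompt-new-app"


def confirm_update(db: AppDB, path: str, exe_bytes: bytes) -> AppDB:
    """User confirmed the upgrade: re-bind the existing rule to the new hash."""
    _old_hash, rule = db[path]
    db[path] = (fingerprint(exe_bytes), rule)
    return db


def treat_as_new(db: AppDB, path: str) -> AppDB:
    """The alternative the post attributes to NIS/NPF: forget the rule entirely."""
    db.pop(path, None)
    return db


if __name__ == "__main__":
    # Constructed sample: a hypothetical updater binary before and after an upgrade.
    updater = r"C:\Program Files\ExampleAV\updater.exe"
    db: AppDB = {updater: (fingerprint(b"updater build 1"), "updater-rule")}
    print(classify(db, updater, b"updater build 1"))   # apply-rules
    print(classify(db, updater, b"updater build 2"))   # prompt-updated-app
    confirm_update(db, updater, b"updater build 2")
    print(classify(db, updater, b"updater build 2"))   # apply-rules
```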

jvmorris
November 2nd, 2003, 01:03 PM
Quoting mvdu:
"The thing is, I'm very happy with my AV, KAV - but I can't seem to be happy with any of the software firewalls I've owned. That's why I need help."

Although I don't personally use it, it is my understanding that KAV is a very nice AV package and is frequently updated. And KAV seems to be one of the few AV products out there at the moment that still checks hashes on the executables it checks (to guard against malicious modifications).

With regards to the software firewalls, I find myself in a situation very similar to your own -- every one of them seems to have some kind of glaring deficiency (from my personal viewpoint), only the details differ. Some have embedded rules (which aren't documented and can't be modified), some have limited customization capabilities, some don't provide the information necessary to further customize the rules to your requirements, and virtually none of them provide decent documentation as to how their rulesets could be customized to be consistent with the end-user's specific internet connection requirements.

mvdu
November 2nd, 2003, 01:03 PM
Hi again, and thanks - it happens with things like KAV's updater, which has to listen for Kaspersky Labs to update definitions. I dislike all the things you mentioned disliking about NPF. But are other rules-based firewalls easier for people like me, who mainly want to rely on default settings?

mvdu
November 2nd, 2003, 01:06 PM
Which firewall do you use, Joseph V. Morris? If you also haven't been happy with the firewalls, which one are you most happy with?

I have been running ZA + BI for a while, and that seems to have most things I want, but BI mostly takes up space alongside ZA.

->Guest<-
November 2nd, 2003, 04:24 PM
Quoting Joseph V. Morris:
"(as did ConSEAL, which is now the basis of the McAfee firewalls)"

ConSeal still exists in fairly much its original form. After McAfee took over, it resurfaced as Umbra, VisNetic, Deerfield, and now it's called 8Signs. Makes me wonder how many people they've ripped off with the licenses, it's hardly a cheap firewall. It also still looks like something from 1998.

jvmorris
November 2nd, 2003, 06:29 PM
Quoting mvdu:
"Which firewall do you use, Joseph V. Morris? If you also haven't been happy with the firewalls, which one are you most happy with? . . ."

I already answered that earlier in the thread. Jury is still out on the 'most happy with' part of your question.

jvmorris
November 2nd, 2003, 07:05 PM
Quoting ->Guest<-:
". . . ConSeal still exists in fairly much its original form. After McAfee took over, it resurfaced as Umbra, VisNetic, Deerfield, and now it's called 8Signs. Makes me wonder how many people they've ripped off with the licenses, it's hardly a cheap firewall. It also still looks like something from 1998."

Yes, that's what I thought had happened. I had problems with the ConSeal paradigm (but that's a personal matter); I don't recall anyone ever saying it wasn't acceptable. (CrazyM was a ConSeal user, incidentally.)

As for looking like something from 1998, heck, I can live with that! ;) (Indeed, I only wish I looked like something from 1998, at the moment!)

mvdu
November 2nd, 2003, 08:51 PM
Oops, sorry about that, Joseph. What would you recommend I run with BlackICE? Would you recommend I even keep BI?

As for why I changed so quickly, I've been experimenting.

mvdu
November 2nd, 2003, 10:16 PM
All this info. is definitely helping me: I can rule out NPF based on what you said. I like the extra level of protection ZA Pro + BI gives you, but if someone has a good reason why Sygate or Sygate + BI would be better, I'll look into it. I'm not considering Outpost at least until the new version comes out.

ellison64
November 3rd, 2003, 02:21 PM
Sygate's ok as long as you don't use a proxy server, as it still has the loopback problem and will allow anything that connects to the proxy server, without asking. I keep flitting between Outpost and Look 'n Stop. I like Look 'n Stop as it's so small and unobtrusive; however I find it difficult to make rules for it and it does cause problems with programmes like Ethereal, on my system. I think you'll find you won't be happy with any firewall for a while as the "best" one seems to be a combination of them all.
me

mvdu
November 3rd, 2003, 03:37 PM
That's why unless I'm missing something, ZA Pro + BI would be my best bet until Outpost has an update that amazes me. Sometimes Agnitum is lazy - like with active content handling, bugs, and termination protection. I wasn't all that comfortable with Sygate - lots of features, but it's easy to get lost.

ellison64
November 3rd, 2003, 03:47 PM
Well we both agree on BI, as I always use that, with Outpost or Look 'n Stop. I've tried it with Sygate and Kerio with no probs too. I don't know why you have a problem with the active content plugin of Outpost unless you mean the referrer per global rather than site basis? I don't have a problem with that, as I use Naviscope as a proxy and use the referrer and user agent blocking (per site basis) through that, so I just leave referrers on enable in Outpost. The only thing I use the active content plugin for is pop ups really, as IE6 does a better job managing ActiveX, cookies etc. (assuming you are using IE of course). I personally don't like Zone Alarm and would never install it again, due to the ridiculous uninstall procedure (that doesn't actually uninstall everything... including .dlls in the system folder).
me

mvdu
November 3rd, 2003, 04:00 PM
It's more the fact that there's no way to bypass pop-up blocking to see pop-ups you click to get. Outpost is the only other firewall right now that I have an eye on, though. Glad we agree on BI - I haven't had any problems with it, either. Security people are so entrenched in the one firewall idea that they aren't open to special circumstances.

mvdu
November 3rd, 2003, 04:13 PM
I could also use Norton's firewall, if I come to understand the rules better.

ellison64
November 3rd, 2003, 04:20 PM
Not sure what you mean about the pop up blocking, mvdu? You can enable/disable it globally (I block globally) but then enable certain sites. For sites that you need pop ups, like maybe banking sites or shopping sites, you can enable them... and block all others using the global block. I've never tried Norton firewall so can't comment on that.
me

jvmorris
November 3rd, 2003, 04:23 PM
mvdu,

Well, let me say something about BI (or Real Secure) being a software firewall. I use it exclusively for its IDS capabilities, which continue to exceed anything provided by any of the primary software firewall products. (I specifically include the latest releases of NIS/NPF in that comment and will have to wait until I know more about the Snort implementation in Kerio 4.x.)

To wit: I've never experienced or even read about a conflict between BI/RS and a primary software firewall. I've used various (older, to be sure) versions of NIS/NPF, Sygate, and Kerio with no problems whatsoever. I gather, from what I've read, that there are no observable conflicts with ZA/ZAP/ZA+. Last time I checked, the ISS site had failed to identify any conflicts. This is entirely different from the situation that is likely to obtain with trying to run two of the more recent releases of the various classical software firewalls. The latest releases of these 'more classical' software firewalls are beginning to burrow into the Microsoft TCP/IP stack and Winsock in ways that are not well documented (publicly, at any rate). Consequently, there is certainly a potential for 'collision' which is unlikely to be recognizable. As far as I can ascertain the BI/RS products have not done (and do not need to do) this to provide their functionality. As always, I'm willing to have someone refute that statement. :)

jvmorris
November 3rd, 2003, 04:31 PM
Quoting mvdu:
"... I could also use Norton's firewall, if I come to understand the rules better. . . ."

The definitive site on customizing rules (and basic firewall configuration) for NIS/NPF (and AtGuard, also) has to be CrazyM's website at http://www.gpick.com/agnisrules/index.html .

I've been delaying posting that link because I'm concerned that it may simply further distract you.

mvdu
November 3rd, 2003, 04:42 PM
Thanks for the link, Joseph Morris!

As far as BI is concerned, it's worth keeping an eye on - but not a major concern yet, I guess.

Well, thanks for the help, everyone. I think I can take it from here. I'll leave ZA Pro and BI on - but if I get comfortable with NPF, I'll use that - and if Outpost really improves, I'll use that. Good plan?

mvdu
November 3rd, 2003, 09:52 PM
One more thing: NPF isn't looking so bad after all, after seeing the links. It can be strange using NPF without NAV, but it might actually be better since I'm not using the same company for both. I don't think I should use BI with NIS 2004, though.

mvdu
November 4th, 2003, 01:13 AM
I was leaning towards NPF until I had a lot of trouble with a rule for KAV's updater - even after I thought I had it solved, prompts kept coming up. Back to ZAP.

mvdu
November 9th, 2003, 11:03 PM
But if I want one firewall that has an IDS, what firewall do people recommend?

CrazyM
November 10th, 2003, 12:08 AM
Quoting mvdu:
"I was leaning towards NPF until I had a lot of trouble with a rule for KAV's updater - even after I thought I had it solved, prompts kept coming up. Back to ZAP."

Do you recall the problem? Perhaps we could help with creating the appropriate rule.

Regards,

CrazyM

mvdu
November 10th, 2003, 12:16 AM
I got the right rules from the pcflank website; thanks for asking. But, I'm still not too keen on using NPF. I'm using ZAP now, but am wondering what the recommended firewall with an IDS is.

CrazyM
November 10th, 2003, 01:05 AM
Off the top of my head: NIS/NPF, Sygate and Kerio v4.x have an IDS incorporated into the firewall. I would have to do some checking as to which others may have this capability built in.

Regards,

CrazyM

mvdu
November 10th, 2003, 01:13 AM
Which one has the best IDS, I wonder? NPF seems to give me quite a few false positives. Thanks for checking into it.

jvmorris
November 10th, 2003, 01:31 PM
Quoting mvdu:
"Which one has the best IDS, I wonder? NPF seems to give me quite a few false positives. Thanks for checking into it."

This is getting interesting! There are old problems in the NIS IDS component, still unfixed (apparently) according to a current thread at DSLR security. (A bit surprising, since I would expect better of the Raptor technology upon which the NIS IDS component is supposedly based). And, in another thread here in the Wilders forum, BlitzenZeus just chimed in and said the KPF 4.x invocation of Snort as an IDS is terrible! (He oughta know!) Specifically, it appears that in KPF 4.x, the user can't customize the IDS signatures in any manner, whereas as CrazyM just noted in the DSLR thread, it's at least possible (in NIS 2003) to exclude questionable signatures.

mvdu
November 10th, 2003, 03:38 PM
I'd rather NIS fix them than me exclude them, though.

Comments in this link are holding me back from using NIS. I think the poster Wulfman has a legitimate complaint.

http://www.outpostfirewall.com/forum/showthread.php?s=36a8a61bf55bacc440d59e74ffd17403&threadid=6695&perpage=15&pagenumber=1

What do you think?

mvdu
November 11th, 2003, 02:48 AM
I'm trying Kerio 4.0.7 right now, and the IDS looks good - though I'd rather you be able to exclude signatures rather than type of intrusion. I like the firewall and will try it for a while.