Hello, I surely have a question asked thousands of times, but in the number of threads started here each day I was unable to find a satisfactory answer. I'm reconsidering my security settings, and I've decided to use some HIPS. In this case, does using an advanced firewall add any value, or is a basic firewall completely sufficient? In my understanding, advanced firewalls are nothing more than basic firewalls + some sort of HIPS + sometimes maybe a simple anti-virus - which I'm going to use anyway, but as a separate product. Am I mistaken? My point is that when using separate products for firewall, HIPS and AV, I have many more combinations to choose from to best suit my preferences than when I'm restricted to all-in-one security suites. Thank you, Martin. P.S. I don't ask for advice on a particular product; there are millions of threads in this forum that do so.
Just found in another thread: How's that possible? It must have been either because TF is not that good, or because the whole security setting was not tuned enough. Or am I dumb?
Yes, you can use a basic firewall plus a HIPS. No need to have an advanced firewall plus HIPS, as they will overlap too much and cause too many alerts. Basically, go to matousec.com and find a HIPS (not a firewall that passes most leaktests), e.g. Prosecurity. Now add a basic firewall of your choice (ignore leaktest results), e.g. Looknstop. Now you have a great lightweight firewall and a HIPS to catch the leaktests. No need for a bloated advanced firewall and HIPS at the same time.
AVG silently blocks some leaktests because they are listed in its database. I don't think this can be regarded as "stopped". It has stopped a particular executable from running, but not the behaviour it has introduced.
Martin: Yes, you are a bit mistaken. But it doesn't matter much. I looked over your posts on the forum and your needs seem to be a setup that won't bother you with popups and confuse your non-technical spouse. Fine. These days users need a solid FW and a solid HIPS. The FW keeps bad packets from getting to your PC and, if it is an In/Out FW, will also manage which sites/applications can receive packets from your PC. This latter feature has to do with the privacy of your information. The HIPS deals with programs/applications trying to run on your PC that shouldn't be allowed to run. If a trojan slips past your AV/ASW and FW, since none are 100%, the HIPS is your last line of defense. So it is not a matter of an Advanced FW being a HIPS; the term "advanced" wrt a FW means advanced users can create/modify the FW rules to be more secure, and this means being more specific on what ports can be used etc. I have some ideas for free FW and HIPS that are NOT tools you have worked with before and were not happy with. But you didn't ask for tools, so I will hold these ideas back for now. If you don't want a tool vs tool thread, PM me and I will respond. It would help if you could provide the IDs of your AV, ASW and FW in use now, whether you are behind a router, and what your OS version is.
Thank you, Escalader, for your offer. You're right, I'm looking for a setup that is easy to handle for non-technical folks, but also configurable enough. Because it's me who will be configuring it, but my wife and other members of my family will have to deal with the popups. Currently I've got the old Jetico FW, but it's so noisy that we all - including me - became used to clicking "Yes" on any popup without reading it. This is unacceptable. Fortunately we're behind a HW firewall and don't use P2P etc., so it's not so critical yet. But the reason I started this thread is different - I'd like to clarify my own ideas. I've read tons of docs on this topic but am still confused - because the information is incomplete and contradictory. Of course, when one uses 5 firewalls, 3 HIPS, 7 AV, several keyloggers, anti-rootkits etc., he may feel safer than when he only uses 2 of each kind. Nonsense, of course. But I have the same feeling when I read those popular leaktest sites and other comparative reviews. In my opinion they compare apples to pears. It's obvious that a FW with HIPS features blocks more threats than a basic one. But this does not make the basic FW any worse - because it was not designed to be used alone without any HIPS and AV software. And here comes what I began this thread with. If the FW cannot be shut down, if a browser is blocked by the FW from executing any other program, etc. - what is this other than HIPS? And why have HIPS in the FW if I already have a standalone one? (Of course, you can place two locks on your door instead of one, and you will be more secure. The question is how much more. But this is not what I'm asking about.) By a basic FW I meant a "smart" packet filter (the FW in the sense of Wikipedia, perhaps up to the 3rd generation, but still working on packets). By an advanced FW I meant everything else. (If a FW prevents itself from being killed, this has nothing to do with packets.
If a browser needs to access IP 123.45.6.78, this definitely has something to do with packets, though the info from packets alone is not sufficient.) I apologize if I use an improper term, but I have no better. It matters - to me. Because exactly because of this I started this thread. If I am mistaken, can you please explain it to me a little bit more? Or at least give a link? Are you aware that you are saying the opposite of what "dmenace" says above? Thanks, Martin.
I re-read dmenace's post(s) and have no real differences, so that's fine. This thread has posters (me included) who seem to have different definitions of advanced FWs. If we are saying that an advanced FW is only advanced because it has functionality beyond packet scanning, that's one view. Another might be that Basic FW + a powerful HIPS = an Advanced FW. Others may call that combo a "suite". It is much easier and less confusing to define what functions a user should have working on his PC, then search for the products/vendors that best provide those needs. You are right that the FW should defend itself from being shut down or modified by untrusted programs. But it would help me if you could rephrase your question(s) or indicate what exactly you would regard as a "good"/"useful" outcome for your thread? It's probably just wording...
This is one of the best short lists of requirements and mirrors my view on FW/HIPS 100%. https://www.wilderssecurity.com/showpost.php?p=976945&postcount=7 I hope this helps.
Wasn't supposed to be anything but a rough and ready test. I mentioned "accessible leaktests", for as Alexs points out, "AVG silently blocks some leaktests because they are listed on its database." To get proper results, I suppose you would really have to run tests on each app.
Escalader, let's agree that Basic FW means a "smart" packet filter, and that Advanced FW is Basic FW + "something more". Then my question is whether that "something more" is HIPS. In other words, if I combine Basic FW with a standalone HIPS program, will I miss anything in comparison with Advanced FWs? However, I don't want to fall into academic debates. I'm just not sure that I'm not steadily overlooking something. Edit: I've submitted this before your other post. Thanks for the link, I'm going to have a look at it.
I don't know whether I understand well, but in my opinion it is useless to run leaktests on individual security components. It is important whether the system security as a whole withstands the leaktests - but for this purpose the individual security components must cooperate. What you've written was alarming to me, because I was thinking of TF + a basic FW + AV as a possible candidate for a leakproof security setup.
It mirrors mine too. But as an amateur, I wanted to see my opinions confirmed by someone erudite. Thanks for the link.
OK, to satisfy yourself the only way is to trial the apps of your choice and test them. The risk really isn't great! As you are worried about leaktests and seem to want a firewall without HIPS plus a separate HIPS, the obvious answer is to use ProSecurity for your HIPS. If I were you I would just settle on a firewall with HIPS which scores well on the leaktests, as this seems to be your criterion, for some reason. Consult Matousec and you have two choices. There is an obvious suitable candidate which would solve your problems. Then choose an AV. Do not get too bogged down; it's really not that complex unless you make it so, and it won't help you in the end. Edit: If you run separate leaktests you will find out how each component scores and in which test. Then, by trial and error or from established results, you will use those that score the best, or complement each other and are compatible, to achieve the optimum total result. There's no magic! The layer principle.
This is exactly what I didn't want to. Because, as you say, this gives me only a single (freeware) choice, and I have some specific requirements. And that's why I was asking whether basic FW + separate HIPS leads to the same results. There's no reason why I should choose a firewall that doesn't pass the leaktests - if I didn't want to use a separate HIPS with it - even though the risk is not high. This is a way too, but I agree with the principle stated in the link provided by Escalader: "The less (the layers) overlap in functions, the better." Thanks for the response!
I have just read the whole thread. Excellent discussion! Thanks again! Just one question: What is meant there by Pedro? Maybe this "outbound control" is what distinguishes Advanced FW (in my sense) from the Basic FW + HIPS combination?
Hello, "... is the basic firewall sufficient ..." for what?
1. Do you have to control your apps outbound on a port/protocol basis?
2. Do you fear infections?
3. Do you have more than 1 network adapter?
4. Is your setup a mixed bag of OSs, computers, LAN, sharing etc.?
All these will impact whether you "need" or "want" a basic or an advanced firewall. The tradeoff is that an advanced firewall requires more interaction, but gives you better control. But if all you do is connect to the web for a bit of news, some emails and such on a single machine, and would not know how to answer a question regarding ldap tcp 389 wants to connect blih blah blah, then a basic firewall is the right one for you. Mrk
Yes, the 3 main FW learning threads do provide a lot of good information. I have it in mind (someday) to go over them all, extract the common wisdom, and publish that in a post. I'm sorry, but I don't understand "HIPS with outbound control"; not my post. Again, the HIPS function manages what executes and what doesn't. The FW should provide access control. For example, in OA 2 under FW rules, there is a list of programs that have access to the internet. That means to me I have certain programs that are denied access, games, etc.
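A toy model of the three layers the thread keeps distinguishing (a packet filter that sees only port/protocol, a per-application outbound firewall, and a HIPS that gates what executes), added here as an illustration and not taken from the thread or from any product; all program names, rules and scenarios are constructed.

```python
from dataclasses import dataclass

# Added example, not any vendor's code. "Basic FW" sees only packets, the
# application-aware "advanced FW" adds a per-program rule, and the HIPS gates
# which programs may run and which may launch others. All names are constructed.

@dataclass(frozen=True)
class Event:
    kind: str           # "connect" (network) or "exec" (program launch)
    process: str        # program performing the action
    proto: str = "tcp"
    dst_port: int = 0   # used for "connect"
    child: str = ""     # used for "exec": program being launched

BASIC_FW_PORTS = {("tcp", 80), ("tcp", 443), ("udp", 53)}      # packet-level only
APP_FW_RULES = {"firefox.exe": {("tcp", 80), ("tcp", 443)},    # per program + port
                "svchost.exe": {("udp", 53)}}
HIPS_TRUSTED = {"explorer.exe", "firefox.exe", "svchost.exe"}  # may be executed
HIPS_MAY_LAUNCH = {"explorer.exe"}                             # may start children

def basic_fw(ev):
    if ev.kind != "connect":
        return "n/a"
    return "allow" if (ev.proto, ev.dst_port) in BASIC_FW_PORTS else "block"

def app_fw(ev):
    if ev.kind != "connect":
        return "n/a"
    return "allow" if (ev.proto, ev.dst_port) in APP_FW_RULES.get(ev.process, set()) else "block"

def hips(ev):
    if ev.kind != "exec":
        return "n/a"
    return "allow" if ev.process in HIPS_MAY_LAUNCH and ev.child in HIPS_TRUSTED else "block"

def evaluate(ev):
    """Verdict of every layer, so overlap and gaps between them are visible."""
    return {"basic_fw": basic_fw(ev), "app_fw": app_fw(ev), "hips": hips(ev)}
def blocked_by(ev):
    """Names of the layers that would stop this event (empty if none)."""
    return [name for name, v in evaluate(ev).items() if v == "block"]

# Constructed scenarios mirroring the thread: an unknown program using an
# allowed port passes the packet filter and is only caught by the per-app rule.
SCENARIOS = {
    "browser_https": Event("connect", "firefox.exe", "tcp", 443),
    "unknown_https": Event("connect", "unknown.exe", "tcp", 443),
    "browser_launches_prog": Event("exec", "firefox.exe", child="notepad.exe"),
    "shell_launches_unknown": Event("exec", "explorer.exe", child="unknown.exe"),
}
```

Calling `evaluate` on each scenario shows which layer decides each event: the two "exec" cases are invisible to both firewalls, and the unknown program on port 443 is invisible to the basic packet filter.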