Confessions of A Former Firewall Junkie

Years ago when stuck with dial-up, I used both Tiny 2.x and Zone Alarm. At the time the support for Tiny 2.x (now, Kerio 2.15) was not as good. I became frustrated with making rules and switched to Zone Alarm. Eventually, I got wired for DSL and stayed with ZA until about 3 years ago when I bought a PC with XP on it. That caused me to switch to the built in XP firewall. Two years ago the next evolution was a router/wireless access point with NAT, later upgrading to a better router/wireless box that had SPI as well as NAT. When I acquired the first NAT the software firewall was removed.

Several months ago I started testing various software firewalls. These included XP ICF, Kerio 2.15, CHX-1, Zone Alarm 5.5, 8Signs, Jetico, Tiny 6.x, LooknStop, Outpost, Sygate, A-Wall and Netvida. With some I spent more time than others, namely Kerio 2.15, CHX-1, Jetico and Zone Alarm.

After all of this testing I returned to using only the hardware NAT/SPI in my router with one modification. Today I have no ports forwarded. Rather, the only applications that require server access are able to open a port on the firewall using UPnP.

What happened?

For one thing playing around with P2P applications really showed me the limitations of software firewall performance. The difference in system performance using a software firewall while running bittorrent clients was enormous.

The only software firewall that seemed to be able to deal with eMule (which I no longer use) and its crazy usage of a random UDP port was CHX-1. Every thing else requires opening a range of Ports 1024-5000 for inbound UDP, or simply granting eMule unrestricted internet access.

I found that dealing with advanced application controls to be tedious and annoying. There are a range of opinions on the topic of outbound application filtering. Obviously, I am one who does not believe that it is worth the effort. In this forum there are several who feel the measure of a firewall is how many leak tests it can pass. Somewhere in the middle are those who like simple application controls for the purpose of controlling network access of known applications. Having dispensed with the need for outbound application filtering there seemed to be no need for a software firewall, so I ditched mine and noticed how much better things ran.

Actually, I found that I spent a lot of time tweaking firewall rules, even without advanced application filtering, and sometimes without any application filtering. There are also differences in how a hardware and software firewall will treat the same connection. Those differences will show up as excessive log entries in many firewalls. I noticed that Kerio 2.15 and the Windows ICF suffer from this affliction while CHX-1 was relatively free from it. Some of the others I may not have looked at closely enough for this issue.

There were influences other than this forum and the hands on testing that I have done. In particular there are several faq's over at DSLR dealing with using a software firewall behind a NAT. I won't bother to link at the moment, but everyone around here should read those faq's. Additionally, I had conversations with several IT professionals who ran elaborate networks at home and used nothing other than the hardware firewall in their router.

What if I had a laptop, and used it on public wireless networks? Probably, I would enable the built in XP firewall for those sessions, or possibly go with CHX-1. But, behind a router I will not likely bother with a software firewall again, and a hardware firewall is something I would not mind having built in to a motherboard, as in the latest Nvidia chip set.

So far over the years I have been hit only once with a trojan. It was something I downloaded and probably should have waited a few days to run so that the AV vendors could have caught up with it. It was also very obvious what had happened. The program did not do what it was supposed to do, an additional process showed up in the task manager, and there were additional start-up entries in the registry. I continue to be amazed with the complete lack of stories about how a system was saved by any of these advanced security measures, while stories of detections by various AV programs are seen on a daily basis.

So, that is the story.

 

I too have had a similar journey down firewall lane. When I got cable internet the first thing I did was to buy a router. Similarly, when I first started out, I used ZA free and then OP free together with the router.

Though not a firewall junkie, more recently I've tried out OP pro, netveda, kerio4, and jetico. I wasn't truly happy with any of them. I'm not, “a tester or a tweaker or a wiz at creating rules”, the concepts seem to elude this old mind. (In no way was the previous sentence a knock on anyone so inclined.) I fly more by the seat of the pants - does it slow me down - does it create to many diversions, and evaluate do I even need it. I want the whole process to be invisible.

I practice safe-hex, don't use p2p, don't download music or use any stuff like kazaa. I run a w2k machine, so no built in XP firewall. I did find that I can configure IPSec, something that's already on my computer, which does work facing the internet. IPSec thread here

So right now I'm using the router, IPSec and IE locked-down, and constantly going to windows update and feel quite safe. That's my story, and I'm sticking to it.

 

It really comes down to what you are happy with and you are obviously with yours and what you do with it, so good luck to you for taking a balanced view of it (that is not a snide remark).

I am not confident in taking that approach as I have confidential information that I don't won't to risk. If I use an app that seems to slow the m/c then I discard it and find an alternative that is more acceptable. It is all a question balance.

 

Even if one does not use a firewall, Harden-IT, a freeware will harden your TCP layer using MS conventions but with a nice GUI, most of the protections offered by firewalls for pakcet filtering like TCP ACK SYN RST protection, DDOS, Flooding etc can be implemented with this utility.

 

hey diver:

you should put a link to this thread in your signature. that way the next time you piss somebody off with your 'out of the box' firewall thinking, (which should be any moment now), they'll know where you're coming from! j/k, kinda

 

Are you talking about bandwidth speeds or rule creation or both?
Any activity which involves a lot of new connections rather than continual traffic to a constant number will usually be much slower. I believe the reason for this is that there is less processing that needs to be done. With new traffic the firewall must search the firewall table to determine that an entry does not exist. Then some 'state' analysis needs to take place and then addition to the table. This could even occur even with broad 'allow all in' 'allow all out' rules. But with more traffic from a connection already in the table very little needs to be done. Perhaps a search of the firewall table from examination of a very small amount of the packet, sometimes just the TCP flag. But also note that examination of only a small part of the packet also means that it is possible to carry out very techinical attacks by spoofing certain fields in the packet header, even if this is uncommon.
*The* source for more related information is of course http://www.spitzner.net/fwtable.html

As fa as your troubles with P2P I think you have encountered one of the main problems with static packet filters as opposed to stateful packet filtering, some of which can be dropped into any network without reconfiguration. Hence, the reason why Stateful Packet Inspection technologies are (a) popular (term).

What do you mean by this exactly? In Kerio2x you can choose exactly what you want to log and ICF simply logs any packet not initialized from your end or part of an existing connection. Perhaps you are referring to Kerio2x's 'Log Suspicious Packets' "feature" which logs TCP flags sent out of sequence as 'Attacks'?

 

I just had an idea here:

A good feature would be a throttle to determine how much or which part of the packet will be examined to make an evaluation. On home machines highly techinical attacks involving spoofing of certain TCP headers are unlikely so you might just check the TCP flags for fast processing. But a more paranoid setting with the slowest processing would use all fields. For example, include TCP sequence numbers and tie this information to addresses, in case of the rare event that someone comes up with an identical sequence number from another address (Highly unlikely unless the TCP sequence number generation is flawed).

 

Ghost-

I might have a been a bit unfair about attributing excessive logging to Kerio 2.15. Unchecking the "log suspicious packets" box does indeed cut out most of the garbage from the difference between the hardware firewall determines when the connection is over and when the software firewall decides so. By the way, I did not determine that there is a timing difference by personal experimentation. I found it to be the only credible explanation for what was happening and it was mentioned in one of the DSLR FAQ's. With the Windows ICF, I was unable to cut this extra logging down.

So far as P2P and performance goes, setting rules was only a problem with eMule, and only so far as how much you want to trust that application. [With 8Signs there is a problem because it does not make sense to allow inbound UDP on ports 1024-5000 for what is in effect all applications.] What I noticed was that my system would become sluggish when running long Bittorrent sessions. This was with a variety of Bittorrent clients and firewalls. Remember that Bittorrent will maintain as many as 80 connections per download. Without the software firewall, there was no slowdown. I do not know the technical cause, only that eliminating the software firewall solved the problem.

 

Very Interesting 1st post in this thread.