Firewall dilemma

I'm having a hard time deciding between ZA Pro 4.0 and NIS 2004. I also have a license for Outpost Pro 2.0, but have ruled that out for now because I hate the way it handles active content. I'm on a router, but still want an IDS - and I could go back to running ZA Pro + BlackICE since they work well, but NIS handles everything with one firewall. I got NIS 2004 free through my dad's work and can continue to get NIS free as long as he works there, but I bought ZA Pro and BlackICE this year and wonder if I should use them. With NIS 2004, my KAV Personal 4.5 would have to be a backup to NAV. Also, do ZA Pro and NIS 2004 offer an equal amount of protection and have equal reputations and amount of horror stories? Do you have any suggestions for me?

 

Right now, I have NIS on, but I'm open to advice.

 

Which setup is more recommended?

 

Well, if nobody thinks it matters, I'll use this setup:

router, ZAPro, BlackICE, KAV 4.5, BitDefender free (on-demand AV scanner), TrojanHunter, System Safety Monitor, SpywareGuard, SpywareBlaster, Ad-aware, Spybot S&D., regprot, mru-blaster.

 

Thanks, LowWaterMark - and I plan to keep the configuration I just mentioned (as I don't want to rely too much on one company,) except minus regprot. I'll just turn on registry monitoring in SSM.

 

Hi mvdu

I have a nearly identical setup to you - using ZA Pro, KAV 4.5, router etc. I have never tried NIS 2004, mainly because I don't like product activation, no reflection on the product. Your comments (and LWM) on BlackIce seem very sensible - I think I'll try that too. Anyway, the combination on my pc runs very well and never given me any problems. Since you are behind a router you probably only need a firewall for outbound protection, it is my impression that LnS provides better outbound protection that ZA Pro (can't provide the link as I can't remember which test showed it). Having said that I don't use LnS but may try it once current license for ZA Pro expires.

All the best

Steve

 

Hi, StevieV:

A leak test board showed LnS as doing better - but ZoneAlarm has something called process protection coming that should stop all leak tests. Another reason I changed from NIS is I didn't like how it configured programs.

Take care,

mvdu

 

Hi mvdu

Thanks for the info. I have just installed BlackICE, seems pretty stable so far. My attitude is 'if it isn't broke, don't fix it' and ZA Pro has always run very well on my system with no stability issues and seems to do everything a firewall should. The other thing I like about it is ZA arent just sitting on their laurels, they are constantly developing and trying to improve their product (I like KAV for the same reasons).

Good luck with whatever you decide

Steve

 

Thanks, Stevie! I guess this leaves only Sygate to try out - but I don't know if BI would fit as well with that..

 

Tried Sygate briefly for a month - clearly a very good program. Decided on ZA Pro because Sygate didn't perform very well on leak tests and also when I granted a program permission to connect to the internet, Sygate automatically assigned the program server rights and I had to edit each new entry manually to deny sever rights. Overall though a pretty impressive program but didn't suit me as well as ZA Pro. Don't know about BI with Sygate perhaps someone else has experience with this.

Steve

 

I know that Sygate has mostly fixed the leak test problem with the latest release. And I'd like to just have one firewall with an IDS. Guess I'll evaluate it fully. Too bad Sygate doesn't have the privacy features that ZA Pro does. Should I be concerned about some people saying Sygate has vulnerabilities?

 

Same configuration, but I think I'll use NPF 2004 as firewall. Things are a little slower with ZA and BI. And since I use KAV, I wouldn't be using the same company for AV and firewall. I assume no one has objections?

 

No, I better stick with what I decided. I still get the feeling that ZA Pro is more heavy duty than NPF. And BI running behind ZA Pro is a more extensive IDS.

 

I personally like SygatePF5.5 (free) they fixed all the leaktest probs, but, Syate will not work with BlackICE defender, One plus for sygate, is it has very detailed attacks logs/traffics logs/etc

 

As I understand it, the free version of Sygate doesn't have the IDS I want, though, or advanced configuration. So I think what I have is still best for me. I wonder if Sygate free also automatically grants access rights? Thanks for the input, though.

 

I will keep NPF and in the future maybe Outpost in mind, as I don't want to shut off all possibilities. As I stated when I first came here, I'm very open-minded.

 

mvdu,

Sorry, been away enjoying myself for most of the past two months.

I'm a little confused in trying to follow your postings because at one point you indicate you've decided to stick with ZAPro and then (apparently only a few hours later), you indicate you're going to keep NIS (or NPF, as the case may be).

I'm a long-time NIS/NPF/AtGuard user and LowWaterMark is a longtime (I think!) ZA/ZAP/ZA+ user. As has been said many times in both this and other security forums, the most fundamental issue in selecting a firewall is choosing one with which you're comfortable and which you are (or at least feel) most comfortable.

In that context, it's important to realize that ZA/ZAP/ZA+ and NIS/NPF/AG came (originally) from two rather opposed views of what kind of software firewall was most appropriate for the average end-user and, as time has passed, each product line has tended to migrate in the direction of the other!

NIS/NPF releases are essentially derivatives of WRQ's AtGuard product line that stressed the ability to write highly customized rules (as did ConSEAL, which is now the basis of the McAfee firewalls). That was great, as long as you knew exactly what you were doing. And, from the very first release 1.0 of NIS/NPF, Symantec embarked on a long campaign to eliminate this burden on the average end-user. In its latest releases, many NIS/NPF users have no idea what the rules actually are or how to find out or how to further tighten them to a particular user's individual requirements -- nor do they necessarily need to.

I think (and I'm sure LowWaterMark will correct me if I'm wrong) that ZA began from the opposite extreme -- "ease of use" for the average Joe being the primary consideration. ZA/ZAP/ZA+ have, consequently, tended to migrate towards a capability to further customize the rules in a manner that is now very similar to what one could do with AG/NIS/NPF.

The NIS/NPF evolutionary strategy has tended to obfuscate the rules in place (i.e., to reduce the transparency of the rules); indeed, it's now extremely difficult to get a comprehensive idea of the rules that have been implemented or to determine how these rules could be further tightened for a particular user's requirements. And it's also exceedingly difficult to determine if the NIS/NPF firewall is actually working the way the end-user intended or to determine the nature of any problem that may develop. (Which, unfortunately, may be one of the reasons that so many users of NIS/NPF 2003/2004 are "satisfied" with these latest releases.)

I'm not so qualified to explain what's happened with ZA/ZAP/ZA+ ; that's more in LowWaterMark's area of expertise. True, the rules can now be considerably more customized that was available in the early versions, but I find the implementation of this customization to be a bit awkward and unnecessarily complicated. (JMHO)

At somewhere along the way, we got the original "Third Way" products. To me, Sygate Personal Firewall always seemed something like an enhancement of the original ZA (free) with some new ideas thrown in. And I've always felt that Tiny (and then Kerio) were something of a backlash against the 'bloat' that Symantec introduced in NIS/NPF to make AtGuard more user-friendly, again using a distinctly different approach.

I can't comment on Look 'n Stop or Outpost for the simple reason that I've never used either. I've never considered myself a tester of alternative software firewall implementations from different vendors; I just found what worked for me (acceptably) and tended to stick with it.

So what do I use? Well, until quite recently, I used NIS 2.5 on Win 98 SE, NIS 3.0 on Win 2000 Pro, and NIS 4.0 on Win XP Home, backed up by BlackICE (or Real Secure Desktop) to provide more extensive IDS capabilities. Furthermore, this was on a dial-up connection in which I used Microsoft's ICS as a software-based router. (NIS/NPF 2003/2004 lack the documentation capabilities which I find so important.) More recently, I've replaced NIS 2.5 on the Win 98 SE box with Kerio and NIS 3.0 on the Win 2K Pro box with SPF (both still backed up by BlackICE/RealSecure on those machines). Both are interesting implementations, but I must admit that I am uncertain and may well revert to NIS 2.5/3.0 on these two boxes -- primarily for the additional features provided by NIS. On the other hand, I am unlikely to upgrade to NIS/NPF 2003/2004 due to the lack of any reasonable capability to document system configuration or do trouble-shooting, both of which are quite critical to me.

I haven't found the 'perfect' software firewall yet -- and I doubt that I ever will.

 

Any thoughts on the setup I decided on? If I want one firewall with an IDS, is NPF the way to go? Considering Outpost hasn't made improvements yet and I'd have to pay more for Sygate?

Here it is:

Dell router
NPF/NIS 2004
KAV Personal 4.5
TrojanHunter
System Safety Monitor (with application control and registry protection on)
SpywareGuard
SpywareBlaster
Spybot S&D
ProcessGuard
Ad-aware
MRU-Blaster
XP Anti-spy

 

Forgot to add that I also have free BitDefender for on-demand AV scanner.

 

Ok, one more post for the night. I'm a little worried about rules-based firewalls. I generally know what's being allowed when I look at NPF's automatic rules, and I know how to change them. But I really don't want to create rules unless I need to for something. Would I be better off sticking with ZA Pro, or are NPF's defaults usually good enough?

 

Hi mvdu

It really boils down to which one you are most comfortable with. Both offer good protection and the ability for custom rules. NPF's default rules are good for most users, but can still be customized and streamlined by those wanting to do so.

Regards,

CrazyM

 

Following up a bit on CrazyM's response to this question:

NIS/NPF contains a list of something that must now be approaching a 1,000 popular, Internet-enabled applications. It can generate automatically rules for these applications that are typically a bit more stringent that the 'default' rules likely to be generated by ZA(free) -- I'm not that certain about the current situation with regards to ZAP.

When I say that, I'm talking about the NIS/NPF pop-ups you're likely to see the first time an application attempts to access the Internet. If you see an option to "Allow NIS/NPF to automatically generate rules for this application". However, if you only see an option to "Permit All" or "Deny All", then NIS/NPF doesn't yet have rules templates for the application in question. I don't generally like the "Permit All" selection -- because that's exactly what it does for the application in question -- at that point, you might as well be running ZA (free).

Still, as CrazyM notes, it's actually possible for an individual user to further tighten these rules for his or her unique requirements. I suspect that the most commonly cited example is restricting the general DNS rules to only the DNS servers upon which the user relies (usually a set of between two and four remote IP addresses). While there's a lot of automation in how NIS/NPF generates rules (and this is where the bloat complaint comes from), it's simply not very practical for NIS/NPF to automatically determine the IP addresses for a particular user's DNS servers. And, rather obviously, a similar situation pertains with regards to the POP3/SMTP servers that a particular user needs access to with their e-mail client(s).

 

Sometimes NPF will say an application is listening on ports, and to deny all or permit all. It means I'm allowing it to act as a server when I click permit, and I don't like that - but unlike with ZAP, some programs don't work if you don't click permit. At that point, I'd like to create custom rules in NPF, but don't always know the server's address that it's listening for.

Would people recommend Outpost or Sygate over ZA Pro in my case? With Sygate, it's easy to turn off server rights.

 

The thing is, I'm very happy with my AV, KAV - but I can't seem to be happy with any of the software firewalls I've owned. That's why I need help.