FireWall Functions, Pros and Cons

Hi Firewall Users.

I am not seeking a debate here just experienced views.

ZA Pro 7.0.337 is my current firewall. Even though I have 5 months to go in it's license I am not married to it at all! (or any other specific tool for that matter).

Here is a series of questions/requests for opinions pro and con and the technical rationale/ reasons for those opinions.

I have a list of 5 FW tools here and I'm likely to go with 1 of them in 5 months time.

1. COMODO
2. Look "n" Stop
3. ZA Pro
4. Outpost
5. PC Tools FW

What are the critical functions a FW must have? (I started it)

IN/OUT control
Program level rules
Trusted sites list
Ease of use with other security softwares
No known conflicts with other software
Effective Vendor support

What are the main (1-2?)Pros and Cons of each? What is the technical rationale/ reasons you have for the Pro's and Cons?

1. COMODO
2. Look "n" Stop
3. ZA Pro
4. Outpost
5. PC Tools FW

Some of you may a good FW is missing so add it in with same data!

When done I will be glad to summarize the results and provide it here!

Thank you in advance.

 

It seems to me that you have to answer this question yourself. Criteria would be,

"What is your definition of a firewall, that is, what do you want a firewall to do?"

Is a firewall just a simple packet filter, or do you consider a firewall an application that monitors/controls outbound traffic?

Some don't even use a firewall (I know of two) and I demonstrated last year that you can run without a firewall if your system is set up properly (all ports closed) - I tested for four days.

Some use the WindowsXP firewall which monitors just inbound traffic, confident that other protection against malware negates the need to worry about such connecting outbound.

The answer to your question should be in context of how a firewall fits in with your overall security plan.

Otherwise, the discussion becomes one of comparing features that may or may not be applicable to your situation, and consisting of comments by people whose security setup and consideration of threats may not be related at all to yours.


regards,

-rich

 

Thanks Rich for your views. Some will say users don't need a FW but I'm not smart enough to deal with that one!

You are right, I do have to and will answer this question myself.

The goal of studying others expert views to ensure I don't miss a function. No problem with reducing the list once done.

Here is a link to a FW which gives a pretty good idea of what I'm thinking about right now.

http://www.webroot.com/pdf/Prd_DtF_DSh_USA_0206.pdf

This one is not on the list but could be. Let me know if you want what you think of this one.

 

Well, I don't envy anyone today attempting to choose/compare products - so many of them are multi-functional and try to cover many bases.

For example, in the file you referenced about Webroot:

Are you concerned that an intruder will actually gain access to your computer and install a trojan?

If so,do you want the firewall to stop its actions, or do you depend on some other means of protection? If the latter, will the firewall just duplicate, or interfere with something else?

Looking at its other "key features" one needs to ask if all of that is necessary, will it interfere with other programs, and how all of this monitoring actually works.

Again, like many newer firewalls, it is more than just a firewall in the old sense. Too bad a new description hasn't been adopted.

Stem's reviews of firewalls is probably a good place to start!

regards,

-rich

 

Rich told a very wise words of advices after having been around a quite a while.
It is not which one, it is about what suits you best.
I am using Comodo currently, but its leaktest passing interest does leave out a few important features as a packet filter a bit missing amnd desired or anyways not that flexible.
My fave all time firewall kerio 2.1.5, not recommending it to anyone unless wanting to learn a rule based firewall and besides it is not working in Vista, just telling, covered that department most of any.

With newer "FW"'s, like Comodo etc, when they will go to HIPS's in newer versions i will predict, lots of imcompatibilities with any existing security software. Or will cause anyways a lots of problems and people disabling this and that feature after tried and not having nothing but troubles. Bloat is a bloat in one way or another.

I am fortunate that my new computer that I got less than month ago has only XP Pro and not Vista, so I have a lots to choose from and built my security.
Would be stupid of me to say any comments on programs in your list.

 

This is an important consideration. See some comments here:

One Suite vs AV, HIPS, FW, AS, +++
https://www.wilderssecurity.com/showthread.php?t=170615


-rich

 

Regardless of whether you choose a simple internet firewall or a multi-function suite, controlling internet traffic is the firewalls top (or only) priority. No matter what else a firewall does, controlling traffic is is critical to your systems security. Beyond that, it's your choice whether the additional functions such as application control are part of the firewall or provided by another application. There's pros and cons both ways.

IN/OUT control
Choose one that lets you configure incoming and outgoing traffic on a per application basis. Ideally, the firewall should let you specify allowed and blocked traffic by IP(s), protocols, ports, and direction.

Trusted sites list
Regarding trusted sites list, this doesn't need to be a separate component or listing. You can effectively create a trusted sites list in a rule based firewall. Even ones like Kerio 2.1.5 allow you to set up a custom address group which could be used as a trusted site list if you choose.

Program level rules
If you're referring to application control, it's your choice whether this is supplied by a firewall suite, a separate HIPS, sandbox, or system policy.
If you're referring to controlling internet traffic on an application level, if you find that easier, it's your choice. You have greater control over the individual apps traffic with a rule based firewall.

Ease of use with other security softwares
The less overlap in functions, the better. It's very important that security apps can be configured to accomodate and accept each other, especially if they function at a kernel level.
If you're referring to ease of configuration, that often comes at a price. It can be increased disk and resource usage, dependence on a vendors server, or a lower level of protection due to very permissive configuration.

No known conflicts with other software
That's almost a catch 22. Just because an app doesn't conflict with the present versions of other security apps, that doesn't mean that there won't be one when one of them updates to a newer version. I've run into this with several security apps. They got along fine until one releases a new version. This can even happen in a multi-function suite, especially when an AV is part of it. On more than one occasion, a vendor has released an update that has crashed the whole package. The chances of conflict are increased if more than one of the apps function at a kernel level. The more features that get added, the more chances for conflicts.

Effective Vendor support
Depends on the type of application. With an AV or other signature based app, support is critical. With apps like a rule based firewall, script defender, or web filtering software (like Proxomitron) where updates aren't necessary to the app to remain effective, support isn't that important. Support is more important with newer apps and more recently released types of security-ware than it is with apps that are fully developed. Kerio 2.1.5 for example isn't supported anymore, but it's still a very effective firewall. With apps like virtualization and sandboxing programs, support is more important as these are still being developed and improved.

Probably the single most important consideration in choosing a firewall or firewall suite is choosing one that matches your ability to configure and use it. This is far more important than features, leaktest results etc. More than anything else, the security apps you choose have to fit you.
Rick

 

Hello Jarmo,
it would be of interest to this thread to see what you think Comodo lacks in packet filtering. Also, doesn't Kerio 2.1.5 lack SPI or something?

You two seem to have much to say, so i ask you to answer Escalader's specific questions.

I'd like to state that i have a hard time trusting ZA, after that phone home episode. Maybe it wasn't real?

Outpost seems a nice firewall, if all that AS, A-spam and cookies can be selected off, or not installed. I never touched it, specifically because of these addons. They also intercept a specific leaktest (as in, they detect that leaktest code, and block it- matousec's anti-something)- this does not give me warm feelings.

Look "n" Stop is highly appreciated, but i don't know it. PC Tools seems a copy, if i recall some remarks over here.

Comodo i abstain . I'll never pay for a FW because of Comodo. That's why i'd like to know what it lacks in packet filtering. If you turn off the leaktest functions (as in, forget leaktests), is the FW good or not?

TIA (thx Escalader, you have a way with topics)

 

It is not so much what it lacks, but how it works. When using Comodo, one misses a rule based packet filter like kerio 2.
When one wants to examine internet connections, the logging and tweaking of rules is not so nice with Comodo.
For most users it should be ok. Remeber I am using it currently too.

Kerio 2 has SPI. Not sure if pseudo spi in some firewalls is of much good. Reading time sychronization problems like this:
http://forums.comodo.com/index.php?PHPSESSID=e94c757d3f12d8b78de845fb424baa07&topic=7649.0

 

Hi Guy's!

Thanks to Jarmo P, Pedro, herbalist, Rmus, and any future posters here:

Just a reminder:

"I am not seeking a debate here just experienced views. ".

I like to debate myself (as everybody here knows) but this time I am looking for posts that deal with the thread as is. So if there is to be healthy debate about say Comodo vs Kerio vs ZA then it is premature for this thread.

What I'm getting so far is 1st rate and I promise to produce a macro list of FW functions and the rationale for them when done. FW users could then (if they wish) adjust this list to their own use/needs by dropping functions they don't need or are covered off in another piece of security software they have (but I may not have) so as to produce "THEIR" list. This is why some debates talk past each other, since each debater has their own list even if not documented. What I am trying to do it tap your brains and experience to produce a macro list then do my own as a subset. Yes, it isn't easy but that hasn't ever stopped me before!!!

Here is what I mean:

FW Functions

Rule based packet filter and the rationale for needing this is ?. I can't fill this in lacking the knowledge you have, so please replace ?? for me.

examine internet connections and the rationale for needing this is ?

logging and tweaking of rules and the rationale for needing this is

SPI and the rationale for needing this is

No devious code... like phone home... blocking leak test software rationale using disceptive or dishonest methods in a SECURITY tool!

Reading time sychronization and the rationale for needing this is

Special thanks to Herbalist! You made it easy to log your information!

I will divide these FW functions into at least 2 maybe 3 broad categories:

(1) Simple FW Functions: eg: Traffic Cop

(2) Additional FW Functions: eg: application control

(3) Other FW issues, vendor service, vista compatibility etc

One question I have is on application control, If the FW doesn't do this what other class of application would, and what is the rationale for even needing this? "virtualization and sandboxing programs?"You guys will by now see that what is obvious to you isn't to me!

This is why I'm doing this to learn as well as answer the questions in the original post. If the FW is too complex for me to fly I will crash and waste resources and $! No doubt about that one!

Lets keep going....

 

I think you know . Packet filter to only allow the traffic you need. For example, if you need to allow inbound for Emule (so you can get out of "low id), you make a rule only for the ports you need, and the protocol in question.

Logging can tell us what's wrong, like when you can't syncronise the time, and you check if something is being blocked. It also allows you to detect intrusion attempts, but i'm lost there- what's noise and what's an attack..
Tweaking rules generally is about control i guess, you allow specifically what you need.

The outbound rule doesn't mean anything without it (confirmation would be nice ). SPI allows INcoming traffic for what was requested (OUTbound connection established).

On the Outpost part, i'd like an Outpost user to comment, to be correct.

Other programs would be something like HIPS, with outbound control.
Application control, on Firewalls, is only about control of outbound, what can connect (i think maybe i misread you here )

I'm answering this for the same reason. Maybe someone will call my bluff and teach me the right stuff!

 

Hi Pedro/Someone:

Good stuff! No I don't think you have ever misread me.

The macro list we are all building will appear here with the functions and the rationale with no names attached to who provided or said what ( sort of a project) . The functions and the connecting rationale can then be critiqued and honed down!
Should be fun and informative (at least for me).

I' m already ahead of the game since I didn't know that HIPS's could have application based outgoing rules!

You may think I know but I don't have FULL knowledge of why things are needed thus the drive for rationale and functions.

 

Well, before Lucas pointed me to a nice tutorial, i only had pointers too. Now i have... more pointers.
http://www.urs2.net/rsj/computing/kerio/index.html
I actually used Kerio 2.1.5 to learn, but it should work with other firewalls. The most important part of the tutorial isn't doing what he says (rules), but reading what he tells you to - the terms and the ports.
From there i tried the BZ rules, but i didn't follow them blindly: i tried to understand them. Sometimes i return...

HIPS like SSM seem to have basic outbound control. It's almost only yes/no. But there's no reason why it shouldn't evolve.

I'd wait for Rmus, or Jarmo to reply again. They know, i pretend.

 

Hi Escalader,

Well, you've got quite a project going!

Not necessary, perhaps, but nice to have if you want specific controls to tighten up things.

Rationale:

Another example in addition to what Pedro suggested: You can create separate Port 443 rules (HTTPS secure sites) for your browser, each having its own IP address placed in Custom Addresses. Any other attempt to connect to Port 443 will bring up an alert. To demonstrate, I removed my Yahoo IP from the custom addresses, so the firewall alerts:

http://www.urs2.net/rsj/computing/imgs/yahoo.gif
______________________________________________________________

You can create separate DNS rules using custom addresses, followed by a "deny all other Port 53" rule.

http://urs2.net/rsj/computing/kerio/images/dns2.gif
_______________________________________________________________

A rule below your application permit rules can block all other ports, which will block all unauthorized attempts to the trojan/spam ports:

http://www.urs2.net/rsj/computing/imgs/deny-other.gif
_______________________________________________________________

Non-custom rule set firewalls have good default protection, of course, but making a custom rule set lets you be aware and in control of everything.

(my brother, a software programmer and consultant, being lazy in some things, has never used a custom ruleset firewall in 20+ years of work, and has had nary a problem nor any malware)

In the initial stages of setting up rules, this is a great learning aid. You can see how the probes of the trojan ports and spam ports are continuous, mostly just normal internet noise/junk. Attacks specifically at home users would seem to be rare, especially for those with dynamic IP addresses. This is probably a worm probing, since all from the same address:

http://www.urs2.net/rsj/computing/imgs/portscan.gif
____________________________________________________________

This is probably a p2p situation, where the former user of my current IP was doing p2p -
many addresses looking for Port 6881 - p2p. Common occurrence with dynamic IP (you are assigned a different one each time you connect)

http://www.urs2.net/rsj/computing/imgs/probe.gif
____________________________________________________________

It goes without saying that your first step in using a rule-based firewall is to study/learn the internet terminology: port, tcp/udp, protocol, etc. Otherwise you either flounder, or use someone else's ruleset without understanding what the rules really do.

You need to answer the second part first: what is *your* rationale for outbound application control? If it is to monitor what installed applications do, like Windows Media Player auto-updating, you can control this with most rule-based firewalls, like Kerio 2. A rule for WMP to block outbound can be easily created.

Kerio will prompt when any application attempts to connect to the internet. This is how you set up permit rules for your browser, email, etc. Anything else will prompt an alert.

Here, in testing a trojan, it attempts to connect out via Port 53 (DNS port)
but it is blocked by the "deny other Port 53" rule because the IP address is not already permitted:

http://www.urs2.net/rsj/computing/imgs/gift_3.gif
___________________________________________________________

Here, the trojan has installed a downloader which attempts to connect out,
but the firewall alerts because it has not previously been given permission:

http://www.urs2.net/rsj/computing/imgs/gift_4.gif
____________________________________________________________

You have to define what you want in a firewall. If a simple packet filter, then it will fail the leaktests. If you are confident with your other security, then this is a non-issue.

If you want to control what the leaktests purport to do, then, if the FW doesn't do it, you need an application (and there are many - see the Other Antimalware Software forum) which monitor/control such activity.

I've not run across any malware in the wild that uses those techniques demonstrated in the leaktests. I think some are posted on the leaktest site, but I haven't encountered them.

Finally, you have to decide what the chances are that some malware of that type would get past your security and be installed in the first place.

-rich

 

Priceless, thank you! Learned a bit more

 

I meant to add that the reason I know that Port 6881 is p2p (Bit Torrent) is that I looked it up when I first saw it.

When starting out with learning rule sets, I examined my logs daily and looked up all of the ports. Two good sources are

http://isc.sans.org/

http://www.grc.com/PortDataHelp.htm

I still add to my list; I learn a lot, and have a good reference. The .gif file is a screen shot of the log entries for that port (as I showed in above post)

http://www.urs2.net/rsj/computing/imgs/infoselect.gif
_____________________________________________________________

-rich

 

Application control can be many things. This includes system policies, to control what apps can run. HIPS carries this farther by controlling what the allowed apps can do in regards to hooking other processes, installing drivers, and what other apps they can start and be started by. Sandboxing roughly translates into containing untrusted processes to their effects on your system is as limited as possible. Virtualization roughly translates into running the apps on a virtual operating system, aka one that exists as in software, not one made of actual hardware components.

System policies and HIPS emphasize control over what is allowed to run. The advantage is that undesired code can't run, and if tightly configured, processes can't access any other processes they don't need for normal operations. The disadvantage is that you have to know what processes/behaviors are normal on your system. Think of HIPS apps like SSM this way. SSM is to applications and executables what Kerio 2.1.5 is to internet traffic. The basic approach to both apps is similar. You specify what is allowed with each, in as much detail as you're comfortable with. Anything not conforming to the allowed "whitelists" (one for traffic, one for application activity) draws a prompt, unless the UI is disconnected (SSM) or "block unknown" is selected (Kerio).

Sandboxing and virtualization emphasize containing or isolating unknown or untrusted processes. The methods differ, but both attempt to keep the contained processes from modifying or infecting the physical operating system.The advantages are they're generally easier to use. A user doesn't need to make rules for all the executables/processes. Installs don't have to be permanent. They're a much more convenient choice for users who try a lot of software including things that can't be installed on a normal operating system, like a virtual Linux system running on windows. Just how secure these methods are is open to debate. Malware writers are always looking to try to break out of containment software or write code that doesn't reveal its true nature in such environments. In one respect, both virtualization and sandboxing are a type of blacklisting. Instead of blacklisting apps, the concept is applied to their activities as they relate to the operating system. I'd expect to see an ongoing battle between virtualization/sandboxing apps and malware that's designed to defeat them. Basically the same battle we've seen all along but with different apps, methods and nastier malware.
Rick

 

I continue to assemble what will no less become a full featured documentary if not encyclopedia with all these type most interesting comments you continue to share with us herbalist. Hope you don't mind.

Very good infomation that you always offer and from first-hand experience i might add. You simply leave nothing to chance in breaking everything down from it's bare origins all the way to what can be expected and all points in-between. Good coverage!

BTW, still won't part with Kerio 2.15. As obsolete as it might be considered these days to most users, with SSM as an additional go-between and other various "light" behavioral apps (as if really needed anyway ), forced intrusions are nearly if not entirely obsolete themselves from what i've experienced with that combination. Certainly has proven far more effective to me than one might would have expected only a couple years ago.

 

Hello ALL:

"BTW, still won't part with Kerio 2.15".

The goal is as stated in post 1, not trying to get anyone to part with Kerio or anything else.

Personally I would drop or replace piece of software without a single regret if there was a good solid understandable technical or support reason to do that. If there is no reason to change don't!

For this thread, (it's a gift to the forum) remember if a FW was left out
then add it! So I'll add Kerio.

Another thought I had was referencing the Windows Basic FW. Should users view it as a base case FW, and compare others to it? If you could only add one (1) function to it what would it be?

ZA Pro lets users deal at an application level on permissions, it is on my PC only because I wanted to control/ manage outbound internet traffic. It has an ASW on it which I disable since it is not certified or among the top products IMHO. I was very disappointed with ZA's perk known a MyVault.
The vault leaks information under certain conditions. So on that feature I look to other methods now to block leakage.

What I don't have to do with it is manage ports rules port by port!
I can block certain web sites, designate others as trusted.

What exactly is a port anyway? I know I know you think I know but I don't have a good basic definition of them. Is it physical? Surely not, it must be a logical device / address for email in/out etc.

I know these leak tests deal with them and that there are thousands of them. I hope we don't have to have 1000's of rules to create/copy to deal with so we all have to micro mange PC's!!! If we lay out $ for a FW wouldn't most want the software designers to provide a easier way than that? So a white list of applications is shorter, maybe a blacklist is shorter?

If we have to know as much as the designer of an OS or a PC to operate a firewall on a PC then something is amiss at least for me.

BTW, there are many more viewers of this thread than posters, this is good since I think it means that it is providing value to more than just me!

Thanks to all!

 

Although I am not getting into the pro's and con's, anyone of the firewalls in your list will do the job well. For that matter, the Vista FW (which I use) will do the job well. Coupled with your AV and the FW you choose, you're all set.

 

You have to remember that many people like Buzzstone are satisfied with the basic protection of the Windows firewalls, or similar, choosing not to get involved with learning about the internet protocols, and creating custom rules, and they get along fine. I mentioned my brother, a computer professional and programmer, who has worked this way for 20+ years and has not experienced any untoward intrusion.

Many I've spoken with are like him: they don't have time nor the inclination to get involved with customizing, as do people here at Wilders.

regards,

-rich

 

While I have used several FW's (Comodo, Norton, LnS, Jetico, etc.) and am quite able to set up custom rules, protocols etc., I just find there is no reason for me to do so. I am not a safe surfer and have had no problems in the years I've had a computer. I also come here to expand my knowledge of security software. My favourite FW is LnS but it will not work with my system using the nVidia 65.55 ethernet drivers. When new driver's are released I'll give it another go.

 

Escalader: you don't manage port by port. You simply allow this or that application use this or that port/port range.

http://en.wikipedia.org/wiki/Computer_port_(software)

http://en.wikipedia.org/wiki/TCP_and_UDP_port

Besides no outbound control (or no control), the Windows Firewall is good, i've been told... But i'd like to know how its inbound is really like. Is it good?
It has SPI for one, which allows it to accept incoming packets for outbound requests (tracks down which communications you made, to allow the replies).
For some protocols anyway. I have not delved into SPI too much. When i find the time or patience.

I also think there's nothing wrong in using a FW like you do. I did it, and still do in a way (not really, but i'm not doing anything special). Trusting the people who made it, and the rules they built.
Personally, it's the learning experience, and degree of control/awareness. I don't like things doing everything by themselves without me understanding at least the basics.

 

Pedro:

You are a very good instructor! Thank you!

I think a port should be renamed a "tag" or a "destination/ code" or some other words more like the definitions you provided.

Good, I don't half to manage port by port. only by application and port ranges.

How then does the user know what ranges to allow for what applications?

 

Answering pop-ups is more straightforward, although annoying. You use the program, and watch/answer the pops for the specific port. You can search in google for that too.
Comodo for instance will merge rules if the ports are continuous (pop-ups for Avast for instance, for port 1020, 1021 , 1022, will be merged into one rule with those ports). Kerio 2.1.5 will let you refine the rule on the pop-up, but won't merge you anythning (it's really mechanical, you clunch in everything).

For inbound rules, you really need to know what to open, if you need them (like with Emule).