Firewalls - Fact & Fantasy

Hi
I review security software for the best freeware website on the planet.

http://www.techsupportalert.com/

Best because all 80+ editors are volunteers and none of us have any affiliate or other commercial links with anyone or anything. During the course of my "work" I've used most the freeware firewalls available and several of the commercial offerings too.

I'll start by repeating a quote from a presentation made by one of the world's leading network security consultants at the recent RSA security conference in San Francisco.

"99% of all network intrusions are caused by firewall mis-configurations, rather than flaws within the software itself"

In other words, whatever you choose to install will not provide optimum protection "out of the box" no matter if the vendor says it will. I prefer to be a member of the 1% minority and to join this group all you need to do is spend a little time in Google reading about protocols, port numbers and the applications and services which use them. With this knowledge you can then add to the default security provided by your chosen firewall and also become a member of the safer minority.

At the outset it's important to appreciate the value of the various testing results which are viewed by many as being of biblical importance. Most of the published tests are either flawed, not conducted in 'real world' environments or so obviously biased towards commercial interest as to be unbelievable. Matousec were the only reliable independent source with open methodology but since their acquisition by Difinex it remains to be seen yet in which direction this group will now move. Even so, the value of the Matousec tests has more to do with the added HIPS component in firewalls than their packet filtering abilities. In this respect some HIPS components perform better than others and some are more stable than others in an average PC environment. There are always risks involved when combining technologies together. This is why a lot of users on this site and my own still prefer to use a combination of different applications to achieve their security objectives instead of relying on just one software "suite". Of the top ten firewalls in the Matousec rankings only two cause no or very minor system problems. Of the remaining eight some of the issues are severe. Just browsing the various forums will demonstrate this readily enough. I know that the statistical army will emerge from their trench with talk about the 1'00's who do use these applications successfully but that is not in question. Computer security is all about reducing risk, not potentially adding to it.

So what is good and what is bad? Well, in terms of packet filtering abilities the 5.5 2710 version of Sygate was one of the best ever written and remains so today*. Any firewall is only as good as it's logging ability because without this how can you monitor your connections and create the necessary rules to protect and restrict them? Sygate has always excelled in this area, but use this third party plug-in too and you have probably the best log filter available.

http://www.geocities.jp/bruce_teller/sygate5/spflgvw_en.htm

The additional protection technology has advanced since Sygate was produced however, so for optimum security you would need to combine this with a standalone HIPS of some sort to compliment your existing AV. Because of continued issues (some severe) being experienced by many ThreatFire users you may wish to consider the previous version of this software (Cyberhawk), EQSecure or Realtime Defender. All of these applications have a following on this site with good information and links. There are of course excellent commercial offerings too like Prevx.

NetVeda remains an excellent firewall alternative, only requiring a few boxes to be ticked for good default protection. Be aware though that the ability to create advanced rules, although comprehensive, is not so easy to understand.

Of the up to date offerings the Comodo component in CIS should be the best if only it would stop eating Windows in the process. Even accepting the UDP broadcast vulnerability and network recognition issues there are still too many bugs in this software to make the risk of using it acceptable, especially with Vista.

The newly updated version of Outpost Free would seem to be one of the best currently available although I experienced logging and rule issues. That said I was only able to trial this briefly and it may have been my failure to understand the configuration settings in the short time I had available.

In terms of overall protection and system stability the best firewall I have ever used is Privatefirewall. Don't be fooled by it's similarity to the freeware offering from Webroot which looks almost identical, because although Webroot license the technology from Privacyware the resulting component mix is not as comprehensive, or reliable. I have never experienced any system issues with Privatefirewall and whenever I have the need to remove it and then re-install, it goes back exactly the same as before including the rules and settings (so long as you only use your third party un-installer like Revo in "safe mode"). Privatefirewall is currently being revised to include performance improvements, alert reductions, 64 bit Vista compatibility and IPV6 compliance. The version last tested on Matousec is not the March build which should score higher than the 82% shown if these things are important to you.

My assertions above are targeted towards average users. Obviously some of the software issues may not be so "serious" if your system knowledge is at a higher level, but that still doesn't mean you have to put up with them.

Despite the varying standards, firewalls as with all software are also a matter of personal preference. In order to use one efficiently you need to be able to understand it and feel comfortable working with it, even if it's just the GUI appearance.
What suits one person may be totally unacceptable to another. That said many of the so called top selection do not presently provide the stability to go with the security so some pre-choice research is essential before making a decision.

*Many of these older firewalls will cease to be of value once IPV6 becomes the dominant protocol.

 

This well may be, though when according to your prognosis IPV6 dominating era will happen ?

 

Yes, what he said

Sul.

 

Well to me "a network intrusion" would refer to an inbound connection.

Windows default firewall's are fine , with no configuation needed for this ...
so I don't agree with that leading security expect ...

just wish I was paid as much

 

In/Out traffic that's about it.. Software firewall is needed so no one just could take over your system like they were able to more in 90's. You could go into yahoo chat with no protection and never knew that anyone could remote into your box and take over. Thus the need for the firewalls started with Sygate Free and Pro. Tiny, Zone and the rest of the gang.. Frankly if you had a smart box firewall then you won't need software firewall running on every darn system you have.

Most clients got BlueCoat Web Content Filter Box cost is $10,000 each. Thus you need to train someone on your IT Staff to use it and become the Admin for that device. It does work very well. Keep employees from going to all type of sites.

Firmware from DD-WRT has some good firewall features that most average joes routers don't even offer in their firmware. Still just need a tiny program to monitor I/O on your systems. GhostWall works with your WinFirewall. BullGuard and some others software.

I need to know what to block and not to allow or allow.. Fancy meters not going to cut it for me. Just keep it plain and simple..

 

The reality is that most of the suits we see with the "Auto type" protection can so easily be implemented incorrectly by the vendor(and many times is), and as we see many times actually block home users from Internet access rather then protecting them. Although it could be argued if they cannot connect to the Internet they cannot be compromised.


- Stem

 

I too live in the real world but that doesn't mean I have to accept everything in it. One more person with a little knowledge is one less likely to spread unwanted stuff to the rest of us.

It's like saying "ah well, drugs and child abuse are here to stay" rather than trying to do something about it.

This quote is from the Online Solutions team in St. Petersburg

"Unfortunately, the average user is ready to make efforts in learning the abc of Emule and P2P, but not to learn the abc of the registry and malware's behaviours".

Someone else who sees the situation for what it is and I do not disagree. I just think that more encouragement and less acceptance is the better way forward.

 

The bloke is correct there.

 

If I remember right, didn't Sygate have problems filtering loopback connections properly?

Although I agree with your assesment completely, I feel the real problem is even more basic. Too many users don't know how to formulate an effective security policy. IMO, the security policy is the single most important component in any security package. It's the basis on which security apps are chosen and dictates how they should be configured. Without a sound policy as a guide, the configuration of firewalls, HIPS, etc is piecemeal, not following a sound pattern. Without that guide, an attempt to build a layered security package ends up being a pile of security apps that don't support or complement each other, with some functions duplicated and others overlooked.

The ability to write good firewall rules is becoming a lost art. Even among security conscious users, many have not grasped just how much a good rule based firewall can do. The same applies to HIPS software. Features that enable the user to restrict low level disk and physical memory access are useful, but learning to properly set the parent-child permissions will do a lot more to secure a system than the other features ever could.

Sites like Matousec's make this problem worse, using leaktests as advertizing gimmicks, emphasizing features instead of strong configuration of both the security software and of the OS itself. IMO, he could do all users a service by closing down that site. Users don't need that steady diet of "newer is better" shoved at them while the basics are regularly ignored.

 

Sygate didn't filter loopback connections at all.

100% agree.

Unfortunatelly this is too true... And the fact that all firewall vendors try to achieve "out of the box" protection in their products isn't helping too much. Of course, "out of the box" protection is good for novice users, because it helps them setup up a (more or less) secure system, but it also discourages them to learn more about what security means, and about what they really want from a security point of view.

 

From such a statement. I would expect a posting of the results of the packet filtering tests made to confirm this.


- Stem

 

All the internet users I know personally just can't be arsed to find out what goes on in their PC. You don't have to know HOW your car works - you just want to jump in it, start it & go - same with a PC!
Only a few will try & understand the way a car works and thus be able to have a clue when it goes wrong - same with a PC & its security.
Those security vendors who produce "out of the box" solutions are the ones who will have the lion's share of the market.
The winning trick is to produce a truly secure solution with no user input - a pipe-dream, I fear.

 

In most countries it is needed to take a driving test before being able to drive a car on your own. It is usually also advisable that you know how to fill the car with petrol/oil, also to check the tire pressures etc.


- Stem

 

Very well said, best summary in this thread so far. Many people here on this forum are into computers as a hobby, or work with computers as part of their job....IT department. So they have a working knowledge of the computer and related things. Thus it's easy to stick their nose up in the air and call the average computer use ignorant.

Yet...if they have a leak in a pipe at home or a running toilet..do they fix it themselves? Or call a plumber? How would you feel if the plumber showed you how easy it was to redo a fitting with teflon tape and tighten it...and made you feel stupid?

Do they change the oil in their car or replace the brakes when needed? Or take it to a car mechanic? How would you feel if that greasy guy showed you how easy it was to change your oil and made you feel stupid because you didn't know how?

Do they mow their own lawn and keep the blades of their lawnmower sharp?

Are you able to do your own home improvement..or do you need to call a contractor?

Do they know how to troubleshoot/replace the GFI electrical outlet in the bathroom if it acts up? Or do you call an electrician? How would you feel if the electrician showed you how easy it was to replace a GFI and made you feel like an idiot?

...

The same "snobbery" can be applied to all aspects in life. I happen to work in IT for a living...small business network consulting. Many years of working with clients...they just want their computers to work, with minimal effort on their end. They have their work to do..as they have a right to. They shouldn't have to learn the depths of the system.

This is one of the reasons I don't put a lot of faith in software firewalls. Most end users don't want to be bothered with them. Most end users see some alert come up...like "explorer.exe is trying to access the internet", or "svchost.exe is trying to access the internet"..and they just start clicking "allow" out of frustration. OK so a few dozen times of that...now...how effective is that naggy software firewall?

 

Why would you need to feel like an "idiot" just because a contractor you chose to employ made the job in question look easy?



I don't think that reproducing a data sheet of IP filter stats here would be of any benefit to the context of my original posting which was designed simply to highlight some of the issues concerning Firewalls and their configuration.

I also accept that the trend towards "out of the box" solutions and "suites" is here to stay and we will all have to live with it. The challenges involved are clearly demonstrated by CIS with a new crop of bugs appearing with every component integration. The dream of course is to get it right as pointed out by rogervernon and in this respect you have to admire Comodo's commitment to making this project work. They are probably as close as anyone to achieving this if only they can crack the stability issues. My feelings are that the 3.9 final will still have problems but by the time V4 hits we could have a really usable solution, and for free.

I still think this latest version of Outpost Free will turn out to be a good choice for many people. Even the logging issue is of no real importance to a lot of average users who would never look at it anyway. The rules configuration needs some attention but I'm sure Agnitum will be on to this already.

My personal intention is to stick with Privatefirewall which is due out shortly with IPV6 and Vista 64 compatibility plus other improvements and a reduction in the number of alerts. If the new one has better support for specifying IP addresses then I'll be even happier.

 

If you refuse to put forward results of packet filter testing to confirm your statement, then I will presume your statement is Fantasy rather than Fact, and you have not made packet filtering tests.



- Stem

 

If there's one thing I've learned in the computer security industry is the "KISS" theory. This works the best in most cases for the average user. Any security app that provides a good amount of protection with the least amount of "popups", is the clear winner here.

Just my .02cents
Ice

 

I would say that is 1/2 the equation. I would also add that despite the 'effectiveness' of the application in regards to 'popups', much will depend how comfortable or how well liked the GUI is to the user. Many 'effective' apps have a GUI that blows. Personal preference or ease of use, however you want to term it.

IMO this is especially true in firewalls and hips, where terminology is already confusing for many. Better to use a product you can navigate and possibly understand than one that speaks another languge and makes decisions confusing.

Sul.

 

Please forgive my ignorance, but what is that KISS theory?

Best regards,
François

 

I'm saying...some people who happen to know computers well, or happen to work in IT for a living, tend to be snobby and "look down at" other average computer users. Just because the average office worker or home computer user doesn't know/care/or want to know the inner depths and secrets about firewall...

I'm giving an analogy of the plumber or electrician making the home user feel stupid..similar to how others do here towards users who may not know the inner workings and trade secrets of software firewalls. There's no need for that.

 

Keep It Simple Stupid!

 

Salut François,

it means something like "Keep your sh*t simple, Buddy"...
YO

 

I have given CIS, (latest beta), a spin on my laptop - XP Home SP3 - and found that it runs perfectly - no glitches at all
In fact I am just waiting for my OA sub to run out in a few days, my Avira paid having already expired and I'll probably use CIS (except the Ask search & any toolbars etc. !!!).
Living in Spain and having all my pension income being generated in £GBP, the dire exchange rate to Euros has made me count every centimo, I'm afraid. ADSL here is grossly expensive, too, so economies must be made.