Hardware Firewall best??

After using LNS and Outpost I have finally converted to a hardware firewall/ antivirus/ IPS system. All of the processes running on my system slowed me down too much. Now all is taken care of by a Fortigate 60. I would suggest to people out there running multiple computers get a centralized firewall instead. Now all systems are protected at the central location ... sooo much better.

You can find these 60's on Ebay for around $400.

 

It was reliance on a centralized firewall that allowed Zotob to bite so many companies.
One example from San Diego County USA illustrates all it takes is something let loose behind the wall to get everything. The blame was placed on a laptop.

 

Using both is ideal. An external firewall will be best at deflecting incomming connections, but a software firewall will allow you to restrict outgoing. Since I have a router, I chose Look'n'Stop (with beta components), it's also the lightest. I also think $400 is a bit much for the average home user, but if you have an old computer laying around you can turn it into an external firewall for free with one of the Linux firewall distros.

 

Hardware firewalls aren't neccessarily best b/c they dont' really help too much against trojans do they? I've never heard of hardware firewalls doing well on leak tests.

 

Also good true SPI hardware firewalls have to be ICSA certified at least, but you still have to provide some sort of outbound protection.

 

Fortigate is one of the only a/v's to catch the latest rounds of trojans on the fly including Zotob. That is how I found them. As to the reliance of a centralized firewall....that is a stupid statement. Do you run 2 firewalls on your system?? If so, take one off!

As to guarding outgoing connections, I think a process guard is much better at stopping rouge programs from calling out. There are so many ways around a firewall in terms of the outbound. We all have discussed leak tests on this forum. What better way to stop internal leaking then stopping the process from running in the first place?

You guys crack me up. The only difference between what I am using and what most of you are using is that mine is a dedicated piece of hardware whos sole purpose is to protect the network, but without any drain to my CPU or memory! Fortiguard has Deep SPI, and yes is ICSA certified up the wazooo. It has IPS and trojan protection as well as antivirus. Oh, yea, one last thing...who here has push install capabilites for the latest threats Try to get that in a software A/V program.

For me $400 is a small price to pay for securing 5 computers. I was spending so much time on securing each system, I never has time for my business.

Anyway..just wanted to let forums members know that in my opinion, a hardware security system is a much better way to go.

 

What do you mean by push install, as for SPI, CHX does deep SPI at the cost of 2.8MB, small price to pay in today's world of 2GB RAM systems, as for A/V, Avast, KAV, NOD all do a swell job, for IPS, there is Antihook which is free and also works nicely.

I would rather spend the $400 in hardware upgrade but thats my opinion.

 

Arup,

Its not the point of space, its a point of speed. If your security antivirus/firewall is not taking up you system resources, everything will run faster. I have noticed a huge differnce since installing the hardware firewall. This is esp important since a trading program I used was getting slammed by my firewall during fast markets.

BTW, I am giving a link to the response time of a/v's responding to the worms.
You will see that Fortinet is one of the highest ranking a/v's....at no cost to my system resources.

http://www.av-test.org/


O yea, a push install is a method to patch you security as soon as a new exploit is found. Fortinet is one of the only lower priced firewalls (<$1000.00) to do this.

 

BudFox,

I like running light so I see your point, however, there are software solutions that can run light or with little impact and do a swell job as well, what worries me is the lack of transparency on hardware devices vis a vis router's SPI, Firewall etc.

 

ROFLMF

.....

sigh hardware firewall great... unfortunately they don't control outbound... sigh. So many are not getting it these days. Best solution, Hardware firewall to filter the inbound then a software firewall to filter outbound and inbound that has program access control (dll, components, injection etc.) After that you need an AV,AT,Process Guard,AntiHook etc....

Just a hardware firewall is not enough even in a corporate environment. We always make sure that all our GOV system are updated with the latest av signature and are running process protection and monitoring tools...

All I can say to people only running a Hardware Firewall is what do you think ya doing ya fool?

Regards,
fluxgfx.com

*No more replys from me on the subject* It's been discuss so many times that it's starting to sound like OLD gramps around the corner.

 

Flux....dont think you even read these posts completely! Just think you like seeing your "cleaver comments"?? Fortigate is a firewall/ AV/ IPS/ Anti trojan system. Furthermore, I alread said that I am running Process Guard as well.

Until you get a firewall that passes all leak tests, outbound control is overrated!
It is much more important to have process control if you want true outbound control. If the process cant run, it cant call out. Outpost comes close as do a few others, but they are system resource killers.


Fortigate 60
Process Guard
SafeNSecure
Ghost Security Suite

I think im covered
.....Sigh!!

 

budfox,

I trade commodities only.
Use dedicated machine, run NO PROGRAMS other than markets info on that machine: has minimal router instead of FW, & AV & dedicated software for markets.
Get minimum one new machine per year, fastest state of the art.
Everything else on other non-networked standalone workstation.
Hardware cost trivial in relation to cost of Bloomberg or Reuters data feed.
One trade = profit or loss of several years hardware expense.

Good Luck in Trading your Markets

trader7

 

All I can say is good luck. LoL MF.

 

I basically agree with with you Flux, but it does depend on your use of computer. It you have a dedicated machine to one program then I can see Budfox's point, however if you have a mixed machine then a f/w to control outgoing I think is essential. In my own case, apart from controlling nasties which PG can do well, it does not control programs you want to run but don't wish to phone home.
Last point is that i can think of better ways to waste $400.

 

That right there is the whole thing in a nutshell..

 

Nice to see the same kind of nuts are hanging out here. "If you don't run 1,500 "security" applications like I do, you're a fool, and your systems aren't secure. If you rely on a hardware firewall, you're a fool, and your systems aren't secure." Blah blah blah...

Budfox et. al., don't bother... They don't get it. They'll never get it. They can't get it. Making their systems crash and run like hell is a hobby for them. And they can't comprehend how anyone, like us, could use a system responsibly, and not inadvertently install malware every 15 seconds. We do it, to be sure, but... Well put it this way, it's like a drunk not having any concept of what it's like not to need the bottle.

 

Neither DiamondCS' Process Guard nor System Safety Monitor provide any control over network access so relying on them for outbound network access is a mistake. They are a useful complement to an application-filtering firewall but not a replacement.

This does assume you have the ability to judge whether any new program is going to attempt to leak or not before allowing it to run. However only experienced malware analysts are likely to have this skill. The point of a software firewall is that it can let you know when, where and how a program is trying to communicate.

Anyone running a router with NAT and its own firewall has similar protection - at far less cost.

Virus/trojan scanning is rather a pointless feature for firewalls since they can't detect malware in encrypted traffic (try using the bottom 4 SSL options in the EICAR test page to verify this, which Fortigate's EICAR page lacks). As for the merits of SPI, these have been pretty well done over elsewhere.

As others have said, a hardware firewall is a good first line of defense, blocking probes, scans and other unsolicited connection attempts. However unless it includes an application-level proxy server (Fortigate's documentation suggests that they do not), it cannot provide anything like the comprehensive protection you allude to.

 

Wow.. you guys are too easy to rile up!!! So predictable.

I am an x hacker from the 80's. I hacked EDS when I was 15. I know a thing or two about computers. Here is what I know as of now....

The real threat to the comsumer is overrated!!!! I have had 2 viruses hit within the last 2 years, and they where sent via email. No worms and no trojans. The ones who where hit with the last round of exploits came due to unpatched systems or if you decide to install some free software!! If you are a moron with no DHCP, no firewall, antivirus and dont understand what a windows patch is, then you will get hammered.

Security firms out there have an agenda to push their protection. I know that SOME of you on this site know lots about security and I am very impressed. but.....

With protection from the outside via a firewall, running firefox with java disabled, and if you keep your system patched and dont download any free programs and if your email is scanned for viruses, some sort of registry and process protection, your pretty much golden.

For all of you security gurus out there..please please please post how I am going to get hit with the config listed above~

 

budfox,

I know what DHCP is, but how would it protect you from malware?

 

I had a great idea for you all..

Today is 11/5/2005. I am going to run my system my way.
Fortigate 60 hardware firewall/ AV/ IPS
Process Guard
Regdefend
SafeNSecure
Wormguard
Tracks Eraser
Firefox with Java disabled.

Thats it.

In 1 month 11/6/2005 I will reinstall AVK, CounterSpy, Spycop, and spysweeper. I will also monitor ports using port guard to see if anything is calling out that shouldnt be.

I would guess given you security pro's I should be crawling with spyware, greyware, malware, and viruses and trojans.

Either way I will be back to report my findings.

Peace out!

~Snipped Personal Attack~ -dog

 

My apologies to the member who was the recipient of the rude comment/personal attack.

Should those type of comments continue this thread will be closed.

"It's nice to be important, but it's more important to be nice."

Regards;

Steve

 

Gee, is that all? There are many that would consider this excessive, too.

I guess the question is, are you actually saying there's something wrong with running both a hardware and software firewall, or is it just a matter of personal preference for you?

 

Devinco,

DHCP would make pretty much zero difference. From the posts above (and his highly "malleable" point of view), it seems obvious that Budfox is trolling (and trying to show off his "l337 3k1llz" over everyone else) so responding to him further would be a waste of time.

 

IMO I think a hardware firewall/router is the only way to go. If one has things on their computer accessing the internet that they don't know about, shame on them anyway, they are just asking for trouble.

 

Thanks P2K. I didn't think it made a difference, but I thought I'd ask anyway.