I need your opinion!

Discussion in 'other firewalls' started by Green Dragon, Feb 18, 2005.

Thread Status:
Not open for further replies.
  1. JoMcDo

    JoMcDo Registered Member

    Joined:
    Feb 19, 2005
    Posts:
    5
    As I want to get a better understanding as to why people think one needs to have a personal (software based) firewall, I'd like to know what specific services on a Windows system you think one cannot disable without causing serious problems. Please give a few specific services and reasons why - I'd appreciate it :) (and please keep in mind, I am talking about services that open public ports)

    On my system, I have disabled ALL unnecessary services based on guidelines from http://www.ntsvcfg.de/ntsvcfg_eng.html - AND everything is working fine for me and most of my customers too ;).

    CHEERs
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    The RPC service is one example due to the number of other Windows components using it (e.g. fax, infrared, printing). Disabling the TCP/IP NetBIOS Helper service can stop the DHCP Client service from functioning resulting in loss of connectivity.

    Closing services can greatly reduce the number of entry-points for an attacker - but any application creating a network connection offers a possible attack route (since a port will be open for the duration of the connection). Most personal firewalls include some form of stateful inspection where they can distinguish between unsolicited incoming packets and legitimate responses to previous outgoing requests, thereby blocking all such attempts (there is still the possibility of a man-in-the-middle attack where an attacker tries to hijack an existing connection but this is more limited in scope).

    Another point of a personal firewall is being able to control what sends traffic out - several programs on a standard Windows XP install will "phone home" which can cause privacy issues and a firewall warning about a new program attempting an outgoing connection is, for many people, the first indication of malware on their system.
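
    The stateful inspection described in this post, as an added example that is not part of the original thread and not any firewall vendor's code: a toy state table that admits inbound packets only when they answer a flow the host opened. It goes slightly beyond the post by also tracking UDP with an idle timer; the timeout value, class name and sample addresses are assumptions made for the illustration.

```python
UDP_IDLE_TIMEOUT = 30.0  # seconds; assumed value for this sketch

class StateTable:
    def __init__(self):
        self.tcp = {}  # flow -> "SYN_SENT" or "ESTABLISHED"
        self.udp = {}  # flow -> time of the last outbound datagram

    def outbound(self, proto, local, remote, now, flags=""):
        """Record state for traffic the host itself sends; always allowed here."""
        if proto == "tcp" and flags == "S":
            self.tcp[(local, remote)] = "SYN_SENT"
        elif proto == "udp":
            self.udp[(local, remote)] = now  # UDP has no handshake, so use a timer
        return True

    def inbound(self, proto, remote, local, now, flags=""):
        """Allow a packet only if it answers a flow this host opened."""
        flow = (local, remote)
        if proto == "tcp":
            state = self.tcp.get(flow)
            if state is None:
                return False  # unsolicited, e.g. a bare SYN to a listening port
            if "R" in flags:
                del self.tcp[flow]  # peer reset the connection; forget the flow
            elif state == "SYN_SENT":
                if flags != "SA":
                    return False  # only SYN/ACK is a valid reply at this stage
                self.tcp[flow] = "ESTABLISHED"
            return True
        last = self.udp.get(flow) if proto == "udp" else None
        return last is not None and now - last <= UDP_IDLE_TIMEOUT

def replay(packets):
    """Feed (direction, proto, src, dst, time, flags) tuples through a fresh table."""
    table = StateTable()
    return [table.outbound(p, s, d, t, f) if way == "out" else table.inbound(p, s, d, t, f)
            for way, p, s, d, t, f in packets]

# Constructed sample traffic (documentation addresses, not a real capture).
HOST, WEB, DNS, STRANGER = "192.168.1.10", ("203.0.113.5", 80), ("203.0.113.53", 53), "198.51.100.7"
SAMPLE = [
    ("out", "tcp", (HOST, 1025), WEB, 0.0, "S"),              # browser opens a connection
    ("in", "tcp", WEB, (HOST, 1025), 0.1, "SA"),              # reply to our SYN
    ("in", "tcp", (STRANGER, 4444), (HOST, 135), 1.0, "S"),   # unsolicited connection attempt
    ("out", "udp", (HOST, 1026), DNS, 2.0, ""),               # DNS query
    ("in", "udp", DNS, (HOST, 1026), 2.1, ""),                # DNS answer within the timer
    ("in", "udp", (STRANGER, 53), (HOST, 137), 3.0, ""),      # unsolicited UDP
    ("in", "udp", DNS, (HOST, 1026), 60.0, ""),               # late datagram after timeout
]
```

    Calling `replay(SAMPLE)` returns one allow/drop verdict per packet; the inbound SYN to port 135 is dropped even though nothing in the table says whether a service is listening there.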
     
  3. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Another point worth making is that Windows services can be silently re-enabled by Microsoft updates, service packs and even certain software installations. Unless you keep monitoring service status and network activity, your system could be made vulnerable without you noticing. Most firewalls (i.e. excluding Windows XP's) would not be affected in this manner.
     
  4. sded

    sded Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    512
    Location:
    San Diego CA
    I switched from Zone Alarm Security Suite to Avast! 4.6 and Sygate Personal Firewall. I wanted more configurability of the antivirus (configurable mail scanning including encrypted email, http monitoring, activity monitoring, good support forum, ...) and better Firewall support data (traffic logging, easy rule sets and security enhancement control, ...). Had previously used NAV and tried AVG7 also. Even with time left on my ZASS subscription I am pleased with the switch and have used the newly available data to solve some other problems. Since you are already trying ZAF, give SPF a try too. I tried both SPF and Kerio (as well as ZAF) and found SPF much easier to use and more informative. ZAF is more of a "fire and forget" program which many users find attractive, but left me in the dark about what was happening.
     
  5. my2cents

    my2cents Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    45
    HollywoodPC -

    Hello -

    Thanks for your replies. I am seeing that you highly recommend ZA. Why?

    Don't you think Sygate will work with its Anti-termination feature?

    I heard many many reports about ZA being bypassed or terminated. And its interface really looks as if it were designed by a 5 year old child..... Is anyone bothered by that?
     
  6. hollywoodpc

    hollywoodpc Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,325
    Hello.

    I think Sygate will work fine. I just do not see Sygate as being as secure. Sygate has been bypassed on Messenger services (Yahoo, MSN, etc...). Personally, I think ZA is more secure. Do I recommend ZA? No way. They are going backwards in quality and God forbid if you ever need to contact them. Forget it. No help there. If you want a recommendation, I suggest either Outpost, Kerio, or LnS. I think LnS is a bit too confusing for a novice but very good at what it does. ZA has an interface that does look a bit childish but it used to work well, so I changed the color and all was fine for me. Anyway, I hope this helps. Good luck in your quest.
     
  7. my2cents

    my2cents Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    45
    Couple of questions here and I promise to drop this subject.

    I am very lost here on which one to use: Sygate or ZA?

    Does ZA (FREE Version) provide the anti-MAC Spoofing feature EVEN if I can't see it in the interface?

    Does it provide Stateful?

    If ZA provides SPI, then I will take it, no doubt about it.

    Now, I emailed Sygate's support and asked them if it does SPI (yes, straight from the horse's mouth), but I'm still waiting for an answer....

    Look.......... here's what I basically want here: I want a software firewall that does SPI and I want an "Install and forget", kinda like a Linksys router does. I want something that does not interfere with my work.
     
  8. hollywoodpc

    hollywoodpc Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,325
    Ok.
    My suggestion? ZA. Not real sure on the free version but the Pro has what you need. Problem is, in the 5.5 version, when you block referrers and cookies in the interface, it sometimes fails to work. With Sygate, I am unsure about all of the features but it is NOT as secure as ZAP USED to be. I say used to be because I dumped it a while back. All I am saying is that, based on the choice between those two, I would go ZA without question. The safer of the two and, IMHO, the easiest. Good luck in your quest.
     
  9. my2cents

    my2cents Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    45
    Ok, I DO NOT, AND I REPEAT do not care about the add-on features like Cookie filtering, email scanner, AV and those... I do not care and I will turn them off or disable them.

    All I care about is the firewall itself. That's all. A firewall program is meant to be a firewall program.

    I have an AV already. No problem and could filter out the cookies in my browser manually.

    Is the Firewall the same as in the Free Version of ZA or what's the difference between the PRO and the FREE (Firewall wise)? Do both provide SPI?

    I am running Win2000 and since it does not have the hide icons from system tray option like XP does, what could I do to hide it? I know it's the registry but if I do remove the string value, then will ZA still function? All I want to do is remove the icon.

    Thanks for your input on this.
     
  10. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    ZA has SPI, and I would have to say that it's better than Sygate's because ZA has both TCP and UDP SPI whereas Sygate only has TCP SPI.

    That said, either firewall is a good choice... Both have free versions also.

    Take your pick... ;)
     
  11. my2cents

    my2cents Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    45
    Ok, cool I will go with ZA FREE.

    But how come I don't see that option to Enable SPI on the Interface? How could I tell if ZA has SPI?

    Can you post an attachment to show me how I can tell in ZA?
     
  12. hollywoodpc

    hollywoodpc Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,325
    SPI IS there. It is not one that you can set manually with certain rules as you can with Outpost. It is always on. And I am glad you made your choice. I am glad you repeated about not wanting cookie control or anything like that as I NEVER saw that. Very sorry. ZA is a good choice. Congrats and enjoy.
     
  13. my2cents

    my2cents Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    45
    But please note: I downloaded the FREE Version of ZA. Does that provide SPI too or only the PRO version?

    And also, can I remove the ZA icon from the system tray? I am running Win2000. 2000 does not have the hide icons feature.
     
  14. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Yes, ZA free has SPI just like the Pro version. It's a good firewall. Enjoy it.

    I don't know how to remove the tray icon. There are utilities out there that let you select icons to remove from your tray for Win2k. Just look around some of the file download sites and you'll probably find one...

    download.com
    majorgeeks.com
    snapfiles.com

    and on and on...
     
  15. scaa

    scaa Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    202
    Green Dragon,
    This is enough. I have the same also and everything is doing fine. Avast is a great product
     
  16. my2cents

    my2cents Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    45
    Just out of curiosity, why do you think Sygate will not protect you? Just wondering. Any reason?

    Installed ZA anyway, and ALL STEALTHED... So as long as I'm stealthed no worries and that's a good sign.
     
  17. herbalist

    herbalist Guest

    Don't count on that too heavily. Specific attacks exist for several firewalls that can crash them. Do yourself a favor and do another port scan on your system, this time with the firewall shut down. You won't be stealthed, but you should strive to have the ports closed anyway. Should your firewall crash for any reason, it'll give you an idea of where you really stand.
    Rick
     
  18. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Anyone running local proxy software (e.g. web filters like Privoxy, Proxomitron or WebWasher, some antivirus email scanners and anonymizing proxy clients like JAP and Tor) will not be able to prevent malware from sending traffic out since Sygate does not filter localhost traffic. This means that any software can access proxies and gain network access via their rules.
    Using software like Process Guard to protect your firewall (and any other security applications) from being terminated by malware is a good idea, and the free version of PG will do that. There have been very few vulnerabilities to outside attack discovered for personal firewalls (and most of those tend to be Denial of Service that can hang a computer/break a connection rather than giving an attacker access) so it is only malware allowed through (as part of legitimate traffic like an email attachment or a file download) that should be a concern.
     
  19. my2cents

    my2cents Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    45
    Ok I have the following Services DISABLED:

    Like NetBIOS/NetBIOS Helper

    File and Sharing is Disabled

    Ports 139, 445, and those are disabled

    DCOM is Disabled

    Local Security Policy is set to= (LSA in registry set to= (2)

    netmeeting is Disabled...

    I could go on and on. Trust me..... I am a little paranoid here...

    So, what do you think? With all these services and ports disabled, will I be safe without a firewall in case it shuts down on me?
    And by far the most important here, I am running as restricted user for daily tasks.
     
  20. JoMcDo

    JoMcDo Registered Member

    Joined:
    Feb 19, 2005
    Posts:
    5
    Thanks for the fast response :) However, RPC per se does not open any ports. Thus it's not a problem leaving it ON. It can be used by other services to open ports but then one can shut down those, as one can read about in the link I gave earlier.

    What port does that service keep open?

    Yes, I agree on that but imo that's what I already covered by saying that one should use one's brain when installing and running programs - nothing is more secure ... but ok, it's interesting to see what programs try to access the network. For that, I found, running JETICO firewall (FREE for now) as application firewall only (like ssm or a similar DiamondCS product) does a good job informing me what's going on. The Network packet filter is switched off completely :)
     
  21. JoMcDo

    JoMcDo Registered Member

    Joined:
    Feb 19, 2005
    Posts:
    5
    Well done my2cents, seems you understood the logic behind suggesting reducing the code base very well :) In your case, check out the link I gave earlier on. It's a simple way to switch off all non-necessary services. Then get a program like Active Ports to see what ports are still open, if any (url: http://www.protect-me.com/freeware.html)

    Once your ports are closed, you are quite safe - but keep in mind, there is no 100% solution and never will be! Also most attacks against the tcp/ip stack have been patched over the last few years :) I have been online 24/7 on dsl for 85 days, got scanned at least 500+ times a day but never had a crash due to malformed packets. Perhaps you can keep us informed about your status without a firewall - thanks :)
     
  22. herbalist

    herbalist Guest

    True, there aren't that many effective external attacks for any given firewall. That's not to say that more won't be found. I use System Safety Monitor to keep Kerio and other security apps running. I would like to point out that external attacks are not the only problem here. If the firewall in question is part of a security package, a problem with another component can at times crash the whole package. Also, both Norton and ZA have released updates that have caused crashes. On low power systems, a sudden demand on your system resources, such as a website launching other applications at the same time your security package needs the additional resources can cause it to crash.
    I realize that none of these instances are likely, but it's not impossible for your firewall to crash. My point is this. If you have open ports when your firewall isn't running, you are vulnerable should it fail, be it from an attack, faulty update, system problem, etc. It's important to close as many ports as possible via system configuration and not just rely on the firewall for this.
    Getting This for port scan results with a firewall running isn't hard. Any good one should do it.
    Getting This for results without a firewall running is a bit harder, but should be considered necessary. Even if you use another application to keep the firewall in memory, there is a period of time between its failure and when it's restarted when you're vulnerable.
    Rick
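
    One way to carry out the check discussed in the posts above (seeing what still listens with the firewall out of the picture, and noticing when an update re-enables a service), as an added example that is not part of the thread: it parses Windows `netstat -an` output and compares the listeners against a baseline taken after hardening. The sample output and the baseline set are constructed for the illustration.

```python
# Constructed sample of Windows `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8118         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1025      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
"""

# Assumed baseline recorded right after services were disabled.
BASELINE = {("TCP", 135), ("TCP", 8118)}


def listeners(netstat_text):
    """Return {(proto, port): set of bind addresses} for listening sockets."""
    found = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # headers and blank lines
        if parts[0] == "TCP" and parts[-1] != "LISTENING":
            continue  # established or closing connections are not listeners
        addr, _, port = parts[1].rpartition(":")
        found.setdefault((parts[0], int(port)), set()).add(addr)
    return found


def is_loopback(addr):
    return addr.startswith("127.") or addr == "[::1]"


def audit(netstat_text, baseline):
    """Return (listeners absent from the baseline, listeners reachable off-host)."""
    current = listeners(netstat_text)
    new = sorted(k for k in current if k not in baseline)
    exposed = sorted(k for k, addrs in current.items()
                     if not all(is_loopback(a) for a in addrs))
    return new, exposed
```

    `audit(SAMPLE_NETSTAT, BASELINE)` reports TCP 445, UDP 137 and UDP 445 as new since the baseline, and lists every non-loopback listener as exposed; the proxy bound to 127.0.0.1 is not counted as reachable from the network.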
     
  23. I will be the first to admit....I know zilch, nada and nothing about ports, services

    but that program JoMcDo recommended at start of thread....sure did seem to shut down a load of services and ports....when I checked with Outpost had only 2 ports open.

    Another handy little program similar to aports is TCP view http://www.sysinternals.com/ and here's one with more "toys" than you can believe.....and even more amazing free

    http://www.d3tr.de/
     
  24. my2cents

    my2cents Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    45
    So, will I be safe using Zone Alarm?

    If I have these DISABLED already, will ZA be efficient enough?

    And does ZA do Stateful Packet Inspection?
     
  25. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    There has been some talk and very little mentioning of ZoneAlarm being stateful, however nothing official and regardless, it’ll be stateful-like instead of true stateful that you would see in CHX-I and 8Signs and Checkpoint.

    Personally I like to see some official something regarding ZoneAlarm being stateful... Guess this won't happen anytime soon, oh well.
     