Ultimate firewalls

IMHO, I am no expert, but after trying out almost every other major firewalls, I am currently using Zone Alarm free with ICS, it passes all the tests thrown at it and also does SPI. No stability problems with my ancient dual P-III 850 or my latest dual Athlon 64 machines, I dont play games so don't know about the game issue being reported in the Zone Alarm forums.

Combine that with the free version of Prevx and Avast latest which features real time web data scanning and you have yourself a moderately good level of protection and that too free.

I tried out Sygate which is quite good ICS supporting firewall but it cant support the newer web scanning feature in Avast, it also fails Leak Test which Zone Alarm passes, in fact Zone Alarm passed all the tests thrown at it by various sites. I also used Jetico which is showing the most promise of all the other programs out there but for enabling ICS, I have to disable SPI for TCP/UDP on the gateway machine, this is something I don't have to do with Zone Alarm. So, no harm in giving the new Zone Alarm free a try, I don't care much about their pro version as it has things I have no use for.

I also tried out Securepoint but after installing it, my net stopped working for good, also I have no idea if it supports ICS. It does show quite a lot of promise if integrated with their SNORT based IDS Nuzzler but for me, didn't work.

 

K- Thanks for the update on Kerio 4

I took a look at their site and it seems that Kerio 4 has a lot of features that are extraneous to a firewall. Pop-up blocking and stuff like that. How is it on memory usage and how many services does it show in task manager? Is it good, or just some product that does not know what it wants to be, so it trys to be everything at once.

 

Kerio 4 seems to be pretty good, but it suffers mostly from a long history of being buggy and a little bloated. It does have features that I don't want or need much, i.e., the web filtering stuff.

In task manager I see one instance of the firewall service and 2 instances of the gui. Total ram used for all 3 is about 24 megs. Similar to Outpost I guess. There are much lighter firewalls to be sure. For some reason it opens up a million ports and localhost connections. I don't understand why, but it does. I assume it's just the gui communicating with the service and so on.

I think they're trying to make Kerio 4 easy to use, like ZoneAlarm. So you can basically just install it with predefined rules and run it out of the box easily if you like. You can also go the rules route and set up as many rules as you like, import your Kerio 2 rule set into it, and so on.

All in all, I kinda like it. But the one thing I don't like is that you can't get rules to log properly. There is an internal "rule" or coding that logs all packets to unopened ports if you turn that option on. If you create a rule to block ports and set it to log, Kerio 4 will not pay attention to your rule for logging if it's a packet to a closed port. It will log based on it's internal logging rule, instead of your rule. This is just bad design IMO.

Anyway, I'm running it now and I like it well enough. I believe that the firewall itself is a good product. Seems to do the job well and is tight. But the history of bugs always makes you wonder if it's really doing it's job or not. I trust it, but some may not...

 

Just keep in mind it is not the site/forums opinion, but those of individual posters.

If all is working well and you are happy why do you feel you need to change?
You can always stick with what is working for you.

Whenever you ask a question like what is the best/ultimate ... in a forum you are going to get all kinds of answers and opinions, some which may not be appropriate for your environment. While this may help in pointing out options, the bottom line is that you have to assess what your needs are and base your decision on what best suits those and you. If you start using something you do not understand or are not comfortable with in a quest for the "ultimate", you will only increase the likelyhood of problems/risk, not reduce them.

Regards,

CrazyM

 

If you are willing to learn.Try Look"n"Stop,the best firewall and the best support,that's if you want the best? If not I can't recommend any of the rest I have tried them all!(twice over) and just found they all lacked something!,GOOD protection!

 

K-

If Kerio 4 needs 24 mb, it is probably not for me. Perhaps the logging is not buggy, but it does behave strangely. Next...

-Diver

 

Yeah, if you're looking for light on ram, it's probably not for you. For light, I love CHX-I and Jetico.. I have 512 here, so I figure what else is ram for but to use.. as long as there's no leaks then I'm ok with it...

 

i know there is no best/ultimate firewall.

all i want to know now is wat is the advantage of outpost compared to zonealarm and wat is the advantage of zonealarm compared to outpost. that all i want to know?

coz they are both for novices roght

 

Budfox,

All firewalls have to work at driver level and most current ones run as services also providing protection during Windows startup. Most also offer some level of process monitoring to block IE so NetOp is hardly unique here.

The only thing that NetOp seems to offer that others don't is centralised management (Kerio and Tiny offer this, Outpost has such a facility in beta). This is useful for businesses but irrelevant to home users.

Finally, I would instinctively distrust any commercial product where the price was not specified on the website. Care to inform us how much a single licence of NetOp costs?

Chaos16,

Outpost allows more detailed rules settings than ZoneAlarm Free and an easier GUI for such settings than ZoneAlarm Pro. Local proxy traffic is more tightly controlled (programs need access to loopback to access any proxy and the proxy requires a rule to allow incoming traffic as well) and Outpost has a wider choice of plugins. Outpost also offers far better logging facilities including the ability to create filters and sort by different fields - third party software would be needed to achieve the same with ZoneAlarm (though there is plenty available).

However as everyone else has said, the best option is to trial each prospective firewall. All have strengths, all have weaknesses.

 

p2k-

Net op is $59 for a single license. It is on a web site, but I forget which one, or where. So, no link, but I did see it.

 

K-

I have 512 here as well, but i have some other stuff that eats ram like a fat man eats french fries. CHX-1 is probably what I would use if I did not have a router, like for a notebook used on public wireless. It is also on a machine here where there can not be any user intervention or interuptions. My ther lite favorite is good old Kerio 2.15. Jetico is interesting, but this network access thing pretty much requires an unbelievable number of responses over days. Almost everything is network aware these days. More user intervention means more chance for error, and this is not solely a Jetico thing. [There are some people who tell me their mom could handle some of this stuff, but I know lots of folks with college degrees who can not.]

Perhaps it is time to trial Tiny 6.5, but I bet it uses a bunch of ram as well.

 

One quick note about Zone Alarm, the free version officially doesn't support ICS/NAT and to enable it, the host machine running Zone Alarm has to set the security level of the INTERNET Zone to medium which would make the computer visible on the net although sharing would still be blocked as well as Net BIOS, important to consider this factor in case one is considering ICS or NAT. This makes Look n Stop, Outpost, Kerio and Jetico far better option in my opinion.

 

diver,

fyi, tiny 6.5 is about 25MB RAM.

don't run PG3.15 with it as surfing is uncomfortably slower, at least to me.

 

well i am trying outpost and its going good for now

 

wat is IGMP protocol should i block all communications via this protocol or should i allow it

it has block but i don't know

this is outpost

and can u tell me wat to permit or block for active content the recommended

 

Tiny takes 25 mb...

A contradiction in terms.

 

Diver, yep, Kerio is nice too. I used 2.1.5 for many a month. It used to be my favorite.

You should definitely try Tiny 6.5. I am intrigued by it (if that's the right word). There's plenty to experiment and play with, enough to keep you busy for weeks probably, if you really get into all aspects of it. I know there's still much that I haven't even explored in Tiny. I don't recall if 6.0.140 used much ram, but I suspect that it does. I'll have to check on that sometime.

 

That's about what I would have guessed... Similar to Kerio 4 and Outpost.

 

Yeah, there's definitely nothing tiny about Tiny...

I really liked 6.0 a lot. The only thing that bothered me about Tiny was that sometimes it would alert and block legitimate code injection (I think that's what it was) by programs such as MS Media Player and such when loaded from other programs. I don't want anything to block legit programs from operating right. I would guess that there's a way to allow it somehow, but I didn't get that far.

Also, I noticed that Tiny seemed to let parts of fragmented packets thru to the OS, since I saw occasional ICMP type 11 outbound letting the sender know that the time was exceeded for the rest of the fragment to show up. I don't know if this is really a problem, but I did notice it.

I guess I'd consider buying the light version (non-Pro) of 6.5 for $49 if I felt that I really needed all the protection it offered other than the basic firewall.

 

To allow code injection, you have to go to the windows security tab. under system privileges, you can add a rule for system apps or non system apps and make the ticks accordingly. so far, i have only be toying with the firewall but i guess you can make your system as tightly secure as possible if you wanted to. make sure you back up your rules. also backup your whole system in case anything goes wrong.

 

I knew it was possible somehow, just hadn't taken time to figure it out..

When I was playing with 6.0.140 I would make a backup of my rules every time I made any serious changes. Pretty nice feature. I like Tiny a lot actually. I'll have to install 6.5 and have another look soon...

 

Bitguard personal firewall is very nice . I have recently changed from look n stop .Found unfortunately to many hassles with the previous that kept interfering with setting up after reinstall or reformat However Bitguard is very easy now to install and set up and is a secure firewall .

 

Paranoid,


Netop installs its own miniport driver making it superior to most other firewalls.
Also, It passed all the leaktests I threw at it. I was running outpost before purchasing Netop, which failed many of the tests.

http://ferruh.mavituna.com/article/?769

This link will bring you to one leak test that outpost failed miserably... I contacted Agnitum and they have no fix.

Since I see you are an "expert" what firewall are you running? Lastly have you even tried Netop?

 

Nice link, but it is mostly a warning to not rely too much on application control.

 

Hi,

***Budfox

***We could repeat each day the same things, there will always someone to claim that his firewall is the Best.

Definitively: Best=Subjectivity.
Instead of "best", it's better to say: "my favourite" or "one of the best".

***I know NetOp and ithink that if someone claims that it's the best firewall, he has to post the Proof of concept.

If it's only an opinion, it should stay just a personal opinion.

Do you really know how to evaluate a firewall?

And how much of them have you tested?

Listening how many i have practiced (personal, corporate with IDS/IPS + VPN+Central management etc) is not the subject.
But you can sure that i know what i'm talking about.

**I'm not sure that it's with leaktests that we can evaluate firewalls.
It' not the most important.

A firewall has to protect your pc for any Intrusion.

Therefore, the efficiency of incoming traffic filtering is more important.
Agressive penetration test + real network attacks (ARP cache poisonning...) are more interesting to see the limit of a personal firewall.

From a cybercofee of 30 computers, it will not be difficult (for the ones who know how) to make a little DDOS.
And i'm not sure that NetOp firewall will resist...

On a recent post, i've linked some articles about the subject :

https://www.wilderssecurity.com/showpost.php?p=387618

On this post i've also given the same refence of some firewalls vulnerabilities (securiteam):

http://www.securiteam.com/windowsntfocus/5FP002KELE.html

Just an other one : http://www.securiteam.com/securityreviews/6S0030ABPE.html

Leaktests just demonstartes that you have security isues/holes in your line defense.
With a sandbox, an integrity protection or a firewall application, leaktest are not a problem.
Give me one of the worse firewalls, no leaktest will be able to run.

If you don't have any of these protections (sandbox...), just try this litlle utility: Winsonar: http://digilander.libero.it/zancart/winsonar.html

It's more dificult to evaluate a firewall than an AV, AT or an AS (antispyware).
And as often, the methods used by specialists to audit a corporate's defense are often the same techniques used by attackers to penetrate or crash those systems.

It's a complex subject and my english is limited.

Here i just give a list of some personal firewalls that i've seriously tested with real attacks and which are really efficient (a french magazine has made test which confirms quite the same results):

*Look'n'stop
*Visnetic,
*Kerio,
*ZoneAlarm Pro,
*Injoy,
*PortsLock,
*Outpost
(.....................)


If you're satisfied with NetOp; it's also great for you.
But do not claim that is the best firewall if you can't prove it.

Regards