Multiple Firewalls?

Discussion in 'other firewalls' started by Kas, Mar 30, 2009.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Hey Kas:

    I was the guy with the "no brainer" comment. In context I was alluding to the turning on and off of the windows FW feature during and after installation NOT the whole thread as you unfortunately assumed.

    FWIW your thread was interesting!
     
  2. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,979
    Location:
    Eastern PA, USA
    That depends. In series, it will cost you pressure drop, in parallel it will cost you efficiency since you're not staging. Same applies metaphorically for the PC context.
     
  3. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Opinion? It is not simply an opinion; it is factually the case, and the technical reasoning behind it has been presented.
    To keep insisting on it will not change a fact... :p

    Cheers,
    Fax
     
  4. Kas

    Kas Registered Member

    Joined:
    Sep 29, 2008
    Posts:
    147
    Location:
    Bedfordshire - Rip-Off Britain
    I give in, please be gentle with me.

    Fully accepted; more than ONE firewall is bad news.

    All that stuff about series and parallel, which I am quite conversant with - Yes buddy I know that series filters result in lower pressure, it is all a question of resistance, but it is done in practice to achieve a more pure substance. Booster pumps are provided if need be.

    Don't tell me about engineering. The comparison was just an analogy.

    I have disabled my Windows firewall and am running on COMODO IS alone.

    I thank you all for your contributions and kindness in replying to my thread.
    KAS
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Kas,

    If you want to run the windows firewall alongside a 3rd party firewall, then why not. As I put forward earlier in this thread, 3rd party firewall developers will ensure that there are no driver conflicts with the windows firewall.
    What should be avoided is installing 2 3rd party firewalls, as example, if you were to install ZA and Comodo, then the chances are you will get BSOD due to driver conflicts.


    - Stem
     
  6. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,979
    Location:
    Eastern PA, USA
    Nothing in here about engineering. YOU stated the analogy and I only extended it to say there IS A COST to having two firewalls, it will chew up your CPU time and system functionality, the way MORE THAN THE ECONOMIC amount of filtration will needlessly chew up your horsepower. It's overkill, period. So just forget about the analogy and read what others have posted. I'm done, not going to continue the maintenance contract.
     
  7. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I disagree. I do believe though you stretched that statement beyond what can be concluded without solid proof.

    Given the right combination, I don't believe it will chew up cpu time or system functionality.

    Incorrect combination, I would agree that your assessment is very likely. But with so many different combinations of hardware/software available, only testing will reveal it.


    Sul.
     
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I would say that with 2 firewalls there is at least double (redundant) filtering that is unnecessary and to that extent it's wasting resources. How much is another story. Even a router with the XP firewall is redundant and wasting cpu cycles, but is there any practical impact? Probably not.
     
  9. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Too true. But can we really look at it as redundant and wasting resources? After all, how many 'security' or 'network' related programs do many peeps use? What is the overlap? Do we consider that redundant and wasteful? I would say most call it 'layering' of security. Yet you can probably find combinations where they 'overlap', or do the same thing, but in a different manner. Much like using 2 firewalls together that don't oppose each other.

    I don't argue the principle that 2 firewalls may not give you anything extra, but I don't see how 2 firewalls that probably operate (or must) differently are any different than having 2 resident hips/ids/nids etc etc.

    Do you?

    Sul.
     
  10. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    In a layered package, each app serves a unique purpose. They're selected and configured to support and complement each other. Each provides a function the others don't. Overlap is kept to a minimum. Installing 2 firewalls, HIPS, file integrity checkers, etc is building a pile of security apps, not building a layered package.
     
  11. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,979
    Location:
    Eastern PA, USA
    No, I have no proof for you, Sul. Perhaps the way you read what I said was a stretch for you - if so, I take responsibility for the imprecise wordsmithing.

    My "assessment" was more on what had come before in the thread combined with a little analogizing. Based on what the experts said, there can be a cost. I don't think the odds are in Kas' favor that the cost will be justified.

    I'm not an expert, so I'll try to overcome the impulse to participate and antagonize Kas any further. *puppy*


    P.S. And, no, I won't "tell you about engineering", even though I'm "conversant" in fluid dynamics, hydraulics, and process economics and optimization, simply because this is neither an engineering thread nor an engineering forum.
     
  12. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Yep, I would agree with this, well said. :thumb:

    Redundancy (and overlap) needs to be kept to a minimum. Installing 2 of something for the same task implies that you don't trust either one of them to do the job. If not, then get rid of the ones you don't trust, and put in something you do trust. A layered approach means layers of different kinds of security apps that together will hopefully cover the whole situation, not layers of the same thing like layers of paint.
     
    Last edited: Apr 4, 2009
  13. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Fair enough. I would agree that 2 of the same thing would not be layered. However, let us say in respect to this firewall conversation, that most likely (I would hope) one would use 2 because they would complement each other. Take for example the combo that I have used often. XP firewall with no real outbound, and SoftPerfect with much more granular control. Router, XP, SP, that makes 3 inbound packet filters. But, you can allow all inbound and only monitor outbound. True, you could install one 3rd party firewall.

    But now you must ask yourself (if you are fanatically resource stingy) if xp firewall and softperfect (as an example) were to only consume 2-3% cpu cycles and only 12mb ram (if you can trust how much xp fw is using, hard to do), under heavy packet load, that is not much. Toss in most major firewalls, and you will probably be above that. Most I have tried are definitely above that. And often, under same loads, the 3rd party firewall is doing sooo much it is using more cpu cycles than the xp/sp combo.

    So now, which is more efficient? As always, user preference and hardware/software dependent.

    Funny though, I have tried so many firewalls, and so many combinations. I have run tests myself to try and see, under load, light load, whatever, what each firewall does. How multiple firewalls do. What if you run wireshark or tdimon, or even constant ping, how does that affect the system with X brand firewall under X percent load. Things like that, useless really, but still interesting to know. So I pose these questions not to say 'you are wrong' etc, but to say, evidence is inconclusive. Generalizations at best. If there were an all-inclusive 'official' test, we would know.

    When I see absolutes thrown about with computers, or indeed anything electronic, or, even hydraulic ;) I can't help but think of all the 'anomalies' to the absolute I have found over the years.

    BTW, @crofttk, do you really know a lot about fluid dynamics? A very sincere question I would like to know.

    Sul.
     
  14. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,979
    Location:
    Eastern PA, USA
    Enough to size a control valve without cavitation, restriction orifices that stay subcritical, relief valves that don't allow equipment to rupture, and have developed a proprietary reactor feed flow distribution device but I can't run Fluent and am not a CFD expert. I guess whether that's a lot depends on what you know about it. ;)
     
    Last edited: Apr 4, 2009
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    That, is very nice to know. Having to apply it myself at times, much respect going your way. Flow is full of anomalies I find.

    Sul.
     
  16. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,979
    Location:
    Eastern PA, USA
    Indeed, anomalies keep it interesting and make for lifelong learning. :thumb:
     
  17. Kas

    Kas Registered Member

    Joined:
    Sep 29, 2008
    Posts:
    147
    Location:
    Bedfordshire - Rip-Off Britain
    Hi Crofty,
    Luv ya dialogue and WOW all that vast engineering experience, breathtaking - Gee man, how on Earth did you manage to learn all that complicated scientific stuff in only one lifetime?

    Fluid dynamics and all that jazz! I've spent a whole life messing around with that, plus of course those other elementary subjects like Advanced Mathematics, Thermodynamics, Structural Science, Stress Analysis, Guided Weapon design and God knows what else. All to degree standard.

    But, alas all that is gone now, I get my kicks from irrelevant chatter on Forums. Much more exciting and infinitely less demanding.

    Are you trying to impress us? OK, we are impressed.

    OH, go on please! Antagonise me more, I love the adulation..
    KAS
     
  18. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,979
    Location:
    Eastern PA, USA
    Grow up, I was talking to Sully.
     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello,

    Please keep on topic.

    If you want to chat about engineering, then please find an appropriate forum, or you can chat via PM.


    - Stem
     
  20. Kas

    Kas Registered Member

    Joined:
    Sep 29, 2008
    Posts:
    147
    Location:
    Bedfordshire - Rip-Off Britain
    WELL DONE CHIEF, KEEP US ON TRACK. I PROBABLY CHANGED THE POINTS OVER UNINTENTIONALLY - SORRY.
    KAS
     
  21. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The router doesn't qualify as a software firewall or a packet filter. The firewall in a router protects the entire network, not just the one PC unless that's all there is. Routers and hardware firewalls are not generally aware of individual apps on a PC.

    I haven't used SoftPerfect but I see no advantage to leaving the XP firewall running with it. No matter what combination of software firewalls are used, they all use CPU power to process the individual packets each one filters. I don't see where there is anything to be gained by running more than one software firewall. I definitely wouldn't do it just to make use of some extra feature that one has and the other doesn't. If that "feature" is really that important, use an app that's designed just for that purpose. I'd like to see an example where 2 firewalls complement each other more than they duplicate each other's coverage.
     
  22. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    We all do have a different point of view. A router running a *nix mini OS is a packet filter. True, it is not aware of apps, but the definition of a firewall does not have to include apps at all. A firewall in its truest sense is capable of blocking incoming or outgoing packets or both. A router these days definitely falls into that category, as does iptables and ipsec. Term the word 'firewall' what you will, but I see them as firewalls.

    I did not say there was really an advantage to using softperfect. But I did say the two play well together. And I also said if you can gauge what is happening by cpu usage and the different memory usages specs, that xpfw and sp together have less usage than some larger 3rd party that are popular today.

    To put this into context, using xpfw as an inbound firewall is simple with little resources used. Sometimes you wish to know more than what xpfw tells you. You can run wireshark or tdimon, or other tools. Or, since softperfect and xpfw play well together, you can use SP to get more info. Many times I have it running alongside xpfw, to see a finer resolution. To make rules and see what is happening, and sometimes to see what xpfw can do in certain situations.

    Regardless of why someone wants to use 2 firewalls, it can be done. While not a software engineer, I have spent my fair share of time using a computer. I cannot say whether or not running 2 is as bad as you might say, but I can say that I know how to tell when a program puts a load on a system. Comodo for instance puts way more of a load on systems I have tested, than using xpfw and softperfect.

    But in the end, unless you have some sort of absolute fact, it is your preference and opinion that using more than 1 firewall is absurd. That's cool. I can see where you are coming from. But I don't agree 100%.

    Sul.
     