SSM Firewall Enough

Discussion in 'other firewalls' started by Dazed_and_Confused, Feb 10, 2007.

Thread Status:
Not open for further replies.
  1. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Regarding firewalls, at this point I have come complete circle. I began using ZA Free many years ago, moved up to ZA Pro, then downsized to Ghostwall a couple of years ago, moved up again to Kerio v4, and have recently been experiencing problems with it. Once again come to a decision point in my relatively short life. How much firewall do I REALLY need?

    A couple of months ago I dumped PG and moved to SSM. Now that it has basic network rules, I am thinking - Can I do with just SSM's "firewall"?
    • From what I can tell, it's light on resources (SSM resource usage compared to with and without Network rules)
    • It has basic application outbound control.

    In the past I have used both ZA Pro's and Kerio's features to create detailed rules about what software has what access to what untrusted IP addresses, and what protocols. But that is really a hassle, especially since I really enjoy trying out new apps, etc. Requires a LOT of maintenance. I have now decided these detailed rules are not worth the effort (ie. addresses IMO a small threat, relative to effort required). So, if I want only basic app control (ie. Give Proximitron access to Untrusted, Do not allow XXX app access to trusted, etc), is SSM enough firewall? Or should I supplement it with Ghostwall (which is really light on resources)? What additional do I get by using Ghostwall on top of SSM? Or maybe should I use Ghostwall without SSM? o_O

    This may sound like a stupid question, but I'm not at all an expert on networking, firewalls, etc. By the way, I am behind a router (hardware firewall). Thanks in advance. ;)
     
  2. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    IMO, using SSM's basic Go/No Go outbound filtering behind a firewalled router is excellent protection. I was using that setup for a while and really liked it. However, I do like configuring firewalls 'til the cows come home, and Outpost Pro 4.0 does not seem to impose an appreciable lag on my network connection, so I went back to it.

    Honestly, I would say you can't go wrong with SSM and your router. Excellent setup!
     
  3. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks for your opinion, cprtech. :)

    I thought so too. Not knowing that much about the technical details behind what's happening in a firewall, I was just concerned when I tried a firewall tester (GRC), and apparently I responded to a PING, although everything else was OK. It said the PING thing was bad. Not sure how bad that really is, and if it's worth the extra drag on resources to install something more substantial.
     
  4. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    Seeing as you are behind a router you don't need ghostwall or anything like that as your router is doing the job. SSM is taking care of outbound connections so i reckon its sufficient. On this system i've done away with my firewall, i'm just using prosecurity plus my firewalled router. Simple and light.
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Your Router is replying to the Pings.
    Go into the router settings, you should find an option for (or similiar to) "Block WAN Requests"
     
  6. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Agreed, Farmerlee. Thanks! :)


    Thanks, Stem. I will try and find that. Either way, if it's the router responding, I guess I had that problem all along (even when I was using Kerio).
     
  7. tlu

    tlu Guest

    It depends ;) As you already mentioned, SSM provides outbound protection. A router should provide inbound protection IF it has an SPI (Stateful Packet Inspection) firewall! I think there are still some SOHO routers sold that claim to have a "NAT firewall". That's nonsense: NAT is NOT a firewall! Thus you should check that - and you should also check if a firmware update is available. There have been cases in the past where the firmware of some SOHO routers had security leaks, so applying the latest update is possibly important. And you don't make a mistake if you additionally enable the Windows firewall - just in case.
     
  8. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    Considering a router firmware update is a lot like considering a BIOS update: only do so if you absolutely have to Even then, make sure you do so over a hard-wire (LAN patch cable) connected pc, not wireless, or you could destroy your router. There should be release notes on the firmware updates for your model router, so you can determine if it really is practical and necessary to update. If a scan on your router results in stealthed ports, with only the response to pings being the issue, then your router is effectively blocking unsolicited inbound attempts. Hopefully you can find the option in your router’s interface to disable response to pings.
     
  9. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks again, cprtech. :-*

    No, I could not find anything about that in the manual. But from what I've read elsewhere, responding to pings is not really that serious a threat to the average girl. :shifty:

    It appears from everyone's response that I'm good to go with just SSM giving outbound protection, and router protecting the inbound. So now I just need to turn my attention to getting a better understanding of SSM. What a powerful tool! That is, if you understand how to use it's endless features. :rolleyes:

    Thanks again! :cool:
     
  10. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Nice quote from http://mywebpages.comcast.net/SupportCD/XPMyths.html


    Any outbound host-based firewall filtering in Windows XP is really just meaningless as a security feature in my opinion. True, it stops some malware, today, but only because current malware has not been written to circumvent it. There simply are not enough environments that implement outbound rules for the mass market malware authors to need to worry about it. In an interactive attack the attacker can circumvent outbound filters at will. To see how, consider this. Circumventing outbound host-based firewall filters can be accomplished in several ways, depending on the scenario of the actual attack. First, the vast majority of Windows XP users run as administrators, and any malware running as an administrator can disable the firewall entirely. Of course, even if the outbound filter requires interaction from the user to open a port, the malware can cause the user to be presented with a sufficiently enticing and comprehensible dialog, that explains that without clicking "Yes" they will not ever get to see the "dancing pigs". See, the problem is that when the user is running as an administrator, or the evil code runs as an administrator, there is a very good chance that either the user or the code will simply disable the protection. Of course, the user does not really see that dialog, because it is utterly meaningless to users. That is problem number one with outbound filtering. Given the choice between security and sufficiently enticing rewards, like "dancing pigs", the "dancing pigs" will win every time. If the malware can either directly or indirectly turn off the protection, it will do so. The second problem is that even if the user, for some inexplicable reason clicked "No. Bug me again" or if the evil code is running in using a low-privileged account, such as Network Service, the malware can easily step right around the firewall other ways. As long as the account the code is running as can open outbound connections on any port the evil code can simply use that port. Ah, but outbound Firewalls can limit outbound traffic on a particular port to specific process. Not a problem, we just piggy back on an existing process that is allowed. Only if the recipient of the traffic filters based on both source and destination port, and extremely few services do that, is this technique for bypassing the firewall meaningful. The key problem is that most people think outbound host-based firewall filtering will keep a compromised asset from attacking other assets. This is impossible. Putting protective measures on a compromised asset and asking it not to compromise any other assets simply does not work. Protection belongs on the asset you are trying to protect, not the one you are trying to protect against! Asking the bad guys not to steal stuff after they have already broken into your house is unlikely to be nearly as effective as keeping them from breaking into the house in the first place."

    END QUOTE

    Due to the fact that most XP users are running as admin, I prefere to spend money on policy control sandbox applications like GeSWall and DefenseWall.
    Due to the fact that most leaktest either compromise existing processes or piggy on normal system processes, I would place my money on a Classical HIPS like SSM or Prosecurity, because that is what they are designed for (and are good at). Only problem is that those applications require some knowledge to configure.

    People not bothering about the PC internals are best off with Hardware firewall and DefenseWall plus CyberHawk.

    Regards
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Above quote taken from blog May 06

    The article is about windows Vista firewall. He needs to get a good 3rd party firewall, then join "Wilders" and learn some security implimentations
     
  13. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    Just to clarify on my response to Daisey, because it does contradict this one here, I sensed from her post that she was not at all interested in a rules-based firewall. It has become clear to me – and a learning experience - from being a member in Wilders that some of us just don’t want to be bothered with trying to configure a full-blown firewall, including local/remote ports, local/remote ip addresses, protocols, direction and everything else that goes along with a rules-based firewall. And there is nothing wrong with that. Not everyone wants that type of control, nor wants to exert the tremendous time and effort it takes to configure it all. Furthermore, no one should try too hard to persuade someone in that group to convert to a full, rules-based firewall. Sometimes a simpler approach such as the go/no go option in SSM’s network filter is the best solution for some individuals, just as the basic XP firewall or something like ZA free might be the best. So, my opinion has recently changed on using SSM’s basic network filter option instead of a full firewall, especially when behind a router. I now sincerely believe it is an excellent option for those who are not interested in a full firewall.
     
  14. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    In my case, I have a hardware firewall and run a light software firewall for outgoing. It, along with a good HIPS does all I need.

    I've been the configuration route. I don't have the ability to understand all the technical jargon. The firewall I tried to configure was an older version of Tiny, a couple of years ago. I did lock it down tight - to the point that I couldn't even get into my own computer, not even in Safe mode. I had to reformat to get rid of it.

    Based on that experience, I've stayed with firewalls that did most of the work for me. I can do slight configurations of HIPS programs now, but one rule at a time to see what happens, then on to the next. Maybe it's a case of being from the older generation, or a matter of not being 'gifted' with the ability to understand technical matters. I think there are quite a few like me who read Wilders regularly.
     
  15. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    Hi Chuck,

    I don't have the knowledge or want to take the time to learn all that seems to be needed to configure some firewalls.
    I am using LooknStop with the enhanced rules. My other firewall that I have used for years is Kerio 2.1.5. Both have done well, as far as I can determine.

    Right now I am not using Kerio because I recently installed F-Secure Internet Security. Frankly, I was just as happy with the FS AV and Kerio, but the suite is what I got.

    You said, Quote Based on that experience, I've stayed with firewalls that did most of the work for me.end Quote.

    What are a couple of firewalls that satisfy that requirement? I think the bulk of users also want such firewalls.

    Thanks,
    Jerry
     
  16. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    For me, it's Look n Stop, too, with the enhanced rule set. I've tried a lot of firewalls and, as I mentioned, had one so secure I couldn't get into my computer, and some that I just threw up my hands and gave up on. For the past couple of years, on my old computer and this one, I've stayed with Look n Stop. The hardest part of LnS is finding the enhanced rule set and applying it. I love it.

    I used the 4.5.xxx version of ZA free. It was light and nice, compared to the newer versions, and I still have the .exe saved on my other drive, but I always return to LnS.
     
  17. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Couldn't agree more Chuck :thumb:
     
  18. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    Thanks for the replies. I see all the new firewalls come out, and a lot of complaining about how to set them up or problems. It just makes me more inclined to keep what I have.:thumb:

    Best,
    Jerry
     
  19. pvsurfer

    pvsurfer Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    1,616
    Location:
    USA
    @D&C... You didn't mention if you're talking about a desktop or laptop - it could very well matter!

    While I would agree that SSM is good enough behind a router with a qualified hardware firewall, when using a laptop at various 'hotspots' you never know what kind of hardware firewall (if any) is enabled.

    So even though I'm behind my router's firewall at home, I do use my laptop at hotspots, so I feel I'm safer having a software firewall on my laptop than just relying on a hips!
     
  20. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada

    Good point. In that case and/or a pc/laptop behind a router on a LAN could use as a minimum, I would think, SSM's Network module enabled combined with, say, XP's built-in firewall.
     
    Last edited: Feb 15, 2007
  21. pvsurfer

    pvsurfer Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    1,616
    Location:
    USA
    I guess, but (on my laptop) Comodo's FW does it for me. ;)
     
  22. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
    I have found for safe browsing, the SSM with a router, firefox and an antivirus is enough. Of course, to harden the windows and close ports and vulnerabilities was done. JMO.

    12fw
     
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    This is an interesting tread.

    Point is that many good firewalls need good configuration. The lack of knowledge for good software FW configurations is the problem.

    A good firewall needs to detect process injection et cetera. Therefore Comodo (problably the best free firewall) recognises changed processes, but does not prevent the process change itself. In the next releases Comodo will provide HIPS like protection (when you recognise the change, why not prevent the change!).

    I am currently running DefenseWall (treath gate sandbox protection), SSM free (protection at process level) and SensiveGuard (firewall and data access protection). I will be happy to change SSM and Sensive Guard for Coreforce when it comes out of Beta. Ultimately a firewall by design with added HIPS and data access protection is the best architectural solution. Comodo's next releases might also be interesting.

    The setup of a FW itself and the good security alignment of your HIPS and FW
    is a security issue on itself. To trigger discussion I therefore had placed the quote in my previous post.
     
  24. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    After reading through this thread I can see why SSM has more value for protection than most other software, but can SSM Free be used without any configuration? For example if you run it for a few weeks while in learning mode on a clean system, and use other protection like Cyberhawk and maybe an Antispyware to keep it that way, would the configuration made in learning mode be adequate enough protection after taking SSM Free out of it?
     
  25. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    With Cyberhawk, I am skeptical of its preventive protection.
    Not running it now, but my impression is that you would first have to install a baddie. It could notice it and you were then warned.
    But not sure, remembering the av-comparatives review where it did well.

    I am not a strong advocant of SSM since it is too noicy for my system.
    Just happy with PG free.
    2 weeks should be just fine, so bring SSM out of it's learning mode and check what processes/programs it allowed. It is a good diagnostic tool.

    And more into sandboxing solutions that don't need the knowledge of processes/programs run, but safeguard against malware for more ignorant casual users.
    EDIT
    This should have gone more to anti-malware forum, but hope readers don't mind ;)
     
    Last edited: Feb 16, 2007
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.