Basic or advanced FW?

Discussion in 'other firewalls' started by mrsteel, Dec 7, 2007.

Thread Status:
Not open for further replies.
  1. mrsteel

    mrsteel Registered Member

    Joined:
    Mar 12, 2007
    Posts:
    19
    Hello,

    I surely have a question asked thousands times, but in the number of threads started here each day I was unable to find a satisfactory answer.

    I'm reconsidering my security settings, and I've decided to use some HIPS. In this case, does using an advanced firewall add any value, or is a basic firewall completely sufficient?
    In my understanding, advanced firewalls are nothing more than basic firewalls + some sort of HIPS + sometimes maybe a simple anti-virus - which I'm going to use anyway, but as a separate product.
    Am I mistaken?

    My point is that when using separate products for firewall, HIPS and AV, I have many more combinations to choose from to best suit my preferences than when I'm restricted to all-in-one security suites.

    Thank you,
    Martin.

    P.S. I don't ask for advice of a particular product, there are millions of threads in this forum that do so :).
     
  2. mrsteel

    mrsteel Registered Member

    Joined:
    Mar 12, 2007
    Posts:
    19
    Just found in another thread:

    How's that possible? It must have been either because TF is not that good, or because the whole security setting was not tuned enough. Or am I dumb?
     
  3. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    Yes, you can use a basic firewall plus a HIPS. No need to have an advanced firewall plus HIPS, as they will overlap too much and cause too many alerts.

    Basically go to matousec.com and find a HIPS (not a firewall that passes most leaktests) e.g. Prosecurity.

    Now add a basic firewall of your choice (ignore leaktest results), e.g. Looknstop.

    Now you have a great lightweight firewall and a HIPS to catch the leaktests. No need for a bloated advanced firewall and HIPS at the same time.
     
  4. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    How did they obtain that figure of 75%?
     
  5. mrsteel

    mrsteel Registered Member

    Joined:
    Mar 12, 2007
    Posts:
    19
  6. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    AVG silently blocks some leaktests because they are listed in its database. I don't think this can be regarded as "stopped". It stopped a particular executable from running, but not the behaviour it has introduced.
     
  7. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Martin:

    Yes you are a bit mistaken. But it doesn't matter much. I looked over your posts on the forum and your needs seem to be a setup that won't bother you with popups and confuse your non technical spouse. Fine.

    These days users need a solid FW and a solid HIPS.

    The FW keeps bad packets from getting to your PC and if it is an In/Out FW will also manage which sites/applications can receive packets from your PC.

    This latter feature has to do with privacy of your information.

    The HIPS deals with programs/applications trying to run on your PC that shouldn't be allowed to run. If a trojan slips past your AV/ASW and FW since none are 100% the HIPS is your last line of defense.

    So it is not a matter of an Advanced FW being a HIPS; the term advanced wrt a FW means advanced users can create/modify the FW rules to be more secure, and this means more specific on what ports can be used etc.

    I have some ideas providing free FW and HIPS that are NOT tools you have worked with before and were not happy with.

    But you didn't ask for tools so I will hold these ideas back for now.

    If you don't want a tool vs tool thread PM me and I will respond.

    It would help if you could provide the IDs of your AV and ASW and FW in use now, whether you are behind a router, and what your OS version is.
     
  8. mrsteel

    mrsteel Registered Member

    Joined:
    Mar 12, 2007
    Posts:
    19
    Thank you Escalader for your offer. You're right, I'm looking for a setup that can be easy to handle by non-technical folks, but also that is configurable enough. Because it's me who will be configuring it, but my wife and other members of my family will have to deal with the popups. Currently I've got the old Jetico FW, but it's so noisy that we all - including me - became used to clicking "Yes" on any popup without reading it. This is unacceptable. Fortunately we're behind a HW firewall and don't use P2P etc., so it's not so critical yet.

    But the reason I started this thread is different - I'd like to clarify my own ideas. I've read tons of docs on this topic but am still confused - because the information is incomplete and contradictory. Of course, when one uses 5 firewalls, 3 HIPS, 7 AV, several keyloggers, anti-rootkits etc., he may feel safer than when he only uses 2 of each kind. Nonsense, of course.

    But the same feeling I have when I read those popular leaktest sites and other comparative reviews. In my opinion they compare apples to pears. It's obvious that a FW with HIPS features blocks more threats than a basic one. But this does not make the basic FW any worse - because it was not designed to be used alone without any HIPS and AV software.

    And here comes what I began this thread with. If the FW cannot be shut down, if a browser is blocked by the FW from executing any other program, etc. - what is this other than HIPS? And why have HIPS in the FW if I already have a standalone one? (Of course, you can place two locks on your door instead of one, and will be more secure. The question is how much more. But this is not what I'm asking about.)

    By a basic FW I meant a "smart" packet filter (the FW in the sense of Wikipedia, perhaps up to the 3rd generation, but still working on packets). By an advanced FW I meant everything else. (If a FW prevents itself from being killed, this has nothing to do with packets. If a browser needs to access IP 123.45.6.78, this definitely has something to do with packets, though the info from packets alone is not sufficient.) I apologize if I use an improper term, but I have no better.

    It matters - to me :). Because exactly because of this I started this thread. If I am mistaken, can you please explain it to me a little bit more? Or at least a link?

    Are you aware that you are saying the opposite of what "dmenace" says above? :)

    Thanks, Martin.
     
  9. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    I re-read dmenace's post(s) and have no real differences, so that's fine.

    This thread has posters (me included) who seem to have different definitions of advanced FWs. If we are saying that an advanced FW is only advanced because it has functionality beyond packet scanning, that's one view.

    Another might be that the Basic FW + a powerful HIPS = an Advanced FW.

    Others may call that combo a "suite". It is much easier and less confusing to define what functions a user should have working on his PC, then search for the products/vendors that best provide those needs.

    You are right that the FW should defend itself from being shut down or modified by untrusted programs.

    But it would help me if you could rephrase your question(s) or indicate what exactly you would regard as a "good"/"useful" outcome for your thread?

    It's probably just wording...
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
  11. Hairy Coo

    Hairy Coo Registered Member

    Joined:
    Oct 19, 2007
    Posts:
    1,486
    Location:
    Northern Beaches
    Wasn't supposed to be anything but a rough and ready test.

    I mentioned "accessible leaktests", for as alex_s points out, "AVG silently blocks some leaktests because they are listed on its database."

    To get proper results, I suppose you would really have to run tests on each app.
     
  12. mrsteel

    mrsteel Registered Member

    Joined:
    Mar 12, 2007
    Posts:
    19
    Escalader, let's agree on that Basic FW means a "smart" packet filter, and that Advanced FW is Basic FW + "something more". Then my question is whether that "something more" is HIPS.

    In other words, if I combine Basic FW with a standalone HIPS program, will I miss anything in comparison with Advanced FWs?

    However, I don't want to fall into academic debates. I'm just not sure that I'm not steadily overlooking something.

    Edit: I've submitted this before your other post. Thanks for the link, I'm going to have a look at it.
     
    Last edited: Dec 7, 2007
  13. mrsteel

    mrsteel Registered Member

    Joined:
    Mar 12, 2007
    Posts:
    19
    I don't know whether I understand well, but in my opinion it is useless to run leaktests on individual security components. It is important whether the system security as a whole withstands the leaktests - but for this purpose the individual security components must cooperate.

    What you've written was alarming to me, because I was thinking of TF + a basic FW + AV as a possible leakproof security setting candidate.
     
  14. mrsteel

    mrsteel Registered Member

    Joined:
    Mar 12, 2007
    Posts:
    19
    So does mirror mine :). But as an amateur, I wanted to see my opinions confirmed by someone erudite. Thanks for the link.
     
  15. Hairy Coo

    Hairy Coo Registered Member

    Joined:
    Oct 19, 2007
    Posts:
    1,486
    Location:
    Northern Beaches
    OK, to satisfy yourself the only way is to trial the apps of your choice and test them. The risk really isn't great!

    As you are worried about leaktests and seem to want a firewall without HIPS plus a separate HIPS - the obvious answer is to use ProSecurity for your HIPS.

    If I were you I would just settle on a Firewall with HIPS which scores well on the leaktests, as this seems to be your criterion, for some reason.

    Consult Matousec and you have two choices.

    There is an obvious suitable candidate which would solve your problems.

    Then choose an AV.

    Do not get too bogged down - it's really not that complex unless you make it so, and that won't help you in the end :)

    Edit: If you run separate leaktests you will find out how each component scores and in which test.

    Then, by trial and error or from established results, you will use those that score the best, or complement each other and are compatible - to achieve the optimum total result.

    There's no magic! The layer principle.
     
    Last edited: Dec 7, 2007
  16. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Not a problem. Glad to help.
     
  17. mrsteel

    mrsteel Registered Member

    Joined:
    Mar 12, 2007
    Posts:
    19
    This is exactly what I didn't want :). Because, as you say, this gives me only a single (freeware) choice, and I have some specific requirements. And that's why I was asking whether basic FW + separate HIPS leads to the same results. There's no reason why I should choose a firewall that doesn't pass the leaktests - if I didn't want to use a separate HIPS with it - even though the risk is not high.

    This is a way too, but I agree with the principle stated in the link provided by Escalader: "The less (the layers) overlap in functions, the better."

    Thanks for the response!
     
  18. mrsteel

    mrsteel Registered Member

    Joined:
    Mar 12, 2007
    Posts:
    19
    Just read the whole thread. Excellent discussion :D! Thanks again!

    Just one question: What is
    mentioned there by Pedro? Maybe this "outbound control" is what differs Advanced FW (in my sense) from Basic FW + HIPS combination?
     
  19. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Hello,

    "... is the basic firewall sufficient ..." for what?

    1. Do you have to control your apps outbound on port / protocol basis?
    2. Do you fear infections?
    3. Do you have more than 1 network adapter?
    4. Is your setup a mixed bag of OSs, computers, LAN, sharing etc.?

    All these will impact whether you "need" or "want" a basic or an advanced firewall.

    The tradeoff is that an advanced firewall requires more interaction, but gives you better control. But if all you do is connect to the web for a bit of news, some emails and such on a single machine, and would not know how to answer a question regarding ldap tcp 389 wants to connect blih blah blah, then a basic firewall is the right one for you.

    Mrk
     
  20. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Yes, the 3 main FW learning threads do provide a lot of good information. I have it in mind (someday) to go over them all, extract the common wisdom and publish that in a post.

    I'm sorry, but I don't understand "HIPS with outbound control"; not my post.

    Again, the HIPS function manages what executes and what doesn't. The FW should provide access control.

    For example, in OA 2 under FW rules, there is a list of programs that have access to the internet. That means to me I have certain programs that are denied access: games, etc.
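    The three layers the thread keeps separating (mrsteel's "smart packet filter", Mrkvonic's per-application outbound control, and the HIPS that judges what executes) can be modelled side by side; the toy below is an added example, not code from any product named in the thread. Process names, the launch policy and the 203.0.113.x addresses are constructed for the demonstration.

```python
from dataclasses import dataclass

@dataclass
class Connection:
    process: str    # image that opened the socket
    parent: str     # image that launched that process
    dst_ip: str
    dst_port: int
    proto: str

# Basic FW rules: (action, dst_ip, dst_port, proto); "*" matches anything.
# Constructed sample policy: web and DNS out, everything else dropped.
PACKET_RULES = [
    ("allow", "*", 80, "tcp"),
    ("allow", "*", 443, "tcp"),
    ("allow", "203.0.113.1", 53, "udp"),
    ("deny", "*", "*", "*"),
]
# Per-application outbound control: only these images may talk out at all.
ALLOWED_APPS = {"firefox.exe", "thunderbird.exe"}
# HIPS execution policy: which parent may launch which child image.
LAUNCH_POLICY = {
    "explorer.exe": {"firefox.exe", "thunderbird.exe"},
    "firefox.exe": set(),   # a browser is not expected to launch anything
}

def packet_filter(conn):
    """Basic FW: first matching rule on packet fields only; no notion of process."""
    for action, ip, port, proto in PACKET_RULES:
        if ip in ("*", conn.dst_ip) and port in ("*", conn.dst_port) \
                and proto in ("*", conn.proto):
            return action
    return "deny"

def app_firewall(conn):
    """'Advanced FW' part: same packet check, but the program must be on the list."""
    return packet_filter(conn) if conn.process in ALLOWED_APPS else "deny"

def hips(conn):
    """HIPS: judges the behaviour (parent launching child), never the packet."""
    return "allow" if conn.process in LAUNCH_POLICY.get(conn.parent, set()) else "deny"

def verdicts(conn):
    return {"packet_filter": packet_filter(conn),
            "app_firewall": app_firewall(conn), "hips": hips(conn)}

# Constructed scenarios: the normal browser, and an unknown program the
# browser launched that then reuses the already-open port 80.
browser = Connection("firefox.exe", "explorer.exe", "203.0.113.10", 443, "tcp")
leak = Connection("leak.exe", "firefox.exe", "203.0.113.10", 80, "tcp")
```

    Running `verdicts(leak)` shows the packet filter allowing the connection on port 80 while both the application layer and the HIPS deny it, which is the overlap dmenace warns about and the gap a basic FW on its own leaves.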
     