Firewall dilemma

Discussion in 'other firewalls' started by mvdu, Oct 28, 2003.

Thread Status:
Not open for further replies.
  1. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    I'm having a hard time deciding between ZA Pro 4.0 and NIS 2004. I also have a license for Outpost Pro 2.0, but have ruled that out for now because I hate the way it handles active content. I'm on a router, but still want an IDS - and I could go back to running ZA Pro + BlackICE since they work well, but NIS handles everything with one firewall. I got NIS 2004 free through my dad's work and can continue to get NIS free as long as he works there, but I bought ZA Pro and BlackICE this year and wonder if I should use them. With NIS 2004, my KAV Personal 4.5 would have to be a backup to NAV. Also, do ZA Pro and NIS 2004 offer an equal amount of protection and have equal reputations and amount of horror stories? Do you have any suggestions for me?
     
  2. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    Right now, I have NIS on, but I'm open to advice.
     
  3. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    Which setup is more recommended?
     
  4. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    Well, if nobody thinks it matters, I'll use this setup:

    router, ZAPro, BlackICE, KAV 4.5, BitDefender free (on-demand AV scanner), TrojanHunter, System Safety Monitor, SpywareGuard, SpywareBlaster, Ad-aware, Spybot S&D, regprot, mru-blaster.
     
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Hi mvdu,

    I'm sorry you ended up just talking to yourself in this thread, but I think I see the reason... When you ask a question like "Which of these two should I run?" and the two products are both good, it is difficult for people to advise you as it usually just comes down to personal preferences.

    The crux of your question was whether or not to use ZA Pro 4.0 or NIS 2004. Since both are good solid products, there is no wrong choice to be made here. Either will do a good job - if they work well for you on your system.

    Using ZAP with BlackICE for its IDS should be a very good combination, many people do that. (NIS would have been good, too.)

    As for your full setup, that's a powerful configuration you have there. As long as you configure it all properly, and keep the tools updated, you'll have a very good layered defense.
     
  6. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    Thanks, LowWaterMark - and I plan to keep the configuration I just mentioned (as I don't want to rely too much on one company), except minus regprot. I'll just turn on registry monitoring in SSM.
     
  7. StevieV

    StevieV Registered Member

    Joined:
    Aug 21, 2003
    Posts:
    34
    Location:
    Southampton, UK
    Hi mvdu

    I have a nearly identical setup to you - using ZA Pro, KAV 4.5, router etc. I have never tried NIS 2004, mainly because I don't like product activation, no reflection on the product. Your comments (and LWM) on BlackIce seem very sensible - I think I'll try that too. Anyway, the combination on my pc runs very well and has never given me any problems. Since you are behind a router you probably only need a firewall for outbound protection; it is my impression that LnS provides better outbound protection than ZA Pro (can't provide the link as I can't remember which test showed it). Having said that I don't use LnS but may try it once current license for ZA Pro expires.

    All the best

    Steve
     
  8. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    Hi, StevieV:

    A leak test board showed LnS as doing better - but ZoneAlarm has something called process protection coming that should stop all leak tests. Another reason I changed from NIS is I didn't like how it configured programs.

    Take care,

    mvdu
     
  9. StevieV

    StevieV Registered Member

    Joined:
    Aug 21, 2003
    Posts:
    34
    Location:
    Southampton, UK
    Hi mvdu

    Thanks for the info. I have just installed BlackICE, seems pretty stable so far. My attitude is 'if it isn't broke, don't fix it' and ZA Pro has always run very well on my system with no stability issues and seems to do everything a firewall should. The other thing I like about it is ZA aren't just sitting on their laurels, they are constantly developing and trying to improve their product (I like KAV for the same reasons).

    Good luck with whatever you decide

    Steve
     
  10. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    Thanks, Stevie! I guess this leaves only Sygate to try out - but I don't know if BI would fit as well with that.
     
  11. StevieV

    StevieV Registered Member

    Joined:
    Aug 21, 2003
    Posts:
    34
    Location:
    Southampton, UK
    Tried Sygate briefly for a month - clearly a very good program. Decided on ZA Pro because Sygate didn't perform very well on leak tests and also when I granted a program permission to connect to the internet, Sygate automatically assigned the program server rights and I had to edit each new entry manually to deny server rights. Overall though a pretty impressive program but didn't suit me as well as ZA Pro. Don't know about BI with Sygate; perhaps someone else has experience with this.

    Steve
     
  12. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    I know that Sygate has mostly fixed the leak test problem with the latest release. And I'd like to just have one firewall with an IDS. Guess I'll evaluate it fully. Too bad Sygate doesn't have the privacy features that ZA Pro does. Should I be concerned about some people saying Sygate has vulnerabilities?
     
  13. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    Same configuration, but I think I'll use NPF 2004 as firewall. Things are a little slower with ZA and BI. And since I use KAV, I wouldn't be using the same company for AV and firewall. I assume no one has objections?
     
  14. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    No, I better stick with what I decided. I still get the feeling that ZA Pro is more heavy duty than NPF. And BI running behind ZA Pro is a more extensive IDS.
     
  15. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    I personally like SygatePF5.5 (free); they fixed all the leaktest probs, but Sygate will not work with BlackICE Defender. One plus for Sygate is that it has very detailed attack logs/traffic logs/etc.
     
  16. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    As I understand it, the free version of Sygate doesn't have the IDS I want, though, or advanced configuration. So I think what I have is still best for me. I wonder if Sygate free also automatically grants access rights? Thanks for the input, though.
     
  17. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    I will keep NPF and in the future maybe Outpost in mind, as I don't want to shut off all possibilities. As I stated when I first came here, I'm very open-minded.
     
  18. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    mvdu,

    Sorry, been away enjoying myself for most of the past two months.

    I'm a little confused in trying to follow your postings because at one point you indicate you've decided to stick with ZAPro and then (apparently only a few hours later), you indicate you're going to keep NIS (or NPF, as the case may be).

    I'm a long-time NIS/NPF/AtGuard user and LowWaterMark is a longtime (I think!) ZA/ZAP/ZA+ user. As has been said many times in both this and other security forums, the most fundamental issue in selecting a firewall is choosing one with which you're comfortable and which you are (or at least feel) most comfortable.

    In that context, it's important to realize that ZA/ZAP/ZA+ and NIS/NPF/AG came (originally) from two rather opposed views of what kind of software firewall was most appropriate for the average end-user and, as time has passed, each product line has tended to migrate in the direction of the other!

    NIS/NPF releases are essentially derivatives of WRQ's AtGuard product line that stressed the ability to write highly customized rules (as did ConSEAL, which is now the basis of the McAfee firewalls). That was great, as long as you knew exactly what you were doing. And, from the very first release 1.0 of NIS/NPF, Symantec embarked on a long campaign to eliminate this burden on the average end-user. In its latest releases, many NIS/NPF users have no idea what the rules actually are or how to find out or how to further tighten them to a particular user's individual requirements -- nor do they necessarily need to.

    I think (and I'm sure LowWaterMark will correct me if I'm wrong) that ZA began from the opposite extreme -- "ease of use" for the average Joe being the primary consideration. ZA/ZAP/ZA+ have, consequently, tended to migrate towards a capability to further customize the rules in a manner that is now very similar to what one could do with AG/NIS/NPF.

    The NIS/NPF evolutionary strategy has tended to obfuscate the rules in place (i.e., to reduce the transparency of the rules); indeed, it's now extremely difficult to get a comprehensive idea of the rules that have been implemented or to determine how these rules could be further tightened for a particular user's requirements. And it's also exceedingly difficult to determine if the NIS/NPF firewall is actually working the way the end-user intended or to determine the nature of any problem that may develop. (Which, unfortunately, may be one of the reasons that so many users of NIS/NPF 2003/2004 are "satisfied" with these latest releases.)

    I'm not so qualified to explain what's happened with ZA/ZAP/ZA+; that's more in LowWaterMark's area of expertise. True, the rules can now be considerably more customized than was available in the early versions, but I find the implementation of this customization to be a bit awkward and unnecessarily complicated. (JMHO)

    Somewhere along the way, we got the original "Third Way" products. To me, Sygate Personal Firewall always seemed something like an enhancement of the original ZA (free) with some new ideas thrown in. And I've always felt that Tiny (and then Kerio) were something of a backlash against the 'bloat' that Symantec introduced in NIS/NPF to make AtGuard more user-friendly, again using a distinctly different approach.

    I can't comment on Look 'n Stop or Outpost for the simple reason that I've never used either. I've never considered myself a tester of alternative software firewall implementations from different vendors; I just found what worked for me (acceptably) and tended to stick with it.

    So what do I use? Well, until quite recently, I used NIS 2.5 on Win 98 SE, NIS 3.0 on Win 2000 Pro, and NIS 4.0 on Win XP Home, backed up by BlackICE (or Real Secure Desktop) to provide more extensive IDS capabilities. Furthermore, this was on a dial-up connection in which I used Microsoft's ICS as a software-based router. (NIS/NPF 2003/2004 lack the documentation capabilities which I find so important.) More recently, I've replaced NIS 2.5 on the Win 98 SE box with Kerio and NIS 3.0 on the Win 2K Pro box with SPF (both still backed up by BlackICE/RealSecure on those machines). Both are interesting implementations, but I must admit that I am uncertain and may well revert to NIS 2.5/3.0 on these two boxes -- primarily for the additional features provided by NIS. On the other hand, I am unlikely to upgrade to NIS/NPF 2003/2004 due to the lack of any reasonable capability to document system configuration or do trouble-shooting, both of which are quite critical to me.

    I haven't found the 'perfect' software firewall yet -- and I doubt that I ever will.
     
  19. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    Any thoughts on the setup I decided on? If I want one firewall with an IDS, is NPF the way to go? Considering Outpost hasn't made improvements yet and I'd have to pay more for Sygate?

    Here it is:

    Dell router
    NPF/NIS 2004
    KAV Personal 4.5
    TrojanHunter
    System Safety Monitor (with application control and registry protection on)
    SpywareGuard
    SpywareBlaster
    Spybot S&D
    ProcessGuard
    Ad-aware
    MRU-Blaster
    XP Anti-spy
     
  20. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    Forgot to add that I also have free BitDefender for on-demand AV scanner.
     
  21. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    Ok, one more post for the night. I'm a little worried about rules-based firewalls. I generally know what's being allowed when I look at NPF's automatic rules, and I know how to change them. But I really don't want to create rules unless I need to for something. Would I be better off sticking with ZA Pro, or are NPF's defaults usually good enough?
     
  22. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi mvdu

    It really boils down to which one you are most comfortable with. Both offer good protection and the ability for custom rules. NPF's default rules are good for most users, but can still be customized and streamlined by those wanting to do so.

    Regards,

    CrazyM
     
  23. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Following up a bit on CrazyM's response to this question:

    NIS/NPF contains a list of something that must now be approaching 1,000 popular, Internet-enabled applications. It can automatically generate rules for these applications that are typically a bit more stringent than the 'default' rules likely to be generated by ZA (free) -- I'm not that certain about the current situation with regards to ZAP.

    When I say that, I'm talking about the NIS/NPF pop-ups you're likely to see the first time an application attempts to access the Internet, if you see an option to "Allow NIS/NPF to automatically generate rules for this application". However, if you only see an option to "Permit All" or "Deny All", then NIS/NPF doesn't yet have rules templates for the application in question. I don't generally like the "Permit All" selection -- because that's exactly what it does for the application in question -- at that point, you might as well be running ZA (free).

    Still, as CrazyM notes, it's actually possible for an individual user to further tighten these rules for his or her unique requirements. I suspect that the most commonly cited example is restricting the general DNS rules to only the DNS servers upon which the user relies (usually a set of between two and four remote IP addresses). While there's a lot of automation in how NIS/NPF generates rules (and this is where the bloat complaint comes from), it's simply not very practical for NIS/NPF to automatically determine the IP addresses for a particular user's DNS servers. And, rather obviously, a similar situation pertains with regards to the POP3/SMTP servers that a particular user needs access to with their e-mail client(s).
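
The DNS tightening described in post 23, as an added example that is not part of the thread and not NPF's own rule engine: it assumes a simplified ordered rule list where the first match wins, and uses constructed resolver addresses from the RFC 5737 documentation ranges. The names `Rule`, `decide` and `audit` are hypothetical.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str         # "permit" or "block"
    proto: str          # "udp" or "tcp"
    remote_port: int
    remote_nets: tuple  # ip_network objects; empty tuple means any remote address

    def matches(self, proto, remote_ip, remote_port):
        if proto != self.proto or remote_port != self.remote_port:
            return False
        ip = ipaddress.ip_address(remote_ip)
        return not self.remote_nets or any(ip in n for n in self.remote_nets)


def decide(rules, proto, remote_ip, remote_port, default="block"):
    """Assumed model: rules are checked in order and the first match wins."""
    for rule in rules:
        if rule.matches(proto, remote_ip, remote_port):
            return rule.action
    return default


def nets(*addrs):
    return tuple(ipaddress.ip_network(a) for a in addrs)


# Constructed values: the two resolvers this user actually relies on.
MY_DNS = nets("192.0.2.53", "198.51.100.53")

# General rule: DNS permitted to any remote address.
GENERAL_DNS = [Rule("permit", "udp", 53, ())]

# Tightened: permit only the known resolvers, then block all other DNS.
TIGHTENED_DNS = [
    Rule("permit", "udp", 53, MY_DNS),
    Rule("block", "udp", 53, ()),
]

# Constructed outbound flows: one to a configured resolver, one to an unknown host.
FLOWS = [("udp", "192.0.2.53", 53), ("udp", "203.0.113.9", 53)]


def audit(rules, flows):
    """Return (remote_ip, decision) for each outbound flow."""
    return [(ip, decide(rules, proto, ip, port)) for proto, ip, port in flows]
```

Under the general rule both flows are permitted; under the tightened list, port 53 traffic to the unknown host is blocked while lookups to the configured resolvers still work.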
     
  24. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    Sometimes NPF will say an application is listening on ports, and to deny all or permit all. It means I'm allowing it to act as a server when I click permit, and I don't like that - but unlike with ZAP, some programs don't work if you don't click permit. At that point, I'd like to create custom rules in NPF, but don't always know the server's address that it's listening for.

    Would people recommend Outpost or Sygate over ZA Pro in my case? With Sygate, it's easy to turn off server rights.
     
  25. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    The thing is, I'm very happy with my AV, KAV - but I can't seem to be happy with any of the software firewalls I've owned. That's why I need help.
     