Firewall dilemma

Discussion in 'other firewalls' started by mvdu, Oct 28, 2003.

Thread Status:
Not open for further replies.
  1. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    First, could you give an example of a program with which this has happened? Mind, I am not using NIS/NPF 2003 or 2004, but I've seen a thread at DSLR Security Forum in which antdude (a Symantec consultant) has indicated that the Rules Assistant will pop up when a previously PERMITted app is upgraded -- and only provide the PERMIT ALL/DENY ALL options. (Apparently, you can subsequently change that; but the interface is hardly intuitive, if I understand his comment correctly.) And, yes, you are correct; PERMIT ALL does imply giving the application server rights -- on all ports to all remote IPs -- not a good default in my judgment.

    I'm not quite sure what is happening here, but it appears that the latest versions of NIS/NPF are not only checking the executable's filename, but also some combination of its version/build number, date last modified, and possibly even its SHA1 hash. Unless ALL of the selected items match (which is unlikely to happen with a newly updated product -- even in the same path), it appears that the latest versions of NIS/NPF treat the app as a completely new app for which it has no information. I think that both Sygate and Kerio are a bit more informative in the resulting pop-up, i.e., they ask whether you have knowingly updated the application. If you indicate that you have, they simply modify the authentication information. (There's absolutely no reason why NIS/NPF couldn't do the same thing.)

    Well, this is precisely my complaint with the latest releases of NIS/NPF 2003/2004. Up through NIS/NPF 2002 (version 4.0), a user could use Albert Janssen's AGNIS Rules Viewer and NIS Settings utilities to document the basic firewall configuration and Sven Schaefer's Log Viewer to quickly and easily determine how the firewall was configured and what events needed to be permitted/blocked if the ruleset needed to be customized. Beginning with NIS/NPF 2003, Symantec encrypted this information and refused to provide the necessary keys to Albert and Sven to decode it for their long-established freeware utilities. Perhaps more to the point, Symantec failed to provide (a deliberate choice on their part) any equivalent functionality within the product itself. Consequently, it is now impossible (for all practical purposes) for their average customer to analyze the firewall setup and appropriately customize the rules further for their own needs.
    Every software firewall has its own deficiencies. As you will see from another thread in this Forum, the latest release of SPF looks very interesting in many ways, but Sygate has still failed to resolve the loopback issue (typically only of interest to people running a proxy server such as Proxomitron locally). LowWaterMark would have to address the ZA Pro portion of your query and I am certainly completely uninformed with regards to Outpost.
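    The identity check described above (matching the executable on more than its filename, and then asking whether the user knowingly updated the program rather than treating the new binary as a stranger with only PERMIT ALL/DENY ALL on offer) can be modelled in a few dozen lines. The following is an added example, not code from Norton, Sygate or Kerio; the path, version strings and file contents are constructed stand-ins, and the unknown-program default (outbound only, no listening sockets) is the least-privilege choice the post argues for.

```python
"""Model of how a personal firewall can recognise an application it has
already authorised, and what it should do when that binary changes.

Added example, not code from any of the firewalls discussed. Paths, version
strings and "file contents" below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class AppIdentity:
    """What the firewall records about an authorised executable."""
    path: str
    version: str
    sha1: str


@dataclass(frozen=True)
class AppRule:
    identity: AppIdentity
    allow_outbound: bool   # may open connections
    allow_listen: bool     # may accept inbound connections ("server rights")


def sha1_of(contents: bytes) -> str:
    """Fingerprint of the executable's bytes (hex SHA-1)."""
    return hashlib.sha1(contents).hexdigest()


def classify(rules: Dict[str, AppRule], path: str, version: str,
             contents: bytes) -> str:
    """Return 'known', 'modified' or 'unknown' for a program asking for network access.

    Keying rules on the filename alone lets any file dropped at the same path
    inherit the permissions, so the recorded version and SHA-1 must match too.
    A mismatch on a path we do have a rule for is reported as 'modified', not
    'unknown', so the UI can ask whether the user deliberately updated it.
    """
    rule = rules.get(path)
    if rule is None:
        return "unknown"
    if rule.identity.version == version and rule.identity.sha1 == sha1_of(contents):
        return "known"
    return "modified"


def refresh_after_update(rules: Dict[str, AppRule], path: str, version: str,
                         contents: bytes, user_confirmed: bool) -> Optional[AppRule]:
    """Handle a 'modified' program.

    If the user confirms the update, keep the existing permissions and only
    replace the recorded fingerprint. If not, revoke the old rule so the
    binary has to be authorised from scratch like any unknown program.
    """
    old = rules[path]
    if not user_confirmed:
        del rules[path]
        return None
    new_rule = replace(old, identity=AppIdentity(path, version, sha1_of(contents)))
    rules[path] = new_rule
    return new_rule


def default_rule_for_unknown(path: str, version: str, contents: bytes) -> AppRule:
    """Least-privilege default for a never-seen program: outbound only, no
    listening sockets. A PERMIT ALL default would grant server rights."""
    return AppRule(AppIdentity(path, version, sha1_of(contents)),
                   allow_outbound=True, allow_listen=False)


# Constructed sample: an AV updater authorised at version 4.5, then upgraded.
UPDATER_PATH = r"C:\Program Files\ExampleAV\updater.exe"   # hypothetical path
V1_BYTES = b"updater build 4.5 (constructed stand-in for the binary)"
V2_BYTES = b"updater build 5.0 (constructed stand-in for the binary)"


def demo() -> Tuple[str, str, bool, str]:
    """Walk one updater through authorise -> upgrade -> confirm -> re-check."""
    rules = {UPDATER_PATH: default_rule_for_unknown(UPDATER_PATH, "4.5", V1_BYTES)}
    before = classify(rules, UPDATER_PATH, "4.5", V1_BYTES)      # 'known'
    after = classify(rules, UPDATER_PATH, "5.0", V2_BYTES)       # 'modified'
    kept = refresh_after_update(rules, UPDATER_PATH, "5.0", V2_BYTES, user_confirmed=True)
    recheck = classify(rules, UPDATER_PATH, "5.0", V2_BYTES)     # 'known' again
    return before, after, kept.allow_listen, recheck


if __name__ == "__main__":
    print(demo())
```

The point of `refresh_after_update` is that a confirmed update carries the old permissions (here: outbound yes, listen no) across to the new fingerprint, which is exactly what a PERMIT ALL/DENY ALL prompt throws away.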
     
  2. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Although I don't personally use it, it is my understanding that KAV is a very nice AV package and is frequently updated. And KAV seems to be one of the few AV products out there at the moment that still checks hashes on the executables it checks (to guard against malicious modifications).

    With regards to the software firewalls, I find myself in a situation very similar to your own -- every one of them seems to have some kind of glaring deficiency (from my personal viewpoint), only the details differ. Some have embedded rules (which aren't documented and can't be modified), some have limited customization capabilities, some don't provide the information necessary to further customize the rules to your requirements, and virtually none of them provide decent documentation as to how their rulesets could be customized to be consistent with the end-user's specific internet connection requirements.
     
  3. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    Hi again, and thanks - it happens with things like KAV's updater, which has to listen for Kaspersky Labs to update definitions. I dislike all the things you mentioned disliking about NPF. But are other rules-based firewalls easier for people like me, who mainly want to rely on default settings?
     
  4. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    Which firewall do you use, Joseph V. Morris? If you also haven't been happy with the firewalls, which one are you most happy with?

    I have been running ZA + BI for a while, and that seems to have most things I want, but BI mostly takes up space alongside ZA.
     
  5. ->Guest<-

    ->Guest<- Guest

    ConSeal still exists in fairly much its original form. After McAfee took over, it resurfaced as Umbra, VisNetic, Deerfield, and now it's called 8Signs. Makes me wonder how many people they've ripped off with the licenses; it's hardly a cheap firewall. It also still looks like something from 1998.
     
  6. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    I already answered that earlier in the thread. Jury is still out on the 'most happy with' part of your question.
     
  7. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Yes, that's what I thought had happened. I had problems with the ConSeal paradigm (but that's a personal matter); I don't recall anyone ever saying it wasn't acceptable. (CrazyM was a ConSeal user, incidentally.)

    As for looking like something from 1998, heck, I can live with that! ;) (Indeed, I only wish I looked like something from 1998, at the moment!)
     
  8. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    Oops, sorry about that, Joseph. What would you recommend I run with BlackICE? Would you recommend I even keep BI?

    As for why I changed so quickly, I've been experimenting.
     
  9. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    All this info is definitely helping me: I can rule out NPF based on what you said. I like the extra level of protection ZA Pro + BI gives you, but if someone has a good reason why Sygate or Sygate + BI would be better, I'll look into it. I'm not considering Outpost at least until the new version comes out.
     
  10. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Sygate's OK as long as you don't use a proxy server, as it still has the loopback problem and will allow anything that connects to the proxy server without asking. I keep flitting between Outpost and Look 'n' Stop. I like Look 'n' Stop as it's so small and unobtrusive; however, I find it difficult to make rules for it and it does cause problems with programs like Ethereal on my system. I think you'll find you won't be happy with any firewall for a while, as the "best" one seems to be a combination of them all.
     
  11. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    That's why unless I'm missing something, ZA Pro + BI would be my best bet until Outpost has an update that amazes me. Sometimes Agnitum is lazy - like with active content handling, bugs, and termination protection. I wasn't all that comfortable with Sygate - lots of features, but it's easy to get lost.
     
  12. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Well, we both agree on BI, as I always use that with Outpost or Look 'n' Stop. I've tried it with Sygate and Kerio with no problems too. I don't know why you have a problem with the active content plugin of Outpost, unless you mean the referrer being global rather than on a per-site basis? I don't have a problem with that, as I use Naviscope as a proxy and use the referrer and user agent blocking (per-site basis) through that, so I just leave referrers on enable in Outpost. The only thing I use the active content plugin for is pop-ups really, as IE6 does a better job managing ActiveX, cookies etc. (assuming you are using IE of course). I personally don't like ZoneAlarm and would never install it again, due to the ridiculous uninstall procedure (that doesn't actually uninstall everything... including .dlls in the system folder).
     
  13. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    It's more the fact that there's no way to bypass pop-up blocking to see pop-ups you click to get. Outpost is the only other firewall right now that I have an eye on, though. Glad we agree on BI - I haven't had any problems with it, either. Security people are so entrenched in the one firewall idea that they aren't open to special circumstances.
     
  14. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    I could also use Norton's firewall, if I come to understand the rules better.
     
  15. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Not sure what you mean about the pop-up blocking, mvdu? You can enable/disable it globally (I block globally) but then enable certain sites. For sites where you need pop-ups, like maybe banking sites or shopping sites, you can enable them... and block all others using the global block. I've never tried Norton firewall so can't comment on that.
     
  16. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    mvdu,

    Well, let me say something about BI (or RealSecure) being a software firewall. I use it exclusively for its IDS capabilities, which continue to exceed anything provided by any of the primary software firewall products. (I specifically include the latest releases of NIS/NPF in that comment and will have to wait until I know more about the Snort implementation in Kerio 4.x.)

    To wit: I've never experienced or even read about a conflict between BI/RS and a primary software firewall. I've used various (older, to be sure) versions of NIS/NPF, Sygate, and Kerio with no problems whatsoever. I gather, from what I've read, that there are no observable conflicts with ZA/ZAP/ZA+. Last time I checked, the ISS site had failed to identify any conflicts. This is entirely different from the situation that is likely to obtain with trying to run two of the more recent releases of the various classical software firewalls. The latest releases of these 'more classical' software firewalls are beginning to burrow into the Microsoft TCP/IP stack and Winsock in ways that are not well documented (publicly, at any rate). Consequently, there is certainly a potential for 'collision' which is unlikely to be recognizable. As far as I can ascertain the BI/RS products have not done (and do not need to do) this to provide their functionality. As always, I'm willing to have someone refute that statement. :)
     
  17. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    The definitive site on customizing rules (and basic firewall configuration) for NIS/NPF (and AtGuard, also) has to be CrazyM's website at http://www.gpick.com/agnisrules/index.html .

    I've been delaying posting that link because I'm concerned that it may simply further distract you.
     
  18. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    Thanks for the link, Joseph Morris!

    As far as BI is concerned, it's worth keeping an eye on - but not a major concern yet, I guess.

    Well, thanks for the help, everyone. I think I can take it from here. I'll leave ZA Pro and BI on - but if I get comfortable with NPF, I'll use that - and if Outpost really improves, I'll use that. Good plan?
     
  19. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    One more thing: NPF isn't looking so bad after all, after seeing the links. It can be strange using NPF without NAV, but it might actually be better since I'm not using the same company for both. I don't think I should use BI with NIS 2004, though.
     
  20. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    I was leaning towards NPF until I had a lot of trouble with a rule for KAV's updater - even after I thought I had it solved, prompts kept coming up. Back to ZAP.
     
  21. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    But if I want one firewall that has an IDS, what firewall do people recommend?
     
  22. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Do you recall the problem? Perhaps we could help with creating the appropriate rule.

    Regards,

    CrazyM
     
  23. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    I got the right rules from the pcflank website; thanks for asking. But, I'm still not too keen on using NPF. I'm using ZAP now, but am wondering what the recommended firewall with an IDS is.
     
  24. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Off the top of my head: NIS/NPF, Sygate and Kerio v4.x have an IDS incorporated into the firewall. I would have to do some checking as to which others may have this capability built in.

    Regards,

    CrazyM
     
  25. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    Which one has the best IDS, I wonder? NPF seems to give me quite a few false positives. Thanks for checking into it.
     