Firewalls + HIPS + AV = Overkill?

Discussion in 'other firewalls' started by Jo Ann, Mar 6, 2007.

Thread Status:
Not open for further replies.
  1. Jo Ann

    Jo Ann Registered Member

    Joined:
    Jan 6, 2007
    Posts:
    619
    I do like CA's interface. I've noticed that a lot of you use a HIPS and so I'm wondering what additional security any HIPS can bring to someone like me who is behind a router (with firewall) + Comodo FW + NOD32 AV?

    For that matter, in my case would I be better off using a HIPS instead of Comodo?
     
    Last edited: Mar 6, 2007
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Post split from here

    There are a number of firewalls that now include some form of HIPS, even some AVs now include this, so caution is needed when installing various security apps.

    We have had threads on "suites" compared to single apps put together (firewall/AV/hips), and I think it is a subject that will come up for a while.
     
  3. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,304
    Location:
    Kent. UK by the sea
    Hi, Jo Ann

    If you have [had] never seen Tiny Firewall, well that is basically what you are seeing with that GUI. :eek:

    Take Care,
    TheQuest :cool:
     
  4. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    You can think of a HIPS as a "system" firewall, monitoring your pc for new or changed applications and processes. This can be beneficial in preventing zero day exploits from springing into action if they avoid detection by your anti malware apps. Still, it doesn't mean you need or will want to use a HIPS. You could always try one out if it intrigues you. Comodo has some HIPS-like functionality built in, but not to the extent of a true HIPS.
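An added example, not code from the thread or from any product mentioned in it, of the "system firewall" idea cprtech describes: a baseline of known executables is recorded (learning mode on a clean machine, as Stem suggests later), and any binary that is new or has changed since the baseline is not allowed to run silently. The paths, file contents and function names (`learn`, `check_execution`, `demo`) are constructed for this illustration.

```python
"""Minimal HIPS-style execution monitor (added illustration, not from the thread)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class ExecBaseline:
    hashes: dict = field(default_factory=dict)      # path -> sha256 hex of the trusted binary
    decisions: dict = field(default_factory=dict)   # path -> "allow" or "deny" as decided by the user


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large executables do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def learn(baseline: ExecBaseline, paths) -> None:
    """Learning mode: record every listed executable as trusted.
    Only meaningful if the machine is known to be clean at this point."""
    for p in paths:
        baseline.hashes[p] = sha256_file(p)
        baseline.decisions[p] = "allow"


def check_execution(baseline: ExecBaseline, path: str):
    """Return ("allow" | "prompt", reason) for an execution attempt.
    Anything unknown or modified falls through to a prompt, never to a silent allow."""
    if not os.path.isfile(path):
        return "prompt", "executable not found"
    current = sha256_file(path)
    known = baseline.hashes.get(path)
    if known is None:
        return "prompt", "new executable, not in baseline"
    if known != current:
        return "prompt", "executable changed since baseline"
    return baseline.decisions.get(path, "prompt"), "matches baseline"


def demo() -> dict:
    """Run the three cases on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "notepad.exe")            # constructed, stands in for a known-good program
        with open(good, "wb") as f:
            f.write(b"MZ-constructed-good-binary")
        base = ExecBaseline()
        learn(base, [good])
        results = {"unchanged": check_execution(base, good)[0]}

        # Simulate the binary being patched on disk after the baseline was taken.
        with open(good, "ab") as f:
            f.write(b"\x90\x90")
        results["modified"] = check_execution(base, good)[0]

        new = os.path.join(d, "dropper.exe")             # constructed, never seen before
        with open(new, "wb") as f:
            f.write(b"MZ-constructed-unknown-binary")
        results["new"] = check_execution(base, new)[0]
        return results


if __name__ == "__main__":
    print(demo())
```

The point of the example is the decision logic, not the hashing: a signature-based AV asks "is this known bad?", whereas this monitor asks "is this known good and unchanged?", which is why it can stop a freshly dropped or patched binary that no signature covers yet.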
     
  5. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Hello Jo Ann.

    IF I am asked, I always ask in return first what kind of protection is needed. As the answer in 99.9% is "maximum" I then advise to separate defenses as much as possible. An application should do only what the name suggests. A firewall should do "firewalling" and nothing more, a HIPS should do process behaviour inspecting, and AV should deal with malware. I do not care about spyware-stuff anymore, and I stopped using AS applications, so I do not recommend those. :D :D :D
    Regarding your setup, I presume you also want a maximum protection, so my 2c: I can see a possible overkill with your router and Comodo (double inbound filtering if you use default rules in Comodo). You should be rather fine with ditching Comodo and putting a simple SPI packet filter to take care of your outbound activities. It's impossible to find a firewall that does outbound only, but you can always turn inbound off in a sw FW. You should accompany that FW with a decent HIPS also. Although Comodo possesses an excellent traffic filter, it also implements a HIPS variant, but this HIPS cannot quite be compared to specialized IPS applications. If you are eager to play with software, I'm sure you'll have no problems finding some excellent stuff that matches my descriptions here on Wilders whether you use the search option or do an inquiry. But if you are tired of trying out different vendors and their offsprings, I would also add that your setup may easily be considered as perfect. Comodo's HIPS WILL get better, and you can turn off that Comodo's inbound which your router is dealing with. NOD is an AV/T and doesn't put any overkill on your setup.
    So, my short answer to your second question would be "yes", but you must take care that your chosen HIPS does outbound NIPS. :)

    P.S. GUI is NOT a relevant factor, but I do understand your need for an eye-candy. :)

    Regards

    EDIT: Well, English is not my native language, so I had to edit the post to make it more clear (well, I often do that) but I think I made it in the end. ;)
     
    Last edited: Mar 7, 2007
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Totally agree,

    Therefore I use the following schedule to prevent overlap
     

    Attached Files:

  7. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Hello Kees1958:

    Nice table. I can see you are using sandboxing-type protection as well. That's a "new kid on the block" if I may use this expression. Me liking DefenseWall :p :D also. Sandboxing is a revolutionary idea, but not yet developed to its full potential IMO. I don't want to confuse OP Jo Ann, so I will stop, just wanted to say it's a nice approach if you don't want to miss a spot.
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    My point of view.

    From the requested thread title "Firewalls + HIPS + AV = Overkill?", my answer could be yes or no, as for me it would depend on what was installed.
    Let's look at 2 possible setups.

    1. Comodo firewall + SSM + KAV6 (all modules active on all) I would see this as overkill, as there is a lot of overlap in protection, with possible conflicts. Now I know that certain modules can be disabled, but that in itself is not always enough, there would be a need not to install some modules (where possible)

    2. Kerio 2 + SSM + NOD. This for me is not overkill, as there would be no overlap, and little to no chance of conflict, although for all "Leaktest" prevention this would not be enough.

    So really for me, it is a case of finding the correct balance(layers) of security applications (with minimal amount). Personally my main intention for having a computer is to run my applications (aside from my installations for support issues), not simply for running my security apps.

    @Jo Ann

    From your setup,.. Router: Yes, I have always used a router with SPI, this is a good line of defence (correctly setup)
    Comodo + NOD, again a good combination. To add to this, well, really for me, all that is missing is program execution prevention. I would have suggested using maybe ProcessGuard free, but there have been reports of conflicts with Comodo+PG. So maybe SSM/PS free, with minimal settings. You could run either in learning mode for a while (ensuring that the PC is clean of any infection). Now if there are any conflicts with Comodo+SSM or Comodo+PS I do not know, I have never tested these combinations.
    Now, is there a need to have a software firewall when you are behind a Router? This for me depends on the setup. If for example, there is only one user on the local LAN and this is wired, possibly not, but if this is shared or untrusted (maybe at college etc) then yes, even if this was just the XP firewall.

    There have been reports that Comodo 3 will include a HIPS. So at that point you may not have to worry about adding to the config you currently have.
     
  9. Jo Ann

    Jo Ann Registered Member

    Joined:
    Jan 6, 2007
    Posts:
    619
    Thank you all for your feedback. I'm learning quite a bit here (actually my head is starting to spin). :D

    But I still don't think I have a good understanding as to whether a HIPS (e.g., SSM) would actually replace the outbound filtering functions of Comodo? If it can, then I could 'lighten the drain' on my laptop's resources by just going with my router's FW and a HIPS. :doubt:
     
  10. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Jo Ann,

    SSM free will not give any internet access control. SSM paid version will allow you to allow/block applications access to the internet.
    I think the free version of ProSecurity will give you internet access control.

    Using these, for internet access control, will only give the basic allow/deny. You cannot create rules (although SSM does have a trusted zone) for applications to control ports/IP used.
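An added example, not code from the thread or from SSM, ProSecurity or Comodo, that models the distinction Stem draws: an application-level control that only knows allow/deny per program, beside a firewall-style policy whose rules also match destination network and ports (with a "trusted zone" entry of the kind Stem mentions). All application names, addresses, rules and function names (`hips_allow`, `firewall_allow`, `compare`) are constructed for the illustration.

```python
"""Per-application allow/deny versus per-application port/IP rules (added illustration)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Connection:
    app: str        # process attempting the outbound connection
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# --- HIPS-style internet access control: only the application identity is consulted ---
def hips_allow(app_decisions: dict, conn: Connection) -> bool:
    """A basic allow/deny table; anything not listed is denied (the user would be prompted)."""
    return app_decisions.get(conn.app, "deny") == "allow"


# --- Firewall-style control: application plus destination network, ports and protocol ---
@dataclass(frozen=True)
class Rule:
    app: str                        # process name or "*" for any
    action: str                     # "allow" or "deny"
    network: str = "0.0.0.0/0"      # destination CIDR
    ports: tuple = ()               # empty tuple means any port
    proto: Optional[str] = None     # None means any protocol

    def matches(self, conn: Connection) -> bool:
        if self.app not in ("*", conn.app):
            return False
        if self.proto is not None and self.proto != conn.proto:
            return False
        if self.ports and conn.dst_port not in self.ports:
            return False
        return ipaddress.ip_address(conn.dst_ip) in ipaddress.ip_network(self.network)


def firewall_allow(rules, conn: Connection) -> bool:
    """First matching rule wins; no match means deny."""
    for r in rules:
        if r.matches(conn):
            return r.action == "allow"
    return False


# Constructed sample policies. The browser is "allowed" in both, but only the
# rule set says where it may go.
HIPS_DECISIONS = {"firefox.exe": "allow", "nod32krn.exe": "allow"}
FW_RULES = [
    Rule("firefox.exe", "allow", ports=(80, 443)),
    Rule("nod32krn.exe", "allow", ports=(80,)),          # constructed: updater over HTTP only
    Rule("*", "allow", network="192.168.1.0/24"),        # trusted local zone, any app
    Rule("*", "deny"),                                   # explicit default deny
]


def compare(conn: Connection) -> dict:
    """Evaluate one connection attempt under both models."""
    return {
        "hips": hips_allow(HIPS_DECISIONS, conn),
        "firewall": firewall_allow(FW_RULES, conn),
    }


if __name__ == "__main__":
    for c in (
        Connection("firefox.exe", "203.0.113.10", 443),   # normal browsing
        Connection("firefox.exe", "203.0.113.10", 25),    # browser process talking SMTP
        Connection("unknown.exe", "192.168.1.5", 445),    # unknown app, but inside trusted zone
        Connection("unknown.exe", "203.0.113.10", 80),    # unknown app to the internet
    ):
        print(c, compare(c))
```

The second case is the one Stem's remark points at: once a program is marked "allow" in a table that has no notion of ports or addresses, every destination it opens is allowed, so a trusted browser process that has been hijacked into sending mail on port 25 passes the HIPS check and only the rule-based filter stops it. The third case shows the opposite trade-off: a trusted-zone rule admits an unknown program on the LAN that the per-application table would have blocked.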
     
  11. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Hi there again Jo Ann.

    There is no quick solution in computer security if you want to be fully patched. Different people are of different opinions, and if you are not very computer savvy, the more you ask the more confused you will get. But you learn stuff accordingly, so that is good, and after a while the clouds are starting to break slowly. It doesn't necessarily mean that my perfect protection setup will work on your hardware in the same fashion and without an issue, take several opinions that you find to be the most serious into account and try them out. Eventually, you will find out what level of protection fits your online habits and accommodate your companion software. My computer is definitely not 99% patched, not even close. But I realized that I don't really need a Fort Knox, and maybe you will come to the same conclusion as well.

    :thumb:
     
  12. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Wouldn't simply adding Cyberhawk Free and Firefox with NoScript be all that was needed yet? I think Jo Ann already has the bases covered here with Comodo and its Leak Test capabilities and Nod AV with its Antispyware protection, plus being behind a Router Firewall. But if a Behavioral HIPS like CH was added yet along with Firefox and NoScript, I think it would even cover the Outfield. LOL.
     
  13. pvsurfer

    pvsurfer Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    1,618
    Location:
    USA
    I strongly believe in the adage... "if it ain't broke, don't fix it".

    As others have properly pointed out, there is no absolute answer, but if you haven't experienced security breaches or other security issues with your AV & FW (which btw, is the same combo I use on my laptop), I would leave well enough alone. ;)
     
  14. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    IT Rule #1

    BTW, who had that in his sig around here?
     
  15. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,304
    Location:
    Kent. UK by the sea
    Hi, The Seer

    As for your [supernatural insight :eek: ] understanding, well, it is far off. ;)

    I have no need for an eye-candy firewall, as I am using Linux. :D

    Take Care,
    TheQuest :cool:

    PS: Whereby I say I am using Linux, I mean as my Main OS.
     
    Last edited: Mar 7, 2007
  16. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Hello TheQuest:

    Well, if Jo Ann likes it, then it's her preference that counts.

    Regards.
     
  17. beads

    beads Registered Member

    Joined:
    Jun 1, 2005
    Posts:
    49
    All;

    Feel free to correct me if I am wrong... but..

    My take on things is that HIPS really works best in a network of computers type of setting as HIPS is best used to correlate "bad behavior" from a number of machines. Else, you're really adding some heuristic analysis atop A/V.

    I am basing this more on the OWASP project and experience. I haven't really toyed with some of the commercial offerings, particularly those from A/V vendors so my "insight" may be a bit skewed here.

    - beads
     