Firewalls vs. leak tests - inadequate?

Discussion in 'other firewalls' started by mrsteel, Mar 14, 2007.

Thread Status:
Not open for further replies.
  1. mrsteel

    mrsteel Registered Member

    Joined:
    Mar 12, 2007
    Posts:
    19
    Hello.

    After reading tons of pages on firewalls, it seems to me that choosing the best firewall according to its results in leak tests is inadequate. Fighting leak tests should not be the job of the firewall itself but rather of some anti-trojan or other security software, I would say. The plain Windows firewall should be completely sufficient if supplemented by good anti-spy/anti-trojan and anti-virus software installed alongside. Firewalls that are able to pass leak tests successfully are actually a two-in-one solution; they combine a firewall with some sort of anti-trojan techniques. So, this is in theory, back to reality.

    Which freeware programs would you recommend as a good supplement to an average freeware firewall so that the couple would pass the leak tests? The reason I ask is because there are only two freeware firewalls that gain a good score in the leak tests (Comodo and Jetico v1), but each one has its own problems (Comodo is reported as buggy and resource hungry, Jetico v1's development has been stopped and its anti-trojan functionality is limited in some aspects).

    Would e.g. SpywareGuard's, Spyware Terminator's or Spybot S&D's process behaviour monitors do a sufficient job to prevent firewall leak tests from failing?

    Thank you for your opinions,
    Martin.
     
  2. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    I don't completely share your views about firewalls, although what you say has substance.
    Unless you use a HIPS as an anti-everything and, consequently, as an antitrojan, I don't think you can find anything free worth installing around.
    In this case you could use a firewall of your choice + SSM or ProSecurity, or Neoava when it comes out of beta.
    In order to do this you have to be quite skilled, though.

    My view is that Jetico 1.0 plus a paid antitrojan like Boclean represents the best and lightest solution, requiring only limited skill in rigging the firewall. (large number of posts about it here and superb teaching)
    Who cares if Jetico 1.0 is not developed anymore?
    You are going to use the firewall's firewalling abilities, and nothing more, so it does not really require any further development, as long as the internet is like it is now.
     
  3. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    You can disable Comodo's modules Component Control and Application Behaviour, which will result in less memory usage as well as better compatibility with other security software and much fewer popups. Those 2 modules provide mostly anti-leak protection, which you want to replace with other software anyway. By the way, Comodo version 3.0 will include full HIPS, sandbox later as well, so you will not need other security software. You can add some HIPS even to Windows Firewall, which should provide fair protection. AV, AS, etc. will never stop all nasties, so that is why antileak protection or behaviour blockers are better. :)
     
  4. 666

    666 Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    48
    True for a one-way firewall that only blocks unwanted incoming traffic.

    However, most firewalls out there claim they can block undesired outgoing traffic as well, and that makes self-protection against threats from within a part of the firewall itself.

    Anyway, my current favorite combo is Comodo with Hitman Pro*. Hasn't always been so, and it will probably change in the future. Good programs come and go, so brand loyalty is a bad idea.

    * OK, so I'm cheating here. Hitman Pro itself is a combination of anti-malware apps.
     
  5. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    If you're happy with XP's firewall, then you could stick with it and supplement it with a free HIPS such as SSM or ProSecurity - if you feel you have the ability and desire to learn the inherent complexities of those two - or go with something easier such as Process Guard, Cyberhawk or any number of other free alternatives that are available and easy enough to figure out. Just remember the HIPS is nice because it can alert you to zero-day exploits that your antivirus/antitrojan could miss, but it is still up to you to recognize the process as suspicious so that you can stop it from spawning. Also, if you can afford one, I would recommend a NAT router, even an economical one.
     
  6. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Is that Hitman Pro legit?
     
  7. Hipgnosis

    Hipgnosis Registered Member

    Joined:
    Aug 26, 2003
    Posts:
    297
    Location:
    Witness Protection Program
  8. mrsteel

    mrsteel Registered Member

    Joined:
    Mar 12, 2007
    Posts:
    19
    Thank you all for your replies.

    As I've already written, everyone (in the forums) judges firewalls according to their results in the leak tests in the first place, and there are only two freeware firewalls with good results in the tests. I've tried Jetico, but it didn't allow me to configure certain things, and technical reviews of Comodo sound deterring. Thus I was looking for other possibilities.

    I was looking at how e.g. Jetico, Kerio or Windows firewalls work. Also, I've read e.g. the indignant vendor reactions at leak test pages saying that their light-weight firewalls cannot be used separately from their security packages (I think they are right). After that I've had an idea of using a simple firewall (e.g. Jetico v1 with the "process attack" module switched off) combined with a good configurable process security software from another vendor. This is for an explanation.

    Actually, I've got one. But a HW router cannot help against trojans; it blocks only undesired incoming traffic. Moreover, I use a sandbox (VMware) for browsing the internet. However, as I recently found two trojans in my fortress, I feel its fortification has been weak. (The trojans could have got in before I bought the NAT router, or while I was experimenting with firewall settings, I don't know.)

    Do you mean that a process security module (like Jetico's "process attack module" or Comodo's "application behaviour" module) cannot be installed independently from a firewall? I don't see a reason why. If the module monitors the behaviour of all processes, why couldn't it protect the firewall process too?

    Again, thanks for your tips.
    Martin.
     
  9. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    A note: you probably downloaded the trojans, or you're using IE.
    Firewalls have nothing to do with what you open (messenger, browsers etc.).
    You explicitly open the firewall for this traffic.
     
  10. 666

    666 Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    48
    That's like requiring (the software in) a router to stop an outside attacker from sabotaging your software firewall.

    If a one-way firewall is supposed to resist attacks from outside, a two-way firewall should resist attacks from within.
     
  11. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    All true. Also, the trojans could have been brought in via p2p or warez download, but in no way am I accusing you of this. I'm only stating other possibilities. Hey, I've dabbled on the "dark side" before and paid for it, so I'm aware of these things ;) This is where a HIPS might have helped, especially if you had recognized the alerts on the trojans as suspicious-looking processes attempting to launch. Not everyone believes in HIPS, especially one forum member in particular, because you are supposed to trust yourself, or something to that effect, but you could always try it out if you like. You will know soon enough if it's your cup of tea or not.
     
  12. Hipgnosis

    Hipgnosis Registered Member

    Joined:
    Aug 26, 2003
    Posts:
    297
    Location:
    Witness Protection Program

    Not everyone, I will consider leaktests, but they are by no means a deal maker, or breaker, of a firewall (for me). Until recently I was using Kerio 2.1.5 and it would not pass all leaktests, but I still used it. I am currently using Blink Neighborhood Watch and I haven't even performed a single leaktest against it.

    So not all of us place leaktests at the top of the list. :)


    Reason for edit: spelling
     
    Last edited: Mar 14, 2007
  13. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, Hipgnosis

    I agree with you 100% on that.

    Take Care,
    TheQuest :cool:
     
  14. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Ok, just to complete what I and the others said, the outbound protection is to control what can connect, and regarding leak tests and trojans, outbound protection tries to prevent the trojan from communicating too. It does not clean trojans, to be clear.
    The problem is that there are many ways to bypass firewalls (from within your PC), even with anti-leaktest features.

    IMO, it's better to detect the leak tests and prevent them, but it really is not the main criterion for choosing a firewall. It's another criterion. :thumb:
     
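The per-application outbound control described in the post above, as an added example that is not part of any post in this thread: it configures the built-in Windows Firewall to deny outbound traffic by default and to allow only a named program, then lists what is allowed and turns on logging of blocked packets so that a process trying to "phone home" shows up in the log. It uses the NetSecurity PowerShell cmdlets of Windows 8 / Server 2012 and later, not the XP-era firewall discussed in the thread (which had no outbound filtering at all); the browser path and the rule names are assumptions for illustration.

```powershell
# Added example (not from this thread): default-deny outbound with explicit per-program allow rules.
# Run in an elevated PowerShell on Windows 8 / Server 2012 or later (NetSecurity module).
# The program path and rule display names below are assumptions, not values from the thread.

$browser = 'C:\Program Files\Mozilla Firefox\firefox.exe'   # assumed path of the one program allowed out

# 1. Default-deny outbound on all profiles: any program without an explicit allow rule cannot connect.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Allow only the named program, and only on the ports it legitimately needs.
New-NetFirewallRule -DisplayName 'Allow browser web traffic (example)' `
    -Direction Outbound -Program $browser -Protocol TCP -RemotePort 80,443 -Action Allow

# 3. Keep name resolution working for the system resolver service so lookups are not silently blocked.
New-NetFirewallRule -DisplayName 'Allow DNS client (example)' `
    -Direction Outbound -Protocol UDP -RemotePort 53 -Service Dnscache -Action Allow

# 4. Audit: list every enabled outbound allow rule together with the program it applies to.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Select-Object DisplayName, @{ n = 'Program'; e = { ($_ | Get-NetFirewallApplicationFilter).Program } }

# 5. Detection: log dropped packets, so an unexpected process attempting to connect out leaves a trace.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
```

As the post says, this only controls what may connect; it does not clean anything. Its value as a defence is the combination of a small, audited allow list (step 4) and the dropped-packet log (step 5), which is where a blocked outbound attempt by an unknown executable becomes visible. A program that bypasses the firewall from within, for example by riding on an already-allowed process, is exactly the gap the thread's HIPS discussion is about, and this configuration does not close it.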
  15. mrsteel

    mrsteel Registered Member

    Joined:
    Mar 12, 2007
    Posts:
    19
    Well, now I've learned that what I'd been calling anti-trojan techniques, "process attack module" or "application behaviour module", is officially called HIPS. :)
    Now I know what to look for...

    Thanks a lot,
    Martin.
     