firewalls

Discussion in 'other firewalls' started by maddawgz, Feb 14, 2005.

Thread Status:
Not open for further replies.
  1. maddawgz

    maddawgz Registered Member

    Joined:
    Aug 13, 2004
    Posts:
    1,277
    Location:
    Earth
    Hello, I am using Win XP Pro with AVG Free, Giant AntiSpyware, Lavasoft, etc. I use the SP2 firewall but was wondering if there is a set-and-leave type firewall. I liked PC-cillin but it was mucking with my PC... but the firewall was easy to use, set and leave. I hate these pop-up firewalls. Anything out there that's small and easy to use? Thanks, maddawgz
     
  2. Michael_aust

    Michael_aust Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    101
    Location:
    Lancashire (UK)
    I quite like the free Sygate firewall; it seems easier to use. Well, to me it does. It has options to stop all the different messages appearing, etc.
     
  3. maddawgz

    maddawgz Registered Member

    Joined:
    Aug 13, 2004
    Posts:
    1,277
    Location:
    Earth
    Is the Service Pack 2 firewall enough, do you think? Do I really need one? Another question? Thanks in advance, md :rolleyes:
     
  4. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    Some questions I have about current firewalls are these.

    How do you know whether to allow or deny permission to an application? What criteria do you use to judge whether the program is legitimate or a malicious program disguised as a legitimate one?

    So what if you use ZA and 'stealth' your ports. What if IE for instance is changed and although ZA picks it up ultimately YOU have to make a decision whether to allow it or not. How do you know for a certainty that the changed program has not become injected with malicious code? What criteria do you use to make the decision to allow it to run? That it says it's from Microsoft? That it's IE? Do you have a professional understanding of what you're doing or is it just a wild guess, a stab in the dark?

    Given that the majority of users are NOT tech savvy, isn't that a very serious risk? So what good is ZA or any 'stealth' firewall if you make the wrong decision? ZA may know that the program has changed but NOT if it is malicious or not, leaving the user with the dilemma - 'will I run it or not'?
    And that's why people continue to get hacked - because hackers rely on the wrong decisions being made, which they are all too often, compromising a system's security and allowing the hacker to do as he pleases.

    Firewalls are supposed to protect, but the weakest link in the firewall is that it cannot determine whether or not a change in a program is malicious or not & turns the decision over to you. It has no way of verifying beyond the change and that's really not good enough is it?

    With a lot of 'stealth' malware going around we need something more intelligent. Ports that are 'stealthed' still have to be opened to surf, download and access email which is when we are most vulnerable. Even a signature based firewall couldn't detect an 'in the wild' or 'unknown' attack so where does that leave us?

    Your thoughts please.

    Dave
     
  5. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    There are other programs that will tell you if a program has been changed or a change has been attempted, such as ProcessGuard, and the Microsoft AntiSpyware beta will alert you if an attempt is made to change a prog. But running a firewall is a necessity and it is a good idea to do a little studying as to what the firewall is actually capable of. There are several types of firewalls available.

    bigc
     
  6. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    Look 'n' Stop is a very light, commercial firewall; http://www.looknstop.com/En/index2.htm

    Takes up only 1828K Virtual memory on this computer. Install, load the enhanced rule-set and that's it basically.

    You can also play about with the Rules, once you feel experienced with the program and there are no annual fees for this firewall.
     
  7. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    Yes, I am aware of that, but how does one tell if the change is malicious or not? A change in a program may be good or bad, so how does one know? A firewall won't tell you that. It leaves it up to YOU to decide, which is the basic fault of all firewalls. Even ZA can only detect a change but cannot tell you if it had malicious code inserted. You are left to decide that. And if the change was malicious and you decided to allow it to run, you're up the creek even with the best firewall. Unless you're a tech pro, which most people aren't. My basic argument is that current firewalls are useless against the newer generation of 'stealth' malware because it's left up to the user to allow a program that's been changed to run. The firewall, like the user, wouldn't have a clue.

    Dave
     
  8. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    The same with Process Guard. Its major flaw is that the user must approve changes, and the majority of users wouldn't have a clue if malicious code has been inserted or not, so all the protection in the world, even at kernel level, is self-defeating if the user makes the wrong decision.

    Who amongst us knows the difference between an illegitimate IE and the legitimate one? You have to really be a programmer to tell the difference because there is so much tech jargon used that the average user wouldn't have a clue. Malicious code hides and won't announce itself. All we are told is that the program has changed and then we must decide - allow or disallow. Also, many programs can change in a day and the user would have to spend a lot of time investigating to be absolutely sure that he is not allowing access to a malicious file.

    I personally don't feel safe with any firewall because of this and hope that we will see intelligent firewalls which can know what is malicious and what is not after a change to a program.

    Dave
     
  9. herbalist

    herbalist Guest

    Kerio 2.1.5 also alerts to signature changes in applications requesting internet access. In addition to Kerio, I have several apps that watch files for changes and others that detect the appearance of new files/processes, FileChecker and System Safety Monitor, plus others.
    As for the heart of your question, summed up as "How do you know if a change in a file/application is legitimate or malicious code?" There's only a couple ways an application gets modified:
    • It's updated, either manually or by an automatic updater.
    • You installed something that modified it.
    • Someone/something else did that's not one of the above.
    I run all updates manually. None of them are allowed to auto update. This is as much for monitoring changes as anything else. I also use Inctrl5 to monitor all file and registry changes for anything I install, every patch I add, and every updater I run. Doing it this way does give you a lot of data to sort through and is inconvenient, but it is thorough. All changes are documented.
    If an application gets modified at any other time, it's at a minimum, unauthorised, and possibly malicious. Then you have to base your decision on what exactly you were doing at the time and what your other security apps tell you. This is one example of where a process monitoring and controlling program really helps. I rely on System Safety Monitor here. It will tell me if it's an updater component trying to run or something else.
    As for applications like IE6 or Windows Explorer, the only time they should be modified is when you're updating your system. If it happens at any other time, it's likely malicious. For other applications, some automatically look for updates as soon as they start up and don't prompt the user at all. Call Wave, aka internet answering machine, is one such program. One day Kerio alerted me to a change in the application's signature and blocked its internet access. An e-mail to them confirmed that it was an auto-updating component, built into the main executable, that they didn't mention. Lacking such verification, you can also base your decision on what the application is doing, where it's trying to connect to, etc. A good whois like Sam Spade is very valuable at times like this. Track the IP it's trying to connect to and see who it belongs to.
    You can also limit most of this activity with your firewall rules. Many apps have a separate executable for obtaining updates. Others use a different IP to get updates from than the ones they use for their normal functions. If you don't make set rules allowing the updates and your firewall has an "ask me first" setting like Kerio does, you can control and monitor most such updating.
    While most good firewalls do monitor internet applications for signature checking, it's not their primary function. If you take your security seriously, you should use a separate application for this. Javacool's FileChecker works well. System Safety Monitor also does this, and much more. There's another good reason to have this task separated from the firewall. Specific attacks designed to shut down firewalls exist for many of them. If such an attack shuts down your firewall, you also lose all the other functions it provided, file checking in this instance, at a time when you're most liable to need it.
    There is no way to be 100% sure about whether to permit every file change. Some judgement on your part is generally needed. Just use other applications to give you as much info as possible and base your decision on that and what was happening at the time.
    Rick
     
  10. chaos16

    chaos16 Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,004
    Is Look'n'Stop better than ZoneAlarm, Sygate, etc.?
    Coz
    I have been looking at the site and it says it is compatible with Win XP SP2, so it has double the protection, and it is ranked 1 in www.firewallleaktester.com

    But it's not as famous as ZoneAlarm, Sygate nor Kerio. So does that mean it's worse??
     
  11. claire

    claire Guest

    Hi,

    Looknstop with enhanced ruleset is at least as good as the other firewalls :)
     
  12. chaos16

    chaos16 Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,004
    Does Look'n'Stop have more awards than any other, or better reviews??
     
  13. claire

    claire Guest

  14. chaos16

    chaos16 Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,004
    Then I might be considering trying Look'n'Stop?

    The only problem is I am used to using a good firewall like ZoneAlarm, but if you people say Look'n'Stop is maybe the best software firewall there is then I will try it out.

    I just hope it blocks in a better way and blocks more than any other firewall. :D
     
  15. claire

    claire Guest

  16. herbalist

    herbalist Guest

    You'll find there's no connection between an application's popularity and its quality. That's more of a reflection of the company's advertising budget than anything else. Internet Explorer is much more common and famous (or infamous) than Mozilla and FireFox, but it definitely isn't better.
    You'll also find that Kerio 2.1.5 was not tested on that page you linked to. The newer, bloated version was. The 2.1.5 version passes several tests that 4.1.1 doesn't. The results of those tests are also very dependent on your ruleset. I noticed they mentioned running the firewalls at their highest "settings", but make no mention as to whether the default ruleset is used or how it might have been modified for the tests. Those are not conclusive tests. Few if any firewalls come with rulesets that are as tight as they need to be.
    Rick
     
  17. chaos16

    chaos16 Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,004
    So then Look'n'Stop is like Firefox with but in firewall?


    I have seen the features in Look'n'Stop, not so many features compared to other firewalls. Doesn't that mean it's not as good?

    Is it true there are updates daily for Look'n'Stop, not only program updates? And if that is the case, what do the updates do for that firewall?


    Will there be a new version anytime soon for the 2005
     
  18. claire

    claire Guest

    There are no daily updates for looknstop (for no other firewall neither).

    If a new version comes, until now the upgrades are free for registered users :)
     
  19. chaos16

    chaos16 Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,004
    Norton firewall has daily updates.

    But I would like to know this coz I am thinking of changing. So then Look'n'Stop is like Firefox with but in firewall


    I have seen the features in Look'n'Stop, not so many features compared to other firewalls. Doesn't that mean it's not as good
     
  20. MushfiQ

    MushfiQ Registered Member

    Joined:
    Jan 8, 2005
    Posts:
    131
    Hello Claire! May I ask where I can find the Phantom's enhanced rules & configuration? I can't find it... would really appreciate it if anyone can post a link :)

    Cheers
    :cool:
     
  21. herbalist

    herbalist Guest

    That was just an example to show that popularity and quality don't necessarily go together. There's no connection between LooknStop and FireFox. I haven't used LooknStop so I'm not familiar with it.
    You need to base your choice on what's right for your skill level and how well it gets along with the rest of your system/security package. You also need to decide if you want the firewall to just control internet traffic and use something else to monitor applications for changes, etc, or if you want a security package that addresses all the issues. Norton Internet Security and Zone Alarm Pro are examples of packages, performing multiple security functions. Generally speaking, single purpose applications will do a better job than security packages or suites. Assembling your own package of single purpose programs does require more configuring on your part and good application choices to make sure you don't leave gaps which can be exploited.
    An assembly of single purpose programs will generally use less disk space and system resources than the equivalent security suite. A good security suite will likely have most of the gaps covered and require less configuration and detailed knowledge on your part, but will require more disk space and use more of your system resources to do so. Regardless of which way you go, make a system backup before you install anything. That way, if it doesn't get along with something you use or you decide to try something else, it's much easier to get back to where you started.
    Rick
     
  22. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,442
    Location:
    Sky over the Wilders Forest
    WorldCitizen,
    This is a very good question. What I call a real thinking man's question. I have wondered the same and have resolved it myself this way.

    You are correct, a firewall in and of itself is not going to stop a wrong decision; it is only one layer of protection. I believe and I know many users will not learn all what they need to know to make the right decision. This would include me to some degree. However I have tried to learn the program ...exe or what ever it is that each application as it is named as wanting access to the best of my ability. If it is a new or changed one I will proceed with caution. I might even deny access to see what happens, depending on what I am doing on my machine at the time. If what I am doing does not function correctly then the request was very likely legitimate. Also, you may have recently added some MS security updates; well, if for example ZA says it is changed or new, this is very likely OK. You do not need to be a real tech person to figure all of it out. Granted, you are at more risk than a tech person for sure.

    Next, remember you are not alone in your battle. This is why good security software is a must. This is why a separate Anti-Trojan from your AV is a must, this is why Adaware or Spybot or Anti-Spy or TDS or Trojan Hunter.... you see, the list goes on. Someone earlier mentioned System Safety Monitor or something like that (I am not familiar), but see my point: you are not alone, these security apps are all watching, protecting for known behaviors of bad stuff. Pick your defense weapons carefully, keep them up to date, look here at the Wilders and other places like this to keep up to date on what bad stuff is happening and what to watch for. Finally, be careful what you do, where you surf, what you load, so on... use a little common sense. I hope this helps. :doubt:
     
  23. Mr2cents

    Mr2cents Registered Member

    Joined:
    Sep 18, 2004
    Posts:
    497
    Hi chaos16. If you're comfortable using ZoneAlarm, stay with it. ZoneAlarm free is as good as any firewall. If you want a free rule-based firewall, I suggest Kerio 2.1.5. Here is a tutorial by BZ on how to set Kerio 2.1.5 up. click here. Kerio also has a great support forum located Here

    The advantage one has in using Kerio 2.1.5 is one is able to learn to make your own rules at the beginning. You don't have to depend on someone else's ruleset. This can be fun and give you a feeling of accomplishment. I was never comfortable using anyone else's rules. I wanted to know how to make rules myself.

    Look n stop is a great firewall. I tried it out for awhile. However, in my opinion, it doesn't provide any extra protection over either zonealarm free, or kerio 2.1.5. All 3 firewalls passed all the stealth tests at grc.com pcflank.com etc.

    Chaos, you will be the one to have to make the decision. As previously stated, if you're comfortable with ZoneAlarm... stay with ZoneAlarm.

    If you want a good (free) rulebased firewall pick kerio 2.1.5.

    If you want a rulebased firewall with rules already placed for you. Then purchase look n stop for $ 39.00

    (Disclaimer: These are the opinions of Mr2cents only. You have the right to disagree. That's your opinion :D )
     
  24. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    you can take the checksum and ask if it's the same as everyone else's.
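
One way to combine the checksum comparison suggested above with herbalist's rule from earlier in the thread (a change that does not follow a documented manual update is unauthorised), as an added example that is not part of any post. The file names, the one-hour window and the verdict labels are assumptions, and the sample files are constructed stand-ins.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta

def sha256_file(path):
    """Hash a file in chunks so large executables are not read in one go."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def classify(path, baseline, update_log, reference, now, window=timedelta(hours=1)):
    """Decide what a change to `path` most likely is.

    baseline:   {path: sha256} recorded while the system was known good
    update_log: {path: datetime} of updates the user ran by hand
    reference:  {path: set of sha256} reported by other users or the vendor
    """
    current = sha256_file(path)
    if path not in baseline:
        return "new"
    if current == baseline[path]:
        return "unchanged"
    if current in reference.get(path, set()):
        return "matches-reference"      # same checksum as everyone else's
    ran = update_log.get(path)
    if ran is not None and timedelta(0) <= now - ran <= window:
        return "documented-update"      # changed right after a manual update
    return "unauthorised"               # changed at any other time

def demo():
    """Constructed sample: stand-in files in a temp directory, not real programs."""
    now = datetime(2005, 2, 14, 12, 0)  # constructed timestamp
    names = ("browser.exe", "mailer.exe", "answering.exe", "editor.exe")
    with tempfile.TemporaryDirectory() as d:
        paths = {n: os.path.join(d, n) for n in names}
        for p in paths.values():
            with open(p, "wb") as f:
                f.write(b"version 1")
        baseline = {p: sha256_file(p) for p in paths.values()}
        for n in names[:3]:             # three files change on disk
            with open(paths[n], "wb") as f:
                f.write(b"version 2")
        update_log = {paths["browser.exe"]: now - timedelta(minutes=10)}
        reference = {paths["answering.exe"]: {hashlib.sha256(b"version 2").hexdigest()}}
        return {n: classify(p, baseline, update_log, reference, now)
                for n, p in paths.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {verdict}")
```

Only the "unauthorised" verdict needs a human decision; the other changes are explained by the update log or by a matching reference checksum.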
     
  25. claire

    claire Guest

    Hi,

    The enhanced ruleset is included in LooknStop; the Phantom's ruleset is different and can be found here:

    http://www.fluxgfx.com/ssc/showthread.php?t=14

    HTH :)
     