GhostWall and "firewall purpose"

Discussion in 'Other Ghost Security Software' started by Ean, Apr 20, 2006.

Thread Status:
Not open for further replies.
  1. Ean, Registered Member (Joined: Jan 29, 2005; Posts: 23; Location: LA, CA)

    Hello All,

    I have read the tag line with GW pertaining to "other firewalls having forgotten their main purpose" (paraphrased). And I was trying to find out more about what specific features of other firewalls are considered to be "off purpose".

    If you don't want to name the company, fine, but how about the general description of the feature? For example is it the merging of AV with firewall that you find to be objectionable? Or the other "privacy protections" as in Zone Alarm?....those kind of things.

    Could someone tell me more about that or direct me to good source?

    I'm by NO means knowledgeable about the details of security needs, but would like to learn more. I only looked for another firewall because creditable sources seemed to say the Windows firewall did not protect regarding outgoing connections, and that seemed to be doing TOO LITTLE. Yet on this forum you seem to be concerned about other firewalls doing TOO MUCH. So I'm trying to get a better understanding of what you consider to be "just right". :)

    Ean
     
  2. turion, Registered Member (Joined: Apr 5, 2006; Posts: 58)

    Oh god not one of these questions again o_O You obviously don't know much about firewalls or protections.

    I'll try to explain this as clearly as possible. The main purpose of a firewall is to block traffic (incoming). Many tools did that too but got more features added to it which is why Jason thinks those tools lost their main goal.
    Many AV products these days also support spyware detection and some even got parent control functionality (so kids won't be able to see xxx sites or pop ups). As you can see not everyone wants all these extra features in their pc. Everyone/company got their own philosophy. So my question to you is do you think those AV products got off track with all these protections? :D
    Exactly it depends on how you look at it. And of course those companies want to stay in the competition so they probably had to add extra features, but that's another story.

    A feature which is not included in GW but can be found in many AV or firewall products is application control (outbound protection) which allows you to decide whether certain applications can connect to the net or not.
    Jason already explained why he won't add this to GW in this forum so asking him why he is concerned about a firewall doing too much is useless.

    It all comes to what are your needs and how much do you know about protection. I don't think GW is for rookies, I suggest you try a couple of firewalls and play with them. See which one fits you :cool:
     
  3. Ean, Registered Member (Joined: Jan 29, 2005; Posts: 23; Location: LA, CA)

    OK, Turion, well thanks for taking the time for someone as "wacko" as me or as so far inferior to you. :p

    I've got a NAT router, and that came with a Freedom FW (free), presumably to provide some level of what seems to be called "app control/outbound protection". And I have access to a full ZoneAlarm Security Suite (paid subscription), that seems to have all kinds of the features that might be considered "off track" or bloat-ware on this forum.

    My interest here is to hear from knowledgeable people as to their ideas about what is/are the best way(s) to most efficiently and effectively do the protections.

    Jason's slant that things should be efficient, low resources, etc. is particularly appealing. So I'm just trying to learn more.

    So your example of an AV product expanding out to do more functions--if it's just trying for more market money resulting in inefficient MEANS of adding FW or Anti-spy to an AV, then that I would say is "off track". But if there is some good technical reason why if, for example, you already have a program monitoring for AV and then, say, if it was efficient for it to also filter spyware or even firewall functions "as long as it is down there hooked into the data", then that might be a wise thing. It would depend on the nitty-gritty details of the programming, how the computers are organized, ports, sockets, datastreams and all that stuff, as well as what actions need to be done at the lowest system levels to do AV, FW, anti-spy, Reg-defend, or other such functions.

    I know to me (not a total novice BTW, but surely new to security), that it seemed possibly plausible that if you are going to have a firewall already there monitoring things, then it *might* make sense to do the AV right there as well. I'm not saying that as a conclusion, but just that it seemed possible. And I guess I look to a forum such as this to maybe see if people more knowing than I agree, disagree, or can clarify or add to or debunk such ideas. I want to learn more about such things.

    Maybe my thread would be better stated like: "what functions do people think are necessary and what would be the most efficient way to accomplish those?" Totally aside from any business concerns or "market share grabbing" attempts of software manufacturers.
     
  4. turion, Registered Member (Joined: Apr 5, 2006; Posts: 58)

    See even you have your own ideas. You did mention that it would be logical to add AV to a firewall as an example. So everyone has their own philosophy of what should be implemented and what should be left out. Let's take my example with AV, like you said it's wise to add spyware detection to an AV but do I want parent control? No. There are people who don't like tools providing extra features they don't use because it uses resources. Is parent control wise? Maybe, but to me it's off track, and I'm leaving the marketing stuff aside.

    Jason doesn't want to add outbound protection, while you might want it built inside the firewall. He prefers efficiency, low resources, no warning bothering you if a tool tries to connect. Is GW the best solution? No but it does fulfill its main purpose. So you will have to use another tool to protect you from outbound. Or you might want to use an all-in-one tool.

    There is no perfect, or magical solution to protect your networks from stealthy Trojans. The firewall is not as impregnable as one might think.
    A firewall does nothing but to allow/block traffic (whether inbound or outbound).
    The best way to protect your system is to have an up to date AV, spyware scanner, a firewall, don't run servers if it's not necessary, closing certain ports, allow only tools you trust to connect, registry protection tool & common sense. Your NAT router is already sufficient but if you want to run an extra firewall sure why not. :cool:
     
  5. TheQuest, Registered Member (Joined: Jun 9, 2003; Posts: 2,301; Location: Kent. UK by the sea)

    Hi, turion

    It is also not in his [Jason] interest to do so for free because he sells a product that does control outbound protection, Appdefend. :eek:

    Take Care,
    TheQuest :cool:
     
  6. Ean, Registered Member (Joined: Jan 29, 2005; Posts: 23; Location: LA, CA)

    Good point Quest. And is it that architecturally/or technically for some reason it is best to split the functions between GW and AppDefend in that way, or is it just the economics of income streams that make it best that way?

    That's just the example of the type of thing I am wondering.

    I guess turion will always say, "It's up to different opinions." And that is true, but I've always found that if one can LEARN enough about what is forming those opinions, one can possibly start to differentiate better "opinions" than others! ;) ;)
     
  7. turion, Registered Member (Joined: Apr 5, 2006; Posts: 58)

    Ean in this case for a firewall it's not really about technical or architectural reasons why Jason doesn't build application control for GW. Like Quest already said it's in his other tool Appdefend which is not for free. There are lots of firewalls out there which have application control. If Jason didn't want to make money he would have made Appdefend freeware right? (If it was freeware then you should ask the question if it's about technical issues to split them)
    A feature of application control is popups warning you a tool tries to connect.
    Jason mentioned he likes a firewall to sit quietly in the systray without disturbing the user. So this is also a (personal) reason for him to separate them. There are people on this forum begging him to put application control in GW because they are used to having this feature in other firewalls. So to them and maybe to you as well it's an obvious request. But to Jason he's got a financial and personal reason (probably not the most important one) to do this. I doubt you can form a better opinion out of this story but you can always try :D
    I don't think you should be concerned about a wall doing too little or too much. No wall is 100% impregnable cause very skilled hackers can make stealthy trojans to hide their presence. The problem is can security tools (whether having too many features or not) detect new types of stealth trojans. This is an endless battle. That is why the user must have some common sense and should not click on everything he sees.
     
  8. TrueAudio, Registered Member (Joined: Apr 23, 2006; Posts: 2)

    I'll weigh in here,

    Ghostwall is really quite a solid firewall, the best thing about it is its extremely low ram usage, and next to zero processor usage. The KISS principle applies with software as much as many other things irl, (Keep It Simple Stupid). There's WAY too many companies out there that add all kinds of crap in that it tries to promise the holy grail of all-in-one security, and quite frankly, this just isn't possible, and even if it was, wouldn't be the best solution anyways.

    I use an SPI/NAT router (Stateful Packet Inspection, and Network Address Translation--pretty standard, nothing fancy about that), I also use ghostwall for 1) Redundancy, in case somehow, my router was hacked somehow and packets were allowed through it, Ghostwall would be sitting there still blocking the traffic anyways--while this is extremely improbable, security is only enhanced with an "onion" approach, as in layers of protection, and there's no performance hit really, so why not?

    This is not the main reason I use ghostwall even though I have a router however. The main reasons are this: Many times I want to forward a port in my router, forwarding a port makes all traffic through that port completely bypass firewall protection for that port in the router, with Ghostwall, even with a forwarded port, I can still selectively allow ONLY either UDP traffic, or TCP traffic to pass through, AND not only that, but I could also specifically filter any traffic by IP address on top of that, increasing security greatly even WITH a forwarded port. I don't want my machine to be pingable, so all of my "allow" settings are always set to TCP/UDP only and not "all", I don't need ICMP to do anything I need to do on the internet anyways.

    Ghostwall, with its rules based design, can also serve as a mock IP blocker to a very limited degree like protowall of Peerguardian 2, for certain applications, thus saving me ram by not having to run a separate IP blocker **sometimes**. (it will be REALLY nice someday if and when Jason gets the IP blocklist support coded in). If I want to play Halo online, I find out which IP addresses are absolutely required to join a public server, or to create my own, and noticed the only traffic that was required to pass through was UDP traffic to the Gamespy servers. When you play Halo, TCP packets are sent automatically to 2 or 3 different IP addresses at Micro$oft. Now the connection attempts to them are in no way required to play (one is used for updating purposes but you can update the game offline anyways). So Ghostwall blocks all the TCP attempts that I don't want leaving my machine, I also have used this with the game Everquest, allowing ONLY their server IPs which were required to log on and play the game to have access.

    Anyways, a more widespread and important use of a rules based firewall would be for anyone who wishes to set up a VPN server or client on their machine, as VPN requires an open port. You can selectively whitelist traffic that you know is trusted (the client/server that you wish to connect to via VPN), this way, port scans will show that forwarded port as still stealthed, even though it is open on your router, because Ghostwall blocks all other traffic except that which you have specifically permitted via IP.

    Once again my personal opinion as far as what I think should be added is only to get the IP blocklist functionality be implemented, as this still directly serves the purpose of a true firewall. Other things like spyware, malware, AV, etc are all best left to completely separate programs for reasons already stated here by others. One thing about application control: If people were more careful about trying every new program they find on the internet and installing it just to try it out, you wouldn't need application control. Know wtf you're installing on your machine. If you wanna mess around, get another pc and dedicate it as a crash machine and test out programs to your heart's content. There's so much malicious crap out there, and it's getting worse, that I'm really close to switching to Linux (I've used it before, Fedora Core 3, and VectorLinux), as it's inherently immune to all the junk that Bill Gates's piece of crap is vulnerable to.

    One last note on security, don't forget encryption, encrypt ANYTHING that you feel is even remotely sensitive or that you wouldn't want anyone else to see or know about, it's your PC, and your privacy/business. There's a lot of free open source tools out there that you can learn about. Example: what if you have a laptop with important information on it and it gets stolen, or lost somehow? The only thing that's going to protect your data from falling into the wrong hands is encryption.

    I hope I was of some help, be safe out there.
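
An added example, not part of the original thread and not GhostWall's own rule format or code: a minimal first-match rule evaluator showing the kind of filtering TrueAudio describes above, where a forwarded port answers only one whitelisted peer over one protocol and unwanted outbound TCP is dropped. The rule fields, port 1194 and the addresses (documentation ranges) are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "block"
    direction: str                     # "in" or "out"
    proto: str                         # "tcp", "udp", "icmp" or "any"
    remote: str                        # remote network, CIDR notation
    local_port: Optional[int] = None   # None = any local port

    def matches(self, direction, proto, remote_ip, local_port):
        return (self.direction == direction
                and self.proto in ("any", proto)
                and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.remote)
                and self.local_port in (None, local_port))


# Constructed rule set (hypothetical format, documentation-range addresses).
RULES = [
    Rule("allow", "in", "udp", "198.51.100.7/32", 1194),  # the one trusted VPN peer
    Rule("allow", "out", "udp", "203.0.113.0/24"),        # game servers, UDP only
    Rule("block", "out", "tcp", "192.0.2.0/24"),          # unwanted outbound TCP
    Rule("allow", "out", "tcp", "0.0.0.0/0"),             # ordinary outbound TCP
]


def decide(direction, proto, remote_ip, local_port=None, rules=RULES):
    """First matching rule wins; anything left unmatched is dropped."""
    for rule in rules:
        if rule.matches(direction, proto, remote_ip, local_port):
            return rule.action
    return "block"


def run_samples():
    # Constructed packets: (direction, protocol, remote address, local port).
    samples = [
        ("in", "udp", "198.51.100.7", 1194),    # trusted peer on forwarded port
        ("in", "udp", "198.51.100.99", 1194),   # stranger probing the same port
        ("in", "tcp", "198.51.100.7", 1194),    # right peer, wrong protocol
        ("in", "icmp", "198.51.100.7", None),   # ping: no rule allows ICMP
        ("out", "udp", "203.0.113.20", None),   # game traffic
        ("out", "tcp", "192.0.2.15", None),     # blocked before the general allow
    ]
    return [decide(*s) for s in samples]
```

Rule order matters here: if the general outbound TCP allow were placed above the block for 192.0.2.0/24, that traffic would leave the machine.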
     