Good app control / outbound access / low resource FIREWALL ?

Discussion in 'other firewalls' started by halcyon, Nov 7, 2004.

Thread Status:
Not open for further replies.
  1. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    hey you guys... another criterion for good solid app control....
    1. It should be able to control which apps can launch others (present in Kerio, parent-child in SSM I think)
    2. It should monitor OCX components as well (BlackICE does)

    Also, in general, a firewall should have a nice readable logging system...
    one reason why ppl. shy away from Kerio 4x (buggy logs) and ZA (poor logs) and go to Kerio 2 (wonderfully detailed logs).
     
  2. isnogood

    isnogood Registered Member

    Joined:
    Sep 22, 2004
    Posts:
    83
    Location:
    France
    Try Tiny. It has all that: DLL/OCX control, application spawning control between user-defined application groups using parent or child security context, system privileges control like direct memory access, VirtualAllocEx, VirtualProcEx, etc.

    Isnogood
     
  3. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Jetico passed all of the AWFT tests.
     

    Attached file: see.JPG (26 KB)
  4. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    so... to anyone who's used all firewalls mentioned here, can you give us a comparison?
    We're looking at Sygate vs Jetico vs Tiny vs Look 'n' Stop vs Outpost (which the thread starter hates, but I seem to be gravitating towards it, and Jetico's still in beta and I won't say anything more)
    If anyone mentions critical vulnerabilities, it would be extra nice...
     
  5. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    It depends on what the person is wanting in a software firewall. If you're looking for a true application-filtering based software firewall, then I highly doubt Look ‘n’ Stop, 8Signs etc. would be for you; something like Sygate, Kerio, and Outpost… would be worth investigating. However, true application-filtering software firewalls lack in certain areas but are efficient enough; for instance, what they lack is true Stateful Packet Inspection, though some of them are stateful-like. I on the other hand prefer strong & true stateful packet-filtering based software firewalls like CHX-I, which is freeware for personal use, and there are alternatives more suitable for less knowledgeable folks, like 8Signs for instance, which is shareware. The disadvantage of using strong & stateful packet-filtering software firewalls is that they usually don’t contain application-filtering, not even the basic capability Look ‘n’ Stop offers, and the same goes for DLL and OCX module-filtering. And again, I'd rather use a strong & stateful packet-filtering software firewall that offers advanced control for those who are interested in taking advantage of it, with very detailed logging capabilities.

     
  6. isnogood

    isnogood Registered Member

    Joined:
    Sep 22, 2004
    Posts:
    83
    Location:
    France
    Phant0m, I'm interested to know why you consider stateful packet filtering more important than application control. Could you explain? It always seemed to me that this type of firewall, as sophisticated as it is, is good for server-type configurations only. It does not filter your outbound traffic, does it? So it can do nothing if you happen to have a trojan? If you open port 80 for web browsing, a nasty is perfectly allowed to use it directly; it does not even need to cache itself in the browser process. Just wondering, I'm not an expert, so it's just a question ...

    Isnogood
     
  7. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    So halcyon, has ur question been answered, or are u as confused as I am?
    Now I'll have to try 4 firewalls... TPF, Outpost, Sygate, LnS, and pray that none of them screws my system up.
    On another note, I'm also scheduled to undergo Sec.Suite and AV testing, so u know what my head feels like (especially since no one pays me to do this stuff, and my end sems are near)
     
  8. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Any packet-filter has outbound filtering capabilities, but I know what you mean: application-filtering. If you have a Trojan infection, there is no limit to what can be done, damaging or otherwise. Yes, if you have an authorizing rule for initiating connections to remote machines through www-http with no destination IP address specifications or restrictions, application-filtering would be quite useful, but then again… Of all the years I’ve been using software firewalls with application-filtering capabilities, not once did it alert because of a Trojan; in fact I have never had a Trojan infection yet. If common sense is applied, AV and AT systems are properly configured and kept up-to-date, and other security layers are used (wouldn’t hurt), I see no reason for application-filtering except the benefit for privacy issues, software phoning home for instance. Actually, I do use application-filtering software as we speak, alongside my STRONG & STATEFUL packet-filtering software firewall.

    I’m not saying application-filtering should be ignored, just how often do you get Trojan infections that get seen by your software firewall's application-filtering layer? Now think about all the different possibilities there are, occurring on an everyday basis against online users; you don’t have to be doing anything, just being a mere online user exposes you to all kinds of attacks and threats, or mere malformed packets, and only a strong and true stateful packet-filter can deal with these.
     
  9. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    so, Phant0m, what do you recommend we use (name ur firewalls)
     
  10. isnogood

    isnogood Registered Member

    Joined:
    Sep 22, 2004
    Posts:
    83
    Location:
    France
    Thanks Phant0m. I see your point of view. But in fact, all major firewalls out there like TPF, Outpost, L&S and others claim to have stateful inspection. Or perhaps stateful-like as you say. What's the difference? Is it not sufficient in your eyes?

    By the way, I never had a trojan problem in my system either, except when I test my system defense by infecting myself sometimes. It does not mean that I would not protect myself against them. And common sense just tells me to have some outbound application control. Any signature-based AV/AT is not sufficient against more stealthy threats, IMHO.

    Isnogood
     
  11. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Phant0m already did name firewalls, read his post more carefully :p
     
  12. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    I downloaded and installed latest Jetico beta.

    It looks useful enough, although I can't for the life of me find a way to configure application rules, except by trying to use apps and then defining the rules.

    After I've once given a "rule set" to an application, I can't find a way to change it from the Jetico GUI.

    But it is beta, so I'm willing to try it now for some time.

    Thanks for all the suggestions.

    BTW, Jetico main firewall process consumes 14MB of RAM on my system.
     
  13. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    @Halcyon
    When u uninstall it, drop me a line.
    @AJ... Phant0m never explicitly mentioned his firewalls, he merely hints at using CHX-I (actually, "prefers using") ...
    and he never says anything about any other firewalls he uses....
     
  14. isnogood

    isnogood Registered Member

    Joined:
    Sep 22, 2004
    Posts:
    83
    Location:
    France
    Phant0m, being curious I checked the CHX-I stateful packet package from www.idrci.net. Here you have what they say about their product (extracts from FAQ and user manual):

    Well, I believe it may be a good solution for those who run a web/mail server or network, but certainly not for an average user with a single-host internet connection and typical surfing habits. I don't deny some interest in deep stateful inspection of raw IP traffic, but for my personal use I would rather have a less-stateful firewall with full application control than a true-stateful firewall without app control at all.
    We are much more vulnerable to trojan-based threats than to direct attacks from the net. Skilled hackers won't waste time getting into your home machine through a well-configured firewall. They have loads of easier or more valuable targets around. Have you ever been a victim of a direct exploit?

    Isnogood
     
  15. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    According to their What's New list, their Stateful Inspection seems to apply to network and transport layers which doesn't really differ from that of most personal firewalls (which can at least identify whether a packet is part of an outgoing or incoming network connection).
    While the security-conscious are unlikely to get a trojan at all, for most other users it is their firewall alerting them to a strange new application attempting network access which is their first warning. Virtually every trojan needs Internet access to function so firewall application filtering can also catch new or customised trojans that a scanner may miss.
     
  16. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    I apologize, I was in a rush this morning, I was running late for the doctor's.

    Let me make myself clear: I’m not recommending anyone switch from one software firewall to another. And between the two, true application-filtering software firewalls and strong & stateful packet-filtering software firewalls, there are disadvantages on both ends.

    True application-filtering software firewalls work on the application layer; the ones that have an SPI feature base it on that, which makes it "stateful-like" by making rules dynamically according to what allowed apps are doing. The difference between the two is quite great, with a lot of disadvantages compared to a true stateful packet-filtering system that works on the network layer. Besides the security advantages against remotely generated packets, among other advantages, another is that it uses very little system resources and holds its ground, even under the heaviest connection loads and flood packets.

    True application-filtering based software firewalls are significant against basic threats and attacks. There is, however, a much greater world with many forms of attacks and threats that aren’t controllable by a true application-filtering based software firewall.

    My personal taste has always been a rule-based software firewall that contains strong & stateful packet-filtering capabilities, works on the lowest network layer, offers maximum performance while functioning to its capacity, and offers advanced detection and controls against everything, especially in regards to attacks, threats, and malformed packets. With superior detailed logging, I know exactly what is coming and going In and Out of my system, authorized or otherwise, necessary and unnecessary. :)
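To make concrete the distinction isnogood asks about in post 6 and Phant0m describes in posts 8 and 16, here is an added toy model; it is not code from any firewall named in the thread. A network-layer stateful filter tracks connections and drops unsolicited inbound packets but cannot tell which program opened an allowed port, while an application filter keys on the program but has no say over unsolicited inbound traffic. Addresses, program names and rule sets are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Event:
    """One packet as seen by the host firewall (constructed, not captured)."""
    direction: str              # "out" or "in"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False           # True for the packet that opens a TCP connection
    app: Optional[str] = None   # originating program; only known for "out"


@dataclass
class StatefulPacketFilter:
    """Network-layer filter: allows new outbound connections on listed ports,
    then only packets that belong to a connection it has already tracked."""
    allowed_out_ports: set
    table: set = field(default_factory=set)   # tracked (src, sport, dst, dport)

    def decide(self, ev: Event) -> str:
        if ev.direction == "out":
            key = (ev.src_ip, ev.src_port, ev.dst_ip, ev.dst_port)
            if ev.syn and ev.dst_port in self.allowed_out_ports:
                self.table.add(key)           # remember the new connection
                return "allow"
            return "allow" if key in self.table else "drop"
        # inbound: either a reply to a tracked connection, or unsolicited
        key = (ev.dst_ip, ev.dst_port, ev.src_ip, ev.src_port)
        return "allow" if key in self.table else "drop"


@dataclass
class ApplicationFilter:
    """Application-layer filter: decides outbound traffic by program name."""
    rules: set   # {(program, dst_port)} pairs the user has approved

    def decide(self, ev: Event) -> str:
        if ev.direction != "out":
            return "n/a"          # it has no say over unsolicited inbound packets
        return "allow" if (ev.app, ev.dst_port) in self.rules else "prompt"


def run_scenario():
    """Runs constructed events through both filters.

    Returns {label: (packet_filter_verdict, application_filter_verdict)}.
    """
    spf = StatefulPacketFilter(allowed_out_ports={80, 443})
    appf = ApplicationFilter(rules={("browser.exe", 80), ("browser.exe", 443)})
    me, web, stranger = "192.0.2.10", "198.51.100.5", "203.0.113.7"
    events = {
        # 1. the browser opens a web connection and the server replies
        "browser_syn": Event("out", me, 50001, web, 80, syn=True, app="browser.exe"),
        "browser_reply": Event("in", web, 80, me, 50001),
        # 2. an unsolicited inbound probe to a local service port
        "unsolicited_probe": Event("in", stranger, 4444, me, 135, syn=True),
        # 3. an unapproved program uses the same allowed port as the browser:
        #    the port rule alone lets it through, only the app filter notices
        "unknown_app_syn": Event("out", me, 50002, web, 80, syn=True, app="unknown.exe"),
    }
    return {label: (spf.decide(ev), appf.decide(ev)) for label, ev in events.items()}
```

Event 3 is the "open port 80" gap isnogood describes and event 2 is the unsolicited traffic Phant0m says only the stateful filter handles; a real deployment would want both verdicts logged, since each layer is blind to the other's case.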
     
  17. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    One of the reasons I like Outpost Pro so much is its excellent logging. You can even create filters to include/exclude whatever you like. It's very nice...
     
  18. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I've posted on another thread about full stateful inspection vs. application control. Pardon me for being lazy and just linking to it rather than repeating everything, but it is related to the discussion here and my keyboard's wearing out. :D
     
  19. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Anyone seen Tiny's logging? (I like its process control on the face of it... will check out its GUI soon!!!... bidding goodbye to Kerio, temporarily at least, by Tuesday... Anyway, both Tiny and Kerio were/are made by the same guy... he sold off Tiny and then made Kerio)
    Will NOT be using Outpost... will see about LnS vs. Sygate...
    Funny... two years ago, I picked up Kerio over Tiny 'coz Kerio was free... now that I have a router, I'm taking Tiny 6 over Kerio 4 and Kerio 2... never thought THIS could happen.
     
  20. halcyon_temp

    halcyon_temp Guest

    Heh, that Jetico honeymoon didn't last for long :)

    I finally managed to track down the way application rules are edited. Not very intuitive UI, but what the hell, I'm only a usability expert myself, so what do I know :)

    Anyway, I could create rules for most of my apps, but games turned out to be a real problem.

    Starting Desert Combat (free BF1942 mod) would crash both DC and Jetico and take down the whole system with it.

    This was apparently due to Jetico blocking access to the network from DC and asking in a pop-up window whether I wanted to grant access to it.

    However, this window remained under the frontmost DC application and I could NOT switch to it by any means (ESC, ALT-TAB, CTRL-ALT-DEL) or even bring up the task manager.

    The only thing I could do was wait and the situation did not resolve itself nicely, but the machine just hung.

    Pressing hard reset on my machine I'm now in a situation where my user account is corrupted and I can't log into it.

    I'm now writing this from another account in safe mode (the only mode that allows me to log-on).

    So, something got corrupted and I just don't know what it was (BTW, Jetico is no longer installed, but removing it didn't fix the problem).

    So, if you try Jetico, PLAY REALLY SAFE as it can really play havoc on your system.

    You have been warned.

    regards,
    halcyon

    PS If I survive from this without a reboot, it's time to try out L'n'S. I hope it won't be as much of a disappointment as Jetico was (granted Jetico _IS_ beta).
     
  21. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Join the club...
    Halcyon, sorry to hear about Jetico... I myself went to a format after Jetico... similarly with LnS... but GoBack saved my lean skin....
    I'm leaning towards Tiny right now, maybe I'll take Outpost if I like referrer blocking so much...
    If u need simple outbound, Kerio v2 ... App control ... SSM / PG / BlackICE....
    All pretty light.
     
  22. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    Thanks for all the suggestions, I appreciate them. They enable me to be more accurate in my requirements.

    I have now learned the hard way that I need:

    - A tool that is NOT in beta (it _just works_). I cannot beta test on my production machine (maybe on the laptop, but that's another issue).

    - A tool that has application rules AND firewall in one single package (but no more). I already have way too many apps running. I'd rather add one more, rather than an app launch controller and a separate firewall (i.e. application starting controllers like Abtrusion Protector need NOT apply as they are just part of the application start control, not outbound network control. I need more granularity on the app network control level than just "can run"/"can't run").

    As for Jetico, It took me 7 hours of work to get myself where I was before Jetico/DC incompatibility completely hosed my system (ended up doing a 'Repair Windows XP installation' and manually rebuilding network connections, services, settings, etc.) I could have managed it faster, had I not tried to get around by not using Repair Windows XP Installation... (but you never know before you try).

    Now I'm wary of trying L'n'S if people have been able to get their systems to a "reinstallation only cures" state with it. After my Jetico fiasco, I'm not ready for another for at least another two weeks or so.

    I'm adept enough in computers and WinXP, so this should not happen in my book. Besides, actually re-installing my whole work environment takes close to a whole work week to complete.

    So, re-install is not an option for me (even repair can be too much of a nuisance).

    Also, to me L'n'S looks like a one-man effort. Nothing wrong with that, but if the author gets hit by a truck, all paid customers are left with no update path. Further, its app control capabilities look quite rudimentary to me (I know, it's a design choice). Again, I mean no offence against the L'n'S author/users, it's just not for me. I'm sure it's a great firewall for those who need that kind of app.

    As for Kaspersky AH, it looks like it's not much better in outbound access control than Kerio 2.x series:

    http://www.firewallleaktester.com/tests.htm

    So, it's off of the short list. The same applies to Sygate, so I'm not really hot on that either.

    So, to re-iterate, I'm still looking for more input on:

    Which of the following could be most stable, least resource hungry and still with good app control:

    - X-Wall (A-wall)
    - Anything else?

    I'm worried that I may need to add ZAP and Outpost Pro back to the list :(

    Try to think: Kerio 2.1x but with known outbound holes and security bugs fixed. I need nothing more than that. It must be stable like Kerio, fast like Kerio, use little resources like Kerio and provide decent enough app control like Kerio AND it must be tighter in catching outbound access variations (so, better than Kerio 2.x).

    Is there such a beast?

    BTW, For me SPI is the work of a dedicated hardware firewall, which I already run. The aim of a software workstation firewall (IMHO) is to control (mainly outbound) access of applications on the workstation it runs on and it must do it well, hence Kerio 2.x does not pass the test.

    Thanks again for all the help and please let's try to keep this discussion on the lines of:

    Which similar program to replace Kerio 2.x with in order to cure Kerio's outbound holes and security bugs? Software that is stable, fast and low on resources with good app control.

    Let's not make this another generic firewall thread, as there are way too many of those already in this forum.

    So, let's try and stay focused :)

    regards,
    halcyon
     
    Last edited: Nov 14, 2004
  23. Pollmaster

    Pollmaster Guest

    Hmm, is there any theoretical reason why a firewall can't be good at both? That is, it has good application control AND true stateful packet inspection?

    Much of the discussion between you and Phantom seems to imply that it's one or the other.
     
  24. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I just read your entire post halcyon and I did see what you had to say about Look 'n' Stop, but it seems like L 'n' S is exactly what you need. It has the best application control out of all of the firewalls I have seen and you say you do not need full SPI, which Frederic plans to implement later anyway. Look 'n' Stop is the lightest firewall I have ever used. I have used every firewall listed on firewallleaktester.com and if I had to choose one it would be L 'n' S. Personally ATM I am using L 'n' S for its application protection and 8Signs for its firewall, but it seems like L 'n' S would be more than enough for what you want. I highly recommend giving it a try.
     
  25. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Theoretically, application-filtering based software firewalls work on the application layer and everything is based on that; to offer a true stateful packet-filtering system they would be adding, as we know it, another arm and thus possibly be bad if you are very sensitive in regards to system resources. Nearly 2005 and people still expect today’s software to run on a 486/20MHz with 8MB of RAM. And it wouldn’t be too far-fetched to say those developers building application-filtering based software firewalls find it to be quite less of a hassle, pretty much touch and go, because it offers basic packet-filtering functionality. Offering a strong & stateful packet-filtering system would mean extra work for the ignorant users who would be more than eager to ditch something after a minute of install and encountering minor setup difficulties. Users want ease; they want to be capable of interpreting something without the need to think, and of course this means low quality packet-filtering capabilities, like application-filtering based software firewalls, a dreamer's choice, convenient, no mind meld necessary and a set-and-forget type of thing.

    Look ‘n’ Stop application-filtering: its implementation is different but you can say it's efficient enough; besides, it has good leak coverage compared to some of the others. Its packet-filtering system on the other hand lacks a great deal, that is why I only use Look ‘n’ Stop for its application-filtering, alongside my strong & stateful packet-filtering systems. And because there is so much fuss about mere leaktests (so far), only the application-filtering layer is being attended to. Actually you can download Look ‘n’ Stop Lite, which is freeware that includes only the packet-filtering system; the only thing you actually do pay for in the personal version is mainly application-filtering. And how I see it, if you have to pay mainly for the application-filtering capabilities, you should be allowed to use it alone alongside maintained packet-filtering systems.

    Anyway, as everyone always says, that’s my 2 cents worth…


     