How to choose a firewall - cookbook

Discussion in 'other firewalls' started by mrsteel, Dec 11, 2007.

Thread Status:
Not open for further replies.
  1. mrsteel

    mrsteel Registered Member

    Joined:
    Mar 12, 2007
    Posts:
    19
    Hello all!

    My original intention was to choose and install a good and secure firewall, and to spend as little time as possible on this. In no way did I want to become a "security expert"; I wanted to return to my other work as early as possible. But this intention turned out to be much harder to realize than I would have wished.

    Sure, there is a lot of info on the internet, but a newcomer gets easily lost in it. The information sources are incomplete, often tendentious, and contradict each other. However, the biggest obstacle I met was that at the beginning I wasn't able to distinguish between relevant and subsidiary information, and to tell which firewall features are relevant *to me*.

    After having to study tons of documents and opinions on these topics in order to make an "informed decision", I decided to help others in the same situation, and created a cookbook (below in this thread).

    In the cookbook I summarized the knowledge and experience I gained that helped me orient myself in this area. In no way did I mean to give advice on *which* firewall to choose, but instead on what to consider when making the choice. Specifically, you won't find any particular firewall product name in the cookbook - if you're looking for such advice, search the forums for other users' opinions. Though I began to write the cookbook with a focus on firewalls, I had to add sections on malware in general in order to set it into a meaningful context.

    I publish the cookbook with hope that others will correct and supplement it, and in the discussion eventually create a thread worth mentioning in the forum sticky posts.

    Martin.
     
  2. mrsteel

    mrsteel Registered Member

    Joined:
    Mar 12, 2007
    Posts:
    19
    This post aims to give some useful info on *how* to choose a firewall that fits your needs. It completely omits the question *which* firewall.

    A good firewall intro from the *which* perspective is e.g. https://www.wilderssecurity.com/showthread.php?p=809711#post809711.
    A very good list of links to other more or less technical info on firewalls can be found e.g. here: https://www.wilderssecurity.com/showthread.php?t=24415.


    You wouldn't need a firewall if there were no malware and no bad guys who create it. But answering the question "which firewall to choose" cannot be separated from the question "how to secure the whole computer". The firewall is only one piece of the security setup you should run on your system.


    Why fear malware?
    =================
    It can reduce the stability or usability of your computer.
    It can destroy or steal valuable data from your computer.
    It can monitor your activities and steal sensitive information you enter (like passwords, credit card numbers etc.).
    It can bother you with unwanted pop-ups and advertisements.
    It can misuse your computer for performing criminal activities.


    What to do to prevent malware?
    ==============================
    Always have your system up-to-date (automatic Windows Update turned on).
    Install malware prevention, detection and removal software (see below).
    Minimize risky activities:
    - do not browse dangerous sites like cracks and porn
    - do not download and execute programs from untrusted sources
    - do not run executables sent to you by e-mail
    - do not use P2P networks like BitTorrent
    - .........

    The less you follow these rules, the more anti-malware software protection you need.

    Whatever security software you decide to use, never expect 100% protection! Malware evolves, new security holes are uncovered in the system and other software, and the programmers are only human. Therefore, always back-up all your valuable data!


    What security software is for you?
    ==================================
    There are complete security suites out there that cover all aspects of security you might need. Depending on the particular product, it may be enough to install one of them and that's it.
    And there are security products that cover only some security areas, but do this well. These products can be combined together and configured to form a more secure solution than any out-of-the-box security package offers. And even for free. But you won't succeed in this without having a good level of knowledge, because this task is neither simple nor straightforward.

    Another aspect to consider is how technically advanced the users of your computer are. At times, the security software may ask the users whether to allow or disallow certain suspicious computer activity. Incorrect answers might compromise the computer's security, or reduce its stability (e.g. part of the system might stop functioning). Even when you in person are able to answer the questions correctly, the other users may not. If any of the users would always answer "yes" without understanding the questions at all, it may be better to use less sophisticated security software.


    What kinds of security software are available?
    ==============================================
    Nowadays, there are four main malware protection software categories:
    - Firewalls
    - Sandboxes
    - Pattern based protection (anti-viruses, anti-spyware,...)
    - Behaviour monitoring based protection (HIPS: anti-trojans, anti-rootkits, anti-keyhookers,...)
    All these categories are complementary, that is, they can be combined together to create stronger protection against malware. But it's not surprising that real security programs usually don't fit into a single category.

    For a full overview of the categories see e.g. http://wiki.castlecops.com/Different_classes_of_security_software

    General rules for combining various security pieces together:
    - The less they overlap in functionality, the better.
    - There should be no known conflicts between them.
    - .....


    How much security software is enough?
    =====================================
    It depends on
    - how risky a user you are - and not only you, but also the other users of your computer.
    - how much you can lose if your data are destroyed or stolen.
    You should know that installing too much security software can negatively affect the performance and stability of your computer - because individual security components could clash.
    On the other hand, you should know that the *only* way to reach 100% security is to disconnect from the internet altogether. Thus your security settings will *always* be a compromise between security and usability. Hence, you are the only one who can tell what level of compromise is still acceptable to you.

    - If your computer is used only for office work with occasional internet browsing to read newspapers etc., an anti-virus and a pre-configured firewall might be enough. But in this case, your computer is surely full of valuable data, so have backup software configured to regularly back them up (off your computer)!

    - If you perform risky activities, or when you're paranoid, you should add other security layers (like HIPS) and use more advanced (i.e. more configurable) security components. But this usually can't be done without a price. Now and then, the additional security components ask you (and also the other users of your computer) about something, and you have to know what to answer. Or they may require you to follow a special discipline (like sandboxes).

    - If you have specific requirements, see below.


    What kind of firewall is for you?
    =================================
    Inbound FW
    ----------
    Everyone connected to internet needs an "inbound" firewall to filter out traffic coming from outside. Without "inbound" firewall you'll probably get infected by malware in several minutes, even without starting your web browser at all!

    However, you don't need to look for such a firewall if either:
    - your computer is behind a HW router
    - you've got Windows XP/Vista installed and did not tamper with their default settings.
    In these cases you're protected by an inbound firewall already.

    An inbound FW cannot protect you from getting infected when using the internet (e.g. when using a web browser); this is a task for your sandbox, HIPS and anti-virus.

    If you're not interested in learning more and you are not a "risky" user (for risky activities see above), you probably could stick with this kind of firewall.

    Outbound FW
    -----------
    An outbound FW allows you to control access to the internet on a per-application basis. It is used both to prevent known applications running on your computer from accessing the internet (sometimes people have such a need), and to prevent unknown applications (malware) from doing so. If malware - despite your anti-virus and HIPS - succeeds in getting executed on your computer, the outbound FW is the last resort that prevents it from sending your precious data to malicious sites, or from downloading other malware onto your computer.

    You yourself must decide whether you need an outbound firewall. But if you think you don't need it, it's probably because you don't have enough fancy to imagine what harm malware can do to you.

    Using an outbound FW has a negative side - to be of any use, it must be configured first, which is time-consuming work and for experts only. Therefore, if you have no special requirements, choose a firewall whose creators maintain a "whitelist" of known "secure" applications - it will save you a lot of configuration work, time and annoying pop-ups.

    If you decide to configure it yourself, keep in mind that there are many more applications which ask for internet access than those that really need it.

    HIPS protection
    ---------------
    Malware authors are aware of anti-malware programs, and try to find ways to get past them. An outbound FW alone is not an obstacle for malware that has already succeeded in sneaking into your computer. There are many ways it can get around the FW - these are the infamous firewall leaks. With respect to firewalls, HIPS programs are meant to prevent firewalls from being cheated.

    If you want the best protection, you definitely need to install some HIPS program. But HIPS programs are usually very demanding on qualified user response. This can be reduced if the HIPS program creators maintain a whitelist of secure applications, and/or if the HIPS program uses some expert-based logic of what behavior is still acceptable, and when the behavior begins to be suspicious.

    If you decide to configure your HIPS program yourself, be prepared that every Windows, anti-virus or other program update will start a little avalanche of pop-ups asking you what to do. But as these pop-ups won't occur immediately, not only you but all users of your computer need to be qualified enough to give correct answers.

    Differences between firewall products
    -------------------------------------
    - Price
    - Vendor and community support
    - Ease of administration and usage (automation of initial setting, whitelists, number of pop-ups,...)
    - What features they have in addition to the classical firewall (e.g. various degrees of HIPS, whitelists,...)
    - Performance and amount of used resources (especially when using IM, P2P,...)
    - .....


    Other popular topics
    ====================
    What firewall is, and what it is not
    ------------------------------------
    People often argue on firewall features, while by "firewall" they understand different things. There are two main meanings of the "firewall" notion.
    A "classical firewall" is just a smart packet filter, see e.g. http://wiki.castlecops.com/.
    An "ideal firewall" in addition protects itself from being disabled and/or cheated, see e.g. http://www.matousec.com/ (section "Design of an ideal firewall").
    Real firewall products lie somewhere in between.


    Leaktests
    ---------
    Leaktests reveal known security holes in security settings, mainly with respect to firewalls. See e.g. http://www.firewallleaktester.com/, http://www.matousec.com/. Individual security components need not be leak-proof, it is the whole security setting that should be - because the individual components need to cooperate to resist the threat caused by leak tests.

    Leaktests themselves are not controversial - it's the interpretation of their testing results. Some e.g. compare firewalls with HIPS to firewalls without HIPS and conclude that the first are better, which is misleading. And even when they do not make such a claim explicitly, their published results have great marketing value for those firewalls that scored well in leaktests.

    When choosing a firewall of your own, only leaktests of complete out-of-the-box security suites are of any practical value. In other cases you should ignore the leaktest results altogether, and focus on other criteria like ease of use, configurability etc. When you finish building your own security setup, *then* you may try to check how well it scores in the leaktests.

    Why do some people not care about leaktests?
    --------------------------------------------
    This may be because either:
    - They don't consider themselves to be risky users. In this case they use their outbound firewall only to control application access to the network, not to protect them from malware. Because of this, there is no need of HIPS for them.
    - Individual leaktests are not equally serious. Some of them are not likely to be misused by malware. In this case, it is important in which leaktests the security setting fails, not in how many.
    - They believe that malware rarely uses any sophisticated techniques to sneak in and perform its tasks - because there is such a number of unprotected computers available that malware creators don't bother to overcome the protections. I doubt this opinion is substantiated in any way.
    - They don't need to be protected, it's enough for them to FEEL protected.


    Closed and stealthed ports
    -------------------------
    When a port is closed, no one can get in from outside, but the computer replies "this port is closed". For stealthed ports, the computer does not even reply. When most of your ports are stealthed, a potential attacker wouldn't know your computer is connected to the network, and thus wouldn't try to scan for open ports to get in through them. But there's a catch - it's usually not a good idea to stealth port 113, which effectively results in completely revealing your computer and thus almost defeats the purpose of port stealthing. Different people have different opinions on the security value of port stealthing.

    SPI
    ---
    Stateful Packet Inspection is just an advanced way of controlling inbound communication. It makes it possible to expose communication ports only at the times they are needed, and this way it improves protection against port-scanning.


    Edit: Added section on port stealthing.
     
    Last edited: Dec 12, 2007
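The following is an added illustration of the terms used in the cookbook above (inbound vs. outbound control, "closed" vs. "stealthed" ports, SPI, application whitelists); it is not code from the post or from any firewall product. It is a toy packet filter in Python: the packet model, the host and attacker addresses, the port numbers and the application names are all constructed for the example, and treating ident/113 as "always answered" is one way to model the cookbook's remark about port 113, not a rule any product is known to implement this way.

```python
# Toy stateful packet filter (added example, not from any firewall product).
# Models three ideas from the cookbook:
#  - inbound policy: "closed" (answer with RST/ICMP unreachable) vs. "stealth" (drop silently)
#  - SPI: unsolicited inbound packets are dropped, replies to flows this host opened get in
#  - per-application outbound control with a whitelist ("ASK" stands for the pop-up)
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# (proto, local_ip, local_port, remote_ip, remote_port)
Flow = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    direction: str             # "in" (from the network) or "out" (from this host)
    proto: str                 # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False          # TCP SYN without ACK, i.e. a new connection attempt
    app: Optional[str] = None  # originating application (outbound packets only)


class StatefulFirewall:
    """Decisions: ACCEPT, DROP (silent, 'stealth'), REJECT ('closed'), ASK (pop-up)."""

    def __init__(self, inbound_mode: str = "stealth",
                 listening_ports: Iterable[int] = (),
                 reject_ports: Iterable[int] = (),
                 app_whitelist: Iterable[str] = ()):
        assert inbound_mode in ("stealth", "closed")
        self.inbound_mode = inbound_mode
        self.listening_ports = set(listening_ports)  # services deliberately exposed
        self.reject_ports = set(reject_ports)        # always answered, even in stealth mode (e.g. ident/113)
        self.app_whitelist = set(app_whitelist)      # programs allowed out without asking
        self.conns: Set[Flow] = set()                # SPI state table: flows this host opened

    def filter(self, pkt: Packet) -> str:
        return self._outbound(pkt) if pkt.direction == "out" else self._inbound(pkt)

    def _outbound(self, pkt: Packet) -> str:
        # Per-application outbound control: an unknown program triggers a pop-up.
        if pkt.app not in self.app_whitelist:
            return "ASK"
        self.conns.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "ACCEPT"

    def _inbound(self, pkt: Packet) -> str:
        flow = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # SPI: a reply to a connection we opened is let in whatever the port.
        if flow in self.conns:
            return "ACCEPT"
        # A TCP packet that is neither a reply nor a new connection (stray ACK,
        # ACK/FIN scan) matches no state and is silently dropped.
        if pkt.proto == "tcp" and not pkt.syn:
            return "DROP"
        # An explicitly exposed service accepts new connections.
        if pkt.dport in self.listening_ports:
            return "ACCEPT"
        # Unsolicited traffic: "closed" tells the sender, "stealth" stays silent.
        if pkt.dport in self.reject_ports or self.inbound_mode == "closed":
            return "REJECT"
        return "DROP"


def what_a_scanner_sees(fw: StatefulFirewall, ports: Iterable[int]) -> Dict[int, str]:
    """Simulate a SYN scan from a constructed attacker address 198.51.100.7."""
    return {p: fw.filter(Packet("in", "tcp", "198.51.100.7", 40000 + p, "10.0.0.5", p, syn=True))
            for p in ports}


def demo() -> Tuple[str, str, str, Dict[int, str]]:
    """Walk through the cookbook's scenarios on a stealthed host 10.0.0.5."""
    fw = StatefulFirewall(inbound_mode="stealth", reject_ports={113},
                          app_whitelist={"firefox.exe"})
    # whitelisted browser opens a connection to a web server (constructed address)
    out = fw.filter(Packet("out", "tcp", "10.0.0.5", 51000, "93.184.216.34", 80,
                           syn=True, app="firefox.exe"))
    # the server's SYN/ACK comes back: SPI recognises the flow and lets it in
    reply = fw.filter(Packet("in", "tcp", "93.184.216.34", 80, "10.0.0.5", 51000))
    # an unknown program (constructed name) tries to phone home: pop-up
    unknown = fw.filter(Packet("out", "tcp", "10.0.0.5", 51001, "203.0.113.9", 6667,
                               syn=True, app="dropper.exe"))
    scan = what_a_scanner_sees(fw, [22, 113, 445])
    return out, reply, unknown, scan


if __name__ == "__main__":
    print(demo())
</test>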
  3. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    "Why do some people not care about leaktests?"

    This section I think is poorly written and shows your bias (particularly your last reason). Clearly you are in the group that values leak tests.

    I'm on the fence about it, but let me state what I think is the main reason why people (and many are very very competent indeed who feel that way) who don't feel leak tests are important.

    People who think that once malware hits your computer and it is executed it is too late. Either because they can do worse things like wipe out your hard-disk, or because no matter what you do, they will be able to bypass your system (particularly if in admin mode).

    These are generally in the group of people who don't feel that outbound filtering is valuable of course and almost always those who don't believe in software firewalls.
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,

    You wrote:

    - do not browse dangerous sites like cracks and porn
    - do not use P2P networks like Bit Torrent

    I say:

    - what's wrong with a bit of nudity?
    - p2p networks are a completely legitimate way of transferring legitimate content, including Linux distributions, and are not more inherently dangerous or illegal than cars. Plus, lots of old, forgotten and "foreign" (non-English) stuff can only be obtained through p2p, like Hungarian or Czech movies.

    Mrk
     
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,

    If I can help with the firewall cookbook:

    1. Absolute stability - 0 crashes
    2. Low impact on resources
    3. Low impact on traffic & ability to handle massive traffic
    4. Good integration into combined setups (several comps, NAT etc)
    5. Ability to control inbound (first), outbound (second) - app / port based
    6. Should close / stealth ports by default
    7. Be easy to use

    I have found the following firewalls to meet the requirements:

    Win: Sygate, Kerio 2.1.5, Windows firewall
    Linux: iptables with / without frontend (Firestarter)

    Mrk
     
  6. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Mrk, Comodo v3, as soon as it passes the test of time (proven stability, no CPU etc), meets your requirements. Don't install Defense+ and it's like Kerio 2.1.5 is back, with the extra separation of Global Rules from Application rules.

    On topic, i think a firewall that needs no learning is the one built in since SP2. It's just SPI in front of you, allowing everything out, blocking unsolicited in (hopefully).

    All others that ask questions need something more, even if little more.
     
  7. FadeAway

    FadeAway Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    270
    Location:
    USA
    Based on my experience, several statements you make appear to be incorrect or simply your opinion. For example:

    "You yourself must decide whether you need an outbound firewall. But if you think you don't need it, it's probably because you don't have enough fancy to imagine what harm malware can do to you."

    I don't use outbound firewalls, I use IDS and HIPS instead. The last malware infection I got that actually executed was in 1998.

    "Using outbound FW has a negative side - to be of any use, it must be configured first, which is a time-consuming work and for experts only."

    ZoneAlarm is an inbound/outbound firewall, generally considered as easy to use for beginners.

    "If you decide to configure your HIPS program yourself, be prepared that every Windows, anti-virus or any other program update will start a little avalanche of pop-ups asking you what to do."

    I don't see anything but the now and then rare pop-up.


    I wonder how much of your cookbook is based on your actual experience, as opposed to simply what you have read on the Internet?
     
  8. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    Great work mrsteel! :eek: :D An excellent explanation!

    Naturally this being Wilders, people will start a debate and criticise. This isn't a bad thing as it will make your work even better.
     
  9. danny9

    danny9 Departed Friend

    Joined:
    Feb 18, 2004
    Posts:
    678
    Location:
    Clinton Twp. Mi
    I have to agree. Thanks mrsteel!:)
     
  10. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    This one I kind of agree with. Of course, what counts as a lot of popups and a little depends on one's tolerance for them, but even if we talked about absolute figures like x popups a week or something it would depend on

    * Whether the HIPS has features that reduce popups via features like whitelists (based on digital signatures or not), learning modes
    * How many applications used, how often the user changes his setup, whether he uses unconventional apps (that might not be recognised by whitelists) etc..
    * Whether one starts counting before or after training mode

    As an aside I think the piece is not too bad.

    In works such as this, one should strive to be as balanced as possible, and state all viewpoints as fairly as possible when there is a genuine disagreement among experts. This is important particularly when the author himself has a strong opinion in one direction or another.

    I think the work is generally quite well nuanced, except with respect to the issue of leaktests and outbound filtering where it seems the piece gets emotional. It's quite jarring really.
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Nice effort, but your personal opinion shines through too much. Increase the effectiveness and reduce the personal opinion, in particular in this section.

    Would you please add as a reason:
    - Because they focus on preventing intrusion. What is the sense of putting all your money on a defense which prevents the thief from running away. I rather focus on preventing the theft.


    Applying this logic with this prejudice, I can use the same (questionable) arguments. "I can not understand why people are not using a sandbox (when running as Admin) or are not running as a limited user". Okay, inbound protection is number one, but sandboxing/LUA is a higher priority than an outbound software FW. Policy sandboxing is like posting a guard before the doors of your OS that really matter, running as Limited User is like replacing the doors with a wall. Using an outbound FW is like a guard standing at the exit of a school with all the kids storming out of school. The poor guard has to discover who is allowed to exit and who is not.

    Sandbox/Limited User for a steady-state PC; when installing software you would like to have a classical HIPS (good when you are an expert), behavioral HIPS (better when you are an average skilled PC user like me), or a Virtual Environment with install monitor (perfect when you can interpret all this). This should also have priority over an outbound firewall, because these are the moments of truth in your security set up.

    Regards Kees
     
    Last edited: Dec 16, 2007
  12. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,442
    Location:
    Sky over the Wilders Forest
    Keep in mind he is giving advice on how to avoid malware as it relates to FW topic. He is not giving moral advice.
     
  13. Dogbiscuit

    Dogbiscuit Guest

    Probably not much in the proper context, unless you're a religious fundamentalist.

    Habitually watching porn is most often a sign of a sex addiction. If someone's computer security then takes into consideration their watching porn, well there's another clue.
     
  14. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    All I was saying - no need to treat a certain portion of Internet as "bad." It's no different from any other portion - save the content.
    Mrk
     
  15. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    No need to insist on advertising your opinion of morality, which is completely irrelevant in a thread discussing computer security.
     
  16. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    You've pretty much said it, so I'll save myself the trouble.

    People who insist that omitting outbound protection means omitting protection are just plain silly; they remind me of those who keep crying that antivirus software is necessary. Both groups are people who haven't been educated about more effective means of PC security, and yet decide to label those who have as foolish about their own online safety.
     
  17. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,

    It is very much relevant. Security begins with reason and understanding.

    Saying that p2p / pron are bad is nothing but opinion of morality - or lack of knowledge.

    P2P is a LEGITIMATE way of transport - just like cars. If someone uses them to download / upload copyrighted material of any sort, that's their private problem.

    It does not turn software / protocols into bad - no matter what the MPAA and RIAA try to sell you with false fear-mongering along the line of - if you use p2p, you'll get infected. Completely baseless and untrue.

    Regarding porn:

    Just another avenue of the web, no different than any other. It is no more or less dangerous than any other site. Again, fear-mongering / morality to keep you away from perfectly normal part of the reality of the web.

    Keeping away from either won't make you any safer - the understanding whether you should use these or not - might.

    Mrk
     
  18. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    In other words "anything goes" as long as you are safe?
     
  19. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Or it's bad from a computer security standpoint because they're most often sources of infection, and should be avoided to stay safe.

    The same reason weedkillers aren't bad, but shouldn't be allowed near toddlers.
     
  20. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    Look at least he didn't go with the a PC magazine approach in his explanation.
    i.e. a bland, non-controversial, not opinion provoking explanation and recommendation of symantec etc.

    Also he posted this to the worst possible audience:- security professionals. Obviously he needs to specify his intended audience, novices or similar. If you criticise say antivir programs saying there are better security programs, a novice user is unlikely to use a full blown HIPS and ISR solution. They are not paranoid.
     
  21. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Why not?

    Computer security is not a single-faceted science. There are many people who stay infection-free even without any security software. Other solutions obviously work, and deriding people for only chasing after an illusion of security instead of real security just because they do not employ your protection method of choice is just plain foolish.
     
  22. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Limiting his audience to novices does not excuse posting misleading allegations. I do not suggest that he recommend advanced solutions to novices, but alleging that not using firewall outbound control means that the user has only an illusion of security is completely inaccurate and short-sighted.
     
  23. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,

    Then the Internet itself is bad, because it IS THE source of all infections ... Or you could claim that browsers are bad, for the same reason.

    You can get bad files as easily going to a site as through p2p downloads. No difference. Avoiding X or Y has no meaning.

    If you're looking for infections you'll find them in your downloads, if not, you won't. As simple as that. In my hundreds of GB of p2p, I have never ever downloaded anything malicious. The same goes for the adult sites.

    That does not mean you cannot find trouble. But it's not lurking for you like some vampire. P2P / adult sites / anything are just the reflection of the users.

    Mrk
     
  24. FadeAway

    FadeAway Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    270
    Location:
    USA
    Not that I am any expert, but I see this piece as having been written by a well-intentioned, but inexperienced computer user. It is based on limited knowledge and opinion, which has resulted in both flawed logic, and inaccurate statements. To allow it to stand uncriticized would be a disservice to the forum and the writer.
     
  25. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Yes, we all know that your personal unsubstantiated anecdotal evidence fairly represents the entirety of the internet at large. Of course, you can go ahead and claim that fake porn codecs, fake email attachments claiming to be porn, fake cracks/warez etc are all figments of Joe Paranoid's imagination, and I will be unable to refute you, because it's impossible to refute irrationality by using logic.

    Irrationality ftw. Browse reputable sites like cnet, CNN, Yahoo etc, and I guarantee you will never get an infection through those parts of the internet or your browser. Not the whole of the internet is bad for computer security, only certain parts of it. And while every once in a while you may get compromised through a trusted site, that's the very rare exception, rather than the rule.

    True, it's equally easy. But not equally likely, and that's the whole point. You seem bent on ignoring this fact. What's more likely to result in an accident, giving a toddler a cup of weedkiller, or a cup of water?
     