Multiple Firewalls?

Discussion in 'other firewalls' started by Kas, Mar 30, 2009.

Thread Status:
Not open for further replies.
  1. Kas

    Kas Registered Member

    Joined:
    Sep 29, 2008
    Posts:
    147
    Location:
    Bedfordshire - Rip-Off Britain
    I have read much of the posting re. firewalls and came across a series of posts on this Forum about GHOSTWALL. The posts dealing with this firewall were very complimentary and said many nice things. It looked highly impressive so I would like to try it.

    I have Windows XP Home, SP3, IE7, OE6. My firewall is COMODO IS which is a very good "professional" type of firewall, the free edition of course. I will not dump it, since it is very comprehensive, also includes an anti-virus and defense + features.

    So, a QUESTION ?
    ===
    In engineering successive filters in series are a standard means of ultra-cleaning any fluid, be it air, gases, water, oils etc etc. including electric current and just about every other substance on Earth.

    THEN - WHY SHOULD RUNNING TWO FIREWALLS OR MORE IN SERIES BE IN ANY WAY DETRIMENTAL, OR POSE ANY TECHNICAL PROBLEMS ?
    GHOSTWALL + COMODO IS ?
    =====

    I know that SECURITY is an indeterminate commodity and you only get what you pay for. But it is also relative and subject to the law of diminishing returns.

    Example - Security at Fort Knox involving a Marines battalion, Special Forces and an astronomic high-tech profile costs $Billions and is 99.999% successful. Security at my home costs little - food for my huge Alsatian dog and ammunition for that old Chinese AK47 - result 99.99%. Not bad eh ?

    Hence there is nothing wrong with using FREEBIES, why pay more ?

    I would like to add a million thanks to CaixFang for all the extremely comprehensive help given to me on other matters I have raised. Truly amazing !
    KAS
     
  2. Mem

    Mem Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    292
    Because the firewalls are not running in series - they are competing at the same time and same point in the network interface to do the same action. If you took all your engineering filters and mashed them together (not in series) they would leave some spaces where particles would get around the smallest filter size...
     
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Unlike physical filtering devices, there's no way to be certain that you are truly connecting them in series. There's also a big difference in how they function. An internet firewall either allows a specific traffic or it blocks it. How well it does this is solely dependent on the rules it enforces. There is nothing gained by adding another software firewall, but there is much to lose. Two firewalls trying to filter the same traffic can interact and cause all kinds of unexpected problems. Even if they get along, you're still using up resources, disk space and processor time and getting nothing in return. If those firewalls contain kernel level components, 2 can cause conflicts at a kernel level, resulting in BSODs, system lockups, and similar behaviors. You'll get much better results learning to tighten the firewall you like and taking full control over the traffic in and out of your system.

    If you really want 2 firewalls, use one hardware and one software firewall.
     
  4. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Generally this is a very bad idea. But I see no reason why you couldn't try, having good backup software :)

    This is a two edge coin. From one side you can get the troubles you didn't expect to. From the other side the only valuable and true experience is experience you get as a result of your own mistakes. With "others" experience you can never be as confident as with your own one.
     
    Last edited: Mar 30, 2009
  5. Kas

    Kas Registered Member

    Joined:
    Sep 29, 2008
    Posts:
    147
    Location:
    Bedfordshire - Rip-Off Britain
    ===
    Nice one Mem. In parallel eh? Can't mash them up - they have to be one or the other, in series or parallel. So the flow either all goes through ONE, which is what I have now, or it disproportionately divides between the TWO.

    That means, as the two filters are of different "mesh" i.e. different databases, what one does not stop, the other does or may stop. Either way, there is nothing lost. Two barrels are better than one.

    Surely the only way they can become embroiled in a personal battle is if they are technically and electronically incompatible, such that the electronic interplay results in a coup de grâce, which lets all of China into your living room.
    KAS
     
  6. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,924
    Location:
    U.S.A.
  7. Mem

    Mem Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    292
    No they don't. You are only thinking in straight mechanical terms in your analogy but it doesn't equate to the firewall issue (Two personal firewalls do not operate in series or parallel on a PC. A router firewall and a personal firewall are operating in series.) Take your analogy a little farther - two industrial water cartridge filters of differing filter particle size that were in one stream in series, mash them down and force them into one cartridge space side by side. You now have material in the same space and time as the original filter but they are inefficient and the finest particle filter will not have all the water flowing through it. Larger particles than you would expect will get through. You have lost efficiency and effectiveness of the filtering.

    Your best answer is by noone_particular - use one and learn it well.
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Well, if you want 2 FW's in series make one a H/W Firewall and the next in series will be your S/W firewall. The H/W one is a router or something like an AlphaShield.
     
  9. Kas

    Kas Registered Member

    Joined:
    Sep 29, 2008
    Posts:
    147
    Location:
    Bedfordshire - Rip-Off Britain
    Thanks JRV+, guess it looks grim. Mind you, a firewall provider WOULD say that, they all do, but I accept it is generally condemned as bad practice by experienced users like yourself and other members.

    Not technically satisfied why, but you do not always need proof to believe. Somebody says you'll get hurt if you step in front of a train - YOU BELIEVE IT - NO PROOF NEEDED !
    KAS
    Ah well - looks like GHOSTWALL will have to disappear back into the ectoplasm.
     
  10. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,924
    Location:
    U.S.A.
    Kas, sorry to disappoint you. The technical point of view is that using 2 "software" firewalls end up with driver conflicts, yet you can have your cake and eat it too, by using a router (hardware firewall) plus Comodo, thus satisfying your "2 barrels are better than one" analogy. :)
     
  11. Kas

    Kas Registered Member

    Joined:
    Sep 29, 2008
    Posts:
    147
    Location:
    Bedfordshire - Rip-Off Britain
    Thanks again JRV+. All good stuff eh ? You are fast becoming an icon in my beleaguered relationship with this cyber nightmare.

    Just a point, Windows XP 2002, my personal piece of aggro has a firewall which is ON all the time. Is this a kind of poor man's consolation, you know, a filter with big holes in it, or is it any good ?

    Anyway, as it is ON and I have my Delta Force COMODO IS on guard, surely I AM running two firewalls in harmony at present and have been doing for ages now. What does this mean ? Am I suffering some unforeseen calamity I am not aware of ?

    Do you reckon I should disable the Windows firewall ?
    KAS
     
  12. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    I agree with JRViejo.
    The hardware + software firewall is a better choice IMO.
    I can attest to the software conflict resulting from installing two software firewalls.
     
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Several years ago, I tried running 2 software firewalls. Back then, most firewalls were strictly internet traffic control software, not the combined suites with kernel level components that we have now. I used Tiny Personal Firewall and Zone Alarm. The 2 seemed to work as you were hoping for, with traffic having to be allowed by both before it could pass. Configuring the 2 was a nightmare. It wasn't always clear which one was blocking the traffic I wanted to allow. Even when I did get them configured, the double filtering noticeably slowed my internet speed. On more than one occasion, each firewall lost its entire ruleset for no obvious reason. I had to start over more times than I want to admit. Firewalls aren't like physical filters. If you have a firewall rule that blocks TCP packets to and from a certain application, it blocks 100% of those packets.

    IMO, the only reason one would want to run more than one software firewall is if they didn't trust one to do the job. Multiple firewalls is for the movies. In reality, one firewall, properly configured will filter and control traffic as well as many. I'd suggest that you direct your energy into learning the basic internet protocols, the IP address system, ports, etc, and concentrate on working with the rules of one firewall to tailor the traffic flow to exactly what you want. Properly configured, a good firewall can actually speed up your internet experience by enabling you to more efficiently use your bandwidth. Writing good firewall rules is becoming a lost art. With most firewalls being combined security suites with some form of automatic rule creation, most users have forgotten how to write strong rulesets.
     
  14. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,924
    Location:
    U.S.A.
    Kas, well, to answer your first question, some people dismiss the Windows Firewall as Swiss Cheese, yet Stem, one of our Firewall Moderators, has written an excellent tutorial about the Windows XP firewall that you should read.

    I use an old 5.5.094.000 version of Zone Alarm, and as noone_particular has aptly stated, it is strictly an internet traffic control program, without any hooks into my system, yet everything I read informs me that COMODO is an excellent firewall, however, and I hope a COMODO user pipes in, I thought that COMODO automatically disabled the Win XP firewall during installation? :doubt:

    To answer the 2nd question, no cataclysm to speak of while it's ON, but my suggestion would be to disable the Windows firewall and let COMODO protect you. :)
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I will agree that most always running two firewalls together are bound to make things, erm, sticky.

    However, that does not mean it is written in stone.

    I will give you an example of 2 software firewalls that will work in unison, and have posed no problems every time I try them.

    Windows XP Firewall (everyone's most favorite)
    and
    SoftPerfect Personal Firewall (one of my favorites)

    I can and have run both together. There have never been any problems on many different machines. Rules match for either. While they are different beasts, they play well together.

    Now you ask, why would you need two? Neither is really an application firewall, unable really to give much insight as to what is asking connection. XP will sort of tell you something is trying to receive or be a server, but beyond that, nothing.

    And that is precisely why I use it. While I could throw up Outpost for testing purposes, I have found that using XP firewall daily is easy. When I really want protection I would use an ipsec rule anyway. So why SoftPerfect? Mainly because it is small and does not mind being installed but not run. And starting it up poses no problem. It does not hook itself in as deep as some of the larger suites today. But then it does not do near what most today do either.

    I use them in tandem to test. Sometimes to block outbound if I don't want a static ipsec rule. Sometimes I use it for the log it can create. Sometimes I use it for mac rules. Sometimes I just want more resolution without stopping XP firewall to see what is happening.

    If I really want to know what program is requesting outbound traffic I start SoftPerfect and then start openports.exe logging. Between these programs I can see what is going on with a new program or a new problem without needing a current 'heavy' firewall.

    Just my opinion on the matter. Try it out and see if it does the same for you. Might be surprised how well they work together.

    Sul.
     
  16. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,322
    Location:
    Philippines
    I like your examples. :)

    Security at Fort Knox. They are all working toward the same goal as a team which yields those high results. What happens when the teamwork breaks down, say the Marines trying to outdo the Special Forces and they the same to the Marines. Eventually something is going to give way and a breach of security occurs.

    Your security. Huge Alsatian and AK47. Say you decide to beef up your security and add another huge Alsatian. If they get along great, if they don't get along not so great.

    Same goes for firewalls, if they get along with each other great, if they don't not so great. Like with the dogs, you'll never really know if they will get along until they meet. :)
     
  17. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    It doesn't, at least during my experience, which is an oversight on their behalf.
     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    When looking at possible software firewall conflicts, we are (well I am) looking at 3rd party firewalls.

    When a 3rd party firewall developer creates a firewall it must be compatible with the OS it is to run on, that includes it being fully compatible with the low level network drivers of that OS, which would include the network drivers of the windows firewall, if it was not, then it would be unusable. However, 3rd party firewall developers are not going to take the time and resources to create network drivers that are compatible with other 3rd party firewalls, so conflicts can take place.


    - Stem
     
  19. Kas

    Kas Registered Member

    Joined:
    Sep 29, 2008
    Posts:
    147
    Location:
    Bedfordshire - Rip-Off Britain
    Hello playmates,
    I have read all the replies so far and I respect and am very grateful for every one of them. They show a general pattern of opinion regarding this issue.

    Bottom line - I need to know the technical reason why two firewalls cannot operate with harmony. Currently, apart from a wealth of experienced viewpoints, I am not being given a precise technical explanation. OK, I accept that everybody says that two firewalls in unison make life a pain. BUT WHY ?
    Ignore what firewall suppliers say - THEY ARE SELLING the item and obviously do not want competitors to sit in the passenger seat with them.

    As said earlier. I have operated with Windows/MS firewall ON and another firewall of MY choice for years with no problems. AND, so have hundreds of millions of other users globally. Most of these users are simply unaware that the Windows/MS firewall is up and running and install another firewall of their choice, just like I have.

    At one time I had THREE firewalls running - Windows/MS + Zone Alarm + PCGuard (NTL) and at no time did I sense any controversial pulse fights going on between micro-chips and incoming signals. The screen did not melt with internal micro-chip conflict.

    Are we simply becoming paranoid about an electronic circuit and too observant of old wives' tales which is in practice not a problem at all ?

    If multiple firewalls do in fact cause immense problems within our beloved PC and cause drives to engage in fisticuffs then WHY is it that millions of users do not get blasted out of their seats by this cybernetic Apocalypse ? It does not happen.
    Conclusion - it does not matter about multiple firewalls, there are no ill effects.

    Looks a little like saying BOO to the goose before the goose has actually pecked, simply because the goose LOOKS threatening.

    If anybody can negate these argumentative and logical points, then please do so. I really want to know whether this multiple firewall prospect is simply a myth or is a safe practice.
    KAS
     
  20. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    Mainly, the technical reason for not running multiple firewalls is that some of them might hook the same windows kernel API functions and this could generate conflicts. If we would live in a perfect world, where there are no bugs or bad programmers, hooking the same kernel API could be done multiple times without problems. But because we are not living in such a perfect world, and because hooking kernel is not documented very well (or not documented at all), you can't be certain that multiple programs that hook the same function will work together well.
    There are cases when you can run multiple firewalls without any conflict though. For instance, Windows XP Firewall and Kerio 2.1.5 are not hooking the same functions so they will work together very well. However, there is one more problem that arises here: for incoming packets, the NDIS part of Kerio will act first, then Windows firewall, then the TDI part of Kerio; for outgoing packets it's TDI, Win firewall, NDIS. This makes rule creation when running multiple firewalls a real nightmare.
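The layering Nebulus describes above (inbound: Kerio NDIS, then Windows firewall, then Kerio TDI; outbound in the reverse order) and noone_particular's earlier observation that traffic has to be allowed by both firewalls before it can pass can be modelled in a few lines. The following is an added illustration written for this page, not code from any poster, Kerio or Microsoft; the three rulesets, the port exceptions and the application names are constructed assumptions. It shows two things: the stack's final verdict is simply the AND of every layer's verdict, so a single ruleset written as that conjunction accepts exactly the same packets, and the order of the layers only changes which one gets the blame for a drop, which is what makes troubleshooting two firewalls a nightmare.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str             # "in" (from the network) or "out" (from a local program)
    proto: str                 # "tcp" or "udp"
    port: int                  # local port for inbound, remote port for outbound
    app: Optional[str] = None  # owning program; only the socket-level (TDI) layer can see this


Filter = Callable[[Packet], bool]  # True = allow, False = drop


# --- constructed rulesets, one per layer (assumptions for this illustration, not real Kerio/XP rules) ---

def kerio_ndis(p: Packet) -> bool:
    """Packet-level layer: sees protocol and port but not which program owns the socket."""
    if p.direction == "in":
        return (p.proto, p.port) in {("tcp", 80), ("tcp", 443)}  # only the local web server is reachable
    return p.proto in {"tcp", "udp"} and p.port != 25              # outbound: everything except direct SMTP


def windows_xp_fw(p: Packet) -> bool:
    """XP firewall model: never filters outbound; unsolicited inbound needs an exception entry."""
    if p.direction == "out":
        return True
    return (p.proto, p.port) in {("tcp", 80)}  # exception list opened only port 80 here


def kerio_tdi(p: Packet) -> bool:
    """Socket-level layer: knows the owning application and allows only listed ones."""
    return p.app in {"iexplore.exe", "httpd.exe", "msimn.exe"}


# Order in which a packet actually meets the layers, as described in the post above.
INBOUND: List[Tuple[str, Filter]] = [
    ("kerio NDIS", kerio_ndis),
    ("Windows firewall", windows_xp_fw),
    ("kerio TDI", kerio_tdi),
]
OUTBOUND: List[Tuple[str, Filter]] = list(reversed(INBOUND))


def evaluate(p: Packet) -> Tuple[str, Optional[str]]:
    """Walk the chain in real order; report the first layer that drops the packet."""
    chain = INBOUND if p.direction == "in" else OUTBOUND
    for name, layer in chain:
        if not layer(p):
            return ("drop", name)
    return ("allow", None)


def merged(p: Packet) -> bool:
    """One ruleset equivalent to the whole stack: a packet passes only if every layer passes it."""
    return all(layer(p) for _, layer in INBOUND)


def same_decisions(packets: List[Packet]) -> bool:
    """True when the stack and the single merged ruleset accept exactly the same packets."""
    return all((evaluate(p)[0] == "allow") == merged(p) for p in packets)


# Constructed sample traffic for the demonstration.
SAMPLE_PACKETS = [
    Packet("in", "tcp", 80, "httpd.exe"),      # allowed by all three layers
    Packet("in", "tcp", 443, "httpd.exe"),     # NDIS allows, XP firewall drops (no 443 exception)
    Packet("out", "tcp", 25, "msimn.exe"),     # TDI and XP allow, NDIS drops direct SMTP
    Packet("out", "tcp", 80, "unknown.exe"),   # TDI drops an unlisted program before anyone else sees it
    Packet("in", "udp", 53, "svchost.exe"),    # NDIS drops unsolicited inbound UDP
]


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        verdict, blamed = evaluate(pkt)
        print(f"{pkt.direction:>3} {pkt.proto}/{pkt.port:<4} {pkt.app:<12} -> {verdict}"
              + (f" (by {blamed})" if blamed else ""))
    print("stack == merged single ruleset:", same_decisions(SAMPLE_PACKETS))
```

Run as-is, the script prints the verdict and the blamed layer for each constructed packet, then confirms that the three stacked filters and the one merged filter agree on every packet. Reordering `INBOUND` never changes a verdict, only the layer reported, which is the practical cost of stacking: the same coverage a single ruleset gives, plus the job of working out which layer ate the traffic you meant to allow.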
     
  21. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,924
    Location:
    U.S.A.
    Kas, I believe Stem and Nebulus have both stated the technical reason as to why. However, if both your present firewalls are like two peas in a pod, why upset the apple cart, let them live together until they disagree, then get a firewall marriage counselor to intervene. ;)
     
  22. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,924
    Location:
    U.S.A.
    andyman35, thank you for confirming that COMODO does not auto disable the Win firewall. Take care.
     
  23. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    During installation of any 3rd party FW's they should keep the windows FW active until installation is completed. That is how they should behave as users don't need to lower their guard and thus security during install.

    After they are installed and running, they should automatically turn the windows FW off thus avoiding the double FW conflicts discussed in this thread.

    If they have a feature to turn off the FW for some reason, then they should turn the windows fw back on providing some coverage against incoming.

    This seems a no brainer to me, but I'm sure I missed something.
     
  24. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    Sure, you can use two firewalls (besides routers).

    You just need two computers.

    Computer 1: entirely dedicated to the software firewall. All connections to the internet go through this machine.

    Computer 2: the computer you use for work, to visit the internet, where you're running your security software, including a firewall.

    Connect both computers by cable/wire.

    It's possible.
     
  25. Kas

    Kas Registered Member

    Joined:
    Sep 29, 2008
    Posts:
    147
    Location:
    Bedfordshire - Rip-Off Britain
    Hi everybody who has responded to this thread.

    I would like to thank you all for a very thorough, technically explanatory and dedicated response. The subject has been covered very well indeed and I am satisfied with the variety of comments made.

    Obviously, the overwhelming opinion is that more than ONE firewall is bad news and I accept the general explanations given for this.

    My COMODO IS serves me 100% and I will keep it until such time that an equivalent or better prospect arises - that could take some considerable time.

    I will as suggested, disable my Windows firewall and see what happens.
    A comment was made, rather sarcastic and extremely patronising, about this thread that it was a "no brainer".
    I can only point out that on the contrary it is a complicated electronic issue quite commonly raised globally that even the most knowledgeable expert finds it difficult to explain.

    If it IS a "no brainer" then we must join that universally exclusive fraternity of many hundreds of millions of users, engineers and technicians who obviously have "no brain".

    My condolences to half the world's Internet users who do use two firewalls and do not even know it - Windows + A.N.Other

    Again I thank every one of you.
    KAS
     