New build needs new firewall.

Discussion in 'other firewalls' started by Hugger, May 27, 2008.

Thread Status:
Not open for further replies.
  1. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    I'm hoping to be finished with my first 'from scratch' new build.
    It'll be using XP Pro w/SP3 for the OS.
    I use a D-Link DIR655N router, which has NAT and some sort of SPI.
    I plan on using Threatfire, Defensewall and Antivir AV for full time protection and Sandboxie and SAS for on demand.
    I need a good easy to use firewall that will give us above average protection w/out having to write rules or wrestle with more HIPS.
    Free would be nice.
    Suggestions, please.
    Thanks.
    Hugger
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    You can try Online Armor; it is free and easy to use.
     
  3. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    jmonge,
    Thanks. But I'll pass.
    I'm less worried about leaktests and more interested in keeping the garbage out.
    And OA has HIPS.
    Tried it and Comodo.
    Got tired of wrestling with them.
    Hugger
     
  4. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    PC Tools 3 is not bad - based on Look 'n' Stop.
     
  5. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    You can disable Comodo's and OA's HIPS and have them operate purely as a firewall.
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi,

    I have this combo (nearly identical to your initial idea), see
    https://www.wilderssecurity.com/showpost.php?p=1249089&postcount=2528
    TF custom rule: see pic

    I think it is more useful to combine a partition virtualisation application (ShadowServer/PowerShadow, or the freebie Returnil) with DW than an application virtualisation sandbox (like SBIE). Note that SafeSpace offers partition-like virtualisation besides application virtualisation, so my freebie preference would be Returnil -> SafeSpace -> SBIE to combine with DW. See this post for the argumentation: https://www.wilderssecurity.com/showpost.php?p=1248922&postcount=21

    Note: The network module of Avast and its inbound data check (AV + AS) sort of replaces SAS on demand

    Regards Kees
     

    Last edited: May 28, 2008
  7. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    I prefer the simplicity but yet security of SafeSpace and Malwarebytes.
     
  8. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    Kees 1958,
    Thanks for the help. I was thinking about similar while I was out today.

    All,
    Thanks to you too.
    Hugger
     
  9. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Just one important question. Do you realize what you need a firewall for? Could it be that you don't need it? What does "to keep garbage out" mean?
     
  10. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    I think he meant that monitoring inbound communications is more important than outbound communications. :D
     
  11. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    What I mean is that in my opinion it's more important to prevent problems rather than try to prevent leaks after the fact.
    I think too much emphasis is placed on leak tests/prevention and not enough on just producing a high quality, reliable inbound firewall that's easy to use for the non-geeks yet can be played with to your heart's content if that's what you prefer.
    Sorry if I didn't say it correctly.
    Hugger.
     
  12. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Hm .. From his words "I plan on using Threatfire, Defensewall and Antivir AV for full time protection and Sandboxie and SAS for on demand."
     
  13. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    OK. I know a lot of modern malware that uses the holes in outbound protection. Most of them are used to distribute spam. But I haven't heard about modern malware or a virus or whatever that exploited the holes in inbound. Yes, there were many some 5-6 years ago, but not recently. So Windows XP's built-in firewall is pretty much enough, I think. And, BTW, at least half of the leaktests actually deal with what you call "inbound": memory tampering, dll injection, hook setting, entry point infection, etc. etc.
     
  14. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    Thanks for the info Kees.

    I have a few questions-

    1. Would you have a screen shot of what the info box for a particular outbound attempt looks like? Is it pretty generic or does it contain detailed info?

    2. Also, if the outbound connection attempt is turned on and I am also behind a high speed modem/hardware firewall should I disable the Vista firewall?

    3. Have you heard of any conflicts with the latest build of Threatfire and Avira Personal Premium?

    4. On install of the latest build of Threatfire is there an option to not install the PC Tools av?

    5. Is anyone aware of how Threatfire does in leaktests when configured to notify about outbound connection attempts?

    thanks
     
  15. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    acr1965 ,
    I'm using what I believe to be the latest versions of Avira Premium and Threatfire with no problems on my old pc.
    I don't anticipate any problems using them on the new pc.
    Regards.
    Hugger
     
  16. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    Thanks for the info, I may give it a try.
     
  17. Hoodied

    Hoodied Registered Member

    Joined:
    May 30, 2008
    Posts:
    10
    Excellent concept that you have here, and I wish more people would follow it. In all honesty (unless you're a malware tester), once malware reaches your system and is installed, then your system is already compromised. I believe that prevention is the key as well.

    About your question about Threatfire, to my understanding Threatfire monitors, or can be configured to monitor, outbound silent connections, which can determine leaks or silent connections from legitimate or illegitimate programs.

    Looking at your original post and requirements, I would suggest PC Tools Firewall, given that you don't care about leak test performance (although PC Tools can prevent some leaks), and it has easy rule making. It's very light and fast and also includes powerful SPI filtering capabilities.
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Just a message screen with blue warning level, meaning
    a) It is checked against the virus database and is not a known malware
    b) Only the process is mentioned, with a click to learn more; you can google with this information for this process
    c) The warning message is what you enter yourself

    When you have an old-fashioned cable connection, no; when on wireless between router and PC, yes (but Vista FW is integrated in the OS, so very fast)

    No

    No, when an intrusion occurs TF first checks the antivirus database. This is so much more efficient than what a classic AV kernel does (checking when reading/writing a file, loading a program)

    On Vista only 4 leaktests will come through; when you run LUA (use TweakUAC to set it in quiet mode) you also have IE in protected mode, and besides, DefenseWall or GeSWall would prevent you from coming into such a situation, so phhffff, who cares?

    See post above
    - leak test = worrying about how to prevent thieves from running once they have broken into your house
    - policy sandbox (internet facing apps) + LUA (for the rest of the programs) + behavior control = prevention of the break-in
     
  19. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    Thanks for the info Kees, good stuff as always.
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    @acr1965

    With Avira Premium you are close to realising a digital Fort Knox security setup

    Level1: your router (plus Vista FW when using wireless)
    Level2: LUA + DefenseWall policy mitigation (reducing the attack surface)
    Level3: Avira Premium AV/AS check (I would set it to check only at writes, so all incoming data streams are checked before writing to disk)
    Level4: Behaviour blocking of TF (with custom rule for outbound) plus AV database check at intrusion and Avira's heuristics at program execution

    Add an occasional on-demand check with Avira before backup and with TF for rootkits, and bad guys have a hard time beating your setup.

    (AD 3: Because DW keeps downloaded files in its enforced limited rights environment, you can set Avira to check at writes only, instead of reads and writes, which speeds up your system a little).

    Regards Kees
     