Really Needed?

Discussion in 'other firewalls' started by firzen771, Nov 4, 2008.

Thread Status:
Not open for further replies.
  1. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,014
    If you're using Kerio to control outbound, it's virtually useless. It won't stop something determined to get out. SSM is a better choice for catching things, so that's good, but IMO you'd be better off dumping old Kerio and keeping SSM with a router for inbound. Light and just as effective. Using Proxo is fine also if you like that approach. That should keep a lot of browser nasties out....
     
  2. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Unless you insist that application firewall functions have to be combined with the internet firewall in one package, Kerio is not useless by any means. Kerio's primary role is internet traffic control, which it does very well. I keep the application firewall functions separate from the internet firewall. SSM handles these and the bulk of the malware control duties. Proxomitron also has a role there. Keeping malware from connecting out is a secondary role for Kerio, one it's not likely to have to perform unless SSM and Proxomitron fail. I have yet to see that happen, just as Kerio has not failed to do what it was designed to. I will not compare Kerio by itself to a security suite. That's like claiming that Thunderbird is inferior to the Internet Explorer package because Thunderbird can't browse the internet, but IE can open e-mail using OE, which comes with it. If you want to compare security suites and packages, I'll put my package and rulesets up against any security suite. How well one component in a suite or package protects you means nothing. Users don't run just one component of a security suite or just one program in a security package. How well the whole package works is what matters.
     
    Last edited: Nov 7, 2008
  3. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,014
    You do have a light setup there, I'll give you that. I just don't quite agree on the effectiveness of Kerio. If you're just using it to control "normal" apps on your system, then fine, but anything remotely "devious" will easily bypass it and find a way out. But then like you say, hopefully SSM will catch it executing before then, but then again, that depends on you, and what you allow to execute when SSM alerts you. If it hides behind something else and/or fools you, then you're dead....

    In the end, I think it's mostly up to the user to stay clean and clear of harm. So I run light here with just Avira free and Defender on Vista x64. The router or Win Firewall covers inbound. Outbound or malware I don't worry bout cause I don't expose myself to it. I have pretty much run this way for years without harm, so it works for me..

    To each his own as they say.... ;)
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    On my PCs Kerio controls the internet access for legitimate apps and system components. SSM makes sure that everything running is legitimate. My primary PC changes very little and very seldom. I run SSM with the UI disconnected, no prompts for the unknown. Users can't install or update anything. They get an automatic "access denied" for everything not whitelisted. It's secured by a default-deny security policy that's applied to all applications and system components and includes each one's activities and parent-child settings. The internet access for each application and system executable is also governed by the same policy, each getting only the access it needs to function. Most of them are required to connect through Proxomitron so that the content they receive can be filtered. The operating system itself has no internet access. It doesn't need it and the internet definitely doesn't need any access to my OS. I've found Kerio to be ideal for this role. Kerio's ability to control loopback traffic increases Proxomitron's effectiveness because it won't let apps connect out without going through it.

    For me, a software firewall is a necessity, and Kerio is ideally suited to my needs. I've also used this combination for years on several PCs with different operating systems and it has never let me down. It just shows that there's more than one way to make an OS secure.
     
  5. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,014
    Are you talking Kerio 2 or 4? I have used both, I loved 2 and had tons of fun with the rules for a year or so. 4 was ok, but another thing altogether, with a few problems of its own. I prefer 2 myself. Lean and mean....
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Definitely Kerio 2.1.5. Tried one of the version 4 releases once, don't remember which one. Did not like it at all. It only took a couple of minutes to decide that I wanted nothing to do with it. If only someone would write a modern equivalent of Kerio 2 that fixed a couple of minor bugs, gave it better logging, and made it IPv6 compatible.
     
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,014
    Yeah, 2 is a classic. There is no better interface for rule making IMO. I doubt anyone will ever make anything close to it again though, sadly enough.. But it's fine as is, it has flaws, but it's good enough. Kerio 2 was what got me into a long haul of trials with firewalls back in 2004. I spent a lot of time on the rules and enjoyed it. In the end though, I slapped the router in place, and let go of it all. I rely mostly on myself to keep nasties out. So far so good....
     
  8. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    How about Jetico or even Look'n'Stop? Will you guys stop weeping over Kerio already and just move along? (Nothing personal, I'm speaking in general terms)

    As you said, this is only your opinion.

    Cheers,
     
  9. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,014
    Did you really need to say that bubba? Anything written in these forums is the poster's opinion, that's a given.... Lighten up dude...

    Jetico is fine too, I was the first to post on it here at Wilders years ago. It's nice, but has its shortcomings also....
     
  10. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Yes I did. I'm pretty much sick of nostalgic posts that lead nowhere and just cry over the "good old times". Quit living in the past.

    But the real reason bubba said it is this - the discussion you two started in the last couple of posts is OT and is essentially a hijack, isn't it? Should we end every firewall thread in a 10-forward manner weeping over Kerio or Sygate?

    Cheers,
     
  11. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,014
    If you don't like what's being posted, stop reading it..... Simple enough. ;)
     
  12. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Um... yeah but... how would I know if I like or dislike something if I haven't read it o_O

    But perhaps you're right. I should at least refrain from posting. Which I, believe it or not, often do.

    Cheers,
     
  13. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Folks,

    Could we keep the discussion centered on the original question? Namely....
    My own take is no (i.e. not needed, but arguably desirable in many situations), although the phrasing of the question seems to betray a misunderstanding of the functional capabilities of the two approaches.

    Blue
     
  14. Arup

    Arup Guest

    For ultimate control we don't have to lament over firewalls of yesteryears, Comodo now has developed into a good alternate to Tiny, it has its fair share of pop ups but it does cover lots of grounds and is among the one and only that is fully x64 OS compatible. However it's only for those paranoid about leak etc. as the pop ups would make your PC experience quite full of pop ups.
     
  15. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Since we're back on track here, and in line with this

    I can only tell that a good software firewall is very desirable. Here's an example of something that doesn't happen often (in fact it never happened before) that my router failed to stop. Log entries from Jetico firewall, during a P2P session -

    081108NULL.jpg

    (sorry for the big image)
    If you (the majority) still think you're well off with a simple state table check that home routers provide, I can only say,

    Cheers,
     
  16. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,014
    Just to play devil's advocate here, what exactly is the threat or danger in those packets? Explain how any harm can result from them please...
     
  17. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I see no security advantage to having the internet firewall and the application firewall (HIPS) combined into one program. Regardless of whether the security package is a suite or user selected single purpose components, the internet firewall is one component I consider necessary in most any package for many reasons, several of which I mentioned earlier. In security packages centered around sandboxing or virtualization, an application firewall isn't really a necessity, but with most firewall suites, you get one whether you wanted it or not. In packages like these, a separate internet firewall is an asset. It might not be something the masses would want to use, but the average user wouldn't want to deal with Comodo either.

    IMO, the internet firewall is the most important security app for keeping your personal data private. Without one, you have very little control over the data that leaves your PC, and no control over where it goes or what app sends it.
     
  18. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Kerodo,

    I am not talking of danger but of proper packet filtering. As you know, there is a distinct difference. Sure, you won't be in danger even without a router, connected directly to the internet, if all your ports are closed. Even if some are opened, with patched applications holding them you are not in danger. You know this as well.

    It is just a matter of unsolicited packets arriving at my stack - I won't have this even if it doesn't pose any risk. Most of you will disregard my opinion as you're thinking only how to get your a$$es out of trouble. And I do understand you, I simply have a slightly different point of view.

    Cheers,
     
  19. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,014
    Alright, that's fine, I understand where you're coming from.....
     
  20. Arup

    Arup Guest

    P2P needs port forwarding, which means letting in inbound traffic. Your router has no control over that as you have opened the hole in it by choice; in that case even a software firewall would be able to do nothing, as P2P needs to be a server. Those are the vagaries of P2P and you have to live with it. All you can do is run an IP filter or Peer Guardian, which would stop most of the inbound rogue traffic.
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    1) Successful XSS exploits will send data via the browser, and the firewall will happily oblige.

    2) Regarding other applications sending via malware exploits: What about users who are confident that no malware can intrude to send out data?

    There are other ways than a firewall to control what goes on in one's computer.

    ----
     
  22. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Arup,

    When you P2P you would need to forward port(s) in your software firewall as well. So the software firewall will also pass the unsolicited through. This is a must if you want to P2P, as you said.
    But a good software firewall will let you create granular user-specific rules, something that is not possible with a router, at least not with ones we are using. A NULL packet is one of many invalid-flagged TCP packets and something that is certainly not desirable - it will connect nowhere and will deliver its payload nowhere. So Jetico has (in case of NULL packets default) rules to allow you filtering of these undesirable (unsolicited/invalid flagged) packets. That is all. I don't have to live with it or use an IP blocker if I don't want. I just need to use a good firewall.

    Cheers,
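
Added example, not part of the original post and not Jetico's own rule logic: a small classifier for the invalid TCP flag combinations mentioned above (the NULL packet among them), showing what a filter inspects before dropping such a segment. The helper names, ports and sample headers are constructed for illustration.

```python
import struct

# Classic TCP flag bits (low six bits of header byte 13).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flags(header: bytes) -> int:
    """Extract the six classic flag bits from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    # sport, dport, seq, ack, data-offset byte, flags byte, window, checksum, urgent
    fields = struct.unpack("!HHIIBBHHH", header[:20])
    if fields[4] >> 4 < 5:
        raise ValueError("data offset below the 20-byte minimum")
    return fields[5] & 0x3F  # mask off the ECN bits (CWR/ECE)


def classify(flags: int) -> str:
    """Name an invalid flag combination, or return 'ok'."""
    if flags == 0:
        return "NULL"        # no flags set at all
    if flags == FIN | PSH | URG:
        return "XMAS"
    if flags & SYN and flags & FIN:
        return "SYN+FIN"     # asks to open and close at once
    if flags & SYN and flags & RST:
        return "SYN+RST"
    if not flags & (SYN | RST | ACK):
        return "NO-ACK"      # e.g. a lone FIN: data/FIN segments must carry ACK
    return "ok"


def make_header(flags: int, sport: int = 40000, dport: int = 6881) -> bytes:
    """Build a constructed 20-byte header for the demo (ports are made up)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)


def audit(headers):
    """Return (index, verdict) for every header a filter should drop."""
    verdicts = ((i, classify(tcp_flags(h))) for i, h in enumerate(headers))
    return [(i, v) for i, v in verdicts if v != "ok"]


if __name__ == "__main__":
    # Constructed sample: SYN, SYN/ACK, NULL, PSH/ACK, XMAS, SYN+FIN, lone FIN
    sample = [make_header(f) for f in
              (SYN, SYN | ACK, 0, PSH | ACK, FIN | PSH | URG, SYN | FIN, FIN)]
    for index, verdict in audit(sample):
        print(f"packet {index}: drop ({verdict})")
```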
     
  23. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    I agree, if we have a good and strong solid antimalware protection, well, no malware is sending nothing out, unless you are already infected :D
     
  24. Arup

    Arup Guest

    I see your point, in that case, if I am worried, I will set up an old PC with a Celeron and run it with a Linux firewall like Snort etc. That way I have total control of what goes in or out.
     
  25. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Um... Snort is not a Linux firewall. It is an Intrusion Detection System and will filter nothing by itself. It will monitor network connections and allow you to create granular connection-specific rules which are not possible to create by the means of ordinary firewalls.
    Perhaps you were referring to Untangle, IPcop and such...?
     