SSM + Ghostwall = Full In/Out Firewall?

Discussion in 'other firewalls' started by InfinityAz, Nov 11, 2006.

Thread Status:
Not open for further replies.
  1. InfinityAz

    InfinityAz Registered Member

    Joined:
    Jul 23, 2005
    Posts:
    828
    Location:
    Arizona
    The new paid version of SSM was released today and includes network access (outbound app control). I realize the following questions depend on your configuration, but:

    Would using SSM along with Ghostwall provide enough inbound and outbound protection?

    Would this combination be equivalent to using Kerio free, Filseclab, ZA free, etc.?

    -or-

    Would a router with NAT/SPI and SSM offer enough protection?
     
    Last edited: Nov 11, 2006
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Well, Ghostwall will filter the inbound/outbound packets (I have not tested how good this is yet), and SSM would filter the applications' access,.... so on my first thought, yes.

    This at first would appear to be sufficient, as unsolicited inbound would be blocked, and there is control of application outbound,.... but I think there is a need to filter,.... so from the choice of the 2 setups, I would go with the first.

    Better would be: Router:Ghostwall:SSM (with available choice)
     
  3. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    Ghostwall combined with AppDefend is pretty much a full in, full out firewall. SSM would work well with Ghostwall. If you have a firewall in your router then SSM alone would be sufficient.
     
  4. jasonago

    jasonago Registered Member

    Joined:
    Oct 28, 2006
    Posts:
    31
    Location:
    Philippines
    I agree with this setup because AppDefend is much simpler compared to SSM. But we would like to see AppDefend with a "Learning Mode" in the future and a much greater list of predefined applications.
     
  5. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    In my view no. SSM can't restrict access by domain, only by trusted/untrusted address so it can't offer the fine control a full firewall can (e.g. being able to limit your email client to connecting to your ISP mail servers only).

    If you only wish to be able to allow/block outgoing access (like ZA Free) then SSM would suffice but its network control is currently very basic.
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    You could place the mail servers within the trusted IP group of SSM, and restrict the mail client to trusted only,..... or as "InfinityAz" would also be using "Ghostwall", then IP/port for mail server could be placed there (or both).
     
    Last edited: Nov 13, 2006
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    You can do this in SSM but that would also allow every other program with Trusted Network access to connect to the mail server - in this case probably not a major problem but it can be in other cases.

    With Ghostwall a similar issue applies - allows or blocks apply to every program. It isn't possible to allow program X only access to location Y - and in many cases this is the best rule for a tightly configured setup (e.g. DNS access, program updaters, anonymising proxy access, etc).
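
The gap discussed in the last two posts, as an added example that is not part of the thread and is not code from SSM or Ghostwall: a simplified model of an application control with one shared trusted-IP group layered over a program-agnostic packet filter, compared with rules keyed on program and destination together. The program names, addresses, and the "trusted"/"any" access levels are assumptions made for the illustration.

```python
from itertools import product

# Constructed sample data (RFC 5737 documentation addresses), not from the thread.
MAIL = ("192.0.2.25", 25)       # ISP mail server
UPDATE = ("198.51.100.7", 443)  # vendor update server
OTHER = ("203.0.113.9", 80)     # any other host
APPS = ["mailclient.exe", "updater.exe", "browser.exe"]  # hypothetical programs
DESTS = [MAIL, UPDATE, OTHER]

# What the user wants: program X may reach location Y only.
INTENT = {"mailclient.exe": {MAIL}, "updater.exe": {UPDATE},
          "browser.exe": {OTHER}}

def zone_app_control(trusted_ips, app_level):
    """App control with one shared trusted-IP group (assumed levels: trusted/any)."""
    def allow(app, dst):
        level = app_level.get(app, "none")
        return level == "any" or (level == "trusted" and dst[0] in trusted_ips)
    return allow

def global_packet_filter(allowed):
    """Packet filter whose rules ignore which program sent the packet."""
    return lambda app, dst: dst in allowed

def per_app_firewall(rules):
    """Rules keyed on program and destination together."""
    return lambda app, dst: dst in rules.get(app, set())

def layered(*policies):
    """Traffic passes only if every layer allows it."""
    return lambda app, dst: all(p(app, dst) for p in policies)

def overreach(policy):
    """Connections the policy permits although INTENT does not."""
    return sorted((a, d) for a, d in product(APPS, DESTS)
                  if policy(a, d) and d not in INTENT[a])

def blocked_but_wanted(policy):
    """Intended connections the policy would break."""
    return sorted((a, d) for a in APPS for d in INTENT[a] if not policy(a, d))

combo = layered(
    zone_app_control({MAIL[0], UPDATE[0]},
                     {"mailclient.exe": "trusted", "updater.exe": "trusted",
                      "browser.exe": "any"}),
    global_packet_filter({MAIL, UPDATE, OTHER}))
strict = per_app_firewall(INTENT)

if __name__ == "__main__":
    print("layered combo over-permits:", overreach(combo))
    print("per-app rules over-permit: ", overreach(strict))
```

Both policies allow every intended connection; only the layered combination also lets the updater reach the mail server and the mail client reach the update server, because neither layer can tie a destination to a single program.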
     