Sunbelt Personal Firewall inbound protection...

Does it has a better inbount protection than other free personal firewals?

because it has a IDS with Snort ruleset...
Include the IDS has any atvantage over other firewals like COmodo?
anyone can teach me?

 

Re: Sunbelt PFirewal inbount protection...

I used their forewall, however, that web filter section can not be used with many modern web sites, even if you exclude web site from web filter it still does not work.

 

IDS rules are separate from the Web filtering section. IDS rules refer to things like port scans, various ICMP activities, backdoor and bad traffic activities, denial of service, etc. Based on Snort rules. It's called IDS which means intrusion detection system. Many good firewalls have similar features, though they may be using different rules and different names. I cannot comment on which is the best.

Sunbelt's Web Filtering is a totally different filtering section. It monitors http and similar traffic for content - referers, cookies, javascripts, VB scripts, ActiveX, ads, popups, etc. I've had no problems, but everybody's use is different.

 

The Sunbelt Personal Firewall implemented on an stand alone computer will work as advertised, as the Firewall was designed to protect one computer.
The ad and referral blocking are superb. However, implement the Sunbelt Personal Firewall in an Network and the Firewall will block the L3Retriever Ping by its default hard coded rule.
This in turn will block the Windows Browser Service. The aftermath resulting in the computer that is the current Master Browser can not see or be seen by other computers in the Network.
File and Printer Sharing will be temporarily available and unavailable, depending on the status of the Master Browser. This poses no problem on an stand alone computer.
The Sunbelt Personal Firewall implemented on an stand alone computer is easy to learn, manage, and maintain. Inbound and Outbound protection will work as advertised.


HKEY1952

 

thanks for your replys, yes the webfilter is not a problem, i can use proxomitron for that, and it is more powerful...

but back to the inbount protection, for a stand alone Pc, will the SPF povide more security compaird with Personal Firewalls, which don't have a IDS? that is my question...About Pc in network, that's another story...

 

No:

Some Firewalls such as PC Tools Firewall Plus exists more granular control over the Firewall Rules minus the IDS


HKEY1952

 

please can you explan more, how does this granular control improve the inbound protections?

 

If NetBIOS ports are blocked from the internet to be safe, I'd think one can disable this one rule in the icmp.rlk file by putting # on the rule, like this:

I did it. I only permit ICMP[8] for Echo Requests incoming from the LAN, but really I don't think is a security issue too much. So I reply to ping in the worst case. So what.
Most of the time I'm behind a router so not really worried to much about it. And all LAN functions are happy.

 

Having more granular control over any Firewall Rule I believe speaks for its self. One can dictate the exact actions any one rule will enforce.


HKEY1952

 

Preceding the above rule in the ICMP.rlk file with the # sign only prevents the alert and logging of the blocked event, it does not allow the L3Retreiver Ping.
I have had three tech support sessions with Sunbelt and they were unable to resolve the issue as the rule is hard coded into the executable.
Also, some Routers, especially some older Routers, also send out L3Retriever Pings.
Agreed, it is not much of an security issue, it only blocks the Master Browser Service. Sunbelt claims they will fix this issue in future releases.
The Firewall was originally designed to protect an stand alone computer, not an computer in an Network.
Sunbelt has not done much with the Firewall since they purchased it from Kero.
The Sunbelt Personal Firewall is ideal for an stand alone computer.


HKEY1952

 

HKEY1952,
I think you're right that the "#" is about logging, I guess I forgot how it was at the beginning.

But my memory hasn't failed on the file and printer sharing. Because I do it all the time.
I've seen Master Browser and Backup Browser and Workgroup announcements and all the NetBios packets using Wireshark so they must be happening
Netbios has two trusted "?" on the apps tab and I have rules for NetBios ports for just the LAN IPs.
Works like a charm. XP-SP2 and XP-SP3 home and Pro, Sunbelt FW 4.6.1861.

My information is that the old Kerio 2.1.5 was for the networks, not just standalone computers. I believe it was originally made for servers, not just little PCs.
The Sunbelt version can work with several computers.
As a matter of fact, as I write this, both Kerios are running on two computers and easily talk with one another. The same was true when 2-3 different firewalls were in the same LAN as the Sunbelt firewall on one PC, as well as two computers, both running Sunbelt FW.

Oooops, we've gone off-topic, and I think testsoso still does not have the answer about IDS rules

 

anyway，thank you for sharing your knowlegde, and yes i still want to know more about it's inbount protection,with it's IDS.

Why do we need an IDS beside the Firewall? How does it help?

 

The IDS rules can help the firewall better block malicious traffic.

While you can use most firewalls to limit what programs are allowed to connect into and out of your machine. The IDS rules look for known patterns and signitures in the connections, such as with Port scanners, DDOS attacks, and other attempts to gain access to information on the machine.

The pre-defined rules are much faster at identifying them and blocking them then if you were try and manually deny the connections.

 

And the IDS rules update how often and how many rules are we speaking of?

 

Answers to most of your questions about the Sunbelt Personal Firewall and the IPS (intrusion prevention system) are detailed in the user guide.
Here is the link to the Sunbelt Personal Firewall User Guide .pdf
http://www.sunbeltsoftware.com/documents/sunbelt_personal_firewall_user_guide.pdf

See Intrusion Detection: Chapter 9 Page 84 (9-2, 9-3, 9-5, 9-9)

There are many rules and they are automatically updated:

QUOTE SPF MANUAL/
Sunbelt Personal Firewall detects and blocks many types of network intrusions. It uses an internal
intrusion database that is automatically updated each time a new version of the firewall is installed
or updated. This is one reason you should update Sunbelt Personal Firewall after receiving an
alert that an update is available.
\END QUOTE SPF MANUAL

The Sunbelt Personal Firewall uses three systems to prevent network intrusions and malware installation, as well as behavior monitoring:
01)- NIPS = Network Intrusion Prevention System
02)- HIPS = Host Intrusion Prevention System
03)- Application Behavior Blocking = Monitors Application Behavior (firewall rules)


HKEY1952

 

Interesting...

after i search the Forum, i find out that the creator of Online Armor, MikeNash said it in severe Time, that he like to implement the Snort Ruler in Online Armor, but it seems not yet done.

So an NIDS is very useful..

But i saw on the Snort website, they do have two Rulersets, one is free, and for other people have to pay... which one use the Sunbelt? the paid or the free?

 

The answer to your question can be found at the bottom of the next Web Page by following the link below:

SPF Free vs. Full Versions
http://www.sunbeltsoftware.com/Home-Home-Office/Sunbelt-Personal-Firewall/


HKEY1952