Tiny vs Sygate vs Outpost

Discussion in 'other firewalls' started by no13, Nov 13, 2004.

Thread Status:
Not open for further replies.
  1. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Just decided to dump kerio as it hasn't got component control, poor logging and a bunch of other crap missing that really, should have been there, and since its content filter is messy (especially on forums) and its private data "vault" is useless, a farewell to a trusted product.

    Comparing the things that Tiny(T), Sygate(S), and Outpost(O) [Pro versions] have over Kerio and/or each other............

    Sygate features
    - Mac and IP spoofing prevention ----> unique, but useful??
    - Active response / Dynamic stealthing ( a la Zone Alarm)
    - Blocking "listen" connections (like Armor2Net)
    - IP fragment protection ---->others don't mention, but may have it, Router does
    - OS fingerprint masquerading -----> cool!! can I do this without Sygate (manually)?
    - bootup protection
    - Anti-termination protection
    - Terminates known trojans --->nice

    Outpost features
    - Malformed DNS protection ------> wonderful, but don't others have it as well
    - Memory injection protection ---> decision influencing item (DII) #1
    - Bootup protection
    - DNS caching ---> eh... doesn't svchost.exe do that for me?
    - referrer blocking, cookie control ---> DII #2, unless a 3rd party app does that for ALL browsers
    - Ad blocking, mobile code blocking
    - Updates for Adblocking lists

    Tiny features
    - File Access Guard ---> unique, seems painful
    - Registry Guard ---> ditto
    - Process Spawning Guard ---> DII #3
    - OLE/COM Guard (is this protecting OCX?) ---> DII #4
    - services control Guard ---> See T1 above
    - Device Access Guard ---> JetDirect based Printers attacked on port 9100
    - Snort based IDS/IPS

    Now...
    Which firewall should I choose and why? out of the three...
    if u say Jetico, I'll say "beta"
    if u say Look 'n' Stop, I'll need a feature list.
     
  2. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Tiny --> Hard to use
    Sygate --> If using a local Proxy server, such as Proxomitron, it is a big vulnerability that still exists in the latest version.

    I'd pick Outpost out of the three.

    Sygate is fine if you don't use any proxy server ^_^
     
  3. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    I use Sygate but as mentioned I don't use a local proxy. Outpost crashes on my system during testing at the PCFlank website.
     
  4. yahoo

    yahoo Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    290
    Location:
    nowhere
    Outpost --> too easy to use :(
    Tiny --> just right for me to use. I enjoy tweaking things to make them work and work well. :D
    Sygate --> will consider it some time later. :)

    Level of security and configurability? All of the firewalls have their own merits and drawbacks. It all depends on your personal demands.
     
    Last edited: Nov 14, 2004
  5. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    does neone know of ne comparison/contrast of these firewalls?
    does outpost have ids/ips?
    i personally use sygate but i havent tried the other two and im always open to ideas.
     
  6. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Hmm...
    What do I want in a firewall...
    basically... I want what Kerio does (app control incl spawn control and per-interface settings for each app, snort based IDS/IPS, monitoring ALL connections and interfaces incl new dialled numbers without fail, Content control THAT WORKS... cookie control - foreign,session,persistent, referrer blocking, no need for blocking ads or JS, blocking of private info.)
    On top of that... I'd like Component control like BlackICE, its IPS config should also be there, and Armor2Net's ability to monitor "Listen" connections, and the ability to kill a connection from the GUI itself... and finally, the ability to beat Thermite and Copycat.
    Also, the more configurable it is, the better
     
    Last edited: Nov 14, 2004
  7. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    WSFuser...
    click on the links I've provided
     
  8. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    hmm... Suddenly, Kerio's Web Filter's behaving well again (bless its little heart)...
    But if Tiny is both light and has web control, I'll switch.
    If outpost can monitor OCX components and beat Thermite/copycat... it's nearly perfect...
    Just give me a Process Spawning Guard, OCX monitor and web control in an app... I'll take Sygate.
     
  9. ?Lowen

    ?Lowen Guest

    How about none of the above! I use 8signs and have to say It is one powerful packet filtering firewall. Of course it doesn't have any application control, which is understandable, because James Grant is against this for obvious reasons! Which I completely agree with... It uses a true implementation of spi and there are plug-ins, such as Snortsam for it.
    www.snortsam.net
    Since I use a server/client config, it is great. But, I can see from your previous postings, that you are for one, against NOT having any application filtering, (no matter how illusionary it is.) And two, that you run more than one firewall at once from behind a router. And none of them really suit your expectations, why not use ALL of them at once?
    SO, I guess your journey for the 'perfect' firewall continues on!!! :)

    Cheers
    Lowen
     
  10. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    yeah, you may be right, but my router has SPI, and the configuration is HARD and LONG and I'm just a kid, no more than that...

    Assuming you have WinXp, how do you plan to block windows' time update module Lowen? Try it sometime with an app. firewall...... It'll catch time synchronisation attempts really soon. It's a serious loophole in your security when it syncs (on UDP I think) with time.windows.com ... nice, no? A backdoor ready for a buffer overflow (I'm guessing it can be exploited, note that I'm using my memory of 2003Aug when I first removed it from the Services area)
    I use 3 firewalls for a simple reason... each gives me a separate dimension of control over my pc, illusory though it may be... Kerio has spawn control, BID has DLL/OCX (aka component) control, and Armor 2 Net blocks even "Listen" attempts.
    BTW: Both BID and Kerio have different IDS/IPS rules that don't clash because Kerio works on bottom layer beneath the OS (from the Kerio manual)
    What I want now is a firewall that gives me all this at the same time, because the memory load is higher (Engg. application software is HEAVY)...
    And finally, no firewall (in fact anything) is perfect, that's why I'm prepared to use two firewalls at once.
    The software firewalls give me control over what program gets access to the net, some thing SPI can NEVER protect me from. If I want SPI, I'll get my router - no need for any migration policy for custom rules etc. there, just pick up and go...

    My question to SPI experts and fans : S, T, O all three say they implement SPI.... is it true-blue SPI, or SPI-like behaviour?
    Please remember, I want a firewall to have a heavy degree of App Control
     
  11. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Could you explain why you find application filtering illusionary? I find it useful since a trojan could send any information via port 80 and others unless you configure 8Signs to only allow traffic to certain IP addresses for every website you visit and even then it could still send information to those if it wanted.
     
  12. controler

    controler Guest

    Hi everybody

    I thought I was cool getting through the one thread started here today but now see there are three and basically all about the same topic.
    SPI compared to application control.
    I try to mention to stay away from Zone alarm and McAfee.
    Even to this day they cause nothing but system problems.
    I admit, I do not know as much about firewalls as a lot of you and that is because that is not the only software I test and don't have much time for testing anymore. In the early days I tried to devote my testing to only one product at a time. I think the first firewall I remember testing was @guard.
    Then since I was testing for Symantec at the time Symantec purchased @guard, I told people to use Symantec's firewall. I didn't really think there was any better at the time.
    I do respect all the posts by both sides. I really enjoy reading them.
    Phantom? I have read a lot of your posts over the past few years and respect your knowledge on firewalls. Have you tried Bit guard Firewall at all? If so, what do you think about Bit Guard?

    Here are the three threads I am slowly trying to read. LOL


    https://www.wilderssecurity.com/showthread.php?t=53787


    https://www.wilderssecurity.com/showthread.php?t=53646


    https://www.wilderssecurity.com/showthread.php?t=54724


    Bruce
     
  13. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    NP controler...
    But this thread is NOT about SPI... it's about which firewall out of the three here will suit a certain criteria...

    Edit: link3 is this page itself.
     
  14. ?Lowen

    ?Lowen Guest

    Ajohn-
    what I meant about application filtering being, 'illusionary' is that people tend to rely on it too much, as a 'gate keeper' for their applications on their systems. And the illusion portion being that it will protect your system and its supporting apps from any and all attacks, being internal executed without your knowledge. Granted, I agree that sometimes it is good to control and know what is 'exactly' calling out, but can you do this without any form of application filtering? Is there another way of stopping or deterring certain or all apps from calling home? If your At & AV doesn't stop certain malware, will your application filtering be your savior? In most cases, most likely not!! But like I believe DRI had earlier posted, about a 'leaky' bucket analogy. (I have heard that somewhere before!) makes sense and holds true. I am not saying I am against any form of application filtering. But, it is over-rated and illusionary by how it protects one system.

    No13-
    All those firewalls you asked about are 'stateful like'. None are true-blue stateful!

    Cheers
    Lowen
     
  15. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    My router gives me SPI... anyone know where I can get a list of rules that'll fit any generic router and...
    1. Thwart known attacks
    2. Stealth all ports (while allowing Yahoo messenger etc. to continue)
     
  16. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    For anyone who wants to know why I'm dumping BlackICE... this sprouts as "Alert" in its unobtrusive interface...
    Code:
    Time, Event, Intruder, Count
    15/11/2004 1:08:51 PM, Application Added, 0.0.0.0, 1
    15/11/2004 1:08:51 PM, Application Added, 0.0.0.0, 1
    15/11/2004 1:08:51 PM, Application Added, 0.0.0.0, 1
    15/11/2004 1:08:50 PM, Application Added, 0.0.0.0, 1
    15/11/2004 1:08:50 PM, Application Added, 0.0.0.0, 1
    15/11/2004 1:08:50 PM, Application Added, 0.0.0.0, 1
    15/11/2004 1:08:50 PM, Application Added, 0.0.0.0, 1
    15/11/2004 1:08:50 PM, Application Added, 0.0.0.0, 1
    15/11/2004 1:08:50 PM, Application Added, 0.0.0.0, 1
    15/11/2004 1:08:50 PM, Application Added, 0.0.0.0, 1
    15/11/2004 1:08:50 PM, Application Added, 0.0.0.0, 1
    15/11/2004 1:08:50 PM, Application Added, 0.0.0.0, 1
    
    .... this is repeated many times, in many places at different points in time and with varied no. of lines, stupid, stupid BID..........
    The main reasons I'm dumping Kerio (even after I convinced other ppl. to take it) is mainly that there's no component control, and the "Web" module has bugs... for eg... WSF's cookies are forgotten even when I've set it to allow and its "Private Info" storage is as good as useless (maybe good as a secret Notepad, 'coz no one will look there for your shopping list).
     
  17. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Tiny Wins!!!
    I'm doing Tiny Firewall tomorrow, and I'll use Proxomitron with it. Thanks a bunch guys!!!
     
  18. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
  19. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    You mentioned kerio and blackice but i thought this thread was for sygate, tiny, and outpost. maybe i should reread this entire thread.
     
  20. halfbaked

    halfbaked Guest

    I'm not a firewall expert, so correct me if I'm wrong here, but couldn't you use Outpost with SSM? That way you get a great firewall and still have the app control.

    Also there was a program called Tiny Trojan Trap at one time, it was not a firewall, but a very useful app. that could be used with any firewall. Now it's just the full Tiny firewall. Maybe you could still find it somewhere and use it with the firewall of your choice.
     
  21. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    I currently use Kerio+BlackICE+Armor2Net... all gel well together, but I don't want to use 3 prog.s for the same purpose, when there are perfectly good apps around....
    Basically, I wanted a decent firewall, heavy duty App Control and Content filtering for privacy maintenance. The best combo I see is Tiny+Proxomitron. I don't like the UI of SSM, and I think it has issues with Kerio 4, so I'll try it on someone else's PC first. :)
     
  22. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    @Half Baked...
    I did not like SSM... sorry, but it came at the wrong time for me. I'll try it if Tiny+Proxo don't do the job...
    Thanks.
     
  23. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Hey AJohn... thanks again for an amazing, insightful (and might I add, "Tiny") Post!!!!!
    But I've tried this before, and not until I've completed CCNA, am I going to poke this product again... (CCNA starts in June next year, classes end the February after that... long way to go)
     
  24. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    hmm.. a quadruple post (tho' this post comes a week later)
    Consider this a bump, and another attempt for some answers (Tiny's official forum was not of much help, wouldn't even let me login)
    I'm about to pick up Tiny (I've delayed it for so long 'coz I've had exams)
    I'll be using Tiny+Proxomitron

    Questions...

    1.Does Tiny provide
    a. MAC address/IP address spoofing prevention(cool sygate feature)
    b. OS fingerprint masquerading
    c. Blocking "listen" connections (not just outgoing/incoming connections - kerio just monitors these)
    d. pre service start protection
    e. anti-termination protection(like ZA/sygate)
    f. OCX component startup/injection protection
    g. Any kind of content filtering

    2. What is OLE/COM guard?

    3. Is it true that [proxo+tiny] > [outpost+ssm]

    And finally, does anyone have a resource for a ready-made tiny config to be imported on-the-fly (i.e. min. configuration hassle... I need this only temporarily, until Jan starts, then I'll give it an overhaul)
     
    Last edited: Nov 22, 2004
  25. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I'm constantly switching things up... right now I'm using Outpost with Tiny Windows Security and PcInternetPatrol for checksumming.. is working great :)
     