Preferred firewall for Windows?

Adcadet

Storage Freak
Joined
Jan 14, 2002
Messages
1,861
Location
44.8, -91.5
Hey all,
We recently discussed preferred virus scanner, and thanks to suggestions here a while back started happily using AVG in favor of Norton. For years now I've used ZoneAlarm, which seems to be getting more annoying by the day. Are there any good free alternatives out there for Windows (XP)?
 

LiamC

Storage Is My Life
Joined
Feb 7, 2002
Messages
2,016
Location
Canberra
I've used Kerio (now sold to somebody else, but still available I think) with good effect.

My recommendation is to build a SmoothWall box from parts if you have them lying around--cost = $0. A P166 with 32MB and a 1GB disk will suffice. I ran that sort of config 24/7 for three years without issue. It's now a P!!! 550E, but that has more to do with Folding @ Home than Smoothwall box performance.

I find Windows "snappier" without a soft Firewall running.

Security Rule, if you want to stop something, don't try to stop it on your machine, don't let it get to your machine!

If your willing to spend $$$, and you have ADSL or cable, why don't you get one of the firewall/router/modem setups?
 

mubs

Storage? I am Storage!
Joined
Nov 22, 2002
Messages
4,908
Location
Somewhere in time.
I've become even more conscious of power consumption. A smoothwall box means yet another almost complete system (even if it's headless) and that's something I don't want to do.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,297
Location
I am omnipresent
I suggest sticking with the Windows XP firewall for XP users. NIS, Zonealarm etc are obnoxious and easy to misconfigure, and in some case have moronic default configuration anyway (e.g. McAfee's firewall, which blocks SMB file/printer sharing by default). The one that comes with Windows works just as well for external network security, or at least I haven't heard of it being compromised yet. So much stuff piggybacks off Internet Explorer or runs through "important" system processes (e.g. svchost) that I'm not sure much use there is in blocking individual programs from accessing the internet.

I also suggest that everyone use a router with a firewall of its own. No one should have a high-speed internet access device plugged directly into his or her computer.
 

Tannin

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
4,448
Location
Huon Valley, Tasmania
Website
www.redhill.net.au
Mercutio said:
No one should have a high-speed internet access device plugged directly into his or her computer.

And that about sums it up. I also agree with Merc re firewalls - can someone explain to me what benefit (if any) you can get from Zone Alarm or any other add-on firewall as compared to the XPSP2 one? I can't think of any reason to favour anything else except a real (i.e. hardware) firewall, or if you don't have that, the XPSP2 one.

But maybe someone here knows something Merc and I don't.
 

mubs

Storage? I am Storage!
Joined
Nov 22, 2002
Messages
4,908
Location
Somewhere in time.
ZA worked well, was easy to configure and worked on non-XP versions of Windows. One by one, most of those advantages have been frittered away by it's previous and current owners. Now it doesn't even work like it's supposed to. In the last couple of releases, computers in the trusted zone are still firewalled off. Twice in the last 10 days I have been unable resolve this issue.

I haven't worked much with the XP firewall; if it has a trusted zone, it will do and I will use it without hesitation. If it doesn't, I'll have to look for an alternative.
 

P5-133XL

Xmas '97
Joined
Jan 15, 2002
Messages
3,173
Location
Salem, Or
Tannin said:
can someone explain to me what benefit (if any) you can get from Zone Alarm or any other add-on firewall as compared to the XPSP2 one?

Really the only reason, that I can think of, to get a seperate software firewall is to detect unauthorized internal -> external communication. A situation where a machine has already been compromised by some some unauthorized software that is trying to report back can be effectively stopped. To my knowledge, no external firewall can do that because they can not analyze what specific application is sending the data. Further, the basic XP sp2 firewall does not check authorization of the application for outgoing communication either.

So there is a need, as small as it may be, for a software firewall. Unless, that specific problem is what needs to be protected agains, I would not recommend a software firewall either. A hardware firewall, combined with SP's sp2 firewall and good AV/Spyware protection is good enough for the vast majority.
 

Will Rickards

Storage Is My Life
Joined
Jan 23, 2002
Messages
2,012
Location
Here
Website
willrickards.net
The thing about zone alarm is you have to use an old version and one that works for you. Then turn off the automatic updates.

I stopped having people automatically update because it didn't fix anything for them and it more than likely broke something else. It all started when they tried to do all this other stuff in the free product like e-mail scanning and such.
 

Will Rickards

Storage Is My Life
Joined
Jan 23, 2002
Messages
2,012
Location
Here
Website
willrickards.net
P5-133XL said:
Further, the basic XP sp2 firewall does not check authorization of the application for outgoing communication either.

I think it does. But it has a list of stuff already authorized so joe user virtually never sees the warnings about authorization and more than likely just hits accept and never ask me again.
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,742
Location
Horsens, Denmark
I agree with Tony, Merc, and Buck....use the XP SP2 firewall AND have a hardware firewall (Smoothwall, Linksys, etc) between you and your modem.

PacBell has started using a DSL modem with router and WAP included for free. I'm not sure how much I trust it's firewall, it's a little too "user friendly" (read: featureless) for me, but it doesn't like having a router on the inside.
 

Tannin

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
4,448
Location
Huon Valley, Tasmania
Website
www.redhill.net.au
The thing with an outgoing firewall is, there are essentially only three possible circumstances to consider:

Scenario a: the user has some clues and actually knows what it means when the firewall pops up an "application atomic.exe is tring to access the internet" message, and has a rough chance of figuring out whether to click "allow" or "deny".

Even for geeks, it isn't always easy. (What about the example I just used? Legit? Spyware? Or just useless junk in the Realplayer update class? Answers below, please.)

Under this scenario, the utility of the firewall is practically zero: you have to buggerise around with it, but if you are smart enough to get the yes/no questions right, then you are easily smart enough not to get infected in the first place.

Scenario b: the user is the sort of complete loser who likes nothing better than to sit in front of his machine doing "work" on it - where "work" is defined as getting up in the morning, starting scandisk and watching it run all the way through, then running defrag, then running Sysoft Sandra and HDtach just to make sure everything is working properly, then reconfiguring Zone Alarm, then running Spybot and watching it all the way through, then a pleasant hour and a half moving one of the glowing blue leds half an inch to the left, then it's time for the highlight of the day, running a full scan with Norton System Doctor. After that, it's check the email and forward 16 pages of totally stupid jokes to people who delete them unread because User B's forwarded jokes are always the same ones you first read 6 years ago and didn't laugh at even then. Finally, it's time to run defrag again and go to bed. Tommorow is a special day: he's going to format the system and reinstall Windows. It's way past time for a reinstall, he hasn't actually wiped the drive clean and reinstalled it since Wednesday, and it's running really slow.

Scenario c: the user is a typical and normal user. He or she has absolutely no chance in hell of figuring out WTF all those "application X is trying to use the internet" mesages mean, and must simply guess. Pretty quickly you end up with either of two circumstances: they clicked "no" to something important and now you have them screaming at you because their email isn't working, and unknown to them is that this is because they clicked "no" when the firewall said "application thunderbird.exe is trying to access the internet" because they had never heard of Thunderbird and all they were trying to do was send an email. (Yes, this happens. Frequently. We have to fix this sort of screwup every working week.)

The other possibility is even worse. You've spent hours with them teaching them to think before they click, to be cautious, and not to trust stuff that pops up. Just when you think they have got it, they go home and have this new software firewall which, as a matter of routine, reqires them to click "yes" to stuff they don't understand, weren't expecting, and haven't a clue what it does. This is the worst training it is possible to give to a user. Pretty soon, they are clicking "yes" to "Warning: your computer is infected. Click here to scan and clean", and three days after that you are cleaning Spy Sherrif off their machine (again) and they have just spent another $75 and lost the use of the computer for a couple of days.

Short answer: I cannot think of a single good reason to use a software firewall. Unless you call being User B a good reason, which I don't. User B shouldn't be allowed to own a computer, shouldn't be allowed to drive a car, and on no account should be allowed to have children.
 

Buck

Storage? I am Storage!
Joined
Feb 22, 2002
Messages
4,514
Location
Blurry.
Website
www.hlmcompany.com
Fortunately, most of my users are C and get along just fine without a software firewall. I rarely get user B, and when I do, they usually come along with a user C.
 

Adcadet

Storage Freak
Joined
Jan 14, 2002
Messages
1,861
Location
44.8, -91.5
When you guys talk about a hardware router, are you talking about something more than a pretty typical router like my BEFW11S4?
 

Adcadet

Storage Freak
Joined
Jan 14, 2002
Messages
1,861
Location
44.8, -91.5
Over the past few years I have liked seeing which programs access the internet using Zone Alarm. It made me feel like I had some control over my Windows machine.

Do you guys have a good reference for locking down a network using a hardware router (such as my trusty linksys)?
 

P5-133XL

Xmas '97
Joined
Jan 15, 2002
Messages
3,173
Location
Salem, Or
Adcadet said:
Over the past few years I have liked seeing which programs access the internet using Zone Alarm. It made me feel like I had some control over my Windows machine.

Do you guys have a good reference for locking down a network using a hardware router (such as my trusty linksys)?

Generally, the routers start out quite locked down: by default, virtually everything incoming is blocked unless it the packet is responding to an internal request. Try Shields up to test the firewall.
 
Top