Posts: 2,072
Threads: 62
Joined: May 2006
Reputation:
0
Firewall recommendations
05-05-2009, 06:33 AM
I've been using ZoneAlarm Pro for some time, and it seems to have served its purpose, but some of its issues are getting tiresome, and when I
installed a newer version on a second computer it caused massive lag and instability. So I'm looking for something better.
Anyone have any suggestions?
-Morgan.
Posts: 2,635
Threads: 170
Joined: Mar 2008
Reputation:
0
friend of mine uses Kerio.
I stick with external hardware
"No can brain today. Want cheezeburger."
From NGE: Nobody Dies, by Gregg Landsman
http://www.fanfiction.net/s/5579457/1/NGE_Nobody_Dies
Posts: 2,354
Threads: 83
Joined: Jul 2005
Reputation:
0
I'll echo Wire's sentiment. In any home/small office situation I've been in a router has been in place.
All of the modern ones I've dealt with have some sort of firewall capability. Though most of the need for one is taken care of with nat-ing.
I'm not familiar with what Zone Alarm Pro does. Do you want to do more than just block unsolicited traffic to your devices?
-Terry
-----
"so listen up boy, or pornography starring your mother will be the second worst thing to happen to you today"
TF2: Spy
Posts: 1,449
Threads: 137
Joined: May 2007
Reputation:
0
Thirding Wire and Sweno. However, despite my reliance on external hardware (my router, in this case), I do see a valid need for a software firewall: namely,
when you're using a laptop and may be connecting to an uncontrolled access point.
If that's the scenario... I still recommend ZoneAlarm. In my experience it's never been responsible for lag and instability. The one time I saw that
was due to a competing product trying to do the same job, ZA just brought it to light (I wasn't aware that a firewall was already running).
I use the free ZA, maybe the Pro version has other issues.
Still, though, if you're behind a router -- one that does NAT -- then there's no need for a firewall to be running on your machine. If you're
talking a desktop that isn't going to be connecting to J. Random Access Point, then don't bother with -any- firewall. AV and anti-spyware, sure.
Firewall, no need.
--sofaspud
--"Listening to your kid is the audio equivalent of a Salvador Dali painting, Spud." --OpMegs
CattyNebulart
Unregistered
Sofaspud Wrote: Still, though, if you're behind a router -- one that does NAT -- then there's no need for a firewall to be running on your machine. If you're talking a desktop that isn't going to be connecting to J. Random Access Point, then don't bother with -any- firewall. AV and anti-spyware, sure. Firewall, no need.
I disagree, multilayered defenses are better, and more importantly many of the better firewalls (like ZoneAlarm) give you the option of stopping outgoing traffic.
ZoneAlarm is the best Windows firewall I have used, and for home use it is the one I would recommend without hesitation. However I have also not used Windows in almost 8 years, so things might have changed.
E: "Did they... did they just endorse the combination of the JSDF and US Army by showing them as two lesbian lolicons moving in together and holding hands and talking about how 'intimate' they were?"
B: "Have you forgotten so soon? They're phasing out Don't Ask, Don't Tell."
Posts: 1,450
Threads: 168
Joined: Oct 2003
Reputation:
2
If you have a NAT at home, all you really need is Windows Firewall, a decent live virus scanner (I'm fond of avast! lately since AVG's gone goofy), and
some attention paid to your browsing habits.
Posts: 2,354
Threads: 83
Joined: Jul 2005
Reputation:
0
The point about laptops in coffee shops is a valid one. Some sort of software firewall in that situation is not a bad idea. Are we talking about laptop or
desktop?
-Terry
-----
"so listen up boy, or pornography starring your mother will be the second worst thing to happen to you today"
TF2: Spy
Posts: 417
Threads: 27
Joined: Jan 2006
Reputation:
0
If it's just a firewall you need I'd suggest just turning on the built-in firewall that every Windows version since XP has had. If it's for dealing with potential spyware and viruses, which I suspect is the case since you've been using ZoneAlarm Pro... then I would suggest F-Secure Internet Security http://www.f-secure.com/en_EMEA/ which I've used for the last four years or so since I abandoned the Norton Internet Security my PC had come with.
I do not recommend Norton Internet Security at all as it is, in my experience, a resource hog (at least as far as the consumer version; I've heard that it is a very different tale as far as the corporate version is concerned).
--Werehawk--
My mom's brief take on upcoming Guatemalan Elections "In last throes of preelection activities. Much loudspeaker vote pleading."
Posts: 1,449
Threads: 137
Joined: May 2007
Reputation:
0
Quote: CattyNebulart wrote:
I disagree, multilayered defenses are better, and more importantly many of the better firewalls (like zonealarm) give you the option of stopping outgoing
traffic.
... to which I point out, that's what your router is for.
If you're NATted, you need not worry about incoming traffic (excepting things like drive-by installs and whatnot, which a firewall won't stop anyway;
that's your AV/anti-spyware package's job).
If you're interested in blocking outbound traffic, I'd have to ask why. I mean, if your AV/AS software is working as designed, and you're not
trying to catch every bit of malware out there (and thus getting stuff they don't know how to handle yet), then
the only outgoing traffic from your PC is going to be stuff you originate. Why would you want to block that?
If it's a case of wanting to filter some outbound traffic (for example, if I wanted to, I dunno, keep my kid from
serving up files via BitTorrent or something), that's a job better suited to your router, again. A software firewall on the same machine it's intended
to protect is already in a compromised situation -- the user can simply turn it off, for example. For laptops and wifi it's the best of a bad lot, so you
still use it. For a home network it simply makes no sense.
--sofaspud
-- "Listening to your kid is the audio equivalent of a Salvador Dali painting, Spud." --OpMegs
Posts: 2,072
Threads: 62
Joined: May 2006
Reputation:
0
I'm a believer in defense in depth.
I am in fact using a NAT router now. (I wasn't when I first set up the firewall. At that point I was using an internal modem, so my options were kind of limited.) But without any outbound filtering, there's nothing helping you if your AV/AS *doesn't* catch something.
Quote: If that's the scenario... I still recommend ZoneAlarm. In my experience it's never been responsible for lag and instability. The one time I saw that was due to a competing product trying to do the same job, ZA just brought it to light (I wasn't aware that a firewall was already running).
Only other firewall on this particular machine was the Windows Firewall (which ZoneAlarm turned off). From searching their forums, it's a problem other people have had too. One of the processes ends up using 99% of the processor... forever, basically. x.x
(Also, Windows Firewall isn't really an option for a Windows 2000 machine. '.' )
-Morgan.
Posts: 1,449
Threads: 137
Joined: May 2007
Reputation:
0
Yowch. 99% processor suck, that's not fun.
I've never encountered that... but I haven't run W2k in, well, forever, and when I did it wasn't on a laptop and had (you guessed it) an external
firewall.
Maybe it's the Pro version, or maybe it's the ZA/OS interaction, I dunno. But yeah, ZA needs to go in that case. Wire's recommendation of Kerio
is a good one -- we used to use them back when I was setting up corporate networks. They's 'spensive for a corporate solution, which it doesn't
sound like you need. Kerio Personal Firewall was their home offering, and it's now offered by Sunbelt. I can't recommend for or against it, because I
haven't used it since the switchover... but Kerio made a damn fine corporate product, so I'd be willing to give it a trial run, personally.
As for the multi-layered defense... it's a trade-off. If it makes you feel more secure, by all means run with it. I personally don't like the
performance hit it generates, and the added layer of complexity (and potential for "WTF, why won't you talk to each other?" moments) isn't
worth the perception of greater security to me.
As an anecdotal data point: my FTP server is the only machine on my internal network that's ever been attacked -- which, well, duh, it's the only one
visible from the outside. My router has been attacked a couple hundred times -- just part of the territory on any high-speed link these days. No other
attacks make it past the NAT. None of the attacks have been successful. The thing is, this is in the bog-standard configuration, basically; I've applied
one firmware update to the Cisco, and that was for the Code Red thing waaaaaay back when.
That's not to say that security isn't needed, or that you won't be attacked? But all I'm saying is, consider the trade-off realistically. If
the firewall you're using is causing you problems, the question might not be "which one is better", but rather, "do I need one at all?"
What router are you using, if you don't mind me asking? A lot of them can do outbound filtering as well.
--sofaspud
--"Listening to your kid is the audio equivalent of a Salvador Dali painting, Spud." --OpMegs
CattyNebulart
Unregistered
Quote: As for the multi-layered defense... it's a trade-off. If it makes you feel more secure, by all means run with it. I personally don't like the performance hit it generates, and the added layer of complexity (and potential for "WTF, why won't you talk to each other?" moments) isn't worth the perception of greater security to me.
I feel the performance hit is minor enough on a fairly high end machine that is used primarily for word processing and Excel that it is worthwhile. Especially since the user doesn't know and doesn't want to know how to keep safe on the net. Also a whole bunch of legitimate applications phone home each startup, which is annoying and gives out a lot of privacy information. Then there is always the chance of catching a piece of malware that the virus and adware scanners can't yet detect. Then there is a wireless access point on the network, and the router doesn't secure the LAN, just what comes in from the net.
All in all a reasonable precaution given the situation above. But yes, it is based on the situation, and not everyone will need a software firewall. However I would argue that most people do need a software firewall. In fact I would argue that everyone that browses with JavaScript enabled needs a software firewall.
E: "Did they... did they just endorse the combination of the JSDF and US Army by showing them as two lesbian lolicons moving in together and holding hands and talking about how 'intimate' they were?"
B: "Have you forgotten so soon? They're phasing out Don't Ask, Don't Tell."
Posts: 2,072
Threads: 62
Joined: May 2006
Reputation:
0
It was the pro version. (And it was actually on the computer with XP that happened. It's not causing such problems on the 2K machine... but I also
haven't upgraded to the version that apparently has the issue.)
The advantage of the software firewall is that it can allow or disallow access by program, which I wouldn't expect the router to be able to do. (This modem
doesn't seem to have outbound filtering at all.)
-Morgan.
Posts: 400
Threads: 66
Joined: Nov 2003
Reputation:
1
I came across this topic last night and it was too late for me to put my two cents worth in then... now some 12 hours later when I'm a little more awake...
here goes:
*wince* my inner security 'know it all' is a-cringing... big time.
Trust me on this. I spent a semester studying this last year - all about internet and network security. What's all that learning translate into the real
world? Not a lot... but it should be enough for me to give some pointers.
To survive the net and be relatively safe, you need three levels of protection:
1) Firewall,
2) Anti-Virus,
3) Spyware + Malware
Did I forget to mention level 4? Regularly maintained and Up-to-date versions.
Anyway... Stage 1) Firewalls.
Contrary to popular opinion, a hardware firewall is only partial protection. A -Serious- Cracker, (note the capital C) can get around the simple measures that
hardware firewalls put in place. (I've seen a Cracker get around a NAT system... it wasn't simple but it can be done) And the Windows firewall isn't
worth the code it is written with. (Don't get me started on Nortons.)
That is why you need a software firewall, in addition to any hardware firewalls. They muddy the water so to speak and make it harder for any Crackers to get
in. Go to www.firewallguide.com. This place is a good
repository of info. The page you need in particular is here: the Personal Firewalls page. It has a list of articles that is very interesting reading, as well as links to some
providers of firewalls. Of the ones listed, I personally recommend Online Armor, and Comodo. Why? I use one and my sister used to use the other before it choked
on a 'critical patch for 64bit XP'. But then I generally know my way around a computer and so does my sister.
For a comparison of firewalls and how well they protect: go to the Firewall Testing page on that guide site, which will send you to some sites that will test how secure your current
setup is, and will also send you to www.matousec.com which regularly tests available products and
sees which is the best. Yes they are independent, and well respected by most in the industry. Just read the fine print at the bottom of the page or get someone
to explain it to you.
My personal setup?
The modem is connected to the Gateway (which has own software firewall);
which is connected to a firewalled switch;
which is then connected to me via a LAN.
I run a software firewall (Online Armor, Paid edition);
I run an 'always on' anti-viral engine, (avast!)
I run a Spyware and Malware scanner regularly, (Spybot & Ad+Aware)
I update, scan, and BACKUP regularly.
Hope this helps.
Shader
Posts: 2,072
Threads: 62
Joined: May 2006
Reputation:
0
... And of course the most recommended ones don't seem to have Windows 2000 versions. *stare*
-Morgan.
paladindythe
Unregistered
Something to keep in mind
05-06-2009, 09:17 AM
Microsoft has already stopped adding features to Windows 2000. Any programs that are incompatible with Win2K are likely to stay that way.
http://en.wikipedia.org/wiki/Windows_20 ... _lifecycle.
Here's my opinion: if you have spyware on your system, it's compromised. At best, a software firewall can help you spot that you've been
compromised---maybe. Win2K is missing security features that are in WinXP SP2, at least according to Microsoft; I'd recommend against someone
who's--not computer savvy--from using it. That being said, here are some recommendations to protect your system.
- If you need a simple one stop protection suite, well, AVG isn't bad, and it's very lightweight, and compatible with Win2K.
(Antivirus/antispyware is free, suite is something like $60/year, with some deals for multiple computers and/or multi-year contracts) http://free.avg.com/
Also, if you are legitimately concerned about being deliberately targeted and hacked, you are going to need a more professional (and stand alone) system.
Astaro comes highly recommended. Astaro
Security Gateway
CattyNebulart
Unregistered
If you use Firefox, use the NoScript plugin. JavaScript is a security nightmare.
E: "Did they... did they just endorse the combination of the JSDF and US Army by showing them as two lesbian lolicons moving in together and holding hands and talking about how 'intimate' they were?"
B: "Have you forgotten so soon? They're phasing out Don't Ask, Don't Tell."
Posts: 2,354
Threads: 83
Joined: Jul 2005
Reputation:
0
Firefox + noscript + adblock + flashblock = wow, usable web.
-Terry
-----
"so listen up boy, or pornography starring your mother will be the second worst thing to happen to you today"
TF2: Spy
Posts: 1,450
Threads: 168
Joined: Oct 2003
Reputation:
2
For the record:
Every test I could find on that Firewall testing page passed my system (and my wife's, which runs Trillian) as fully secure:
Linksys Broadband Router
Windows Firewall
IE 8 (somewhat modified for higher security)
Windows Defender
Avast! Free
Ad-Aware Free
I do agree with Microhue's backing up philosophy. But that's mostly because I work on the philosophy that a disk *will* fail, and you *will* lose all
the data on it, so keep copies of important stuff.
I personally have a secondary disk in my PC where I copy all essential stuff from my system disk (personal data, etc). That disk is then copied to an external.
I then copy that stuff to a DVD, and take it with me to work.
Posts: 2,072
Threads: 62
Joined: May 2006
Reputation:
0
XP wasn't an option until quite recently for that machine, due to unavailability of critical drivers. '.'
As it is, I was considering an XP install anyway, but since it's going to be a dual boot setup, I'd like to have something on 2000 as well... Well, I
suppose ZA will probably be fine under the circumstances.
Edit: I'm coming to think that Irene really doesn't want to run Windows XP. The DVD drive which works just fine in Windows has various errors during
the XP install program, and none of the alternate methods I've tried have worked so far... -.-
-Morgan.