TinTin Trusted SF Member
Joined: 25 Apr 2002 Posts: 188
Posted: Fri May 03, 2002 3:18 am Post subject: [Question] What is the best Windows Firewall?

OK, there are several around on the market, so what do you guys reckon to ZoneAlarm, Net Commando, etc.? Feedback welcome.
ShaolinTiger Forum Fanatic
Joined: 18 Apr 2002 Posts: 2767 Location: Kuala Lumpur, Malaysia
Posted: Fri May 03, 2002 3:24 am

For Windows I would highly recommend what was Tiny Personal Firewall. It is now known as Kerio and is, guess what, FREE. It's available HERE.
By far the best I've found, easy to use yet very configurable as you get more advanced. You can nail it pretty tight if you know what you are doing. It passes all my tests.
I used to like ConSeal best but it doesn't work with Win2k very well and since they got bought out it went all crap.
They have also gone on to make something better known as VisNetic Firewall under the brand Deerfield which is available HERE, but it is *quite* expensive.
ZoneAlarm is OK, a bit bloaty for my liking and too 'simple' but I guess it does the job.
I've also heard some good things about Outpost (http://www.agnitum.com). Aside from basic firewall functions, it has an integrated ad-blocker, attachments filter, and active content filter (i.e. you can filter out popups, JavaScript, etc.).
These are only my opinions though, anyone else have anything to add?
P.S. If you've got the money or you are a small business you can go for Microsoft's ISA (surprisingly good) or Checkpoint's Firewall-1.
_________________ Share your knowledge, it's a way to achieve Immortality.
Quit Smoking - Darknet Hacking
Kung-Fu Geekery
Last edited by ShaolinTiger on Sun May 12, 2002 8:41 pm; edited 2 times in total
TinTin Trusted SF Member
Joined: 25 Apr 2002 Posts: 188
Posted: Fri May 03, 2002 3:45 am Post subject: Topic

Does anyone have an opinion on Norton firewalls?
ShaolinTiger Forum Fanatic
Joined: 18 Apr 2002 Posts: 2767 Location: Kuala Lumpur, Malaysia
Posted: Fri May 03, 2002 3:51 am

1) Norton Internet Security 2000 - Doesn't run under NT -- at all. I guess they don't realize that many machines sold in companies have NT installed. Symantec bought this product from another company and certainly didn't do it any favors. There are other features in the system that may make it worth the $59.95. It really slowed down the machine during attacks but did not fail. It has provisions for parental blocking, blocking cookies and blocking Internet advertisements. If you're looking for a pure firewall, you'll probably want to keep looking.
2) Norton Personal Firewall 2002, Symantec, Windows 95/98/Me/2000/NT/XP, $50 list, annual renewal $7, includes privacy features and cookie manager; Internet Security, $70 list, annual renewal $11, adds anti-virus, ad blocker and parental control (formerly in the family edition). Both are based on the former AtGuard firewall program acquired in 1999 by Symantec; now refined and enhanced. Features -- Effective, works on inbound and outbound traffic, provides pre-written rules for novices, allows experts to write custom rules, suite provides other useful security features; ICSA certified.
My opinion: not bad. But why pay when there are better things available for free?
_________________ Share your knowledge, it's a way to achieve Immortality.
Quit Smoking - Darknet Hacking
Kung-Fu Geekery
TinTin Trusted SF Member
Joined: 25 Apr 2002 Posts: 188
Posted: Fri May 03, 2002 4:09 am Post subject: Norton

I had the Norton Firewall last year as part of a bundle. However, I found it to be a pain in the backside when it came to downloading; sometimes I had to enable or disable certain features before I could download.
I'm now using Norton 2002 Firewall and Antivirus. I find the 2002 firewall a much improved version; it doesn't go mad every time you sneeze.
The AV 2002 scans incoming as well as outgoing mail, also has many more features/options and is less of a pain when downloading.
Last edited by TinTin on Sat Aug 17, 2002 12:04 am; edited 1 time in total
M3DU54 Trusted SF Member
Joined: 11 May 2002 Posts: 414 Location: Las Palmas de Gran Canaria
Posted: Sat May 11, 2002 9:11 am

Personally, I think too much emphasis is placed on firewalls ...
No firewall even comes close to making your machine secure ... Most of the security holes that a hacker will use are in applications you ALREADY allow access through your wall ... take for example something lame like the rather old 'Godmessage' exploits ... email bugs, MSN and ICQ exploitable overflow conditions ... What will your firewall do about these?
NOTHING, that's what ... simply log the packets for later analysis (if your wall even supports logging - many don't).
Turning to trojans... sure, a process-based firewall will detect some of the poor public malware currently being pushed in the media as the biggest threat on the net - but ONLY if they are not modified - for that matter so will your AV solution. But these are just toys.
Other trojans use IPC techniques to get your default browser to do the communication for them ... and guess what, your firewall is probably all set up to allow it.
Although I may sound negative about walls (and don't even get me started on AV) I still suggest you have them because it keeps the less-capable wannabes away from your system for a while ... and let's face it, there is about a 100,000 wannabes to hacker ratio.
But, please, don't for one second think that your choice of firewall/AV solution is going to make a damn bit of difference if anyone with a degree of skill decides to crack your box for fun or profit. Security rhetoric is a multi-billion dollar industry and that's all it is, rhetoric.
Personally, I've never met a local software firewall that can detect or packet log a VxD Layer-0 trojan ... and many can't even detect semi-available LSP/SPI trojans that wrap the base layer. And I've never met even a big-box or corporate solution that can do anything about socketless trojanware using promiscuous or parasitic quoted techniques.
Just one person's point of view. Those that read and trust in the manual will probably wish to differ ... and they are welcome to.
_________________ M3DU54 of +44 'Oderint dum metuant'
chris SF Staff
Joined: 18 Apr 2002 Posts: 846 Location: ~/security-forums
Posted: Sat May 11, 2002 2:21 pm

M3DU54 wrote:
> Personally, I've never met a local software firewall that can detect or packet log a VxD Layer-0 trojan ... and many can't even detect semi-available LSP/SPI trojans that wrap the base layer. And I've never met even a big-box or corporate solution that can do anything about socketless trojanware using promiscuous or parasitic quoted techniques.

Do you have any more documentation on these, and do larger vendors like Cisco, WatchGuard, Checkpoint still have no way of detecting this?
M3DU54 Trusted SF Member
Joined: 11 May 2002 Posts: 414 Location: Las Palmas de Gran Canaria
Posted: Sat May 11, 2002 3:31 pm

A local firewall (as opposed to gateway or hardware) sits either as low in the TCP/IP protocol stack as possible (and naively hopes the OS makes apps behave) ... or it sits as low as it can in the OSI model, generally by wrapping the interface functionality.
The first is ridiculous and the second is highly questionable.
First ...
The first can be got around by tapping the Layered Service Provider's Transport Provider Interface for example... which is essentially one half of the protocol stack (the other being the Namespace Provider Interface) .. this is done by simple inclusion of a .DLL exporting an SPI (Service Provider Interface) at both its upper and lower edges and thus sitting in the middle. By aggressively holding the lowest position in the stack by claiming to all above it to be the base layer etc ... this DLL can not only use ports parasitically but can generate phantom ports that don't show up on netstat and other socket enumeration ... it can also fake in both directions, presenting non-network data to applications as though it were regular traffic - and presenting traffic as though it were formed in an application.
This on its own can present significant problems, exploiting inherent trust in a process-based-firewall environment ... and can even be used to promiscuously listen for quoted commands on ANY port or protocol (and strip such sections before presenting up the stack to the app) ... similarly messages can be quoted into a legitimate stream and passed OUT through the converse method, at least as trusted as the application who apparently generated the traffic.
The second is FAR nastier ...
Not only will it NOT show up on any local firewall (process based or not) due to being on the OTHER side of the firewall's hooking and thus already from OUTSIDE of the machine (in a TCP/IP context) ... it also is running INSIDE the machine in a code context ... The best of both worlds!
Not only this ... but external firewalls and gateways can be fooled by the same quote/dequote scheme as before. And traced back to ... the legitimate app.
This makes every port on your system a trojan, and any log that shows a LEGITIMATELY FORMED transaction could be a trojan command that was stripped prior to the firewall seeing the packets.
Not only this ... from the VxD layer we can intercept any API call, any registry call, and any disk access (even sector reads/writes) ... and filter them and/or remap them and/or return a lie. We've even beaten IDS into submission with this and managed to propagate holes into several layers of backup.
Anyway ... This means that our VxD based trojan is transparent, socketless, promiscuous and has no window/task/thread IDs ... It also may (depending on coding) be impossible to see in a memory scan, drive scan and its registry storage may be invisible to all ... or even different depending on the process doing the asking.
DaVinci Group wrote the MiniBaug LSP trojan in 1999 and several variations of VxD wrapper based trojans for concept over recent years.
Combine these low level tools with some pretty basic exploits and you have a reason not to trust AV/FW solutions as far as you can comfortably spit a horse.
Linux *spit* *spit* is not above this either ... in fact, it can often be easier to install this type of code into the abstract machine representation in a Linux based environment than even the Windows systems, depending on the specific configuration... certainly, IDS systems like Tripwire have never been much of a problem on either system.
Personally, I believe the much hyped Magic Lantern software probably uses such techniques with the added advantage of good co-operative relations with the government's bedpartner, Microsoft... And, if it doesn't ... well, there's no excuse.
Luckily LSP and VxD development are not so openly documented that the lamer can easily exploit these techniques. And DaVinci are a members only non-publishing organisation ... both with code and exploits, by a strictly enforced dissolvement policy. However, anyone with coding experience and a copy of the MSDN DDK (VxD) or the MSDN SDK Subscription (LSP) should find their way given a little determination.
M3DU54 of +44
supervisor@freeuk.com
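The LSP case M3DU54 describes leaves one artefact a defender can audit: a layered provider has to be registered in the Winsock catalog before the stack will load it. The script below is an added example written for this page (not code from the thread and not DaVinci Group code). It parses the text that the Windows command `netsh winsock show catalog` prints and reports layered entries whose DLL is not on an allowlist. The two-DLL allowlist and the sample catalog text are assumptions constructed for the example; a real allowlist is taken from a known-clean reference host. It does not cover M3DU54's "second" case: a driver-level (VxD) implant never appears in this catalog at all.

```python
"""Audit the Winsock catalog for unexpected Layered Service Providers.

Added example (not from the thread): parses the text that the Windows
command `netsh winsock show catalog` prints and reports layered entries
whose provider DLL is not on a reviewer-maintained allowlist.  The allowlist
and the sample catalog below are constructed for illustration.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample of the command's output, trimmed to the fields used
# here: one Microsoft base provider, then a layered provider (and its chain
# entry) loaded from a user-writable directory, then a namespace entry that
# the parser must ignore.
SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Sample LSP (constructed)
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      C:\\Users\\Public\\netfilter.dll
Catalog Entry ID:                   1010
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Sample LSP over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {00000000-0000-0000-0000-000000000002}
Provider Path:                      C:\\Users\\Public\\netfilter.dll
Catalog Entry ID:                   1011
Protocol Chain Length:              2

Winsock Catalog Namespace Entry
------------------------------------------------------
Description:                        Tcpip
Provider ID:                        {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Name Space:                         12
Active:                             1
"""

# Assumed allowlist of Microsoft-shipped Winsock provider DLLs.
ALLOWED_PROVIDER_DLLS = {"mswsock.dll", "rsvpsp.dll"}

FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s+(.*?)\s*$")


@dataclass
class CatalogEntry:
    entry_type: str
    description: str
    provider_path: str
    catalog_id: int
    chain_length: int


def parse_catalog(text):
    """Collect the key/value fields of every 'Provider Entry' block."""
    blocks, fields = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Winsock Catalog Provider Entry":
            fields = {}
            blocks.append(fields)
        elif line.startswith("Winsock Catalog"):  # namespace entries: not audited here
            fields = None
        elif fields is not None:
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
    return [CatalogEntry(f.get("Entry Type", ""), f.get("Description", ""),
                         f.get("Provider Path", ""), int(f.get("Catalog Entry ID", "0")),
                         int(f.get("Protocol Chain Length", "0"))) for f in blocks]


def dll_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_lsps(entries, allowed=ALLOWED_PROVIDER_DLLS):
    """Return findings for layered entries that are off-allowlist or outside system32."""
    findings = []
    for e in entries:
        if not e.entry_type.startswith("Layered"):
            continue  # base providers are installed by the OS itself
        reasons = []
        if dll_name(e.provider_path) not in allowed:
            reasons.append("DLL not on allowlist")
        if "\\system32\\" not in e.provider_path.lower():
            reasons.append("DLL outside system32")
        if reasons:
            findings.append({"catalog_id": e.catalog_id, "entry_type": e.entry_type,
                             "dll": e.provider_path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Usage: netsh winsock show catalog > catalog.txt  &&  python lsp_audit.py catalog.txt
    text = (open(sys.argv[1], encoding="utf-8", errors="replace").read()
            if len(sys.argv) > 1 else SAMPLE_CATALOG)
    for f in audit_lsps(parse_catalog(text)):
        print(f"[!] entry {f['catalog_id']} ({f['entry_type']}): {f['dll']}: {', '.join(f['reasons'])}")
```

Run without an argument it audits the constructed sample and flags entries 1010 and 1011; with a file argument it audits a real capture. Comparing the output against the catalog captured from the same host before it went into service is the more useful check, since a legitimately installed third-party LSP will also trip the allowlist.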
flw Forum Junky
Joined: 27 May 2002 Posts: 949 Location: U.S.A.
Posted: Wed May 29, 2002 5:13 am

Simple answer. The best Windows firewall is one that uses a Cisco PIX firewall located in a DMZ for all internal activity. :>
fastlanwan
M3DU54 Trusted SF Member
Joined: 11 May 2002 Posts: 414 Location: Las Palmas de Gran Canaria
Posted: Thu May 30, 2002 2:13 am

The 'best' solution as you describe is only barely a solution. Firewalls offer virtually no protection. Of course, I'm going to get slammed for saying that so let me ask some questions and readers can decide for themselves if their gateway firewall would cope.
1. Trojan/Worm uses default mailer
2. Trojan/Worm uses common messaging clients (ICQ, MSN, AIM...)
3. Trojan uses default browser
Even less complicated... Trojan is configured to call out to port 80 or a port in the temporary range on a remote.
Let's face the facts... A firewall does very little to protect anyone. Local walls are easily disabled or bypassed using a range of tricks varying from the simple to the complex. Gateway and hardware firewalls are far easier as rulesets are horribly ambiguous in almost all cases - or at least - they are if you want general connectivity.
Of course, firewalls are the industry's new darling product worth billions per year... The term 'Firewall' conjures up images of near impenetrable solid barriers - they are actually just filters but that didn't sound quite so dependable.
Anyone that pushes a firewall as a 'solution' is just falling for marketing hype because they ALL fall a long way short of addressing ANY real problems. The same is true of those that trumpet on endlessly about Linux having excellent security...
Still, what the hell do I know. Feel free to disagree.
Mongrel Trusted SF Member
Joined: 30 May 2002 Posts: 1347
Posted: Thu May 30, 2002 4:52 am Post subject: M3DU54 - Quite outspoken

and seemingly very experienced. I'll agree that there are endless ways to get around or through even the most high-end firewall devices. Port 80 is always there and they'll be finding more and more ways to exploit it.
Now let's talk the difference between home and business use - two versus two hundred stations.
At home, you have the mostly wide open computers with all the standard ports open - SNMP, WWW, FTP, NETBIOS, on and on. Joe average is not going to drill down and disable services or block ports manually. For this purpose I would see a firewall of great value. For $100 you can get a decent hardware router/firewall that will do NAT, stateful inspection, even disable ICMP to your public IP so the script kiddies and scanners will most likely bypass you.
I have been doing this computer thing for fifteen years and I can tell you from experience, Joe home user can get by quite nicely with a decent router and good up-to-date AV - that is unless Joe home user is busy doing other activities that may call attention to his computer from unscrupulous sources. In that case, you get what you ask for and you better be prepared to pay the price.
The biggest risk people face is being robbed of their identity (SS#, credit cards, bank info etc.) at a "secure" website, opening up all the stupid unsolicited email attachments, or handing out their real email address to too many places. Mostly common sense things.
In a business application, a firewall is essential to close up the two hundred machines as much as possible and NAT the addies to private non-routable IPs. HOWEVER - depending on the sensitivity of the corporate data, a firewall is but one small piece of the picture.
It's a new science you are discussing that is evolving daily and will continue to do so as long as we use this heap of wire we call the Internet.
Respectfully submitted
Haknwak
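Mongrel's "stateful inspection" and M3DU54's "trojan is configured to call out to port 80" are two views of the same mechanism, and a few lines make the boundary concrete. The following is an added example for this page, not code from the thread or from any router vendor: a toy stateful filter over constructed packets. It shows the inbound probes and ICMP such a router drops, the reply it lets back in because the LAN opened the connection, and the outbound connection on a permitted port that it cannot tell apart from a browser. Addresses (RFC 5737 documentation ranges), ports and the egress policy are constructed; NAT is not modelled.

```python
"""Minimal stateful packet filter, an added illustration for this thread of
what "stateful inspection" at a home router buys you and what it does not.
Unsolicited inbound connections and inbound ICMP are dropped, replies to
connections the LAN opened are allowed, and any outbound connection to a
permitted port is allowed regardless of which program made it.  NAT is not
modelled; every address and packet below is constructed.
"""
from collections import namedtuple

# direction is "in" (from the Internet) or "out" (from the LAN);
# flags is a set of TCP flag names, empty for UDP/ICMP.
Packet = namedtuple("Packet", "direction proto src sport dst dport flags")

EGRESS_PORTS = {53, 80, 443}  # constructed outbound policy: DNS and web only


class StatefulFilter:
    def __init__(self, egress_ports=EGRESS_PORTS):
        self.egress_ports = egress_ports
        self.table = set()  # (proto, lan_ip, lan_port, remote_ip, remote_port)
        self.log = []       # (verdict, reason, packet), kept for later analysis

    @staticmethod
    def _key(pkt):
        """Normalise a packet to its LAN-side connection tuple."""
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def _decide(self, pkt, verdict, reason):
        self.log.append((verdict, reason, pkt))
        return verdict

    def filter(self, pkt):
        if pkt.direction == "in" and pkt.proto == "icmp":
            return self._decide(pkt, "DROP", "ICMP to the public address is disabled")
        if self._key(pkt) in self.table:
            return self._decide(pkt, "ALLOW", "part of an established connection")
        if pkt.direction == "in":
            return self._decide(pkt, "DROP", "unsolicited inbound connection")
        if pkt.proto == "tcp" and "SYN" not in pkt.flags:
            return self._decide(pkt, "DROP", "TCP packet with no state and no SYN")
        if pkt.dport not in self.egress_ports:
            return self._decide(pkt, "DROP", f"outbound port {pkt.dport} not permitted")
        self.table.add(self._key(pkt))
        return self._decide(pkt, "ALLOW", "new outbound connection, state recorded")


def run_scenario():
    """Six constructed packets against a fresh filter; returns the verdicts in order."""
    fw = StatefulFilter()
    packets = [
        # 1. scanner probes NetBIOS on the LAN host: inbound, no state -> DROP
        Packet("in", "tcp", "203.0.113.9", 40000, "192.168.1.10", 139, {"SYN"}),
        # 2. ping from the Internet -> DROP
        Packet("in", "icmp", "203.0.113.9", 0, "192.168.1.10", 0, set()),
        # 3. browser opens HTTPS -> ALLOW, state recorded
        Packet("out", "tcp", "192.168.1.10", 51000, "198.51.100.20", 443, {"SYN"}),
        # 4. server's SYN/ACK matches that state -> ALLOW
        Packet("in", "tcp", "198.51.100.20", 443, "192.168.1.10", 51000, {"SYN", "ACK"}),
        # 5. some other program on the same host calls out on port 80 -> ALLOW:
        #    the filter sees a permitted port, not which program asked
        Packet("out", "tcp", "192.168.1.10", 51001, "203.0.113.9", 80, {"SYN"}),
        # 6. outbound IRC -> DROP by egress policy
        Packet("out", "tcp", "192.168.1.10", 51002, "203.0.113.9", 6667, {"SYN"}),
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The verdicts come out DROP, DROP, ALLOW, ALLOW, ALLOW, DROP. Packets 1, 2 and 6 are the value Mongrel describes for a home user; packet 5 is M3DU54's objection, and closing that gap needs something on the host that knows which program opened the socket, which is where the rest of the thread goes.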
ShaolinTiger Forum Fanatic
Joined: 18 Apr 2002 Posts: 2767 Location: Kuala Lumpur, Malaysia
Posted: Thu May 30, 2002 2:10 pm

Hi again M3dz
Correct again, in some aspects at least.
I wouldn't push a firewall as a complete solution but it is part of the solution...the onion approach blah blah.
If you have a firewall and 100 machines, rather than all 100 machines being wide open to the net you have 1 point which can control them?
Easier no?
If they can't run any exploitable apps, and clients won't be running services apart from hexed trojans and DDoS what can get through?
1) Client has secure default mailer (e.g. none/web or intranet interface)
2) ICQ MSN AIM IRC are all banned, blocked at the firewall and in policies
3) A securer browser than IE is used as default. (Opera 6.03 as grey magic just found a bug in 6.02)
And the trojan in the first place has to be run, if you don't have any of the above mentioned insecurities.
Most of prevention is in education of the users, not fancy bits of software/hardware.
I like firewalls, they stop people being nosey and they save me having to go round each of 100 machines individually securing each one.
I don't think there is any *one* solution, one ring to rule them all.
It's a combination of many things, then you get to the best situation you can with the resources available.
Basic security checking, education of users, Firewall, IDS, AV on mail and clients.
Not much more you can do than that, apart from if you start getting funky with your Windows Kernel.
And as for Linux, I think I can secure Windows better than most l33t people can secure Linux.
Windows is harder to break once it's tightened I think.
I may be wrong..
But I'm no expert
Shaolin.
P.S. What the hell do I know?
_________________ Share your knowledge, it's a way to achieve Immortality.
Quit Smoking - Darknet Hacking
Kung-Fu Geekery
ShaolinTiger Forum Fanatic
Joined: 18 Apr 2002 Posts: 2767 Location: Kuala Lumpur, Malaysia
Posted: Thu May 30, 2002 2:12 pm Post subject: Re: M3DU54 - Quite outspoken

haknwak wrote:
> That is unless Joe home user is busy doing other activities that may call attention to his computer from unscrupulous sources. In that case, you get what you ask for and you better be prepared to pay the price.

Er what price is this? I think this relates to me? But I've never paid any price?
_________________ Share your knowledge, it's a way to achieve Immortality.
Quit Smoking - Darknet Hacking
Kung-Fu Geekery
Mongrel Trusted SF Member
Joined: 30 May 2002 Posts: 1347
Posted: Thu May 30, 2002 4:50 pm

Didn't mean to upset anyone Shaolin - Also didn't mean to implicate anyone. I generally try to avoid places where I put myself in jeopardy.
The price is loss of your computer and/or its contents and possible legal consequences. If you have never paid this price, you are knowledgeable and adequately protected.
I deal with people on a regular basis who constantly claim to have been hacked.
They are oftentimes playing in places they shouldn't ought to be and unknowledgeable in anonymizing techniques or even the most rudimentary protection.
M3DU54 Trusted SF Member
Joined: 11 May 2002 Posts: 414 Location: Las Palmas de Gran Canaria
Posted: Thu May 30, 2002 4:54 pm

ShaolinTiger wrote:
> I wouldn't push a firewall as a complete solution but it is part of the solution...the onion approach blah blah.
> If you have a firewall and 100 machines, rather than all 100 machines being wide open to the net you have 1 point which can control them?
> Easier no?

No, easier is to disable daemons and set adequate security policies to restrict the applications that have access to the network interface.
The firewall should NEVER be expected to provide increased security.

ShaolinTiger wrote:
> If they can't run any exploitable apps, and clients won't be running services apart from hexed trojans and DDoS what can get through?

And you can recognise an exploitable app? Oh, wait ... you mean apps that have published exploits. I think you'll find that most exploits are found by the blackhat community and not released until something better comes along ... woe to those who use securityfocus.
Of course, since some admins have a godlike ability to 'smell' exploitable code from 12 boxes away this is hardly a problem. But the less omniscient among us rely on popular opinion and lack of evidence to the contrary ... and this, unfortunately, is almost always insufficient.
I'm happy that you appear to have such an instinctive recognition.

ShaolinTiger wrote:
> 1) Client has secure default mailer (e.g. none/web or intranet interface)
> 2) ICQ MSN AIM IRC are all banned, blocked at the firewall and in policies
> 3) A securer browser than IE is used as default. (Opera 6.03 as grey magic just found a bug in 6.02 :twisted: )
> And the trojan in the first place has to be run, if you don't have any of the above mentioned insecurities.

Okay, and how long were you running Opera 6.02 before some benevolent soul released the exploit? I think you will find that the exploit archives of most groups are larger than those published archives you rely on.

ShaolinTiger wrote:
> Most of prevention is in education of the users, not fancy bits of software/hardware.

You cannot educate the user in avoiding exploitable code. Unless, of course, you have the time and resources to train them in ASM and the use of NuMega SoftICE as an exploit finding tool - Oh, and can actually DESCRIBE the nature of exploitable sections and how they appear in code.

ShaolinTiger wrote:
> I like firewalls, they stop people being nosey and they save me having to go round each of 100 machines individually securing each one.

If you don't want people being 'nosey' then don't export information. Your firewall COULD block ports - or - you could remove the daemon - or - you can edit the version strings - or - etc....

ShaolinTiger wrote:
> I don't think there is any *one* solution, one ring to rule them all.
> It's a combination of many things, then you get to the best situation you can with the resources available.
> Basic security checking, education of users, Firewall, IDS, AV on mail and clients.

There is not one ring to rule them all ... no. But, well ... let's just say that if there was it certainly wouldn't be firewall-shaped.

ShaolinTiger wrote:
> Not much more you can do than that, apart from if you start getting funky with your Windows Kernel.

Ummm, or just restricting applications' access to the TCP/IP interface based on their MD5 sum.
Then running each executable as a separate user and setting the user's security profile to disallow access to every resource, folder, etc ... that it doesn't directly require. Including mapping /tmp and other shared folder resources to unique folders within the application's allowed file tree.
Personally both my Windows and Slackware boxes use my own security profile which enables me to restrict each application to its own virtual machine which exposes ONLY the primitives, folders, resources and kernel/library methods that it requires. Of course, that's not a user-friendly solution, it's a coder's solution.
Although I can't guarantee that my apps are NOT exploitable (unlike most admins today I'm not gifted with Godlike omniscience) I CAN make sure that an exploit could not survive within the app's context long or do anything at all 'useful' without flagging me or restarting the process.
I mean ... I must be an idiot - but I've happily run an IE 5.x browser right through all the Godmessage and 5.x-worm days with no firewall ... true, occasionally my OE popped up a Godmessage which attempted to execute within my IE context and failed - Convention says I should run AV and a firewall.
Of course, that's fine - until you get an unknown or modified virus/trojan/worm ... or a trojan uses the default browser (regardless of its type and version) to communicate with a remote perl ... etc ... Which would affect all those who blindly place their faith in the Gods of AV/FW.

ShaolinTiger wrote:
> And as for Linux, I think I can secure Windows better than most l33t people can secure Linux.
> Windows is harder to break once it's tightened I think.
> I may be wrong..

You know we could get into a lot of trouble for even thinking that? lol
BTW: Sarcasm is just my way - No offence is intended nor should any be taken.
_________________ M3DU54 of +44 'Oderint dum metuant'
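M3DU54's alternative to a process-name rule, keying a program's network permission on a digest of its executable, is short enough to show in full. The code below is an added example written for this page, not M3DU54's own security profile: it enrolls an executable's digest together with the destination ports it may reach, then refuses a connection attempt when the file on disk no longer matches. It uses SHA-256 where the post says MD5, because MD5 collisions are practical today, and the "executables" are constructed files in a temporary directory; nothing is executed or connected.

```python
"""Application network allowlist keyed on the executable's digest.

Added example for the approach M3DU54 describes: instead of trusting a
process by name or path, the policy records a digest of the executable and
refuses network access when the on-disk file no longer matches.  SHA-256 is
used in place of the MD5 the thread mentions.  The executables here are
small constructed files in a temporary directory; nothing runs or connects.
"""
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class NetworkPolicy:
    """Maps an executable path to the digest allowed to use the network and
    the destination ports that program may reach."""

    def __init__(self):
        self.rules = {}  # path -> (digest, frozenset of allowed ports)

    def enroll(self, path, allowed_ports):
        self.rules[path] = (file_digest(path), frozenset(allowed_ports))

    def check(self, path, dport):
        """Return (verdict, reason) for a connection attempt by `path` to `dport`."""
        if path not in self.rules:
            return ("DENY", "no rule for this executable")
        expected, ports = self.rules[path]
        if not os.path.exists(path):
            return ("DENY", "executable missing")
        if file_digest(path) != expected:
            return ("DENY", "executable changed since enrollment")
        if dport not in ports:
            return ("DENY", f"port {dport} not allowed for this executable")
        return ("ALLOW", "digest and port match policy")


def demo():
    """Enroll a stand-in 'browser', then overwrite it in place and show that
    the rule, which is keyed on content rather than path, no longer applies."""
    with tempfile.TemporaryDirectory() as d:
        browser = os.path.join(d, "browser.exe")
        with open(browser, "wb") as f:
            f.write(b"constructed stand-in for a browser binary")
        policy = NetworkPolicy()
        policy.enroll(browser, {80, 443})
        before = policy.check(browser, 443)
        wrong_port = policy.check(browser, 6667)
        # Same path, different bytes: a path-keyed rule would still match here.
        with open(browser, "wb") as f:
            f.write(b"constructed stand-in for a modified binary")
        after = policy.check(browser, 443)
        return before[0], wrong_port[0], after[0], after[1]


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The policy logic is the portable part; enforcing it needs a hook at the point where the connection is made (a filter driver on Windows, or the per-application users and restricted profiles the post describes on Linux). It also answers only "is this the binary I enrolled": code that executes inside a trusted process, which is the LSP point M3DU54 made earlier in the thread, still inherits that process's permission, so this check complements rather than replaces restricting what the process can reach.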
Mongrel Trusted SF Member
Joined: 30 May 2002 Posts: 1347
Posted: Fri May 31, 2002 3:51 am

M3DU54 - Awesome response.
Not to be a smartass here - genuinely curious and genuinely impressed with your knowledge - how would you set policies where virtually every computer needs access to just about every server in a network?
I could limit many machines/users from administrative access (already done) and control some functions within a few servers, but by far and large, 80% of my computers must be able to use just about every resource on the network at one time or another.
Even if I were to segregate and form general policies, for programmers, data entry (and yes, they too need access to just about every box in the house), office workers etc., the groups would be so large that an attack on any one device would affect nearly the entire enterprise.
TIA