Fog Creek Software
Discussion Board
Personal Firewalls?

Which Personal Firewall(ZoneAlarm, Tiny Firewall, etc.) software do you use on your laptop/desktop, home/office (if any)?
If you are using one, do you see any issues with internet speed?
I have tried different ones, like Outpost, Norton, ZoneAlarm etc. but not been very happy. Any recommendations? Thanks for all your inputs.

Yaniv
Wednesday, March 26, 2003

I use no personal firewalls.  I have an aging Pentium that has OpenBSD installed on it that provides all the firewalling, NATing, and other such fun that I need.

flamebait sr.
Wednesday, March 26, 2003

Most Windows-based firewall software works in an end-node configuration, and it just doesn't work that well for most power users.

In the end you are best served having a dedicated Pentium to process that <3.5Mbps of traffic using OpenBSD or Linux.
As a bonus you might have Linux or OpenBSD be the PPPoE client and do reserved NAT mapping, mapping its XX.XX.XX.XX:80 to your 192.168.XX.XX:80.

Such a server can also help you do KaZaa downloads and whatnot while your primary computer sleeps. That's noise reduction if you hide the Pentium somewhere that muffles the sound. This only works if your old Pentium box produces very little heat or you don't care if it breaks from slight overheating.

-- David

Li-fan Chen
Wednesday, March 26, 2003

I use WinRoute to provide NAT and firewall services. It's very effective, if expensive. The reason we're using it is because the built-in stuff in Windows 2000 wasn't near up to snuff for port mapping needs.

Brad (dotnetguy.techieswithcats.com)
Wednesday, March 26, 2003

Setting up a dedicated machine as a firewall would be great. But I have only my laptop, which I use both at home and work. I don't want to bother with buying/setting up another machine for this purpose. I am not paranoid or anything about security, but I do want some minimal protection at home. Hence I was looking into Personal Firewall software.

Yaniv
Wednesday, March 26, 2003

I tried ZoneAlarm once; totally too annoying with all those popups at all times. So I bought a hardware firewall with packet filtering and NAT and a lot of other goodies. Wouldn't go back to SW firewall programs.

Patrik
Wednesday, March 26, 2003

If you run any services that you want to share with the outside world, and just want to access everyday services like news streaming and Hotmail, you can do well to try and live with ZoneAlarm, the free edition.

Li-fan Chen
Wednesday, March 26, 2003

I use retired machines running Linux at home and at work.

But I carry a D-Link DI-704 with my laptop, for those occasions that it isn't running Linux.

I heartily recommend the DI-704P to everyone who has a broadband connection. I've made many users very happy.

Anonymous Coward
Wednesday, March 26, 2003

I'm happy with Norton's Personal Firewall 2003.

danpop
Wednesday, March 26, 2003

I use Zone Alarm. I have a desktop and a laptop but both work through dial-up connections so speed hits are hardly likely to be a problem.

Once you set it up (and of course disable the pop-ups) it works unobtrusively in the background (in fact too unobtrusively; I ran my laptop for three months without it installed and never realized !)

One hundred per cent recommendation!

Stephen Jones
Wednesday, March 26, 2003

I got Norton's personal firewall free from my ISP with my DSL service.  For what I need, it's a great fit.  The rules are per application, which I find really convenient - I can block my mail client's access (restrict it to just mail.earthlink.net, so HTML spam can't load images if I accidentally open it) without affecting my web browser.  The only thing I've run into trouble with is trying to configure permissions for services (e.g. Apache or IIS), but not everyone needs to run a web server.

Brian
Wednesday, March 26, 2003

I have been using ZoneAlarm happily for close to 2 years.  I upgraded from the free edition to ZoneAlarm Pro with Web Filtering around Christmas.  This is the only filtering program I have tried that does not offensively affect my perceived connection speed with a cable modem.

Darin
Wednesday, March 26, 2003

Does anyone use a Linksys Router for broadband and just rely upon its built-in firewall protection?  IS this something I can rely upon or do I need ZoneAlarm on top of it?

Stress
Wednesday, March 26, 2003

Yaniv,

This is an interesting topic.  I've thought about turning on IPTables (Linux firewalling) on my laptop when going off site.  But I've never done it.  Additionally, I pretty much run wide open, relying on my home firewall and work firewall to provide the protection (and never had any problems in 5 years of doing so).

I wonder how many people lock things down when they leave the security of home and work.  Like if you go on the road to work on site or with partners in integration labs (which may also have competitors lurking). 

I'm usually pretty wary and run in paranoid mode with respect to things like this, but haven't been on the same network with potentially hostile people in the same room.

Anyone have any horror stories along these lines?

Nat Ersoz
Wednesday, March 26, 2003

Stress,

I don't know the answer, but I've wondered the same thing myself; I have a Linksys router/wireless setup myself.  For now I still have ZoneAlarm on all my machines, but I've been wondering whether with the router in place it's redundant.

Anybody?

Kyralessa
Wednesday, March 26, 2003

Yaniv,

If you're using Windows XP it has "Internet Connection Firewall" built-in. Basic, but does the trick - just go to the properties of the LAN adapter in Control Panel>Network Connections and check the checkbox on the Advanced tab. It basically allows all outgoing traffic, but filters incoming - by clicking the Settings button you can open up various ports.

If you're using Windows 2000 then you can use IPSec to implement a firewall. See http://www.microsoft.com/TechNet/itsolutions/network/maintain/security/ipsecld.asp

Duncan Smart
Wednesday, March 26, 2003

I use an SMC Barricade 7004WBR at home. Firewall, router, and wireless access point in one box.

The hardware firewalls are so cheap & reliable these days I just don't see the point in running additional firewall software on my computer.

At work I just count on the work firewall. I just make sure there's nothing irreplaceable on the laptop.

Chris Tavares
Wednesday, March 26, 2003

I use OpenBSD for firewall and NAT. It's simple to set up, cheap, and highly configurable.

bdw
Wednesday, March 26, 2003

I use multiple $60,000 firewalls as my "personal firewalls" at work, but then again I work at a firewall company :-P.

Essentially most router firewalling solutions are simple packet filters. They see a packet, check what port, see if the port is open, and then forward if appropriate. You should not see any sort of performance impact with such a solution.

More complex solutions will involve some kind of tracking of state. For instance, the firewall will instead keep track of the current sessions going through, and match packets on sessions.

Moving up the ladder, there's support for application level solutions which may provide some mechanisms for content filtering, and preventing covert channel attacks.

In a home use scenario w/ broadband, you're probably fine (unless you have lots of enemies) blocking most inbound traffic. This will stop worms, and port scanning kiddies will quickly lose interest.

Linksys and the like aren't exactly big into the security market. Their products have had frequent issues, but nothing horrendously bad. (Just keep upgrading the firmware.)

However, if you VPN into the office, be aware that most hardware solutions will simply forward that traffic and not do any blocking (unless you have a cool router that does gateway to gateway VPN). So if there's a worm running around the office network, and you're VPN'ing in on a machine without its own sort of protection -- watch out!

S. Gwizdak
Wednesday, March 26, 2003

Hardware firewalls are good for blocking unwanted incoming connections, but software firewalls are better for application-specific blocking of the outgoing connections of spyware.

T. Norman
Wednesday, March 26, 2003

Duncan - I have looked into using the built-in Windows XP firewall. But I run SQL Server, MS IIS etc. on my laptop for development purposes. So I have to allow incoming connections on and off. I need to set application level rules. So I wasn't sure how well the built-in firewall will work.
Stress - I have a Linksys router which has the option of using ZoneAlarm. But I think you have to purchase ZoneAlarm Pro separately. I may be wrong here. It may work well for you. But in my case, I also have an 802.11b access point and I give WiFi access to my neighbours. I didn't want to block access to the stuff they need. I need something for each machine separately.
I carry my laptop everywhere - home, work, client sites, school (my part-time MBA class) etc. I already have enough stuff to carry in my bag; I don't want to carry another hardware firewall. So I am looking for a software solution.
I used the free version of ZoneAlarm for a while and I noticed a significant reduction in my internet speed. After that I have been using Agnitum Outpost for a while. But now my laptop crashes quite often and Windows Online Crash Analysis says it's a problem with one of the drivers of the firewall. This might be the case with only my laptop. But I am looking for an alternative to Outpost.
Nat - Setting up IPTables on a Linux box is fun. I did set one up on a hardened Linux box at work a long time ago. We used it for a while until finally we went with a Cisco PIX box. But it will take considerable time of yours to maintain, watch the logs etc. Also it may not be advisable to set it up on the laptop you use for other work. You may need a dedicated machine for it.
Thanks for all your inputs so far.

Yaniv
Wednesday, March 26, 2003

I run my home PC with a D-Link 705P, XP, and finally, ZoneAlarm Pro.

It is hard to believe, but some attacks make it all the way to the ZoneAlarm layer.

Glade Warner
Wednesday, March 26, 2003

Hmmmm.  I guess I could answer my own question by looking at my router and ZoneAlarm logs.  Doing so, it turns out that the router mostly gets port 137 scans (Windows, harmless), and that nothing seems to get through to ZoneAlarm at all; the only blocks I have listed for it are local network ones (such as when I was at my parents' house logged on their network with my laptop).  So it looks as though ZoneAlarm is pretty superfluous in this case.

However, since it also tells me about outgoing stuff, and since I'd probably forget to reenable it when I really needed it elsewhere, I expect I'll just leave it running.

Kyralessa
Wednesday, March 26, 2003

My Zone Alarm blocks an average of twenty-five attempts at entry AN HOUR.

Stephen Jones
Thursday, March 27, 2003

I currently use the XP one on my laptop, but at the previous place I worked they tried Outpost. There's a free version.

It works OK, but can be a pig sometimes if it's not set up properly and you're doing development work against SQL Server. Admittedly the environment was a deeply unsafe VLAN; we were continually finding hacking attempts in the log files. Set up properly, it's OK. Allows multiplayer Unreal and Wolf3D, so it can't be all bad.

http://www.agnitum.com/products/outpost

Justin
Thursday, March 27, 2003

Now, as a result of checking my Zone Alarm logs to see if I could find anything useful for this thread, I have found out the solution to a mystery that has been puzzling me for nearly a month.

I connect to the internet through the ISP's proxy, as do all users in Saudi Arabia. For the last month or so I have found on occasion that I can't connect to any site or sometimes just sites such as this, though email has always worked fine. Yet if I switch over to the laptop and use the same phone line and internet connection I don't get this problem.

Looking through the alerts for today I found the solution.
Alert 2:
- "The firewall has blocked Internet access to proxy.myISP.net.sa (123.45.67.89) (ICMP Time Exceeded) from your computer. Occurred: 118 times between 27/03/2003 13:51:06 and 27/03/2003 14:11:06" -

The 118 times incidentally was 93 when I first saw it and kept on increasing. This was the explanation of why data was being downloaded but the pages never loaded. I put the proxy sites into the secure zone using the configuration and hopefully the problem has gone away.

I know there is at least one other reader here from Saudi, and presumably there may be others using other proxy configurations who find that Zone Alarm or another firewall slows them down, so I thought I would mention it.

Two interesting questions are: why does the same thing not happen on my laptop, which had Zone Alarm configured in the same way, and why did it not start until a month or two back. The answer I believe may lie in the OS. The laptop has XP, and presumably the defaults for the ICMP time exceeded are different, and the problem on the desktop coincided with my installing W2000 SP3.

Anyway, thanks to the original poster, who has inadvertently saved me a load of time.

Stephen Jones
Thursday, March 27, 2003
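Kyralessa's approach of answering the "is ZoneAlarm redundant?" question from the router and ZoneAlarm logs, and Stephen's discovery that blocked ICMP Time Exceeded replies from the ISP proxy explained his stalled pages, both come down to reading the alert log systematically. Below is an added example in Python, not code from this thread or from ZoneAlarm: it parses a handful of constructed alert lines written in the style of the alert Stephen quoted (the inbound-alert wording, the host names and the addresses are all assumptions), tallies blocked inbound traffic by port and blocked outbound traffic by destination, and flags any trusted host, such as the ISP proxy, whose ICMP replies were dropped.

```python
import re
from collections import Counter

# Constructed alert lines in the style of the ZoneAlarm alert quoted in the
# thread. Host names and addresses are made up; this is not real firewall output.
SAMPLE_ALERTS = [
    "The firewall has blocked Internet access to your computer (NetBIOS Name) "
    "from 198.51.100.7 (UDP Port 137).",
    "The firewall has blocked Internet access to your computer (NetBIOS Name) "
    "from 198.51.100.22 (UDP Port 137).",
    "The firewall has blocked Internet access to your computer (HTTP) "
    "from 203.0.113.44 (TCP Port 80).",
    "The firewall has blocked Internet access to proxy.example.net (192.0.2.10) "
    "(ICMP Time Exceeded) from your computer. Occurred: 118 times between "
    "27/03/2003 13:51:06 and 27/03/2003 14:11:06",
    "The firewall has blocked Internet access to mail.example.net (192.0.2.25) "
    "(TCP Port 25) from your computer. Occurred: 2 times between "
    "27/03/2003 12:00:00 and 27/03/2003 12:05:00",
]

# Inbound alert: traffic aimed at this machine, one event per line (assumed format).
INBOUND = re.compile(
    r"access to your computer \((?P<service>[^)]+)\) from (?P<host>\S+) \((?P<port>[^)]+)\)"
)
# Outbound alert: replies from a remote host that the firewall dropped, with an
# aggregated "Occurred: N times" count, as in the alert quoted above.
OUTBOUND = re.compile(
    r"access to (?P<name>\S+) \((?P<ip>[\d.]+)\) \((?P<what>[^)]+)\) from your computer\."
    r"\s*Occurred: (?P<n>\d+) times"
)


def parse_alert(line):
    """Turn one alert line into a record, or None if the line is not an alert."""
    m = INBOUND.search(line)
    if m:
        return {"direction": "in", "host": m["host"], "what": m["port"], "count": 1}
    m = OUTBOUND.search(line)
    if m:
        return {"direction": "out", "host": m["name"], "ip": m["ip"],
                "what": m["what"], "count": int(m["n"])}
    return None


def summarize(lines):
    """Count blocked inbound events per port/protocol and blocked outbound
    (dropped-reply) events per (destination host, protocol)."""
    inbound, outbound = Counter(), Counter()
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue
        if rec["direction"] == "in":
            inbound[rec["what"]] += rec["count"]
        else:
            outbound[(rec["host"], rec["what"])] += rec["count"]
    return inbound, outbound


def blocked_icmp_to_trusted(outbound, trusted_hosts):
    """Trusted hosts (e.g. the ISP proxy) whose ICMP replies the firewall dropped.
    These are the entries worth moving into the firewall's trusted zone, since
    silently eating them is what leaves pages half-loaded."""
    return sorted({host for (host, what) in outbound
                   if host in trusted_hosts and what.startswith("ICMP")})


if __name__ == "__main__":
    inbound, outbound = summarize(SAMPLE_ALERTS)
    print("blocked inbound by port:", dict(inbound))
    print("dropped replies by host:", dict(outbound))
    print("trusted hosts with dropped ICMP:",
          blocked_icmp_to_trusted(outbound, {"proxy.example.net"}))
```

Run against the constructed lines, the inbound side shows the familiar port 137 NetBIOS probes (harmless noise that the router already absorbs), while the outbound side surfaces the 118 dropped ICMP Time Exceeded replies from the proxy, which is exactly the entry Stephen had to find by eye.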

You are most welcome! Stephen :)

Yaniv
Thursday, March 27, 2003

Does anyone know of a, well, let's call it an "application level" firewall for Linux?

By "application level" I mean like ZoneAlarm or the Norton product; firewalls that let you say that the "foo" program is allowed to be a client on port 80 but the "bar" program is not.

As opposed to, let's call them, "traffic level" firewalls like iptables. Which only let you say that any program is allowed to be a client on port 80 or none.

As many people have pointed out, traffic level firewalls are great for protecting against inbound problems, but they don't really provide protections against outbound problems (trojans, spyware, etc). I think it makes sense to run both types.

Bill Tomlinson
Thursday, March 27, 2003
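As an added example (not code from the thread or from any of the products mentioned), here is a small Python model of the three tiers S. Gwizdak describes, stateless packet filter, stateful session tracking and application-level rules, together with the per-program "foo may use port 80 but bar may not" policy Bill is asking for. The packet fields, the rule format and the program names are assumptions; a real filter gets them from the network stack. It shows why a stateless filter has to leave high ports open for replies (and so also lets an unsolicited probe in), how session tracking fixes that, and why only the end node can key a rule on the originating program.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Assumed minimal packet model for the simulation."""
    direction: str    # "in" (arriving from the internet) or "out" (leaving this host)
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    program: str = ""  # originating program; only an end-node filter can see this


def stateless_filter(pkt, open_inbound_ports):
    """Tier 1: stateless packet filter (typical broadband router).
    Each packet is judged alone: outbound always passes, inbound passes
    only if its destination port is on the open list."""
    if pkt.direction == "out":
        return True
    return pkt.dport in open_inbound_ports


class StatefulFilter:
    """Tier 2: stateful filter. Remembers sessions the inside opened and
    admits their replies; unsolicited inbound traffic still needs an open port."""

    def __init__(self, open_inbound_ports=()):
        self.open_inbound_ports = set(open_inbound_ports)
        self.sessions = set()  # (proto, local_ip, local_port, remote_ip, remote_port)

    def decide(self, pkt):
        if pkt.direction == "out":
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return True  # reply to a session this host opened
        return pkt.dport in self.open_inbound_ports


class AppFilter:
    """Tier 3: application-level filter (the ZoneAlarm/Norton style).
    Outbound rules are keyed on the program, so two programs using the
    same port can be treated differently."""

    def __init__(self, rules):
        self.rules = rules  # {program name: set of allowed outbound destination ports}

    def decide(self, pkt):
        if pkt.direction != "out":
            return False  # inbound is left to the lower tiers
        return pkt.dport in self.rules.get(pkt.program, set())


def demo():
    """Run the same constructed traffic through each tier and return the verdicts."""
    me, web, scanner = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    request = Packet("out", "tcp", me, 40000, web, 80, program="browser")
    reply = Packet("in", "tcp", web, 80, me, 40000)
    probe = Packet("in", "tcp", scanner, 55555, me, 40000)   # unsolicited, same local port
    beacon = Packet("out", "tcp", me, 40001, "203.0.113.9", 80, program="spyware")

    ephemeral = set(range(1024, 65536))   # what a stateless filter must open for replies
    stateful = StatefulFilter()
    app = AppFilter({"browser": {80, 443}})

    stateful.decide(request)  # register the outbound session first
    return {
        "stateless_reply_closed": stateless_filter(reply, set()),      # breaks browsing
        "stateless_reply_open": stateless_filter(reply, ephemeral),    # works...
        "stateless_probe_open": stateless_filter(probe, ephemeral),    # ...but so does the probe
        "stateful_reply": stateful.decide(reply),
        "stateful_probe": stateful.decide(probe),
        "app_browser": app.decide(request),
        "app_beacon": app.decide(beacon),   # same port 80, different program
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'block'}")
```

On Linux, iptables' connection-tracking match (`-m state --state ESTABLISHED,RELATED`) is the real-world counterpart of the StatefulFilter class above; the per-program tier has no equivalent in iptables, which is exactly the gap Bill is pointing at.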

MacOS X, built-in.

pb
Thursday, March 27, 2003

I just replaced my Outpost firewall with Norton Personal Firewall. So far everything is great. When I had Outpost, my computer crashed like 10 times a day and Internet speed was horrible. After removing it, my machine works great! Let's see how far it goes. Thanks for all your inputs.

Yaniv
Thursday, March 27, 2003

"traffic level firewalls are great for protecting against inbound problems, but they don't really provide protections against outbound problems (trojans, spyware, etc). "

Bill, it begs the question: why on earth are you installing crap that would include trojans/spyware?

Duncan Smart
Thursday, March 27, 2003

I use Tiny Personal Firewall on one PC and the free ZoneAlarm on another PC, I'm extremely happy with both.

Realist
Friday, March 28, 2003

I use Tiny Personal Firewall. I used to use Zone Alarm, but it caused problems with my anti-spam program, so I switched.
I use the software firewall as an anti-Trojan device, to be alerted when a new program tries to access the Internet. My primary protection is a hardware firewall that has all but a few specified ports shut.

David Burke
Friday, March 28, 2003

Duncan asks why I would install stuff with trojans and spyware.

I think that's a pretty silly question. Of course no one ever would intentionally. But the only way to 100% ensure that nothing bad ever happens to your computer is to never turn it on. If you ever install anything on your computer (even Microsoft (or Red Hat, if you prefer) OS updates) you take risks. These days, a computer that you never, ever install anything on (after the initial OS install) isn't very common.

Running the personal firewall is like car insurance. You would never intentionally crash your car; you do everything you can to avoid accidents. But you're realistic enough to know that stuff happens, and you'd better have insurance.

Bill Tomlinson
Friday, March 28, 2003

I've been running IPCop, a spinoff of Smoothwall firewall that runs in Linux.

It is small and very easy to install plus you can customize the rules as needed though you will need to learn/read Linux firewalling.

I'm even thinking of running it on a small old Pentium notebook, which makes it very silent and consumes low power.

RRS
Friday, March 28, 2003

I agree with Bill. Also, being a techie, I actually find it quite interesting and informative seeing what programs are up to with your internet connection.

optimistic coder
Monday, March 31, 2003
