Fog Creek Software
Discussion Board




Personal firewall

Hi

Any recommendation on hardware firewalls for personal use is appreciated.

gg
Tuesday, September 30, 2003

Why would one need a hardware firewall for personal use? Whatever machine is the 'net gateway could easily run a piece of software (or, if you want hardware for that function, pick up a router from someone like Linksys, which will have rudimentary firewall capabilities).

Brad Wilson (dotnetguy.techieswithcats.com)
Tuesday, September 30, 2003

You mean through a software firewall such as ZoneAlarm, I'll get better security than Linksys?

gg
Tuesday, September 30, 2003

Yes, ZoneAlarm is better than the blunt-force firewall in a Linksys router. Especially ZoneAlarm Pro.

Brad Wilson (dotnetguy.techieswithcats.com)
Tuesday, September 30, 2003

Honestly I am pretty impressed with Linksys firewalls for the money.  But I don't like host based firewalls, so I am biased against Zone Alarm.

part time admin
Tuesday, September 30, 2003

Brad, the main reason is for Application level filtering. Most (I only know of one) firewalls that you would run on a router etc will not do the layer 7 stuff. This is important, as when you run a personal firewall, you become aware of just how much innocuous shit calls home, over commonly open ports such as 80 (web).  By running a personal firewall that can filter on the application layer, you can prevent these nasty little callbacks.

Dan G
Tuesday, September 30, 2003

So, how does ZoneAlarm work?  I went to their web site and it offers no explanation regarding the 'how'.

Preventing an application, which you trustingly install, from calling home through a well-known port seems difficult at best.

For example, if I wanted to block all instant message type products, I would have to do some sort of signature analysis (seems to me), and when the signatures change (due to software upgrade, or something like that), then the detection software must also change.

So, how do they do it?

nat ersoz
Tuesday, September 30, 2003

I'm personally partial to hardware firewalls.  The choice, in my opinion, depends on whether you want power or simplicity.

A software firewall gives you detailed control over privileges for individual applications, but at the expense of frequently pestering you about whether Program X should be allowed to access the internet, along with the overhead of it constantly running in the background on your computer.  (Also, although ZoneAlarm is very powerful, it seems to be suffering from feature creep -- it's a rather bloated application.)

A hardware firewall gives you set-it-and-forget-it security.  It runs constantly without any user intervention and blocks any malicious inbound traffic.  However, it allows all outgoing traffic (including, e.g., spyware or trojans.)  Since I run an antivirus program and am judicious about not downloading strange applications, I think it's a reasonable trade-off.

Robert Jacobson
Tuesday, September 30, 2003

Forgot to mention that I'm running a Linksys router, which offers reasonable firewall protection.  Since it's also a router, it protects every computer in my house.

Robert Jacobson
Tuesday, September 30, 2003

"So, how does ZoneAlarm work?  I went to their web site and it offers no explanation regarding the 'how'."

It inserts itself into the TCP/IP stack at a point at which it can accept or reject any of the packets.

Brad Wilson (dotnetguy.techieswithcats.com)
Tuesday, September 30, 2003

That's fine, but how does it know packets x are coming from application A?  Some protocols are documented - or at least ethereal knows about them, and that is documentation enough.  But most 'phone home' or spyware TCP or UDP transfers won't be documented.  Or, perhaps they send data using http or some other well known port and protocol.  How do you know which application needs to be shut down?

nat ersoz
Tuesday, September 30, 2003

"A hardware firewall gives you set-it-and-forget-it security.  It runs constantly without any user intervention and blocks any malicious inbound traffic."

Would that all malicious traffic were limited to inbound only... "set-it-and-forget-it security" is a myth.

Brad Wilson (dotnetguy.techieswithcats.com)
Tuesday, September 30, 2003

"How does it know packets x are coming from application A?"

It is tracing back the socket handle to the owning application, and then lets you know the owning application.

Brad Wilson (dotnetguy.techieswithcats.com)
Tuesday, September 30, 2003
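The socket-to-application lookup Brad describes, shown on Linux as an added example (not code from ZoneAlarm or from anyone in this thread): the kernel's socket table in /proc/net/tcp identifies each socket by inode, and every process's /proc/<pid>/fd entries link back to those inodes, so a packet's socket can be traced to its owning pid. The /proc/net/tcp table below is constructed, and the live walk in socket_owners assumes a Linux /proc layout; Windows personal firewalls do the same join inside the kernel.

```python
import os
import re
from pathlib import Path

# Constructed sample of a /proc/net/tcp table (not from a real host): a listener on
# port 80 and an established connection to 93.184.216.34:443, inodes 12345 and 67890.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:C350 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""

TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}

def hex_to_addr(field):
    """Decode the little-endian 'AABBCCDD:PPPP' endpoint form used by /proc/net/tcp."""
    host_hex, port_hex = field.split(":")
    octets = [int(host_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
    return ".".join(map(str, octets)), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """One dict per socket row: endpoints, state, owning uid and the socket inode."""
    entries = []
    for line in text.splitlines()[1:]:  # first row is the column header
        f = line.split()
        if len(f) < 10:
            continue
        entries.append({"local": hex_to_addr(f[1]), "remote": hex_to_addr(f[2]),
                        "state": TCP_STATES.get(f[3], f[3]), "uid": int(f[7]), "inode": int(f[9])})
    return entries

def owners_from_links(links):
    """Map socket inode -> pid from (pid, fd symlink target) pairs; a socket's fd link reads 'socket:[<inode>]'."""
    owners = {}
    for pid, target in links:
        m = re.fullmatch(r"socket:\[(\d+)\]", target)
        if m:
            owners[int(m.group(1))] = pid
    return owners

def socket_owners(proc_root="/proc"):
    """Walk /proc/<pid>/fd on a live Linux host (root needed to see other users' pids)."""
    pairs = []
    for pid_dir in Path(proc_root).glob("[0-9]*"):
        try:
            pairs += [(int(pid_dir.name), os.readlink(fd)) for fd in (pid_dir / "fd").iterdir()]
        except OSError:  # process exited meanwhile or fd table not readable
            pass
    return owners_from_links(pairs)
```

On a live host, `socket_owners()[entry["inode"]]` for each row of `parse_proc_net_tcp(open("/proc/net/tcp").read())` gives the pid whose executable (`/proc/<pid>/exe`) the firewall would name in its prompt.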

Very interesting.  And, very useful...

nat ersoz
Tuesday, September 30, 2003

I'm unclear on how, but it definitely uses some sort of signature. I have been developing a TCP/IP app on my home network and after every compile, ZoneAlarm Pro detects it as a new or changed app and requests permission to let it access the net.

sgf
Tuesday, September 30, 2003

I've been using McAfee's software firewall (mostly because it came w/ their antivirus stuff).  I tend to use the same programs over and over, so pestering is minimal.  Pretty simple to use, haven't been hacked yet.

Lee
Tuesday, September 30, 2003

How Kerio works anyway, with regard to application-level filtering.

The first time an unknown application passes a packet, the FW will add this application to its known application list, along with a hash to uniquely identify the exact compiled binary of the application. As such, after any recompile or any change, Kerio will basically treat it like a new unknown application, OR, if the filenames are the same, will prompt you, informing you that the binary has changed and allowing you to accept or reject the packet from the "new" application.

Also, learning about the OSI layers and TCP layers will help you understand firewalling and what layers they operate on to do their things.

Dan G
Tuesday, September 30, 2003
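Dan G's hash-keyed known-application list, and the recompile-triggers-a-new-prompt behaviour sgf saw, written up as an added example for this thread rather than Kerio's or ZoneAlarm's own code. AppTrustStore, filter_packet and the ask_user callback are assumed names, and the digests used in the walkthrough are computed over constructed byte strings standing in for two builds of the same executable.

```python
import hashlib

def sha256_bytes(data):
    """Digest of a binary's contents; this, not the file name, identifies the app."""
    return hashlib.sha256(data).hexdigest()

def sha256_file(path, chunk=1 << 16):
    """Same digest computed over an on-disk executable without loading it whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

class AppTrustStore:
    """Known-application list: executable path -> (digest when approved, allowed?)."""
    def __init__(self):
        self.known = {}

    def check(self, exe_path, digest):
        """Classify a connection attempt by the binary that made it."""
        rec = self.known.get(exe_path)
        if rec is None:
            return "new"        # path never seen: the user must decide
        if rec[0] != digest:
            return "changed"    # same file name, different bytes (e.g. a recompile)
        return "allow" if rec[1] else "deny"

    def remember(self, exe_path, digest, allow):
        self.known[exe_path] = (digest, allow)

def filter_packet(store, exe_path, digest, ask_user):
    """True if the packet may pass. ask_user(exe_path, verdict) stands in for the
    firewall's pop-up and returns the user's allow/deny answer, which is then
    remembered for exactly this digest, so a rebuilt binary prompts again."""
    verdict = store.check(exe_path, digest)
    if verdict in ("new", "changed"):
        allow = ask_user(exe_path, verdict)
        store.remember(exe_path, digest, allow)
        return allow
    return verdict == "allow"
```

A hash of the executable is what lets the filter tell a genuine upgrade from a trojan that overwrote a trusted program's file, which a filename-only rule cannot.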

I recommend Kerio's Personal Firewall (was called Tiny Personal Firewall in the past; Today's Tiny Firewall is something completely different).

It's not flashy and colorful like ZoneAlarm and friends. It just gets the work done, and gets it done well. At least last time I checked ZoneAlarm, Kerio gave me much better control when I needed it.

And, it's free for non-commercial use.

Ori Berger
Tuesday, September 30, 2003

>Would that all malicious traffic were limited to inbound only... "set-it-and-forget-it security" is a myth.<

Any idea of perfect security is a myth -- safety is relative, not absolute.  The only perfectly safe option is unplugging your computer from the network.  A hardware firewall can provide reasonable protection in most circumstances, as long as the user follows common-sense precautions of not installing potentially malicious software.

Software firewalls can be more secure than hardware firewalls (assuming they're installed correctly).  Whether that additional security is worth the additional hassle depends on the particular user. 

Robert Jacobson
Tuesday, September 30, 2003

"A hardware firewall can provide reasonable protection in most circumstances, as long as the user follows common-sense precautions of not installing potentially malicious software."

I beg to differ. These days, web browsers and mail clients are actively exploited by viruses and other malware. Some exploits do not even require you to read an email to activate - just receiving it is sufficient (some Outlook versions have a buffer overrun in parsing the mail "Date:" string, for example).

A software firewall can somewhat reduce that risk - e.g., I allow my web browser to only access ports 80 and 443 in the outside world. If it were compromised, and tried to e.g. connect to port 25, my software firewall would stop it, whereas my hardware couldn't. (Yes, I use both).

I think it's sad that personal firewalls do not offer as much inbound security either - my mail reader has no business touching files outside the mail store, but it's very hard to make that observation enforceable. Tiny's "Trojan Trap" (now part of Tiny Firewall) can do that, but it's relatively hard to configure properly.

A good chroot() facility is a relatively good solution if properly used, which is, outside of OpenBSD, not the case.

Ori Berger
Tuesday, September 30, 2003

Ori you need an application firewall to do what you want.

part time admin
Tuesday, September 30, 2003

part-time-admin: No, I need a way to limit what an app can do ("jail" it).

Filtering data is never enough - the data that's leaking out, and the malicious data that is getting in could both be encrypted and hidden; e.g., use the letter case (Capital = 1, Lower case = 0) to encode binary data. It's wasteful, but it will get past any mail or web data filter.

An application level firewall is good for other things, but is usually very specific. The facility I want is quite general, but it requires apps to be "minimalistic" in their requirements for it to be useful.

Ori Berger
Tuesday, September 30, 2003

I second the recommendation for Tiny Personal Firewall (now Kerio??). I've used it for around two years, and never had a problem.  It is easy to install and use, effective, and powerful in its configuration options. Others might work as well, but I've never seen the need to try them.

HeWhoMustBeConfused
Tuesday, September 30, 2003

Windows XP comes with a built-in firewall. Good for home use.

BillyBill
Wednesday, October 01, 2003

Not quite. The Windows XP firewall can't block outgoing traffic.

John Topley (www.johntopley.com)
Wednesday, October 01, 2003

Cheap old or underpowered PC, OpenBSD, ssh.  Just make sure ssh isn't externally accessible.  Nothing's 100% secure.

H. Lally Singh
Wednesday, October 01, 2003

Re: software firewalls: viruses can disable them.  Seriously, Windows 95/98 is not an operating system, in that it provides no real security services, and the default WinXP Home is no better (otherwise, how could Swen disable firewalls?)

A hardware firewall cannot be disabled.  OTOH, it does not offer solid outbound protection as some of the software firewalls do.

As for "jailing" applications, if you want security, use a real operating system such as Linux or FreeBSD.  With security features such as chroot or jails, and open-source software that can be audited.  Not as usable or as glitzy as Windows, but you can be more sure of the security.

David Jones
Wednesday, October 01, 2003

I was going to write exactly that.
Before I got a 3Com router to build a wireless network at home, I had a Pentium 200 with OpenBSD 3.x and it basically did the job without a hitch.

RP
Wednesday, October 01, 2003

Zone Alarm doesn't pester at all after the first try.

There is still however the security leak of a trojan getting into a program like Outlook or IE or Mozilla that you allow to access the net.

Incidentally, if you are paranoid, I would have thought setting software restrictions to allowed and then using the hash value to identify programs might be one way of stopping viruses running, though restoring from backup after a virus would certainly be less trouble.

Stephen Jones
Wednesday, October 01, 2003

Just for fun, I'm going to add the same comment I do every time this network vs. personal firewall discussion comes up: it's not a choice, run both.

Bill Tomlinson
Wednesday, October 01, 2003

I recommend ZoneAlarm as well.  Try this if you think you don't need any:

http://www.malware.com/greymagic.html

tekumse
Wednesday, October 01, 2003

Ori,

Your application firewall isn't good enough.  That's my theory and I'm sticking to it.

christopher baus (tahoe, nv)
Wednesday, October 01, 2003

>>I recommend ZoneAlarm as well.  Try this if you think you don't need any:

http://www.malware.com/greymagic.html <<

My hardware firewall plus Norton AntiVirus blocked this without a problem.  <g>

Robert Jacobson
Wednesday, October 01, 2003

Christopher, _what_ application firewall?

I can't find any that I like.

I use Kerio + a dedicated Linux iptables firewall running on an old 486 that wouldn't be too useful for anything else. I'd love to improve on this security, and I can somewhat, using a chroot() jail when I use my Linux station for software that works well under jails -- but generally, despite two firewalls (software + "hardware"), regular updates, various security settings, not using IE or Outlook or any software of questionable origin, I don't feel safe.

Ori Berger
Thursday, October 02, 2003
