Need a Firewall

Discussion in 'Computer Security' started by CliffG, Dec 24, 2005.

  1. CliffG

    CliffG Nibble Poster

    Hi there,

    I've made the decision to dump the Norton security suite I've got installed in favor of AVG Free. The primary reason for this is how much system resources Norton occupies.

    The Norton suite came with Norton Firewall (which is brilliant IMO), and I don't want to trust the Windows XP Home Firewall that is part of SP2.

    Does anyone have any recommendations as to what firewall package (free) I can install that would work well?

    Regards

    Cliff
     
    Certifications: A+
    WIP: Network+
  2. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    I use Zonealarm. Not everybody likes it, but it suits me!

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  3. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    Zone alarm.

    Personally though I like XP Firewall.
     
  4. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    The reason I prefer ZoneAlarm over the built-in XP firewall is that the built-in doesn't block (or notice) outgoing calls.

    This means that if something *does* get into your machine and tries to 'phone-home' ZA will see it and warn, but the XP one won't.

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  5. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    Zone Alarm is good but it is just another piece of software to install which can cause issues in certain circumstances.

    I have had no noticeable issues with the built-in XP firewall, and as it is installed already I use it rather than load another piece of software.

    Keep your PC lean, load the minimum software you can and it will run fast and well.

    I am running W2K Pro on my laptop with no firewall software at all. I am connecting via a D-Link ADSL router/modem using NAT and the firewall capability of that cheap unit.

    Here is my Shields up summary...

     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  6. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    You mentioned two things there - NAT and firewall in the router.

    Correctly set, these would obviate the need for a firewall on the PC, as long as you look at the logs occasionally. Otherwise you would be liable to miss any nasties phoning home.

    And shields-up, while being a useful indication, is not the whole story by a long shot. Unless Gibson has changed it, it only tests a subset of incoming ports, and is unable to check outgoing connections at all.

    CliffG didn't mention NAT or routers, so I had to assume that they weren't there. In this case IMHO ZA is *much* better than the XP built-in, and my experience with it under both Win98SE and XP is that it doesn't load the machine noticeably.

    There are, of course, other firewalls - but I don't have the experience on them to be able to comment.

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  7. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    Well my preferred firewall is ISA which beats both Zone Alarm and XP's one into a cocked hat. But it is probably over the top for Cliff :p

    I realise that the shields up site is not 100% indicative of a secure situation but it is a good indicator nonetheless. I was just trying to make the point about NAT and how it helps keep the baddies out even without a firewall.
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  8. CliffG

    CliffG Nibble Poster

    Cheers Guys, thanks for that :biggrin
     
    Certifications: A+
    WIP: Network+
  9. Sandy

    Sandy Ex-Member

    Harry

    Er um how? I've been involved in networks and network security for a long time and your statement goes against everything I have ever been taught!
     
  10. hbroomhall

    hbroomhall Petabyte Poster Gold Member


    In the normal business environment the firewall is either in the router, or just beside it, and no firewalls are run on the individual machines. Both my current place of employment and my last one worked like that, and both places are pretty clued up as to security.

    You have to ask what is the purpose of running a firewall on your workstation. If it is to keep out the nasties on the wider 'net then it is redundant, because the network firewall will be doing that. If it is to keep out the possibility that someone else on your network is nasty then that should be addressed in other ways. In a business this could include anything up to a P45!

    Generally, in a network behind a router/firewall the requirement is for information to be freely interchangeable. This would involve cutting holes in individual firewalls to the point that they may become somewhat useless! The most important ports to block are mostly those that Windows uses for domain and workgroup networking which tend to be less than robust!

    In a home environment things may be different, if only to reduce friction among family members. However, a young child that persistently loads Kazaa (say) should not (in my view) be allowed to poison a network.

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  11. The_Geek

    The_Geek Megabyte Poster

    I'm running a Cisco myself.
     
    Certifications: CompTIA and Micro$oft
    WIP: PDI+
  12. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    While on the subject of firewalls, I am thinking of converting one of my old P2 machines to a firewall using Smoothwall. Anyone got any good or bad points on it?
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  13. michael78

    michael78 Terabyte Poster

    Routers don't make good firewalls so don't rely on one to protect your system. XP's firewall is very basic and I would only say use it as a last resort. To be properly safe you need dedicated firewall and antivirus software. AVG is ok but the free Antivirus/Firewall software I recommend to people is Avast antivirus and Sygate Firewall which I've never had any problems with in the past and they are good at what they do. Everyone has their own preference but that's my recommendation.
     
    Certifications: A+ | Network+ | Security+ | MCP | MCDST | MCTS: Hyper-V | MCTS: AD | MCTS: Exchange 2007 | MCTS: Windows 7 | MCSA: 2003 | ITIL Foundation v3 | CCA: Xenapp 5.0 | MCITP: Enterprise Desktop Administrator on Windows 7 | MCITP: Enterprise Desktop Support Technician on Windows 7
    WIP: Online SAN Overview, VCP in December 2011
  14. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    I'm curious as to why you say this Mick - have you had a bad experience using router/firewall combo? If so, what router were you using at the time?
     
    Certifications: MCP, A+, Network+
    WIP: Clarity
  15. michael78

    michael78 Terabyte Poster

    Jakamoko, in my experience and what I've studied is that routers with integrated firewalls don't do an adequate job in protecting systems. Most of the time routers are bundled with poor firewalls with little or no configurability. They can also impact on performance of the network if it's constantly filtering out packets and routing network traffic. I'm not saying they don't help but I firmly believe that software firewalls are best for home use and dedicated firewalls, either software or appliance firewalls, for business use.

    I'm using a Linksys router and whilst the firewall is enabled on it I wouldn't trust it to do the job of software firewall and only have it enabled as extra cover in conjunction with Trend's PC-cillin.
     
    Certifications: A+ | Network+ | Security+ | MCP | MCDST | MCTS: Hyper-V | MCTS: AD | MCTS: Exchange 2007 | MCTS: Windows 7 | MCSA: 2003 | ITIL Foundation v3 | CCA: Xenapp 5.0 | MCITP: Enterprise Desktop Administrator on Windows 7 | MCITP: Enterprise Desktop Support Technician on Windows 7
    WIP: Online SAN Overview, VCP in December 2011
  16. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    Ah right. I'm just curious, as I have been using my Netgear's built-in f/w more and more prominently lately, and was wondering about needing individual f/walls on the machines behind it. This was prompted by ongoing probs with Sygate blocking my ftp when all seemed set to allow, so I uninstalled it and decided to run with the router and XP's own for a while. Be interested in your (or anyone else's) thoughts on this.

    Thanks Mick :)
     
    Certifications: MCP, A+, Network+
    WIP: Clarity
  17. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    IMHO there are no easy answers here, as it depends too much on implementation.

    A firewall in the router is not in itself a bad thing, but as I said above, depends on the implementation.

    In general I prefer firewalls *off* the local machine, but of course there are a few problems with this.

    1) If it is on the local machine then a new app pops a request up, and you can allow it to be used in the future. If the firewall is off the local machine you have to manually cut the required hole.

    2) If the firewall/router has limited processing power then it could cause slowdowns on the network. Answer is, of course, to buy a better one.

    There are problems with using a router and/or firewall combo *instead* of local soft firewalls when others on the local network are less 'on message' about nasties. This of course is a social, rather than a technical problem!

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  18. ffreeloader

    ffreeloader Terabyte Poster

    I've been relying on my cable/dsl router/switch with NAT for firewall protection for several years now. I haven't found any noticeable problems with poor LAN performance during all this time.

    I think about the only time any performance hit from using the router/switch firewall would be noticeable is if the LAN is under a heavy network load, and that isn't something that is going to happen very often on SOHO networks. These small networks simply aren't going to generate enough network traffic to really load the router enough to bog it down, even with the firewall being used.

    I've used both the SMC and Linksys 8 port routers in this capacity. I've found I like the SMC better than I liked the Linksys. The Linksys died after a couple of years and its firewall was less configurable than SMC firewall is. It did, however, have the plus of having available software for monitoring the firewall activity remotely though. That, and the fact that the Linksys LAN ports were on the back rather than the front of the router, are the only distinct advantages it had. The SMC seems to beat Linksys in all other respects, including the fact that it's a metal enclosure rather than a plastic one.

    I have had one strange hiccup with the SMC router. One time, for some reason, I couldn't access email from one of my machines. I went through every troubleshooting procedure I could think of, spent time on the phone with my ISP's help desk, and finally stuck the machine outside the router. Then I could access email. I got on the phone with SMC's help desk and they ran me through a routine of resetting the router to factory defaults--this routine was not in the owner's manual--and the problem cleared up. Never did figure out why it suddenly started dropping all return traffic from my ISP's mail server for only one machine and it hasn't happened again so I've ended up chalking the problem up to gremlins. :rolleyes:

    I have to say SMC's help desk was pretty good. Their response time was excellent. I don't think I had to wait more than a couple of minutes. They are, however, off shoring their help desk and there was a communication problem. The gal had such an accent I had problems understanding her. She was knowledgeable, but just hard for me to understand.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  19. michael78

    michael78 Terabyte Poster

    FFreeloader makes some fair points: for home use you won't see a hit on the network for one PC under general use using a router with a firewall integrated. Personally maybe I'm being a bit harsh as all my training and learning is geared towards business use. I would be surprised if anyone relied on a firewall that was integrated into a router for protection in a business environment. IMHO I personally still wouldn't rely on a router/firewall combo even for home use. My Linksys one simply isn't configurable enough and I wouldn't trust it to do the job a software firewall does, especially using a Windows OS.
     
    Certifications: A+ | Network+ | Security+ | MCP | MCDST | MCTS: Hyper-V | MCTS: AD | MCTS: Exchange 2007 | MCTS: Windows 7 | MCSA: 2003 | ITIL Foundation v3 | CCA: Xenapp 5.0 | MCITP: Enterprise Desktop Administrator on Windows 7 | MCITP: Enterprise Desktop Support Technician on Windows 7
    WIP: Online SAN Overview, VCP in December 2011
  20. ffreeloader

    ffreeloader Terabyte Poster



    Well, the way I look at this, the combination of NAT and a firewall that is configured to drop all WAN requests is about all the vast majority of SOHO users need. Not many run a server of any type that they are sharing with the outside world because (1) the ISPs simply won't allow it, and (2) the upload speed is so severely limited as to make a server on their home LAN a practical impossibility as bandwidth restrictions and upload speeds would be far too slow to be useful.

    Any port forwarding that needs to be done can be done pretty easily.

    As to small businesses using the cable/dsl routers, well, I know of some pretty experienced techs that install them in small business situations. I also know personally of several small businesses that have them installed. They don't run a web server or mail server. They use the web for research and getting their email from their ISP, and for a small charge get their own domain name for their email from the ISP. To what purpose do they need a firewall that does anything more than SPI and drops WAN requests? It's overkill to sell them a fully configurable firewall. They don't really need it from what I can see.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
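
The trade-off argued through this thread, as an added example (not code from any poster or firewall product): a minimal model of a stateful filter that drops unsolicited WAN requests, showing that it stops inbound probes but passes an outbound "phone-home" connection unless egress rules are added. The class, the allowed port set and the addresses (documentation ranges) are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = LAN -> WAN, "in" = WAN -> LAN (after NAT translation)
    proto: str
    lan: tuple      # (ip, port) of the host behind the router
    wan: tuple      # (ip, port) of the remote endpoint

@dataclass
class StatefulFilter:
    # egress_ports=None models "drop all WAN requests" with no outbound rules at all
    egress_ports: Optional[set] = None
    flows: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def handle(self, p: Packet) -> str:
        key = (p.proto, p.lan, p.wan)
        if p.direction == "out":
            if self.egress_ports is not None and p.wan[1] not in self.egress_ports:
                return self._verdict(p, "DROP", "egress port not allowed")
            self.flows.add(key)  # remember the flow so its replies are accepted
            return self._verdict(p, "ALLOW", "new outbound flow")
        if key in self.flows:
            return self._verdict(p, "ALLOW", "reply to tracked flow")
        return self._verdict(p, "DROP", "unsolicited inbound")

    def _verdict(self, p, action, reason):
        # The log is what lets someone notice blocked outbound attempts later
        self.log.append((action, p.direction, p.lan, p.wan, reason))
        return action

def run_scenario(fw: StatefulFilter) -> list:
    """Constructed traffic: inbound probe, outbound beacon, its reply, normal HTTPS."""
    pc = ("192.168.0.10", 49152)
    probe = Packet("in", "tcp", ("192.168.0.10", 445), ("203.0.113.7", 40000))
    beacon = Packet("out", "tcp", pc, ("198.51.100.9", 6667))
    reply = Packet("in", "tcp", pc, ("198.51.100.9", 6667))
    web = Packet("out", "tcp", pc, ("192.0.2.80", 443))
    return [fw.handle(p) for p in (probe, beacon, reply, web)]

if __name__ == "__main__":
    print("inbound-only policy:", run_scenario(StatefulFilter()))
    print("with egress rules:  ", run_scenario(StatefulFilter(egress_ports={53, 80, 443})))
```

With no egress rules the beacon and its reply are both allowed; with the egress port set they are dropped and the attempt appears in `fw.log`.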
