fajw

Best firewall software?


I am contemplating whether to use Kaspersky PURE which includes a firewall, or Kaspersky Anti-Virus 2014 plus Comodo Firewall. Suggestions?


Unless any of these firewalls come with intrusion detection/prevention (IDS/IPS) then you will save money by just using the Windows firewall, which is a quality firewall. No frills. Any other firewall product without any of these more advanced features will just achieve the same thing and cost you money.

 

For a decent AV with a firewall with IPS; Eset Smart Security is the best bet. Otherwise stick with Windows firewall and just an Antivirus product from the company you like. Don't buy their internet security suite, just the plain old AV.


Best software firewall is an oxymoron.

If you want a GOOD firewall, install some firewall software on an old PC or Raspberry Pi. Hardware is the only way to go.

Also, there is a firewall built into Windows that will do what you're going to 'add' by installing more software.

And your modem will already have SPI and NAT protection too.

 

 

Your best bet in sensible security is still AVAST free, Windows firewall, and some adblocking of some sort.

 

I add peerblock to the mix personally too.


Best software firewall is an oxymoron.

If you want a GOOD firewall, install some firewall software on an old PC or Raspberry Pi. Hardware is the only way to go.

That would be a software firewall.


Not in common terms, it wouldn't, no.

A hardware firewall is a dedicated piece of hardware, solely tasked to... be a firewall.... and is put after your WAN connection, and before your LAN as a gateway.

A Raspberry Pi (with 2nd card) or an old PC running, say, ipCOP is hardware. I can physically touch the device, that is my firewall (and only my firewall).

Good reading since you don't get it :)

http://www.smallbusinesscomputing.com/webm...vs-Software.htm

Edited by Master_Scythe


I read your link and it doesn't mention using a PC as a firewall.


If you want to be pedantic all firewalls are, in a sense, 'software' firewalls, coz even in a device specifically built just to be a firewall it's still software running from ROM chip or whatever.

 

But that's missing the point. Master_Scythe is correct. 'Software Firewall' is application software running on the client/end-user PC. 'Hardware firewall' is a device sitting between the client/end-user PC and the network. Modem/router with Firewall functionality is a 'Hardware Firewall'. A separate PC dedicated to just running firewall software is a 'Hardware firewall'. etc etc etc.


Okay then.

 

Anyway, a hardware firewall is not always practical, especially when you are travelling with a laptop computer.

 

"Best software firewall" is not an oxymoron. Some software firewalls are better than others and I want to know which is the best, hence the thread.


As already said, most software firewalls don't really give any better protection than the built-in Windows Firewall already provides. And also, as already said, ESet is probs best of the consumer-level offerings.


I'll start by saying, yes, it does mention using computers as a firewall; not a "Personal Computer" (PC) as you're saying, but I never said that. All modems, routers, firewalls, etc. are computers. When you use a fully fledged x86 (or even really good ARM) you get a LOT more power spare, so you can run pretty GUIs and more features.

If you're travelling with a laptop computer, then you're not going to have the same IP long enough to be targeted by anything with half a brain for the months it might take to 'get in'. Even if you're swept by a port scan or fifty, if you don't have trojans you'll be fine.

You do realise that to be 'hacked' you need to be running something that's 'broken', right? You can't just find a PC, and 'hack it'. It needs, say, an old version of SQL Express, so you can inject it... or bad VPN software, streaming media player with overflow vulnerabilities, or something like that.

 

 

Anyway enough beating around the bush:

The best software firewall for a Windows PC is Windows Firewall. It's extremely configurable with easy to read rule sets and comprehensive program list. It takes up practically 0 system resources, and 99% of all 'network aware applications' know what Windows Firewall is, and won't conflict with it.

Since a software firewall is so limited in what it can do (regardless of what it claims); and since Windows Firewall does every required task; and since it's free, with almost ZERO overhead; it wins hands down.

I personally don't run one, since my router has NAT and SPI (as they all do), and I don't run broken software. I'm at no risk.

Edited by Master_Scythe


How do you know you don't run broken software? Do you think that no more vulnerabilities will be found in the software you use?

 

 

Regarding Eset, how do you know it is the best? Have you guys seen a comparison?


Because all the software I run works over standardised protocols. They haven't had flaws found in my lifetime so far; and when they do (since they're so common) there will be plenty of news around it.

So yes, I think that no more will be found. Though it's not impossible (STEAM I think is the biggest risk). And in that unlikely event, I'll patch said software.

Besides, if you want to be technical, my router (like all of them) has NAT and SPI, so I do already run 2 types of security.

And besides, simply leaving Windows firewall on default settings stealths all your unused ports, so it's just as good as any commercial software wall.

 

 

I'm going to be blunt because I don't understand your posting habits.

Why do you ask a question, then argue with the people who have more knowledge on the subject than yourself?

 

This entire discussion is retarded.

If you have a need for honest to god serious firewalling, you'd run a hardware one.

If you travel a lot, you'd use no software firewall, and just Tunnel to get 'home' and use the same hardware one.

If you want software; then clearly your firewalling needs aren't very important; YET you want to talk like they are?

 

You know what; another question:

What do you want your firewall to do?

Please explain in detail; not just one line. Include protocols and software examples if possible.

Once we know what you're trying to do with it, we'll be able to best advise you on if hardware is the only solution, or if a feature is missing from the default firewall, or if your expectations are even on par.

 

Regarding Eset, how do you know it is the best? Have you guys seen a comparison?

It's 'good'; there is no way to know if it's 'best' (whatever that means to you; we'll see when you answer my question).

It's pretty easy to test; install the firewall; pick your favorite set of penetration testing tools, and have at it. If you can hack yourself, so can others.

If you can't; then others likely can't too.


TBH if you are running Windows 7 or above just use the firewall that comes with it.

Most of the extras you get with commercial firewalls are generally just things like AV or, if you're lucky, some hack job IDS.

Set the firewall to block all incoming and outgoing then just allow the specific programs or ports / protocols you want to use.

And yes, sticking a Linux distro onto a dedicated box makes it as much a hardware firewall as Cisco PIX or a Juniper firewall; the only difference is the hardware used and the software that implements the filtering.


Yep; but we'll see when he answers the

"What do you want your firewall to do? "

question. Since he clearly has a feature set or a task in mind that the Windows firewall won't work for.


This is the part where he never returns to his own thread...

I always try to come back and thank whomever has helped.


So what is this flawless operating system you use, MS?

 

What do you want your firewall to do?

Intrusion prevention and intrusion detection at least. I don't know a lot about the subject which is why I started the thread. I don't know how to answer in more than one line other than to communicate that I don't know how to answer in more than one line which would just waste everyone's time.

 

Is a gateway computer that does lots of things including firewalling a hardware firewall or a software firewall?


So what is this flawless operating system you use, MS?

 

What do you want your firewall to do?

Intrusion prevention and intrusion detection at least. I don't know a lot about the subject which is why I started the thread. I don't know how to answer in more than one line other than to communicate that I don't know how to answer in more than one line which would just waste everyone's time.

 

Is a gateway computer that does lots of things including firewalling a hardware firewall or a software firewall?

 

The problem with recommending the "best" firewall is that all firewalls are technically the same. They enforce a network policy either at the network level or on specific machines. Any modern firewall will filter packets based on a policy. Most come with a predefined policy with various degrees of strictness. Most professional firewalls will block everything in and out as a default policy. It is then up to the administrator to configure the policy to their needs.

A "Gateway" would be a machine that is set up to filter/route traffic coming from one network into another (usually internet to an internal network). A gateway machine can be a purchased device from a company or you can build one yourself. One could say that a hardware firewall is a dedicated machine and a software firewall is software running on a client operating system, however everything runs in software no matter what type of deployment you take. Functionality to the software can be expanded with additional software to make it more "feature rich", for example:

* Spam filter
* Antivirus
* IDS (see below)
* IPS (see below)
* QOS
* Reporting and logging
* NTP
* NAT
* Web filtering

and much much more.

 

Most home users are behind a router which employs NAT. That means that all inbound traffic that hasn't been initiated (that you haven't started/asked for) will be dropped. So for most the Windows firewall or a 3rd party firewall is usually what's used on each specific machine. The Windows firewall in nearly all cases is more than good enough.

 

Intrusion Detection (IDS) and Intrusion Prevention (IPS) systems are functionality that firewall software/devices can implement. Most perimeter defense (gateway) machines have something like this implemented. However it's worth noting that systems implementing IDS and/or IPS can degrade throughput as each packet and session is inspected for malware/exploits.

I think what you want is good protection for your personal device. In that case I still suggest what I mentioned in post #2. Use the Windows Firewall with your favorite antivirus or buy Eset Smart Security. The reason I suggest Eset Smart Security is because I have used it before and found it to be a high quality product. It also has good reports from system administrators in corporate environments, both from people I know and on forums such as SpiceWorks.

Firewalls aren't magic, they follow a paradigm for network protection. Any modern firewall will give you as much protection as its policy allows.

Edited by smakme7757


Most home users are behind a router which employs NAT. That means that all inbound traffic that hasn't been initiated (that you haven't started/asked for) will be dropped.

You thinking of stateful packet inspection (SPI)?
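The NAT versus SPI distinction raised in the two posts above, as an added example that is not part of the original thread: a toy Python model in which NAT only translates addresses and SPI only filters by connection state. The class names, addresses and ports are constructed, and the NAT is assumed to use the most permissive filtering behaviour (endpoint-independent, often called "full cone") so that what NAT alone guarantees is visible.

```python
# Toy model: constructed addresses/ports; real routers track far more state.
from dataclasses import dataclass, field


@dataclass
class Nat:
    """Port-translating NAT with endpoint-independent filtering (assumed)."""
    next_port: int = 40000
    by_inside: dict = field(default_factory=dict)   # (lan_ip, lan_port) -> wan_port
    by_outside: dict = field(default_factory=dict)  # wan_port -> (lan_ip, lan_port)

    def outbound(self, lan_ip, lan_port):
        key = (lan_ip, lan_port)
        if key not in self.by_inside:
            self.by_inside[key] = self.next_port
            self.by_outside[self.next_port] = key
            self.next_port += 1
        return self.by_inside[key]

    def inbound(self, wan_port):
        """Return the LAN endpoint for a WAN port, or None (nowhere to deliver)."""
        return self.by_outside.get(wan_port)


@dataclass
class Spi:
    """Stateful filter: inbound is allowed only as a reply to a tracked flow."""
    flows: set = field(default_factory=set)

    def outbound(self, wan_port, remote_ip, remote_port):
        self.flows.add((wan_port, remote_ip, remote_port))

    def allows_inbound(self, wan_port, remote_ip, remote_port):
        return (wan_port, remote_ip, remote_port) in self.flows


def deliver(nat, spi, remote_ip, remote_port, wan_port):
    """Decide what happens to one inbound packet; spi=None means NAT only."""
    if spi is not None and not spi.allows_inbound(wan_port, remote_ip, remote_port):
        return "dropped by SPI"
    target = nat.inbound(wan_port)
    if target is None:
        return "dropped: no NAT mapping"
    return f"forwarded to {target[0]}:{target[1]}"


def demo():
    nat, spi = Nat(), Spi()
    # A LAN host opens a connection to a web server (both addresses constructed).
    wan_port = nat.outbound("192.168.1.10", 51000)
    spi.outbound(wan_port, "198.51.100.7", 443)
    return {
        "reply, NAT only": deliver(nat, None, "198.51.100.7", 443, wan_port),
        "reply, NAT+SPI": deliver(nat, spi, "198.51.100.7", 443, wan_port),
        "unsolicited port, NAT only": deliver(nat, None, "192.0.2.66", 4444, 22),
        "stranger to mapped port, NAT only": deliver(nat, None, "192.0.2.66", 4444, wan_port),
        "stranger to mapped port, NAT+SPI": deliver(nat, spi, "192.0.2.66", 4444, wan_port),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:36} -> {verdict}")
```

In this model NAT drops unsolicited traffic only because no mapping exists for the port; once a mapping is open, it is the stateful check that rejects packets from a host the LAN machine never contacted.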


Most home users are behind a router which employs NAT. That means that all inbound traffic that hasn't been initiated (that you haven't started/asked for) will be dropped.

You thinking of stateful packet inspection (SPI)?

 

NAT and SPI are two separate things.

 

Generally for a home user you won't be allowing external access to anything, if you are let us know and we might be able to help with that.

 

Most basic firewalls you are going to get for a Windows machine just simply block all connections inbound and then allow you to specify programs / ports that are allowed in addition to a basic list of common protocols allowed out by default.

 

IDS will detect any anomalous activity but provide no protection, IPS is just IDS that actually acts on the information.

 

I would say with no uncertainty that any basic IDS/IPS you get will be pretty much useless, we run snort at my work running in IPS mode along with things like AIDE, Tripwire, SELinux.... etc.

 

For you as a home user if you are not forwarding ports the main threats you will have are browser exploits, worms and viruses.

 

I would get a basic firewall pretty much anything will do and a decent antivirus, you really don't need anything more.

 

If you are really paranoid then get yourself a spare box and a minimal Linux distro (Debian would do fine) and set it up as a gateway firewall and hand build the iptables ruleset.

Add on the things I've mentioned (snort, AIDE, Tripwire...etc) and follow the Debian security manual http://www.debian.org/doc/manuals/securing...o/index.en.html.

 

Then add some integrity checking to the workstation and keep the checksums of the files on an external media such as a DVD.

 

Remove any software you really don't need and then see if you can search out hardened versions of the ones you do.

 

I don't know if you can sandbox programs in windows like in the way you can chrootjail services on *NIX but see if you can do that.

 

The real question you need to answer is what threats are you trying to protect against? A 13 year old script kiddy that didn't like getting beaten on some game, some random person scanning for exploitable machines or a full blown attack by an advanced persistent threat?

 

That is what will determine the level of security you will need.
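The integrity-checking suggestion in the post above (checksums kept on external media), as an added example that is not part of the original thread: a minimal SHA-256 baseline-and-verify routine in the spirit of AIDE or Tripwire. The function names, the JSON layout and the sample files are constructed for illustration, and a second temporary directory stands in for the DVD.

```python
# Minimal file-integrity baseline; names and JSON layout are made up.
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                result[os.path.relpath(full, root)] = hash_file(full)
    return result


def write_baseline(root, baseline_path):
    with open(baseline_path, "w", encoding="utf-8") as fh:
        json.dump(snapshot(root), fh, indent=2, sort_keys=True)


def verify(root, baseline_path):
    """Compare the tree against the stored baseline."""
    with open(baseline_path, encoding="utf-8") as fh:
        old = json.load(fh)
    new = snapshot(root)
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "removed": sorted(p for p in old if p not in new),
        "added": sorted(p for p in new if p not in old),
    }


def demo():
    """Constructed sample tree: baseline it, tamper with it, then verify."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as media:
        for name, data in {"app.exe": b"v1", "config.ini": b"a=1", "old.dll": b"x"}.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        baseline = os.path.join(media, "baseline.json")  # stands in for the DVD
        write_baseline(root, baseline)
        with open(os.path.join(root, "app.exe"), "wb") as fh:
            fh.write(b"v1-patched")                      # simulated tampering
        os.remove(os.path.join(root, "old.dll"))
        with open(os.path.join(root, "dropper.exe"), "wb") as fh:
            fh.write(b"?")
        return verify(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline is only trustworthy if it is written while the system is known to be clean and then kept somewhere the workstation cannot modify, which is the point of the write-once media in the post.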


What does "*NIX" mean?

 

Some software like Comodo has a "sandboxing" feature.

 

I know NAT and SPI are two different things.

 

TBH if you are running Windows 7 or above just use the firewall that comes with it.

What firewall should Vista users use?


*NIX simply stands for any OS which operates similarly to Unix. The Linux distros, Mac OS 10.5 or later, BSD, etc etc etc....

 

 

Vista Firewall is basically same thing as Windows 7 firewall. (That's coz, despite what peeps like to think, Windows 7 is basically same thing as Vista, just with a few things tidied up a bit.) Windows 7 Firewall only adds MAC source/destination filtering to the mix.

 

 

You really DO need to let people know what kind of harm you're trying to protect against. Coz sounds to me like you're just throwing out some buzz-words you've heard, without really understanding them, and assuming that they're what you need. It's quite possible, for example, that the problems you're trying to avoid are ones of your own making, which no 'Firewall' could adequately protect you against. A Firewall can't protect you against stuff you've already allowed on the computer, so if you have (even inadvertently) allowed software to be installed which opens an already authorised connection then the Firewall is kinda buggered!

 

 

I'd suggest you do this, for the level of protection a private/personal user needs:

 

  • Stop paying heed to the scare-mongering you see in TV/Movie depictions of internet threats, and in the marketing hype of security software publishers.
  • Use a modem/router with (at minimum) NAT Firewall protection.
  • Bung UAC back up a notch to 'Always Notify'. You'll get more prompts, but amongst them will be prompts regarding programs which are trying to install additional software and/or make system changes. A quick googlecheck and you're alerted to unwanted and/or potentially harmful sneak-ins.
  • Use Windows Firewall, in combination with an easy-interface add-on such as Windows Firewall Notifier. (The add-on doesn't extend the capabilities - it merely simplifies the firewall configuration for both inbound and outbound connections.)
  • Install and use decent antivirus/anti-malware software, and have it configured for background scanning. (MSE is best of the freebies, and better than some of the commercial offerings.)

With that level of protection you've basically already covered all bases. Unless, maybe, the 'potential harm' you're trying to protect yourself is realistic and introduced by some activity outside the range of normal, everyday computer usage.


  • Stop paying heed to the scare-mongering you see in TV/Movie depictions of internet threats, and in the marketing hype of security software publishers.
  • Use a modem/router with (at minimum) NAT Firewall protection.
  • Bung UAC back up a notch to 'Always Notify'. You'll get more prompts, but amongst them will be prompts regarding programs which are trying to install additional software and/or make system changes. A quick googlecheck and you're alerted to unwanted and/or potentially harmful sneak-ins.
  • Use Windows Firewall, in combination with an easy-interface add-on such as Windows Firewall Notifier. (The add-on doesn't extend the capabilities - it merely simplifies the firewall configuration for both inbound and outbound connections.)
  • Install and use decent antivirus/anti-malware software, and have it configured for background scanning. (MSE is best of the freebies, and better than some of the commercial offerings.)

^ This.

 

There is not much more you need to do than that.

 

The above is going to protect you from 99% of issues you are likely to face.

 

I would also recommend running Chrome as your browser as it seems to be the "more" secure browser, more being subjective but in most of the paid attempts to exploit browsers it seems to have fewer exploits found.


I would also recommend running Chrome as your browser as it seems to be the "more" secure browser, more being subjective but in most of the paid attempts to exploit browsers it seems to have fewer exploits found.

 

I'd actually dispute that advice too, especially when provided to a seemingly naïve end-user.

 

For starters, that subjective bit. When you look a bit deeper into the 'evidence' often trotted out to support such claims, imo it more often than not stems from events sponsored by/run by Google, and from research commissioned by Google. Google, in other words, sets the terms of reference from which conclusions are drawn.

 

For seconds, it's not actually true that IE-alternatives are "more secure" in real-world usage. It used to be true, but that's a relic of Windows XP/IE6 days. Software technologies used in more recent versions of IE consistently have it performing best of the browsers at blocking actual 'known' malicious intrusions, and the security update service provided by Microsoft is pretty damned good at blocking new exploits before they become actual real-world threats.

 

2013 overview of Browser security provided by NSS Labs, for example, found IE to be the most effective browser with respect to malware intrusion. Context Agnostic Malware Protection technology included in IE blocked 99.96% of the large sample (700+) of malware exploits thrown at it, whilst Chrome's version of the technology had it at 83.16% effectiveness. (Firefox and Opera, which rely upon url lists, exhibited success rates of ~10%.) Take CAMP out of the equation, and IE still displays a block rate of 83.17% using url reputation alone, whilst Chrome drops back to the pack with around 10% effectiveness too.

 

All of that's pretty much by-the-by, of course, when it's a genuinely tech-savvy end-user who maintains safe browsing habits meticulously. Add-ons can be found to add missing capabilities to browsers natively lacking them, and religious diligence to safe browsing habits is best protection of all. But, let's face it, even on forums like this we find a substantial amount of peeps who've "heard stuff" rather than "know stuff", and genuinely tech-savvy peeps don't generally have to post up threads like this'n. When you examine the "IE sucks!" nerdrage (with respect to browser security) more closely, it doesn't really stand up to scrutiny. Instead, it stems from tremendously outdated information, and a general resentment at having choice removed in Corporate environs.

 

 

In truth, the best 'security advice' you could provide to more naïve end-users with respect to browser choice would be "Use IE, keep it updated, and don't disable its safety features."

