About to get Broadband : Adequate Firewall protection

Discussion in 'PC hardware help' started by brian100, Aug 5, 2004.

  1. brian100

    brian100 Guest

    Hiya all.

My bumblef**k neighbourhood telephone exchange has FINALLY been upgraded to allow broadband connection.

I have jumped on the bandwagon, but need some advice on adequate firewall protection for my system.

    I will not be using any p2p file sharing applications whatsoever.

    Would a software firewall IE Zonealarm be ok or would I need some fancy hardware doohicky? Or perhaps a mixture of both?

Any advice would be greatly appreciated.

    many thanks in advance.
     
  2. drchips

    drchips Active member

    Joined:
    Nov 29, 2003
    Messages:
    870
    Likes Received:
    0
    Trophy Points:
    66
    Hi brian,

    Might I STRONGLY suggest both a hardware and a software solution, for the following reasons:

    Hardware is invariably based on LINUX (uCLinux in most embedded solutions), SMOOTHWALL is professional level protection.

    This will allow you full control over INCOMING connections.

    A software firewall on your pc will then not have to handle incoming and can then be used to concentrate on OUTGOING requests.

    possibilities are:

    1 - ADSL ROUTER as the hardware part with a personal firewall as the software part, e.g.:
    [bold]Mercury ADSL Router[/bold]
    http://www.kobian.com/products.php?productid=376

    [bold]Mentor ADSL Router[/bold]
    http://www.gladiatorcomputers.com/support/index.php?page=22&code=MODMENADSLROUT1

    Both the above are available from many different dealers online, I have used both but if you have support issues the Mercury (KOBIAN) has MUCH better support.

    Both are easy to setup & administer.

    Both are available from a supplier I use
    http://www.anglianinternet.co.uk

    2 - If you have an old pc lying around, download SMOOTHWALL EXPRESS
    http://www.smoothwall.org/

    very good, very easy to setup & administer etc.

    If you need to know more, let me know..

    Have Fun...
    _X_X_X_X_X_[small]Life is just more of the same:[/small]
     
    Last edited: Aug 5, 2004
  3. sly_61019

    sly_61019 Senior member

    Joined:
    Jun 28, 2003
    Messages:
    9,325
    Likes Received:
    0
    Trophy Points:
    116
Yeah, I suggest a router also. Not only do they have good firewalls, you can also share your internet connection with other computers in your house (if you have more than 1). I have a Linksys router and it works great.
     
  4. brian100

    brian100 Guest

    Drchips & Sly

Many thanks for the, as usual, expert advice! I will follow your recommendations to the letter.

    I will purchase the item that you recommended. I will keep you updated as to how I get on.

    Cheers again lads.

     
  5. agent-k

    agent-k Regular member

    Joined:
    Apr 8, 2004
    Messages:
    492
    Likes Received:
    0
    Trophy Points:
    26
    Hey lads,
this may come as a surprise but I've tried about seven different firewalls and run each one of them through the Symantec security check.
    The only one that gave me a 100% perfectly safe score was the Windows own XP firewall.
    Apparently my computer is completely invisible on the internet and when scanned does not scan back which would give itself away.
    All I use is Norton Antivirus 2004 and the XP firewall. I don't want to speak too soon but I've never picked up a virus or any other problem and my pc is on broadband about 20 hours a day.
     
  6. drchips

    drchips Active member

    Joined:
    Nov 29, 2003
    Messages:
    870
    Likes Received:
    0
    Trophy Points:
    66
    [bold]agent-k[/bold],
    each of which would be a SOFTWARE firewall running on your own workstation, yes??
    would you consider a sample size of seven to be representative?
    a reasonable quick-n-dirty check, you could also try the ShieldsUP! test from GRC.COM for another basic test (NOTE: they only test incoming!!!)
    Hahaha..
    What a paragon of security WindowsXP firewall is !LOL!

    The proposal put forward was for the firewalling functions to be split between a hardware solution for INCOMING (NAT, Firewall & Routing etc....) and a PROPER software firewall/IDS-type solution on the pc to take care of OUTGOING connection requests & authorisations - WindowsXP firewall DOES NOT DO ANY CHECKING of outgoing requests...

    If you want to learn about decent firewall/security solutions (not mickey-mouse ones) you will have to do a LOT of reading...

    BEFORE you get all miffed and fire off a reply, consider the possibility that I might be someone who deals with network security (and the breaking of same) as a job.

    Have Fun...
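The split drchips describes (a perimeter device that refuses unsolicited incoming connections, plus a host firewall that vets outgoing ones per program) can be modelled in a few lines. This is an added illustration, not code from the thread or from any of the products named in it; the rule sets, program names, port numbers and connection attempts are all constructed for the example. The third attempt shows the difference between the two host-firewall behaviours discussed: an incoming-only host firewall (the XP behaviour described above) lets an unapproved program's outbound connection through, while a host firewall with outbound control stops it.

```python
"""Two-layer firewall model: stateful perimeter filter + host outbound control.

Constructed example. Layer 1 plays the router/Smoothwall role (drop new
INCOMING, allow OUTGOING and established replies). Layer 2 plays the
personal-firewall role: a new OUTGOING connection is allowed only when the
originating program is on an allow-list for that protocol/port. Setting
host_outbound_control=False models a host firewall that only checks incoming.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    direction: str   # "in" or "out", relative to the home LAN
    proto: str       # "tcp" or "udp"
    dport: int       # destination port
    program: str     # process that owns the socket (meaningful on the host only)
    state: str       # "new" or "established"


def perimeter_filter(c: Conn) -> bool:
    """Router layer: stateful, direction-based. True means accept."""
    if c.state == "established":
        return True                # replies to connections the LAN opened
    return c.direction == "out"    # new connections only permitted outbound


# Hypothetical allow-list: program -> set of (proto, port) it may open.
OUTBOUND_ALLOWLIST = {
    "browser.exe": {("tcp", 80), ("tcp", 443)},
    "mail.exe": {("tcp", 25), ("tcp", 110)},
}


def host_filter(c: Conn, allowlist: dict) -> bool:
    """Personal-firewall layer with outbound control. True means accept."""
    if c.direction == "in":
        return c.state == "established"
    return (c.proto, c.dport) in allowlist.get(c.program, set())


def evaluate(c: Conn, host_outbound_control: bool = True):
    """Return (verdict, layer) for one connection attempt."""
    if not perimeter_filter(c):
        return ("drop", "perimeter")
    if not host_outbound_control:
        # Incoming-only host firewall: the perimeter already handled incoming,
        # and nothing inspects which program is opening outbound connections.
        return ("accept", "host-incoming-only")
    if not host_filter(c, OUTBOUND_ALLOWLIST):
        return ("drop", "host")
    return ("accept", "host")


# Constructed sample traffic.
ATTEMPTS = [
    Conn("in", "tcp", 445, "-", "new"),                  # unsolicited probe from the Internet
    Conn("out", "tcp", 443, "browser.exe", "new"),       # approved program, approved port
    Conn("out", "tcp", 6667, "unknown_tool.exe", "new"), # program not on the allow-list
    Conn("in", "tcp", 443, "browser.exe", "established"),# reply to the browser's request
]


def run(host_outbound_control: bool = True):
    """Evaluate every sample attempt through both layers."""
    return [evaluate(c, host_outbound_control) for c in ATTEMPTS]


if __name__ == "__main__":
    for label, flag in (("with outbound control", True), ("incoming-only host firewall", False)):
        print(label)
        for c, verdict in zip(ATTEMPTS, run(flag)):
            print(f"  {c.direction:>3} {c.proto}/{c.dport:<5} {c.program:<16} -> {verdict}")
```

The unsolicited probe is dropped at the perimeter in both configurations, which is why a ShieldsUP-style test (incoming only) cannot tell the two host setups apart; only the third attempt exposes the gap.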
     
  7. brian100

    brian100 Guest

    Dr chips

This software firewall you mentioned "SMOOTHWALL EXPRESS". How does it compare to existing software firewalls? Not that I don't trust you, but I would be very interested in your opinion.

    Thanks in advance.

That router is a good price at £45, I ordered one tonight.
     
  8. agent-k

    agent-k Regular member

    Joined:
    Apr 8, 2004
    Messages:
    492
    Likes Received:
    0
    Trophy Points:
    26
    drchips,

    yes.

    I prefer to try them and test them firsthand rather than read about them.

    I never doubted your authority on the matter. I was simply relaying my experiences and taking part in the thread, hoping to learn from it.
    And I have, thanks mainly to you.
     
  9. drchips

    drchips Active member

    Joined:
    Nov 29, 2003
    Messages:
    870
    Likes Received:
    0
    Trophy Points:
    66
    [bold]Brian[/bold],

    The Smoothwall Express was an alternative to a hardware router:

    basically you use an old/redundant pc, put a network card & ADSL modem on it & load up the software.

    The software is a custom configured version of Linux that can be configured/controlled from your pc
    - it is a hardened (security-wise) setup and provides ALL the functionality of a hardware router/firewall/NAT etc.

    As you have ordered a router, Smoothwall is of no use to you.

    You can use whatever software firewall you want on your own pc, as the router takes over the job of handling all INCOMING.

    My personal choice is Kerio Personal Firewall V4.

    There are updated versions of that firewall about, but they look and act a bit too much like Norton/McAfee/ZoneAlarm etc. etc.
    (pretty buttons, fancy GUI and designer skins that get in the way of the job of administering)

    BTW; Norton, McAfee & ZoneAlarm have all had security vulnerabilities published - so they cannot be relied upon to be the primary/only defence.

    In simple terms my systems are such:

    Cable Modem -> Hardware Router (NAT/Firewall/Router/DoS protection) running uCLINUX
    Hardware Router -> Bandwidth Arbitrator (pc running custom Linux with Firewall)
    Bandwidth Arbitrator -> Switch -> rest of network

    Sitting on the network is an IDS (intrusion Detection System) with permission to break the internet link if it detects a break-in.

    Each pc (workstation/server) also runs Kerio Personal Firewall in NON-TRUSTED mode (paranoid) AND TRUST-NO-EXE in paranoid mode.

    Never mind all the anti-spyware/anti-trojan etc stuff on each machine.

    Any malicious code has to beat 3 DIFFERENT firewalls, on at least 3 different machines, all of which are paranoid - as well as the IDS etc...

    I take my security seriously !LOL!

    [bold]agent-k[/bold],
    Good on ya, a healthy attitude.
    If only there were more people like yourself on the internet, willing to learn, interested in security & how things work...

    Unfortunately there are MILLIONS of Joe-Sixpacks out there, who connect their machines to the internet with NO thought whatsoever about security

    - RESULT: millions of 0Wn3D machines, DDoS'ing, spamming, spreading viruses and other exploits.

    And the horrible thing is: most of those idiots DON'T WANT to learn, or plain JUST DON'T CARE!!!!

    You have to have training, licence & insurance to drive a car; why not a pc on the internet??

    My apologies to you guys for ranting, but that is one of my pet hates :-o

    Have Fun...
     
  10. brian100

    brian100 Guest

    Dr chips

    Thanks for the detailed explanation. The "penny" has finally dropped for me. I have had suspicions about Zonealarm & Norton in the past.

    Many thanks.

PS. I sometimes get the impression that you've forgotten more about PCs than I will ever know. It's depressing, to tell the truth, but I will have to live with it.
     
  11. drchips

    drchips Active member

    Joined:
    Nov 29, 2003
    Messages:
    870
    Likes Received:
    0
    Trophy Points:
    66
    Yeah, maybe...

    There is only so much that the mind can reasonably hold, and I have filled mine with technical stuff.

    As a result I am cr*p at dealing with people!!

    Swings & roundabouts....

    Have Fun...
     
  12. GrandpaBW

    GrandpaBW Active member

    Joined:
    Feb 28, 2004
    Messages:
    3,730
    Likes Received:
    17
    Trophy Points:
    68
    drchips, I have cable modem broadband. I use the Windows XP firewall, and the firewall on my Linksys router (WRT54G).

    I ran some tests at Shieldsup, with both of the above mentioned, in place. The result was Stealth status.

    When I ran the test with either one of them down, I failed. With both down, I failed.

    Should I be doing more than I am, with both firewalls up? I would tell you that I play one game online, and for the folks that I play with, I use DMZ, but I know you would shoot me. LOL I don't know how to open ports, even though I have read which ones to open.
     
  13. agent-k

    agent-k Regular member

    Joined:
    Apr 8, 2004
    Messages:
    492
    Likes Received:
    0
    Trophy Points:
    26
    drchips

I tried that ShieldsUP and that's the one that gave me the 'perfect' status.
    But following your advice I have just installed Kerio Personal Firewall version 4. I have used this before but after one of my regular reformats never bothered to put it back in as I couldn't see the point when the XP one was doing such a good job.
    It was only after you pointed out that the XP firewall only protects from incoming stuff that I re-installed Kerio to protect from outgoing stuff.
    Not explaining this very well am I?

    Anyway, this is my new question:
    When I tried various firewalls in the past I noticed that some of them significantly slowed down my internet browsing.
    When I use the Kerio one it seems to be a lot faster.
    Why is this?
    And is this one of the reasons why it's one of your personal favourites?
     
  14. drchips

    drchips Active member

    Joined:
    Nov 29, 2003
    Messages:
    870
    Likes Received:
    0
    Trophy Points:
    66
    [bold]GrandpaBW[/bold],

    As you say you don't know how to open ports, I assume you know very little about how your router works & is set up (if that is not the case, let me know).

    Putting yourself into the DMZ with only the XP firewall as protection is a [bold]NO-NO[/bold].

    Ideally you would have the Linksys set:
    as a Gateway,
    radio off,
    no DHCP,
    uPnP DISABLED,
    MAC filtering ON (your pc in the MAC table, natch!),
default Linksys passwords CHANGED,
    remote administration DISABLED,
    block WAN requests ENABLED.
    etc.
    etc.
    with your pc linked to the linksys via one of the RJ45 ports,
    your pc with a static I.P. (correct subnet/gateway etc),
    NOT running under Administrator account,
    Administrator account password changed,
    proper software firewall.
    etc.
    etc.

    If your pc is connected to the Linksys using Wireless:
    radio on,
    wireless MAC filtering ON (your pc in the table),
    SSID changed,
    SSID broadcast disabled,
    shared key authentication,
    WPA pre-shared key.
    etc.
    etc.

    Those are the requirements for BASIC security [bold]BEFORE[/bold] you consider opening ports for gaming etc..

    As you have probably guessed by now, it is a tad complicated (especially so when using wireless).

    Setting the whole thing up properly is a step-by-step process, skip a step (or use the wrong settings) and it either won't work right OR you are vulnerable...

    If you are prepared for considerable work and the frustration when it doesn't work right straight away, then it can be done....

    Have Fun..
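The checklist above is easy to skip a step of, as drchips warns, so here is an added example of checking a configuration against it mechanically. This is not code from the thread or from Linksys: the configuration is a plain dictionary whose key names are invented for the example (the WRT54G's real settings live in its web interface and are named differently), and the two sample configurations are constructed. The logic follows the post: the wireless items only apply when the PC is attached by wireless, and the "radio" rule flips accordingly; GrandpaBW's DMZ arrangement is included as a finding.

```python
"""Audit a home router / PC setup against the checklist in the post above.

Constructed example. Key names in the config dict are hypothetical; adapt the
mapping to whatever your router's interface actually exposes.
"""

# Placeholder: put the factory default password(s) for YOUR model here.
DEFAULT_ROUTER_PASSWORDS = {"FACTORY-DEFAULT-PASSWORD"}


def audit(cfg: dict) -> list:
    """Return a list of findings; an empty list means the checklist is satisfied."""
    wireless = cfg.get("pc_attached_via") == "wireless"
    checks = [
        (cfg.get("mode") == "gateway", "router not in Gateway mode"),
        # Radio off for a wired PC, on only if the PC actually uses wireless.
        (bool(cfg.get("radio_on")) == wireless,
         "radio should be %s" % ("on" if wireless else "off")),
        (not cfg.get("dhcp_server"), "DHCP server enabled"),
        (not cfg.get("upnp"), "UPnP enabled"),
        (bool(cfg.get("mac_filtering")) and cfg.get("pc_mac") in cfg.get("mac_table", ()),
         "MAC filtering off or PC's MAC not in the table"),
        (cfg.get("admin_password") not in DEFAULT_ROUTER_PASSWORDS,
         "default router password unchanged"),
        (not cfg.get("remote_admin"), "remote administration enabled"),
        (bool(cfg.get("block_wan_requests")), "block WAN requests disabled"),
        (bool(cfg.get("pc_static_ip")), "PC not using a static IP"),
        (not cfg.get("pc_runs_as_admin"), "PC used under the Administrator account"),
        (bool(cfg.get("pc_admin_password_changed")), "PC Administrator password unchanged"),
        (bool(cfg.get("pc_software_firewall")), "no software firewall on the PC"),
        (not cfg.get("dmz_host"), "PC placed in the DMZ"),
    ]
    if wireless:
        checks += [
            (cfg.get("ssid") != cfg.get("default_ssid"), "SSID still the default"),
            (not cfg.get("ssid_broadcast"), "SSID broadcast enabled"),
            (bool(cfg.get("wireless_mac_filtering")), "wireless MAC filtering off"),
            (bool(cfg.get("wpa_psk_set")), "WPA pre-shared key not set"),
        ]
    return [msg for ok, msg in checks if not ok]


# Constructed: a wired PC on a router left mostly at factory settings, plus DMZ.
AS_FOUND = dict(
    mode="gateway", pc_attached_via="wired", radio_on=True, dhcp_server=True,
    upnp=True, mac_filtering=False, pc_mac="00:11:22:33:44:55", mac_table=[],
    admin_password="FACTORY-DEFAULT-PASSWORD", remote_admin=False,
    block_wan_requests=True, pc_static_ip=False, pc_runs_as_admin=True,
    pc_admin_password_changed=False, pc_software_firewall=True, dmz_host=True,
)

# Constructed: a wireless PC with every item on the checklist applied.
HARDENED = dict(
    mode="gateway", pc_attached_via="wireless", radio_on=True, dhcp_server=False,
    upnp=False, mac_filtering=True, pc_mac="00:11:22:33:44:55",
    mac_table=["00:11:22:33:44:55"], admin_password="REPLACE-WITH-STRONG-PASSPHRASE",
    remote_admin=False, block_wan_requests=True, pc_static_ip=True,
    pc_runs_as_admin=False, pc_admin_password_changed=True,
    pc_software_firewall=True, dmz_host=False, ssid="home-net-example",
    default_ssid="factory-default-ssid", ssid_broadcast=False,
    wireless_mac_filtering=True, wpa_psk_set=True,
)

if __name__ == "__main__":
    for name, cfg in (("as found", AS_FOUND), ("hardened", HARDENED)):
        findings = audit(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run it against the as-found configuration and the DMZ entry, the default password and the radio being on for a wired PC all show up together, which is the "skip a step and you are vulnerable" point made above.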
     
  15. drchips

    drchips Active member

    Joined:
    Nov 29, 2003
    Messages:
    870
    Likes Received:
    0
    Trophy Points:
    66
    [bold]agent-k[/bold],
    Quite common.
(quite used in the English sense - more than noticeable, but not drastically so:
Americans use the word "quite" in a different sense - very noticeable, critical, important)
Definitely so
    Lack of fancy cr*p in the GUI?
    Better core engine?
    Concentration on the core of the program as opposed to other "functionality"?
    One of the reasons...

    I have been using it (and its predecessors) for a number of years, since it was Tiny Personal Firewall..

    Kerio bought the program from Tiny to add to their portfolio, and kept to the core value of the program.

    It is small,
    fast,
    easy to maintain,
    easy to configure (for those who can think past "Look, Shiny!!!"),
    secure (unlike the XP firewall which loads AFTER the TCP/IP stack has initialised and connection is made),
    stable,
    reliable,
    uses little resources,
    has some of the functionality of an Intrusion Detection System,

    I could go on and on.

    Now before all you others start flaming me about your own personal favourites, consider the following:

    XP Firewall - loads AFTER the TCP/IP stack has initialised and connection is made, that means there IS a period of time where TCP/IP is working and the firewall is not (on a slower machine that can be a few seconds)

McAfee Firewalls - If you use the web-based/loadable version, you are unprotected until it is installed & running (how FAST is your connection?)
    If you are using their CD based product, how often do you upgrade it? (there have been exploits that affect those).

    Norton Firewalls - Slow your machine down, intrusive, resource hungry (at times), exploited..
    Good points are: updateable, easily configured..

    Agnitum Outpost (free version) - Don't go there, trust me.
    The Pro version (that you pay for) is GOOD, but not the free one..

    Have Fun...
     
  16. GrandpaBW

    GrandpaBW Active member

    Joined:
    Feb 28, 2004
    Messages:
    3,730
    Likes Received:
    17
    Trophy Points:
    68
    Thanks drchips. You are right, I have some learning to do. All this stuff is fun to learn, though. :)
     
  17. cosmikel

    cosmikel Guest

    Hi DrChips,
    You state;

    In simple terms my systems are such:

    Cable Modem -> Hardware Router (NAT/Firewall/Router/DoS protection) running uCLINUX
    Hardware Router -> Bandwidth Arbitrator (pc running custom Linux with Firewall)
    Bandwidth Arbitrator -> Switch -> rest of network

    I was wondering what the "Hardware Router (NAT/Firewall/Router/DoS protection) running uCLINUX " bit consisted of? and also what you think of "Sygate Personal Firewall Pro".

    Thanks for the interesting and informative ideas.
     
  18. drchips

    drchips Active member

    Joined:
    Nov 29, 2003
    Messages:
    870
    Likes Received:
    0
    Trophy Points:
    66
    [bold]cosmikel[/bold],

    The "Hardware Router (NAT/Firewall/Router/DoS protection) running uCLINUX " consists of a custom board that I built & ported uClinux onto.

    There are a number of commercial products available that use uClinux, for example, you could have a look at:
    http://www.sweexeurope.com/content.asp?pcID=80
    the top listed model is extremely good value for money, costing only £29 (53 USD, 43 EURO), with amazing functionality for the price.

    It is available here:
    http://www.anglianinternet.co.uk
    and many other suppliers online.

    If you want to read up on uClinux:
    http://www.uclinux.org

    As for "Sygate Personal Firewall Pro", I cannot really comment upon it as I have not had sufficient exposure to it yet - though initial impressions are that it offers similar levels of control / customisation / granularity of rulesets to Kerio.

    It would probably require a bit of knowledge to get the best out of it (not an install & forget/Joe-Sixpack no-brainer program).

    Have Fun...
     
  19. Nephilim

    Nephilim Moderator Staff Member

    Joined:
    Feb 13, 2003
    Messages:
    13,161
    Likes Received:
    1
    Trophy Points:
    116
    This thread needs to be renamed "The drchips School Of Network Security" :p

    Lord have mercy if that isn't true!
     
  20. chthomson

    chthomson Regular member

    Joined:
    Nov 26, 2003
    Messages:
    203
    Likes Received:
    0
    Trophy Points:
    26
    Hi drchips
Your reference to Zone Alarm security issues. Is that the Zone Alarm freeware or the Zone Alarm Pro?
    I have been using Zone Alarm for 5 or 6 years now and for the last 4 years running Zone Alarm Pro with a Linksys router. I have tested the firewall with Shieldsup and seem to be rated as stealth.
    From what you are saying - it may be time to change the software firewall. Am I right ??
    Thanks for the advice in advance
     