George
as I understand it (and I won't pretend I do), kerio/tiny allows you
to 'fine tune' your firewall to block traffic to/from specific IP
addresses/DNS names.
I think IP addresses only (though it catches domain names indirectly, if you
do a DNS lookup and enter the IP address into the filters).
Hosts files, on the other hand, filter on domain names. So if spyware
directly connects using IP addresses, without the need to do a domain name
lookup, it will bypass the hosts file.
Here's a list of common security software used, and the pros and cons as I
understand them. I'm sure what I say contains inaccuracies, so please
correct them if you spot any.
To illustrate the differences let us pretend that some spyware is trying to
connect outwards to www.microsoft.com or 207.46.134.155
Hosts files - Filters on domain names, protects outbound on all ports. Slow,
have to specify the full domain name to block. Allowed:
"www.advertisements.com", not allowed "advertisments" (which will block
all domains with the phrase adverts in them, e.g. myadvertisement.com)
If the spyware connects directly to 207.46.134.155 (which means the spyware
is hardcoded with the IP address and does not have to look it up), hosts
files don't block it. But if the spyware connects to www.microsoft.com, the
computer will try to do a DNS lookup (the IP address that corresponds to
the domain name), it looks in the hosts file first, sees microsoft.com, and
sends microsoft.com to the loopback address 127.0.0.1, hence blocking it.
This works regardless of what ports or apps the spyware is running through.
PAC file - Filters on domain names, only protects the browser. Faster than
hosts file, more flexible since you can block domain names which contain
terms like "ads" "adverts" as well as allow wildcards.
Similar to hosts files except that it prevents the browser from connecting;
if the spyware is independent of the browser it's not blocked.
Proxomitron - Filters on domain names, only filters on HTTP ports (I
believe apps other than web browsers will be filtered by it).
Other advantages are similar to PAC.
Proxomitron filters all outward connections to port 80. Any software that
tries to connect there will be filtered by Proxomitron. So spyware that
attempts to connect to www.microsoft.com:80 (port 80) via HTTP will be
blocked (assuming microsoft is in the filters).
DNS Kong - DNS server that does the DNS lookups. So like hosts files, PAC
files etc. it filters on domain names. However it has the advantage of the
hosts file in that it filters all DNS lookup requests (unlike Proxomitron,
which does only HTTP streams), yet has the advantages of Proxomitron in
that it is faster than hosts files, and you can specify phrases to block.
(I think it can't block specific URLs or use wildcards, I'm not sure.)
One individual on the net, the much mentioned "Sponge", highly promotes
this product. In my experience it's the hardest to get working though, especially
on Win2k.
Firewall - Filters on IP addresses directly, all ports.
Spyware that tries to connect directly via the IP address will be blocked,
of course. But I suspect even if it's done via the domain name, eventually
the request still has to be sent using the IP address of the domain name,
and the firewall will still catch it.
It might seem it's better to block IP ranges and forget domain name
blocking.
Still, there are advantages to blocking sites by domain names rather than
IP address ranges, depending on whether it's harder for spyware makers to
change their IP addresses or domain names.
Aaron
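One way to see the coverage differences Aaron lays out is to model each layer's matching rule and ask which layers would catch a given connection attempt. This is an added example, not code from the post; the DNS answer, the blocklists and the firewall range are constructed sample values, and each layer follows the rule the post ascribes to it (Proxomitron on port 80 only, PAC for the browser only, hosts file exact-match, DNS Kong and Proxomitron by phrase).

```python
"""Model of the blocking layers discussed in the post (constructed example).
Each layer is checked independently with the matching rule the post ascribes
to it, so the result shows which layers would catch a given attempt."""
import fnmatch
import ipaddress
from dataclasses import dataclass

# Constructed sample rules; the DNS answer and firewall range are assumed.
DNS_TABLE = {"www.microsoft.com": "207.46.134.155"}
HOSTS_BLOCKLIST = {"www.microsoft.com"}           # exact names only
PAC_PATTERNS = ["*.microsoft.com", "*ads*"]       # wildcards, browser only
PROXOMITRON_PHRASES = ["microsoft"]               # phrase match, port 80 only
DNSKONG_PHRASES = ["microsoft"]                   # phrase match, every lookup
FIREWALL_BLOCKED_NETS = [ipaddress.ip_network("207.46.128.0/20")]

@dataclass
class Connection:
    target: str        # hostname or dotted IP the program dials
    port: int
    via_browser: bool

def is_ip(target):
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False

def blocking_layers(conn):
    """Return the set of layer names that would block this connection."""
    blocked = set()
    if is_ip(conn.target):
        ip = conn.target   # hardcoded IP: no lookup, so name filters never run
    else:
        name = conn.target
        if name in HOSTS_BLOCKLIST:                   # read before any DNS query
            blocked.add("hosts")
        if any(p in name for p in DNSKONG_PHRASES):   # sees every lookup
            blocked.add("dnskong")
        if conn.via_browser and any(fnmatch.fnmatch(name, p) for p in PAC_PATTERNS):
            blocked.add("pac")
        if conn.port == 80 and any(p in name for p in PROXOMITRON_PHRASES):
            blocked.add("proxomitron")
        ip = DNS_TABLE.get(name)
    # The firewall sees the packet's destination IP whichever name was used.
    if ip and any(ipaddress.ip_address(ip) in n for n in FIREWALL_BLOCKED_NETS):
        blocked.add("firewall")
    return blocked
```

Running the post's two cases through it shows the gap it describes: the hardcoded-IP attempt is caught by the firewall alone, while the by-name attempt is caught by every name filter whose scope (browser, port 80, all lookups) covers it.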