Kaspersky firewall or Windows firewall?

Sharon T

Would it be better to use the firewall on Kaspersky Internet Suite or the
Windows Vista Firewall?
 
Kaspersky, it is more responsive to change and a better product
overall.
 
The Vista one.

* It's already there and therefore doesn't introduce further
vulnerabilities and questionable features.

* Any security product containing the word "suite" should be looked at
with great scepticism.

* One must assume that MS knows about the environment it's supposed to
protect in greater detail than any third party.
 
What specific feature set are you looking for? Without a proper understanding
of the features you need and the risks you are trying to mitigate, all you
will get is a popularity contest.
 
Sharon:

Or run both.

The Vista f/w is nicely integrated with its Private/Public Profiles and is
stateful.
I run the ZA beta with the Vista f/w to have convenient outbound control.
Works great
 
Most will tell you not to run two personal FW(s) because a doubled FW
situation can prevent inbound packets/traffic from reaching the machine.
 
Mr. Arnold:

Technically, that should be a very rare experience for two simple packet
filtering f/ws if the rules are set up correctly.

I have run as many as three f/ws concurrently w/o problems (just to prove
the concept).
 
May I ask the reasoning behind 3?

I run two packet filters myself: Vista's FW and IPsec. But that's for a
dial-up connection for a laptop.
 
Many people have run more than one firewall at once without a problem.
However the *risk* of a problem is always there, and that's why it
shouldn't be done.

Here's what Microsoft has to say about running two software firewalls
at once:
http://www.microsoft.com/athome/security/protect/firewall.mspx

"Q. Should I use both the built-in firewall and a software firewall
from a different company on my Windows XP computer?

"A. No. Running multiple software firewalls is unnecessary for typical
home computers, home networking, and small-business networking
scenarios. Using two firewalls on the same connection could cause
issues with connectivity to the Internet or other unexpected behavior.
One firewall, whether it is the Windows XP Internet Connection
Firewall or a different software firewall, can provide substantial
protection for your computer."
 
Ken:

Do you know of a technical reason for not running two simple packet
filtering f/ws concurrently?
 
> May I ask the reasoning behind 3 [f/ws running concurrently]?

Mr Arnold:

To prove that it can be done.

The self-serving MS comment that you should not do two f/ws because it is
unnecessary, and those who merely repeat MS comments, do end users a grave
disservice.

F/ws can use different technologies, and some f/ws have shortcomings; both
of these issues can be addressed by running two f/ws concurrently. Is there
a risk? Yes, but what do you do that does not involve a risk? Per my own
experience and per NG posts that I have read over the years, most people
running two f/ws do so w/o problems.

IMO, a significant shortcoming of the Vista f/w is the lack of a user
friendly outbound control. There are several 3rd-party f/ws that in my
experience can be run concurrently with the Vista f/w to address the
outbound control issue, and I am using the ZA beta f/w to do just that.

Note that MS has told people that it is ok to run ISA on the same computer
with Small Business Server 2003.
IMO, most IT security pros would challenge that comment.
 
> Ken:
>
> Do you know of a technical reason for not running two simple packet
> filtering f/ws concurrently?

No, I have no other details to provide.
 
I think there are a couple motivators for the suggestion to not run multiple
packages simultaneously:

1) configuration of one UI can be tricky for a large population of users;
getting two sets of UI in sync could be almost impossible.

2) everything comes with a perf hit. there are certain packages that I will
not name, which on their own can cause a machine to be noticeably slower. If
you get two of them on the same box, you're better off not connecting to
anything at all.

3) not all packages play nice. it would be very frustrating to be paying
monthly subscriptions to both vendor A and B only to eventually realize that
B effectively turned A off.
 
Hmmm I see. Thanks everyone.

David Beder said:
> I think there are a couple motivators for the suggestion to not run
> multiple packages simultaneously:
>
> 1) configuration of one UI can be tricky for a large population of users;
> getting two sets of UI in sync could be almost impossible.
>
> 2) everything comes with a perf hit. there are certain packages that I
> will not name, which on their own can cause a machine to be noticeably
> slower. If you get two of them on the same box, you're better off not
> connecting to anything at all.
>
> 3) not all packages play nice. it would be very frustrating to be paying
> monthly subscriptions to both vendor A and B only to eventually realize
> that B effectively turned A off.
>
> --
> David
> Microsoft Windows Networking
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
 
David:

> 1) configuration of one UI can be tricky for a large population of users;
> getting two sets of UI in sync could be almost impossible.

IMO:
a) The complexity of the Vista f/w is probably only exceeded by that of NIS.
b) Simple packet filtering f/ws pass the packets sequentially, so
troubleshooting can be as simple as disabling one while you test the other.
This assumes that the user can read/edit/write f/w rules.

> 2) everything comes with a perf hit. there are certain packages that I will
> not name, which on their own can cause a machine to be noticeably slower. If
> you get two of them on the same box, you're better off not connecting to
> anything at all.

IMO:
a) the unnamed f/w is probably NIS. I ran the pre-release version of NIS on
Vista and thought that Symantec had improved the product substantially by
removing some extraneous features that were in the previous versions. NIS
is a sophisticated f/w that does a lot, but requires a degree of knowledge
to set up properly, and to maintain. However, there are much simpler f/ws
than either NIS or Vista's that are available (e.g., ZA (still in beta), PC
Tools, and Vista Firewall Control).
The challenge is to find a 3rd party f/w that works well with Vista's f/w,
as I think the Vista f/w is well done overall (is stateful for example)
except for the absence of "useable" outbound control. I think highly
enough of Vista's f/w that I would not recommend disabling it, but running a
second f/w with it. Per testing, NIS disables Vista's f/w, ZA beta, PCT and
VFC do not. Also, I would not recommend running NIS with Vista's f/w (even
if you could) as NIS is more than a simple packet filtering f/w, and you
would be much more likely to have issues with running the two together.

The issue is that a user should not run two complex f/ws together; running
one complex and one simple f/w together has never been a problem in my
experience of doing so for 10 (??) years. Of course, the next issue is what
is a complex f/w.

As much as I like ZA, I have been reluctant to run it by itself, as it has
been more of an application gate type of f/w (the weakest type?) rather
than a packet filtering f/w (plus XP's and Vista's f/ws have been stateful).

Re: a performance hit: in general, that is secondary to the value of
increased security/control within reason; ZA beta in Vista does load slowly,
but I want the control that ZA provides, so I wait.

> 3) not all packages play nice. it would be very frustrating to be paying
> monthly subscriptions to both vendor A and B only to eventually realize that
> B effectively turned A off.

That is the value of the 30 day trial period (and Google). I am impressed
enough with ZA running with Vista's f/w that I plan to buy the released
product (it is still in beta) just to have the Expert rules feature that
will not be part of the free ZA version. I use ZA Expert rules to block all
Windows networking ports on my wired/wireless portable in case I forget to
change Vista's network profile from Private to Public when switching from a
wired network to a wireless network. That is just another example of the
value of running two f/ws, as one can cover for a user config error in the
other.

Summary: IMO, it can be very beneficial to run a 2nd f/w with Vista's f/w
enabled. Per my experience if the 2nd f/w is a simple f/w (e.g., ZA (still
in beta), PC Tools, and Vista Firewall Control) I would not expect any
problems due to running two f/ws concurrently.
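
Added example, not part of any post in this thread: a small Python model of the sequential evaluation discussed above, where a packet is delivered only if every filter in the chain allows it. It shows both effects raised in the thread: a second filter covering for a network profile left on Private, and out-of-sync rule sets dropping wanted inbound traffic. The rule sets, the example ports 3389 and 6667, and all function names are constructed for illustration and are not taken from any product.

```python
# Added illustration; rule sets are constructed and simplified, not exported from any product.
from dataclasses import dataclass

WINDOWS_NET_PORTS = frozenset({135, 137, 138, 139, 445})  # RPC, NetBIOS, SMB

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out"
    port: int       # local port if inbound, remote port if outbound

def builtin_fw(profile, inbound_exceptions=frozenset()):
    """Hypothetical built-in filter: no outbound restrictions; the Private
    profile admits Windows networking inbound, the Public profile does not."""
    def allow(p):
        if p.direction == "out" or p.port in inbound_exceptions:
            return True
        return profile == "private" and p.port in WINDOWS_NET_PORTS
    return allow

def second_fw(allowed_out, allowed_in=frozenset()):
    """Hypothetical second filter: an expert rule always drops Windows
    networking ports; anything else needs an explicit allow entry."""
    def allow(p):
        if p.port in WINDOWS_NET_PORTS:
            return False
        return p.port in (allowed_out if p.direction == "out" else allowed_in)
    return allow

def delivered(packet, *filters):
    """Sequential chain: the packet gets through only if every filter allows it."""
    return all(f(packet) for f in filters)

def scenarios():
    stale = builtin_fw("private", inbound_exceptions={3389})  # profile never switched
    strict = second_fw(allowed_out={53, 80, 443})
    synced = second_fw(allowed_out={53, 80, 443}, allowed_in={3389})
    smb, rdp = Packet("in", 445), Packet("in", 3389)
    return {
        "smb_in, built-in only": delivered(smb, stale),            # exposed
        "smb_in, both": delivered(smb, stale, strict),             # covered
        "unlisted_out, built-in only": delivered(Packet("out", 6667), stale),
        "unlisted_out, both": delivered(Packet("out", 6667), stale, strict),
        "rdp_in, rules out of sync": delivered(rdp, stale, strict),
        "rdp_in, rules in sync": delivered(rdp, stale, synced),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:30} {'delivered' if ok else 'dropped'}")
```

The effective policy of the chain is the intersection of what each filter allows, so every exception has to exist in both rule sets before the traffic gets through.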
 
Off at a slight tangent but a very simple yet, as far as I can tell,
effective firewall, is Sphinx Vista Firewall Control. I have been using the
free version in addition to the Windows Firewall with no conflict. From:
http://www.sphinx-soft.com/Vista/index.html
It downloads and installs very quickly and starts working immediately. As
each application tries to communicate you can allow it inwards, outwards,
both or neither, either on just that single occasion or more permanently.
The resultant growing list of applications can be pruned and edited easily.
In unusual circumstances you can set it to block all or to allow all via the
system tray. Starkly minimal and very nice to use. - Doug.