Which Firewall is best for Vista?


Mike Dymond

Hi:

Which Firewall is best for Vista?

Norton?

Zone Alarm?

Windows?

Other?

All opinions appreciated.



Mike
 
Hi:

Which Firewall is best for Vista?

Norton?

Zone Alarm?

Windows?

Other?

All opinions appreciated.


Opinions are what you will get, and probably at least one for every
product that works with Vista.

A question like this isn't much different from asking which is the
best automobile. Every product has its partisans, and when you get
recommendations for almost everything available, you are no better off
than when you started.
 
Mike said:
Hi:

Which Firewall is best for Vista?

Norton?

Avoid any Norton products, entirely. They consume far too many system
resources for what they do.

Zone Alarm?


A good product, and much easier to configure than Vista's built-in
firewall. I had no problems beta testing the Vista-compatible version,
but I don't know if it's gone "Gold," yet.



Vista's built-in Windows Firewall is adequate for most users, but not
particularly easy to configure. Vista's built-in firewall, although
superior to that of WinXP, is of a rudimentary nature, intended to meet
the simpler needs of most home consumers (or business/enterprise clients
already ensconced behind more advanced perimeter defenses).

One 3rd-party add-on (Sphinx's Vista Firewall Control
http://sphinx-soft.com/Vista/) might make the Vista Firewall a bit more
useful to you, but nothing but a completely independent product will be
able to provide the detailed control you want.

There are two interfaces for Vista's built-in firewall:

1) A simplified one accessed through the Control Panel that is the only
one most people see.

2) And the more advanced "Windows Firewall with Advanced Security
(WF.msc)," accessed via the Start Menu's Administrative Tools folder,
for the experienced user who wants better control.



--

Bruce Chambers

Help us help you:



They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

Many people would rather die than think; in fact, most do. -Bertrand Russell
 
OK

How about if I re-phrase:
Does anyone know of any conflicts or problems with the listed programs?
Any known compatibility issues?

Thanks
Mike
 

Vista's FW, because it can protect the network connection at system boot, when
the machine has a direct connection to the modem, and therefore to the
Internet. No 3rd-party personal FW can do it.


Or if you can get a cheap NAT router, then put the machine behind its
protection.
 
Mike Dymond said:
Hi:

Which Firewall is best for Vista?

Norton?

Zone Alarm?

Windows?

Other?

All opinions appreciated.

I've tried PC Tools Firewall Pro, ZoneAlarm Free (ZAF), and Look & Stop.
L&S was the only one that "just worked", but it was beta and payware. PC
Tools Firewall required a fair bit of customization to get it to stop
blocking the internet connection - I never got it completely reliable. ZAF
slowed down browsing to an unacceptable degree. Comodo is currently testing
its Vista-compatible firewall, but it's still pretty rough around the
edges. I've gone back to using the Windows Firewall with the "Vista
Firewall Control" front-end.
 
On my home PC (Vista Home Premium) the Vista Firewall blocked every port
when assaulted by everything I could throw at it. For most, that is all that
should be needed. "IF" someone needs more security, then I suggest a hardware
solution in addition to the Windows Vista Firewall.
 
Actually many of the new Vista firewalls are able to actively protect at
boot time. I'm pretty sure Symantec, Zone, and McAfee are doing this. Others
can 'non-actively' protect as well by usually just blocking everything with
exceptions for some basic ports like dhcp and dns.
 
Actually many of the new Vista firewalls are able to actively protect at
boot time.

How do they achieve this?
I'm pretty sure Symantec, Zone, and McAfee are doing this. Others
can 'non-actively' protect as well by usually just blocking everything with
exceptions for some basic ports like dhcp and dns.

What does "non-active" protection mean?
 
David Beder said:
Actually many of the new Vista firewalls are able to actively protect at
boot time. I'm pretty sure Symantec, Zone, and McAfee are doing this.
Others can 'non-actively' protect as well by usually just blocking
everything with exceptions for some basic ports like dhcp and dns.

Not according to this link, unless the information in the link is wrong.

http://www.support4vista.com/tutorial/windows-firewall.htm

If the solutions you're talking about can do it, then can you provide
documentation stating that they can protect at system boot?

They were never doing it before. I don't see why they would be doing it on
Vista.

The only other two firewalls that I know of that can also protect at system
boot are XP's FW, which has documented proof of this, and Wipfw with its
STARTUP_BOOT_START setting.
 
The tcp/ip stack was rewritten for Vista. Part of this rewrite includes a
new set of apis/hooks/etc called Windows Filtering Platform (WFP). The
platform allows firewall drivers to link into the packet processing flow
during boot-time as well as post-boot.

During the time that firewall drivers are loading, which could end up being
after tcpip is loaded, pre-established behavior can be stored (from the last
boot) to block traffic until the firewall driver can take over.

For the purposes of this part of the thread, an active firewall is one with
a driver that actively inspects traffic by looking through all the header
and data values, while a non-active firewall is one which simply blocks all
traffic from given addresses/ports/etc. without any inspection.
 
At the time of this article's authoring, the statement might have been
accurate. The software packages which are making use of the boot-time
interfaces with the new Vista tcpip stack might have still been in Beta
stages.

I'm not certain the statement was completely true for XP, but there's room
for semantic differences on what's a firewall and what's an IDS. e.g., I think
Black Ice was able to protect during boot-time, though not necessarily at
the exact second we'd consider boot-time as beginning.

--
David
Microsoft Windows Networking
This posting is provided "AS IS" with no warranties, and confers no rights.
 
David Beder said:
At the time of this article's authoring, the statement might have been
accurate. The software packages which are making use of the boot-time
interfaces with the new Vista tcpip stack might have still been in Beta
stages.

I am not certain that WFP and BFE are bullet proof protection due to the
fact that BFE is a service. I have not tested it, but if that BFE service is
knocked out, and I don't see why malware couldn't knock out that BFE
service, then it's over. I would say the same thing about a 3rd-party FW
service interfacing with WFP: if that FW service can be knocked out, it's
over on any type of protection.
I'm not certain the statement was completely true for XP, but there's room
for semantic differences on what's a firewall and what's an IDS. e.g., I
think Black Ice was able to protect during boot-time, though not
necessarily at the exact second we'd consider boot-time as beginning.

Well, I can tell you that Black Ice wasn't stopping anything on XP at system
boot when I was using it; I used Black Ice for many years and knew how
to use it very well.

I tested BI's boot security using Gator at the time. I set all kind of FW
rules to stop Gator on inbound from its site IP(s) and went to BI's
Application Control and set rules to stop Gator. Then I installed Active
Ports and put it in the start-up folder so that I could see connections when
I booted and logged into the machine.

Active Ports showed that connections were established by Gator, and its
subcomponents via Svchost.exe to its sites. Black Ice wasn't stopping
anything at system boot.

Nor were any of the other 3rd-party solutions that I tested, like ZA,
Sygate, Norton, McAfee, Outpost, etc., etc., stopping Gator at system
boot.

That's when I decided that in order to protect what I needed to protect,
like IIS, SQL Server, etc., etc., I needed to put the machines behind a FW
appliance like the WatchGuard that I use. Any host-based FW solutions
running on the machine are disabled as they are not needed from my viewpoint
sitting behind the FW appliance.

Don't get me wrong now: when a machine has a direct connection to the modem
and to the Internet, when I do that, I need a personal FW running to protect
from the Internet. But I also know that nothing that's running with the O/S,
such as a personal host-based FW/packet filter, is bullet proof.
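The "Active Ports in the Startup folder" test described above, recast as an added script (not from the thread): run it at logon to record which processes already hold TCP connections to Internet addresses before you have had a chance to look. It assumes PowerShell 2.0 or later and an output folder C:\FwAudit; both are assumptions, as is the "local vs. Internet" address test.

```powershell
# Added example, not from the thread: snapshot TCP connections at logon,
# resolve the owning process, and flag anything already talking to a
# non-local address. Assumes PowerShell 2.0+ and an output folder C:\FwAudit.
$LogDir = 'C:\FwAudit'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$Stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'

function Test-LocalAddress([string]$Addr) {
    # RFC 1918, loopback, link-local and their IPv6 equivalents count as "local";
    # everything else is treated as the Internet for the purpose of this check.
    return ($Addr -match '^(10\.|127\.|192\.168\.|169\.254\.|172\.(1[6-9]|2[0-9]|3[01])\.|::1?$|fe80:|fc|fd)')
}

function Get-RemoteHost([string]$Endpoint) {
    # netstat prints 1.2.3.4:443 or [2001:db8::1]:443; strip the port and brackets
    $Cut = $Endpoint.LastIndexOf(':')
    if ($Cut -lt 0) { return $Endpoint }
    return $Endpoint.Substring(0, $Cut).Trim('[', ']')
}

# netstat -a all sockets, -n no DNS lookups (fast at boot), -o owning PID
$Rows = foreach ($Line in (netstat -ano | Where-Object { $_ -match '^\s*TCP\s' })) {
    $F = $Line.Trim() -split '\s+'          # Proto Local Remote State PID
    if ($F.Count -lt 5) { continue }
    $Proc = Get-Process -Id ([int]$F[4]) -ErrorAction SilentlyContinue
    $RemoteHost = Get-RemoteHost $F[2]
    $Flag = ''
    if ($F[3] -eq 'ESTABLISHED' -and -not (Test-LocalAddress $RemoteHost)) { $Flag = 'REVIEW' }
    New-Object PSObject -Property @{
        Time = $Stamp; Process = $(if ($Proc) { $Proc.ProcessName } else { 'exited' })
        ProcessId = [int]$F[4]; Local = $F[1]; Remote = $F[2]; State = $F[3]; Flag = $Flag
    }
}

$Rows | Export-Csv -Path (Join-Path $LogDir "conns-$Stamp.csv") -NoTypeInformation
# Anything flagged REVIEW was talking to the Internet before you logged on; for
# svchost.exe, identify the hosted services with: tasklist /svc /fi "pid eq <n>"
$Rows | Where-Object { $_.Flag -eq 'REVIEW' } | Format-Table Process, ProcessId, Remote -AutoSize
```

Register it as a scheduled task that runs at logon so the snapshot is taken as early as possible, and compare the CSVs across boots.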
 
Agreed, nothing is going to be bullet proof and host firewalls are just an
extra layer of protection. Every year the industry innovates, so even if
there wasn't boot-time support before, you're going to start seeing it more
as time goes by.

There might also be differences in what various products are willing to
block outbound during boot, so Gator might still make it out during that
time simply because the firewall isn't in a position to recognize that it's
not a connection that should be allowed from svchost. Give them a couple
more years and they'll eventually solve this too.:)

As for WFP/BFE, WFP is integrated into the tcpip stack so can't be removed
from play. If BFE is knocked out, WFP is left in its last-known state. If
BFE is blocked from ever starting up, then the system is essentially left in
boot-time forever. (Note, if it's disabled by an administrator like through
the services control panel, then WFP won't invoke any boot-time or
post-boot-time policy and firewalls will have to move below or above the
tcpip stack to inspect packets.)

Depending on how firewalls invoke WFP, their policy could survive having
their service knocked out.

--
David
Microsoft Windows Networking
This posting is provided "AS IS" with no warranties, and confers no rights.
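A health check for the pieces David describes above (BFE, the firewall service, and the per-profile policy that WF.msc and netsh advfirewall both front), added here as an example and not code from the thread: it assumes Vista or later with PowerShell 2.0+, English netsh output, and the pass/fail expectations are this example's own.

```powershell
# Added example, not from the thread: verify that Base Filtering Engine (BFE)
# and the Windows Firewall service (MpsSvc) start automatically and are
# running, and that every firewall profile reports State ON. Assumes Vista+
# with PowerShell 2.0+ and English-language netsh output.
$Problems = @()

# Start mode and current state of the two services via WMI
$Services = @(Get-WmiObject Win32_Service -Filter "Name='BFE' OR Name='MpsSvc'")
foreach ($Svc in $Services) {
    if ($Svc.StartMode -ne 'Auto') {
        $Problems += "$($Svc.Name) start mode is $($Svc.StartMode); expected Auto"
    }
    if ($Svc.State -ne 'Running') {
        $Problems += "$($Svc.Name) is $($Svc.State); with BFE stopped WFP applies no policy"
    }
}
if ($Services.Count -lt 2) { $Problems += 'BFE or MpsSvc is missing from the service table' }

# Per-profile state from netsh. Output contains blocks like:
#   Domain Profile Settings:
#   State                                 ON
$Profile = ''
foreach ($Line in (netsh advfirewall show allprofiles)) {
    if ($Line -match '^(\w+) Profile Settings:') { $Profile = $Matches[1]; continue }
    if ($Line -match '^State\s+(\S+)' -and $Matches[1] -ne 'ON') {
        $Problems += "$Profile profile firewall state is $($Matches[1])"
    }
}

if ($Problems.Count -eq 0) {
    'OK: BFE and MpsSvc automatic and running; all firewall profiles ON'
} else {
    'Findings:'
    $Problems | ForEach-Object { "  - $_" }
}
```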
 
David Beder said:
Agreed, nothing is going to be bullet proof and host firewalls are just an
extra layer of protection. Every year the industry innovates, so even if
there wasn't boot-time support before, you're going to start seeing it
more as time goes by.

And every year the hackers are going to be just one step ahead with zero day
exploits, and they will find a way through it. As long as there are Human
Beings involved with it, nothing is infallible, because we are not
infallible as Human Beings.
There might also be differences in what various products are willing to
block outbound during boot, so Gator might still make it out during that
time simply because the firewall isn't in a position to recognize that
it's not a connection that should be allowed from svchost. Give them a
couple more years and they'll eventually solve this too.:)

I don't see how that's going to ever happen when Svchost is the messenger
for the O/S programs and other non-O/S programs to communicate. Yes, you can
talk about something like IDS that's using signatures and protocol analysis,
but all of that can be defeated too. There is no stops-all and ends-all
solution. It will never be that, as long as a Human Being is involved in it.
As for WFP/BFE, WFP is integrated into the tcpip stack so can't be removed
from play. If BFE is knocked out, WFP is left in its last-known state. If
BFE is blocked from ever starting up, then the system is essentially left
in boot-time forever. (Note, if it's disabled by an administrator like
through the services control panel, then WFP won't invoke any boot-time or
post-boot-time policy and firewalls will have to move below or above the
tcpip stack to inspect packets.)

But in the meantime, if malware hits the machine and can be executed,
which doesn't seem to be a problem with those that have the happy fingers
that will click on everything under the Sun, then the malware can set its
own rules, punch out, and circumvent it all.
Depending on how firewalls invoke WFP, their policy could survive having
their service knocked out.

It will remain to be seen. But remember this, nothing absolutely nothing is
bullet proof as long as Human Beings are involved.
 
Mr. Arnold said:
I am not certain that WFP and BFE are bullet proof protection due to the
fact that BFE is a service. I have not tested it, but if that BFE service
is knocked out, and I don't see why malware couldn't knock out that BFE
service, then it's over.

Of course if malware can "knock out" the service that means that the malware
is running locally on the target computer does it not? If it's already in
your base, haxoring your computer anyway, then I might suggest boot time
firewall protection is the least of the worries you will have.
 
Robert Moir said:
Of course if malware can "knock out" the service that means that the
malware is running locally on the target computer does it not? If it's
already in your base, haxoring your computer anyway, then I might suggest
boot time firewall protection is the least of the worries you will have.

Yes, you've got a real problem if the service can be knocked out, no doubt
about it; I have seen other 3rd-party FW services knocked out by
malware. :)
 
On Tue, 3 Jul 2007 22:38:21 -0700, "David Beder [MSFT]"
There might also be differences in what various products are willing to
block outbound during boot, so Gator might still make it out during that
time simply because the firewall isn't in a position to recognize that it's
not a connection that should be allowed from svchost.

That brings me to a problem with firewalls (and other software) and
the processes they attempt to identify...

1) Wrappers

Malware can act as the hand in a glove puppet if it can operate within
a container process, and process tracking just tracks the container:
- Explorer, IE, 3rd-party integrations e.g. BHOs, Word macros
- generic launchers e.g. RunDLL, SVCHost

2) Injection

If code injects itself into an in-memory process without "infecting"
the on-disk code file corresponding to that process, then will the
process be detected as altered?

3) ADS

If code is run as an ADS attached to some arbitrary file, is the
process tracked as the arbitrary file, or differentiated from it?

MD5-checking executable files doesn't help if the file you are
checking is not the (only) code that is running.

With respect to (3), I've tested this and seen XP's Task Manager
reporting my ADS as just the name of the file I attached it to. I've
seen ITW malware use of ADS attached to all sorts of files such as
Win.ini, System.ini and legit OS components.... beats me why the OS
allows code to run in an ADS in the first place.

I generally avoid the ADS mess by using FATxx instead ;-)
Give them a couple more years and they'll eventually solve this too.:)

Hopefully with some OS help, i.e. more accurate process reporting?
As for WFP/BFE, WFP is integrated into the tcpip stack so can't be removed
from play. If BFE is knocked out, WFP is left in its last-known state.

Error( BFE ): Context not found - is that Boot Firewall Engine?
If BFE is blocked from ever starting up, then the system is essentially
left in boot-time forever.

OK, that I've seen before :-)


---------- ----- ---- --- -- - - - -
On the 'net, *everyone* can hear you scream
 