What made you choose the firewall you use over other firewalls?

r3nu4l

I'm currently using Comodo firewall, quite a simple firewall that does the job I want it to.

I used to use ZoneAlarm and while it also did the job I wanted I found it to be far too intrusive, interrupting me all the time with trivial (in my opinon ) matters.

Now I do miss some aspects of ZoneAlarm but I find myself far less frustrated by Comodo.

I've never tried Keiros firewall so can't comment.

What firewall are you using and what, in your opinion, makes it better or more useful to you than the others?

Ruu_Old

Same as yourself. I used to have Sygate was it was excellent for my needs, easy to use and secure. That was until support for it was dropped because Symantec swallowed it up.

I tried numerous others including Zone Alarm that frustrated me to no end. A few months ago I saw Comodo in another boards member signature and haven't looked back.

Capt'n Midnight

Interesting
http://www.personalfirewall.comodo.com

Why is it free?
...
Simply, Comodo's main revenue comes from authenticating web business with SSL certificates (e.g. we put the padlock on websites). The more consumers are comfortable being online and shopping online, the more businesses that will be created that will need our services.

DonkeyStyle \o/

I use Kerio Personal Firewall (30-day expired version).
Steve Gibson was raving about it in a few of his podcasts, so I thought I'd at least see what all the fuss was about... as well as that, I got sick of Nortons pop-ups rudely interrupting me at random intervals nagging at me to subscribe or the bad men would get me. :rolleyes:
I'm not as worried about it since I got a proper NAT router anyhoodles.

mick.fr

I am using ISA Server 2006, which is an excellent firewall.
Been a while I get rid of personnal firewalls installed on desktops. I am still using the one on XP, but my Lan at home/office is protected with ISA Server.

ISA is extremelly powerfull, has a lot of features (VPN, Proxy, NAT...), and is extremelly secure. In 7 years ISA Server only had 10 security issues, where 3 only where flagged as critical.
It is running on a dedicated desktop in my office on the top of Windows 2003 Server R2 and has 3 NICS (Internet, Lan, DMZ).

ISA is not free but I got my "free" license through the Microsoft Action Pack as I am a Microsoft partner.

Fanny Cradock

r3nu4l wrote:

I'm currently using Comodo firewall, quite a simple firewall that does the job I want it to.

I used to use ZoneAlarm and while it also did the job I wanted I found it to be far too intrusive, interrupting me all the time with trivial (in my opinon ) matters.

Now I do miss some aspects of ZoneAlarm but I find myself far less frustrated by Comodo.

I've never tried Keiros firewall so can't comment.

What firewall are you using and what, in your opinion, makes it better or more useful to you than the others?

Funnily enough I found the opposite to this (OK, it's not that funny really). I liked Comodo, but I found it considerably less user friendly then ZoneAlarm. I had a great deal of trouble trying to get permission for certain applications to run, so I eventually had to get rid of it and go back to ZA.

Capt'n Midnight

mick.fr wrote:

ISA is extremelly powerfull, has a lot of features (VPN, Proxy, NAT...), and is extremelly secure. In 7 years ISA Server only had 10 security issues, where 3 only where flagged as critical.
It is running on a dedicated desktop in my office on the top of Windows 2003 Server R2 and has 3 NICS (Internet, Lan, DMZ).

ISA is not free but I got my "free" license through the Microsoft Action Pack as I am a Microsoft partner.

Just how many critical security issues have Windows Server and Internet Explorer had in the last 7 years ? I think it's a fair question seeing as how you can't run ISA on it's own without them. And yes I know places that use ISA server for remote access but they have it behind a firewall.

It's not really that practical as a home user solution.
http://www.microsoft.com/isaserver/howtobuy/default.mspx

ISA Server 2006 Standard Edition $1,499 per processor
Microsoft Windows Server 2003 $999 per server
IAG 2007 User CAL $22 per user

mick.fr

Capt'n Midnight wrote:

Just how many critical security issues have Windows Server and Internet Explorer had in the last 7 years ? I think it's a fair question seeing as how you can't run ISA on it's own without them. And yes I know places that use ISA server for remote access but they have it behind a firewall.

It's not really that practical as a home user solution.
http://www.microsoft.com/isaserver/howtobuy/default.mspx

Sure it is not for home users at all.

ISA Server is a firewall for sure, but usually companies implements it behind a 3rd party firewall, not because it is not reliable/secure enough, simply because a basic packet filtering firewall such as a Cisco PIX 500 series will offer a first layer of security and will focus on this only. ISA is usually implemented as a back end firewall because it offers out of the box features that other firewalls only provides as optional components and at a really expensive price such as application filtering, VPN...compared to an ISA firewall.

Now you can implement ISA as a front end firewall, there is no problem at all.

But it is usually recommended to implement two different firewall vendors.

Now I have to say I am happy MS provides regulars security updates, as many other companies do not do it, or not fast enough (Redhat...).
And I am sure you have also noticed there is less and less updates
Windows 2000 : 4 Services Pack, Windows 2003 : 1 Service Pack.

And from the number of updates, or post Service Pack updates, only a few are actually considered as critical security updates. Most of them are actually fixes, optional updates, device driver updates, new features ...

Capt'n Midnight

mick.fr wrote:

But it is usually recommended to implement two different firewall vendors..

By whom ?
Also one of the reasons for less and less service packs is that NT3/NT4/2000/XP are are on the same code base. So they have had plenty of time to get the basics right.

Vista has a re-written networking stack so early days yet.

I used to use gnatbox the five user version was free and runs on a 486, (BSD based)
I don't like relying only on a software firewall in windows as zonealarm used to crash or not startup on a montly basis ( once is far too often )

Tried coreforce but doesn't feel stable enough yet.
But zonealarm is easy to setup and since it's behind NAT it's acceptable.

mick.fr

Capt'n Midnight wrote:

By whom ?
QUOTE]

It is an industry standard good practice and is part of any proper technical recommendation.
Now saying a software firewall running on Windows is not reliable and not secure is a non sense, this is an urban legend.
It is technically easier to hack a Cisco PIX or some well known Linux/FreeBSD firewalls than an ISA Server.

ntlbell

mick.fr wrote:

Capt'n Midnight wrote:

By whom ?
QUOTE]

It is an industry standard good practice and is part of any proper technical recommendation.
Now saying a software firewall running on Windows is not reliable and not secure is a non sense, this is an urban legend.
It is technically easier to hack a Cisco PIX or some well known Linux/FreeBSD firewalls than an ISA Server.

Which industry is this? What define's a "proper technical recommendation" ?

mick.fr

ntlbell wrote:

mick.fr wrote:

Which industry is this? What define's a "proper technical recommendation" ?

This is what consultants are doing all over the world based on IT industry standards and good practices.
This is what general and in deep security approach are dicting us.

I have only seen a couple of companies reliying on only one firewall. Having one only is clearly suicidal. And I always recommend them to implement a second one.

This is what the Irish gouvernemental agencies are implementing here.
Some of them have even 3 different firewall vendors before reaching the LAN.
Do not ask I will not name them.

Basically a proper technical recommendation will work torwards the customer to help him to get the best of the new architecture by providing him a lower Total Cost of Ownership, the best security and reliability possible.

Make sense ?

ntlbell

mick.fr wrote:

This is what consultants are doing all over the world based on IT industry standards and good practices.
This is what general and in deep security approach are dicting us.

Are you saying security consultants are dictating to you a defense in depth model? I don't understand.

Who are these consultants? What are they doing? What are they protecting? for what type of companies? What standard's? Who decides what's a good practice for a given situtation?

Are these the same morons who tell people to rename the Administrator account on a windows machine and call it good "security" practice?

Do you know these consultant's personally? have you worked with them? have they worked on your network?

Are you following these consultant's and best practice's blindly?

mick.fr wrote:

I have only seen a couple of companies reliying on only one firewall. Having one only is clearly suicidal. And I always recommend them to implement a second one.

You haven't seen many companies then.

mick.fr wrote:

Basically a proper technical recommendation will work torwards the customer to help him to get the best of the new architecture by providing him a lower Total Cost of Ownership, the best security and reliability possible.

Make sense ?

I understand what a "proper technical recommendation" is I don't see what it has to do with your point in the previous post you made to Captain that's why I asked you just seem to throwing out jargon with no thought process and hope everyone nods and smiles in agreement.

ntlbell

mick.fr wrote:

It is technically easier to hack a Cisco PIX or some well known Linux/FreeBSD firewalls than an ISA Server.

Can you provide some proof for this statment? Do you have any statistic's?

Have you tested this personally?

If so can you provide the steps and results of these test's?

mick.fr

Well ntlbell there are many things you do not understand and are completely unaware of.
We are not living in the same real world so I am not gonna argue with you and lose my time.

Capt'n Midnight

mick.fr wrote:

We are not living in the same real world

qft

mick.fr

Capt'n Midnight wrote:

qft

What you do for a living ?

ntlbell

mick.fr wrote:

Well ntlbell there are many things you do not understand and are completely unaware of.
We are not living in the same real world so I am not gonna argue with you and lose my time.

What do I not understand? What am I unaware of?

You're not going to argue with me because you can't answer the questions I've put to you? Or you're not going to argue because you have realised you're talking nonsense?

ntlbell

mick.fr wrote:

What you do for a living ?

What does it matter what he does for a living?

Capt'n Midnight is one of the most helpfull/technical users on boards will his job title give his argument more weight?

Come on Mick, you've made some statments all I ask is you back them up.

r3nu4l

Jaysus lads, all I did was ask about why you chose the firewall you are using This world-wide-intarweb sure is pioneer country

quinta

mick.fr wrote:

Capt'n Midnight wrote:

By whom ?
QUOTE]

It is an industry standard good practice and is part of any proper technical recommendation.
Now saying a software firewall running on Windows is not reliable and not secure is a non sense, this is an urban legend.
It is technically easier to hack a Cisco PIX or some well known Linux/FreeBSD firewalls than an ISA Server.

Have to say that is a sweeping statement backed up by, well, nothing.

Cisco PIX's configured properly are as robust as any Enterprise level firewall.
A FW is only as secure as the competency level of the person that implemented it.

Urban Legend? Strange statement, so are you saying you never patch the Windows installation your ISA server is sitting on? How does that affect your downtime? Don't get me wrong, we use them, but not for Internet facing systems.

mick.fr

I am surprised to discover that nobody actually understood my point about Cisco/Linux/ISA Server.
I guess this is because nobody who replied actually knows at which OSI layer the different products are doing the job plus do not really know what a basic Cisco firewall, Linux really does and does not out of the box compared to an ISA Server.

Also about the best practices, I am really surprised and was wondering if I should even reply to this, to people telling I am talking nonsense and bulls*** basically.

Most likely those people are working with no framework and methodology.
I suppose ITIL and ISC2 does not ring a bell at all to those people, fair enough. That's a reason why I said "we are not living in the same real world".

I mean there is a huge difference being a computer enthousiast with some knowledge and actually working on infrasructure design and security for companies and gouvernemental entities with over 10.000 employes at least.

This is what I am implementing for the Irish gouvernemental organisations and other big companies, I mean they are all ok with what I am saying, of course it is justified, and I have to prove them, but they pay the price for it, so why you guys would not agree ? Are you better that a group of 10 consultants all saying to the the head of IT for the Departement of xxxx or Ministry of xxxxx they should have 3 firewalls for example ?

I mean don't you guys know the internal network attacks represents over 50% of the cyber crimes ? In the US at least. I do not know the figures for Ireland. Don't you guys know an Application Layer filtering firewall is a mandatory component to any packet filtering firewall, and that is making the pipe more secure than a basic firewall that will only open or close ports.
I mean of course ISA is not the only one to do that, but I said "basic" Cisco, Linux firewall.

Several huge Irish governemental organisations are using ISA Server. The process went through many tests (Several months) and this is extremelly secure, so why would the Irish gouvernement bother if this was not true.
?
The Irish gouvernement has done a phenomenal job compared to many other EU countries in term of Online Services, do you really think they would blindly compromise their network with cheap and insecure firewalls ?

And yes Windows is extremelly secure, the amount of service packs is not relevant to compare this OS to any other BSD/Linux OS.
Windows is far more stable and secure than any other Linux solution available out there. I mean there are tons of studies available on the web, by independant groups, tons of real world issues raised on Linux. I mean many people actually think Linux is more secure because :

- They do not know how to secure a Windows Server (Netbios, Registry settings...)
- Linux has less security fixes because none of the community has the means to develop and fix everything in a short time.
- Windows is more opened from base with many useless services running, so yes in a sense it is less secure than a Linux out of the box, but this is for compatibility issue, having legacy services are just here to make things easier. But when you really want to secure a Windows server, it is pretty easy, but many people do not bother to look at some articles.

And I also want to point out the fact that only a very little amount of fixes are actually broadcasted for Windows, I mean all the fixes available regularly are optional or just updates. You can have a really secure Windows server with not even 5 security updates a year, because all the others are application patches, device drivers udpates and are no relevant to actually secure your Windows Server.

Clearly here, people are blindly applying MS patches without really knowing and testing them. This is a mistake, but do not say I am not patching my ISA Servers or my Windows Servers, I am simply doing it the best way possible to insure the stability and security of the servers.
So there is a huge difference in essence here.

Finally I am sorry to have hijacked this thread, but I have been attacked, so I simply replied.
I mean guys come on, when I am wrong I always say it, I even post my apologies here.

quinta

ITIL yes have been using this framework for many years, nothing to do with firewalls and is not security focused what so ever. ISC2 yes I hold many of their certs, CISSP, ISSEP and ISSAP, still don't know why you mentioned these and why you think you were attacked? (I have many more but they don't make me better than anyone else with the same experience).

Well aware that ISA sits on layer 7 nowadays as it is an application layer firewall, most other firewalls sit at layer 3 or 4 (packet filters / stateful ). I would not deploy ISA at my perimeter for performance reasons when a stateful, circuit level, firewall would do the job better and faster. I use ISA as a reverse proxy to restrict the requests that go to my webservers or to segment off departments only.

Again I certainly wasn't attacking you I based my response on your comment that one is easier hacked than the other with no basis for your comment.

mick.fr

quinta wrote:

ITIL yes have been using this framework for many years, nothing to do with firewalls and is not security focused what so ever. ISC2 yes I hold many of their certs, CISSP, ISSEP and ISSAP, still don't know why you mentioned these and why you think you were attacked? (I have many more but they don't make me better than anyone else with the same experience).

Well aware that ISA sits on layer 7 nowadays as it is an application layer firewall, most other firewalls sit at layer 3 or 4 (packet filters / stateful ). I would not deploy ISA at my perimeter for performance reasons when a stateful, circuit level, firewall would do the job better and faster. I use ISA as a reverse proxy to restrict the requests that go to my webservers or to segment off departments only.

Again I certainly wasn't attacking you I based my response on your comment that one is easier hacked than the other with no basis for your comment.

Was not talking about you.
I am sorry but ITIL talks about security and redudancy. But as I said these are only some examples of the framework we are using in the industry, concept that is new to the other people who replied, a part from you.

I was saying having 2 different firewall vendors is recommended and this is an IT industry good practice, then people became ballistic about this statement and said I was speaking non-sense, reason why I have quoted some of the framework such as ISC2.

Anyway your conception about ISA Server is wrong, ISA is actually primarly working on the same layers as the other firewalls + it does application filtering, and it is faster, this is a fact, check out some online documents.

Anyway I respect your choice about ISA, the problem is not ISA is weaker, the problem is that people do not trust it because it is new (7 years, and I would like to speak about 2004 version and above only, as 2000 was extremely weak, which brings ISA to a 3 years product in a way) and working on Windows.

So yes spectic you are, and I respec that. But this is a fact this is an extremelly secure product and faster in many situations, much more than usual other firewall with their basic features.

Mick

ntlbell

mick.fr wrote:

Was not talking about you.
I am sorry but ITIL talks about security and redudancy. But as I said these are only some examples of the framework we are using in the industry, concept that is new to the other people who replied, a part from you.

I was saying having 2 different firewall vendors is recommended and this is an IT industry good practice, then people became ballistic about this statement and said I was speaking non-sense, reason why I have quoted some of the framework such as ISC2.

Anyway your conception about ISA Server is wrong, ISA is actually primarly working on the same layers as the other firewalls + it does application filtering, and it is faster, this is a fact, check out some online documents.

Anyway I respect your choice about ISA, the problem is not ISA is weaker, the problem is that people do not trust it because it is new (7 years, and I would like to speak about 2004 version and above only, as 2000 was extremely weak, which brings ISA to a 3 years product in a way) and working on Windows.

So yes spectic you are, and I respec that. But this is a fact this is an extremelly secure product and faster in many situations, much more than usual other firewall with their basic features.

Mick

You're very good at avoiding answering simple direct questions.

You're also very good at assuming people's lack of technical knowledge and changing the argument to suit yourself.

You have no idea what I do for a living so don't make silly assumptions.

Let me clear a few things up, I've worked for Microsoft for a number of years as a Network security consultant. I now work for one of the biggest IT security firms in the world.

Now that we have established how big my security balls are I'll try and get you to understand what you were questioned on.

For the most part there is no standard "good prcactices" every single situation/network is differnt and should be treated as such.

UNDERSTAND THIS.

No one is claiming using multiple firewall vendor's is good or bad or in different.

Let that sink in for a few minutes.

Now......


You cannot come out with a statment " It is technically easier to hack a Cisco PIX or some well known Linux/FreeBSD firewalls than an ISA Server."

Without having something to back it up with, telling me there's documents that prove it online is moronic.

Show me how, show me the tests YOU have done and the results YOU produced from such tests. Telling me 10 security consultant's have tested this and have produced results is NONSENSE. SHOW ME.

Your ideals on Microsoft's security Vs Linux/BSD etc is out of this world, so yes we live in two totally differnt world's.

OpenBSD out of the box, one, ONE remote hole in TEN years.

How can you even start to compare this to MS product's, who released TWENTY patches TODAY with a large number of them marked critical.

Unless you're next reply has detailed information on how you came to the conclusion of " It is technically easier to hack a Cisco PIX or some well known Linux/FreeBSD firewalls than an ISA Server." then there's no real need to reply.

quinta

mick.fr wrote:

Was not talking about you.
I am sorry but ITIL talks about security and redudancy. But as I said these are only some examples of the framework we are using in the industry, concept that is new to the other people who replied, a part from you.

I was saying having 2 different firewall vendors is recommended and this is an IT industry good practice, then people became ballistic about this statement and said I was speaking non-sense, reason why I have quoted some of the framework such as ISC2.

Anyway your conception about ISA Server is wrong, ISA is actually primarly working on the same layers as the other firewalls + it does application filtering, and it is faster, this is a fact, check out some online documents.

Anyway I respect your choice about ISA, the problem is not ISA is weaker, the problem is that people do not trust it because it is new (7 years, and I would like to speak about 2004 version and above only, as 2000 was extremely weak, which brings ISA to a 3 years product in a way) and working on Windows.

So yes spectic you are, and I respec that. But this is a fact this is an extremelly secure product and faster in many situations, much more than usual other firewall with their basic features.

Mick

Ok sorry if I misread, I thought that was aimed directly at me. Gonna have to agree to disagree with you here. ISA 2004+ is a layer 7 firewall, which is slower than a layer 3/4 firewall, no escaping this fact, unless you can disable the application proxy functions and make it a pure stateful or packet filter firewall. Yes its secure, but is it more secure than Cisco PIX etc, that are used in some of the most hostile networks and high threat environments.

I do agree with you on the belt and braces approach to FW deployment, that just common sense and good practice, but may be overkill for some networks.

ITIL - Is not a security framework, it is solely for IT Service Management, yes it deals with Availability, Change control etc, but not security explicitly, you need something like 27001:2005 for that.

Anyway I think this thread can run and run to be honest.

Doodlebug

DonkeyStyle \o/ wrote:

I use Kerio Personal Firewall (30-day expired version).
Steve Gibson was raving about it in a few of his podcasts, so I thought I'd at least see what all the fuss was about... as well as that, I got sick of Nortons pop-ups rudely interrupting me at random intervals nagging at me to subscribe or the bad men would get me. :rolleyes:
I'm not as worried about it since I got a proper NAT router anyhoodles.

Pardon my stoopidity, but would it be a wise thing to rely on just the NAT features of my Eircom Netopia (3347NWG) wireless modem/router and ditch the software firewall?? (I am an ordinary "home" user). Donkeystyle, would that be considered a proper NAT router?

I used to use Zone Alarm several years ago. These days (after changing PC) I rely on the Eircom box (with pin-holes configured for a BitTorrent Client, games, etc.) and the bog standard Windows XP Firewall. I find Microsoft's solution to be clunky though (especially where you need to open a range of ports).

So what do yez think? Is it worth trying?

aidan_walsh

A NAT router is only going to protect you from incoming connections, it won't do anything about outgoing. Thats where a software firewall is going to be able to protect and warn you.

Doodlebug

Thanks for that aidan_walsh!

I lives and learns!

Jaden

The content of this thread is funny in some places, and hilarious in others. Some of the things being said here can't *possibly* come from the minds anyone who would be let near a network.

Want to secure your network as best you can? Two words:

"Default Deny".

DonkeyStyle \o/

Doodlebug wrote:

Pardon my stoopidity, but would it be a wise thing to rely on just the NAT features of my Eircom Netopia (3347NWG) wireless modem/router and ditch the software firewall??

I hear people recommending it alright, but as Aidan said, having a software firewall is also nice for outbound and application-specific connections... I want to make sure nothing is 'reporting home' or otherwise abusing my bandwidth, so I keep a software firewall running.
It's also nice because it allows me to monitor connection activity per application without farting around with netstat.

Doodlebug wrote:

(I am an ordinary "home" user). Donkeystyle, would that be considered a proper NAT router?

Yeah... well let me put what I said before in a better context... what I was using before wasn't actually a router... it was some heap of crap USB DSL modem that offered no inbound protection at all... so I was completely at the mercy of the software firewall.