Best Vista-compatible software firewall?

DJFuji

Diamond Member
Oct 18, 1999
3,643
1
76
Zone alarm is ok but the free version only has basic port filtering. IOW, I can't keep it running when I RDP in because there's no way to open port 3389 to everyone.

Windows firewall doesn't have sufficient outgoing protection.

What are you guys using?

Software -> Security

-Schadenfroh
 

DJFuji

Diamond Member
Oct 18, 1999
3,643
1
76
That's the point. I want outgoing protection. Zone alarm is the only mainstream firewall that supports Vista that I know of.
 

blackangst1

Lifer
Feb 23, 2005
22,902
2,359
126
Originally posted by: DJFuji
That's the point. I want outgoing protection. Zone alarm is the only mainstream firewall that supports Vista that I know of.

huh?

There are 5 or 6 that are compatible. I use and prefer Norton's. Very customizable down to packet type if you wish.

If you learn how to configure it, Vista's firewall is a close 2nd.
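An added example (not from any poster in this thread) of what "learning how to configure it" amounts to: the OP's two needs, inbound RDP on 3389 and outbound filtering with per-application allow rules, expressed as netsh advfirewall commands, which Vista ships with. The executable paths and rule names are constructed; run from an elevated command prompt (cmd.exe or PowerShell). The svchost/BITS rule illustrates the point stash makes later in the thread.

```powershell
# Constructed example rules for Windows Firewall with Advanced Security (Vista+).
# Adjust program paths to your own installs; run from an elevated prompt.

# 1. Default-deny in both directions. Inbound is already blocked by default;
#    "blockoutbound" is the part the basic Control Panel applet does not expose
#    (wf.msc does, but it is easier to script here).
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 2. The OP's inbound need: Remote Desktop on TCP 3389. Limit it to the local
#    subnet rather than "everyone"; widen remoteip only if you must.
netsh advfirewall firewall add rule name="RDP (TCP-In)" dir=in action=allow protocol=TCP localport=3389 remoteip=localsubnet

# 3. Per-application outbound allows. Only the listed executables may initiate
#    connections, and only to the listed ports.
netsh advfirewall firewall add rule name="Firefox (Out)" dir=out action=allow program="C:\Program Files\Mozilla Firefox\firefox.exe" protocol=TCP remoteport=80,443

# 4. DNS: allow only the DNS Client service, not svchost.exe as a whole. A rule
#    naming svchost.exe alone would let every service hosted in it out.
netsh advfirewall firewall add rule name="DNS Client (Out)" dir=out action=allow program="%SystemRoot%\system32\svchost.exe" service=Dnscache protocol=UDP remoteport=53

# 5. The caveat from later in the thread: Windows Update needs BITS, and once
#    BITS is allowed out, anything that can queue a BITS job rides through this
#    rule. Scope it as tightly as you can; the firewall still cannot tell a
#    patch download from malware using the same service.
netsh advfirewall firewall add rule name="BITS (Out)" dir=out action=allow program="%SystemRoot%\system32\svchost.exe" service=BITS protocol=TCP remoteport=80,443

# 6. Log dropped packets so blocked outbound attempts are at least visible.
#    Note the log records addresses and ports, not the originating process.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%SystemRoot%\system32\LogFiles\Firewall\pfirewall.log"

# 7. Review everything currently allowed out.
netsh advfirewall firewall show rule name=all dir=out
```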
 

DJFuji

Diamond Member
Oct 18, 1999
3,643
1
76
That must be a recent thing. A few months ago the only firewall compatible with Vista was ZoneAlarm.
 

DJFuji

Diamond Member
Oct 18, 1999
3,643
1
76
Stash, fascinating article, but it's a bit like saying antivirus is snake oil because nothing can stop 100% of virus attacks. Ditto for firewalls, Patriot missiles, and anti-spyware. The outgoing protection application might not offer 100% protection but it's probably better than nothing.

And that said, I'd like to know what the best option is for maximizing protection.

I'm actually not even that concerned with spyware or viruses. I'm more concerned with knowing what legitimate applications are trying to dial home without my knowledge.
 

hans007

Lifer
Feb 1, 2000
20,212
18
81
I have worked with the CA HIPS SDK and it works great in Vista and has support for all outgoing rules. I would assume that the CA internet firewall (I think that's what they call their consumer product) would have all these features. The firewall used to be called the "Tiny firewall" or something before CA bought them.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
The outgoing protection application might not offer 100% protection but it's probably better than nothing.
If your firewall didn't block 100% of the inbound traffic you told it to block, would that make you feel very secure?

Regardless, even if outbound filtering did provide you with 100% effectiveness, it's still an idea that is inherently flawed. Outbound filtering is trying to stop something malicious on your computer from getting out. Think about that for a second. You already have something malicious on your machine. What makes you think you will ever have any success at preventing it from doing anything?

It's a massive violation of the first law of computer security: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.
 

hans007

Lifer
Feb 1, 2000
20,212
18
81
Originally posted by: stash
The outgoing protection application might not offer 100% protection but it's probably better than nothing.
If your firewall didn't block 100% of the inbound traffic you told it to block, would that make you feel very secure?

Regardless, even if outbound filtering did provide you with 100% effectiveness, it's still an idea that is inherently flawed. Outbound filtering is trying to stop something malicious on your computer from getting out. Think about that for a second. You already have something malicious on your machine. What makes you think you will ever have any success at preventing it from doing anything?

It's a massive violation of the first law of computer security: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.

That's not entirely true.

Most malware, unless it was really complex and well written, would not be able to compromise all your security.

Some malware contacts external servers to update itself, or to send your information away to, or say to go to IRC to contact a bot channel if it's a zombie. If you can do an outgoing firewall with support for application-level outgoing filters, then if some malware wants to contact say a mail server to email info about your computer you will know and can stop it before it does what it needs to do.
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
I ran across some malware in the wild that uses BITS to get updates. It doesn't appear to be stupendously-complex malware. a little more info I don't know whether this particular malware runs on Vista, but I suspect most firewalls will not detect that traffic. An ounce of prevention...
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
Some malware contacts external servers to update itself, or to send your information away to, or say to go to IRC to contact a bot channel if it's a zombie. If you can do an outgoing firewall with support for application-level outgoing filters, then if some malware wants to contact say a mail server to email info about your computer you will know and can stop it before it does what it needs to do.
Like I said before, and as mech points out, if you think you can stop a malicious process from communicating by using an outbound filtering firewall, you're deluding yourself. Like mechBgon says, malware can just use a legitimate process that is already allowed through the firewall (such as BITS or your browser). There's no vulnerability in BITS, it's doing exactly what it is designed to do.

A firewall cannot distinguish intent. There's no way for your outbound filter to determine if a process using BITS or a browser is doing so for malicious or legitimate purposes. Which is why outbound filtering is useless as a security feature.
 

DJFuji

Diamond Member
Oct 18, 1999
3,643
1
76
I wouldn't say USELESS. That's like saying a well trained unit can infiltrate a security perimeter so the security perimeter is worthless....we should just leave ourselves wide open. Even if it's only 10% effective, a software firewall with outbound filter will always be of SOME use. It just won't ever secure your system 100%.
 

hans007

Lifer
Feb 1, 2000
20,212
18
81
Originally posted by: stash
Some malware contacts external servers to update itself, or to send your information away to, or say to go to IRC to contact a bot channel if it's a zombie. If you can do an outgoing firewall with support for application-level outgoing filters, then if some malware wants to contact say a mail server to email info about your computer you will know and can stop it before it does what it needs to do.
Like I said before, and as mech points out, if you think you can stop a malicious process from communicating by using an outbound filtering firewall, you're deluding yourself. Like mechBgon says, malware can just use a legitimate process that is already allowed through the firewall (such as BITS or your browser). There's no vulnerability in BITS, it's doing exactly what it is designed to do.

A firewall cannot distinguish intent. There's no way for your outbound filter to determine if a process using BITS or a browser is doing so for malicious or legitimate purposes. Which is why outbound filtering is useless as a security feature.

Actually, with a firewall like CA HIPS, you can do a hash signature of known files to make sure it's not just a renamed version of the same file.

Besides, you'd still know what port it was connecting on if it was some bizarro port.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
Even if it's only 10% effective, a software firewall with outbound filter will always be of SOME use. It just won't ever secure your system 100%.
Sigh.

The mere fact that you have something malicious on your machine in the first place means your machine is not secure. Outbound filtering, and any other security measure (real or theater) is irrelevant at that point. The game is over. You put protection on the thing you are trying to protect, not the already compromised thing you are trying to protect against, to paraphrase Jesper. Which is more effective? Asking someone not to steal anything after they've broken into your house or keeping them out of the house to begin with?

Actually, with a firewall like CA HIPS, you can do a hash signature of known files to make sure it's not just a renamed version of the same file.

Besides, you'd still know what port it was connecting on if it was some bizarro port.
Please read what I wrote again. There's no renaming of files going on here, no bizarro port usage. A malicious process can simply use an existing legitimate process (like IE, Firefox or BITS) to communicate. These legitimate processes are ALREADY allowed out through the firewall. At least in Vista there is service isolation, so that one service running in a user context doesn't have access to other services running in that context, but it is still not enough, since an administrative user or a malicious process running as that user can work around service isolation without much trouble.

I'll say it again: protection belongs on the asset you are trying to protect, not the asset you are trying to protect against. It's a pretty simple concept, but so far, a lot of companies have made a lot of money exploiting people's ignorance of that concept.
 

hans007

Lifer
Feb 1, 2000
20,212
18
81
I still think an outgoing firewall is useful.

Granted, stash has pointed out ways that a piece of malware could be written to get around it. But DJFuji is right, it still is of some use, because not all malware authors know of every secret way to get around an outgoing firewall.

I mean, that's like saying cops shouldn't wear bulletproof vests because criminals could just get really good at aiming so they could just shoot cops in the eye and not the chest. An outgoing firewall will still let you know if malware that say an AV / spyware scanner doesn't have defs for, or say a brand new exploit, is getting out if it trips it up and doesn't use every clever tactic out there.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
I give up. Well, no, not really.

Outbound filters are useful. Just not for security.

As far as malware getting "tripped up" by an outbound filter, have you ever seen a prompt from one of these firewalls? They are completely useless to almost everyone (including power users). They make all kinds of assumptions (because they can't determine intent), and they usually default to the "allow this connection and all connections from this process on all ports and stop bugging me" option. I wonder what the user is going to click on?

Also, a lot of malware does something seemingly normal to trick people into configuring their firewall for it. For example, dancing_pigs.exe makes a connection to a DNS server. Hey that sounds like something I should allow (DNS is good right? Or, does your mom even know what DNS is?) and besides, the box is defaulting to the option to allow this and all connections from dancing_pigs.exe. Sweet! So by clicking this, the user never sees the second dialog that would show what dancing_pigs was really trying to do.

These aren't super clever or complex tactics. These are things that malware do *today* all the time. Given the market penetration these outbound filtering products have (can you buy a computer without a security suite on it?), doesn't it make you wonder why malware is still a huge and growing problem?

Your police officer analogy makes no sense. A bulletproof vest is more analogous to inbound filtering. The fact that he could still get shot in the head is analogous to the fact that the user could still click on something stupid (dancing_pigs.exe) and own themselves. But that doesn't make the bulletproof vest (inbound filtering firewall) a bad idea.

I can't say this enough: the goal is to protect your computer from getting owned in the first place, not to protect something that is already owned!
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
An outgoing firewall will still let you know if malware that say an AV / spyware scanner doesn't have defs for, or say a brand new exploit, is getting out if it trips it up and doesn't use every clever tactic out there.

I see holes in that. In the first place, borrowing a program that is pre-approved to pass through the firewall, such as your browser, IM or P2P program, is not a clever new tactic. If I did a little clever Googling I could probably kick out a list of hundreds of types of malware that do that, just off Symantec's site alone.

Secondly, one of the first things many malware attacks do is to TKO your security software or add themselves as exceptions to your firewall, before they get down to business in earnest. You cannot safely assume that your defenses will even be running once the "infantry" malware has a foothold. I'm making some gaping generalizations, of course, but I would put the bulk of my efforts into prevention strategies, including risk avoidance. You can do so much in that area if you're willing to lay aside "the way things have always been done."
 