RE: [fw-wiz] Annoying pop-ups

From: Ames, Neil (NAmes@anteon.com)
Date: 10/29/02


From: "Ames, Neil" <NAmes@anteon.com>
To: "'Paul D. Robertson'" <proberts@patriot.net>, Mikael Olsson <mikael.olsson@clavister.com>
Date: Tue Oct 29 12:37:19 2002


        What Mikael said with a two-by-four is what I was hinting at. Paul
laid down the law with, "Don't open Windows without a screen" and I couldn't
agree more. I am still trying to figure out which screen (for *my*
purposes)--being fed up with trying to manage remote (as in "no inward
access") systems running ZoneAlarm Pro. I am about to end a pleasant eval.
experience with "Cyberwall Plus" and try Okena's "Stormwatch." My
experience with Cyberwall Plus makes me wonder if I really have to worry
about controlling network access for every single application and DLL. (It
makes a case for the NIC-based firewalls too.) Anyway, here are some notes
on host-based firewalls. (I will add any new comments to this list if any
discussion arises, or if I get more comments sent off-list.)

NOTE: [F] Means my comments. All other stuff, in quotes, was sent along
by folks on the list.

3Com Embedded Firewall (3Com)
"Hardware based, centrally managed, difficult to disable
unless the administrator installs a new card."
This approach has significant appeal to me.[F]

Conseal PC Firewall (Signal9)
"I've known folks that have used this for a number of years
with great success, never tried it myself."

CyberwallPlus (Network-1)
"Network-1 was a product we used for doing host-level
firewalling."
I used this while at SANS and it did a great job of
blocking the Nessus crowd--and was not too hard for me
to configure to do my own labs. It's not like Zone and
Sygate--controlling application access--but it is very
practical and it's manageable remotely.

GNAT Box Light (Global Technology Associates)
"Many folks in the old firewalls list recommend this
product, never used it here though."

ISA (Microsoft)
Several people said that this is not a full-fledged firewall,
and that the cost is significant. [F]

Kerio Personal Firewall (Kerio)
"We looked at this, it was limited in usefulness and fairly
inflexible. Not easy for beginners to work with at all."

OmniCluster SlotShield 1000 (Checkpoint)
"It is a PCI card that replaces the server NIC with a fully
functional Checkpoint firewall."

Outpost
"Outpost seems to be the 'hot' firewall now. I'm using it
but it has some very silly bugs. They say it will be fixed
in the next release but they won't tell me when the next
release will be out."

NukeNabber (DSI)
"NukeNabber is useful, but requires the engineer know a
tad about networking and specific services, as well as the
difference between UDP and TCP. The defaults are not
much good, and I don't recall it being able to handle a lot
of port mappings. We use it as a backup under Sygate's
product."

Stormwatch (Okena)
"You might want to look at Okena Stormwatch."
I have not evaluated it yet, but this looks like Zone on
steroids. I look forward to taking it for a spin. [F]

Sygate Personal Firewall Pro
"We use and like this product, its interface is easy to
figure out, even for beginners and can deal with outgoing
as well as incoming packets. When something new to the
rulebase hits it, it offers a choice to deny,
accept, or accept for this session only. We've never even
tried to manage it remotely, not sure if it has much of that
capability, but, it is pretty clear and easy for a beginner to
be walked through. Even the unregistered product is quite
useable."
"Sygate looks like a good product if you are willing to spend
some time working it."
I had a one-day eval. (go figure) and felt that it is very
much like ZoneAlarm in terms of sophistication--and
issues. (Whose idea is a one-day eval? Must have been a
bug.) ;)

Tiny Personal Firewall (now Kerio ?)
"Tiny seemed okay, but not great."
Marcus Ranum said, in Oct. issue of InfoSecurityMag,
that he's used it for a year. [F]

Win Route Pro 4.0 (Kerio)
"I've seen lots of alerts on this product out of bugtraq, I'd
avoid it."

ZoneAlarm (Zone Labs)
"I've seen perhaps the most alerts on bugtraq on this
offering, I avoid it. I've heard lots of folks having troubles
with it too."
"I keep coming back to it."
"I like Zone because it is easy to use and they keep
upgrading it. Their technical support is quite bad; expect
an email reply within 3 days. I don't think any of the
companies offer good technical support."
I am tired of trying to keep up with the pop-ups--without
turning protections off. [F]

--Fritz

-----Original Message-----
From: Paul D. Robertson [mailto:proberts@patriot.net]
Sent: Tuesday, October 29, 2002 9:32 AM
To: Mikael Olsson
Cc: Ames, Neil; 'David Hawley'; firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Annoying pop-ups

On Tue, 29 Oct 2002, Mikael Olsson wrote:

> This is somewhat disconcerting.
>
> You _REALLY_ should be blocking all of 135--139, TCP as well as UDP,
> PLUS port 445, that got introduced in windows 2000.
>
> Windows networking is a lot more than just port 139, folks.
> Some of the not-so-clueful hackers haven't picked up on that yet,
> but it's a safe bet that the clueful ones have.

[snip]

The real message here is "Don't open Windows without a screen."

Given the prevalence of "personal firewalls" and their low to free cost
points, it *really* doesn't make sense not to provide protection at the
filtering layer. *Especially* if it's a laptop and you're hauling it
around to foreign networks[1]. Double-especially if you're administering
firewalls, routers, or other core infrastructure from the device.

Paul
[1] Foreign as in "client, hotel, airport..." not "Swedish." ;)
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
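
Added example, not part of either message above: a small audit that checks an ordered, first-match inbound ruleset for the ports Mikael names (135--139 on TCP and UDP, plus 445) and reports which remain reachable. The rule syntax, the sample rulesets, and the choice to check 445 on both protocols are assumptions made for this sketch, not any product's format.

```python
# Added example: audit an ordered, first-match inbound ruleset for the
# Windows networking ports named in the thread. The rule syntax is
# constructed for this sketch and is not any firewall product's format.

REQUIRED_PORTS = list(range(135, 140)) + [445]  # 135-139 plus 445
PROTOCOLS = ("tcp", "udp")  # assumption: 445 is checked on both protocols


def parse_rule(line):
    """Parse '<allow|deny> <tcp|udp|any> <port|lo-hi|any>' into a tuple."""
    action, proto, ports = line.split()
    if action not in ("allow", "deny") or proto not in ("tcp", "udp", "any"):
        raise ValueError(f"bad rule: {line!r}")
    if ports == "any":
        lo, hi = 0, 65535
    else:
        lo, _, hi = ports.partition("-")
        lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {line!r}")
    return action, proto, lo, hi


def verdict(rules, proto, port, default="allow"):
    """First matching rule wins; fall back to the default policy."""
    for action, rproto, lo, hi in rules:
        if rproto in (proto, "any") and lo <= port <= hi:
            return action
    return default


def exposed(rule_lines, default="allow"):
    """Return the (proto, port) pairs from the required set still allowed."""
    rules = [parse_rule(l) for l in rule_lines
             if l.strip() and not l.lstrip().startswith("#")]
    return [(p, n) for p in PROTOCOLS for n in REQUIRED_PORTS
            if verdict(rules, p, n, default) == "allow"]


# Constructed sample rulesets.
ONLY_139 = ["deny tcp 139"]                              # the "just 139" habit
SHADOWED = ["allow tcp 445", "deny any 135-139", "deny any 445"]
FULL = ["deny any 135-139", "deny any 445"]

if __name__ == "__main__":
    for name, rs in (("only-139", ONLY_139), ("shadowed", SHADOWED), ("full", FULL)):
        print(name, exposed(rs))
```

The SHADOWED set shows why rule order matters in a first-match filter: the later deny for 445 never takes effect for TCP because an earlier allow already matched.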


