Re: How does outpost compare to ZAP?

From: Michail Pappas (invalid@dot.invalid)
Date: 12/19/01


"Ice Cap" <icecap85@nospam.hotmail.com> writes:

| There are two different kinds of outgoing protection. One: the firewall or IDS
| scans incoming and outgoing packets or connections for attacks and blocks
| them.

Indeed, most PFs basically perform a packet filtering role: one
specifies ports/protocols/hosts to constrain access. IDSs are useful
here since they inspect the actual contents of IP encapsulated traffic
like TCP and UDP. They peek inside and perform
alerting/logging/capturing functions. Snort is a good example.

Couple these IDS features with a packet filtering engine and you've
got a product like BID. In spite of a recent thread over BID I must
say I agree with most of the points in the original poster. Yet I must
disagree on the usefulness of application awareness, that is how
useful it is for a PF to be aware of the actual program that requested
access.

| Two: A firewall can do that and a different kind of outgoing protection,
| that's the application level of filtering, which might I add is useless.

You must be referring to application commandeering, like the one
performed by tooleaky, for example. Indeed, all software firewalls are
not useful in that respect, yet quite some controversy was generated
over whether blocking this type of "unsolicited" activity should be a
feature of a PF, an AV or an AT product.

In any case, providing network access to specific applications _is_
useful in another context. It does provide software firewalls with
an advantage that hardware firewalls do not have, though: take an H.323
application for example. For most entry-level hardware firewalls
supporting these applications would mean that a wide range of ports
should be opened. More expensive HW firewalls do exist that can
accept/drop traffic, using SPI, even for tough cases like H.323.

On a software firewall one still has to allow access to a large number
of ports. However, if the application is closed, most PFs are able to
close all ports associated with that same application. On a hardware
firewall they would remain open.

IMO, a good SOHO LAN connected to the net would have a NAT router, BID
in front of it (if at least a system within the LAN exports some
network service) and a good PF (Tiny, Outpost ...) running on each
Windows platform.

-- 
Michael.-
