Re: How does outpost compair to ZAP?

From: Michail Pappas (invalid@dot.invalid)
Date: 12/19/01

"Ice Cap" <> writes:

| There are two different kinds of outgoing protection. One, the firewall or IDS
| scans incoming and outgoing packets or connections for attacks and blocks
| them.

Indeed, most PFs basically perform a packet filtering role: one
specifies ports/protocols/hosts to constrain access. IDSs are useful
here since they inspect the actual contents of IP-encapsulated traffic
like TCP and UDP. They peek inside and perform
alerting/logging/capturing functions. Snort is a good example.

Couple these IDS features with a packet filtering engine and you've
got a product like BID. In spite of a recent thread over BID I must
say I agree with most of the points of the original poster. Yet I must
disagree on the usefulness of application awareness, that is, how
useful it is for a PF to be aware of the actual program that requested

| Two, a firewall can do that and a different kind of outgoing protection,
| that's the application level of filtering, which might I add is useless.

You must be referring to application commandeering, like the one
performed by tooleaky, for example. Indeed, all software firewalls are
not useful in that respect, yet quite some controversy was generated
over whether blocking this type of "unsolicited" activity should be a
feature of a PF, an AV or an AT product.

In any case, providing network access to specific applications _is_
useful in another context. It does provide software firewalls with
an advantage that hardware firewalls do not have, though: take an H.323
application for example. For most entry-level hardware firewalls,
supporting these applications would mean that a wide range of ports
should be opened. More expensive HW firewalls do exist that can
accept/drop traffic, using SPI, even for tough cases like H.323.

On a software firewall one still has to allow access to a large number
of ports. However, if the application is closed, most PFs are able to
close all ports associated with that same application. On a hardware
firewall they would remain open.

IMO, a good SOHO LAN connected to the net would have a NAT router, BID
in front of it (if at least a system within the LAN exports some
network service) and a good PF (Tiny, Outpost ...) running on each
Windows platform.
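The post's point about application-bound rules versus static hardware rules, as an added example that is not part of the original post: a small Python model in which the same H.323 port set is either static or bound to a hypothetical client process, so the exposed port count drops to zero once that process exits. The process name, the UDP media range and the rule format are assumptions for illustration, not any product's real rule syntax.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the two rule styles discussed above; not any product's real rule format.
@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    direction: str   # "in" (toward the host) or "out"
    dst_port: int

@dataclass(frozen=True)
class Rule:
    proto: str
    direction: str
    ports: range                 # port range the rule opens
    app: Optional[str] = None    # None = static (hardware-style); else bound to a process image

class PacketFilter:
    """Default-deny filter. Rules bound to an application only match while that application runs."""

    def __init__(self, rules, running=()):
        self.rules = list(rules)
        self.running = set(running)   # process images currently running on the host

    def _active(self, rule):
        return rule.app is None or rule.app in self.running

    def decide(self, pkt):
        for r in self.rules:
            if (r.proto, r.direction) == (pkt.proto, pkt.direction) \
                    and pkt.dst_port in r.ports and self._active(r):
                return "ACCEPT"
        return "DROP"

    def exposed_ports(self, proto, direction):
        """Ports reachable right now: the attack surface the post is talking about."""
        open_ports = set()
        for r in self.rules:
            if (r.proto, r.direction) == (proto, direction) and self._active(r):
                open_ports.update(r.ports)
        return open_ports

# Constructed H.323 profile: H.225 call signalling on TCP 1720 plus a wide UDP range for RTP media
# (the exact media range varies by product; this one is illustrative only).
H323_RULES = [Rule("tcp", "in", range(1720, 1721)),
              Rule("udp", "in", range(16384, 32768))]

def hardware_style():
    """Static rules: the ports stay open whether or not the endpoint is running."""
    return PacketFilter(H323_RULES)

def software_style(running):
    """Same ports, but bound to a hypothetical H.323 client process image."""
    app = "h323client.exe"   # assumed process name
    return PacketFilter([Rule(r.proto, r.direction, r.ports, app) for r in H323_RULES], running)
```

With the client running both filters accept RTP on UDP 20000; once it exits, only the application-bound filter closes the whole media range.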