Re: It seems every firewall is slagged as snake oil. So how should it be done?

Kayman wrote:
On 13 Mar 2009 10:57:02 GMT, Rick wrote:

"Martin C" <martinC@xxxxxxxxxxx> wrote in
news:49ba16d9$1_1@xxxxxxxxxxxxxxxxxxxxxx:
From reading this newsgroup, there seem to be an incredible number of postings that basically say that no personal firewall should be used
on a PC as they are all basically snake oil and don't really do much.

Personal firewalls are one of those things that people love to argue back and forth. Both sides have some validity to their views so the argument goes on ad infinitum. Sort of like asking "which auto brand is better, Ford, Chevy or Chrysler?"

This therefore leads to the following question.

If the personal firewalls like Kerio, Comodo, Zone Alarm, Online Armor
etc are no good, then what should be used? Or are these guys saying
that we should just stick with a normal router and the Windows
Firewall? Or are we talking about a major investment in hardware?

IMHO - Security cannot be guaranteed by any single thing or even any combination of things, whether they be hardware, software or both. That's what makes it difficult for many people. They come in here or other newsgroups/forums and ask whether "this product" or "that software" will keep them safe. More often than not, someone will jump in and give you their recommendation and someone else will jump in and tell you that recommendation isn't effective.

For what little it is worth, here are my recommendations for home users with moderate needs for security:

#1) use an NAT router. while these are NOT the same as a real firewall, they do tend to block a number of avenues of attack. Make sure you change any default passwords that the router uses to control access to its configuration menus and turn off UPnP unless you really need it (the vast majority of home users will not need it).

#2) make sure you have all available Windows security updates installed, including IE7 if you use Internet Explorer as a browser (you might want to consider using a different browser such as Firefox).

#3) make sure you have the latest updates for Java, Acrobat Reader, Firefox (if you use it) and Flash since they are popular avenues of attack. Be aware that when Java updates are installed, the older versions are not removed. Unless you have a real need for the older versions, it is usually best to remove them and only run the latest version.

#4) run a decent quality antivirus program with background scanning. For home users on a tight budget and with modest security needs, the free AV software from Antivir (has an annoying nag screen), Avast (the one I usually recommend for home users) or AVG are available. For a reasonable (IMHO) cost, Antivir, NOD32, or Kaspersky are good choices for an AV program (the latest version of Norton may move into that category but I haven't seen any good reviews of its effectiveness yet). For what it's worth, I'm not fond of "Internet Security Suites" regardless of the manufacturer. I find them to mostly be bloated hogs that really drag down system performance without adding much in the way of real security. Use the built-in Windows firewall instead.

#5) use a dedicated antimalware program as a "second opinion" security scanner just in case. Since no single AV scanner is 100% effective, it is a good idea to run one of these on occasion. I tend to recommend the free version of either SuperAntispyware or Malware Byte's AntiMalware for home users on a tight budget. They have to be run manually but that should be sufficient. The for-pay versions of those programs offer real-time scanning for those who don't want to deal with remembering to run the manual scans.

#6) if you use Outlook Express, Outlook or one of their derivatives (such as Incredimail) for your email, I recommend turning off the preview pane.

#7) consider additional software/configuration changes such as:

- running services
http://www.blackviper.com/WinXP/servicecfg.htm)

- autoplay/autorun
http://antivirus.about.com/od/securitytips/ht/autorun.htm

- codecs
http://community.winsupersite.com/blogs/paul/archive/2007/10/15/finding-a-
good-and-safe-codec-package.aspx


Of course, nothing can guarantee security. Regardless of how well the system is set up an imaginative idiot can always find a way to circumvent things. Using the above guidelines and keeping in mind the maxim of "it it sounds too good to be true it probably is" will go a long way towards keeping you trouble-free. Avoiding risky behavior also goes without saying. Those who cruise a lot of porn sites and/or those who do a lot of file sharing without knowing exactly what they are doing tend to be the ones who get into trouble the most.

Just my 2 cents worth.....

Deconstructing Common Security Myths.
http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMyths/default.aspx
Scroll down to:
"Myth: Host-Based Firewalls Must Filter Outbound Traffic to be Safe."

Exploring the Windows Firewall.
http://www.microsoft.com/technet/technetmag/issues/2007/06/VistaFirewall/default.aspx
"Outbound protection is security theater—it’s a gimmick that only gives the
impression of improving your security without doing anything that actually
does improve your security."

Managing the Windows Vista Firewall
http://technet.microsoft.com/en-us/magazine/cc510323.aspx
*(read twice!)*

Of course it must be THE TRUTH, it is written by a Firewall vendor that are not competent enough to provide two-way filtering.
.