What is your input on the best Firewall or type of protection?

Snowball

I was thinking about it. I'm on the very paranoid side of things and have always used a firewall but never though about it.

I want your viewsm, experiances and help. Recomend your method, combo or system to secure your PC.

Also, which is the most secure OS (apart from Linux and Unix). ie: 3.11, 95, 98, ME 2k, NT1, NT2, NT3, etc...

Snowball

Oh and MindPhuck, u said in http://www.boards.ie/vbulletin/showthread.php?s=&threadid=38320&highlight=Firewall that MiCr0 needed to get rid of XP home. That I understand but what about XP pro? what experiance do u have with it. its just that I wanna have a secure system but I cant find any flays with it yet. A bit of a pain to network but apart from that no prob

theciscokid

vote = za

i use xp home and find it great, as well as linux

most ppl will answer 2000 pro , but you know what?

i use that in college and still find xp home/pro better

different strokes for different folks

rob1891

Is the last version of at guard still considered as a good personal firewall, I know it got integrated into Norton Firewall, but Norton stuff is a little too intrusive for my liking.

Rob

Tenshot

Rather than bog down my PC with all sorts of firewall products etc., I find an external router with NAT is plenty of protection (as long as you don't enable DMZ forwarding of course).

Ethernet-to-Ethernet routers are pretty cheap now and will completely stop any would-be hackers from running port scans against the PCs on your LAN. They also make it a lot easier to share the Internet connection between multiple PCs.

Snowball

Originally posted by Tenshot
Rather than bog down my PC with all sorts of firewall products etc., I find an external router with NAT is plenty of protection (as long as you don't enable DMZ forwarding of course).

Ethernet-to-Ethernet routers are pretty cheap now and will completely stop any would-be hackers from running port scans against the PCs on your LAN. They also make it a lot easier to share the Internet connection between multiple PCs.

If I'm not wrong a router that is not very carefully configured is an open door for any decent hacker. Apart for the price of them which is still more expensive than going only :ninja: "Some Download" :ninja: program and getting a firewall for :ninja: .... :ninja: free :ninja:

Anyways someone will correct me soon anyways

theciscokid

lol..

yes please install a cisco router!!

Snowball

Originally posted by theciscokid
lol..

yes please install a cisco router!!

see what I mean Tenshot. Something like 60% of all cisco routers in the country are not configure properly including a certan router that controls a, way to big, number of college networks.

theciscokid

Snowball are you doing a soho or you're own single compy?

rob1891

Originally posted by theciscokid
Snowball are you doing a soho or you're own single compy?

either way he shouldn't be aquiring firewalls ninja style

:ninja:

Carnate

I use a hardware and software firewall

Smoothwall - hardware and Za Pro software,

Smoothwall can be installed on a very low spec pc, and is easy to

set up. have a look here;

http://www.smoothwall.org/

Yes i am Paranoid,

but hey i'll be right once

Tenshot

Originally posted by Snowball
see what I mean Tenshot. Something like 60% of all cisco routers in the country are not configure properly including a certan router that controls a, way to big, number of college networks.

Well, I'd hardly recommend a Cisco to a home user! Lots of network engineers are making good money as a result of them being tricky to configure.

I'm talking about the cheap LinkSys/DLink/Netgear/etc devices that Amazon sell in the $50-$100 range. These all come with a simple web interface and are pretty straightforward to set up. (If you don't change the default password, you get everything you deserve.) When you're running with NAT enabled, there is no direct path from the Internet back to your PC so you're a lot safer than when your PC is directly exposed.

(Of course, this won't protect you from the adware crap that installs itself on your local PC and then creates outbound connections back to its home base; PC-based firewall software can be useful for catching these.)

Snowball

Originally posted by Tenshot
Well, I'd hardly recommend a Cisco to a home user! Lots of network engineers are making good money as a result of them being tricky to configure.

Dont get me wrong, I am not saying that is it not a bad idea because it is its just that i recon that your average joe soap would not be all that good at configuring routers.

I'm a networking student in Carlow it (have worked for a few years in Admin before) and have seen most companies use routers. Apart from their cost I have and the fact that they are not the easiest to use I never knew how effective they were compared to software solutions. So, how efective are they compared to software?
(

Originally posted by Tenshot
Of course, this won't protect you from the adware crap that installs itself on your local PC and then creates outbound connections back to its home base; PC-based firewall software can be useful for catching these.)

I use Norton at the mo and it seems very good at that

STaN

I would recommend Norton Internet Security and Antivirus 2003

However i find the ad blocking to be not configurable enough to allow save pop-ups. It also likes to block MSN file sends and DCC's on IRC. Advice?

how should i configure a DLINK 504 for security

screenshot below

irishgeo

Zonealarm with Adaware.

I have windows Xp home and the first thing i did was disable the so called firewall.

A firewall that doesnt even stop IPv6 traffic. :rolleyes:

Snowball

irishgeo, if you can upgrade to XP pro. If u cant pm me.

XP home is one of the worst for networking and has serios problems on occasion, esspecially with 98

Tripkipke

I use the firewall in my router and Kerio firewall on my system as backup.

The reason I prefer kerio is that its very secure, highly configurable and doesn't use alot of resources.

Capt'n Midnight

ie. there is a GAP of AIR between the NIC and its connector.
No jokes about RF

Gnatbox lite on a 486 with two different models of NIC - has a nice feature where you can block activex / java at the firewall - or indeed most of the LPR stuff that is web managable.

Anyone had any dealings with bridges ? - ie no IP addreses - it just passes packets from one NIC to the Other , well only the ones that match the rules

Disabling as many holes on a pc is as important as using zonealarm or similar.

Removing IE / Outlook Express / VB scripting & turning off file sharing would get rid of Most veunerabilities you are trying to protect from. Uninstalling M$ Office and any M$ program that allows macros in data files would also help. Removing all M$ will not make you safe but less chance of getting caught between M$ hole and a script kiddie. (not that other vendors write better sw - it's just that non-internet programs from other vendors aren't as likely to automatically open dodgy files and make undocumented API calls to ring zero in the OS...) And I just love the way the way some programs will overwrite patches and reinstall features you've disabled...

I am just so sick beng told of security updates in the os when in reality it is just another 8MB patch for I bloody E.

For browsing booting off a Knoppix CD after disabling the HDD in the BIOS should be resonably secure (as long as you don't save bookmarks and do cold boots. - ie. unplug the power cable )

Shanerie

Smoothwall is the bomb diggy.

Lemming

I use iptables/netfilter running off a low-end linux box w/ 2 NICs. One to the wireless box, the other running into a switch to which my other machines (mixed O/S) are hooked up.

Completely free and I log my traffic too

Typedef

I normally use the same setup as Lemming outlined above.

FreeBSD can be good for this too, in fact, there are a couple of extremely small (floppy disk sized) out of the jar firewalling distros based around the FreeBSD kernel.

ClosedBSD
and
PicoBSD springing to mind or the OpenBSD based emBSD

dmd

Can a firewall really beat education?

ecksor

Education doesn't enforce anything.

dmd

True.

At the other end of the scale you setup portsentry tomorrow,
and why wouldn't you?

Then it goes and blocks your DNS servers from giving you any replies.

ecksor

Er, I wouldn't set it up because it's complete muck.

On the other hand, if I have services that only need to be accessed from a limited set of IP addresses, then I feel a lot better about using a basic packet filter to restrict that access than relying on the education of a potential attacker.

I think the education argument has more merit in relation to anti-virus technologies.

dmd

Er, I wouldn't set it up because it's complete muck.

Exactly, that's my whole point.

On the other hand, if I have services that only need to be accessed i from a limited set of IP addresses, then I feel a lot better about using a basic packet filter to restrict that access than relying on the education of a potential attacker.

Once again you hit my point. If you take a stock firewall with it's rules,
who is to say what it will or will not do. You need education to see
what you need to have open and block the rest. You could do this
with many many products, both free and commercial, the one thing
that doesn't change is knowing what to do, what to block and what
to leave open to what addresses. Which was my first point.

Capt'n Midnight

RE: Can a firewall really beat education?

Question who to educate - you or microsoft ?
'cos if you use Windows you are stuck with IE.

This means that if their security design pomises are kept and done properly and they ditch ALL the old code then sometime after mid 2004 there is a chance they will release something that does not need a new security patch every two weeks. There is even a chance that all the patches will work. There is a chance that the OS won't re-enable options you have disabled. There is even a chance that it won't automatically download and update new features. There is even a chance that other applications won't open new holes (netmeeting ) - check out SOAP / remote assistance etc. (a real bend over if not configed properly)

In short if you use M$ expect wopping great big holes all over the place for the foreseeable future.

Yeah XP has a firewall
- just count the number and severity of the security patches for it and IE... (Loads of full rights stuff)

=======================================
True a firewall won't protect you from a dodgy website or clicking on a funny attachement.

In short Firewalls and Education are complimentry..

ecksor

Originally posted by dmd
Exactly, that's my whole point.

Oh, it's you.

Jaden

Smoothwall on a P120 with 32 Megs of RAM - Bullet proof. Tis a piece of piss to set up, even a marketing manager could do it.


Summary - Smoothwall Good, everything else not so.

"Firewall, we don't need to stinking firewall".....

Carnate

Originally posted by Carnate
I use a hardware and software firewall

Smoothwall - hardware and Za Pro software,

Smoothwall can be installed on a very low spec pc, and is easy to

set up. have a look here;

http://www.smoothwall.org/

Yes i am Paranoid,

but hey i'll be right once

YUP

Typedef

Originally posted by Jaden
Smoothwall on a P120 with 32 Megs of RAM - Bullet proof. Tis a piece of piss to set up, even a marketing manager could do it.


Summary - Smoothwall Good, everything else not so.

"Firewall, we don't need to stinking firewall".....

Well lets be serious for a second.

Marketing managers think that mucking about with excel is programming "Hey... input that turnaround time on that project of yours into this 'spreadsheet' I 'programmed'"... *ahem*.


I was about to mention IPCop, which is a not so bad, out of the jar firewall, even if the last time I set it up, it was still running ipchains.

conor-mr2

i didnt find smoothwall as configurable as i would have liked. I wanted to be able to configure the firewall to allow/deny/drop certain icmp types but it didnt allow me do that from the nice gui they have.
And before ya say --no i didnt want to go delving around in the underlying iptables files to try and configure it manually.
I like shorewall which, like the latest smoothwall, is based on iptables, but i find its easier to configure.

Typedef

It'd be pointless to try and do that in smoothwall (or the like).

Because you'd have to rewrite the lexicon of scripts the nice web-gui calls... so that your own custom modifications wouldn't get overwritten.

*hassel* ...

It'd probably be easier to install Debian ...
or a 'real' os like Slackware... but, basically 'not' IPCop/Smoothwall e-smith etc, due to the fact they are designed to be configured from the gui.

Hell Red Hat would almost be 'easier' to write good iptables based icmp type filters in.

Typedef : Recommended use of Red Hat... I feel... dirty, somehow