Which firewall?

T60/T61 series specific matters only
DavidR
Freshman Member
Posts: 105
Joined: Sat Dec 09, 2006 6:11 pm
Location: PA

Which firewall?

#1 Post by DavidR » Sat Dec 30, 2006 12:15 pm

My new T60p came with the Windows firewall and a Symantec firewall - which is worth keeping? Surely not both!

jdhurst
Admin
Posts: 5831
Joined: Thu Apr 29, 2004 6:49 am
Location: Toronto, Canada

#2 Post by jdhurst » Sat Dec 30, 2006 12:27 pm

You really need to know conclusively which Symantec product you have.

If it is Symantec Client Security (Version 3, 3.1, or thereabouts), then it is best in class. Despite some dumb comments in here about it (indicating a total lack of understanding), Symantec Client Security will quietly work away at about zero CPU, not much memory and not much "in your face". It provides very effective protection. I have been using this product since V1 and know whereof I speak. Highly recommended and worth keeping. It will (should) disable the Windows Firewall.

If it is the Norton Consumer product (Version 2006, 2007, or thereabouts), then it is not best in class and lots of people don't like it with good reason. I can make it work smoothly, but it tends to use a lot of resource and has to be set carefully. Also, it bogs down any machine on startup. But work it does, so make your own decision. I no longer use the consumer product because the Corporate product I described above is easily 100 times better.
... JD Hurst

DavidR
Freshman Member
Posts: 105
Joined: Sat Dec 09, 2006 6:11 pm
Location: PA

#3 Post by DavidR » Sat Dec 30, 2006 12:36 pm

I bought a new T60p 11 Dec 2006. It came with the Symantec Client Firewall version 8.6.0.134. It did not disable the Windows firewall, so I did. The laptop also came with Symantec Anti-Virus full version 10.0.0.846 (OEM) and the license expires March 30, 2007. I have always used ZoneAlarm's best suite so I have no basis with which to make a decision on the Symantec products. Your comments are very valuable. Thanks!

jdhurst
Admin
Posts: 5831
Joined: Thu Apr 29, 2004 6:49 am
Location: Toronto, Canada

#4 Post by jdhurst » Sat Dec 30, 2006 1:14 pm

Those version numbers are the separate version numbers for the AntiVirus piece and Firewall piece of the collective Product Symantec Client Security. I have V3.1 and the A/V piece is 10.1.x and the Firewall piece is 8.7.x, so I am about a subversion ahead of you.

You should be able to do the following: Set a task in the Windows Scheduler as follows "C:\Program Files\Symantec Client Security\Symantec AntiVirus\VPDN_LU.exe" /s
The task forces the updater to run (I run it daily at 10:00am) and the /s forces it to run silently (you will never see it again).

Symantec Client Security is one of the very few computing tools that: runs, works well, works silently, ever vigilant, and trouble-free.

... JD Hurst

Ken Fox
Senior Member
Posts: 838
Joined: Thu Dec 14, 2006 1:52 am
Location: Idaho, USA

#5 Post by Ken Fox » Sat Dec 30, 2006 1:27 pm

jdhurst wrote:You really need to know conclusively which Symantec product you have.

If it is Symantec Client Security (Version 3, 3.1, or thereabouts), then it is best in class. Despite some dumb comments in here about it (indicating a total lack of understanding), as to be set carefully. Also, it bogs down any machine on startup. But work it does, so make your own decision. I no longer use the consumer product because the Corporate product I described above is easily 100 times better.
... JD Hurst
I don't know what Lenovo is bundling with their laptops these days given that my most recent purchases were my X32 and T42 about 18 months ago (however I have two laptops on order as I type this).

Prior Thinkpads I've received (X31, X32, T40, T42) and that I've helped my parents purchase (T40, T43) have come with the Norton versions which personally I would not retain on a machine. I have no experience with the corporate products which some here state are being bundled with T6x systems (and maybe X6x ones also).

That having been said, several points need to be considered before one decides to use these bundled products. For one, they are generally time limited, and unless this has changed, they are limited to around 90 days. This means that if you want to continue using them you will probably end up having to pay a high price vs. what you might well pay buying the products yourself in the aftermarket at competitive prices.

In addition, I personally believe that much of this security type software is unnecessary for an intelligent careful user outside of an environment where gobs of private personal information resides on your laptop, such as those news reports where government laptops were misplaced, having hundreds of thousands of clients' social security numbers and other such data cavalierly residing on a laptop hard disk.

The security software industry, with such big players as Symantec, make a business out of scaring people into buying their antivirus and firewall software. If the intelligent user will use a modern router with a hardware firewall, will avoid navigating to unknown websites, to opening emails and attachments from unknown senders, and to using basic but good (and free) antivirus software such as AVG Free, I think one is in fine shape and doesn't need this other software.

I have 4 computers that operate behind hardware firewalled router(s), which includes my 2 Thinkpads. I was a relatively early adopter when it comes to internet usage and always on broadband connections. I have never had a virus or worm or other attack I could not easily deal with using AVG Free.

I have had two systems ruined by Zonealarm, to the point where after uninstallation I was unable to use them and had to reinstall all the software from scratch or an old disk image. I am very skeptical about the need for this software for the intelligent user, whether it is best in class or simply the horrid consumer versions.

To each his own.
Ken Fox

GomJabbar
Moderator
Posts: 9765
Joined: Tue Jun 07, 2005 6:57 am

#6 Post by GomJabbar » Sat Dec 30, 2006 6:24 pm

I too have had some problems with ZoneAlarm, but none so drastic as Ken Fox reports. I use Sunbelt Kerio Personal Firewall and am well-pleased with it. Being behind a hardware firewall is good, but a hardware firewall does not completely replace a software firewall. This is especially true if you connect to the internet away from home - as many notebook users do.

AVG Free seems OK, and I do admit to using it on my teenagers' notebooks to save some money. No complaints.

Personally I use Kaspersky Anti-Virus 6.0 on my T42. I also installed Kaspersky on my wife's T42. I do all my financial transactions from my T42, and I certainly do not want to be compromised and suffer from identity theft. I just "feel" more secure with Kaspersky.

I did read recently in an online article that Symantec Client Security does not automatically update its program. You have to manually run the update checker. The article did say the virus signature updates are automatic. I have not used Symantec Client Security. Perhaps there is a setting to have automatic software updates occur. To see the article, look for the topic: "Big Yellow Worm" in the Off Topic Stuff forum.
DKB

jdhurst
Admin
Posts: 5831
Joined: Thu Apr 29, 2004 6:49 am
Location: Toronto, Canada

#7 Post by jdhurst » Sat Dec 30, 2006 7:06 pm

GomJabbar wrote:<snip>
I did read recently in an online article that Symantec Client Security does not automatically update its program. You have to manually run the update checker. The article did say the virus signature updates are automatic. I have not used Symantec Client Security. Perhaps there is a setting to have automatic software updates occur. To see the article, look for the topic: "Big Yellow Worm" in the Off Topic Stuff forum.
As I noted above, you put the updater into scheduler and set it for silent, and Bob's your uncle. My Client Security is always up-to-date and I don't look at it, see it, or bother with it any way. It usually updates itself about 4 times weekly (scheduler runs the updater daily).
... JD Hurst

Ken Fox
Senior Member
Posts: 838
Joined: Thu Dec 14, 2006 1:52 am
Location: Idaho, USA

With all Due Respect

#8 Post by Ken Fox » Sat Dec 30, 2006 7:27 pm

One regularly reads posts (here and elsewhere) from people who seem certain that they require software firewalls and paid antivirus programs such as Norton and others.

What one does not read with any frequency is posts from knowledgeable computer users detailing stories of, "if I'd only had XXX firewall or antivirus program installed, YYYY disaster would not have happened."

People take the need for these things on faith. As it is taken on faith, it is like religion and not subject to scrutiny other than scary reports generated by this software about how it saved you from this or that attack or disaster.

I have been, am, and remain very skeptical of this sort of self-promotional warning from software made by these purveyors. If this software was anywhere as necessary as its proponents make it out to be, then we users who eschew this stuff would be constantly victimized by all sorts of online plagues. I have never had this sort of experience and there are a boatload of people just like me similarly unaffected. Either we are just lucky, or a lot of the promotion of this sort of software program is very misleading.

That's my take.

And just to clarify, I use my laptops on public networks, in fast food restaurants in France, and other such locales. To date I have suffered no ill effects from my seemingly cavalier attitude.
Ken Fox

GomJabbar
Moderator
Posts: 9765
Joined: Tue Jun 07, 2005 6:57 am

#9 Post by GomJabbar » Sat Dec 30, 2006 7:52 pm

Sorry I missed your earlier comment JD Hurst. I am afraid I am guilty of skimming. :oops:
DKB

acasto
Freshman Member
Posts: 89
Joined: Fri Dec 08, 2006 8:17 pm
Location: Asheville, NC, USA

#10 Post by acasto » Sat Dec 30, 2006 8:12 pm

I agree with Ken Fox, most of the hype around commercial anti-virus and firewall is just that, hype. If you were to set up something like Snort on a system in a DMZ, or even just set a firewall to log everything, you would be surprised just how much crap comes in. The vast majority of it though is just automated script-kiddy stuff.

A simple firewall to keep things out, and some simple anti-virus/anti-spyware software to make sure nothing gets in, combined with a little common sense (don't open attachments you don't know), will pretty much cover everything. If someone/something gets through that, then you have problems that Norton/McAfee are probably not going to help much.

If your system is for personal use, I would recommend AntiVir from free-av.com, the built in Windows Firewall, maybe an occasional run with AdAware just to check, and frequent backups. If the system is compromised, the best and really only way to go should be to just wipe it clean and start fresh.

I'm only exaggerating a bit when I say Norton and McAfee will protect you about as well as decals and lights will make your car go faster.

The most popular antivirus applications on the market are rendered useless by around 80 percent of new malware, according to AusCERT.

meshua
Freshman Member
Posts: 81
Joined: Thu Nov 02, 2006 10:12 am
Location: San Francisco, CA

#11 Post by meshua » Sun Dec 31, 2006 6:48 am

All those called Personal Firewalls are crappy - one more and one less. But what they have in common: they cannot keep their promises they give (control outbound traffic, protect against viruses, block attacks (what kinda "attacks"?). And they can harm your system while running with system privileges and allow not fully thought-thru user interactive. Serious "Firewalls" wouldn't allow that - never. The Windows Firewall is the most suitable one for stand-alone workstations. It is built in Windows and it's free. Just use it, work with restricted user rights, update your system and software on a regular basis and - maybe the most important fact: use your Brain anytime!

Brgds, Torsten.

jdhurst
Admin
Posts: 5831
Joined: Thu Apr 29, 2004 6:49 am
Location: Toronto, Canada

#12 Post by jdhurst » Sun Dec 31, 2006 9:00 am

meshua wrote:All those called Personal Firewalls are crappy - one more and one less. But what they have in common: they cannot keep their promises they give (control outbound traffic, protect against viruses, block attacks (what kinda "attacks"?). And they can harm your system while running with system privileges and allow not fully thought-thru user interactive. Serious "Firewalls" wouldn't allow that - never. The Windows Firewall is the most suitable one for stand-alone workstations. It is built in Windows and it's free. Just use it, work with restricted user rights, update your system and software on a regular basis and - maybe the most important fact: use your Brain anytime!

Brgds, Torsten.
Have you actually used extensively and evaluated each and every firewall out there? Please let us know.

The one I use (Symantec Corporate [not consumer] Client Security) *does* protect against viruses, attacks and intruders. It runs under restricted user permissions and from V2 on, I have had no occasion of client systems being harmed from this product.

I do not use all firewalls, but I have used Client Security extensively myself and with clients. Your assessment that "all personal firewalls are crappy" is indeed misguided. I do agree with you that common sense is the best protection.

... JD Hurst

meshua
Freshman Member
Posts: 81
Joined: Thu Nov 02, 2006 10:12 am
Location: San Francisco, CA

#13 Post by meshua » Sun Dec 31, 2006 10:39 am

jdhurst wrote:
Have you actually used extensively and evaluated each and every firewall out there? Please let us know.
Not by myself but one colleague/friend over Germany (Volker Birk) and member of the CCC (the Chaos Computer Club) did run a test with the most popular personal firewalls. Conclusion was that basically none of them could keep promise but most of them opened the gates and brought systems into a dangerous state. As I find the link I'll post it over here.
The one I use (Symantec Corporate [not consumer] Client Security) *does* protect against viruses, attacks and intruders. It runs under restricted user permissions and from V2 on, I have had no occasion of client systems being harmed from this product.
With restricted permissions the user level the firewall services run on was meant. If you have any user interaction or other leaks you can face a syndrome called "privilege escalation" that might harm your system. The XP Firewall doesn't allow user interaction so far.
I do not use all firewalls, but I have used Client Security extensively myself and with clients. Your assessment that "all personal firewalls are crappy" is indeed misguided. I do agree with you that common sense is the best protection.
Ok, let me substitute "crappy" with "broken by design". The concept of most of the PFWs in wildlife is broken.

Brgds, Torsten.

Scratch
Sophomore Member
Posts: 223
Joined: Tue Apr 04, 2006 10:45 am
Location: Boston, MA

This is all interesting,

#14 Post by Scratch » Wed Jan 03, 2007 8:39 am

but to call all software firewalls crap would seem to be a bit of an overstatement.

If the Windows firewall allows no user interaction how does one go about making port and program exceptions and the like which are required for various services to run. If I'm not mistaken there's a user applet in the Control Panel specifically designated to control the XP firewall configuration.

I personally have only used the original XP firewall, McAfee FW, Norton FW, Black Ice and ZoneAlarm Pro. I like the functionality of ZA Pro the best as it provides the user copious feedback on incoming and outbound traffic, it allows for the greatest (in my limited experience) program control and is highly configurable for the experienced user.

I've not had any issues with it destroying any of my last 4 and current 2 workstations and its auto update, spyware control and linkage to my Sophos AV has been the least intrusive of any product used to date.

YMMV
T'Pad 600e, 770x, A20p, A21p, A30p, A31p (2653-H3U), T43p (2668-Q2U) & T60p (2623-DDU)...it's an addiction.

Ken Fox
Senior Member
Posts: 838
Joined: Thu Dec 14, 2006 1:52 am
Location: Idaho, USA

Re: This is all interesting,

#15 Post by Ken Fox » Wed Jan 03, 2007 10:22 am

Scratch wrote:
I've not had any issues with it destroying any of my last 4 and current 2 workstations and its auto update, spyware control and linkage to my Sophos AV has been the least intrusive of any product used to date.

YMMV
My experience (2 trashed systems) was 2 or 3 years ago with a trial version of Zonealarm. It was well documented at the time that if you then tried to uninstall it, you were left with a system that couldn't use any outgoing ports, could not browse the internet, etc. etc. etc.

Fortunately, I did have some old ghost images and was able to format the disks and not have to start absolutely from scratch. I don't know if their current software does this or not.

I'd just add that whether these products work or not is only one question; the other question is whether they provide anything of value to a careful reasonably experienced user who isn't using their systems for purposes of national security or exchanging large quantities of privileged information. I think most users (especially enthusiast users like you find on this board) aren't carrying information of grave importance on their computers and won't find the inconvenience of using these products to be rewarded in any real or measurable way.
Ken Fox

meshua
Freshman Member
Posts: 81
Joined: Thu Nov 02, 2006 10:12 am
Location: San Francisco, CA

Re: This is all interesting,

#16 Post by meshua » Wed Jan 03, 2007 12:33 pm

Scratch wrote:but to call all software firewalls crap would seem to be a bit of an overstatement.
Not at all.
If the Windows firewall allows no user interaction how does one go about making port and program exceptions and the like which are required for various services to run.
You cannot modify the firewall rules without having administrator privileges. Once you're configuring a firewall (it's the wrong term, but never mind) you define RULES for each port or a range of ports. You shouldn't make application exceptions since it is a hot issue doing this.
If I'm not mistaken there's a user applet in the Control Panel specifically designated to control the XP firewall configuration.
Correct but without administrator permissions you're not allowed to alter anything.
[...]ZA: it allows for the greatest (in my limited experience) program control and is highly configurable for the experienced user.
If you are interested in security seriously you might not have these rights to alter the rules (permanently). Basic rule when you start from scratch: deny everything and release tensions step by step: Port 25; 80, 110, 119 and so on.

And another issue: you cannot control outbound traffic. If a program won't be controlled by another program it will find its way...

Brgds, Torsten.

acasto
Freshman Member
Posts: 89
Joined: Fri Dec 08, 2006 8:17 pm
Location: Asheville, NC, USA

Re: This is all interesting,

#17 Post by acasto » Wed Jan 03, 2007 12:48 pm

Scratch wrote: I like the functionality of ZA Pro the best as it provides the user copious feedback on incoming and outbound traffic, it allows for the greatest (in my limited experience) program control and is highly configurable for the experienced user.
If a user has to rely on overly verbose feedback from a firewall to know what their system is broadcasting to the world, then I doubt any software solution is going to help them much. And if they know enough about network security to be able to get usable knowledge from the incoming alerts, then I doubt they would need something that tells them what it just saved them from.

I believe in just a simple firewall to block incoming traffic, but even that is an added layer of complexity that could potentially open up new areas to attack.

rmendoza
Junior Member
Posts: 251
Joined: Fri Dec 15, 2006 6:13 am
Location: Tucson, Arizona

Re: This is all interesting,

#18 Post by rmendoza » Wed Jan 03, 2007 1:32 pm

meshua wrote:
And another issue: you cannot control outbound traffic. If a program won't be controlled by another program it will find its way...

Brgds, Torsten.
I am really not as experienced about computers as most everyone here, but I use Kerio (the full version) firewall, and you CAN control outbound traffic. You can control every single program, whether they have both inbound and outbound access, or just one, what type of access, etc. You can adjust the level of control, from being automatic (minimal pop ups, if at all) to the point where Kerio tells you every time any program attempts to access the internet or any site tries to establish a connection with your computer, and you can decide whether to allow it that one time, permanently, or deny the access. Of course this all relates to personal preference and/or level of functionality one wants.

I must say that overall most of the opinions expressed here are reasonable. One has to be careful and have common sense when surfing the net. Nonetheless, I have read about other users in this forum who have had positive experiences with firewall and AV software, maybe they have set up systems with AV and firewalls for their relatives or friends, and have been satisfied with the results.

I believe that one of the most common mistakes we (people in general) make is thinking that our habits, attitudes, and experiences are the standard. Many a time I have heard mathematicians, literature professors, computer enthusiasts, etc. say "I can't believe he/she does not know X, or hasn't read Y," etc. I think the average Joe just wants to surf the net, type stuff, and maybe do his banking online, but at the same time has limited knowledge to configure his computer in an ultrasecure way.

With all these considerations in mind, to say that nobody needs AV or firewall software, or that all those programs are useless IS an overstatement. One would have to wonder why universities, companies, government agencies, etc. encourage their employees to use such software and in fact most times provide it for free (which is how I get Kerio Pro). I agree that companies like Symantec and McAfee make boatloads of money. So the free programs are enough for most users. And maybe not everyone needs them, but they sure are not useless.
Just my two cents.
X201 Pentium, 4 GB RAM, 320GB 7200RPM
T410 Core i5, 4 GB RAM, 500GB 7200RPM
X230 Core i5, 4 GB RAM, 500GB 7200RPM

Scratch
Sophomore Member
Posts: 223
Joined: Tue Apr 04, 2006 10:45 am
Location: Boston, MA

#19 Post by Scratch » Wed Jan 03, 2007 2:04 pm

Ken and Torsten,

Thanks for your comments and "advice" I will most definitely re-examine my "configurations" and choices in light of your thoughts on the matter.

I do have one very basic question that I'd appreciate your further thoughts on...In your opinion are software firewalls with appropriately restrictive rules of any benefit to users (with varying levels of experience and sense) that operate on various commercial and open wireless networks?

These users regularly have sensitive data on their portables and it's been a painful process to get them to understand the need for and the use of encryption for security purposes. Firewalls have historically been thought to provide at least a modicum of a barrier when the system is potentially exposed on public networks.

Thanks...
T'Pad 600e, 770x, A20p, A21p, A30p, A31p (2653-H3U), T43p (2668-Q2U) & T60p (2623-DDU)...it's an addiction.

Scratch
Sophomore Member
Posts: 223
Joined: Tue Apr 04, 2006 10:45 am
Location: Boston, MA

Re: This is all interesting,

#20 Post by Scratch » Wed Jan 03, 2007 2:16 pm

acasto wrote:
Scratch wrote: I like the functionality of ZA Pro the best as it provides the user copious feedback on incoming and outbound traffic, it allows for the greatest (in my limited experience) program control and is highly configurable for the experienced user.
If a user has to rely on overly verbose feedback from a firewall to know what their system is broadcasting to the world, then I doubt any software solution is going to help them much. And if they know enough about network security to be able to get usable knowledge from the incoming alerts, then I doubt they would need something that tells them what it just saved them from.

I believe in just a simple firewall to block incoming traffic, but even that is an added layer of complexity that could potentially open up new areas to attack.
Though I'm sure many users consider ZA Pro overly verbose, I don't. Nor do I rely tremendously on its verbosity to set up my rules. It is, however, useful IMO when educating users on the function and ongoing maintenance of their system's SW firewall.

I'm with you on the simple aspect of it all. Most users that I've dealt with over time don't want to be interfacing with their security apps on a click-by-click basis and will eventually try to circumvent them.
T'Pad 600e, 770x, A20p, A21p, A30p, A31p (2653-H3U), T43p (2668-Q2U) & T60p (2623-DDU)...it's an addiction.

acasto
Freshman Member
Posts: 89
Joined: Fri Dec 08, 2006 8:17 pm
Location: Asheville, NC, USA

Re: This is all interesting,

#21 Post by acasto » Wed Jan 03, 2007 2:42 pm

Scratch wrote: Though I'm sure many users consider ZA Pro overly verbose, I don't. Nor do I rely tremendously on its verbosity to set up my rules. It is, however, useful IMO when educating users on the function and ongoing maintenance of their system's SW firewall.
But the problem is that the vast majority of the stuff being picked up by those types of firewalls are just random automated scans. From a network security point of view, there is very little useful data you could garner from 'pop-ups' from a software firewall. If anything, I would venture to say it harms security by placing a user's focus on something that is really nothing more than a specific application advertising itself.

If someone really wanted to learn about that stuff, just run a packet sniffer, or to get more complex, a network intrusion detection system like Snort.

Ken Fox
Senior Member
Senior Member
Joined: Thu Dec 14, 2006 1:52 am
Location: Idaho, USA

#22 Post by Ken Fox » Wed Jan 03, 2007 3:07 pm

Scratch wrote:Ken and Torsten,

I do have one very basic question that I'd appreciate your further thoughts on...In your opinion are software firewalls with appropriately restrictive rules of any benefit to users (with varying levels of experience and sense) that operate on various commercial and open wireless networks?

These users regularly have sensitive data on their portables and it's been a painful process to get them to understand the need for and the use of encryption for security purposes. Firewalls have historically been thought to provide at least a modicum of a barrier when the system is potentially exposed on public networks.

Thanks...
This is a tough question to answer and I may not even have enough knowledge to answer it. All I can tell you is what I do and what has and has not happened to me. My open network usage has been limited to some free WiFi spots in a few American and Canadian cafes, in French McDonalds ("McDo" as they call them there; in bigger cities they have free WiFi, a novelty in Europe), at my parents' house (although the router there, which I set up, is encrypted and uses Mac Address Filtering), a couple of airports, and some hotels, mostly in the USA.

As a general rule I avoid going onto financial websites or making online purchases in the more open of these situations, but in honesty I've violated this rule more often than I would care to admit. I surf the net and send and receive email in these venues.

To date, and I've had a LOT of usage in these sorts of places, I've never had any problem whatsoever, no virus attacks, worms, trojans, intercepted data, compromise of online financial accounts or credit card #s (which I sometimes input even in open networks, although only to secure receiving sites). Zip. Nada. Nyet. Rien. Nothing.

I do bring a spare ready to use hard drive along with me on long trips, like when I go to France. The worst thing that could happen would be that I'd have to swap hard drives if I couldn't get Rescue and Recovery to repair my system if compromised, but I've never had to do this.

I'm not saying that there aren't risks, or that someone might not set up a fake access point that could capture your passwords and other privileged data, but it hasn't happened to me. I reduce the risk of this sort of thing by being very careful of what networks I'll log onto, and going to these public venues when there is either no one else there or hardly anyone else there who might either intercept my data or be at another table broadcasting a fake node that I could accidentally log into. Knock on wood.

I do not have sensitive information in my laptop such as documents with my social security number, that sort of thing. I don't think that my emails are all that interesting that anyone else would want to read them.

So that's what I do, and what I've experienced, and I use nothing other than AVG Free antivirus (which I update daily) and the Windows XP firewall.
Ken Fox

tomh009
Moderator Emeritus
Posts: 3021
Joined: Wed Feb 23, 2005 3:30 pm
Location: Kitchener, ON

#23 Post by tomh009 » Wed Jan 03, 2007 4:45 pm

jdhurst wrote:Have you actually used extensively and evaluated each and every firewall out there? Please let us know.

The one I use (Symantec Corporate [not consumer] Client Security) *does* protect against viruses, attacks and intruders. It runs under restricted user permissions and from V2 on, I have had no occasion of client systems being harmed from this product.

JD, in your opinion, what are the key advantages that Symantec's Client Security firewall has over the built-in Windows one, for a "normal" user?

(I currently run just the Windows one, usually with brain engaged whenever on the Internet ...)

meshua
Freshman Member
Posts: 81
Joined: Thu Nov 02, 2006 10:12 am
Location: San Francisco, CA

#24 Post by meshua » Wed Jan 03, 2007 5:18 pm

@Scratch: Thanks to bring up that fact when users try to circumvent the Firewall. For what reason? In most cases something is not working the course they wanna play. So what will happen? Either they keep clicking the YES Button or they'll completely turn off the Personal Firewall. I’m pretty sure you have seen that at least one time.

It’s also tough for me to give you the right advice. As far as I know usage of Windows XP SP2 Firewall and Access Connection is one of the most common and simple solution. The main reason to run a Firewall is to prevent open ports from being attacked. An open port means that probably the service behind (i.e. your ICQ or eMail application) can be compromised if there are any vulnerabilities you don’t know about. You can either close the port by stopping the service or application behind that port or you put a packet filter (like the Windows Firewall is one) upfront the service/application to make the port unreachable from outside (means from the Internet, Local Network…)

Access Connection has the Advantage that you can not only define IP addresses or gateways but turn on/off the windows Firewalls protection capability for each connection as well. But first priority should be to close as much unnecessary ports as possible.

Unsecured Public WiFi connections are a serious problem if no encryption (WPA, WPA2, AES) is available. But even if you don’t know what’s going on behind the access point you’re connected to. Is there still a secured connection or not? Sensitive application like money transfers are a serious issue. I use a “closed solution” with a special software uses a special chip card to encrypt data on its way from my laptop to the bank’s server/workstation. In most cases you have to make sure using a secured SSL connection while doing your sensitive activities. If there is a “man in the middle” or even you don’t trust your access point/internet provider that’s a good method avoiding data from being spied, manipulated or something like that.

Best Regards, Torsten
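
The post above comes down to knowing which ports are open and whether they are reachable from outside. As an added example (not part of the original post), this Python sketch parses `netstat -ano`-style output and separates listeners bound only to loopback from those bound to a network-facing address; the sample lines, PIDs and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the layout of Windows `netstat -ano` output.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING       1544
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1061      203.0.113.7:443        ESTABLISHED     2216
  UDP    0.0.0.0:500            *:*                                    688
  UDP    127.0.0.1:1900         *:*                                    1180
"""

def parse_listeners(text):
    """Return (proto, ip, port, pid) for every socket that accepts traffic."""
    found = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        # TCP rows carry a State column; UDP rows do not.
        if f[0] == "TCP" and f[3] != "LISTENING":
            continue  # outbound/established connection, not an open port
        host, _, port = f[1].rpartition(":")
        ip = ipaddress.ip_address(host.strip("[]"))  # brackets wrap IPv6
        found.append((f[0], ip, int(port), int(f[-1])))
    return found

def reachable_from_network(listeners):
    """Keep sockets bound to a non-loopback address: these are the ports
    that must either be closed or sit behind a packet filter."""
    return [entry for entry in listeners if not entry[1].is_loopback]

def report(text):
    """One line per network-facing listener, sorted by protocol and port."""
    rows = sorted(reachable_from_network(parse_listeners(text)),
                  key=lambda e: (e[0], e[2]))
    return [f"{proto} {ip}:{port} pid={pid}" for proto, ip, port, pid in rows]

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

Each PID in the report can be matched to a service in Task Manager to decide whether to stop it or leave it behind the firewall.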

acasto
Freshman Member
Posts: 89
Joined: Fri Dec 08, 2006 8:17 pm
Location: Asheville, NC, USA

#25 Post by acasto » Thu Jan 04, 2007 5:54 am

meshua, another interesting thing to try when security is needed from an open access point is to set up a proxy in a trusted environment, such as your closet, and run something like OpenVPN. Then just VPN from any hotspot to the proxy and it will be just like browsing from home. Sure, the upstream bandwidth limitations on many home connections will be a killer, but still not terrible for a specific transaction.

jdhurst
Admin
Admin
Posts: 5831
Joined: Thu Apr 29, 2004 6:49 am
Location: Toronto, Canada

#26 Post by jdhurst » Thu Jan 04, 2007 10:23 am

tomh009 wrote:[
When I started using Symantec Client Security Corporate, it disabled the Windows Firewall. Now the Windows Firewall works (so I am not criticising it), but in my opinion, the Symantec Corporate Firewall works a treat as well. It protects me just fine.

For clients, they are routinely at home behind a router, so I configure network connections (default) to include the common ranges, and they have no problems. Beyond that, when they or I try to access something new in the way of software, the intrusion protection feature challenges the attempt, and I have trained people to (first) use their common sense and (second) permit those things that need permitting.

I generally have very few problems with client firewalls or client permissions of software with this product. It does a good job of protecting against viruses.

A much shorter answer to your question is that the combined corporate product is a very good, trouble-free product on laptops.

On domain-connected desktops (behind a hardware firewall at all times) I use the server-based Corporate AntiVirus and the Windows Firewall (by default).
... JD Hurst

claudeo
Sophomore Member
Posts: 243
Joined: Tue Aug 15, 2006 1:12 pm
Location: Redmond, WA, USA

#27 Post by claudeo » Thu Jan 04, 2007 8:48 pm

Symantec Client Security is generally fine and works in concert with the Windows Firewall (you could call it delegation, so that it looks like the Windows Firewall is active but in fact it is Symantec's). It does much more than just the Windows Firewall, so the answer to the original question is "it depends". The Windows Firewall with a top notch antivirus like NOD32 and some other security provides a similar although not identical form of security.

I had one very bad experience with Symantec Client Security. This, coupled with the cost of upgrading from the trial version to a licensed version, made me decide to uninstall it and look elsewhere. When it worked, it worked very well. But I once had to do a system restore (using Windows system restore after some other software installed badly just after SCS had decided to update itself) and all hell broke loose, with Symantec Client Security entering a deadly spiral of self-corruption because its update records were out of sync. The only solution offered by Lenovo tech support (Symantec does not support it since it is an OEM product) was a full system rebuild from the original configuration. Not exactly a useful solution. If I were in a different situation like a corporate setting, with multiple identical systems with the same applications and configurations, that only differ by the daily data, with automatic centralized data backup independent of system configuration, Symantec Client Security would probably have been great. For a small business that does not use interchangeable standard laptops, IMHO it is not the right fit.

meshua
Freshman Member
Posts: 81
Joined: Thu Nov 02, 2006 10:12 am
Location: San Francisco, CA

#28 Post by meshua » Fri Jan 05, 2007 4:59 am

claudeo wrote:Symantec Client Security is generally fine and works in concert with the Windows Firewall (you could call it delegation, so that it looks like the Windows Firewall is active but in fact it is Symantec's). It does much more than just the Windows Firewall, [...]
The difference between them is that the XP Firewall does not promise anything it cannot keep. It can control all inbound traffic but no outbound traffic. Most personal firewalls pretend to fully protect you from outbound traffic as well - but this won't work. It's just not possible, and that's what Zonelabs, Symantec or whoever would never tell you. They all may control some applications they allow to do it. But this is not the main reason for using firewalls/packet filters. Would you trust a person treating you that way?

Brgds, Torsten.
