Firewall choice question

Hello all,
We have a remote 2000 standalone server which we administer using pcAnywhere. We access info on the server via the web (http not https). We are currently using Zone Alarm Pro but are not entirely happy with it and are considering changing to Black Ice.

Will someone please give advice on whether Black Ice is appropriate? I thought that something like ISA on a separate box would be the better approach.

Pete Long (Technical Consultant) Commented:
Hi Chris_m,
I always used to swear by Black Ice, but I only use Zone Alarm on small systems now; it's a lot easier to configure and gives you better quality feedback.

Though if it's a corporate network I'd be looking at a hardware firewall. (PIX rules :0)

Firewalls (Hardware or Software?)

Software Firewalls

The basic version is still free!
Zone Labs offers a complete range of firewall products, from the free ZoneAlarm, to the comprehensive protection of ZoneAlarm Plus, to the ultimate privacy and security tools in ZoneAlarm Pro.

Black Ice Defender
BlackICE teams a personal firewall with an advanced intrusion detection system to constantly watch your Internet connections for suspicious behavior.

Symantec's Norton™ Personal Firewall
Keeps hackers out and personal data in. It makes robust firewall protection easy by automatically hiding your PC on the Internet and blocking suspicious connections. Norton Personal Firewall also protects your privacy by preventing confidential information from being sent out without your knowledge.

McAfee Personal Firewall
Personal Firewall places a barrier between the Internet and your PC, helping to block hackers from accessing your computer and allowing you to digitally 'fingerprint' trusted applications. Every time your computer is probed or attacked, you get detailed reports and clear follow-up options.

Hardware Firewalls

Cisco PIX
The world-leading Cisco PIX® Security Appliance Series provides robust, enterprise-class, integrated network security services including stateful inspection firewalling, protocol and application inspection, virtual private networking (VPN), in-line intrusion protection, and rich multimedia and voice security in cost-effective, easy-to-deploy solutions.

SonicWALL Internet firewall/VPN security appliances support an array of security applications and deliver powerful firewall and VPN performance. SonicWALL appliances are built on stateful inspection firewall technology, and a dedicated security ASIC designed to ensure maximum performance for VPN enabled applications.

3Com perimeter firewalls and website filters cost-efficiently secure Internet access and give IT managers a critical first line of defense against network attacks and unauthorized access. For protecting the perimeter of your network, choose the 3Com® SuperStack® 3 Firewall for enterprise


Raybans (Technical Manager) Commented:
for a software firewall I would suggest Sygate

the personal edition is free.

from my point of view it has been a better option than Zone Alarm, Norton's or Black Ice, every time I have had a reason to recompare.

for a firewall appliance/hardware

suggest also comparing WatchGuard's SOHO and Firebox series and NETSCREEN.

Chris_m (Author) Commented:
ISA is a software firewall too, but if I am not mistaken, it has to be installed on a separate machine or one with 2 network cards. That is an important requirement for Stateful Packet Inspection which Zone Alarm etc. do not fulfill -- or so I am told. I believe that buffer overflow attacks are difficult to prevent if the firewall is on the machine that is being protected.


Pete Long (Technical Consultant) Commented:
>>ISA is a software firewall too

:0) that could start a debate, LOL

Yes, ISA has some firewall functionality, but at £568.00 sterling (per processor - and that's what I pay at a discounted rate) you could put a hardware firewall in.

Raybans (Technical Manager) Commented:
ISA is a software firewall, but it is usually set up on a different box, and usually people set it up as part of the domain, which means if the domain accounts are compromised, so is ISA,
and if ISA is compromised so is the domain

a separate firewall is the best option

if your firewall gets compromised then your network security should give you another layer of protection

if your network gets compromised, then your firewall should still be secure, while you get control of your servers back

Chris_m (Author) Commented:
But is ISA superior -- offers better protection etc. than the software firewalls such as Zone Alarm and Black ICE?

Raybans (Technical Manager) Commented:
All depends on who you ask; yes, I would say ISA correctly set up is more secure and more flexible than Zone Alarm and Black ICE and most software firewalls in that category

but I would suggest Checkpoint running on Windows is a more secure software firewall than any of those.

It depends on the environment and how you're going to set it up.

Pete Long (Technical Consultant) Commented:
I agree with Raybans, and I wouldn't trust both my authentication and firewalling to the same directory security for the same reason pointed out above. Yes, ISA will perform firewall functionality and there are many who swear by it, but where does it sit in the network? Usually on a proxy server in your rack, and usually NOT directly next to your router, which is the BEST place for a firewall.

It sounds as though you are quite keen to go with an ISA solution and I don't want to dissuade you. ZA, Black Ice are cheap and cheerful software firewall solutions; ISA has some filtering ability built onto what was essentially "Proxy Server 2.0"

If you've already bought ISA then roll with it; if not, buying hardware will work out cheaper.

good luck

Chris_m (Author) Commented:
I haven't bought anything yet, I just want to be absolutely certain about what is really the best. You explain it well with ZA, Black Ice are cheap, cheerful etc. and that makes me wonder why anyone would buy more expensive solutions if software firewalls provided the same functionality.

Raybans (Technical Manager) Commented:
well it depends on what standard you want

a mini minor does the job of getting you from A to B

a Rolls does it in style

a Tank does it with full armament, is a site about standards in security. has a link to their buyers guide.

This sort of certification is gained by a certain standard of testing and some organizations require you to have it.

E.g. WatchGuard 700 series firewalls have ICSA firewall, IPSEC and Cryptography certification

this says it has a certain level of dependability beyond what the sales person will tell you, as an independent organization has rated it in a range of the top security tools. is a page that links to 2 levels of firewalls that have recently passed muster

if you're protecting your office or corporate environment, you want to be able to say, I bought the tank for the company, or the Rolls Royce, as it was one of the best standards,

you don't want to be in a position where you say, gee sorry they got past the firewall, but I did save the company some money when we bought it. Sorry about what we lost now.

they all do the same job, but some do it better, and some are stronger, or harder to break.

some crash less often

and others can slow down your connection more than others, as it runs through the process of checking or processing every packet that travels through it.

best practice places a firewall as a separate entity (either appliance, or running on a standalone server), with minimum 2 connections, one for trusted side and one for untrusted, so that there is a physical as well as logical routing separation of the networks.

this allows greater security and control,

remember, if you have a security/doorman, you place him at the door, not inside where people can crowd around him and get past as they are already in the foyer.

you want him to stop people outside your door/gateway, with no option to get in if permission is not granted.
