Solved

Firewall choice question

Posted on 2003-12-09
Last Modified: 2013-11-16
Hello all,
We have a remote 2000 standalone server which we administer using pcAnywhere. We access info on the server via the web (http not https). We are currently using Zone Alarm Pro but are not entirely happy with it and are considering changing to Black Ice.

Will someone please give advice on whether Black Ice is appropriate? I thought that something like ISA on a separate box would be the better approach.
Question by:Chris_m
11 Comments
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 100 total points
ID: 9903538
Hi Chris_m,
I always used to swear by Black Ice, but I only use Zone Alarm on small systems now; it's a lot easier to configure and gives you better quality feedback.

Though if it's a corporate network I'd be looking at a hardware firewall. (PIX rules :0)

Firewalls (Hardware or Software?)

Software Firewalls

ZoneAlarm
The basic version is still free!
http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp;jsessionid=10lfaHFKttIAMkUvvZm1xhWKVLKHVeYPMJpXB1I1UxUpAC2ZioSE!1284415661!-1062696903!7551!7552!1822958594!-1062696904!7551!7552?lid=home_zainfo
Zone Labs offers a complete range of firewall products, from the free ZoneAlarm, to the comprehensive protection of ZoneAlarm Plus, to the ultimate privacy and security tools in ZoneAlarm Pro.

Black Ice Defender
http://blackice.iss.net/
BlackICE teams a personal firewall with an advanced intrusion detection system to constantly watch your Internet connections for suspicious behavior.

Symantec's Norton™ Personal Firewall
http://www.symantec.com/sabu/nis/npf/
Keeps hackers out and personal data in. It makes robust firewall protection easy by automatically hiding your PC on the Internet and blocking suspicious connections. Norton Personal Firewall also protects your privacy by preventing confidential information from being sent out without your knowledge.

McAfee Personal Firewall
http://us.mcafee.com/root/package.asp?pkgid=101&WWW_URL=www.mcafee.com/myapps/firewall/ov_firewall.asp
Personal Firewall places a barrier between the Internet and your PC, helping to block hackers from accessing your computer and allowing you to digitally 'fingerprint' trusted applications. Every time your computer is probed or attacked, you get detailed reports and clear follow-up options.



Hardware Firewalls

Cisco PIX
http://www.cisco.com/go/pix
The world-leading Cisco PIX® Security Appliance Series provides robust, enterprise-class, integrated network security services including stateful inspection firewalling, protocol and application inspection, virtual private networking (VPN), in-line intrusion protection, and rich multimedia and voice security in cost-effective, easy-to-deploy solutions.

SonicWall
http://www.sonicwall.com/
SonicWALL Internet firewall/VPN security appliances support an array of security applications and deliver powerful firewall and VPN performance. SonicWALL appliances are built on stateful inspection firewall technology, and a dedicated security ASIC designed to ensure maximum performance for VPN enabled applications.

3Com
http://www.3com.com/prod/en_EU_EMEA/prodlist.jsp?tab=cat&cat=134482&subcat=134490
3Com perimeter firewalls and website filters cost-efficiently secure Internet access and give IT managers a critical first line of defense against network attacks and unauthorized access. For protecting the perimeter of your network, choose the 3Com® SuperStack® 3 Firewall for enterprise

NetGear
http://www.netgear.com/products/routers/firewallvpn.asp

PeteL
0
 
LVL 2

Expert Comment

by:Raybans
ID: 9912170
For a software firewall I would suggest Sygate www.sygate.com

The personal edition is free.

From my point of view it has been a better option than Zone Alarm, Norton's or Black Ice, every time I have had a reason to recompare.

For a firewall appliance/hardware:

Suggest also comparing WatchGuard's SOHO and Firebox series and NetScreen.
0
 

Author Comment

by:Chris_m
ID: 9912237
ISA is a software firewall too, but if I am not mistaken, it has to be installed on a separate machine or one with 2 network cards.  That is an important requirement for Stateful Packet Inspection which Zone Alarm etc. do not fulfill -- or so I am told.  I believe that buffer overflow attacks are difficult to prevent if the firewall is on the machine that is being protected.

Regards
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 9914455
>>ISA is a software firewall too

:0) that could start a debate, LOL

Yes, ISA has some firewall functionality, but at £568.00 sterling (per processor - and that's what I pay at a discounted rate) you could put a hardware firewall in.

PL
0
 
LVL 2

Expert Comment

by:Raybans
ID: 9916483
ISA is a software firewall, but it is usually set up on a different box, and usually people set it up as part of the domain, which means if the domain accounts are compromised, so is ISA, and if ISA is compromised so is the domain.

A separate firewall is the best option.

If your firewall gets compromised then your network security should give you another layer of protection.

If your network gets compromised, then your firewall should still be secure, while you get control of your servers back.
0

 

Author Comment

by:Chris_m
ID: 9934419
But is ISA superior -- offers better protection etc than the software firewalls such as Zone Alarm and Black ICE?
0
 
LVL 2

Expert Comment

by:Raybans
ID: 9936223
All depends on who you ask. Yes, I would say ISA correctly set up is more secure and more flexible than Zone Alarm and Black Ice and most software firewalls in that category,

but I would suggest Checkpoint running on Windows is a more secure software firewall than any of those.

It depends on the environment and how you're going to set it up.

0
 
LVL 57

Expert Comment

by:Pete Long
ID: 9941658
I agree with Raybans, and I wouldn't trust both my authentication and firewalling to the same directory security for the same reason pointed out above. Yes, ISA will perform firewall functionality and there are many who swear by it, but where does it sit in the network? Usually on a proxy server in your rack, and usually NOT directly next to your router, which is the BEST place for a firewall.

It sounds as though you are quite keen to go with an ISA solution and I don't want to dissuade you. ZA and Black Ice are cheap and cheerful software firewall solutions; ISA has some filtering ability built onto what was essentially "Proxy Server 2.0".

If you've already bought ISA then roll with it; if not, buying hardware will work out cheaper.

good luck
Pete
0
 

Author Comment

by:Chris_m
ID: 9947971
I haven't bought anything yet, I just want to be absolutely certain about what is really the best.  You explain it well with ZA, Black Ice are cheap, cheerful etc. and that makes me wonder why anyone would buy more expensive solutions if software firewalls provided the same functionality.

Regards
0
 
LVL 2

Accepted Solution

by:Raybans
Raybans earned 100 total points
ID: 9948144
Well, it depends on what standard you want.

A Mini Minor does the job of getting you from A to B.

A Rolls does it in style.

A tank does it with full armament.

http://www.icsalabs.com/, is a site about standards in security.

http://www.icsalabs.com/html/communities/firewalls/index.shtml has a link to their buyers guide.

This sort of certification is gained by a certain standard of testing and some organizations require you to have it.

E.g. WatchGuard 700 series firewalls have ICSA firewall, IPsec and cryptography certification.

This says it has a certain level of dependability beyond what the sales person will tell you, as an independent organization has rated it in a range of the top security tools.

http://www.icsalabs.com/html/communities/firewalls/newsite/cert.shtml is a page that links to 2 levels of firewalls that have recently passed muster

If you're protecting your office or corporate environment, you want to be able to say, I bought the tank for the company, or the Rolls-Royce, as it was one of the best standards.

You don't want to be in a position where you say, gee sorry they got past the firewall, but I did save the company some money when we bought it. Sorry about what we lost now.

They all do the same job, but some do it better, and some are stronger, or harder to break.

Some crash less often,

and others can slow down your connection more than others, as it runs through the process of checking or processing every packet that travels through it.


Best practice places a firewall as a separate entity (either an appliance, or running on a standalone server), with a minimum of 2 connections, one for the trusted side and one for the untrusted, so that there is a physical as well as logical routing separation of the networks.

This allows greater security and control.

Remember, if you have a security/doorman, you place him at the door, not inside where people can crowd around him and get past as they are already in the foyer.

You want him to stop people outside your door/gateway, with no option to get in if permission is not granted.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 9979314
ThanQ
0
