

Firewall choice question

Posted on 2003-12-09
Medium Priority
Last Modified: 2013-11-16
Hello all,
We have a remote 2000 standalone server which we administer using pcAnywhere. We access info on the server via the web (http, not https). We are currently using Zone Alarm Pro but are not entirely happy with it and are considering changing to Black Ice.

Will someone please give advice on whether Black Ice is appropriate? I thought that something like ISA on a separate box would be the better approach.
Question by:Chris_m
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 400 total points
ID: 9903538
Hi Chris_m,
I always used to swear by Black Ice but I only use Zone Alarm on small systems now; it's a lot easier to configure and gives you better quality feedback.

Though if it's a corporate network I'd be looking at a hardware firewall. (PIX rules :0)

Firewalls (Hardware or Software?)

Software Firewalls

The basic version is still free!
Zone Labs offers a complete range of firewall products, from the free ZoneAlarm, to the comprehensive protection of ZoneAlarm Plus, to the ultimate privacy and security tools in ZoneAlarm Pro.

Black Ice Defender
BlackICE teams a personal firewall with an advanced intrusion detection system to constantly watch your Internet connections for suspicious behavior.

Symantec's Norton™ Personal Firewall
Keeps hackers out and personal data in. It makes robust firewall protection easy by automatically hiding your PC on the Internet and blocking suspicious connections. Norton Personal Firewall also protects your privacy by preventing confidential information from being sent out without your knowledge.

McAfee Personal Firewall
Personal Firewall places a barrier between the Internet and your PC, helping to block hackers from accessing your computer and allowing you to digitally 'fingerprint' trusted applications. Every time your computer is probed or attacked, you get detailed reports and clear follow-up options.

Hardware Firewalls

Cisco PIX
The world-leading Cisco PIX® Security Appliance Series provides robust, enterprise-class, integrated network security services including stateful inspection firewalling, protocol and application inspection, virtual private networking (VPN), in-line intrusion protection, and rich multimedia and voice security, in cost-effective, easy-to-deploy solutions.

SonicWALL Internet firewall/VPN security appliances support an array of security applications and deliver powerful firewall and VPN performance. SonicWALL appliances are built on stateful inspection firewall technology, and a dedicated security ASIC designed to ensure maximum performance for VPN enabled applications.

3Com perimeter firewalls and website filters cost-efficiently secure Internet access and give IT managers a critical first line of defense against network attacks and unauthorized access. For protecting the perimeter of your network, choose the 3Com® SuperStack® 3 Firewall for enterprise



Expert Comment

ID: 9912170
For a software firewall I would suggest Sygate, www.sygate.com

The personal edition is free.

From my point of view it has been a better option than Zone Alarm, Norton's or Black Ice, every time I have had a reason to recompare.

For a firewall appliance/hardware:

I suggest also comparing WatchGuard's SOHO and Firebox series and NETSCREEN.

Author Comment

ID: 9912237
ISA is a software firewall too, but if I am not mistaken, it has to be installed on a separate machine or one with 2 network cards. That is an important requirement for Stateful Packet Inspection which Zone Alarm etc. do not fulfill -- or so I am told. I believe that buffer overflow attacks are difficult to prevent if the firewall is on the machine that is being protected.

LVL 57

Expert Comment

by:Pete Long
ID: 9914455
>>ISA is a software firewall too

:0) that could start a debate, LOL

Yes, ISA has some firewall functionality, but at £568.00 sterling (per processor - and that's what I pay at a discounted rate) you could put a hardware firewall in.


Expert Comment

ID: 9916483
ISA is a software firewall, but it is usually set up on a different box, and usually people set it up as part of the domain, which means if the domain accounts are compromised, so is ISA, and if ISA is compromised so is the domain.

A separate firewall is the best option.

If your firewall gets compromised then your network security should give you another layer of protection.

If your network gets compromised, then your firewall should still be secure, while you get control of your servers back.

Author Comment

ID: 9934419
But is ISA superior -- offers better protection etc. than the software firewalls such as Zone Alarm and Black ICE?

Expert Comment

ID: 9936223
All depends on who you ask. Yes, I would say ISA correctly set up is more secure and more flexible than Zone Alarm and Black ICE and most software firewalls in that category,

but I would suggest Checkpoint running on Windows is a more secure software firewall than any of those.

It depends on the environment and how you're going to set it up.

LVL 57

Expert Comment

by:Pete Long
ID: 9941658
I agree with Raybans, and I wouldn't trust both my authentication and firewalling to the same directory security for the same reason pointed out above. Yes, ISA will perform firewall functionality and there are many who swear by it, but where does it sit in the network? Usually on a proxy server in your rack, and usually NOT directly next to your router, which is the BEST place for a firewall.

It sounds as though you are quite keen to go with an ISA solution and I don't want to dissuade you. ZA and Black Ice are cheap and cheerful software firewall solutions; ISA has some filtering ability built onto what was essentially "Proxy Server 2.0".

If you've already bought ISA then roll with it; if not, buying hardware will work out cheaper.

Good luck

Author Comment

ID: 9947971
I haven't bought anything yet, I just want to be absolutely certain about what is really the best. You explain it well with ZA, Black Ice are cheap, cheerful etc. and that makes me wonder why anyone would buy more expensive solutions if software firewalls provided the same functionality.


Accepted Solution

Raybans earned 400 total points
ID: 9948144
Well, it depends on what standard you want.

A Mini Minor does the job of getting you from A to B.

A Rolls does it in style.

A tank does it with full armament.

http://www.icsalabs.com/, is a site about standards in security.

http://www.icsalabs.com/html/communities/firewalls/index.shtml has a link to their buyers guide.

This sort of certification is gained by a certain standard of testing and some organizations require you to have it.

E.g. WatchGuard 700 series firewalls have ICSA firewall, IPSEC and Cryptography certification.

This says it has a certain level of dependability beyond what the sales person will tell you, as an independent organization has rated it in a range of the top security tools.

http://www.icsalabs.com/html/communities/firewalls/newsite/cert.shtml is a page that links to 2 levels of firewalls that have recently passed muster

If you're protecting your office or corporate environment, you want to be able to say, "I bought the tank for the company, or the Rolls-Royce, as it was one of the best standards."

You don't want to be in a position where you say, "Gee, sorry they got past the firewall, but I did save the company some money when we bought it. Sorry about what we lost now."

They all do the same job, but some do it better, and some are stronger, or harder to break.

Some crash less often,

and others can slow down your connection more than others, as it runs through the process of checking or processing every packet that travels through it.

Best practice places a firewall as a separate entity (either an appliance, or running on a standalone server), with a minimum of 2 connections, one for the trusted side and one for the untrusted, so that there is a physical as well as logical routing separation of the networks.

This allows greater security and control.

Remember, if you have a security/doorman, you place him at the door, not inside where people can crowd around him and get past as they are already in the foyer.

You want him to stop people outside your door/gateway, with no option to get in if permission is not granted.
LVL 57

Expert Comment

by:Pete Long
ID: 9979314
