SOHO Firewall Recommendations

Anonymous
April 3, 2004 7:47:07 PM

Archived from groups: comp.security.firewalls

I know this subject crops up often, but I'm looking for
recommendations for a software-based firewall solution for SOHO that
meets the following criteria:

- Runs on Win XP or 2000 clients, not for a server application
- The only network shared resource is a printer, no disc sharing.
- Remote access via Tight VNC
- Something in the same light as Kerio 2.1.5, including the ability
to import an ASCII rules database
- A simple GUI that is not a resource hog like later versions of
Kerio or ZoneAlarm
- Linux using iptables is not an option
- The users are network, and OS literate

TIA

Frank
Anonymous
April 4, 2004 1:20:34 AM


<snip>

Duane -

Thanks for your suggestion; I have been waiting for Google to catch up
and hope I do not screw up this thread. I have lurked in this group
for a while, and your advice and technical expertise are greatly
appreciated.

I'm not worried about users changing rules, but the ability to
customize rulesets and propagate to other users on the LAN side is
important. That is why I was looking for the ability to import and
export ASCII rule files.

I was very happy with Kerio 2.1.4/5, but the well-documented program
fault that happens with XP eliminates it for my use. It was light and
solid, and with a few add-ins it is a more than capable program for
the novice or expert user.

I wish that Kerio had remained on this track. IMHO, I feel Kerio fell
into the hype of over emphasis on the GUI development, and not the
core engine. I think that is why KPF as it stands today has not been
largely accepted or recommended by this community.

I hope that Sponge still lurks here. His knowledge and expertise are
also greatly appreciated. I would love to hear a product suggestion
from him.

Thanks,

Frank L.
Anonymous
April 4, 2004 3:57:08 AM


f.long wrote:

> I know this subject crops up often, but I'm looking for
> recommendations for a software based firewall solution for SOHO

SOHO -- such an over-used word.

> that
> meet the following criteria
>
> - Runs on Win XP or 2000 clients, not for a server application

Obviously. Windows is the worst choice for a server of any kind, IMO.

> - The only network shared resource is a printer, no disc sharing.

This is normal for a LAN -- I've never seen a hardware router filter out
connections between PCs, but I could be wrong. Printer sharing should
work fine.

> - Remote access via Tight VNC

Sounds like you need to get a linux-based PC-router solution, like SonicWall
or SmoothWall.

> - Something in the same light as Kerio 2.1.5 including the ability
> to import an ASCII rules database
> - A simple GUI that is a not a resource hog like later versions of
> Kerio or ZoneAlarm

I've used smoothwall, and that GUI isn't a resource hog. However, it's
browser-based. Nothing installs on the client.

> - Linux using iptables is not option

It's not? Oh well, have a good life. Smoothwall is very simple to use, and
requires no iptables understanding. However, if I can teach myself
IPTables in an hour, so can you....

> - The users are network, and OS literate

That's a scary thought in my opinion -- the more they know, the more they
will push the boundaries. However, the reverse can also be true -- the
less they know, the more likely they are to do stupid things.

>
> TIA
>
> Frank

--
Who made the world I cannot tell;
'Tis made, and here am I in hell.
My hand, though now my knuckles bleed,
I never soiled with such a deed.
-- A. E. Housman
Anonymous
April 4, 2004 5:50:57 AM


"f.long" <footslong@hotmail.com> wrote in message
news:96965018.0404031547.6350d07f@posting.google.com...
> I know this subject crops up often, but I'm looking for
> recommendations for a software based firewall solution for SOHO that
> meet the following criteria
>
> - Runs on Win XP or 2000 clients, not for a server application
> - The only network shared resource is a printer, no disc sharing.
> - Remote access via Tight VNC
> - Something in the same light as Kerio 2.1.5 including the ability
> to import an ASCII rules database
> - A simple GUI that is a not a resource hog like later versions of
> Kerio or ZoneAlarm
> - Linux using iptables is not option
> - The users are network, and OS literate
>

Although BlackIce has had some issues as of late, I think they have been
corrected by ISS. BI has the BlackIce.ini and Firewall.ini text based rule
files.

Also, with BlackIce running on an NT-based O/S, you can use NTFS to only
allow a Desktop Admin to run the BlackIce.exe UI program to set the rules,
but disallow non-desktop-admin users from running the BlackIce.exe UI to make any
changes to BI. The BlackIce service on the NT-based O/S is still running,
protecting the machine with the IDS/FW. You can implement VisualIce (free)
to review the BI logs.

I have used BI with Netmeeting's RDS on the XP and Win 2K and PCanywhere on
Win 2K and didn't have any problems while BI was running. So, I don't think
there will be an issue in that area with Tight VNC.

If the users are literate, then, if allowing them to view the BI UI, you can
disable Application Control, and questions as to what can and cannot access the
Internet are not asked; if they are so literate, they won't know what to do
in this area with any solid knowledge anyway.

BI will meet the above requirements.

I have also implemented IPsec on the XP and Win 2k machines to supplement
BI, which BI will also report on IPsec taking protection measures in its
logs.

IPsec is one powerful piece of software on the XP and Win 2K O/S(s) that can
be implemented in the protection scheme to supplement any host based FW
solution.

The rules are simple with the help of the AnalogX base template of SecPol
rules which can be implemented and expanded upon.

basics
http://www.petri.co.il/block_ping_traffic_with_ipsec.ht...

advanced
http://www.analogx.com/contents/articles/ipsec.htm

The SecPol rules supplied have rules created for Server and Client.

I like to set additional rules with BI to Reject all IP(s) on TCP/UDP ports
1-65535 even with BI in the Paranoid mode.

BlackIce does have a 30-day trial version.

Duane :) 
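A worked version of the two host-hardening steps in the post above, added here as an example; it is not from the original thread and is not ISS's own tooling. It does two things: an NTFS ACL edit so that only a local admin group (plus SYSTEM, for the service) can launch the BlackIce UI, and a static IPsec policy that drops ICMP and restricts SMB/NetBIOS and TightVNC (default TCP 5900) to the LAN subnet, leaving stateful work to the host firewall. Everything below that the thread does not state is an assumption: the install path C:\Program Files\ISS\BlackICE, the group name "Desktop Admins", the LAN subnet 192.168.1.0/24, and that the host has the netsh ipsec context (Windows Server 2003 and XP SP2; Windows 2000 needs ipsecpol.exe from the Resource Kit and pre-SP2 XP needs ipseccmd.exe, with different syntax).

```batch
@echo off
rem Added example: not from the thread, not ISS's own tooling. Run in an administrative cmd.exe.
rem ASSUMED (not stated in the thread): install path, group name, LAN subnet, service ports,
rem and the presence of the netsh ipsec context (Server 2003 / XP SP2; Win2K uses ipsecpol.exe).
setlocal
set BIDIR=C:\Program Files\ISS\BlackICE
set ADMINGRP=Desktop Admins
set LAN=192.168.1.0
set LANMASK=255.255.255.0
set POL=SOHO-Host

rem ---- 1. NTFS: only the admin group (plus SYSTEM for the service) may launch the UI ----
rem /E edits the ACL in place, /R removes an ACE, /G grants (R = read+execute, F = full).
rem cacls cannot remove INHERITED entries: break inheritance on the file first if /R is a no-op.
cacls "%BIDIR%\blackice.exe" /E /R Users
cacls "%BIDIR%\blackice.exe" /E /R Everyone
cacls "%BIDIR%\blackice.exe" /E /G "%ADMINGRP%":R
cacls "%BIDIR%\blackice.exe" /E /G SYSTEM:F
rem Verify: Users and Everyone should no longer appear in the listing.
cacls "%BIDIR%\blackice.exe"

rem ---- 2. IPsec packet filters to supplement the host firewall ----
rem Caveat: Windows IPsec filters are STATELESS. A blanket any->me block would also drop
rem replies to this host's own outbound connections, so block by port instead and leave
rem stateful filtering to BlackIce. Windows applies the MOST SPECIFIC matching filter, not
rem the first one added, so a LAN-subnet permit beats an any-address block on the same port.
netsh ipsec static add policy name="%POL%" description="Host-based IPsec filters"
netsh ipsec static add filteraction name="Block" action=block
netsh ipsec static add filteraction name="Permit" action=permit

rem 2a. Drop ICMP in both directions (the "block ping" basic). mirrored=yes adds the reverse filter.
netsh ipsec static add filterlist name="ICMP-Any"
netsh ipsec static add filter filterlist="ICMP-Any" srcaddr=any dstaddr=me protocol=ICMP mirrored=yes
netsh ipsec static add rule name="Block-ICMP" policy="%POL%" filterlist="ICMP-Any" filteraction="Block"

rem 2b. Block RPC/NetBIOS/SMB and VNC from any address (srcport=0 means any source port)...
netsh ipsec static add filterlist name="Services-Any"
for %%P in (135 139 445 5900) do netsh ipsec static add filter filterlist="Services-Any" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=%%P mirrored=yes
for %%P in (137 138) do netsh ipsec static add filter filterlist="Services-Any" srcaddr=any dstaddr=me protocol=UDP srcport=0 dstport=%%P mirrored=yes
netsh ipsec static add rule name="Block-Services" policy="%POL%" filterlist="Services-Any" filteraction="Block"

rem 2c. ...but permit printer sharing and VNC from the LAN subnet (more specific, so it wins).
netsh ipsec static add filterlist name="Services-LAN"
for %%P in (139 445 5900) do netsh ipsec static add filter filterlist="Services-LAN" srcaddr=%LAN% srcmask=%LANMASK% dstaddr=me protocol=TCP srcport=0 dstport=%%P mirrored=yes
for %%P in (137 138) do netsh ipsec static add filter filterlist="Services-LAN" srcaddr=%LAN% srcmask=%LANMASK% dstaddr=me protocol=UDP srcport=0 dstport=%%P mirrored=yes
netsh ipsec static add rule name="Permit-LAN-Services" policy="%POL%" filterlist="Services-LAN" filteraction="Permit"

rem 2d. Assign (activate) the policy and show what is now in force.
netsh ipsec static set policy name="%POL%" assign=yes
netsh ipsec static show policy name="%POL%" level=verbose
endlocal
```

Test it from a second LAN machine before and after assignment: `ping` to the host should stop answering, a VNC connection to port 5900 from the LAN should still work, and the same connection from outside the 192.168.1.0/24 range (or with the permit rule temporarily unassigned) should fail. Because the filters are stateless, do not be tempted to "harden" this into an any->me block-all rule; that is the host firewall's job.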
Anonymous
April 4, 2004 6:15:10 AM


correction

<snip>

If the users are not literate, then, if allowing them to view the BI UI, you
can disable Application Control, and questions as to what can and cannot access the
Internet are not asked; if they are not so literate, they won't know what to
do in this area with any solid knowledge anyway.

<snip>

Duane :) 
Anonymous
April 4, 2004 5:32:03 PM


"f.long" <footslong@hotmail.com> wrote in message
news:96965018.0404032120.5762c791@posting.google.com...
> <snip>
>
> Duane -
>
> Thanks for your suggestion, have been waiting for Google to catch up
> and hope I do not screw-up this thread. I have lurked in this group
> for awhile, and your advice and technical expertise is greatly
> appreciated.
>
> I'm not worried about users changing rules, but the ability to
> customize rulesets and propagate to other users on the LAN side is
> important. That is why I was looking for the ability to import and
> export ASCII rule files.

With BI, you can make a set of rules on one machine that would be contained
in the BlackIce.ini and Firewall.ini files and populate the files to other
machines running BI. Through the BI UI you can disable the Protect Agent
File switch that will allow the two .ini files to be overlaid. The BI
service on the NT based O/S may need to be stopped as well.

>
> I was very happy with Kerio 2.1.4/5, but the well documented program
> fault that happens with XP eliminates it for my use. It was a lite,
> solid, and with a few add-in, it is a more than capable program for
> the novice or expert user.

Kerio is a good product and I have trialed the 2.x version a few months ago.

>
> I wish that Kerio had remained on this track. IMHO, I feel Kerio fell
> into the hype of over emphasis on the GUI development, and not the
> core engine. I think that is why KPF as it stands today has not been
> largely accepted or recommended by this community.
>
> I hope that Sponge still lurks here His knowledge and expertise is
> also greatly appreciated. I would love to here a product suggestion
> from him.

Sponge is one of the Top Guns in the NG and I respect his advice as well.

You should consider using IPsec to supplement any host based FW as it is a
stateful and a solid solution that is overlooked, IMHO.

Duane :) 
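The ruleset propagation the post above describes, written out as an added example that is not from the thread and not an ISS tool: a reference BlackIce.ini and Firewall.ini are pushed from an admin share to each host listed in hosts.txt (one hostname per line), with the existing files backed up first, the service stopped and restarted around the copy, and a byte-for-byte check afterwards. The UNC share \\adminpc\birules, the install path under the C$ admin share, and the service name "BlackICE" are assumptions, not something the thread states; the Protect Agent File switch must already have been turned off on each target through the BI UI, as the post says, or the copied files will not take effect.

```batch
@echo off
rem Added example: not from the thread, not an ISS tool. Run as a user with admin rights
rem on every target host. ASSUMED: the share, install path and service name below.
rem Precondition: "Protect Agent File" already disabled in the BI UI on each target.
setlocal
set SRC=\\adminpc\birules
set BIDIR=C$\Program Files\ISS\BlackICE
set SVC=BlackICE

for /f "usebackq" %%H in ("hosts.txt") do call :push %%H
endlocal
goto :eof

:push
echo === %1 ===
rem Keep a dated backup so a bad ruleset can be rolled back (slashes in %DATE% become dashes).
copy /y "\\%1\%BIDIR%\Firewall.ini" "\\%1\%BIDIR%\Firewall.ini.%DATE:/=-%.bak" >nul
copy /y "\\%1\%BIDIR%\BlackIce.ini" "\\%1\%BIDIR%\BlackIce.ini.%DATE:/=-%.bak" >nul
rem Stop the service so it cannot rewrite the files while they are being replaced.
sc \\%1 stop %SVC% >nul
rem sc returns before the service has fully stopped; ping is the classic cmd.exe sleep.
ping -n 6 127.0.0.1 >nul
copy /y "%SRC%\Firewall.ini" "\\%1\%BIDIR%\" >nul
copy /y "%SRC%\BlackIce.ini" "\\%1\%BIDIR%\" >nul
sc \\%1 start %SVC% >nul
rem Verify the copy landed intact: fc /b prints "no differences encountered" on a match.
fc /b "%SRC%\Firewall.ini" "\\%1\%BIDIR%\Firewall.ini" | find "no differences" >nul && echo   Firewall.ini OK || echo   Firewall.ini MISMATCH
fc /b "%SRC%\BlackIce.ini" "\\%1\%BIDIR%\BlackIce.ini" | find "no differences" >nul && echo   BlackIce.ini OK || echo   BlackIce.ini MISMATCH
goto :eof
```

Edit the reference copies on one machine through the BI UI, export them to the share, and run the script; a MISMATCH line usually means the service was still running (Protect Agent File still on, or the stop had not completed) and rewrote the file on restart.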
Anonymous
April 4, 2004 10:57:31 PM


On Sat, 03 Apr 2004 22:57:08 -0700, NeoSadist spoketh


>> - Runs on Win XP or 2000 clients, not for a server application
>
>Obviously. Windows is the worst choice for a server of any kind, IMO.
>

Windows is a good choice for ANY type of server, assuming the person in
charge of it knows what they are doing. The same goes for Linux. A
clueless person behind a Linux box is just as bad (if not worse) than a
clueless person behind a Windows server...

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)