SOHO Firewall Recommendations

Archived from groups: comp.security.firewalls

I know this subject crops up often, but I'm looking for
recommendations for a software-based firewall solution for SOHO that
meets the following criteria:

- Runs on Win XP or 2000 clients, not for a server application
- The only network shared resource is a printer, no disc sharing.
- Remote access via Tight VNC
- Something in the same light as Kerio 2.1.5, including the ability
to import an ASCII rules database
- A simple GUI that is not a resource hog like later versions of
Kerio or ZoneAlarm
- Linux using iptables is not an option
- The users are network and OS literate

TIA

Frank
  1.

    <snip>

    Duane -

    Thanks for your suggestion, have been waiting for Google to catch up
    and hope I do not screw up this thread. I have lurked in this group
    for a while, and your advice and technical expertise is greatly
    appreciated.

    I'm not worried about users changing rules, but the ability to
    customize rulesets and propagate them to other users on the LAN side is
    important. That is why I was looking for the ability to import and
    export ASCII rule files.

    I was very happy with Kerio 2.1.4/5, but the well-documented program
    fault that happens with XP eliminates it for my use. It was light and
    solid, and with a few add-ins it is a more than capable program for
    the novice or expert user.

    I wish that Kerio had remained on this track. IMHO, I feel Kerio fell
    into the hype of over-emphasis on GUI development, and not the
    core engine. I think that is why KPF as it stands today has not been
    largely accepted or recommended by this community.

    I hope that Sponge still lurks here. His knowledge and expertise are
    also greatly appreciated. I would love to hear a product suggestion
    from him.

    Thanks,

    Frank L.
  2.

    f.long wrote:

    > I know this subject crops up often, but I'm looking for
    > recommendations for a software based firewall solution for SOHO

    SOHO -- such an over-used word.

    > that
    > meet the following criteria
    >
    > - Runs on Win XP or 2000 clients, not for a server application

    Obviously. Windows is the worst choice for a server of any kind, IMO.

    > - The only network shared resource is a printer, no disc sharing.

    This is normal for a LAN -- I've never seen a hardware router filter out
    connections between PCs, but I could be wrong. Printer sharing should
    work fine.

    > - Remote access via Tight VNC

    Sounds like you need to get a Linux-based PC-router solution, like SonicWall
    or SmoothWall.

    > - Something in the same light as Kerio 2.1.5 including the ability
    > to import an ASCII rules database
    > - A simple GUI that is a not a resource hog like later versions of
    > Kerio or ZoneAlarm

    I've used smoothwall, and that GUI isn't a resource hog. However, it's
    browser-based. Nothing installs on the client.

    > - Linux using iptables is not option

    It's not? Oh well, have a good life. Smoothwall is very simple to use, and
    requires no iptables understanding. However, if I can teach myself
    IPTables in an hour, so can you....

    > - The users are network, and OS literate

    That's a scary thought in my opinion -- the more they know, the more they
    will push the boundaries. However, the reverse can also be true -- the
    less they know, the more likely they are to do stupid things.

    >
    > TIA
    >
    > Frank

    --
    Who made the world I cannot tell;
    'Tis made, and here am I in hell.
    My hand, though now my knuckles bleed,
    I never soiled with such a deed.
    -- A. E. Housman
  3.

    "f.long" <footslong@hotmail.com> wrote in message
    news:96965018.0404031547.6350d07f@posting.google.com...
    > I know this subject crops up often, but I'm looking for
    > recommendations for a software based firewall solution for SOHO that
    > meet the following criteria
    >
    > - Runs on Win XP or 2000 clients, not for a server application
    > - The only network shared resource is a printer, no disc sharing.
    > - Remote access via Tight VNC
    > - Something in the same light as Kerio 2.1.5 including the ability
    > to import an ASCII rules database
    > - A simple GUI that is a not a resource hog like later versions of
    > Kerio or ZoneAlarm
    > - Linux using iptables is not option
    > - The users are network, and OS literate
    >

    Although BlackIce has had some issues as of late, I think they have been
    corrected by ISS. BI has the BlackIce.ini and Firewall.ini text-based rule
    files.

    Also, with BlackIce running on an NT-based O/S, you can use NTFS to only
    allow a Desktop Admin to run the BlackIce.exe UI program to set the rules,
    but disallow non-desktop-admin users from running the BlackIce.exe UI and
    making any changes to BI. The BlackIce service on the NT-based O/S is still
    running, protecting the machine with the IDS/FW. You can implement VisualIce
    (free) to review the BI logs.

    I have used BI with Netmeeting's RDS on the XP and Win 2K and PCanywhere on
    Win 2K and didn't have any problems while BI was running. So, I don't think
    there will be an issue in that area with Tight VNC.

    If the users are literate, then if allowing them to view the BI UI you can
    disable Application Control, and questions as to what can and cannot access
    the Internet are not asked; if they are so literate, they won't know what to
    do in this area with any solid knowledge anyway.

    BI will meet the above requirements.

    I have also implemented IPsec on the XP and Win 2K machines to supplement
    BI, and BI will also report in its logs on IPsec taking protection
    measures.

    IPsec is one powerful piece of software on the XP and Win 2K O/S(s) that can
    be implemented in the protection scheme to supplement any host based FW
    solution.

    The rules are simple with the help of the AnalogX base template of SecPol
    rules which can be implemented and expanded upon.

    basics
    http://www.petri.co.il/block_ping_traffic_with_ipsec.htm

    advanced
    http://www.analogx.com/contents/articles/ipsec.htm

    The SecPol rules supplied have rules created for Server and Client.

    I like to set additional rules with BI to Reject all IP(s) on TCP/UDP ports
    1-65535 even with BI in the Paranoid mode.

    BlackIce does have a 30-day trialware version.

    Duane :)
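The IPsec supplement described in the reply above, as an added example that is not from the thread, from ISS or from the linked petri.co.il/AnalogX articles (which do the same work in the SecPol GUI): a static permit/block IPsec policy built with netsh. netsh ipsec is present on Windows XP SP2 and Server 2003; Windows 2000 and pre-SP2 XP need ipsecpol.exe / ipseccmd.exe instead. The LAN subnet 192.168.1.0/24, TightVNC on TCP 5900 and the printer share on TCP 139/445 are assumptions. It blocks ping, drops all other unsolicited inbound traffic, and carves holes for the LAN hosts and for the replies to the host's own client traffic.

```batch
@echo off
rem Added example, not from the thread: a static IPsec permit/block policy for a
rem Windows XP SP2 / Server 2003 host (netsh ipsec is absent on Windows 2000 and
rem pre-SP2 XP; ipsecpol.exe / ipseccmd.exe cover those). Run as an administrator.
rem ASSUMPTIONS: LAN 192.168.1.0/24, TightVNC on TCP 5900, printer share on TCP 139/445.
setlocal
set POLICY=SOHO Host Filter
set LAN=192.168.1.0
set LANMASK=255.255.255.0

rem Policy container, created unassigned; the default response rule is left off
rem so the host never tries to negotiate IKE with anyone.
netsh ipsec static add policy name="%POLICY%" description="Packet filter supplementing the personal firewall" activatedefaultrule=no assign=no

rem Plain permit/block actions: no IKE, no encryption.
netsh ipsec static add filteraction name="SOHO Permit" action=permit
netsh ipsec static add filteraction name="SOHO Block" action=block

rem 1. Catch-all: drop every packet addressed to this host. mirrored=no leaves
rem    outbound packets alone. IPsec ranks filters by specificity, so the narrower
rem    permits below win over this one.
netsh ipsec static add filterlist name="SOHO Inbound All"
netsh ipsec static add filter filterlist="SOHO Inbound All" srcaddr=any dstaddr=me protocol=any mirrored=no description="Drop unsolicited inbound"

rem 2. No ICMP in either direction (the "block ping" recipe).
netsh ipsec static add filterlist name="SOHO ICMP"
netsh ipsec static add filter filterlist="SOHO ICMP" srcaddr=any dstaddr=me protocol=ICMP mirrored=yes description="No ICMP"

rem 3. Server side: the LAN may reach TightVNC and the printer share, nothing else.
netsh ipsec static add filterlist name="SOHO LAN Services"
netsh ipsec static add filter filterlist="SOHO LAN Services" srcaddr=%LAN% srcmask=%LANMASK% dstaddr=me protocol=TCP srcport=0 dstport=5900 mirrored=no description="TightVNC from LAN"
netsh ipsec static add filter filterlist="SOHO LAN Services" srcaddr=%LAN% srcmask=%LANMASK% dstaddr=me protocol=TCP srcport=0 dstport=139 mirrored=no description="NetBIOS session, printer share"
netsh ipsec static add filter filterlist="SOHO LAN Services" srcaddr=%LAN% srcmask=%LANMASK% dstaddr=me protocol=TCP srcport=0 dstport=445 mirrored=no description="SMB, printer share"

rem 4. Client side: these filters are stateless, so replies to the host's own
rem    outbound HTTP/HTTPS/DNS (and DHCP, if used) must be let back in by source
rem    port. Anything that sources from 80/443/53 gets through this layer; the
rem    stateful personal firewall in front of it is what closes that gap.
netsh ipsec static add filterlist name="SOHO Client Replies"
netsh ipsec static add filter filterlist="SOHO Client Replies" srcaddr=any srcport=80 dstaddr=me dstport=0 protocol=TCP mirrored=no description="HTTP replies"
netsh ipsec static add filter filterlist="SOHO Client Replies" srcaddr=any srcport=443 dstaddr=me dstport=0 protocol=TCP mirrored=no description="HTTPS replies"
netsh ipsec static add filter filterlist="SOHO Client Replies" srcaddr=any srcport=53 dstaddr=me dstport=0 protocol=UDP mirrored=no description="DNS replies"
netsh ipsec static add filter filterlist="SOHO Client Replies" srcaddr=any srcport=67 dstaddr=me dstport=68 protocol=UDP mirrored=no description="DHCP replies"

rem Bind the lists to their actions inside the policy, then assign it.
netsh ipsec static add rule name="Drop inbound" policy="%POLICY%" filterlist="SOHO Inbound All" filteraction="SOHO Block"
netsh ipsec static add rule name="Drop ICMP" policy="%POLICY%" filterlist="SOHO ICMP" filteraction="SOHO Block"
netsh ipsec static add rule name="LAN services" policy="%POLICY%" filterlist="SOHO LAN Services" filteraction="SOHO Permit"
netsh ipsec static add rule name="Client replies" policy="%POLICY%" filterlist="SOHO Client Replies" filteraction="SOHO Permit"
netsh ipsec static set policy name="%POLICY%" assign=y

rem Review:   netsh ipsec static show policy name="%POLICY%" level=verbose
rem Back out: netsh ipsec static set policy name="%POLICY%" assign=n
endlocal
```

Two caveats a practitioner should keep in mind. IPsec permit/block filters on Windows 2000/XP are static packet filters, which is why the "client" list has to open source-port holes and why a stateful host firewall still belongs in front of it. And some traffic is exempt from IPsec filtering by default (IKE at minimum, and on older builds broadcast, multicast, Kerberos and RSVP as well); the NoDefaultExempt registry value controls that, so check it before relying on the catch-all rule.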
  4.

    correction

    <snip>

    If the users are not literate, then if allowing them to view the BI UI you
    can disable Application Control, and questions as to what can and cannot
    access the Internet are not asked; if they are not so literate, they won't
    know what to do in this area with any solid knowledge anyway.

    <snip>

    Duane :)
  5.

    "f.long" <footslong@hotmail.com> wrote in message
    news:96965018.0404032120.5762c791@posting.google.com...
    > <snip>
    >
    > Duane -
    >
    > Thanks for your suggestion, have been waiting for Google to catch up
    > and hope I do not screw up this thread. I have lurked in this group
    > for a while, and your advice and technical expertise is greatly
    > appreciated.
    >
    > I'm not worried about users changing rules, but the ability to
    > customize rulesets and propagate them to other users on the LAN side is
    > important. That is why I was looking for the ability to import and
    > export ASCII rule files.

    With BI, you can make a set of rules on one machine that would be contained
    in the BlackIce.ini and Firewall.ini files and populate the files to other
    machines running BI. Through the BI UI you can disable the Protect Agent
    File switch that will allow the two .ini files to be overlaid. The BI
    service on the NT based O/S may need to be stopped as well.

    >
    > I was very happy with Kerio 2.1.4/5, but the well-documented program
    > fault that happens with XP eliminates it for my use. It was light and
    > solid, and with a few add-ins it is a more than capable program for
    > the novice or expert user.

    Kerio is a good product and I have trialed the 2.x version a few months ago.

    >
    > I wish that Kerio had remained on this track. IMHO, I feel Kerio fell
    > into the hype of over-emphasis on GUI development, and not the
    > core engine. I think that is why KPF as it stands today has not been
    > largely accepted or recommended by this community.
    >
    > I hope that Sponge still lurks here. His knowledge and expertise are
    > also greatly appreciated. I would love to hear a product suggestion
    > from him.

    Sponge is one of the Top Guns in the NG and I respect his advice as well.

    You should consider using IPsec to supplement any host-based FW, as it is a
    stateful, solid solution that is overlooked, IMHO.

    Duane :)
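The two administrative tasks from this exchange, as an added example that is not from the thread or from ISS: restricting the BlackIce UI binary to administrators with an NTFS ACL (from the earlier reply) and pushing one machine's BlackIce.ini and Firewall.ini to the other LAN machines over the admin share (from the reply just above). The install path, the service name and the list of peer hostnames are assumptions; confirm the service name with "sc query" on a BI host, and turn off Protect Agent File in the UI on each peer first, as the reply describes.

```batch
@echo off
rem Added example, not from the thread. Locks the BlackICE UI to administrators
rem and pushes a reference rule set to peer machines over the C$ admin share.
rem ASSUMPTIONS to verify before use: the install path, the service name
rem (check with "sc query" on a BI host) and the peer hostnames.
setlocal
set BI_DIR=C:\Program Files\ISS\BlackICE
set BI_REMOTE=C$\Program Files\ISS\BlackICE
set BI_SERVICE=BlackICE
set PEERS=ws01 ws02 ws03

rem 1. Lock the UI: only Administrators and SYSTEM may execute blackice.exe.
rem    The service keeps filtering; ordinary users simply cannot open the UI.
rem    /P replaces the whole ACL, so cacls prompts; "echo y|" answers it.
echo y| cacls "%BI_DIR%\blackice.exe" /P Administrators:F SYSTEM:F

rem 2. Push the reference rule files. "Protect Agent File" must already be off
rem    on each peer (a UI setting), or the overlaid files are not accepted.
for %%H in (%PEERS%) do (
    echo === %%H ===
    sc \\%%H stop "%BI_SERVICE%" >nul
    rem crude pause so the service releases its file handles
    ping -n 4 127.0.0.1 >nul
    copy /Y "%BI_DIR%\blackice.ini" "\\%%H\%BI_REMOTE%\blackice.ini"
    copy /Y "%BI_DIR%\firewall.ini" "\\%%H\%BI_REMOTE%\firewall.ini"
    sc \\%%H start "%BI_SERVICE%" >nul
    rem confirm the service came back before moving on
    sc \\%%H query "%BI_SERVICE%" | find "RUNNING" >nul || echo WARNING: %BI_SERVICE% not running on %%H
)
endlocal
```

Run it from a domain or local account that is an administrator on every peer, since both sc against a remote host and the C$ share require that. If the peers are not all on the same install path, replace BI_REMOTE with a per-host lookup rather than guessing.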
  6.

    On Sat, 03 Apr 2004 22:57:08 -0700, NeoSadist spoketh


    >> - Runs on Win XP or 2000 clients, not for a server application
    >
    >Obviously. Windows is the worst choice for a server of any kind, IMO.
    >

    Windows is a good choice for ANY type of server, assuming the person in
    charge of it knows what they are doing. The same goes for Linux. A
    clueless person behind a Linux box is just as bad (if not worse) than a
    clueless person behind a Windows server...

    Lars M. Hansen
    http://www.hansenonline.net
    (replace 'badnews' with 'news' in e-mail address)