DDOS anecdotes

David Howe DaveHowe at gmx.co.uk
Sun Jun 24 20:16:50 UTC 2001


> > ... and recommends ZoneAlarm as a solution to the problem.
> It is better than BlackIce, is there anything better than ZoneAlarm?
> I am building a new Win98 machine for our accountant and even
> behind a firewall, I'd like to put some good tools on it.
It depends on what you want from it - ZoneAlarm is very much "personal
firewalling for lusers" rather than an industry leader these days. How clued
is the accountant?

ZA standard has two sliders - one marked "internet" and one marked "lan" -
and you get to define a list of hosts / network interfaces to be treated as
"lan" (note that defining the hosts/interface is labelled an ADVANCED task,
and that there is no nice convenient popup to let you decide per event).
Then, per app, you get to define
a) if the app can connect out to the lan/internet (six checkboxes:
yes/no/ask every time, for either route)
b) if the app can "act as a server" (not defined, but means opening ports;
six checkboxes in the *latest* version - it used to be one checkbox covering
both routes, then one checkbox meaning "yes" per route, and in both cases
unchecked meant ask, so something like IE would bug you each time it
started until you made it an automatic server).
The sliders are basically three position - "unprotected", "medium" (139 etc.
autoblocked, nothing much else done) and "high" (unused ports stealthed, but
otherwise see "medium"). The PRO addition allows you to define ports for each
app, not hosts (although you can do this vaguely with the local zone defs),
but it gives you some crude filtering that standard doesn't (not worth the
extra money IMHO).

BlackIce is an IDS - it repeatedly claims to have told GRC it isn't a
firewall (although of course its marketing claims it is - marketdroids in
action) and concentrates almost exclusively on logging inbound per port and
per host, with a bit of filtering thrown in.

Tiny PFW (free for home use - and I admit it is my current personal firewall,
so I may be a little biased here) is everything ZA Pro should have been, but
without the luser-friendly interface. It blocks per app, per host, per port
(both local and remote) in either direction, is ICMP-aware for rules, and
the latest version has a nice "other protocols" section that can (for
example) be set to protocol 2 for IGMP packets. It has a similar popup
interface to ZA (accept/deny buttons and a checkbox for "create rule"), but
there is a major philosophy difference between ZA and Tiny: Tiny filters
packets (it is app-aware, but doesn't care that much - you can create rules
for "any" as an app, and any app can open a port, it just can't use it to get
packets if the rule isn't in place), while ZA filters apps (it doesn't care
about actual traffic, just whether an app can send and whether an app can
open a port).

Look'n'stop is a new contender and worth watching. Originally a packet-only
firewall (but one with a good default rulebase against common internet
attacks like teardrop), it has the interesting distinction of binding to a
single network interface, so you can bind it to your dialup and filter
traffic between that interface and the web while leaving the LAN interface
untouched. The latest version has some crude application filtering, but
isn't in the same league as even ZA standard for that. It is probably going
to be held back by the fact that it is payware for the home market - not
something its user base can currently sustain, given there is no "grassroots"
support for it the way there is for Zone Alarm (and even ZA has a
free-for-home-use "standard" version - LnS "lite" is the old pre-app-aware
version).

PGP firewall is pretty crude, and only worth considering if you are buying
it anyway (it comes bundled with the current release of PGP for corporate
security; I won't have it installed though, because of the PKZ/closed source
issue).

There are a few other firewalls I will not review individually - Conseal &
Sygate are good examples - but I regard them as being inferior to Tiny but
superior to ZA standard (the jury is still out for one or two of them vs ZA
Pro). Of course I stress that that is just *my* honest opinion - you may
wish to try them. Each has a free trial you can use: ZA Pro also has a
(code-limited - key required) 30 day trial, and Tiny gives their main product
for free for non-commercial use, with a 30 day trial licence for commercial
(so the licensing is administrative/paper, and has no effect on the package;
no keys or anything to fiddle with); most of the others follow one or the
other model (Conseal and Sygate are unlimited, Look'n'stop is time-limited
shareware). And most of them have additional non-firewall "added features" -
ZA has a POP3 filter that will rename attachments on the fly to
non-executable names; one of the others (Sygate or Conseal - I can't
remember which) has what amounts to the webwasher HTTP ad removal proxy
built in, and so forth (Tiny has no additional features; I believe this is a
good thing, but some may disagree - I do like having my firewalls just be
firewalls though :)
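The "filters apps" versus "filters packets" distinction drawn in the post is easy to state and easy to misjudge, so here is a small Python model of both philosophies side by side. This is an added illustration and not code from any of the products named (ZoneAlarm, Tiny, BlackIce, Look'n'stop); the rule vocabulary, the zone model, the slider behaviour for unclaimed inbound packets and the sample traffic are all assumptions chosen to mirror the post's description, not the real products' behaviour.

```python
"""Toy model of two personal-firewall philosophies: application filtering
(ZoneAlarm-style: may this app send, may it act as a server, decided per
zone) versus app-aware packet filtering (Tiny-style: an ordered rulebase
over app, direction, protocol, ports and hosts, "any" as wildcard app).
Added illustration only; rule vocabulary, zone model and traffic below are
assumptions, not the behaviour of any real product."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

TCP, UDP, ICMP, IGMP = 6, 17, 1, 2      # IP protocol numbers (IGMP is "protocol 2")


@dataclass(frozen=True)
class Packet:
    app: str                 # owning process, "" when no process has claimed the socket
    direction: str           # "out" (locally originated) or "in" (unsolicited from remote)
    proto: int
    remote: str
    local_port: Optional[int] = None
    remote_port: Optional[int] = None


# --- App filter: the decision hangs on the app and the zone, never the packet ---
@dataclass
class AppPerms:
    connect: dict = field(default_factory=lambda: {"lan": "ask", "internet": "ask"})
    server: dict = field(default_factory=lambda: {"lan": "ask", "internet": "ask"})


class AppFilter:
    NETBIOS = {135, 137, 138, 139, 445}          # assumed "139 etc." autoblock list

    def __init__(self, lan_nets, level="medium"):
        self.lan_nets = [ip_network(n) for n in lan_nets]   # the "advanced" local-zone list
        self.level = level                                    # slider: unprotected/medium/high
        self.perms = {}                                       # app name -> AppPerms

    def zone(self, host):
        ip = ip_address(host)
        return "lan" if any(ip in n for n in self.lan_nets) else "internet"

    def decide(self, p):
        perms = self.perms.get(p.app, AppPerms())
        if p.direction == "out":
            return perms.connect[self.zone(p.remote)]   # port and protocol never consulted
        if self.level != "unprotected" and p.local_port in self.NETBIOS:
            return "deny"                               # slider autoblock, regardless of app
        if not p.app:                                   # nothing listening: slider decides
            return "drop-stealth" if self.level == "high" else "deny"   # silent drop vs reject
        return perms.server[self.zone(p.remote)]        # the "act as a server" checkbox


# --- Packet filter: first matching rule wins, unmatched traffic hits the popup ---
@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    app: str = "any"
    direction: str = "any"
    proto: Optional[int] = None     # None = any protocol
    local_port: Optional[int] = None
    remote: Optional[str] = None    # host or CIDR, None = any
    remote_port: Optional[int] = None

    def matches(self, p):
        return (self.app in ("any", p.app)
                and self.direction in ("any", p.direction)
                and self.proto in (None, p.proto)
                and self.local_port in (None, p.local_port)
                and self.remote_port in (None, p.remote_port)
                and (self.remote is None
                     or ip_address(p.remote) in ip_network(self.remote, strict=False)))


class PacketFilter:
    def __init__(self, rules, default="ask"):
        self.rules = list(rules)
        self.default = default      # what happens to traffic no rule covers

    def decide(self, p):
        return next((r.action for r in self.rules if r.matches(p)), self.default)

    def learn(self, p, action):
        """The popup's "create rule" checkbox: remember this decision for identical traffic."""
        self.rules.append(Rule(action, p.app, p.direction, p.proto,
                               p.local_port, p.remote, p.remote_port))


def sample_decisions():
    """Constructed traffic run through both models; returns {label: (app-style, packet-style)}."""
    za = AppFilter(["192.168.1.0/24"], level="high")
    za.perms["iexplore.exe"] = AppPerms(connect={"lan": "yes", "internet": "yes"})
    tiny = PacketFilter([
        Rule("allow", app="iexplore.exe", direction="out", proto=TCP, remote_port=80),
        Rule("allow", direction="in", proto=TCP, local_port=139, remote="192.168.1.0/24"),
        Rule("deny", direction="in", proto=TCP, local_port=139),
        Rule("allow", proto=IGMP),                  # an "other protocols" rule by number
        Rule("deny", direction="in", proto=ICMP),   # ICMP is a first-class rule target
    ])
    traffic = {   # constructed sample packets (documentation/reserved address ranges)
        "browser to web": Packet("iexplore.exe", "out", TCP, "203.0.113.10", 1030, 80),
        "browser to irc": Packet("iexplore.exe", "out", TCP, "203.0.113.10", 1031, 6667),
        "smb from lan": Packet("System", "in", TCP, "192.168.1.20", 139, 1045),
        "smb from internet": Packet("System", "in", TCP, "198.51.100.7", 139, 2049),
        "scan of idle port": Packet("", "in", TCP, "198.51.100.7", 3389, 40000),
        "igmp membership": Packet("", "in", IGMP, "192.168.1.1"),
        "ping from internet": Packet("", "in", ICMP, "198.51.100.7"),
    }
    return {name: (za.decide(p), tiny.decide(p)) for name, p in traffic.items()}


if __name__ == "__main__":
    for name, (app_style, packet_style) in sample_decisions().items():
        print(f"{name:20} app-filter={app_style:13} packet-filter={packet_style}")
```

The "browser to irc" row is the point the post makes: once the browser is allowed out to the internet, the app filter is satisfied whatever port it talks to, while the packet filter only knows about port 80 and sends everything else to the popup. The "smb from lan" row shows the reverse trade-off, a host-qualified rule that the slider-only model cannot express.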




More information about the NANOG mailing list