Does anyone know of Windows software that will serve as a firewall that is not computationally expensive with high network traffic?
I would like it to do the following:
Close ports / monitor port scans.
Selectively allow programs to access the internet, and only on ports I choose.
NOT analyze all data running through the network connection (I don’t know if this is even possible. It may be inherent in the way that such firewalls monitor things)
I am running a fileserver on the local network, and at times there is high network traffic on my machine. I have tried Sygate Personal Firewall and one other (Black Ice, maybe?), and both had the problem that, when network traffic got high, the firewall program took up large amounts of my processor, making it essentially impossible for me to use my computer for much. Yes, it’d be nice if I could afford a separate computer to operate as fileserver, but I can’t. I can, however, shell out $50 for a firewall, especially if there’s a free trial I can try out first.
Well, it’s not Windows - my $50 firewall is a P200 running Debian. It runs a bunch of other stuff on the side, and I’m pretty sure I could saturate the connection w/o slowing anything down. It does take slightly more time, somewhat more intelligence, and much more third-party help to administer, though. There’s a new interesting application layer filter released recently, if that helps.
I’m not very familiar with Win32 stuff in this area - sorry!
UDP packets are IP packets. And ping will typically use ICMP, not UDP.
“Personal firewalls” like ZoneAlarm are packet filters; they need to examine all packets in order to work. I’m a bit surprised that you have found the performance impact to be that significant, but such software is pretty much pointless for improving security anyway so you could consider not using it.
Firewall programs by definition must do some packet analysis. If the current ones are too computationally intensive, you’d be infinitely better off spending the effort to get a $29 Linksys BEFSR41 and dropping your computational hit to “0”, and getting better security from many standpoints.
The very concept of using Windows to secure anything gives me hives.
I strongly recommend either a dedicated hardware firewall or a cheap PC running some flavor of either Linux or FreeBSD. I generally disrecommend Linksys because their boxes are underengineered and tend to die young, but that’s just personal experience (and besides now that Cisco owns Linksys maybe their product will get better now). I personally run Debian on an old P120 for my cable connection, and it holds up just fine.
I totally agree with everyone else in this thread. A hardware router will work better, be more reliable, be just as easy (if not easier) to set up, and will cost about the same as a software package. I tend to go with D-Link’s (the DI-7xx family) myself–they work fine, they’re cheap and they’re easily available just about everywhere. The later model ones even have an extraordinarily easy to use web interface.
For the Linux types in this thread–how hard is setting up a Linux box as a firewall? I’ve never tried it myself. I noticed the option in the Mandrake setup, so I assume it’s automated in the install process?
I used to have the old 486 box as a firewall. I got rid of it for the Linksys box discussed above. The Linksys box is better in terms of space, in terms of noise, in terms of electricity consumed, and in terms of ease of use.
Ok. Looks like strong consensus that I should just run an actual hardware firewall. I’m sure I can come up with a spare crappy pc somewhere.
Next question: Any website with nice tutorials for setting such a thing up? Or any Linux distro that is either tending toward this kind of use or newbie friendly?
I’m not totally Linux-ignorant, but I don’t want to have to spend umpteen hours on some mailing list trying to figure out why my browser can’t get through.
I have a Linksys BEFSR41. I’m also having computational issues with my firewall, ZoneAlarm, and would like to use only the router’s firewall.
In the documentation (which can be found at ftp://ftp.linksys.com/pdf/befsr11_befsr41ug.pdf ) it is not clear at all to me what I need to do to make sure the Linksys is performing its firewall duty, without using its built-in cooperation with ZoneAlarm PRO (which I never used; I only used the free version).
It does say “The Router provides a built-in Internet NAT firewall.”
Perhaps some of you folks can give me some advice how I need to set up the thing so that it’s functioning as a good stand-alone firewall?
I originally purchased the thing to share a cable modem connection between two machines.
FWIW, I have a Netgear combination firewall/router, and it is absolutely useless when it comes to blocking attacks, even after updating to the latest firmware. I won’t so much as plug in the ethernet cable without a software firewall up and running.
Have you considered adding RAM to your system to improve overall performance, and leaving the software intact? I’d at least recommend leaving the software firewall in place for a week or two after the hardware firewall is set up, and check the logs to see whether the software has detected any attacks. If not, you’re probably fine with the hardware firewall alone.
Adding more RAM won’t help (I don’t think), because during high traffic periods, the firewall software is using up 90% of the CPU cycles.
Wow Caldazar, that is one massive site. I’ll definitely take a look at it. My only worry is that there will be too much information. So much that I have difficulty just getting it done. Thanks, all, for the suggestions so far.
It might. I’m no expert, but as I understand it, the CPU is hit much harder when your RAM is all used up. (Put data in RAM, look at data in RAM, clear out data, add more data, repeat – versus put data in RAM, look at data in RAM.) Could be wrong.
You may want to try one of the Linux distros that boots off a CD or floppy and is designed to be a dedicated firewall. Check out this article on Slashdot.
If you’re accessing the Internet through it, it should already be functioning as a NAT firewall. Check your IP address to be sure. To do this in Win9x/Me, go to Start->Run, type winipcfg, and press enter. In Win2000/XP, go to Start->Run and type cmd. From the resultant command prompt, type ipconfig /all and press enter. If your IP address starts with 192.168.1 (or really any address starting in 192.168, but 1 is default for the third octet on recent Linksys router models), then the NAT router is functioning properly.
If there is anything else you need to configure on the router, you’ll have to type your router’s IP address into your browser and configure it from there. This procedure is described in chapters 8 and 9 of the document you linked to.
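The check described in this post (look at your own address and see whether it is a 192.168.x.x one handed out by the router) is easy to script. The following is an added example, not from the poster, written as a POSIX shell function so it runs on the Linux firewall box the thread also discusses; on Windows the same decision is made by eye from the winipcfg / ipconfig output. It classifies an IPv4 address into the three RFC 1918 private ranges (which means you are behind the router's NAT), the 169.254/16 link-local range (which Windows assigns itself when no DHCP server answered, i.e. the router is not handing out addresses at all), loopback, or public. The sample addresses in the usage note are constructed.

```shell
#!/bin/sh
# Added example: classify an IPv4 address the way the "am I behind the NAT
# router?" check above does. Prints one of:
#   private     RFC 1918 (10/8, 172.16/12, 192.168/16): the router's NAT is in front of you
#   link-local  169.254/16: DHCP got no answer, the router is not handing out addresses
#   loopback    127/8
#   public      anything else: you are directly on the cable modem, no NAT
#   invalid     not a dotted-quad IPv4 address

addr_class() {
    addr=$1
    oldifs=$IFS
    IFS=.
    set -- $addr
    IFS=$oldifs
    if [ "$#" -ne 4 ]; then
        echo invalid
        return 1
    fi
    # every octet must be a decimal number 0-255
    for o in "$1" "$2" "$3" "$4"; do
        case $o in
            ''|*[!0-9]*) echo invalid; return 1 ;;
        esac
        if [ "$o" -gt 255 ]; then
            echo invalid
            return 1
        fi
    done
    a=$1; b=$2
    if [ "$a" -eq 10 ]; then
        echo private                                   # 10.0.0.0/8
    elif [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then
        echo private                                   # 172.16.0.0/12
    elif [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then
        echo private                                   # 192.168.0.0/16
    elif [ "$a" -eq 169 ] && [ "$b" -eq 254 ]; then
        echo link-local                                # 169.254.0.0/16 (APIPA)
    elif [ "$a" -eq 127 ]; then
        echo loopback
    else
        echo public
    fi
}

# Stand-alone use: ./addrcheck.sh 192.168.1.100
if [ "$#" -ge 1 ]; then
    addr_class "$1"
fi
```

Usage on the firewall box itself would be something like `addr_class "$(ip -4 -o addr show eth1 | awk '{print $4}' | cut -d/ -f1)"`. One caveat the post does not spell out: a private address only proves the NAT is in the path, not that the router is filtering anything beyond what NAT implies; to confirm that, scan the router's WAN address from outside and check that nothing is open.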
A little alert popped up from my system tray and informed me that an attack had been detected and blocked. Some of the attacks have occurred when I’m not doing anything else; all browser windows closed, the connection is just sitting idle, so it’s unlikely that these were false alarms from harmless web pages. To the best of my knowledge, a hacker has never actually gotten through to me (but I’ve stupidly downloaded the occasional virus without help from anyone else).
A friend once discovered that she was being used as a file server for German pr0n – this within two hours of installing XP (before she downloaded the updates that fix many of the security holes). But she had no firewall up at all at the time. I don’t have any anecdotes of successful attacks through hardware firewalls, but the fact that my software firewall catches anything at all is enough to destroy my trust in the hardware one.