Just got DSL. Do I really need a firewall? And recommend free software :)

I’m sure this has been discussed before. Just looking for a quick and dirty answer.

I just got DSL. (It rocks. I don’t know how I lived without it.) And, of course, everyone says, set up a firewall.

Question 1: What’s so different about a DSL connection (versus a dial-up connection) that necessitates a firewall?

Question 2: Please recommend some good, free firewall software that won’t annoy me with security prompts at every turn.

Thanks!

ZoneAlarm is a free, easy to use personal firewall. It is rated as one of the very best firewalls available.

All connections should have a firewall up, even dialup. DSL and cable hookups have "always on" availability, so there is a larger window of opportunity for malicious worms and crackers to attack your system.

I agree ZoneAlarm is the best.

Another vote for ZoneAlarm.

Zone alarm, just got it and it’s great.

Sadly, there are a lot of dinks out there with too much time on their hands and anti-social personality disorders. More than a few of them spend a lot of time “port-scanning” blocks of IPs, looking for vulnerabilities, active trojans, what have you. If you’re on dial-up you’re something of a moving target, you connect for an hour (or whatever) then drop off. The next time you connect, chances are you have a different IP. Also, you’ve got way less bandwidth, making you not as valuable for certain purposes. DSL and cable are “always-on”, have the same IP for large blocks of time, and have a fair amount of available bandwidth.

Firewalls do three things. The first is that (presuming for all three that you’re using a decent one and it’s properly configured) they make you essentially “invisible” on the net. To a port scanner it looks like the IP isn’t in use, makes it look like there’s no computer there. The second thing is that they can protect you from some kinds of attacks. The third thing is that they only allow authorized programs to access the net - useful in stopping trojans, malware, and various such annoyances from being able to phone home.

There are two kinds of firewalls. The first is hardware based; these days most routers have a built-in firewall/NAT server. A properly configured hardware firewall makes things extremely difficult - darn near impossible - for an outside attack to affect your internal network. The only problem is that a hardware firewall can't do #3 above. Since the hardware firewall has no way of knowing where the packets are coming from on the internal network, it can't limit what programs can access the net. The other type is a software firewall that runs on your system. A software firewall isn't quite as good at protecting your system as a hardware firewall, but since it is running on your system it does know what programs are attempting to access the net and it can (and should) limit that to those programs you have identified as having reason to do so.

As far as software firewalls are concerned, there are a number of them out there, many of which have a “free” version. ZoneAlarm is probably the most popular because it’s extremely easy to use. Myself, I don’t like it much, it’s a resource hog and I’ve had problems with it in the past. Be that as it may, if you’re not familiar with how things work on the 'net, ZA may be your best choice.

Anyway, a few of the popular software firewalls with freeware versions -

ZoneAlarm
Sygate Personal Firewall
Agnitum Outpost

Once you've got things set up, Gibson Research has a test called "Shields Up" that will scan your system for vulnerabilities. There are several such tests out there; it's worth trying them before and after to see what it is your firewall is doing for you.

A couple of notes - WinXP has a built-in firewall, but it’s not worth much as it doesn’t give you any way of controlling outbound traffic. Also, the tests above are not worth a lot if you’re sitting behind a hardware firewall.

FWIW, hope that helps a little.

Myria

Personal firewalls like Zone Alarm won’t give you much protection against outbound connections anyway, because those connections will usually be made by local programs (including viruses, trojans, worms and spyware) running with administrator privileges and such programs won’t necessarily be stopped by the firewall anyway.

The thing is, personal firewalls add little or no security. They might stop some unwanted connections, but you are much better off disabling the software listening on those ports rather than running even more software - don't forget that all software has bugs. If you can't or don't want to spend time keeping the machine secure, use a real firewall (it does not need to be dedicated hardware, but it does need to be separate from the network it's protecting).

I guess that’s one vote against Zone Alarm.

Are you sure about that? I log in with admin privileges on my Windows XP machine, and ZoneAlarm stops outgoing traffic from any program I run and pops up a window asking me to authorize access.

This is incorrect. Obviously you have never used ZoneAlarm, or you'd know that when you first run it, it asks you each time a different program attempts to access the internet. And it's not fooled by a worm which tries to pretend to be an authorized program. Nothing–and I do mean nothing–gets by ZoneAlarm unless you allow it. Install it and then download LeakTest, which simulates many types of worms and trojans to gauge the effectiveness of your firewall. XP's firewall fails this test miserably. ZoneAlarm doesn't.

Just a personal story…
I turned off Zone Alarm for three minutes a few weeks ago, and almost instantly got hit with the msblaster trojan. Get, at the very least, the free version of Zone Alarm, and never NEVER turn it off. Chances are, you've been hacked already. I knew better than to turn off my firewall, and I'm lucky nothing worse than that pesky trojan happened to me.

Jon

Didn’t you get free software to do that when you got DSL? I noticed our local company gives that with your modem.

• Another zonealarm vote, if you don't want to pay for a hardware firewall.
• I got infected with a worm once and Zonealarm popped up when it began to try to connect, and then after about twenty attempts at that, Zonealarm began popping up messages asking if another program had permission to shut it down. … I have read that it is -possible- to create a trojan capable of silently defeating Zonealarm, but I have not read of any in the wild that yet can.
~

I have a hardware firewall, but all the people I know that don’t use a router/gateway use ZoneAlarm.

I have tried Zone Alarm and while I don’t claim to have studied its design in detail I know fairly well how it works. It hooks into Windows’ TCP/IP code in order to check inbound connections and also tries to keep track of what local processes are making outbound connections.

There’s nothing magic about the way Zone Alarm works. Once run by a user with administrative privileges, a malicious program can do/undo/bypass any of those things. Furthermore, the local security model of Windows is sufficiently weak to allow circumventing the checks by a variety of methods (injecting code into a process already trusted by Zone Alarm, for example).

If your machine is clean you can improve security by more carefully checking inbound data. But as soon as untrusted code is allowed to run on your system all bets are off. The vast majority of trojans (etc) are still rather badly written and personal firewalls may have been able to stop them, but relying on this to remain true in the future is very dangerous.

I paid $39 for ZoneAlarm Pro (preferring to pay for what I want and expect it to work) and I have just uninstalled it.

All sorts of problems with web sites not working, network not working, and computer unable to turn off. Worked for several hours fooling with ZoneAlarm settings, making progress on some problems but not others.

After uninstalling, I can now turn my computer off again. And, now I can get back on SDMB!

Simple, just compile your kernel (2.4.x of course) with the NAT options, enable connection tracking and netfilter. Then install the latest version of iptables and you're good to go; just write a simple script to activate your ACLs on startup and you have yourself a world class stateful firewall at no cost. Works fine for protecting the local machine or the whole network if you make that machine your gateway.

This is of course only valid if you’re running Linux, but it is a Free Software recommendation, which you did ask for…
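The "simple script" the post above refers to, written out as an added example (it is not code from the thread or from any of the posters). It assumes a Linux host with the netfilter userspace tools installed; the WAN interface name (`eth0`) and the single inbound service port (`22`) are placeholders to edit. The ruleset is emitted in `iptables-restore` format so it loads atomically rather than one rule at a time, and the default INPUT policy is DROP, with only return traffic for connections this host started (conntrack state ESTABLISHED,RELATED) and the listed ports allowed in:

```shell
#!/bin/sh
# Added example: minimal stateful host firewall for Linux netfilter/iptables.
# Not from the original thread. Interface name and allowed ports are
# assumptions; override them with environment variables.

WAN_IF="${WAN_IF:-eth0}"        # assumption: the DSL-facing interface
ALLOW_TCP="${ALLOW_TCP:-22}"    # assumption: inbound TCP services you really run

# Print the ruleset in iptables-restore format.
# INPUT/FORWARD default to DROP; OUTPUT is open (a host firewall, so outbound
# filtering by program is not something netfilter alone can do).
fw_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
EOF
    # One explicit ACCEPT per service port; everything else stays closed so a
    # port scan sees nothing listening.
    for p in $ALLOW_TCP; do
        echo "-A INPUT -i $WAN_IF -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
-A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -m limit --limit 4/s -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: " --log-level 4
-A INPUT -j DROP
COMMIT
EOF
}

# Load the ruleset atomically (needs root and iptables-restore).
fw_apply() {
    fw_ruleset | iptables-restore
}

# Number of rules that admit a NEW inbound connection; handy to eyeball
# before applying, it should equal the number of ports you listed.
fw_open_ports() {
    fw_ruleset | grep -c -- '--state NEW -j ACCEPT'
}

case "${1:-}" in
    --apply) fw_apply ;;
    --show)  fw_ruleset ;;
esac
```

Run it with `--show` first and read the output; only then `--apply` as root, and call it from your init scripts so the rules come back after a reboot. The `-m state` match is the 2.4-era spelling; current kernels accept it as an alias for `-m conntrack --ctstate`.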

A problem is that the makers of ZoneAlarm agreed after Sept. 11 to put a backdoor into their product so that the government could access your computer if it wanted to. If you value your privacy, ZoneAlarm is not something to get.

UnuMondo

It doesn’t try to track local processes, it DOES. It enumerates every program that attempts to access your internet connections and assigns a unique hash to each program. If the executable changes it revokes permissions until you re-allow those permissions. This was an important step for zone-alarm, as it prevented executables that are named the same as a permitted process access. Virus ridden iexplore.exe is not the same hash as the original, therefore no access for virus ridden iexplore.exe.

Zone alarm will pop up a dialogue if a program (or even you) attempts to stop the vsmon.exe, the engine behind the program. This was a response to malware stopping the firewall silently. It’s no longer an issue. Again, you cannot ‘inject’ code into a compiled executable, but if you remade an executable with the same name as a permitted executable, zone alarm would still pop and ask for permissions, as this new executable is not the same to zone alarm. Even if it’s named the same.

And the 'local security model of Windows' is not any 'weaker' than any other OS. Yes, the default is to run with full admin permissions. This is not so much a flaw of Windows as a flaw of users, who could use a weaker account; they just chose not to (or don't know how to) change the default. It's no better or worse, right or wrong, than running as ROOT.

Education is the best defense against the crap being spewed around the public networks today. Most people aren’t going to parse snort logs 2-3 hours a day looking for potential ‘issues’.

Zone Alarm is a fine, free tool that should keep you safe on the public networks.

on preview, **UnuMondo**, cite?
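The mechanism described two posts up, permitting a program by the hash of its executable rather than by its file name, as an added example (not code from the thread or from ZoneAlarm). It assumes GNU coreutils `sha256sum` and an allowlist file of `<sha256>  <path>` lines; paths containing spaces are not handled. The demo shows the name-squatting case the post describes: a different binary dropped in under a permitted name loses the permission because its hash no longer matches.

```shell
#!/bin/sh
# Added example: hash-based program allowlist. Not from the original thread.
# Assumptions: GNU sha256sum is available; ALLOWLIST names the allowlist file.

ALLOWLIST="${ALLOWLIST:-./allowed-programs.txt}"

# Record the current hash of an executable as permitted.
allow_program() {
    sha256sum "$1" >> "$ALLOWLIST"
}

# Decide whether a program may connect out. Exit status:
#   0 = hash matches a recorded entry for this path (permit silently)
#   1 = path is known but the bytes changed (revoke, ask the user again)
#   2 = path never seen, or file missing (ask the user)
check_program() {
    path="$1"
    [ -f "$ALLOWLIST" ] || return 2
    [ -f "$path" ] || return 2
    cur=$(sha256sum "$path" | cut -d' ' -f1)
    # every hash ever recorded for exactly this path
    known=$(awk -v p="$path" '$2 == p {print $1}' "$ALLOWLIST")
    [ -n "$known" ] || return 2
    for h in $known; do
        [ "$h" = "$cur" ] && return 0
    done
    return 1
}

# Self-contained demonstration on constructed files in a temp directory:
# a permitted "iexplore.exe" stand-in, then a replacement with the same name,
# then a path that was never recorded.
demo() {
    d=$(mktemp -d)
    ALLOWLIST="$d/allowed.txt"
    printf 'genuine browser\n' > "$d/iexplore.exe"          # constructed stand-in
    allow_program "$d/iexplore.exe"
    if check_program "$d/iexplore.exe"; then r1=0; else r1=$?; fi
    printf 'something else using the same name\n' > "$d/iexplore.exe"
    if check_program "$d/iexplore.exe"; then r2=0; else r2=$?; fi
    if check_program "$d/never-seen.exe"; then r3=0; else r3=$?; fi
    rm -rf "$d"
    echo "$r1 $r2 $r3"   # prints "0 1 2"
}
```

Note what this does and does not buy you: it defeats a binary renamed to a trusted name, but it says nothing about code running inside an already-trusted process, which is the objection raised earlier in the thread.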

I concur with cite request, Unu.

Yeah, you’re going to need to back this statement up, because it sounds like pure bullshit to me. I’m curious as to where you came by this tidbit.