Firewall? Firewall!

[arch0nmyc0n]

I'm just wondering how many people here use firewalls? And if so which ones they would use. I imagine everyone in a business has one running at some level. But, do you think average users should have a firewall such as Zone Alarm (or whatever) installed on their computer?

Personally I don't think average users should bother with software firewalls. I usually tell people, if they really want a firewall to forego the software and buy a hardware router or something with one built in.

But for computer builders/techs, do you put one on outgoing computers or what?

[silencio]

I think zone alarm can be too much for the average user. You don't want them calling you all the time asking "should I let x application access the internet?" My advise, good antivirus on the box, keep it up to date and get an router/nat/switch if you're on broadband. If it's a dialup just use the firewall feature built into xp.

[NooNoo]

If they are on broadband, a firewall is a must - it is better to learn how to use a firewall than reinstalling everything after a script kiddie used them as a free ftp - or worse getting their connection removed because they unwittingly took part in a DDOS attack or have been used as a spam emailer.....

Kerio is nice and easy and free
Zone alarm also.

Dialup users - do not really need a firewall as for the most part they are not online long enough to be useful and their connection is too slow.

[craigmodius]

I think zonealarm is great for the home user. You just have to take a little time to educate them. I think it is an advantage over a hardware firewall that ZA asks you what to let access the internet.

Definately needed for DSL type connections, as far as dialup goes, up until Blaster made it's rounds I would agree with NooNoo, but since then it seems like on dialup at least the XP firewall.

[Stalemate]

I was building up a laptop last weekend and - I kid you not - 10 minutes after I gor DSL configured a virus found its way in (worm).

So aside from AV, I put in Kerio and leave a shortcut to the manual on the desktop on all my builds now.

[swamprat]

I usually put free version of Sygate on system builds, unless th ecustomer wants something else.

[kato2274]

I have a smoothwall router/firewall right after my cable modem. I reccomend the same for any client I have with broadband. a router / firewall right behind the cable modem before the client computer(s) It doesn't have to be smoothwall any linksys, dlink, or comparable broadband router functions just fine. they pretty much surf the web as normal. they don't have to answer questions about allowing X application to access the internet. they can add more computers to share the internet at any time.

a small dlink router saved my parents and more importantly me (from having to fix it) from the msblast virus even though they weren't patched. My smoothwall box also kept the worm out (I was patched) there was a ton of activity in my snort IDS logs that couple of weeks

[Tekboy]

For my network at home, I took an old MediaGX machine and installed Freesco as a router/firewall, and it has functioned flawlessly for over two years now. Just a headless box under the desk. For info go to:
http://www.freesco.org

For end users with any kind of Broadband, I encourage them to get a Linksys or D-Link router as soon as possible, or if they buy a laptop, one with wireless capability, as well as heavy duty encryption.

If this isn't feasible for any reason, I encourage them to get Zone Alarm, or I let them pay me to download it for them if I am onsite. Further, I ALWAYS make sure that their AV program is set to update whenever they are online, and I ALWAYS configure it to DELETE any virus it finds. That eliminates a whole lot of after-hours phone calls (Sole Proprietor), and prevents a great deal of issues.

PS: It took a long time for me to pony up the dues for this site. First post, blah, blah LOL

[hudsonsmith]

I use ZoneAlarm (free) at home and have found that once access is configured for the applications I run frequently, it doesn't require much user input. Usually I just run the programs most likely to require internet access right after installation and configure them all at once.

I think going without anything is asking for trouble if you have broadband. If you think average users are not at risk, take a look at the log zonealarm creates. I find dozens of attempts to connect per hour. Also take a look at the Shields Up test page at grc.com.

[arch0nmyc0n]

Wow, thanks for all the replies. Good arguements that are making me reconsider. Is there a software firewall that allows whatever you do OUT on any port, but no incoming connections (other than what you just sent out)? like the hardware firewalls do? I've used Zone Alarm in the past and found it to be just too many questions about everything. I didn't use it long enough to find out if it does what I need... any suggestions? Basically I just want something software that's quiet, as far as the user is concerned they barely know it exists...

[Matridom]

I was using ISA server for my firewall/NAT for the longest while, recently upgraded to a router, work beautifully (VPN issue's still need to be worked on).

If your on broadband, a firewall is a must, even if it's just the built in firewall that is included with XP. I think zone alarm is wonderfull *IF* you take an hour or two to learn it. It all starts with the user and educated them, after that, things are simple.

[Shard92]

personally I still use one on dial-up. i know a lot of you don't believe them necessary but with more and more virus' coming out that spead via ways other than e-mail ( direct ip connections etc.. ) I like having it up. Still get lots of blocked accesses to my computer, but I also like knowing when something is trying to access the net FROM my computer ....

[silencio]

tekboy made a great point. Wireless security is a huge problem. You can drive around atlanta with net stumbler all day long.

[Gollo]

tekboy made a great point. Wireless security is a huge problem. You can drive around atlanta with net stumbler all day long.

Whoo hoo! A compatriot! Next step is to get kismet running solid with gps

[craigmodius]

Is there a software firewall that allows whatever you do OUT on any port, but no incoming connections (other than what you just sent out)? like the hardware firewalls do? I've used Zone Alarm in the past and found it to be just too many questions about everything. I didn't use it long enough to find out if it does what I need... any suggestions? Basically I just want something software that's quiet, as far as the user is concerned they barely know it exists...

As Hudsonsmith is saying once you install it if you run the programs that need to access the internet you can tell it to "Allow this program to access the internet" and "Don't ask me this again" so it won't keep bugging you. And you can turn off notification for incoming connections so it won't bug you about those.

Then the user is left knowing what's going out the door which is better for you and them in my book. It is the RESPONSIBLE approach.

Say this out loud one time, "That PC Repair Guy installed a firewall on my system and HE configured it. I didn't know there was a trojan horse on my PC serving up webpages designed to steal credit card numbers Mr. FBI Man, that's why I'm suing him for every cent he's got"

oops I'm sorry was that a little pessimistic, or as I pronounce it 'realistic'