This is the static archive of the Massassi Forums. The forums are closed indefinitely. Thanks for all the memories!

Firewalls
2005-11-13, 2:40 PM #1
My roommate is a cyber security risk, and I want a firewall on his system. He doesn't want to spend money, and I'm sure as Hell not going to pay to cover his ***. So, he's got the MS firewall, and I know about ZoneAlarm, and I know they don't like to play with others. Anyone have recommendations of free, good software firewalls? He's behind a Netgear router with SPI and NAT, but that's obviously not enough, as evidenced by the over-30 viruses found on his computer.
the idiot is the person who follows the idiot and your not following me your insulting me your following the path of a idiot so that makes you the idiot - LC Tusken
2005-11-13, 2:46 PM #2
Firewalls don't stop viruses. And that router has infinitely better firewall protection than any software firewall will provide him. Not to mention, software firewalls tend to screw up the system more than they help (such as ZONEALARM OMFG)
2005-11-13, 2:55 PM #3
Software firewalls stop unauthorized users from getting into your system and planting viruses. Software firewalls stop unauthorized programs from going out (assuming that you properly manage your exceptions).

My Norton firewall has done me just fine - it even stopped a DoS attack that took down a Mediacom nameserver. Software firewalls add that little bit more of protection to your system - another point in defense in-depth.

I know that a hardware firewall provides better protection than a software firewall. But it's not necessarily a bad idea to have multiple firewalls between you and the router.
the idiot is the person who follows the idiot and your not following me your insulting me your following the path of a idiot so that makes you the idiot - LC Tusken
2005-11-13, 2:59 PM #4
Originally posted by Wolfy:
Software firewalls stop unauthorized users from getting into your system and planting viruses. Software firewalls stop unauthorized programs from going out (assuming that you properly manage your exceptions).



Somehow I don't think you need to stop "unauthorized users" unless you are trying to stop your friend :p

No one is breaking into his PC, he's just downloading crap.
2005-11-13, 3:04 PM #5
avg?
free(jin);
tofu sucks
2005-11-13, 3:16 PM #6
avg doesn't have a firewall, just a live protection thing.
2005-11-13, 3:18 PM #7
Originally posted by Cool Matty:
he's just downloading crap.

well then that's his own damn fault, and a firewall won't stop it :p
$do || ! $do ; try
try: command not found
Ye Olde Galactic Empire Mission Editor (X-wing, TIE, XvT/BoP, XWA)
2005-11-13, 3:36 PM #8
Originally posted by Darkjedibob:
well then that's his own damn fault, and a firewall won't stop it :p

Correct. In which case, AVG would be a good idea. :rolleyes:
Naked Feet are Happy Feet
:omgkroko:
2005-11-13, 7:46 PM #9
What web browser is this friend using? If the answer is "Internet Explorer", then I think you know what you need to do...
And when the moment is right, I'm gonna fly a kite.
2005-11-13, 8:29 PM #10
Wolfy, I think you need an IQwall.
SnailIracing:n(500tpostshpereline)pants
-----------------------------@%
2005-11-13, 8:37 PM #11
Originally posted by gbk:
What web browser is this friend using? If the answer is "Internet Explorer", then I think you know what you need to do...


I forced him to switch to Firefox, much to his complaining.
the idiot is the person who follows the idiot and your not following me your insulting me your following the path of a idiot so that makes you the idiot - LC Tusken
2005-11-14, 12:55 AM #12
Originally posted by Wolfy:
Software firewalls stop unauthorized users from getting into your system and planting viruses. Software firewalls stop unauthorized programs from going out (assuming that you properly manage your exceptions).


These are just two ways where unauthorized programs tunneled a firewall:
http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2005-11/0176.html
http://hackingspirits.com/vuln-rnd/vuln-rnd.html

One of the easiest would be that the program just authorises itself. That's why user-interaction with a firewall is bad.

Quote:
I know that a hardware firewall provides better protection than a software firewall. But it's not necessarily a bad idea to have multiple firewalls between you and the router.


A hardware firewall is better because it cannot be manipulated from the computer(s) it's supposed to protect.

I would take away admin-privileges from your roommate. Most malware needs administrator-privileges to install and if they don't you just have to delete the compromised account and its data and you're rid of it.
Sorry for the lousy German
2005-11-14, 1:09 AM #13
I'd set up a firewall between your computers.
2005-11-14, 6:22 AM #14
Sygate rox! Best firewall I ever used, will question everything that tries to connect to Internet, good for getting those pesky trojans and hackers.


-KnightRider2000
The right man in the wrong place can make all the difference in the world.

-G Man
2005-11-14, 7:02 AM #15
Originally posted by Impi:
One of the easiest would be that the program just authorises itself. That's why user-interaction with a firewall is bad.


I know that software firewalls should not be an only means of defense, but that doesn't mean to toss them aside.

Quote:
A hardware firewall is better because it cannot be manipulated from the computer(s) it's supposed to protect.


I know.

Originally posted by Jon`C:
I'd set up a firewall between your computers.


Hmm. A nice hardware firewall between me and the rest of the network. Well, it'd definitely get a point across to my roommates. ;)
the idiot is the person who follows the idiot and your not following me your insulting me your following the path of a idiot so that makes you the idiot - LC Tusken
2005-11-14, 7:25 AM #16
Originally posted by Wolfy:
I know that software firewalls should not be an only means of defense, but that doesn't mean to toss them aside.


How about that they can be a security risk by themselves?
IE: http://securityresponse.symantec.com/avcenter/security/Content/2004.05.12.html

A software firewall heightens the code-base of the system, thus leaving more room for vulnerabilities.
I'd rather run less software and thus giving a narrower attack-window. In that way I also get better performance out of my machine. If I want to waste resources, I run Seti@home.
Sorry for the lousy German
2005-11-14, 7:45 AM #17
So, instead of a stone wall around you with a few (fixed) exploits, you simply tear the wall down?
the idiot is the person who follows the idiot and your not following me your insulting me your following the path of a idiot so that makes you the idiot - LC Tusken
2005-11-14, 8:00 AM #18
No. Instead of leaving doors in my wall open and relying on faulty alarm-systems I simply close the doors.
Meh, we could throw comparisons like that around all day...

But you do know that you don't need a firewall to close a port?
Sorry for the lousy German
2005-11-14, 8:02 AM #19
Originally posted by Wolfy:
So, instead of a stone wall around you with a few (fixed) exploits, you simply tear the wall down?


Bad analogy--instead of a few decently protected passes through a mountain range, you let the virus traverse the mountains on its own.

Seriously, software firewalls are really not that great, and they don't help much at all for network attacks. The best way is a hardware firewall between you and your friends. Hell, most software firewalls are useless period, because you have to open some ports anyways.
D E A T H
2005-11-14, 8:12 AM #20
GOOD software firewalls are pretty damn good, but you'll have to pay, "pay" or use Linux.
Bassoon, n. A brazen instrument into which a fool blows out his brains.
2005-11-14, 8:59 AM #21
Originally posted by Impi:
But you do know that you don't need a firewall to close a port?


Outside of closing the ports on a router, I'm not aware of another method.
the idiot is the person who follows the idiot and your not following me your insulting me your following the path of a idiot so that makes you the idiot - LC Tusken
2005-11-14, 11:03 AM #22
Well, a port is just a number assigned to a program so that the operating system can identify it.
So if you've got a webserver running at port 80 and the operating system gets a request for port 80, it checks whether there is a program running on that port and, if so, reports the port as open and forwards the request there.
But if there is nothing running and the OS gets a request for port 80 it reports the port as closed, because there is no program listening on it.

So, no program listening --> port closed.

Firewalls are useful when you want to have a service (like the Windows shares) only in your local network, but not outside. Perhaps there are some uses for running a firewall on a single machine, but I can't imagine any.
Sorry for the lousy German
2005-11-14, 11:19 AM #23
Well, of course, if there's nothing listening for the packet, it'll get lost. But PAT isn't really something I'm interested in setting up. :p

The problem is that a person could have a program (anything from spyware, to adware, to something more malicious) listening on any of the (what is it, 65,535?) ports, and, without a software firewall to at least try and catch programs listening on those ports, you've left yourself open. Even programs that close ports are still acting effectively as firewalls in that regard, even if they themselves are not classified as firewalls.

Of course, the first step would be to prevent the installation of these programs on your system, but I'm dealing with the lowest common denominator in cyber security here.
the idiot is the person who follows the idiot and your not following me your insulting me your following the path of a idiot so that makes you the idiot - LC Tusken
2005-11-14, 1:24 PM #24
The packet won't get lost when nothing is listening. The OS just tells the sender that the port is closed and that's it.

And firewalls can be tunneled.
These were unfortunately the only English resources I could find: http://www.pcflank.com/art21.htm
But you can theoretically tunnel everything through any protocol that is allowed to connect outside. So unless you use Knipex you are screwed.

But you are correct that the first step would be to prevent installation of malicious programs. As I already said in your case that would be teaching him not to use an account with administrator privileges.
Sorry for the lousy German
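
The behaviour described in posts #22 and #24 (no program listening means the port is closed, and the OS answers at once rather than letting the packet get lost) can be observed on loopback. This is an added example, not part of any forum post; the `probe` and `demo` names and the 5-second timeout are assumptions chosen here.

```python
import socket
import time


def probe(host, port, timeout=5.0):
    """Classify a TCP port as seen by the connecting side.

    'open'     - a program is listening and the handshake completes
    'closed'   - nothing is listening; the OS answers with a reset (RST)
    'filtered' - no answer before the timeout, which is what a packet
                 filter silently dropping the request would look like
    Returns (state, seconds_elapsed).
    """
    start = time.monotonic()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        state = "open"
    except ConnectionRefusedError:
        state = "closed"
    except socket.timeout:
        state = "filtered"
    finally:
        s.close()
    return state, time.monotonic() - start


def demo():
    # Constructed scenario: a throwaway listener on loopback stands in for
    # "a webserver running at port 80"; port 0 lets the OS pick a free port.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    with_listener = probe("127.0.0.1", port)
    listener.close()  # the program exits, so nothing listens on the port
    without_listener = probe("127.0.0.1", port)
    return with_listener, without_listener


if __name__ == "__main__":
    (s1, t1), (s2, t2) = demo()
    print(f"listener running: {s1} ({t1:.3f}s)")
    print(f"listener stopped: {s2} ({t2:.3f}s)")
```

The second probe is refused well before the timeout expires, which is the difference between a closed port and one where the request is silently dropped.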
2005-11-14, 1:35 PM #25
Originally posted by KnightRider2000:
Sygate rox! Best firewall I ever used, will question everything that tries to connect to Internet, good for getting those pesky trojans and hackers.

I totally agree. I use this firewall and it works great. It's free and it can be customized very well. It can keep logs of just about all forms of traffic. I actually caught my brother looking at pr0n on his pc through the logs.

If you want a good free firewall go Sygate.
Naked Feet are Happy Feet
:omgkroko:
2005-11-14, 2:38 PM #26
I use ZoneAlarm :em321:
$do || ! $do ; try
try: command not found
Ye Olde Galactic Empire Mission Editor (X-wing, TIE, XvT/BoP, XWA)
2005-11-14, 3:28 PM #27
Originally posted by Impi:
And that is the lowest common denominator.


By "lowest common denominator," I meant English and Business majors.
the idiot is the person who follows the idiot and your not following me your insulting me your following the path of a idiot so that makes you the idiot - LC Tusken
2005-11-14, 3:43 PM #28
I use OneCare Firewall. :p

2005-11-14, 3:53 PM #29
I got Kerio Personal Firewall, and it must work because I haven't had worms, viruses, or popups on my computer ever since.
2005-11-15, 12:34 AM #30
Originally posted by Wolfy:
Originally posted by Impi:
And that is the lowest common denominator.

By "lowest common denominator," I meant English and Business majors.


What are you talking about? I never wrote that sentence. :rolleyes:
Sorry for the lousy German
2005-11-15, 2:40 AM #31
Originally posted by Delphian:
I got Kerio Personal Firewall, and it must work because I haven't had worms, viruses, or popups on my computer ever since.


Or perhaps it doesn't work, because I haven't had them here either, and I don't use a pfw
