Looking for internet security software

For everything that's not in any way related to PureBasic. General chat etc...
Dare2
Moderator
Posts: 3321
Joined: Sat Dec 27, 2003 3:55 am
Location: Great Southern Land

Post by Dare2 »

Specifically I am looking for something that can:
  • Identify processes/threads that are going online.
  • Quantify the data volume or bandwidth used by these processes.
  • Identify which ports are being used.
  • Identify the destination IP address.
  • Log the above.
  • Report daily (or on a scheduled basis).
(fairly important)

Anything else done is a bonus. Especially sending the electronic equivalent of WMD to selected intruder destinations. :evil:

Does anyone have any links, suggestions or recommendations?

Thanks.
@}--`--,-- A rose by any other name ..
GreenGiant
Enthusiast
Posts: 252
Joined: Fri Feb 20, 2004 5:43 pm

Post by GreenGiant »

I'm using the free version of ZoneAlarm, which I think does everything except the second one in your list. There is also a paid version which is probably a fair bit more sophisticated. http://www.zonelabs.com/

Edit: This page shows the differences between the various products. http://www.zonelabs.com/store/content/c ... submit.y=7
Dare2
Moderator
Posts: 3321
Joined: Sat Dec 27, 2003 3:55 am
Location: Great Southern Land

Post by Dare2 »

Hi GreenGiant,

Thanks for the link. I will try ZoneAlarm.

I currently use Tiny Personal Firewall which, to date, has done an excellent job.

I am looking for something additional that will passively monitor ports and do some or all of the following: Detect incoming and outgoing connections, identify files and folders and users involved, IP addresses involved, processes/threads involved. Log it. Any intrusion, and any legit, including "heartbeats" from ISP, etc.
@}--`--,-- A rose by any other name ..
GreenGiant
Enthusiast
Posts: 252
Joined: Fri Feb 20, 2004 5:43 pm

Post by GreenGiant »

The log in ZoneAlarm (can only speak for the free version) gives you the source and destination IP (including port number) of an event, a rating of how serious it is, the protocol it was using (TCP etc), the program causing it if it was outgoing, the action ZoneAlarm took (normally just says blocked) and the source and destination DNS (if it can get them). So not bad for a free program I think.
Fred
Administrator
Posts: 18350
Joined: Fri May 17, 2002 4:39 pm
Location: France
Contact:

Post by Fred »

I would suggest Kerio Personal Firewall, which has a very good reputation.
thefool
Always Here
Posts: 5875
Joined: Sat Aug 30, 2003 5:58 pm
Location: Denmark

Post by thefool »

I removed ZoneAlarm, because it wanted to have control somewhere I did not want it to have. It blocked more than I would have it to.

So I switched to Kerio Personal Firewall, and I have used that for 3 months without a single problem.

So if I should list free firewalls, Kerio would be number 1 and ZoneAlarm number 2 8)
Codemonger
Enthusiast
Posts: 384
Joined: Sat May 24, 2003 8:02 pm
Location: Canada
Contact:

Post by Codemonger »

I used to use Tiny Personal Firewall v2.0. It was the best firewall software for personal use because it was free ... anyway 6.0 is out now and I'm sure it has millions of extra features and it's tiny.

http://www.tinysoftware.com/home/tiny2?la=EN
"I deliver Justice, not Mercy"

    - Codemonger, 2004 A.D.
Dare2
Moderator
Posts: 3321
Joined: Sat Dec 27, 2003 3:55 am
Location: Great Southern Land

Post by Dare2 »

Hi Guys,

Thanks. I have added ZoneAlarm (so now Tiny and ZA both running) and have downloaded Kerio, will try it later. Tiny has been on my system for zonks, and logging, but misses something. ZA appears to be missing the same thing.

I am really looking for some good sniffers, tracker, intrusion logging, whatever the jargon is, software.

Things like NST and Snort and the gadgetry you get from places like insecure.org.

I want to track actual connections, files transferred, where they went, who (IP or user) put them there or downloaded them again, etc.

I do not want to stop this happening (which might alert some bods) until I have enough info to act on a number of fronts.

Thanks for any other links, ideas, etc.
@}--`--,-- A rose by any other name ..
thefool
Always Here
Posts: 5875
Joined: Sat Aug 30, 2003 5:58 pm
Location: Denmark

Post by thefool »

You run 2 firewalls at the same time? Well, I can only strongly say that there is no need for that. I believe the help files of the firewalls say the same.
Dare2
Moderator
Posts: 3321
Joined: Sat Dec 27, 2003 3:55 am
Location: Great Southern Land

Post by Dare2 »

Hi thefool,

How you going? :)

Two firewalls? Yes - just temporarily (less than 24 hours). It has been interesting to see which reports what. :)

So far both are doing the same job, although ZoneAlarm (pro/commercial) sure calls home a lot, going online to talk to base even though I requested not. :) (Tiny's logs tell me this). ZoneAlarm logs Tiny Personal Firewall as setting up as a server on bootup. Thereafter it does not try to go online. Good little fellow. :)

ZoneAlarm does a heap of stuff Tiny doesn't (or doesn't report), some of it pretty unexpected for a firewall.

I will run Kerio in conjunction with one of them later.

When I've settled on one, I'll stick with it. For the last few years I've run Tiny.

PS: Right now I want to get something beyond a firewall. Problem is I don't know what the correct terminology is for what I'm looking for. I know what I want. I don't know how to describe it to search engines and other people.
@}--`--,-- A rose by any other name ..
Moonshine
Enthusiast
Posts: 263
Joined: Tue May 25, 2004 12:13 am
Location: UK

Post by Moonshine »

I'm running a hardware firewall on a wireless router and the standard WinXP firewall (SP1). Since March I've had maybe 4 viruses MAX and about the same amount of spyware - also running AVG Antivirus 6 Free edition.
Mark my words, when you least expect it, your uppance will come...
Sparkie
PureBatMan Forever
Posts: 2307
Joined: Tue Feb 10, 2004 3:07 am
Location: Ohio, USA

Post by Sparkie »

I haven't tried it out yet, but I stumbled across this little gem called Ethereal. Maybe it has some features you're looking for.
What goes around comes around.

PB 5.21 LTS (x86) - Windows 8.1
Dare2
Moderator
Posts: 3321
Joined: Sat Dec 27, 2003 3:55 am
Location: Great Southern Land

Post by Dare2 »

Hi Sparkie,

That looks good. I'll try it. Thanks! :)
@}--`--,-- A rose by any other name ..
thefool
Always Here
Posts: 5875
Joined: Sat Aug 30, 2003 5:58 pm
Location: Denmark

Post by thefool »

@dare2: I'm fine, thanks :D

Well, for a product that lists programs that use the net, Kerio also does that.
It shows how much of the connection it uses, too.
blueznl
PureBasic Expert
Posts: 6172
Joined: Sat May 17, 2003 11:31 am
Contact:

Post by blueznl »

i'm a registered user of both (kerio and zonealarm pro :-)) so here are the verdicts...

zonealarm is easier to use (for beginners), free version is good enough for most applications, it is slightly less stable but (here it comes) severely sucks when using LARGE numbers of ports / HUGE amounts of traffic (think anything p2p, after a few days you have to reboot the machine if, for example, you're running something like emule 24/7)

i found it easier to get zonealarm to work with games, and managing security levels is a bit easier as well

kerio may be a little less friendly (imho ymmv etc.) but it works fine as a gateway firewall, and doesn't give any troubles with p2p stuff

kerio did f* up with the last update though, classifying all windows (os, filesharing, etc.) traffic as 'medium severity intrusions' means the latest version is pretty much useless for anyone running a homenetwork, must be a bug (i hope) and i expect them to fix it soon... duh

another thing i didn't like about kerio is the way they handle vpn's... on the dutch kpn adsl network pppoe is used by default, declaring all that traffic as 'secure' if you use the default ruleset (this does not apply to those not using pppoe / pptp)

both packages are supposed to support ics stuff only in their pro versions, well, this is and is not true, it just depends on what you're doing... i got both of them working in their free versions on an ics machine

if you're using something like nat32plus, you can use the standard versions, as they don't check traffic 'going through', remember these are 'personal' firewalls, and do little to protect machines behind the gateway

just need a simple client firewall? go for zonealarm... need it for a small homenetwork on the gateway machine? go for kerio (perhaps registered)

you can always mix and match :-)
( PB6.00 LTS Win11 x64 Asrock AB350 Pro4 Ryzen 5 3600 32GB GTX1060 6GB - upgrade incoming...)
( The path to enlightenment and the PureBasic Survival Guide right here... )