Kapersky firewall or windows firewall?

Discussion in 'Windows Vista Security' started by Sharon T, Jun 4, 2007.

  1. Sharon T

    Sharon T Guest

    Would it be better to use the firewall on Kapersky Internet Suite or the
    Windows Vista Firewall?
     
    Sharon T, Jun 4, 2007
    #1
    1. Advertisements

  2. Sharon T

    f/fgeorge Guest

    Kaspersky, it is more responsive to change and a better product
    overall.
     
    f/fgeorge, Jun 4, 2007
    #2
    1. Advertisements

  3. The Vista one.

    * It's already there and therefore doesn't introduce further
    vulnerabilities and questionable features.

    * Any security product containing the word "suite" should be looked at
    with great scepticism.

    * One must assume that MS knows about the environment it's supposed to
    protect in greater detail than any third party.
     
    Straight Talk, Jun 4, 2007
    #3
  4. Sharon T

    Jesper Guest

    What specific feature set are you looking for? Without a proper understanding
    of the features you need and the risks you are trying to mitigate all you
    will get is a popularity contest.
     
    Jesper, Jun 4, 2007
    #4
  5. Sharon T

    CZ Guest

    Would it be better to use the firewall on Kapersky Internet Suite or the
    Windows Vista Firewall?

    Sharon:

    Or run both.

    The Vista f/w is nicely integrated with its Private/Public Profiles and is
    stateful.
    I run the ZA beta with the Vista f/w to have convenient outbound control.
    Works great
     
    CZ, Jun 6, 2007
    #5
  6. Sharon T

    Mr. Arnold Guest

    Most will tell you not to run two personal FW(s) because a doubled FW
    situation can prevent inbound packets/traffic from reaching the machine.
     
    Mr. Arnold, Jun 6, 2007
    #6
  7. Sharon T

    CZ Guest

    Most will tell you not to run two personal FW(s) because a doubled FW
    situation can prevent inbound packets/traffic from reaching the machine.

    Mr. Arnold:

    Technically, that should be a very rare experience for two simple packet
    filtering f/ws if the rules are setup correctly.

    I have run as many as three f/ws concurrently w/o problems (just to prove
    the concept).
     
    CZ, Jun 7, 2007
    #7
  8. Sharon T

    Mr. Arnold Guest

    May ask why the reasoning behind 3?

    I run two packet filters myself Vista's FW and IPsec. But that's for a
    dial-up connection for a laptop.
     
    Mr. Arnold, Jun 7, 2007
    #8


  9. Many people have run more than one firewall at once without a problem.
    However the *risk* of a problem is always there, and that's why it
    shouldn't be done.

    Here's what Microsoft has to say about running two software firewalls
    at once:
    http://www.microsoft.com/athome/security/protect/firewall.mspx

    "Q. Should I use both the built-in firewall and a software firewall
    from a different company on my Windows XP computer?

    "A. No. Running multiple software firewalls is unnecessary for typical
    home computers, home networking, and small-business networking
    scenarios. Using two firewalls on the same connection could cause
    issues with connectivity to the Internet or other unexpected behavior.
    One firewall, whether it is the Windows XP Internet Connection
    Firewall or a different software firewall, can provide substantial
    protection for your computer."
     
    Ken Blake, MVP, Jun 7, 2007
    #9
  10. Sharon T

    CZ Guest

    Many people have run more than one firewall at once without a problem.
    However the *risk* of a problem is always there, and that's why it
    shouldn't be done.

    Here's what Microsoft has to say about running two software firewalls
    at once:
    http://www.microsoft.com/athome/security/protect/firewall.mspx

    "Q. Should I use both the built-in firewall and a software firewall
    from a different company on my Windows XP computer?

    "A. No. Running multiple software firewalls is unnecessary for typical
    home computers, home networking, and small-business networking
    scenarios. Using two firewalls on the same connection could cause
    issues with connectivity to the Internet or other unexpected behavior.
    One firewall, whether it is the Windows XP Internet Connection
    Firewall or a different software firewall, can provide substantial
    protection for your computer."


    Ken:

    Do you know of a technical reason for not running two simple packet
    filtering f/ws concurrently?
     
    CZ, Jun 8, 2007
    #10
  11. Sharon T

    CZ Guest

    May I ask the reasoning behind 3 [f/ws running concurrently]?

    Mr Arnold:

    To prove that it can be done.

    The self-serving MS comment that you should not do two f/ws because it is
    unnecessary, and those who merely repeat MS comments, do end users a grave
    disservice.

    F/ws can use different technologies, and some f/ws have shortcomings; both
    of these issues can be addressed by running two f/ws concurrently. Is there
    a risk? Yes, but what do you do that does not involve a risk? Per my own
    experience and per NG posts that I have read over the years, most people
    running two f/ws do so w/o problems.

    IMO, a significant shortcoming of the Vista f/w is the lack of a user
    friendly outbound control. There are several 3rd-party f/ws that in my
    experience can be run concurrently with the Vista f/w to address the
    outbound control issue, and I am using the ZA beta f/w to do just that.

    Note that MS has told people that it is ok to run ISA on the same computer
    with Small Business Server 2003.
    IMO, most IT security pros would challenge that comment.
     
    CZ, Jun 8, 2007
    #11


  12. No, I have no other details to provide.
     
    Ken Blake, MVP, Jun 8, 2007
    #12
  13. I think there are a couple motivators for the suggestion to not run multiple
    packages simultaneously:

    1) configuration of one UI can be tricky for a large population of users;
    getting two sets of UI in sync could be almost impossible.

    2) everything comes with a perf hit. there are certain packages that I will
    not name, which on their own can cause a machine to be noticibly slower. If
    you get two of them on the same box, you're better off not connecting to
    anything at all.

    3) not all packages play nice. it would be very frustrating to be paying
    monthly subscriptions to both vendor A and B only to eventually realize that
    B effectively turned A off.
     
    David Beder [MSFT], Jun 8, 2007
    #13
  14. Sharon T

    Sharon T Guest

    Hmmm I see. Thanks everyone.

     
    Sharon T, Jun 8, 2007
    #14
  15. Sharon T

    CZ Guest

    David:
    getting two sets of UI in sync could be almost impossible.

    IMO:
    a) The complexity of the Vista f/w is probably only exceeded by that of NIS.
    b) Simple packet filtering f/ws pass the packets sequentially, so trouble
    shooting can be as simple as disable one while you test the other. This
    assumes that the user can read/edit/write f/w rules.
    not name, which on their own can cause a machine to be noticeably slower. If
    you get two of them on the same box, you're better off not connecting to
    anything at all.

    IMO:
    a) the unnamed f/w is probably NIS. I ran the pre-release version of NIS on
    Vista and thought that Symantec had improved the product substantially by
    removing some extraneous features that were in the previous versions. NIS
    is a sophisticated f/w that does a lot, but requires a degree of knowledge
    to setup properly, and to maintain. However, there are much simpler f/ws
    than either NIS or Vista's that are available (e.g., ZA (still in beta), PC
    Tools, and Vista Firewall Control).
    The challenge is to find a 3rd party f/w that works well with Vista's f/w,
    as I think the Vista f/w is well done overall (is stateful for example)
    except for the absence for "useable" outbound control. I Think highly
    enough of Vista's f/w that I would not recommend disabling it, but running a
    second f/w with it. Per testing, NIS disables Vista's f/w, ZA beta, PCT and
    VFC do not. Also, I would not recommend running NIS with Vista's f/w (even
    if you could) as NIS is more than a simple packet filtering f/w, and you
    would be much more likely to have issues with running the two together.

    The issue is that a user should not run two complex f/ws together, running
    one complex and one simple f/w together has never been a problem in my
    experience of doing so for 10 (??) years. Of course, the next issue is what
    is a complex f/w.

    As much as I like ZA, I have been reluctant to run it by itself, as it has
    been more of an application gate type of f/w ( the weakest type?) rather
    than a packet filtering f/w (plus XP's and Vista's f/ws have been stateful).

    Re: a performance hit: in general, that is secondary to the value of
    increase security/control within reason; ZA beta in Vista does load slowly,
    but I want the control that ZA provides, so I wait.
    monthly subscriptions to both vendor A and B only to eventually realize that
    B effectively turned A off.

    That is the value of the 30 day trial period (and Google). I am impressed
    enough with ZA running with Vista's f/w that I plan to buy the released
    product (it is still in beta) just to have the Expert rules feature that
    will not be part of the free ZA version. I use ZA Expert rules to block all
    Windows networking ports on my wired/wireless portable in case I forget to
    change Vista's network profile from Private to Public when switching from a
    wired network to a wireless network. That is just another example of the
    value of running two f/ws, as one can cover for a user config error in the
    other.

    Summary: IMO, it can be very beneficial to run a 2nd f/w with Vista's f/w
    enabled. Per my experience if the 2nd f/w is a simple f/w (e.g.., ZA (still
    in beta), PC Tools, and Vista Firewall Control) I would not expect any
    problems due to running two f/ws concurrently.
     
    CZ, Jun 9, 2007
    #15
  16. Sharon T

    Sharon T Guest

    So if I enable the kapersky firewall, will the Vista firewall get disabled?
     
    Sharon T, Jun 17, 2007
    #16
  17. Sharon T

    fosb[f2s] Guest

    Off at a slight tangent but a very simple yet, as far as I can tell,
    effective firewall, is Sphinx Vista Firewall Control. I have been using the
    free version in addition to the Windows Firewall with no conflict. From:
    http://www.sphinx-soft.com/Vista/index.html
    It downloads and installs very quickly and starts working immediately. As
    each application tries to communicate you can allow it inwards, outwards,
    both or neither, either on just that single occasion or more permanently.
    The resultant growing list of applications can be pruned and edited easily.
    In unusual circumstances you can set it to block all or to allow all via the
    system tray. Starkly minimal and very nice to use. - Doug.
     
    fosb[f2s], Jun 19, 2007
    #17
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.