Which Firewall is best for Vista?

Discussion in 'Windows Vista Security' started by Mike Dymond, Jun 29, 2007.

  1. Mike Dymond Guest

    Which Firewall is best for Vista?

    Zone Alarm?

    All opinions appreciated.

    Mike Dymond, Jun 29, 2007

  2. Opinions are what you will get, and probably at least one for every
    product that works with Vista.

    A question like this isn't much different from asking which is the
    best automobile. Every product has its partisans, and when you get
    recommendations for almost everything available, you are no better off
    than when you started.
    Ken Blake, MVP, Jun 29, 2007

  3. gizbug Guest

    Use a hardware firewall.
    gizbug, Jun 30, 2007
  4. Avoid any Norton products, entirely. They consume far too many system
    resources for what they do.

    A good product, and much easier to configure than Vista's built-in
    firewall. I had no problems beta testing the Vista-compatible version,
    but I don't know if it's gone "Gold," yet.

    Vista's built-in Windows Firewall is adequate for most users, but not
    particularly easy to configure. Vista's built-in firewall, although
    superior to that of WinXP, is of a rudimentary nature, intended to meet
    the simpler needs of most home consumers (or business/enterprise clients
    already ensconced behind more advanced perimeter defenses).

    One 3rd-party add-on (Sphinx's Vista Firewall Control
    http://sphinx-soft.com/Vista/) might make the Vista Firewall a bit more
    useful to you, but nothing but a completely independent product will be
    able to provide the detailed control you want.

    There are two interfaces for Vista's built-in firewall:

    1) A simplified one accessed through the Control Panel that is the only
    one most people see.

    2) And the more advanced "Windows Firewall with Advanced Security
    (WF.msc)," accessed via the Start Menu's Administrative Tools folder,
    for the experienced user who wants better control.


    Bruce Chambers

    Help us help you:

    They that can give up essential liberty to obtain a little temporary
    safety deserve neither liberty nor safety. -Benjamin Franklin

    Many people would rather die than think; in fact, most do. -Bertrand Russell
    Bruce Chambers, Jun 30, 2007
  5. Mike Dymond Guest


    How about if I re-phrase:
    Does anyone know of any conflicts or problems with the listed programs?
    Any known compatibility issues?

    Mike Dymond, Jun 30, 2007
  6. Richard G. Harper, Jun 30, 2007
  7. Mr. Arnold Guest

    Vista's FW, because it can protect the network connection at system boot, when
    the machine has a direct connection to the modem, and therefore to the
    Internet. No 3rd party personal FW can do it.

    Or if you can get a cheap NAT router, then put the machine behind its
    Mr. Arnold, Jun 30, 2007
  8. Victek Guest

    I've tried PC Tools Firewall Pro, ZoneAlarm Free (ZAF), and Look & Stop.
    L&S was the only one that "just worked", but it was beta and payware. PC
    Tools Firewall required a fair bit of customization to get it to stop
    blocking the internet connection - I never got it completely reliable. ZAF
    slowed down browsing to an unacceptable degree. Comodo is currently testing
    its Vista-compatible firewall, but it's still pretty rough around the
    edges. I've gone back to using the Windows Firewall with the "Vista
    Firewall Control" front-end.
    Victek, Jun 30, 2007
  9. Spirit Guest

    On my Home PC (Vista Home Premium) the Vista Firewall blocked every port
    when assaulted by everything I could throw at it. For most, that is all that
    should be needed. "IF" someone needs more security then I suggest a hardware
    solution in addition to the Windows Vista
    Spirit, Jul 2, 2007
  10. Actually many of the new Vista firewalls are able to actively protect at
    boot time. I'm pretty sure Symantec, Zone, and McAfee are doing this. Others
    can 'non-actively' protect as well by usually just blocking everything with
    exceptions for some basic ports like dhcp and dns.
    David Beder [MSFT], Jul 2, 2007
  11. How do they achieve this?
    What does "non-active" protection mean?
    Straight Talk, Jul 2, 2007
  12. Paul Smith Guest

    The built in firewall is perfectly adequate and non-annoying like so many

    Paul Smith,
    Yeovil, UK.
    Microsoft MVP Windows Shell/User.

    *Remove nospam. to reply by e-mail*
    Paul Smith, Jul 2, 2007
  13. Mr. Arnold Guest

    Not according to this link, unless the information in the link is wrong.


    If the solutions you're talking about can do it, then can you provide
    documentation stating that they can protect at system boot?

    They were never doing it before. I don't see why they would be doing it on

    The only other two firewalls that I know of that can also protect at system
    boot are XP's FW, which has documented proof of this.

    The other one is Wipfw with its STARTUP_BOOT_START setting.
    Mr. Arnold, Jul 2, 2007
  14. The tcp/ip stack was rewritten for Vista. Part of this rewrite includes a
    new set of APIs/hooks/etc. called Windows Filtering Platform (WFP). The
    platform allows firewall drivers to link into the packet processing flow
    during boot-time as well as post-boot.

    During the time that firewall drivers are loading, which could end up being
    after tcpip is loaded, pre-established behavior can be stored (from the last
    boot) to block traffic until the firewall driver can take over.

    For the purposes of this part of the thread, an active firewall is one with
    a driver that actively inspects traffic by looking through all the header
    and data values, while a non-active firewall is one which simply blocks all
    traffic from given addresses/ports/etc. without any inspection.
    David Beder [MSFT], Jul 2, 2007
  15. At the time of this article's authoring, the statement might have been
    accurate. The software packages which are making use of the boot-time
    interfaces with the new Vista tcpip stack might have still been in Beta

    I'm not certain the statement was completely true for XP, but there's room
    for semantic differences on what's a firewall and what's an IDS. e.g., I think
    Black Ice was able to protect during boot-time, though not necessarily at
    the exact second we'd consider boot-time as beginning.

    Microsoft Windows Networking
    This posting is provided "AS IS" with no warranties, and confers no rights.
    David Beder [MSFT], Jul 3, 2007
  16. Mr. Arnold Guest

    I am not certain that WFP and BFE are bullet proof protection due to the
    fact that BFE is a service. I have not tested it, but if that BFE service is
    knocked out, and I don't see why malware couldn't knock out that BFE
    service, then it's over. I would say the same thing about a 3rd party FW
    service interfacing with WFP: if that FW service can be knocked out, it's
    over on any type of protection.

    Well, I can tell you that Black Ice wasn't stopping anything on XP at system
    boot when I was using it, and I used Black Ice for many years and knew how
    to use it very well.

    I tested BI's boot security using Gator at the time. I set all kind of FW
    rules to stop Gator on inbound from its site IP(s) and went to BI's
    Application Control and set rules to stop Gator. Then I installed Active
    Ports and put it in the start-up folder so that I could see connections when
    I booted and logged into the machine.

    Active Ports showed that connections were established by Gator, and its
    subcomponents via Svchost.exe to its sites. Black Ice wasn't stopping
    anything at system boot.

    Nor were any of the other 3rd party solutions that I tested, like ZA,
    Sygate, Norton, McAfee, Outpost etc., etc., stopping Gator at system

    That's when I decided that in order to protect what I needed to protect,
    like IIS, SQL Server, etc, etc, I needed to put the machines behind a FW
    appliance like the WatchGuard that I use. Any host based FW solutions
    running on the machine are disabled as they are not needed from my viewpoint
    sitting behind the FW appliance.

    Don't get me wrong now, when a machine has a direct connection to the modem
    and to the Internet when I do that, I need a personal FW running to protect
    from the Internet. But I also know that nothing that's running with the O/S,
    such as a personal host-based FW/packet filter, is bullet proof.
    Mr. Arnold, Jul 3, 2007
  17. Agreed, nothing is going to be bullet proof and host firewalls are just an
    extra layer of protection. Every year the industry innovates, so even if
    there wasn't boot-time support before, you're going to start seeing it more
    as time goes by.

    There might also be differences in what various products are willing to
    block outbound during boot, so Gator might still make it out during that
    time simply because the firewall isn't in a position to recognize that it's
    not a connection that should be allowed from svchost. Give them a couple
    more years and they'll eventually solve this too. :)

    As for WFP/BFE, WFP is integrated into the tcpip stack so can't be removed
    from play. If BFE is knocked out, WFP is left in its last-known state. If
    BFE is blocked from ever starting up, then the system is essentially left in
    boot-time forever. (Note, if it's disabled by an administrator like through
    the services control panel, then WFP won't invoke any boot-time or
    post-boot-time policy and firewalls will have to move below or above the
    tcpip stack to inspect packets.)

    Depending on how firewalls invoke WFP, their policy could survive having
    their service knocked out.

    Microsoft Windows Networking
    This posting is provided "AS IS" with no warranties, and confers no rights.
    David Beder [MSFT], Jul 4, 2007
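The two posts above hinge on the state of the BFE service (which WFP needs to load boot-time and post-boot policy) and of the firewall service sitting on top of it. The following PowerShell script is an added example, not code from anyone in this thread or from Microsoft: it reports whether BFE and the Windows Firewall service (assumed service name MpsSvc, as on Vista) are running and set to auto-start, and reads the per-profile firewall state from `netsh advfirewall`, the command-line face of WF.msc.

```powershell
# Added example: verify the services WFP depends on and the firewall state per profile.
# Assumes Vista-era service names: BFE (Base Filtering Engine) and MpsSvc (Windows Firewall),
# and that netsh advfirewall is available (Vista and later). Run from an elevated prompt.

$required = @('BFE', 'MpsSvc')

foreach ($name in $required) {
    # Win32_Service exposes StartMode; Get-Service in PowerShell 1.0/2.0 does not.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) {
        Write-Warning "$name service not found on this system"
        continue
    }
    # Per the thread: a stopped BFE leaves WFP in its last-known state, but a
    # Disabled BFE means WFP applies no boot-time or post-boot policy at all.
    $ok = ($svc.State -eq 'Running') -and ($svc.StartMode -eq 'Auto')
    $verdict = if ($ok) { 'OK' } else { 'CHECK' }
    "{0,-7} State={1,-8} StartMode={2,-9} {3}" -f $svc.Name, $svc.State, $svc.StartMode, $verdict
    if ($svc.StartMode -eq 'Disabled') {
        Write-Warning "$name is Disabled: WFP will not enforce firewall policy"
    }
}

# Per-profile firewall state. netsh prints blocks like:
#   Domain Profile Settings:
#   ----------
#   State                                 ON
$current = $null
foreach ($line in (netsh advfirewall show allprofiles)) {
    if ($line -match '^(\w+) Profile Settings:') {
        $current = $Matches[1]
    }
    elseif ($line -match '^State\s+(\w+)') {
        $state = $Matches[1]
        "{0,-8} profile firewall state: {1}" -f $current, $state
        if ($state -ne 'ON') { Write-Warning "$current profile firewall is not ON" }
    }
}
```

If either service reports CHECK, or any profile is not ON, the machine is in the situation Mr. Arnold describes rather than the one David Beder expects, and the cause (policy, a failed start, or tampering) is worth investigating before trusting host-level filtering.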
  18. Mr. Arnold Guest

    And every year the hackers are going to be just one step ahead with zero day
    exploits, and they will find a way through it. As long as there are Human
    Beings involved with it, nothing is infallible, because we are not
    infallible as Human Beings.

    I don't see how that's going to ever happen when Svchost is the messenger
    for the O/S programs and other non O/S programs to communicate. Yes, you can
    talk about something like IDS that's using signatures and protocol analysis,
    but all of that can be defeated too. There is no stops all and ends all
    solution. It will never be that, as long as a Human Being is involved in it.

    But in the meantime, malware if it hits the machine and can be executed,
    which doesn't seem to be a problem with those that have the happy fingers
    that will click on everything under the Sun, then the malware can set its
    own rules, punch out, and circumvent it all.

    It will remain to be seen. But remember this, nothing absolutely nothing is
    bullet proof as long as Human Beings are involved.
    Mr. Arnold, Jul 4, 2007
  19. Robert Moir Guest

    Of course if malware can "knock out" the service that means that the malware
    is running locally on the target computer does it not? If it's already in
    your base, haxoring your computer anyway, then I might suggest boot time
    firewall protection is the least of the worries you will have.
    Robert Moir, Jul 5, 2007
  20. Mr. Arnold Guest

    Yes, you got a real problem if the service can be knocked out, no doubt
    about it, like I have seen other 3rd party FW services knocked out by
    malware. :)
    Mr. Arnold, Jul 5, 2007