Looking for software firewall that uses the least system resources

[Super Mario]

I'm looking for a software firewall that is very basic and only provides the ability to monitor inbound and outbound traffic from your PC. I don't want all the extras that many software firewalls have. I just want something that does what the Windows XP SP2 firewall does, but also monitors outbound traffic for applications trying to connect to the Internet without my consent. I'm looking for something that takes the least amount of system resources and is very clean and isn't bloated. I also want something that runs only one system process. Any ideas and which software firewall would give me this?

 

[Met-AL]

I just want something that does what the Windows XP SP2 firewall does, but also monitors outbound traffic for applications trying to connect to the Internet without my consent.

That's exactly what Windows firewall does.....

 

[Super Mario]

That's exactly what Windows firewall does.....

But it only monitors inbound connections and doesn't monitor oubound connections.

 

[number69]

Sygate personal firewall(free version) is good, I use it. I dumped Zone Alarm for it after using ZA for three + years. ZA 5.5 Pro had too many bells and whistles for me and I got tired of the "page cannot be found" BS I was getting everyday with it. I uninstalled it and never had that problem again.

Only reason I even use Sygate is to monitor outbound connections since I'm behind a router. I don't think the Windows XP SP2 firewall monitors all outbound connections.

 

[GreNME]

But it only monitors inbound connections and doesn't monitor oubound connections.

I beg to differ.

Someone lied to you.

 

[Whatsisname]

kerio is good and I've never noticed it using obscene system resources. No guarentee that it uses the least but you should choose the one that does it job the best first.

 

[Super Mario]

I beg to differ.

Someone lied to you.

I don't think that is true. Those messages are asking if you want those programs to accept connections from the network, (thus incoming connections), but the WIndows Firewall doesn't stop a program from initiating an outgoing connection to the Internet. That is the only feature the Windows firewall is missing that I want. I don't want any piece of software just phoning home without my consent. Believe me, I have installed software before and found it to be connecting to a URL without my knowledge or any indication that it was doing so. I don't want that happening without me knowing so.

 

[GreNME]

I don't think that is true. Those messages are asking if you want those programs to accept connections from the network, (thus incoming connections), but the WIndows Firewall doesn't stop a program from initiating an outgoing connection to the Internet. That is the only feature the Windows firewall is missing that I want. I don't want any piece of software just phoning home without my consent. Believe me, I have installed software before and found it to be connecting to a URL without my knowledge or any indication that it was doing so. I don't want that happening without me knowing so.

You don't seem to understand how TCP/IP connections work. There is a "three-way handshake" that must take place before a connection could be made. The Windows firewall can stop that from happening, hence the messages. What you are arguing is semantics: Windows Firewall stops outbound connections by disallowing outside connections to be made without authorization. Theoretically, UDP could bypass this, but even then it would show up if not on the allow list. The programs you were noticing were either added to the exception list or were using an exception you already allowed.

You've already made your mind up to forego the Windows firewall. It's your machine, do what you want. All I am doing is pointing out that Windows Firewall does block unauthorized outbound TCP/IP attempts by not allowing the "TCP three-way handshake" to take place. Use Sygate if you want.

 

[gerbiaNem]

There are three that I recommend, for best security/system resources (i did a lot of research on firewalls lately).

First there's regular sygate firewall, on my system it uses on avg 12-16mb of ram. I used it for a long time, however it hasn't been updated lately and has a few more security issues than the following two firewalls.. Homepage

Second there's Look 'n' Stop firewall. It is one of the most secure, if not the most secure, and on avg takes up about 3mb of ram. It's still in beta however so be careful if you use it. Homepage

Then there is also Outpost firewall. It is about as secure as Look 'n' Stop and uses on avg (if you disable some plugins you don't use like i did) about 5-10mb. Homepage

Any of these firewalls will work well.

 

[Super Mario]

You don't seem to understand how TCP/IP connections work. There is a "three-way handshake" that must take place before a connection could be made. The Windows firewall can stop that from happening, hence the messages. What you are arguing is semantics: Windows Firewall stops outbound connections by disallowing outside connections to be made without authorization. Theoretically, UDP could bypass this, but even then it would show up if not on the allow list. The programs you were noticing were either added to the exception list or were using an exception you already allowed.

You've already made your mind up to forego the Windows firewall. It's your machine, do what you want. All I am doing is pointing out that Windows Firewall does block unauthorized outbound TCP/IP attempts by not allowing the "TCP three-way handshake" to take place. Use Sygate if you want.

Actually, I am very interested and want to use the Windows firewall if it will indeed prevent outbouind connections. Are you sure it does provide some oubound monitoring capability? Everywhere I have read said it lacks this feature and will only monitor inbound connections? Will the Windows firewall block an application from trying to initiate an Outgoing connection and contact a URL without you knowing?

 

[Met-AL]

It does block outbound connections. That is why when you start something new up such as a FTP client, it asks you if you want to allow it to connect to something on the internet.

Windows firewall is all you need.

 

[Super Mario]

It does block outbound connections. That is why when you start something new up such as a FTP client, it asks you if you want to allow it to connect to something on the internet.

Windows firewall is all you need.

Here is a question I have as to why I don't think it blocks outbound connections. Download the program CloneDVD 2 from http://www.elby.ch/en/products/clone_dvd/index.html. Install it on your computer in WIndows XP SP2. Open the program, and if you have Sygate FIrewall installed, it will give you a message saying that CloneDVD2.exe is trying to contact update.elby.ch when you first launch the program, It tries to contact update.elby.ch everytime you open the program, and it gives you no indication that it will do that. And it will try to contact that url in the middle of the program every know and then when it is running. With the Windows firewall on, it GIVES NO indication to block this program from accessing the Internet. Make sure the Windows firewall is on, and bring up Windows Task Manager and view the Networking Tab. Open this program, click Continue to bypass the trial message, and you will see some network activity takes place after a few seconds. That is why I am worried the Windows firewall doesn't block outbound connections. What do you think? Try installing this program and you will see for yourself what I am talking about. I mean programs that do something like that without your consent or knowledge whern first launching it or during the install make me worried.

 

[GreNME]

Actually, I am very interested and want to use the Windows firewall if it will indeed prevent outbouind connections. Are you sure it does provide some oubound monitoring capability? Everywhere I have read said it lacks this feature and will only monitor inbound connections? Will the Windows firewall block an application from trying to initiate an Outgoing connection and contact a URL without you knowing?

Has for my clients and myself. I have a pretty full exception list on my computer now to allow what I want to allow, and the firewall disallowing TCP connections has caused some problems for client software, most notably a terminal-style banking software a credit union had as their main teller program.

I can recreate that same message if I uncheck Filezilla, pretty much any games, iTunes, or any messaging client. Perhaps the program you are using is taking advantage of an outbound opening already allowed, in which case Windows isn't alerting you. I will say that those others are more stateful than Windows Firewall, so if you want to have a more strict firewall connection policy then perhaps one of those other programs will make you feel more comfortable, and in that case go right ahead. Your machine == your comfort level, no one else's.

 

[gerbiaNem]

Windows Firewall pales in comparison to other firewalls in security.

 

[GreNME]

Windows Firewall pales in comparison to other firewalls in security.

I love it when people say this shit. I tell you what: I'll stick an XP machine in DMZ some time and let you bang on it all you want, and I'll give you the machine if you can so much as place a text file on the root of C: drive.

It isn't about one measure being the one catch-all to your machine's security. Along with all of the other built-in security measures available to all flavors of XP, the firewall is more than sufficient. What many people want, however, is the fancy pop-up notification that ZoneAlarm popularized as a show that connections are being blocked. Perhaps MS will make their firewall more inclusive in this manner, perhaps not. If you want that visual affirmation, then by all means use what blows your skirt up, because running a firewall of any kind is recommended and all the popular ones are quite decent. Saying one is "more secure" than the other because of the visual interface aspects is not a very informed assessment, and in that case the simplest firewalls in Linux would seem "insecure" by those standards (very much not true).

This is going to totally be a personal preference thing, not a security pissing match.

 

[Super Mario]

Read this: http://www.flexbeta.net/forums/index.php?act=ST&f=25&t=4184

That is why I don't think the Windows Firewall monitors outgoing connections. If the Windows firewall doesn't monitor outbound traffic by itself, are there any plugins that add that capability to it? Because I know there is a service that specifically states its meant for third party plugins for the Windows firewall and ICS service?

 

[GreNME]

Thanks for the reference.

However, the user who seems to be asserting that it does not monitor outbound connections is completely ignoring how TCP/IP works to begin with, and basing if Windows Firewall does handle outgoing connection attempts on how he/she observes the GUI interface of programs like ZoneAlarm, that have a popup window from the taskbar to alert the user. Windows Firewall does indeed not have those GUI interactive alerts, and perhaps it should, but that is outside of the scope of the real issue: does Windows Firewall allow anonymous outbound connections or not?

The answer to that is a caveated yes, just the same as any other consumer-level firewall software. A program can utilize another program's connection (most popular being a browser, most popular of which is IE), though it depends on whether or not the program will be able to connect. It certainly cannot open miscellaneous ports at will to connect. Furthermore, on their own review, the site explicitly states:

There aren’t any luring features in Windows Firewall, it contains just the basics of a firewall, blocking inbound attacks and monitoring outbound traffic.

Still, this doesn't mean much. The difference between Windows Firewall and other popular firewall programs is what they do with what they monitor. With Windows Firewall, it simply prompts when a TCP connection is requested (which is what an outbound connection tries to do) and answered. The other popular programs have running processes that will alert you on every instance unless you have told it to allow, disallow, or whatever. Windows Firewall only raises an alert window when a new program that has not already been allowed or disallowed. It's a small difference, but it's large enough to set it apart and make it seem like it's less persistent (and, indeed, it is somewhat less stateful) than others and less secure. This is not so—it just doesn't have as many GUI widgets as the other programs do.

Any exploit that can take advantage of Windows Firewall can be used to take advantage of, say, Sygate or ZoneAlarm. A firewall is not the only line of defense, it's simply one of the lines of defense that should be standard on a system. If you are uncomfortable with Windows Firewall, use something else. If you aren't using something else, use Windows Firewall. It's that simple.

So, the real question would be if you want those GUI addittions to the firewall, which one is least resource-intensive?

 

[gerbiaNem]

I love it when people say this shit. I tell you what: I'll stick an XP machine in DMZ some time and let you bang on it all you want, and I'll give you the machine if you can so much as place a text file on the root of C: drive.

I love it when people talk out of their ass. http://www.firewallleaktester.com/tests.htm
http://www.windowsitpro.com/Article/ArticleID/43846/43846.html


And let's see the windows firewall stop a DDOS

 

[GreNME]

I love it when people talk out of their ass. http://www.firewallleaktester.com/tests.htm
http://www.windowsitpro.com/Article/ArticleID/43846/43846.html

The first link's test is a loaded one (specifically to make one product look better), and the second link affirms what I said that one should at least be running a firewall, regardless of what they run. Also, the second link goes on to say the same thing I did in that a firewall is not the only line of defense, and that it is a firewall only, not an intrusion detection for bad software. Windows Firewall will not stop a PEBKAC fuck-up.

Like I said: if you're feeling froggy, let's see you leap. I'll place my machine in a DMZ and let you kick at it. Hell, if you are anywhere in the D/FW area I'll connect with you on a closed switch and let you give it a try. If you get in, I'll give you the machine. If you cannot, you give me yours.

I have a sneaking suspicion you won't take me up on the challenge. I'll put my money where my mouth is. Will you?

And let's see the windows firewall stop a DDOS

Now who's talking out of their ass? For your information, no firewall can stop a DDOS attack, spunky. A DDOS is independant of what firewall software you are running. The only way to cut off such an attack is to turn off and back on the network connection, and even then there is no guarantee if the attack is persistent enough or is trying to spoof your IP (man-in-the-middle is a common follow-up). I could flood any consumer-level firewall and DDOS the machine.

You should learn more about how the attacks work before running your mouth about shit you have no knowledge of.

 

[gerbiaNem]

How is the first test made to make any product look better? Look at the link before you say something.

And outpost has successfully blocked a DDOS on a test I personally did on it.

Now who talks out of their ass?

 

[Met-AL]

The first link's test is a loaded one (specifically to make one product look better),

I don't know about that, but I did run the GRC Leaktest and it was allowed a connection to the internet. I even tried it a second time with "Do Not Allow Exceptions" enable and it still let it out.

My opinion on Windows Firewall is changing.....

 

[ksar123]

To the guy who keeps insisting that Windows Firewall blocks outbound traffic - you are completely wrong. Windows Firewall only blocks inbound traffic. And yes I know exactly how TCP/IP works (I have written numerous network applications)... Windows Firewall blocks programs that attempt to put a port into winsock's "listen" state. When a port is listening the application is acting as a server and will accept incoming connections. AOL Instant Messenger does this because of its integrated p2p system, as well as many other applications that you wouldn't normally think have any inbound(*listening) connections, which is why you get a warning from Windows Firewall. It has nothing to do with the messenging client.

When a client performs a TCP handshake with the server, it never goes into listen mode and therefore would never trigger Windows Firewall...

 

[Steel Chicken]

I use Kerio Personal Firewall. allows very detailed control of in and out connections, by IP address, etc. allows controls the launching of programs from other programs, such as some of the spyware that try to use the winlogin.exe process to do their dirty work.

 

[MartinX]

I've always been sceptical of outbound traffic blocking in non enterprise environments.

Keep windows up to date.
Keep your AV up to date.
Leave the dodgy warez/pr0n sites alone.
If you're worried about what a piece of software will do, don't install it.

Problem solved.

 

[dmonkey]

So what is best for free solutions? Zone Alarm doesn't seem to allow configuration of ports.

 

[gerbiaNem]

I would go with outpost free.

 

[dmonkey]

How is Outpost Free 1.0 with port control? Will the free version let you unblock the ports required for Bit-Torrent?

Also, when setting the Bittorrent client for "allow" in Zone Alarm, does that automatically allow traffic to come in on port 6881?

 

[GreNME]

How is the first test made to make any product look better? Look at the link before you say something.

In the case of the link you gave, it would be products. Plural. Notice how they proprietary pay-for programs score noticably better there (when in other cases they fall about even).

And outpost has successfully blocked a DDOS on a test I personally did on it.

You alone, eh? That's not a DDOS (ephasis on the distributed), and I'm positive that if even hardcore enterprise firewalls get worked on DDOS attacks, your little attempt was not indicative of real situations. Sorry to question your credibility, but you've done nothing—no explainations, no tactics or tools used, nor any control situation in the test—to establish even a hint of credibility here.

Now who talks out of their ass?

So I tell you what: you take up my challenge, and when you're packing up your machine and sending it to me because you don't know what you're talking about, maybe then you will stop trying to sound like you know more than you actually do.

Windows Firewall monitors outgoing connections. Windows Firewall is as good a firewall as any other commercial brand. Windows Firewall does not include the IDS-like widgets because it is a firewall only, which is what makes some people decide to use other programs (which is a good enough reason).

I don't know about that, but I did run the GRC Leaktest and it was allowed a connection to the internet. I even tried it a second time with "Do Not Allow Exceptions" enable and it still let it out.

My opinion on Windows Firewall is changing.....

Well, this is the first reasonably user-friendly version of what is a rather simple firewall, so yeah, I'd say it's changing as well. However, I'm suspicious of that GRC test. It seemed legit enough, but the explanation site neither really explained nor gave a breakdown of what it did or how it did it. That kind of non-disclosure is dangerous when information is the key to maintaining security.

How is Outpost Free 1.0 with port control? Will the free version let you unblock the ports required for Bit-Torrent?

Dunno, but here is what looks like a user's guide.

Also, when setting the Bittorrent client for "allow" in Zone Alarm, does that automatically allow traffic to come in on port 6881?

If a program masks itself as the BT client then yes. Coincidentally, that's exactly how trojans and other malicious software often try to do it (usually by using 80 or 25 or other commonly-used ports and programs).

 

[drdeutsch]

Windows Firewall monitors outgoing connections. Windows Firewall is as good a firewall as any other commercial brand. Windows Firewall does not include the IDS-like widgets because it is a firewall only, which is what makes some people decide to use other programs (which is a good enough reason).

From page 160 of the May 2005 issue of PC World (just got it today):

First full paragraph on the page:
"Windows XP's firewall monitors only inbound connections, offering no protection from malware already on your PC. The latest versions of my favorite free firewalls - Kerio Personal Firewall, Outpost Firewall Free, Sygate Personal Firewall, or Zonealarm - are all effective, so if one conflicts with your system, try another."

Case closed to me. Can we move on now?

 

[GreNME]

From page 160 of the May 2005 issue of PC World (just got it today):

First full paragraph on the page:
"Windows XP's firewall monitors only inbound connections, offering no protection from malware already on your PC. The latest versions of my favorite free firewalls - Kerio Personal Firewall, Outpost Firewall Free, Sygate Personal Firewall, or Zonealarm - are all effective, so if one conflicts with your system, try another."

Case closed to me. Can we move on now?

Yawn.

From this:

(Windows Firewall Can: )
Create a record (a security log), if you want one, that records successful and unsuccessful attempts to connect to your computer. This can be useful as a troubleshooting tool.

Windows Firewall monitors everything and logs it.

It does not do the IDS-like filtering, because it is not meant to "fix" an already infected machine, it is meant to help keep it from getting hacked. There are other tools MS makes that fight malicious software infections (AntiSpyware), and I can just imagine the antitrust lawsuits were they to include them.

PCWorld was wrong. Dead wrong. If you don't believe it monitors outbound connections, enable logging and check for yourself in the event logs. People making spurious claims based on rumor and conjecture are exactly what spreads misinformation.

Do not spread misinformation.

Case closed.

 

[O[H]-Zone]

Jeez, is it time for GreNME to assert that he's smarter than M$, PC World and everybody else put together already? I guess daylight savings time must have thrown me off...

 

[gerbiaNem]

For your information I had many friends of mine pound my computer with packets to test the DDOS.

And Windows Firewall does NOT block outbound connections, how can we pound that into your think skull? It will log them, not block them.

And for your test, just put a nice software like sub7 I send you and see how well windows blocks that outbound connection when I tell everyone your ip address.

 

[GreNME]

Jeez, is it time for GreNME to assert that he's smarter than M$, PC World and everybody else put together already? I guess daylight savings time must have thrown me off...

Um, Microsoft has stated that it monitors outbound traffic. In case you didn't notice, they are the ones who state that it logs all traffic. Once again, your lack of reading and hard-on for trying to start fights with me has blinded you from the facts. I'll trust Microsoft's word on their own product than I will from a rag like PC World any day.

For your information I had many friends of mine pound my computer with packets to test the DDOS.

What kinds of packets? How were they delivered? Were all of the computers on the same subnet? How many different sources at once?

Trust me, with the right delivery and number, any machine can be disabled from a DDOS. There is absolutely nothing impressive about your claim and it says jack shit about security.

And Windows Firewall does NOT block outbound connections, how can we pound that into your think skull? It will log them, not block them.

You are the one who needs to get shit through your thick skull. Monitors != blocks, and when you select "Block" on the prompts it abso-fucking-lutely will block.

And for your test, just put a nice software like sub7 I send you and see how well windows blocks that outbound connection when I tell everyone your ip address.

Now I know you don't know a thing about the shit you're spewing. No Sub7 around will make it past any antivirus worth running on a computer, and it sure as shit wouldn't make it on my machine.

So, the challenge is still there. Want to continue to run your mouth about skiddie tools that have been identified by antivirus for years and are useless on everyone but those who run with no A/V (and even then not always, since skiddies are fucking stupid), or are you going to prove me wrong and take my computer? All you have to lose is your own.

And threats like "I'll tell everyone your IP addy" are fucking lame. Not only is that information absolutely useless to you, but I can change the address at will and all you'll be hitting is some guy who will just as likely call the cops on you. Don't make ridiculous threats here, actually back up what you spew with something a little more credible than sub7.

 

[O[H]-Zone]

All I am doing is pointing out that Windows Firewall does block unauthorized outbound TCP/IP attempts

Note the word "block"

Um, Microsoft has stated that it monitors outbound traffic

Note that the word "block" has been replaced with the word "monitors".
Standard GreNME...

 

[Tordek]

As much as i hate to call "truth" to any of the garbage coming from O[H]-Zone posts, i just found this:


http://netsecurity.about.com/od/firewalls/a/aa081804b.htm

First of all, the Windows Firewall does not monitor or block outbound traffic. According to a PCWorld article, Microsoft technical specialist David Overton argues that "it is not the firewall's place to stop malicious code from sending outbound packets--Microsoft contends that companies should use perimeter technologies to examine outbound traffic."

and this

http://tinyurl.com/4wwgr

"An attacker could misuse that (administrative) capability," said Microsoft technical specialist David Overton. "But you're already in a compromised state, if you're at that point." He said that Windows Firewall is designed to stop malicious transmissions to the PC, rather than protecting the PC once it's been infected.

If malicious code makes it past the firewall, it is the role of anti-virus software to protect the machine, Overton said. Likewise, it is not the firewall's place to stop malicious code from sending outbound packets - Microsoft argues companies should use perimeter technologies to examine outbound traffic. "The firewall is a management process, not a silver bullet," Overton said.

Overton implies Windows Firewall doesnt stop outbound packets.


*Edited for URL--BobSutan*

 

[gerbiaNem]

Sure, any antivirus blocks sub7, but we're talking about firewalls. Please, show me anywhere in the world besides your weirdo opinion that states windows blocks outbound traffic. And I was using the ip addy to show that I had succefully gotten outbound traffic from your system, not so that the "1337 h4x0rz" could take a shot at you.

So please show me an article that shows windows blocks outbound traffic.

 

[ksar123]

Jesus Christ. I am a network programmer and it is so easy to prove that windows firewall does not block outbound traffic. I've written tons of internet programs and windows firewall has never blocked a single one, UNTIL I set a tcp port into listen mode. This proves not only that windows firewall does not block outbound traffic, but that the only reason it blocks inbound traffic is because it is restricting a port from going into listen mode (which will prevent a remote peer from connecting to it). I can write you a demo app that proves this if you want.

I know its easy to say "I read somewhere that windows firewall blocks and monitors outbound traffic", but I have proven first hand that it does not. Believe what you want, but please don't spread your ignorance...

 

[ashmedai]

IANAP and I can probably prove that it doesn't work for blocking outbound OR inbound traffic after spending half an hour on Google and being told your IP address.

Windows Firewall is alot better than no firewall, but it's still a piece of crap.

 

[number69]

Windows Firewall is alot better than no firewall, but it's still a piece of crap.

lol, that's a good sig actually.

 

[O[H]-Zone]

So it's settled, then.
Windows firewall doesn't block outbound traffic, and GreNME is totally wrong.
Again.