Troubleshoot Fort Knox Firewall

AtlBo

Thread author
Anyone used FK lately? A member asked me if I knew anything about FK and linked a pdf with great information here:

http://www.fortknox-firewall.com/download/manual.pdf

It's about $22 for 5 lifetime keys, so I want to see if it's as good as the pdf makes it appear to be. Process defense looks possibly very good, but I really liked the ability to monitor Windows settings all in one place like sharing etc.

What I would really like is an application that monitored net facing elements of Windows like remote desktop and FTP and file sharing settings that made it possible to manage them separately from svchost or whatever like most firewalls seem to do. The usual way doesn't work. Monitoring the actual element of Windows would make it possible to enable with confidence even remote desktop (if certain protocols had to be met for a connection to complete). However, finding this is another story I guess for now...
 

Deletedmessiah

> I've known of FortKnox for years and to be honest I've never known it to be any good. It's not about what features a product has, it's how effective those features are. It would be good to see CruelSister test this product out. I just don't see any need to pay for a stand-alone firewall when there's Comodo for free. And for the people making claims that it's better than Comodo firewall because of its features I'd like to see you prove that with all of the features in Comodo firewall enabled too. Anyone who wants to argue the point that FortKnox is better than Comodo prove it and if I'm wrong I'll hold my hands up, but FortKnox firewall has always been sub-par.

I have some questions. Note that I'm a total noob when it comes to Comodo.
Can you use only the firewall component of Comodo and disable HIPS, Sandbox and all the rest of Comodo's components?
Are the infamous Comodo bugs and annoyance still there even if you use firewall component only?
 

ZeroDay

> Are you talking of the malware-blocking capability of the FWs or are you talking of the protection capability (against network attacks) of the network features of the FWs?

If the malicious software is sandboxed and auto denied internet access it doesn't matter. We can argue back and forth all day, but FortKnox has never been any good. Like I say it's one thing having features but how capable are said features? Not very capable from my experience testing FortKnox years ago. It's just not a good third party firewall.
 

Deleted member 178

The only software firewalls worth installing are the ones in endpoint solutions, those really monitor traffic and can detect malicious packets.
There is no need of some fancy HIPS or Sandbox with a firewall, those features have nothing to do with a firewall, you can get them without even a firewall.
For example, the FW in Symantec EP or Sophos (if properly configured) are way above the home-user ones, which are like babies compared to them.
And software firewalls can't even compare with hardware ones.
 

shmu26

> I have some questions. Note that I'm a total noob when it comes to Comodo.
> Can you use only the firewall component of Comodo and disable HIPS, Sandbox and all the rest of Comodo's components?
> Are the infamous Comodo bugs and annoyance still there even if you use firewall component only?

Yes, you can use it as firewall alone, I know people who do so, because it is light and effective.
You will have less bugs, I don't know if you will have zero bugs. @SHvFl would know better.
 

AtlBo

All the home firewalls have a weakness that is hard to overcome. They don't separate svchost and the services into separate entities, each with its own ability to use Windows based components to make contact via the internet. And then all of those component applications should be further monitored (like any installed/user introduced executable) as a single unique application for any other associated activity they may have, whether or not the application ever runs standalone or of user choice. They should be monitored like any other application and then their connections listed as one of two things. For services: Windows process->associated with BITS service (etc)->connection rule. For installed programs: Program/user installed process etc.->rule. So the user should see the rules presented this way by responsible application and should be easily able to see and manage the activities of the Windows process/component process (if present) for the connection.

This is the only way we can come up with powerful enough sets of rules for normal Windows activity for firewalling to be really effective.

Comodo actually has made an effort with these things. If you follow this trail you end up realizing how cripplingly difficult it is to firewall systems that aren't properly connected formally to a network...even if it's a homegroup/whatever. So Comodo did something about that by sensing when you are connected to a new router/gateway etc. Huge for laptops. Also, the considerations for laptops about being connected public/private are not always known or understood. Comodo helps with that too. On down the line, you do end up with a crapshoot of things calling themselves svchost with the sweeping rules for their use and so on. Again, improving those would mean more refined monitoring and more refined presentation of the monitoring (in more organized and greater detail)...

What I have drawn over the last 4-5 years. Possible and practical are two very different things...
 
Upvote 0
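
Added example, not part of the original thread: the "Windows process -> associated service -> connection" view described in the post above can be approximated with built-in PowerShell cmdlets by joining each TCP endpoint's owning PID to the services hosted in that process. The report layout and the `Shared` column are choices made for this example; it assumes Windows 8 / Server 2012 or later, PowerShell 5+, and an elevated session.

```powershell
# Added example (not from the thread): attribute each TCP listener/connection
# to the Windows service(s) hosted in its owning process.
# Assumes Windows 8 / Server 2012 or later, PowerShell 5+, elevated session.

# PID -> services hosted in that process (a shared svchost.exe hosts several)
$servicesByPid = @{}
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    ForEach-Object {
        $hostPid = [int]$_.ProcessId
        if (-not $servicesByPid.ContainsKey($hostPid)) {
            $servicesByPid[$hostPid] = [System.Collections.Generic.List[string]]::new()
        }
        $servicesByPid[$hostPid].Add($_.Name)
    }

# PID -> process name
$processNames = @{}
Get-Process | ForEach-Object { $processNames[[int]$_.Id] = $_.ProcessName }

$report = Get-NetTCPConnection -State Listen, Established | ForEach-Object {
    $owner    = [int]$_.OwningProcess
    $services = @()
    if ($servicesByPid.ContainsKey($owner)) { $services = @($servicesByPid[$owner]) }

    [pscustomobject]@{
        Process  = if ($processNames.ContainsKey($owner)) { $processNames[$owner] } else { '(exited)' }
        PID      = $owner
        Services = if ($services.Count) { $services -join ', ' } else { '(not a service host)' }
        # True when several services share the process: the connection cannot be
        # pinned to one of them from this data, so a per-process rule covers all.
        Shared   = $services.Count -gt 1
        State    = $_.State
        Local    = '{0}:{1}' -f $_.LocalAddress, $_.LocalPort
        Remote   = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
    }
}

$report | Sort-Object Process, PID, Local | Format-Table -AutoSize -Wrap
```

Rows with `Shared` set to True are the case the post describes, where a rule keyed on svchost.exe covers every service in that process. On Windows 10 version 1703 and later with more than 3.5 GB of RAM, most services run in their own svchost.exe process, so fewer rows are ambiguous.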

Deletedmessiah

> Yes, you can use it as firewall alone, I know people who do so, because it is light and effective.
> You will have less bugs, I don't know if you will have zero bugs. @SHvFl would know better.

Thanks. If it has less bugs which aren't major or annoying, then I may try Comodo with firewall component only someday.
 

cruelsister

Messiah- The strength of Comodo is the sandbox. The Firewall is actually inferior to others as Comodo expects that either the HIPS or Containment will be used. NEVER EVER use only the Firewall!!!!! Trust me on this! I would rather have you use Anything else!

About "bugs". People often will self-create issues by happily checking things in the Comodo setup that they don't fully understand. I'll be releasing a Setup video this weekend (from starting the installer). Try my settings and if you have issues then you can berate me to no end.
 

ForgottenSeer 69673

[Attached image: ScreenHunter_89 Feb. 27 14.22.jpg]

> A hardware firewall really does not track Outbound connections from your system- and this is what you need to worry about.

And so this setting would not work? The checked box is for outgoing.
 

ForgottenSeer 58943

> Don't most home users have a hardware firewall built into their routers? I know I have had one for years.

People get confused by this. A hardware firewall is usually just some SPI L2 rules to examine deformed packets and simple NAT to ghost the internet subnet/ips of devices exiting the network. Otherwise, a firewall isn't going to do anything and really isn't any security other than the most basic. Networks have a public and private IP structure, the internal network under the assumption it has a private address space CANNOT be addressable from outside of the local network. The 'router' sits at the border between your public and private address space routing traffic based on the DHCP pool and ARP tables. Sessions are created locally on the PC. For example when you go to Microsoft.com a session is created between your computer and Microsoft, the router NAT's your internal and the firewall handles the traffic coming for malformations but does not examine outbound traffic.

Outbound traffic falls under L3-L7, which are UTM/NGFW areas. To examine outbound traffic your 'firewall' on the network would need to actually have DPI in the L3-L7, then at that point it can control egress from your network. That's why companies have UTM/NGFW appliances to help control egress and examine not only inbound traffic at a deeper level, but outbound as well. In the modern age, firewalls (SPI etc) are largely obsolete in terms of any effective security. A lot of 'old' guys in IT still think NAT and SPI are effective solutions, and we spend most of our days cleaning up from those guys.

Opening ports on a hardware firewall is almost always a bad idea. FORWARDING ports is better but unless explicitly needed should be avoided. Once you start forwarding external ports to your internal network you start opening security holes. Unless you have a L3-L7 device examining that traffic you've opened a door wide and anyone can come in. Businesses are hacked because they do things like open SMB445 or SSH22, then a script kiddie can load your gateway IP into their system and spend the next few years slamming it until they find a hole and you'll never notice it unless your router has decent logging and you watch those logs.

Software firewalls are really like little UTM's on your machine with IPS, L3/L7 inspection of traffic, application firewalling, etc. Ideally you want a UTM AND a good Software Firewall, in the perfect world. But for consumers, I'd advocate a far far better software firewall if you are just using a router/firewall on your gateway, it becomes even more critical for you. Also, most software firewalls are laden with false positives flagging internal ARP, ICMP and SYN activity as malicious attacks, when they are just network noise. So don't get too excited if they start popping off alerts. It's not the NSA bothering you, it's probably our Fire Stick. :ROFLMAO:
 

AtlBo

Not much gets discussed with laptops it seems. I don't have one, but for those, isn't firewall software like Comodo a primarily important thing to have?...or something with good firewalling capabilities.

I'd like to hear experiences of laptop users working with Comodo. Might be some good stories, and I am curious about how good it is with MIM attacks etc...
 

cruelsister

Tickle- This comment is simplistic after the above excellent post by ForgottenSeer 58943 (SmartGuy), but in short a consumer level Hardware Firewall really won't differentiate between a Browser connecting out to MT and a Keylogger sending your Banking credentials to me.

AtlBo- No difference between CF on a Desktop or Laptop. Just remember that Comodo Firewall is composed of 4 separate security layers (in order of importance): Sandbox, HIPS, Firewall, Cloud AV. Personally I wished they named it Comodo Sandbox (with a Firewall) instead of Comodo Firewall (with the sandbox). The strength of CF is virtualization.
 

HarborFront

> If the malicious software is sandboxed and auto denied internet access it doesn't matter. We can argue back and forth all day, but FortKnox has never been any good. Like I say it's one thing having features but how capable are said features? Not very capable from my experience testing FortKnox years ago. It's just not a good third party firewall.

FortKnox Personal FW does not have a sandbox nor a built-in AV/AM. If you use FortKnox Personal FW then you NEED an AV/AM to complement it to handle your malware issue. This applies too to ZA Free and SpyShelter FW. Comodo FW is great at preventing malware infection as it has a sandbox, HIPS and a cloud AV. If you want to disable its cloud AV and use another AV by all means if you feel the need to do so.

I'm talking of a FW's network protection capability and not its malware protection capability. Don't mix up the two. As for the effectiveness of such network-protection features there's hardly any review on them. There was one, however, but it was done many years back. And improvement nowadays would have voided that review.
 

Deletedmessiah

> Messiah- The strength of Comodo is the sandbox. The Firewall is actually inferior to others as Comodo expects that either the HIPS or Containment will be used. NEVER EVER use only the Firewall!!!!! Trust me on this! I would rather have you use Anything else!
>
> About "bugs". People often will self-create issues by happily checking things in the Comodo setup that they don't fully understand. I'll be releasing a Setup video this weekend (from starting the installer). Try my settings and if you have issues then you can berate me to no end.

So I'll be better off with Windows Firewall (with Binisoft WFC) or henrypp's simplewall than using Comodo's firewall component only.
Thanks for all your work on making Comodo easier to use for others!
 

shmu26

My firewall needs are pretty humble, I am the kind of guy who is satisfied with Binisoft Windows Firewall Control. So for me, Comodo firewall module is a step up.
Comodo has lots and lots of bugs that are not user caused, but I think that a lot, if not most, will not affect a firewall-only user. It's kind of unpredictable, because every Windows update carries the potential for new conflicts with sensitive software such as Comodo.
CS is right in saying that one should not rely on the Comodo firewall component as one's only security protection. That would be suicide. But I don't think anyone participating in this discussion would be so silly. If you don't expect the firewall to be anything more than a firewall, it does the job quite nicely.
 

cruelsister

The issues that some have had with Comodo really are user related in that some not necessary and potentially conflicting options may be used. With just the cloud AV, Sandbox, and Firewall active CF essentially lies quiescent on the system; and I think that any Windows update issues may have a source other than Comodo.

But to the Firewall component- an assumption that Comodo makes (rightfully so) is that either the HIPS or Sandbox will also be active, whereas this is not the case for Stand-alone OutBound alerting firewalls. As I'm being (usually) vague, I guess an example is in order:

1). Consider the excellent WFC- the guys at BiniSoft realize that their users may have sub-optimal protection backing up their Firewall, so they have coded it so that all malicious mechanisms that they are aware of are covered. For instance, in the case of malware that will inject into another process, and that process tries to connect out, WFC will block this silently without any input needed from the user (like I said, the product is excellent).

2). With CF (using my setup as an example), the malicious attempt at injection will be stopped in Containment before it can occur, so there is no need for the Firewall to be overly burdened by things that it will never see.

So we have a different Philosophy here- one set of products (like WFC and other Outbound alerting firewalls) will attempt to stop stuff on an already infected system. CF, on the other hand, will prevent the system from getting infected in the first place. Either will prevent things like injectors from harming you, but I certainly know which method I prefer!
 

shmu26

> The issues that some have had with Comodo really are user related in that some not necessary and potentially conflicting options may be used. With just the cloud AV, Sandbox, and Firewall active CF essentially lies quiescent on the system; and I think that any Windows update issues may have a source other than Comodo.
>
> But to the Firewall component- an assumption that Comodo makes (rightfully so) is that either the HIPS or Sandbox will also be active, whereas this is not the case for Stand-alone OutBound alerting firewalls. As I'm being (usually) vague, I guess an example is in order:
>
> 1). Consider the excellent WFC- the guys at BiniSoft realize that their users may have sub-optimal protection backing up their Firewall, so they have coded it so that all malicious mechanisms that they are aware of are covered. For instance, in the case of malware that will inject into another process, and that process tries to connect out, WFC will block this silently without any input needed from the user (like I said, the product is excellent).
>
> 2). With CF (using my setup as an example), the malicious attempt at injection will be stopped in Containment before it can occur, so there is no need for the Firewall to be overly burdened by things that it will never see.
>
> So we have a different Philosophy here- one set of products (like WFC and other Outbound alerting firewalls) will attempt to stop stuff on an already infected system. CF, on the other hand, will prevent the system from getting infected in the first place. Either will prevent things like injectors from harming you, but I certainly know which method I prefer!

Great explanation, Sis!
 