Avoiding the "which firewall is better" argument

I want all YOUR advice on a firewall and actions. I extensively used (and configured on a per-packet basis) the old Tiny personal firewall (to version 2) and I now use Kerio v.4 (which is still good if you ignore their defaults and configure it totally yourself). Although much "fatter" than the old Tiny, I like Kerio 4 because as well as the "pure" firewall job it does (port, protocol and IP rules for incoming and outgoing, as well as MD5 hash monitoring), it also monitors apps that start in my system and lets me control which (and when) apps can start. Processes launching other processes is key to check in security and Tiny could not do this (Kerio's ad blocking and further bells and whistles I do not need).
Only I use my computer. Although I log on as a restricted user, I (and therefore any malicious code) can still make all the changes I (they) want to Kerio 4 (once the 30-day password has run out - I cannot afford the Pro version), thus leaving the firewall very vulnerable to a direct internal attack, no? Is there any way to limit Kerio from being modified when I am logged on as a user? I have looked a little at the software restriction policy under XP but can't see a way to do this. Even if I did pay for the Pro version, how can the password protection really stop malicious code (it seems to me this is just for administrators to stop users making changes)?
Maybe it is not possible with Kerio 4. Maybe you think I should move to a different firewall. Although the new learning curve would be steep for other firewalls, some (e.g. Outpost, Look n' stop) have got better leaktesting results than Kerio 4 (and MUCH better than Kerio 2, which is a favourite here, I understand). There has been a lot of criticism (e.g. "these are extreme hacking") over firewall leaktests using DLL code injected into the process of a permitted "allow-all" outgoing rule. [e.g. I use Mozilla to browse the internet, so "always allow Mozilla MD5 blah, blah outgoing TCP to any IP, port 80" is set]. If Outpost Pro, Look n' stop, Tiny6 etc. pass these tests then good. But surely these firewalls must be HUGE if they monitor ALL the DLL activity??? (DLL monitoring can also be done in XP, but even Microsoft say it will slow XP down!). Kerio 4 is already big enough for me. There are other watchers of applications that claim to be small and monitor activity including DLLs (software like System Safety Monitor 1.9.4). Would this be a method?
What do you think? Can I limit all (most) changes to Kerio in user mode? Do you recommend (and why) another firewall that is stronger than Kerio against any changes (caused via internal code or whatever) that is not greedier than Kerio in its use of resources (I DO NOT want any non-firewall extras like script or attachment content checkers, pop-up blockers, etc., etc.)? I take care of all my other security perfectly well. Really appreciate any thoughtful input on these issues.
Martin
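The leak-test point raised in the post (a DLL injected into a process that has an "allow-all" outgoing rule inherits that rule), as an added model that is not Kerio's, Outpost's or any other product's code: a toy rule engine keyed on program MD5, protocol and port, beside a variant that also checks which modules are loaded in the connecting process. Every hash below is of constructed placeholder bytes, not of a real binary.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    exe_md5: str          # MD5 of the permitted program image
    proto: str
    dst_port: int
    action: str
    allowed_modules: Optional[frozenset] = None  # None = process-only (Kerio-style)

@dataclass(frozen=True)
class Connection:
    exe_md5: str          # MD5 of the image of the process opening the socket
    proto: str
    dst_port: int
    modules: tuple        # MD5s of the DLLs loaded in that process (constructed)

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def decide(rules, conn: Connection, default: str = "block") -> str:
    """First matching rule wins; anything unmatched falls to the default."""
    for r in rules:
        if (r.exe_md5, r.proto, r.dst_port) != (conn.exe_md5, conn.proto, conn.dst_port):
            continue
        if r.allowed_modules is not None and not set(conn.modules) <= r.allowed_modules:
            return "block"   # a module the rule never approved lives in the process
        return r.action
    return default

# Constructed stand-ins for real binaries: hashes of placeholder bytes.
BROWSER = md5_hex(b"mozilla.exe (constructed placeholder)")
TAMPERED = md5_hex(b"mozilla.exe with a modified byte (constructed)")
SYSTEM_DLL = md5_hex(b"normal browser dll (constructed)")
FOREIGN_DLL = md5_hex(b"dll not present in the browser when the rule was made (constructed)")

PROCESS_ONLY = [Rule(BROWSER, "tcp", 80, "allow")]
MODULE_AWARE = [Rule(BROWSER, "tcp", 80, "allow", frozenset({SYSTEM_DLL}))]

def scenarios() -> dict:
    clean = Connection(BROWSER, "tcp", 80, (SYSTEM_DLL,))
    injected = Connection(BROWSER, "tcp", 80, (SYSTEM_DLL, FOREIGN_DLL))
    replaced = Connection(TAMPERED, "tcp", 80, (SYSTEM_DLL,))
    return {
        "clean/process-only": decide(PROCESS_ONLY, clean),        # allow
        "injected/process-only": decide(PROCESS_ONLY, injected),  # allow: the leak
        "injected/module-aware": decide(MODULE_AWARE, injected),  # block
        "replaced/process-only": decide(PROCESS_ONLY, replaced),  # block: MD5 differs
    }
```

The third scenario is what the module-watching products are paying for in size: the decision needs the process's module list, not just its image hash.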