Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: MayuraDeSilva on December 29, 2011, 12:10:50 PM

Title: avast! Firewall vs Windows XP Firewall
Post by: MayuraDeSilva on December 29, 2011, 12:10:50 PM
Hi Guys,

I just wanna know, is it alright to keep Windows XP (SP3) Firewall ON while I using avast! Firewall? I mean is there any PLUS point (More secure or ....) of having both ON? Else can I save more resources by turning off Windows Firewall?

Cheers...
Title: Re: avast! Firewall vs Windows XP Firewall
Post by: DavidR on December 29, 2011, 01:19:13 PM
Avast IS firewall is compatible with the windows firewall, so it shouldn't be an issue leaving it on.

Title: Re: avast! Firewall vs Windows XP Firewall
Post by: MayuraDeSilva on December 29, 2011, 01:30:01 PM
Yeah... But David, does Windows FW has anything special to improve security other than avast FW? If there is nothing special, I can turn it off N save up more resources nah?

Cheers...
Title: Re: avast! Firewall vs Windows XP Firewall
Post by: DavidR on December 29, 2011, 01:52:02 PM
I believe it is able to handle the IPv6 IP protocol avast currently only IPv4, but that shouldn't be an issue as many ISPs are not geared up for IPv6 either.
Title: Re: avast! Firewall vs Windows XP Firewall
Post by: MayuraDeSilva on December 29, 2011, 02:16:20 PM
I did some search online and found that disabling Windows FW deactivate IPSec feature which encrypt LAN and VPN communications (Except for Win 7). So I think it's better to keep Windows FW active. Does it count or avast FW has it's own functionality similar to IPSec?

Cheers...
Title: Re: avast! Firewall vs Windows XP Firewall
Post by: DavidR on December 29, 2011, 03:36:09 PM
I don't use the security suite so I'm not that familiar with its internal functioning.
Title: Re: avast! Firewall vs Windows XP Firewall
Post by: Lisandro on December 29, 2011, 03:39:59 PM
Mayura, I use AIS but I'm not sure about this particular information. We need Lukor here...
Title: Re: avast! Firewall vs Windows XP Firewall
Post by: MayuraDeSilva on December 29, 2011, 03:56:01 PM
@ DavidR: Alright mate :)

@Tech: Hi Tech, Where can we find him? Can we post our problem or invite him to look upon this thread? :)

Cheers...
Title: Re: avast! Firewall vs Windows XP Firewall
Post by: DavidR on December 29, 2011, 04:01:35 PM
You're welcome,

I have tried to attract Lukor's attention ;D
Title: Re: avast! Firewall vs Windows XP Firewall
Post by: lukor on December 29, 2011, 04:05:37 PM
I don't think IPSEC on VPN is affected by turning avast firewall off. However currently the limitation of avast firewall is the lack of IPv6 features, so I generally suggest to leave them both on. They work pretty ok together.
Title: Re: avast! Firewall vs Windows XP Firewall
Post by: DonZ63 on December 29, 2011, 04:38:00 PM
Quote
I did some search online and found that disabling Windows FW deactivate IPSec feature which encrypt LAN and VPN communications (Except for Win 7).
If you check out WIN 7 firewall documentation, it will state the WIN 7 firewall is always running in the background when a third party firewall is installed for encrypt LAN and VPN communications functions. Security Center will state it is in an off state as to not conflict with the third party firewall but its service is still running.

As far as the XP firewall goes, I wouldn't say the above applies since I beleive this functionality was added when the firewall was redesigned for Vista and subsequently carried over to WIN 7.

Finally, encrypt LAN and VPN communications are only used for the most part on corporate networks. The only time a home user would use VPN comm generally would be to connect to his workplace computer.
Title: Re: avast! Firewall vs Windows XP Firewall
Post by: MayuraDeSilva on December 29, 2011, 05:13:11 PM
@DavidR: Wow :) That's great... You see, it worked ;)

@lukor: Oops... What if I turn off Windows FW mate? it affects on IPSec? If so avast FW do encrypt LAN and VPN communications?

@DonZ63: Yeah mate :) That's why I include "(Except for Win 7)" N basically home user wouldn't need encrypted VPN communication. But I couldn't mention that I do need it to establish remote connection :)

Cheers...
Title: Re: avast! Firewall vs Windows XP Firewall
Post by: norel on December 29, 2011, 11:54:07 PM
You might as well disable Windows Firewall, especially on XP, it's useless garbage.
Title: Re: avast! Firewall vs Windows XP Firewall
Post by: YoKenny on December 30, 2011, 12:24:03 AM
You might as well disable Windows Firewall, especially on XP, it's useless garbage.
As Mayura is using avast! IS then he should follow DavidR's advice. :) 
Title: Re: avast! Firewall vs Windows XP Firewall
Post by: MayuraDeSilva on December 30, 2011, 02:59:09 PM
@norel: I'm gonna keep both ON for now mate :)

@YoKenny: Ya mate :) It's better to have both ON to be on safe side until I find avast FW able to encrypt VPN communications.

Cheers...
Title: Re: avast! Firewall vs Windows XP Firewall
Post by: DavidR on December 30, 2011, 03:31:06 PM
I'm not sure the firewall has anything to do with encrypting the VPN communication, it just allows the traffic through, you set up the VPN and if you elect for it to be secure (encrypted) then that is done at that setup level and of it goes through the firewall (assuming that kind of connection isn't blocked by any firewall rule). Hence lukor's mistaken comment that "I don't think IPSEC on VPN is affected by turning avast firewall off" as I believe they are independent of one and other. I have never had to use of setup a secure VPN, so I'm not speaking from personal experience.

http://en.wikipedia.org/wiki/VPN (http://en.wikipedia.org/wiki/VPN)
http://en.wikipedia.org/wiki/IPsec (http://en.wikipedia.org/wiki/IPsec)

So I'm not really sure what it is that you are waiting for ?
Title: Re: avast! Firewall vs Windows XP Firewall
Post by: DonZ63 on December 30, 2011, 05:27:15 PM
Here's a bit better explanation: http://technet.microsoft.com/en-us/library/cc958037.aspx (http://technet.microsoft.com/en-us/library/cc958037.aspx).

Main point to remember is that the only thing the firewall sees related to VPN is it's headers. The data is encrypted and transmitted in a "tunnel." Firewalls(except WIN 7) are incapable of monitoring tunnel IP traffic.
Title: Re: avast! Firewall vs Windows XP Firewall
Post by: DavidR on December 30, 2011, 07:30:49 PM
Which is basically what I was saying in reply to Mayura's post:

<snip>
@YoKenny: Ya mate :) It's better to have both ON to be on safe side until I find avast FW able to encrypt VPN communications.

The firewall isn't responsible for creating the secure VPN connection, that is down to the VPN software being used, it is independent of the firewall.
Title: Re: avast! Firewall vs Windows XP Firewall
Post by: MayuraDeSilva on December 30, 2011, 10:23:21 PM
Quote
VPN Encryption

To help ensure confidentiality of the data as it traverses the shared or public transit network, it is encrypted by the sender and decrypted by the receiver. Because data encryption is performed between the VPN client and VPN server, it is not necessary to use data encryption on the communication link between a dial-up client and its Internet service provider (ISP). For example, a mobile user uses a dial-up networking connection to dial in to a local ISP. Once the Internet connection is made, the user creates a VPN connection with the corporate VPN server. If the VPN connection is encrypted, there is no need to use encryption on the dial-up networking connection between the client and the ISP.

Remote access data encryption does not provide end-to-end data encryption. End-to-end encryption is data encryption between the client application and the server that hosts the resource or service being accessed by the client application. To get end-to-end data encryption, use IPSec to help create a secure connection after the remote access connection has been made.

Source: http://technet.microsoft.com/en-us/library/cc779919(WS.10).aspx#w2k3tr_vpn_how_rffz


Yeah guys, I believe avast! firewall doesn't interact with VPN, but IPSec has a responsibility for creating end-to-end data encryption. However in Windows XP, IPSec affected by turning off Windows FW. So I can't turn off Windows Firewall to save up resources, neither can turn off avast! firewall as it is far superior.

So I'm not really sure what it is that you are waiting for?

DavidR,

I was doubtful and wonder is there any unique feature of Win FW that avast! firewall can't be covered. If avast! firewall cover features of Win FW, then no point of having Win FW enabled. But the problem was VPN encryption and IPSec. However IPSec is compulsory as I make use of VPN connections. So I just wanna know even after turning off Win FW, avast! FW or AIS itself can handle the IPSec functionality. However now I know they are different lessons on same book ;)

Cheers...


Thanks guys... :)

Title: Re: avast! Firewall vs Windows XP Firewall
Post by: DavidR on December 30, 2011, 10:25:35 PM
You're welcome.
Title: Re: avast! Firewall vs Windows XP Firewall
Post by: DonZ63 on December 30, 2011, 10:36:06 PM
To clarify, there is a difference between "turning off" the WIN 7 firewall and disabling it. MS never recommends disabling the WIN 7 firewall service since it is needed to support IPSec and VPN transmissions if required.
Title: Re: avast! Firewall vs Windows XP Firewall
Post by: DavidR on December 31, 2011, 12:36:58 AM
I don't believe there is a difference in disabling or switching off, I believe it is either on or off no in between. I don't see any disable option when checking the windows XP or Win7 firewalls (which I have off, using Outpost Firewall) and nothing in the help about disabling it.

In fact if you open the XP or win7 Firewall there is only Turn the windows firewall on of off.
Title: Re: avast! Firewall vs Windows XP Firewall
Post by: Para-Noid on December 31, 2011, 03:24:29 AM
This is getting a little off topic...but, if a user has an active third party firewall (OA Free, Private Firewall Free or Outpost Firewall Free) wouldn't that cover VPN and IPsec pretty well?  ???

Just asking.  :)
Title: Re: avast! Firewall vs Windows XP Firewall
Post by: DavidR on December 31, 2011, 04:31:11 AM
The VPN and IPSec are independent of your firewall, I have the XP firewall disabled as I have Outpost Pro and for me the IPSEC service is still started automatically and running, see image.

So this kind of negates what Mayura mentioned in in his post above on switching off the XP firewall.
Title: Re: avast! Firewall vs Windows XP Firewall
Post by: iroc9555 on December 31, 2011, 04:56:45 AM
@ DavidR

This may not be related to all the topic above, but still, even if I deactivate Windows Firewall trough security center, I got Firewall service running and automatic in services.msc. So, should I also stop that service if running a third party firewall ?
Title: Re: avast! Firewall vs Windows XP Firewall
Post by: DavidR on December 31, 2011, 01:43:19 PM
Generally the third party firewall should take care of whatever needs disabling, with the known exception of the avast! Internet Security firewall as it is compatible.

If you actually read what that service name says "Windows Firewall/Internet Connection Sharing (ICS)" it is also required for Internet Connection Sharing (ICS), so perhaps that is why it is still enabled.
Title: Re: avast! Firewall vs Windows XP Firewall
Post by: iroc9555 on December 31, 2011, 02:14:02 PM
Thank you. That's what I thought.
Title: Re: avast! Firewall vs Windows XP Firewall
Post by: DavidR on December 31, 2011, 02:17:07 PM
You're welcome.
Title: Re: avast! Firewall vs Windows XP Firewall
Post by: DonZ63 on December 31, 2011, 03:27:13 PM
Note the bold section below. Again, turning off the Win firewall via the Security Center is perfectly fine when using a third party firewall. However, never disable the firewall service if you plan on using IPSec.

Dusty Harper [MSFT]
Microsoft Corporation

2,060 Recent Achievements 10 2 0 Proposed Answerer I Forums Replies III Forums Answerer II Dusty Harper [MSFT]'s threads View Profile Microsoft Corporation2,060 Moderator
   
2Sign In to Vote 

If you decide to turn off the Windows Firewall, you need to make sure you disable it  in the proper manner, otherwise you will have persistent filters affecting your traffic.  In the Windows Firewall control panel (firewall.cpl), make sure you select 'Turn Windows Firewall on or off' and select 'Off (Not Recommended)'.  Alternatively you can use netsh.exe and run

'Netsh.exe AdvFirewall Set CurrentProfile State Off'.

MPSSvc is a required service for IPsec Policy to continue to function.  It also just happens to house Windows Firewall functionality as well.  If using IPsec, do not turn off this service.  Additionally if you do not turn off Windows Firewall, and just stop this service, you will be hit with Windows Firewall's persistent policy (hence the reason to disable the firewall as stated above).

Not also that there is a period of time when you start your machine and TCPIP.sys is loaded until the BFE service successfully starts.  This is known as boottime.  This period of time will enforce any boottime filters on the box, but will stop enforcing them when BFE starts successfully.

You can programmatically add filters to Windows Firewall to explicitly allow the traffic you are seeing blocked.

http://msdn.microsoft.com/en-us/library/aa366453.aspx is a good place to start for this.

I hope this helps.