Alternatives to using a Personal Firewall

Well knowing that it is impossible to state a one-for-all solution, here is some input on how to start getting along in a home Windows environment without running a personal firewall.

It is certainly not complete, but feel free to add Your tricks to the list.

Note also that:

  1. The right things to do in the end depend on Your environment, habits and behaviour.

and

  2. There is no such thing as full security on the internet. Your level of security is something You come to a balance with, the key word being trust.

Okay, here we go:

  1. If possible, put a NAT router/firewall device between Your internet connection and Your PC.

It does filter out a lot of network traffic that is just pure noise, and it does provide a decent level of protection from "intrusion attempts" from the outside. If You are willing to invest a little money in security, this is one of the best ways to do it.

  2. Disable unnecessary services

If directly connected to the internet, this part is *crucial*.

If behind a NAT router as suggested in point 1, however, this is less important as long as Your router does not forward any traffic.

The ideal would be of course if You can end up having no open ports at all. A PC configured like that can be directly connected to the internet just as safely as if You were using a personal firewall - and best of all, without all the noise from firewall pop-ups :-)

If You have a simple setup (like a stand-alone PC connected to the internet, without any special requirements other than normal surfing and mailing around), there are pretty straightforward step-by-step guides available that can help You close all open ports on Your machine, depending on the Windows version You are running. Remember to check that Your ports actually are closed (the guide will probably tell You how to do that).

Otherwise search the internet for ways to close ports You don't need. (It's a good idea to write down which services You disable and how You do it. You might find that You need to reopen them again at a later time). Figuring out which services can be deactivated can be rather tricky. Search the net and seek help in relevant forums.

If for some reason You need to have services running (which should be the exception in most home environments), make sure that the software behind it is kept up to date (patched), which leads us to the next item...

  3. Keep Your software patched.

This is true for Windows itself as well as any other software You are running.

  4. Do not run programs You don't trust.

It may sound a little too simple, but it really is. Unless You have the source code and understand how to interpret it, there is NO way You can control what a programmer has decided to let a program do, so it all comes back to trust. If You don't trust the programmer or the program vendor, don't run it! The moment You run or install a program, You have accepted taking a risk. It is just like driving a car. You know there is a risk, but You accept that risk in order to get quickly to point B.

If downloading programs from the internet, do it only from sources You trust.

  5. When surfing the web with Internet Explorer, use its zone concept.

IE has a quite decent concept which allows You to regard any web-site You have not specifically acknowledged as being worthy of Your trust as unsafe. You do that by making sure You set the security level of the untrusted sites zone to the highest possible. That makes it quite safe to surf around. You will, as a consequence however, bump into a lot of sites that simply won't work properly under the high security level, because only the simplest web techniques are allowed to be used. As You go along, You add the web-sites that You decide to trust into the trusted zone, which has a much more relaxed level of security settings. An example: You will most likely not be able to do Your home-banking on a website classified as untrusted. But hey, if You don't trust Your bank's web-site, why place Your money there in the first place? So You add that website to the trusted zone, and from then on it works. I must admit that adding trusted sites to IE is a cumbersome job. But there are smart little apps available out there that will place buttons on Your Explorer from where You can quite easily add or remove sites from zones. In the beginning, when You have only a few trusted sites, surfing can be a pain, but eventually, when You have added the sites You most frequently visit, it actually starts to pay off.

Tip: I like SpywareBlaster. Why? Because it takes advantage of this built-in facility by adding a list of known spy- and adware-providing sites into Your list of restricted sites. Check it out.

  6. Before opening a mail that looks suspicious, think twice.

and when You are finished doing Your thinking, think once again. Don't open suspicious mails and don't open attachments unless You are confident in what You do. Common sense is the most powerful firewall available.

I will stop here for now, well knowing that there are many issues left I have not covered.

I have only listed some tips on what to do, and generally not how to do it. Feel free to ask for further help or search the web for the info You need.

I know my tips aren't perfect, but I can say, just as well as people in here are saying that they have been running a PFW for years without having problems, that I have been surfing the net for years WITHOUT resident anti-virus protection, WITHOUT resident spyware protection and WITHOUT a Personal Firewall, without noticeable problems.

I occasionally do scan my machines for viruses and other malware using the free online scanners available. They seldom find anything but a few "suspicious" cookies.

Does that mean my machines are clean? - Impossible to tell, but at least I am not stressing my not too fast CPUs with unnecessary add-ons.

/B. Nice

Reply to
B. Nice
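Added example, written for this page and not taken from any poster in the thread: a PowerShell check for the "close your open ports and verify they really are closed" step in the post above. It lists every TCP listener and UDP endpoint on the machine, resolves the owning process and the Windows service(s) behind it, and marks whether the socket is reachable from other hosts or only on loopback. It assumes Windows 8 / Server 2012 or newer (the NetTCPIP cmdlets) and an elevated prompt; the function name Get-ListeningEndpoint is my own.

```powershell
# Added example, not from the thread: enumerate every TCP listener and UDP endpoint on a
# Windows machine and map each to its process and (if any) Windows service, to verify
# that the "close your open ports" step really left nothing reachable from outside.
# Assumes Windows 8 / Server 2012 or newer (NetTCPIP module); run elevated so that
# process names resolve for services running as SYSTEM.

function Get-ListeningEndpoint {
    # Services grouped by PID: several services usually share one svchost.exe process,
    # so a single listening socket can belong to more than one service.
    $servicesByPid = Get-CimInstance Win32_Service |
        Where-Object { $_.ProcessId -gt 0 } |
        Group-Object -Property ProcessId -AsHashTable -AsString

    $tcp = Get-NetTCPConnection -State Listen |
        Select-Object @{ n = 'Proto'; e = { 'TCP' } }, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint |
        Select-Object @{ n = 'Proto'; e = { 'UDP' } }, LocalAddress, LocalPort, OwningProcess

    foreach ($ep in @($tcp) + @($udp)) {
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        $svcs = $servicesByPid["$($ep.OwningProcess)"]

        # 0.0.0.0 / :: means "every interface", including the one facing the Internet.
        # Loopback-only sockets cannot be reached from another host at all.
        $scope = if ($ep.LocalAddress -in @('0.0.0.0', '::')) { 'all-interfaces' }
                 elseif ($ep.LocalAddress -in @('127.0.0.1', '::1')) { 'loopback' }
                 else { 'interface-bound' }

        [pscustomobject]@{
            Proto    = $ep.Proto
            Address  = $ep.LocalAddress
            Port     = $ep.LocalPort
            Scope    = $scope
            PID      = $ep.OwningProcess
            Process  = if ($proc) { $proc.ProcessName } else { '?' }
            Services = if ($svcs) { ($svcs.Name -join ',') } else { '' }
        }
    }
}

# The list that matters is everything NOT bound to loopback: on a PC plugged straight
# into the Internet this should be empty, or contain only services you knowingly run.
Get-ListeningEndpoint |
    Where-Object { $_.Scope -ne 'loopback' } |
    Sort-Object Proto, Port |
    Format-Table -AutoSize
```

This is the same information `netstat -ano` gives, with the PID turned into a process and service name so you know which service to disable. Run it once before and once after changing services, and keep the output with the notes you make about what you disabled and how.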

Portable Firewall - Ethernet for data, USB for Power:

formatting link
I have no personal experience with it, but it seems like a good idea to use this when you're in the field/wild.

Reply to
Leythos

Oops, typo error: The untrusted (or restricted sites) zone normally is set at the highest already. What I meant was setting also the "Internet Zone" to the highest level of security.

/B. Nice

Reply to
B. Nice

formatting link
Duane :)

Reply to
Duane Arnold

B. Nice wrote: [IE]

Better not trust this zone concept of IE. History shows us that this is nothing one should trust in at all.

Yours, VB.

Reply to
Volker Birk

Good idea.

Please consider that filtering is indispensable, too. NAT is not enough, because it was not intended as a security feature and can often be circumvented.

Yes. Not ideal, but very good.

formatting link

Very good idea.

ACK.

ACK.

Don't use Internet Explorer, but any other browser.

And don't use Outlook or Outlook Express.

Thank you for bringing good ideas to this group!

Yours, VB.

Reply to
Volker Birk

You may be right, but I have chosen to give it a try (trust it), and surely I may get my butt kicked at some time, but until now it has turned out to work well for quite a long time.

What else can You do? - Shift to another browser? - I have seen enough security patches released for the alternatives available too.

If You can't rely on the built-in security concept of a product from the vendor responsible for Your very OS, what can You trust? You need to make some choices - otherwise You will end up getting paranoid.

A lot of users get compromised because they simply don't know the possibilities available to them.

If You can provide a link to further details about why the zone concept should not be trusted, I will be happy to learn.

/B. Nice

Reply to
B. Nice

On Wed, 07 Jun 2006 05:31:44 GMT, Duane Arnold

Reply to
B. Nice

B. Nice wrote: [IE]

Yes.

Yes. But I don't know any other browser with so many flaws already in its concepts.

I don't call on you to use Microsoft's products, it's your choice ;-) No, really, Microsoft sometimes is a little bit strange. Some of their products seem to be very good, others seem to be very strange. Internet Exploder seems to be catastrophic.

The problem is that it regularly is corrupted by some kind of cross-site scripting. It just seems to be flawed altogether, like ActiveScripting and ActiveX are.

Yours, VB.

Reply to
Volker Birk

I know You don't :-) And it is not that I have a preference for MS products, it is just that I prefer trying to use what I already have the way it was meant, before solving a problem by installing something new. And as I said, it has worked well. As soon as it fools me, it goes.

Maybe.

How does that show? - Will sites I have "banned" suddenly have unrestricted rights or something?

/B. Nice

Reply to
B. Nice

You are right. However, I will hold on to my claim that a properly configured NAT router with some firewall capabilities gives a home user a decent level of protection from incoming connection attempts.

And if by accident You install something on Your PC that opens an inbound port that You won't allow, You are not immediately exposed.

I hope the forum will help me suggest some good devices.

Okay, what would be the ideal, then :-)

Thank You for contributing!

/B. Nice

Reply to
B. Nice

I agree.

Yours, VB.

Reply to
Volker Birk

Something like that. For detailed information, I'd prefer Sebastian to explain, because he has had a very close look onto Internet Explorer's flaws.

What I can say is that ActiveScripting and ActiveX are concepts which should not be used on the Internet at all. And for that reason alone I would not use Internet Explorer, because I want to have e.g. Flash in my browser, but without implementing an interface for every COM object on my machine.

Yours, VB.

Reply to
Volker Birk

Thank you very much for taking the time and trouble to help us novices. I've tried to make constructive use of Sebastian's terse comments, but they seem to be directed to people with a lot more knowledge of operating systems than I have. Not only am I not an OS expert, but I don't have the time to take on another major hobby, which this seems to require.

The point I keep getting stuck at is the part about "disabling unnecessary services". On my machine right now, there are 109 services listed, of which 61 are running. In the past I've tried disabling various ones, and often discovered some time later that some application or other has stopped working properly. I never get an error message that the reason is due to a stopped service, so end up burning a lot of time discovering that, then figuring out which one(s) I have to restart. I see that I could easily spend a very great deal of time doing this "disabling unnecessary services" bit which the experts toss off as a trivial matter.

My main machine is behind a hardware router and is on all day every day. So far, nothing malicious has gotten in. So I'm satisfied with the security the router provides. Like some other folks who've commented here, I like to know what's "phoning home" and often prohibit it -- Windows Media Player, Windows Genuine Advantage Notification (every time I boot), PGP Tray, Real Player, and on and on. Windows (the MS DTC Console) even tries to call home every time I compile a VB program. This is maybe not a security issue, but neither is closing my window shades at night when everybody walking by can look in -- and I do that, too. A number of desktop firewalls give me the ability to stop at least some of this "phoning home".

My main concern is my laptop machine, which I take when I travel. It has ample opportunity to pick up malware from the various wired and wireless networks I connect to when on the road. Without the benefit of a hardware router, it needs some kind of protection. Like my other machines, I keep it backed up. But it would be a genuine nuisance if it picked up some malware then distributed it to the other machines on my home LAN when I brought it back and hooked it in. So a layer of protection beyond the router for all the machines on my LAN seems prudent. My laptop, like my home machine, isn't just an email-and-surfing toy, but one with a large number of applications and the need to be able to ftp files to and from my web site, download software and patches, and the like.

So, is there any methodical way to close ports and disable unneeded services other than try this and that and see what it breaks, and "Search the net and seek help in relevant forums"? When faced with the task of doing that for 61 running services and another bunch of automatic ones which can be started without my explicitly starting them, I'd just about as soon take my chances with a personal firewall. It has been adequate so far, Sebastian's constant derision notwithstanding.

Reply to
zzy

What I did some time ago was to use Black Viper's list of services and go through that and try to see which ones I could safely disable or set to Manual. Here is a link to that info:

formatting link
His site is no longer, but you can find his work posted on various sites if you Google for "black viper" etc.

It is somewhat of a time consuming process though, and some trial and error is still involved. Generally, I tried to follow the above list and disable ones that didn't appear to be needed by other services etc. I changed one at a time and rebooted, and then checked my Event Viewer Logs for problems. If I saw errors in the logs, I then turned that service back on. Eventually (after quite some time) I was able to disable quite a lot of unneeded services without creating problems or generating errors in the logs. Unfortunately, if you disable them all at once and reboot, then there's no way of telling what's going on and which one is causing a problem. So it's a step by step process.

There may be other easier and/or more automated ways of doing it, but this is at least one way. Takes some research, and trial and error, but you can get there eventually.

Perhaps someone else has a quicker automated way of doing it...

Reply to
Kerodo
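Added example, written for this page and not from any poster in the thread: the one-service-at-a-time routine Kerodo describes (change one, reboot, read the Event Viewer, revert if it broke something), made repeatable in PowerShell. Every change is journalled with the previous start mode and state so it can be undone, and after the reboot the System log is checked for errors since boot. The journal path, the function names and the 'RemoteRegistry' service name in the usage lines are my own choices for illustration; it assumes an elevated prompt on a reasonably current Windows.

```powershell
# Added example, not from the thread: the one-service-at-a-time procedure made
# repeatable. Each change is journalled with the previous start mode and state so it
# can be undone, and after the reboot the System log is checked for errors since boot.
# Run elevated. The journal path and the 'RemoteRegistry' name in the usage lines are
# assumptions for illustration; use the service you are actually evaluating.

$Journal = Join-Path $env:USERPROFILE 'service-changes.csv'

function Disable-ServiceWithJournal {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction Stop
    $cim = Get-CimInstance Win32_Service -Filter "Name='$Name'"

    # Refuse to pull the rug from under services that depend on this one; that is the
    # usual cause of "some application stopped working" with no obvious error message.
    $running = @($svc.DependentServices | Where-Object { $_.Status -eq 'Running' })
    if ($running.Count -gt 0) {
        throw "$Name has running dependents: $($running.Name -join ', ')"
    }

    # Record what we are about to change before touching anything.
    [pscustomobject]@{
        When     = (Get-Date).ToString('s')
        Name     = $svc.Name
        Display  = $svc.DisplayName
        OldStart = $cim.StartMode        # Auto / Manual / Disabled
        OldState = [string]$svc.Status   # Running / Stopped
    } | Export-Csv -Path $Journal -Append -NoTypeInformation

    if ($svc.Status -eq 'Running') { Stop-Service -Name $Name -ErrorAction Stop }
    Set-Service -Name $Name -StartupType Disabled
}

function Restore-ServiceFromJournal {
    param([Parameter(Mandatory)][string]$Name)
    $entry = Import-Csv -Path $Journal | Where-Object { $_.Name -eq $Name } | Select-Object -Last 1
    if (-not $entry) { throw "No journal entry for $Name" }
    # Win32_Service reports 'Auto'; Set-Service wants 'Automatic'.
    $type = if ($entry.OldStart -eq 'Auto') { 'Automatic' } else { $entry.OldStart }
    Set-Service -Name $Name -StartupType $type
    if ($entry.OldState -eq 'Running') { Start-Service -Name $Name }
}

function Get-SystemErrorsSinceBoot {
    # Critical (1) and Error (2) events in the System log since the last boot; the
    # Service Control Manager entries here name the service that failed to start.
    $boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 1, 2; StartTime = $boot } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Id,
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

# One cycle, exactly as described above:
#   Disable-ServiceWithJournal -Name 'RemoteRegistry'
#   Restart-Computer
#   Get-SystemErrorsSinceBoot | Format-Table -AutoSize
#   Restore-ServiceFromJournal -Name 'RemoteRegistry'   # only if something broke
```

The point of the journal is the note-taking B. Nice recommends: you always know what you changed and what it was before, so a service that turns out to be needed weeks later can be put back without guesswork. Checking only errors since the last boot keeps the Event Viewer noise down to the reboot you just did.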

I get Your point. My idea was definitely not to go through _all_ the services running, unless You are very sensitive to Your CPU usage. For a novice that will undoubtedly lead to trouble with applications that suddenly won't work. Don't do that!

You just need to disable those services that are in a network listening state and that You don't need. I would like to be able to post links to good step-by-step guides but haven't done much googling for English ones. I have some very good guides that even a novice can use to harden his/her machine in less than half an hour. But unfortunately they are in my native language.

For me that doesn't make sense. If I don't trust the program vendor to be serious about my privacy, I will not allow it on my machine. As far as PFWs are concerned, I personally wouldn't install a big chunk of code just to be able to control "home phoning".

However, if it makes sense to You, that's fine. We are all different. As long as people don't put it into a security context claiming that they will prevent malware from doing nasty stuff it's fine with me. When malware is already run, damage is done. No matter what people claim. The hard but real trick is to prevent it in the first place.

If running TCP/IP on Your LAN, yes. In those cases I would recommend a simple packet filter like the Windows firewall or, as an alternative for non-XPs like W2K, the CHX-I packet filter with "workstation" setup or, if You are a little techy, You could even configure the built-in IP filter. The reason I recommend those is that they do what they are supposed to without asking silly questions.

Very good point. If You have it connected to Your LAN at home and occasionally take it outside, there are special issues not covered by my guide. My guide, as posted, was targeted primarily at stand-alone machines with an internet connection - which unfortunately wasn't too obvious. I am currently working on putting up a web-site with ground rules (or traffic rules) that even a novice should be able to follow. I am struggling to make it very precise. But since English isn't my native language it takes some time.

Yes. I will see if I can google You some good ones.

Very understandable.

Reply to
B. Nice

Please read Torsten's site at

formatting link
He even has a simple script to do the job for you.

Yours, VB.

Reply to
Volker Birk

B. Nice wrote: > On Wed, 28 Jun 2006 19:26:47 -0700, zzy wrote: > . . .

How do I tell which ones are in a network listening state?

Very noble. But Microsoft, for example, certainly isn't serious about users' privacy considering that the "Genuine Advantage Notification", MS DTC Console, Media Player, and other of their products phone home regularly without permission. I could be pure and stand on principle as you do and not allow any Microsoft software on my machine. (You must not have any on yours.) But I'm not willing to sacrifice my livelihood, which is primarily developing and selling Windows software, in order to be noble.

Again we differ in some basic values. But a question: How do you detect when an application or operating system component "phones home" without your permission, indicating that the vendor isn't serious about your privacy? I assume you don't use a PFW for this purpose, so what method do you use? I'd be happy to try it myself in place of the PFW.

Thanks again for all the help and good advice.

Reply to
zzy

A good guide will tell You both what to disable, how to disable and how to check if You have succeeded.

Reply to
B. Nice

I personally use netstat (DOS command) or some third-party products like Active Ports

formatting link

Reply to
B. Nice
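Added example, written for this page and not from any poster in the thread: the netstat approach B. Nice mentions, done in PowerShell so that each established outbound connection is shown with the executable that owns it, filtered to destinations outside the local network, plus a two-snapshot diff that shows which connections opened while the PC sat idle. That is the practical answer to zzy's question of how to see "phoning home" without a PFW. It assumes the built-in NetTCPIP cmdlets (Windows 8 / Server 2012 or newer); the function names and the private-range list are my own choices and the latter should be adjusted to your LAN.

```powershell
# Added example, not from the thread: a netstat-style view of established outbound TCP
# connections, each with the owning executable, filtered to destinations outside the
# local network, and a two-snapshot diff to catch connections that open while the PC
# is idle. Uses only built-in cmdlets (Windows 8 / Server 2012 or newer). The private
# address ranges are RFC 1918 plus loopback, link-local and IPv6 ULA; adjust for your LAN.

function Test-PrivateAddress {
    param([string]$Ip)
    if ($Ip -match '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)') { return $true }
    if ($Ip -match '^(::1$|fe80:|f[cd])') { return $true }   # IPv6 loopback, link-local, ULA
    return $false
}

function Get-OutboundConnection {
    Get-NetTCPConnection -State Established |
        Where-Object { -not (Test-PrivateAddress $_.RemoteAddress) } |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                PID     = $_.OwningProcess
                Process = if ($p) { $p.ProcessName } else { '?' }
                # Path is empty for protected/system processes unless running elevated
                Path    = if ($p -and $p.Path) { $p.Path } else { '' }
            }
        }
}

function Compare-OutboundSnapshot {
    param([int]$Seconds = 60)
    $before = @(Get-OutboundConnection)
    Start-Sleep -Seconds $Seconds
    $after = @(Get-OutboundConnection)

    # Connections present only in the second snapshot: they were opened while you were
    # not using the PC, which is exactly the "phoning home" you want to see.
    $seen = @{}
    foreach ($c in $before) { $seen["$($c.Remote)|$($c.Process)"] = $true }
    $after |
        Where-Object { -not $seen.ContainsKey("$($_.Remote)|$($_.Process)") } |
        Select-Object Remote, Process, Path
}

# Current picture, then a one-minute idle watch: close your browser and mail client first,
# so what remains is background software talking out on its own.
Get-OutboundConnection | Sort-Object Process | Format-Table -AutoSize
Compare-OutboundSnapshot -Seconds 60 | Format-Table -AutoSize
```

This only observes; it does not block anything. That is the trade-off B. Nice describes: you find out which program talks out and then decide whether to keep that program, rather than installing a PFW to prompt you about it.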

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.