Atguard?

Atguard is no firewall, it's a host-based packet filter. And yes, there are many others implementations with the same level of lousiness as Atguard and Norton, however this is quite offtopic here.

I haven't and I won't.

This would not be advisable; The retail version of Norton is next to useless.

Use the in-build application. Windows Firewall: the best new security feature in Vista?

You are not going to find anything better than the Vista FW and Vista in itself due to the advanced features the FW and Vista are using.

Thanks for the links. Jesper's main argument seems to be that outbound filtering is basically useless against trojans for various reasons. That may be true. But I mainly use software firewalls to block regular software from connecting out. IMHO there is no legitimate reason for Windows Media Player to connect to Microsoft everytime I play a song or video. Microsoft isn't the only offender. So many third party programs do the same thing. So, for example, my newsreader is alowed to connect to my newsserver on the correct port ONLY, and it is not allowed to connect anywhere else. Same with my email client. And the various media players are only allowed to make outbound connections when I want them to.

So what I want is something that will allow me to easily create the necessary rules with sufficient detail. Not a simple "block" or "allow."

Well, but shouldn't you first find any such software? So far this remains a myth.

There is: Your configured it to do so. Change the configuration according to the documentation and such a thing won't occur. Ever.

Microsoft is no offender. The software behaves as documented.

Now excluding your stupidity to configure them correctly, how many are left? I give you an approximate figure: 0

That doesn't make sense. What remains a myth - that software makes connections?

Once again Sebastian, you fail to recognise the difference between a real-world scenario with an average user and the Utopian computing experience you have invented for yourself. There are many applications that one may want to use, but may not want the network capabilities of. One example of a type of software would be ad-ware. A host-based packet filter can be effective in blocking the unwanted network connections. I appreciate that if you are going to use ad-ware, you should accept the advertisement but I can envisage scenarios where this is unwanted.

As we have discussed before, there are useful, security applications for a host-based packet filter. As long as the user is aware of the capabilities and limitations of the software, it is not up to you to say whether the user uses the software or not.

Bogwitch.

That there's legitimate software the makes connection even when being properly configured. We've yet to see any such application.

Sure.

Definitely not.

Normally it isn't. And a much more appropriate way is to simply configure the software accordingly. Why don't you use a software which does exactly that?

Then your definition of legitimate and my definition of legitimate are different. And who are _we_? You most certainly are not speaking for the whole group!

Why not? I have used several utilities in the past that the author released as ad-ware. Rather than charge for the software using one of the 'regular' licensing models, it was made clear at the time of installation that occasional advertising banners would adorn the software. It did not make the software any less legitimate.

Normally it is. It is only when software is *specifically* written to bypass/ disable host-based packet filters that is isn't.

Because occasionally, the functionality required comes from software that does to fit into your utopian view of computer use.

Bogwitch.

I'm sorry for trying to be reasonable. If you're too stupid to configure your application correctly, then you shouldn't blame it on the software.

This just makes it legitimate in a juristic sense. From the application perspective, the advertisement is superfluos stuff that doesn't benefit the user at all, consumes bandwidth, wastes space on the GUI and annoys.

Such as Real Player, who considers such blocking as a network error and tries to bypass it? Like Adobe License Manager, who uses raw sockets because it detects that something is broken in the NDIS LSP layer? Beside that, most implementations are horribly broken. Not to mention stupid defaults like allowing access to Internet Explorer, Outlook Express, MSN Messenger, ...

?

Trying to be reasonable? Your posting style is aggresive and condescending. I have yet to see you post reasonable comments. And then you call me stupid. As I explained below, it is not always a case of configuring the software correctly. I have no problems configuring my systems correctly.

Is ligitimate in a juristic sence not legitimate then? Maybe you should refer to applications YOU are happy to use as 'Sebastian legitimate'? Benefit to the user: The user has an application that they may not have otherwise had. The author gats paid, the user gets free-to-use software.

Well done. You have named two applications that are written to attempt to bypass host-based packet filters. Now, if you had any kind of idea of how a properly configured installation of AtGuard works, you would know that both bypasses would not work with AtGuard. Did I mention OE, IE etc.?

To explain myself better. In your utopian view of computer usage, no-one would want to use ANY software that did not comply with the 'Sebastian' view of software. That is, software that had configurabe options for every concievabe function of the software. We are not all you, however much you may want it.

As I mentioned before, there is a legitimate purpose for using a host-based packet filter such as AtGuard. Your aggresive refusal to accept this and deriding of anyone who uses such a tool is counter-productive. Only your general knowledge of the subject matter puts you (slightly) above the position of group troll.

Bogwitch.

As long as you cannot present any case of a legitimate software that is not supposed to communicate via network, can be configured to not do so, but actually does (in violation of the configuration), it will always be.

Is that even a question? Of course there's a huge difference between law and moral. Do you think that the Iraq war is legitimate just because it is juristically legitimate?

Nonsense. Free alternatives exists. Beside that, as long as there's no explicit need for the software, this would be no benefit at all.

Who cares for the author?

Why don't you rather try it yourself?

Anyway, you're contradicting yourself. Any software that does not try to bypass your strange restrictions is legitimate, but then it doesn't require any control at all. Any software that does shouldn't be considered legitimate, and thus control isn't effective.

Not to mention known security vulnerabilities introduced by AtGuard. Where's the problem with running Driver Path Exerciser with the full HCT tests until you'll find the very fine blue screen?

Oh, that's it. Why don't your simply tag it as "bullshit"?

Sure. But not the one you claimed, and not for such a broken implementation like AtGuard.

Your aggresive refusal to understand that additional software introduces complexity which reduces security and therefore the explicit need to justify that by actually verifying the proclaimed increase of security, that's the only thing going wrong here. And especially with AtGuard you're definitely making the system more insecure.

I have presented an entire *class* of software. I'm not going to go into specifics.

Iraq war != software. Not possible to compare the two. You're clutching at straws.

Not always, and if a user installs a specific piece of software, they have a perceived explicit need for it. I'm sure you would call them stupid for doing so.

Anyone who wants the author to continue writing software? Or have you written all your own OS and apps?

Because I don't need to. I've seen AtGuard working for many years. I know it's strengths and weaknesses.

No, I have cited an example of a *group* of software.

Do you mean the Device Path Exerciser? Wow, that's really obscure. Is that the best you can do? Please explain the security vulnerability that introduces, citing REAL WORLD examples.

It is what it is.

I was not the OP. I do agree however that the use to which the OP puts AtGuard is legitimate. AtGuard is not so broken. It was, at it's time, a fantastic piece of software, it is sadly no longer supported. Hence the OP asking if there was a modern alternative that is as configurable as AtGuard was.

Just where did I refuse to understand that introducing new software increases complexity and *potentially* reduces security? I am advocating the use of AtGuard (or, if a better supported product of a similar ilk is produced) for *specific* purposes as part of a layered security approach. Where did you get the idea that I meant anything else?

Bogwitch.

Sure you won't, since you'd find that this class is empty.

Now, I'm just illustrating how broken your argument is, by analogy. There is in fact no difference between how moral and law are different on any issue, may it be Iraq war or software.

Yes, always. Would also be quite non-plausible how domain-specific software with no alternatives could be ad-ware supported. Doesn't this sound stupid even to you?

Or they're just idiots. Best example so far: Skype.

And what about other authors?

Hm? Missing the logic in there...

Obviously not, and obviously you didn't bother to audit it properly. Sure you won't see any but the obvious defects until you're actually searching for it.

Without any (meaningful) definition.

Buffer overflow in handling the FsSetVolumeInformation-FsSetDirectoryInformation IOCTL in the NDIS filter driver.

Is the best you can do ignoring everything?

Right. Bullshit spelled out by you, claiming things about what other people are thinking, just some miles away from reality, for cascading your lack or arguments.

Unless you actually think about it.

Is that political correctness for "horribly broken"?

Unless you took a look a any not so broken implementation.

See: you do. Advocating the use of a superfluos piece of software without considering the implications.

Ah, the "layered security" buzzword. Of c'mon, you can do better.

Really? You're a fool.

You said *FREE* alternatives. Not always.

Once again, anyone not agreeing with you is an idiot?

Without authors, no apps. *You* don't care for authors.

It is clear to all must the most narrow-minded among us.

Remotely exploitable? C'mon. Refer back to the original post. This is on an individuals workstation.

It is you that needs to considerthe OPs situation, not just the generic best practice as put forward by yourself.

No, it's not so broken as to make it insecure for relevant applications.

Again, we have had this discussion before. A layered securty approach is not a broken approach.

Bogwitch.

Strange enough, no one, including you, could even state an example.

I proclaim that every software for which no free alternative exists is not ad-ware supported.

No. It's simply a fact that ~90 % of all computer users are idiots wrt computers. And those idiots typically install software without seeing any need for it, without any reasonable evaluation of their problem and without considering alternatives.

Who said that I don't care for authors? I just don't care for specific authors. The authors of ad-ware supported software particularly I don't care for, for the authors of free alternatives I do.

No. You're yourself confusing the subject. How do you define legitimacy of software? Even though 90% of users think that software is illegitimate if it sends data due to the user being too stupid to configure it correctly, this definition wouldn't be reasonable at all (since the software behaves as documented).

I didn't claim that this is remotely exploitable. As if locally exploitable wasn't worse enough, there are many other remotely exploitable security vulnerabilities including DoS with SYN, UDP and ICMP flooding or bypassing the filtering with overlapping IP fragments.

Could it be that your argument makes no sense? The OPs situation is that his software doesn't work as he wants due to misconfiguration. Reasonable solution would be configuring the software correctly or simply replacing the software with alternatives.

Trying to filter at the network stack is a rather stupid approach.

Hm? Local privilege escalation and trivial bypassing is not exactly irrelevant.

It is. Introducing superfluos layers to address misunderstood problems doesn't increase security, but just increases complexity. You're twisting it with "defense in depth", which works quite differently.

Have you investigated the functionality of *EVERY* package available? If not, you are speaking out of the top of your head.

Which leaves a sizeable 10%. (Your statistics - I would put it closer 10

99% vs. 1%)

"Who cares for the author? "

Leaving a sizeable 10% again.

And the OP was referring to his own installaiton, local escalation is not an issue.

The OP did not state what software he was using. It was your assumption that he could not either configure his software properly or was not using an application from the 'Sebastian' list of approved applications.

But effective in certain circumstances.

Local escalation *IS* irrelevant on a single-usetr workstation that is under the control of the user. This is a home installation. I would not support the use of a host-based packet filter in a corporate environment.

The understanding of a layered approach and defence in depth is regarded by all but the most pig-headed to be the same. It's all semantics and not relevant to this discussion. Introducing additional layers does not imply a misunderstanding of the problem.

Bogwitch.

Only because trial lawyers like John Edwards have sold their souls to the devil in order to rape and pillage the citizens of a country by the so called laws that these lawyers like to dream up.

Do you think that the Iraq war is legitimate

Yep, unless you want to fight the terrorists in your home town, vice over in Iraq.

You did eariler in the thread. Now from your posting history, you will deny this. You act just like a sleezy lawyer with a leftist socialist bent, hitler would have loved you.

Actually his group is quite clear.

"Every" as in "generally every, there may be some exceptions, but they're rare."

So you have a problem understanding text...

For those 10% the problem doesn't exist.

Now you're definitely making a fool out of yourself. The problem is malware, and privilege separation is supposed to limit the impact upon infection. Privilege escalation vulnerabilities directly impact this design.

A very reasonable assumption, since there is no legitimate software that misbehaves as described. Unless you can actually name any example.

Except the one we're discussing. Or mostly any other.

Utter bullshit. See above.

What a nonsense.

Defence in depth has nothing to do with layering, and if you had a clue you'd understand where the difference is.

I'll just put you where you belong.