Firewall for Windows XP + 98 + broadband

We recently purchased a new Windows XP PC for home use but kept the old Windows 98 which is perfectly good enough for the kids to use for homework, etc.

I previously ran NIS 2004 on the old 98 PC for dialup internet access but it slowed it down significantly, my subscription runs out in July & it is no longer supported, so I have de-installed it. I am not currently using this PC for internet access at all.

I am still running dialup on the new XP and have been using only the Windows XP firewall so far. I am about to upgrade to broadband and am getting a modem/router so I can share the connection with the old PC as well. I am getting a Dynalink modem/router which has a built-in firewall. I also have AVG anti-virus on this PC.

Is the combination of the Windows XP firewall & the built-in modem/router firewall going to be sufficient? Or should I install an additional firewall product, e.g. Zone Alarm? What about the old 98 PC? There don't seem to be many firewalls around which support Windows 98 (it is original 98, not 98SE), though I did previously run Zone Alarm on this machine (I think 4.5 or 5.5) before I bought NIS 2004.

Thanks for any advice

Liz D

Reply to
liz_davidson_nz

liz_davidson snipped-for-privacy@hotmail.com wrote:

Hi Liz D :-)

In those days I used ATGuard which was a perfect firewall for Win98 :-)

My regards Søren

Reply to
Søren Skovgaa

Bullshit. It doesn't have privilege separation and therefore is anything but usable for multiuser environments.

That's its job!

Definitely. But you should still disable unnecessary services.

Eh... no? That's just a very common stupid idea.

What's about it? Disabling NetBIOS is already sufficient, that's far easier than on a WinXP system.

Eh... because it doesn't need any?

Why? I thought you'd require a firewall, not a personal network disco.

Reply to
Sebastian Gottschalk

Yes, you should install another firewall. Windows XP firewall only does 1/2 the job, (inbound not outbound). Zone Alarm should be fine on an XP machine.

Reply to
DrunkenMister

There's absolutely no need nor any advantage in doing outbound filtering on a home computer.

Fine for messing up the system.

Reply to
Sebastian Gottschalk

Wrong. You don't need to allow much outbound, and you would be monitoring what leaves your network.

No, it works fine for most customers.

Reply to
Leythos

I disagree, especially on a new computer.

Reply to
DrunkenMister

And of course you have some facts to go with that disagreement?

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

Eh... why? What exactly do you want to filter?

I could only imagine few scenarios:

- egress filtering

- unreliable filtering on SMTP when using Submission or IMAP

- limiting wanted services against accidental misconfiguration

- limiting broadcasts

And hardly any of those are interesting for a casual user.

Reply to
Sebastian Gottschalk

I was thinking that I would only need outbound filtering in the event of some malicious trojan or similar getting onto my system. The old 98 PC will primarily be used by my kids who will soon be teenagers and may not always adhere to safe online practices as I do.

Thanks for the responses, though there seems to be 2 equally strong schools of thought here:

1) Software firewall is unnecessary

2) Software firewall is essential

So I'm not sure I am any the wiser.

Here's what I think I will do.

On the XP, keep with Windows Firewall and replace IE with Firefox, though I will keep Outlook Express for the time being as I have a Hotmail account I still check fairly regularly.

On the 98, replace IE & OE with Firefox & Thunderbird. Hopefully it will be more robust for my kids to use & less likely to let something nasty through.

On both, run anti-virus & check for spyware regularly.

How does that sound? (Please be nice)

Liz D

Reply to
Liz D

Perhaps you would count me to group 1). But this is wrong.

The question has to be:

"What threats do I want to be secure from?"

Threat: abusing network services offered by your machine, and/or exploiting them

Possible solution: do not offer network services.

Possible solution: filter away the traffic to your network services.

Good idea.

Checking for viruses can be a good idea, if you know the constraints this concept has.

Not so bad.

Yours, VB.

Reply to
Volker Birk

The comment about a new computer is rather odd. But that notwithstanding, egress filtering is a very important principle as applied to securing a system. Which btw, egress is synonymous with outbound.

The data transmitted from egress packets can be just as much a risk as ingress packets. For instance, a connection can be initiated to a POP3 server to retrieve email. Now due to the firewall ruleset this protocol (POP3) is authorized for this and only this POP3 server. That is a great start to securing the POP3 protocol.

However, what resulting implications does this have? So let's say the end-user is utilizing a version of Outlook to read their now access email messages. Now this application has been known for a decade or more to have serious security vulnerabilities -- and probably will continue to in the near future. The end-user opens an email with an obfuscated malicious script that activates and accesses sensitive portions of the end-user's system. It compiles this sensitive information, packages it, and transmits it out to an open-relay SMTP server, and then installs a bot.

A feasible scenario, correct?

All these threats can be mitigated by the use of egress filtering. Sure you may still be compromised, or infected; however if a connection cannot be initiated to the outside world; your sensitive data has been protected.

Simply, egress filtering is another layer in the technique known as "layered security". With further research you may find that this term is accepted as the suggested technique by industry accepted standards bodies.

Reply to
Secure Buddha
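
The scenario from the post above, as an added example that is not part of the original thread: a first-match egress ruleset with a default deny, evaluated over outbound connection attempts. All addresses, ports other than POP3/SMTP, rule contents and function names are constructed for illustration, and the ruleset is assumed to sit on a separate device such as the router.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges), not from the thread.
POP3_SERVER = "192.0.2.10"    # the one mail server the ruleset authorizes
OPEN_RELAY = "203.0.113.25"   # hypothetical open-relay SMTP host

@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "deny"
    proto: str      # "tcp" or "udp"
    dst_net: str    # CIDR the destination must fall in
    dst_port: int   # 0 matches any port

# First match wins; anything unmatched falls through to the default deny.
EGRESS_RULES = [
    Rule("allow", "tcp", POP3_SERVER + "/32", 110),  # POP3, this server only
    Rule("allow", "udp", "192.0.2.53/32", 53),       # DNS to one resolver
    Rule("allow", "tcp", "0.0.0.0/0", 80),           # web browsing
    Rule("allow", "tcp", "0.0.0.0/0", 443),
]

def decide(proto, dst_ip, dst_port, rules=EGRESS_RULES):
    """Return 'allow' or 'deny' for one outbound connection attempt."""
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r.proto == proto
                and dst in ipaddress.ip_network(r.dst_net)
                and r.dst_port in (0, dst_port)):
            return r.action
    return "deny"  # default deny: unlisted outbound traffic is dropped

def audit(flows):
    """Split flows into (allowed, denied); denied flows are the ones to review."""
    allowed, denied = [], []
    for flow in flows:
        (allowed if decide(*flow) == "allow" else denied).append(flow)
    return allowed, denied

# Constructed outbound attempts from one home PC.
SAMPLE_FLOWS = [
    ("tcp", POP3_SERVER, 110),      # mail client fetching mail
    ("tcp", OPEN_RELAY, 25),        # script mailing data to an open relay
    ("tcp", "198.51.100.7", 110),   # POP3 to a server the ruleset does not list
    ("tcp", "198.51.100.7", 6667),  # bot traffic on an unlisted port
    ("tcp", "198.51.100.7", 80),    # broad port-80 rule: not covered by this filter
]

if __name__ == "__main__":
    ok, blocked = audit(SAMPLE_FLOWS)
    for flow in blocked:
        print("DENY", flow)
```

The denied list doubles as a monitoring signal: an unexpected SMTP or unlisted-port attempt from a home PC is worth investigating even though it was dropped.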

Try Sygate Personal Firewall (free) v5.6 build 2808. It works well on Win 98. I have had Sygate on my Win98(fe) for about four years without any problems.

formatting link

Reply to
Casey

Unofficial help:

formatting link

Reply to
Casey

This is a dumb start for securing POP3. POP3 should not be used any more, or at least it should be used with SSL only.

[Outlook]

Dumb again.

No. All those threats can be mitigated by not using Outlook as a MUA, at least not using with unencrypted POP3.

Oh yes, this "layered security" nonsense. The thing, people think of like "if you don't understand the threats, and you don't understand the provisions against them, then use many of those provisions you don't understand, maybe this will help better. Better than only the provisions you have already (which you don't understand), because those are failing regularly."

'Great'.

Yours, VB.

Reply to
Volker Birk

old Sygate versions also at

formatting link

Reply to
fritsz

Try Sygate Personal Firewall (free) v5.6 build 2808.

official help also in :

Sygate Personal Firewall Pro User Guide Version 5.5 (1327KB)

formatting link
Sygate Personal Firewall User Guide Version 5.5 (1351KB)
formatting link

Reply to
chris

There is a big difference between the POP3 protocol and SSL+POP3 (which happens to be called SPOP3 when utilized in conjunction with one another) protocol suite. You will NOT be able to analyze SPOP3 traffic on a firewall unless one of two scenarios are in place:

1) The firewall is located on the receiving node.

2) You utilize a SSL proxy.

So how would one filter against an encapsulated activeX script if they could not read the payload of an encrypted SSL packet? hhmmm.

Your statements that securing POP3 is useless, are completely absurd. Every attempt to contribute another layer to a security posture is by no means at all useless. The fact that you believe that a "layered approach" is not a worthy security principle; simply shows your inability to understand the sole purpose of information security. Which is to secure data with the following two results in mind:

1) based on its "value"

2) based on the effort needed to compromise the data

Otherwise we could all just utilize resource intensive encrypted protocols all the time. Let's all generate 15,000 bit asymmetric keys and then calculate our encryption utilizing gigaflops of processing power to send a 100KB email to the group. That is pretty farfetched, but so are your statements.

Not everyone here can call up their ISP and elicit them to alter their standard operating procedures to the liking of a single client. Maybe they just happen to have an administrator on hand with nothing to do at the time; and just so happens they have a free SSL certificate laying on their desk. Wouldn't that be grand.

Anybody in this mailinglist can blurt out the most obvious of security measures to secure a system in a perfect world. The 1000-pound gorilla stance on security might work in your world, but not in mine or anyone else's for that reason. Wait --- if you really wanted to be secure why are you connected to the internet? You had better go pull the plug right away!

hhmmpphh...

Furthermore, your statements that the aforementioned threats cannot be mitigated through egress filtering is completely wrong. I think you are confused here. The egress filtering is for "outbound" traffic. This has absolutely nothing to do with someone reading your POP3 traffic -- which was your reasoning for utilizing SSL correct? When you discuss securing POP3 with SSL tunneling you are referring to ingress traffic (minus the traffic needed to facilitate transport). Your statement that not utilizing outlook will mitigate a malicious script is unfounded. So you are saying that if I utilize another MUA that there are not any vulnerabilities for the selected application. Great where do we sign up for that?! Obviously this is untrue ... even to the most basic end-user. Another MUA could be compromised just as easily as outlook --- therefore it too could allow transmission of outbound traffic. That is why egress filtering is important. Remember VB; egress--out, ingress--in. We are talking about egress traffic.

Also, I don't recall the end-user stating that they happened to have an SSL "provision" (as you call it) available to them. So you would have them utilize a "provision" that they don't have? Interesting. While I am at it ... I am sending this message on a computer that I don't have as well.

You really should review your statements more carefully before posting. At a minimum, you may want to research whose comments you are referring to as being "dumb". Your outspoken and inflammatory comments may make sense to individuals with lesser experience in the realm of information security; but a lot of us here make a living playing with packets --- we know what is BS and what is not.

Reply to
Secure Buddha

Yes. Of course.

The complete MUA/MTA setup described by you is unusable. POP3 transfers authentication in cleartext, that means you must not use POP3 over an unsecure network like the Internet.

The opposite is true.

BTW: there is no need for filtering out ActiveX components out of a POP3 communication. Just don't use a MUA which implements ActiveX or COM.

Yours, VB.

Reply to
Volker Birk

Wrong. The malware will simply shut down the host-based packet filter.

Reply to
Sebastian Gottschalk
