NIS will not let me synchronize the PC Date/Time

I think you should get a clue about COMPUTER networks, rather than CBS beachfront museum crap, which is what you're selling.

Reply to
zzbunker

If you subscribe to the idea that no PFW is effective in any manner, then yes, that would be one reason. If you believe that a PFW can offer "Some" benefit over Windows Firewall, that would be incorrect and they need to be answered.

In most cases, I would tell a person the corrective action and then warn them about the exploits/dangers of X, not just tell them to uninstall it - unless I was positive that it offered NO BENEFIT.

Yes, many people won't take the time to explore the claims from a differing side, some will remain blinded by their own testing - which could have been flawed. So, there are people that will always fail to reason, they will stick with one position no matter what they are presented with, and they may suffer or not for their decision.

So, what it really comes down to is you either answer their question and then provide them with reasons to switch so that the user can make a decision based on good information, or you rant to them and get ignored as a loon.

Reply to
Leythos

I definitely agree that just saying "uninstall" without knowing the user's environment isn't very clever.

On the other hand, many users of PFW's are not able to explain precisely what BENEFIT they gain from *having* it installed. So there must also be people out there blindly shouting "install".

Yes, that would be the ideal, but it seldom works that way. Many will be gone again as soon as they get their initial question answered. To convince people that there are other ways requires an ongoing dialogue. And, in my experience, very few are prepared for that when they have already gotten a "quick fix".

I hopefully never ranted at anybody seeking advice. But I do like to argue with people claiming that a PFW is the answer.

/B. Nice

Reply to
B. Nice

I'm still missing your argument. And the point that this all applies to state-of-the-art computers and networks as well. And that none of these are addressed by PFWs.

Reply to
Sebastian Gottschalk

No, that's the wrong approach, as the proper approach would be to educate the user to the exact exploits, the scope of those exploits, and what if any that means to the user. Constantly ranting that you need to uninstall X product and use Windows firewall is counterproductive to that group of people's message.

I guess this part really depends on your "belief" that Windows Firewall is better at protecting users than product X, or windows firewall is better at protecting all users than any other product is.

I'm not part of the group that believes Product X can't protect users better than Windows Firewall does, I guess, because I've seen product X do things that Windows Firewall doesn't, and I've never seen a user with product X compromised with my own eyes (note that I didn't say it doesn't happen, just that I've not seen it, and I've seen a LOT of computers).

The guru/higher than god way they talk to people does not serve their message well. The fact that they won't discuss anything and that they ignore real-world cases that disprove what they say, well, that doesn't do their message any good either.

Don't get me wrong, I don't approve of PFW's as quality solutions, in fact, I classify them as a last resort type option. I would rather see a user without a PFW and using a NAT appliance, since I can just about be sure I can block outbound connections based on port, can log in/out traffic, can block inbound traffic unless mapped for a clear reason, and in some NAT devices I can even filter http sessions for proper content.

My group of guys use PFW solutions on all of their laptops, because we go into clients' networks and new clients' networks where there MAY be something we don't want to hit our machines or where we want to monitor the internal traffic not hitting the firewall.... I have used Kerio, Tiny, ZA, ZAP, etc... I've even used Windows Firewall, but WF doesn't tell me what is happening and I trust it as much as I trust IE. In my experience Kerio, Tiny, ZA, ZAP have never let me or anyone I know down and have never been exploited on their machines.

I'll stick with something I've seen work quite well in the field vs something that MS claims will protect me "well enough".

Reply to
Leythos

Educate. Exactly. I doubt teaching them about exploits will make sense though, but teaching them some decent user behaviour will.

Agree.

I don't share that belief. I do believe, however, that the windows firewall gives decent protection when used properly.

This is one scenario where even I could get convinced that a PFW might not be a bad choice - again depending on the circumstances, I am not a fanatic. Until now we have mainly been discussing average users, though. You and your guys can probably not be considered average.

I also have a laptop that I occasionally pull out of my home network to take out and plug directly on to the internet somewhere. Since I am not running XP I cannot use the windows firewall for that purpose, but if I could, that would probably do the job for me. I get along fine with a very simple packet filter.

Fine with me.

Reply to
B. Nice

Sorry, this is wrong.

Sybase and Outpost, for example, add potential privilege elevation threats by having the design flaw of installing system services, which open windows (a thing which a service never should do for security reasons, which you can read in Windows developer's documentation).

Zone Alarm and Norton InSecurity i.e. are adding danger to the user by entrapping him to enter his PINs into the software, which filters then the PIN in outgoing traffic - a thing which shows, that Zone Labs and Symantec (or at least the "Personal Firewall" developers there) have no clue of data security at all. Why this is true, you can read in

All of the above for example are adding vulnerability to the SelfDoS attack to the PC they should protect.

The Windows-Firewall does not add these extra attack vectors to a PC it should protect. AFAICS it adds _not_ _a_ _single_ extra attack vector to a Windows PC.

And the Windows-Firewall does not have the b0rken concept to ask the user security related important questions for decisions, which can bring her/him into trouble. This is a major design flaw, because the user should not be responsible for protection, but being protected.

Yours, VB.

Reply to
Volker Birk

What do you call it when any application that the user is running can add exceptions to the Windows Firewall rules? Even if the user is made aware of it, isn't that the same as you complain about the other solutions?

Reply to
Leythos

Now this is interesting, you think that the user should be out of security related questions. Well I don't, I'm the home user you are talking about, really I am, I'm not an expert or computer geek, I'm only a home user. So now you are telling me that I should leave my confidential data to software which will make decisions without consulting me, no thank you. That is software I don't need, and a concept I don't approve of. You just pointed out the main Windows firewall weakness: it makes its own decisions, which are not always correct, and it may allow malware to work without informing the user, i.e. me, about anything. That selfdecision nature of Windows firewall is a justified reason to drop it and use a Personal, not selfdecision, firewall despite the extra attack vectors. The probability of getting compromised by malware is much higher for me than the probability that I will be compromised through any of the additional attack vectors mentioned. But that is my case only.

Now I will quit this discussion since it is pointless, I don't trust PFW or Windows firewall and I never will. Volker will never stop glorifying Windows firewall as the only and universal personal firewall solution even though Windows firewall doesn't deserve such glory. At home I have a NAT Router with a built-in firewall and that is enough for me, I'm a home user with no interesting or financial data on disk. When I'm working with my laptop on a public wi-fi I have sharing and unneeded network services off, I work on a limited account and I usually employ ZA since it has the "LAN issue" :-) (I use a bug as protection, funny). Also, I never transmit any personal data, passwords (check e-mail), account numbers etc. over an unprotected wi-fi connection, it can be sniffed. Just for info, the example I gave about a user connecting to public wi-fi comes from my experience (I travel a lot, that is part of my job): the majority of connected machines' firewalls keep the wi-fi network in the trusted zone, and users are usually not aware of that. Firewall developers should do something about that. I know that ZA can be configured to put unprotected wi-fi networks in the internet zone automatically, I don't know about the rest of the PFWs.

P.S. I apologise to everybody on this group for posting replies to myself. My ISP has troubles with its news server. I made a complaint and they answered that they are working on it. I read articles on a read only news server, but I have to post on this one. Sorry.

Reply to
alf

Little did I realise what I was starting with the original question.... However, from keeping a close eye on this thread I think it is probably best if I use the FW built into my wireless router (3Com 3CRWE754G72-A) and just disable both NIS and Windows FW's. Would all you knowledgeable folks in here agree? Regards Patrick.

Reply to
Patrick E. King

It would be a good idea, while it will do no harm to leave the Windows-Firewall on.

Yours, VB.

Reply to
Volker Birk

If you don't trust your software provider, you will be lost anyways. How do you want to control anything?

And if you're using a "Personal Firewall", you're completely lost, too. They're only taking you for a ride, because you then not only have no control about what your operating system does, but have no control about what your "Personal Firewall" _really_ does, too.

It makes _no_ decisions. It just filters anything away, which wants to use network services on your machine, and that's it. And this is a good idea, because as a home user you should not offer network services to the Internet at all.

I don't want to glorify anything, and not the Windows-Firewall at all. The most sensible solution would be not to offer network services at all, and if you want to glorify anybody's work, then choose Torsten's script for stopping network services. This is the reason, why I implemented

formatting link
Since WiXP SP2 you have such security by default, because unfortunately Microsoft made the mistake not to stop starting unwanted network services in this release, too, but instead decided for implementing the second best solution, a default filter in front of all network services: the Windows-Firewall.

Good idea, too.

This, again, is not the problem. The problem is, that your box could become part of a botnet and abused as a zombie endangering other systems, and you even don't realize.

Yours, VB.

Reply to
Volker Birk

It consulted you: by allowing to define additional rules. It will, however, silently apply those rules and silently log their application. Which is exactly how it should be.

It doesn't allow it, it simply understands that it cannot prohibit it in any effective, serious and/or reliable manner. Instead of adding much additional bullshit trials, it simply skips bullshitting around.

So extra attack vectors are an argument to add something that is superfluous?

Could be, but how could a PFW change that? Once the malware is running, you have already lost, no matter how hard you try.

Still you're twisting the lesser evil and lack of evil. Volker's argument is that if you want to use a host-based packet filter, Windows Firewall is usually a good choice.

I know that ZA cannot even be configured with rules referring to TCP states, making it unusable for any serious packet filtering.

Reply to
Sebastian Gottschalk

Not really, at the least I would suggest the following:

On a single computer network:

- NAT Router for connection to internet
- Windows Firewall
- File/Printer sharing disabled/removed
- additional security settings, browser, email, AV software, updates, etc...

On a multi computer network:

- NAT Router for connection to internet
- ROUTER blocking outbound ports 135-139, 445
- Windows Firewall on all machines, File/Printer sharing exception if needed
- File and Printer sharing enabled (if needed)
- additional security settings, browser, email, AV software, updates, etc...

If you want more security, remove Windows Firewall and install a Quality PFW of your choice.

All solutions would also include WallWatcher so that you could monitor in/out bound traffic in real time.

If you want one better than a cheap NAT router, which offers little protection, get the D-Link DFL-700 Firewall Router.

Reply to
Leythos
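The router-side block of outbound ports 135-139 and 445 recommended in the post above can be checked against the router's traffic log. The following is an added example, not part of the original thread: the log format, the sample lines and the 192.168.1.0/24 LAN range are constructed assumptions and do not reproduce WallWatcher's or any particular router's output.

```python
import ipaddress
import re

# Ports the post says the router should block outbound: 135-139 and 445.
BLOCKED_PORTS = set(range(135, 140)) | {445}
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN range

# Constructed log format: "<time> <ACTION> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<action>ALLOW|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log lines (documentation address ranges as Internet hosts).
SAMPLE_LOG = """\
12:00:01 ALLOW TCP 192.168.1.10:49152 -> 203.0.113.5:80
12:00:02 DROP TCP 192.168.1.10:49153 -> 203.0.113.9:445
12:00:03 ALLOW UDP 192.168.1.11:137 -> 198.51.100.7:137
12:00:04 ALLOW TCP 192.168.1.11:49200 -> 192.168.1.20:445
12:00:05 ALLOW TCP 192.168.1.12:49300 -> 198.51.100.7:135
garbage line
"""

def audit(log_text, lan=LAN):
    """Return (leaks, blocked, skipped).

    leaks   - LAN -> Internet traffic on a blocked port that the router ALLOWed
    blocked - the same kind of traffic that the router DROPped
    skipped - number of lines that could not be parsed
    """
    leaks, blocked, skipped = [], [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except (TypeError, ValueError):  # no regex match, or invalid address
            skipped += 1
            continue
        if src not in lan or dst in lan:
            continue  # only LAN -> Internet is of interest; LAN-internal sharing is fine
        if int(m["dport"]) not in BLOCKED_PORTS:
            continue
        record = (m["time"], m["proto"], str(src), str(dst), int(m["dport"]))
        (leaks if m["action"] == "ALLOW" else blocked).append(record)
    return leaks, blocked, skipped

if __name__ == "__main__":
    leaks, blocked, skipped = audit(SAMPLE_LOG)
    for rec in leaks:
        print("outbound rule missing or bypassed:", rec)
    print(f"{len(blocked)} dropped as intended, {skipped} unparsable line(s)")
```

Any entry in `leaks` means NetBIOS/RPC/SMB traffic left the LAN despite the intended router rule, which is the condition the outbound block is meant to prevent.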

So it allows.

I didn't mean that. I did compromise between them. Any selfdecision software which can be controlled by another software or remote user is a possible attack vector too. Windows firewall _is not_ an attack vector, but it is not very far from one either. Imagine a situation where malware reconfigures Windows firewall and establishes communication with a remote user. The remote user, then using the malware's built-in routines, reconfigures Windows firewall to block legal communication of some software, which will cause a delay in communication which will result in financial damage to a user. Isn't Windows firewall software in that case used to do damage?

It is the anti-virus's job, not the firewall's. But some PFWs start complaining about something when malware is running. In the case of an average user (means more than one malicious process is running) the PFW will do a "pop-up flood", after which the user is usually seeking help.

That is true and I said that too, in one of my previous posts.

Reply to
alf

Yes, and this is fully intended because there's nothing else to achieve.

As a restricted user you cannot control Windows Firewall.

Where's the difference to PFWs, serious host-based packet filters or no packet filter at all? The only noticeable difference would be a NAT router with a firewall and active UPnP support.

No, it's the user's and/or the admin's job. A virus scanner is merely a host-based IDS.

In case of average malware the PFW is already shut down at this moment. If not, f.e. due to restricted rights, it simply clicks the Allow Button and goes on.

Reply to
Sebastian Gottschalk

I like UPnP off, but that is me.

All I tried to say is that no one can advise a PFW to anybody without informing himself about the poster's situation, and I still believe in that. It means you cannot advise Windows Firewall or any other PFW without information about the poster and his/her situation, like some on this group do. Help if you can, but don't force posters to use a solution that maybe doesn't fit their needs. Now I have to quit the discussion since, because of the nature of the job I'm doing, I will not be able to access the internet for a while, starting tomorrow.

To all Joe Average: Use NAT router with firewall when ever you can. If you can't, Windows firewall is usually good alternative, but if you have problems with it or you think you are not safe with it, pick up PFW of your choice. You can start from here:

formatting link
In addition, inform yourself about problems and additional attack vectors (vulnerabilities) for each of them and pick what you think will fit your needs.

To Joe Average like myself (means one who like to learn things and experiment with technologies)

Some people on this group would tell you something like:

And that should solve all your firewall problems.

I will say, learn things about the OS you use, networking, learn some programming language and make your own utilities. You may find that in some cases on some OSes you don't need a firewall at all (but also you will realise how stupid it would be to work like that). Try Linux. You can start from any Live Linux Distribution. All that geek stuff ain't so complicated that you shouldn't at least try to learn some of it. Try not to be a sheep, be a watch dog. But note that there is a thin border between a dog and a wolf.

P.S. I'm going to use another ISP next time. These replies to myself are becoming a shame.

Reply to
alf

Please outline a situation, where a "Personal Firewall" will be sensible and why. I never met a person, who was able to show that.

Yours, VB.

Reply to
Volker Birk

You have an inexperienced user who will have to frequently connect to a public unprotected wi-fi network and he will have to have sharing and NetBios over TCP enabled since he will also connect to a company wi-fi to share data, and he doesn't know how to configure a wi-fi connection by himself. While working on public wi-fi there is a high probability that he will be compromised over LAN. I would choose ZA since it has the option to put any unprotected wi-fi automatically into the internet zone. So the user doesn't have to touch anything. Windows firewall doesn't have that option. The probability of being compromised over LAN in a wi-fi network is for that user higher than any of the additional attack vectors offered by ZA.

Reply to
alf

Argh! A NAT router is no security measure and there are certain conditions where it will forward unsolicited incoming connections. Windows firewall at least doesn't do so.

What about no packet filter at all? Why harassing with networking stuff they don't understand?

No. It will solve problems with a chronically defective piece of a useless software.

Stupid? This is even fine on Windows, and works so well because it doesn't require anything but one-time configuration, and additionally it increases stability.

Reply to
Sebastian Gottschalk
