It's very unlikely if his shares are configured correctly. Admittedly, the NetBIOS and SMB stuff in Windows is pretty lousy, but so far you could only expect some DoS, not remote compromise.
Besides that, hardening makes it even less problematic.
Argh! Where exactly do you think the difference is between your home computer at 192.168.0.5 connecting to your shares in your local wi-fi LAN and a malicious computer at 192.168.0.5 in a company wi-fi LAN doing the same?
It has.
Well, then why not do it correctly instead of choosing another evil?
A user running a laptop on a client's network, such as a contractor that must furnish their own laptop, needing to print to the client's network printer.
In this case the PFW would block inbound connections and alert the contractor of all connections reaching their laptop; it would also allow the contractor to selectively allow inbound access to their laptop, let's say via FTP, from a single node in the customer's network, while blocking all others' access to it. It could also allow SQL Data (1433) access from several nodes while blocking access from all other nodes.
It would also allow the contractor to see each connection that was approved, in real time, and to monitor those connections.
Windows Firewall would not allow monitoring of the inbound connections, although the scope would meet part of the requirement, and it would not allow monitoring of other attempted connections to the contractor's computer that may indicate a compromised computer(s) on the client's network.
Complexity -> Simple sharing off. Will the user understand the new approach he is going to use to share folders? He doesn't know how to configure a connection.
The AP IP is hardly ever the same, and ZA puts unprotected wi-fi into the internet zone no matter what the AP IP is.
Explain how, many wi-fi users will thank you. You have to configure it to put unprotected wi-fi into the protected zone and protected wi-fi into the unprotected zone, regardless of AP IP, automatically. SSIDs are different for public wifi and you don't know what the SSID will be.
BTW to somebody I don't know. Stop performing port scans on me, it is illegal so please stop. I have no network services running so it is not useful, there is nothing to connect to.
How exactly would Joe Average determine if he was safe with it or not?
So if Joe Average is not sure if windows firewall works for him, he should go search for something even more complex?
And furthermore You expect him to be able to make a good choice based on product reviews and not least their history of vulnerabilities? - Come on, we are way way ahead of "Average" already.
Oh, I need to apologize here. I'm afraid I have misunderstood the definition of a Joe Average. If Joe Average is in for experiments no firewall will protect him anyway, so in that case You are right - He can just pick anyone. My guess is he will end up with the one providing the most bells and whistles and reporting the most attacks.
Yes, and You are right, it is not always good advice. It even sometimes comes close to being rude. But in many cases it actually *is* good advice if people would just allow themselves to learn. It isn't exactly wrong, it just isn't the full picture. But if Joe Averages would just take some time to read a little back in this group, the same arguments and counter-arguments are repeated again and again.
I haven't seen anyone make that claim!
Just the basics will do.
Yep, some basics will definitely be great.
Now You are stretching the "Average" part again, aren't You? ;-)
... bye bye "Average".
True, actually. Except that for Joe Averages I would say: in many cases.
Nonsense.
And of course You also neglect the most important thing: Be willing to learn - also even though You may already be influenced by marketing hype.
Maybe, but I have many connection attempts/min: TCP 1001, TCP 1002, TCP 1003... UDP 1001, UDP 1002, UDP 1003... and so on. I think it is a port scan of somebody on me. It starts to happen after I post to this group _only_; it doesn't happen when I post to other groups or do something else. That is why I'm changing my IP, check my headers.
Well, I can always abuse, but I have to know the non-spoofed IP first. :-(
Ummm... IBTD. I see at least two possible scenarios:
- User must (for whatever reason) use a program that cannot be replaced and has one or more process(es) which cannot be unbound from the external interface.
- Road-Warrior has a notebook and wants an easy way to maintain different configurations for the company's LAN as well as customer networks.
> In addition inform yourself about problems and additional attack vectors
If he likes gambling, why not. Maybe he will win. :-) In the case of a Joe Average, meaning a system filled with malware, network services running, software misconfigured, anything is possible.
Depends on how good a student he will be; maybe he will not need a firewall.
I made it a little dramatic.
OK, yes it is bye bye "average", but for somebody with the will to learn that would be good.
I already answered to Sebastian: if you don't experiment and work with network services, how are you going to learn? It is not stupid unless you give up on learning. Another compromise.
I said that at the beginning. To the user who likes to learn.
What about using (safe) passwords on shares? A trusted computer can store them as well.
man IP spoofing man automated scanning
Eh, what? Wait a moment, just for clarification:
If you have shares on that Wi-Fi connection, you cannot put it into internet zone without breaking it.
If you don't want shares on that connection, why don't you simply bind them to the appropriate local connection? Especially NetBIOS is trivial to bind, SMB can be safely deactivated.
It has zoning options.
Hm... this is new in that discussion. ZA doesn't do so either.
The SSID has at most 88 bits of secret and can be trivially sniffed from your local secure wi-fi connection.
MUAHAHA. Now knocking on the door of your apartment is illegal as well?
Stupid bots are not intelligent enough to recognize that you're no relevant target. :-)
Volker Birk wrote:
> BTW: does Zone Alarm implement this in a secure way, or is this effectless
No, but if IP is different, and usually is. It will ask you to choose zone or you can set it up to automatically add every new network to internet zone.
Yes, Privacy off, Program Control off, and you have firewall only.
Heck, you cannot even send TCP-RST. You cannot refer to any states, f.e. to do something like
    check-state
    allow tcp from $other to me 21,990 setup keep-state
    deny tcp from any to me 1-1023 setup keep-state
    reject tcp from any to setup keep-state
which makes it pretty unusable in any serious configuration scenario.
And I wonder why not even disabling it switches off the internal "f*ck up my network capabilities" rule.
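The stateful rule set quoted in the post above is what a packet filter with connection tracking lets you express and what a stateless one cannot. The following is an added example, not Volker Birk's code and not ipfw itself: a small Python model of those four rules, run over constructed packets, showing how check-state lets reply traffic through on the strength of a remembered flow, while a stray ACK with no prior SYN (typical of a scan or a spoofed segment) hits no setup rule and is dropped. The addresses are constructed; the third rule is assumed to mean "to any", since the original omits its destination; and, as in ipfw, state is only created by the allow rule.

```python
"""Toy stateful packet filter modelling the ipfw-style rules from the post.

Constructed example: addresses and packets are made up for illustration.
"""
from dataclasses import dataclass

ME = "192.168.0.5"      # constructed: the protected host ("me" in the rules)
OTHER = "192.168.0.7"   # constructed: the one trusted peer ("$other")


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False

    @property
    def is_setup(self) -> bool:
        # ipfw "setup" matches only a connection's first packet: SYN without ACK.
        return self.syn and not self.ack


def parse_ports(spec: str):
    """'21,990' -> [(21, 21), (990, 990)]; '1-1023' -> [(1, 1023)]; '' -> [] (any)."""
    ranges = []
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


@dataclass
class Rule:
    action: str       # "allow", "deny" (silent drop) or "reject" (drop and send TCP RST)
    src: str          # address or "any"
    dst: str
    ports: list       # destination port ranges; empty means any port
    setup: bool = False
    keep_state: bool = False

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != "tcp":
            return False
        if self.src != "any" and pkt.src != self.src:
            return False
        if self.dst != "any" and pkt.dst != self.dst:
            return False
        if self.ports and not any(lo <= pkt.dport <= hi for lo, hi in self.ports):
            return False
        if self.setup and not pkt.is_setup:
            return False
        return True


# The quoted rule set; destination of the last rule assumed to be "any".
RULES = [
    Rule("allow", OTHER, ME, parse_ports("21,990"), setup=True, keep_state=True),
    Rule("deny", "any", ME, parse_ports("1-1023"), setup=True, keep_state=True),
    Rule("reject", "any", "any", [], setup=True, keep_state=True),
]


def flow_key(pkt: Packet):
    # Direction-independent identity of a TCP flow, so replies match the same state.
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})


class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()   # flows admitted by an allow ... keep-state rule
        self.rst_sent = []    # (from, to) pairs for RSTs a "reject" would emit

    def process(self, pkt: Packet) -> str:
        if flow_key(pkt) in self.states:   # check-state: known flow, accept outright
            return "allow"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow" and rule.keep_state:
                    self.states.add(flow_key(pkt))
                if rule.action == "reject":
                    self.rst_sent.append((pkt.dst, pkt.src))   # RST back to the sender
                return rule.action
        return "deny"   # default policy: drop silently


def demo():
    """Run constructed packets through the filter; returns (verdicts, filter)."""
    fw = StatefulFilter(RULES)
    verdicts = [
        # trusted peer opens the FTP control connection: allowed, state created
        fw.process(Packet("tcp", OTHER, ME, 40000, 21, syn=True)),
        # our SYN/ACK and the peer's ACK are passed by check-state, not by any setup rule
        fw.process(Packet("tcp", ME, OTHER, 21, 40000, syn=True, ack=True)),
        fw.process(Packet("tcp", OTHER, ME, 40000, 21, ack=True)),
        # stranger probes port 22: silently dropped by the deny rule
        fw.process(Packet("tcp", "10.9.8.7", ME, 51000, 22, syn=True)),
        # stranger probes port 8080: rejected, a TCP RST goes back
        fw.process(Packet("tcp", "10.9.8.7", ME, 51001, 8080, syn=True)),
        # stray ACK to port 21 from the trusted peer with no prior SYN: no state, no match
        fw.process(Packet("tcp", OTHER, ME, 40001, 21, ack=True)),
    ]
    return verdicts, fw


if __name__ == "__main__":
    print(demo()[0])
```

The last case is the point of the post: without connection state, a filter has to choose between admitting every non-SYN segment to port 21 (so scans and injected segments get through) or blocking legitimate replies; with check-state it can do neither.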