Vista FW outbound check

Hi, Vista FW with advanced security comes with an outbound traffic default setting of "allow everything which is not denied". I think this is completely useless, because the main reason for an outbound traffic filter is to block UNKNOWN programs (worms, trojans ...), so it is impossible to make a rule to deny an unknown program/destination port. On the other hand, if I change the outbound setting to "block everything that does not match a rule", it is nearly impossible to design rules for legitimate programs because, as far as I understand, there is no "display notification" for an outbound rule violation, and it is not simple to know the applications/services/ports of the majority of legitimate applications (apart from browser, mailer and a few others). My question is: is there a way to have a kind of display notification of the violated outbound rule with the applications/services/ports of the offending programs? Thanks in advance, Riccardo

Reply to
news.tim.it

That's not true, because you can run something like Currports, which runs on Vista, and look at all connections being made by a program, what port it's using and whether it is TCP or UDP.

You can find Currports here too.

So, you can know all the programs that are running on your machine and stop outbound traffic for everything, except for the known/accepted programs.

Myself, I don't need more questions being asked by Vista. I see enough of them. So that will never be enabled, or some kind of rules set.

I don't think this NG is ready to help you with Vista and its FW, so maybe, you should post to Microsoft.Public.Windows.Vista General or Security NG where there are people that know how to set the rules you're looking to implement, and the popup FW messages too.

msnews.microsoft.com

Reply to
Mr. Arnold
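Mr. Arnold's suggestion is to watch live connections with CurrPorts; the firewall's own drop log gives the same information after the fact. As an added example, not part of the thread, the following parses a constructed pfirewall.log in the layout Windows Firewall writes (by default to %systemroot%\system32\LogFiles\Firewall\pfirewall.log once dropped-packet logging is enabled) and lists the outbound flows a "block unless a rule allows" policy rejected, which is exactly what an allow rule needs: protocol, destination and port. The log records no process name, so tying a dropped flow back to a program still takes a tool like CurrPorts.

```python
"""Summarize dropped outbound connections from a Windows Firewall log.

The log is W3C extended format: a '#Fields:' header names the columns, and
the 'path' column is SEND for outbound and RECEIVE for inbound traffic, so
DROP + SEND selects the outbound connections the firewall rejected.
"""
from collections import Counter

# Constructed sample log in the layout Windows Firewall writes (not a real capture).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-03-01 10:15:22 DROP TCP 192.168.1.10 203.0.113.5 49152 80 48 S 123456 0 8192 - - - SEND
2008-03-01 10:15:23 DROP TCP 192.168.1.10 203.0.113.5 49153 80 48 S 123457 0 8192 - - - SEND
2008-03-01 10:15:25 DROP UDP 192.168.1.10 192.168.1.1 53412 53 60 - - - - - - - SEND
2008-03-01 10:15:30 DROP TCP 198.51.100.7 192.168.1.10 40000 445 48 S 555 0 8192 - - - RECEIVE
2008-03-01 10:15:31 ALLOW TCP 192.168.1.10 203.0.113.9 49154 443 0 - 0 0 0 - - - SEND
"""

def parse_firewall_log(text):
    """Yield one dict per record, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow '#Fields:'
            continue
        if not line or line.startswith("#") or fields is None:
            continue                           # comments, blanks, or no header yet
        values = line.split()
        if len(values) != len(fields):
            continue                           # skip truncated or foreign lines
        yield dict(zip(fields, values))

def dropped_outbound(text):
    """Count blocked outbound flows per (protocol, dst-ip, dst-port)."""
    counts = Counter()
    for rec in parse_firewall_log(text):
        if rec["action"] == "DROP" and rec["path"] == "SEND":
            counts[(rec["protocol"], rec["dst-ip"], rec["dst-port"])] += 1
    return counts

if __name__ == "__main__":
    # Each line is one candidate allow rule to review; inbound drops are left out.
    for (proto, ip, port), n in sorted(dropped_outbound(SAMPLE_LOG).items()):
        print(f"{proto:4} {ip:>15}:{port:<5} blocked {n}x")
```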

OTOH, if the trojan is already running on your machine and wants to connect outbound, how's a piece of software going to distinguish whether you want that to happen or not?

Outbound filtering sounds like a nice idea, but it really only adds a little bit more complexity to trojans. If you install a trojan that says "I need to connect to my website to check for updates" - just what are you going to do? ;-)

Juergen Nieveler

Reply to
Juergen Nieveler

Learn how to configure Vista Firewall to suit your computing habits.

Interesting/educational reading:

down to: "Myth: Host-Based Firewalls Must Filter Outbound Traffic to be Safe."

"Outbound protection is security theater - it's a gimmick..." "...the Windows firewall will provide the protection you need..."

Stay away from 'Phoney-Baloney' 3rd party PFW's - use your brain and filter out the absurd advertisement hype created by these makers.

"'Personal Firewalls' are mostly snake-oil"

Reply to
Kayman

Scroll down to:

"Outbound protection is security theater - it's a gimmick..."

Personal FW's are packet filters running at the machine level.

For the most part, the 3rd party solutions are doing the same thing as Vista's FW in their ability to set packet filtering rules to stop inbound or outbound packets to and from the machine, which is no different than Vista's FW/packet filter.

Granted, 3rd party solutions have some snake-oil in them too, beyond just being simple packet filters, and so does Vista's FW/packet filter as well with its WPF and BEF, which malware can cut right through if it can get on the machine and execute.

As far as outbound filtering by setting packet filtering rule to stop traffic for a 3rd party solution, then there is nothing wrong with it.

Reply to
Mr. Arnold

The difference is that the in-built f/w (p/filter) is an integrated part of the OS.

No debate here, 'some' snake-oil is too much already.

True, didn't imply otherwise.

PFW is not a solution, it's an illusion. 'Hardening' of OS plus reviewing and implementing different/proven security measures (which among other things excludes PFW) *is* the right way striving to a safer computing environment.

Reply to
Kayman

I have to disagree with you now, as 3rd party vendors will be able to integrate their solutions.


I knocked WPF and BEF a little bit. They are not bulletproof, but nothing is that in the first place, nor will it ever be that. But it's better than nothing.

Some parts of a personal FW/packet filter shouldn't be implemented as it gives a false sense of security. I agree with that, but I don't agree with your conclusion of its role of being a basic packet filter if all else is removed or disabled in the solution, and it's just in a role of being a packet filter running at the machine level.

Reply to
Mr. Arnold

*will*...as in future tense?

Well, IMO and in this particular case, nothing is better than 3rd party PFW.

Good to know.

I reiterate, it's not a solution, it's a nightmare for the users as most of them are inexperienced; they just want to click and go and are incapable of dissecting a software (in this case fantasyware) application...

...that's why they're better off with built-in f/w (p/sniffer) in the first place.

Reply to
Kayman

I am running Vista, and from what I have heard from an MVP over in the Vista, security NG, some 3rd party solutions are already using it and the Vista FW is using it right now.

I don't even know what you're talking about, and I don't think you know about the purpose of the WPF and BEF solutions and features that the Vista FW is already using and other solutions will be able to use them.

Sorry, I'll simply have to disagree with you. You have shown no proof to show otherwise.

Well, it's not going to happen no matter how much you don't like it, and I don't think anyone that's using the solutions is going to listen to it anyway.

It's just a suggestion. You might want to keep the negative in check and on a low heat, thus you will be viewed in that same bad light as Sebastian G. is with his ramblings to the point that he is being ignored by many, as not credible.

In other words, we have already been there, done that, seen that, and read that.

Reply to
Mr. Arnold

What are you, some kind of a Nazi control freak? Ooooh, I'm so afraid! I can't help if you deem my post to the OP as negative because you don't happen to agree. You call it rambling, I call a good factual response [Period].

I don't care about you, your imperious views and SG; Are you on medication? I am talking about a 3rd party firewall and you're jabbering about a 3rd person. You are turning this thread into a psychedelic rainbow of confusion. Why don't you just put a sock over your typing fingers.

Huh, *we*? But you haven't got the T-Shirt, have you...and *we* all know why. Hint: just measure the circumference of your head.

Reply to
Kayman

Well folks, we have been hammered for well over a year with this, and I think we have more in store.

It looks like we'll have another one of these lunatics loose in the NG, again, that really doesn't have anything to say, doesn't know anything about security, he's an expert's expert, and he'll ramble about his security concepts to the point that he becomes boring.

Does it sound familiar and you heard it first?

I tried to tell the old boy, but his head is ten bricks hard.

He ain't got nothing to say. It's all about don't, don't, don't, do this, do this, this is phoney baloney, that's crap, this is snake-oil, do this, do this and do that, because listen to me now, I know what's good for you.

Hopefully, he'll disappear soon.

Reply to
Mr. Arnold

Sorry to say, but Kayman has also plagued alt.comp.freeware, various newsgroups at news.grc.com and msnews.microsoft.com, and who knows where else of late with the same gibberish. All *any*one needs to do *any*where is bring up *any*thing about *any* PFW and there's Kayman, popping up to blab on and on about phoney-baloney this and snake-oil that and do this and don't do that and then listing a hundred links to follow. He's a troll and hard to get rid of, so others elsewhere have been finding that it's best to just ignore him.

Reply to
Kat Mandu

Yeah, he is going to be ignored, because the tap dance and song has been seen just a little too much, by another tap dance and song security artist and his tired show. :)

Reply to
Mr. Arnold

You are not very observant.

Your thoughts are of no consequence and irrelevant, nor do they matter.

Your patronizing messages run off like water off a duck's back (nice try though). And who's *we*?

What there is to say has already been said; I do not reinvent the wheel and/or restate what's already written. If this befits your description of an expert's expert, so be it. And if the content of the articles as provided is boring to you, so be it. Other n/g participants may find the articles interesting, stimulating and educational - but you evidently don't comprehend - what a shame. To refresh your memory, here is my response to the OP: (one hardly has to be an expert to provide appropriate information)

QUOTE Learn how to configure Vista Firewall to suit your computing habits.

Interesting/educational reading:

down to: "Myth: Host-Based Firewalls Must Filter Outbound Traffic to be Safe."

"Outbound protection is security theater - it's a gimmick..." "...the Windows firewall will provide the protection you need..."

Stay away from 'Phoney-Baloney' 3rd party PFW's - use your brain and filter out the absurd advertisement hype created by these makers.

"'Personal Firewalls' are mostly snake-oil" UNQUOTE

And where did I ramble about my security concept to the OP? You are becoming a bore with your innuendos, which appear to be some kind of paranoia. There is help out there, you know.

To whom are you talking?

Your innuendos say absolutely nothing and you have not provided anything useful to assist the OP; Your contribution to this discussion is despicable.

Haven't counted, but I know it fits thru a T-Shirt.

You are repeating yourself and what did you say anyway?

And where in my response to the OP did I say that? (and who is rambling here?)

Yes, I said "3rd party PFW are phoney-baloney" (but never said it's snake-oil) and provided pertinent links. You disagree, oh well. And yes, I said "Learn how to configure Vista Firewall to suit your computing habits" and provided pertinent links. You object, oh well (again). Why don't you do some reading, and if you oppose the content create a new discussion pertaining to this subject matter?

Well, it's evident that you are delusional; My response to the OP does not indicate any of this. (and who is rambling here again?)

"Stay away from 'Phoney-Baloney' 3rd party PFW's - use your brain and filter out the absurd advertisement hype created by these makers."

The above is my opinion which is based, among other things, on the articles as provided. The OP is free to read the articles and is old enough to decide as to which avenue he wishes to proceed. If he is in doubt he can continue posting to various befitting n/g's and I am sure appropriate advice/clarification will be provided.

Fat chance. I will continue to provide informative/educational links as I deem appropriate. Why don't you start up a forum, you as the moderator....but then again you'd probably talk to yourself.

Reply to
Kayman

As expected :)

Reply to
Kayman

Scroll down to:

"Outbound protection is security theater - it's a gimmick..."

Thanks a lot to you all for the useful suggestions. I read the Microsoft opinion on the subject and I disagree. I still would appreciate an optional display notification on outgoing packets, not just for worms/trojans etc. but also to be able to know what happens to my computer when I run a program. On my old XP box I used Kerio FW and it was very instructive to see (and block) many unsolicited outgoing connections that legitimate programs make (not just to check for a new version), but maybe to steal my personal data or habits or who knows. I still hope Microsoft will include this option in SPx.

Reply to
Riccardo

> Scroll down to:

> "Outbound protection is security theater - it's a gimmick..."

You're welcome.

This is your prerogative. What are your technical reasons for arriving at your conclusion?

Sure, it gives that 'comfortable' feeling :)

So you think, (remember the illusion bit?) :)

Won't happen (please do some more research on this).

Below are a couple of additional write-ups which you may also find interesting and educational. BTW - I have yet to see reports challenging these views from the makers of PFW's (aka Phoney-Baloney Ware) :).

Please take some time to read this article by Bruce Schneier about why bad security products tend to beat the good ones in the market place:

Some interesting extracts:

"Why are there so many bad security products out there? Why do mediocre security products beat the good ones in the marketplace?"

"In a market where the seller has more information about the product than the buyer, bad products can drive the good ones out of the market."

"In the late 1980s, there were more than a hundred competing firewall products. The few that "won" weren't the most secure firewalls - they were the ones that were easy to set up, easy to use, and didn't annoy users too much. Because buyers couldn't base their buying decision on the relative security merits, they based them on these other criteria."

-- And an article by Jesper Johansson:

"There are several serious flaws in the reasoning that outbound, host-based firewalls will actually stop attacks."

"Since there is no application isolation between applications running within the same user context there is no real way to prevent this from happening. Only by completely re-architecting Windows could this be prevented, and even then, it would only truly work if everything we know about computers, from the hardware on up, changed fundamentally."

Happy reading :)

Reply to
Kayman
