What free software firewall to run?

I have a hardware firewall (a real one, not just a router). But I'd like to run a software firewall too, to protect my computer from other computers on my home network. There wouldn't be a problem with having both a hardware and software firewall, would there? Does anyone have any suggestions for a free software firewall for Windows 2000?

Reply to
void.no.spam.com

Are the machines sharing resources on the LAN? Would you have the PFW(s) on the machines configured to share resources?

Duane :)

Reply to
Duane Arnold

If *you* can't trust the other computers on *your* home network, then *you* need to take a solid look at why you have a home network in the first place.

Reply to
optikl

"Trusting" any computer/network is what leads to compromised computers.

While I have 5 networks in my home, I have at least one computer in each network that looks for traffic in their network, in addition to the firewall logs. I don't see why I should "Trust" any computer in my network at any time.

As a matter of fact, each server has the admin account renamed, not the same name as any other, and a different password than any other server. None of the public facing servers/devices share names/passwords....

Trust is what gets you into trouble - always suspect.

Reply to
Leythos

Well, that was my point, too. Too many people set up home networks, for convenience and think that by just installing an AV utility and a personal firewall, they can trust the network is secure.

Reply to
optikl

Try free Sygate Personal Firewall v5.6 b2808.


Reply to
Casey

Does it have the same security design flaws as version 5.5, or are those fixed now?

Yours, VB.

Reply to
Volker Birk

Maybe you can post the design flaws and your testing methods to prove them or a link to a reputable site that tested it and provides the analysis for the design flaw?

Did you know that another web site carries this entire group as though it's their forum?

Reply to
Leythos

Yes, please do! Casey

Reply to
Casey

One design flaw of the 5.5 version is that it installs a system service which opens windows.

This is a security design flaw; to understand why it is, you should first read Microsoft's security considerations for interactive services:

formatting link
From there:

| Security Considerations for Interactive Services
|
| Services running in an elevated security context, such as the
| LocalSystem account, should not create a window on the interactive
| desktop, because any other application that is running on the
| interactive desktop can interact with this window. This exposes the
| service to any application that a logged-on user executes.

To see that Sygate installs such a service, use e.g. Spy++ to identify the popup windows and their related process:

formatting link
Then you'll see for yourself that these windows are opened by a system service.

And this means that Sygate's programmers never read the mandatory documentation about basic security design for Windows services, or did not understand it, or just ignored it.

May I ask again: does the 5.6 version of Sygate have the same design flaw?

Yours, VB.

Reply to
Volker Birk


No, it means that they may have followed this information, as linked by you - why don't you tell us what specific method they used:

Security Considerations for Interactive Services

Services running in an elevated security context, such as the LocalSystem account, should not create a window on the interactive desktop, because any other application that is running on the interactive desktop can interact with this window. This exposes the service to any application that a logged-on user executes. Also, services that are running as LocalSystem should not access the interactive desktop by calling the OpenWindowStation or GetThreadDesktop function.

The following list identifies the two ways that a service can interact with a user without creating an interactive service:

  • Display a message box by calling the MessageBox function with MB_SERVICE_NOTIFICATION. This is recommended for displaying simple status messages. Do not call MessageBox during service initialization or from the HandlerEx routine, unless you call it from a separate thread, so that you return to the SCM in a timely manner.

  • Create a separate hidden GUI application and use the CreateProcessAsUser function to run the application within the context of the interactive user. Design the GUI application to communicate with the service through some method of interprocess communication (IPC), for example, named pipes. The service communicates with the GUI application to tell it when to display the GUI. The client communicates the results of the user interaction back to the service so that the service can take the appropriate action. Note that IPC can expose your service interfaces over the network unless you use an appropriate access control list (ACL).

Future versions of Windows may not support interactive services. Therefore, it is better to use another approach to support interaction between a user and a service.

Reply to
Leythos
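As an added defender's check that is not part of this thread: the Microsoft guidance quoted above is about services that run as LocalSystem and still put windows on the interactive desktop. On Windows such a service is marked with the SERVICE_INTERACTIVE_PROCESS type bit (0x100), which WMI exposes as Win32_Service.DesktopInteract and which is also visible in each service's registry Type value. The script below lists every service configured that way together with the account it runs under, so you can see whether a product like the one discussed here relies on an interactive service. It assumes a modern PowerShell with Get-CimInstance; the registry loop is the fallback where WMI is unavailable.

```powershell
# Added example (not from the thread): list services flagged as interactive
# (SERVICE_INTERACTIVE_PROCESS, 0x100) and whether they run as LocalSystem.
$systemAccounts = @('LocalSystem', 'NT AUTHORITY\LocalSystem', '.\LocalSystem')

function Get-InteractiveService {
    # Preferred path: WMI exposes the flag as DesktopInteract.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DesktopInteract -eq $true } |
        ForEach-Object {
            [PSCustomObject]@{
                Service    = $_.Name
                Account    = $_.StartName
                RunsAsSystem = ($_.StartName -in $systemAccounts)
                State      = $_.State
                Binary     = $_.PathName
            }
        }
}

function Get-InteractiveServiceFromRegistry {
    # Fallback: read the Type value under each service key and test bit 0x100.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -ne $p.Type -and ($p.Type -band 0x100)) {
            [PSCustomObject]@{
                Service      = $_.PSChildName
                Account      = $p.ObjectName
                RunsAsSystem = ($p.ObjectName -in $systemAccounts)
                Binary       = $p.ImagePath
            }
        }
    }
}

# Services that are both interactive and elevated are the ones the
# Microsoft text warns about; show them first.
Get-InteractiveService | Sort-Object RunsAsSystem -Descending | Format-Table -AutoSize
```

Any row with RunsAsSystem = True is a service that creates windows on the desktop every logged-on application can send messages to; the two alternatives in the quoted list (MB_SERVICE_NOTIFICATION, or a separate GUI helper started with CreateProcessAsUser and talking over an ACL-protected named pipe) avoid that.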

Most likely nothing has changed much from 5.5 to 5.6, Volker, at least in that respect.

Reply to
Kerodo

Do any other free firewalls have this flaw, like Kerio 2.1.5 or Outpost or Tiny?

Reply to
void

Kerodo wrote: [One of Sygate's security design flaws]

How sad. They really should know now.

Yours, VB.

Reply to
Volker Birk

Following our tests, at least Outpost, Sygate and Tiny have this flaw. We have tested Outpost 2.5, Sygate 5.5 and Tiny 6.0.

Kerio seemed to be the best one of the worse; to say it clearly: the least bad one :-/

Also, Kerio had strange flaws, like the program itself opening a socket bound to 0.0.0.0. (?)

The rest was just catastrophic, including errors like filtering away the data which should be protected (as Symantec Norton and Zone Alarm do), which can potentially be used to learn this data (for Symantec Norton, there is an easy attack already).

Yours, VB.

Reply to
Volker Birk

Is that a problem?

This is still Kerio you are talking about? What do you mean by "filtering away the data which should be protected"? Which data is that?

Do you have a recommendation for a free firewall for Windows 2000?

Thanks.

Reply to
void.no.spam.com

It's exactly the opposite of what a "Personal Firewall" should do. And if it's only for local communication:

- Why aren't they binding to an interface in 127.0.0.0/8?

- Why are they using TCP at all and not one of the purely local IPC methods?

- And how can you trust the programmers of a security tool who design such nonsense?

No. About the others.

The functionality to secure PINs and passwords which Symantec Norton and Zone Alarm are offering; please read

Unfortunately, I haven't. This is why I'm recommending Torsten's script at

formatting link
for that purpose. And because this is a little difficult to handle for a home user, I hacked

formatting link
Yours, VB.

Reply to
Volker Birk
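As an added check that is not from the thread: the point above is that a program which only needs local IPC should listen on a loopback address (127.0.0.0/8 or ::1), not on the wildcard address, where every host on the LAN can reach it. This PowerShell snippet lists the TCP listeners bound to 0.0.0.0 or :: and the process that owns each one, so you can review which of them actually need to be reachable from the network. It assumes a Windows with the NetTCPIP module (Get-NetTCPConnection); process paths may be empty for system processes.

```powershell
# Added example (not from the thread): report TCP listeners bound to all
# interfaces instead of loopback, with the owning process, for review.
function Get-WildcardListener {
    $wildcard = @('0.0.0.0', '::')
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -in $wildcard } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                ProcessId    = $_.OwningProcess
                Process      = if ($proc) { $proc.ProcessName } else { '<unknown>' }
                Path         = if ($proc -and $proc.Path) { $proc.Path } else { '' }
            }
        }
}

# Loopback-only listeners are shown separately for comparison: these are what
# a purely local helper (the Kerio case discussed above) should look like.
function Get-LoopbackListener {
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -like '127.*' -or $_.LocalAddress -eq '::1' } |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

"Listeners reachable from the LAN (review each one):"
Get-WildcardListener | Sort-Object LocalPort | Format-Table -AutoSize
"Loopback-only listeners:"
Get-LoopbackListener | Sort-Object LocalPort | Format-Table -AutoSize
```

Anything in the first table that belongs to a tool meant only to talk to itself is a candidate for the questions listed above; a host firewall rule can limit the exposure, but the real fix is for the program to bind loopback or use local IPC.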

There are two ways:

1) Split your network into subnets and filter among them ;-). wipfw may be a good thing to do that.

2) "Harden" your computer, or better each of your computers, against attacks from the LAN:

- Use an access authorisation / role concept to manage your access rights (it's an inherent part of Windows NT/2k/XP).

- Only offer the shares / services you want.

- Stay secure and up to date.

See above (wipfw).

formatting link
is another good entry point.

Wolfgang

Reply to
Wolfgang Ewert

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.