I have a hardware firewall (a real one, not just a router). But I'd like to run a software firewall too, to protect my computer from other computers on my home network. There wouldn't be a problem with having both a hardware and software firewall, would there? Does anyone have any suggestions for a free software firewall for Windows 2000?
"Trusting" any computer/network is what leads to compromised computers.
While I have 5 networks in my home, I have at least one computer in each network that looks for traffic in their network, in addition to the firewall logs. I don't see why I should "Trust" any computer in my network at any time.
As a matter of fact, each server has the admin account renamed, not the same name as any other, and a different password than any other server. None of the public facing servers/devices share names/passwords...
Trust is what gets you into trouble - always suspect.
Well, that was my point, too. Too many people set up home networks, for convenience and think that by just installing an AV utility and a personal firewall, they can trust the network is secure.
Maybe you can post the design flaws and your testing methods to prove them or a link to a reputable site that tested it and provides the analysis for the design flaw?
Did you know that another web site carries this entire group as though it's their forum?
One design flaw of the 5.5 version is that it installs a system service which opens windows.
This is a security design flaw; to understand why, you should first read Microsoft's security considerations for interactive services. From there:
| Security Considerations for Interactive Services
|
| Services running in an elevated security context, such as the
| LocalSystem account, should not create a window on the interactive
| desktop, because any other application that is running on the
| interactive desktop can interact with this window. This exposes the
| service to any application that a logged-on user executes.
To see that Sygate installs such a service, use e.g. Spy++ to identify the popup windows and their related process.
Then you'll see for yourself that these windows are opened by a system service.
And this means that Sygate's programmers never read the mandatory documentation about basic security design for Windows services, or did not understand it, or just ignored it.
May I ask again: does the 5.6 version of Sygate have the same design flaw?
No, it means that they may have followed this information, as linked by you - why don't you tell us what specific method they used:
Security Considerations for Interactive Services
Services running in an elevated security context, such as the LocalSystem account, should not create a window on the interactive desktop, because any other application that is running on the interactive desktop can interact with this window. This exposes the service to any application that a logged-on user executes. Also, services that are running as LocalSystem should not access the interactive desktop by calling the OpenWindowStation or GetThreadDesktop function.
The following list identifies the two ways that a service can interact with a user without creating an interactive service:
* Display a message box by calling the MessageBox function with MB_SERVICE_NOTIFICATION. This is recommended for displaying simple status messages. Do not call MessageBox during service initialization or from the HandlerEx routine, unless you call it from a separate thread, so that you return to the SCM in a timely manner.
* Create a separate hidden GUI application and use the CreateProcessAsUser function to run the application within the context of the interactive user. Design the GUI application to communicate with the service through some method of interprocess communication (IPC), for example, named pipes. The service communicates with the GUI application to tell it when to display the GUI. The client communicates the results of the user interaction back to the service so that the service can take the appropriate action. Note that IPC can expose your service interfaces over the network unless you use an appropriate access control list (ACL).
Future versions of Windows may not support interactive services. Therefore, it is better to use another approach to support interaction between a user and a service.
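The Spy++ check described earlier in the thread (which process owns a popup window, and is that process a service?) can be scripted. The following is an added example, not code from any poster or from Microsoft's documentation; it assumes a Windows host with WMI available and is run from the interactive user's session.

```powershell
# Added example: report visible top-level windows whose owning process is a
# registered Windows service, i.e. the "interactive service" condition the
# Microsoft guidance above warns against. Names below are our own choices.
$src = @"
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;
public static class WinEnum {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")] static extern bool EnumWindows(EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll")] static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll")] static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    static extern int GetWindowText(IntPtr hWnd, StringBuilder sb, int max);
    // Returns { hwnd, pid, title } for every visible top-level window.
    public static List<object[]> VisibleWindows() {
        var list = new List<object[]>();
        EnumWindows((h, l) => {
            if (!IsWindowVisible(h)) return true;
            uint pid; GetWindowThreadProcessId(h, out pid);
            var sb = new StringBuilder(256); GetWindowText(h, sb, sb.Capacity);
            list.Add(new object[] { h, pid, sb.ToString() });
            return true;
        }, IntPtr.Zero);
        return list;
    }
}
"@
Add-Type -TypeDefinition $src

# Map PID -> service name(s) for every running service (ProcessId 0 = stopped).
$svcByPid = @{}
Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 } | ForEach-Object {
    $svcByPid[[uint32]$_.ProcessId] += @($_.Name)
}

# Any window owned by a service process is reachable by every application on
# that desktop; such a service should use MessageBox(MB_SERVICE_NOTIFICATION)
# or a separate user-context helper process instead.
foreach ($w in [WinEnum]::VisibleWindows()) {
    $ownerPid = [uint32]$w[1]
    if ($svcByPid.ContainsKey($ownerPid)) {
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Window  = $w[2]
            PID     = $ownerPid
            Process = $proc.ProcessName
            Service = ($svcByPid[$ownerPid] -join ',')
        }
    }
}
```

On Windows Vista and later, session 0 isolation keeps service windows off the user's desktop, so the check is mainly meaningful on Windows 2000/XP, the platforms this thread discusses.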
Following our tests, at least Outpost, Sygate and Tiny have this flaw. We have tested Outpost 2.5, Sygate 5.5 and Tiny 6.0.
Kerio seemed to be the best of the worst; to say it clearly: the least bad one :-/
Kerio also had strange flaws, such as the program itself opening a socket bound to 0.0.0.0. (?)
The rest was just catastrophic, including errors like filtering away the data which should be protected (as Symantec Norton and Zone Alarm do), which can potentially be used to get to know this data (for Symantec Norton, there is already an easy attack).