Do I need another firewall as well as the Win XP one?

Interesting suggestion, thanks, I'll look into it.

Reply to
Mike O'Sullivan

So, does that mean you are using DSL/Cable?

If so, the router method (NAT device) acts as the first layer in your security. While they are not configured to block outbound by default, they block inbound that you didn't ask for - which means that things like worms and others that browse the Internet looking for open computers don't see your system.

Many of those NAT devices also allow you to block outbound ports, still not a firewall, but it helps keep things from breaking out of your network a little - block outbound ports 135~139,445, 1433,1434 once you get one.

Reply to
Leythos

If all you have is Dial-Up service, then XP SP2 firewall will get you online long enough to get something like ZoneAlarm.

If you have DSL or Cable, purchase a cheap NAT appliance, sometimes improperly marked as a Cable/DSL Firewall, from your local computer place. With the NAT router installed between your network and the cable/dsl modem, you won't see any unsolicited inbound traffic inside your network (unless you forward inbound ports).

I personally never use the Windows XP SP2 firewall as I've seen programs create exceptions and changes in the firewall settings without asking the user's permission. I've never had a system running ZoneAlarm compromised yet.

Reply to
Leythos

I've just installed Windows XP. How good is the Windows XP firewall? I've read some comments that it's not up to much. Is this true, and anyway, would it be advisable to use another one, like Zone Alarm, instead of, or as well as, XP?

Reply to
Mike O'Sullivan

Yes, that's right. I'm a home user though, not on a network.

Excuse my relative ignorance, but can you expand on the outbound element a bit? Why would I want to block outgoing traffic?

Reply to
Mike O'Sullivan

If something does manage to get installed on your laptop, do you want it to have complete freedom to reach out to anybody in any way? To upload files or establish a remote control link, for example?

Or would you rather restrict such outbound activity?

-Russ.

Reply to
Somebody.

If you are connected to the Internet you are ON a network. If you install a router/NAT you are still on a network, just a somewhat protected network.

As an example, there is no reason for your computer to open File/Printer sharing connections to other computers on the Internet - so you block that outbound. Same with other services. If you block outbound ports to others, while it does little to help you if compromised, it does have an impact on your machine infecting others.

As an example of that protection, if everyone blocked outbound 1433/1434, the SQL Slammer worm would not have left their internal networks and infected other machines.

If you can block SMTP outbound, except to the specific IP of your ISP's mail server, you can stop your machine from sending (if compromised by an SMTP enabled virus) the virus directly to other users. It also helps stop people from using your computer as an SMTP relay if they compromise it...

There are ways around the above examples, but it's just another step in making things a little harder for the malware.

Reply to
Leythos
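The outbound blocking Leythos describes here (and that jameshanley39 quotes further down) expressed as a first-match egress policy, as an added example that is not part of any post in this thread: File/Printer sharing (135-139, 445) and MS SQL (1433/1434) are dropped to anywhere, SMTP (25) is allowed only to the ISP's relay, and everything else passes. The relay address and the sample connection attempts are constructed placeholders.

```python
# Added example (not from the thread): first-match egress policy modelled on the
# outbound blocking discussed above. Applied to a constructed list of outbound
# connection attempts; the relay IP is an assumed placeholder from TEST-NET-1.
import ipaddress

ISP_MAIL_RELAY = ipaddress.ip_address("192.0.2.25")  # assumed placeholder

# (protocol or "any", low port, high port, destination or None for any, action)
EGRESS_RULES = [
    ("any", 135, 139, None, "deny"),            # NetBIOS/RPC: never needed toward the Internet
    ("any", 445, 445, None, "deny"),            # SMB / File and Printer sharing
    ("any", 1433, 1434, None, "deny"),          # MS SQL; Slammer spread over UDP/1434
    ("tcp", 25, 25, ISP_MAIL_RELAY, "allow"),   # SMTP only to the ISP's mail server
    ("tcp", 25, 25, None, "deny"),              # SMTP anywhere else (mass-mailer, relay abuse)
]
DEFAULT_ACTION = "allow"  # home NAT routers allow outbound unless told otherwise

def egress_decision(proto, dst, dport):
    """Return ('allow'|'deny', matching rule index or None) for one outbound attempt."""
    dst_ip = ipaddress.ip_address(dst)
    for i, (rproto, lo, hi, rdst, action) in enumerate(EGRESS_RULES):
        if rproto != "any" and rproto != proto:
            continue
        if not lo <= dport <= hi:
            continue
        if rdst is not None and rdst != dst_ip:
            continue
        return action, i          # first match wins
    return DEFAULT_ACTION, None   # no rule matched: router default applies

# Constructed sample of outbound attempts: (protocol, destination, destination port)
SAMPLE_ATTEMPTS = [
    ("tcp", "203.0.113.7", 80),     # ordinary web browsing
    ("udp", "203.0.113.9", 1434),   # Slammer-style SQL resolution probe
    ("tcp", "203.0.113.10", 445),   # SMB toward the Internet
    ("tcp", "192.0.2.25", 25),      # mail to the ISP relay
    ("tcp", "198.51.100.4", 25),    # direct-to-MX mail, typical of mass-mailing worms
]

def evaluate(attempts=SAMPLE_ATTEMPTS):
    """Apply the policy to each attempt; returns a list of (attempt, action, rule_index)."""
    return [(a, *egress_decision(*a)) for a in attempts]

if __name__ == "__main__":
    for (proto, dst, port), action, idx in evaluate():
        rule = "default" if idx is None else f"rule {idx}"
        print(f"{action:5} {proto}/{port:<5} -> {dst:15} ({rule})")
```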


It blocks incoming connections well, which is extremely important.

It doesn't block outgoing so well; it has issues with blocking outgoing.

You would only benefit from blocking outgoing if your system has already been compromised, and if the software that compromised it does not know how to break out. So a security professional that knows exactly what is going on may not bother blocking outgoing. But another security professional may still block outgoing to be on the safe side, just in case he has a lapse!

It's good to have layers of security. So, run tests on your system to make sure you're not making outgoing connections. And perhaps also have a firewall blocking a few known outgoing ports (I'll paste Leythos's useful info here before his post disappears): "block outbound ports 135~139,445, 1433,1434"

Reply to
jameshanley39

I'll just add: when you get a personal firewall, like Zone Alarm, or any other alternative to the Windows firewall, it will keep prompting you about outgoing. It's a major hassle to start with. Every time a piece of software it doesn't recognise sends data over the internet, it'll prompt you to see if it's ok. Once it recognises those programs it'll be ok; it won't prompt you. You can tell it not to prompt you again and it'll add those progs to your exceptions list.

Expect LOADS of false alarms. Most users wouldn't understand the messages. It'll tell you some process is sending data on some port. Just google the name of the process if you're suspicious. It might be a standard piece of spyware. It won't hurt you anyway even if you let it send ;) because really clever software can get past these things.

So the Windows firewall is extremely safe. I use it. And it's convenient; it doesn't bother the user as much as other personal firewalls.

Sygate is the nicest, most usable personal firewall I ever used, but VB has written many times that it has security issues.

A NAT router will block outgoing that you ask it to (via the firewall function built in), without telling you. No prompts will come up. And it'll block all incoming, without telling you (an accident of the NAT functionality).

Reply to
jameshanley39

James, Many thanks for all that. I'm saving all of this information.

Reply to
Mike O'Sullivan

No provision is 100% secure. You may combine 2 or 3 very secure provisions against the same attack, and that can be more secure. The effectiveness of their defence may vary. One provision may have one problem, another provision may have another problem. A hacker may get through one but not through the other. So, in this way, overall security is increased. Like having to open 2 doors to get into your house. And like having 2 locks on a door instead of just one. People do!

By the way, I have zero experience. I'm just looking at this logically!

How so? I guess that's possible if it were possible to exploit the 'first' provision and then, through that exploit, to get through all the other provisions. I wouldn't know if that were the case. Perhaps that was what you were getting at.

People often use many similar tools for the same job, dealing with viruses. So the philosophy would be the same here. 2 tools won't suffer from the same exploit.

Or if the added complexity caused confusion. But as I think you said once, any system is vulnerable to PEBKAC and social engineering.

Can you name some books on the subject that describe this philosophy of security? And, better still, discuss zones vs layers. At the moment it seems to me that you can have many layers in one zone.

Another person, not quoting a book or source, wrote a philosophy in another thread whilst defending layers: "You are looking at the question from a topological/segregational point of view. Layering is not about point A and point B and zones. Rather, an integrated approach combining hardware, software, peopleware, policies, education, monitoring and about a dozen other things"

So, I guess your zone concept has to be reconciled here. What books discuss layers and zones? (I guess the question about books discussing layers should be to Leythos.) Is there any classic layers/zones debate?

At the moment it seems to my ignorant self that the approaches can be integrated.

The 'layers of security' concept is very widespread. I'm sure you didn't invent a competing zone philosophy. There must be sources that discuss this / give these subjects the proper treatment.

Reply to
jameshanley39

A security professional, on their own network, would block outgoing by default. While I don't enable any firewall on my computers inside my networks, the firewall appliance only allows a few outbound ports, and it checks to make sure the traffic is the specific type the port is supposed to be handling and drops it if not.

There is more to security than just limiting a little outbound when you're compromised, there is limiting outbound when you're not compromised also - you don't want any information leaving your network that could give anything to anyone that you don't want them to have.

Reply to
Leythos

Good enough as a host-based packet filter.

It's not advisable - "Personal Firewalls" do not add extra security compared with the Windows-Firewall, but many new extra problems.

Yours, VB.

Reply to
Volker Birk

No.

Usually, many people claim that, because they think, that if they're combining two unsecure provisions, they would increase overall security by doing so.

This is wrong.

In case of doubt, this will decrease overall security. Seldomly, it will help at all.

This is why I'm requesting to return back to the term of a zone concept. Every zone has well defined attributes, and it has to be clear, what is secured against what.

Yours, VB.

Reply to
Volker Birk

Also, it is a reason why it is called layers. Anyone ever seen an onion? Layers of security in terms of computer network security is more like using TCP-wrappers as well as a packet filter and a high-level protocol analyzer (IDS/IPS/ALG-ish systems). Security failure in one layer should not cause total disaster, because the measures implemented protect against more or less the same threat in different layers.

This is where studying the layered networking models pays off. Considering the OSI model, the example above would have a packet filter at the Network layer, a TCP-wrapper at the Session layer, and a high-level protocol analyzer at the Application layer; and our system would survive both a fail-open packet filter and a crash in the high-level protocol analyzer without exposing our vulnerable service on port n to the entire world.

In a computer system, mixing several "security products" designed to work at the same layer in the OSI model protecting against the same threat, unless specifically designed to work together, is generally considered a bad idea.

I would advise people using "personal firewalls" who want layered security to rather add a stand-alone ("hardware", "appliance") network firewall to their configuration. If that seems too pricy, your losses if compromised are simply not high enough to defend layered security.

All very true.

Reply to
Eirik Seim

I'll attempt an answer that'll hopefully work for common logic.. :)

The question is how the products are implemented. It is not like having two locks, but more like using two locks to construct a third. The result will probably be more complex and less secure. If you are a locksmith or just an expert on locks, you might get better security if you know in detail how the locks are secured themselves.

Firewall A is probably designed to run as the sole firewall on the system, and Firewall B is probably also designed to run as the sole firewall. Adding them to produce something better is likely to be a terribly complex operation.

Reply to
Eirik Seim

This is wrong, too. Of course, provisions can be 100% secure, because every provision in a security concept is related to a specific attack vector respectively.

No, unfortunately not in general, but only, if those provisions will not interfere, and any of them is secure. Then this may help against the case that a provision is not secure, but only misjudged as being secure (i.e., the implementation of the provision has an exploit).

Better use provisions, which make the protected system secure against a specific attack vector.

This is exactly, what I meant with the mentioned misunderstanding.

You're missing the point. Security within informatics can do, what security systems in pizza man's universe usually cannot.

Please read the following posting, too:

Because combining provisions which are unsecure even may open additional attack vectors.

Yes, of course.

Which philosophy?

The zone concept is reimplementing the ideas of defence in depth, a common military strategy. I'm sure, you'll find lots of books about that topic.

I'm not referencing the term "defence in depth", some AntiVirus providers are using today. Usually, this is based on a misunderstanding, too.

What people call "layered security" usually is a result of the misunderstanding of the strategy of defence in depth. They're using inappropriate provisions to "secure", and seem to think, that combining such useless provisions will result in something they call "security", and usually they're not able to define exactly.

We can find each other in this discussion, if we both agree, that it can be a good idea to have more than one provision for one single attack vector, if it can be made sure, that the implementations of those provisions will not interfere, and that every provision is capable to secure the attack vector completely, and, last but not least, the implementations of those provisions cannot be seen as proven.

If you want to call this "layered security", then I will agree with you, that this can be a good idea, but only if the mentioned constraints are obeyed.

Yes. And many, many other b0rken concepts and much other nonsense is very widespread, too.

How can you be so sure? ;-) But: you're right here.

Yours, VB.

Reply to
Volker Birk

Thanks, that was a great post. Your post here clarifies it and is a good followup!

cool, thanks.

OK, I'll avoid the AV providers for info on 'defence in depth' then!

But is it uncommon that, when having more than one provision for one single attack vector, every provision is capable to secure the attack vector completely, implementations won't interfere, and implementations cannot be proven?

There are 2 cases:

the case of 2 firewalls on the same comp, and the case of 2 firewall appliances chained together.

I think, if it's 2 firewall appliances chained together, it'd be ok, though a hassle to configure. A bit like 2 doors. One door guards a slightly larger entity. The attack vector isn't the same. The fact that software/hardware is (almost?) always exploitable - implementation not proven - makes me think this is perhaps a must to have a really secure system.

But with 2 firewalls on the same comp, the attack vector is the same. In fact, if implementations aren't proven - in that functionality is ok but a bug opens them to exploit - then it's more insecure, since the attacker could hit either of them and get in. So that one isn't really like a door with 2 locks. It's actually very insecure.

Reply to
jameshanley39
