Do I really need a FW besides WXP

Hi there,

Do I really need a FW besides the one included in WinXP? Or: Can I trust the FW in WinXP?

John

Reply to
John Gawe

I never install firewall software on Windows XP. Not even if it has a public IP address. But I do make sure that the built-in firewall is turned on. In the case of a home user I will make sure a virus scanner is installed, that all updates from Windows Update are installed, that automatic updates is turned on, and that the user knows how to log in as a user instead of an administrator. I might also advise the user that an external firewall box (minimum of NAT/SPI) should be used and that if they can afford a better external firewall and are prepared to learn how to use it then they should get one. Sometimes I have to advise removal of certain firewall software where the user can't get any work done because they're being flooded with more useless popups than the average advertising trojan produces.

Jason

Reply to
Jason Edwards

My personal preference, after 20 years of being online, is to never trust the OS and settings on a computer that is used by anyone. If you can't build a firewall computer to use in a dedicated position then purchase a cheap NAT Appliance and learn how to configure it - it's the best $50 you may spend.

Reply to
Leythos

No.

For filtering your services: yes.

Yours, VB.

Reply to
Volker Birk

I would get a cheap NAT router that did logging where you use something like Wallwatcher. The NAT router does the same thing as XP's FW, which is it stops unsolicited inbound traffic from reaching the machine.

You could use IPsec that's on the O/S that does something that neither XP's FW nor the cheap NAT router can do, which is stop outbound traffic by setting filtering rules. IPsec to supplement the NAT router or XP's FW.

formatting link
You can implement the AnalogX rules learn from them and set new rules that you may need.

formatting link
Duane :)

Reply to
Duane Arnold

One of the biggest problems with XP's built-in firewall is it lets all inside traffic go out. MS weinered out and said that blocking outbound traffic would be too confusing. Not.

Since XP Home doesn't really have good security like XP Pro, if you do get infected with malware or a trojan, the built-in firewall is going to let it send all of your passwords to the Motherland without letting you know.

A real firewall would pop up a warning that "program xxxxx is trying to connect to the Internet." You would naturally get paranoid (rightfully so), deny it access to the Internet and then check your computer over very closely.

The advice about being behind a router is a great help and I do it as well. But if malware gets installed on your computer, the NAT router is also going to let it happily send your passwords away without warning you as well.

Ray

Reply to
¦

Netgear FR114P. It's an ICSA certified firewall. They're relatively cheap. You can probably get one on eBay. Or just get something that does NAT/SPI.

Reply to
K2NNJ

That's a problem with any user that is clueless no matter what the solution may be.

What are you talking about?

No, a real FW doesn't have such snake-oil in it. :)

And secondly, a PFW is not a real FW solution as it doesn't separate two networks. The network it's protecting from the WAN and the network it's protecting the LAN. The PFW solution only provides machine level protection at the machine level and doesn't separate anything. The NAT router comes closer to the definition of a FW than a PFW solution as it does separate two networks, the WAN from the LAN.

And so can that snake-oil being used in the PFW solution be beaten. As malware can go under, over, around and through a PF and that Application Control snake-oil.

That's why one gets a packet filtering FW router or a FW appliance that meets the specs in the link.

What does a FW do?

formatting link
You should learn about FW(s).

formatting link
Duane :)

Reply to
Duane Arnold

No, this is not a problem. Controlling already running programs what they're sending out is a b0rken concept anyway.

In what way?

Only a "Personal Firewall" with the design flaw to make the person responsible for security decisions of all the people, who should be protected and protect, the user, asks in such an absurd way.

A sensible implementation of a security system for home users offers protection for them without making those people responsible for security related decisions, who don't have a clue of what's going on.

If the "router" is running a packet filter and maybe NAT, then this is a good idea, if the packet filter is well configured by default.

Yes. And this is a very good idea, because filtering the PINs and passwords directly leads into attacks to find them out. It's just misunderstanding data security to filter away to hide something.

An example; say, I have a two digit PIN. And I'm filtering it away to hide it. Well, which one was it?

00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99

Complete this yourself for usual PINs with 4 or 5 digits and a small computer program, which does the job of counting. Then you'll have your homework ;-)

Anybody, who offers filtering data away as a solution to hide this data, has no clue of data security at all.

Yours, VB.

Reply to
Volker Birk
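
Added example, not part of the original posts: a small Python program for the "homework" in the post above, showing that the value a filter removes is exactly the value an observer learns. The filter function and the sample PINs `4711` and `90210` are constructed for illustration; the two-digit listing is rebuilt to match the one in the post.

```python
"""Why hiding a PIN by filtering it out reveals it (constructed illustration)."""

def candidates(digits):
    """All zero-padded PINs of the given length, in order."""
    return [f"{n:0{digits}d}" for n in range(10 ** digits)]

def missing_from_listing(listing, digits):
    """Candidates absent from a filtered listing: the filter removed exactly these."""
    seen = set(listing.split())
    return [pin for pin in candidates(digits) if pin not in seen]

def make_outbound_filter(secret):
    """Hypothetical content filter: a payload may leave only if it lacks the secret."""
    def allows(payload):
        return secret not in payload
    return allows

def recover_via_filter(allows, digits):
    """Count how many payloads a local program must submit before one is blocked.
    The blocked payload is the secret; the filter's verdict is the leak."""
    for probes, pin in enumerate(candidates(digits), start=1):
        if not allows(pin):
            return pin, probes
    return None, 10 ** digits

# The two-digit listing from the post, rebuilt here rather than retyped.
POST_LISTING = " ".join(p for p in candidates(2) if p != "42")

if __name__ == "__main__":
    print("missing from listing:", missing_from_listing(POST_LISTING, 2))
    for secret in ("4711", "90210"):  # constructed sample PINs
        pin, probes = recover_via_filter(make_outbound_filter(secret), len(secret))
        print(f"{len(secret)} digits: recovered {pin} after {probes} of "
              f"{10 ** len(secret)} possible probes")
```

The worst case is `10 ** digits` probes, which for 4 or 5 digits is at most 100,000 filter decisions, so the filter protects nothing once untrusted code runs on the same machine.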

Please read the links below.

formatting link
formatting link
Wayne McGlinn Brisbane, Oz

Reply to
Wayne

Ray,

Which of these features, available in WinXP Pro but _not_ WinXP HE, would lead you to such a conclusion?

formatting link
Ron :)

Reply to
Ron Lopshire

BIG GRIN :-) Well, I agree on this one, VB! I always got a laugh when the GUI asks for information that should be protected, e.g. DOB, SSN, bank account#, et al. Huh? You want me to enter the data that should not be sent. Give me $10.00 USD and make sure this precious data NEVER leaves your system! (Aw heck, I'll give to you for free.) NEVER ENTER THE DATA! Period.

make sure brain is active before the fingers go into motion :-)

Reply to
Jeff B
