Do not use free firewalls!

I've decided to uninstall ZoneAlarm, and start using Windows XP's own firewall. There's too much danger with other firewalls, and the commercial ones are 99% crap, and expensive.

Free Firewalls - The Dark Side:

Here's the catch that most free firewall vendors don't tell you about. Their software will prompt you when it detects an outbound connection (outbound connections happen regularly). Here's an example:

Notice: svchost.exe is attempting to communicate with the internet. Should this be permitted? [Yes] [No]

The majority of computer users have no idea if they should allow this or not. At first, the average user will choose [no] only to discover that they can no longer visit internet sites or have prevented needed communication.

Want to guess what they'll choose next time they are prompted - [yes]. Chances are that one of the times, it will be spyware trying to communicate and because they choose [yes], they set a rule that allows the wrong program to access the internet.

Reply to
Johnny

Bullshit. If it's spyware, then it will click [yes] itself.

BTW, by allowing svchost.exe you've already dug a big hole under your fence.

Reply to
Sebastian Gottschalk

A valid statement, yet it has nothing to do with the quality of firewalls (free or otherwise).

In my experience, I've never had any trouble accessing internet resources after blocking svchost.

That's a user error, if they don't pay attention to what programs they're blocking and/or allowing then this is what happens. You don't blame the car for following orders when a driver directs it to hit a tree, do you?

Reply to
prophet

No, but it is blindingly obvious to even the most inept driver that steering the car into a tree is bad news. It is not so obvious to an unenlightened computer user whether or not to allow internet access to svchost.exe. The original poster's point is valid in my view, software firewalls can be rendered useless.

Reply to
Mr. Slow

Of course they can be rendered useless but it is *always* the responsibility of the user to make a decision about what can or can't get in or out. The rule is, if you don't know, don't allow it access - if you can't do that, get advice and make your decision based on that.

Regards

Bill

Reply to
phoenix

Based on what information? The data presented by a PFW are usually totally useless for even a very competent user.

Point is that with svchost.exe and the like you don't have any good choice. Deny it and it will break your network - allow it and you've punched a hole into your firewall.

Reply to
Sebastian Gottschalk

Keyword being "unenlightened" :-) A driver has usually had some driving lessons, and passed an exam before using a car. The same can not be said of most computer users. So I would say that users should learn how to use firewalls. Or any program, for that matter. Don't complain afterwards that it's not doing what you want it to do. 9 times out of 10, it's doing what you TOLD it to do.

Indeed they can, but I got the notion that the OP's point was that all firewalls ARE useless, and went back to using the one built into Windows XP (since SP2). But that firewall is very, very basic. I'm not convinced that it provides enough security.

Reply to
prophet

I think the OP was trying to say the PFW doesn't provide enough info to make a choice on whether to allow this. "Allow svchost.exe?" is a lot different to "Allow c:\docs and sets\cluebie luser\local settings\temp\mymalware\svchost.exe" or "allow c:\windows\system32\svchost.exe access to on UDP 53?"

I saw windows defender (a most fwapworthy name, I might add) ask "A new Winsock LSP has been added. Allow access?" recently. The user hit the 'f*ck orf i'm busy button' as per usual.

PFW's and anti-malware proggies are fantastic at providing not enough info to make an informed decision to people who don't have a clue and care even less. Cheers, E.

Reply to
E.

That was qualified by the 'get advice' that you accidentally slipped into the following quote instead of here, where it belonged.

No, it doesn't break your access to the internet. I've never had problems blocking svchost and neither has the poster 'prophet', a couple of posts above this.

Makes no difference what you say, it's still the user's responsibility. Don't you take responsibility for your system?

Regards

Bill

Reply to
phoenix

D'oh. You never noticed the slowdown of denying DnsCache service? What about ICS? What about UPnP?

I take responsibility to not install any utterly useless software. ;-D

Reply to
Sebastian Gottschalk

I disagree completely - they present the user with a lot of information and can also help identify a compromised network in addition to inbound and outbound traffic. While they may have their own set of exploits, unless they are exploited, which appears to happen very infrequently, they do serve quite well.

I've used a PFW on every laptop at every client's location and at new clients' locations where we've not redone the firewalls/security and never experienced a compromised PFW on any of our laptops.

Reply to
Leythos

Ah, but this is a logical fallacy. This functionality (prompting on outbound connections) is not the problem. The problem is matching the quality of the prompts to the knowledge of a user. As an expert user, I want such prompts. Actually, I want more detailed prompts such as "svchost.exe is attempting to connect to 10.10.10.10 port 1024" with options "Allow, Deny, Customize" where customize would have the functionality to set a full rule (IP range, ports, etc that are allowed or denied). But such a prompt would completely confuse a novice user.

Does this mean all prompts should be geared towards the novice? I don't think so. If a firewall product wishes to be everything to everyone, they could have a configuration option to select the prompt level. For example, the novice prompt might include a "More Information" button that would bring up a help file for that particular exe if it's a known exe or a help file that says it's an unknown exe and to treat it cautiously otherwise. The expert prompt would be like I said above. It would make sense to default the prompts to the novice level as the expert should have the knowledge to go in and change the prompt level. But for the love of Pete, do not dumb down the prompts for everyone just because it might confuse someone.

Reply to
Fishlover
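The difference between the coarse "Allow svchost.exe?" prompt (E.'s post above) and the full rule Fishlover asks for (executable path, destination range, ports, protocol) can be shown with a small rule matcher. This is an added example, not code from the thread or from any firewall product; the paths, addresses and ports are constructed sample values.

```python
"""Toy outbound-connection rule matcher: coarse name-only rules versus
path/destination/port-scoped rules. Added illustration, not any product's code."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Attempt:
    exe: str       # full path of the process asking for the connection
    dst_ip: str
    dst_port: int
    proto: str     # "tcp" or "udp"


@dataclass
class Rule:
    exe: str                    # bare file name (coarse) or full path (strict)
    net: str = "0.0.0.0/0"      # permitted destination range (CIDR)
    ports: tuple = (1, 65535)   # inclusive destination port range
    proto: str = "any"

    def matches(self, a: Attempt) -> bool:
        # A rule holding a full path must match the whole path; a bare name
        # matches any file of that name, wherever it lives on disk.
        if "\\" in self.exe:
            exe_ok = a.exe.lower() == self.exe.lower()
        else:
            exe_ok = a.exe.lower().rsplit("\\", 1)[-1] == self.exe.lower()
        return (exe_ok
                and ipaddress.ip_address(a.dst_ip) in ipaddress.ip_network(self.net)
                and self.ports[0] <= a.dst_port <= self.ports[1]
                and self.proto in ("any", a.proto))


def decide(rules, attempt: Attempt) -> str:
    """'allow' when some rule matches, otherwise fall back to prompting."""
    return "allow" if any(r.matches(attempt) for r in rules) else "prompt"


# Constructed sample attempts: the real service doing a DNS lookup, and a
# look-alike binary in a temp directory reaching out to an arbitrary host.
DNS_LOOKUP = Attempt(r"C:\Windows\System32\svchost.exe", "10.0.0.1", 53, "udp")
LOOKALIKE = Attempt(r"C:\Documents and Settings\user\Local Settings\Temp\mymalware\svchost.exe",
                    "203.0.113.5", 443, "tcp")

# What a "[Yes]" on the novice prompt records, versus the expert-level rule.
COARSE = [Rule("svchost.exe")]
STRICT = [Rule(r"C:\Windows\System32\svchost.exe", "10.0.0.0/8", (53, 53), "udp")]
```

Under COARSE both attempts are silently allowed; under STRICT only the real service's DNS lookup passes and the look-alike is prompted for again.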

Harassing the user with useless messages instead of silently logging in the background definitely is a serious problem.

Bad enough, in your rules you usually cannot even reference TCP states or certain header values. Utterly useless on any serious application. The messages won't help.

Reply to
Sebastian Gottschalk

Well now you're expecting Windows software to be of the same quality as Linux, BSD and so forth products *grin*. The closest I've found is the ability to select ICMP types and TCP/UDP port numbers (or port ranges), but does not have filtering on the TCP flags. At least I assume by "TCP states", you mean being able to check the TCP flag combinations. Or perhaps you mean stateful firewalls, which record the active connections in a table and use that as a basis. However, stateful firewalls would not apply to the scenario at hand as it was an initial outgoing connection (e.g. SYN flag set or a "NEW" state in certain stateful firewall terminology). It would be useful in other situations though. Certainly I'd love to see an iptables or ipfw style personal firewall for Windows, but not enough to develop one myself, heh.

Reply to
Cichlidiot

:-)

Reply to
Sebastian Gottschalk

My router is also a caching DNS server, so there's no need for caching DNS entries locally :-) Besides, DNS caching was useful when we used 14.4K modems.

Never used them myself, but I've configured a couple of home networks using ICS and never noticed any performance degradation because of software firewalls. YMMV of course. I'd say most firewalls are smart enough to work with (or around ;-) ) ICS.

I fail to grasp what you're trying to accomplish with this thread though. You say software firewalls (with a focus on the free variety) are useless and too complex for the average user. Yet neither yourself nor anyone else here is an average user. From your other posts I gather that you're quite knowledgeable. So, as they say, you're preaching to the converted.

Reply to
prophet

The performance measures on my BIND tell me something different. Besides that, most routers' DNS caches are absolutely lousy.

Yeah, basically they allow anything to bypass. ;-)

Anyway, there are certain network drivers that do interact with certain svchost processes in strange ways. It really is possible to kill off your connection like that.

Besides that, one can simply configure the services correctly so there's no need for blocking svchost.

Ah, huh? I'm not the OP. I'm just discussing on his arguments.

Reply to
Sebastian Gottschalk

Really? I've never had problems with it, but then I haven't felt the need to test its performance. I used to dabble with freesco and other linux-based routers, but seeing as a router runs 24/7 I figured a small router/switch combo was more cost-efficient.

And for a simple home network my little SOHO router is more than adequate. It blocks ICMP and pretty much all other things I can think of (completely stealthed according to GRC.com). Besides that I use Sygate 5.6 on my workstation to control programs and services that want to communicate with the outside world.

Works well enough for me, although I realise a false sense of security is right around the corner. I simply try to configure my rig as well as I can, and exercise a little paranoia in all things internet-related.

lol :-)

Didn't know that. I wonder if such things are widespread (are they?). I've never seen it, but of course that doesn't mean it doesn't happen.

That's the meat of this whole discussion, isn't it? To us it may be simple, but I can imagine that an average joe wouldn't be able to see the difference between some firewall dialogs. "Do you want to allow xxx.exe to access the internet? Hmmm... [maybe]" ;-)

But to bluntly state "Do not use free firewalls", while the built-in FW in XP isn't exactly the pinnacle of security... I dunno. It just didn't sit well with me. A system is as safe as its configuration if you ask me. And that goes for any OS/firewall combination. Linux can be made a cracker's paradise and Windows can be made relatively safe if you know what to look for. Anyway, the safest system is one that's powered off :-)

Whoops, my bad :-) Now that I see it, the OP hasn't answered a single reply.

Reply to
prophet

Now this is rather bad, because you're shooting yourself in the foot and you verified that with the lousiest online portscan ever.

What bullshit. Legitimate programs by definition and by fact don't need such a treatment, and malicious programs simply circumvent it.

No, it's already there. :-)

How should they do it any differently? Without knowing the internal NAT state tables of ICS, every attempt would be either too sloppy or too strict. That's what routing firewalls are good for!

Reply to
Sebastian Gottschalk

How about nmap? Or Foundstone's SuperScan? I've scanned my network from the outside with those, and so far everything looks to be in order.

No? If I don't want a program to access the internet, then I'll block it. Maybe I'll feel differently tomorrow, or next week. I don't care if a program is legitimate or not, I want to be in control of its connections to other machines.

I have yet to see a program that was able to reach a server somewhere after blocking it with Sygate. Do you have an example of a program which is able to circumvent a (software or "personal") firewall?

Perhaps. Like I said, I try my best to lock everything down but I realise there could be a leak somewhere. With an OS like Windows, there's bound to be :-)

Honestly, I wouldn't know. I'm not an expert on the inner workings of firewalls or ICS (which I don't use), nor do I claim to be.

Reply to
prophet

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.