Ok, so Volker Birk makes what seem to me to be some pretty good arguments why it's a waste of time running software firewalls offering outbound protection (on the basis that any software wanting badly enough to "call home" would in any case be able to bypass that firewall).
But I haven't seen anyone supporting or for that matter refuting Volker's view. I'm talking here about basic firewalls such as ZA free, not something like ZASS which may well offer other advantages.
So what's the view - should I reclaim much-needed cpu cycles by ditching ZA free or any other basic 2-way firewall altogether and just rely on Windows Firewall, and of course an antivirus scanner? And, of course, not installing anything I don't trust.
I'm currently sitting at a P3 550MHz with 256MB RAM and Radeon 7000 graphics. The OS is Windows 2000. It cost nothing to build because it's built of a mixture of parts discarded by others. It has no personal firewall software, no anti-virus software, no unnecessary services and no unnecessary running processes. Its performance at anything I want to use it for, including DVD playback, is mostly indistinguishable from a recent 3GHz P4. No doubt there are tasks which would go faster on a 3GHz P4, but it can work on those while I'm asleep and have the result ready in the morning. I don't believe in increasing complexity without good reason. A system is easier for me to understand if it's less complex. This makes it easier for me to secure it. Increasing the complexity by adding more software would therefore make it _less_ secure.
Running a personal firewall is always a crap-shoot, if you run as administrator on your machine you have additional problems. If you run the PFW without understanding what you are allowing then you are going to defeat the reason to have a firewall.
The Windows Firewall is a minimal service that doesn't do a lot, and it requires that you TRUST Microsoft to have created something that is worthy of protecting your PC and all its data without any flaws or exploits that would allow some known and unknown through.
The other firewall, as an example Zone Alarm, is written by a vendor that has one product to design/test, has an interest in providing the most security you can get, and is based around that one goal. I would trust ZA over anything MS produces to protect my personal computer.
If you trust ZA, then you are not really wasting any CPU cycles.
If your machine is slow due to the load of being protected, then it's not wasted. You should not have enough outbound traffic that its outbound features are causing the load.
As for the inbound load, what makes you think that ZA will cause any more load than the Windows Firewall?
What you really need to do is protect your machine/network with a border device - such as a NAT router (which is not to be confused with a firewall) so that things that you don't invite don't make it to your PC to be rejected in the first place.
In many cases you can run a NAT Router and then not need a PFW solution, especially the Windows Firewall since it doesn't do outbound, but there are times when you do stupid things and you don't monitor the traffic logs in the router, when a PFW that does Outbound can save your butt.
So, keep believing that the Windows Firewall is worth something, so is Commodore Computer Stock Shares right now too :)
Sam wrote in news:dgdsuf$m9p$1 @nwrdmz01.dmz.ncs.ea.ibs-infra.bt.com:
I myself see no reason to NOT use MS's XP FW. Sure it has some kind of application control but it has no means to stop outbound by setting rules.
However, there is another element that can do it on the XP O/S and that's IPsec, which can be used to supplement any PFW, MS's FW or NOT. I'll be using IPsec behind BlackIce, which cannot stop outbound traffic by setting filtering rules, on my laptop at a client's site in a hotel I'll be in that has dial-up for the next six months.
IPsec can stop inbound or outbound traffic by port, protocol or IP behind the XP FW or a solution like BI.
I'll be implementing the AnalogX SecPol rules again on the XP Pro laptop.
The only thing about the AnalogX rules is that they prevent file downloads on high ports > 1024, so you either disable IPsec or learn the rules to open the required port. I use Active Ports to tell me the port to open.
Using IPsec to supplement a PFW solution that cannot stop outbound is solid protection as far as I am concerned.
Volker's preference for the XP firewall merely reflects the POV that inbound packet filtering solves a problem that would be difficult to manage otherwise. Outbound packet filtering or application control is no more effective than the implementation of Safe Computing Practices.
To be safe and effective one must totally reject this belief. Outbound application control is the essence of stopping spyware. Anyone who advocates not using it must be a spammer spreading spyware, hijacking machines thereby. Or just plain stupid.
If you have your network setup properly, your users not running as Admins, and your firewall filtering content, you don't need any application to stop spyware - it will be stopped before it reaches a computer that can run it.
That's a lot of If's. Suppose someone brings in an outside machine, such as a laptop used in the field (common practice these days)? Suppose someone brings in an infected disk? Suppose that someone is deliberately trying to infect your system? I know, no one would ever do such a thing, but you see, they DO, all the time (industrial espionage and sabotage, they call it).
If using a Windows firewall to block incoming, you can do that with a NAT device anyway. So no need even for the Windows firewall, but it adds another layer of protection. Suppose the Windows firewall has an exploit. Then maybe better to use Sygate. Sygate also has a great port logger. My NAT device doesn't have a port logger, but even if it did, Sygate's is really nice.
That is all regarding incoming, which you want to block.
If you want to block outgoing, then the Windows firewall won't do it. VB has, it seems, shown that if spyware cannot get past a firewall and make an outgoing connection then it's not very cleverly written. So if it can't, then it's nothing to be afraid of security-wise. It's just sending some marketing info. And you should notice anyhow; it'd be a process using ports and slowing your connection down, sending frames over the net. Many ways to see this happening and catch it. If you wanted to catch it before it starts, then maybe block outgoing. But there's no need to catch it before it starts. Let it start, and notice it. Anyhow, only a careless user would get a computer slowed down from spyware, or get lots of spyware installed and not notice.
If you're the only user of the computer then why create all these self-imposed restrictions? You're hassling yourself more than the spyware hassles you.
If you've got a network with stupid users that will fill their computers with spyware to the point that it really hassles them and slows down their Internet connection, then you want to stop spyware communicating. And put in some safer practices, like getting them using a browser other than IE.
But as another poster has said, there's an argument that if you've got it properly set up, and your users (whom we must treat the same and thus have to assume idiocy for them all) aren't administrators, apparently they can't do much; they don't have enough rope to hang themselves.
So, as an individual that cares enough to post to this newsgroup, I doubt you ever really got into a situation where your computer was so full of spyware and you didn't know what to do. If it really bothered you then you'd just run some spyware removal programs. Big deal. And if you did have spyware, you'd want to get rid of it properly anyway. Not just block it. Since what it sends isn't really important.
Sygate gives the process name that is sitting at the local port (if there is a process sitting there). Ethereal does not.
Sygate tells you clearly whether it's incoming or outgoing. With Ethereal you gotta check the IP addresses of the frames initiating TCP connections. Or the IP addresses of UDP frames.
Ethereal bombards you with all the frames being sent when all that is required here are those indicating connections being initiated. So, how do you get around this? Well, apply the filter tcp.flags.syn == 1 && tcp.flags.ack == 0
OK, so now I have Ethereal behaving a little bit more like a port logger ;)
So that gets around the main issues I had with Ethereal as a port logger.
Regarding Sygate, if one wanted to only use the port logger, one can click Security..Allow All; it won't close any ports, certainly won't stealth any ports, and I think it's not blocking ICMP either.
Maybe if Sygate is allowing everything then it's not open to be exploited remotely either.
So, I figured out how to use Ethereal like a port logger in the end!
But Ethereal still doesn't display the process names. Sygate does.
And Ethereal still doesn't display date/time. Sygate does. Really it's trying to make Ethereal into something that it's not. At least by using Sygate as just a humble port logger, you're not making it something it isn't. Sygate does the job well; the ability is designed in there.
The other competitor is MS Port Reporter.
MS Port Reporter is OK, but it's not a log that you can view in real time. And it gives local and remote, not source and dest, so you can't even decipher for sure if it's incoming or outgoing.
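Added example, not code from any poster in this thread: a Python sketch of the "port logger" idea the post above arrives at, applied to raw frames. It keeps only TCP frames matching the Ethereal filter tcp.flags.syn == 1 && tcp.flags.ack == 0 and decides incoming versus outgoing by comparing the source address with the local address, exactly as the post describes. The frames, addresses and ports are constructed for the example; as the post notes, a capture alone cannot name the process behind a port.

```python
import struct
import ipaddress

SYN, ACK = 0x02, 0x10


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Build a bare Ethernet/IPv4/TCP frame (no options, no payload, checksums zeroed).
    Only used to construct sample input for this example."""
    eth = b"\x00" * 12 + b"\x08\x00"                 # dst MAC, src MAC, EtherType IPv4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip_hdr + tcp_hdr


def connection_initiations(frames, local_ip):
    """Return (direction, src, sport, dst, dport) for each TCP frame with SYN set and
    ACK clear: the same packets the filter tcp.flags.syn == 1 && tcp.flags.ack == 0
    would show. Direction comes from whether the source address is the local host."""
    log = []
    for f in frames:
        if f[12:14] != b"\x08\x00":
            continue                                  # not IPv4
        ihl = (f[14] & 0x0F) * 4                      # IPv4 header length in bytes
        if f[14 + 9] != 6:
            continue                                  # only TCP carries a SYN flag
        src = str(ipaddress.IPv4Address(f[14 + 12:14 + 16]))
        dst = str(ipaddress.IPv4Address(f[14 + 16:14 + 20]))
        tcp = f[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        flags = tcp[13]
        if flags & SYN and not flags & ACK:           # a connection being opened
            direction = "outgoing" if src == local_ip else "incoming"
            log.append((direction, src, sport, dst, dport))
    return log


# Constructed sample traffic: an outbound web connection (SYN, SYN-ACK reply, ACK)
# and an unsolicited inbound SYN to port 445. Only the two bare SYNs should be logged.
LOCAL_IP = "192.168.1.10"
SAMPLE_FRAMES = [
    build_tcp_frame(LOCAL_IP, "203.0.113.5", 1025, 80, SYN),
    build_tcp_frame("203.0.113.5", LOCAL_IP, 80, 1025, SYN | ACK),
    build_tcp_frame(LOCAL_IP, "203.0.113.5", 1025, 80, ACK),
    build_tcp_frame("198.51.100.7", LOCAL_IP, 40000, 445, SYN),
]

if __name__ == "__main__":
    for entry in connection_initiations(SAMPLE_FRAMES, LOCAL_IP):
        print(entry)
```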
Tiny Personal Firewall blocks by application, and can stop any application from being able to "call home". Forget other firewalls. Forget hardware appliances, and use Tiny. It is just simply the BEST at what it does, period.
And even if a newer release of Tiny "Personal Firewall" will prevent this, there are so many different ways to tunnel that it's possible to find another way to ignore the "call home" filtering of any "Personal Firewall", including Tiny.