Don't use a Firewall other than Windows Firewall?

Ok, so Volker Birk makes what seem to me to be some pretty good arguments why it's a waste of time running software firewalls offering outbound protection (on the basis that any software wanting badly enough to "call home" would in any case be able to bypass that firewall).

But I haven't seen anyone supporting or for that matter refuting Volker's view. I'm talking here about basic firewalls such as ZA free, not something like ZASS which may well offer other advantages.

So what's the view - should I reclaim much-needed cpu cycles by ditching ZA free or any other basic 2-way firewall altogether and just rely on Windows Firewall, and of course an antivirus scanner? And, of course, not installing anything I don't trust.

Your views very much appreciated.

Reply to
Sam

The guy is a nut, or perhaps a shill for MS.

I guess most here ignore him, as I have long done.

If you do you will regret it. MS knows as much about security as horses do about crocheting.

Reply to
Quaestor

I'm currently sitting at a P3 550MHz with 256MB RAM and Radeon 7000 graphics. The OS is Windows 2000. It cost nothing to build because it's built of a mixture of parts discarded by others. It has no personal firewall software, no anti-virus software, no unnecessary services and no unnecessary running processes. Its performance at anything I want to use it for, including DVD playback, is mostly indistinguishable from a recent 3GHz P4. No doubt there are tasks which would go faster on a 3GHz P4, but it can work on those while I'm asleep and have the result ready in the morning. I don't believe in increasing complexity without good reason. A system is easier for me to understand if it's less complex. This makes it easier for me to secure it. Increasing the complexity by adding more software would therefore make it _less_ secure.

Jason

Reply to
Jason Edwards

Running a personal firewall is always a crap-shoot, if you run as administrator on your machine you have additional problems. If you run the PFW without understanding what you are allowing then you are going to defeat the reason to have a firewall.

The Windows Firewall is a minimal service that doesn't do a lot, and it requires that you TRUST Microsoft to have created something that is worthy of protecting your PC and all its data without any flaws or exploits that would allow some known and unknown through.

The other firewall, as an example Zone Alarm, is written by a vendor that has one product to design/test, has an interest in providing the most security you can get, and is based around that one goal. I would trust ZA over anything MS produces to protect my personal computer.

If you trust ZA, then you are not really wasting any CPU cycles.

If your machine is slow due to the load of being protected, then it's not wasted. You should not have enough outbound traffic that its outbound features are causing the load.

As for the inbound load, what makes you think that ZA will cause any more load than the Windows Firewall?

What you really need to do is protect your machine/network with a border device - such as a NAT router (which is not to be confused with a firewall) so that things that you don't invite don't make it to your PC to be rejected in the first place.

In many cases you can run a NAT Router and then not need a PFW solution, especially the Windows Firewall since it doesn't do outbound, but there are times when you do stupid things and you don't monitor the traffic logs in the router, when a PFW that does Outbound can save your butt.

So, keep believing that the Windows Firewall is worth something, so is Commodore Computer Stock Shares right now too :)

Reply to
Leythos

In de.comp.security.*, this is common sense. I'm wondering why it isn't yet here in the international groups.

The arguments are obvious.

A virus scanner can be a good help, if you know the constraints any virus scanner has to face.

Yours, VB.

Reply to
Volker Birk

Sam wrote in news:dgdsuf$m9p$1@nwrdmz01.dmz.ncs.ea.ibs-infra.bt.com:

I myself see no reason to NOT use MS's XP FW. Sure it has some kind of application control, but it has no means to stop outbound by setting rules.

However, there is another element that can do it on the XP O/S and that's IPsec, which can be used to supplement any PFW, MS's FW or NOT. I'll be using IPsec behind BlackIce, which cannot stop outbound traffic by setting filtering rules, on my laptop at a client's site in a hotel I'll be in that has dial-up for the next six months.

IPsec can stop inbound or outbound traffic by port, protocol or IP behind the XP FW or a solution like BI.

formatting link
I'll be implementing the AnalogX SecPol rules again on the XP Pro laptop.

formatting link
The only thing about the AnalogX rules is that they prevent file downloads on High ports > 1024 so you either disable IPsec or learn the rules to open the required port. I use Active Ports to tell me the port to open.

formatting link
Using IPsec to supplement a PFW solution that cannot stop outbound is solid protection as far as I am concerned.

Duane :)

Reply to
Duane Arnold

Volker's preference for the XP firewall merely reflects the POV that inbound packet filtering solves a problem that would be difficult to manage otherwise. Outbound packet filtering or application control is no more effective than the implementation of Safe Computing Practices.

Reply to
optikl

I'm a shill for MS? How amusing ;-)

Ah, is this the reason why you're using their software?

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.2) ^^^^^^^^^^^^^^^^^^^^^^^^^^^ Gecko/20040804 Netscape/7.2 (ax)

SCNR, VB.

Reply to
Volker Birk

To be safe and effective one must totally reject this belief. Outbound application control is the essence of stopping spyware. Anyone who advocates not using it must be a spammer spreading spyware, hijacking machines thereby. Or just plain stupid.

Reply to
Quaestor

I agree, only a fool would trust an MS Firewall product after the history MS has in providing secure operating systems, secure applications, secure - well, nothing they provide is secure.

I would never trust a MS product to protect me against anything directed at MS.

Reply to
Leythos

If you have your network set up properly, your users not running as Admins, and your firewall filtering content, you don't need any application to stop spyware - it will be stopped before it reaches a computer that can run it.

Reply to
Leythos

No. It's just misunderstanding the situation. But don't be too unhappy, you're not the only person who is falling for advertising tricks from time to time.

Yours, VB.

Reply to
Volker Birk

That's a lot of ifs. Suppose someone brings in an outside machine, such as a laptop used in the field (common practice these days)? Suppose someone brings in an infected disk? Suppose that someone is deliberately trying to infect your system? I know, no one would ever do such a thing, but you see, they DO, all the time (industrial espionage and sabotage, they call it).

Reply to
Quaestor

And your solution is a sw firewall that will likely be disabled by malicious code?

Art

formatting link

Reply to
Art

If using a Windows firewall to block incoming, you can do that with a NAT device anyway, so there's no need even for the Windows firewall, but it adds another layer of protection. Suppose the Windows firewall has an exploit; then maybe it's better to use Sygate. Sygate also has a great port logger. My NAT device doesn't have a port logger, but even if it did, Sygate's is really nice.

That is all regarding incoming, which you want to block.

If you want to block outgoing, then the Windows firewall won't do it. VB has, it seems, shown that if spyware cannot get past a firewall and make an outgoing connection then it's not very cleverly written. So if it can't, then it's nothing to be afraid of security-wise. It's just sending some marketing info. And you should notice anyhow it'd be a process using ports and slowing your connection down, sending frames over the net. Many ways to see this happening and catch it. If you wanted to catch it before it starts, then maybe block outgoing. But there's no need to catch it before it starts. Let it start, and notice it. Anyhow, only a careless user would get a comp slowed down from spyware, or get lots of spyware installed and not notice.

If you're the only user of the computer then why create all these self-imposed restrictions? You're hassling yourself more than the spyware hassles you.

If you've got a network with stupid users that will fill their comps with spyware to the point that it really hassles them and slows down their Internet connection, then you want to stop spyware communicating. And put in some safer practices, like get them using a browser other than IE.

But as another poster has said, there's an argument that if you've got it properly set up, and your users (whom we must treat the same and thus have to assume idiocy for them all) aren't administrators, apparently they can't do much; they don't have enough rope to hang themselves.

So, as an individual that cares enough to post to this newsgroup, I doubt you ever really got into a situation where your comp was so full of spyware and you didn't know what to do. If it really bothered you then you'd just run some spyware removal programs. Big deal. And if you did have spyware, you'd want to get rid of it properly anyway. Not just block it. Since what it sends isn't really important.

Reply to
jameshanley39

Many thanks to all who have responded to this - makes very interesting reading, and helpful too. Keep your views coming please.

Reply to
Sam

In fact, it's more likely that Sygate has an exploit again than the Windows-Firewall (though both are possible), because Sygate is much more complex:

formatting link

Seems to be true for what all people are telling ;-) I prefer Ethereal anyway, but if one likes this, why not?

Good point. But please don't forget this:

formatting link
Yours, VB.

Reply to
Volker Birk

Sygate gives the process name that is sitting at the local port (if there is a process sitting there). Ethereal does not.

Sygate tells you clearly whether it's incoming or outgoing. In Ethereal you gotta check the IP addresses of the frames initiating TCP connections. Or the IP addresses of UDP frames.

Ethereal bombards you with all the frames being sent when all that is required here are those indicating connections being initiated. So, how do you get around this? Well, apply the filter tcp.flags.syn == 1 && tcp.flags.ack == 0

OK, so now I have Ethereal behaving a little bit more like a port logger ;)

So that gets around the main issues I had with Ethereal as a port logger.

Regarding Sygate, if one wanted to only use the port logger, one can click Security..Allow All; it won't close any ports, certainly won't stealth any ports, and I think it's not blocking ICMP either.

Maybe if Sygate is allowing everything then it's not open to be exploited remotely either.

So, I figured out how to use Ethereal like a port logger in the end!

But Ethereal still doesn't display the process names. Sygate does.

And Ethereal still doesn't display date/time. Sygate does. Really it's trying to make Ethereal into something that it's not. At least by using Sygate as just a humble port logger, you're not making it something it isn't. Sygate does the job well; the ability is designed in there.

The other competitor is MS Port Reporter.

MS Port Reporter is OK, but it's not a log that you can view in real time. And it gives local and remote, not source and dest, so you can't even decipher for sure if it's incoming or outgoing.

Reply to
jameshanley39
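The "port logger" the post above builds out of Ethereal (keep only TCP frames with SYN set and ACK clear, then read direction off the source address, then add a timestamp) can be written down as a small script. This is an added example, not code from the thread or from Ethereal/Sygate; the four frames and the local address 192.168.1.10 are constructed for the demo.

```python
import struct
from datetime import datetime, timezone

SYN, ACK = 0x02, 0x10
LOCAL_IP = "192.168.1.10"   # assumed address of the monitored host (constructed)

def tcp_frame(src, dst, sport, dport, flags):
    """Build a minimal IPv4 header + TCP header with no payload (constructed test data)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp

# (unix timestamp, raw frame): one outgoing connect, its SYN/ACK reply,
# one incoming connect attempt, and a plain ACK that is not a new connection.
SAMPLE_FRAMES = [
    (1127000000, tcp_frame(LOCAL_IP, "10.0.0.5", 3456, 80, SYN)),
    (1127000001, tcp_frame("10.0.0.5", LOCAL_IP, 80, 3456, SYN | ACK)),
    (1127000002, tcp_frame("203.0.113.7", LOCAL_IP, 40000, 135, SYN)),
    (1127000003, tcp_frame(LOCAL_IP, "10.0.0.5", 3456, 80, ACK)),
]

def parse_ipv4_tcp(raw):
    """Return (src, dst, sport, dport, flags) for a TCP frame, or None otherwise."""
    ihl = (raw[0] & 0x0F) * 4          # IPv4 header length in bytes
    if raw[9] != 6:                    # protocol field: 6 = TCP
        return None
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    flags = raw[ihl + 13]              # TCP flags byte
    return src, dst, sport, dport, flags

def connection_log(frames, local_ip=LOCAL_IP):
    """Ethereal's tcp.flags.syn == 1 && tcp.flags.ack == 0, plus direction and time."""
    entries = []
    for ts, raw in frames:
        parsed = parse_ipv4_tcp(raw)
        if parsed is None:
            continue
        src, dst, sport, dport, flags = parsed
        if not (flags & SYN) or (flags & ACK):   # drop replies and established traffic
            continue
        direction = "outgoing" if src == local_ip else "incoming"
        when = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        entries.append((when, direction, f"{src}:{sport}", f"{dst}:{dport}"))
    return entries

if __name__ == "__main__":
    for entry in connection_log(SAMPLE_FRAMES):
        print(*entry)
```

As the post notes, a packet-level view like this cannot name the process behind a local port; that needs a host-side tool such as Sygate's logger.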

Tiny Personal Firewall blocks by application, and can stop any application from being able to "call home". Forget other firewalls. Forget hardware appliances, and use Tiny. It is just simply the BEST at what it does, period.

Reply to
Charles Newman

No, it cannot.

I tested my POC on

formatting link
with Tiny "Personal Firewall" 6.0, and it failed.

And even if a newer Release of Tiny "Personal Firewall" will prevent this, then there are so many different ways to tunnel, that it's possible to find another way to ignore the "call home" filtering of any "Personal Firewall", including Tiny.

Yours, VB.

Reply to
Volker Birk
