Kids bypassing firewall via web proxy sites

Depends... far too many people seem to think that merely installing a desktop firewall will magically protect them from all evil. Obviously (and I think you'll agree) this is not the case.

All in all, it's much safer to configure and run your machine in a way that is safe even if no additional firewall is in place - no unnecessary services, no "I'll just click on that file, if it's dangerous my virus scanner would have caught it". You can install a desktop firewall on top of that - but you should act as if it's not there, and you should always remember that every software has bugs that can be exploited, therefore by adding software you add to the number of possible exploitable holes in your machine.

Juergen Nieveler


But a spammer who does that would be dumb - the recipient mailserver would notice that the From is invalid and could filter on that.

The whole concept of faking from-lines is used in the hope that the recipient mailserver will assume that the mail is legitimate as it's from an existing domain.

Very comforting for the guy who receives tens of thousands of bounces overloading his mailserver... not only is somebody abusing his address, he also gets DDoSed.

Juergen Nieveler


The "you" however is not the guy who gets hammered by the bounce messages... he's the victim.

Juergen Nieveler


Use a valid email address. Nobody ever demanded that you should actually READ what's in there :-)

Why not just set up a Gmail-account specifically for that purpose? It doesn't cost you anything, and if you never log in you don't get troubled by the amount of spam accumulating in it either.

Juergen Nieveler


No, you mistake how it would be set up:

1) All access is blocked by default - not just web.
2) Services are permitted as needed, for business reasons - like SMTP to/from the mail server only, https inbound for email web connections, outbound DNS only from the DNS server...
3) Generic Web access is permitted to "approved" sites and content filtering blocks downloading of files not on the approved list (very short list).
4) Select users are given an ID/Key that permits them to authenticate with the firewall to have additional permissions from any location in the network - these users could be Administrators, Teachers, IT Staff, etc... Each would most likely have its own group and own set of restrictions.
5) Users are permitted to request additions to the white-list, but requesting does not mean it will be granted.
7) Some users, based on location in the networks, will not be granted access to the Internet at all.
8) Internal portals provide information as approved by the company/school, these portals are all the outside and internal information that generic users can reach, in addition to #3 above. So, not that it would be approved, but, the nytimes content "might" be replicated to the portal in some cases, but links would not go anywhere.
9) Lots of other means enacted to limit exposure and liability.
Leythos
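
The default-deny ordering described in the post above, as an added Python example that is not part of the original post or any firewall product's configuration. All addresses, host names and group names are constructed, only items 1-4 and 7 are modelled, and letting an authenticated group (item 4) take precedence over a location block (item 7) is an assumption.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str              # client IP address
    dst_host: str         # destination host name
    dst_port: int
    user_group: str = ""  # group proven by firewall authentication, "" if none

# Constructed sample policy; every value is an assumption for illustration.
GROUP_SITES = {"teachers": {"lessons.example.org"}}               # item 4
NO_INTERNET_NETS = [ipaddress.ip_network("10.20.0.0/24")]         # item 7
SERVICE_RULES = {("10.0.0.25", 25), ("10.0.0.53", 53)}            # item 2: (src, port)
APPROVED_SITES = {"intranet-portal.example", "www.example.edu"}   # item 3
WEB_PORTS = {80, 443}

def decide(flow: Flow) -> str:
    """Return 'allow' or 'deny'; anything not explicitly permitted is denied."""
    src = ipaddress.ip_address(flow.src)
    host = flow.dst_host.lower().rstrip(".")
    is_web = flow.dst_port in WEB_PORTS
    # Item 4: authenticated groups carry their extra list to any location.
    if is_web and host in GROUP_SITES.get(flow.user_group, set()):
        return "allow"
    # Item 7: some locations never reach the Internet.
    if any(src in net for net in NO_INTERNET_NETS):
        return "deny"
    # Item 2: named services, only from the hosts that need them.
    if (flow.src, flow.dst_port) in SERVICE_RULES:
        return "allow"
    # Item 3: generic web access only to exact approved host names.
    if is_web and host in APPROVED_SITES:
        return "allow"
    # Item 1: default deny. An unlisted site, a web proxy included, ends here
    # without ever having to be recognised or categorised as a proxy.
    return "deny"
```
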

So, if we understand, it's no better or worse than Windows Firewall according to you, but since it CAN inform users in real time, of inbound and outbound connections, it's already better than Windows Firewall.

Leythos

Yes it is, and we do it all the time - and the firewall is the first layer in the method, and it provides 99% of the solution if set up and configured properly.

Leythos

Oh, and one other thing - I have 67 machines at one location, not one of them has detectable malware on them - not by any of the commercial detection methods, not by any of the AdAware/SBS&D, Symantec, McAfee.... If I didn't have a firewall in place, filtering content, blocking access, etc... it would not be possible to achieve that success in a semipublic setting.

Leythos

That's rich, when someone sees that he doesn't understand, and then mentions it, he KFs them so that he doesn't have to see that he's wrong. It's almost the same as Tracker.

Leythos

Just because there is an RFC, it doesn't mean we have to follow it in order to maintain a secure solution. As an example, most of our networks block all inbound ICMP types without any issues that we care about.

Leythos

Just follow your own server apps security guidelines - most of the good server solutions allow for this.

Leythos

Yep, but the from/headers should be read and rejected if not a valid address.

I used to get email where it appeared to be sent from myself to myself, in those days I just ignored it, then I got tired of it and started blocking it, and since outsiders can't send mail with a from of my address through my server, it means I can delete all inbound email from outside my server that has a from of my account before I ever see it.

The nice thing about this part of the discussion is that using an "invalid" address does NOT increase spam, it is the same level of spam.

Leythos
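
The filter described in the post above, as an added Python example that is not the poster's own configuration: mail arriving from outside is rejected when its From header has no valid address or claims a local address. The domain, networks and messages are constructed, and the example generalizes the poster's single-account rule to every address in the local domain.

```python
import ipaddress
from email import message_from_string
from email.utils import getaddresses

# Assumptions for illustration: the domain this server is responsible for and
# the networks its own users submit mail from.
LOCAL_DOMAINS = {"example.org"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/28")]

def from_addresses(raw_message: str) -> list:
    """Return the lower-cased addresses of the From header, display names dropped."""
    msg = message_from_string(raw_message)
    pairs = getaddresses(msg.get_all("From", []))
    return [addr.lower() for _name, addr in pairs if addr]

def verdict(raw_message: str, peer_ip: str) -> str:
    """Decide 'accept' or 'reject' for a message offered by peer_ip."""
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in TRUSTED_NETS):
        return "accept"                      # our own users may use our addresses
    addresses = from_addresses(raw_message)
    if not addresses:
        return "reject"                      # missing or unparseable From
    for addr in addresses:
        local, _, domain = addr.rpartition("@")
        if not local or "." not in domain:
            return "reject"                  # not a usable address
        if domain in LOCAL_DOMAINS:
            return "reject"                  # outsider claiming to be one of us
    return "accept"

# Constructed sample messages (not real traffic).
SELF_SPOOF = "From: Me <ME@example.org>\nTo: me@example.org\nSubject: hi\n\nbody\n"
OUTSIDE_OK = "From: Alice <alice@example.net>\nTo: me@example.org\n\nbody\n"
NOT_AN_ADDRESS = "From: nobody\nTo: me@example.org\n\nbody\n"
NAME_ONLY_TRICK = 'From: "me@example.org" <x@example.net>\nTo: me@example.org\n\nbody\n'

if __name__ == "__main__":
    for label, raw, ip in [("self-spoof from outside", SELF_SPOOF, "203.0.113.7"),
                           ("same From, own network", SELF_SPOOF, "192.0.2.5"),
                           ("ordinary outside sender", OUTSIDE_OK, "198.51.100.9"),
                           ("no valid address", NOT_AN_ADDRESS, "198.51.100.9"),
                           ("local address in display name", NAME_ONLY_TRICK, "198.51.100.9")]:
        print(f"{label}: {verdict(raw, ip)}")
```

The last sample is accepted because only the address part of From is compared; a display name that merely contains a local address is not caught by this rule.
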

Close the gateways. Have a look at how malware is propagating and prevent having these attack vectors open.

This is the basic idea, and the topic we should concentrate our discussion on IMHO.

The basic ideas are:

1) Don't use Microsoft Windows on the Internet as a home user

If you're a home user, buy a Macintosh. Macs are far from being perfect. They're not half as good as the Macintosh religion will tell you. But they're far from Windows concerning usability and security for home users in a very positive way.

If you're a home user, and you already have a PC, which you don't want to sell, use Free Software. Free Software like FreeBSD, SuSE Linux, Mandrake or Xandros, for example, are easy enough to handle. They're all far from being perfect, but they're far from Windows concerning security for home users in a very positive way.

2) Don't use Internet Explorer or Outlook or Outlook Express on the Internet

If you're using Microsoft Windows, don't use Internet Explorer, and don't use Outlook or Outlook Express on the Internet.

All other Webbrowsers and all other MUAs are far from being perfect, too, but they're far from those programs concerning security for home users in a very positive way.

3) Don't offer services to the Internet

There is malware, which we call network worms. Network worms are spreading onto computers, which offer services to the Internet and have exploits or weak passwords.

As a home user, there is no need for doing so. Be sure, to offer a service to the Internet in a secure way, you need too much knowledge. You will not manage to do so.

Unfortunately, if you're using Microsoft Windows, then this operating system is offering services to the Internet, and you even will not know. Stop these services i.e. using

formatting link
or filter them away using Windows XP SP2 and the Windows-Firewall.

4) Keep your software up to date

Especially the software programs you're using on the Internet like your browser or your MUA _must_ be up to date at any point of time you're using them. But also every other software program you're using for viewing data you got from the Internet must be up to date.

At least keep up to date your browser, your MUA, your PDF viewer, your music and video playing software and your Office suite.

Switch on every auto-update function of every such program. Just ignore everybody who tells you not to do so because of "phoning home" or "outbound connection" nonsense.

5) Don't trust any people you're communicating with except people you personally know or someone knows whom you're trusting in

The Internet is full of people who want to fool you. This is the basic problem of every public communication.

At least you have to think about the motivation of every person who you're communicating with.

6) Understand, that Internet mail and the Web are not mediums you can trust in at all.

Everything, which is on an E-Mail can be a false assertion, including the address of the sender.

With the exception of complicated cryptography systems like PGP and HTTPS there are no ways to guarantee anything, which is on a web-page or in a mail.

And even PGP and HTTPS are much too complicated to understand for the home user. You just will not understand them completely, and therefore you will not gain real security from them. They're better to have than nothing, and that's it. Your only possibility as a home user is to give up and know that, or to learn. And learn. And learn.

These are some important points I find a good idea to start with.

Yours, VB.

Volker Birk

What complete and utter BS - I know lots of non-technical users that run Windows 2000 and XP without any problems, without understanding security, without any background in computer. They do so without any malware or compromise of their machines.

I also know of MAC users that have constant problems with their computers, now OS/X caused many problems when they moved to it, that I see posted exploits for OS/X every couple months....

I also see how most of the business world and most public organizations used Microsoft products to produce documents that would not open properly on a MAC or Linux machines as the conversion process is nowhere near perfect, and doesn't look like it will be any time soon.

And let's not forget the kids - you need a Windows based machine to play most of the games that kids want to play.

A MAC is not a good choice for most homes where people interact with other people that might/do use Windows based solutions/products.

Funny, I've used Outlook and IE for years without any problems. I know hundreds of home users that use IE and Outlook without problems, although I would rather they use FireFox.... There are exploits for non-MS applications too.

Strange, you say that Windows Firewall is good on another thread, then say that it's not here... And I agree, nothing Windows offers is good for security when concerning connecting the machine to the Internet, that's why all ISPs should implement NAT at the DSL/Cable modem for all users by default and allow them to request a Public IP if they are smart enough to know the difference. At the least, if there is a public IP, then there should be some NAT Appliance in between the computer and the internet connection.

Hey, we completely agree on this - and let's not forget the easy to use Office Update method that most people forget.

And let's not forget that they need to delete posts from ANYONE that have attachments that they didn't request. Many malware spread between friends in email, as attachments. If the friend really sent it, they will be able to send it again when you ask them about it.

I completely agree with this.

I completely disagree with this - I've seen people use PGP that didn't know what a floppy disk was/is, that didn't know the difference between the CPU and that big box on their desk, that thought connecting a printer to the power would allow it to print (without a printer cable), that thought that their computer was broke and called for service because they didn't see that the monitor power was off... They were able to use PGP with just a couple minutes effort.

Except that most home users will decide to remain ignorant by choice.

Leythos

Wrong. Obviously it's making an invulnerable computer become vulnerable. No thanks!

Eh, no! In fact, if your computer is endangered without a packet filter, your security sucks. If it's not, then ZA can't add any security, as stated above.

Sebastian Gottschalk

If you need a firewall as necessary protection, then you've already lost and a firewall can't save you from such a misconfiguration.

And, as stated above, it makes a protected machine become vulnerable in the first place. Yikes!

Because my assurance thinks it's a sufficient way to express that I don't want my house to be entered by strangers.

Sebastian Gottschalk

Not even close, that's why I disregard it.

Sebastian Gottschalk

As long as you're not wasting your resources on category filtering, proxy and tunnel detection and alike bullshit, this is a good idea.

It sounds like he believes in his success, which obviously must correlate with his inability to detect failure.

Sebastian Gottschalk

It hasn't been that long since Google introduced the feature to actually delete mails and even setting automated delete rules. After all, 2GB aren't that much, it's only about one or two months of unfiltered spam accumulating.

Sebastian Gottschalk

And many of us tell you that it's working and works fine, with little effort.

Leythos
