Recurrent question

That's completely ridiculous. They do entirely different things.

Kerodo

No. Both filter inbound connections. That can be done reliably. The Windows Firewall prevents applications from listening on ports. That can be done reliably as well. Personal Firewalls try to prevent applications from communicating outbound. That cannot be done reliably. Which is why the Windows Firewall is sufficient.

cu

59cobalt
Ansgar -59cobalt- Wiechers

No. They're implementing a host-based packet filter, just as the Windows Firewall does.

And most of them implement much more - and ALL of this is crap, misunderstanding data security, and incompetency. Everything I saw was one of these.

This is what we tested:

  • Kerio Personal Firewall 4.1.2
  • Norman Personal Firewall 1.42
  • Agnitum Outpost Firewall Pro 2.5
  • Sygate Personal Firewall Pro 5.5
  • Tiny Firewall 6.0
  • Zone Labs ZoneAlarm Pro 5.5
  • Symantec Norton Personal Firewall 2005

Yours, VB.

Volker Birk

You sound like offspring of VB's.

Windows firewall can be programmatically changed without the user knowing about it - try installing AOL and see if it doesn't make exceptions in the Windows Firewall.

That means that Windows firewall is not acceptable under your definition.

The only effective firewall is one that someone understands, can monitor easily, can see/change rules for as needed, and is likely to be used properly.

Leythos

The problem is, older versions of Windows (pre-XP) don't have the built-in firewall.

Iceman

Yes. Here the ICF can be enabled manually - or the filtering stuff, which is called "IPSec" by Microsoft (I don't understand why).

Or you could use

formatting link
or
formatting link
Yours, VB.

Volker Birk

No, the problem is, XP does. This leads people to believe they have security when they don't.

Quaestor

The key to your argument is the word "reliably". So it depends on what exactly you mean by that. It goes back to that AV being useless argument. By your definition of "reliably", all AVs are useless too because they don't catch 100% of the threats and hence are not "reliable". Yet we still use them, don't we? Why? Because they will and do catch a high percentage of the threats. And catching most is better than catching none.

Also to say that the reason why Windows Firewall is sufficient is because Personal Firewalls can't catch all outbound, is another illogical and silly argument. What does one have to do with the other?

I would say that the Windows Firewall is not sufficient because it makes no attempt to try to catch outbound. Some attempt is better than none. Why do you think people "try" at things? Nobody is perfect, yet we keep trying simply because some success is better than none, and to give up entirely is unacceptable. You would have everyone give up the attempt to catch outbound simply because it might be difficult at times.

Kerodo

I like reading his posts, although I disagree with his opinion that PFW's are completely useless. It could be down to a language/subjective difference. One extreme would say if a thing doesn't do exactly the job it is intended to do, it is useless. The other extreme would say it's not useless, at least I can use it as a doorstop.

At least he has actually experimented with PFW's, instead of just pasting links and quoting other people's work. Do yourself a favor and unplonk him, he has some interesting things to say.

Ric


PFW, anti-virus, spam filter. They all seem similar in this respect. Each one can only be partially effective.

So you agree in the right situation, and in the right hands, a PFW can prevent _some_ malware, and therefore be useful?

I thought PFW's stopped most trojans connecting out.

People want to learn though, and some will grasp it. I know a few people who have benefited from PFW's, even if their security hasn't been enhanced much, their knowledge has.

Agreed. Yet that seems the only option to me. Only I can decide what is to run on my computer. I wouldn't accept a piece of software or hardware telling me what I can run or where I can go. That sounds like the Microsoft Dream. The workplace would be a different matter.

I can answer it for my situation. Deny it. I don't use any Microsoft network protocols (except TCP/IP), so I deny svchost all access, and allow access to my DNS servers in a lower rule. If the user can be bothered to search for it they will soon find the answer.

The alerts could be a lot more helpful instead of spreading FUD. It doesn't help when they say you have just been attacked by 3 echo request packets or some UDP packets to port 1026. They always seem to think messenger spam is a port scan.

While many people are happy with a Microsoft OS they often look elsewhere for their security products. Can't say I blame them. :)

Ric


He can be somewhat interesting, however, his stance and arguments are way too black and white. He leaves no room for anything else... which is not good.

Kerodo

This has nothing to do with security.

Yours, VB.

Volker Birk

Please explain what exactly should be insecure with the host-based packet filter Windows implements as the "Windows Firewall".

Hint: it is intended to control which TCP server on the local machine can be reached from the network.

Yours, VB.

Volker Birk

The difference is:

If an Anti-Virus program knows how to detect a specific virus, this virus loses.

It does not matter that virus programmers know how Anti-Virus products work. It does not matter what the virus code looks like. If an Anti-Virus program scans all incoming data _before_ code out of this data can be executed, the Anti-Virus program wins. It makes your computer secure against well-known viruses. There is no way viruses could circumvent this, if the Anti-Virus software is well designed.

The opposite is true for "Personal Firewalls" and their attempt to control malware which is already running.

If the malware is not written too dumbly, the malware wins. The "Personal Firewall" has no chance to win that battle, and it does not matter whether the malware programmer knows what exactly a "Personal Firewall" looks like (as I proved with

formatting link
There is no way to implement this securely, because of the design of Microsoft Windows. No "Personal Firewall" provider can change this fact. It can only be changed by Microsoft by dropping the core Windows concepts.

These are the reasons why I'm saying that Anti-Virus programs can help with security, if they're well designed and are used to scan any incoming data before code out of this data can be executed, while "Personal Firewalls" and "controlling outbound traffic" are a useless attempt.

No. A security system cannot be designed for "can control everything which lets itself be controlled". This has nothing to do with security.

A security system has to control _especially_ those who do not want to be controlled.

You're wrong. Only very dumbly designed or old malware can be controlled, because it lets itself be controlled.

Yes, I do. Hint: I just offered the worst example a "Personal Firewall" can alert - nobody can find out useful information from this particular alert, because there is nothing like that in it ;-)

I believe you that with better and more useful alerts you can deal with ;-)

TCP/IP is not a network protocol. It's a family of many network protocols. And it's not from Microsoft. Not even Windows' implementation of the TCP/IP network protocol stack is originally from Microsoft - it's a modified BSD stack.

Yes. For an experienced user, who knows about network protocols. Or, to say this another way: for a very small group of users.

Yours, VB.

Volker Birk

Exactly. Security needs to be reliable otherwise you don't have security. And IIRC this group is still comp.SECURITY.firewall rather than comp.PROBABILITY.firewall, isn't it?

Look it up in a dictionary.

Signature-based detection is reliable, it will detect every matching pattern (though it will sometimes produce false positives), hence I consider AV software useful.

No. Because they are reliable in the scenarios they are made for. Why do people always come up with this "high percentage of the threats" bullshit? A security (counter-)measure does not have to be reliable for 100% of all imaginable scenarios, but it has to be reliable for 100% of the scenarios it is designed for, otherwise it is useless.

Not from a security PoV.

A security measure has to be reliable. Outbound control is not reliable, hence it cannot be a security measure. Period. Plus, once you run malicious code on your system, you're toast anyway.

You are wrong.

Software isn't people. Software is not supposed to try, but to DO.

It's not "difficult at times", it's impossible unless Microsoft re-designs the IPC in Windows.

cu

59cobalt
Ansgar -59cobalt- Wiechers

Security is binary. Either you are secure in a given scenario, or you are not. There's no middle ground.

cu

59cobalt
Ansgar -59cobalt- Wiechers

Could you please instruct me on how to do that? I have Win98SE, so I can't use your programs (they are for Win2000 and XP).

Iceman

With Windows 98 you don't need a firewall. Just unbind anything except the Internet protocol family / TCP/IP from your external interface, and that's it.

Yours, VB.

Volker Birk

Nonsense... Things will always be changing, and although you may be secure one day, tomorrow you may not.

Kerodo

Neither do all your arguments... :)

Kerodo
