The Coalition against Personal Firewalls

Well said.

Notan

Ditto.

I posted what I thought was a helpful comment and got only a bunch of snide and critical comments from "Sebastian Gottschalk" and "Ansgar-59cobolt-Wiechers". Instead of being constructive or helpful, they only sneered at "Joe Average" (me) and his (my) ignorance. I've watched the newsgroup for a few days now and that seems to be the only kind of comment "Gottschalk" makes to anyone.

Although I use a router at home, a software firewall on my laptop is currently my only protection against port scans and similar intrusions when I travel. These are coming in at my home at a rate of about one every five seconds, yet the PFW effectively blocks them. I know that these very modest measures wouldn't be effective against an attack personally directed toward me, but they're sure way better than nothing and have been completely effective -- so far -- at blocking the general background of intrusion attempts.

I'd like to know how to best use what I've got and what other means are available for the average user like me. I keep my system backed up and don't have state secrets on my machine, so I'm not trying to build Fort Knox. But I'd like to get some constructive and useful tips I could put to work to improve what I've got. Those don't seem to be forthcoming here from the folks who style themselves as experts.

Is there a newsgroup or other forum where a non-expert can get useful information or just lurk and learn? This apparently isn't it.

I just killfile the idiots.

At the risk of making you say "What the h***??!!"...

The port scans are almost entirely harmless as long as you have no open ports. Hackers are glorified in the movies but in reality they're probably the least of your worries.

The built-in Windows firewall is completely adequate to keep people

*out*. In fact, I would trust it more than any third-party firewall product. The primary criticism that is leveled at it is that it doesn't provide any outgoing filtering or application control. To my mind, outgoing filtering is of little value; at best it can control damage if you get infected, but since you're infected you can't really trust it anyway. Application level control *could* be very effective *but* it would need to be hardware or at least firmware based. I believe Intel and MS are working on that (but of course they also tie it into a bunch of other really obnoxious DRM crap).

The single most important thing you can do is to run your computer day-to-day as a Limited User. It's easier to run as an admin, but then anything *you* can do as an admin a malicious program can do as well. As opposed to hackers, your biggest threat is picking up a virus or trojan. If you're running as a limited user you can't install most software, you can't affect operating system level files, and you can't touch the files of other users. If you can't do it, then files you deliberately or accidentally download from the Internet can't do it either (in theory). At least use a limited user account when you're using the Internet and if you have a program that just won't work right as a limited user then you can right click on the icon and choose "Run As..." to run that one thing as an admin.

Don't use Internet Explorer or Outlook/Outlook Express. Instead use Firefox and Thunderbird. You'll automatically be immune to about 99% of the crap you would otherwise accidentally pick up from the Internet because the crap is designed to work with IE and OE.

When you're out on the road with your laptop turn off all services that you would ordinarily use at home like file and printer sharing. Then go into the controls for the Windows firewall and check the box that says "No Exceptions".

Physically protect your laptop but assume that it will be stolen. Use strong passwords on all accounts and turn off Fast User Switching. Make sure the administrator account isn't called Admin, God, Master, or anything like that. Password protect the BIOS. Choose decent passwords and don't write them down. Use a password manager for Firefox to help you use unique, strong passwords on all web accounts. I recommend the Password Maker extension. If you have any personal information like financial stuff on the machine consider encrypting the files with a program like TrueCrypt (Google for it.) The main goal here is to prevent identity theft and data theft (you don't work for the VA do you?).

HTH

No.

[...]

Because we provide reasons why Personal Firewalls are dysfunctional and counter-productive. However, everyone is free to ignore that.

Yeah, be good lemmings, will ya?

cu

59cobalt

There's a way to teach without being an asshole, something that your little group seems incapable of.

Notan

Ask me if I care.

You have a killfile. If you don't like what I'm saying: use it.

cu

59cobalt

Another case of dickless little boys, trying to act like men.

NOtan

New Rule:

You don't have to take personally every remark you deem to be rude. Consider that the OP may not have well developed people skills, or that his/her native language takes a more direct, less tactful approach. In any event, you're in control of your own emotions. Words can only bother you if you let them. Or, as we say where I come from:"f*ck 'em".

See, I like your honesty. And I happen to agree with your position on PFW's. You're people skills appear to suck, but, hey, you're German :).

I have been reading and occasionally posting in this newsgroup for almost 2 years now and I have to say that the traffic here seems to have diminished to almost nothing as of recent months. I think this is due to the fact that most folks who come here and try posting something relating to PFW's get the old "rude awakening" within minutes of their post.

I happen to tend to agree with their position also, but their manners could certainly use some work. Or perhaps just some silence as they let some of the PFW posts pass by for others to discuss... ;)

Then go away. Your ramblings are pointless.

Actually you provide very few reasons. Just your opinions in the form of snide and rude comments.

The thing is, I actually tend to believe you may be correct.

You're like a preacher getting up in people's faces:

"Hey, you sinning asshole! Pray to the Lord Jesus, you stupid piece of shit! How f****ng stupid are you?"

No, the primary criticism is that applications run by the user can place an exception in the firewall without the user being aware of it.

When you disprove the two chaps notions or when you prove that some PFW solutions are better than none or better than Windows firewall, they will kill file you and ignore you.

Even when vb posted his "proof of concept" and I said it didn't work on any of our computers, he ignored that fact and still says his proof of concept hack means your PFW does nothing.

Are personal firewalls really useless? If I disable the PFW on my laptop and connect it directly to the Internet, will all those port scans fail, and nothing pernicious ever get into my system?

I doubt it.

If there's something better that "Joe Average" can set up and use reliably without learning the minutia of Internet communications, what is it?

I take it that the chief function of a personal firewall is a way to close those ports. So why do some of the seeming experts here call personal firewalls "useless"? Is there a better way to close the ports? If so, better in what way?

Thanks for the insights. I do like outgoing notification, since I don't like my system contacting Microsoft every time I compile my program, for example, or Windows Media Player contacting it every time I load a tune. Just a twitch of mine, I guess. Without the notification, I wouldn't have known it was going on and so wouldn't have been able to prevent it.

Running as less than admin is a huge pain in the ass from my experience. I'd much rather concentrate my efforts instead on preventing the malicious software from getting onto my machine in the first place, rather than restricting what I'm able to do just to make sure that malware can't do it either. It's good to know something I could do to improve security if I absolutely had to, though -- thanks.

Thanks, been doing that for years. Incidentally, the PFW I use spots IE attempting to contact the Internet from time to time, under control of a different (non-malware) application, which I deny. It's necessary to use it once in a while, though, because some sites just won't work correctly with Firefox.

I allow sharing of only one folder, which is generally empty. Would this be risky to leave enabled?

I like Cryptainer for its convenience and use it for anything confidential. PGP is convenient for quick single file encryption/decryption, but some recent research indicates that even wiping might not be adequate to get rid of all traces of the original file on an XP system. The remainder I've done with the exception of the Password Maker extension. I'll look into that.

Thanks very much for taking the time and trouble to give some good, constructive advice that average users like me can put to use to improve the security of our systems!

That's never been the position of the vocal minority here. Their statement is to use the windows-supplied firewall to prevent incoming connections (such as port scans) instead of a third party app, rather than deluding oneself that the third party app also completely controls outbound connections.

Again, their position is that one should use the windows firewall. It enables by default, and "Joe Average" has to disable it or at least download and install something else, to get rid of it. Isn't default easier?

-Russ.

They say that commercial third party products are no more useful than the free firewall now built in to windows, and in fact in many cases open up additional vulnerabilities that don't exist in the MS product.

Those that claim that using a Microsoft security feature is a risk in itself are ignoring the fact that any third party app in fact depends on microsoft code in order to run, since MS has control of the OS.

The problem with this feature is that it can be circumvented by the user or

*by a program* without user intervention. So, it's like a lock that sometimes unlocks itself for no reason. People get a warm fuzzy feeling from watching things get blocked while they are in fact open for exploitation and, believing that they are not, have taken no additional steps to prevent it.

In the past, there have been exploits that start from a simple folder share and elevate things from there to gain access to additional areas on the drive. Perhaps such exploits will never occur again. I'd sure like to think so.

However, if the service is not enabled, then it's not available to be potentially exploited.

I hope I was able to shed a bit more light on what some of the vocal users have been saying in this group, without "being an asshole" or being a "dickless little boy" as alluded by Notan.

-Russ.

Disabling some unneeded services, restricting "administrative privileges" for general purpose computer use while on the internet and the use of a NAT router or firewall appliance is a more robust security plan than just the use of PFW's.