Hey guys, don't have much time to respond thouroughly now, but wanted to say thank you for all of your input.
I do perform much of what Jason said and will promote the importance of hardware firewalls further.
Spyware is a serious issue because children and teens often don't know what is valid and a threat... They often are the targets as well of malicious spyware due to the content that attracts the stuff. i.e. video gaming cheat sites, and other inappropriate sites.
This maybe has its reason in the faulty quality of your "whitepaper", which just consists of Zone Labs advertisment.
You just didn't answer one of my questions. You refused to comment one of my critics.
The opposite is true.
Then nobody needs your "whitepaper". A simple link to a Zone Labs advertisment will do.
Such an application is unusable for the audience, about whom we agree, that they don't have a clue of what to do for computer security.
No. It even "phones home" itself. And the rest you can read here in this group, if you ever will make the effort to have a look what people are writing here beside your advertisments.
I doubt that.
If this would be true, you sincerely would have read what people are writing in this group the last weeks before posting your advertisments.
The very fact, that Zone Alarm does alert inbound traffic at all, and not just filter away the unwanted (and potential dangerous) traffic without bothering the user shows, that Zone Alarm is badly designed.
With the same arguments you can argue against any security provision. Then security provisions are totally impossible for home users.
BTW: I agree with you, that it's Microsoft's responsibility to deliver Windoze in a way, that it' secure by default. Fortunately, the Windows-Firewall is the very first step in the right direction. Unfortunately the only so far, which I can see to be a good idea.
Many people forget, or perhaps never conclude, that the real reason for many home security problems is that the operating system needs fixing. It's not because several anti-somethingware programs haven't been installed.
Right. That's probaply why they seek advice from consultants.
If You decide to come in here claiming to have the answer to most home users security concerns, You must also be prepared to be "flamed" ;-)
My guess would be that it would pretty much depend on his way of entrance. Does'nt life in general work that way?
Why should we trust statements from a company making a living of it.
Yup.
What makes You believe that Your average user can make that distinction?
Exactly.
What makes You believe that a single solution is better than different ones?
And what about all the security issues it does not handle? Social engineering, phishing, backups.......
If installing a security suite on a computer makes Your clients consider You a good security consultant then everything is fine.
Who told You that it should be straightforward? It is not. But it is not that hard either. Furthermore, users tend to have individual needs and behaviors that should be dealt with individually and not solved by a magic bullet like Your security suite.
Exactly. And that is the key problem. A problem that cannot be solved by adding more programs. It is like driving a car without learning the basic traffic rules first. You don't solve that problem by installing an air-bag.
The biggest problem with computer security is that the computer is the most powerful and versatile tool ever invented. And still we expect our 4-year old son and our old grandmother who has hardly used a typewriter before to be able to drive along on the information highway. That does'nt add up. But it's a very convenient attitude. And when something goes wrong, blame Microsoft :-)
Another problem added to the list.
And they force You to install a quick (cheap) solution instead of asking You to teach them about security. That's their choice.
Not that long.
Longer.
Is'nt it Your responsibility as a consultant to give them some good advice?
Then think for them when asked for consultancy. Is'nt that what true consultancy is all about?
What exactly do You mean by the term "business guy"?
You should be able to do that for them. You were their consultant, right? If You can teach them how to correctly use a personal firewall, You can defintely also teach them Sebastians suggestions.
Now we are finally starting to get somewhere :-)
Don't be too thin-skinned. If You can't handle to be contradicted don't post in the first place. I admit that some comments can seem a little rude or harsh, but then again, welcome to usenet.
Windows firewall is the worst of personal firewalls: any application can install and dd an exception to open an inbound port, without requiring user autorization.
For example, just try to install skype. You will see that it self allows inbound connections.
And what a legitimate application can do, a malware can also do.
Wrong. Only users from the Network Configuration Group (which, by default, no restricted user is) can change the configuration.
As one can clearly see this doesn't happen, so skype initiates all connections themself. BTW, Skype is malware.
A malware can circumvent any local host-based packet filter, and your stupid PFWs are no exception. Windows Firewall is actually good because it doesn't increase complexity with such useless trials of application control.
It claims to be a firewall, and it's on a personal OS, as it's not network class, so that makes it a personal firewall.
Except that almost all users with XP Home are running as Windows Administrator level accounts. Oh, and if you install AOL you will be allowing exceptions into the Windows Firewall rules.
Many services that are installed by users, when they are not behind a NAT, will phone home and get updates, they in essence, allow inbound connections due to the way they request data and it's passed to them (while actually requested, not direct inbound).
Other applications, IM, etc... will auto start and allow connections to the host machine.
Windows firewall is actually bad, it doesn't alert the user, has no information the user can see, and allows outbound connections without any warning to the user. At least with a PFW solution other than Windows, the user has a hope of seeing what is happening to their computer.
This *does* happen; Windows XP Home (SP2 with full updates), under an admin session (necessary to install almost softwares).
When you install Skype 2 (exact version 2.0.0.97), you can check after install that Skype has added a new exception for itself in the list of windows firewall exceptions. And so, *inbound* connexion has been allowed to Skype, with user never been requested to autorize it (or simply informed) by Windows firewall.
This is a feature voluntarily incorporated into Windows firewall by Microsoft, in order to allow other applications (presumed legitimate) to install themselves without requiring anything from "Joe User", once more considered as an idiot by Microsoft. The problem, of course, is that this feature cans also be used by malwares.
So, by design:
- Windows firewall doesn't block outbound connexions,
- Windows firewall allows programs to add exceptions allowing inbound connexions,
--> Windows firewall is not a firewall, it is like a sieve!
What you keep ignoring is the fact that regular users can't allow programs to listen on ports, because - as Sebastian had already pointed out - it requires a user to be at least in the Network Configuration (if not Administrators) group.
The Skype installation OTOH is done with administrative privileges, in which case the installer can do anything it wants anyway. With any Personal Firewall. Meaning you don't have a point here at all.
Ah, admin session. Not this is where your entire argument fails.
Works as supposed, where's the point?
You have authorized it by entering your admin passwort and logging on. If it wanted, it could add itself to certain other PFWs' rule databases as well.
So where exactly is the point? When running malware as an admin, you've already lost.
And what you missed is that if you were running ZAP, it would alert you to Skype wanting to make changes, even if you were logged in as an Administrator, where Windows Firewall would not alert you.
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.