| Author |
Message |
acmac
Guest
|
 Posted:
Tue Dec 13, 2005 5:08 am Post subject:
WinXP SP2 firewall |
|
|
I do use WinXP SP2 firewall which I've read in many places that's not good
enough. Unfortunately, I do not understand whether it is up to the work or
not so I'd like to read your comments.
I use the computers (2 not fisically connected between them -- office and
home) for office work, Internet, ... and got one dsl and one dial-up.
I tried Zone Alarm Prop (trial) and Kerio, the latest one seemed to me that
used less resources and, somehow, better runner but harder to figure out how
to set it up.
To end with this post, I must stay with WinXP SP2 firewall or I must migrate
to something else? |
|
| Back to top |
|
 |
Duane Arnold
Guest
|
| Posted:
Tue Dec 13, 2005 10:39 am Post subject:
Re: WinXP SP2 firewall |
|
|
"acmac" <cotefene@yahoo.com> wrote in message
news:dnkvu8$1a4$1@nsnmrro2-gest.nuria.telefonica-data.net...
| Quote: | I do use WinXP SP2 firewall which I've read in many places that's not good
enough. Unfortunately, I do not understand whether it is up to the work or
not so I'd like to read your comments.
I use the computers (2 not fisically connected between them -- office and
home) for office work, Internet, ... and got one dsl and one dial-up.
I tried Zone Alarm Prop (trial) and Kerio, the latest one seemed to me
that used less resources and, somehow, better runner but harder to figure
out how to set it up.
To end with this post, I must stay with WinXP SP2 firewall or I must
migrate to something else?
|
No you don't have to migrate. The XP FW is just as good as the rest of the
crap that's out there. However, you can supplement the XP FW since it cannot
stop outbound traffic. I use IPsec to supplement the personal FW I use as it
will supplement any PFW solution to further protect the machine that has a
direct connection to the Internet (no device such as a router between the
modem and the computer).
http://www.petri.co.il/block_ping_traffic_with_ipsec.htm
I implemeted the Analogx rules for IPsec, which IPsec can stop inbound and
outbound traffic by port, protocol or IP behind the XP FW. You look at the
Analogx rules to learn how to make the rules a piece of cake.
http://www.analogx.com/contents/articles/ipsec.htm
http://support.microsoft.com/kb/813878
And where you must go and try to implement some of it is below.
http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm
Duane :) |
|
| Back to top |
|
|
Volker Birk
Guest
|
| Posted:
Tue Dec 13, 2005 5:21 pm Post subject:
Re: WinXP SP2 firewall |
|
|
acmac <cotefene@yahoo.com> wrote:
| Quote: | I do use WinXP SP2 firewall which I've read in many places that's not good
enough.
|
Why should it not be good enough? I never read anything substantial.
There really is no reason to think so.
Yours,
VB.
--
"Ich bin ein freier Mensch und werde jetzt von meinen Freiheitsrechten
Gebrauch machen - und zwar ausgiebig - natürlich nur in dem Rahmen, den
Otto Schily mir noch zur Verfügung stellt."
Wolfgang Clement am 10.10.05 als Noch-Superminister |
|
| Back to top |
|
|
Jeff B
Guest
|
| Posted:
Wed Dec 14, 2005 3:13 am Post subject:
Re: WinXP SP2 firewall |
|
|
Volker Birk wrote:
| Quote: | acmac <cotefene@yahoo.com> wrote:
I do use WinXP SP2 firewall which I've read in many places that's not good
enough.
Why should it not be good enough? I never read anything substantial.
There really is no reason to think so.
|
MS mananges only the inbound connections, and not very well at that.
A *real* Firewall has control of
deny/allow
ip address or address range
inbound/outbound directions
protocols tcp/upd or both
one or more ports
it (MS) is better than nothing, but if there's an infection, it will not
assist you in containing it to only the infected machine.
--
---
Jeff B (remove the No-Spam to reply) |
|
| Back to top |
|
|
Volker Birk
Guest
|
| Posted:
Wed Dec 14, 2005 3:34 am Post subject:
Re: WinXP SP2 firewall |
|
|
Jeff B <jbeardNo-Spam1185@adelphia.net> wrote:
| Quote: | I do use WinXP SP2 firewall which I've read in many places that's not good
enough.
Why should it not be good enough? I never read anything substantial.
There really is no reason to think so.
MS mananges only the inbound connections
|
Yes, and this is OK.
| Quote: | and not very well at that.
|
The next unfounded claim. What exactly is your critics on that topic
in _technical_ _detail_, please?
| Quote: | A *real* Firewall has control of
|
Oh-my-FSM. A "real" Firewall. What I'm doing here, discussion on this
niveau?
| Quote: | it (MS) is better than nothing, but if there's an infection, it will not
assist you in containing it to only the infected machine.
|
Yes. And _any_ "Personal Firewall" will not manage to do this, too.
Yours,
VB.
--
"Ich bin ein freier Mensch und werde jetzt von meinen Freiheitsrechten
Gebrauch machen - und zwar ausgiebig - natürlich nur in dem Rahmen, den
Otto Schily mir noch zur Verfügung stellt."
Wolfgang Clement am 10.10.05 als Noch-Superminister |
|
| Back to top |
|
|
Jeff B
Guest
|
| Posted:
Wed Dec 14, 2005 4:52 am Post subject:
Re: WinXP SP2 firewall |
|
|
Volker Birk wrote:
| Quote: | Jeff B <jbeardNo-Spam1185@adelphia.net> wrote:
I do use WinXP SP2 firewall which I've read in many places that's not good
enough.
Why should it not be good enough? I never read anything substantial.
There really is no reason to think so.
MS mananges only the inbound connections
Yes, and this is OK.
and not very well at that.
The next unfounded claim. What exactly is your critics on that topic
in _technical_ _detail_, please?
A *real* Firewall has control of
Oh-my-FSM. A "real" Firewall. What I'm doing here, discussion on this
niveau?
|
once again, the controls of a *real* Firewall are:
deny/allow
ip address or address range (both source and dest)
inbound/outbound directions
protocols tcp/upd or both
one or more ports
--
---
Jeff B (remove the No-Spam to reply) |
|
| Back to top |
|
|
Kyle Stedman
Guest
|
| Posted:
Wed Dec 14, 2005 6:29 am Post subject:
Re: WinXP SP2 firewall |
|
|
"acmac" <cotefene@yahoo.com> wrote in
news:dnkvu8$1a4$1@nsnmrro2-gest.nuria.telefonica-data.net:
| Quote: | I do use WinXP SP2 firewall which I've read in many places that's not
good enough. Unfortunately, I do not understand whether it is up to
the work or not so I'd like to read your comments.
I use the computers (2 not fisically connected between them -- office
and home) for office work, Internet, ... and got one dsl and one
dial-up.
I tried Zone Alarm Prop (trial) and Kerio, the latest one seemed to me
that used less resources and, somehow, better runner but harder to
figure out how to set it up.
To end with this post, I must stay with WinXP SP2 firewall or I must
migrate to something else?
|
Only idiots use personal software firewalls. Get a NAT router with SPI.
See this, from http://www.samspade.org/d/firewalls.html
"Personal Firewalls" are mostly snake-oil
A 'personal firewall' isn't a firewall. A firewall is a dedicated box
with (usually) two or three ethernet ports running no services other
than a firewall. My preferred configuration is an x86 box with a couple
of tulip cards running FreeBSD or OpenBSD and ipf, though you can do OK
with Linux and iptables too. You can run either on a $100 obsolete PC.
(*BSD is better, but Linux is easier for a new user to configure).
Even the little hardware NAT boxes that you can get for sharing a DSL
connection or cable modem are way better than any 'software firewall'
(The NetGear RT311 and RT314 are extremely sophisticated and flexible
NATs and start at less than $100 - they do full NATing, allow port
forwarding and filtering to a protected network (NetGear Firewalls and
NATs).
So... what does a 'personal firewall' actually do? Well, effectively it
listens on all the ports on your system. This provides no real
additional security over turning off the services that you don't use.
I'll repeat that - it provides no real additional security over turning
off the services that you don't use. (Maybe it'll block trojans from
phoning home, but A) if you've run a trojan your system is completely
compromised and B) http://cyberpunks.org/display/356/article/).
What it does do is break standard network applications (such as
traceroute) and, more importantly, if badly written it will claim normal
background network traffic is some sort of attack, alarming the user for
no good reason. I've never heard of a 'personal firewall' that isn't
badly written in this way. That doesn't mean one doesn't exist.
Why do the authors do this? Two reasons, as far as I've been able to
gather.
The first is that most of the people writing these applications know
next to nothing about IP networking. They may be pretty good windows
developers, but they have no idea what normal network traffic looks
like. That should make you nervous about their ability to block any real
malicious intent.
The second is more insidious... Why is an end user going to buy /
register / upgrade their 'personal firewall'? They're not going to do so
if they don't perceive any benefit from it. If it were a properly
written application that just sat there, doing its job quietly in the
background, users would forget it was there. But if it pops up warnings
about 'attacks' all the time then it's clearly Doing Something. Most of
those warnings are entirely frivolous - normal network traffic. And the
remaining few... well... if the 'personal firewall' has protected your
system from the supposed 'attack'... why do you care about it? You're
safe from that supposed 'attack', right? So why pop up warnings and
alerts? To make you feel you're getting a service from this program and
so you'll pay for updates or 'Pro' versions.
The bottom line is this... If you care about your home network security
a lot, and you're interested in it, spend the time to learn about
networking and build yourself a standalone firewall.
If you don't want to spend that amount of energy on it, buy a standalone
dedicated NAT or NAT+firewall box. I like the NetGear RT-311 and its
siblings, but there're a bunch of others out there too. It'll sit there,
do its job and never bother you again.
If you want to play with a piece of windows software that makes you
click all over the place, there's always minesweeper.
If you'll feel safer sleeping at night knowing there's a 'personal
firewall' running on your system, then install one. As long as you pay
no attention to the "hack attacks" it reports it's better than nothing.
A free one, ideally, as few of them are worth paying for. Turn off all
the alerts and logging - you'll just waste your time (and, more
importantly to me, my time and the time of other network administrators
your complaints go to) increase your blood pressure and provide no
benefit to you. If you really want to leave them turned on and see where
traffic is coming from, feel free, but remember that most of the traffic
you see is harmless, and that even if it isn't harmless it can't affect
your system (if it could, it wouldn't be logged). Oh, and try not to
waste admins time with frivolous complaints.
"But, but, but reporting these alerts to network administrators will
help them catch crackers!"
Uhm, no. I know a whole bunch of network security and abuse staff. The
response to any complaint with ZoneAlarm, BlackIce etc logfiles in it is
to close the ticket, usually with an annotation like 'GWF' (Goober with
Firewall). 99% of those reports are frivolous, about normal network
traffic. In the remainder of cases there's nowhere near enough data in
the logfiles to provide any idea of why the end user is upset. If you
send frivolous complaints that just wastes the time of the staff
receiving them and prevents them from handling real security issues. How
do you tell if a complaint is frivolous? If the sender doesn't
understand basic networking, it's almost certainly frivolous. If the
sender is complaining based on 'personal firewall' logs, it's definitely
frivolous.
The abuse desk staff I talk with hate users of 'personal firewalls' more
than they hate spammers. That should tell you something about how useful
your complaints will be.
"You're just a unix bigot and don't like Windows applications!"
I don't like Windows applications for networking, no, as Windows isn't
very good at it in general (with a few exceptions - some of the kernel
level networking code in NT4 and NT5 is extremely sophisticated). As for
being a unix bigot... I'm a Microsoft Independent Software Vendor,
subscribe to Microsoft Developers Network and in my spare time produce
Windows Network Applications.
Sam Spade Home - © - FAQ |
|
| Back to top |
|
|
Quaestor
Guest
|
| Posted:
Wed Dec 14, 2005 9:23 am Post subject:
Re: WinXP SP2 firewall |
|
|
Kyle Stedman wrote:
| Quote: | Only idiots use personal software firewalls. Get a NAT router with SPI.
|
Only idiots post such crap.
--
Godwin is a net-nazi |
|
| Back to top |
|
|
Volker Birk
Guest
|
| Posted:
Wed Dec 14, 2005 9:23 am Post subject:
Re: WinXP SP2 firewall |
|
|
Kyle Stedman <kyle_st@yahoo.com> wrote:
| Quote: | Only idiots use personal software firewalls.
|
This is not true. Many people use them, because they don't understand
what's going on and are believing the manufaturors of "Personal Firewalls",
what they're promising.
Those people aren't idiots. The manufacturors are messing around with
those people.
| Quote: | "Personal Firewalls" are mostly snake-oil
|
Yes.
| Quote: | A 'personal firewall' isn't a firewall.
|
That depends on the definition.
| Quote: | So... what does a 'personal firewall' actually do? Well, effectively it
listens on all the ports on your system. This provides no real
additional security over turning off the services that you don't use.
|
Yes. Exactly.
Yours,
VB.
--
"Ich bin ein freier Mensch und werde jetzt von meinen Freiheitsrechten
Gebrauch machen - und zwar ausgiebig - natürlich nur in dem Rahmen, den
Otto Schily mir noch zur Verfügung stellt."
Wolfgang Clement am 10.10.05 als Noch-Superminister |
|
| Back to top |
|
|
Volker Birk
Guest
|
| Posted:
Wed Dec 14, 2005 9:23 am Post subject:
Re: WinXP SP2 firewall |
|
|
Jeff B <jbeardNo-Spam1185@adelphia.net> wrote:
| Quote: | A *real* Firewall has control of
Oh-my-FSM. A "real" Firewall. What I'm doing here, discussion on this
niveau?
once again, the controls of a *real* Firewall are:
deny/allow
ip address or address range (both source and dest)
inbound/outbound directions
protocols tcp/upd or both
one or more ports
|
OK. Forget that. When I'm reading your list, I'm getting sick. Please
stop posting it or I cannot read your postings any more.
"deny/allow"? Drop or reject?
"ip address or address range"? What's with netmasks?
"inbound/outbound directions" - yes. "Phoning home", of course. What's
with routing?
"tcp/upd or both"?! Hello?! There are much more protocols than
those two.
"one or more ports"? Oh-my-FSM. Other protocols sometimes even don't have
the concept of ports.
This is the usual incompetent drivel. But what should I expect?
Giving in,
VB.
--
"Ich bin ein freier Mensch und werde jetzt von meinen Freiheitsrechten
Gebrauch machen - und zwar ausgiebig - natürlich nur in dem Rahmen, den
Otto Schily mir noch zur Verfügung stellt."
Wolfgang Clement am 10.10.05 als Noch-Superminister |
|
| Back to top |
|
|
Somebody.
Guest
|
| Posted:
Wed Dec 14, 2005 5:21 pm Post subject:
Re: WinXP SP2 firewall |
|
|
"Ansgar -59cobalt- Wiechers" <usenet-2005@planetcobalt.net> wrote in message
news:40at1dF19h0avU1@individual.net...
| Quote: | Alan Illeman wrote:
"Kyle Stedman" <kyle_st@yahoo.com> wrote in message
news:Xns972BC66354474kylest@69.28.186.158...
Only idiots use personal software firewalls. Get a NAT router with SPI.
See this, from http://www.samspade.org/d/firewalls.html
"Personal Firewalls" are mostly snake-oil
Just one opinion, that's all.
It's more than "just one opinion". He gave a lot of good reasons, though
you obviously chose to ignore them.
I'm running Win2K Pro, SP4, FAT32 instead of the more complicated
NTFS, always run as Admin
Well, having different users on FAT32 would be utterly pointless anyway,
wouldn't it?
and have been virus free for three years - because of the so-called
"Personal" firewall, Kerio 2.1.5
That's plain wrong, because no firewall protects you from virii. When a
firewall detects an infection you're already toast.
cu
59cobalt
|
Correct -- a PFW *may* stop the outbound payload of a virus, depending what
it is and how the firewall is configured. But it does not stop most
incoming viruses unless their propagation method involves an unusual port
exploit. Which is often used by the fastest moving viruses, but the fast
majority are the old fashioned click to infect type which PFWs gleefully
pass, by design, just like any other attachment you download or recieve in
email. The personal firewall can't control the inter-process communication
that the malware gets to do once it's emailed itself to your system.
-Russ. |
|
| Back to top |
|
|
Leythos
Guest
|
| Posted:
Wed Dec 14, 2005 5:21 pm Post subject:
Re: WinXP SP2 firewall |
|
|
In article <439fab4f@news.uni-ulm.de>, bumens@dingens.org says...
| Quote: | Kyle Stedman <kyle_st@yahoo.com> wrote:
Only idiots use personal software firewalls.
This is not true. Many people use them, because they don't understand
what's going on and are believing the manufaturors of "Personal Firewalls",
what they're promising.
|
Actually, many security types, people that make a living designing
secure solutions, run PFW solutions on their mobile devices with 100%
effectiveness. To bad people want you to believe that FPW are 100%
useless.
--
spam999free@rrohio.com
remove 999 in order to email me |
|
| Back to top |
|
|
Volker Birk
Guest
|
| Posted:
Wed Dec 14, 2005 5:21 pm Post subject:
Re: WinXP SP2 firewall |
|
|
Quaestor <no-spam@my.place> wrote:
| Quote: | Only idiots post such crap.
|
Questor is soliloquizing...
;-)
Yours,
VB.
--
"Ich bin ein freier Mensch und werde jetzt von meinen Freiheitsrechten
Gebrauch machen - und zwar ausgiebig - natürlich nur in dem Rahmen, den
Otto Schily mir noch zur Verfügung stellt."
Wolfgang Clement am 10.10.05 als Noch-Superminister |
|
| Back to top |
|
|
Volker Birk
Guest
|
| Posted:
Wed Dec 14, 2005 5:22 pm Post subject:
Re: WinXP SP2 firewall |
|
|
Jeff B <jbeardNo-Spam1185@adelphia.net> wrote:
| Quote: | once again, the controls of a *real* Firewall are:
deny/allow
ip address or address range (both source and dest)
inbound/outbound directions
protocols tcp/upd or both
one or more ports
OK. Forget that.
So sorry your emotions are running away. If you find some reference
materials on the subject, you will have some background to deal with the
technology and the interfaces used to make it work.
|
Please learn the basics of networking with the TCP/IP protocol family,
then try again.
If you're interested, you could start with Craig Hunts "TCP/IP", which
you can find at O'Reilly's.
And you should read the RFCs, too, of course.
Try to find out, why "deny/allow" does not make sense as a decision for
handling packets for a TCP connection for example. You can learn there,
that there are many protocols on the same layer beside UDP and TCP, too,
in the TCP/IP network protocol family. And you can learn, that some of
them don't have the concept of ports like ICMP and IGMP, for example.
When you learned all this, you will notice yourself, that the list you
offered is showing your incompetency.
After that point of time, and after you learned, what filtering packets
in an OS kernel is for and how is it done, we can discuss about different
firewalls again, OK?
Because then this discussion would make sense after all.
Yours,
VB.
--
"Ich bin ein freier Mensch und werde jetzt von meinen Freiheitsrechten
Gebrauch machen - und zwar ausgiebig - natürlich nur in dem Rahmen, den
Otto Schily mir noch zur Verfügung stellt."
Wolfgang Clement am 10.10.05 als Noch-Superminister |
|
| Back to top |
|
|
Jeff B
Guest
|
| Posted:
Wed Dec 14, 2005 5:22 pm Post subject:
Re: WinXP SP2 firewall |
|
|
Volker Birk wrote:
| Quote: | Jeff B <jbeardNo-Spam1185@adelphia.net> wrote:
A *real* Firewall has control of
Oh-my-FSM. A "real" Firewall. What I'm doing here, discussion on this
niveau?
once again, the controls of a *real* Firewall are:
deny/allow
ip address or address range (both source and dest)
inbound/outbound directions
protocols tcp/upd or both
one or more ports
OK. Forget that.
|
So sorry your emotions are running away. If you find some reference
materials on the subject, you will have some background to deal with the
technology and the interfaces used to make it work.
suffice it to say, the windows freebie firewall lacks at least 50% of
the controls of a competent product.
--
---
Jeff B (remove the No-Spam to reply) |
|
| Back to top |
|
|
|
|
|
|
FAQ
Memberlist
Register
Profile
Log in to check your private messages
Log in