Patrik

Apr 5, 2004
Archived from groups: comp.security.firewalls

Greetings!

My neighbor has XP and a cable modem connection to the 'net, and till today
no firewall. I installed ZoneAlarm [free] until I find out whether the
firewall that comes in XP is better than/worse than or about the same as
ZoneAlarm [free]. I would like to impress her with my knowledge of
firewalls, but I am relying on you experts for your input and opinions. I
still use Win98SE so have no XP experience. Please share?

Thanks for your time and attention.

PJ
 
Guest

"Patrik" <rana@mts.net> wrote in news:epwpc.10$Hj5.178@news1.mts.net:

> Greetings!
>
> My neighbor has XP and a cable modem connection to the 'net, and till
> today no firewall. I installed ZoneAlarm [free] until I find out
> whether the firewall that comes in XP is better than/worse than or
> about the same as ZoneAlarm [free]. I would like to impress her with
> my knowledge of firewalls, but I am relying on you experts for your
> input and opinions. I still use Win98SE so have no XP experience.
> Please share?
>
> Thanks for your time and attention.

The Windows XP "ICS" firewall offers very good incoming protection, but has
no outgoing protection regarding spyware, worms, etc., that nearly all
other software firewalls have (such as the freeware ZA). So, although the
WinXP firewall is certainly better than no firewall, I would prefer any of
the other well recognized freeware firewalls - I have a current preference
for Sygate.

--
Tom McCune
My PGP Page & FAQ: http://www.McCune.cc/PGP.htm
 
Guest

Tom McCune wrote:
>>My neighbor has XP and a cable modem connection to the 'net, and till
>>today no firewall. I installed ZoneAlarm [free] until I find out
>>whether the firewall that comes in XP is better than/worse than or
>>about the same as ZoneAlarm [free]. I would like to impress her with
>>my knowledge of firewalls, but I am relying on you experts for your
>>input and opinions. I still use Win98SE so have no XP experience.
>>Please share?

>
> The Windows XP "ICS" firewall offers very good incoming protection, but has
> no outgoing protection regarding spyware, worms, etc., that nearly all
> other software firewalls have (such as the freeware ZA). So, although the
> WinXP firewall is certainly better than no firewall, I would prefer any of
> the other well recognized freeware firewalls - I have a current preference
> for Sygate.

That is certainly true as long as you want to install spyware, worms,
etc. And then again, as the user can turn off the firewall, a program
running on your computer can do that, too. And there are tricks to
circumvent the outgoing "protection". So, properly shutting down all
unnecessary services that Windows runs by default and the ICF will do
great. A browser that supports decent privacy settings helps, too, and
is much better than having one software trying to prevent the mess some
other software does.

Gerald
 
Guest

Gerald Vogt <vogt@spamcop.net> wrote in news:66xpc.260660$e17.22342
@twister.nyroc.rr.com:

> That is certainly true as long as you want to install spyware, worms,
> etc. And then again, as the user can turn off the firewall, a program
> running on your computer can do that, too. And there are tricks to
> circumvent the outgoing "protection". So, properly shutting down all
> unnecessary services that Windows runs by default and the ICF will do
> great. A browser that supports decent privacy settings helps, too, and
> is much better than having one software trying to prevent the mess some
> other software does.

Yes, outgoing firewall protection is not a cure all, but is a helpful extra
layer of protection. Layered protection is wise. I provide other helpful
(certainly the "paranoids" among us would like even more) recommendations at
http://www.mccune.cc/WindowsXP.htm

--
Tom McCune
My PGP Page & FAQ: http://www.McCune.cc/PGP.htm
 
Guest

Tom McCune wrote:
> Gerald Vogt <vogt@spamcop.net> wrote in news:66xpc.260660$e17.22342
> @twister.nyroc.rr.com:
>
>
>>That is certainly true as long as you want to install spyware, worms,
>>etc. And then again, as the user can turn off the firewall, a program
>>running on your computer can do that, too. And there are tricks to
>>circumvent the outgoing "protection". So, properly shutting down all
>>unnecessary services that Windows runs by default and the ICF will do
>>great. A browser that supports decent privacy settings helps, too, and
>>is much better than having one software trying to prevent the mess some
>>other software does.
>
>
> Yes, outgoing firewall protection is not a cure all, but is a helpful extra
> layer of protection. Layered protection is wise. I provide other helpful
> (certainly the "paranoids" among us would like even more) recommendations at
> http://www.mccune.cc/WindowsXP.htm

Well, all commercial firewalls with those outgoing functions are very
complex, not easy to configure, have bugs, vulnerabilities and exploits
themselves, with little added value that is not really necessary and can be
circumvented. What is the "extra layer of protection" to the "extra
layer of insecurity"? (That's one of the important lessons learned in
security service design and security evaluations: simple effective
measures are always better than highly complex stuff that nobody really
understands and that only add more problems...)

Gerald
 
Guest

In article <v5ypc.192141$M3.3746@twister.nyroc.rr.com>, vogt@spamcop.net
says...
> Tom McCune wrote:
> > Gerald Vogt <vogt@spamcop.net> wrote in news:66xpc.260660$e17.22342
> > @twister.nyroc.rr.com:
> >
> >
> >>That is certainly true as long as you want to install spyware, worms,
> >>etc. And then again, as the user can turn off the firewall, a program
> >>running on your computer can do that, too. And there are tricks to
> >>circumvent the outgoing "protection". So, properly shutting down all
> >>unnecessary services that Windows runs by default and the ICF will do
> >>great. A browser that supports decent privacy settings helps, too, and
> >>is much better than having one software trying to prevent the mess some
> >>other software does.
> >
> >
> > Yes, outgoing firewall protection is not a cure all, but is a helpful extra
> > layer of protection. Layered protection is wise. I provide other helpful
> > (certainly the "paranoids" among us would like even more) recommendations at
> > http://www.mccune.cc/WindowsXP.htm
>
> Well, all commercial firewalls with those outgoing functions are very
> complex, not easy to configure, have bugs, vulnerabilities and exploits
> themselves, with little added value that is not really necessary and can be
> circumvented. What is the "extra layer of protection" to the "extra
> layer of insecurity"? (That's one of the important lessons learned in
> security service design and security evaluations: simple effective
> measures are always better than highly complex stuff that nobody really
> understands and that only add more problems...)

Spoken like someone that doesn't understand security or networks.

Commercial firewall devices are no more complex than any other
programmable device, and in some cases are less complex than personal
firewall software. In most cases, a properly configured firewall can
stop the spread of many of today's worms, even from infected machines
protected behind the firewall. If you don't have outbound protection you
only have a small part of the security that most people should have.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 
Guest

"Patrik" <rana@mts.net> wrote in news:epwpc.10$Hj5.178@news1.mts.net:

> Greetings!
>
> My neighbor has XP and a cable modem connection to the 'net, and till
> today no firewall. I installed ZoneAlarm [free] until I find out
> whether the firewall that comes in XP is better than/worse than or
> about the same as ZoneAlarm [free]. I would like to impress her with
> my knowledge of firewalls, but I am relying on you experts for your
> input and opinions. I still use Win98SE so have no XP experience.
> Please share?
>
> Thanks for your time and attention.
>
> PJ
>
>
>

I don't use XP's FW. But I may be using it on one machine sometime in the
near future -- just to be using it. :)

It's no worse than the others. The release of SP 2 for XP's FW will have
application control (which I consider app control) in the wrong hands
(that is 99% of home users) to be useless. For some users, simple is
better. And sometimes, it's best not to be asked too many questions.

The XP FW does its job, which is to stop unsolicited inbound traffic.

http://support.microsoft.com/default.aspx?scid=kb;en-us;q321050#appliesto

Duane :)
 
Guest

Leythos wrote:
>>>Yes, outgoing firewall protection is not a cure all, but is a helpful extra
>>>layer of protection. Layered protection is wise. I provide other helpful
>>>(certainly the "paranoids" among us would like even more) recommendations at
>>>http://www.mccune.cc/WindowsXP.htm
>>
>>Well, all commercial firewalls with those outgoing functions are very
>>complex, not easy to configure, have bugs, vulnerabilities and exploits
>>themselves, with little added value that is not really necessary and can be
>>circumvented. What is the "extra layer of protection" to the "extra
>>layer of insecurity"? (That's one of the important lessons learned in
>>security service design and security evaluations: simple effective
>>measures are always better than highly complex stuff that nobody really
>>understands and that only add more problems...)
>
>
> Spoken like someone that doesn't understand security or networks.

That is exactly what I could say about you. ;-) I have known security and
networks for many years, from theory and practice.

> Commercial firewall devices are no more complex than any other
> programmable device, and in some cases are less complex than personal
> firewall software. In most cases, a properly configured firewall can
> stop the spread of many of today's worms, even from infected machines
> protected behind the firewall. If you don't have outbound protection you
> only have a small part of the security that most people should have.

I never talked about commercial firewall devices! Most end-user
firewalls aren't that complex either and already do a terrific job for
inbound protection. I also never claimed that a properly configured
firewall does not protect you from incoming worms.

But if you rely on a personal firewall running on an infected computer to
protect you from a worm then the results are as arbitrary as they could
be: you don't know what happens. Any worm running on your computer can
easily reconfigure the firewall the same way you can do and there are
many ways to circumvent a personal firewall for the outgoing traffic.
And even worse: most users don't know what to do with all the outgoing
warnings and basically allow any traffic for any program that pops up a
message (one reason for example why after a while most Internet
Explorers run with "Allow all" instead of the standard auto config:
there was a website the user wanted to see on port 7828 and the annoying
messages just kept popping up until the allow all (which normal user
does take the time to configure a rule through an 8(?) step dialog like
NIS does??))

Relying on a security mechanism to work on a compromised system is an
extremely insecure thing to do. Hackers know that. Script kiddies have
toolkits that help them do it. It's not hard. The moment you have a
compromised machine you have to fix it and it is no good saying: it is
not a problem because I have this firewall with outgoing protection...

And the complexity of the software introduces new bugs and exploits as
we have seen this month with Symantec NIS. And all these configuration
options that users can easily play around with and all these pop-ups
that require user interaction make it hard to configure it properly...

The thing you have to fight is the infection not to suppress the
symptoms of a disease...

Gerald
 
Guest

In article <DEKpc.262962$e17.237907@twister.nyroc.rr.com>,
vogt@spamcop.net says...
> Leythos wrote:
> >>>Yes, outgoing firewall protection is not a cure all, but is a helpful extra
> >>>layer of protection. Layered protection is wise. I provide other helpful
> >>>(certainly the "paranoids" among us would like even more) recommendations at
> >>>http://www.mccune.cc/WindowsXP.htm
> >>
> >>Well, all commercial firewalls with those outgoing functions are very
> >>complex, not easy to configure, have bugs, vulnerabilities and exploits
> >>themselves, with little added value that is not really necessary and can be
> >>circumvented. What is the "extra layer of protection" to the "extra
> >>layer of insecurity"? (That's one of the important lessons learned in
> >>security service design and security evaluations: simple effective
> >>measures are always better than highly complex stuff that nobody really
> >>understands and that only add more problems...)
> >
> >
> > Spoken like someone that doesn't understand security or networks.
>
> That is exactly what I could say about you. ;-) I have known security and
> networks for many years, from theory and practice.
>
> > Commercial firewall devices are no more complex than any other
> > programmable device, and in some cases are less complex than personal
> > firewall software. In most cases, a properly configured firewall can
> > stop the spread of many of today's worms, even from infected machines
> > protected behind the firewall. If you don't have outbound protection you
> > only have a small part of the security that most people should have.
>
> I never talked about commercial firewall devices! Most end-user
> firewalls aren't that complex either and already do a terrific job for
> inbound protection. I also never claimed that a properly configured
> firewall does not protect you from incoming worms.
>
> But if you rely on a personal firewall running on an infected computer to
> protect you from a worm then the results are as arbitrary as they could
> be: you don't know what happens. Any worm running on your computer can
> easily reconfigure the firewall the same way you can do and there are
> many ways to circumvent a personal firewall for the outgoing traffic.
> And even worse: most users don't know what to do with all the outgoing
> warnings and basically allow any traffic for any program that pops up a
> message (one reason for example why after a while most Internet
> Explorers run with "Allow all" instead of the standard auto config:
> there was a website the user wanted to see on port 7828 and the annoying
> messages just kept popping up until the allow all (which normal user
> does take the time to configure a rule through an 8(?) step dialog like
> NIS does??))
>
> Relying on a security mechanism to work on a compromised system is an
> extremely insecure thing to do. Hackers know that. Script kiddies have
> toolkits that help them do it. It's not hard. The moment you have a
> compromised machine you have to fix it and it is no good saying: it is
> not a problem because I have this firewall with outgoing protection...
>
> And the complexity of the software introduces new bugs and exploits as
> we have seen this month with Symantec NIS. And all these configuration
> options that users can easily play around with and all these pop-ups
> that require user interaction make it hard to configure it properly...
>
> The thing you have to fight is the infection not to suppress the
> symptoms of a disease...

I don't like personal firewall applications myself, I'm for an appliance
for everyone. Even a simple NAT router (not a firewall device in my
book) is a start.

For most users there are two ways they are going to get infected:

1) Worm finds a hole in the OS/Application and installs something
2) Email message with attachment that contains a worm/virus

In the first example, a NAT router would prevent a worm from reaching
their machines.

In the second example, AV software, while still reactionary, would
eliminate most of those - so would a properly patched MS Office system.

The third one, a malicious web site can be fixed by running in HIGH
SECURITY mode with IE and disabling all scripting. This method breaks
normal web sites, but if you set the TRUSTED Zone to MEDIUM and add your
trusted sites to it, you can easily train IE to work for your daily
needs while still having a secure experience.

As for personal firewall appliances, there are many SOHO units in the
$300~$500 price range, but most people won't purchase one in that cost
range. Even a simple router with NAT, at $40, is too much for most. The
personal firewalls, free ones, don't really offer that much protection
since the users never take the time to learn what they are "allow"ing
when they click allow - kind of makes the point of having a firewall
moot.

The simplest method would be to enable XP Firewall and sit behind a
simple router with NAT.



--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 
Guest

Leythos wrote:
> The third one, a malicious web site can be fixed by running in HIGH
> SECURITY mode with IE and disabling all scripting. This method breaks
> normal web sites, but if you set the TRUSTED Zone to MEDIUM and add your
> trusted sites to it, you can easily train IE to work for your daily
> needs while still having a secure experience.

Or a different browser that does not use so many dangerous technologies
like ActiveX.

> The simplest method would be to enable XP Firewall and sit behind a
> simple router with NAT.

Yeah, that is simple. I found spending some time closing down
unnecessary services helps a lot, too. Why run a service that
listens to a port that you don't need??

Gerald
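
Added example, not part of any post in the thread: one way to check which services are still listening on network-reachable ports, the point the last reply raises about closing unnecessary services. It parses Windows `netstat -ano` output; the sample output and the `needed` allowlist are constructed for illustration.

```python
# Constructed sample of Windows `netstat -ano` output (not taken from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       1560
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1045      203.0.113.7:80         ESTABLISHED     2100
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:1900           *:*                                    1000
  UDP    127.0.0.1:123          *:*                                    920
"""

# Sockets bound only to loopback cannot be reached from the network.
LOOPBACK_PREFIXES = ("127.", "[::1]")


def parse_listeners(text):
    """Return (proto, address, port, pid) for every listening socket."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        proto, local = fields[0], fields[1]
        # TCP rows carry a State column; keep only LISTENING ones.
        if proto == "TCP" and (len(fields) < 5 or fields[3] != "LISTENING"):
            continue
        # UDP has no state: every bound UDP socket accepts datagrams.
        addr, _, port = local.rpartition(":")  # also handles "[::]:135"
        listeners.append((proto, addr, int(port), int(fields[-1])))
    return listeners


def exposed(listeners, needed=frozenset()):
    """Network-reachable listeners whose (proto, port) is not on the allowlist."""
    return sorted({
        (proto, port, pid)
        for proto, addr, port, pid in listeners
        if not addr.startswith(LOOPBACK_PREFIXES) and (proto, port) not in needed
    })


if __name__ == "__main__":
    for proto, port, pid in exposed(parse_listeners(SAMPLE)):
        print(f"{proto} port {port} is open to the network (PID {pid})")
```

Each reported PID can be matched to a process or service in Task Manager to decide whether that service needs to run at all.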