XP(home) firewall good?

Archived from groups: comp.security.firewalls (More info?)

Greetings!

My neighbor has XP and a cable modem connection to the 'net, and till today
no firewall. I installed ZoneAlarm [free] until I find out whether the
firewall that comes in XP is better than/worse than or about the same as
ZoneAlarm [free]. I would like to impress her with my knowledge of
firewalls, but I am relying on you experts for your input and opinions. I
still use Win98SE so have no XP experience. Please share?

Thanks for your time and attention.

PJ
  1.

    "Patrik" <rana@mts.net> wrote in news:epwpc.10$Hj5.178@news1.mts.net:

    > Greetings!
    >
    > My neighbor has XP and a cable modem connection to the 'net, and till
    > today no firewall. I installed ZoneAlarm [free] until I find out
    > whether the firewall that comes in XP is better than/worse than or
    > about the same as ZoneAlarm [free]. I would like to impress her with
    > my knowledge of firewalls, but I am relying on you experts for your
    > input and opinions. I still use Win98SE so have no XP experience.
    > Please share?
    >
    > Thanks for your time and attention.

    The Windows XP "ICS" firewall offers very good incoming protection, but has
    no outgoing protection regarding spyware, worms, etc., that nearly all
    other software firewalls have (such as the freeware ZA). So, although the
    WinXP firewall is certainly better than no firewall, I would prefer any of
    the other well recognized freeware firewalls - I have a current preference
    for Sygate.

    --
    Tom McCune
    My PGP Page & FAQ: http://www.McCune.cc/PGP.htm
  2.

    Tom McCune wrote:
    >>My neighbor has XP and a cable modem connection to the 'net, and till
    >>today no firewall. I installed ZoneAlarm [free] until I find out
    >>whether the firewall that comes in XP is better than/worse than or
    >>about the same as ZoneAlarm [free]. I would like to impress her with
    >>my knowledge of firewalls, but I am relying on you experts for your
    >>input and opinions. I still use Win98SE so have no XP experience.
    >>Please share?

    >
    > The Windows XP "ICS" firewall offers very good incoming protection, but has
    > no outgoing protection regarding spyware, worms, etc., that nearly all
    > other software firewalls have (such as the freeware ZA). So, although the
    > WinXP firewall is certainly better than no firewall, I would prefer any of
    > the other well recognized freeware firewalls - I have a current preference
    > for Sygate.

    That is certainly true as long as you want to install spyware, worms,
    etc. And then again, as the user can turn off the firewall, any program
    running on your computer can do that, too. And there are tricks to
    circumvent the outgoing "protection". So, properly shutting down all
    unnecessary services that Windows runs by default and the ICF will do
    great. A browser that supports decent privacy settings helps, too, and
    is much better than having one software trying to prevent the mess some
    other software does.

    Gerald
  3.

    Gerald Vogt <vogt@spamcop.net> wrote in news:66xpc.260660$e17.22342
    @twister.nyroc.rr.com:

    > That is certainly true as long as you want to install spyware, worms,
    > etc. And then again, as the user can turn off the firewall and program
    > running on your computer can do that, too. And there are tricks to
    > circumvent the outgoing "protection". So, properly shutting down all
    > unnecessary services that windows runs by default and the ICF will do
    > great. A browser that supports decent privacy settings helps, too, and
    > is much better than have one software trying to prevent the mess some
    > other software does.

    Yes, outgoing firewall protection is not a cure all, but is a helpful extra
    layer of protection. Layered protection is wise. I provide other helpful
    (certainly the "paranoids" among us would like even more) recommendations at
    http://www.mccune.cc/WindowsXP.htm

    --
    Tom McCune
    My PGP Page & FAQ: http://www.McCune.cc/PGP.htm
  4.

    Tom McCune wrote:
    > Gerald Vogt <vogt@spamcop.net> wrote in news:66xpc.260660$e17.22342
    > @twister.nyroc.rr.com:
    >
    >
    >>That is certainly true as long as you want to install spyware, worms,
    >>etc. And then again, as the user can turn off the firewall and program
    >>running on your computer can do that, too. And there are tricks to
    >>circumvent the outgoing "protection". So, properly shutting down all
    >>unnecessary services that windows runs by default and the ICF will do
    >>great. A browser that supports decent privacy settings helps, too, and
    >>is much better than have one software trying to prevent the mess some
    >>other software does.
    >
    >
    > Yes, outgoing firewall protection is not a cure all, but is a helpful extra
    > layer of protection. Layered protection is wise. I provide other helpful
    > (certainly the "paranoids" among us would like even more) recommendations at
    > http://www.mccune.cc/WindowsXP.htm

    Well, all commercial firewalls with that outgoing function are very
    complex, not easy to configure, have bugs, vulnerabilities and exploits
    themselves, with little added value that is not really necessary and can be
    circumvented. What is the "extra layer of protection" to the "extra
    layer of insecurity"? (That's one of the important lessons learned in
    security service design and security evaluations: simple effective
    measures are always better than highly complex stuff that nobody really
    understands and that only add more problems...)

    Gerald
  5.

    In article <v5ypc.192141$M3.3746@twister.nyroc.rr.com>, vogt@spamcop.net
    says...
    > Tom McCune wrote:
    > > Gerald Vogt <vogt@spamcop.net> wrote in news:66xpc.260660$e17.22342
    > > @twister.nyroc.rr.com:
    > >
    > >
    > >>That is certainly true as long as you want to install spyware, worms,
    > >>etc. And then again, as the user can turn off the firewall and program
    > >>running on your computer can do that, too. And there are tricks to
    > >>circumvent the outgoing "protection". So, properly shutting down all
    > >>unnecessary services that windows runs by default and the ICF will do
    > >>great. A browser that supports decent privacy settings helps, too, and
    > >>is much better than have one software trying to prevent the mess some
    > >>other software does.
    > >
    > >
    > > Yes, outgoing firewall protection is not a cure all, but is a helpful extra
    > > layer of protection. Layered protection is wise. I provide other helpful
    > > (certainly the "paranoids" among us would like even more) recommendations at
    > > http://www.mccune.cc/WindowsXP.htm
    >
    > Well all commercial firewalls with that outgoing functions are very
    > complex, not easy to configure, have bugs, vulnerabilities and exploits
    > itself, with little added value that is not really necessary and can be
    > circumvented. What is the "extra layer of protection" to the "extra
    > layer of insecurity"? (That's one of the important lessons learned in
    > security service design and security evaluations: simple effective
    > measures are always better than highly complex stuff that nobody really
    > understands and that only add more problems...)

    Spoken like someone that doesn't understand security or networks.

    Commercial firewall devices are no more complex than any other
    programmable device, and in some cases are less complex than personal
    firewall software. In most cases, a properly configured firewall can
    stop the spread of many of today's worms, even from infected machines
    protected behind the firewall. If you don't have outbound protection you
    only have a small part of the security that most people should have.

    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  6.

    "Patrik" <rana@mts.net> wrote in news:epwpc.10$Hj5.178@news1.mts.net:

    > Greetings!
    >
    > My neighbor has XP and a cable modem connection to the 'net, and till
    > today no firewall. I installed ZoneAlarm [free] until I find out
    > whether the firewall that comes in XP is better than/worse than or
    > about the same as ZoneAlarm [free]. I would like to impress her with
    > my knowledge of firewalls, but I am relying on you experts for your
    > input and opinions. I still use Win98SE so have no XP experience.
    > Please share?
    >
    > Thanks for your time and attention.
    >
    > PJ
    >
    >
    >

    I don't use XP's FW. But I may be using it on one machine sometime in the
    near future -- just to be using it. :)

    It's no worse than the others. The release of SP 2 for XP's FW will have
    application control (which I consider app control) in the wrong hands
    (that is 99% of home users) to be useless. For some users, simple is
    better. And sometimes, it's best not to be asked too many questions.

    The XP FW does its job, which is to stop unsolicited inbound traffic.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;q321050#appliesto

    Duane :)
  7.

    Leythos wrote:
    >>>Yes, outgoing firewall protection is not a cure all, but is a helpful extra
    >>>layer of protection. Layered protection is wise. I provide other helpful
    >>>(certainly the "paranoids" among us would like even more) recommendations at
    >>>http://www.mccune.cc/WindowsXP.htm
    >>
    >>Well all commercial firewalls with that outgoing functions are very
    >>complex, not easy to configure, have bugs, vulnerabilities and exploits
    >>itself, with little added value that is not really necessary and can be
    >>circumvented. What is the "extra layer of protection" to the "extra
    >>layer of insecurity"? (That's one of the important lessons learned in
    >>security service design and security evaluations: simple effective
    >>measures are always better than highly complex stuff that nobody really
    >>understands and that only add more problems...)
    >
    >
    > Spoken like someone that doesn't understand security or networks.

    That is exactly what I could say about you. ;-) I know security and
    networks for many years, from theory and practice.

    > Commercial firewall devices are no more complex than any other
    > programmable device, and in some cases are less complex than personal
    > firewall software. In most cases, a properly configured firewall can
    > stop the spread of many of today's worms, even from infected machines
    > protected behind the firewall. If you don't have outbound protection you
    > only have a small part of the security that most people should have.

    I never talked about commercial firewall devices! Most end-user
    firewalls aren't that complex either and already do a terrific job for
    inbound protection. I also never claimed that a properly configured
    firewall does not protect you from incoming worms.

    But if you rely on a personal firewall running on an infected computer to
    protect you from a worm, then the results are as arbitrary as they could
    be: you don't know what happens. Any worm running on your computer can
    easily reconfigure the firewall the same way you can do and there are
    many ways to circumvent a personal firewall for the outgoing traffic.
    And even worse: most users don't know what to do with all the outgoing
    warnings and basically allow any traffic for any program that pops up a
    message (one reason for example why after a while most Internet
    Explorers run with "Allow all" instead of the standard auto config:
    there was a website the user wanted to see on port 7828 and the annoying
    messages just kept popping up until the allow all (which normal user
    does take the time to configure a rule through an 8(?) step dialog like
    NIS does??))

    Relying on a security mechanism to work on a compromised system is an
    extremely insecure thing to do. Hackers know that. Script kiddies have
    toolkits that help them do it. It's not hard. The moment you have a
    compromised machine you have to fix it and it is no good saying: it is
    not a problem because I have this firewall with outgoing protection...

    And the complexity of the software introduces new bugs and exploits as
    we have seen this month with Symantec NIS. And all these configuration
    options that users can easily play around with and all these pop-ups
    that require user interaction make it hard to configure it properly...

    The thing you have to fight is the infection not to suppress the
    symptoms of a disease...

    Gerald
  8.

    In article <DEKpc.262962$e17.237907@twister.nyroc.rr.com>,
    vogt@spamcop.net says...
    > Leythos wrote:
    > >>>Yes, outgoing firewall protection is not a cure all, but is a helpful extra
    > >>>layer of protection. Layered protection is wise. I provide other helpful
    > >>>(certainly the "paranoids" among us would like even more) recommendations at
    > >>>http://www.mccune.cc/WindowsXP.htm
    > >>
    > >>Well all commercial firewalls with that outgoing functions are very
    > >>complex, not easy to configure, have bugs, vulnerabilities and exploits
    > >>itself, with little added value that is not really necessary and can be
    > >>circumvented. What is the "extra layer of protection" to the "extra
    > >>layer of insecurity"? (That's one of the important lessons learned in
    > >>security service design and security evaluations: simple effective
    > >>measures are always better than highly complex stuff that nobody really
    > >>understands and that only add more problems...)
    > >
    > >
    > > Spoken like someone that doesn't understand security or networks.
    >
    > That is exactly what I could say about you. ;-) I know security and
    > networks for many years, from theory and practice.
    >
    > > Commercial firewall devices are no more complex than any other
    > > programmable device, and in some cases are less complex than personal
    > > firewall software. In most cases, a properly configured firewall can
    > > stop the spread of many of today's worms, even from infected machines
    > > protected behind the firewall. If you don't have outbound protection you
    > > only have a small part of the security that most people should have.
    >
    > I never talked about commercial firewall devices! Most end-user
    > firewalls aren't that complex either and already do a terrific job for
    > inbound protection. I also never claimed that a properly configured
    > firewall does not protect you from incoming worms.
    >
    > But if you rely on a personal firewall running on an infected computer to
    > protect you from a worm, then the results are as arbitrary as they could
    > be: you don't know what happens. Any worm running on your computer can
    > easily reconfigure the firewall the same way you can do and there are
    > many ways to circumvent a personal firewall for the outgoing traffic.
    > And even worse: most users don't know what to do with all the outgoing
    > warnings and basically allow any traffic for any program that pops up a
    > message (one reason for example why after a while most Internet
    > Explorers run with "Allow all" instead of the standard auto config:
    > there was a website the user wanted to see on port 7828 and the annoying
    > messages just kept popping up until the allow all (which normal user
    > does take the time to configure a rule through an 8(?) step dialog like
    > NIS does??))
    >
    > Relying on a security mechanism to work on a compromised system is an
    > extremely insecure thing to do. Hackers know that. Script kiddies have
    > toolkits that help them do it. It's not hard. The moment you have a
    > compromised machine you have to fix it and it is no good saying: it is
    > not a problem because I have this firewall with outgoing protection...
    >
    > And the complexity of the software introduces new bugs and exploits as
    > we have seen this month with Symantec NIS. And all these configuration
    > options that users can easily play around with and all these pop-ups
    > that require user interaction make it hard to configure it properly...
    >
    > The thing you have to fight is the infection not to suppress the
    > symptoms of a disease...

    I don't like personal firewall applications myself, I'm for an appliance
    for everyone. Even a simple NAT router (not a firewall device in my
    book) is a start.

    For most users there are two ways they are going to get infected:

    1) Worm finds a hole in the OS/Application and installs something
    2) Email message with attachment that contains a worm/virus

    In the first example, a NAT router would prevent a worm from reaching
    their machines.

    In the second example, AV software, while still reactionary, would
    eliminate most of those - so would a properly patched MS Office system.

    The third one, a malicious web site can be fixed by running in HIGH
    SECURITY mode with IE and disabling all scripting. This method breaks
    normal web sites, but if you set the TRUSTED Zone to MEDIUM and add your
    trusted sites to it, you can easily train IE to work for your daily
    needs while still having a secure experience.

    As for personal firewall appliances, there are many SOHO units in the
    $300~$500 price range, but most people won't purchase one in that cost
    range. Even a simple router with NAT, at $40, is too much for most. The
    personal firewalls, free ones, don't really offer that much protection
    since the users never take the time to learn what they are "allow"ing
    when they click allow - kind of makes the point of having a firewall
    moot.

    The simplest method would be to enable XP Firewall and sit behind a
    simple router with NAT.


    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  9.

    Leythos wrote:
    > The third one, a malicious web site can be fixed by running in HIGH
    > SECURITY mode with IE and disabling all scripting. This method breaks
    > normal web sites, but if you set the TRUSTED Zone to MEDIUM and add your
    > trusted sites to it, you can easily train IE to work for your daily
    > needs while still having a secure experience.

    Or a different browser that does not use so many dangerous technologies
    like ActiveX.

    > The simplest method would be to enable XP Firewall and sit behind a
    > simple router with NAT.

    Yeah, that is simple. I found spending some time closing down
    unnecessary services helps a lot, too. Why run a service that
    listens to a port that you don't need??

    Gerald
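
Added example, not part of any post in the thread: the point made in the replies about closing down services that listen on ports you don't need, written as a small audit over Windows `netstat -an` output. The sample output, the `needed` allowlist and the function name are constructed for illustration.

```python
import re

# Constructed sample of Windows `netstat -an` output (not taken from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  TCP    192.168.0.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.0.10:1045      203.0.113.7:80         ESTABLISHED
  UDP    0.0.0.0:1900           *:*
  UDP    127.0.0.1:123          *:*
"""

# Fields: protocol, local address, local port, foreign endpoint, optional TCP state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def exposed_listeners(netstat_text, needed=frozenset()):
    """Return sorted (proto, address, port) tuples for sockets that accept
    traffic from the network and are not in the `needed` allowlist.

    `needed` is a set of (proto, port) pairs the owner has decided to keep.
    """
    found = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, column header or blank line
        proto, addr, port, foreign, state = m.groups()
        port = int(port)
        # TCP: only sockets waiting for inbound connections are of interest.
        if proto == "TCP" and state != "LISTENING":
            continue
        # UDP has no state column; an unconnected bound socket shows *:*.
        if proto == "UDP" and foreign != "*:*":
            continue
        # Loopback-only sockets cannot be reached from other machines.
        if addr.startswith("127.") or addr == "[::1]":
            continue
        if (proto, port) in needed:
            continue
        found.add((proto, addr, port))
    return sorted(found, key=lambda t: (t[0], t[2], t[1]))


if __name__ == "__main__":
    keep = {("TCP", 139), ("TCP", 445)}  # assumption: file sharing is wanted
    for proto, addr, port in exposed_listeners(SAMPLE_NETSTAT, needed=keep):
        print(f"{proto} {addr}:{port} accepts network traffic; is its service needed?")
```

Each entry it reports is a service to disable if unused, or one that an inbound filter such as the XP firewall or a NAT router has to cover.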