Don't use a Firewall other than Windows Firewall?

Sam

Archived from groups: comp.security.firewalls

Ok, so Volker Birk makes what seem to me to be some pretty good
arguments why it's a waste of time running software firewalls offering
outbound protection (on the basis that any software wanting badly enough
to "call home" would in any case be able to bypass that firewall).

But I haven't seen anyone supporting or for that matter refuting
Volker's view. I'm talking here about basic firewalls such as ZA free,
not something like ZASS which may well offer other advantages.

So what's the view - should I reclaim much-needed cpu cycles by ditching
ZA free or any other basic 2-way firewall altogether and just rely on
Windows Firewall, and of course an antivirus scanner? And, of course,
not installing anything I don't trust.

Your views very much appreciated.
--
Sam
 
Guest

Sam wrote:

>Ok, so Volker Birk makes what seem to me to be some pretty good
>arguments why it's a waste of time running software firewalls offering
>outbound protection (on the basis that any software wanting badly enough
>to "call home" would in any case be able to bypass that firewall).
>
>

The guy is a nut, or perhaps a shill for MS.

>But I haven't seen anyone supporting or for that matter refuting
>Volker's view.
>

I guess most here ignore him, as I have long done.

>So what's the view - should I reclaim much-needed cpu cycles by ditching
>ZA free or any other basic 2-way firewall altogether and just rely on
>Windows Firewall, and of course an antivirus scanner? And, of course,
>not installing anything I don't trust.
>
>

If you do you will regret it. MS knows as much about security as horses
do about crocheting.

--
Godwin is a net-nazi
 
Guest

"Sam" <sam.sam@sam.samsam.com> wrote in message
news:dgdsuf$m9p$1@nwrdmz01.dmz.ncs.ea.ibs-infra.bt.com...
> Ok, so Volker Birk makes what seem to me to be some pretty good
> arguments why it's a waste of time running software firewalls offering
> outbound protection (on the basis that any software wanting badly enough
> to "call home" would in any case be able to bypass that firewall).
>
> But I haven't seen anyone supporting or for that matter refuting
> Volker's view. I'm talking here about basic firewalls such as ZA free,
> not something like ZASS which may well offer other advantages.
>
> So what's the view - should I reclaim much-needed cpu cycles by ditching
> ZA free or any other basic 2-way firewall altogether and just rely on
> Windows Firewall, and of course an antivirus scanner? And, of course,
> not installing anything I don't trust.

I'm currently sitting at a P3 550MHz with 256MB RAM and Radeon 7000
graphics.
The OS is Windows 2000.
It cost nothing to build because it's built of a mixture of parts discarded
by others.
It has no personal firewall software, no anti-virus software, no unnecessary
services and no unnecessary running processes.
Its performance at anything I want to use it for, including DVD playback, is
mostly indistinguishable from a recent 3GHz P4. No doubt there are tasks
which would go faster on a 3GHz P4, but it can work on those while I'm
asleep and have the result ready in the morning.
I don't believe in increasing complexity without good reason.
A system is easier for me to understand if it's less complex.
This makes it easier for me to secure it.
Increasing the complexity by adding more software would therefore make it
_less_ secure.

Jason

>
> Your views very much appreciated.
> --
> Sam
 
Guest

Sam <sam.sam@sam.samsam.com> wrote:
> But I haven't seen anyone supporting or for that matter refuting
> Volker's view.

In de.comp.security.*, this is common sense. I'm wondering why it isn't
yet here in the international groups.

The arguments are obvious.

> So what's the view - should I reclaim much-needed cpu cycles by ditching
> ZA free or any other basic 2-way firewall altogether and just rely on
> Windows Firewall, and of course an antivirus scanner? And, of course,
> not installing anything I don't trust.

A virus scanner can be a good help, if you know the constraints any
virus scanner has to face.

Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"
 
Guest

Sam <sam.sam@sam.samsam.com> wrote in news:dgdsuf$m9p$1@nwrdmz01.dmz.ncs.ea.ibs-infra.bt.com:

> Ok, so Volker Birk makes what seem to me to be some pretty good
> arguments why it's a waste of time running software firewalls offering
> outbound protection (on the basis that any software wanting badly enough
> to "call home" would in any case be able to bypass that firewall).
>
> But I haven't seen anyone supporting or for that matter refuting
> Volker's view. I'm talking here about basic firewalls such as ZA free,
> not something like ZASS which may well offer other advantages.
>
> So what's the view - should I reclaim much-needed cpu cycles by ditching
> ZA free or any other basic 2-way firewall altogether and just rely on
> Windows Firewall, and of course an antivirus scanner? And, of course,
> not installing anything I don't trust.
>
> Your views very much appreciated.

I myself see no reason to NOT use MS's XP FW. Sure, it has some kind of
application control, but it has no means to stop outbound by setting
rules.

However, there is another element that can do it on the XP O/S and that's
IPsec, which can be used to supplement any PFW, MS's FW or not. I'll be
using IPsec behind BlackIce, which cannot stop outbound traffic by setting
filtering rules, on my laptop at a client's site in a hotel I'll be in
that has dial-up for the next six months.

IPsec can stop inbound or outbound traffic by port, protocol or IP behind
the XP FW or a solution like BI.

http://www.petri.co.il/block_ping_traffic_with_ipsec.htm

I'll be implementing the AnalogX SecPol rules again on the XP Pro laptop.

http://www.analogx.com/contents/articles/ipsec.htm

The only thing about the AnalogX rules is that they prevent file
downloads on high ports > 1024, so you either disable IPsec or learn the
rules to open the required port. I use Active Ports to tell me the port
to open.

http://support.microsoft.com/?id=813878

Using IPsec to supplement a PFW solution that cannot stop outbound is
solid protection as far as I am concerned.

Duane :)
 
Guest

Sam wrote:
> Ok, so Volker Birk makes what seem to me to be some pretty good
> arguments why it's a waste of time running software firewalls offering
> outbound protection (on the basis that any software wanting badly enough
> to "call home" would in any case be able to bypass that firewall).
>
> But I haven't seen anyone supporting or for that matter refuting
> Volker's view. I'm talking here about basic firewalls such as ZA free,
> not something like ZASS which may well offer other advantages.
>
> So what's the view - should I reclaim much-needed cpu cycles by ditching
> ZA free or any other basic 2-way firewall altogether and just rely on
> Windows Firewall, and of course an antivirus scanner? And, of course,
> not installing anything I don't trust.
>
> Your views very much appreciated.

Volker's preference for the XP firewall merely reflects the POV that
inbound packet filtering solves a problem that would be difficult to
manage otherwise. Outbound packet filtering or application control is no
more effective than the implementation of Safe Computing Practices.
 
Guest

Quaestor <no-spam@my.place> wrote:
> The guy is a nut, or perhaps a shill for MS.

I'm a shill for MS? How amusing ;-)

> MS knows as much about security as horses
> do about crocheting.

Ah, is this the reason why you're using their software?

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.2)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
Gecko/20040804 Netscape/7.2 (ax)

SCNR,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"
 
Guest

optikl wrote:

> Outbound packet filtering or application control is no more effective
> than the implementation of Safe Computing Practices.


To be safe and effective one must totally reject this belief. Outbound
application control is the essence of stopping spyware. Anyone who
advocates not using it must be a spammer spreading spyware, hijacking
machines thereby. Or just plain stupid.

--
Godwin is a net-nazi
 
Guest

In article <EaKdnSi5te6AE7beRVn-pg@comcast.com>, optikl@invalid.net
says...
> Sam wrote:
> > Ok, so Volker Birk makes what seem to me to be some pretty good
> > arguments why it's a waste of time running software firewalls offering
> > outbound protection (on the basis that any software wanting badly enough
> > to "call home" would in any case be able to bypass that firewall).
> >
> > But I haven't seen anyone supporting or for that matter refuting
> > Volker's view. I'm talking here about basic firewalls such as ZA free,
> > not something like ZASS which may well offer other advantages.
> >
> > So what's the view - should I reclaim much-needed cpu cycles by ditching
> > ZA free or any other basic 2-way firewall altogether and just rely on
> > Windows Firewall, and of course an antivirus scanner? And, of course,
> > not installing anything I don't trust.
> >
> > Your views very much appreciated.
>
> Volker's preference for the XP firewall merely reflects the POV that
> inbound packet filtering solves a problem that would be difficult to
> manage otherwise. Outbound packet filtering or application control is no
> more effective than the implementation of Safe Computing Practices.

I agree, only a fool would trust a MS Firewall product after the history
MS has in providing secure operating systems, secure applications,
secure - well, nothing they provide is secure.

I would never trust a MS product to protect me against anything directed
at MS.

--

spam999free@rrohio.com
remove 999 in order to email me
 
Guest

In article <11ioilmkp80pt94@news.supernews.com>, no-spam@my.place
says...
> optikl wrote:
>
> > Outbound packet filtering or application control is no more effective
> > than the implementation of Safe Computing Practices.
>
>
> To be safe and effective one must totally reject this belief. Outbound
> application control is the essence of stopping spyware. Anyone who
> advocates not using it must be a spammer spreading spyware, hijacking
> machines thereby. Or just plain stupid.

If you have your network setup properly, your users not running as
Admins, and your firewall filtering content, you don't need any
application to stop spyware - it will be stopped before it reaches a
computer that can run it.

--

spam999free@rrohio.com
remove 999 in order to email me
 
Guest

Quaestor <no-spam@my.place> wrote:
> Outbound
> application control is the essence of stopping spyware.

No. It's just misunderstanding the situation. But don't be too unhappy,
you're not the only person who is falling for advertizing tricks from
time to time.

Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"
 
Guest

Leythos wrote:

>In article <11ioilmkp80pt94@news.supernews.com>, no-spam@my.place
>says...
>
>
>>optikl wrote:
>>
>>
>>
>>>Outbound packet filtering or application control is no more effective
>>>than the implementation of Safe Computing Practices.
>>>
>>>
>>To be safe and effective one must totally reject this belief. Outbound
>>application control is the essence of stopping spyware. Anyone who
>>advocates not using it must be a spammer spreading spyware, hijacking
>>machines thereby. Or just plain stupid.
>>
>>
>
>If you have your network setup properly, your users not running as
>Admins, and your firewall filtering content, you don't need any
>application to stop spyware - it will be stopped before it reaches a
>computer that can run it.
>

That's a lot of If's. Suppose someone brings in an outside machine,
such as a laptop used in the field (common practice these days)?
Suppose someone brings in an infected disk? Suppose that someone is
deliberately trying to infect your system? I know, no one would ever do
such a thing, but you see, they DO, all the time (industrial espionage
and sabotage, they call it).

--
Godwin is a net-nazi
 
Guest

On Sun, 18 Sep 2005 12:49:01 -0700, Quaestor <no-spam@my.place> wrote:

>Leythos wrote:
>
>>In article <11ioilmkp80pt94@news.supernews.com>, no-spam@my.place
>>says...
>>
>>
>>>optikl wrote:
>>>
>>>
>>>
>>>>Outbound packet filtering or application control is no more effective
>>>>than the implementation of Safe Computing Practices.
>>>>
>>>>
>>>To be safe and effective one must totally reject this belief. Outbound
>>>application control is the essence of stopping spyware. Anyone who
>>>advocates not using it must be a spammer spreading spyware, hijacking
>>>machines thereby. Or just plain stupid.
>>>
>>>
>>
>>If you have your network setup properly, your users not running as
>>Admins, and your firewall filtering content, you don't need any
>>application to stop spyware - it will be stopped before it reaches a
>>computer that can run it.
>>
>
>That's a lot of If's. Suppose someone brings in an outside machine,
>such as a laptop used in the field (common practice these days)?
>Suppose someone brings in an infected disk? Suppose that someone is
>deliberately trying to infect your system? I know, no one would ever do
>such a thing, but you see, they DO, all the time (industrial espionage
>and sabotage, they call it).

And your solution is a sw firewall that will likely be disabled by
malicious code?

Art

http://home.epix.net/~artnpeg
 
Guest

Sam wrote:
> Ok, so Volker Birk makes what seem to me to be some pretty good
> arguments why it's a waste of time running software firewalls offering
> outbound protection (on the basis that any software wanting badly enough
> to "call home" would in any case be able to bypass that firewall).
>
> But I haven't seen anyone supporting or for that matter refuting
> Volker's view. I'm talking here about basic firewalls such as ZA free,
> not something like ZASS which may well offer other advantages.
>
> So what's the view - should I reclaim much-needed cpu cycles by ditching
> ZA free or any other basic 2-way firewall altogether and just rely on
> Windows Firewall, and of course an antivirus scanner? And, of course,
> not installing anything I don't trust.
>
> Your views very much appreciated.
> --
> Sam

If using a Windows firewall to block incoming, you can do that with a NAT
device anyway, so no need even for the Windows firewall, but it adds
another layer of protection.
Suppose the Windows firewall has an exploit. Then maybe better to use
Sygate. Sygate also has a great port logger. My NAT device doesn't
have a port logger, but even if it did, Sygate's is really nice.

That is all regarding incoming, which you want to block.

If you want to block outgoing, then the Windows firewall won't do it.
VB has, it seems, shown that if spyware cannot get past a firewall and
make an outgoing connection then it's not v. cleverly written. So if it
can't, then it's nothing to be afraid of security-wise. It's just
sending some marketing info. And you should notice anyhow it'd be a
process using ports and slowing your connection down, sending frames
over the net. Many ways to see this happening and catch it. If you
wanted to catch it before it starts, then maybe block outgoing. But
there's no need to catch it before it starts. Let it start, and notice
it. Anyhow, only a careless user would get a comp slowed down from
spyware, or get lots of spyware installed and not notice.

If you're the only user of the computer then why create all these
self-imposed restrictions? You're hassling yourself more than the spyware
hassles you.

If you've got a network with stupid users that will fill their comps
with spyware to the point that it really hassles them and slows down
their Internet connection then you want to stop spyware communicating.
And put in some safer practices, like get them using a browser other
than IE.

But as another poster has said, there's an argument that if you've got
it properly set up, and your users (whom we must treat the same and
thus have to assume idiocy for them all) aren't administrators,
apparently they can't do much; they don't have enough rope to hang
themselves.

So, as an individual that cares enough to post to this newsgroup, I
doubt you ever really got into a situation where your comp was so full
of spyware and you didn't know what to do. If it really bothered you
then you'd just run some spyware removal programs. Big deal. And if
you did have spyware, you'd want to get rid of it properly anyway. Not
just block it. Since what it sends isn't really important.
 

Sam

Sam said ...
> Ok, so Volker Birk makes what seem to me to be some pretty good
> arguments why it's a waste of time running software firewalls offering
> outbound protection (on the basis that any software wanting badly enough
> to "call home" would in any case be able to bypass that firewall).
>
> But I haven't seen anyone supporting or for that matter refuting
> Volker's view. I'm talking here about basic firewalls such as ZA free,
> not something like ZASS which may well offer other advantages.
>
> So what's the view - should I reclaim much-needed cpu cycles by ditching
> ZA free or any other basic 2-way firewall altogether and just rely on
> Windows Firewall, and of course an antivirus scanner? And, of course,
> not installing anything I don't trust.
>
> Your views very much appreciated.
>
Many thanks to all who have responded to this - makes very interesting
reading, and helpful too. Keep your views coming please.
--
Sam
 
Guest

jameshanley39@yahoo.co.uk wrote:
> suppose the windows firewall has an exploit. then maybe better to use
> sygate.

In fact, it's more likely that Sygate has an exploit again than the
Windows Firewall (though both are possible), because Sygate is much more
complex:

http://www.google.de/search?q=sygate+site%3Asecurityfocus.com%2Fbid

> sygate also has a great port logger. My NAT device doesn't
> have a port logger, but even if it did, sygate's is really nice.

Seems to be true for what all people are telling ;-) I prefer Ethereal
anyway, but if one likes this, why not?

> And if
> you did have spyware, you'd want to get rid of it properly anyway. Not
> just block it. Since what it sends isn't really important.

Good point. But please don't forget this:

http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"
 
Guest

Volker Birk wrote:
> jameshanley39@yahoo.co.uk wrote:
> > suppose the windows firewall has an exploit. then maybe better to use
> > sygate.
>
> In fact, it's more likely that Sygate has an exploit again than the
> Windows Firewall (though both are possible), because Sygate is much more
> complex:
>
> http://www.google.de/search?q=sygate+site%3Asecurityfocus.com%2Fbid
>
> > sygate also has a great port logger. My NAT device doesn't
> > have a port logger, but even if it did, sygate's is really nice.
>
> Seems to be true for what all people are telling ;-) I prefer Ethereal
> anyway, but if one likes this, why not?

Sygate gives the process name that is sitting at the local port (if
there is a process sitting there). Ethereal does not.

Sygate tells you clearly whether it's incoming or outgoing. In Ethereal you
gotta check the IP addresses of the frames initiating TCP connections.
Or the IP addresses of UDP frames.

Ethereal bombards you with all the frames being sent when all that is
required here are those indicating connections being initiated. So,
how do you get around this? Well,
apply filter
tcp.flags.syn == 1 && tcp.flags.ack==0

OK, so now I have Ethereal behaving a little bit more like a port
logger ;)

So that gets around the main issues I had with Ethereal as a port
logger.

Regarding Sygate, if one wanted to only use the port logger, one can
click Security > Allow All.
It won't close any ports, certainly won't stealth any ports, and I
think it's not blocking ICMP either.

Maybe if Sygate is allowing everything then it's not open to be
exploited remotely either.

So, I figured out how to use Ethereal like a port logger in the end!

But Ethereal still doesn't display the process names. Sygate does.

And Ethereal still doesn't display date/time. Sygate does. Really
it's trying to make Ethereal into something that it's not.
At least by using Sygate as just a humble port logger, you're not
making it something it isn't. Sygate does the job well. The ability is
designed in there.

The other competitor is MS Port Reporter.

MS Port Reporter is OK, but it's not a log that you can view in real
time. And it gives local and remote, not source and dest, so you can't
even decipher for sure if it's incoming or outgoing.
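The post above turns Ethereal into a port logger with the display filter tcp.flags.syn == 1 && tcp.flags.ack == 0 and works out direction from the IP addresses by hand. As an added example (not code from this thread or from Ethereal/Sygate), here is that reduction in Python over a constructed packet list, extended to UDP flows and timestamps, which are the two things the poster found missing; LOCAL_IP and the sample frames are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed address of the monitored host; direction is judged relative to it.
LOCAL_IP = "192.168.1.10"

# Constructed sample capture in the shape of a summarised packet list:
# (unix timestamp, protocol, src ip, src port, dst ip, dst port, tcp flags).
# tcp flags is a set of flag names for TCP and None for UDP.
SAMPLE_FRAMES = [
    (1127060000.0, "TCP", "192.168.1.10", 3312, "203.0.113.5", 80, {"SYN"}),
    (1127060000.2, "TCP", "203.0.113.5", 80, "192.168.1.10", 3312, {"SYN", "ACK"}),
    (1127060000.3, "TCP", "192.168.1.10", 3312, "203.0.113.5", 80, {"ACK"}),
    (1127060001.0, "TCP", "198.51.100.7", 44512, "192.168.1.10", 445, {"SYN"}),
    (1127060002.0, "UDP", "192.168.1.10", 1025, "192.168.1.1", 53, None),
    (1127060002.1, "UDP", "192.168.1.1", 53, "192.168.1.10", 1025, None),
    (1127060003.0, "UDP", "192.168.1.10", 1025, "192.168.1.1", 53, None),
    (1127060004.0, "TCP", "192.168.1.20", 5555, "203.0.113.9", 6667, {"SYN"}),
]


@dataclass
class LogEntry:
    time: str
    direction: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def __str__(self):
        return (f"{self.time} {self.direction:<8} {self.proto} "
                f"{self.src}:{self.sport} -> {self.dst}:{self.dport}")


def is_tcp_initiation(flags):
    """The post's Ethereal filter: tcp.flags.syn == 1 && tcp.flags.ack == 0."""
    return "SYN" in flags and "ACK" not in flags


def direction(src, dst, local_ip=LOCAL_IP):
    """What Sygate labels for you and Ethereal makes you infer from the IPs."""
    if src == local_ip:
        return "outgoing"
    if dst == local_ip:
        return "incoming"
    return "transit"  # another host's traffic seen on a shared segment


def port_log(frames, local_ip=LOCAL_IP):
    """Reduce a capture to connection initiations, one entry per new flow."""
    seen_udp = set()
    entries = []
    for ts, proto, src, sport, dst, dport, flags in frames:
        if proto == "TCP":
            if not is_tcp_initiation(flags):
                continue
        elif proto == "UDP":
            # UDP has no handshake: treat the first datagram of a flow as the
            # initiation and skip replies and repeats on the same 4-tuple.
            key = (src, sport, dst, dport)
            if key in seen_udp or (dst, dport, src, sport) in seen_udp:
                continue
            seen_udp.add(key)
        else:
            continue
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        entries.append(LogEntry(when, direction(src, dst, local_ip), proto,
                                src, sport, dst, dport))
    return entries


if __name__ == "__main__":
    for entry in port_log(SAMPLE_FRAMES):
        print(entry)
```

Process names are still absent, as the post notes: a capture only sees the wire, so the local port has to be matched against the socket table separately.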
 
Guest

"Sam" <sam.sam@sam.samsam.com> wrote in message
news:dgdsuf$m9p$1@nwrdmz01.dmz.ncs.ea.ibs-infra.bt.com...
> Ok, so Volker Birk makes what seem to me to be some pretty good
> arguments why it's a waste of time running software firewalls offering
> outbound protection (on the basis that any software wanting badly enough
> to "call home" would in any case be able to bypass that firewall).

Tiny Personal Firewall blocks by application, and
can stop any application from being able to "call
home". Forget other firewalls. Forget hardware
appliances, and use Tiny. It is just simply the
BEST at what it does, period.
 
Guest

Charles Newman <charlesnewman1@comcast.spamkiller.net> wrote:
> Tiny Personal Firewall blocks by application, and
> can stop any application from being able to "call
> home".

No, it cannot.

I tested my POC on http://www.dingens.org/breakout.c with Tiny "Personal
Firewall" 6.0, and it failed.

And even if a newer release of Tiny "Personal Firewall" will prevent
this, then there are so many different ways to tunnel, that it's possible
to find another way to ignore the "call home" filtering of any "Personal
Firewall", including Tiny.

Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"
 

mark

"Volker Birk" <bumens@dingens.org> wrote in message
news:432d2cd8@news.uni-ulm.de...
> Quaestor <no-spam@my.place> wrote:
>> Outbound
>> application control is the essence of stopping spyware.
>
> No. It's just misunderstanding the situation. But don't be too unhappy,
> you're not the only person who is falling for advertizing tricks from
> time to time.
>
> Yours,
> VB.
> --
> "It cannot be that the frustrated people in Rome decide what happens in
> German bedrooms."
> Harald Schmidt on "World Youth Day"

LOL. Sounds like a spammer trying to keep a few zombies going.
 
Guest

Mark <nothere@notthere.com> wrote:
> >> Outbound
> >> application control is the essence of stopping spyware.
> > No. It's just misunderstanding the situation. But don't be too unhappy,
> > you're not the only person who is falling for advertizing tricks from
> > time to time.
> LOL. Sounds like a spammer trying to keep a few zombies going.

No. Sounds like a person, who presents the proof for this:

http://www.dingens.org/breakout-en.c
http://www.dingens.org/breakout-en.exe

Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"
 

mark

"Volker Birk" <bumens@dingens.org> wrote in message
news:4333d49c@news.uni-ulm.de...
> Mark <nothere@notthere.com> wrote:
>> >> Outbound
>> >> application control is the essence of stopping spyware.
>> > No. It's just misunderstanding the situation. But don't be too unhappy,
>> > you're not the only person who is falling for advertizing tricks from
>> > time to time.
>> LOL. Sounds like a spammer trying to keep a few zombies going.
>
> No. Sounds like a person, who presents the proof for this:
>
> http://www.dingens.org/breakout-en.c
> http://www.dingens.org/breakout-en.exe
>
> Yours,
> VB.
> --
> "It cannot be that the frustrated people in Rome decide what happens in
> German bedrooms."
> Harald Schmidt on "World Youth Day"

Sorry, we're talking different things. You're talking personal firewalls -
I'm talking appliances.

I agree with personal firewalls - I lost a lot of faith in them some time
ago.