Firewall Security

Archived from groups: microsoft.public.windowsxp.security_admin

I've got conflicting advice re firewall security. I have SP2 and all
necessary security updates. Should I load Zone Alarm Pro 4, or will this cause
me problems?
--
Aileen
  1.

    You shouldn't run 2 firewalls on your desktop. They won't work right together
    and have potential resource and function conflicts.

    If you are an intermediate-to-advanced user, use ZA or another firewall that
    provides egress/ingress filtering.

    A regular home user should stick with the built-in XP SP2 firewall.


    "Aileen" wrote:

    > I've got conflicting advice re firewall security. I have SP2 and all
    > necessary security updates should I load Zone Alarm Pro 4 or will this cause
    > me problems.
    > --
    > Aileen
  2.

    The built-in XP firewall is a good start but ZoneAlarm does a much better
    job at it.
    ZA covers things that XP does not... like outgoing mail, specific
    blocking of programs so that they cannot access the net, making your system
    invisible to the net and much much more.
    How secure do you wish to be?
    I recommend ZA... but then I have it running on my machines
    peter
    "Aileen" <Aileen@discussions.microsoft.com> wrote in message
    news:EFD48241-48C4-4976-AB5E-0AD20A7768C5@microsoft.com...
    > I've got conflicting advice re firewall security. I have SP2 and all
    > necessary security updates should I load Zone Alarm Pro 4 or will this
    > cause
    > me problems.
    > --
    > Aileen
  3.

    A) Zone alarm doesn't do "outgoing mail". It does egress (outbound)
    filtering, which the XP2 firewall does not. This is generally considered a
    good thing, but in my mind, once something is on your machine, you're
    screwed anyway.

    B) The XP firewall can make your computer "invisible" to the net.

    C) I recommend the XP2 firewall for the average home user.

    Matt Gibson - GSEC

    "peter" <peter@nomalarky.net> wrote in message
    news:y5CPd.45618$gA4.28619@edtnps89...
    > The build in XP firewall is a good start but ZoneAlarm does a much better
    > job at it.
    > ZA covers things that XP does not..........like outgoing mail,specific
    > blocking of programs so that they cannot access the net,making your system
    > invisible to the net and much much more.
    > How secure do you wish to be??
    > I recommend ZA..........but then I have it running on my machines
    > peter
    > "Aileen" <Aileen@discussions.microsoft.com> wrote in message
    > news:EFD48241-48C4-4976-AB5E-0AD20A7768C5@microsoft.com...
    >> I've got conflicting advice re firewall security. I have SP2 and all
    >> necessary security updates should I load Zone Alarm Pro 4 or will this
    >> cause
    >> me problems.
    >> --
    >> Aileen
    >
    >
  4.

    "Matt Gibson" wrote:

    > A) Zone alarm doesn't do "outgoing mail". It does egress (outbound)
    > filtering, which the XP2 firewall does not. This is generally considered a
    > good thing, but in my mind, once something is on your machine, you're
    > screwed anyway.

    > B) The XP firewall can make your computer "invisible" to the net.

    > C) I recommend the XP2 firewall for the average home user.

    Exactly. Using a third party firewall to block outbound communications by
    rogue programs is a bit like locking the front door of your house after it
    has already been infiltrated by vandals or criminals. You are already
    screwed anyway. The best solution is to use antivirus, antispyware, and
    anti-adware software that keeps the rogues out of your house in the first
    place, and use your firewall primarily to keep your computer invisible and
    prevent unauthorized inbound communications. Moreover, even as they prevent
    illegitimate outbound communications, they also prevent many legitimate ones
    (e.g. update programs that automatically update software) and sometimes cause
    software conflicts.

    Ken
  5.

    Ken Gardner wrote:

    >
    >
    > Exactly. Using a third party firewall to block outbound communications by
    > rogue programs is a bit like locking the front door of your house after it
    > has already been infiltrated by vandals or criminals. You are already
    > screwed anyway.


    So, instead of calling the police or chasing the malefactors out of
    your house, you prefer to just surrender and let them have a free rein?
    That's an abysmally poor analogy.


    > The best solution is to use antivirus, antispyware, and
    > anti-adware software that keeps the rogues out of your house in the first
    > place, ....


    Those are all valuable tools, and they should be used by everyone, but
    they're hardly a panacea. How do these "reactive" applications deal
    with a brand new Trojan or spyware product about which they have no
    information in their definition databases? How do they prevent the
    uninformed computer user from deliberately installing adware/spyware by
    breezing past the EULA that accompanies that cool new screensaver or
    collection of emoticons that he/she just has to have? A firewall can
    detect the presence of the new malware by its actions, rather than
    relying upon a 3rd party to provide prescient definition files, or the
    user to update to new virus definition files the instant they become
    available.


    > and use your firewall primarily to keep your computer invisible and
    > prevent unauthorized inbound communications.


    That is the primary purpose of a firewall, certainly, but hardly the
    only one.


    > Moreover, even as they prevent
    > illegitimate outbound communications, they also prevent many legitimate ones
    > (e.g. update programs that automatically update software) and sometimes cause
    > software conflicts.
    >


    Grossly incorrect. This doesn't happen if the firewall used is
    compatible with the OS and is properly configured.


    --

    Bruce Chambers

    Help us help you:
    http://dts-l.org/goodpost.htm
    http://www.catb.org/~esr/faqs/smart-questions.html

    You can have peace. Or you can have freedom. Don't ever count on having
    both at once. - RAH
  6.

    "Bruce Chambers" wrote:

    > > Exactly. Using a third party firewall to block outbound communications by
    > > rogue programs is a bit like locking the front door of your house after it
    > > has already been infiltrated by vandals or criminals. You are already
    > > screwed anyway.

    > So, instead of calling the police or chasing the malefactors out of
    > your house, you prefer to just surrender and let them have a free rein?
    > That's an abysmally poor analogy.

    Because I have never had a single piece of adware or spyware on my machine
    using my approach -- is there a lesson here? -- I'm not sure how to react to
    this comment. Because an unauthorized break-in has never occurred in my
    house in the first place, due to the other strong security measures that I
    have already implemented, I don't need to call the police. But if one did
    take place, I would do the equivalent of arresting the imposter or dealing
    with him myself -- with extreme prejudice -- by using antivirus, anti-adware,
    or anti-spyware software to remove the imposter.

    > > The best solution is to use antivirus, antispyware, and
    > > anti-adware software that keeps the rogues out of your house in the first
    > > place, ....

    > Those are all valuable tools, and they should be used by everyone, but
    > they're hardly a panacea. How do these "reactive" applications deal
    > with a brand new Trojan or spyware product about which they have no
    > information in their definition databases?

    Obviously they can't, so part of dealing with the problem is (1) regularly
    updating anti-crudware software on a daily basis (if not even more frequently),
    (2) regularly scanning for such crudware (I scan for antivirus crud weekly
    and antispyware crud nightly), (3) learning when to recognize the signs of
    malware doing bad stuff, and (4) staying up to date on emerging security
    threats. I'm confident in my own ability to do all of these things. But...

    > How do they prevent the uninformed computer user from deliberately installing
    > adware/spyware by breezing past the EULA that accompanies that cool new
    > screensaver or collection of emoticons that he/she just has to have? A firewall
    > can detect the presence of the new malware by its actions, rather than
    > relying upon a 3rd party to provide prescient definition files, or the
    > user to update to new virus definition files the instant they become
    > available.

    I agree to this extent. Any crudware, whether new or old, isn't going to
    install itself by magic on your machine without the active participation of
    the user. So the single best step anyone can take is to educate himself on
    how to avoid downloading and installing crudware in the first place. Now, if
    someone isn't going to take the trouble to do this, then I would agree that
    he better get a third party firewall that blocks outbound communications.
    But that's not me.

    In other words, third party firewalls aren't for everyone, but only for
    people who practice unsafe computing practices and therefore need the
    protection of a more aggressive firewall. That's not everyone, or even most
    people.

    > > and use your firewall primarily to keep your computer invisible and
    > > prevent unauthorized inbound communications.

    > That is the primary purpose of a firewall, certainly, but hardly the
    > only one.

    It comes down to how conservative and cautious you want to be. I am very
    conservative and cautious about downloading, opening, installing, or clicking
    on stuff I don't know or trust, and as a consequence I can afford to be a bit
    less conservative and cautious about my choice of firewall.

    This hasn't always been my attitude. I also used to use third party
    firewalls as well, including both Norton and Zone Alarm. Invariably I would
    discover that some program that was supposed to update didn't update, or for
    some reason I would have trouble connecting to the Internet and the problem
    turned out to be that the firewall was blocking a perfectly legitimate
    program that it didn't recognize. Given how careful and cautious I already
    was in other areas, I didn't see the point of spending additional time
    messing with the firewall.

    > > Moreover, even as they prevent
    > > illegitimate outbound communications, they also prevent many legitimate ones
    > > (e.g. update programs that automatically update software) and sometimes
    > > cause software conflicts.

    > Grossly incorrect. This doesn't happen if the firewall used is
    > compatible with the OS and is properly configured.

    I don't use any third party utility software of any kind unless it has the
    "Designed for Windows XP" logo. The problem I always had with third party
    firewalls was that the software was not properly configured -- by the
    program, not by me. As a result, it would block many legitimate outbound
    communications, so I would constantly be reconfiguring the firewall. Also,
    these programs did a generally poor job in advising me whether I should allow
    or block a particular attempt to access the Internet. As a result, I would
    have to go on Google, or to Microsoft's support site, or these newsgroups, to
    get straight information that I could understand. To be sure, all of this
    was a minor hassle, but it was still a hassle and it was often
    time-consuming. Cleaning my sock drawer is also a hassle, especially when
    -- to use another analogy -- the socks are already neatly arranged in the
    first place and I know that they are. I would rather spend my time arguing
    with bright computer guys like you over Usenet. :)

    Ken
  7.

    On Sat, 12 Feb 2005 21:29:02 -0800, Aileen wrote:

    > I've got conflicting advice re firewall security. I have SP2 and all
    > necessary security updates should I load Zone Alarm Pro 4 or will this cause
    > me problems.

    Aileen, if you have a DSL or Cable modem connection you should install a
    router that provides NAT for your protection. While personal firewalls
    like the SP2 one or the ZAP firewall are nice they can be compromised from
    user misconfiguration or from you starting a rogue application on your
    computer. For most users the personal firewall (PF) gives a false sense of
    security, as the firewall is only as good as the user clicking allow/deny
    for alerts.

    A router with NAT is a small box that sits between your computer and the
    internet device (modem) and blocks all unsolicited inbound traffic - this
    means that the only things to reach your computer are things you've
    requested (even things you didn't know you were requesting). You can still
    run a PF with a router, but it will be mostly limited to doing just
    application/outbound filtering at that point.

    The SP2 firewall isn't much of a firewall, it's like a cheap/poor inbound
    filter only, ZAP would be a much better choice if you want a PF.

    Don't forget about the Antivirus solution - AVG 7 is free and it scans
    inbound and outbound email for Outlook users, but I would rather see you
    use something like Norton Antivirus 2005, not a Norton suite like NIS or
    one that has their firewall, just the Antivirus product.

    If your computer is the only computer on the network (in the house) you
    might not need to have "File and Printer" sharing enabled in your network
    settings - if you're not sharing files/printers across your internal
    network or the internet (and across the internet would be a bad idea) then
    you can uncheck the "File and printer" sharing box in your network
    settings - this makes it just a little harder for people to access your
    computer.


    --
    spam999free@rrohio.com
    remove 999 in order to email me
  8.

    Strange then that MS should send out a CD alongside the SP1a/win9x update CD
    that contained CA's anti-virus and firewall..

    NATs do seem to stop inbound events ever registering on a personal firewall,
    but there is little doubt that personal firewalls do warn of some malicious
    events created by the user executing bad stuff from behind one.. that can't
    be a bad thing..

    Personal firewalls do at least warn that accepting some criteria could land
    a user in hot water.. without one, they have no concept at all..


    --
    Mike Hall
    MVP - Windows Shell/user

    http://dts-l.org/goodpost.htm


    "Leythos" <void@nowhere.lan> wrote in message
    news:pan.2005.02.13.14.22.04.607310@nowhere.lan...
    > On Sat, 12 Feb 2005 21:29:02 -0800, Aileen wrote:
    >
    >> I've got conflicting advice re firewall security. I have SP2 and all
    >> necessary security updates should I load Zone Alarm Pro 4 or will this
    >> cause
    >> me problems.
    >
    > Aileen, if you have a DSL or Cable modem connection you should install a
    > router that provides NAT for your protection. While personal firewalls
    > like the SP2 one or the ZAP firewall are nice they can be compromised from
    > user misconfiguration or from you starting a rogue application on your
    > computer. For most users the personal firewall PF give a false sense of
    > security, as the firewall is only as good as the user clicking allow/deny
    > for alerts.
    >
    > A router with NAT is a small box that sits between your computer and the
    > internet device (modem) and blocks all unsolicited inbound traffic - this
    > means that the only things to reach your computer are things you've
    > requested (even things you didn't know you were requesting). You can still
    > run a PF with a router, but it will be mostly limited to doing just
    > application/outbound filtering at that point.
    >
    > The SP2 firewall isn't much of a firewall, it's like a cheap/poor inbound
    > filter only, ZAP would be a much better choice if you want a PF.
    >
    > Don't forget about the Antivirus solution - AVG 7 is free and it scans
    > inbound and outbound email for Outlook users, but I would rather see you
    > use something like Norton Antivirus 2005, not a Norton suite like NIS or
    > one that has their firewall, just the Antivirus product.
    >
    > If your computer is the only computer on the network (in the house) you
    > might not need to have "File and Printer" sharing enabled in your network
    > settings - if you're not sharing files/printers across your internal
    > network or the internet (and across the internet would be a bad idea) then
    > you can uncheck the "File and printer" sharing box in your network
    > settings - this makes it just a little harder for people to access your
    > computer.
    >
    >
    >
    > --
    > spam999free@rrohio.com
    > remove 999 in order to email me
    >
  9.

    Thanks everyone for your helpful suggestions. I do have Norton Anti-Virus
    2005 and run Spybot and AdAware regularly.

    Many thanks

  10.

    Ken Gardner wrote:

    >
    >
    > But if one did
    > take place, I would do the equivalent of arresting the imposter or dealing
    > with him myself -- with extreme prejudice -- by using antivirus, anti-adware,
    > or anti-spyware software to remove the imposter.
    >
    >


    All of which begs the question, somewhat. How do you detect the
    presence of malware that your antivirus and anti-spyware applications
    don't recognize as such? The experienced, advanced computer user may
    well notice subtle odd behaviour and investigate, but what about the
    average consumer? Most lack the technical knowledge, the inclination,
    or even the desire to have that level of understanding. Unless something
    goes egregiously awry, the average computer user simply won't be aware
    that he's just sent his credit card info off to Eastern Europe. A 3rd
    party firewall at least tells them that there's something wrong, even if
    they don't quite know what to do about it.


    >
    > Obviously they can't, so part of dealing with the problem is (1) regularly
    > updating anti-crudware software on a daily basis (if not even more frequently),
    > (2) regularly scanning for such crudware (I scan for antivirus crud weekly
    > and antispyware crud nightly), (3) learning when to recognize the signs of
    > malware doing bad stuff, and (4) staying up to date on emerging security
    > threats. I'm confident in my own ability to do all of these things. But...
    >
    >


    I can't argue with any of that; it mirrors my own opinions and
    practices. Most other people, however, are nowhere near as
    conscientious about performing these hygienic chores.


    >
    >
    > I agree to this extent. Any crudware, whether new or old, isn't going to
    > install itself by magic on your machine without the active participation of
    > the user. So the single best step anyone can take is to educate himself on
    > how to avoid downloading and installing crudware in the first place. Now, if
    > someone isn't going to take the trouble to do this, then I would agree that
    > he better get a third party firewall that blocks outbound communications.
    > But that's not me.
    >

    Yes, I think we're both in agreement on this. Unfortunately, the
    overwhelming majority of computer users don't think the same way we do.

    There are several essential components to computer security: a
    knowledgeable and pro-active user, a properly configured firewall,
    reliable and up-to-date antivirus software, and the prompt repair (via
    patches, hotfixes, or service packs) of any known vulnerabilities.

    The weakest link in this "equation" is, of course, the computer
    user. No software manufacturer can -- nor should they be expected
    to -- protect the computer user from him/herself. All too many people
    have bought into the various PC/software manufacturers' marketing
    claims of easy computing. They believe that their computer should be
    no harder to use than a toaster oven; they have neither the
    inclination nor desire to learn how to safely use their computer. All
    too few people keep their antivirus software current, install patches
    in a timely manner, or stop to really think about that cutesy link
    they're about to click.

    Firewalls and anti-virus applications, which should always be used
    and should always be running, are important components of "safe hex,"
    but they cannot, and should not be expected to, protect the computer
    user from him/herself. Ultimately, it is incumbent upon each and
    every computer user to learn how to secure his/her own computer.


    > In other words, third party firewalls aren't for everyone, but only for
    > people who practice unsafe computing practices and therefore need the
    > protection of a more aggressive firewall...


    While it's certainly true that there's no "one size fits all" solution to
    computer security, I have to disagree with your contention that only
    people who practice unsafe computing need a firewall. Anyone is capable
    of making a mistake; it only makes good sense to have a mechanism in
    place that can detect that mistake. Do you disdain the use of seat
    belts because you've never been involved in a traffic accident, and you
    have an air-bag to protect you if necessary? (Shaky analogy, but I like
    it.) Although, by my lights, anyone who connects a computer to the
    Internet without first having a properly configured firewall in place
    *is* using unsafe computing practices, so I guess we're actually in
    agreement on this point, as well. (And I've just contradicted myself, in
    a manner of speaking, haven't I?) We just haven't agreed upon the
    definition of "unsafe computing."


    > ... That's not everyone, or even most people.
    >
    >


    Here, I must vehemently disagree. Having spent the past several years
    supporting all levels of computer users in multiple environments, I've
    observed that the vast majority of people don't know how to practice
    safe hex, and really aren't particularly interested in learning.


    >
    > It comes down to how conservative and cautious you want to be. I am very
    > conservative and cautious about downloading, opening, installing, or clicking
    > on stuff I don't know or trust, and as a consequence I can afford to be a bit
    > less conservative and cautious about my choice of firewall.
    >


    If everyone were as cautious as you, there'd very probably be no need
    for this discussion to have taken place, or for the subject to ever
    arise, for that matter.


    > This hasn't always been my attitude. I also used to use third party
    > firewalls as well, including both Norton and Zone Alarm. Invariably I would
    > discover that some program that was supposed to update didn't update, or for
    > some reason I would have trouble connecting to the Internet and the problem
    > turned out to be that the firewall was blocking a perfectly legitimate
    > program that it didn't recognize.


    Having used both products, my experiences differed. I never found them
    to cause problems of that sort, at all. Of course, my experiences are
    obviously going to be different, so this is something of a moot point.


    > Given how careful and cautious I already
    > was in other areas, I didn't see the point of spending additional time
    > messing with the firewall.
    >
    >


    You're making an informed decision, after having weighed all of the
    factors that apply in your case. Most people don't do that.


    >
    >
    > The problem I always had with third party
    > firewalls was that the software was not properly configured -- by the
    > program, not by me. As a result, it would block many legitimate outbound
    > communications, so I would constantly be reconfiguring the firewall.


    How do you mean "the software was not properly configured -- by the
    program?" Were you expecting that the firewall's default settings would
    be universally applicable and require no user intervention, no fine
    tuning, as it were? If I'm understanding you correctly, that strikes me
    as a rather naive outlook for someone who is as knowledgeable and
    experienced as you seem. And were you really "constantly"
    reconfiguring the firewall, or was it only after you'd made changes to
    one or more of the applications? There's always a brief period during
    which a new firewall must be "taught" about your computing habits and
    your applications, but after that initial "burn-in" period, it really
    shouldn't be necessary to constantly reconfigure the firewall.


    > Also,
    > these programs did a generally poor job in advising me whether I should allow
    > or block a particular attempt to access the Internet. As a result, I would
    > have to go on Google, or to Microsoft's support site, or these newsgroups, to
    > get straight information that I could understand. To be sure, all of this
    > was a minor hassle, but it was still a hassle and it was often
    > time-consuming.


    This is because the firewall is reacting to the potentially dangerous
    behavior of an application, rather than checking a list to see if a
    program is one of the pre-defined bad guys. The firewall doesn't "know"
    that a program is a good guy until you tell it so. (And your definition
    of an acceptable outbound connection may well vary from any one else's.)
    The inconvenience of having to research the source of the firewall's
    alarm is, to me, just one of the prices that must be paid to have a
    secure computer. I look upon such an event as an educational opportunity.


    In the end, computer security boils down to a decision to compromise
    between convenience and security. One has to decide just how much
    inconvenience is acceptable, as well as choosing a comfortable level of
    risk. Nearly everyone who makes a conscious effort will, I think,
    settle at a different level of compromise, which works best in his
    individual situation.


    > I would rather spend my time arguing
    > with bright computer guys like you over Usenet. :)
    >


    Thank you for the kind words. I've enjoyed our exchange of ideas, as well.


    --

    Bruce Chambers

    Help us help you:
    http://dts-l.org/goodpost.htm
    http://www.catb.org/~esr/faqs/smart-questions.html

    You can have peace. Or you can have freedom. Don't ever count on having
    both at once. - RAH
  11.

    On Sun, 13 Feb 2005 12:31:37 -0500, Mike Hall (MS-MVP) wrote:

    > Strange then that MS should send out a CD alongside the SP1a/win9x update CD
    > that contained CA's anti-virus and firewall..
    >
    > NATs do seem to stop inbound events ever registering on a personal firewall,
    > but there is little doubt that personal firewalls do warn of some malicious
    > events created by the user executing bad stuff from behind one.. that can't
    > be a bad thing..

    No, NATs don't stop inbound events from registering, if the event makes
    it past the router's NAT it will register on the PF. NAT blocks
    "unsolicited" inbound, so there are many things that still make it into
    the network for the firewall to deal with, but they are things that the
    user invited in to it. I know it's a subtle difference in terms/method,
    but it makes a BIG difference in security.

    > Personal firewalls do at least warn that accepting some criteria could land
    > a user in hot water.. without one, they have no concept at all..

    Personal firewalls more often than not, just give the uninformed user a
    false sense of security - as evidenced by the number of machines that are
    still compromised after they use a firewall. Many people are just not
    properly doing research on what to allow/disallow and blindly accept
    connections. There is also the problem where an exploit in the browser
    could render the firewall disabled on a person's computer, which opens it
    to the world.

    A NAT device for home users should be the minimum first line of defense,
    then a personal firewall if they want one. I know of lots of people not
    using any soft-firewalls that run just NAT boxes and have not been
    compromised, but I don't know many home users that run PF's without NAT
    that have not been compromised.

    As security professionals we should advocate a barrier method first and
    then a detection method followed with securing the systems.

    --
    spam999free@rrohio.com
    remove 999 in order to email me
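The distinction drawn in the post above (NAT drops only unsolicited inbound traffic, while anything a LAN program asked for comes straight through) can be seen in a small model. This is an added example, not part of the original thread; the `NatRouter` class, the strict endpoint matching, and all addresses (documentation ranges) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class NatRouter:
    """Toy NAT table with address-and-port-dependent filtering (an assumption;
    real home routers differ in how strictly they match the remote endpoint)."""
    public_ip: str
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # public port -> flow tuple

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """LAN host opens a connection: create (or reuse) a mapping."""
        flow = (lan_ip, lan_port, remote_ip, remote_port)
        for pub_port, known in self.table.items():
            if known == flow:
                return pub_port
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[pub_port] = flow
        return pub_port

    def inbound(self, remote_ip, remote_port, pub_port):
        """Return the LAN (ip, port) to forward to, or None if dropped."""
        flow = self.table.get(pub_port)
        if flow is None:
            return None                      # nothing on the LAN asked for this
        lan_ip, lan_port, want_ip, want_port = flow
        if (remote_ip, remote_port) != (want_ip, want_port):
            return None                      # mapping belongs to another peer
        return (lan_ip, lan_port)


def demo():
    """Constructed traffic using documentation-range addresses."""
    nat = NatRouter(public_ip="203.0.113.5")
    pc = "192.168.1.10"
    results = {}
    # 1. Internet host probes a port nobody opened: unsolicited, dropped.
    results["probe"] = nat.inbound("198.51.100.66", 4444, 40000)
    # 2. User browses a site; the reply matches the mapping and is forwarded.
    web = nat.outbound(pc, 51000, "198.51.100.20", 443)
    results["web_reply"] = nat.inbound("198.51.100.20", 443, web)
    # 3. A different host aims at the browser's mapped port: still dropped.
    results["other_peer"] = nat.inbound("198.51.100.66", 443, web)
    # 4. A program the user ran by mistake connects out; NAT treats the
    #    reply exactly like case 2, so only host-side filtering can flag it.
    bad = nat.outbound(pc, 51001, "198.51.100.99", 8080)
    results["unwanted_app_reply"] = nat.inbound("198.51.100.99", 8080, bad)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} -> {verdict or 'DROPPED'}")
```

Cases 2 and 4 are indistinguishable to the router, which is why a host firewall behind NAT ends up doing mostly application and outbound filtering.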
  12. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    "Bruce Chambers" wrote:

    > All of which begs the question, somewhat. How do you detect the
    > presence of malware that your antivirus and anti-spyware applications
    > don't recognize as such? The experienced, advanced computer user may
    > well notice subtle odd behaviour and investigate, but what about the
    > average consumer? Most lack the technical knowledge, the inclination,
    > or even the desire to have that level of understanding. Unless something
    > goes egregiously awry, the average computer user simply won't be aware
    > that he's just sent his credit card info off to Eastern Europe. A 3rd
    > party firewall at least tells them that there's something wrong, even if
    > they don't quite know what to do about it.

    I don't think we disagree as much as I earlier thought we did. My view is
    that if someone isn't really sure that they have the knowledge and
    inclination to protect themselves from crudware, then a third party firewall
    is a better choice than the Windows firewall.

    > I can't argue with any of that; it mirrors my own opinions and
    > practices. Most other people, however, are nowhere near as
    > conscientious about performing these hygienic chores.

    It really comes down to this very point. For these others, a third party
    firewall is a better solution.

    [...]

    > While it is certainly true that there's no "one size fits all" solution to
    > computer security, I have to disagree with your contention that only
    > people who practice unsafe computing need a firewall. Anyone is capable
    > of making a mistake; it only makes good sense to have a mechanism in
    > place that can detect that mistake. Do you disdain the use of seat
    > belts because you've never been involved in a traffic accident, and you
    > have an air-bag to protect you if necessary? (Shaky analogy, but I like
    > it.)

    My response to this is that the analogy doesn't hold up because I already use
    seatbelts and airbags, i.e. antivirus software, antispyware software,
    anti-adware software, and regular XP updates. Adding a third party firewall
    to this setup would be more like adding extra armor plating, which will make
    your vehicle safer but also result in a performance hit because the car is
    heavier, less fuel efficient, etc. On the other hand, if I could be
    convinced that a third party software doesn't result in a transparent
    performance hit (other than the necessary "training" that goes with any such
    firewall), then my analogy doesn't hold up, either. I have to confess that
    you now have me thinking about this issue a bit more closely.

    [...]

    > Here, I must vehemently disagree. Having spent the past several years
    > supporting all levels of computer users in multiple environments, I've
    > observed that the vast majority of people don't know how to practice
    > safe hex, and really aren't particularly interested in learning.

    Well, I'm not a computer professional, although I am a computer enthusiast
    and have been extensively messing, er, tinkering and experimenting with every
    version of Windows since 3.1. So I would agree at least to this extent: my
    way of doing things is not for everyone, and certainly not for the computer
    novices that you are describing here.

    [...]

    > Having used both products, my experiences differed. I never found them
    > to cause problems of that sort, at all. Of course, my experiences are
    > obviously going to be different, so this is something of a moot point.

    Right. And I don't mean to imply that the problems I encountered were major
    problems. I would classify them as minor annoyances -- e.g., occasions when
    the firewall blocked Internet access because of network changes at my ISP
    level, or prevented legitimate programs it didn't recognize from accessing
    the Internet.

    [...]

    > > The problems I always had with third party
    > > firewalls was that the software was not properly configured -- by the
    > > program, not by me. As a result, it would block many legitimate outbound
    > > communications, so I would constantly be reconfiguring the firewall.
    >
    > How do you mean "the software was not properly configured -- by the
    > program?" Were you expecting that the firewall's default settings would
    > be universally applicable and require no user intervention, no fine
    > tuning, as it were?

    Yes, that's what I meant, although I can see that "not properly configured"
    probably overstates my case. And no, I don't expect the software's default
    settings to be universally applicable and require no user intervention.
    Incidentally, this is a problem that your novice users are going to have with
    these third party firewalls. I personally found Norton sometimes hard to
    use, and Zone Alarm even harder to use -- and I am one of those guys who
    actually researched on Google and elsewhere what programs it was blocking to
    see if I should allow them to access the Internet. Most users, I suspect,
    would block the communication rather than to take the trouble to find out
    that they should allow the communication.

    > If I'm understanding you correctly, that strikes me
    > as a rather naive outlook for someone who is as knowledgeable and
    > experienced as you seem. And were you really "constantly"
    > reconfiguring the firewall, or was it only after you'd made changes to
    > one or more of the applications? There's always a brief period during
    > which a new firewall must be "taught" about your computing habits and
    > your applications, but after that initial "burn-in" period, it really
    > shouldn't be necessary to constantly reconfigure the firewall.

    Again, that's all I'm talking about here. Eventually one can "train" these
    firewalls, at which point they don't bother you again unless there is some
    major change to your network, or you add new software.

    > This is because the firewall is reacting to the potentially dangerous
    > behavior of an application, rather than checking a list to see if a
    > program is one of the pre-defined bad guys. The firewall doesn't "know"
    > that a program is a good guy until you tell it so. (And your definition
    > of an acceptable outbound connection may well vary from any one else's.)
    > The inconvenience of having to research the source of the firewall's
    > alarm is, to me, just one of the prices that must be paid to have a
    > secure computer. I look upon such an event as an educational opportunity.

    To be honest, this is one of the things I really liked about using third
    party firewalls. I did learn much about Windows by researching which
    programs should be permitted to access the Internet.

    [...]

    > > I would rather spend my time arguing
    > > with bright computer guys like you over Usenet. :)

    > Thank you for the kind words. I've enjoyed our exchange of ideas, as well.

    And you have me thinking about this entire issue again. If I could be
    convinced that there really is no downside in performance to adding a third
    party firewall to everything else I do, I will probably concede defeat and
    reinstall NIS. :)

    Ken
  13. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    and you still have conflicting advice..........
    peter
    "Aileen" <Aileen@discussions.microsoft.com> wrote in message
    news:AD334A35-D6B2-41C3-840F-C25455CCE2D3@microsoft.com...
    > Thanks everyone for your helpful suggestions. I do have Norton Anti-Virus
    > 2005 and run Spybot and AdAware regularly.
    >
    > Many thanks
    >
    > "Mike Hall (MS-MVP)" wrote:
    >
    >> Strange then that MS should send out a CD alongside the SP1a/win9x update
    >> CD
    >> that contained CA's anti-virus and firewall..
    >>
    >> NATs do seem to stop inbound events ever registering on a personal
    >> firewall,
    >> but there is little doubt that personal firewalls do warn of some
    >> malicious
    >> events created by the user executing bad stuff from behind one.. that
    >> can't
    >> be a bad thing..
    >>
    >> Personal firewalls do at least warn that accepting some criteria could
    >> land
    >> a user in hot water.. without one, they have no concept at all..
    >>
    >>
    >> --
    >> Mike Hall
    >> MVP - Windows Shell/user
    >>
    >> http://dts-l.org/goodpost.htm
    >>
    >>
    >>
    >>
    >>
    >> "Leythos" <void@nowhere.lan> wrote in message
    >> news:pan.2005.02.13.14.22.04.607310@nowhere.lan...
    >> > On Sat, 12 Feb 2005 21:29:02 -0800, Aileen wrote:
    >> >
    >> >> I've got conflicting advice re firewall security. I have SP2 and all
    >> >> necessary security updates should I load Zone Alarm Pro 4 or will this
    >> >> cause
    >> >> me problems.
    >> >
    >> > Aileen, if you have a DSL or Cable modem connection you should install
    >> > a
    >> > router that provides NAT for your protection. While personal firewalls
    >> > like the SP2 one or the ZAP firewall are nice they can be compromised
    >> > from
    >> > user misconfiguration or from you starting a rogue application on your
    >> > computer. For most users the personal firewall PF give a false sense of
    >> > security, as the firewall is only as good as the user clicking
    >> > allow/deny
    >> > for alerts.
    >> >
    >> > A router with NAT is a small box that sits between your computer and
    >> > the
    >> > internet device (modem) and blocks all unsolicited inbound traffic -
    >> > this
    >> > means that the only things to reach your computer are things you've
    >> > requested (even things you didn't know you were requesting). You can
    >> > still
    >> > run a PF with a router, but it will be mostly limited to doing just
    >> > application/outbound filtering at that point.
    >> >
    >> > The SP2 firewall isn't much of a firewall, it's like a cheap/poor
    >> > inbound
    >> > filter only, ZAP would be a much better choice if you want a PF.
    >> >
    >> > Don't forget about the Antivirus solution - AVG 7 is free and it scans
    >> > inbound and outbound email for Outlook users, but I would rather see
    >> > you
    >> > use something like Norton Antivirus 2005, not a Norton suite like NIS
    >> > or
    >> > one that has their firewall, just the Antivirus product.
    >> >
    >> > If your computer is the only computer on the network (in the house) you
    >> > might not need to have "File and Printer" sharing enabled in your
    >> > network
    >> > settings - if you're not sharing files/printers across your internal
    >> > network or the internet (and across the internet would be a bad idea)
    >> > then
    >> > you can uncheck the "File and printer" sharing box in your network
    >> > settings - this makes it just a little harder for people to access your
    >> > computer.
    >> >
    >> >
    >> >
    >> > --
    >> > spam999free@rrohio.com
    >> > remove 999 in order to email me
    >> >
    >>
    >>
    >>
  14. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Ken Gardner wrote:

    >
    >
    > Adding a third party firewall
    > to this setup would be more like adding extra armor plating, which will make
    > your vehicle safer but also result in a performance hit because the car is
    > heavier, less fuel efficient, etc.


    There's always a trade-off between convenience, performance, and
    security. If you're already operating at your "comfort level," you may
    not need to change anything.


    > On the other hand, if I could be
    > convinced that a third party software doesn't result in a transparent
    > performance hit (other than the necessary "training" that goes with any such
    > firewall), then my analogy doesn't hold up, either. I have to confess that
    > you now have me thinking about this issue a bit more closely.


    Not all 3rd party firewalls carry the quite noticeable performance hit
    of Norton's Personal Firewall. I use the free edition of Sygate,
    myself. I find it to be easily configurable, and it has a much lower
    impact upon performance than does the Symantec product.


    > Most users, I suspect,
    > would block the communication rather than to take the trouble to find out
    > that they should allow the communication.
    >
    >


    I don't see this as a necessarily bad thing. The more recent 3rd party
    firewalls that I've seen all seem to automatically allow the "normal"
    Internet applications (Internet Explorer, Outlook Express, etc.), while
    asking about unknown programs and those processes that can be hijacked. If
    the uninformed user does block the wrong application, it's usually a
    simple matter to "unblock" it, once he realizes that something is no
    longer working correctly. My biggest fear is that the uninformed user
    will instead allow the unknown program access to the Internet. While
    this option is also easily reversible, there's no telling what amount of
    damage or system compromise has already taken place.


    >
    >
    > To be honest, this is one of the things I really liked about using third
    > party firewalls. I did learn much about Windows by researching which
    > programs should be permitted to access the Internet.
    >
    ......
    >
    > And you have me thinking about this entire issue again. If I could be
    > convinced that there really is no downside in performance to adding a third
    > party firewall to everything else I do, I will probably concede defeat and
    > reinstall NIS. :)
    >


    Don't reinstall NIS. Instead try one or more of the free personal
    firewalls, such as Sygate or Kerio. I think you'll be pleasantly surprised.


    --

    Bruce Chambers

    Help us help you:
    http://dts-l.org/goodpost.htm
    http://www.catb.org/~esr/faqs/smart-questions.html

    You can have peace. Or you can have freedom. Don't ever count on having
    both at once. - RAH
  15. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Bruce Chambers wrote:

    [...]

    > Don't reinstall NIS. Instead try one or more of the free personal
    > firewalls, such as Sygate or Kerio. I think you'll be pleasantly surprised.

    If I decide to install a third party firewall, I will. Thanks.

    Ken