
Firewall Security

Anonymous
February 13, 2005 12:29:02 AM

Archived from groups: microsoft.public.windowsxp.security_admin

I've got conflicting advice re firewall security. I have SP2 and all
necessary security updates should I load Zone Alarm Pro 4 or will this cause
me problems.
--
Aileen


Anonymous
February 13, 2005 4:25:01 AM

You shouldn't run 2 firewalls on your desktop. They won't work right together
and have potential resource and function conflicts.

If you are an intermediate-to-advanced user, use ZA or another firewall that
provides egress/ingress filtering.

A regular home user should stick with built-in XP SP2 firewall.


"Aileen" wrote:

> I've got conflicting advice re firewall security. I have SP2 and all
> necessary security updates should I load Zone Alarm Pro 4 or will this cause
> me problems.
> --
> Aileen
February 13, 2005 9:04:14 AM


The built-in XP firewall is a good start but ZoneAlarm does a much better
job at it.
ZA covers things that XP does not... like outgoing mail, specific
blocking of programs so that they cannot access the net, making your system
invisible to the net and much much more.
How secure do you wish to be??
I recommend ZA... but then I have it running on my machines
peter
"Aileen" <Aileen@discussions.microsoft.com> wrote in message
news:EFD48241-48C4-4976-AB5E-0AD20A7768C5@microsoft.com...
> I've got conflicting advice re firewall security. I have SP2 and all
> necessary security updates should I load Zone Alarm Pro 4 or will this
> cause
> me problems.
> --
> Aileen
Anonymous
February 13, 2005 9:04:15 AM

A) Zone alarm doesn't do "outgoing mail". It does egress (outbound)
filtering, which the XP2 firewall does not. This is generally considered a
good thing, but in my mind, once something is on your machine, you're
screwed anyway.

B) The XP firewall can make your computer "invisible" to the net.

C) I recommend the XP2 firewall for the average home user.

Matt Gibson - GSEC

"peter" <peter@nomalarky.net> wrote in message
news:y5CPd.45618$gA4.28619@edtnps89...
> The built-in XP firewall is a good start but ZoneAlarm does a much better
> job at it.
> ZA covers things that XP does not... like outgoing mail, specific
> blocking of programs so that they cannot access the net, making your system
> invisible to the net and much much more.
> How secure do you wish to be??
> I recommend ZA... but then I have it running on my machines
> peter
> "Aileen" <Aileen@discussions.microsoft.com> wrote in message
> news:EFD48241-48C4-4976-AB5E-0AD20A7768C5@microsoft.com...
>> I've got conflicting advice re firewall security. I have SP2 and all
>> necessary security updates should I load Zone Alarm Pro 4 or will this
>> cause
>> me problems.
>> --
>> Aileen
>
>
Anonymous
February 13, 2005 1:11:03 PM

"Matt Gibson" wrote:

> A) Zone alarm doesn't do "outgoing mail". It does egress (outbound)
> filtering, which the XP2 firewall does not. This is generally considered a
> good thing, but in my mind, once something is on your machine, you're
> screwed anyway.

> B) The XP firewall can make your computer "invisible" to the net.

> C) I recommend the XP2 firewall for the average home user.

Exactly. Using a third party firewall to block outbound communications by
rogue programs is a bit like locking the front door of your house after it
has already been infiltrated by vandals or criminals. You are already
screwed anyway. The best solution is to use antivirus, antispyware, and
anti-adware software that keeps the rogues out of your house in the first
place, and use your firewall primarily to keep your computer invisible and
prevent unauthorized inbound communications. Moreover, even as they prevent
illegitimate outbound communications, they also prevent many legitimate ones
(e.g. update programs that automatically update software) and sometimes cause
software conflicts.

Ken
Anonymous
February 13, 2005 2:34:50 PM

Ken Gardner wrote:

>
>
> Exactly. Using a third party firewall to block outbound communications by
> rogue programs is a bit like locking the front door of your house after it
> has already been infiltrated by vandals or criminals. You are already
> screwed anyway.


So, instead of calling the police or chasing the malefactors out of
your house, you prefer to just surrender and let them have a free rein?
That's an abysmally poor analogy.


> The best solution is to use antivirus, antispyware, and
> anti-adware software that keeps the rogues out of your house in the first
> place, ....


Those are all valuable tools, and they should be used by everyone, but
they're hardly a panacea. How do these "reactive" applications deal
with a brand new Trojan or spyware product about which they have no
information in their definition databases? How do they prevent the
uninformed computer user from deliberately installing adware/spyware by
breezing past the EULA that accompanies that cool new screensaver or
collection of emoticons that he/she just has to have? A firewall can
detect the presence of the new malware by its actions, rather than
relying upon a 3rd party to provide prescient definition files, or the
user to update to new virus definition files the instant they become
available.


> and use your firewall primarily to keep your computer invisible and
> prevent unauthorized inbound communications.


That is the primary purpose of a firewall, certainly, but hardly the
only one.


> Moreover, even as they prevent
> illegitimate outbound communications, they also prevent many legitimate ones
> (e.g. update programs that automatically update software) and sometimes cause
> software conflicts.
>


Grossly incorrect. This doesn't happen if the firewall used is
compatible with the OS and is properly configured.


--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
Anonymous
February 13, 2005 2:34:51 PM

"Bruce Chambers" wrote:

> > Exactly. Using a third party firewall to block outbound communications by
> > rogue programs is a bit like locking the front door of your house after it
> > has already been infiltrated by vandals or criminals. You are already
> > screwed anyway.

> So, instead of calling the police or chasing the malefactors out of
> your house, you prefer to just surrender and let them have a free rein?
> That's an abysmally poor analogy.

Because I have never had a single piece of adware or spyware on my machine
using my approach -- is there a lesson here? -- I'm not sure how to react to
this comment. Because an unauthorized break-in has never occurred in my
house in the first place, due to the other strong security measures that I
have already implemented, I don't need to call the police. But if one did
take place, I would do the equivalent of arresting the imposter or dealing
with him myself -- with extreme prejudice -- by using antivirus, anti-adware,
or anti-spyware software to remove the imposter.

> > The best solution is to use antivirus, antispyware, and
> > anti-adware software that keeps the rogues out of your house in the first
> > place, ....

> Those are all valuable tools, and they should be used by everyone, but
> they're hardly a panacea. How do these "reactive" applications deal
> with a brand new Trojan or spyware product about which they have no
> information in their definition databases?

Obviously they can't, so part of dealing with the problem is (1) regularly
updating anti-crudware software on a daily basis (if not even more frequent),
(2) regularly scanning for such crudware (I scan for antivirus crud weekly
and antispyware crud nightly), (3) learning when to recognize the signs of
malware doing bad stuff, and (4) staying up to date on emerging security
threats. I'm confident in my own ability to do all of these things. But...

> How do they prevent the uninformed computer user from deliberately installing
> adware/spyware by breezing past the EULA that accompanies that cool new
> screensaver or collection of emoticons that he/she just has to have? A firewall
> can detect the presence of the new malware by its actions, rather than
> relying upon a 3rd party to provide prescient definition files, or the
> user to update to new virus definition files the instant they become
> available.

I agree to this extent. Any crudware, whether new or old, isn't going to
install itself by magic on your machine without the active participation of
the user. So the single best step anyone can take is to educate himself on
how to avoid downloading and installing crudware in the first place. Now, if
someone isn't going to take the trouble to do this, then I would agree that
he better get a third party firewall that blocks outbound communications.
But that's not me.

In other words, third party firewalls aren't for everyone, but only for
people who practice unsafe computing practices and therefore need the
protection of a more aggressive firewall. That's not everyone, or even most
people.

> > and use your firewall primarily to keep your computer invisible and
> > prevent unauthorized inbound communications.

> That is the primary purpose of a firewall, certainly, but hardly the
> only one.

It comes down to how conservative and cautious you want to be. I am very
conservative and cautious about downloading, opening, installing, or clicking
on stuff I don't know or trust, and as a consequence I can afford to be a bit
less conservative and cautious about my choice of firewall.

This hasn't always been my attitude. I also used to use third party
firewalls as well, including both Norton and Zone Alarm. Invariably I would
discover that some program that was supposed to update didn't update, or for
some reason I would have trouble connecting to the Internet and the problem
turned out to be that the firewall was blocking a perfectly legitimate
program that it didn't recognize. Given how careful and cautious I already
was in other areas, I didn't see the point of spending additional time
messing with the firewall.

> > Moreover, even as they prevent
> > illegitimate outbound communications, they also prevent many legitimate ones
> > (e.g. update programs that automatically update software) and sometimes
> > cause software conflicts.

> Grossly incorrect. This doesn't happen if the firewall used is
> compatible with the OS and is properly configured.

I don't use any third party utility software of any kind unless it has the
"Designed for Windows XP logo." The problems I always had with third party
firewalls was that the software was not properly configured -- by the
program, not by me. As a result, it would block many legitimate outbound
communications, so I would constantly be reconfiguring the firewall. Also,
these programs did a generally poor job in advising me whether I should allow
or block a particular attempt to access the Internet. As a result, I would
have to go on Google, or to Microsoft's support site, or these newsgroups, to
get straight information that I could understand. To be sure, all of this
was a minor hassle, but it was still a hassle and it was often
time-consuming. Cleaning my sock drawer is also a hassle, especially when
-- to use another analogy -- the socks are already neatly arranged in the
first place and I know that they are. I would rather spend my time arguing
with bright computer guys like you over Usenet. :) 

Ken
Anonymous
February 13, 2005 5:17:53 PM

On Sat, 12 Feb 2005 21:29:02 -0800, Aileen wrote:

> I've got conflicting advice re firewall security. I have SP2 and all
> necessary security updates should I load Zone Alarm Pro 4 or will this cause
> me problems.

Aileen, if you have a DSL or Cable modem connection you should install a
router that provides NAT for your protection. While personal firewalls
like the SP2 one or the ZAP firewall are nice they can be compromised from
user misconfiguration or from you starting a rogue application on your
computer. For most users the personal firewall (PF) gives a false sense of
security, as the firewall is only as good as the user clicking allow/deny
for alerts.

A router with NAT is a small box that sits between your computer and the
internet device (modem) and blocks all unsolicited inbound traffic - this
means that the only things to reach your computer are things you've
requested (even things you didn't know you were requesting). You can still
run a PF with a router, but it will be mostly limited to doing just
application/outbound filtering at that point.

The SP2 firewall isn't much of a firewall, it's like a cheap/poor inbound
filter only, ZAP would be a much better choice if you want a PF.

Don't forget about the Antivirus solution - AVG 7 is free and it scans
inbound and outbound email for Outlook users, but I would rather see you
use something like Norton Antivirus 2005, not a Norton suite like NIS or
one that has their firewall, just the Antivirus product.

If your computer is the only computer on the network (in the house) you
might not need to have "File and Printer" sharing enabled in your network
settings - if you're not sharing files/printers across your internal
network or the internet (and across the internet would be a bad idea) then
you can uncheck the "File and printer" sharing box in your network
settings - this makes it just a little harder for people to access your
computer.



--
spam999free@rrohio.com
remove 999 in order to email me
Anonymous
February 13, 2005 5:17:54 PM

Strange then that MS should send out a CD alongside the SP1a/win9x update CD
that contained CA's anti-virus and firewall..

NATs do seem to stop inbound events ever registering on a personal firewall,
but there is little doubt that personal firewalls do warn of some malicious
events created by the user executing bad stuff from behind one.. that can't
be a bad thing..

Personal firewalls do at least warn that accepting some criteria could land
a user in hot water.. without one, they have no concept at all..


--
Mike Hall
MVP - Windows Shell/user

http://dts-l.org/goodpost.htm





"Leythos" <void@nowhere.lan> wrote in message
news:pan.2005.02.13.14.22.04.607310@nowhere.lan...
> On Sat, 12 Feb 2005 21:29:02 -0800, Aileen wrote:
>
>> I've got conflicting advice re firewall security. I have SP2 and all
>> necessary security updates should I load Zone Alarm Pro 4 or will this
>> cause
>> me problems.
>
> Aileen, if you have a DSL or Cable modem connection you should install a
> router that provides NAT for your protection. While personal firewalls
> like the SP2 one or the ZAP firewall are nice they can be compromised from
> user misconfiguration or from you starting a rogue application on your
> computer. For most users the personal firewall PF give a false sense of
> security, as the firewall is only as good as the user clicking allow/deny
> for alerts.
>
> A router with NAT is a small box that sits between your computer and the
> internet device (modem) and blocks all unsolicited inbound traffic - this
> means that the only things to reach your computer are things you've
> requested (even things you didn't know you were requesting). You can still
> run a PF with a router, but it will be mostly limited to doing just
> application/outbound filtering at that point.
>
> The SP2 firewall isn't much of a firewall, it's like a cheap/poor inbound
> filter only, ZAP would be a much better choice if you want a PF.
>
> Don't forget about the Antivirus solution - AVG 7 is free and it scans
> inbound and outbound email for Outlook users, but I would rather see you
> use something like Norton Antivirus 2005, not a Norton suite like NIS or
> one that has their firewall, just the Antivirus product.
>
> If your computer is the only computer on the network (in the house) you
> might not need to have "File and Printer" sharing enabled in your network
> settings - if you're not sharing files/printers across your internal
> network or the internet (and across the internet would be a bad idea) then
> you can uncheck the "File and printer" sharing box in your network
> settings - this makes it just a little harder for people to access your
> computer.
>
>
>
> --
> spam999free@rrohio.com
> remove 999 in order to email me
>
Anonymous
February 13, 2005 5:17:55 PM

Thanks everyone for your helpful suggestions. I do have Norton Anti-Virus
2005 and run Spybot and AdAware regularly.

Many thanks

"Mike Hall (MS-MVP)" wrote:

> Strange then that MS should send out a CD alongside the SP1a/win9x update CD
> that contained CA's anti-virus and firewall..
>
> NATs do seem to stop inbound events ever registering on a personal firewall,
> but there is little doubt that personal firewalls do warn of some malicious
> events created by the user executing bad stuff from behind one.. that can't
> be a bad thing..
>
> Personal firewalls do at least warn that accepting some criteria could land
> a user in hot water.. without one, they have no concept at all..
>
>
> --
> Mike Hall
> MVP - Windows Shell/user
>
> http://dts-l.org/goodpost.htm
>
>
>
>
>
> "Leythos" <void@nowhere.lan> wrote in message
> news:pan.2005.02.13.14.22.04.607310@nowhere.lan...
> > On Sat, 12 Feb 2005 21:29:02 -0800, Aileen wrote:
> >
> >> I've got conflicting advice re firewall security. I have SP2 and all
> >> necessary security updates should I load Zone Alarm Pro 4 or will this
> >> cause
> >> me problems.
> >
> > Aileen, if you have a DSL or Cable modem connection you should install a
> > router that provides NAT for your protection. While personal firewalls
> > like the SP2 one or the ZAP firewall are nice they can be compromised from
> > user misconfiguration or from you starting a rogue application on your
> > computer. For most users the personal firewall PF give a false sense of
> > security, as the firewall is only as good as the user clicking allow/deny
> > for alerts.
> >
> > A router with NAT is a small box that sits between your computer and the
> > internet device (modem) and blocks all unsolicited inbound traffic - this
> > means that the only things to reach your computer are things you've
> > requested (even things you didn't know you were requesting). You can still
> > run a PF with a router, but it will be mostly limited to doing just
> > application/outbound filtering at that point.
> >
> > The SP2 firewall isn't much of a firewall, it's like a cheap/poor inbound
> > filter only, ZAP would be a much better choice if you want a PF.
> >
> > Don't forget about the Antivirus solution - AVG 7 is free and it scans
> > inbound and outbound email for Outlook users, but I would rather see you
> > use something like Norton Antivirus 2005, not a Norton suite like NIS or
> > one that has their firewall, just the Antivirus product.
> >
> > If your computer is the only computer on the network (in the house) you
> > might not need to have "File and Printer" sharing enabled in your network
> > settings - if you're not sharing files/printers across your internal
> > network or the internet (and across the internet would be a bad idea) then
> > you can uncheck the "File and printer" sharing box in your network
> > settings - this makes it just a little harder for people to access your
> > computer.
> >
> >
> >
> > --
> > spam999free@rrohio.com
> > remove 999 in order to email me
> >
>
>
>
Anonymous
February 13, 2005 5:20:30 PM

Ken Gardner wrote:

>
>
> But if one did
> take place, I would do the equivalent of arresting the imposter or dealing
> with him myself -- with extreme prejudice -- by using antivirus, anti-adware,
> or anti-spyware software to remove the imposter.
>
>


All of which begs the question, somewhat. How do you detect the
presence of malware that your antivirus and anti-spyware applications
don't recognize as such? The experienced, advanced computer user may
well notice subtle odd behaviour and investigate, but what about the
average consumer? Most lack the technical knowledge, the inclination,
or even the desire to have that level of understanding. Unless something
goes egregiously awry, the average computer user simply won't be aware
that he's just sent his credit card info off to Eastern Europe. A 3rd
party firewall at least tells them that there's something wrong, even if
they don't quite know what to do about it.


>
> Obviously they can't, so part of dealing with the problem is (1) regularly
> updating anti-crudware software on a daily basis (if not even more frequent),
> (2) regularly scanning for such crudware (I scan for antivirus crud weekly
> and antispyware crud nightly), (3) learning when to recognize the signs of
> malware doing bad stuff, and (4) staying up to date on emerging security
> threats. I'm confident in my own ability to do all of these things. But...
>
>


I can't argue with any of that; it mirrors my own opinions and
practices. Most other people, however, are nowhere near as
conscientious about performing these hygienic chores.


>
>
> I agree to this extent. Any crudware, whether new or old, isn't going to
> install itself by magic on your machine without the active participation of
> the user. So the single best step anyone can take is to educate himself on
> how to avoid downloading and installing crudware in the first place. Now, if
> someone isn't going to take the trouble to do this, then I would agree that
> he better get a third party firewall that blocks outbound communications.
> But that's not me.
>

Yes, I think we're both in agreement on this. Unfortunately, the
overwhelming majority of computer users don't think the same way we do.

There are several essential components to computer security: a
knowledgeable and pro-active user, a properly configured firewall,
reliable and up-to-date antivirus software, and the prompt repair (via
patches, hotfixes, or service packs) of any known vulnerabilities.

The weakest link in this "equation" is, of course, the computer
user. No software manufacturer can -- nor should they be expected
to -- protect the computer user from him/herself. All too many people
have bought into the various PC/software manufacturers marketing
claims of easy computing. They believe that their computer should be
no harder to use than a toaster oven; they have neither the
inclination nor desire to learn how to safely use their computer. All
too few people keep their antivirus software current, install patches
in a timely manner, or stop to really think about that cutesy link
they're about to click.

Firewalls and anti-virus applications, which should always be used
and should always be running, are important components of "safe hex,"
but they cannot, and should not be expected to, protect the computer
user from him/herself. Ultimately, it is incumbent upon each and
every computer user to learn how to secure his/her own computer.


> In other words, third party firewalls aren't for everyone, but only for
> people who practice unsafe computing practices and therefore need the
> protection of a more aggressive firewall...


While it's certainly true that there's no "one size fits all" solution to
computer security, I have to disagree with your contention that only
people who practice unsafe computing need a firewall. Anyone is capable
of making a mistake; it only makes good sense to have a mechanism in
place that can detect that mistake. Do you disdain the use of seat
belts because you've never been involved in a traffic accident, and you
have an air-bag to protect you if necessary? (Shaky analogy, but I like
it.) Although, by my lights, anyone who connects a computer to the
Internet without first having a properly configured firewall in place
*is* using unsafe computing practices, so I guess we're actually in
agreement on this point, as well. (And I've just contradicted myself, in
a manner of speaking, haven't I?) We just haven't agreed upon the
definition of "unsafe computing."



> ... That's not everyone, or even most people.
>
>


Here, I must vehemently disagree. Having spent the past several years
supporting all levels of computer users in multiple environments, I've
observed that the vast majority of people don't know how to practice
safe hex, and really aren't particularly interested in learning.


>
> It comes down to how conservative and cautious you want to be. I am very
> conservative and cautious about downloading, opening, installing, or clicking
> on stuff I don't know or trust, and as a consequence I can afford to be a bit
> less conservative and cautious about my choice of firewall.
>


If everyone were as cautious as you, there'd very probably be no need
for this discussion to have taken place, or for the subject to ever
arise, for that matter.


> This hasn't always been my attitude. I also used to use third party
> firewalls as well, including both Norton and Zone Alarm. Invariably I would
> discover that some program that was supposed to update didn't update, or for
> some reason I would have trouble connecting to the Internet and the problem
> turned out to be that the firewall was blocking a perfectly legitimate
> program that it didn't recognize.


Having used both products, my experiences differed. I never found them
to cause problems of that sort, at all. Of course, my experiences are
obviously going to be different, so this is something of a moot point.


> Given how careful and cautious I already
> was in other areas, I didn't see the point of spending additional time
> messing with the firewall.
>
>


You're making an informed decision, after having weighed all of the
factors that apply in your case. Most people don't do that.


>
>
> The problems I always had with third party
> firewalls was that the software was not properly configured -- by the
> program, not by me. As a result, it would block many legitimate outbound
> communications, so I would constantly be reconfiguring the firewall.


How do you mean "the software was not properly configured -- by the
program?" Were you expecting that the firewall's default settings would
be universally applicable and require no user intervention, no fine
tuning, as it were? If I'm understanding you correctly, that strikes me
as a rather naive outlook for someone who is as knowledgeable and
experienced as you seem. And were you really "constantly"
reconfiguring the firewall, or was it only after you'd made changes to
one or more of the applications? There's always a brief period during
which a new firewall must be "taught" about your computing habits and
your applications, but after that initial "burn-in" period, it really
shouldn't be necessary to constantly reconfigure the firewall.


> Also,
> these programs did a generally poor job in advising me whether I should allow
> or block a particular attempt to access the Internet. As a result, I would
> have to go on Google, or to Microsoft's support site, or these newsgroups, to
> get straight information that I could understand. To be sure, all of this
> was a minor hassle, but it was still a hassle and it was often
> time-consuming.


This is because the firewall is reacting to the potentially dangerous
behavior of an application, rather than checking a list to see if a
program is one of the pre-defined bad guys. The firewall doesn't "know"
that a program is a good guy until you tell it so. (And your definition
of an acceptable outbound connection may well vary from any one else's.)
The inconvenience of having to research the source of the firewall's
alarm is, to me, just one of the prices that must be paid to have a
secure computer. I look upon such an event as an educational opportunity.


In the end, computer security boils down to a decision to compromise
between convenience and security. One has to decide just how much
inconvenience is acceptable, as well as choosing a comfortable level of
risk. Nearly everyone who makes a conscious effort will, I think,
settle at a different level of compromise, which works best in his
individual situation.


> I would rather spend my time arguing
> with bright computer guys like you over Usenet. :) 
>


Thank you for the kind words. I've enjoyed our exchange of ideas, as well.


--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
Anonymous
February 13, 2005 9:39:16 PM

On Sun, 13 Feb 2005 12:31:37 -0500, Mike Hall (MS-MVP) wrote:

> Strange then that MS should send out a CD alongside the SP1a/win9x update CD
> that contained CA's anti-virus and firewall..
>
> NATs do seem to stop inbound events ever registering on a personal firewall,
> but there is little doubt that personal firewalls do warn of some malicious
> events created by the user executing bad stuff from behind one.. that can't
> be a bad thing..

No, NATs don't stop inbound events from registering, if the event makes
it past the router's NAT it will register on the PF. NAT blocks
"unsolicited" inbound, so there are many things that still make it into
the network for the firewall to deal with, but they are things that the
user invited in to it. I know it's a subtle difference in terms/method,
but it makes a BIG difference in security.

> Personal firewalls do at least warn that accepting some criteria could land
> a user in hot water.. without one, they have no concept at all..

Personal firewalls more often than not, just give the uninformed user a
false sense of security - as evidenced by the number of machines that are
still compromised after they use a firewall. Many people are just not
properly doing research on what to allow/disallow and blindly accept
connections. There is also the problem where an exploit in the browser
could render the firewall disabled on a person's computer, which opens it
to the world.

A NAT device for home users should be the minimum first line of defense,
then a personal firewall if they want one. I know of lots of people not
using any soft-firewalls that run just NAT boxes and have not been
compromised, but I don't know many home users that run PF's without NAT
that have not been compromised.

As security professionals we should advocate a barrier method first and
then a detection method followed with securing the systems.

--
spam999free@rrohio.com
remove 999 in order to email me
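
The NAT behaviour described in the two posts above (unsolicited inbound traffic is dropped, while anything a program on the PC asked for is let back in) can be modelled with a translation table. This is an added example, not part of any post in the thread; the addresses, ports and class names are constructed, and the strict remote-address check in `inbound` is an assumption, since real routers vary in how tightly they match replies.

```python
"""Toy model of a home NAT router's translation table (constructed example)."""
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.7"  # constructed: documentation address range


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class NatRouter:
    public_ip: str = PUBLIC_IP
    next_port: int = 40000
    # public port -> (inside ip, inside port, remote ip, remote port, proto)
    table: dict = field(default_factory=dict)
    dropped: list = field(default_factory=list)

    def outbound(self, pkt):
        """LAN -> Internet. Always forwarded: NAT does no egress filtering."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        for pub_port, entry in self.table.items():
            if entry == key:
                break  # reuse the mapping for an existing flow
        else:
            pub_port = self.next_port
            self.next_port += 1
            self.table[pub_port] = key
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt):
        """Internet -> LAN. Forwarded only if it answers a recorded flow."""
        entry = self.table.get(pkt.dport)
        # Assumption: the reply must come from the exact remote ip/port
        # that the inside host contacted.
        if (entry is None or pkt.proto != entry[4]
                or (pkt.src, pkt.sport) != entry[2:4]):
            self.dropped.append(pkt)
            return None
        return Packet(pkt.src, pkt.sport, entry[0], entry[1], pkt.proto)


def demo():
    """Run the four cases the thread argues about and return the outcomes."""
    nat = NatRouter()
    pc = "192.168.1.10"
    web, scanner, unknown = "198.51.100.20", "198.51.100.99", "192.0.2.50"
    results = {}

    # 1. Unsolicited probe of the file-sharing port (445): no mapping, dropped.
    results["unsolicited_smb"] = nat.inbound(
        Packet(scanner, 51000, PUBLIC_IP, 445))

    # 2. The user browses to a site; the reply matches the mapping.
    out = nat.outbound(Packet(pc, 49152, web, 80))
    results["web_reply"] = nat.inbound(Packet(web, 80, PUBLIC_IP, out.sport))

    # 3. A different host aims at the now-open public port: still dropped.
    results["third_party_on_mapped_port"] = nat.inbound(
        Packet(scanner, 80, PUBLIC_IP, out.sport))

    # 4. A program the user did not knowingly start connects out. The router
    #    cannot tell it from the browser, so the flow and its replies pass.
    #    Only per-application outbound filtering on the PC sees this case.
    rogue_out = nat.outbound(Packet(pc, 49153, unknown, 8080))
    results["rogue_forwarded"] = rogue_out
    results["rogue_reply"] = nat.inbound(
        Packet(unknown, 8080, PUBLIC_IP, rogue_out.sport))

    results["dropped_count"] = len(nat.dropped)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28} {outcome}")
```

Cases 1 and 3 are the "barrier" role argued for above; case 4 is the traffic that a router with NAT forwards without question and that a personal firewall's outbound prompts are meant to catch.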
Anonymous
February 14, 2005 12:53:02 AM

"Bruce Chambers" wrote:

> All of which begs the question, somewhat. How do you detect the
> presence of malware that your antivirus and anti-spyware applications
> don't recognize as such? The experienced, advanced computer user may
> well notice subtle odd behaviour and investigate, but what about the
> average consumer? Most lack the technical knowledge, the inclination,
> or even the desire to have that level of understanding. Unless something
> goes egregiously awry, the average computer user simply won't be aware
> that he's just sent his credit card info off to Eastern Europe. A 3rd
> party firewall at least tells them that there's something wrong, even if
> they don't quite know what to do about it.

I don't think we disagree as much as I earlier thought we did. My view is
that if someone isn't really sure that they have the knowledge and
inclination to protect themselves from crudware, then a third party firewall
is a better choice than the Windows firewall.

> I can't argue with any of that; it mirrors my own opinions and
> practices. Most other people, however, are nowhere near as
> conscientious about performing these hygienic chores.

It really comes down to this very point. For these others, a third party
firewall is a better solution.

[...]

> While it certainly true that there's no "one size fits all" solution to
> computer security, I have to disagree with your contention that only
> people who practice unsafe computing need a firewall. Anyone is capable
> of making a mistake; it only makes good sense to have a mechanism in
> place that can detect that mistake. Do you disdain the use of seat
> belts because you've never been involved in a traffic accident, and you
> have an air-bag to protect you if necessary? (Shaky analogy, but I like
> it.)

My response to this is that the analogy doesn't hold up because I already use
seatbelts and airbags, i.e. antivirus software, antispyware software,
anti-adware software, and regular XP updates. Adding a third party firewall
to this setup would be more like adding extra armor plating, which will make
your vehicle safer but also result in a performance hit because the car is
heavier, less fuel efficient, etc. On the other hand, if I could be
convinced that a third party software doesn't result in a transparent
performance hit (other than the necessary "training" that goes with any such
firewall), then my analogy doesn't hold up, either. I have to confess that
you now have me thinking about this issue a bit more closely.

[...]

> Here, I must vehemently disagree. Having spent the past several years
> supporting all levels of computer users in multiple environments, I've
> observed that the vast majority of people don't know how to practice
> safe hex, and really aren't particularly interested in learning.

Well, I'm not a computer professional, although I am a computer enthusiast
and have been extensively messing, er, tinkering and experimenting with every
version of Windows since 3.1. So I would agree at least to this extent: my
way of doing things is not for everyone, and certainly not for the computer
novices that you are describing here.

[...]

> Having used both products, my experiences differed. I never found them
> to cause problems of that sort, at all. Of course, my experiences are
> obviously going to be different, so this is something of a moot point.

Right. And I don't mean to imply that the problems I encountered were major
problems. I would classify them as minor annoyances -- e.g., occasions when
the firewall blocked Internet access because of network changes at my ISP
level, or prevented legitimate programs it didn't recognize from accessing
the Internet.

[...]

> > The problems I always had with third party
> > firewalls was that the software was not properly configured -- by the
> > program, not by me. As a result, it would block many legitimate outbound
> > communications, so I would constantly be reconfiguring the firewall.
>
> How do you mean "the software was not properly configured -- by the
> program?" Were you expecting that the firewall's default settings would
> be universally applicable and require no user intervention, no fine
> tuning, as it were?

Yes, that's what I meant, although I can see that "not properly configured"
probably overstates my case. And no, I don't expect the software's default
settings to be universally applicable and require no user intervention.
Incidentally, this is a problem that your novice users are going to have with
these third party firewalls. I personally found Norton sometimes hard to
use, and Zone Alarm even harder to use -- and I am one of those guys who
actually researched on Google and elsewhere what programs it was blocking to
see if I should allow them to access the Internet. Most users, I suspect,
would block the communication rather than to take the trouble to find out
that they should allow the communication.

> If I'm understanding you correctly, that strikes me
> as a rather naive outlook for someone who is as knowledgeable and
> experienced as you seem. And were you really "constantly"
> reconfiguring the firewall, or was it only after you'd made changes to
> one or more of the applications? There's always a brief period during
> which a new firewall must be "taught" about your computing habits and
> your applications, but after that initial "burn-in" period, it really
> shouldn't be necessary to constantly reconfigure the firewall.

Again, that's all I'm talking about here. Eventually one can "train" these
firewalls, at which point they don't bother you again unless there is some
major change to your network, or you add new software.

> This is because the firewall is reacting to the potentially dangerous
> behavior of an application, rather than checking a list to see if a
> program is one of the pre-defined bad guys. The firewall doesn't "know"
> that a program is a good guy until you tell it so. (And your definition
> of an acceptable outbound connection may well vary from any one else's.)
> The inconvenience of having to research the source of the firewall's
> alarm is, to me, just one of the prices that must be paid to have a
> secure computer. I look upon such an event as an educational opportunity.

To be honest, this is one of the things I really liked about using third
party firewalls. I did learn much about Windows by researching which
programs should be permitted to access the Internet.

[...]

> > I would rather spend my time arguing
> > with bright computer guys like you over Usenet. :) 

> Thank you for the kind words. I've enjoyed our exchange of ideas, as well.

And you have me thinking about this entire issue again. If I could be
convinced that there really is no downside in performance to adding a third
party firewall to everything else I do, I will probably concede defeat and
reinstall NIS. :) 

Ken
February 14, 2005 1:59:33 AM


and you still have conflicting advice..........
peter
"Aileen" <Aileen@discussions.microsoft.com> wrote in message
news:AD334A35-D6B2-41C3-840F-C25455CCE2D3@microsoft.com...
> Thanks everyone for your helpful suggestions. I do have Norton Anti-Virus
> 2005 and run Spybot and AdAware regularly.
>
> Many thanks
>
> "Mike Hall (MS-MVP)" wrote:
>
>> Strange then that MS should send out a CD alongside the SP1a/win9x update
>> CD that contained CA's anti-virus and firewall..
>>
>> NATs do seem to stop inbound events ever registering on a personal
>> firewall, but there is little doubt that personal firewalls do warn of
>> some malicious events created by the user executing bad stuff from behind
>> one.. that can't be a bad thing..
>>
>> Personal firewalls do at least warn that accepting some criteria could
>> land a user in hot water.. without one, they have no concept at all..
>>
>>
>> --
>> Mike Hall
>> MVP - Windows Shell/user
>>
>> http://dts-l.org/goodpost.htm
>>
>>
>>
>>
>>
>> "Leythos" <void@nowhere.lan> wrote in message
>> news:pan.2005.02.13.14.22.04.607310@nowhere.lan...
>> > On Sat, 12 Feb 2005 21:29:02 -0800, Aileen wrote:
>> >
>> >> I've got conflicting advice re firewall security. I have SP2 and all
>> >> necessary security updates should I load Zone Alarm Pro 4 or will this
>> >> cause me problems.
>> >
>> > Aileen, if you have a DSL or Cable modem connection you should install a
>> > router that provides NAT for your protection. While personal firewalls
>> > like the SP2 one or the ZAP firewall are nice they can be compromised from
>> > user misconfiguration or from you starting a rogue application on your
>> > computer. For most users the personal firewall PF gives a false sense of
>> > security, as the firewall is only as good as the user clicking allow/deny
>> > for alerts.
>> >
>> > A router with NAT is a small box that sits between your computer and the
>> > internet device (modem) and blocks all unsolicited inbound traffic - this
>> > means that the only things to reach your computer are things you've
>> > requested (even things you didn't know you were requesting). You can still
>> > run a PF with a router, but it will be mostly limited to doing just
>> > application/outbound filtering at that point.
>> >
>> > The SP2 firewall isn't much of a firewall, it's like a cheap/poor inbound
>> > filter only, ZAP would be a much better choice if you want a PF.
>> >
>> > Don't forget about the Antivirus solution - AVG 7 is free and it scans
>> > inbound and outbound email for Outlook users, but I would rather see you
>> > use something like Norton Antivirus 2005, not a Norton suite like NIS or
>> > one that has their firewall, just the Antivirus product.
>> >
>> > If your computer is the only computer on the network (in the house) you
>> > might not need to have "File and Printer" sharing enabled in your network
>> > settings - if you're not sharing files/printers across your internal
>> > network or the internet (and across the internet would be a bad idea) then
>> > you can uncheck the "File and printer" sharing box in your network
>> > settings - this makes it just a little harder for people to access your
>> > computer.
>> >
>> >
>> >
>> > --
>> > spam999free@rrohio.com
>> > remove 999 in order to email me
>> >
>>
>>
>>
Anonymous
February 15, 2005 11:14:20 PM


Ken Gardner wrote:

>
>
> Adding a third party firewall
> to this setup would be more like adding extra armor plating, which will make
> your vehicle safer but also result in a performance hit because the car is
> heavier, less fuel efficient, etc.


There's always a trade-off between convenience, performance, and
security. If you're already operating at your "comfort level," you may
not need to change anything.


> On the other hand, if I could be
> convinced that a third party software doesn't result in a transparent
> performance hit (other than the necessary "training" that goes with any such
> firewall), then my analogy doesn't hold up, either. I have to confess that
> you now have me thinking about this issue a bit more closely.


Not all 3rd party firewalls carry the quite noticeable performance hit
of Norton's Personal Firewall. I use the free edition of Sygate,
myself. I find it to be easily configurable, and it has a much lower
impact upon performance than does the Symantec product.




> Most users, I suspect,
> would block the communication rather than to take the trouble to find out
> that they should allow the communication.
>
>


I don't see this as a necessarily bad thing. The more recent 3rd party
firewalls that I've seen all seem to automatically allow the "normal"
Internet applications (Internet Explorer, Outlook Express, etc.), while
asking about unknown programs and those processes that can be hijacked. If
the uninformed user does block the wrong application, it's usually a
simple matter to "unblock" it, once he realizes that something is no
longer working correctly. My biggest fear is that the uninformed user
will instead allow the unknown program access to the Internet. While
this option is also easily reversible, there's no telling what amount of
damage or system compromise has already taken place.


>
>
> To be honest, this is one of the things I really liked about using third
> party firewalls. I did learn much about Windows by researching which
> programs should be permitted to access the Internet.
>
......
>
> And you have me thinking about this entire issue again. If I could be
> convinced that there really is no downside in performance to adding a third
> party firewall to everything else I do, I will probably concede defeat and
> reinstall NIS. :) 
>


Don't reinstall NIS. Instead try one or more of the free personal
firewalls, such as Sygate or Kerio. I think you'll be pleasantly surprised.


--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
Anonymous
February 16, 2005 3:14:22 AM


Bruce Chambers wrote:

[...]

> Don't reinstall NIS. Instead try one or more of the free personal
> firewalls, such as Sygate or Kerio. I think you'll be pleasantly surprised.

If I decide to install a third party firewall, I will. Thanks.

Ken