Firewalls Useless?
Scotcov
November 24th, 2002, 07:54 AM
In the thread http://www.wilderssecurity.com/showthread.php?t=5091;start=0;boardseen=1
wizard stated "For the personal firewall: for home users I would recommend not to use one except there is a real need. There is a lot of hype regarding personal firewalls these days but when it comes to the point what level of additional security they really bring it shows up that they are more or less useless."
I don't think I've ever read this. Seems to go contrary to everything I've heard. Could wizard, or someone, explain the reasons for this thinking about firewalls?
Thank you,
Scotcov
P.S. I put this question here because the original statement is in the AV section. Hope I did OK :)
Smokey
November 24th, 2002, 08:32 AM
-{ Quote: "Scotcov wrote:
In the thread http://www.wilderssecurity.com/showthread.php?t=5091;start=0;boardseen=1
wizard stated "For the personal firewall: for home users I would recommend not to use one except there is a real need. There is a lot of hype regarding personal firewalls these days but when it comes to the point what level of additional security they really bring it shows up that they are more or less useless."
I don't think I've ever read this. Seems to go contrary to everything I've heard. Could wizard, or someone, explain the reasons for this thinking about firewalls?
" }-
I cannot agree with wizard's statement. I don't know why he made such a statement, because without a firewall you leave your door to and from the internet completely wide open. :'(
I completely agree with the statement of Wilders.org about firewalls:
"Firewalls are a special way of security, offering a specific way to protect one's system and
are not configured that easily, if they are "rule-based". Because a badly configured firewall
would just create a false feeling of security, what follows is an explanation of what a firewall
actually does, providing a simplified explanation about TCP/IP and Networking.
A firewall takes care of filtration of data, accepting or denying requests to communicate
with several applications and machines, keeping a log file and alarming if something in
this traject seems to be wrong."
Because many people configure their firewall badly, just as Paul Wilders says, it creates a false feeling of security, but a well-configured firewall gives a lot more protection against the bad and ugly on the internet than no firewall.
Nothing is perfect, including firewalls, but doing nothing against attacks is completely wrong!
Scotcov
November 24th, 2002, 09:17 AM
What you've said is what I've always thought, Smokey. But I really would like to hear from someone who understands the other viewpoint. It always seems to help my understanding when I hear different views (as long as everyone stays nice :))
Scotcov
controler
November 24th, 2002, 09:25 AM
I agree ;) Every home user should have a software firewall.
In the ideal world, every home user would have one old 486 running Linux as a server before their main PC, OR a good (hardware firewall). I don't even think you find these classes in your local high schools. Isn't that strange, since a person could take alternative energy classes in the early 80's? These were classes that taught you how to make solar panels from next to nothing and get a 40 percent tax break for installing one on your home.
I think we need these HOW-TO classes on home security.
What is the cheapest way for the home user to protect their family from the evil forces on the internet? Class 1a
Then offer a nice tax break as an incentive for those that implement these protective techniques... ;D
Smokey
November 24th, 2002, 09:30 AM
-{ Quote: "Scotcov wrote:
What you've said is what I've always thought, Smokey. But I really would like to hear from someone who understands the other viewpoint. It always seems to help my understanding when I hear different views (as long as everyone stays nice :))
" }-
Maybe wizard can explain here why he came to his point of view about firewalls?.... ;)
BTW Everybody on this board is always nice ;D
root
November 24th, 2002, 10:18 AM
Everyone has opinions on such things. I have seen discussions on the need for firewall, is stealth necessary, should firewalls also incorporate content filtering, and many more related items.
I use Win 2k and with a little tweaking, I could secure it from most exploits, without a firewall. But I cannot tweak it to stop a trojan from connecting out while I am online. That and many other reasons prompt me to not only use a firewall myself, but also to highly recommend it to everyone else.
It is another line of defense in my layered protection, and I would not throw it away for anything.
Just my .02
eyespy
November 24th, 2002, 10:37 AM
I agree !
I think a FW is extremely important. I would feel very vulnerable without it, especially after seeing all those portscans and such that are in my ZA logs.
They serve their purpose just as AVs and ATs do!
You need them if you are planning to connect to the "outside" world !!
regards,
bill ;)
robert
November 24th, 2002, 05:49 PM
I think Wizard's very brave in saying how he feels lol and I think there's a grain of truth in what he says. Especially if you live in the USA currently with all the controls and monitoring of one's privacy that is in swing. Sometimes loading up one's system with all the best security measures can indeed give one a false sense of security, in that you trust that these security measures will not be utilised to your disadvantage by those who know how to do so without any awareness on your part. Just my halfpenny thrown into this really interesting thread. Regards, Robert
LowWaterMark
November 24th, 2002, 06:32 PM
-{ Quote: "I think Wizard's very brave in saying how he feels lol and I think there's a grain of truth in what he says." }-
Yes, there is truth in what he says. And, yes, in a security forum, it is a hard stance to take when the popular thing is to just say "Yes, you need a firewall in all cases and circumstances."
** Warning!! Long post ahead. Proceed with caution ** ;)
Edit: Just for clarification, per jvmorris' next post, in this post I am talking solely about "personal software firewalls" that run directly on your general purpose PC, along side your browser, email and other client applications. Products like: Zone Alarm, Tiny, Kerio, NPF, Outpost, etc. Not the so called "hardware firewalls."
Thinking for a minute about this topic's specific question...
"Are Firewalls Useless?"
No, they are not "of no use". They do in fact have uses, some very good ones. But, like everything else, they have limits and associated problems. So, like many things, there are tradeoffs.
Root is correct. With a bit of work and the necessary information, you could secure your system against inbound scans. Effectively a scan is looking for an open port, behind which sits some kind of exploitable service. If you can shut down all listening services, leaving all your ports closed, nothing can break from the outside into your system. But, do you want to do this? Do you know how? Do you want to take the time to learn it all and do it all? And, would it still be possible to accidentally run a program that opens a port that you don't know about? Would an upgrade of an application suddenly re-enable something you had disabled (no, not a Microsoft update ;) )?
A personal software firewall can help with the above things. But again, these packages are not fool-proof. They could fail, and leave you exposed. They could have their own flaw that allows the introduction of a new exploit. Also, a number of people have problems on their systems just from installing a firewall. How many times have we seen people asking why, when they installed their firewall, it broke several other programs? Their instant messenger no longer works, they can't ftp, websites don't work right. Some of these people think a firewall is more trouble than it is worth.
What about outbound protection? One view says a firewall can notify you when a trojan tries to contact some outside server. The opposing view says that some malware programs can disable your firewall (and AV and AT, etc.) These are both true. A piece of malware may not need to contact a remote server and it certainly can do a lot of damage locally, regardless of the presence of a firewall. But, another "bad boy" just might be caught by your firewall, because it can't disable your firewall.
What other "use" might a software firewall provide? Well, it can help you to learn more about what your OS and applications are doing networking-wise. For example, if you don't know, they can tell you when some application is trying to get an automatic update or if it's making some other kind of network connection. This is of value, too, but, it is not essential to your computer's operation.
Is there hype associated with the marketing of software firewalls? You bet there is. Just like there is hype with selling Anti-Virus and Anti-Trojan software. Is it all hype? No, of course not. There are real viruses and trojans, just as there are real remote access service exploits.
Can a particular system survive (have no security related intrusion) without a firewall? Yes, it could. Just like a particular system might be able to do without an AV, AT or spyware checking application. But, can "all" systems operate without a security incident without a firewall, AV, AT, etc? No. Some systems will be exploited - that's the way the world is. Either by luck or by way of good computing habits, some people will never have a problem. But, some people, even with every type of protective software, will still be compromised. Either through bad luck or bad computing habits.
I've only just scratched the surface in the debate on this, but, you can see there are two sides to all these arguments. And you know what, they are both right - but, each depends upon the person, system, specific circumstances, and much more. I've seen people with "nothing" as far as protection, operate for years, even on AOL, and never even get a piece of adware, never mind any other exploit. And, I've seen people who took great care get hit several times.
So given all that, I take the stance and recommend wholeheartedly, that people use layers of protection (like root). Considering things like money, time, complexity and knowledge, my list of recommended security software components, in order of importance is:
1. Anti-Virus
2. Firewall
3. Sandbox and/or Anti-Trojan
4. Privacy software (things like Ad-Aware, SpyBot S&D, etc.)
5. Specialty tools (misc: script protection, proxy software, registry key watchers, and on and on).
A personal software firewall is just a piece of an overall security setup. Like all software, it must be installed, configured and used properly, while also being updated and maintained over time, or it is of little value. Without proper handling, it might even hurt your security.
Final thought: Knowledge is actually the best protection, and as my sig says: "Use the most powerful combo Firewall/AV/AT package available - "Common Sense" - It can be upgraded daily!"
Best Wishes,
LowWaterMark
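One way to check the points raised in the post above, about closing listening services and about a program or upgrade quietly reopening a port, is to compare `netstat -an` output taken before and after a change. This is an added example, not part of the original post; the netstat text is constructed sample data and the function names are hypothetical.

```python
# Added example (not from the thread). BASELINE and CURRENT are constructed
# samples laid out the way Windows prints `netstat -an`.

BASELINE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.0.2:139        0.0.0.0:0              LISTENING
  TCP    192.168.0.2:1040       198.51.100.9:80        ESTABLISHED
"""

CURRENT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.0.2:1041       198.51.100.9:80        ESTABLISHED
  UDP    0.0.0.0:1900           *:*
"""


def parse_listeners(netstat_text):
    """Return {(proto, local_address, port)} for sockets waiting for inbound traffic."""
    listeners = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank or unrelated line
        proto, local = fields[0], fields[1]
        state = fields[3] if len(fields) > 3 else ""
        # TCP rows carry a state; only LISTENING accepts new connections.
        # UDP rows have no state column, so every bound UDP socket counts.
        if proto == "TCP" and state != "LISTENING":
            continue
        address, _, port = local.rpartition(":")
        if port.isdigit():
            listeners.add((proto, address, int(port)))
    return listeners


def reachable_from_network(listeners):
    """Drop sockets bound to loopback; an inbound scan cannot reach those."""
    return {entry for entry in listeners if not entry[1].startswith("127.")}


def audit(baseline_text, current_text):
    """Compare two snapshots and report what an outside scan would now find."""
    before = reachable_from_network(parse_listeners(baseline_text))
    after = reachable_from_network(parse_listeners(current_text))
    return {
        "still_open": sorted(before & after),
        "newly_open": sorted(after - before),  # opened since the baseline
        "closed": sorted(before - after),
    }


if __name__ == "__main__":
    for label, entries in audit(BASELINE, CURRENT).items():
        print(label, entries)
```

Anything under `newly_open` is a listener that appeared after the baseline was taken, which is the case the post asks about when it mentions an upgrade re-enabling something.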
jvmorris
November 24th, 2002, 06:59 PM
I'm going to make several responses to this thread (unless I get distracted!).
First, it seems to me that many of the respondents have totally missed the fact that Wizard said "personal firewalls". He didn't say firewalls in general and he didn't (so far) say anything about alternatives to firewalls that are readily available (and often considerably less complex, and cheaper, i.e., free and already available on most Windows platforms) to provide the same functionality.
Also, he qualified his statement (not as well as he probably should have, but nevertheless ....) Specifically, most home/personal/small office users relying on an ISP for their Internet connection are not knowingly running a web server, an e-mail or newsgroup server or an FTP server. Indeed, for most such users to do so would violate their ISP's ToS/AUP. (You do this, knowingly or unknowingly, and you're dead meat anyway in most instances. The only question is who shuts you down first? Your ISP or some skiddy or cracker?)
Moving on to the next response ...
jvmorris
November 24th, 2002, 07:37 PM
These are the most common 'exploits' reported by (or simply alarming) people using personal software firewalls. They are launched, for the most part, by clueless skiddies who just got a new 'toy' from one of their buddies in an IRC chat room. No real 'cracker' has used this method in probably years. Furthermore, you can get these scans from your own ISP! (Mine, for example, has a tendency to scan regularly looking for illegal -- under the ToS/AUP agreement under which I operate-- Web, mail, news, and FTP servers at irregular intervals.)
And, if you're relying on GRC, Sygate, Symantec, DSLR, PCFlank, HackerWhacker, or whatever to 'scan your ports', that's all they're doing themselves. Do you need a personal software firewall (PSF) to 'protect' you from these kinds of 'intrusion attempts'? Not hardly. For the most part a NAT router will serve quite well -- and that explicitly includes the software-based NAT router included (free of charge) in every Windows OS since Win 98 SE. It works perfectly well even if you're on a stand-alone machine using a dialup connection.
Other options? Well, a hardware NAT router can do the job, also (again even if you're stand-alone) and it also gives you a nice option for building an in-home LAN. Hardware routers are as cheap, if not cheaper, than the bleeding PSFs these days and far simpler to set up and configure -- at least as far as these particular vulnerabilities are concerned. Actually, several companies now make combined hardware routers/firewalls that are cheaper than the current crop of 'pay for use' software firewalls. You don't have to worry about 'upgrading' (and paying for it) or buying additional licenses for additional machines, either.
Okay, now, let's move onto the vaunted 'outbound' threats for which PSFs are deemed so essential. Next post . . . .
Scotcov
November 24th, 2002, 09:03 PM
My thanks for all these superb responses. Discussions like you gentlemen have carried on are what makes this forum great for learning. I think that maybe I understand firewalls just a little bit better.
My appreciation to you all!
Scotcov
tsr
November 24th, 2002, 09:13 PM
I would have to agree with root as security is a major issue and one can't have enough in my opinion. I for one am running OutPost Firewall, Norton Anti-Virus, Trojan Remover, and use Spyware Blaster and MRU Blaster....overkill?? maybe...but let me say this gentlemen...I've been using the net for 3-1/2 years now and have blocked numerous attacks with my firewall....blocked numerous viruses and have stopped and disabled trojans with my trojan software...... ;D Without these tools in my humble opinion you're asking for trouble while surfing the net. It's best to be armed than defenseless! For all our members here is a great security site one can read up on security http://www.computercops.biz/index.php
I hope this small contribution helps :)
jvmorris
November 24th, 2002, 09:50 PM
-{ Quote: "tsr wrote:
I would have to agree with root as security is a major issue and one can't have enough in my opinion. " }-
Look, I understand what you are saying. I probably use more security utilities than most of the people who frequent this forum. All I'm trying to do at the moment is explain where wizard was coming from (as I understand it). He has a point; I just wish he had made it a bit better.
-{ Quote: "... I've been using the net for 3-1/2 years now and have blocked numerous attacks with my firewall....blocked numerous viruses and have stopped and disabled trojans with my trojan software...... ;D Without these tools in my humble opinion you're asking for trouble while surfing the net. It's best to be armed than defenseless! For all our members here is a great security site one can read up on security http://www.computercops.biz/index.php" }-
Ahh, Zhen-Xjell's website! Okay, I'll try to cover this stuff shortly and explain what (I think) wizard's point was.
eyespy
November 24th, 2002, 11:45 PM
JVM,
I'm sorry, but I must be missing the point.....do you think there is a need for a PFW? (no router)
You may be trying to explain Wizard's post but it almost seems you are in agreement.
As for your mention of GRC, PC Flank, Sygate, etc., portscan tools and exploit tests....are you saying that those types of tests are not similar to say...a real hacker's attempts to exploit a PC ?
thanks and regards,
bill :)
jvmorris
November 25th, 2002, 12:44 PM
-{ Quote: "eyespy wrote: . . . . I'm sorry, but I must be missing the point.....do you think there is a need for a PFW? (no router)
You may be trying to explain Wizard's post but it almost seems you are in agreement." }-
Hold on, first, let's go back and re-read (carefully) what wizard said (probably off the cuff, admittedly). . . .
-{ Quote: ""For the personal firewall: for home users I would recommend not to use one except there is a real need. There is a lot of hype regarding personal firewalls these days but when it comes to the point what level of additional security they really bring it shows up that they are more or less useless."
" }- (emphasis added)
First, his comment is quite clearly addressed to 'personal firewalls'. This thread, however, seems (at least to me) to be taking it as a blanket denunciation of all firewalls (and some seem to be taking it as a dismissal of all security measures whatsoever). Just note the thread title: "Firewalls useless?"
Second, he expressly made the point "except there is a real need". Oddly, no one at all seems to be picking up on that part of his statement. What constitutes a 'real need'?
Third, he references "additional security", but again no one has broached the question of "in addition to what?" An increment over what? What's readily available as part of OS security measures? An increment over that AV (and preferably at least with some AT capability) that all of us have been universally recommending for the past twenty years or so? (And why am I answering these questions instead of wizard himself? ::) )
Yes, I use a PSF, but I also understand the thrust of his comments (I think!) I believe his main thesis is that the majority of people who think "I've got a firewall; I don't have anything to worry about!" are as misguided as those who say "Oh, I don't need a firewall; I don't have anything here that someone would want and I'm not going out of my way to irritate people on the Internet!" In other words, I think he's saying that the subjective assessment of the value of having a firewall (and nothing more) is as misguided as the subjective presumption that since your machine came with an AV software application, you don't need to worry about viruses (or Trojans, or worms, or spyware, or key-loggers). I think he's saying that an awful lot of people simply think you need to have a firewall -- that you don't have to configure it; you don't have to update it; you don't have to maintain it, and (in certain hopefully rare situations), you don't even have to use it! It's just there (somewhere on the machine); so what's to worry?
Why aren't we talking about what (i.e., under what circumstances) makes a software firewall advantageous? Again, probably 90 % of the people reading this thread here at Wilders have access to Microsoft's Internet Connection Sharing (ICS) or Sygate's Home Network (SHN) or WinRoute, or a hardware router that's inline as part of their cable or DSL hookup.
Let me make sure I've got this straight: These people have probably already got one of the above but can't be bothered to set it up (correctly). Obvious solution: Install a software firewall and bother to set it up (correctly, I hope). (Am I the only one that sees a problem here?) And if they do set this stuff up correctly, just how much additional protection does the software firewall provide? Well, that's what I'm trying to explore here, nothing more, nothing less.
-{ Quote: " As for your mention of GRC, PC Flank, Sygate, etc., portscan tools and exploit tests....are you saying that those types of tests are not similar to say...a real hacker's attempts to exploit a PC ?" }-
The answer to this question is fairly involved. Let me pick it up in another post shortly, okay?
Scotcov
November 25th, 2002, 01:28 PM
-{ Quote: "Just note the thread title: "Firewalls useless?"" }-
I'm sorry, JVM :(. I wish I could change it.
Scotcov
jvmorris
November 25th, 2002, 01:37 PM
-{ Quote: "Scotcov wrote:
-{ Quote: "Just note the thread title: "Firewalls useless?"" }-
I'm sorry, JVM :(. I wish I could change it. . . . " }-
Hey, guy, ain't no big thang! :) You should check out the titles I've put on some of the threads I've started! :D
Pieter_Arntz
November 25th, 2002, 01:59 PM
Hi Joseph,
Thank you for that post (no, I don´t mean the one directly above ;))
I wish I could express myself like that. Glad you did it for me.
~applaud~
Pieter
jvmorris
November 25th, 2002, 04:53 PM
-{ Quote: "eyespy wrote: . . . . As for your mention of GRC, PC Flank, Sygate, etc., portscan tools and exploit tests....are you saying that those types of tests are not similar to say...a real hacker's attempts to exploit a PC ? . . . ." }-
Okay, back to this part of your prior post. I'm not real happy with the way I've formulated my response, but I guess it will have to do for now.
Now, let's all remember one thing: My prior post (to which you responded) had to do with unsolicited inbound probes against your machine. I haven't yet gotten to the 'outbound' threat.
Bottom Line?: No; no real hacker (I prefer the term cracker, but nevertheless...) is going to be so stupid as to assault you with such a blunt-edged tool as unsolicited probes of your TCP/UDP ports. All that does is make him (or her) stand out like a sore thumb. Between MyNetWatchman, dShield.org, and those large ISPs and corporate blocks that report directly to SANS or CERT (not to mention the individual user who simply fires off an abuse notice to the relevant ISP), this approach is now sheer madness. (Oh, they 'spoofed' their IP address? Well, then they didn't get any information back anyway, now did they?) True, the entire world is not hiding behind a firewall or an IDS or possessed with a memory-resident AV/AT/Registry monitoring utility. Still, how do they know that you aren't? (Think about that last question; it has some serious implications.) None of these crackers are going to take the chance that you've got such defensive measures in place (which they don't know about) and will consequently be able to 'back-trace' them. How do they know you haven't set up a honey-pot, that you're not running a router and logging unsolicited inbound? Well, really, there's only one way: Because you've told them you aren't (knowingly or unknowingly). Save for some third-world countries, any idiot who would be stupid enough to do this is likely to find him/herself in a world of hurt in very short order -- especially today.
No, no, no, the real crackers (as opposed to the skiddies and the wannabees) are using entirely different approaches to messing with your head (and your PC). They're relying on 'social engineering' to allow them into your system as part of a communication transaction that you have authorized. And, of course, if you've authorized the communication, the firewall itself (strictly defined) isn't going to do a damn thing to prevent the 'intrusion/insertion'. At that point, as the security guys warning about Code Red II and Nimda pointed out, "You've just been scr*wd -- by Grandma!" You're 'own3d', my man. Game over -- time to re-format, re-boot, re-install (and kiss all your saved work behind -- because "Who knows what evil (now) lurks in all those previously saved work files?").
Okay, now I want to go back to one of your previous postings in this thread, where you said -{ Quote: " ... I would feel very vulnerable without it, especially after seeing all those portscans and such that are in my ZA logs...." }-
You didn't elaborate on that statement, so I need to ask. Are you talking about multiple (and unsolicited) 'probes' against a particular local port -- or are you talking about 'multi-port' scans?
I have to ask because 'multi-port' scans are rare as hen's teeth in my own personal experience. Indeed, if I eliminate those from MY OWN ISP (looking for unauthorized Internet servers in contravention of the ToS/AUP agreement under which I am blessed with their services), I typically only see this once or twice per month.
Now, as for the others (multiple probes against a single local Port from a single remote IP address), almost all the ones I'm seeing can be attributed to:
Worms -- and especially worms such as Code Red, Nimda, and MS SQLSnake. (I don't see OPASERV and BugBear for the simple reason that my ISP has apparently shown the foresight to block them.)
Point-to-Point File Sharing Requests -- I'm not quite sure why I see these, inasmuch as no one here uses any of these applications. I would assume it's because I'm on a dynamically assigned IP address -- still, that address doesn't get changed all that frequently, but the suckers still keep rolling in.
Skiddies -- Looking for a RAT Trojan that someone else might have been kind enough to install on my box(es) (with my collusion, of course) and relying on a default 'listening' service for the RAT in question. For the most part, the skiddies themselves couldn't install the frigging RAT in the first place even if it would get them a spot on "Would you like to marry a millionaire".
All of the above can be handled adequately by a hardware or software-based router on your end. (And they will do it far better and more simply than a PSF.) Some will simply show 'Closed' whereas others will show 'Stealthed'. I think this was a considerable part of Wizard's point. How much 'incremental' protection does a PSF provide over what's readily available to you, simply using the utilities readily available to every Win OS user since Win 98 SE? (Again, in the terms of 'unsolicited inbound intrusion attempts'.)
So, okay, now you're starting to think "Okay, bright guy, just how do these guys penetrate your system?" Well, that's a whole 'nother topic, now isn't it? Watch this space ...
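The distinction drawn in the post above, between multi-port scans and repeated probes against a single port, can be checked against a firewall log. This is an added example, not code from the thread; the log format, the scan threshold and the port-to-cause hints (commonly associated default ports) are assumptions made for illustration.

```python
# Added example (not from the thread). SAMPLE_LOG is constructed data in an
# assumed layout: date time protocol source_ip destination_port.
from collections import defaultdict

SAMPLE_LOG = """\
2002-11-25 10:01:12 TCP 203.0.113.7 80
2002-11-25 10:01:13 TCP 203.0.113.7 80
2002-11-25 10:01:15 TCP 203.0.113.7 80
2002-11-25 10:04:40 TCP 198.51.100.22 1433
2002-11-25 10:04:41 TCP 198.51.100.22 1433
2002-11-25 10:09:02 TCP 192.0.2.50 21
2002-11-25 10:09:02 TCP 192.0.2.50 25
2002-11-25 10:09:03 TCP 192.0.2.50 80
2002-11-25 10:09:03 TCP 192.0.2.50 119
2002-11-25 10:15:30 TCP 203.0.113.99 27374
2002-11-25 10:20:11 TCP 198.51.100.5 1214
2002-11-25 10:20:19 TCP 198.51.100.5 1214
-- log rotated --
"""

# Assumption: ports commonly associated with the traffic types the post names.
PORT_HINTS = {
    ("TCP", 80): "web-server worm traffic (Code Red / Nimda class)",
    ("TCP", 1433): "MS SQL worm traffic (SQLSnake class)",
    ("TCP", 1214): "file-sharing request, likely for a previous holder of the address",
    ("TCP", 6346): "file-sharing request, likely for a previous holder of the address",
    ("TCP", 27374): "probe for a RAT default listening port",
    ("TCP", 12345): "probe for a RAT default listening port",
}


def parse_log(text):
    """Return [(proto, source_ip, port)], skipping lines that do not fit the layout."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue
        _date, _time, proto, source, port = fields
        entries.append((proto.upper(), source, int(port)))
    return entries


def classify(entries, scan_threshold=4):
    """Group entries by source and label each source's behaviour.

    scan_threshold is an assumed cut-off: a source touching at least that many
    distinct ports is treated as a multi-port scan.
    """
    per_source = defaultdict(lambda: defaultdict(int))
    for proto, source, port in entries:
        per_source[source][(proto, port)] += 1

    report = {}
    for source, counts in per_source.items():
        hits = sum(counts.values())
        if len(counts) >= scan_threshold:
            kind = "multi-port scan"
            hint = "sweep across several services from one address"
        else:
            kind = "repeated probe" if hits > len(counts) else "isolated probe"
            busiest = max(counts, key=counts.get)
            hint = PORT_HINTS.get(busiest, "no hint for this port")
        report[source] = {
            "kind": kind,
            "ports": sorted(port for _proto, port in counts),
            "hits": hits,
            "hint": hint,
        }
    return report


if __name__ == "__main__":
    for source, info in sorted(classify(parse_log(SAMPLE_LOG)).items()):
        print(source, info)
```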
controler
November 25th, 2002, 06:47 PM
" They're relying on 'social engineering' to allow them into your system as part of a communication transaction that you have authorized. And, of course, if you've authorized the communication, the firewall itself (strictly defined) isn't going to do a damn thing to prevent the 'intrusion/insertion'. At that point, as the security guys warning about Code Red II and Nimda pointed out,"
I only wanted to mention that all you want to know about Social Engineering can be found in Kevin Mitnick's book.
He seems to be a regular guest on Tech TV these days.
They still don't allow him to touch a PC while on the show.
luv2bsecure
November 25th, 2002, 10:41 PM
I am really intrigued by this discussion. It's a good one with well thought out positions. LowWaterMark, as have others, has done a fine job of refuting the statement by Wizard.
To me, in reality, it's a common sense issue.
Many people opt for a dead-bolt lock on their front doors. However, many don't have them on their back doors. In fact, I don't. When I think about it, it's rather silly not to. Are we just going to give the best protection available to the front door? It only takes a thief ten seconds to come around back and do his thing. So, frankly, I would recommend to anybody (If I were a home security expert) to put a dead-bolt on the back door as well. Some would argue it's not needed. Maybe it is, maybe it isn't. However, what harm could it do to put a dead-bolt on the back door? There is no way to tell someone it's not needed "except under certain circumstances" because that brings up a whole new issue of what "circumstances" bring about the "exception." If it can do no harm, yet potentially do great good (alerting on outbound connections) why not recommend the personal firewall???? If I put that dead-bolt on my back door, I have no way of knowing if I ever deter an attempt to break into my home. But I know this: it's sure not going to make me any less safe for having done so! Once the doors are secure - remember the windows. Can we do too much to keep our families safe? Can we do too much to keep our data safe?
I think not.
I would highly recommend a personal firewall without hesitation.
All the best,
John
Luv2BSecure
CrazyM
November 26th, 2002, 01:27 AM
Useless? Maybe not the best choice of words, as there are things that can be gained from running a personal software firewall.
Are personal software firewalls necessary? Perhaps this may be more to the point.
In a public forum such as this, one has to take into account your audience. The experience level of persons participating here will vary from the newest users, to professionals, and all of us in between. The manner in which all these user systems are being used will be just as varied.
When discussing the risks associated with the Internet and educating new users in securing their systems, I recommend the use of a personal software firewall as part of the layered approach to system security.
Encouraging users to take time and learn a little more about how things work is also important. Software firewalls will form part of this learning process and provide them with insight as to how their system and applications are interacting with the Internet.
Some users may not want to go beyond a set it and forget it type approach.
Others will gain experience and become more conversant with computer security. These users will discover the flexibility and control software firewalls and other utilities afford and use them to their fullest in securing and auditing their systems.
Experienced users can easily secure systems (OS) from unsolicited connection attempts, monitor outbound traffic and may be quite comfortable in running without a personal software firewall. But this does not mean they are not using other essential applications/utilities to keep their systems secure. And this approach is definitely not for everyone.
But all these unsolicited connection attempts (the scans most new users are alarmed to see in their logs) are basically harmless and the least of our worries. As JV is starting to touch on, social engineering is a greater threat.
As mentioned above, the manner in which all these systems are being used will vary greatly. One has to take this into account when recommending what may or may not be required. How many different users will be using this system? How many different users and systems are on the home LAN? All it takes is one inadvertent click to compromise the system and/or LAN.
As we are likely to see multiple users with varied experience/knowledge and more home set-ups with multiple systems, the layered approach is probably best for most home users and this includes a personal software firewall.
As LowWaterMark commented:
-{ Quote: "Knowledge is actually the best protection, and as my sig says: "Use the most powerful combo Firewall/AV/AT package available - "Common Sense" - It can be upgraded daily!"" }-
When it comes to knowledge and experience, there is a lot of it here on this forum. Likely one of the reasons most of us participate here, to learn and share our experiences and make knowledge the number one tool in our system security.
Scotcov
November 26th, 2002, 06:58 AM
I really hesitate to post an opinion, since I know I have only a fraction of the knowledge of those who have posted. But what luv2bsecure said makes the most sense to me:
-{ Quote: " what harm could it do to put a dead-bolt on the back door? " }-
Nevertheless, I want to express how fascinating and thought-provoking JVM's posts have been.
For that matter, everyone's posts have been fascinating!
Scotcov
eyespy
November 26th, 2002, 12:56 PM
After typing a 15min response, I looked up at the screen and it was gone !! ARGGGHHH !! Here's a shorter version !!
JVM,
<<<<You didn't elaborate on that statement, so I need to ask. Are you talking about multiple (and unsolicited) 'probes' against a particular local port -- or are you talking about 'multi-port' scans? >>>>
I was talking about the Worms and P2P. I also agree that multiport scans are rare. Occasionally I get hit with a scan for a Rat or Bot on the higher port scale but none too often. Harmless ? Perhaps...but "the Devil you KNOW is better than the Devil you DON'T !!"
<<<< They're relying on 'social engineering' to allow them into your system as part of a communication transaction that you have authorized. And, of course, if you've authorized the communication, the firewall itself (strictly defined) isn't going to do a damn thing to prevent the 'intrusion/insertion'>>>>
Are you referring to ICQ, MSN Mess., MIRC, P2P, etc.... ?
If one of the above programs becomes infected and I run say MSN Mess, my Firewall's MD5 Checksum will advise me that the program has changed. Of course I would investigate.
If you are stating that a Trojan or Bot might be dropped in a PC using one of the above utilities, then a properly configured Firewall should alert the user of the connection attempt.
I'm willing to bet that at least 75% of experienced users have and use a Firewall.
thanks and regards,
bill :)
BTW.... I'm not being argumentative, It's just part of the learning experience and all comments are related to the learning curve !! ;)
jvmorris
November 26th, 2002, 07:02 PM
-{ Quote: " quoting: eyespy link=board=23;threadid=5098;start=15#33561 date=1038333410]
After typing a 15min response, I looked up at the screen and it was gone !! ARGGGHHH !! Here's a shorter version !!" }-
I hate it when that happens myself (luckily it hasn't happened to me here in several months).
-{ Quote: "JVM,
<<<<... Are you talking about multiple (and unsolicited) 'probes' against a particular local port -- or are you talking about 'multi-port' scans? ...>>>>
I was talking about the Worms and P2P. I also agree that multiport scans are rare. Occasionally I get hit with a scan for a Rat or Bot on the higher port scale but none too often. Harmless ? Perhaps...but "the Devil you KNOW is better than the Devil you DON'T !!"" }-
Okay, just requesting clarification as to which subset you were referring. Just quickly re-checked my numbers for the last month. Well over 70% of the probes I see can be immediately ascribed either to my ISP, Worms, or P2P. Half of the remainder are skiddies, in all probability. It's only after digging through all this that the truly interesting stuff turns up.
But I think your last statement is the interesting one! (I was trying to hold this back, but I suppose I might as well mention it now.) Yes, it's the record that I find interesting. And relying on ICS produces no record (a hardware router could be enabled to do so, of course). It's that ability to peer under the hood and see what's happening that I find so interesting, but many of the PSFs are sorely deficient in this capability and we have to rely on third-party log analyzers to do this. Indeed, for those who haven't already picked up on it, that's one of the reasons I stopped with NIS 3/4 -- in those contexts I have a good log analyzer; in NIS 6, the capability is pitiful. Of course, an IDS would also provide this capability (and even better, I might add), but they're not well understood (apparently) in the community at large.
-{ Quote: " <<<< They're relying on 'social engineering' to allow them into your system as part of a communication transaction that you have authorized. . . .>>>>
Are you referring to ICQ, MSN Mess., MIRC, P2P, etc.... ?" }-
Yes, and no. ;) Sure, they'll ride in if you give them the chance on IM programs, P2P programs (including, now, the RIAA, I note), chat utilities, but they will also ride in on your newsreaders, e-mail clients and even your browser -- if you give them a chance. For the most part, a traditional firewall (hardware or software) isn't going to stop this. And when I say 'traditional firewall', I'm talking about what CrazyM brought up in another thread, not one of the 'latter day' firewalls with all sorts of additional bells and whistles. If you Internet-enable Windows Explorer (especially the good ole web folders), your word processing or spreadsheet or DBMS app, they'll be perfectly happy to ride in on those, too!
It's not necessary to give these applications 'server rights' for them to do this, either. (And I fear that far too many PSF users think that's the magic bullet to avoid.) All you have to do is give any of these apps more or less unrestricted client rights and you can very easily end up as dead meat. You go 'somewhere', you request something. If it's the 'wrong place', you're just as vulnerable as if you're running the app in server mode. You asked for it? You got it! Uh-ohhh. What's the solution? Well, that's why many of the PSFs are now moving beyond traditional firewall protective measures (but only if those additional methods are invoked, of course). And, for the most part, many of these 'other' protective measures have been available for some time from non-firewall utilities (including in some instances existing OS utilities). For example, you just gave me a gold mine in your following comment.
-{ Quote: "If one of the above programs becomes infected and I run say MSN Mess, my Firewall's MD5 Checksum will advise me that the program has changed. Of course I would investigate. " }-
Okay, I hit this one hard -- must have been two years ago -- with all of Steve Gibson's ballyhoo about Leaktest. Can you identify a single exploit (before or since the Leaktest freak-out) that relied on tampering with the main executable for which a firewall rule had been set? I can't; I've asked (repeatedly); if one is out there in the wild that actually tries to do this, I've never heard of it. (Of course, there's probably not gonna be one now, either. 8) )
But, Is a software firewall the only solution to this problem; and, indeed, is a software firewall a solution to this kind of problem? No, (on both counts).
Again, I've never seen or heard of a 'masquerading executable' identified in the firewall ruleset and I've asked. What I have heard about is corrupted main OS utilities (technically, having no Internet access capabilities whatsoever), and I have heard about corrupted DLLs, OCXs, VBXs and SYS files used by such utilities. In the former case, I've got a guy who sat there and watched his DUN monitor go crazy with outbound traffic (this on a stand-alone PC), while his software firewall showed no untoward activity whatsoever. In the latter case, MSIE (iexplore.exe) is nothing but a stub program; all the real work is done via DLLs, OCXs, etc. You bust one of these, you're good to go -- over the connections PERMITTed for MSIE itself!
Yeah, yeah, yeah, I know ... the newer releases of the major PSFs will also check for (and authenticate) the DLLs. Ummm, just which called routines are they checking; are they checking OCXs and VXDs and SYS files? Are they also checking core OS components? Are people actually using this functionality or are they being told to turn it 'off' because it's such a 'hassle' and raises so much havoc with throughput? All I can say is check the posts on these subjects. If it ain't on, it ain't working.
Now, (even if it's being used) the above functionality is not part of the core functionality of a PSF (and certainly not of a hardware firewall which doesn't even have access to such information). Is there nothing we can do about such problems? Of course not; that's where memory-resident registry monitors, AV/AT/Spyware/keylogger utilities come into play. There's also file authentication software which is far more sweeping in its power. (No, this is not a plug for NIS File Check; there are any number of freeware/shareware/payware alternatives to NIS File Check -- and I'm still trying to work my way through all of them.) All of these do a better, more comprehensive job than the latest generation of PSFs -- and they do it with far less of a performance hit. I suspect (but at the moment cannot confirm) that this was part of what wizard was referring to. All of which brings us back to his statement about the incremental advantage of using a software firewall.
Finally, there's one particular threat against which the current crop of PSFs is largely useless -- these are the memory-resident (RAM only) exploits. For those who may have missed it, these have been 'out there' since at least CRv1 and CRv2. In this instance, there ain't no "file on disk" for an AV/AT/spyware/keylogger program to pick up. And it doesn't screw with the registry, so even a registry monitor isn't going to pick it up. The only solution (of which I am aware) to this vulnerability is to run a locked-down version of Win NT/2000/XP (and with non-supervisory privileges) while on the Internet. And quite frankly, I'm not going to maintain that even this is sufficient.
-{ Quote: " If you are stating that a Trojan or Bot might be dropped in a PC using one of the above utilities, then a properly configured Firewall should alert the user of the connection attempt." }-
Disagree. The kinds of threats I'm talking about here ride piggy-back on the existing authorized application, using the ports and IP addresses for which the authorized Internet-enabled application has been authenticated. That's precisely what CRv1 and CRv2 did; indeed, it's precisely what most of the e-mail borne viruses and worms do. A standard firewall (hardware or software) has no capability whatsoever to 'block' these communications. You have to go to the exotics and you have to have the functionality enabled (assuming it exists in the first place).
-{ Quote: " I'm willing to bet that at least 75% of experienced users have and use a Firewall." }-
Agreed, no argument whatsoever.
-{ Quote: "BTW.... I'm not being argumentative, It's just part of the learning experience and all comments are related to the learning curve !! ;) " }-
I never took your comments any other way. For those who may be wondering (and haven't figured it out yet), someone (who shall remain nameless) asked for someone to take the counterpoint in this discussion. I waited, no one else really picked up on it, so I decided to do it. (Yes, I do use a PSF, but we'll get to why much later in this thread.)
I think we all know that at least 90% of the people frequenting this forum use some sort of firewall. Most of the remaining 10% would probably take a look at the question that scotcov initially posed and simply say "Why bother? I'll be here for the next ten weeks!"
You've seen the "Of course, you need a (software?) firewall!" responses already. But, if I turn to you and ask "Why do you need a software firewall?", I'd really like to think you could provide a better answer than "Well, I asked in Wilders/GRC/DSLR Security and 90% of the respondents said I did!" In all honesty, that's not much of a response (and it don' sell real well if that's all you can say to your spouse, co-worker, or friend). So, yes, I'm playing counterfoil here. I don't really care if you agree or disagree with my position; I want you to think, decide, and then be able to defend your decision.
There are alternatives to a PSF (I think luv2besecure or LowWaterMark may have referred to them) and I think that wizard may well be basing a certain amount of his initial statement on the fact that many of them are readily available as freeware/shareware. Indeed, quite some time ago, I wrote a rather sardonic response (was it to Name Game, our very own PrimRose?) in the DSLR Security Forum as to how one could live perfectly safely without a PSF. This solution is hardly for Joe User, however. I also initiated the "Stealthed vs Closed" debate in the DSLR Security Forum. While I have my own opinions on the value of 'Stealth', my primary intent was to make people think about just how much Stealth was really worth.
To me, your questions represent an "Inquiring minds want to know (understand)" position. I have used you as a foil (and I think you know that), but I'm not trying to convince you that I'm right and you're wrong. I'm simply trying to lay out an alternative so that you can make an 'informed' decision and then defend it, whatever it may be.
Peace.
Primrose
November 26th, 2002, 09:46 PM
:D
I read Scotcov's post that started out this whole thread 5 minutes after he edited it on the 24th.. I also had read before that which wizard had written and took nothing he said out of context. I thought about responding to Scotcov at that time, but the coffee was ready and I had to help 3 people clean up the trash the last software firewalls they were massaging... left on their system.
Now JV is taking my name in vain ;-)
Scotcov,
If you want to know how the Internet really works and also give yourself time to fully understand your OS and its architecture (No matter what you are running or who built the boxes) get yourself a software firewall and knock yourself out.
When you think you have it all figured out..;-) dump it.
It is really that simple.
MOST of the things that will get to you will be cockpit error and the rest you will be letting in the front 6,500+ doors all by your lonesome without any help from a hacker, an attack... much less any spyware or governmental entity trying to checkup on your mental/physical/ or spiritual health in cyberspace.
When you are satisfied you are ready:
Do not rely on third party software for what you KNOW can be solved with knowledge of your own OS. Do not run it "out of the box" after you understand how to customize it.
Best of Luck,
John
Scotcov
November 26th, 2002, 10:19 PM
-{ Quote: " someone (who shall remain nameless) asked for someone to take the counterpoint in this discussion. " }-
Why remain nameless? It was ME! And I'll never regret it. You have made us think, and that's good.
Scotcov
eyespy
November 26th, 2002, 10:56 PM
JVM,
your detailed and in depth posts are appreciated more than you know. You do shed some light on some issues using Firewalls. You are also very knowledgeable in this area and I'm glad you responded as such !
And you can use my posts to continue the "foil" anytime ! ;)
Did I learn something here ?? Absolutely !!
Will I continue to use a software Firewall ?? Absolutely !!
And of course for your time and effort, a Karma (applaud of course!) is in order for you, from me and probably a few more posters . :)
With kindest regards,
bill ;)
controler
November 26th, 2002, 11:34 PM
Great discussion ;D
Yea, being a client is bad. It allows connection, but on the other hand, being a server is worse. You then allow yourself to be part of a bigger attack.
As for only relying on your OS to protect you: that is not possible with anything but NT. You sure couldn't lock down your system with 98 or ME. Maybe you were referring to a non-Windows OS? I know Wizard was. If I had to choose another program and it couldn't be an AV or firewall...
the only type of program I would consider running without anything else is a file checking program. One that compares the file's signature.
And preferably one that warns you when something has changed.
This does not stop the intrusion but sure lets you know you been had.
We are all keeping in mind this thread is speaking of a perfect world situation.
We agree, our main goal here is to help all those that we can.
Education, Education, Education,
is a salesperson's way of saying Location location location....
JVM, how about refreshing RAM, clearing RAM? Over and over and over.
A coded refreshing of the RAM.
FanJ
November 28th, 2002, 02:22 AM
My 2 cents....
First of all thanks to all who started and/or contributed to this discussion!
I’m still a little bit struggling with this:
“Finally, there's one particular threat against which the current crop of PSFs is largely useless -- these are the memory-resident (RAM only) exploits. For those who may have missed it, these have been 'out there' since at least CRv1 and CRv2. In this instance, there ain't no "file on disk" for an AV/AT/spyware/keylogger program to pick up. And it doesn't screw with the registry, so even a registry monitor isn't going to pick it up.“
If such an exploit is in your RAM, it must have come there in SOME way.
In which way? Couldn’t it have been picked up BEFORE it came in there?
I was expecting and hoping (grin) that Joseph would also bring this part to the discussion:
“the newer releases of the major PSFs will also check for (and authenticate) the DLLs. Ummm, just which called routines are they checking; are they checking OCXs and VXDs and SYS files?”
Were we talking about checking DLLs and EXEs with for example MD5-checking?
Then comes immediately the question how safe those checksums are stored!
It has to be done in a secure way! I have posted about that already in the past somewhere else.
OK, here goes again (although I might be repeating myself too much).
[hr]
How safe is a checksum stored?
Let’s say program P uses a checksum algorithm (like CRC32 or MD5) to check whether files have been changed.
Let’s say you want file F to be checked.
The first time you run program P on file F there will be a checksum C generated.
Then, after a while, you will check whether file F is changed.
So you run a second time program P on file F;
the algorithm used in program P makes a new checksum – let’s say C2 - ;
the checksums C and C2 are compared;
and then program P tells you whether file F has been changed or not, depending on whether C and C2 are the same or not.
So far so good, but the only way program P can perform this is by comparing these two checksums C and C2. That means that, after generating the first checksum C, it must store it somewhere….
Now I have a malicious program M (like some kind of a Trojan).
Malicious program M looks specifically for file F and wants to replace it with malicious file MF.
And malicious program M is made in such a way that it already knows that changes in file F are being checked with program P. So it brings, together with malicious file MF, its checksum MC.
The only thing that malicious program M now has to do is to replace file F with file MF and replace checksum C with checksum MC.
And there is no way that program P ever can tell you that file F is changed…
Conclusion: the security that program P with its checksum algorithm can give you depends heavily on how safely it stores checksums!
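One way to close the gap described in the post above, shown as an added example that is not part of the original thread: the baseline of checksums is sealed with an HMAC whose key is assumed to be kept where program M cannot read it (removable media or another machine). SHA-256 and HMAC-SHA-256 stand in for the CRC32/MD5 mentioned in the post, and all function and file names are hypothetical.

```python
import hashlib
import hmac
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _seal(entries, key):
    # Keyed MAC over the whole checksum table; cannot be recomputed without the key.
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def write_baseline(paths, store, key=None):
    """Program P, first run: record checksum C for each file (sealed if a key is given)."""
    entries = {os.path.abspath(p): file_digest(p) for p in paths}
    record = {"entries": entries}
    if key is not None:
        record["seal"] = _seal(entries, key)
    with open(store, "w") as f:
        json.dump(record, f)


def verify(store, key=None):
    """Program P, later run: returns (status, list of changed paths)."""
    with open(store) as f:
        record = json.load(f)
    entries = record.get("entries", {})
    if key is not None:
        # Check the store itself before trusting any checksum in it.
        if not hmac.compare_digest(record.get("seal", ""), _seal(entries, key)):
            return "STORE_TAMPERED", []
    changed = [p for p, digest in sorted(entries.items())
               if not os.path.exists(p) or file_digest(p) != digest]
    return ("CHANGED" if changed else "OK"), changed


def replace_file_and_checksum(path, new_bytes, store):
    """The scenario from the post: F becomes MF and stored C becomes MC.
    The seal is left as it was, because the key is not on this machine."""
    with open(path, "wb") as f:
        f.write(new_bytes)
    with open(store) as f:
        record = json.load(f)
    record["entries"][os.path.abspath(path)] = file_digest(path)
    with open(store, "w") as f:
        json.dump(record, f)


def demo():
    """Run the same three situations against an unsealed and a sealed store."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "F.dll")          # constructed sample file
        key = os.urandom(32)                        # assumption: stored off-machine
        for label, k in (("unsealed", None), ("sealed", key)):
            store = os.path.join(d, label + ".json")
            with open(target, "wb") as f:
                f.write(b"original file F")
            write_baseline([target], store, k)
            results[label + "_clean"] = verify(store, k)[0]
            with open(target, "wb") as f:           # file changed, store untouched
                f.write(b"modified file")
            results[label + "_file_only"] = verify(store, k)[0]
            replace_file_and_checksum(target, b"replacement file MF", store)
            results[label + "_swap"] = verify(store, k)[0]
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:20s} {status}")
```

The seal only helps while the key stays out of reach; a key stored beside the checksum file, readable with the same privileges, can be used to re-seal a modified table.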
jvmorris
November 28th, 2002, 11:54 AM
-{ Quote: " quoting: eyespy link=board=23;threadid=5098;start=15#33561 date=1038333410] . . .JVM,
<<<<You didn't elaborate on that statement, so I need to ask. Are you talking about multiple (and unsolicited) 'probes' against a particular local port -- or are you talking about 'multi-port' scans? >>>>
I was talking about the Worms and P2P. I also agree that multiport scans are rare. Occasionally I get hit with a scan for a Rat or Bot on the higher port scale but none too often. Harmless ? Perhaps...but "the Devil you KNOW is better than the Devil you DON'T !!" ... " }-
I thought it might be a good idea to give a simple example of a multi-port scan to those who may be reading this thread and may be a bit uncertain as to what we are talking about here. Luckily, someone was kind enough to oblige me, just this morning. 8) I should add that I think this is probably the only one I've seen this month!
This illustrates probes on four distinct ports originating from one IP address. All four of these probes occurred in approximately 0.2 seconds. You'll also note that it's a 'singleton' probe on each port, not the kind of triplet that one might think had unintentionally been released by a Windows box. There's a distinct reason for this subset and, indeed, it (or something very similar to it) is probably the most common multi-port scan that I and several others have observed in the past few months.
I'm going to illustrate this with the detailed output available from Sven Schaefer's Log Viewer (for NIS and Linksys Routers); other log analyzers can do something quite similar for other software/hardware firewalls or routers.
-{ Quote: "
11/28/2002 01:44:58:813 - Unused port blocking has blocked communications.
Action: ***Blocked Inbound TCP connection
Local Port: ***3128
Remote IP: ***216.112.103.21 (jurika18.dsl.concentric.net)
This is the default port for the "squid" HTTP proxy. An attacker scanning for this port is likely searching for a proxy server they can use to surf the Internet anonymously. You may see scans for other proxies at the same time, such as at port 8000/8001/8080/8888. Another cause of scans at this port, for a similar reason, is when users enter chatrooms. Others users (or the servers themselves) will attempt to check this port to see if the user's machines supports proxying.
11/28/2002 01:44:58:845 - Unused port blocking has blocked communications.
Action: ***Blocked Inbound TCP connection
Local Port: ***80 (http)
Remote IP: ***216.112.103.21 (jurika18.dsl.concentric.net)
http, aka www, www-http, World Wide Web. HTTP (Hypertext Transfer Protocol) is a protocol for transmitting messages from the client to the server and back. This port should be open only if you're running a Web server. Trojan Info: Commonly used by Code Red (Worm) and it's variants, Nimda (Worm) and it's variants, 711 trojan (Seven Eleven), AckCmd, Back End, Back Orifice 2000 Plug-Ins, Cafeini, CGI Backdoor, Executor, God Message, God Message Creator, Hooker, IISworm, MTX, NCX, Reverse WWW Tunnel Backdoor, RingZero, Seeker, WAN Remote, Web Server CT, WebDownloader.
11/28/2002 01:44:59:005 - Unused port blocking has blocked communications.
Action: ***Blocked Inbound TCP connection
Local Port: ***8080
Remote IP: ***216.112.103.21 (jurika18.dsl.concentric.net)
This is a port commonly used by HTTP servers and proxies.
11/28/2002 01:44:59:005 - Unused port blocking has blocked communications.
Action: ***Blocked Inbound TCP connection
Local Port: ***1080
Remote IP: ***216.112.103.21 (jurika18.dsl.concentric.net)
socks, aka SOCKS. This protocol allows computers access to the Internet through a firewall. It is used when one IP address is shared among several computers. Most scans for port 1080 are actually looking for WinGate, a popular firewall/proxy for Windows. This protocol tunnels traffic through firewalls, allowing many people behind the firewall access to the Internet through a single IP address. In theory, it should only tunnel inside traffic out towards the Internet. However, it is frequently misconfigured and allows hackers/crackers to tunnel their attacks inwards through the firewall, or simply bounce through the system to other Internet machines, masking their attacks as if they were coming from you. WinGate, a popular Windows personal firewall, is frequently misconfigured this way. This is often seen when joining IRC chatrooms. " }-
Now, this is not Internet Background Radiation (IBR), by any means.
But, what does it signify and is it anything to worry me?
Well, it's not my ISP (that's for sure!); it's not some P2P file-sharing program looking for servers; it's not a worm (otherwise, I'd be seeing a lot more of it). It's probably not an entry-level skiddy who just got this neatso, keen tool, either. It could be a second-level skiddy, however. For that matter, it could be some perfectly innocent guy who just downloaded a certain nifty tool available from what is ostensibly a 'white-hat' site who's off on a crusade to save the Internet. (There are more of these than I care to think about.) And, finally, it might be someone who really knows what they're doing and is simply using this 'tool' to (more or less) innocuously pick up some tantalizing sites for future research. At this point (and with no more information to go on), it's difficult to say which of the above three possibilities might be correct.
Now, in all probability, the first two classes of prospective users wouldn't know what to do with this information even if they actually found something open somewhere! (I think we can rather safely assume my IP address wasn't the only one scanned, under any circumstances.) But, the man/woman behind Door Number Three would definitely have a very good idea as to what was going to come next! (And nothing did in my case, not surprisingly.)
I should, I suppose, point out that this guy has not only been very active; he just blabbed his little activity all over the place! Check the MyNetWatchman event at http://www.mynetwatchman.com/LID.asp?IID=13036918 , for example. No serious cracker would do that, these days. So I would have to assume this is one of the guys/gals behind either Door Number One or Door Number Two.
But, more to the point, let's assume -- purely as a working hypothesis -- that this fella actually found something during the course of his (or her) little odyssey. Would I (or you) be any safer if I (or you) had a software firewall than if I didn't? And the answer is: No! Okay, now, who knows why I say that?
[Leaving this one as an exercise for the reader.]
Addendum That IP address is listening on Port 80, incidentally, but it does not appear to be running a publicly accessible web server. Guess what that probably means! ::)
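The distinction drawn in the post above (singleton probes on several ports within a fraction of a second, versus a triplet of retries on one port) can be checked mechanically. The following is an added example, not part of the original post and not code from Sven Schaefer's Log Viewer; it parses entries in the layout quoted above, and the addresses, hostname, one-second window and three-port threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta


def _record(stamp, port, ip):
    # Same four-line layout as the log entries quoted in the post.
    return (f"{stamp} - Unused port blocking has blocked communications.\n"
            f"Action: ***Blocked Inbound TCP connection\n"
            f"Local Port: ***{port}\n"
            f"Remote IP: ***{ip} (host.example.net)\n")


# Constructed sample: documentation-range addresses, not real hosts.
SAMPLE_LOG = "".join(_record(*r) for r in [
    ("11/28/2002 01:44:58:813", 3128, "192.0.2.10"),         # four ports in ~0.2 s
    ("11/28/2002 01:44:58:845", "80 (http)", "192.0.2.10"),
    ("11/28/2002 01:44:59:005", 8080, "192.0.2.10"),
    ("11/28/2002 01:44:59:005", 1080, "192.0.2.10"),
    ("11/28/2002 02:10:03:100", 445, "198.51.100.7"),        # triplet on one port
    ("11/28/2002 02:10:06:100", 445, "198.51.100.7"),
    ("11/28/2002 02:10:12:100", 445, "198.51.100.7"),
    ("11/28/2002 03:30:00:000", 135, "203.0.113.5"),         # single probe
])

STAMP = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}):(\d{3}) - ")
PORT = re.compile(r"^Local Port:\s*\**(\d+)")
REMOTE = re.compile(r"^Remote IP:\s*\**(\d{1,3}(?:\.\d{1,3}){3})")


def parse_events(text):
    """Return a list of (time, remote_ip, local_port) tuples."""
    events, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = STAMP.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
            current = {"time": when + timedelta(milliseconds=int(m.group(2)))}
            continue
        if current is None:
            continue                      # description text between entries
        m = PORT.match(line)
        if m:
            current["port"] = int(m.group(1))
            continue
        m = REMOTE.match(line)
        if m and "port" in current:
            events.append((current["time"], m.group(1), current["port"]))
            current = None
    return events


def classify(events, window=timedelta(seconds=1), min_ports=3):
    """Label each remote IP by the most distinct ports it hit inside one window."""
    by_ip = defaultdict(list)
    for when, ip, port in sorted(events):
        by_ip[ip].append((when, port))
    verdicts = {}
    for ip, hits in by_ip.items():
        best, start = set(), 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1                # slide the window forward
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            label = "multi-port scan"
        elif len(hits) >= 3 and len({p for _, p in hits}) == 1:
            label = "single-port retries"
        else:
            label = "isolated probe"
        verdicts[ip] = (label, sorted(best))
    return verdicts


if __name__ == "__main__":
    for ip, (label, ports) in classify(parse_events(SAMPLE_LOG)).items():
        print(ip, label, ports)
```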
controler
November 28th, 2002, 06:47 PM
Does it mean he or she is coming tunneling through another's server?
OK, how many guesses do I get here? ;D
jvmorris
November 28th, 2002, 09:52 PM
-{ Quote: " quoting: controler link=board=23;threadid=5098;start=30#33809 date=1038527274]
Does it mean he or she is coming tunneling through another's server?
OK, how many guesses do I get here? ;D
" }-
Darn it, controler, it was a trick question! ::) I was sure you'd pick up on that one.
Yes, in this particular scenario, tunneling through another's server could be a conceivable problem. I must admit I didn't think of that one.
And you get as many guesses as you want (as long as each response is correct)! ;D
Luthorcrow
December 6th, 2002, 12:49 AM
Joseph,
I believe you mentioned OS hardening as a security measure. I am curious how complex of tweaking that would be. As a lay user (non IT prof, etc), I have done the following:
1. Disabled NetBios on my Local Area Connections
2. Disabled all non-essential services (image of services at start-up below). This is prior to loading any security software; I keep a batch file on my desktop to start those apps at once prior to connecting to the net.
3. Switch ActiveX and Java off on IE when browsing unfamiliar sites
How much farther should I be looking? Any particular sites or tutorials you can point towards?
UNICRON
December 6th, 2002, 02:09 AM
Joseph, are you getting paid by the word? ;)
Good stuff all.
speaking about hardened OSes, for those who want to add a level of protection likely to be sufficient against most hackers and lesser deities (and have some spare loot):
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a0080091b15.html
I hope to pick one up this summer.
Judge_Dee
December 6th, 2002, 10:48 AM
Quote from Joseph Morris:
-{ Quote: " Would I (or you) be any safer if I (or you) had a software firewall than if I didn't? And the answer is: No! Okay, now, who knows why I say that?
Addendum That IP address is listening on Port 80, incidentally, but it does not appear to be running a publicly accessible web server. Guess what that probably means! " }-
And so what are the answers?! I sure haven't figured it out!
UNICRON
December 6th, 2002, 03:10 PM
-{ Quote: " quoting: Judge_Dee link=board=23;threadid=5098;start=30#34648 date=1039189688]
Quote from Joseph Morris:
-{ Quote: " Would I (or you) be any safer if I (or you) had a software firewall than if I didn't? And the answer is: No! Okay, now, who knows why I say that?
Addendum That IP address is listening on Port 80, incidentally, but it does not appear to be running a publicly accessible web server. Guess what that probably means! " }-
And so what are the answers?! I sure haven't figured it out!
" }-
Spyblocker?
sig
December 7th, 2002, 06:39 AM
Shoot, what a cliff hanger....come back JV and tell us the rest of the story. :'(
;)
jvmorris
December 7th, 2002, 11:21 AM
-{ Quote: " quoting: sig link=board=23;threadid=5098;start=30#34773 date=1039261166]
Shoot, what a cliff hanger....come back JV and tell us the rest of the story.
" }-
Sig,
Well, I'm really not intentionally teasing; I'm just in the process of having a small war with Symantec over in DSLR Security. I can tell this is going to take a bit of time and attention to resolve.
There must be ten posts in this thread that already ask questions that I haven't had the time to get around to yet. Not to worry; I intend to pick up on every one of them.
controler
December 7th, 2002, 01:04 PM
I just took a look at DSLREPORTS FORUM for the first time. I see there are some posters from here that hang out there also.
JVM ???
Could you post the link to that discussion @ DSLREPORTS? or isn't that fair to Wilders?
I was interested in taking a peek at that thread over there also.
Thank You
jvmorris
December 7th, 2002, 01:17 PM
-{ Quote: " quoting: controler link=board=23;threadid=5098;start=30#34825 date=1039284248]
I just took a look at DSLREPORTS FORUM for the first time. I see there are some posters from here that hang out there also." }-
Oh, there's quite a few posters here that also frequent (and post) on the DSLR Security Forum, including many of the mods and admins here.
-{ Quote: "Could you post the link to that discussion @ DSLREPORTS? or isn't that fair to Wilders? " }-
I don't think there's any problem in doing this. On many occasions threads at DSLR Security are referenced here and threads here are referenced at DSLR Security. The specific thread in question (at the moment) can be found at http://www.dslreports.com/forum/remark,5216811~root=security,1~mode=flat. The brouhaha is concerned with the last few postings in that thread as of 1344 EST on 7 Dec 2002. Feel free to watch that space for additions. ::)
Can somebody fix that URL? I don't seem to be able to post it correctly?
Done :)
Primrose
December 7th, 2002, 01:33 PM
http://www.dslreports.com/forum/remark,5216811~root=security,1~mode=flat
Here is your fix..I tunnelled it through two of these puppies.
You get these in your post by hitting the thingie above with the world globe..
then you ever so gently in between the two "paste the link".
It takes a steady hand and a strong will...I do not think you will have any problem JV.
;D
jvmorris
December 7th, 2002, 02:04 PM
-{ Quote: " quoting: Primrose link=board=23;threadid=5098;start=30#34830 date=1039286007]
http://www.dslreports.com/forum/remark,5216811~root=security,1~mode=flat
Here is your fix..I tunnelled it through two of these puppies.
You get these in your post by hitting the thingie above with the world globe.." }-
Danke, that's what I did; didn't work right here??? :'(
Read the IM at DSLR about hardening an OS (above in THIS thread)? I still can't find the URL on my box.
Primrose
December 7th, 2002, 02:16 PM
I think it was the second one here...NO?? It has great screen shot and you have to hit the page thing at the bottom to do it all.
To enable/disable services in Windows 2000
http://www.henrique.bucher.com/windows_services.htm
Windows 2000 Services Tweak guide
Much like previous versions of Windows NT, Windows 2000 also uses system Services. These allow support for other Programs/Hardware, etc. to run correctly. Or you can configure them to improve system security. By default Windows 2000 automatically runs many of these services & consumes more memory than it actually may need to for your particular needs, E.g. If you don't intend to use Task Scheduler or Fax Service, then why waste memory on running them automatically?
In this guide I'll cover what each service does & whether or not you really need it. Currently this guide is (still) the most comprehensive of its sort (In terms of content & amount of Services covered). Now, onto the guide itself.
http://www.3dspotlight.com/tweaks/win2k_services/
Windows XP Services Tweak Guide
http://www.techspot.com/tweaks/winxp_services/index.shtml
sig
December 7th, 2002, 04:37 PM
;D Cool, JV, I'll check out the thread at dslr. :)
Primrose: (cute ID ya got there, lol) I recently joined the herd and got a new PC with XP and I've bookmarked a number of the links you keep posting re: svs and the disabling thereof (good to have them so readily available, thanks). That's part of my homework for getting this system to where I want it, as much as I can, that is. Looks like ports 135 and 445 can only be blocked by using a firewall of some sort? (I really mean, one cannot close these open ports without disabling required services?) If so, Boo. ;)
jvmorris
December 7th, 2002, 04:43 PM
Sig,
Just so you understand; I'm an "equal opportunity" bitcher. If I used Sygate, or Outpost, or Kerio or ..., well, the vendor would be susceptible to the same static.
Indeed, I suspect that many vendors are quite happy with the fact that I rely exclusively on the various releases of Symantec's NIS/NPF products. :D
sig
December 7th, 2002, 05:07 PM
I'm sure the other folks are indeed happy you stay with Symantec. ;D
But it's good that you keep them on their toes. They're a huge presence in the market and a lot of their customers simply don't have the skills (or the will) to keep at 'em. :)
Judge_Dee
December 8th, 2002, 08:14 AM
-{ Quote: " quoting: Joseph V. Morris link=board=23;threadid=5098;start=15#33460 date=1038261221] real hacker (I prefer the term cracker, but nevertheless...) is going to be so stupid as to assault you with such a blunt-edged tool as unsolicited probes of your TCP/UDP ports...
No, no, no, the real crackers (as opposed to the skiddies and the wannabees) are using entirely different approaches to messing with your head (and your PC).
" }-
Although this is true, nevertheless, I'm still glad I have protection against "skiddies".
In life, a professional thief would probably never dare to break in where I live (it's too visible). Yet I still have a lock on my door for those stupid kids who would try anyway.
After wading through the theory, I like the practicality of having a firewall, as non-foolproof as it is (just as my lock on my door is non-foolproof).