Why using Windows Firewall ONLY is a bad idea?


Wai_Wai
September 3rd, 2005, 05:08 PM
Why using Windows Firewall ONLY is a bad idea?

(Sidenote: You may wish to read this thread as well which is about "Do you use Wins Firewall(WF) ONLY?"
http://www.wilderssecurity.com/showthread.php?p=548761 )

Hi.
Currently I would like to gather info why it is a bad idea to rely on Windows Firewall ONLY.

Instruction
It would be great if you could:
- provide reasons with good depth of explanation
- provide evidence/hard facts to support the above (if applicable)
- provide links/reference as a proof (if applicable)

Avoid giving:
- subjective comments (with no explanation) (eg no Wins Firewall[WF] because they *****). Hard facts are preferred.
- personal comments (eg no WF because it is made by Microsoft)
- merely figurative/metaphor (with no explanation) (eg using WF is just equal to shutting the door without locking it).

Hopefully these guidelines will not discourage you from posting.
After all, you don't need to satisfy all the above. They are merely guidelines.
You don't need to be too worried. Feel free to post if you have any reason in mind.


Note
- Please don't make any irrelevant comment or reply (eg discussing which is the best third-party firewall). It's because I wish to keep this thread clean without cluttering it up with lots of irrelevant info.

- If you are too eager to do so, consider opening another thread or private messaging.


=================================

EDIT:
- Now it seems people are talking about the point that "Windows Firewall is designed not to have Feature XX, eg outbound protection, security configuration" should or should not be a defense against the claim that "Windows Firewall is bad since it has no outbound protection". Apparently it seems to be a valid discussion, but it is indeed a value judgement in my opinion.

The fact is here - Windows Firewall provides NO SINGLE outbound protection or any other features mentioned above, which are fundamental to network security precautions (it may not be true for real security experts. Anyway some of them may even think anti-virus is not necessary).

It is up to you to make your own value judgement as to whether these points justify "classifying Windows Firewall as bad/ineffective" in any perspective.

So it would be great if you make another thread to discuss this particular point, should you wish to.

Wai_Wai
September 3rd, 2005, 05:48 PM
Here I go.

{The following article is not complete, still working in progress}
(Thanks to HandsOff, FatalChaos for some of their contributions)
(The post has become a bit too large. Browse for bold letters to get some ideas about the points made in this article)

Reasons:

Security Performance
- Windows Firewall(WF) only has inbound protection, but not outbound protection.
From Microsoft Website (http://www.microsoft.com/technet/prodtechnol/winxppro/plan/icf.mspx):
-{ Quote: "
Q: How does ICF compare to third-party firewalls?
A: In many cases ICF does not have the rich feature set provided by these products. This is because ICF is intended only as a basic intrusion prevention feature. ICF prevents people from gathering data about the PC and blocks unsolicited connection attempts...

Q: Does ICF do outbound packet inspection?
A: Other than checking the source IP address, ICF does not do any outbound packet inspection." }-

- As to inbound protection, it is still worse than all other famous Firewalls.

- since Windows Firewall(WF) is the default firewall for every Windows user, it implies it has huge market share. It further implies hackers will be (nearly) always eager to hack/bypass this firewall, which is similar to the reasons why Microsoft Outlook (Express) or Internet Explorer usually get hacked.

- There is news that WF has been exploited previously.
- It doesn't provide protection against attacks (like Kerio or Outpost does). Examples of attacks are DoS attacks, WinNuke attacks, etc. You can find lists in Kerio Personal Firewall NIPS and Outpost Attack Prevention or w/e plugin.

Limited Configuration
- WF is not easy to configure and is not customizable. It means you will have a hard time tightening your security with WF. Also it is still limited in what security configurations you can set (eg we can't really set rules for related programs).

Few Update & Improvement
- Microsoft hardly improves Windows Firewall (while all other third-party software does so all the time to incorporate new anti-hacking techniques in their firewalls)
Windows Firewall is almost never updated (except patches when, say, it has been exploited by hackers etc.), which means it can't adapt precautively beforehand to hackers using new techniques.

Other third party software can be free
- There are many excellent AND free firewalls available (eg ZoneAlarm Free, Outpost Free). They are much better than WF.

Other third party software can have light resource usage
- it is true that WF is light. However there are third-party firewalls which are light too.

I'm safe even if using WF only
- You may say "my computer is still safe even if I use only WF. There's no alert that I get intruded."

According to nowadays' techniques, it is not difficult for a hacker to bypass this flawed firewall and intrude into your system easily AND without you noticing.

Since their objective is to sneak into your computer, if they succeed, it is normal that you will never notice this intrusion or the implantation of any trojans/backdoors etc.

In the above cases, "nothing seems to happen" does not guarantee security. Rather it is just a false sense of security.

How easy is it? Well, it is difficult to answer since different people have different value judgements. But the fact is it is possible for even beginner hackers too since:
1) some handy and free advanced hacker tools are available on the Internet. 2) Also they can do it themselves when they are willing to search for freely available hacker articles.
For more descriptions on how powerful hackers can be, see [#1]


Careful user with safe browsing may not help either. Extra protection is definitely beneficial
- You may say I am a careful user who practices safe browsing and will not go to warez websites, doesn't use P2P/BT, only browses legitimate websites, or I will not install/execute any malware etc.

However the truth is hackers don't need to ask for your permission to intrude into your computer, nor can they only trouble you in passive ways.
Indeed there are many ways in which a hacker can attack your computer:
- simply being online. That's it.
- when you make mistakes [humans will make careless mistakes. Software will not make them on its own (eg humans may calculate wrongly, say 2+3=6; but software will never make this kind of mistake)]
- by the way, even if you don't go online, you may get malware when you install infected disks/CDs (from your friends etc.)

How come? See [#2] for details.


I don't bother to install any third-party firewall
- You may say "The fact is I haven't been intruded yet. So I don't bother to install any third-party firewall."

Remember that there can be no obvious/easy sign to notify you when you get intruded. So better safe than sorry & install good security software.

And how hard is it to install third-party software? Just a few clicks. You will find it worthwhile when your newcomer firewall tells you that it blocks something which your WF misses.

It is not really as difficult to use as some people claim, which makes software firewalls scary to beginners/novices. Simple guides:
- use learning mode or anything similar if the firewall has this function. It will save you the trouble and self-configure it for you.
- even if it doesn't have one, it doesn't matter. (Read on :P)
- When an alert occurs, choose "deny once" first.
- If the program cannot function as you intend, it implies you need it. Close the program and reopen it. Choose "Accept always" now.
- Otherwise, choose "deny always".
[Note: It is very often that some people may use "imperfection" as a point to negate the use of this method (eg this method cannot help users to get a 100% correct choice).
True is that it is not perfect.
False is that they forget Windows Firewall is not perfect either. "Not perfect" is never an excuse to negate/discourage something.
And when comparing both options, the former method is definitely far better in providing protection and keeping learning at a minimum at the same time. If you wish to have maximum security, surely you need to learn (a bit). There's no free lunch in the world :P]

Even if you are an advanced or careful user, why not save yourself the trouble by installing third-party software to do these jobs automatically and nicely? You don't need to be too alert or worried when you browse, read email and so on (although I'm not going to tell you that you can indulge yourself with doing everything).

There's no harm in installing a third-party firewall. Why do you need to be so hesitant about it? Go try and I can guarantee that you will see its value in the near future.


Features-related
- If Windows Firewall unfortunately blocks your legitimate programs from functioning (eg by blocking their required ports or connections), you need to go into some technical configuration of the firewall in order to make it work with these programs. Other third-party firewalls usually have easier ways to do these kinds of things (eg permission list, learning mode).

The following points are contributed by HandsOff:
- The interface for setting the firewall on or off (sp1) requires prior knowledge of where and how to do so and several steps. and...

- You do not have a tray icon to indicate whether the firewall is activated or not, and...

- The firewall is a service that depends on other services that have to be enabled in order for it to run. This means that you have to run additional services that (in my case) I did not need for anything else.

- Since the default firewall (sp1) setting is off, I would not be the least bit surprised if some updates return it to the default off, and as I said there is no tray icon so you may not be aware of its deactivation.

- I think it is perfectly legitimate to point out it is made by Microsoft, since Microsoft has demonstrated, time and again, a willingness to subordinate the clients security to their own interests.



Hard Fact:
If using XP2 Firewall, none of the leak attacks can be blocked.
If using others, they can block up to about 50% of leak attacks depending on which firewall you choose.
If using Firewall + Intrusion Prevention System, it can block up to 90-100% of leak attacks.
Ref: http://www.firewallleaktester.com/tests.htm


New MyDoom knocks through Windows weak firewall
http://www.pcpro.co.uk/news/63211/new-mydoom-knocks-through-windows-weak-firewall.html?searchString=firewall+firewall

Critical hole found in Windows XP SP2 firewall
http://www.pcpro.co.uk/news/67270/critical-hole-found-in-windows-xp-sp2-firewall.html?searchString=firewall+firewall

Windows Firewall Has A Backdoor
http://habaneronetworks.com/viewArticle.php?ID=144

Conclusion
Windows Firewall, as a software firewall, is a misnomer.
Using it is no different from shutting the door without locking it.

Since third-party firewalls are better, can be no-cost, light, and boost your computer security to a much higher level, why do you still insist on NOT installing third-party firewalls?
There's no harm in installing one. I highly recommend you try it out. You will be satisfied.

{Work in Progress}

----------------------
#1:
Here's some "achievements" hackers have made:
- do you realise security companies cannot protect themselves either? No matter how they protect their software, hackers can steal it very easily. When a new version is released, it is not uncommon that hackers can crack its protection within a short period (eg 24 hours). It is really hard to imagine how all these crazy things can happen all the time.

- do you realise there is news that hackers managed to steal 40 million credit card numbers? It is already too late when they discover that.

- in case you don't know what hackers can do, http://www.pcworld.com/resource/bro...x,1,pg,1,00.asp is a good start. There are more advanced articles about hackers elsewhere. You may google them yourself.


#2:
Let me tell you briefly why hackers can hack you simply if you are online:
- if you are online, they can manage to find you easily with lots of free hacker tools available on the Internet.
- Windows vulnerabilities can be exploited to intrude into your system. There is no need to do anything except be online to be intruded.
- malicious code embedded in email, webpages etc. All you need to do is read email or browse websites as usual. Note that malicious code can even affect the display of a legitimate website and you may get trapped and infected/intruded.
- beginner hackers can still manage to hack your computer since 1) there are free handy hacker tools available for beginners 2) there are also articles available on the Internet for them to hack you
So the best way to help you minimize the threats exploited on the Internet: you should install security software AND it has to be good in order to stop most attacks, and save you from trouble.

HandsOff
September 3rd, 2005, 06:23 PM
Wai Wai -

Nice post, with a refreshing determination not to get too much in depth, nor lose sight of the objective. I would cry foul for answering your own post, and not adhering to your own guidelines, if you had not written the clause dealing with not being afraid to post, and don't be constrained by the guidelines. I have a feeling you may be more familiar with the details of how Windows works than I am, however I will attempt to add a couple other reasons.

By the way, your article should provide enough reason to motivate any doubters that they should have a firewall. Mine just reflect areas that have caused problems for me at times:

- The interface for setting the firewall on or off (sp1) requires prior knowledge of where and how to do so and several steps. and...

- You do not have a tray icon to indicate whether the firewall is activated or not, and...

- The firewall is a service that depends on other services that have to be enabled in order for it to run. This means that you have to run additional services that (in my case) I did not need for anything else.

- Since the default firewall (sp1) setting is off, I would not be the least bit surprised if some updates return it to the default off, and as I said there is no tray icon so you may not be aware of its deactivation.

- I think it is perfectly legitimate to point out it is made by Microsoft, since Microsoft has demonstrated, time and again, a willingness to subordinate the clients security to their own interests.


Question: Is the built in firewall listed as firewall in the taskmanager, or does it just have some generic name that makes monitoring your processes that much more difficult? I will prolly know the answer soon since I happen to be experimenting with ICF and related services for an unrelated reason.

Question 2: I have heard two differing views on whether it is desirable to run the Windows firewall in addition to a commercial firewall. Is this a definite no, no?


- HandsOff

Notok
September 3rd, 2005, 06:29 PM
I personally wouldn't rely on the Windows Firewall either, but you have to admit that for the millions of users that can't handle a real firewall and have never even considered installing a better one, it's better than nothing for sure. At the very least it will keep the majority of worms out.

CrazyM
September 3rd, 2005, 07:39 PM
-{ Quote: " - Windows Firewall(WF) only has inbound protection, but not outbound protection." }-
What criteria are you using for what a firewall should or should not do? Are you suggesting a good firewall has to have outbound application control? The definition of firewall nowadays will be as varied as the number of users.

-{ Quote: " - As to inbound protection, it is still worse than all other famous Firewalls." }-
Perhaps you could follow your own guidelines and provide details as to where inbound only protection is lacking compared to other firewalls.

-{ Quote: " According to nowadays' techniques, it is not difficult for a hacker to bypass this flawed firewall and intrude into your system easily AND without you noticing. You may never notice that you got hacked/intruded, or that your computer is implanted with trojans/backdoors etc." }-
Intrude how, inbound through the firewall? As for trojans or other malware being implanted how is this the job of the firewall? This will usually result from user interaction (downloading unknown software/opening attachments), is this not the job for your AV?

-{ Quote: " New MyDoom knocks through Windows weak firewall
http://www.pcpro.co.uk/news/63211/n...rewall+firewall" }-
If you run with Administrator privileges then the Windows Firewall exceptions can be modified by third party software, which includes malware. This is a sore point with many and can be mitigated by using a limited account for regular use. Using a limited account also helps prevent malware from being able to install in the first place.

-{ Quote: " Critical hole found in Windows XP SP2 firewall
http://www.pcpro.co.uk/news/67270/c...rewall+firewall" }-
This was patched some time ago.

-{ Quote: " Conclusion
Windows Firewall is a misnomer.
Using it is no different from shutting the door without locking it." }-
I disagree. The Windows Firewall serves its purpose in providing basic protection to systems/users who would not have otherwise installed a third party software firewall or those that may only want inbound protection. For those that want more out of a firewall, there is plenty to choose from.

Regards,

CrazyM

FatalChaos
September 3rd, 2005, 10:26 PM
well for one I think a major flaw is that it can only protect against inbound connections, which means trojans will bypass it with ease. Secondly, it doesn't provide protection against attacks (like Kerio or Outpost does). Third, as stated before, it has been exploited before. Also, it can't limit port ranges for programs and is not very customizable, which means it will be less flexible to your needs. Fourth, as shown before hackers are looking for exploits in the Windows firewall, because usually people who use it are not experts at security and tend not to be well protected. However, hackers rarely ever look for or find major exploits in third party firewalls. Finally, the firewall is almost never updated, which means it can't adapt to hackers using new techniques.

CrazyM
September 3rd, 2005, 11:29 PM
-{ Quote: "well for one I think a major flaw is that it can only protect against inbound protections, ..." }-
Not a flaw, it was never intended to deal with outbound control. If outbound control is something you want, then the Windows Firewall is not the one for you.

-{ Quote: "... which means trojans will bypass it with ease." }-
Is there any guarantee that a third party software firewall will see this trojan? If you have allowed this trojan (unknown/untrusted .exe) to run, how much security do you have once your system has been compromised?

-{ Quote: "Secondly, it doesn't provide protection against attacks (like kerio or outpost does)." }-
What kind of attacks?

-{ Quote: "Third, as stated before, it has been exploited before. Also, it can't limit port ranges for programs and is not very customizable, which means it will be less flexible to your needs." }-
Again, something it was not designed to do and not the choice for those that want this kind of ability/configuration in their firewall.

-{ Quote: "Fourth, as shown before hackers are looking for exploits in the Windows firewall, because usually people who use it are not experts at security and tend not to be well protected. However, hackers rarely ever look for or find major exploits in third party firewalls." }-
Trojans, viruses, malware will target well known Windows services as well as third party security applications (AV's, firewalls, etc.), but need to make their way on to your system and be run.

-{ Quote: "Finally, the firewall is almost never updated, which means it can't adapt to hackers using new techniques." }-
Inbound only configuration/exceptions, permit all outbound, not much to update there.

You just need to know the limitations of the Windows Firewall. If you want more, you can always use something else.

Regards,

CrazyM

MikeNash
September 3rd, 2005, 11:46 PM
The command line interface.

Already there are malicious applications in the wild that drop an exe, and then use the command line interface to give the exe they just dropped nice permissions.

While the settings can only be modified by an administrator, most home users still run as admin.

ghost16825
September 4th, 2005, 03:51 AM
I find posts like these mildly amusing to say the least.

-{ Quote: "According to nowadays' techniques, it is not difficult for a hacker to bypass this flawed firewall and intrude into your system easily AND without you noticing. You may never notice that you got hacked/intruded, or that your computer is implanted with trojans/backdoors etc.
"Nothing seems to happen" does not equal safe. Rather it is just a false sense of security.
How easy is it? Well, it is difficult to answer since different people have different value judgements. But I would say even a beginner hacker can do so if he can reach some free hacker tools, or is willing to search for freely available hacker articles." }-

I'd really like to know how to perform these mysterious 'voodoo' acts, voodoo because it really sounds like some kind of magic with the details just abstracted away, because they are, of course, not important it seems.


-{ Quote: "If using XP2 Firewall, none of the leak attacks can be blocked." }-

Wow, I wouldn't have expected that....from an inbound only firewall!

Wouldn't it have been much easier to just say "ICF is not a good firewall because it does not have outbound protection" without the added nonsense/fictional padding?

HandsOff
September 4th, 2005, 04:28 AM
I will attempt to restate the foregoing points in outline form:

Wai, Wai: Are there compelling reasons to scrap XP's built-in firewall, or does the appearance of a growing industry that seems to be distributing a whole lot of firewalls to people that already have them point to the gross inadequacy of Microsoft's firewall?

----------
Intermission
----------

Wai Wai: and the answer is, drum roll please...
XP's firewall is not a very good value for the price...which is zero.

HandsOff: Nice of you to point that out, Wai Wai, I wish I had found that out sooner than I did. (A wish that untold thousands have probably made). You may have noticed that there is a very understated control interface for XP's firewall. Continuing unobtrusively, in this distinctly unMicrosoft-like fashion, the firewall does not presumptuously assume that you would even want it to run. Therefore it sits, silently, out of sight, as alone and dejected as a Maytag repair man, as all manner of atrocity is committed against who knows how many unsuspecting victims. As they say, discretion is the better part of valor.

Notok: You wouldn't catch me using it a second longer than necessary, however, it is better than nothing. (good point!)

CrazyM: I have heard some hints that Microsoft's firewall sucks. What are you using as a standard to compare it with? Are you merely comparing its capabilities with the capabilities of the other firewall choices that one could make? Are you muddying the waters by pointing out that competing products provide better protection against malware? Those things are beside the point, I say! Microsoft built its firewall so that it does what it does, no more, no less. Since you must admit that it does what it does, you are as much as confirming that it is a Microsoft firewall. When you think of it this way it performs flawlessly. Let's not drag port stealthing, custom blocking, recognition of patterns matching known exploit behavior, intrusion detection, port assignment and monitoring, event logging, ongoing development or any other protection past, present, or future that any other firewall has to offer its users into this. Those things are irrelevant as long as you just force yourself to embrace a particular definition; you will see, in the end, that Microsoft's firewall is the true, old-school, no nonsense firewall.

I will grant you that there was a hole in Microsoft's firewall, but, dammit, they fixed it! Well okay, I know that won't help people who didn't get the patch for whatever reason. I know that such people are probably screwed even as I write this, but for our purposes ... they don't count.


FatalChaos: MSF is better than nothing, however, allow me to point out that there are better options out there. Compared with other firewalls they...

CrazyM: Don't start rattling off what other features are enjoyed by the users of non-Microsoft FWs. It's not being a good sport to point out that these others didn't have to wait for Microsoft security patch number 57 billion in order to be protected. After all, who in their right mind would have even guessed that a Microsoft product would have vulnerabilities. It was just stupid blind luck that these people looked elsewhere to secure their computers. Also bear this in mind: If you create and use an additional user account with limited privileges, you can trade inconvenience and waste time instead of putting yourself at risk. In fact, if you want to go that extra yard, don't use your computer at all! Watch TV instead.

MikeNash: People are going to continue to use administrator accounts. And even if they didn't they will still be marked for death so long as they look to Microsoft's firewall as a pillar of their security.

HandsOff: Well, I still don't think you should use Microsoft's firewall in conjunction with your own third party firewall. And, bad as the unimposing sp1 firewall was, at least it had good manners. Something definitely lacking in the sp2 iteration.

---

That was just for fun. I hope I didn't go too far. Crazy-M is THE authority on firewalls, as far as I am concerned. And I mostly admire the champions of hopeless causes. Now his sense of humor is being put to the test. Could this be his achilles heel? I do know MS firewall should be invoked the second someone finds their first line firewall is down, or before they have a chance to install a firewall, or if they are simply morons who don't want to install another firewall. I think Crazy-M and Notok are right to emphasize that the firewall we love to hate is also the one firewall that will always be there. And Notok, I do recall your references to doing so in your guidelines for securing XP. And Crazy-M, I have downloaded and studied the ebook on NPF and related firewalls that you co-authored. Probably most of the protection that my firewall provides would not be there if I were running the default settings. And I was using the default settings until I read your posts and your book.

Is it just my imagination, or are security programs a) getting easier to install, and b) installing with weaker default settings? If this keeps up we will all end up with firewalls already built in, that are set to do nothing.

Back to the Future!


HandsOff

Wai_Wai
September 4th, 2005, 01:03 PM
-{ Quote: "At the very least it[Windows Firewall] will keep the majority of worms out." }-

This point is doubtful. According to firewall tests, even the best firewall misses 50% or more in leaktests. So it has some good indicators (Note that I say good indicators![#1]) that Windows Firewall will not keep most worms out. Anyway, I think I should confront what I said, so I save the details and not digress.

EDIT:
#1: I know the results of leaktests are not directly related to worms. However from the poor results obtained in leaktests, it may give us some good indicators that similar things can happen with worms where they manage to bypass the firewalls in other ways. That's why I say "good indicators".

abhi_mittal
September 4th, 2005, 01:42 PM
Wow! Extremely informative thread...never knew that WinXP SP2 Firewall is so shoddy!

FatalChaos
September 4th, 2005, 03:11 PM
-{ Quote: "Not a flaw, it was never intended to deal with outbound control. If outbound control is something you want, then the Windows Firewall is not the one for you.


Is there any guarentee that a third party software firewall will see this trojan? If you have allowed this trojan (unknown/untrusted .exe) to run, how much security do you have once your system has been compromised?


What kind of attacks?


Again, something it was not designed to do and not the choice for those that want this kind of ability/configuration in their firewall.


Trojans, viruses, malware will target well known Windows services as well as third party security applications (AV's, firewalls, etc.), but need to make their way on to your system and be run.


Inbound only configuration/exceptions, permit all outbound, not much to update there.

You just need to know the limitations of the Windows Firewall. If you want more, you can always use something else.

Regards,

CrazyM" }-

1) I'm just pointing out the WF flaws, and this is one of them. Sure it was never designed to do this, but that's like saying XP was never designed to be secure. Still a bad thing :).

2) no guarantee that the firewall will 100% prevent the trojan from doing harm, but it's got a lot better chance of preventing the trojan than Windows Firewall.

3) DoS attacks, WinNuke attacks, etc. You can find lists in Kerio Personal Firewall NIPS and Outpost Attack Prevention or w/e plugin.

4) True, but this is still a reason why you shouldn't use WF.

5) And if they do make their way onto your system, you had better be prepared. Plus exploits found in third party AVs and firewalls tend to be less widespread

6) I realize that windows firewall was never designed to do all these things and most of these problems are not glitches but rather design limitations, but i feel these design limitations are all reasons that WF is not very good.

Notok
September 4th, 2005, 03:14 PM
-{ Quote: "This point is doubtful. According to firewall tests, even the best firewall misses 50% or more in leaktests. So it has some good indicators (Note that I say good indicators!) that Windows Firewall will not keep most worms out. Anyway, I think I should confront what I said, so I save the details and not digress." }-Leaktests test the ability to block trojans connecting out once they're already in.. you do know what a worm is and how they work, right? If the netstat ports are blocked from any incoming traffic, then you are safe against most network worms.

-{ Quote: "But it appears you do not understand much about Firewall if judging only from your replies " }-Wai Wai, you would be seriously well advised to take a step back here and reassess things here.. you can't seriously think that you know more than an accredited expert on the subject?

Your argument could just as well be applied to an external hardware firewall.. which is no less a firewall than your software one (some would argue that it is more so than a software fw). I guess the question is; where are you really trying to go with this?
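Notok's distinction above (leak tests measure what connects out once something is already on the box; network worms arrive inbound against listening ports) is exactly the split a defender can read off the firewall's own log file. The following is an added example, not code from any post in this thread: a small Python parser for the Windows Firewall log (pfirewall.log), which reads the W3C-style `#Fields:` header rather than assuming a column order. The sample log lines, the local address 192.168.1.20 and the list of "expected" outbound ports are constructed for the example. It counts the inbound DROP entries by destination port (the protection everyone in the thread agrees the firewall provides) and separately lists the OPEN entries from the local host outward: connections the firewall passed without inspection, which it only writes to the log when successful-connection logging is switched on, so reviewing that list is the only outbound visibility the built-in firewall offers.

```python
"""Summarise a Windows Firewall log (pfirewall.log) for a defender's review.

Added example for this thread, not code from any post in it. It assumes the
W3C-style layout of the XP SP2 firewall log: comment lines start with '#',
and a '#Fields:' line names the whitespace-separated columns. The parser
reads that header instead of hard-coding the column order, so a log whose
field list differs from the sample below still parses.
"""
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample log (not a real capture). 192.168.1.20 is the assumed
# local host; the other addresses come from documentation ranges.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2005-09-03 17:08:01 DROP TCP 203.0.113.9 192.168.1.20 4567 135 48 S 1234 0 65535 - - -
2005-09-03 17:08:02 DROP TCP 203.0.113.9 192.168.1.20 4568 445 48 S 1235 0 65535 - - -
2005-09-03 17:08:05 DROP UDP 198.51.100.7 192.168.1.20 1026 137 78 - - - - - - -
2005-09-03 17:09:10 OPEN TCP 192.168.1.20 198.51.100.50 1042 80 - - - - - - - -
2005-09-03 17:09:12 OPEN TCP 192.168.1.20 203.0.113.200 1043 6667 - - - - - - - -
2005-09-03 17:09:20 CLOSE TCP 192.168.1.20 198.51.100.50 1042 80 - - - - - - - -
"""

# Assumed set of outbound destination ports this host is expected to use.
EXPECTED_OUTBOUND_PORTS: Set[str] = {"80", "443", "25", "110", "53"}


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn log text into a list of {field: value} records.

    Lines whose column count differs from the '#Fields:' header are skipped
    (a half-written last line is normal while the firewall is still logging).
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        parts = line.split()
        if not fields or len(parts) != len(fields):
            continue
        records.append(dict(zip(fields, parts)))
    return records


def summarize(records: Iterable[Dict[str, str]], local_hosts: Set[str]) -> Dict[str, object]:
    """Separate what the firewall blocked inbound from what it passed outbound.

    DROP with a local dst-ip is unsolicited inbound traffic the firewall
    stopped. OPEN with a local src-ip is an outbound connection it allowed
    without inspection; such lines exist only if 'log successful
    connections' was enabled, and they are the only outbound record you get.
    """
    inbound_drops = Counter()
    outbound_opens: List[Tuple[str, str]] = []
    for r in records:
        if r.get("action") == "DROP" and r.get("dst-ip") in local_hosts:
            inbound_drops[r.get("dst-port", "?")] += 1
        elif r.get("action") == "OPEN" and r.get("src-ip") in local_hosts:
            outbound_opens.append((r.get("dst-ip", "?"), r.get("dst-port", "?")))
    # Outbound destinations on ports this host is not expected to use are the
    # ones worth a closer look, since the firewall itself will never flag them.
    unexpected = [dst for dst in outbound_opens if dst[1] not in EXPECTED_OUTBOUND_PORTS]
    return {
        "inbound_drops_by_port": inbound_drops,
        "outbound_opens": outbound_opens,
        "unexpected_outbound": unexpected,
    }


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG), {"192.168.1.20"})
    print("Inbound drops by destination port:", dict(summary["inbound_drops_by_port"]))
    print("Outbound connections the firewall passed:", summary["outbound_opens"])
    print("Outbound destinations worth reviewing:", summary["unexpected_outbound"])
```

On the constructed sample the DROP lines land on ports 135, 445 and 137, the kind of unsolicited inbound traffic the thread's worm discussion is about, while the OPEN line to port 6667 shows up only in the outbound list: the firewall recorded it but did nothing about it, which is the point Wai_Wai and CrazyM are arguing over from opposite sides.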

dog
September 4th, 2005, 03:32 PM
Wai Wai your last post was removed ... the thread starter does not have ownership of the thread, whatever is posted has a public ownership - And any decision in regards to content moderation is Wilders' ... We have moderators in place to maintain our standards, and it will be done by us.

Any post with the content of the one removed will also be removed.

Regards;

Steve

Notok
September 4th, 2005, 04:59 PM
The thing you have to remember is that the Windows Firewall is designed for the people that don't know anything about firewalls, and many times don't even know how to install or configure a third party one. For those people, the Windows Firewall is probably the best solution, with the exception of maybe an SPI router that someone can set up for them. Of course that person really should set up a limited user account for those folks, but that doesn't happen much either. Most of the people on this forum know enough to use a third party firewall, if not then they generally know what they're doing.. but for the tons of users that don't run anything at all, the Windows Firewall is a very good start. I don't think many will argue that the Windows Firewall leaves a lot to be desired in comparison to many other third party ones, but for the non-technical user it may, in fact, be the best choice. If Windows Vista ships with a bi-directional firewall then I expect that we can see a big shift in third party firewall design, as what we know to be firewalls now will probably become just as vulnerable, and so on it goes.. there will probably be a repeat of this thread topic with entirely different content.

HandsOff
September 4th, 2005, 05:01 PM
Hi Dog-

I hope I did not offend anyone with my posts. I don't even say I don't agree with what anyone has said. I only try to express how it seems to me, and I am fully aware that disagreeing often reveals my ignorance. I can live with that. If I don't say what I don't agree with, then I am not better off than before I read a response. On the other hand, if I appear not to weigh expert advice carefully, then I wouldn't expect anyone to bother responding.

I know a little about firewalls. Enough to know that Crazy-M, Notok, and Ghost should all be regarded as experts.

I hope I did not fan the flames.

Where I am going with this is:

- XP's firewall lacks many features found in other firewalls
- The features are of little value if you do not understand what they do and how to customize it for your needs.
- The best way to find out is to ask a specific question right in this forum. I can tell you for a fact the makers of my product will not answer your question unless you pay them extra to do so!
- It's fun to criticize what we think are inferior products to what we use, but I try to come prepared to learn.

Dog mentioned something in the antivirus forum how quickly things can evolve into a battle. And I was surprised to realize I was starting to simmer. Don't let this happen to you.

And my hat is off to Crazy-M and Notok because they have given freely of their knowledge. Not just in the forum but providing additional content that I will use as a resource long after this thread has been forgotten. Anybody can figure a firewall out if it is important to them. Not just anyone could raise the awareness of countless people. I truly respect them for what they have done. Everyone says, thank you, or thanks in advance. I don't know how to say it differently. Crazy-M, thank you. Notok, thank you.

- HandsOff

HandsOff
September 4th, 2005, 05:10 PM
-{ Quote: " Of course that person really should set up a limited user account for those folks, but that doesn't happen much either. " }-


Okay, Okay...It doesn't take a truckload of bricks dumped on my head to get me to thinking. I of course will follow your advice. At some point it may happen that I present this as my idea!

- HandsOff

mem1
September 4th, 2005, 05:34 PM
On setting up a limited user account:
http://blogs.msdn.com/aaron_margosis/archive/2004/06/17/158806.aspx

May not agree with all that's presented but food for thought.

BlueZannetti
September 4th, 2005, 05:41 PM
There's one generic point to make, it is clearly germane to the present firewall discussion, but it is pertinent to a discussion of any security application: a high degree of configurability and power is a sharp double-edged sword. I can't recall the number of times I witnessed threads in which new and naive users to firewalls have effectively shut down connectivity in one, multiple, or all applications simply because they did not appreciate the detailed operation and nuances of the tools they were using. If you are trying to design for the mass market, as MS is, there is a downside to some types of functionality.

Within the scope of its design and purpose, the native XP firewall is fine. My own recommendation would be to dispense with the XP firewall and rely on the functionality of a hardware router. I'd also recommend that course to any other user prior to their installation of any complete software firewall. In fact, I view software firewalls as a completely optional component in any security set-up if a decent hardware router is employed. Off hand, I can think of only one circumstance in which I'd qualify this recommendation.

Blue

Wai_Wai
September 4th, 2005, 05:47 PM
Now it seems people are talking about the point that "Windows Firewall is designed not to have Feature XX, eg outbound protection, security configuration" should or should not be a defense against the claim that "Windows Firewall is bad since it has no outbound protection". Apparently it seems to be a valid discussion, but it is indeed a value judgement in my opinion.

The fact is here - Windows Firewall provides NO SINGLE outbound protection or any other features mentioned above, which are fundamental to network security precautions (it may not be true for real security experts. Anyway some of them may even think anti-virus is not necessary).

It is up to you to make your own value judgement that if these points are justified as "classifying Windows Firewall as bad/ineffective" in any perspective.

So it would be great if you make another thread to discuss this particular point, should you wish to.

Notok
September 4th, 2005, 05:47 PM
-{ Quote: "- XP's firewall lacks many features found in other firewalls
- The features are of little value if you do not understand what they do and how to customize it for your needs.
- The best way to find out is to ask a specific question right in this forum. I can tell you for a fact the makers of my product will not answer your question unless you pay them extra to do so!
- It's fun to criticize what we think are inferior products to what we use, but I try to come prepared to learn.

Dog mentioned something in the antivirus forum how quickly things can evolve into a battle. And I was surprised to realize I was starting to simmer. Don't let this happen to you." }-

That's a very good summary, IMO.. and the second point is worth repeating. :) (thanks for the kind words, too.. very much appreciated, although I don't know about the expert part :) )

-{ Quote: "Okay, Okay...It doesn't take a truckload of bricks dumped on my head to get me to thinking. I of course will follow your advice. At some point it may happen that I present this as my idea!" }-

Hehe, I just don't understand why those that build/repair computers don't do this for the 'ma & pa' types that only want to surf the internet and read their email.. no reason those types can't do so under a limited user account. I did this on the 'in-law's' machine a while ago, and they really haven't had any problems with the (otherwise) most basic setup.

-{ Quote: "On setting up a limited user account:
http://blogs.msdn.com/aaron_margosi.../17/158806.aspx

May not agree with all that's presented but food for thought." }-

Awesome link, thanks!

BlueZannetti
September 4th, 2005, 06:10 PM
-{ Quote: "The fact is here - Windows Firewall provides NO SINGLE outbound protection or any other features mentioned above, in which it is fundamental to network security precautions .... " }-

Wai_Wai,

Since there are alternate ways to operationally deal with this, it's a bit of a leap to state that it is a fundamental aspect of network security. In fact, this strikes at the implicit premise of your thread - that you can render an assessment of the appropriateness of any single component of a security set-up in isolation. Simply put, you can't, it's a flawed premise from the start.

Since there are multiple components working in unison in any coherently considered security set-up, you really do have to examine the entire assembly to render a judgement on functional fitness.

Blue

ghost16825
September 4th, 2005, 08:31 PM
-{ Quote: "This point is doubtful. According to firewall tests, even the best firewall miss 50% or more in leaktests. So it has some good indicators (Note that I say good indicators![#1]) that Windows Firewall will not keep most worms out. Anyway, I think I should confront with what I said, so I save the details and not to digress.

EDIT:
#1: I know the results of leaktests are not directly related to worms. However from the poor results obtained in leaktests, it may give us some good indicators that similar things can happen to worms where they manage to bypass the firewalls in other ways. That's why I say "good indicators"." }-

No, this is completely wrong. Worms need a) inbound access to infect machines and b) outbound access to infect others. Leaktests test outbound access only. Leaktests results are not an indicator of inbound worm protection. The main reason for Microsoft's increasing emphasis on ICF is that it is very good at mitigating worm outbreaks on the network. I really haven't seen any detailed inbound tests against ICF using a packet mangler to indicate otherwise.

WSFuser
September 4th, 2005, 09:17 PM
Is this old news? If not, is it serious:

Windows Firewall Flaw Hides Open Ports (http://www.betanews.com/article/Windows_Firewall_Flaw_Hides_Open_Ports/1125675279)

CrazyM
September 5th, 2005, 12:08 AM
-{ Quote: "Is this old news? If not, is it serious:

Windows Firewall Flaw Hides Open Ports (http://www.betanews.com/article/Windows_Firewall_Flaw_Hides_Open_Ports/1125675279)" }-
The part about the registry is new, what can be done when running as Admin is not. As noted earlier in the thread when running with Admin account any program, including malware, can make changes to the Windows Firewall.

Regards,

CrazyM

CrazyM
September 5th, 2005, 12:22 AM
-{ Quote: "- The firewall is a service that depends on other services that have to be in abled in order for it to run. This means that you have to run additional services that (in my case) I did not need for anything else." }-
Bit of a moot point I think as any software firewall is going to require additional services/processes.

-{ Quote: "Question: Is the built in firewall listed as firewall in the taskmanager, or does it just have some generic name that makes monitoring your processes that much more difficult? I will prolly know the answer soon since I happen to be experimenting with ICF and related services for an unrelated reason." }-
The Windows firewall is dependent on a few services as well as starting its own. Most will be included in one of the svchost entries, others like the Application Layer Gateway (alg.exe) will show on their own in Task Manager. This should provide you with a little more detail: Windows Firewall Technical Reference - How Windows Firewall Works (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/6490c9fc-6c06-4304-b61c-5577af1445d0.mspx). With SP2 the Security Center and/or control panel are the easiest ways to monitor the firewall.

-{ Quote: "Question 2: I have heard to differing view on whether it is desirable to run the windows firewall, in addition to a commercial firewall. Is this a definite no, no?" }-
MS recommends not running the Windows Firewall if using a third party one.

Regards,

CrazyM

HandsOff
September 5th, 2005, 11:36 AM
-{ Quote: "Bit of a moot point I think as any software firewall is going to require additional services/processes.


The Windows firewall is dependent on a few services as well as starting its own. Most will be included in one of the svchost entries, others like the Application Layer Gateway (alg.exe) will show on their own in Task Manager. This should provide you with a little more detail: Windows Firewall Technical Reference - How Windows Firewall Works (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/6490c9fc-6c06-4304-b61c-5577af1445d0.mspx). With SP2 the Security Center and/or control panel are the easiest ways to monitor the firewall.

CrazyM" }-


Working sort of backwards,

Crazy-M, first of all thanks for the information, and while it may seem trivial to you those details are bringing me important insight. I can recall many instances of having seen alg.exe running on machines with 3rd party firewalls and it never clicked that they might have the ICF firewall running concurrently.

Secondly, and with all due respect, the point is not moot to me regarding the extra services versus the extra services of another firewall. Again, it may be trivial to you, but from my vantage there is a clear difference between the two scenarios. In instance two, the commercial program is running services that are easily identifiable and are specific to the application. In instance one you are talking about having Microsoft services running where the implications, as far as I know, can affect entirely different things and have effects unrelated to the running of the firewall.

I have studied, at great length, the Microsoft services that are necessary to operate my computer and I must admit, that aside from some of the most notorious (UPnP, etc...) about all I can say is: I need this one or program x won't run, or, shutting this down doesn't seem to have any negative effects. Within that framework, possibly you can understand my (and I clearly am not alone in this) determination to have as few of those services running as possible. However, I am not saying that any or all of the processes related to the firewall are bad. I am saying that some of them I can deactivate without the firewall running.

To Mem1-
Good link...now I don't feel quite so bad as apparently a lot of people were missing how easily this is implemented!

To BlueZannetti-
I am surprised at your position on this a little. While the firewall router has some very strong points, it does not go very far towards diagnosing and monitoring what is going on on your computer. Of course, if we roll back the firewall definition to what Windows' firewall does...then neither does the software firewall. Still, I was so pleased with my firewall router that I took advantage of a special rebate and got another one for my sister. Last I knew it was still in the box :(. I ask about it often, the way I would a dear friend I haven't seen in ages. She has no guilt at all about relegating it to the closet.

To Notok-
Well, let's face it, you are a paid professional working in a clearly related field. More importantly your advice seems to be pretty consistently sound and I can't recall you going into a rampage. I should probably work on sticking to the issues but it does concern me that my dissent not be taken as disrespect.


- HandsOff

BlueZannetti
September 5th, 2005, 01:08 PM
-{ Quote: "To BlueZannetti-
I am surprised at your position on this a little. While the firewall router has some very strong points, it does not go very far towards diagnosing and monitoring what is going on on your computer. Of course, if we roll back the firewall definition to what Windows' firewall does...then neither does the software firewall. Still, I was so pleased with my firewall router that I took advantage of a special rebate and got another one for my sister. Last I knew it was still in the box :(. I ask about it often, the way I would a dear friend I haven't seen in ages. She has no guilt at all about relegating it to the closet." }-

HandsOff,

I guess that, in a way, makes my point. With a separate piece of hardware, once it is installed, that is it. Have a problem with the install? No problem, just unplug the components, reconnect, and restart. The installation instructions can be understood by anyone. There is no issue with software compatibility, no issue of system load, no updates unless you want to reflash the firmware, and as wireless becomes more prevalent, it will be the norm for any home installation anyway.

I simply can't imagine a casual user pulling firewall logs to monitor and/or diagnose what is happening on their PC. I've never felt the need to do that myself either. They can be useful, but let's revisit the topic here. We're talking about the native Windows firewall - almost by default that puts us in the domain of the casual user.

Although there are numerous applications which provide information of your system operations in exquisite detail and provide notifications for nearly every byte passing through the CPU, I sit on the opposite end of the spectrum. I search out options that are powerful, but do not weigh you down with notification, that don't require extensive setup/configuration/learning to use, that are as set-and-forget as possible, but at the same time provide comprehensive coverage. I then trust these applications to work as they are designed and only infrequently check their status. With 5 PC's at home spread among 4 of us, I simply don't want to spend my time as the local support guru.

My experience is that I don't need to spend a lot of time monitoring and diagnosing what's going on with the other PC's, since I've done that wringing out and stress testing on my own PC and configured the other installs with that information in mind.

There are lots of ways to approach the diagnostic/monitoring question, for example, each of my home PC's has Port Explorer installed (well, it didn't start that way - these are TDS3 conversions....). If I want to look at connections, I can use that, but I typically approach things from a process perspective. Worried about network traffic going through the roof due to one machine being hijacked? Well, my own PC runs a process which periodically polls the network router and downloads traffic load statistics once a minute or so. I'll know if something is seriously out of whack on the infrequent times I check aggregate traffic, but well before that time I would expect a comment on system responsiveness. I end up with a similar end result, but my path is different than the one followed by those focused on firewalls. Both paths work, but I feel the one I've taken is more suited to the casual user.

Blue

HandsOff
September 6th, 2005, 09:34 PM
-{ Quote: "HandsOff,


I simply can't imagine a casual user pulling firewall logs to monitor and/or diagnose what is happening on their PC. I've never felt the need to do that myself either. They can be useful, but let's revisit the topic here. We're talking about the native Windows firewall - almost by default that puts us in the domain of the casual user.


Blue" }-


Actually, our philosophies are almost identical. And I'm sure most casual users don't. The thing is my firewall logs are tied into the same viewer as the antivirus and the adblocking. It just sort of evolved that since I would want to read any detail about a virus, I would glance at the other logs while I was there. Later I got interested in identifying the remote sources of possible attacks. This was sort of a waste of time but I did notice that you could tell by the address what countries they were from, which I found interesting. I despise advertisers so I found myself trying to identify ads that I couldn't block to see if I could block them through some rule. Another waste of time, but I did notice some stuff...and on and on.

Now I don't pore over them to study anything but it no longer seems odd to go to the firewall logs first when I think some malware has installed just to look quickly for activity. I don't claim to solve problems with the logs. I just like to know what's going on.

I would think you would use at least some logs like I do. Just to see if something is there...a few seconds at the most. Anyway, I do, and I am nowhere near a sophisticated user.


-HandsOff

Wai_Wai
September 9th, 2005, 02:16 PM
-{ Quote: "Wai_Wai,

Since there are alternate ways to operationally deal with this, it's a bit of a leap to state that it is fundamental aspect of network security. In fact, this strikes at the implicit premise of your thread - that you can render an assessment of the appropriateness of any single component of a security set-up in isolation. Simply put, you can't, it's a flawed premise from the start.

Since there are multiple components working in unison in any coherently considered security set-up, you really do have to examine the entire assembly to render a judgement on functional fitness.

Blue" }-

Yes, I agree with what you say.

By the way, let me tell you the purpose of the above post & my article as well. The points are:
- if you read carefully, I have stated this (...it may not hold true for security experts. In their cases, some of them may even claim anti-virus is not fundamental)
- the whole article is not intended to cover the rare/extreme cases or for experts. It is for beginners and advanced users.

- My 2 cents: In this regard, I think it is unwise to keep stressing on the fact that outbound protection can be NOT fundamental in some cases. This will give newbies/beginners an illusion or misunderstanding that it is not needed.

- By the way, it seems we all make these kinds of misunderstanding. When we see someone say "XX has Function A, B and C. In conclusion, it is very useful." we tend to feel that the author wrongly thought that XX is flawless, and argue that, "You are wrong! XX is not 100% useful, and blah blah blah..."
From the statements alone, the author doesn't ever claim XX is flawless.


After all, thanks for pointing this out.
The info is useful. :P

Wai_Wai
September 9th, 2005, 02:43 PM
-{ Quote: "No, this is completely wrong. Worms need a) inbound access to infect machines and b) outbound access to infect others. Leaktests test outbound access only. Leaktests results are not an indicator of inbound worm protection. The main reason for Microsoft's increasing emphasis on ICF is that it is very good at mitigating worm outbreaks on the network. I really haven't seen any detailed inbound tests against ICF using a packet mangler to indicate otherwise." }-

Good points. I completely agree with you.

By the way, let me tell you the purpose of the above post. Let's try to explain by analogy:
- Someone asks me if a student can score highly in maths test.
I told someone, "Hey man! The student was lazy. See how it performed at English and Biology - all failed!! I don't expect it is going to perform well at Math."
Someone, "That's completely wrong, buddy! Math is completely different from English and Biology. They are different subjects which require different knowledge. Your claim is definitely wrong!"

- I reach my hypothesis by indirect inference. What I would like to say is, based on the facts that the student performed poorly at English and Biology, the likelihood is it's going to perform poorly again at Math. The relationship is indirect, but it is still one kind of reasoning, which has its advantages and disadvantages.

- By the way, although the someone made a good point that they are different subjects, it made a mistake to jump immediately to the conclusion that my estimation is definitely wrong. The correct answer is my estimation can be correct or wrong, but there is higher likelihood for it to be correct.

===============

- I do wish to read some in-depth tests on inbound protection, so I can have direct proof/reference to this hypothesis. Currently, it seems testers focus on outbound protection of firewall ONLY (since I can't find even 1 test about inbound protection). But I could be wrong.

- After all, I would like to apologise that this post appears to be very misleading, leading people all on the wrong track (the EDIT won't work to make my purpose of this post clear). It seems the word "indicator" doesn't carry enough meaning to mean it is just a performance guess on another aspect by method of probability.

After all, thanks for your points and info.
They are very useful. :P

Wai_Wai
September 9th, 2005, 03:20 PM
-{ Quote: "is this old news? is not, is it serious:

Windows Firewall Flaw Hides Open Ports (http://www.betanews.com/article/Windows_Firewall_Flaw_Hides_Open_Ports/1125675279)" }-

Interesting find.
It was found on Sep 2, 2005. Very new.

According to what it says, an exception could be created that would open a hole in the Windows Firewall, allowing an attacker access to the computer. But in order to exploit this hole, administrator privileges are required so that one can access the target portion of the Windows Registry.

The hole was recently found, so it is still open and valid (I haven't noticed a Windows Update in Sept; I don't think it has been fixed).

As to the question whether it is a security flaw, it is up to you to decide. The fact is there's a flaw that will open up a hole which allows hackers to exploit freely on condition that you run as an admin account.

If you use Windows Firewall, the best workaround is not to use an admin account. Although this will eliminate the exploit of the hole (the hole is still there, but hackers most probably cannot exploit it), it doesn't mean using a limited account will eliminate the possibility of ALL exploits. [Don't make me wrong or misinterpret this statement.]

By the way, I find the following post interesting:
-{ Quote: "
Microsoft: "yes, the flaw is there and it will create a hole - however, this isn't a security issue"
Public: "what would you call it then ?"
Microsoft: "A hidden feature? :)"
Public: "Sorry, but anything that opens up a hole in a system allowing unauthorized access is indeed a security issue"
" }-

;D
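
As an added, present-day check that is not part of this thread: the PowerShell below audits the two conditions the post above turns on (whether the session runs with administrator rights, and whether Windows Firewall filters outbound traffic at all), and lists the enabled inbound allow rules that carry no built-in rule group, a rough heuristic for exceptions that were added locally rather than shipped with Windows. It assumes Windows 8 / Server 2012 or later for the NetSecurity cmdlets (Get-NetFirewallProfile, Get-NetFirewallRule and the filter cmdlets); the XP SP2 firewall discussed here has no such cmdlets, and the "empty Group means hand-made exception" rule is an assumption, not documented behaviour.

```powershell
# Added example (not from the thread): audit the conditions the post above discusses.
# Assumes Windows 8 / Server 2012 or later (NetSecurity module). The "no rule
# group" heuristic for locally added exceptions is an assumption, not a spec.

function Test-RunningAsAdmin {
    # The betanews item discussed above needs admin rights to write firewall
    # policy; a limited account is the workaround the thread recommends.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-FirewallPosture {
    # One row per profile. Enabled is an enum, so compare its text, not a [bool] cast
    # (the enum's False member is non-zero and would cast to $true).
    Get-NetFirewallProfile | ForEach-Object {
        $outbound = "$($_.DefaultOutboundAction)"
        [pscustomobject]@{
            Profile          = $_.Name
            Enabled          = ("$($_.Enabled)" -eq 'True')
            InboundDefault   = "$($_.DefaultInboundAction)"
            OutboundDefault  = $outbound
            OutboundFiltered = ($outbound -eq 'Block')   # the thread's main complaint
        }
    }
}

function Get-LocalInboundExceptions {
    # Enabled inbound Allow rules with no Group string. Built-in rules normally
    # carry a '@FirewallAPI.dll,-NNNN' group, so an empty one suggests a hand-made
    # exception (netsh, the UI, or a program running as admin). Heuristic only.
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Where-Object { [string]::IsNullOrEmpty($_.Group) } |
        ForEach-Object {
            $ports = $_ | Get-NetFirewallPortFilter
            $app   = $_ | Get-NetFirewallApplicationFilter
            [pscustomobject]@{
                Name     = $_.DisplayName
                Profile  = "$($_.Profile)"
                Protocol = $ports.Protocol
                Port     = "$($ports.LocalPort)"
                Program  = $app.Program
            }
        }
}

if (Test-RunningAsAdmin) {
    Write-Warning 'Session has administrator rights; firewall policy is writable by anything you run.'
} else {
    Write-Host 'Session is a limited account; the registry/exception hole above is out of reach for ordinary processes.'
}
Get-FirewallPosture | Format-Table -AutoSize
Get-LocalInboundExceptions | Format-Table -AutoSize
```

OutboundFiltered will read False on a stock install, which is the thread's point in one column; the exception list is the thing to re-run after installing software, since anything that ran elevated could have added to it.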

HandsOff
September 10th, 2005, 07:41 AM
-{ Quote: "On setting up a limited user account:
http://blogs.msdn.com/aaron_margosis/archive/2004/06/17/158806.aspx

May not agree with all that's presented but food for thought." }-

-----------------------------------

I also have some doubts about what at first blush looks like a really easy method to live with a limited access account. It is another instance of what I was talking about when I said that when you run a service that requires that other services run then you may be introducing consequences the risks of which might not be easy to assess.

Case in point, the article from above tempts us with the prospect of both enabling Fast User Switching, and the convenience of no password. The thing you may want to consider is that Fast User Switching runs as a dependency of Terminal Services. In an uncharacteristically candid description of Terminal Services from the services.msc dialogues it describes it, among other things, as the underpinnings of Remote Desktop...Well I don't control my computer remotely, and I'd just as soon this feature was not enabled.

BTW, has anyone noticed (how could you not) some of the really stupid names that malware authors used to give their tools. I say stupid because when you notice a file called something like the black plague death bomb or something...it does sort of draw attention to itself. Unfortunately they are slowly becoming more subtle...however...not before I have developed the habit of analysing the names of processes, services, and such to look for clues of evil intent. C'mon, TERMINAL services? Sounds pretty fatal to me! I think I will stick to logging off the old fashioned way.

HandsOff
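
A service dependency walker, added here as an example and not posted by anyone in the thread, for the two service questions raised above: CrazyM's note that the firewall starts its own services, rides in svchost and shows alg.exe separately in Task Manager, and HandsOff's point that Fast User Switching pulls Terminal Services in with it. It uses only Get-Service and Get-Process. The service names MpsSvc (the firewall service on Vista and later), SharedAccess (the XP SP2 "Windows Firewall/Internet Connection Sharing" service), ALG and TermService are supplied here; the thread itself only names alg.exe and "Terminal Services" by display name.

```powershell
# Added example (not from the thread): show what a service drags in with it, and
# what depends on it. Service names MpsSvc, SharedAccess and TermService are
# supplied here; the thread only mentions alg.exe and Terminal Services.

function Get-ServiceDependencyTree {
    # Recursively print the services $Name needs in order to start, indented by depth.
    param(
        [Parameter(Mandatory)][string]$Name,
        [int]$Depth = 0,
        [System.Collections.Generic.HashSet[string]]$Seen = [System.Collections.Generic.HashSet[string]]::new()
    )
    $svc = Get-Service -Name $Name -ErrorAction Stop
    '{0}{1}  ({2})  {3}' -f ('  ' * $Depth), $svc.Name, $svc.DisplayName, $svc.Status
    foreach ($dep in $svc.ServicesDependedOn) {
        if ($Seen.Add($dep.Name)) {   # print each service once even if reached twice
            Get-ServiceDependencyTree -Name $dep.Name -Depth ($Depth + 1) -Seen $Seen
        }
    }
}

function Get-ServiceDependents {
    # The reverse view: which services cannot run unless $Name is running.
    param([Parameter(Mandatory)][string]$Name)
    Get-Service -Name $Name -DependentServices -ErrorAction SilentlyContinue |
        Select-Object Name, DisplayName, Status
}

# 1. The firewall service and everything it needs (MpsSvc on Vista+, SharedAccess on XP SP2).
$fw = Get-Service -Name MpsSvc, SharedAccess -ErrorAction SilentlyContinue | Select-Object -First 1
if ($fw) { Get-ServiceDependencyTree -Name $fw.Name }

# 2. Is the alg.exe process CrazyM mentions actually running, and from which path?
Get-Process -Name alg -ErrorAction SilentlyContinue | Select-Object Name, Id, Path

# 3. HandsOff's question in reverse: what is relying on Terminal Services being up?
Get-ServiceDependents -Name TermService
```

The tree view is the answer to "what else am I running because of this service": anything below the top line is started on the firewall's behalf, and the same walk applied to a third-party firewall's service makes the comparison HandsOff was asking for a side-by-side one rather than a guess.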