Is Windows Firewall "Enough"?

Discussion in 'other firewalls' started by MarcGabi, Feb 19, 2010.

Thread Status:
Not open for further replies.
  1. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    There are 2 groups of people I see: the ones who are paranoid about what's going out, regardless of whether it's malicious or not, who just want full control; and the people who don't care as long as their system stays infection-free and running smoothly and don't care about full control.
     
  2. theblade

    theblade Registered Member

    Joined:
    Feb 12, 2010
    Posts:
    29
    Re-read the post. Malware can make outbound connections completely disguised as normal Windows services once you are infected. Your time is better spent preventing infection in the first place.
     
  3. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    I'm totally in agreement with you. I don't care about my programs connecting to auto-update. I like my privacy, but the CIA hasn't ever come knocking on my door, so I don't think there's any problem letting my apps update on their own and such.
     
  4. markcc

    markcc Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    185
    Location:
    Michigan, usa
    I guess we will just have to disagree on this topic. I want full control in & out, just my preference.
     
  5. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I think the point is, you will never have that....
     
  6. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,869
    Using the Windows firewall on XP is a bit funny; on Vista and above I would say yes, but not on XP.
    But a firewall is only one wheel of the whole security package.
    OA is a good recommendation, but I don't like the ++ part of it.
    I have always had separate parts for firewall & AV.
    Nevertheless OA++ is, beside Kaspersky, the best suite. Get it, test it: 30 days.
    On Win7 I have another combination, but that wasn't the question.
     
  7. wat0114

    wat0114 Guest

    The point is simple: you control (no need to monitor) when and where a so-called trusted process connects. As for malware disguising itself as a trusted process, there's a lot involved before this subterfuge can even occur. If you allow it to sneak past your basic defences, then the firewall is redundant anyway.
     


  8. theblade

    theblade Registered Member

    Joined:
    Feb 12, 2010
    Posts:
    29
    Not sure if you are disagreeing with me or agreeing with me? Regardless, you aren't controlling anything, and Windows Firewall is sufficient for inbound threats.
     
  9. wat0114

    wat0114 Guest

    Yes, I'm controlling the phone-home comms from svchost to the mothership. I "Allow" only when I want to run updates.
     
  10. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Hi Brummelchen.
    Which bit exactly is funny to you?

    If you're referring to Vista and Win7 added outbound control, this bit is disabled by default. You would need to do some manual configuration to set it properly, so some networking knowledge is assumed.

    And a question, if I may - since I often see you post in "other firewalls" board, you specialize in supporting what exactly? Thanks.

    Cheers,
     
  11. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,869
    Last first: I support Becky Internet Mail.
    Those who are with me are also here and gave me that title as an honour.
    Additionally I test a lot of software, in the first place for myself, to have an opinion
    - for myself, for my needs. That may differ from others.

    Winwall: in XP it was implemented afterwards, while in Vista/Win7 it was already there
    from the beginning. Also, since Vista the UAC has been present. So security is more
    deeply implemented than in XP, and so any test of the winwall on XP failed over and
    over again for that reason.
    Unfortunately the control options for the winwall since Vista are poor,
    compared with Windows Firewall Control or Malware Defender.

    Of course security suites offer more security than any winwall. On the other hand
    they need to be installed, they gear into system processes, and they are
    not as deeply layered as the winwall - look at the OSI model.
    In fact you can see that activity when you have two firewalls installed, and
    which one of them is acting first. (My conclusion.)
    Next point - updates: given the basics, how many updates does it need?
    Updates for the security engine - or updates for the engine itself - vulnerability!?

    Compare Online Armor with Outpost or Malware Defender or Windows Firewall Control:
    how many updates, and what for, did they have?
    My idea behind this is that I have to work with a system, not for my system.
    Set it and forget it - for a while.

    Last and important - everything works together; a firewall is only one part.
    You cannot really rely on it by itself; it makes the decisions the user(s) have set.
    Advertising would have us believe "we give 100% security" - they can't.
    Anyway, the user has to fill the gap - with brain - or with another program
    (not with tons of tools he cannot handle).

    OK, now - last - I read an article on the German heise.de; it was about data recovery
    with a self-built recovery CD based on Win7. Lots of tips on how to build and
    implement any possible antivirus tool and other tools.
    Nice so far - but my thoughts:
    - what do I do if a system is really infected?
    - how, and how often, do I recover data?
    - how much time is it worth spending on?
    - how much data do I need to download?
    - how many CDs or DVDs do I need to burn?
    until I have the reward...
    Or do I just download a 50/60 MB ISO from Avira or Kaspersky to determine,
    and use my Acronis, Ghost, whatever backup ISO for backup on an external drive?
    What may be faster and at least less expensive (in time and price)?


    >> you aren't controlling anything and Windows firewall is sufficient for inbound threats.

    What is not present can't be compromised, such as deactivated services
    or programs that are not running or not necessary, which are leaky.

    Great, sorry for a mistake:
    the "Windows Firewall" is based on the Windows Filtering Platform (WFP);
    the latter is always present. The service and frontend of the built-in "Windows Firewall"
    are only additional programs sponsored by Microsoft.
    Malware Defender, PC Tools (!) and Windows 7/Vista Firewall Control use the WFP
    for their work - so they store their own settings; there is NO common place.

    The built-in winwall is only defended by a LUA or the UAC - Malware Defender
    secures itself - no access to running files and processes - nor script-driven
    shutdown, thanks to the password.
     
    Last edited: Feb 27, 2010
  12. theblade

    theblade Registered Member

    Joined:
    Feb 12, 2010
    Posts:
    29
    Point being, svchost can be malware if inbound protection is compromised. "Svchost using 100% CPU" is a common problem after infection; this link is from 2004, when malware was nowhere near as advanced as today (http://www.bleepingcomputer.com/tutorials/tutorial83.html).

    So while you can "control" svchost, only by controlling inbound threats and preventing infection can you ensure that svchost isn't malicious. Back to the original question: Windows Firewall prevents inbound threats and, combined with other methods, is good for a safe and stable system. Particularly for those who don't want to spend money, time configuring and dealing with pop-ups, or extra RAM/CPU on other firewalls.
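    The check a practitioner wants at this point in the thread, added here as an example (it is not code from the thread, from Microsoft or from any poster): list the outbound TCP connections that an svchost.exe process owns and, for each one, verify that the process runs from the real System32 binary, whether its signature verifies, and which services that instance actually hosts. It uses only stock tools (netstat, tasklist, Get-AuthenticodeSignature) and assumes an elevated PowerShell session on Vista/Win7 or later; the function name Get-SvchostConnection is my own choice.

```powershell
# Added example, not code from the thread or from Microsoft.
# Lists ESTABLISHED outbound TCP connections owned by svchost.exe and checks
# whether the owning process is the genuine Windows service host.
# Assumes an elevated PowerShell session (Vista/Win7 or later); without
# elevation, Get-Process cannot read the path of a SYSTEM process.

function Get-SvchostConnection {
    $expected = Join-Path $env:SystemRoot 'System32\svchost.exe'
    $results = @()

    foreach ($line in (netstat -ano)) {
        # netstat -ano columns: Proto  Local Address  Foreign Address  State  PID
        if (-not ($line -match '^\s*TCP\s+\S+\s+(\S+):(\d+)\s+ESTABLISHED\s+(\d+)\s*$')) { continue }
        $remote = $Matches[1]; $port = $Matches[2]; $ownerPid = [int]$Matches[3]

        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        if (-not $proc -or $proc.ProcessName -ne 'svchost') { continue }

        # 1. Path: the real service host lives in System32. Path is $null when the
        #    session is not elevated, so report that instead of a false "False".
        $path = $proc.Path
        if ($path) { $pathOk = ($path -eq $expected) } else { $pathOk = 'unknown (run elevated)' }

        # 2. Signature. Caveat: svchost.exe is catalog-signed; PowerShell 2.0 on Win7
        #    reports catalog-signed files as NotSigned, so treat NotSigned as
        #    "verify with another tool", not as proof of tampering. Newer PowerShell
        #    consults the catalog and reports Valid.
        if ($path) { $sigStatus = (Get-AuthenticodeSignature -FilePath $path).Status } else { $sigStatus = 'unknown' }

        # 3. Hosted services: a genuine svchost instance hosts at least one service;
        #    tasklist shows "N/A" for a process that is merely named svchost.exe.
        #    Skip the three header lines, join wrapped continuation lines, then drop
        #    the image name and PID columns.
        $svcText  = ((tasklist /svc /fi "PID eq $ownerPid" | Select-Object -Skip 3) -join ' ') -replace '\s+', ' '
        $services = $svcText -replace '^\s*svchost\.exe \d+ ', ''

        $results += New-Object PSObject -Property @{
            Pid = $ownerPid; Remote = "${remote}:${port}"; Path = $path
            PathOk = $pathOk; Signature = $sigStatus; Services = $services
        }
    }
    $results
}

Get-SvchostConnection | Format-Table Pid, Remote, PathOk, Signature, Services -AutoSize
```

    A row with PathOk False, or with Services reading N/A, is something that only calls itself svchost and deserves a closer look. The limit of this check is the one the posts above circle around: malware that has loaded itself into a genuine svchost instance passes all three tests, because the connection's owner really is the signed Windows binary. At that point the remote address, not the process, is what remains to judge.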
     
  13. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    166
    Location:
    Frankfurt, Germany
    I would always recommend a third-party outbound firewall. It's a shame that so many programs need to phone home, and there's no need to have every piece of software always up to date. And what data they send is also unknown to you. Depending on the number of background programs, they can also affect your bandwidth and system performance.

    Saying that they are useless only because some viruses/malware can bypass them is IMO wrong. Most members should agree that current systems are never 100% secure. The goal can only be to make them as secure as possible. Comodo, ZoneAlarm etc. just do very well at detecting the majority of software trying to phone home.

    I would say it's not an unimportant security layer if, e.g., a keylogger is not detected by your antivirus/antimalware software but is finally stopped by your desktop firewall from sending the data back to the "spy".
     
  14. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Great.
    Don't get me wrong, I have no intention of questioning your title; it is just that "support specialist" doesn't tell us much about your actual expertise. I'm glad we have now clarified this.

    I agree. The current Windows Filtering Platform (in Vista/W7) is a far better way to implement a packet filter than the NDIS firewall-hook (filter-hook) driver as was the case with XP. I see you added this.

    I thought this thread was about Windows Firewall, not the security of the OS as a whole. But if we're talking limited privileges, then XP did give possibility to create policies. I see you also added this.

    The lack of "options" is not necessarily a bad thing, WFW was created to be as quiet and hassle-free as possible. Even the logging is disabled by default. But its strength lies in the stateful mechanism.

    Well of course they do, that's why they're called "suites".

    Not sure what you mean. XP Firewall is predominantly a layer 4 packet filter. There is ICMP filtering, but it is limited to common codes.

    I will, thanks.

    For a typical home user, on a trusted LAN, yes.

    But I still don't understand the "funny" part.
    XP firewall has its flaws, like any other fw out there, but at least it excels in its domain, layer 4 filtering. If outbound control or leak-protection (or AV, AS, etc.) is needed this can be added. But as I said, XP fw is a good transport layer firewall and as such an ideal tool for a home user. Vista/W7 did bring improvements to filtering platform, but even the old XP firewall is certainly not a funny one.
    Both still lack filtering of lower protocols, so that's something to improve upon.

    Cheers,
     
  15. theblade

    theblade Registered Member

    Joined:
    Feb 12, 2010
    Posts:
    29
    Deconstructing Common Security Myths

    Myth: Host-Based Firewalls Must Filter Outbound Traffic to be Safe.

    Speaking of host firewalls, why is there so much noise about outbound filtering? Think for a moment about how ordinary users would interact with a piece of software that bugged them every time a program on their computer wanted to communicate with the Internet. What would such a dialog box look like? "The program NotAVirus.exe wants to communicate on port 34235/tcp to address 207.46.225.60 on port 2325/tcp. Do you want to permit this?" Ugh! How would your grandmother answer that dialog box? Thing is, your grandmother just got an e-mail with an attachment that promises some rather sexy naked dancing pigs. Then this crazy dialog box appears. We promise: when the decision is between being secure and watching some naked dancing pigs, the naked dancing pigs win every time.

    The fact is, despite everyone’s best efforts, outbound filtering is simply ignored by most users. They just don’t know how to answer the question. So why bother with it? Outbound filtering is too easy to bypass, too. No self-respecting worm these days will try to communicate by opening its own socket in the stack. Rather, it’ll simply wait for the user to open a Web browser, then hijack that connection. You’ve already given the browser permission to communicate, and the firewall has no idea that a worm has injected traffic into the browser’s stream.

    Outbound filtering is only useful on computers that are already infected. And in that case, it’s too late—the damage is done. If instead you do the right things to ensure that your computers remain free of infection, outbound filtering does nothing for you other than, perhaps, to give you a false sense of being more secure. Which, in our opinion, is worse than having no security at all.


    Jesper Johansson, a senior security strategist in the Microsoft Security Technology Unit and contributing editor for TechNet Magazine, focuses on how customers should best deploy Microsoft products more securely. He has a Ph.D in MIS and has delivered speeches on security at conferences all over the world.

    Steve Riley, a senior security strategist in the Microsoft Security Technology Unit and contributing editor for TechNet Magazine, jets around the world to speak at conferences and spend time with customers to help them get and stay secure. His latest book is Protect Your Windows Network (Addison-Wesley, 2005). You can reach him at steve.riley@microsoft.com.


    http://207.46.16.252/en-us/magazine/2006.05.securitymyths.aspx
     
  16. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,869
    Again - disagree.
    It supports unwanted connections, whatever they are caused by.

    - I don't want my browser to use more than the standard ports for the web: 80, 81, 8080, 8081, 443, 554, 21
    - additional ports for some streaming formats, e.g. 1935
    - any other might be abused
    - I don't want program xy to look for updates
    -- I don't want it
    -- I don't need it
    -- I cannot turn it off (happens sometimes)
    - prevent program cd from phoning home (the discussion about that is elsewhere;
    I don't want it, but I need the program for some reason)
    - some programs are really great but sniff personal data and send it to the author, e.g. the FlashGet 1.9 versions. Bad that this behaviour was detected too late.

    There are more (good) reasons to have a bit of control than only malware!

    @Seer - just found this table:
    http://en.wikipedia.org/wiki/Comparison_of_firewalls
    It's like I wrote - and now some facts for it.
     
    Last edited: Feb 28, 2010
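    The configuration the thread keeps returning to, as an added example (not a script from the thread, from Microsoft or from any poster): Seer's point that the Vista/Win7 outbound control is off by default and needs manual setup, wat0114's pattern of allowing svchost out only while updating, and the port list in the post above, done with the stock netsh advfirewall tool from an elevated prompt on Vista/Win7 or later. The browser path, the rule names and the assumption that Windows Update needs both the wuauserv and BITS services are mine; adjust them to the machine.

```powershell
# Added example, not the thread's or Microsoft's own script. Run from an
# elevated PowerShell (or cmd) prompt on Vista/Win7 or later.

# 0. Keep a rollback before touching policy.
netsh advfirewall export "$env:USERPROFILE\firewall-before.wfw"

# 1. The default: unsolicited inbound blocked, every outbound connection allowed
#    (that is what "blockinbound,allowoutbound" means). The stricter setting
#    below blocks outbound unless an explicit allow rule matches.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 2. Logging is off by default; turn on dropped-connection logging so blocked
#    outbound attempts show up in pfirewall.log instead of just failing silently.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"

# 3. Browser: only the ports listed in the post above (assumed browser path).
#    Caveat: a rule keyed on the program path allows whatever code runs inside
#    that process, injected code included; it limits where the browser may
#    talk, not what is talking.
$browser = 'C:\Program Files\Mozilla Firefox\firefox.exe'   # assumption
netsh advfirewall firewall add rule name="Browser (web ports only)" dir=out action=allow `
    program="$browser" protocol=TCP remoteport=80,81,8080,8081,443,554,21,1935 enable=yes

# 4. Windows Update: allow svchost out only for the update services, and leave the
#    rules disabled until you actually want to update. Assumption: wuauserv does
#    the scan and BITS does the download, so both services need the rule.
$svchost = "$env:SystemRoot\System32\svchost.exe"
foreach ($svc in 'wuauserv', 'BITS') {
    netsh advfirewall firewall add rule name="Windows Update ($svc)" dir=out action=allow `
        program="$svchost" service=$svc protocol=TCP remoteport=80,443 enable=no
}

# Toggle the update rules on before running Windows Update and off afterwards.
function Set-UpdateRule([bool]$On) {
    $state = if ($On) { 'yes' } else { 'no' }
    foreach ($svc in 'wuauserv', 'BITS') {
        netsh advfirewall firewall set rule name="Windows Update ($svc)" new enable=$state
    }
}

# 5. Check: the built-in Core Networking outbound rules (DNS, DHCP, ...) must stay
#    enabled, otherwise name resolution dies under blockoutbound and everything
#    looks "blocked" for the wrong reason.
netsh advfirewall firewall show rule name="Core Networking - DNS (UDP-Out)"
```

    Usage: `Set-UpdateRule $true`, run Windows Update, then `Set-UpdateRule $false`. Restoring the saved policy is `netsh advfirewall import "$env:USERPROFILE\firewall-before.wfw"`. The service= filter is what makes the svchost rule narrower than a plain per-program allow: other services hosted in svchost stay blocked while the update services are open.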
  17. theblade

    theblade Registered Member

    Joined:
    Feb 12, 2010
    Posts:
    29
    Your main reason sounds like you are worried about your personal info being sent out via apps you have installed, which leads to threads like this - https://www.wilderssecurity.com/showthread.php?t=265502. Being selective about what you install in the first place keeps things 100X simpler and more secure.

    The HIPS and the "Run Safer" feature within Online Armor are the main reasons why I think the original poster is getting a nice security boost with Online Armor, not because I think the Windows Firewall isn't sufficient for being secure. I'm a big fan of those features of the product, but that is a separate discussion.
     
    Last edited: Feb 28, 2010
  18. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,869
    I cannot speak for OA Free; the Premium version has the option for the
    IP detection (forgot the exact words; I don't use it any longer).

    I am not afraid of what my browser is carrying out; it's this little bit more
    about my behaviour that I don't want someone to get. Although I have my
    doubts about the Microsoft denials of their words. The truth is somewhere
    in between.

    About your last point - acknowledged. At least I* don't need that much control;
    in any other case I would do the same. :thumb:
     
  19. wat0114

    wat0114 Guest

    Thank you. You explained it for me as well :)

    Now I fully advocate the mantra of avoiding infection in the first place, but i have seen enough real world evidence to know that it's not necessarily too late to block malware-induced outbound connection attempts.
     
  20. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    I only use NAT on my router and Windows Firewall, and I have never had any type of infection or compromise. But I never install or run anything in the first place unless it's from a well-known, credible source.

    You only need NAT + Windows Firewall if you use common sense.

    Save your money.
     
  21. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    Well said. And if someone is silly enough to let some nasty in in the first place, they are usually silly enough not to recognize it and give it full access permission anyway in their firewall.
     
  22. wat0114

    wat0114 Guest

    No $$ spent using two-way control in Vista/Win 7 firewall :) This statement may drive you nuts, but I'm only basing it on fact as stated above:

    :D
     
  23. theblade

    theblade Registered Member

    Joined:
    Feb 12, 2010
    Posts:
    29
    As Jesper & Steve state in their blog, 'No self-respecting worm these days will try to communicate by opening its own socket in the stack.' If you've noticed malware blatantly attempting to make outbound connections during real-world usage, then that is a huge red flag that very old and very basic malware got onto the system and malware prevention needs serious improvement.

    There is real-world evidence that millions use Windows Firewall and remain malware-free. For example, since 2004 I haven't run any 3rd-party programs in real time and haven't had anything more serious than a tracking cookie.

    Ultimately I'll just agree to disagree :thumb: .
     
  24. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    If you use the Windows Firewall, you will not notice it anyway. :rolleyes:

    However, there is a lot of malware around nowadays which is indeed very basic.
    Like rogues which do not do much more than create an autorun, an outbound connection and a lot of prompts.

    The only serious improvement needed to stop such software would be a Windows Firewall prompt for outbound connections.

    I think it's pretty ridiculous to see MS making a great fuss about their fight against Waledac botnet, when they are in fact not a part of the solution but a part of the problem.

    As long as they don't offer Windows Firewall prompts for outbound connections, they encourage the botnet business. And rogue business.

    Cheers
     
  25. theblade

    theblade Registered Member

    Joined:
    Feb 12, 2010
    Posts:
    29
    Right, since no scanners catch very old & very basic malware, that is hard to prevent :rolleyes:

    Right, since so many users love prompts, I'm sure firewall prompts alongside UAC prompts would receive a warm response :thumb:
     