Questions for beginners,.. Ask away

Discussion in 'other firewalls' started by Stem, Jul 31, 2006.

Thread Status:
Not open for further replies.
  1. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thanks Meltdown.
    CrazyM's posts are very useful.
    That is just the type of thing only with more of the common services and components that end users will likely have popups for. Maybe put into a compact chart so more services could be listed. It would be like a generic firewall cheat sheet.
     
  2. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    What is the most efficient process for a beginning firewall user to make the decision to allow or deny a program?
     
    Last edited: Aug 1, 2006
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I am putting together a list of windows applications that ask for internet connection, with info on what it is for etc. But it will take me a bit of time to put together. (have not a lot of spare time at the moment)
     
  4. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.

Not to complicate an already daunting task. You may want to include whether they may/do require server rights as well. Going only from ZA experience I know this question may crop up. Many thanks for the effort.
     
  5. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    This would be an excellent quick reference resource. I would refer to such a chart many times when setting up firewalls because it would be faster and easier than researching or remembering each service/component/program when configuring.
    If possible, it should be non-firewall specific.
    This could be as useful as Black Viper's site (was) for services configuration.

    Zone Alarm would benefit from such a list as well with the "Expert Rules" in ZA.
     
  6. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
OT in this thread, but useful.
There are still some sites that mirror Black Viper's service configuration.

    http://majorgeeks.com/page.php?id=12
    http://www.dead-eye.net/WinXP Services.htm
    Black Viper's site from the archives:
    http://web.archive.org/web/20041128084144/www.blackviper.com/WinXP/servicecfg.htm
    http://web.archive.org/web/*/http://www.blackviper.com

    This one has nothing to do with our Black Viper:D
    http://hometown.aol.co.uk/brianthebeaver/?272,437
     
    Last edited: Aug 1, 2006
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I'd suggest sticking to the essential ones only (browser and email plus services.exe for Win2K, svchost.exe for WinXP) which would allow a user to get online and query Google for information on any others.

    One point to bear in mind is that there is plenty of malware using the name svchost (or scvhost, etc) so it is important to include folder locations as well (e.g. %systemroot%\system32\svchost.exe)
     
  8. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
Just another thought...... The manner in which it will be written. The, say, average user (however that is defined) will stop reading in a second if too technical terms are used. I know over the years, as my knowledge and therefore my language has changed when speaking about PCs and related topics, I found it harder to speak understandably to the Novice. A target audience may need to be decided on. Finding the medium for Novice/Middle-of-the-Road/Advanced/Certified Tech. will be very difficult. Also, just throwing a bunch of links can discourage a person too. Getting it all consolidated (with links provided for additional info), IMO, is the way to go.
     
  9. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thanks Tommy.
     
  10. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Excellent idea, Stem! :)

    Adding to this topic, why not make a very simple site or a Wiki with all the main questions for Basic, Intermediate and Advanced users? I think that this will be much easier to consult... ;)

    I don't have time for that on the next couple of months... :p
     
  11. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
  12. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    For the question about what to use to test your firewall, you mention some online tests. What if you want to test a firewall on your PC, but you are also behind a hardware firewall/router? I installed nmap onto another PC behind the hardware firewall/router, and used that to test my PC firewall. Does anyone have any opinions about nmap? Is it good or should I use something else?

    Also, I'm currently thinking that I don't need a firewall that has outbound application protection. I agree with the people who say that if something bad has gotten onto your computer, then at that point it's too late already... your system is already compromised, so outbound app protection won't help. So I'm just going to use a packet filter. I also practice "safe hex", so it's unlikely that something bad would get onto my computer. Do you agree with my thinking, or do you think outbound app protection is still important?
     
  13. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    That situation is covered in the thread linked to under "How can I test my firewall?". The solutions may be a little complex for beginners so I'd think it better to keep them separate from the basic answer.
     
  14. herbalist

    herbalist Guest

    Depending on what gets into your PC, a firewall can still help you. If we're dealing with a kernel rootkit, then a firewall won't do much good. If the infiltrating item is adware or a simple trojan, a firewall that controls outbound traffic can make all the difference. Most adware and conventional trojans will establish an outbound connection. Adware basically "calls home" and requests the next round of ads it's going to display. The typical trojan tries to open a port on which it listens for instructions. A firewall that controls outbound traffic can prevent both of these from happening.
    As for whether it's "too late" depends on how you define that phrase. Yes, your system has been compromised and you do have unwanted software running on your PC, but if the compromising item is adware or a conventional trojan, it can't connect out to its adserver or owner respectively. If nothing else is done, the situation is a stalemate. Your system is technically compromised but the unwanted material can't do anything but wait for a connection that isn't coming, so your security wasn't compromised. If you didn't shut off the alerts, your firewall should alert you to the new items trying to connect out, naming the process and where it wants to connect. In this manner, a firewall acts like a malware detector, alerting you to the new items. In more than one instance I've installed a firewall on a PC the various scanners reported as clean only to be alerted to a trojan wanting to connect out.
If one is assuming that they'll be compromised by the worst possible items like a kernel rootkit, then it's too late for a firewall, but with most conventional pests a firewall will still defend you. It should also be said that this answer is operating system dependent. With the older DOS based system which I still use, where kernel rootkits are not a problem, the firewall is much more able to defend you. On these systems, it's seldom ever "too late" to do something about it, especially when your defenses are layered. What may be hidden from Windows can usually be found with DOS, and DOS can be used to defend your registry and core system files in ways that aren't possible on the newer "more secure" systems.
In my opinion, too many newer users are being fed the gloom and doom scenario of "once something gets in, you've had it." This is not usually the case and we don't need to give them that impression. They need to learn how to protect themselves with more than one layer of protection so that even if one layer gets compromised or penetrated, it doesn't mean they've lost the battle.
    Rick
     
    Last edited by a moderator: Aug 4, 2006
  15. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    ?
    Do I need a router/hardware firewall and why, if I already have software FW?
    How do they work?
    How hard is it to configure for really low level user?
    Any recommended hardware: single user soon to upgrade to "copper wired" home network for significant other and tinlids to share cable connection?

Thank you.
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    No, you do not need a router.
    A router/firewall is a good layer of defence against inbound scans/attacks and can save the software firewall work.
    A router is also good if you have a need to share an internet connection (but you could also use a "hub" or "switch", or even ICS for sharing connections)
    some info here and here
The majority of routers are now simply "Plug'n'Play" and normally require no adjustment for Internet access once the cables are correctly connected.
     
  17. Gez

    Gez Registered Member

    Joined:
    Jan 15, 2006
    Posts:
    65
    Location:
    Ireland
    The way I usually explain a firewall is this. Consider your computer (or your network) as your house. You have a lot invested in this house and don't want to see someone break in and steal everything. So you build a high wall around the house and put a gate in the wall, with your own personal security guard standing at the gate. The wall is a bit like a hardware firewall -- it is pretty dumb but effective at keeping intruders out. The guard is a bit like a software firewall -- to keep intruders out he needs to ask a few questions. Obviously he's a bit more intelligent than a dumb wall but then again perhaps he doesn't have the same brute strength as the wall has! The gate is like your ports -- it allows friendly visitors to come in and out without having to climb the wall!
    :D
So your house is pretty secure from the outside and you feel safe in the knowledge your possessions are protected. So you decide to go on holiday with the wife and leave the kids behind. They're teens so they're able to look after themselves. But they decide to have a party while you're away and they invite their friends in. (You could liken this to your kids downloading virus-ridden games off the net.) Needless to say the friends are allowed through the gate and the guard, once he knows they're your friends, doesn't kick up a fuss. But while they're in the house some of them go rambling and take a fancy to some of your possessions. By the time the party is over a number of items have been put into people's pockets. The thieves can't leg it over the wall as it's too high (ports are blocked) so they have to make their way out the way they made their way in. Your teenage daughter, unaware that her friends have taken some of your prized possessions, accompanies them to the gate and tells the security guard to open it up and let them out. And in so doing she has just authorised your software firewall to let a trojan out and phone home to base! She tells the guard to allow these people back in anytime they want and with that your whole security has been crippled, not from the outside but from the inside! Next time her friends come around they will bring tools under their coats to pick the lock in your safe! (You could liken this to a downloader trojan being authorised to go out and then bringing other, deadlier trojans back in.)
    Well, I hope this sheds some light on firewalls for those who are unsure. It's not an ideal analogy and some points of course are simplified but it usually helps people to understand the importance of a firewall not just for protecting you from the outside but also, and perhaps more importantly these days, from those "friends" you bring into your computer who work their evil from the inside.
    Regards,
    Gez
     
  18. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    What is loopback?
    Is there a difference between a local loopback and a remote loopback?
    What is the best way to deal with DNS loopback?
Say the rules allow outbound DNS, but shortly after there is an inbound DNS popup (from the DNS server), often on different ports than the previous request, so an inbound rule created on one port will not work for the next DNS request.

    Should these inbound DNS requests be allowed or blocked?
    What are appropriate rules for this?
     
  19. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    To ping or not to ping?

If you do not use VoIP (internet telephony) or online games that require ICMP (ping), why should we allow ICMP?
    If I block ICMP in the router, does it need to be blocked in the software firewall?
     
  20. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    What are appropriate rules for alg.exe - Application Layer Gateway?
    It is needed for Windows Firewall and ICS, but if you are using Windows Firewall, then you don't need any rules for it because you won't be using an outbound firewall anyway.
    But if you use an outbound rule based firewall and ICS, what are appropriate rules for alg.exe?
     
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Devinco,
As your need for alg.exe would be only for the ICS, then any rule for comms should be bound to the LAN (for ICS this is normally 192.168.0.1/255.255.255.0). Meaning: to allow outbound/inbound only from the PC that is connected, any rules should contain the LAN IP/mask.

    Does this explain?
     
  22. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Yes, Thank you Stem.
    So the idea is to restrict the allowed communications as much as possible and still have it working properly.

Other than the IP mask, should alg.exe have any port, protocol, direction restrictions?
     
  23. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Are any special rules needed for these?
    wuauclt.exe - Automatic Updates
    csrss.exe - Client Server Runtime Process
    explorer.exe - Windows Explorer
    iedw.exe - IE Crash Detection
    mdm.exe - Machine Debug Manager
    spoolsv.exe - Spooler SubSystem App
    userinit.exe - Userinit Logon Application
    wmplayer.exe - Windows Media Player
    winlogon.exe - Windows NT Logon Application
    drwtsn32.exe - Dr. Watson Postmortem Debugger
    dwwin.exe - Microsoft Application Error Reporting

    For example, I noticed the spoolsv.exe always requests network access whenever printing to a printer on the LAN. The document prints just fine if it is restricted to just the printer's IP and a specific port.
     
  24. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
Yes, for me, this applies to any application. (I hope you can understand, I believe that comms should be restricted when they are leaving/entering a user's PC.)

alg.exe uses FTP both in/out (but of course, restricted to user firewall rules in this instance). If using with ICS (as with your question) then allowing FTP server/client bound to the LAN IP is correct/O.K.
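As an added illustration (not code from this thread or from any firewall product), here is a small Python model of the rule shape discussed in posts #7, #21, #23 and #24: rules keyed on the full executable path rather than just the file name, alg.exe's FTP traffic bound to the ICS LAN 192.168.0.0/255.255.255.0, and spoolsv.exe allowed only to the printer's address and one port. The %systemroot% value, the printer address 192.168.0.20, FTP control port 21 and printer port 9100 are assumptions, and the connection attempts are constructed.

```python
import ipaddress
from dataclasses import dataclass

SYSTEMROOT = r"c:\windows"                                # assumed value of %systemroot%
LAN = ipaddress.IPv4Network("192.168.0.0/255.255.255.0")  # ICS LAN mask from post #21
PRINTER = ipaddress.IPv4Network("192.168.0.20/32")        # constructed printer address
ANY = ipaddress.IPv4Network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    exe: str                            # full lowercase path, so a svchost.exe elsewhere won't match
    direction: str                      # "out" or "in"
    proto: str                          # "tcp" or "udp"
    remote_net: ipaddress.IPv4Network   # remote address range the rule is bound to
    remote_ports: frozenset             # empty = any remote port

@dataclass(frozen=True)
class Conn:
    exe: str
    direction: str
    proto: str
    remote_ip: str
    remote_port: int

RULES = [
    # alg.exe is only needed for ICS, so its FTP traffic is bound to the LAN (posts #21/#24);
    # port 21 is an assumption, the thread only says "FTP".
    Rule(SYSTEMROOT + r"\system32\alg.exe", "out", "tcp", LAN, frozenset({21})),
    Rule(SYSTEMROOT + r"\system32\alg.exe", "in", "tcp", LAN, frozenset({21})),
    # spoolsv.exe restricted to the printer's IP and one port (post #23); 9100 is assumed.
    Rule(SYSTEMROOT + r"\system32\spoolsv.exe", "out", "tcp", PRINTER, frozenset({9100})),
    # svchost.exe allowed out, but only the copy in %systemroot%\system32 (post #7).
    Rule(SYSTEMROOT + r"\system32\svchost.exe", "out", "udp", ANY, frozenset()),
]

def decide(conn: Conn, rules=RULES) -> str:
    """Return 'allow' on the first matching rule, otherwise 'deny' (default deny)."""
    ip = ipaddress.IPv4Address(conn.remote_ip)
    for r in rules:
        if (conn.exe.lower() == r.exe and conn.direction == r.direction
                and conn.proto == r.proto and ip in r.remote_net
                and (not r.remote_ports or conn.remote_port in r.remote_ports)):
            return "allow"
    return "deny"

if __name__ == "__main__":
    # Constructed attempts: the second is a svchost.exe outside system32 and is denied.
    for c in (Conn(SYSTEMROOT + r"\system32\alg.exe", "out", "tcp", "192.168.0.5", 21),
              Conn(r"c:\temp\svchost.exe", "out", "udp", "203.0.113.7", 53)):
        print(c.exe, c.direction, c.remote_ip, c.remote_port, "->", decide(c))
```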
     
  25. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thank you!
     