Windows XP firewall any good?

Discussion in 'other firewalls' started by Spanky, May 11, 2003.

Thread Status:
Not open for further replies.
  1. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi wizard,
    O.K., but Look'n'Stop nevertheless gives an alert because the signature of this process has changed. Well, by the way I doubt that TDS-3 doesn't find this out, but let's assume this would be the case.

    There you are completely right! For further information go here: ;)

    https://www.wilderssecurity.com/showthread.php?t=7680

    Regards,

    Patrice
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,278
    Location:
    New England
    Yes, this is a key issue with trying to run fully stealthed.
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,278
    Location:
    New England
    Well, I've never heard that a port would just open because something from outside sent data to it. If there is nothing running on the system to listen on that port, exactly what does the port open into?
     
  4. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Patrice: he sends code to an already compromised computer? Is that what you meant? If the computer's already compromised so that communication is possible in spite of the firewall, you're already screwed IMO. That's getting even further into the realm of what if's, it seems to me. More likely that the trojan or bot will find its own way to communicate under or through your firewall and no need for a patient hacker collecting IP's of people with closed ports. The trojan will give him whatever he needs.

    All this because a certain type of ping might show you're online? Assuming an uncompromised computer, what then?
     
  5. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello Patrice,

    It is rock solid as far as IN is concerned, no problem at all ;)

    It's a bit strange to be sure without any test, clue or known exploits :cool:

    I know people using it with NIS to be stealth for NIS always leaves (left ?) a port non stealth on the range 1024-1040 whatever the settings are (were ?)

    Cheers,
     
  6. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi all,

    wow, let's see if I can give answers to all your questions... JacK, I'm sure because I've read an article about this firewall somewhere in a computer magazine (c'T, CHIP or whatever). It's not just an assumption because it's Microsoft! ;) This firewall doesn't have stateful packet inspection as far as I know. Do you know more about this issue?

    LowWaterMark, you can send some code to a computer which will lead to the crash of several applications. Because of that, the hacker will be able to overtake the computer. You will find more information about that on Windows TechNet; these issues can be found in the Update Section for example. There are some patches which are providing security against such attacks. But I'm sure that there are some possibilities which they haven't found until now as well...

    Sig, with a compromised computer I meant a computer which is known to be up and running. Not a computer which has a trojan installed. Then the situation would be really bad. Sure, this isn't an easy task for a hacker to hack into a computer with closed ports, but it's still possible.

    So, hope I answered all questions and remarks until now. ;)

    Best regards,

    Patrice
     
  7. _anvil

    _anvil Guest

    @Patrice
    You are surely talking about exploitable internet services here, which might be found everywhere but _not_ on a system without _any_ service running - and that's the reason why everybody gives advice to stop any (unneeded) services.
    A computer with no open ports (no running services) can't be just 'hacked' from the outside - no matter, if there is a firewall, or not. :)

    The problem is, that WinNT/XP/2000 runs a bunch of internet services (-> open ports) in its default config! These can even be exploitable (see TechNet.)
    And unfortunately, it is a bit tricky to stop all these (unneeded) services without causing system instabilities. :doubt:
     
  8. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello Patrice,

    You don't know far enough ;)

    Stateful Packet Filtering
    At the core of ICF is a stateful packet filter. Unlike a static packet filter, which decides whether or not to drop a packet based solely on that packet’s addressing information, a stateful packet filter bases its decisions on both a packet’s state and the context information of a session. This stored state provides the filter the means to enforce a richer and more comprehensive set of rules than a static filter.

    More info on ICF :
    http://www.microsoft.com/windowsxp/pro/techinfo/planning/firewall/icf.doc

    Rgds,
     
  9. Ph33r_

    Ph33r_ Guest

    Personally I feel the XP Built-In Software Firewall is inefficient, it has its advantages for being an Integrated part of Windows but then again Look ‘n’ Stop in particular is also designed for PC use as an Integrated part of Windows. Look ‘n’ Stop is like 100% Driver based, No security elements are handled by the application part. And In case of the unlikely event that the user interface is deleted it will have no effect on the functionality and security of the firewall, and if Look ‘n’ Stop Personal Firewall was deleted by accident or deliberately – "Persistent Internet Filtering" When enabled, Internet filtering is still active (still securing your box).

    And thus is one of the reasons why Look ‘n’ Stop and firewalls alike are so small & stable and provide Ultimate security Levels.

    Then again in reference to Look ‘n’ Stop specially; it’s got some disadvantages such like the Non-use of settings encrypting, so a malicious code was deliberately targeting Look ‘n’ Stop whelp… Let’s say there is Risk to consider of its settings being manipulated if the Application Module was terminated.

    -

    There are a lot of “OLD” Sophisticated TCP, UDP port Scanners which verify if the Machine Exists by sending ICMP Packets, and in fact there are a lot of domain scanning systems for linux and so on which do the very thing. But besides the point Hackers scan domain ranges for specific exploitable services, if the port is seen Open or even Closed you will most likely be a quick fix for these folks. And if you have a somewhat static IP your domain could be scanned one day and your box exploited the next day, because they go through possibly a large list of founds.

    Only way you'd be an interesting target even if your port or ports were seen as “Stealthed” is if you were intentionally a specific target for thrills, one way or another you pissed off a Hacker or Hax0r who’s attempting revenge by doing thorough Scans to find any means possible to make you pay, even if you didn’t do anything; just your presence alone in an IRC Chat room for instance would piss off these nutz…

    I have much to say in reply to all these posts in this topic but I’m not here to attempt to bore people. :blink:

    Regards,
     
  10. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    "Sig, with a compromised computer I meant a computer which is known to be up and running. Not a computer which has a trojan installed. Then the situation would be really bad. Sure, this isn't an easy task for a hacker to hack into a computer with closed ports, but it's still possible"

    I find that debatable if you're running no services to exploit. And generally when people refer to "compromised" pc's in security forums they mean pc's whose security has actually been compromised by malware such as a trojan. It's not "compromised" by simply being online and detectible by a port scan, although I imagine some firewall vendors would like people to think so. ;)

    For example, would you say a pc running ZA at medium (showing closed ports on the internet) is a "compromised" pc?

    But in any case, the instance which started this discussion is that you claimed the ICF was unsafe because it allowed responses to certain pings (and someone pointed out how the ICF can be set not to return a response). So are you maintaining that just by the port returning a response to a syn ping (but showing closed) that will allow a hacker to blast his way through the running firewall?
     
  11. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi _anvil, JacK and Ph33r_,

    thanks for the information, it was very useful. _anvil, yeah that's exactly what I meant! But who is able to turn off all the services? I guess most of the users haven't done so yet.

    Sig, yeah we can discuss the word "compromised". Let's say you're right. I just used a more dramatic word to show you that they know that you are up and running. ;)
    Certainly it's a difficult task to pass a firewall, but as I already said, a simple trick is to send a huge amount of packets within some seconds. Ph33r_ once tested Look'n'Stop like that. This firewall didn't crash at all. But I know that there are others which would crash... I don't know about ZA, but this is certainly a good firewall as well!

    You have to understand it like this. Hackers are pinging a whole range of IP-numbers. They save all the results and come back later to these systems they got a response. If your computer has closed ports, he has your IP as well. Do you see why I say you should have stealthed ports. Then he doesn't have your IP, he already has enough other IP's to work on... :D Do you get it what I wanted to say? ;)

    Regards,

    Patrice
     
  12. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    _anvil,
    Actually, I'm not so sure about this statement... I already read about some post of hackers which proves the contrary.

    Regards,

    Patrice
     
  13. Ph33r_

    Ph33r_ Guest

    You in reference too;

    ;)
     
  14. Ph33r_

    Ph33r_ Guest

    Hey Patrice

    He’s right a System without Running Services cannot be “Hacked” remotely...

    Regards,
     
  15. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Ph33r_,

    thanks for the info! Is it possible to have a Windows with no services running on it? I just checked my services, there are quite some running there. And some of them you absolutely need to be able to work with the computer...

    Best regards,

    Patrice
     
  16. Ph33r_

    Ph33r_ Guest

    Depending on the stability of your Software Firewall; stealthing the ports you could withstand a great deal more Attacks than what you normally would without stealthing the ports.

    SO ICF Isn’t properly blocking Inbounds but you configure it to properly block the ICMP Outbounds to prevent replying to malicious TCP Flags Scan Packets; then imagine what would happen if one Attacks you using those type TCP Flags from an Hi Box? Your System would quickly take up 100% CPU Usage and Generate a System Failure which normally, by users' unmodified settings, means you’d be Automatically re-booted…

    This kind of test allows you to determine the stability of your Software Firewall too, but you see there's more than 1 way to kill a cat… ;)
     
  17. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Mhh... sounds interesting to me! Would love to see that! ;)
     
  18. Ph33r_

    Ph33r_ Guest

    Patrice like you said you have quite a number of services which provides necessary functionality you require to be happy user, you can do quite a number of ports disabling by Registry Tweaking without necessarily disabling the entire Services. But it all depends really on what your requirements are, but knowing whether your requirements involve Local Area or Internet you can determine the appropriate actions. And you have to know which ports are remote accessible too, you can Listen on Ports and still only apply to Internal Connections (Local Area Networks) without needing to use a Software Firewall to Shield them from the Internet…
     
  19. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello Ph33,

    Could you give any link where it is said ICF does not block Inbounds properly?

    TIA

    You can only configure ICF to block Outbound ICMP IF you first accepted Inbounds and so you are not in stealth mode (accepting IN Echo request for instance); otherwise, there is nothing to configure if you filter ICMP inbounds.

    Rgds,
     
  20. Ph33r_

    Ph33r_ Guest

    JacK

    When configured and tested at pcflanks for an example using “Stealth Test” do you have TCP Non-Stealth indications?

    If not, then does it block by the TCP Inbounds? Or do you suppose it doesn’t block TCP Inbounds but still you considered Stealthed due to not responding to the half-open TCP Scan Packets because you are blocking the specific Outgoing ICMP Type and Code which states otherwise?


    Regards,
     
  21. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Nite Ph33r,

    I don't use it for me as I need Outbound control, I just tested it in the very beginning about 2 years ago and it passed all the stealth test on PCflank with flying colours (with the default configuration as far as I remember but maybe I went to the advanced setting to tune the ICMP), as well the stealth tests with TCP ping packet, TCP NULL packet, TCP FIN packet, TCP XMAS packet, UDP packet or SYN Packet : nothing appears closed or open : everything Blocked.
    I cannot rerun the test on this machine for I disabled a lot of useless or potentially dangerous services according to my needs.

    Cheers,
     
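    As an added illustration (not code from any poster, and not ICF's actual implementation) of two things argued over in this thread: the stateful packet filter JacK quotes from the ICF paper, and the difference between a "closed" port that answers a probe and a "stealthed" one that stays silent. Addresses, ports and the probe set are constructed; nothing touches the network.

```python
from collections import namedtuple

# flags: TCP flags as letters, "S"=SYN, "SA"=SYN/ACK, "F"=FIN, "FPU"=XMAS, ""=NULL
Packet = namedtuple("Packet", "proto src sport dst dport flags", defaults=("",))

def bare_stack(pkt, listening=frozenset()):
    """Unfirewalled host, simplified RFC 793/792 behaviour. A closed TCP port
    answers RST, so the scanner learns the host is up: 'closed', not 'stealth'."""
    if pkt.proto == "icmp":
        return "echo-reply"
    if pkt.proto == "udp":
        return "accept" if pkt.dport in listening else "icmp-port-unreachable"
    if pkt.dport in listening:   # open port: SYN gets SYN/ACK, NULL/FIN/XMAS are ignored
        return "syn-ack" if pkt.flags == "S" else "drop"
    return "rst"

class StatefulFilter:
    """Toy model of the stateful filter described in the ICF paper: inbound is
    accepted only if it belongs to a session this host opened; unsolicited
    packets are dropped silently, so nothing reveals that the host is up."""
    def __init__(self):
        self.sessions = set()
    def outbound(self, pkt):            # remember (proto, peer, peer port, our port)
        self.sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.sport))
    def inbound(self, pkt):
        return "accept" if (pkt.proto, pkt.src, pkt.sport, pkt.dport) in self.sessions else "drop"

SCANNER, TARGET = "198.51.100.7", "192.0.2.10"   # constructed addresses (documentation ranges)
PROBES = {  # the probe set JacK lists from the PC Flank stealth test
    "syn":  Packet("tcp", SCANNER, 40000, TARGET, 135, "S"),
    "null": Packet("tcp", SCANNER, 40000, TARGET, 135, ""),
    "fin":  Packet("tcp", SCANNER, 40000, TARGET, 135, "F"),
    "xmas": Packet("tcp", SCANNER, 40000, TARGET, 135, "FPU"),
    "udp":  Packet("udp", SCANNER, 40000, TARGET, 137),
    "icmp-echo": Packet("icmp", SCANNER, 0, TARGET, 0),
}

def scan(respond):
    return {name: respond(pkt) for name, pkt in PROBES.items()}

def host_revealed(results):
    """A scanner records the IP as alive if any probe drew a reply."""
    return any(r != "drop" for r in results.values())

def demo():
    unfiltered = scan(bare_stack)                 # no services, no firewall: ports 'closed'
    fw = StatefulFilter()
    stealth = scan(fw.inbound)                    # same host behind the stateful filter
    fw.outbound(Packet("tcp", TARGET, 1050, "203.0.113.5", 80, "S"))          # we open a connection
    reply = fw.inbound(Packet("tcp", "203.0.113.5", 80, TARGET, 1050, "SA"))  # its reply is let in
    return host_revealed(unfiltered), host_revealed(stealth), reply
```

    The unfirewalled host with no services still answers every probe (RST, port unreachable, echo reply), which is exactly the "closed but visible" case Patrice worries about; behind the stateful filter the same probes get nothing, while the SYN/ACK for a connection the host itself opened is still passed through.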
  22. Ph33r_

    Ph33r_ Guest

    Guess we're both in a situation; firstly my Network Adapters are bound and if I try to unbind them my Internet Connection becomes un-repairable. And if I was to put my PC in Pre-Install state then I have my Internet Connection Filtering invalid TCP Flag Combinations. :(
     
  23. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
  24. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello Patrice,

    I know that ;)

    IPv6 Protocol is only installable on WinXP and Win2k3 and you have to install it by command line : it's not installed by default. I doubt any lambda user runs it.

    BTW I don't know which current FWs for Windows OS support IPv6 by now. I know some for LINUX

    Rgds
     
  25. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Outpost 2 is supposed to be compatible. Can test it, though... my windows is not :)
     