wizard's thoughts on Personal Firewall

Discussion in 'other firewalls' started by wizard, Feb 16, 2003.

Thread Status:
Not open for further replies.
  1. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    This is the answer to the following thread:
    http://www.wilderssecurity.com/showthread.php?t=7310

    Basically, if you just run one single PC connected to the internet, you do not need a firewall. Depending on your Windows version you have to close several services (ports) and your computer is as secure as with a personal firewall. But you save plenty of resources.

    If you run a network the thing gets a little bit more difficult, but what I found is that a hardware router (or even a software router on an old PC) provides far more protection than a personal firewall. And in terms of a hardware router, these are far easier to set up than an average personal firewall.

    For personal firewalls I think a free solution is definitely the best somebody should be looking for. Besides ZoneAlarm (free) you can choose between nearly everyone: SyGate, Outpost, Kerio.

    wizard
     
  2. SKA

    SKA Registered Member

    Joined:
    Aug 2, 2002
    Posts:
    152
    Dear Wiz,

    May I ask: I thought Windows OS not easy to close ports for users, that's how whole genre of personal firewall softwares came to pass, after "Moses" Gibson gave masses a glimpse of the "hackers desert" and then parted the "seas" of internet to the oasis - the one true outbound firewall (ZA)!! I mean no disrespect for he surely be honorable man. <I come not to bury BlackIce but to ....>

    How to close ports w/o use s/w like port scanner/personal firewall on windows 98/ME/2000/XP - any tips ?

    SKA
     
  3. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    Win98 is easy: no open ports
    WinME: just port 5000 is open. This can be closed by disabling the autorun of ssdpsrv.exe

    For Win2k and WinXP there is a really nice - but only in German - description of how to close ports. Maybe Babelfish (or another online translator) and the screenshots can help non-German-speaking persons understand it too.

    Win2k: http://www.kssysteme.de/s_content.php?id=fk2002-02-02-3414
    WinXP: http://www.kssysteme.de/s_content.php?id=fk2002-01-31-3823

    Please notice that the description works only for a single computer connected to the internet and not for computers in a local network.

    wizard
     
  4. SKA

    SKA Registered Member

    Joined:
    Aug 2, 2002
    Posts:
    152
    Wow !

    Wiz - this is amazing! I must really thank you for these links!
    I just can't believe that Win98 has no open ports and later versions are less secure by default !

    Thanks again, thou truly be the White Wizard indeed !

    SKA
     
  5. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    An open port just does not mean something is not secure. As long as there is no exploit (security hole) in the service that responds to the open port, no hacker will find his way through. But the strategy is right to close as many open ports as possible: because where nothing is running (open), nothing can be attacked. :)

    wizard
     
  6. controler

    controler Guest

  7. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Yes, but if a malicious software misuses (tunnels) a valid program (like internet explorer) there is nothing you could do with a PF.

    A pure netstat -a command would have done the same. :)

    Do you think these kinds of people could properly configure a firewall? I doubt that. Just install and be safe does not work with any firewall.

    Firewalls are important to protect a network, I agree, but for a single PC connected to the internet it is a pure waste. And if I have set up a network I personally would recommend protecting it with something more reliable than a Windows-based personal firewall. For example, an old PC with one of those Linux firewall systems you get for free all over the web, or just a hardware router (like I do at the moment), gives much better protection. Just my personal thoughts on this topic. :)

    wizard
     
  8. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Right now, these so-called tunneling 'exploits' are only theoretical: firehole, tooleaky, etc. There is nothing out there in the wild that uses these exploits, to piggyback on trusted apps like IE and tunnel through the firewall. What's more: see this pcflank leaktest study, http://www.pcflank.com/art21.htm -- and you'll see that the latest versions of popular firewalls are detecting and preventing these exploits, even when/if they do become prevalent in the wild. Software firewalls are continually evolving and improving: forex, I get notices of new beta-tests from ZoneLabs fairly often.

    but not in real time: a software firewall that provides outbound control will alert you immediately when an unknown program (e.g. trojan) tries to get out to the Net. Besides, I don't make a habit of running "netstat -a" very often on my box. (using ZAP 3.5 as firewall, btw). ;)

    ZoneAlarm is about as close to set-it-and-forget-it as you can get: and other firewalls, such as Sygate and Outpost, aren't hard to configure either. Even rules-based firewalls like Norton and Kerio can be configured with a little learning curve: and there are plenty of forums and helpful aids available to help folks configure these firewalls. Most of these products have their own forums; e.g. dslreports has a Kerio-Tiny support forum; there is the Yahoo Keriofirewall group; there is a Sygate forum and a ZoneLabs forum; etc.

    Agreed, that a dedicated hardware firewall is less vulnerable than a software firewall that runs on the same machine it protects; but I still think software firewalls are useful, and the market for them is legitimate and growing. A local network is really not that much harder to protect: you mainly need to protect the "gateway" or host computer that connects out directly to the Net. That's actually what I have, an internet connection sharing (ICS) home network, with a host and two clients. I have ZAP 3.5 installed on my host, and ZAF 2.6 installed on my two clients.

    And as for a standard inexpensive SOHO NAT router: it has no outbound control, only inbound. A NAT router will merrily allow a trojan or worm to connect out to the Net, so long as the communication originates from within the local network running behind the router.

    A hardware router that performs sophisticated 'stateful inspection' (not just NAT) is more expensive; and the most expensive, albeit also safest and most secure, is a full-blown dedicated hardware firewall: more appropriate for a corporate rather than SOHO solution. ;)
     
  9. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Win2K and WinXP are much harder to close ports on, because of needed services:

    Win2K Services: http://www.blkviper.com/WIN2K/win2k.htm
    WinXP Services: http://www.blkviper.com/WinXP/servicecfg.htm

    Forex, it's next to impossible to close port 135 on these OSes. ;)
     
  10. SpaceCowboy

    SpaceCowboy Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    40
    it is possible and quite easy to do.
     
  11. jxx

    jxx Guest

    apparently closing the port is much easier than trying to explain how to do it...

    how about a more informative post SpaceCowboy ?
     
  12. SpaceCowboy

    SpaceCowboy Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    40
    the instructions i am going to post i found in the Kerio forum at dsl reports. i have XP PRO and was able to close port 135 without any problems at all. back up your registry before you try it.


    Closing port 135-
    Simple fix:

    Run: regedt32

    I suggest you export your RPC branch before you make
    any changes. That way you can fix any errors.

    Go to the registry under hkey local machine:
    go under software\microsoft\RPC\ClientProtocols\

    You will notice a couple of different RPC protocols.
    Basically we want to remove the value
    which is equivalent to a dll name under two of these:
    1. ncacn_ip_tcp = nothing/blank/empty
    2. ncadg_ip_udp = nothing/blank/empty

    Next you want to go up a level to
    software\microsoft\RPC\DCom Protocols.
    Remove ncacn_ip_tcp.


    that's it
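
A way to check which ports are still reachable after steps like those in this thread, added here as an example and not part of any poster's message. It parses the text of `netstat -an` (the numeric form of the `netstat -a` command mentioned earlier); the sample output, the watch list and the function names are constructed for illustration.

```python
import re

# Ports the thread singles out (assumed watch list built from the posts above).
THREAD_PORTS = {135: "RPC (posts 9 and 12)", 5000: "ssdpsrv.exe on WinME (post 3)"}

# Constructed sample of Windows `netstat -an` output, not captured from a real host.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    192.168.0.2:1045       203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    127.0.0.1:1900         *:*
"""

# proto, local address, local port, foreign address, optional state (TCP only)
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def exposed(netstat_text):
    """Return sorted (proto, port) pairs listening on a non-loopback address."""
    found = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, column header or blank line
        proto, addr, port, state = m.groups()
        # TCP rows count only while LISTENING; UDP has no state column,
        # so every bound UDP socket can receive datagrams.
        if proto == "TCP" and state != "LISTENING":
            continue
        # Sockets bound to loopback are not reachable from the network.
        if addr.startswith("127.") or addr == "[::1]":
            continue
        found.add((proto, int(port)))
    return sorted(found)

def still_open(netstat_text):
    """Ports from THREAD_PORTS that are still reachable from the network."""
    return sorted({port for _, port in exposed(netstat_text) if port in THREAD_PORTS})

if __name__ == "__main__":
    for proto, port in exposed(SAMPLE):
        print(proto, port, THREAD_PORTS.get(port, ""))
```

Run it on output saved before and after a change; an empty result from `still_open` means none of the ports named in the thread is listening on a network-facing address.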
     
  13. jxx

    jxx Guest

    k, simple enuff :)

    thanks
     
  14. controler

    controler Guest

    Now that we are on this subject again, I wanted to repost some screen shots. The second screenshot takes it a step further than the German site. I didn't see the German site explain anything about setting rules for the UDP and TCP ports.
    These options are found on my Windows XP Home. I have still not seen anyone comment on these. XP has these features besides its built-in firewall.
     


  15. controler

    controler Guest

    From the last screen shot you click on properties to get here
     


  16. controler

    controler Guest

    Ha ha

    I wanted to bring this thread back again till I get an answer to my question: has anyone used the TCP/IP Filtering that I posted the screen shots of above, and/or in conjunction with the built-in firewall, and if so, is it only inbound filtering?

    Over?
     
  17. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    I believe that is the same as IPSEC, or IP security policy in Win2K.
    There is a nice writeup on using it as a firewall at analogx.
    http://www.analogx.com/contents/articles/ipsec.htm
    I haven't really read all that yet, so I don't know if it covers outgoing or not. Seems a nightmare to configure, especially if it's for outgoing too.
    Also, regarding another part of this thread. On Win2K when I disabled port 135, I could not even boot up. Had to go to safe mode and enable it again. FWIW.
    I'll stick with a firewall.
     