wizard's thoughts on Personal Firewall

This is the answer to the following threat:
http://www.wilderssecurity.com/showthread.php?t=7310

Basically if you just run one single PC connected to the internet you do not need a firewall. Depending on your windows version you have to close several services (ports) and your computer is as secure as with a personal firewall. But you save plenty of resources.

If you run a network the thing gets a little bit more difficult but what I found is that a hardware router (or even a software router on an old PC) provide far more protection than a personal firewall. And in terms of a hardware router these are far more easy to setup than an average Personal firewall.

For personal firewalls I think a free solution is definitly the best somebody should looking for. Besides ZoneAlarm (free) you can choose between nearly everyone: SyGate, Outpost, Keiro.

wizard

 

Dear Wiz,

May I ask: I thought windows OS not easy to close ports for users, that's how whole genre of personal firewall softwares came to pass,after "Moses" Gibson gave masses a glimpse of the "hackers desert" and then parted the "seas" of internet to the oasis - the one true outbound firewall(ZA) !! I mean no disrespect for he surely be honorable man.<I come not to bury BlackIce but to ....>

How to close ports w/o use s/w like port scanner/personal firewall on windows 98/ME/2000/XP - any tips ?

SKA

 

Win98 is easy: no open ports
WinME: just port 5000 is open. This can be closed by disabling the autorun of ssdpsrv.exe

For Win2k and WinXP there is a real nice - but only in German - description how to close ports. May babelfish (or another online translator) and the screenshots can help to understand it also for non German speaking persons.

Win2k: http://www.kssysteme.de/s_content.php?id=fk2002-02-02-3414
WinXP: http://www.kssysteme.de/s_content.php?id=fk2002-01-31-3823

Please notice that the description works only for single computer connected to the internet and not for computers in a local network.

wizard

 

Wow !

Wiz - thsi is amazing ! I must really thank you for these links !
I just can't believe that Win98 has no open ports and later versions are less secure by default !

Thanks again, thou truly be the White Wizard indeed !

SKA

 

An open port just does not mean something is not secure. As long there is no exploit (security hole) in the service that responds to the open port no hacker will find his way through. But the strategy is right to close as much open ports as possible: because where nothing is running (open), nothing can be attacked.

wizard

 

Here is Google's translated link

Be careful,,, If you look at some of the translated screen shots
The active ports are in swear words

http://translate.google.com/translate?u=http%3A%2F%2Fwww.kssysteme.de%2Fs_content.php%3Fid%3Dfk2002-01-31-3823&langpair=de%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools



Added URL tags

 

Yes, but if a malicious software misuses (tunnels) a valid program (like internet explorer) there is nothing you could do with a PF.

A pure netstat -a command would have done the same.

Do you think these kind of people could proper configure a firewall I doubt that. Just install and be safe does not work with any firewall.

Firewalls are important to protect a network I agree but for a single pc connected to the internet it is a pure waste. And if I have setup a network I personally would recommend to protect it with something more reliable than a windows based personal firewall. For example an old pc with one of those linux firewall systems you get for free all over the web or just a hardware router (like I do at the moment) gives much better protection. Just my personal thoughs on this topic.

wizard

 

Right now, these so-called tunneling 'exploits' are only theoretical: firehole, tooleaky, etc. There is nothing out there in the wild that uses these exploits, to piggyback on trusted apps like IE and tunnel through the firewall. What's more: see this pcflank leaktest study, http://www.pcflank.com/art21.htm -- and you'll see that the latest versions of popular firewalls are detecting and preventing these exploits, even when/if they do become prevalent in the wild. Software firewalls are continually evolving and improving: forex, I get notices of new beta-tests from ZoneLabs fairly often.

but not in real time: a software firewall that provides outbound control will alert you immediately when an unknown program (e.g. trojan) tries to get out to the Net. Besides, I don't make a habit of running "netstat -a" very often on my box. (using ZAP 3.5 as firewall, btw).

ZoneAlarm is about as close to set-it-and-forget-it as you can get: and other firewalls, such as Sygate and Outpost, aren't hard to configure either. Even rules-based firewalls like Norton and Kerio can be configured with a little learning curve: and there are plenty of forums and helpful aids available to help folks configure these firewalls. Most of these products have their own forums; e.g. dslreports has a Kerio-Tiny support forum; there is the Yahoo Keriofirewall group; there is a Sygate forum and a ZoneLabs forum; etc.

Agreed, that a dedicated hardware firewall is less vulnerable than a software firewall that runs on the same machine it protects; but I still think software firewalls are useful, and the market for them is legitimate and growing. A local network is really not that much harder to protect: you mainly need to protect the "gateway" or host computer that connects out directly to the Net. That's actually what I have, an internet connection sharing (ICS) home network, with a host and two clients. I have ZAP 3.5 installed on my host, and ZAF 2.6 installed on my two clients.

And as for a standard inexpensive SOHO NAT router: it has no outbound control, only inbound. A NAT router will merrily allow a trojan or worm to connect out to the Net, so long as the communication originates from within the local network running behind the router.

A hardware router that performs sophisticated 'stateful inspection' (not just NAT) is more expensive; and the most expensive, albeit also safest and most secure, is a full-blown dedicated hardware firewall: more appropriate for a corporate rather than SOHO solution.

 

Win2K and WinXP are much harder to close ports on, because of needed services:

Win2K Services: http://www.blkviper.com/WIN2K/win2k.htm
WinXP Services: http://www.blkviper.com/WinXP/servicecfg.htm

Forex, it's next to impossible to close port 135 on these OSes.

 

it is possible and quite easy to do.

 

apparently closing the port is much easier than trying to explain how to do it...

how about a more informative post SpaceCowboy ?

 

the instructions i am going to post i found in the Kerio forum at dsl reports. i have XP PRO and was able to close port 135 without any problems at all. back up your registry before you try it.


Closing port 135-
Simple fix:

Run: regedt32

I suggest you export your RPC branch before you make
any changes. That way you can fix any errors.

Go to the registry under hkey local machine:
go under software\microsoft\RPC\ClientProtocols\

You will notice a couple of different RPC protocals.
Basically we want to remove the value
which is equivalent to a dll name under two of these:
1. ncacn_ip_tcp = nothing/blank/empty
2. ncagd_ip_udp = nothing/blank/empty

Next you want to go up a level to
software\microsoft\RPC\DCom Protocols.
Remove ncacn_ip_tcp.


thats it

 

k, simple enuff

thanks

 

Now that we are on this subject again, I wanted to repost some screen shots. The second screenshot takes it a step further than the German site. I didn't see the German site explain anything about setting rules for the UDP and TCP ports.
These options are found on my Windows XP home. I have still not seen anyone comment on these. XP has these features besides
it's builtin firewall.

 

From the lastg screen shot you click on properties to get here

 

Ha ha

I wanted to bring this thread back again till I get an answer to my question on,,, Has anyone used the TCP/IP Filtering that I posted the
screen shots above? and or in conjunction with the built in firewall
and if so is it only inbound filtereing?

Over?

 

I believe that is the same as IPSEC, or IP security policy in Win2K.
There is a nice writeup on using it as a firewall at analogx.
http://www.analogx.com/contents/articles/ipsec.htm
I haven't really read all that yet, so I don't know if it covers outgoing or not. Seems a nightmare to configure, especially if its for outgoing too.
Also, regarding another part of this thread. On Win2K when I disabled port 135, I could not even boot up. Had to go to safe mode and enable it again. FWIW.
I'll stick with a firewall.