Are 3rd Party Firewalls really any better than Windows XP Firewall

Discussion in 'other firewalls' started by duke1959, Dec 3, 2006.

Thread Status:
Not open for further replies.
  1. webmedic

    webmedic Registered Member

    Joined:
    Nov 7, 2004
    Posts:
    123
    Location:
    just curious how much info you can get into here a
    http://www.matousec.com/projects/wi...ysis/leak-tests-results.php#firewalls-ratings

    You know, this has some very good info on this subject.

    The link goes to the results. If you want to see those and the notes, read down. If you want to learn all about the testing, then read up.

    You are only as safe as YOU are. In my shop so much time is spent teaching people not to download things off the net or else they will keep getting infected. Nothing can save you from being uninformed or misinformed. And to clarify my statement: no, I don't think all downloads are bad, but that would take way too long to go into for an end user. Most of them simply don't get it and possibly never will because they think of a PC as an appliance to be used and something they don't have to think about.
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    DVD+R, this is a bit alarmist for the average home user.

    If ports are closed, there is *no* threat... (you don't even need a firewall for that, as I showed last year) - nobody can open a closed port *from outside*, or, even if it were possible, create a connection with anything that wasn't listening there.

    Infiltration by script or download relies on finding an open listening port - P2P, IM, chat rooms, etc, - so these attacks are not a port filtering problem, since the firewall is permitting the traffic by choice of the user.

    Bigger threats are the sites you visit (open port 80) and the e-mails you receive. Again, this is not a port filtering problem - the firewall is allowing this traffic by choice.

    This is pretty basic stuff and applies here, unless you know something that I don't. If so, please share.

    regards,

    -rich
     
  3. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    What about worms and such things? Is this more for an AV to detect or prevent? Maybe I'm just not getting this, but if someone has a strong enough security set up with say AOL Active Virus Shield (Self protection, and spyware detection) and Cyberhawk to both protect and detect, isn't the Windows Firewall sufficient enough to round off that protection along with FireFox, NoScript, and McAfee Site Advisor?
     
  4. marcromero

    marcromero Guest

    I use the Windows Firewall and Shields Up test reports stealthed.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I recently discovered that "The name 'worm' comes from The Shockwave Rider, a science fiction novel published in 1975 by John Brunner."

    http://en.wikipedia.org/wiki/Computer_worm

    If you think through how worms propagate, the two most common are

    1) Through a port. Symantec describes the W32.Welchia.Worm as exploiting the DCOM RPC vulnerability using TCP port 135. But if Port 135 is closed by a tweak in the OS, or blocked by a firewall, then this exploit is not effective. This applies to ports 139, 445, and any others that have been used. Here is a port scan from my log today:

    http://www.urs2.net/rsj/computing/imgs/portscan.gif

    The WindowsXP firewall would provide similar inbound protection against this type of traffic.

    2) By email. McAfee describes W32/Ganda@MM as "a mass-mailing worm sends itself to email addresses [via port 25] harvested from the Windows Address Book and files on the victim machine."

    Should something like this happen, the WindowsXP firewall would not block an outbound attempt, where a 3rd party firewall would:

    http://www.urs2.net/rsj/computing/imgs/outbound.gif

    Of course, there are methods other than a firewall for preventing outbound internet traffic, so one has choices in setting up a security system.

    The obvious prevention, of course, is not to open such an email if you receive one. But if you do, what detects? AV may or may not, depending on whether or not the virus signature has been added to its database, and if the user has updated the AV. You may remember the early days of the wmf exploit about a year ago this month. The first day the exploit was true zero-day:

    http://www.urs2.net/rsj/computing/imgs/wmf-scan3.gif

    Once successfully downloaded or cached, a worm/trojan has to execute. From McAfee: "When W32/Ganda@MM executes the worm copies itself into %WinDir% as SCANDISK.EXE and ########.EXE (8 random characters)."

    Because AV is not reliable, you might want to have some other type of protection in place to block such execution. See suggestions in this thread Security suite for the dangerous surfer?, especially SpikeyB's post #22 about the use of Software restriction policies - certainly one of the most underrated security measures available for those with XP Pro.

    regards,

    -rich


    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
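
The two propagation paths described in the post above, turned into a defender's check (an added example, not part of the original thread): it parses `netstat -ano` output and flags ports 135, 139 and 445 listening on non-loopback addresses, plus outbound connections to port 25. The sample output, addresses and PIDs are constructed, and the function names are hypothetical.

```python
import re

# Ports named in the post: DCOM RPC (135), NetBIOS session (139), SMB (445).
WORM_INBOUND_PORTS = {135, 139, 445}
SMTP_PORT = 25  # outbound port a mass-mailing worm uses to send itself

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       1720
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1187      203.0.113.7:80         ESTABLISHED     2312
  TCP    192.168.1.20:1201      198.51.100.25:25       SYN_SENT        3104
  TCP    192.168.1.20:1202      198.51.100.26:25       ESTABLISHED     3104
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state, pid) per TCP row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            lip, lport, rip, rport, state, pid = m.groups()
            yield lip, int(lport), rip, int(rport), state, int(pid)

def exposed_listeners(text):
    """Worm-targeted ports listening on a non-loopback address."""
    return sorted(
        (lport, lip, pid)
        for lip, lport, _, _, state, pid in parse(text)
        if state == "LISTENING" and lport in WORM_INBOUND_PORTS
        and not lip.startswith("127.")
    )

def outbound_smtp(text, allowed_pids=frozenset()):
    """Outbound connections to port 25 from processes not on the allow list."""
    return sorted(
        (pid, rip)
        for _, _, rip, rport, state, pid in parse(text)
        if rport == SMTP_PORT and state != "LISTENING" and pid not in allowed_pids
    )

if __name__ == "__main__":
    for port, ip, pid in exposed_listeners(SAMPLE_NETSTAT):
        print(f"listening {ip}:{port} pid={pid}")
    for pid, rip in outbound_smtp(SAMPLE_NETSTAT):
        print(f"outbound SMTP to {rip} pid={pid}")
```

A listener flagged here is only reachable if nothing filters inbound traffic in front of it; pass the PID of a known mail client as `allowed_pids` to avoid flagging legitimate mail.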
     
  6. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Yahoo Mail uses Norton AV to scan e-mails, which is what I use for my e-mail. But could an AV with heuristics pick up a new and dangerous mass mailing virus, like Antivir or AOL AVS? I of course watch what I open, but still wonder.
     
  7. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    Not intending to bring up the earlier question regarding the XP firewall and its performance versus third party firewalls, does the Windows Security Center show any prompt when the XP firewall is shut off by malware? Has anyone tested a system where malware shut off the XP firewall and if any alert was made to indicate the shutdown? Since there is no icon on the system tray for the XP firewall, I wondered how you would know that something sneaky occurred and it was shut down?
     
  8. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,027
    Location:
    Texas
  9. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    Thanks for the link. I've never seen that particular popup come up before. I have received the AV prompt about being vulnerable because the AV was not the most recently updated. An odd thing did occur with the Antivir program. The umbrella was closed (meaning the program was deactivated) yet when I opened up the main AV menu, it listed the program as "activated". I clicked the activate and deactivate link several times and then the umbrella icon appeared to follow the program status in sync. I think others had the same issue about whether the program was activated yet the icon showed "deactivated".
     
  10. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Providing one executes the file in the first place. Take e-mail for example, how many of us are daft enough to run such files without first scanning them or at best just plain ignoring them?

    Some of this is down to using common sense as well.
     