Inbound Protection

Discussion in 'other firewalls' started by Someone, Aug 19, 2008.

Thread Status:
Not open for further replies.
  1. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I'm not sure about it. I think the main task of FW is to control network traffic. Correctly implemented stack can protect itself without additional help.
    This is just wording. I insist that correctly implemented stack can drop the packets with the same efficiency as any firewall does. From the other side to control illegal flags etc any FW needs to allocate and use additional resources which turns all those efforts into null at best.
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Well I will not go around in circles with you on this. So I will make my last post to the thread on this.


    With windows there are 4 basic types of networking software, which are, services, APIs, protocols and network adapter device drivers, and each is layered on the next to form a network stack. So I put forward that MS placed the windows firewall as part of that stack to help with correct implementation.
    Now when you remove windows firewall you are removing part of the stack and also removing the packet filtering that the firewall does, and replacing it with another firewall, that firewall then becomes part of the stack, usually through kernel-mode /TDI. Now if that replacement is lacking in what it has replaced, in which I mean if the packet filtering is at least not as good as what has been removed, then you are intentionally weakening the stack.
     
  3. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I see your point, but what I actually meant by stack is a code starting with NDIS but before TDI. Starting from TDI (actually this is start of winsock, in other words logical level) individual packets are not seen, it's already socket stream cleared from physical stuff.

    And BTW, I never had any troubles with in-built firewall + third-party firewall in case there were not contradicting rules.
     
  4. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156

    Hi Stem regarding illegal packets that you have mentioned here, other than windows firewall, what software firewalls can block illegal packets??
     
  5. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    CHX-I V. 3 allows for conditional rules, but the conditions generally allow the triggering of a rule based on some other network communication event. There is no provision for directly triggering a rule by process. However, this works nicely for some P2P applications that communicate outbound on a known specific port when started as this event can be used to trigger opening a port to allow the initiation of inbound communications. Works like a charm with uTorrent.
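
The conditional rule described in the post above, modelled as an added example that is not part of the original post and is not CHX-I's rule syntax or code: an outbound packet to a trigger port opens one inbound port for a limited time. The port numbers, the 300-second lifetime and all names are assumptions made up for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class TriggerRule:
    trigger_port: int   # outbound destination port that arms the rule
    open_port: int      # local port opened for inbound while armed
    lifetime: float     # seconds the opening lasts (assumed, not CHX-I behaviour)

@dataclass
class TriggerFirewall:
    rules: list
    armed: dict = field(default_factory=dict)   # open_port -> expiry timestamp

    def outbound(self, dst_port: int, now: float) -> str:
        # Outbound is allowed in this model; a matching packet (re)arms the rule.
        for rule in self.rules:
            if rule.trigger_port == dst_port:
                self.armed[rule.open_port] = now + rule.lifetime
        return "ALLOW"

    def inbound(self, local_port: int, now: float) -> str:
        # Default deny: inbound is accepted only on a port with a live opening.
        expiry = self.armed.get(local_port)
        if expiry is None:
            return "DROP"
        if now >= expiry:
            del self.armed[local_port]   # window over, close the port again
            return "DROP"
        return "ALLOW"

def replay(events, rules):
    """Run (time, direction, port) events through a fresh firewall."""
    fw = TriggerFirewall(list(rules))
    verdicts = []
    for t, direction, port in events:
        handler = fw.outbound if direction == "out" else fw.inbound
        verdicts.append(handler(port, t))
    return verdicts

# Constructed sample: hypothetical trigger port 6969, listening port 51413.
RULES = [TriggerRule(trigger_port=6969, open_port=51413, lifetime=300.0)]
EVENTS = [
    (0.0, "in", 51413),    # unsolicited: nothing armed yet
    (10.0, "out", 6969),   # application starts and talks outbound
    (20.0, "in", 51413),   # inside the window
    (25.0, "in", 445),     # unrelated ports stay closed
    (400.0, "in", 51413),  # window expired at t=310
]

if __name__ == "__main__":
    for event, verdict in zip(EVENTS, replay(EVENTS, RULES)):
        print(event, verdict)
```

The inbound port is reachable only while the application is actively producing the trigger traffic, so the exposure window tracks use of the application rather than being a permanent open port.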
     
  6. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,096
    Location:
    QC
    Very interesting. Thanks.

    And, to continue with your example, are the triggered rule(s) then de-activated when the µTorrent application closes down?

    CHX-I keeps interesting me more and more, shame they placed it under the shelf years ago.
     
  7. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Can you mention some vendors? Does Linksys apply in the case? If I'm not mistaken Linksys is part of Cisco?
    Perhaps Thomson has improved with their latest routers (ST7 series)?
     
  8. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Might Threatfire Free be of any use to me?
     
  9. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Again, my apologies for the scare...
    Stijnson, if your router firewall is weak, you can just complement it with a better personal firewall. No need to throw the box out for this silly reason.

    To answer your earlier question, yes Linksys seems to be better from what I hear from my colleagues. And most new CPE/Routers have good firewalls, since they use more powerful network processors and there has been a thrust on security which was not there earlier.

    Protection Layers:
    *Router
    *Personal Firewall
    *HIPS

    Now depending upon the power of the individual layer, you can choose a more/less powerful alternative for others.
    For ex: If you are using Online Armor or Comodo Pro, you don't need a separate HIPS since they already have a good one in-built.
    If you are using a router with SPI , then you can choose any simple personal firewall which provides decent outbound protection.

    ----EDIT ---
    Threatfire is a pure HIPS product. If your AV or firewall doesn't have a behavioral blocker/HIPS, IMO it would be best to use ThreatFire.
     
  10. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Hi Vijayind. No need to apologize, I'm just paranoid -:)
    I just still don't know if Windows firewall will suffice behind a router (apart from if the router's firewall is weak or not. For my brand I just don't know).

    Perhaps I'll try OA Free to complement my router.

    EDIT: I have done some digging and I have discovered that my router uses a SIF.

    From the documentation:
    Stateful inspection firewalls (SIF) combine the aspects of the other three types of firewalls. They filter packets at the network layer, determine whether session packets are legitimate and evaluate contents of packets at the application layer. They allow direct connection between client and host, alleviating the problem caused by the lack of transparency of application level gateways. They rely on algorithms to recognize and process application layer data instead of running application specific proxies. Stateful multi-layer inspection firewalls offer a high level of security, good performance and transparency to end users.

    Is this any good?
     
    Last edited: Aug 25, 2008
  11. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Ok, but IMO paranoia is not warranted.

    Windows Firewall is good enough. As Stem will post, you can harden WF to increase the ruleset for better protection. The only thing Windows Firewall seems to fail in is outbound protection & self protection. So for this if you have a HIPS product, you can be safe.

    SIF !! Are you using SpeedTouch ... It's basically SPI + some addons. Like ability to DNS query and cross-check.

    Online Armor would make a good personal firewall. Else as stated earlier, you can use a hardened Windows Firewall + HIPS.
     
  12. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Hi Vijayind. I saw Stem's post about Windows Firewall. Is this the one you are referring to - and is this the post where hardening XP's firewall is discussed?
    I will look into ThreatFire Free (I'm not familiar with how it works and if it's difficult to master).

    I'm not sure if I have a ST router. It came with customized ISP box and software.
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi,
    I have mentioned hardening in a number of posts. For that it is better to use one of the free utilities that are available to save manually editing the registry.

    As example:

    Hardenit: http://www.sniff-em.com/hardenit.shtml
     
  14. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Isn't this tool for 'professional internet users' only?
    I hardly consider myself a professional of any kind, so is it safe to use this tool in my case?

    What is the difference between Harden-It and Secure-It?
    On the website it states that version 1.2 of Harden-It was released somewhere in 2005, but the download link gives me version 1.0.1.3.

    All other links I was able to find download either Secure-It 1.0.1.3. or Harden-It 1.0.1.3. No 1.2...
     
    Last edited: Aug 25, 2008
  15. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have not seen problems caused by using Hardenit. It does give recommended settings during the execution. The main caution is if you are a heavy on-line gamer or P2P user, as some settings can slow those down.

    Any changes made can be reverted back by running the program again.

    This is the first main option screen of Hardenit.

    01.jpg

    Options that follow will show a simple choice or a recommended setting:-

    As example:-

    02.jpg

    03.jpg

    04.jpg

    Hardenit does not install onto the PC, it simply modifies or creates reg entries to change/enable protection.



    - Stem
     
  16. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    I think you are using ST or ST-clone. DareGlobal makes the CPE for ST and other ISP/Vendors who rebrand it. I say this because very few vendors use SIF. SpeedTouch being the major one, others mostly use the same DareGlobal kits to market their own.

    Threatfire is very novice friendly. If my Dad can use it, any one can use it ;)
    If you are not sure, look into the Anti-Malware section of Wilders. I am sure they will have a detailed thread running.

    ---EDIT---
    Yes, I meant Stem's post. If you had difficulty with it, I would have recommended Harden-it. But Stem beat me to it.
     
  17. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Stem, could you add this to your existing Windows Firewall thread? So that it becomes a one-stop thread and new or experienced users don't have to scour wilders for info.

    Thanks.
     
  18. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Harden-it tweaks IP and Firewall settings.
    Secure-it tweaks system settings to keep potential attacks away.

    IMO, if you use any HIPS like Threatfire, secure-it is not needed.
     
  19. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    @Stem: thanks for the screens. On a single pc setup one would have to select the 'workstation' settings in Harden-it I guess?

    @Vijayind: thanks for the clarification about Secure-it. Do you have Harden-It 1.2, because all I seem to find is downloads for 1.0.1.3?
     
  20. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Hi Stijnson, please see my earlier post. I have given links to MajorGeeks download site where you can download ver1.2.
     
  21. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    I know, but those links either download version 1.0.1.3. or Secure-It (which seems odd, because the link is for Harden-It).
     
  22. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    I think I was a little off in my description.
    Harden-it is for Win XP. If you are using Win Vista, you have to use Secure-it, which includes many of the "Harden-it" features plus Vista specific tweaks for more security.
    If you install Harden-It on Vista, it will ask you to download Secure-It instead.
     
  23. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    OK. I have downloaded v1.0.1.3 (none of the links at MajorGeeks download the promised v1.2 unfortunately). Can I use the settings for 'Workstations' (single pc setup)?
     
  24. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    98,115
    Location:
    U.S.A.
    FYI. These are the original Web pages from sniff-em.com, the makers of: Harden-It and Secure-It.
    Unfortunately, the downloads are the same as MajorGeeks.

    EDIT - I just saw that Stem had provided one of these pages in a previous post. Sorry for the duplication.
     
    Last edited: Aug 26, 2008
  25. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Yes, you can use Workstations. But please note Secure-It contains some of the features of Harden-It, not all.
    And if I am not mistaken, it doesn't have the Windows Firewall and IP protection present in Harden-it. Can someone please confirm?
     