Is Windows XP firewall enough for advanced inbound protection?

Discussion in 'other firewalls' started by CoolWebSearch, May 9, 2009.

Thread Status:
Not open for further replies.
  1. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,215
    Hello, everybody.
    I just wanted to ask you. You are all having different kinds of software firewalls for your protection, but here is what I really have:
    I have a router/hardware firewall with SPI (Edimax router AR-7084A) which has SPI and blocks everything inbound, Windows XP firewall (Windows XP Pro SP2) which also blocks everything inbound, and I also have Avira (free) antivirus.

    1. Why do I need any other protection losing in adjusting security level of software firewalls, if this is just enough?
    Trust me on this, I spent several every day just to see if this combination is secure, and trust me, it is.
    No one has ever broken through the router (that doesn't mean he/she can't do it).

    2. When we talk about Windows XP firewall's INBOUND protection-is it at least as good as the inbound protection of the best software firewalls in the market today?
    Has anyone tried to test it to see, to actually compare this?


    3. So, basically what I really need is not a software firewall, but HIPS, right?
    The problem comes out when you have combination of firewall and HIPS, because I don't want firewall with HIPS, I only want HIPS?

    4. But also, what HIPS products have all the security areas covered? For example, System Safety Monitor and ProSecurity each have different limitations (I forgot which; I suppose in one of them you can't protect files, and in another you can't protect the registry, the obvious sign of limitation).
    Can anyone help me with this?

    5. OK, recently I have just found out that I can simply block just about any malware from any portable media (CD, USB stick, DVD,...), because I changed rules inside the computer management.
    What I did is simply block "Autorun" and opening from any portable media, so if I have a rootkit on a stick, it wouldn't be able to do anything, since I blocked autorun.
    So, why do I need HIPS at all, if I basically took care to get a total control of my computer even without HIPS?

    6. Isn't a router/hardware firewall with SPI (Edimax router AR-7084A), Windows XP firewall (Windows XP Pro SP2) which blocks everything inbound, plus Avira (free) antivirus simply much more than just enough to get the inbound protection as well as the protection from malware that I get from portable media if I disable "autorun" (on portable media)?


    Thanks to all and cheers.
     
  2. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
  3. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,215
    Big thanks for that; I didn't know Windows XP firewall's inbound protection was discussed here.
     
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I think there should be a firewall bible somewhere that describes the 2 philosophies of a software firewall today. Sort of the 2 commandments.

    1. Thou shall not allow inbound traffic
    2. Thou shall not allow outbound traffic

    Because, as to your question, it really is 2 different uses. Everyone should have inbound. A router may be enough, maybe not depending on if you have a LAN and wish to restrict.

    It is the outbound that is really the question. Do you need it? Should it make rules per application? Most 3rd party firewalls are into this and many now with a hips component. But do you need it? There is no golden rule, no 'one rule to bind them'. It is simply a matter of what kind of control you think you need to have over your system.

    So, hundreds more will ask the same question. And hundreds more will receive the 2 firewall commandments, and still be left wondering if they need the security of an application aware firewall. And hundreds more will receive the same answer: it depends on you.

    I don't really need an application aware firewall. Sometimes I want it, just to know. But more often now I have other security methods that handle things before I need to worry about a firewall blocking/allowing applications.

    So your question, how do you answer it? Are you sure you won't have some rogue application get installed that wants outbound connections that you would not have happen? Are you in a position where even if this did happen, you could restore the system to a known good point? I think those are the questions that need to be asked to answer questions like yours.

    But then, I speak from an experienced viewpoint, where I have already been down the firewall road. Having played with every one I could find, having elaborate configurations. Really, never having had a problem I would need one for. Others may have different viewpoints, which is fine. But each person without knowledge of how secure they really are will find it hard to answer the question.

    Too bad really, as so much attention is drawn to them. They are a complex piece of software. You do have to know a little something to use them properly. And that is where the problem lies, as with most security programs. The program is only as good as the user configuring it.

    Sul.
     
  5. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Very good post. Was going to quote bits of it, then figured it's all worth reading!

    I use the Windows firewall.

    I think, as Stem said, for inbound connections Windows FW is fine.
    For outbound connections I have 1 custom rule in Threatfire, which alerts me if a new application tries to make an outbound connection.
    That's it.
    And as I'm careful with my browser security and the apps that I choose to install, it's very much a nice to have, not a "front-line" security requirement.
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    No.

    An HIPS does not filter IP protocols


    - Stem
     
  7. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,215
    I'm sure you could show me plenty of ways where the best software firewalls beat out Windows XP firewall, but the fact still remains with my experience, that the combination of SPI router, Windows XP firewall, Avira Antivirus (Free) and disabling autorun for any portable media is simply just enough for me without being scared of getting bugs in firewalls or antivirus products.
    So, my question is: What makes you think Windows XP firewall is not good enough when it comes to inbound protection, if we exclude those IP protocols (which I never really used when I had ZoneAlarm Pro, Outpost Pro and etc...)?

    I'm sorry for asking this, but I'm an amateur, and I'm also sure if you really wanted to break through into my computer, you would do it (since you know firewalls' weaknesses).
     
  8. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Stem - What's changed in the other firewalls on the inbound side?
     
  9. bollity

    bollity Registered Member

    Joined:
    May 9, 2009
    Posts:
    179
    I can't live without a firewall.
    I can't live without a bandwidth monitor.

    The last few days I was doing something on my computer, nothing connected to the internet, but the bandwidth monitor showed a high download rate. I checked my firewall connections and found svchost.exe connecting to Microsoft and downloading something.
    This is about 34Mb and it is stored in C:\Documents and Settings\admin\Local Settings\Temp. This thing is the new Live Messenger, which I didn't ask to download or install.

    What if you have a trojan or a server (like prorat or bifrose) that sends your activities and information to someone (consider that the antivirus didn't discover it)?
    How can you know it exists on your PC without a firewall and bandwidth monitor?
     
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I don't know about others, but things like messenger do not get installed on my computer. I am aware of what services are running and what autostarts. I have my network icon displayed in my tray so it is easy enough to monitor for activity. I have written apps that help me if I am curious or just want to watch. ProcessExplorer running in tray is also an easy way to see what app is using bandwidth.

    I guess the bottom line is, in context of this thread, if you know what you install, and know what is running, XP firewall or no firewall is easy to use. There are ways without a firewall to see what is happening if you want to. Some just don't need the kinds of firewalls that let you know everything.

    Besides, I use some ipsec rules in XP, which pretty much eliminates any ports not declared.

    All about how you use your machine I suppose. I don't worry about it now. And, if I examine my router logs or firewall logs, or put up an app that monitors for a day, I don't see anything I don't expect. But then, everything I install is tested in vmWare or Sandboxie first.

    Sul.
     
  11. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    Think of protection like a Secured Army Base, and you are surrounded by the enemy. Who do you let come into your Base? Who do you let out of the Base? This is the way you have to think when you're on your system. Internal LAN (network) and External WAN (internet). The threat is real and worse today than in prior years.

    Too many jokes, foul play and remote control kiddies can take over your system, thus the need for firewall software started back in the 90's. Still, since then most firewalls do work for inbound and outbound; some still don't block the browser that software developers use: if you uninstall their products they want to know why, and thus put in an internal comment to have the browser launched for an outbound connection to their site. This is what you need to stop or be warned of.

    Firewalls can't do it all though. A software firewall can only do what it's been programmed to do. A hardware firewall running from a chip set like NAT, SPI and Intrusion Detection works sort of the same way, protecting key areas only.
     
  12. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Just a little example.

    I used to plug my laptop into different LANs when visiting my friends. With one of the LANs I often got some malware uploaded to my unrestricted share folder even with the Vista firewall enabled. On the other hand, with some good third-party firewall enabled and a LAN not trusted by default, I didn't get the same malware in my shared folder (just because my third-party firewall blocks netbios access from the not trusted computers).

    Not a big deal, no harm was done, the malware was just uploaded to my share. But ... but who knows how many security holes Windows has? :)
     
  13. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    @alex_s

    If I may ask, why should you even bother having the server service on within a foreign LAN? That alone would cure many problems. I myself have my service set to manual. If I need to file share for some reason, I issue a simple 'sc start lanmanserver'.

    Also, have you ever made an ipsec policy that covers a foreign LAN, where only traffic to and from let us say a router is permitted and all others blocked? It would make an interesting test with the type of exploit you are speaking of.

    Sul.
     
  14. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    You have enough, within the reason and sanity boundaries.
    Is Windows XP as good as ... some Cisco monster? No, but for home users, it's quite adequate.
    Mrk
     
  15. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251

    The problem is I don't like to press more buttons than is really needed :)

    The accident with the Vista firewall was rather an experiment than my regular practice. Generally I prefer that my software automatically adjusts my settings depending on the environment (and I like to think it actually does). Manually changing the settings every time when plugging into different networks is troublesome and time-consuming (to say nothing about possibly being in a hurry).
     
  16. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    I get sick of people like you saying that what you currently have for security is quite adequate.

    Due to people like you always giving out misinformation, this is the reason why millions of PCs around the world are infected with malware.

    I was told the same thing once by a so-called expert: you have an AV and firewall so you don't need anything else. And yet I still got infected with malware.
     
  17. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    You are clearly mistaken. The reason people are infected is due to them using a computer that connects to millions of other people over the internet. With human nature, some people will do things that are less than honest. This is not unknown to the world. But people have better things to do than learn how to navigate the waters of the internet safely. So they don't learn. And they get into trouble.

    Imagine it like this. If you don't know how to swim, do you go swimming in the middle of the ocean? Or do you take some swimming lessons and learn. If you want to swim, and learn just enough to do the dog paddle, how will you get back to shore? You will now know how to stay afloat in the water, but be unable to save yourself, instead relying on the coast guard to come by and pluck you out.

    Computers are the same. People without the internet don't need to know how to swim. People using the internet generally learn how to dog paddle, just staying above water, as you say a simple firewall and AV. But when waves come or they get tired (you pick the analogy), they cannot save themselves. They require the coast guard AKA computer guru, computer geek, computer nerd, mr. fixit. The person who actually knows how to swim, and beyond that carries a life preserver for others. Around Wilders, many carry a dozen life preservers ;)

    I hear your frustration. It is just how it is today. The internet is thriving with dishonest people, and no one is safe unless they take some safety courses. The best peeps can do IMO is learn how to back up their data, a few safe habits, and hope for the best. Because honestly, most of the average users won't take the time to learn something they have no interest in and no proper fear of.

    Sul.
     
  18. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    I think you guys are missing my point.

    ssj100, if Windows firewall is enough for inbound protection then why do you need all the other products in your Sig??
     
  19. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    But, would you need all of that? That is the point here. I don't need it. I have run, day to day, with just Avira. XP firewall often disabled. True, behind a router. True, I try different things out: ipsec rules, different SRP approaches, AppGuard lately, Cyberhawk periodically. Toying with different things. But most often, only Avira. Even then, what does it do? Nothing. Rarely a peep from it. So am I infected? Am I compromised? How do you know? Is anything 'phoning home'?

    The answer is, No. Do I want the peace of mind of 'something'? Yes. Am I willing to go through many hoops anymore to get it? No. Why? Because it is mostly not needed. Is it for you? Maybe. Depends on your knowledge.

    The point is, and I did not miss yours, that you really don't need all that. If you know what you are doing. So who is to blame when the person who does not know what they are doing (and no fault there, it is ok to know things other than computers) takes advice that they are not capable of understanding? The advice giver or the advice taker?

    How do you, personally, anyone, know when one security scheme or setup offers you the protection you need? The answer is, if you understand why, then you are fine. But, if you don't understand, you either need to learn why, or just say you don't know and find some other means.

    Security is simple. Peace of mind not as much. The reason we have 50 firewall companies and 25 hips vendors is simple. Most people don't know enough to do for themselves what the tools try to do for them. And if even one of those tools worked for the 'average' user, they would reign supreme, much like M$ does, and others would dwindle. I don't see that happening at all, so I think it is safe to say that the majority of users in the world don't know what to do or how to do it, and in turn, should admit as much and not try advice without understanding they might get bit.

    One would think anyway.

    Sul.
     
  20. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    The answer is the same as with the airbags. 99% can say "I don't need it, I drove w/o them for years and everything was OK". Still there are the people who can say "yeah, airbags saved my ass". There is no logic in the situation, just probability, so all the arguments like "I did this and never got that" are irrelevant. AV is OK, but everybody knows AV is always a step back after zero-day malware.
     
  21. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Quite right. Some people do benefit from airbags. Most, thankfully, never do because they don't get into a wreck. But notice one common factor? They all know how to drive. lol, some better than others. But they had to pass a test to be allowed to drive. If using computer on the internet were the same way, you had a baseline of knowledge, perhaps you would know how to properly use the airbag deployment system, and not need a roll cage, 5 point harness, firesuit and helmet.

    Spouting how one does not use things is not the issue. The issue is that problems described by arran will always exist, due to the very large gap between those that know how to drive without an airbag and those that don't. My granny has been driving without one for nigh on 70 years now, so it can be done ;)

    Good points though. I would say that Windows XP firewall can provide good enough protection if one knows what they are protecting and how to protect it. But, this cannot be true for everyone. I still don't know what a peep is going to do if they don't understand. I don't think any security product will help them if they don't start learning.

    Sul.
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    You made a specific thread. You also put forward a specific question directed to me which I replied to. Do not interpret reply to specific as considered as global.


    - Stem
     
  23. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Heh .. You've missed my point. Even being Formula-1 driver you are not guaranteed from the accidents. Circumstances can be just unavoidable.

    Another question is: do you really have something to protect? If you don't do online banking, if you have no sensitive materials, if all you need from a computer can be just restored from a backup and your lovely game can be reinstalled from CD, then the native XP firewall and Windows Defender are more than enough to keep you safe :)

    But .. if you have something to protect, it's better to take more sophisticated measures.
     
  24. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Very true.

    What then does the novice do? Hobbyists or people who work with computers could use more robust protections, maybe online armor or DW. They can or want to understand what to do. But the novice? What do they use that truly protects their online banking or other more sensitive nature material?

    Hard one because those many 'button clickers' don't want to know any more than they have to. And why should they? But this gives them, IMO, a false sense of security with their sensitive material. They assume just as much, that their more fancy powerful program is better than the simple windows firewall etc. But because they don't understand how to configure it (without help), they can be in the exact same boat, or the boat where the internet stops working, so they completely disable the protection so they can get back online. Leading to the same issue as if you only use XP firewall and AV.

    So in your analogy, the formula 1 driver can crash into the truck driver who in turn crashes into the bicyclist, who flips and crashes into a pedestrian who then knocks over a child's lemonade stand. Playing the odds.

    Yes?

    Sul.
     
  25. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    I agree with both of you, "alex and sully".
    Simply, sometimes bloated security software can cause extreme harm to your computer (BSODs, killed performance, or even delayed boot time), more than a real virus can do (at least the virus will do it and will stop once removed, but bloated security software will do it in real time).
    For example, 3 years ago I was using Kaspersky Internet Security for one year, and after I left Kaspersky for Avira I realized after one year how fast my PC is and how I had killed its performance for a full year. Then I said: welcome, viruses, if the security software will kill my PC like that.
    But since I started using Avira I got both good performance and a PC that was never infected.

    best regards
     