Security level of the XP firewall?

I have a friend who shares a wireless connection with other people in the building. I've read that there is malware that is designed to infect other computers on a LAN once it gets into one computer, since it is then past the router which is a primary defense. And of course there are users who try for fun to get into other people's computers. So I want to set up a software firewall to raise her level of security.


Is the XP firewall strong enough for this purpose? I am concerned that the XP Firewall may leave some ports open, or leave other vulnerabilities that can be exploited by a computer on the same LAN. If it is strong enough, I'd prefer to use it rather than a 3rd party firewall that gives prompts that she would have to deal with.

Thanks

 

against inbound attacks, the Windows Firewall would do just fine.

 

This is something that I don't know has been quantified. Many firewall reviews denigrate the Windows XP firewall because it is weak when compared to other third party programs. It has no outbound protection so any malware could "dial out" to a server without your knowledge. I have never had it shut down when I was using the computer, but that is dependent on what you come across when using the PC. There is a log file that you can track the "pings" and other communication streams that you come across. For inbound protection, it seems to be pretty good and it is light on machine resources. If you want to have the ability to control any outbound communications, you will have to go with other programs. I have scanned a PC with the XP firewall and the ports have always showed as stealth.

 

WinXP SP2 Firewall is more than sufficient for inbound protection. It is an SPI firewall so it is not any different than ZA for inbound filtering, the only thing it lacks is outbound filtering so anything on your computer can make any outbound connection. Some people view this as a bad thing. Personally I think it is a mute point. yes an outbound filtering firewall will alert you to possible malware connecting outbound, the point that most people miss is that at that point your system is already hosed as whatever malware would be connecting outbound has already installed itself and is up and running and would have gotten by your AV. While it is true you would have that last chance at stopping it, the firewall will do nothing to help you clean your system of the infection. I feel having a quality AV and AS is more important than an outbound filtering FW. As you may know having an outbound filtering FW is only of value if you know what the alerts mean and how to correctly respond to them. Clicking "Yes" which the majority of people do as they have no clue is the same as using the XP FW to begin with.

 

The XP firewall is more than capable for your purpose. For years it was the only network security i used and it never let me down. If you configure it correctly then it will do fine. For added protection you can install something like regdefend which can stop the firewall from being disabled.

 

Good points flyrfan111, but a lot of times people using HIPS such as Tiny (now CA) have the ability to allow software to run, while controlling it's actions. In certain instances it is nice to be able to block communication while figuring out what's going on.

With sandboxing HIPS simular to DefenseWall, GeSWall, SandboxIE and so on, it is not a problem running just about any malware you can find as long as you can prevent the malware from sending out private information. A lot of HIPS have features to protect specified information such as files, folders and pre-defined credit cards, social security numbers and the like, but when encryption is a possibility things aren't always full-proof.

I guess it's just a matter of personal opinion if you think you need outbound protection or not. While Comodo is nice, I still use Windows Firewall a lot and do not worry about anything. As stated above, the XP firewall inbound protection is just fine.

 

Thanks to all for the responses.

I guess it's good to hear that the XP firewall provides good protection. But I guess what I wonder now is what about zero day threats, like the Sasser worm? From what I remember, it worked by getting in through 3 ports that were vulnerable. I'd imagine that most of the XP machines that were infected had the XP firewall running, yet Sasser was able to get in. How did that happen?

Thanks

 

Sasser was more of a threat to Win 95/98/Me and it could be stopped by using a firewall:

Use a personal firewall such as the Internet Connection Firewall, which is included with Windows XP and Windows Server 2003.

If you use the Internet Connection Firewall feature in Windows XP or in Windows Server 2003 to help protect your Internet connection, it blocks unsolicited inbound traffic by default. Microsoft recommends blocking all unsolicited inbound communication from the Internet.
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

http://www.symantec.com/security_response/writeup.jsp?docid=2004-050116-1831-99

 

AFAIK the Sasser worm was released before the windows firewall was enabled by default (SP2)

 

Sasser was an exploit that targeted Win2K and WinXP systems.
A good explanation is an old TrendLabs White Paper.

A couple of excerpts:

----------------------------------------------------
The SASSER Event: History and Implications
WHITE PAPER
TRENDLABS RESEARCH
WWW.TRENDMICRO.COM

Basic Exploit Similarities

Both SASSER and MSBLASTER are essentially worms, meaning these malware types are self-contained programs that use malicious code to spread functional copies of themselves or their segments to other computer systems. Typically, the propagation takes place via network connections or through email attachments.

Your standard worm would usually require human intervention – such as opening an email – in order to be launched. A notable characteristic that differentiates SASSER and MSBLASTER from the common worm, on the other hand, is they take off on their own. No email attachments, no URL links. The possibility of infection becomes immediate simply by being a part of a network, such as the Internet or a Local Area Network (LAN), and by having an unpatched operating system. Another significant characteristic these two worms mirror is that they affect only Windows 2000 and XP systems.

Infection Technique

Earlier we mentioned how SASSER and MSBLASTER are able to perform their infection routines automatically and do away with user intervention (opening an email attachment or clicking on a malicious URL). The technique uses the malware’s basic exploits to perform mass propagation routines across networks.

MSBLASTER uses port 135 to find vulnerable systems to infect (RPC DCOM vulnerability - MS03-026)

Similarly, SASSER uses port 445 to scan for vulnerable systems (LSASS vulnerability - MS04-011)
---------------------------------------------------------------------------------------

Both of these exploits have been patched. As you can see, if infected on a computer on your LAN, you would be protected if those trojan ports are closed. The XP firewall will take care of this, and you can check your firewall by running a port scan at the several scan sites on line: GRC and Sygate are two.

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

Ok I've done some searches and confirmed that in fact SP2 (with the firewall on by default) was released a few months after Sasser became widespread.

So unless I get some new info, I'll assume the XP firewall is strong enough to protect a computer at public wireless hotspots then.

Would it be safer to set it to No Exceptions when at a public hotspot, since File Sharing would seem to be an obvious attack vector?

Thanks

 

Hey vinzenzo, you should download GesWall Free Edition from www.gentlesecurity.com - I think it is just what you need.

 

Yes. That is exactly what Microsoft recommends.

 

Thanks, tayres.

AJohn, What kinds of threats at public hotspots would bypass the XP firewall(set on No Exceptions) and yet be stopped by GesWall?
Thanks

 

Rare browser exploits and such, user mistakes, etc.

Edit: I'm probably more paranoid than you are