So what's wrong with Vista Firewall?

Discussion in 'other firewalls' started by tonyseeking, Apr 12, 2009.

Thread Status:
Not open for further replies.
  1. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    Why cannot we all just use Vista Firewall?

    Why the need for other firewalls? :blink:
     
  2. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Cos it's made by Micro$uck! Oh noes!

    'Nuff said.
     
  3. swami

    swami Registered Member

    Joined:
    Mar 24, 2006
    Posts:
    167
    You can. You don't.
     
  4. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    At least one reason (really they are many) for me is performance:

    perfudp test

    pure system:

    1.) 22.978 sec
    2.) 23.431 sec
    3.) 23.103 sec

    windows firewall on

    1.) 25.038 sec
    2.) 25.147 sec
    3.) 25.225 sec

    To say nothing about many things that can be done with just one click. For example my firewall allows to trust/untrust any computer on a LAN by "one click" which results in ability/inability remote to access my netbios and protects from some ARP related attacks. Also I can block all the network traffic by hot-key. Also I can use banking mode when I do my online banking. To say nothing about Vista firewall poor leaktests performance.
     
    Last edited: Apr 12, 2009
  5. progress

    progress Guest

    If you don't need a HIPS then keep your windows firewall. I think that's the only reason for a software firewall :)
     
  6. Mem

    Mem Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    292
     
  7. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
     
  8. Mem

    Mem Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    292
    Ahh, I was looking at post #3 which didn't specify like post #4 which did specify XP SP3... ;)
    https://www.wilderssecurity.com/showthread.php?t=237243
     
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,722
    Location:
    Texas
    Off topic post removed.
     
  10. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    One can if one chooses to.

    Personal preferance, at least here it is.
     
    Last edited: Apr 12, 2009
  11. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Yep, from the very beginning I didn't think it should make any difference. But the second set made me think it does .. Lerning learning learning :)
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have seen far too many times where a "one click" solution can actually compromise a system, or in some circumstances cause loss of internet.

    - Stem
     
  13. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    This also happens. But the same may happen with "go up and down, dance and sing and only then get what you need" solutions :)

    To be serious, this rather depends on understanding than on the number of clicks.
     
  14. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
    You should also test system with other firewall for comparison. I use Windows Firewall because of its performance in comparison to Comodo. ;)
    As for leaktests, that is complicated, since it is testing mallware leakage via infected processes and so on and should be stopped on other layer.
     
  15. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I did ! Not too much testing though, but after all I did what I was interested in :)

    https://www.wilderssecurity.com/showthread.php?t=237243
     
  16. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
    Thanks for the link, that one part with OA was missing here. ;)
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I do make some tests for packet handling, but have not used the tests you mention.
    For such results to have any meaning to me, then there would have to be a side by side comparison of "firewall A" <-> "firewall B" and what I mean is, not just a performance test, but also a full check on what the firewall is filtering. For example. If "firewall A" is filtering all protocols just to IP/Port but firewall B is filtering TCP to flag or even sequence number level and/or such as DHCP/DNS returned packets are having checks made on extra info such as transaction ID, then I would expect some difference in performance. Another consideration for me is as to what the firewall is actually filtering. For very simple example, for me to replace the vista firewall with a 3rd party firewall, then that 3rd party firewall would need to filter IPv6.


    - Stem
     
  18. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Yep, I understand. I do not try to move you to a different firewall. We talk here about the reasons and opinions. At the moment I don't care about IPv6 because I didn't encounter IPv6 based exploits, instead I encountered a lot of IPv4 exploits that can bypass windows firewall (including Vista firewall). Tastes and needs differ. I'm more practical than theoretical. I think when IPv6 support will make practical sense it will be added to the third-party firewalls. I do not see much problems with IPv6 except the main one - IPv6 support can turn UI to the true mess and IPv6 addresses can bring unprepared mind to a true disaster :)
     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Please explain.


    As for IPv6, even on an home/trusted LAN I would want filtering where Vista is present, as at its core network function it makes ICMPv6 multicast/ solicitation/ advertisement. So just for good management I would want control/filtering of those protocols, and would certainly not want these simply sent out over the internet.

    - Stem
     
  20. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    To bypass Vista firewall all you need is to intrude into/replace a trusted process. When done firewall doesn't matter anymore. And there is a lot of malwares that use this. What should I explain ? I can describe a lot of malwares and what they do, does it make sense ?

    Hm .. I just disable IPv6 on my interfaces and this allows to manage my network very well without buggering with very strange and completely useless at the moment IPv6 stuff.
     
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Protection of process is not a packet filtering job. For that you add an Hips or other security application. Why would you call that an "IPv4 exploit"?

    Running a LAN with Vista nodes would be better managed with its core networking functions actually working, so filtering is a better option than disabling such a base function. As in Vista firewall there are rulesets/single rules that can be enabled/disabled where/when required for such functions, there are no need to create rules.

    - Stem
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK

    Just a note:

    I do not currently have the vista firewall as a security layer on my setup. I only installed Vista due to a number of recent questions I have been asked concerning the inbuilt firewall. So currently I am just testing the firewall, it is not connected to the internet.

    So for my personal choice of what packet filtering would be in place for Vista setup is still undecided.

    - Stem
     
  23. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Because modern firewall is not only packet-filter. To be just a packet filter is not enough to be firewall today

    http://en.wikipedia.org/wiki/Firewall_(networking)

    ===
    A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.
    ===

    It's a pity the article didn't update since 1994. So much water flew since then.

    ===
    First generation - packet filters
    Second generation - "stateful" filters
    Third generation - application layer

    Subsequent developments

    In 1992, Bob Braden and Annette DeSchon at the University of Southern California (USC) were refining the concept of a firewall. The product known as "Visas" was the first system to have a visual integration interface with colours and icons, which could be easily implemented to and accessed on a computer operating system such as Microsoft's Windows or Apple's MacOS. In 1994 an Israeli company called Check Point Software Technologies built this into readily available software known as FireWall-1.

    The existing deep packet inspection functionality of modern firewalls can be shared by Intrusion-prevention systems (IPS).

    Currently, the Middlebox Communication Working Group of the Internet Engineering Task Force (IETF) is working on standardizing protocols for managing firewalls and other middleboxes.

    Another axis of development is about integrating identity of users into Firewall rules. Many firewalls provide such features by binding user identities to IP or MAC addresses, which is very approximate and can be easily turned around. The NuFW firewall provides real identity based firewalling, by requesting user's signature for each connection.
    ===

    I believe to manage something good you need to understand it. I'm not ready to understand IPv6 addresses. More to say, I do not believe it will ever become popular, in the first place due to address comlexity. I believe this is dead-born standard. In any case I do not see any practical sense (aside from your theoretical speculations) to enable IPv6 support. I better sacrifice IPv6 in favour of security, because Vista firewall doesn't provide security level I expect from a modern firewall and I do not understand IPv6 well enough to feel secure.
     
    Last edited: Apr 13, 2009
  24. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    While I won't question that claim, to say that a program needs to be able to protect files from malware attacks to be called a firewall sounds just a teeny-weeny bit far-fetched.
     
  25. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    OK. Firewall must protect inbound and outbound, even from a tricky malware. Generally I do not care what means does it use to do this job, but it must do it. Vista firewall doesn't do it, so for me it doesn't do its job well. This is my approach. Let us return to the very beginning. The guy asked "why something else". I just explain why I use something else, these are my requirement to a firewall. Somebody else can have different requirement. In 30 min I can compile an example that will steal ICQ number and send it out bypassing Vista firewall. Though, it will not bypass ZA, OP, OA, Comodo, PCT etc. Do you see now what I mean ?

    Information can be sent out using DNS, ICMP protocols. It can be sent out using BITS, svchost, IE, FF, Opera. Actually there is a lot of thicks to bypass Vista firewall. Vista firewall can help only in case you never start anything on your computer except native windows utilities. For most people this restriction is inacceptable.
     
    Last edited: Apr 13, 2009
Loading...
Thread Status:
Not open for further replies.