Why using Windows Firewall ONLY is a bad idea?

Discussion in 'other firewalls' started by Wai_Wai, Sep 3, 2005.

  1. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Why using Windows Firewall ONLY is a bad idea?

    (Sidenote: You may wish to read this thread as well which is about "Do you use Wins Firewall(WF) ONLY?"
    https://www.wilderssecurity.com/showthread.php?p=548761 )

    Hi.
    Currently I would like to gather info why it is a bad idea to rely on Windows Firewall ONLY.

    Instruction
    It would be great if you could:
    - provide reasons with good depth of explanation
    - provide evidence/hard facts to support the above (if applicable)
    - provide links/reference as a proof (if applicable)

    Avoid giving:
    - subjective comments (with no explanation) (eg no Wins Firewall[WF] because they *****). Hard facts are preferred.
    - personal comments (eg no WF because it is made by Microsoft)
    - merely figurative/metaphor (with no explanation) (eg using WF is just equal to shutting the door without locking it.)

    Hopefully these guidelines will not discourage you from posting.
    After all, you don't need to satisfy all the above. They are merely guidelines.
    You don't need to be too worried. Feel free to post if you have any reason in mind.



    Note
    - Please don't make any irrelevant comment or reply (eg discuss about which is the best third-party firewall). It's because I wish to keep this thread clean without cluttering up with lots of irrelevant info.

    - If you are too eager to do so, consider opening another thread or private messaging.


    =================================

    EDIT:
    - Now it seems people are talking about the point that "Windows Firewall is designed not to have Feature XX, eg outbound protection, security configuration" should or should not be a defense against the claim that "Windows Firewall is bad since it has no outbound protection". Apparently it seems to be a valid discussion, but it is indeed a value judgement in my opinion.

    The fact is here - Windows Firewall provides NO SINGLE outbound protection or any other features mentioned above, in which it is fundamental to network security precautions (it may not be true for real security experts. Anyway some of them may even think anti-virus is not necessary).

    It is up to you to make your own value judgement that if these points are justified as "classifying Windows Firewall as bad/ineffective" in any perspective.

    So it would be great if you make another thread to discuss this particular point, should you wish to.
     
    Last edited: Sep 4, 2005
  2. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Here I go.

    {The following article is not complete, still working in progress}
    (Thanks to HandsOff, FatalChaos for some of their contributions)
    (The post becomes a bit too large. Browse for bold letters to get some ideas about points made in this article)

    Reasons:

    Security Performance
    - Windows Firewall(WF) only has inbound protection, but not outbound protection.
    From Microsoft Website (http://www.microsoft.com/technet/prodtechnol/winxppro/plan/icf.mspx):
    - As to inbound protection, it is still worse than all other famous Firewalls.

    - since Windows Firewall(WF) is the default firewall for every Windows user, it implies it has huge market shares. It further implies hackers will be (nearly) always eager to hack/bypass this firewall, in which it is similar to the cases why Microsoft Outlook (Express) or Internet Explorer usually get hacked.

    - There is news that WF has been exploited previously.
    - It doesn't provide protection against attacks (like kerio or outpost does). Examples of attacks are DoS attacks, winNuke attacks, etc. You can find lists in Kerio personal firewall NIPS and Outpost Attack Prevention or w/e plugin.

    Limited Configuration
    - WF is not easy to configure and is not customizable. It means you will have a hard time to stricten your security by WF. Also it is still limited at what security configurations you can set (eg we can't really set rules for related programs).

    Few Update & Improvement
    - Microsoft hardly improves Windows Firewall (as all other third-party software does all the time to incorporate new anti-hacking techniques in their Firewall)
    Windows firewall is almost never updated (except patches when, say, they have been exploited by hackers etc.), which means it can't adapt to hackers using new techniques precautively beforehand.

    Other third party software can be free
    - There are many excellent AND free Firewalls available (eg ZoneAlarm Free, Outpost Free). They are much better than WF.

    Other third party software can have light resource usage
    - it is true that WF is light. However there are light third-party firewalls which are light too.

    I'm safe even if using WF only
    - You may say "my computer is still safe even if I use only WF. There's no alert that I get intruded."

    According to nowadays technique, it is not difficult for a hacker to bypass this flawed firewall and intrude your system easily AND without getting you notice.

    Since their objective is to sneak into your computer, so if they succeed, it is normal that you will never notice of this intrusion or implantation of any trojans/backdoors etc.

    In the above cases, "nothing seems happen" does not guarantee security. Rather it is just a false sense of security.

    How easy is it? Well, it is difficult to answer since different people have different value judgement. But the fact is it is possible for even beginner hackers too since:
    1) some handy and free advanced hacker tools are available on the Internet. 2) Also they can do it themselves when they are willing to search for freely available hacker articles.
    For more descriptions on how powerful hackers can be, see [#1]


    Careful user with safe browsing may not help either. Extra protection is definitely beneficial
    - You may say I am a careful user which practice safe browsing and will not go to warez websites, don't use P2P/BT, only browse legitimate websites, or I will not install/execute any malware etc.

    However the truth is hackers don't need to ask for your permissions to intrude your computer, nor they can only trouble you in passive ways.
    Indeed there are many ways in which a hacker can attack your computer:
    - simply online. That's it.
    - when you make mistakes [humans will make careless mistakes. Software will not make on its own (eg humans may calculate wrongly, say 2+3=6; but software will never make this kind of mistake)]
    - by the way, even if you don't online, you may get malware when you install infected disks/CD (from your friends etc.)

    How come? See [#2] for details.


    I don't bother to install any third-party firewall
    - You may say "The fact is I haven't get intruded yet. So I don't bother to install any third-party firewall."

    Remember that there can be no obvious/easy sign to notify you when you get intruded. So better safe than sorry & install good security software.

    And how hard is it to install a third-party software? Just a few clicks. You will find it worthwhile when your newcomer firewall tells you that it blocks something which your WF misses.

    It is not really difficult to use as some people claim which makes software Firewall scary to beginners/novices. Simple guides:
    - use learning mode or anything similar if the firewall has this function. It will save you the trouble and self-configure it for you.
    - even if it doesn't have. It doesn't matter. (Read on :p)
    - When an alert occurs, choose "deny once" first.
    - If the program cannot function as what you intends, it implies you need it. Close the program and reopen it. Choose "Accept always" now.
    - Otherwise, choose "deny always".
    [Note: It is very often some people may use "imperfection" as a point to negate the use of this method (eg this method cannot help users to get 100% correct choice).
    True is that it is not perfect.
    False is that they forget Windows Firewall is not perfect either. "Not perfect" is never an excuse to negate/discourage something.
    And when comparing with both options, it is definitely the former method is far better in providing protection and keep learning at a minimum at the same time. If you wish to have maximum security, surely you need to learn (a bit). There's no free lunch in the world :p]

    Even if you are an advanced or careful user, why not save your trouble to install a third-party software to do these jobs automatically and nicely? You don't need to be too alert or worried when you browse, read email and so on (although I'm not going to tell you you can indulge yourself with doing everything).

    It's no hurt to install a third-party firewall. Why do you need to be too hesitant at it? Go try and I can guarantee that you will see its value in the near future.


    Features-related
    - If Windows Firewall unfortunately block your legitimate programs from functioning (eg by blocking their required ports or connections), you need to go into some technical configuration of the firewall, in order to make it work with these programs. For other third-party firewalls, they usually have easier ways to do these kinds of things (eg permission list, learning mode).

    The following points are contributed by HandsOff:
    - The interface for setting the firewall on or off (sp1) requires prior knowledge of where and how to do so and several steps. and...

    - You do not have a tray icon to indicate firewall is activated or not, and...

    - The firewall is a service that depends on other services that have to be enabled in order for it to run. This means that you have to run additional services that (in my case) I did not need for anything else.

    - Since the default firewall (sp1) setting is off, I would not be the least bit surprised if some updates return it to the default off, and as I said there is no tray icon you may not be aware of its deactivation.

    - I think it is perfectly legitimate to point out it is made by Microsoft, since Microsoft has demonstrated, time and again, a willingness to subordinate the clients security to their own interests.



    Hard Fact:
    If using XP2 Firewall, none of leak attacks can be blocked.
    If using others, it can block up to about 50% leak attacks depending on what firewalls you choose.
    If using Firewall + Intrusion Prevention System, it can block up to 90-100% leak attacks.
    Ref: http://www.firewallleaktester.com/tests.htm


    New MyDoom knocks through Windows weak firewall
    http://www.pcpro.co.uk/news/63211/n...-firewall.html?searchString=firewall firewall

    Critical hole found in Windows XP SP2 firewall
    http://www.pcpro.co.uk/news/67270/c...-firewall.html?searchString=firewall firewall

    Windows Firewall Has A Backdoor
    http://habaneronetworks.com/viewArticle.php?ID=144

    Conclusion
    Windows Firewall, as a software firewall, is a misnomer.
    Using it is no difference from shutting the door without locking it.

    Since third-party firewalls are better, can be no-cost, light, and boost your computer security to much higher level, why you still insist in NOT installing third-party Firewalls?
    It's no hurt to install one. I highly recommend you trying it out. You will be satisfied.

    {Work in Progress}

    ----------------------
    #1:
    Here's some "achievements" hackers have made:
    - do you realise security companies cannot protect themselves either? No matter how they protect their software, hackers can steal them very easily. When a new version is released, it is not uncommon that hackers can crack their protection within a short period (eg 24 hours). It is really hard to imagine how all these crazy things can happen all the time.

    - do you realise there is the news that hackers manage to steal 40 million credit card numbers? It is already too late when they discover that.

    - in case if you don't know what hackers can do, http://www.pcworld.com/resource/bro...x,1,pg,1,00.asp is a good start. There are more advanced articles about hackers elsewhere. You may google them yourself.


    #2:
    Let's tell you briefly why hackers can hack you simply if you are online:
    - if you are online, they can manage to find you easily with lots of free hacker tools available in the Internet.
    - Windows vulnerabilities can be exploited to intrude your system. There are no need to do anything except online to be intruded.
    - malicious codes embedded in email, webpages etc. What you need to do is to reading email or browsing websites as usual. Note that malicious codes can even affect the display of a legitimate website and you may get trapped and infected/intruded.
    - beginner hackers can still manage to hack your computer since 1) there are free handy hacker tools available for beginners 2) there are also articles available on the Internet for them to hack you
    So the best way to help you to minimize the threats exploited on the Internet. You should install security software AND they have to be good in order to stop most attacks, and save you from trouble.
     
    Last edited: Sep 4, 2005
  3. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Wai Wai -

    Nice post, with a refreshing determination not to get too much in depth, nor lose sight of the objective. I would cry foul for answering your own post, and not adhering to your own guidelines, if you had not written the clause dealing with not being afraid to post, and don't be constrained by the guidelines. I have a feeling you may be more familiar with the details of how windows works than I am, however I will attempt to add a couple other reasons.

    By the way, your article should provide enough reason to motivate any doubters that they should have a firewall. Mine just reflect areas that have caused problems for me at times:

    - The interface for setting the firewall on or off (sp1) requires prior knowledge of where and how to do so and several steps. and...

    - You do not have a tray icon to indicate firewall is activated or not, and...

    - The firewall is a service that depends on other services that have to be enabled in order for it to run. This means that you have to run additional services that (in my case) I did not need for anything else.

    - Since the default firewall (sp1) setting is off, I would not be the least bit surprised if some updates return it to the default off, and as I said there is no tray icon you may not be aware of its deactivation.

    - I think it is perfectly legitimate to point out it is made by Microsoft, since Microsoft has demonstrated, time and again, a willingness to subordinate the clients security to their own interests.


    Question: Is the built in firewall listed as firewall in the taskmanager, or does it just have some generic name that makes monitoring your processes that much more difficult? I will prolly know the answer soon since I happen to be experimenting with ICF and related services for an unrelated reason.

    Question 2: I have heard two differing views on whether it is desirable to run the windows firewall, in addition to a commercial firewall. Is this a definite no, no?


    - HandsOff
     
  4. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I personally wouldn't rely on the Windows Firewall either, but you have to admit that for the millions of users that can't handle a real firewall and have never even considered installing a better one, it's better than nothing for sure. At the very least it will keep the majority of worms out.
     
  5. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    What criterion are you using for what a firewall should or should not do? Are you suggesting a good firewall has to have outbound application control? The definition of firewall nowadays will be as varied as the number of users.

    Perhaps you could follow your own guidelines and provide details as to where inbound only protection is lacking compared to other firewalls.

    Intrude how, inbound through the firewall? As for trojans or other malware being implanted how is this the job of the firewall? This will usually result from user interaction (downloading unknown software/opening attachments), is this not the job for your AV?

    If you run with Administrator privileges then the Windows Firewall exceptions can be modified by third party software, which includes malware. This is a sore point with many and can be mitigated by using a limited account for regular use. Using a limited account also helps prevent malware from being able to install in the first place.

    This was patched some time ago.

    I disagree. The Windows Firewall serves its purpose in providing basic protection to systems/users who would not have otherwise installed a third party software firewall or those that may only want inbound protection. For those that want more out of a firewall, there is plenty to choose from.

    Regards,

    CrazyM
     
  6. FatalChaos

    FatalChaos Registered Member

    Joined:
    Aug 6, 2005
    Posts:
    98
    Well, for one I think a major flaw is that it can only protect against inbound protections, which means trojans will bypass it with ease. Secondly, it doesn't provide protection against attacks (like kerio or outpost does). Third, as stated before, it has been exploited before. Also, it can't limit port ranges for programs and is not very customizable, which means it will be less flexible to your needs. Fourth, as shown before hackers are looking for exploits in the Windows firewall, because usually people who use it are not experts at security and tend not to be well protected. However, hackers rarely ever look for or find major exploits in third party firewalls. Finally, the firewall is almost never updated, which means it can't adapt to hackers using new techniques.
     
  7. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Not a flaw, it was never intended to deal with outbound control. If outbound control is something you want, then the Windows Firewall is not the one for you.

    Is there any guarantee that a third party software firewall will see this trojan? If you have allowed this trojan (unknown/untrusted .exe) to run, how much security do you have once your system has been compromised?

    What kind of attacks?

    Again, something it was not designed to do and not the choice for those that want this kind of ability/configuration in their firewall.

    Trojans, viruses, malware will target well known Windows services as well as third party security applications (AV's, firewalls, etc.), but need to make their way on to your system and be run.

    Inbound only configuration/exceptions, permit all outbound, not much to update there.

    You just need to know the limitations of the Windows Firewall. If you want more, you can always use something else.

    Regards,

    CrazyM
     
  8. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    The command line interface.

    Already there are malicious applications in the wild that drop an exe, and then use the command-line interface to give the exe they just dropped nice permissions.

    While the settings can only be modified by an administrator, most home users still run as admin.
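
The risk CrazyM and MikeNash describe above (software running with administrator rights adding its own Windows Firewall exception) can be checked for by comparing the exception list against an approved baseline. This is an added example, not part of the thread; the `reg query`-style sample lines, the baseline set and the user-writable directory markers are constructed assumptions.

```python
"""Audit Windows Firewall (XP SP2-era) program exceptions against a baseline."""
import ntpath
import re

# Constructed sample in the shape `reg query` prints for
# HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
#   StandardProfile\AuthorizedApplications\List
# Each value's data is "<path>:<scope>:<Enabled|Disabled>:<display name>".
SAMPLE = r"""
    %windir%\system32\sessmgr.exe    REG_SZ    %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
    C:\Program Files\Messenger\msmsgs.exe    REG_SZ    C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
    C:\Documents and Settings\alice\Local Settings\Temp\update32.exe    REG_SZ    C:\Documents and Settings\alice\Local Settings\Temp\update32.exe:*:Enabled:Update Service
    C:\Tools\backup\agent.exe    REG_SZ    C:\Tools\backup\agent.exe:LocalSubNet:Enabled:Backup Agent
    C:\Games\old\server.exe    REG_SZ    C:\Games\old\server.exe:*:Disabled:Old Game Server
"""

# Hypothetical baseline: exceptions the administrator knowingly approved.
BASELINE = {
    r"%windir%\system32\sessmgr.exe",
    r"c:\program files\messenger\msmsgs.exe",
}

# The path itself contains ':' (drive letter), so anchor on the state field.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>enabled|disabled):(?P<name>.*)$",
    re.IGNORECASE,
)

# Assumed markers for directories a non-installer process commonly writes to.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\local settings\\", "\\application data\\",
                         "%temp%", "%tmp%")


def normalize(path):
    """Lower-case, de-quote and collapse a Windows path for comparison."""
    return ntpath.normpath(path.strip().strip('"')).lower()


def parse_exceptions(text):
    """Turn reg-query style lines into dicts; malformed data is kept, not dropped."""
    entries = []
    for line in text.splitlines():
        _, sep, data = line.partition("REG_SZ")
        if not sep:
            continue  # header, blank line or a non-string value
        data = data.strip()
        m = ENTRY_RE.match(data)
        if not m:
            # Treat unparseable data as enabled so it is never silently ignored.
            entries.append({"path": data.lower(), "scope": "?", "enabled": True,
                            "name": "", "malformed": True})
            continue
        entries.append({
            "path": normalize(m.group("path")),
            "scope": m.group("scope"),
            "enabled": m.group("state").lower() == "enabled",
            "name": m.group("name"),
            "malformed": False,
        })
    return entries


def audit(entries, baseline):
    """Return enabled exceptions missing from the baseline, with the reasons."""
    approved = {normalize(p) for p in baseline}
    findings = []
    for e in entries:
        if not e["enabled"] or e["path"] in approved:
            continue
        reasons = ["not in approved baseline"]
        if e["malformed"]:
            reasons.append("entry data could not be parsed")
        if any(marker in e["path"] for marker in USER_WRITABLE_MARKERS):
            reasons.append("path is in a user-writable directory")
        if e["scope"] == "*":
            reasons.append("scope * accepts any source address")
        findings.append({"path": e["path"], "name": e["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(parse_exceptions(SAMPLE), BASELINE):
        print(f["path"], "->", "; ".join(f["reasons"]))
```

Running the same comparison from a limited account against a saved baseline turns a silent change to the exception list into something visible, which the firewall itself does not provide.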
     
  9. ghost16825

    ghost16825 Registered Member

    Joined:
    Feb 1, 2005
    Posts:
    84
    I find posts like these mildly amusing to say the least.

    I'd really like to know how to perform these mysterious 'voodoo' acts, voodoo because it really sounds like some kind of magic with the details just abstracted away, because they are, of course, not important it seems.


    Wow, I wouldn't have expected that....from an inbound only firewall!

    Wouldn't it have been much easier to just say "ICF is not a good firewall because it does not have outbound protection" without the added nonsense/fictional padding?
     
  10. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    I will attempt to restate the foregoing points in outline form:

    Wai, Wai: Are there compelling reasons to scrap XP'S Built in firewall, or does the appearance of a growing industry that seems to be distributing a whole lot of firewalls to people that already have them point to the gross inadequacy of Microsoft's firewall?

    ----------
    Intermission
    ----------

    Wai Wai: and the answer is, drum roll please...
    XP's firewall is not a very good value for the price...which is zero.

    HandsOff: Nice of you to point that out, Wai Wai, I wish I had found that out sooner than I did. (A wish that untold thousands have probably made). You may have noticed that there is a very understated control interface for XP's firewall. Continuing unobtrusively, in this distinctly unMicrosoft-like fashion, the firewall does not presumptuously assume that you would even want it to run. Therefore it sits, silently, out of sight, as alone and dejected as a Maytag repair man, as all manner of atrocity is committed against who knows how many unsuspecting victims. As they say, discretion is the better part of valor.

    Notok: You wouldn't catch me using it a second longer than necessary, however, it is better than nothing. (good point!)

    CrazyM: I have heard some hints that Microsoft's firewall sucks. What are you using as a standard to compare it with? Are you merely comparing its capabilities with the capabilities of the other firewall choices that one could make? Are you muddying the waters by pointing out that competing products provide better protection against malware? Those things are beside the point, I say! Microsoft built its firewall so that it does what it does, no more, no less. Since you must admit that it does what it does, you are as much as confirming that it is a Microsoft firewall. When you think of it this way it performs flawlessly. Let's not drag port stealthing, custom blocking, recognition of patterns matching known exploit behavior, intrusion detection, port assignment and monitoring, event logging, ongoing development or any other protection past, present, or future that any other firewall has to offer its users into this. Those things are irrelevant as long as you just force yourself to embrace a particular definition you will see, in the end, that Microsoft's firewall is the true, old-school, no nonsense firewall.

    I will grant you that there was a hole in Microsoft's firewall, but, dammit, they fixed it! Well okay, I know that won't help people who didn't get the patch for whatever reason. I know that such people are probably being screwed even as I write this, but for our purposes ... they don't count.


    FatalChaos: MSF is better than nothing, however, allow me to point out that there are better options out there. Compared with other firewalls they...

    CrazyM: Don't start rattling off what other features are enjoyed by the users of non-Microsoft FW's. It's not being a good sport to point out that these others didn't have to wait for Microsoft security patch number 57 billion in order to be protected. After all, who in their right mind would have even guessed that a Microsoft product would have vulnerabilities. It was just stupid blind luck that these people looked elsewhere to secure their computers. Also bear this in mind: If you create and use an additional user account with limited privileges, you can trade inconvenience and waste time instead of putting yourself at risk. In fact, if you want to go that extra yard, don't use your computer at all! Watch TV instead.

    MikeNash: People are going to continue to use administrator accounts. And even if they didn't they will still be marked for death so long as they look to Microsoft's firewall as a pillar of their security.

    HandsOff: Well, I still don't think you should use Microsoft's firewall in conjunction with your own third party firewall. And, bad as the unimposing sp1 firewall was, at least it had good manners. Something definitely lacking in the sp2 iteration.

    ---

    That was just for fun. I hope I didn't go too far. Crazy-M is THE authority on firewalls, as far as I am concerned. And I mostly admire the champions of hopeless causes. Now his sense of humor is being put to the test. Could this be his Achilles heel? I do know MS firewall should be invoked the second someone finds their first line firewall is down, or before they have a chance to install a firewall, or if they are simply morons who don't want to install another firewall. I think Crazy-M and Notok are right to emphasize that the firewall we love to hate, is also the one firewall that will always be there. And Notok, I do recall your references to doing so in your guidelines for securing XP. And Crazy-M, I have downloaded and studied the ebook on NPF and related firewalls that you co-authored. Probably most of the protection that my firewall provides would not be there if I were running the default settings. And I was using the default settings until I read your posts and your book.

    Is it just my imagination, or are security programs a) Getting easier to install. And b) installing with weaker default settings. If this keeps up we will all end up with firewalls already built in, that are set to do nothing.

    Back to the Future!


    HandsOff
     
  11. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    This point is doubtful. According to firewall tests, even the best firewall misses 50% or more in leaktests. So it has some good indicators (Note that I say good indicators![#1]) that Windows Firewall will not keep most worms out. Anyway, I think I should confront with what I said, so I save the details and not to digress.

    EDIT:
    #1: I know the results of leaktests are not directly related to worms. However from the poor results obtained in leaktests, it may give us some good indicators that similar things can happen to worms where they manage to bypass the firewalls in other ways. That's why I say "good indicators".
     
    Last edited: Sep 4, 2005
  12. abhi_mittal

    abhi_mittal Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    887
    Location:
    Bangalore
    Wow! Extremely informative thread...never knew that WinXP SP2 Firewall is so shoddy!
     
  13. FatalChaos

    FatalChaos Registered Member

    Joined:
    Aug 6, 2005
    Posts:
    98
    1) I'm just pointing out the WF flaws, and this is one of them. Sure it was never designed to do this, but that's like saying XP was never designed to be secure. Still a bad thing :).

    2) no guarantee that the firewall will 100% prevent the trojan from doing harm, but it's got a lot better chance of preventing the trojan than windows firewall.

    3) DoS attacks, winNuke attacks, etc. You can find lists in Kerio personal firewall NIPS and Outpost Attack Prevention or w/e plugin.

    4) True, but this is still a reason why you shouldn't use WF.

    5) And if they do make their way onto your system, you had better be prepared. Plus exploits found in third party AV's and FireWalls tend to be less widespread

    6) I realize that windows firewall was never designed to do all these things and most of these problems are not glitches but rather design limitations, but I feel these design limitations are all reasons that WF is not very good.
     
  14. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Leaktests test the ability to block trojans connecting out once they're already in.. you do know what a worm is and how they work, right? If the netstat ports are blocked from any incoming traffic, then you are safe against most network worms.

    Wai Wai, you would be seriously well advised to take a step back here and reassess things here.. you can't seriously think that you know more than an accredited expert on the subject?

    Your argument could just as well be applied to an external hardware firewall.. which is no less a firewall than your software one (some would argue that it is moreso than a software fw). I guess the question is; where are you really trying to go with this?
     
  15. dog

    dog Guest

    Wai Wai your last post was removed ... the thread starter does not have ownership of the thread, whatever is posted has a public ownership - And any decision in regards to content moderation is Wilders' ... We have moderators in place to maintain our standards, and It will be done by us.

    Any post with the content of the one removed will also be removed.

    Regards;

    Steve
     
  16. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    The thing you have to remember is that the Windows Firewall is designed for the people that don't know anything about firewalls, and many times don't even know how to install or configure a third party one. For those people, the Windows Firewall is probably the best solution, with the exception of maybe an SPI router that someone can set up for them. Of course that person really should set up a limited user account for those folks, but that doesn't happen much either. Most of the people on this forum know enough to use a third party firewall, if not then they generally know what they're doing.. but for the tons of users that don't run anything at all, the Windows Firewall is a very good start. I don't think many will argue that the Windows Firewall leaves a lot to be desired in comparison to many other third party ones, but for the non-technical user it may, in fact, be the best choice. If Windows Vista ships with a bi-directional firewall then I expect that we can see a big shift in third party firewall design, as what we know to be firewalls now will probably become just as vulnerable, and so on it goes.. there will probably be a repeat of this thread topic with entirely different content.
     
  17. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Hi Dog-

    I hope I did not offend anyone with my posts. I don't even say I don't agree with what anyone has said. I only try to express how it seems to me, and I am fully aware that disagreeing often reveals my ignorance. I can live with that. If I don't say what I don't agree with, then I am not better off than before I read a response. On the other hand, if I appear not to weigh expert advice carefully, then I wouldn't expect anyone to bother responding.

    I know a little about firewalls. Enough to know that Crazy-M, Notok, and Ghost should all be regarded as experts.

    I hope I did not fan the flames.

    Where I am going with this is:

    - xp's firewall lacks many features found in other firewalls
    - The features are of little value if you do not understand what they do and how to customize it for your needs.
    - The best way to find out is to ask a specific question right in this forum. I can tell you for a fact the makers of my product will not answer your question unless you pay them extra to do so!
    - it's fun to criticize what we think are inferior products to what we use, but I try to come prepared to learn.

    Dog mentioned something in the antivirus forum how quickly things can evolve into a battle. And I was surprised to realize I was starting to simmer. Don't let this happen to you.

    And my hat is off to Crazy-M and Notok because they have given freely of their knowledge. Not just in the forum but providing additional content that I will use as a resource long after this thread has been forgotten. Anybody can figure a firewall out if it is important to them. Not just anyone could raise the awareness of countless people. I truly respect them for what they have done. Everyone says, thank you, or thanks in advance. I don't know how to say it differently. Crazy-M, thank you. Notok, thank you.

    - HandsOff
     
    Last edited: Sep 7, 2005
  18. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California

    Okay, Okay...It doesn't take a truckload of bricks dumped on my head to get me to thinking. I of course will follow your advice. At some point it may happen that I present this as my idea!

    - HandsOff
     
  19. mem1

    mem1 Guest

  20. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    There's one generic point to make, it is clearly germane to the present firewall discussion, but it is pertinent to a discussion of any security application: a high degree of configurability and power is a sharp double-edged sword. I can't recall the number of times I witnessed threads in which new and naive users to firewalls have effectively shut down connectivity in one, multiple, or all applications simply because they did not appreciate the detailed operation and nuances of the tools they were using. If you are trying to design for the mass market, as MS is, there is a downside to some types of functionality.

    Within the scope of its design and purpose, the native XP firewall is fine. My own recommendation would be to dispense with the XP firewall and rely on the functionality of a hardware router. I'd also recommend that course to any other user prior to their installation of any complete software firewall. In fact, I view software firewalls as a completely optional component in any security set-up if a decent hardware router is employed. Offhand, I can think of only one circumstance in which I'd qualify this recommendation.

    Blue
     
  21. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Now it seems people are talking about the point that "Windows Firewall is designed not to have Feature XX, eg outbound protection, security configuration" should or should not be a defense against the claim that "Windows Firewall is bad since it has no outbound protection". Apparently it seems to be a valid discussion, but it is indeed a value judgement in my opinion.

    The fact is here - Windows Firewall provides NO SINGLE outbound protection or any other features mentioned above, in which it is fundamental to network security precautions (it may not be true for real security experts. Anyway some of them may even think anti-virus is not necessary).

    It is up to you to make your own value judgement that if these points are justified as "classifying Windows Firewall as bad/ineffective" in any perspective.

    So it would be great if you make another thread to discuss this particular point, should you wish to.
     
  22. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    That's a very good summary, IMO.. and the second point is worth repeating. :) (thanks for the kind words, too.. very much appreciated, although I don't know about the expert part :) )

    Hehe, I just don't understand why those that build/repair computers don't do this for the 'ma & pa' types that only want to surf the internet and read their email.. no reason those types can't do so under a limited user account. I did this on the 'in-law's' machine a while ago, and they really haven't had any problems with the (otherwise) most basic setup.

    Awesome link, thanks!
     
  23. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Wai_Wai,

    Since there are alternate ways to operationally deal with this, it's a bit of a leap to state that it is a fundamental aspect of network security. In fact, this strikes at the implicit premise of your thread - that you can render an assessment of the appropriateness of any single component of a security set-up in isolation. Simply put, you can't, it's a flawed premise from the start.

    Since there are multiple components working in unison in any coherently considered security set-up, you really do have to examine the entire assembly to render a judgement on functional fitness.

    Blue
     
  24. ghost16825

    ghost16825 Registered Member

    Joined:
    Feb 1, 2005
    Posts:
    84
    No, this is completely wrong. Worms need a) inbound access to infect machines and b) outbound access to infect others. Leaktests test outbound access only. Leaktest results are not an indicator of inbound worm protection. The main reason for Microsoft's increasing emphasis on ICF is that it is very good at mitigating worm outbreaks on the network. I really haven't seen any detailed inbound tests against ICF using a packet mangler to indicate otherwise.
     
  25. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632