
Windows XP Firewall


Frenchman96
07-11-2006, 03:47 AM
Gudda96: I moved these posts from the end of Black Mirror's 'hammer' topic to give your question better visibility. Terry


Jcampi

Am I not right in believing that Windows firewall only works one way and that is incoming?

If so, is that wise?

kelly
07-11-2006, 08:28 AM
That's true. Is it wise? Probably not, but better than no firewall at all. I understand Vista has a 2-way firewall.
-td

mylanta
07-11-2006, 07:47 PM
Jcampi

Am I not right in believing that Windows firewall only works one way and that is incoming?

If so, is that wise?

Not completely, the Windows Firewall after SP2 has some limited outbound abilities but if you have the right protection inside i.e. Nod32, Spywareblaster and Spybot, then what is going to get in to dial out anyway..."much ado about nothing".
Vista appears to be 2 way...

Pi rules
07-12-2006, 09:59 AM
Vista is 2 way and it looks like the firewall in Windows Live OneCare, but with even less options. The XP firewall (with SP2) may have just a little outbound protection, but I still recommend something like ZoneAlarm over it, especially if you don't have a hardware firewall. XP's firewall isn't powerful enough to block certain inbound attacks, IMO.

mylanta
07-12-2006, 10:49 AM
I'd rather have Blaster Virus than Zone Alarm...at least I would know where I stand, and how to rid myself of it!

dbarrow
07-12-2006, 11:12 AM
Windows firewall was a half-hearted attempt to plug some of the Swiss cheese in XP security for their benefit ... considering the number of people who don't use any firewall, and cut down on the amount of patching to fix the leaks.

Unfortunately for MS, they have to tread very lightly around 'Third party' software already on the market. Every time they hire out something like this, they get hit with huge patent infringement suits. Look at the mess they got into with Veritas and much of the backup software that came from them. They hired out to them to create it and then, a few years later, end up in huge patent disputes with them.

XP firewall has some advanced features but the design can be a little too much for many 'average users' to take advantage of. MS has to face the "dumb down" issue with everything often ending up in default levels that are inadequate.

One key issue, and huge screen door, is port management as so many legitimate Windows functions open or listen on many different ports. This is all 'background' function not visible to the 'average' user. When connected to the web, at any given time, XP can have numerous open ports or listening ports ACTIVELY connected to the web. These are only visible if you run a port scanner program and actually see what is open.

Seldom mentioned, the trend in hacking and back door entry has been geared to 'ports' for some time now.
Using any good firewall (without a NAT router) will routinely show hundreds of port pings daily probing for an open connection access point.
Most viruses, trojans, keyloggers, and other 'back door' malicious apps are geared to 'piggyback' on a legitimate Windows process that opens or listens to a specific port.
When a port ping comes in through an open or listening port, the malware calls a legitimate Windows dll to establish a connection.
You don't see these as they may mask running under SVChost, of which you will find several instances always running, and are passed through the firewall as legitimate Windows traffic as an "Allowed Process".

As we have previously stressed, a NAT router is an important first line of defense. Unless specific port forwarding is established in the NAT router, these incoming pings are dumped as the router has no idea where to send them.
The second line of defense is a good two way firewall which is very specific about what programs it allows to connect to what. OUTBOUND traffic must be monitored for any rogue app attempting to open a port.
Third line of defense is routinely using a port scanner to see what ports are open or listening and what they belong to.
Lastly, using a program like Process Explorer to see what is running under each instance of SVChost and knowing what legitimate software should be there.

As always, running a good AV and malware scanning is an absolute must these days.
Just keep in mind, malicious apps get smarter every day in the never ending wars. They can get through even the best AVs and malware scanners and hide deep in the system.
These apps have been increasingly stealthier as their purpose is to hide quietly, undiscovered, until an external port ping activates them. Unlike "script kiddie" viruses meant to announce themselves and do harm, these new malwares want to quietly steal your information and never let you know they are there!

So long as you have an internet connection, whether YOU are using it or not, inbound and outbound traffic monitoring is essential to ensure that nothing is talking behind your back without authorization.

With every piece of software these days calling home and self-updating, your computer is routinely and constantly talking to somebody, somewhere as long as you have an active gateway to the web.
Safe Computing means knowing who, when, where, and what at all times!

This all tends to be way over the heads of 'average users' who are often connected 24/7 with cable or broadband connections. It is the primary reason "bot nets" are so abundant and so many computers are easily hijacked and placed under remote control. The "average user" has no idea someone else is using his machine for nefarious purposes and just complains about how slow it is running lately. With current high end machines, he may not even notice that!

Why MS didn't make the network icon in the systray a default I can't fathom. One of the earliest clues to something going on is LIGHTS flashing away in the network icon, router, and modem when nothing should be talking. Having these easily visible, and some place you will notice them, is important.
I don't know how many times I have found a legitimate app that failed to close out properly and remained connected to some external server. I have once voice com for gaming that does it routinely. The only indication of this is network activity lights that shouldn't be active.
Noticing this, a quick inspection will reveal the app closed but left a process running or a port connected.
Your 'average user' would never detect such activity.

mylanta
07-12-2006, 12:01 PM
Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.

OK from my Unit 1 Shields Up Gibson Analysis with a USR Router and Windows Firewall on XP only.
Now what is it I should be so heavily concerned about as to install that junky obtrusive BS on my system? I don't have anything dialing out when I am on any of those firewalls and I have tested each for days, except for my failed attempts to use VPN that that BS will not allow.
That is completely useless destructive software for paranoid users!

dbarrow
07-12-2006, 01:09 PM
Rich, of course you pass the Gibson test. The router makes your machine invisible to most of them!
In order to run most of the external port scanning tools, it is necessary to take the router out of the loop or forward the ports to be tested. They are otherwise not visible to the external scanner.
THAT is the benefit of a NAT router.

For INTERNAL port scans, there are many freeware port scanner programs you can dl that will tell you what ports are open or listening and the process they belong to.

You don't THINK you have anything calling out...
Do you actually see the Nod32 kernel calling home for updates on a regular basis.... not!
Do you notice the Adobe or Flash updates connecting every time you boot (unless you turned that off)? And, who knows what else that calls home whenever you use it?
Those processes are invisible to the user!

Truth is, unless you have something monitoring that traffic, you don't really know and will never see or notice it.
Even if you did selectively allow programs with ZA program control, do you know how many apps use Generic Host Process for Win32 Service or Application Layer Gateway Service, all of which are granted access by allowing these standard Windows functions ... which do open and listen on ports.

That is where a port scanning program and Process Explorer will show you what is listening on what and who it belongs to.

Just because YOU can't figure out Zone Alarm isn't justification to constantly slam all firewall programs.
If you want a lesser amount of protection, that's up to you.
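
One way to do the internal check dbarrow describes here and in his earlier post (see what is listening, and which process and service owns it, before reaching for Process Explorer), as an added example that is not code from the thread or from any product named in it. It assumes the text output of `netstat -ano` and `tasklist /svc`, both built into Windows XP Professional SP2; the two sample outputs inside the block are constructed, and PID 3980 is deliberately left out of the tasklist sample to show an owner that cannot be accounted for.

```python
# Added example, not code from the thread: join `netstat -ano` with `tasklist /svc`
# to see what is listening and which process or service owns it, then flag what a
# defender should be able to explain. Both outputs below are constructed samples.
import re
from collections import namedtuple

NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       980
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1152
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1152
  TCP    0.0.0.0:8888           0.0.0.0:0              LISTENING       3316
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       3980
  TCP    192.168.1.10:1040      10.0.0.5:80            ESTABLISHED     2244
  UDP    0.0.0.0:500            *:*                                    1152
"""
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    980 RpcSs
svchost.exe                   1152 Dnscache, LanmanServer, TermService, PolicyAgent
svchost.exe                   3316 N/A
firefox.exe                   2244 N/A
"""

# host is the bound address (0.0.0.0 = every interface); image is "?" when the PID
# was not in tasklist; services is a tuple, non-empty only for service-host processes.
Listener = namedtuple("Listener", "proto host port pid image services")

def parse_tasklist(text):
    """PID -> (image, services) from `tasklist /svc`; 'N/A' becomes an empty tuple."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.*?)\s*$", line)
        if m:
            svcs = () if m.group(3) == "N/A" else tuple(s.strip() for s in m.group(3).split(","))
            procs[int(m.group(2))] = (m.group(1), svcs)
    return procs

def parse_netstat(text):
    """(proto, local, state, pid) rows from `netstat -ano`; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        p = line.split()
        if len(p) == 5 and p[0] == "TCP":
            rows.append((p[0], p[1], p[3], int(p[4])))
        elif len(p) == 4 and p[0] == "UDP":   # a bound UDP socket is, in effect, listening
            rows.append((p[0], p[1], "LISTENING", int(p[3])))
    return rows

def inventory(netstat_text, tasklist_text):
    """Every listening socket joined with the process and services that own it."""
    procs = parse_tasklist(tasklist_text)
    out = []
    for proto, local, state, pid in parse_netstat(netstat_text):
        if state == "LISTENING":
            host, _, port = local.rpartition(":")
            image, services = procs.get(pid, ("?", ()))
            out.append(Listener(proto, host, int(port), pid, image, services))
    return out

def exposed(listeners):
    """Bound on every interface: reachable from the LAN, or from the Internet without NAT."""
    return [l for l in listeners if l.host in ("0.0.0.0", "[::]")]

def unexplained(listeners):
    """Owner cannot be accounted for: the PID is missing from tasklist, or an
    svchost.exe hosts no registered service (a legitimate one normally hosts at least one)."""
    return [l for l in listeners
            if l.image == "?" or (l.image.lower() == "svchost.exe" and not l.services)]
```

On a real machine, paste the two commands' output in place of the samples; whatever `unexplained` returns is what Process Explorer should then be pointed at.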

mylanta
07-12-2006, 01:24 PM
Rich, of course you pass the Gibson test. The router makes your machine invisible to most of them!
In order to run most of the external port scanning tools, it is necessary to take the router out of the loop or forward the ports to be tested. They are otherwise not visible to the external scanner.
THAT is the benefit of a NAT router.


But that's why I never run without the router.


For INTERNAL port scans, there are many freeware port scanner programs you can dl that will tell you what ports are open or listening and the process they belong to.


Tell me one! I don't believe in any of this so I don't know who they are.


You don't THINK you have anything calling out...
Do you actually see the Nod32 kernel calling home for updates on a regular basis.... not!
Do you notice the Adobe or Flash updates connecting every time you boot (unless you turned that off)? And, who knows what else that calls home whenever you use it?
Those processes are invisible to the user!


Good, let them do their thing and I will do mine. That is one of the reasons I bought a computer and not a secretary.


Truth is, unless you have something monitoring that traffic, you don't really know and will never see or notice it.


Outstanding, because there is nothing in here now, and XP firewall won't let anything else in either.


Even if you did selectively allow programs with ZA program control, do you know how many apps use Generic Host Process for Win32 Service or Application Layer Gateway Service, all of which are granted access by allowing these standard Windows functions ... which do open and listen on ports.


That's a Windows process...fine with me and I don't want to know every time it does something either...I haven't time.


Just because YOU can't figure out Zone Alarm isn't justification to constantly slam all firewall programs.
If you want a lesser amount of protection, that's up to you.


Doug, I am not just slamming them all. I ran all of them and I doubt there is a single program available I did not test. I used Sygate and it was a super program, and not a freebie: I bought the Pro version and it never did any of the things any of the others do. I need a PC to run a few businesses and keep me up on various things going on on the internet, and am not going to allow myself to be tortured by crappy software which serves no purpose for me and creates problem after problem. If you practice safe computing, have 2 image file programs run weekly, and 2 programs backing up all data and files, what on earth do I need with some damn annoying piece of crap telling me what I already know is running and doing in my system?

kelly
07-12-2006, 05:01 PM
Rich - please remind us, what is it about Sygate that you like, and ZA that you don't like? I'm curious because I only have first hand experience with ZA and WinXP firewalls and haven't run into any problems.

dbarrow
07-12-2006, 05:38 PM
ZA:
networking and some tasks like remote desktop, etc. can be a real PITA. One little mistake can drive you insane if you fail to enter a proper IP or IP range into the trusted zone.

I understand the frustration as I too have spent a day or so tracking down a network malady when I changed an IP and forgot to add it into ZA on both machines. Makes you want to scream until it suddenly dawns on you....
For remote desktop connections, add the IP of the machine you are connecting to or expect problems there... which would be the same as a VPN....

No, ZA isn't perfect despite the much improved ability of a FRESH install to detect and setup the network, something it didn't used to do.
Once you understand the nature of the beast....

PeteF
07-12-2006, 06:24 PM
ZA:
networking and some tasks like remote desktop, etc. can be a real PITA. One little mistake can drive you insane if you fail to enter a proper IP or IP range into the trusted zone.


Hey Dan, let me share an awful experience with ZA.
Some time ago, I was messing around with my WinME setup and shutting off ZA by disabling it in MSCONFIG startup. Suddenly, I found my local network not working. All my other computers in my network were working fine. Suspecting ZA as the cause, I uninstalled it. All the symptoms seemed to indicate I had a bad network adapter, so I tried a new one and the problem still persisted. I still could not ping any of the other computers on my network. I must have wasted a whole day troubleshooting this weird problem.

Finally, I reinstalled ZA and disabled it normally via program control (not via MSCONFIG) and everything went back to normal.

The lesson I learned is not to try to defeat any program that hooks itself deep into the OS by messing with MSCONFIG. It's best to uninstall the application or use the controls within the application to disable it.

I still use ZA to this day and it works great.
Other than my story above, I've seen ZA go bad on a client PC where it could not even be uninstalled without performing a manual procedure prescribed by ZA tech support. But in all fairness, that was a Win98SE PC that was severely malware infested. One other time I saw a more recent version mess up when I denied internet access to an application and then tried to remove that app from the ZA program list so it would start over asking for permission. Well, ZA kept right on denying access and I had to uninstall ZA and reinstall it to fix the problem. That was on a WinXP PC.

Sure, I've had a few problems with ZA, but overall, my experience has been very good. I've installed it to many PCs without any problems over the years. The biggest problem I've seen with ZA or any 2-way firewall is operator error, where the user denies internet access to a beneficial program such as their anti-virus program, which then renders the updates disabled. I think ZA is more a tool for the intermediate level user and above because the novice user can't handle it properly.

---pete---

mylanta
07-12-2006, 06:31 PM
Tony,
I cannot access my VPN with ZA installed.

jcampi
07-12-2006, 07:25 PM
This crap about firewalls is so overstated. If you have a decent antivirus and spyware software the XP firewall is fine. I'm sooooo happy I removed those stupid drags on my system. ZoneAlarm, Sygate, etc. I believe the software companies have everyone fooled on needing this crap. If you keep your PC clean what is going to try and contact the web anyway??? I've been operating with only the XP firewall now for months and have not had a single issue. I always update the antivirus and run spyware software every week. I don't think users should be so afraid of using the XP Firewall if they just use some common sense.

mylanta
07-12-2006, 07:57 PM
This crap about firewalls is so overstated. If you have a decent antivirus and spyware software the XP firewall is fine. I'm sooooo happy I removed those stupid drags on my system. ZoneAlarm, Sygate, etc. I believe the software companies have everyone fooled on needing this crap. If you keep your PC clean what is going to try and contact the web anyway??? I've been operating with only the XP firewall now for months and have not had a single issue. I always update the antivirus and run spyware software every week. I don't think users should be so afraid of using the XP Firewall if they just use some common sense.

Well great, John, finally another sane one appears from the "Firewall Wars"...I keep hoping Dan will appear here soon as well. I agree 100% John that this firewall paranoia is just a gold pot at the end of the rainbow for those makers of imperfect software, who can virtually throw any old piece of crappy software out there, and then scare people into thinking it will save them from "the dark side of the force" on the internet.
Enough already until I was scared into using Sygate I never used any and never had any problems either.

jcampi
07-12-2006, 09:16 PM
Rich, once in a while we will agree. This must mean we are bound to disagree on the next 100 topics. I had AMD long ago. You hated them. Now I am a total Intel convert and you are an AMD fan. In the end, this stuff is a personal preference. Whatever works for you is the key in the end.

dbarrow
07-13-2006, 03:13 PM
Sure... you have not had any problems without a firewall..
After all, we are experienced users here all running a multitude of defenses, scans, AV, etc. and almost everyone is behind a router.

Remember that the need for a firewall evolved well before current threat technology was even thought of.
The majority of people were on dialup connections and the majority of threats came in email or corrupted code in programs and floppy disks.

Then came cable and DSL with 24/7 active connections.
Malware attacks moved to the web and web applications.
Port attacks became the method of choice.
Many people still connected to the web with direct connections. Without any firewall, you were wide open to attack.

Today, a majority of people have shifted to some type of network and use a router as wireless and laptops have gained serious ground. Even the "common idiot" these days has a network and router (usually wide open without ever configuring the security settings).

A NAT router is the first line of defense and rejects the most common form of attack ... port pings.
With even the cheapest router, you cut your risks 90%.

People who practice some form of "Safe Computing" and sit behind a router are 90% secure. They have a good AV and other malware blocking and regularly scan their systems. Their chances of being attacked are limited, with or without a firewall.

But, even MS recognized where the trends in malware were going and how bad the holes were in the OS where no amount of patching could close them. MS gave us a simple firewall defaulted to ON. Even that wasn't enough and Vista will have a much more robust firewall.

The never ending and ever escalating war with malware writers has turned financial. It's big money and big business, like it or not. Big money in malware means they can hire top level malware writers which has become a high level career path for many on the other side of the world.

On our side, security software companies have no choice but to compete and grow their products into ever more complex security "suites" and they have to sell them to stay in business. Just look at the evolution of almost every company dealing in security products in the last year. All have expanded and grown their products.
Do you really think they will let MS corner the market on security products? Their pressure on MS is considerable and MS is already in trouble with anti-trust and patent infringement litigation all over the place. Do you really expect MS to respond rapidly to the ever evolving trends in malware?

The consumer is stuck in the middle of a battle field.
Can you get away without a firewall? Do you really need one? How long before "No problems" turns into "major nightmare" if you do get hit and how bad will the damage be? Paranoia or prudence?
It is all personal preference and personal risk.

Choose as you will. I prefer to err on the side of full protection. Don't come to my castle when yours is invaded and burned to the ground! And, don't think that there isn't some scammer in Russia, India, China, or Malaysia just waiting for your IP to come up on his "hit list".

mylanta
07-13-2006, 03:20 PM
Doug, one more little thing......"Then came cable and DSL with 24/7 active connections" doesn't apply to me. Remember me, I shut off my PC when I am not there.

dbarrow
07-13-2006, 05:18 PM
"I shut off my pc when I am not there."
Again, risk factor minimal......

But... how many "average" users even know they have a STANDBY button on their cable modem that stops internet access should they want to lock the door?
How many of them know about the INTERNET LOCK in many firewalls that again locks the door when not in use?

It is these "average" users who pick up a quick install cable kit at the store and get connected, 24/7, no firewall, no router ... or a wide open wireless router with no security settings. How many of them create wide open shares with EVERYONE having full permissions?

I doubt even one tenth of one percent of them have any concept or understand even the most basic security principles and functions BUILT-IN to XP, which can be an extremely secure system IF you set it up accordingly.
What the hey... I've run across "IT people" who still have no basic understanding of the most rudimentary levels of XP security. And to make matters worse, MS has to "dumb down" and default off the majority of these features to accommodate the "stupid" user.

Why are botnets and hijacked machines all over the place by the millions.......
Why do WE have to protect ourselves because of their stupidity and lack of education....
Situation ain't going to change any time soon as far as I can see.

mylanta
07-13-2006, 08:26 PM
"I shut off my pc when I am not there."
Again, risk factor minimal......

But... how many "average" users even know they have a STANDBY button on their cable modem that stops internet access should they want to lock the door?
How many of them know about the INTERNET LOCK in many firewalls that again locks the door when not in use?

It is these "average" users who pick up a quick install cable kit at the store and get connected, 24/7, no firewall, no router ... or a wide open wireless router with no security settings. How many of them create wide open shares with EVERYONE having full permissions?

I doubt even one tenth of one percent of them have any concept or understand even the most basic security principles and functions BUILT-IN to XP, which can be an extremely secure system IF you set it up accordingly.
What the hey... I've run across "IT people" who still have no basic understanding of the most rudimentary levels of XP security. And to make matters worse, MS has to "dumb down" and default off the majority of these features to accommodate the "stupid" user.

Why are botnets and hijacked machines all over the place by the millions.......
Why do WE have to protect ourselves because of their stupidity and lack of education....
Situation ain't going to change any time soon as far as I can see.


You are right in all these points when we consider the average user, but remember, in this one instance we are talking about me.