Re: Firewall of SP2 is good?

From: Vanguardx (see_signature)
Date: 10/02/04


Date: Sat, 2 Oct 2004 14:23:16 -0500


"Duane Arnold" <notme@notme.com>
wrote in news:Xns957686107BBD6notmenotmecom@204.127.199.17:
>
> I fully understand the XP SP 2 FW.
>
> http://support.microsoft.com/default.aspx?kbid=875357#5
>
> I do understand that the XP FW has App Control like the rest of the
> PFW solutions and some people do consider App Control a limited means
> of stopping outbound. If the program is being *blocked* or stopped
> from executing, then it cannot send any outbound traffic. Is this the
> same as me creating a rule on the WatchGuard to stop outbound by
> port, protocol, or IP? No, it is not the same on the XP SP 2 FW, but
> nevertheless, if the program cannot execute, then it cannot send
> outbound traffic.
>
> Duane :)

The "App Control" in Windows Firewall is to permit unsolicited inbound
connections to an application. The firewall does NOT stop any
application from *executing* on that host. Whether I define a rule or
not in Windows Firewall has nothing to do with, say, Gator getting
loaded into memory and running and *attempting* to make unauthorized
outbound connections. The firewall doesn't kill an application that
doesn't get outbound permission. All it does is block that
communication. But Windows Firewall doesn't do outbound permissions.
Its exceptions only apply to inbound connections but it also applies
ONLY to inbound connections that were unsolicited, so any application
that runs on your host is not going to get killed by the firewall, will
make an outbound connection, which then solicits for return traffic so
then that inbound traffic is no longer unsolicited.

With ICF (Internet Connection Firewall) or the later Windows Firewall, I
can run SamSpade, Lynx, IE, Mozilla, FileZilla, any e-mail client, and
so on and NEVER get prompted by those firewalls if I want to permit
those processes to have an Internet connection. Same for spyware,
trojans, or anything else running on your computer that wants to connect
outside. They all are permitted, and any inbound traffic they initiate
will also be allowed.

As a test, I disabled my 3rd party firewall and enabled the Windows
Firewall. I started FileZilla (an FTP client) and connected to
ftp.symantec.com. Did I get blocked? No. A prompt appeared asking me
if I wanted to Keep Blocking, Unblock, or Ignore (don't remember the 3rd
option). I selected Keep Blocking. So then I clicked on a subnode in
the directory tree and it opened, and I continued on down the tree until
I found a file and I successfully downloaded it. So just where did
Windows Firewall actually block my outbound connection and the
subsequent *solicited* inbound traffic? Never!

So I still stand by my view that Windows Firewall only blocks UNSOLICITED
inbound connections to your running processes, just like Microsoft said
in the KB article that I mentioned which said, "Windows Firewall lets
you add exceptions for programs and services so that they can receive
inbound traffic." If I run an FTP server and don't define an exception
(to punch a hole in the firewall) then outsiders cannot connect to it.
If I run an FTP *client* then the Windows Firewall will do nothing to
stop any outbound traffic from it and any resultant inbound traffic
initiated by that outbound traffic. Same for spyware and other malware.

ICF and the Windows Firewall are better than nothing. They're similar to
the "firewall" function of a NAT router. But they don't compare to even
the freebie firewalls you can get. The "App Control" in Windows
Firewall is NOT the same as application control in 3rd party firewalls.
In the 3rd party firewalls, you have to authorize an application to EVER
have an outbound connection. With the Windows Firewall, ALL
applications are allowed outbound connections. Also, some programs that
generate outbound traffic never will generate inbound traffic (although
it would then be solicited traffic), like zombies phoning home to some
private chat room to let their master know their IP address and
listening port.

-- 
_________________________________________________________________
********  Post replies to newsgroup - Share with others  ********
Email: lh_811newsATyahooDOTcom and append "=NEWS=" to Subject.
_________________________________________________________________
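
The behaviour described in the post above, as an added example that is not part of the original post: a toy Python model of a filter that only polices unsolicited inbound traffic, next to one that also requires per-application outbound approval. The class names, program names and addresses are constructed for illustration and do not come from Windows Firewall or any product.

```python
from dataclasses import dataclass, field

@dataclass
class InboundOnlyFirewall:
    """Toy model: polices only unsolicited inbound traffic (hypothetical class)."""
    exceptions: set = field(default_factory=set)  # local ports opened for servers
    state: set = field(default_factory=set)       # flows opened from the inside

    def outbound(self, app, lport, raddr, rport):
        # No per-application outbound rule exists: every program may connect out,
        # and doing so records a flow that later admits the reply traffic.
        self.state.add((lport, raddr, rport))
        return "allow"

    def inbound(self, raddr, rport, lport):
        if (lport, raddr, rport) in self.state:
            return "allow"   # solicited: reply to a flow opened locally
        if lport in self.exceptions:
            return "allow"   # unsolicited, but an exception opens the port
        return "drop"        # unsolicited and no exception

@dataclass
class AppControlFirewall(InboundOnlyFirewall):
    """Same inbound logic plus a per-application outbound allow list."""
    allowed_apps: set = field(default_factory=set)

    def outbound(self, app, lport, raddr, rport):
        if app not in self.allowed_apps:
            return "drop"    # the process keeps running; only its traffic is blocked
        return super().outbound(app, lport, raddr, rport)

def run_scenario(fw):
    """Constructed traffic: an FTP client, an unapproved program, an outside probe."""
    return {
        "ftp_client_out": fw.outbound("filezilla.exe", 1050, "198.51.100.10", 21),
        "ftp_reply_in": fw.inbound("198.51.100.10", 21, 1050),
        "unapproved_out": fw.outbound("unknown.exe", 1051, "203.0.113.5", 6667),
        "unapproved_reply_in": fw.inbound("203.0.113.5", 6667, 1051),
        "probe_to_local_ftp_server": fw.inbound("192.0.2.77", 40000, 21),
    }

if __name__ == "__main__":
    for fw in (InboundOnlyFirewall(),
               AppControlFirewall(allowed_apps={"filezilla.exe"})):
        print(type(fw).__name__, run_scenario(fw))
```

In the inbound-only model the unapproved program's connection and its replies pass exactly like the FTP client's; only the outside probe is dropped, and adding port 21 to `exceptions` is what lets that probe reach a local FTP server.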

