Re: Firewall of SP2 is good?
From: Duane Arnold (notme_at_notme.com)
Date: Sat, 02 Oct 2004 21:13:49 GMT
"Vanguardx" <see_signature> wrote in news:mLOdnQjVZpq4ncLcRVn-
> "Duane Arnold" <firstname.lastname@example.org>
> wrote in news:Xns957686107BBD6notmenotmecom@22.214.171.124:
>> I fully understand the XP SP 2 FW.
>> I do understand that the XP FW has App Control like the rest of the
>> PFW solutions and some people do consider App Control a limited means
>> of stopping outbound. If the program is being *blocked* or stopped
>> from executing, then it cannot send any outbound traffic. Is this the
>> same as me creating a rule on the WatchGuard to stop outbound by
>> port, protocol, or IP? No, it is not the same on the XP SP 2 FW, but
>> nevertheless, if the program cannot execute, then it cannot send
>> outbound traffic.
>> Duane :)
> The "App Control" in Windows Firewall is to permit unsolicited inbound
> connections to an application. The firewall does NOT stop any
> application from *executing* on that host. Whether I define a rule or
> not in Windows Firewall has nothing to do with, say, Gator getting
> loaded into memory and running and *attempting* to make unauthorized
> outbound connections. The firewall doesn't kill an application that
> doesn't get outbound permission. All it does is block that
> communication. But Windows Firewall doesn't do outbound permissions.
> Its exceptions only apply to inbound connections but it also applies
> ONLY to inbound connections that were unsolicited, so any application
> that runs on your host is not going to get killed by the firewall, will
> make an outbound connection, which then solicits for return traffic so
> then that inbound traffic is no longer unsolicited.
I don't need a lecture about this.
> With ICF (Internet Connection Firewall) or the later Windows Firewall, I
> can run SamSpade, Lynx, IE, Mozilla, FileZilla, any e-mail client, and
> so on and NEVER get prompted by those firewalls if I want to permit
> those processes to have an Internet connection. Same for spyware,
> trojans, or anything else running on your computer that wants to connect
> outside. They all are permitted, and any inbound traffic they initiate
> will also be allowed.
> As a test, I disable my 3rd party firewall and enabled the Windows
> Firewall. I started FileZilla (an FTP client) and connected to
> ftp.symantec.com. Did I get blocked? No. A prompt appeared asking me
> if I wanted to Keep Blocking, Unblock, or Ignore (don't remember the 3rd
> option). I selected Keep Blocking. So then I clicked on a subnode in
> the directory tree and it opened, and I continued on down the tree until
> I found a file and I successfully downloaded it. So just where did
> Windows Firewall actually block my outbound connection and the
> subsequent *solicited* inbound traffic? Never!
And again I don't need a lecture.
> So I still stand by my view that Windows Firewall only blocks UNSOLICITED
> inbound connections to your running processes, just like Microsoft said
> in the KB article that I mentioned which said, "Windows Firewall lets
> you add exceptions for programs and services so that they can receive
> inbound traffic." If I run an FTP server and don't define an exception
> (to punch a hole in the firewall) then outsiders cannot connect to it.
> If I run an FTP *client* then the Windows Firewall will do nothing to
> stop any outbound traffic from it and any resultant inbound traffic
> initiated by that outbound traffic. Same for spyware and other malware.
I'll admit I have not looked into the XP FW and its App Control fully and
apparently it's not there with the App Control I have used on BlackIce
which can stop execution and communications at the Dll level. I'll play
with XP's FW and its Security App Control later.
> ICF and the Windows Firewall are better than nothing. They're similar to
> the "firewall" function of a NAT router. But they don't compare to even
> the freebie firewalls you can get. The "App Control" in Windows
> Firewall is NOT the same as application control in 3rd party firewalls.
> In the 3rd party firewalls, you have to authorize an application to EVER
> have an outbound connection.
And App Control in those solutions can still be beaten by malware as well
at boot since none of them are integrated O/S components that can get to
the TCP/IP connection before the malware, unless one starts hacking the
Registry on the dependencies.
> With the Windows Firewall, ALL
> applications are allowed outbound connections. Also, some programs that
> generate outbound traffic never will generate inbound traffic (although
> it would then be solicited traffic), like zombies phoning home to some
> private chat room to let their master know their IP address and
> listening port.
That's why there are other tools that can be used like IPsec to stop
inbound or outbound that's sitting on the O/S and can be used to supplement
the XP FW or a NAT router.
One can also use Active Ports or some other tool in the boot process to
view all inbound and outbound connections.
The bottom line is I have very little appreciation for App Control in any
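The thread's disagreement comes down to what a stateful, inbound-only host firewall does with three kinds of traffic: a client's own outbound connection and its replies, an outsider's unsolicited connection to a local listener, and malware that only ever sends outbound. The toy model below, added here as an illustration and not code from either poster or from any Microsoft component, shows the difference between an inbound-exception-only filter (the behaviour Vanguardx describes for Windows Firewall) and a filter that also requires per-program outbound authorisation (the third-party or IPsec-supplemented setup Duane mentions). The addresses, port numbers and program names are constructed; the `program` field stands in for whatever process owns the socket, which a real host firewall would look up itself.

```python
"""Constructed model of two host-firewall policies (not a real firewall).

Packets are plain records; the firewall is a filter with a flow-state table.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out", relative to the protected host
    proto: str          # "tcp" or "udp"
    local_port: int
    remote_ip: str
    remote_port: int
    program: str        # process owning the socket (assumed to be known)
    syn: bool = False   # True for a connection-opening packet


@dataclass
class InboundOnlyFirewall:
    """Blocks unsolicited inbound; lets every outbound flow and its replies pass.

    Exceptions only open holes for inbound listeners, which is the behaviour
    the thread attributes to the XP SP2 Windows Firewall."""
    inbound_exceptions: set = field(default_factory=set)  # programs allowed to listen
    state: set = field(default_factory=set)               # (proto, lport, rip, rport)

    def filter(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.local_port, pkt.remote_ip, pkt.remote_port)
        if pkt.direction == "out":
            self.state.add(key)       # remember the flow so its replies pass
            return "allow"
        if key in self.state:
            return "allow"            # solicited reply to our own traffic
        if pkt.program in self.inbound_exceptions:
            return "allow"            # explicit listener exception
        return "block"                # unsolicited inbound


@dataclass
class OutboundPolicyFirewall(InboundOnlyFirewall):
    """Same as above, plus per-program outbound authorisation.

    This stands in for the third-party 'App Control' or an IPsec filter that
    the thread says can stop outbound traffic the XP firewall would allow."""
    outbound_allowed: set = field(default_factory=set)

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out" and pkt.program not in self.outbound_allowed:
            return "block"            # unauthorised program tried to phone out
        return super().filter(pkt)


# Three scenarios taken from the thread (constructed addresses and ports).

def ftp_client_session(fw) -> tuple:
    """An FTP client opens a control connection; the server's reply must pass."""
    out = fw.filter(Packet("out", "tcp", 50123, "198.51.100.7", 21, "filezilla", syn=True))
    reply = fw.filter(Packet("in", "tcp", 50123, "198.51.100.7", 21, "filezilla"))
    return out, reply


def unsolicited_ftp_server_probe(fw) -> str:
    """An outsider connects to a local FTP server on port 21."""
    return fw.filter(Packet("in", "tcp", 21, "203.0.113.9", 40000, "ftpserver", syn=True))


def zombie_phone_home(fw) -> str:
    """Malware announces its address to a remote host; it needs no inbound reply."""
    return fw.filter(Packet("out", "tcp", 50999, "203.0.113.50", 6667, "zombie", syn=True))


if __name__ == "__main__":
    xp_style = InboundOnlyFirewall()
    print("inbound-only: ftp client", ftp_client_session(xp_style))
    print("inbound-only: ftp server probe", unsolicited_ftp_server_probe(xp_style))
    print("inbound-only: zombie", zombie_phone_home(xp_style))

    with_outbound = OutboundPolicyFirewall(outbound_allowed={"filezilla"})
    print("outbound policy: ftp client", ftp_client_session(with_outbound))
    print("outbound policy: zombie", zombie_phone_home(with_outbound))
```

Running it shows what both posters agree on in the end: the inbound-only filter cannot tell FileZilla's outbound connection from the zombie's, so it allows both and blocks only the unsolicited probe to port 21 (unless an exception for the server is defined). Only the variant with an outbound policy distinguishes the two, and it does so by program identity, which is exactly the layer Duane notes malware can race at boot if the control is not in place before the TCP/IP stack comes up.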