Re: How to tell if a firewall alert is suspicious or not

From: Volker Birk (bumens_at_dingens.org)
Date: 09/15/05


Date: 15 Sep 2005 19:14:08 +0200

Gerard Schroeder <Gshroeder22031@hotmail.com> wrote:
> I thank you for your detailed suggestions summarized below as:
> 1. There exist innocent common connections reported by the firewall

Yes.

> Regarding the first interesting comment above:
> - Is there a site where all the common innocent connections are listed?

I don't know one. And I think this will not be possible. There are
too many possibilities for these. Why use a "Personal Firewall" at all,
which shows useless popups?

> Regarding looking up the NAME of the IP address:
> - WHY would my DNS provider suddenly connect (this does not happen often)?

There may be many reasons for this.

> Regarding the content of the incoming packets:
> - Sygate Personal Firewall 5.6 provides a Yes/No/Details response
> - The DETAILS button gives more information (cryptic to me, a novice).
> - Again I wonder if there is a list of known non-dangerous contacts.

The point is that it is a b0rken concept to ask the only person
who for sure does not know what to do here - you, the user.

It's OK that not everybody is a networking expert. A good security solution
has to work _without_ asking the user.

> For us novices who still desire basic firewall protection, it would be nice
> to refer to a list of known generally non-dangerous requests to accept.

Why not use the Windows Firewall and not have such problems?

Yours,
VB.

-- 
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms".
                                    Harald Schmidt on "World Youth Day"