Re: I am sick of windows firewall



V S Rawat wrote:
Duane Arnold wrote:


V S Rawat wrote:

louise wrote:



Duane Arnold wrote:


Sebastian Gottschalk wrote:



Duane Arnold wrote:



IPsec that's on the XP O/S too can be used to
supplement the XP FW if you need to stop outbound
packets. And it can do it by port, protocol, or IP.
[...]
I use the AnalogX IPsec rules to supplement BlackIce
on the laptop.



That's bad. You're always open to IP/50, IP/51 and
UDP/500, and your rules will always let pass all
Kerberos, NetBIOS, multicast and broadcast traffic.
Some of those exemptions can be disabled, some
cannot.


I have made my adjustments to IPsec to supplement
BlackIce to fit my needs. BlackIce is set to stop all
unsolicited inbound traffic and is letting nothing
through that's not solicited. In addition to that, I
have set rules with BlackIce to block TCP and UDP ports
from 1-65535, which means if I take BI off of its
highest configuration rule of stopping all unsolicited
inbound traffic, it's still blocking all unsolicited
inbound traffic.

IPsec is only a supplement to BlackIce or to any PFW
solution. It's not a front line defense solution. If I
need IPsec to stop outbound that BlackIce cannot do by
setting rules, then I'll do that.

In addition, the alerts on BlackIce's highest threat
level that I was getting that were happening on the
attempts on the Windows networking ports even though BI
was stopping the attempts came to a complete stop on
the notification and logging, once I implemented the
AnalogX rules for IPsec, activated IPsec and configured
IPsec to start blocking packets aimed at those ports.

Again, IPsec is a supplement solution behind the PFW
solution and I am pleased with its ability to be a
supplemental packet filtering solution.

Ipsec is doing its job on this laptop. If it comes past
IPsec and BlackIce on unsolicited inbound traffic, then
I'll worry about it. :)

I need IPsec to stop outbound if I need it to do it.
That's its purpose and why it is there.

Duane :)

I've read all your posts and am confused by your
statement(s) that PFWs only deal with incoming traffic.

I've been using Sygate for several years (don't know what
to use instead, even now), and it definitely asks before it
connects for an update. For example, Adobe Reader always
wants to update - I set Sygate to stop it. Several other
programs I run want to go check for updates all the time
and I don't want them to use resources and keep me waiting.

And - perhaps more importantly, I certainly don't want
them to download and install their updates unless I decide
I need that update. And then, I want to install one
update and make sure it hasn't affected machine
performance, before I download another. Essentially, I
want to know what's going on. Even if the intentions are
good, if there is a negative result, a bug, a conflict
between programs, I want to know what was just
changed/installed/updated.

If Windows FW doesn't do that - then what would I need it
for? I have a Linksys NAT, SP1 router - doesn't that
perform the same function better?

TIA

Louise



Exactly what I feel.

I can't hold your hand. You have got to figure things out for
yourself.


OK. Some M$ fans on this ng think that a firewall should
listen to inbound traffic only.

Again, you're way off in left field as usual. I don't even
consider a PFW to even be a FW period. What I do consider it
to be is a machine level packet filter. That's it and nothing
else.

And again, I or anyone else in this ng who has a little
expertise knows the difference that you can't seem to grasp.
It's not my fault that you cannot seem to grasp it. But you're
not alone.



Now, unless there is some outbound traffic from our pc, how
would inbound traffic begin?

If you actually knew what you were talking about, then you
would be dangerous. Inbound unsolicited traffic from an
application running from a remote site can cause the
listening or server program to send outbound traffic from a
machine. Such would be the case of your browser on the client
machine that must initiate contact with a Web server to begin a
session between the two, with it sending back outbound traffic
to continue the session. Now of course, the FW that would be
sitting in front of the Web server would have port 80 HTTP
open to all unsolicited inbound traffic from potential client
machines.


What you have described is plausible only if our PFWs (ZA, etc.)
are not controlling inbound traffic. They are controlling and
filtering that, so they are as effective as Windows Firewall in
that respect. Plus ZA also controls and reports outbound
traffic, which Windows Firewall doesn't, hence ZA is one up on
Windows Firewall.

Like I told you before, there is another packet filtering element on the XP O/S that can be used to stop outbound packets from leaving the machine by port, protocol, or IP to supplement the XP FW or machine level packet filter.

Your point is moot as far as I am concerned.

And again, I don't consider a PFW a FW. It doesn't meet the definition for a FW, which is to protect the network it is protecting, the LAN (Local Area Network), from the WAN (Wide Area Network)/Internet. A PFW is only a machine level packet filter; that's it and nothing else.




In addition to this, you as a typical home user would never
have that situation and nothing running on your machine would
be in a server listening mode as the norm.


Anyway, please coin some other term for the software that
listens to and controls outbound traffic, but give me some
tips about such software that is good at that, and is free.

None of them are IMHO and you won't get it out of me. :)


:) Then, I would have to rephrase the question.

Suppose I switch on Windows Firewall, and uninstall ZA, which
other software should I install to observe and control outbound
traffic?

I am going to tell you one more time. I have given you the links to IPsec in a previous post. You need to go read them.

BlackIce cannot stop outbound traffic by setting packet filtering rules by port, protocol or IP either and I like BI better than I like any other machine level packet filter solution -- that's just me.

That's why IPsec supplements BlackIce in this area when the laptop is in use with a direct connection to the Internet, and BI's Application Control is disabled; I don't need it.

I also use Active Ports (free) on this machine too, with a short-cut for Active Ports in the Start-up Folder, to observe connections being made at boot and login or any time I need to observe what is connecting to the Internet and where it is connecting.

If I want to know about a remote IP, then I use Arin Whois to look up the IP to make a determination as to who it is and whether or not it's dubious.

If I want to know what is happening on the machine (and I use these tools periodically on a routine basis on all my Windows based machines, even the ones connected to my FW appliance), then I do just that. I use them and go look for myself and let nothing like a PFW tell me that everything is okey dokey.

Long
http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html

Short

http://tinyurl.com/klw1

Also, I run the free RootkitRevealer that the PE people make from time to time.

Lastly, for my laptop that has a direct connection to the Internet, I try to further secure the machine by going to the O/S and hardening it against attack, and certain things like accounts and whatnot I don't use, and other things too that I don't need active on the machine, like Client for MS Networks or File and Print Sharing for MS on the NIC, I disable. I have no need for the machine to be doing networking, so why leave that open, as it's not on my LAN at home where I would be sharing resources between machines.

The buck stops at the O/S and your ability to configure it, configure applications such as OE and IE for security or don't use them, and using your common sense by not having the happy fingers clicking on everything under the Sun or Moon. It doesn't rest with the PFW and some of its worthless features; that is the bottom line.

http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm

Duane :)
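One way to build the kind of supplemental IPsec packet filter Duane describes, using XP's own netsh ipsec static context, as an added example that is not code from the thread or from the AnalogX rule set; it assumes Windows XP SP2 or later and picks the Windows networking ports 135, 137-139 and 445 as its own illustration of the "Windows networking ports" the post mentions:

```batch
@echo off
rem Added example (not from the thread): XP's netsh ipsec static context used
rem as a machine-level packet filter that drops Windows networking ports in
rem both directions on a laptop with a direct Internet connection.
rem Assumes Windows XP SP2 or later, run from an administrator cmd prompt.
rem The port list (TCP 135/139/445, UDP 137/138) is this example's own choice.

rem 1. A policy container. Nothing is enforced until it is assigned (step 4).
netsh ipsec static add policy name="Laptop-Supplement" description="Drop MS networking ports on the Internet-facing NIC"

rem 2. A filter list describing the traffic. srcaddr=me / dstaddr=any with
rem    mirrored=yes matches the outbound packet and its inbound mirror image,
rem    so both unsolicited inbound and outbound attempts on these ports match.
netsh ipsec static add filterlist name="MS-Networking-Ports"
netsh ipsec static add filter filterlist="MS-Networking-Ports" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=135 mirrored=yes
netsh ipsec static add filter filterlist="MS-Networking-Ports" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=139 mirrored=yes
netsh ipsec static add filter filterlist="MS-Networking-Ports" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=445 mirrored=yes
netsh ipsec static add filter filterlist="MS-Networking-Ports" srcaddr=me dstaddr=any protocol=UDP srcport=0 dstport=137 mirrored=yes
netsh ipsec static add filter filterlist="MS-Networking-Ports" srcaddr=me dstaddr=any protocol=UDP srcport=0 dstport=138 mirrored=yes

rem 3. A filter action that silently drops matches instead of negotiating
rem    security for them (action=block is what turns IPsec into a filter).
netsh ipsec static add filteraction name="Drop" action=block

rem 4. A rule tying list and action into the policy, then assign it so the
rem    IPsec driver starts enforcing it.
netsh ipsec static add rule name="Drop-MS-Networking" policy="Laptop-Supplement" filterlist="MS-Networking-Ports" filteraction="Drop"
netsh ipsec static set policy name="Laptop-Supplement" assign=y

rem Review what is in force; to roll back, unassign the policy.
netsh ipsec static show policy name="Laptop-Supplement"
rem netsh ipsec static set policy name="Laptop-Supplement" assign=n
```

As Sebastian points out earlier in the thread, XP's IPsec driver still exempts IKE (UDP/500) and broadcast/multicast traffic from such filters, which is why this belongs behind a packet filter that drops all unsolicited inbound traffic rather than in front of it.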