Re: I am sick of windows firewall



Sebastian wrote on Wed, 22 Mar 2006 17:53:01 +0100:

> Spack wrote:
>> Sebastian wrote on Wed, 22 Mar 2006 11:29:41 +0100:
>>
>>> Spack wrote:
>>>
>>>> But it's better than nothing whatsoever to prevent incoming
>>>> connections, or a software firewall panacea.
>>> A so-called TCP/IP stack prevents incoming connections very well and
>>> even in a RFC-conformant manner.
>>
>> It also allows incoming connections to any listening ports - after all,
>> that's what it's for.
>
> Right. And for any listening port, you have a wanted service that has to
> be permitted by the firewall. Your point being?

Saying that the TCP/IP stack prevents incoming connections is like saying
that a car can be stopped with its brakes - they're not on by default, and
you have to know how to use them. The fact is that out of the box pre-SP2 XP
and earlier MS OS's have a number of services running by default that can be
connected to if nothing is there to prevent it - and the majority of PC
owners are clueless people who have no idea that these are running.

>> Until MS and OEM suppliers lock down the OS so that
>> out of the box nothing is listening, there will be some configuration
>> required. It's a shame that you seem unable to grasp that this is the
>> case,
>
> Oh, I know exactly what's the case. And that configuration is rather easy
> and a way better approach than a host-based packet filter.
>
>>> That's why they cannot rely on software firewalls because that requires
>>> technical understanding. Shutting down unneeded services once and
>>> forever is a one-time-action, reliable and with good documentation a
>>> pretty easy thing.
>>
>> And how do you suppose they get documentation?
>
> The same way you're getting all documentation: request it!
>
>> MS and OEM suppliers certainly don't supply it
>
> As they don't supply extensive firewall and firewall configuration
> manuals.

I know they don't - I spend many days fielding phone calls for Microsoft
Press UK trying to explain to people that MS don't supply *any* manuals. You
get some crappy online help, and that's it.

>> so they get it from the web. And how do you
>> think they connect to the web? They hook up their shiny new PC and ...
>> oh, too late, they're hooked up to the internet and open to abuse.
>
> Right. Get a friend or pay someone who has a clue before connecting to
> the web.

Try telling the PC stores to put a sticker saying that on their boxes -
they'll just laugh at you. Not everybody who buys a PC knows someone who can
help them out - there's plenty of proof of that already.

>> Do you ever
>> stop to think about how to apply your suggestions in the real world?
>
> Yes. Once done, you can keep the documentation and spread it to anyone
> else who needs it, including having it for yourself.

So you have the addresses of every PC owner on the planet and you're sending
that documentation out? I'll keep my eyes on the post.

Dan
