Alternatives to using a Personal Firewall



Well knowing that it is impossible to state a one-for-all solution,
here is some input on how to start getting along in a home Windows
environment without running a personal firewall.

It is certainly not complete, but feel free to add Your tricks to the
list.

Note also that:

1. The right things to do in the end depend on Your environment,
habits and behaviour.

and

2. There is no such thing as full security on the internet. Your level
of security is something You come to a balance with, the key word
being trust.



Okay, here we go:

1. If possible put an NAT router/firewall device between Your
internet-connection and Your PC.

It does filter out a lot of network traffic that is just pure noise,
and it does provide a decent level of protection from "intrusion
attempts" from the outside.
If You are willing to invest a little money in security this is one of
the best ways to do it.


2. Disable unnecessary services

If directly connected to the internet, this part is *crucial*.

If behind a NAT router as suggested in point 1 however, this is less
important as long as Your router does not forward any traffic.

The ideal would be of course if You can end up having no open ports at
all. A PC configured like that can be directly connected to the
internet just as safely as if You were using a personal firewall - and
best of all, without all the noise from firewall pop-ups :-)

If You have a simple setup (like a stand-alone PC connected to the
internet, without any special requirements other than normal surfing
and mailing around) there are pretty straight-forward step-by-step
guides available that can help You close all open ports on Your
machine depending on the Windows version You are running. Remember to
check that Your ports actually are closed (the guide will probably
tell You how to do that).

Otherwise search the internet for ways to close ports You don't need.
(It's a good idea to write down which services You disable and how You
do it. You might find that You need to reopen them again at a later
time). Figuring out which services can be deactivated can be rather
tricky. Search the net and seek help in relevant forums.

If for some reason You need to have services running (which should be
the exception in most home environments), make sure that the software
behind it is kept up to date (patched), which leads us to the next
item...



3. Keep Your software patched.

This is true for Windows itself as well as any other software You are
running.



4. Do not run programs You don't trust.

It may sound a little too simple, but it really is. Unless You have
the source code and understand how to interpret it, there is NO way
You can control what a programmer has decided to let a program do, so
it all comes back to trust. If You don't trust the programmer or the
program vendor, don't run it! The moment You run or install a program
You have accepted to take a risk. It is just like driving a car. You
know there is a risk, but You accept that risk in order to get quickly
to point B.

If downloading programs from the internet, do it only from sources You
trust.



5. When surfing the web with Internet Explorer use its zone-concept.

IE has a quite decent concept which allows You to regard any web-site
You have not specifically acknowledged as being worthy of Your trust
as unsafe. You do that by making sure You set the security level of
the untrusted sites zone to the highest possible. That makes it quite
safe to surf around. You will, as a consequence however, bump into a
lot of sites that simply won't work properly under the high security
level because only the simplest web-techniques are allowed to be used.
As You go along You add the web-sites that You decide to trust into
the trusted zone that has a much more relaxed level of security
settings. An example: You will most likely not be able to do Your
home-banking on a website classified as untrusted. But hey, if You
don't trust Your bank's web-site why place Your money there in the
first place. So You add that website to the trusted zone and from that
on it works.
I must admit that adding trusted sites to IE is a cumbersome job. But
there are smart little apps available out there that will place
buttons on Your explorer from where You can quite easily add or remove
sites from zones.
In the beginning when You have only a few trusted sites, surfing can
be a pain, but eventually when You have added the sites You most
frequently visit it actually starts to pay off.

Tip: I like SpywareBlaster. Why? Because it takes advantage of this
built-in facility by adding a list of known spy- and adware providing
sites into Your list of restricted sites. Check it out.


6. Before opening a mail that looks suspicious, think twice.

and when You are finished doing Your thinking, think once again. Don't
open suspicious mails and don't open attachments unless You are
confident what You do. Common sense is the most powerful firewall
available.



I will stop here for now, well knowing that there are many issues left
I have not covered.

I have only listed some tips on what to do, and generally not how to
do it. Feel free to ask for further help or search the web for the
info You need.

I know my tips aren't perfect, but I can say just as well as people in
here are saying that they have been running PFW for years and not
having problems that I have been surfing the net for years, WITHOUT
resident anti-virus protection - WITHOUT resident spyware-protection
and WITHOUT a Personal Firewall - without noticeable problems.

I occasionally do scan my machines for viruses and other malware using
free online scanners available. They seldom find anything but a few
"suspicious" cookies.

Does that mean my machines are clean? - Impossible to tell, but at
least I am not stressing my not too fast CPUs with unnecessary
add-ons.

/B. Nice
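
Point 2 of the post above says to check that the ports actually are closed. As an added example that is not part of the original post, this Python script parses `netstat -ano` output and separates listeners bound to a network-facing address from loopback-only ones; the sample output and function names are constructed for illustration, and English-language netstat output is assumed.

```python
import ipaddress
import subprocess
import sys

# Constructed sample of English-language `netstat -ano` output (not from the post).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1820
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49712     203.0.113.7:443        ESTABLISHED     3344
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:123            *:*                                    1044
  UDP    127.0.0.1:1900         *:*                                    2210
"""

def parse_listeners(text):
    """Return (proto, address, port, pid) for every listening TCP/UDP socket."""
    found = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or another protocol
        if f[0] == "TCP" and f[3] != "LISTENING":
            continue  # established connections are not open ports
        host, _, port = f[1].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
        try:
            found.append((f[0], ipaddress.ip_address(host), int(port), int(f[-1])))
        except ValueError:
            continue  # line that does not follow the expected layout
    return found

def classify(text):
    """Split listeners into network-facing binds and loopback-only binds."""
    result = {"exposed": set(), "loopback_only": set()}
    for proto, addr, port, pid in parse_listeners(text):
        key = "loopback_only" if addr.is_loopback else "exposed"
        result[key].add((proto, port, pid))
    return {k: sorted(v) for k, v in result.items()}

if __name__ == "__main__":
    # On Windows read the live table; elsewhere fall back to the constructed sample.
    live = sys.platform == "win32"
    text = subprocess.run(["netstat", "-ano"], capture_output=True,
                          text=True).stdout if live else SAMPLE
    for kind, rows in classify(text).items():
        for proto, port, pid in rows:
            print(f"{kind:14} {proto} {port:<6} PID {pid}")
```

Every entry under `exposed` is a service to disable or keep patched; the PID column can be matched against Task Manager to find the program that owns the port.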