Re: XP's Firewall
- From: B. Nice <b__nice@xxxxxxxxxxx>
- Date: Wed, 23 Aug 2006 20:05:13 GMT
On Wed, 23 Aug 2006 12:59:26 -0600, Dan <spamyou@xxxxxxxx> wrote:
<snip>
Also, see this article that is suggested by PA Bear, MVP.
http://inetexplorer.mvps.org/data/prevention.htm
3. Use a firewall
Windows XP has a firewall - turn it on!
Agreed. Or even better: Disable unnecessary network services.
Only if you need to provide network services and only for a restricted
number of computers (for example on your local network) do you need a
packet filter to control that.
VERY IMPORTANT WARNING
The XP firewall cannot be considered to be equivalent to products
such as ZoneAlarm and Kerio. If your computer is infected, the XP
firewall may NOT stop your computer from sending data OUT. Until things improve I
must suggest that a third party firewall be used.
And this is where he is wrong, IMO. He simply does not understand that
when your computer is infected, the game is lost and *any* firewall
running on the same machine is easily busted (in other words, what he
is saying about the XP firewall may just as well be true for other
firewalls). Adding a lot of code to try and stop malware allowed to
run from "phoning home" simply is a silly idea and does not work
reliably. In that context, the software vendors have entered a battle
they cannot win. But since they make money from it, we can probably
expect them to continue :-)
I also recommend that you leave the Windows Firewall enabled, even if you have a third party product installed. This is because Windows Firewall
includes boot time protection - protection during that short
period of time between when the network starts and a third party firewall fires up. Your
third party firewall may not have the same ability.
Good point about boot time protection. That is one of the benefits you
get from a packet filter being a part of the O/S core.
Adding a third party firewall on top is however nonsense IMO.
The issue here is that there is something about inbound protection.
It's proven that this can be done in a highly reliable way. A good
packet filter is all you need. And *BOTH* ZoneAlarm (ZA) and the
Windows firewall (WinFW) do a good job in that context (with boot-time
protection as a possible exception).
But while the WinFW focuses on inbound protection and does that well,
PFWs like ZA also try to concentrate on other superfluous functions
like outbound connections (which can NOT be done reliably). At the
time you need outbound control for security reasons you most likely
have bigger problems than that.
In that case, from a pure security standpoint, the WinFW would be the
better choice because it is already there. Installing something like
ZA adds further code, and therefore also further attack vectors.
To make a system more secure you normally work on reducing the code
running (reducing complexity). Disabling network services (as already
mentioned) for example is a much better choice than providing network
services and then adding a firewall to protect those. That's a fact -
not just an opinion.
Even if you don't have XP there are various free firewalls available, including ZoneAlarm, Kerio Personal Firewall and Sygate. Select
the one that best suits you according to your level of experience and
knowledge, and start using it.
This is just a general statement without much substance.
It is true however that a non-XP o/s like W2K may need a good packet
filter (depending on the circumstances). Solutions like wipfw or CHX-I
do a good job there.