Re: XP's Firewall and general security

Robert Moir wrote:
Leythos wrote:

> In the case of every PFW I've used and people I know have used, the
> malware or threats have caused a reaction from the PFW software. I
> know that they can still be compromised without warning, but every
> one of the non-Windows XP firewalls that I have experience with
> warned the user before they made the mistake.

But they can't do that if you run the equivalent of kill -9 on the appropriate bit of code. This is noticeable, but only if you look for it. I don't know many people who keep one eye on the system notification area while using their computer. I tend to have the autohide turned on for as much as possible on my system, personally.

If I thought it was intentional, I might suggest that the only thing Microsoft are doing here is actually being the only company to be honest about the viability of a host based firewall in the face of an attack from software running as administrator on the host box.

> Yes, they could, and Microsoft could have made it impossible for
> Software to add exceptions and designed it so that it required a USER
> to create exceptions

Given my point of view above, I would say that all Microsoft are doing is being honest by providing a recognised interface for adding exceptions programmatically, and saving the installer software running as admin with the rights to do anything it wants the effort and bother of "hacking" the firewall.

> - they could also have built a reporting tool and
> real-time monitor GUI for it, but they failed in that too.

They might argue that the security centre handled this. And you'd probably counter that it was somewhat inadequate (and I'd agree with you) but arguably it *is* there.

> First, let's understand, I'm not "Picking" on the Windows Firewall,

Poor choice of words on my part. Sorry if I caused any offence.

> may seem that way, but it has some serious flaws that are not
> exploited the exact same way as many of the non-XP Firewall solutions

I understand that. I just feel the cost difference to code running on the system is negligible at this point. My feeling is that the battle is already over the moment malicious code was run in an admin context, and we're just waiting to see how the coup de grâce will be administered. You can't really trust the system from this point onwards.

[re-arranged the order of your list below slightly to group for comments]
> No reporting
> No authorization to make changes
> No real-time view of connections in any direction

Quite so. Possibly a weakness. Possibly a strength when looking after inexperienced users who do not know and do not wish to know what is happening on a realtime basis.

With the first and last of your 3 points above, it's interesting to note that Apple use pretty much the same model for their software firewall with very little comment or complaint. I suspect their user community would be very annoyed by the sort of "look at me" popups that the majority of third-party Windows software firewalls use.

> No notice of changes made

This could perhaps be handled better. Of course, it could be suborned by malware.

>> You run software on your system in the context of an admin user, and
>> that software owns your machine and can subvert any software
>> firewall / anti-spyware or anti virus program installed on that
>> system, just by shelling out a batch script that runs a bunch of
>> "net stop" commands to turn off their services.
> Yes, but that's not what we're talking about, but I completely agree.

Ok. I feel it is what we're talking about, because I'm trying to address why I feel outbound filtering on a software firewall is worth far less than people think.

> Turned off is easy to detect on many third party firewall products,
> and even if stopped, their icon in the task bar disappears - not so
> with the Windows XP Firewall.

Security Centre? Big Red shield and a popup?

> Look, I use XP Firewall on this laptop, but I also have another
> installed, I use one or the other, depending on the environment. I
> have never had a single compromised machine that we manage, ever, and
> I'm not about to start now, but I don't trust something that is only
> half-implemented by design.

Absolutely. I don't disagree at all. I'm just simply saying that I believe that all host-based firewalls are just as crippled when it comes to outbound filtering for the reasons I've already presented, and that I think the worst Microsoft can be accused of here is an attack of honesty!

Either way, thanks for an interesting debate, by the way.

Rob Moir
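Two of the concrete complaints in the exchange above, that the XP firewall gives no notice when its service is stopped and none when an installer or other admin-context code adds an exception, are the kind of change a periodic audit against a saved baseline can at least surface after the fact. The script below is an added example, not code from the thread or from Microsoft. It parses entries in the format the XP SP2 firewall stores under its AuthorizedApplications list, extracts the service state from `sc query` output, diffs a baseline against the current state, and reports a stopped service and added, removed or altered exceptions. The registry path, the service name SharedAccess and the entry format are assumptions taken from the XP SP2 firewall policy layout rather than from the thread; the sample entries and the `sc query` text are constructed so the logic runs on any platform.

```python
"""Audit the XP-style Windows Firewall for a stopped service or silently changed exceptions.

Added example. The service name, registry path and entry format are assumptions
based on the XP SP2 firewall policy layout; they are not taken from the thread.
"""
import json
import re
import subprocess
import sys

FIREWALL_SERVICE = "SharedAccess"  # service hosting the XP firewall (assumption)
EXCEPTIONS_KEY = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                  r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")  # assumption

# Constructed sample data: a saved baseline, the "current" list with one entry
# disabled and one added from a temp directory, and sc query output for a stopped service.
SAMPLE_BASELINE = [
    r"C:\Program Files\Example Mail\mail.exe:*:Enabled:Example Mail Client",
    r"C:\Program Files\Example Chat\chat.exe:*:Enabled:Example Chat",
]
SAMPLE_CURRENT = [
    r"C:\Program Files\Example Mail\mail.exe:*:Enabled:Example Mail Client",
    r"C:\Program Files\Example Chat\chat.exe:*:Disabled:Example Chat",
    r"C:\Documents and Settings\user\Local Settings\Temp\helper.exe:*:Enabled:Helper",
]
SAMPLE_SC_STOPPED = """SERVICE_NAME: SharedAccess
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
"""
SAMPLE_SC_RUNNING = "        STATE              : 4  RUNNING\n"


def parse_exception(value):
    """Parse one '<path>:<scope>:<Enabled|Disabled>:<description>' list entry."""
    sep = value.index(":", 2)  # skip the drive-letter colon in 'C:\...'
    scope, state, description = value[sep + 1:].split(":", 2)
    return {"path": value[:sep], "scope": scope,
            "enabled": state.lower() == "enabled", "description": description}


def service_state(sc_output):
    """Return the STATE word (RUNNING, STOPPED, ...) from `sc query <service>` output."""
    match = re.search(r"STATE\s*:\s*\d+\s+(\w+)", sc_output)
    return match.group(1) if match else "UNKNOWN"


def diff_exceptions(baseline, current):
    """Compare two {path: entry} snapshots; report paths added, removed or altered."""
    base_paths, cur_paths = set(baseline), set(current)
    changed = [p for p in sorted(base_paths & cur_paths)
               if (baseline[p]["enabled"], baseline[p]["scope"])
               != (current[p]["enabled"], current[p]["scope"])]
    return {"added": sorted(cur_paths - base_paths),
            "removed": sorted(base_paths - cur_paths),
            "changed": changed}


def audit(baseline_values, current_values, sc_output):
    """Turn a baseline, the live exception list and sc query output into findings."""
    findings = []
    state = service_state(sc_output)
    if state != "RUNNING":
        findings.append(f"service {FIREWALL_SERVICE} is {state}, not RUNNING")
    base = {e["path"]: e for e in map(parse_exception, baseline_values)}
    cur = {e["path"]: e for e in map(parse_exception, current_values)}
    diff = diff_exceptions(base, cur)
    for kind in ("added", "removed", "changed"):
        findings.extend(f"exception {kind}: {path}" for path in diff[kind])
    return findings


def live_state():
    """Read the real exception list and service state (Windows only)."""
    import winreg
    values = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, EXCEPTIONS_KEY) as key:
        index = 0
        while True:
            try:
                _name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # raised when there are no more values
                break
            values.append(data)
            index += 1
    sc_output = subprocess.run(["sc", "query", FIREWALL_SERVICE],
                               capture_output=True, text=True).stdout
    return values, sc_output


if __name__ == "__main__":
    if sys.platform == "win32" and len(sys.argv) == 2:
        # Usage: audit.py baseline.json  (a JSON list of entries saved from a known-good state)
        with open(sys.argv[1]) as f:
            baseline = json.load(f)
        current, sc_output = live_state()
    else:
        baseline, current, sc_output = SAMPLE_BASELINE, SAMPLE_CURRENT, SAMPLE_SC_STOPPED
    for line in audit(baseline, current, sc_output) or ["no changes detected"]:
        print(line)
```

On the sample data the audit reports the stopped service, the new exception from the temp directory and the chat client's entry flipping from Enabled to Disabled. The caveat from the thread applies to this script as much as to any host-based firewall: code running as admin can stop or edit the audit just as easily, so the baseline is only worth something when it is kept off the box and the comparison is read somewhere the host cannot tamper with.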

Rob, do you know if Microsoft will have Vista so that it has a minimal surface area of attack? I refer to having all points of access to the operating system closed until needed by a verified and safe program. Do you think the NT (New Technology) source code has a strong enough foundation to resist the attacks of the 21st century? Chris Quirke talks about the lack of a true maintenance operating system with XP because it lacks MS-DOS (Microsoft Disk Operating System). Will this be remedied with Vista or in a later Microsoft operating system? Why is there the constant focus about Windows 98 Second Edition not being a secure operating system if, according to the Secunia web site, the XP operating system suffers from many more serious vulnerabilities? Thanks for your thoughts.