Windows Firewall

geoffry

Senior member
Sep 3, 2007
Hi all,

The Windows Firewall that's used in Windows XP (SP3 if that matters), I hear some people bash it, others say it's fine but I haven't seemed to be able to get a definite answer.

If a computer never installs a new app and has avast, and only browses the web to say 30 websites is the Windows Firewall enough? I think so because the outgoing traffic is meaningless when this particular computer has just the most basic applications installed and doesn't download anything aside from video clips off trusted websites (not nudies).
 

GaryJohnson

Senior member
Jun 2, 2006
If you're behind a router it is blocking everything inbound anyhow. An inbound firewall would just be an extra layer of protection, in case the router is compromised.

For Joe Consumer outbound protection is important because they will open that funnyvideo.exe email attachment, click the "Your Computer is Infrected!" pop up and install its ActiveX control, and download the 43kb MS Office 2007 torrent and run it.

If you never ever do anything that could ever possibly get any malware downloaded, then you don't need an outbound firewall or an antivirus/antispyware/antimalware for that matter either.
 

geoffry

Senior member
Sep 3, 2007
Originally posted by: GaryJohnson
If you're behind a router it is blocking everything inbound anyhow. An inbound firewall would just be an extra layer of protection, in case the router is compromised.

For Joe Consumer outbound protection is important because they will open that funnyvideo.exe email attachment, click the "Your Computer is Infrected!" pop up and install its ActiveX control, and download the 43kb MS Office 2007 torrent and run it.

If you never ever do anything that could ever possibly get any malware downloaded, then you don't need an outbound firewall or an antivirus/antispyware/antimalware for that matter either.

This computer is at work, I don't have a router there...just the modem.
 

geoffry

Senior member
Sep 3, 2007
There was a local sale on Norton IS 2009 so I picked it up...I liked its demo anyways, nice features.

That month in between paid services made me nervous for some reason, lol...I don't do anything risky but I was just used to having something protecting my puters.
 

GaryJohnson

Senior member
Jun 2, 2006
A lot of modems have built-in routers, particularly DSL modems (vs cable modems which are sometimes just modems).
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
OP, why not add a router between your modem and your computers... even if your modem has basic firewall functionality, your router should get you a more competent firewall with SPI features.

If you do get a router, (1) update its firmware, and (2) give it a strong password for the Admin log-in, don't leave it at default settings. Also (3) ensure its Universal Plug 'n Play (UPnP) feature is disabled, and (4) disable its wireless feature. Also do those steps for your modem insofar as you can. You can usually access the device your computer's plugged into by using a Web browser to go to http://192.168.0.1 or http://192.168.1.1.

If you do need wireless, use WPA2 or at least WPA encryption, and also enable the router's MAC-address filter and enter your own computers' MAC addresses, so unauthorized computers won't be allowed to attempt a connection.
 

Lemon law

Lifer
Nov 6, 2005
With all due respect to some Windows fans, both the XP SP2 firewall and Vista firewalls have but one virtue, namely they are better than nothing. And I have later found out from a recent thread on spywarewarriors, that the Vista firewall, without much user intervention, is hardly anything remotely resembling a two way firewall. Nor do I have all that much faith in a router. And while mechBgon is spot on about wireless being a security hole, but when it comes to firewalls, wireless adds a somewhat comparing firewall apples to wireless oranges.

If nothing else a decent two way firewall will add easily accessible log files that tell you exactly what your outgoing internet traffic is. If you are infected with spyware that is communicating with suspicious outside sources, that activity will show in those log files. But only for those that bother to read them, which takes both work and knowledge.

But that question of how much security you need is always somewhat unanswerable and can change over time. It's more of a risk-reward problem. If you remain uninfected with minimal security, you can say, see it works. And say to the guy with more security, see you have the pain of maintaining too much security. But either of those can get infected and later discover they did not have enough computer security.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Originally posted by: Lemon law
If nothing else a decent two way firewall will add easily accessible log files that tell you exactly what your outgoing internet traffic is. If you are infected with spyware that is communicating with suspicious outside sources, that activity will show in those log files.

Based on what I know about malware, I wouldn't be so confident of that. The NewMediaCodec malware variants that I used to hunt, morning and night, used the BITS to bypass firewall detection (article on this evasion technique in general). I often saw malware download more malware files via the web browser, disguised as .GIF or .JPG image files, before unpacking them and deploying them. Does your two-way firewall ask you before it lets your web browser download a picture?

Also, there's plenty of malware that'll take the direct approach and attempt to take down your firewall by force. Once there are burglars in your house, they can tamper with your burglar alarm before they throw open your front door and haul away your stuff.

On that last note, I'd certainly encourage the OP and anyone else to adopt a non-Administrator user account for daily-driver use, so that if your software gets exploited, the attack doesn't gain Admin-level power over your system and its defenses. non-Admin user accounts and other security features. I feel the most valid reason to run a two-way firewall would be to control your legit programs in how they access the network and Internet, rather than expecting them to stop malware. Malware should be stopped many layers sooner than the outbound firewall, IMHO.
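
An added example, not part of any post in this thread: a sketch of reading a firewall log for outbound connections, as discussed in the two posts above. The log text is a constructed sample assumed to follow the pfirewall.log layout written when successful connections are logged; the function names, the LAN range and the expected-port list are hypothetical.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample (assumed pfirewall.log layout). All addresses are
# private or documentation ranges, not real hosts.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2008-11-02 09:14:01 OPEN TCP 192.168.1.10 198.51.100.7 1055 80 - - - - - - - -
2008-11-02 09:14:02 OPEN UDP 192.168.1.10 192.168.1.1 1056 53 - - - - - - - -
2008-11-02 09:14:09 CLOSE TCP 192.168.1.10 198.51.100.7 1055 80 - - - - - - - -
2008-11-02 09:20:30 OPEN TCP 192.168.1.10 203.0.113.50 1060 8081 - - - - - - - -
2008-11-02 09:20:45 DROP TCP 203.0.113.99 192.168.1.10 4431 445 48 S 123456 0 16384 - - -
2008-11-02 09:31:12 OPEN TCP 192.168.1.10 198.51.100.7 1071 80 - - - - - - - -
2008-11-02 09:45:00 OPEN TCP 192.168.1.10 203.0.113.50 1080 8081 - - - - - - - -
"""

def parse_firewall_log(text):
    """Yield one dict per entry, using the #Fields header for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def outbound_summary(text, local_ip, lan="192.168.1.0/24",
                     expected_ports=(53, 80, 443)):
    """Count outbound OPENs per destination; list those on unexpected ports."""
    seen = Counter()
    for e in parse_firewall_log(text):
        if e.get("action") != "OPEN" or e.get("src-ip") != local_ip:
            continue  # keep only connections this machine initiated
        if ip_address(e["dst-ip"]) in ip_network(lan):
            continue  # skip traffic that stays on the local network
        seen[(e["dst-ip"], e["protocol"], int(e["dst-port"]))] += 1
    # The log has no process column: a port-80 row looks the same whether the
    # browser fetched a page or something else used the browser or BITS.
    unexpected = sorted(k for k in seen if k[2] not in expected_ports)
    return seen, unexpected

if __name__ == "__main__":
    seen, unexpected = outbound_summary(SAMPLE_LOG, "192.168.1.10")
    for dest, count in seen.most_common():
        print(count, dest, "<-- review" if dest in unexpected else "")
```

The port-80 destination is counted but never flagged, which is the limit raised in the reply above: this log shows where traffic went, not which program sent it.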
 

Lemon law

Lifer
Nov 6, 2005
I agree 100% with mechBgon's limited account thing, especially if it has a full software restriction policy.

And the common weakness of any firewall, be it hardware or software, is and remains, if the idiot sitting behind the keyboard says I want that piece of eye candy, the firewall will roll out the red carpet.

And once in, some varieties of special malware can disable any security system in milliseconds, simply by commanding the CPU to download various helper apps, hardware routers may be slightly less vulnerable, but any hardware router has enough open ports so the hardware part is only an illusion. Which brings us back to NAT, how can the hardware firewall tell the difference between malware and legitimate when it's the CPU asking for helper malware apps the firewall is supposed to roll out the red carpet for?

Bringing us back to the original limited account, if the limited account will not let the malware install, what can't install can't infect.
 

geoffry

Senior member
Sep 3, 2007
Thanks guys, that's one of the reasons I prefer Vista to XP, but alas at work all I have is XP but I will definitely make in a non-admin account.

I will also look into getting a router, wireless means nothing as everything is hard wired there.
 

Chiefcrowe

Diamond Member
Sep 15, 2008
Thanks for that article mech.. it's very interesting and scary too!


Originally posted by: mechBgon
Originally posted by: Lemon law
If nothing else a decent two way firewall will add easily accessible log files that tell you exactly what your outgoing internet traffic is. If you are infected with spyware that is communicating with suspicious outside sources, that activity will show in those log files.

Based on what I know about malware, I wouldn't be so confident of that. The NewMediaCodec malware variants that I used to hunt, morning and night, used the BITS to bypass firewall detection (article on this evasion technique in general). I often saw malware download more malware files via the web browser, disguised as .GIF or .JPG image files, before unpacking them and deploying them. Does your two-way firewall ask you before it lets your web browser download a picture?

Also, there's plenty of malware that'll take the direct approach and attempt to take down your firewall by force. Once there are burglars in your house, they can tamper with your burglar alarm before they throw open your front door and haul away your stuff.

On that last note, I'd certainly encourage the OP and anyone else to adopt a non-Administrator user account for daily-driver use, so that if your software gets exploited, the attack doesn't gain Admin-level power over your system and its defenses. non-Admin user accounts and other security features. I feel the most valid reason to run a two-way firewall would be to control your legit programs in how they access the network and Internet, rather than expecting them to stop malware. Malware should be stopped many layers sooner than the outbound firewall, IMHO.