
XP's Firewall

Discussion in 'Windows XP' started by AceH, 2003/09/21.

Thread Status:
Not open for further replies.
  1. 2003/09/21
    AceH

    AceH Inactive Thread Starter

    Joined:
    2002/01/16
    Messages:
    601
    Likes Received:
    2
    My sister is having a new system built with Win XP. I know XP has a firewall with it. She's going to have ZoneAlarm Pro on it. Can she tell the computer guy NOT to install XP's Firewall because she wants to use ZA Pro?

    P.S. I installed XP via the Upgrade method to my Win 98SE. I already had ZoneAlarm installed, so XP did not install its own Firewall. It's my understanding that if XP detects another firewall it won't install its own. Which was great for me. If you're doing a clean install of XP I'm hoping it won't automatically install its own Firewall by default.
     
    AceH,
    #1
  2. 2003/09/21
    FireDancer Lifetime Subscription

    FireDancer Inactive

    Joined:
    2003/04/14
    Messages:
    460
    Likes Received:
    0
    Hi AceH,

    I am not familiar with XP as I will only use WIN98SE until it dies :D but... as far as XP not installing when another FW is present
    I believe that XP's FW is already installed within the OS and can be disabled. If in fact it has an install process with XP that the user can run and what you say is right about detecting another firewall then that is great. But if not you can always have your sister tell the tech to make sure it is disabled.

    There are many discussions on running 2 FW at the same time.. some do and get away with it, and some do and have many problems. IMHO I believe that only one FW is necessary as long as it is set up properly to the user's needs and maintained. I use Kerio 2.1.5 and it is a fully customizable "rule based" firewall.

    Hope this has been a little help, I am sure others will chime in... as I said it can be a hot topic at times :)

    Good Luck,

    ~FireDancer~
     

  4. 2003/09/21
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Ace

    Sounds like this is a clean install of XP - the XP firewall will be installed by default, but will not be active until an internet connection is configured.

    To disable it go Control Panel > Network Connections > Right click on the Internet Connection (on my m/c this is a dial up connection) > Properties > Advanced tab and uncheck Internet Connection Firewall.

    As FireDancer rightly says a lot of discussion as to whether or not it should be disabled when a third party firewall is installed. I believe it works at a different level in XP to a third party firewall and will co-exist.

    I would be fairly certain that you will find it on your upgraded m/c.
     
  5. 2003/09/21
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Last edited: 2003/09/21
  6. 2003/09/21
    AceH

    AceH Inactive Thread Starter

    Joined:
    2002/01/16
    Messages:
    601
    Likes Received:
    2
    Thanks for the input in this matter.
     
    AceH,
    #5
  7. 2003/09/21
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hey AceH,

    Let me make myself a little clearer here. I'm not advocating running multiple commercial firewalls such as Sygate or ZAP, that would cause a conflict.

    What I'm saying is that ICF in no way conflicts with any 3rd party commercial firewall that I'm aware of. Nor have I ever seen ANY post on any board saying that ICF caused a problem in tandem with another firewall. So the comments in the thread that I linked are par for the course, theoretical and lacking in direct experience.

    My experience with it is that its effect is that of a hardware router, blocking in only and giving the main FW a lot less to do. This is all easily tested comparing logs - with ICF on/off.

    Unlike Sygate lets say, ICF can be shut down/started up just like any XP service unlike another FW which is installed/uninstalled with all the time and trouble that takes.

    Since it comes installed and running by default, millions of users are running the 3rd party FW's with ICF on with no one telling them they can't be doing that.

    Regards - Charles
     
  8. 2003/09/21
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    For more solid protection yet stick a Hardware Firewall between the machine and the Modem. Alias a Router. They take a lot of incoming load off of the Software Firewall.

    Also with a Router. If you have a Local Area Network ( LAN ) it keeps that and the Internet separated. While allowing at least four machines on line at the same time with only one Account. ( for DSL and Cable anyway. )

    However I do not know if one will work on Dial-up.

    Then use one software Firewall and you have things nailed down fairly tight.

    What may be being overlooked here is that the more things running the more chance for conflicts. And the more load on the system.

    I do not know about ZA and Sygate but Kerio sure needs no help.

    I have no proof otherwise but I would suspect that XP firewall may only block what MS wants it to. Letting itself in.

    Another thing that helps is to get DCOM shut off. There is a program that will do that but I will be darned if I can find it and I downloaded it too.

    BillyBob
     
    Last edited: 2003/09/21
  9. 2003/09/21
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hey BillyBob,

    "I have no proof otherwise but I would suspect that XP firewall may only block what MS wants it to. Letting itself in."

    Actually Kerio will allow MS in unless you specifically block the IP's they use. Don't we all let MS in when we do Windows Updates? With ActiveX to boot which is far more intrusive than anything that a FW can block. If you feel that way, what are you doing using MS's OS?

    Easy enough to test port blocking which is what ICF is good at, better than a lot of FW's. Again, easily tested by any number of test security sites.

    I agree that a router is good, provided that its good and set up properly. In the real world, how many will do so?

    Regards - Charles
     
    Last edited: 2003/09/21
  10. 2003/09/23
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    BillyBob, you are right. M$ can override their ICF anytime they want to. The only software that I know of that can boss M$ is Symantec, but that's another thread... :D (and I think we have beat that equine to death several times!)

    I would say that if you are running a reliable third party firewall, disable the default XP one and forget about it. I would also say that if you are not running an additional firewall, you are part of the problem, not the solution, in regards to these new worms and trojans that steal resources and spy on users.

    Cheers from Ohio!
    Johanna
     
  11. 2003/09/23
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    Maybe. Maybe not.
     
  12. 2003/09/23
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    Thanks, Brett

    That is why I love this place, there is always more to learn! Thanks for sharing another point of view. I want to read the whole article tonight. I should have said that the average user needs internet security. People like my mom who couldn't find her control panel if it were on her desktop. Otherwise the whole system gets busy because some idiot throws blaster or whatever into the pot. I have no doubt that there are people who could sneak past any security feature I install and maintain while they force my computer to dance and sing "La Cucaracha" if they took a notion to, but Mr & Mrs Joe Average need some kind of protection from the routine stuff, and the defaults on the main IS software would have stopped these recent attacks IF people took the time to USE any of the available security options. I repaired a dozen computers for users who had no idea why their systems were shutting them down in 59 seconds and had no clue that they could have prevented this easily. Some of them had the protection available, just weren't using it. Sigh. Oh well, I took their money.
     
  13. 2003/09/23
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hello Johanna,

    " M$ can override their ICF anytime they want to. "

    Evidence? Because otherwise it's hard to carry on a rational discussion.

    I'm not advocating using ICF by itself.

    Right, Symantec is a dead horse!

    Regards - Charles
     
  14. 2003/09/24
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    Charlesvar

    Do you really think that Microsoft can't override their own firewall? From M$

    Briefly:
    How Internet Connection Firewall (ICF) works
    ICF is considered a "stateful" firewall. A stateful firewall is one that monitors all aspects of the communications that cross its path and inspects the source and destination address of each message that it handles. To prevent unsolicited traffic from the public side of the connection from entering the private side, ICF keeps a table of all communications that have originated from the ICF computer.
    All inbound traffic from the Internet is compared against the entries in the table. Inbound Internet traffic is only allowed to reach the computers in your network when there is a matching entry in the table that shows that the communication exchange began from within your computer or private network.

    Communications that originate from a source outside ICF computer, such as the Internet, are dropped by the firewall unless an entry in the Services tab is made to allow passage. (Like Messenger??)


    IMO, Microsoft can cross that XP FW anytime. Whether they would, or why they would, is another thread, but CAN they? Yes.

    My point about additional firewall and internet security software was similar to what you said about routers- In the real world, how many people know to install it, why they should, and how to configure it properly? I have had people tell me, "Oh, I don't need ZA, Norton, Kerio, Fill-in-the-blank because I use XP, and it has a FIREWALL." Whoopee. They don't realize it is designed to be one way, they don't have any updated scanning features, and it doesn't look at email. It is NOT a substitute for proper internet security software. Without it, a computer could be used to harm other people's computers, and the problems compound exponentially.

    Sorry, didn't mean to get on my soapbox. But when Blaster made its rounds, my phone started ringing. They couldn't type an email in 59 seconds and none of them realized how easily their whole mess could have been prevented with a few simple precautions.

    Johanna
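
The connection-table behaviour described in the Microsoft text quoted above, as an added example that is not part of the original thread and is not Microsoft's code: a toy Python model showing that outbound traffic is never filtered, replies are matched against the table, and unsolicited inbound packets are dropped unless a Services entry exists. The class and function names are hypothetical, and the addresses and ports are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class StatefulInboundFilter:
    """Toy model of an inbound-only stateful filter (hypothetical, not ICF itself)."""
    services: set = field(default_factory=set)  # (proto, port) pairs the user opened
    table: set = field(default_factory=set)     # flows that originated from this machine

    def outbound(self, pkt: Packet) -> str:
        # Outbound is never inspected or blocked; it only creates state.
        self.table.add((pkt.proto, pkt.sport, pkt.dst, pkt.dport))
        return "ALLOW"

    def inbound(self, pkt: Packet) -> str:
        # A reply must mirror a recorded flow exactly: same protocol,
        # same local port, same remote address and remote port.
        if (pkt.proto, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "ALLOW reply"
        if (pkt.proto, pkt.dport) in self.services:
            return "ALLOW service"
        return "DROP unsolicited"


def demo() -> list:
    me = "203.0.113.10"  # constructed addresses from documentation ranges
    fw = StatefulInboundFilter()
    out = [
        # 1. A local program (any program, wanted or not) connects out.
        fw.outbound(Packet("tcp", me, 1045, "198.51.100.7", 80)),
        # 2. The matching reply is let back in.
        fw.inbound(Packet("tcp", "198.51.100.7", 80, me, 1045)),
        # 3. Same remote host, different source port: no table entry.
        fw.inbound(Packet("tcp", "198.51.100.7", 8080, me, 1045)),
        # 4. Unsolicited connection attempt to a local port.
        fw.inbound(Packet("tcp", "192.0.2.99", 4444, me, 135)),
    ]
    fw.services.add(("tcp", 80))  # the user ticks a service in the Services tab
    out.append(fw.inbound(Packet("tcp", "192.0.2.99", 4445, me, 80)))
    return out


if __name__ == "__main__":
    print("\n".join(demo()))
```

Step 1 is the limitation raised in the thread: the model has no rule that can stop a program on the machine from opening a connection, so anything that connects out gets its replies back in.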
     
  15. 2003/09/24
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Johanna,

    Actually, I think you've made a great case for allowing ICF to run with a 3rd party Firewall because then it's not a matter of trust, no more than trusting any other software or a router for that matter.

    By the logs of my 3rd party firewall, ICF frontends them. So I let ICF do whatever it does. One thing it does do well is block ports. I have verified this with a lot of sites that test firewalls, including Steve Gibson, that great fan of MS's, both with ICF on and off.

    Ok, so we'll agree to disagree.

    Regards - Charles
     
  16. 2003/09/24
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    If you want 100% protection from the Nasties ( alias the best firewall to be had ) Never plug the machine into an electrical outlet in the first place.

    Cause once we plug it in, turn it on and connect to the Internet it is vulnerable to attack.

    Next best; Never use E-mail, MS Messenger ( or whatever it is ), AIM or Hotmail. I myself have not used Outlook Express for YEARS. Mostly because most users use the default Windows setup so the creators of the Nasty stuff know right where certain folders are.

    Or a better choice would be to not connect it to the Internet at all.

    A lot of the nasty stuff that gets to a PC comes in via a path that WE ALLOW and do not protect properly. E-Mail I believe is the main one. The best firewall or even a Router won't stop that.

    It used to be that AV checking of the e-mail was enough.

    Now I have MailWasher to prescreen mail and delete what looks like trash. I WILL NOT bounce it cause I may be sending it back to somewhere that it never came from in the first place. A lot of it comes right back to me anyway. ( ONCE is ENOUGH ) AVG7 also checks here too. And I do not care about infecting someone else's machine if I can help it. And I CAN HELP.

    Next I have now added Benign to the list. Which checks the mail along with AVG7 as it is being downloaded and helps to take out some of the nasty stuff.

    AVG7 is also set to check e-mail on the way out. I know many users that do not think this is needed.

    And unless absolutely necessary I do not forward any e-mail.

    Now even with all that, there still exists the possibility that one of us ( human or software ) will miss something somewhere. Or someone writes a new batch of code. But it sure as hell won't be because I did not try.

    Windows XP Firewall all by itself IS USELESS because if something is allowed to get out, it can get back in.

    And last but not least. The creators of the Nasty stuff count on unprotected machines.

    Johanna

    DO NOT be sorry for being on the Soap box. Get on it. Stay on it. And speak LOUDLY and FIRMLY about the subject of protection at hand.

    BillyBob
     
  17. 2003/09/24
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0

    Do you think that Zonelabs can cross Zonealarm?
     
  18. 2003/09/24
    FireDancer Lifetime Subscription

    FireDancer Inactive

    Joined:
    2003/04/14
    Messages:
    460
    Likes Received:
    0
    Hi All,

    I TOLD YA SO!!!!!!...............:D

    ~FIREDANCER~
     
  19. 2003/09/24
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hello Brett,

    "Do you think that Zonelabs can cross Zonealarm? "

    Good point. That applies to any software or since firewalls are the subject, a hardware router's firmware/software.

    My answer is cross checking as much as possible any security app that I run. This includes Sygate and NAV which I run on XP.

    I don't think this would be such a "hot" subject if this weren't MS we were talking about :)

    Regards - Charles
     
  20. 2003/09/24
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    Quite.
     
  21. 2003/09/24
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    I wouldn't mind allowing the built in XP firewall to run next to another one, like Charles does, but it causes conflicts with some of my other software. Does Zonelabs cross ZoneAlarm? I don't know, I'm a Norton holdout. I know that Norton can do whatever it wants to, though, because I have given it the permission. (That's where the trust thing comes into play) Do I trust Symantec? Absolutely. Do I trust M$? Yeah, but like my 3 year old, I keep an eye on 'em. Do I trust my cousin's babysitter's hairdresser (average computer user) to not spread computer plague? Ya gotta be kidding! Would I let Charles, Newt, Pete, Reboot, Abraxas, Miz, Daizy, Arie, Mike Flynn etc come over and monkey with my computer? Yep. And I'd even cook them supper.
    :D
    Johanna
     