
Firewall Yes? No?

Discussion in 'Security and Privacy' started by BillyNeal, 2004/09/11.

Thread Status:
Not open for further replies.
  1. 2004/09/27
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    I am not using Kerio right now. I have the SP2 Firewall enabled. Plus I use a Router with NAT that helps on the incoming side.

    But if I were to use a so called 3rd party Firewall the FOOTPRINT would be THE LEAST of my concern. If it takes more space/resources ( or whatever ) to do the BETTER job then so be it.

    BillyBob
     
  2. 2004/09/27
    Rockit

    Rockit Inactive

    Joined:
    2003/03/23
    Messages:
    464
    Likes Received:
    0
    BillyBob,
    My computer is pretty old and my system resources are very limited. When I build a new one and have a high speed connection, then I may agree with you but that won't be until Windows 64 bit, Longhorn, or whatever is out and not in Beta (Next year I hope :rolleyes: ). I was an Internet Support Tech. for a few years and most of the calls I got were problems from firewalls. That was a couple years ago but from my own personal experience I have not had very good luck with any of them. I just got my computer running halfway decent after removing Norton and going with a less resource hungry antivirus app. And I do like the fact that my system is more responsive. After much research, I feel I'm better protected with the new antivirus software and it has a smaller footprint and uses a lot less resources. Since I've never had a problem without a firewall I'm very reluctant to install one now, but try and keep an open mind when I hear so many people say that I should.

    Later
    Rockit
     


  4. 2004/09/27
    Paul

    Paul Inactive

    Joined:
    2002/01/29
    Messages:
    1,293
    Likes Received:
    1
    I'm agreeing with you again Rockit. :)
    I've never felt the need to complicate things more with a third party firewall.
    The one in XPSP1 seemed to work for me and the new one in SP2 certainly is an improvement.
    I have no wish to be told by these fancier firewalls every time there is a knock at the door. I'm paranoid enough as it is. :D
     
  5. 2004/09/27
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    Rockit

    In no way can I disagree with you in respect to available Resources. That is something that does need to be considered.

    BillyBob
     
  6. 2004/09/28
    James

    James Inactive

    Joined:
    2004/07/14
    Messages:
    1,004
    Likes Received:
    0
    It's not just the MVP's advising against the use of more than one firewall. I've faithfully followed the Netscape newsgroup and the Windows newsgroup(s) [from Win 95 days] and have yet to meet up with any who advise using more than a single firewall. If one is good, that does not necessarily translate into "two are better."

    And advising the use of an inbound-only firewall (i.e. the one that comes with SP 2) over a third-party firewall (i.e. Zone Alarm) which affords the added protection of outbound packets, is foolhardy IMHO. ZA can be configured so that it is not bugging you on a constant basis. In fact, it's really a no-brainer to set it up to run quietly in the background.
     
  7. 2004/09/28
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    One problem w/ the way you formulate "two firewalls" is, this is not as if I were running Sygate with ZA, it's running ICF/WFW w/ Sygate which is a different matter. They don't operate on the same level. WFW "front ends" Sygate on my system and would on any other. There are 3rd party firewalls that you can't do this with - Symantec's and I think Kerio as well.

    About your other point: as I wrote in one of my posts, I insist on having outbound App control and advanced rule making - shutting down ports, restricting apps to a single port and so on. Others have different ways of controlling those things. WFW does have the ability to close a port to a process. And I have other ways to control applications via an application "firewall" - in my case System Safety Monitor. There is another one called Process Guard by the TDS people and more of these kinds of programs on the way.

    Regards - Charles
     
  8. 2004/09/29
    kedalia

    kedalia Inactive

    Joined:
    2004/09/22
    Messages:
    9
    Likes Received:
    0
    dual Firewall

    Charles -

    Thank you for your insight on having Sygate + XP's firewall running.

    I am slowly but surely trying to remedy a laptop with issues (killed ME with a trojan via a System Restore, have since installed XP), and I am currently trying to finalize my security setup.


    XP's firewall is active, but I still got hit yesterday with "begin2search.com" added toolbar/spyware/junk before I could get AdAware & Spybot installed.

    I am mainly looking at using Sygate Personal Firewall.

    -k
     
  9. 2004/09/29
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hello kedalia,

    Your problem with the trojan is not because it got past the firewall - I think it got past your browser security.

    If you're running IE - look at the ActiveX settings. Most security advice is to disable the "unsigned" categories and enable "signed", and that mostly works. The problem I have with that is obvious, to paraphrase a recent Vice-president, who's "the controlling authority"? One site that still needs to allow "Run ActiveX and Plug-ins" is MS's Windows update. So for that, you have to allow it.

    I have ALL ActiveX settings either on prompt or disabled - if a site doesn't work because of that, then you always have the option to enable. Another option is to put a site that uses ActiveX and that you trust into IE's trusted Zone.

    Use these sites to review your security:

    http://www.infinisource.com/techfiles/surf-safe.html

    http://www.cert.org/homeusers/HomeComputerSecurity/

    http://forums.net-integration.net/index.php?showforum=38 The pinned thread "how I got infected in the first place"

    Regards - Charles
     
    Last edited: 2004/09/29
  10. 2004/10/15
    Sarissi

    Sarissi Inactive

    Joined:
    2002/06/08
    Messages:
    38
    Likes Received:
    0
    I use AVG free edition for antivirus, and Zone Alarm free edition in both Win98SE and Windows 2000 Pro. I don't have any problems. A friend of mine runs the same 2 apps and has no problems. I am on Cable broadband, and he is on dialup.
     
  11. 2004/10/15
    James

    James Inactive

    Joined:
    2004/07/14
    Messages:
    1,004
    Likes Received:
    0
    Essentially that is what I'm running too, with the exception that the AVG I'm running is the new beta version.

    Charles, I asked the question about running both the WinXP firewall and another 3rd party firewall in the Microsoft forum and to a man every MVP and everyone who contributed to the thread agreed that it was not a prudent thing to do. Some of them got far more complex in their answers than I could follow but what I could follow suggested that there was no additional security afforded by running both regardless of configuration and that while there was a small possibility of conflict that was not the main concern which was the fact that one could and often did cancel out the effectiveness of the other without the user being aware that such was the case. The net effect was a system that was actually less protected than had the user simply gone with one.

    I'm not trying to be argumentative. I hope you understand this. But when I read that all these techies and all those who contributed were of one mind on the issue, I have to believe that they know something about the potential dangers of running both. For the time being, I'm sticking with ZA and keeping WinXP off.
     
  12. 2004/10/15
    James

    James Inactive

    Joined:
    2004/07/14
    Messages:
    1,004
    Likes Received:
    0
    I'll try to start a new thread and see whether or not I can come up with something more substantive for you to work with.
     
  13. 2004/10/15
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    "For the time being, I'm sticking with ZA and keeping WinXP off."

    Hi James,

    Ok, and that's fine. In no way do I think that you're vulnerable, all things being equal. Please understand that I'm not trying to "convert" anyone. Nor am I poo pooing MVP's.

    I do think that after more than two and half years I would have detected if something wasn't working.

    Regards - Charles
     
  14. 2004/10/15
    James

    James Inactive

    Joined:
    2004/07/14
    Messages:
    1,004
    Likes Received:
    0
    That's cool, Charles. I'm just trying to educate myself on these things. Even though I've been online since '97, I still consider myself a neophyte in regards to computers and particularly to security. :confused:
     
  15. 2004/10/15
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    James, there is something that I wanted to add about safety and security.

    A firewall basically blocks "unsolicited" intrusions against your system in the form of "packets". Sort of like locking your door. And all the top tier firewalls do that job, and as far as I can tell, do it well. So IMO, you shouldn't be worrying whether ZA is doing that job.

    It's the Browser that in effect "solicits" intrusions into your system, constantly opening that "door". And this is where the biggest threat is and the bigger job: sorting out whether the intruder is safe or not.

    Regards - Charles
     
    Last edited: 2004/10/15
  16. 2004/10/15
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Let me reiterate "why" a software firewall with outbound blocking because we may have gotten off track:

    As a "tripwire" - something not known about wants to connect out.

    As a controller of legitimate software that often wants to connect out whenever it feels like it.

    The ability - not all have this - to make advanced rules.

    Regards - Charles
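
The three roles listed in the post above (tripwire, controller of legitimate software, advanced per-port rules) can be sketched as one rule check. This is an added example, not part of the thread and not any firewall product's code; the program paths, rule set and sample attempts are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed rule set (assumption): full program path -> remote ports it may reach.
# An empty set means the program is known but is never allowed out.
RULES = {
    r"c:\program files\netscape\netscp.exe": {80, 443},
    r"c:\windows\system32\svchost.exe": {53, 123},
    r"c:\program files\player\player.exe": set(),
}

@dataclass(frozen=True)
class Attempt:
    program: str       # full path of the process opening the connection
    remote_ip: str
    remote_port: int

def decide(attempt, rules=RULES):
    """Return (verdict, reason) for one outbound connection attempt."""
    key = attempt.program.lower()          # Windows paths are case-insensitive
    if key not in rules:
        # Tripwire: something with no rule wants out, so deny and tell the user.
        return ("ALERT", "no rule for this program")
    ports = rules[key]
    if not ports:
        # Controller: legitimate software that is simply not allowed to phone out.
        return ("BLOCK", "program has no outbound permission")
    if attempt.remote_port not in ports:
        # Advanced rule: the program is restricted to specific remote ports.
        return ("BLOCK", f"port {attempt.remote_port} not in {sorted(ports)}")
    return ("ALLOW", "matches rule")

# Constructed sample attempts; addresses are from the documentation ranges.
SAMPLE = [
    Attempt(r"C:\Program Files\Netscape\netscp.exe", "192.0.2.10", 443),
    Attempt(r"C:\Program Files\Netscape\netscp.exe", "192.0.2.10", 6667),
    Attempt(r"C:\Program Files\Player\player.exe", "198.51.100.7", 80),
    # Same file name as a permitted program, different folder: matched by
    # full path, so it gets no free ride on the svchost rule.
    Attempt(r"C:\Temp\svchost.exe", "203.0.113.5", 53),
]

def review(attempts, rules=RULES):
    """Evaluate every attempt and return the list of verdict strings."""
    return [decide(a, rules)[0] for a in attempts]

if __name__ == "__main__":
    for a in SAMPLE:
        verdict, reason = decide(a)
        print(f"{verdict:5}  {a.program} -> {a.remote_ip}:{a.remote_port}  ({reason})")
```

Rules are keyed on the full path rather than the bare file name, so a look-alike binary in another folder falls through to the tripwire case instead of inheriting a trusted program's rule.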
     
  17. 2004/10/15
    James

    James Inactive

    Joined:
    2004/07/14
    Messages:
    1,004
    Likes Received:
    0
    Hello, Charles

    I use Netscape 7.2 for that very reason... security. As a secondary browser I use Firefox and on rare occasions, Opera 7.54. I only use IE when I must update my confounded WinXP system.

    My wife and I are on DSL and we are networked together (not wireless but hard networked). We have an Actiontec modem which also acts as a router so we are doubly protected... by a hardware firewall so to speak and by Zone Alarm (on both of our computers).

    I've had a few comments regarding the running of two firewalls on the MS group but they did not use complimentary language and thus I've chosen to ignore them. When or if I see something substantive, I'll post it here so that you can weigh its relevance. :)
     
  18. 2004/10/15
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    Another 2p ...

    ... or, for the sake of those on t'other side of the pond, another 2c.

    1. Running more than one firewall can negatively impact on both the security and stability of a system and, tho' some firewalls may happily coexist, others most certainly will not. This from Agnitum, the developers of Outpost:-

    We strongly recommend that you uninstall all other firewall applications before installing Outpost Firewall. Running Outpost with other firewall products can result in system instability (i.e., crashes) and can cause Outpost to operate in an unsecure mode.

    http://www.agnitum.com/download/outpostpro.html

    This, BTW, is not a ploy to encourage users to install only Agnitum's firewall - the risks are genuine.

    2. Firewall-munching Trojans are actually rather rare (how many posts have you seen from people whose firewalls have been compromised?) and so the risks of a person actually encountering such a beast are extremely small. In fact, I'm not sure whether there is currently any malware out there that has the ability to kill (an up-to-date) firewall.

    3. If a person were to be unfortunate enough to encounter a firewall-muncher, there's a good chance that it'd kill every installed firewall as well as every installed antivirus programme. For example, here's Kevin McAleavey's, the developer of BOClean, assessment of BioNet (it's now somewhat dated but still makes for informative reading):-

    I should perhaps have been a bit more specific on ZA 2.6.xxx - please forgive me folks, I never did believe in software firewalls and don't use any of them. What I *should* have said was early versions of ZA 2.6.xxx (the freebie - we've played with it to test compatibility of our own products) and they go byebye with ease. After ZA's changes, and those of other manufacturers including ourselves, you have to now go after a Ring0 device driver to kill the security product, but YES, they ALL DIE if you know what to do. The DIRT demonstration doesn't know how to do this and I am *NOT* going to mention any specifics as to how.

    Let's fire up the wayback machine to March 22, 2001 when we posted a report on our site regarding a specific trojan that exploited the TerminateProcess() function on EVERY major antivirus and firewall in existence ... please note in particular the THIRD paragraph down:

    http://www.nsclean.com/psc-bionet.html

    and then the list beneath that of what it took out. You could also add to the list if you knew the specific programs to target. VSMON would get yanked first, then the ZA GUI. Same for "watchdogs" employed by other software to protect the main program.

    Since BioNet, hundreds of other trojans incorporated this "ability" to take out all sorts of programs, most notably "MoSucker" which went beyond the original "one-shot" of BioNet and would keep nailing the various programs every second. Whereas with BioNet, you could restart the programs affected (if they weren't rendered corrupt) and hopefully nail them. MoSucker and a number of others however would keep whacking the security software and take it out before it even had a chance to get started, much less get to work. Fortunately, most of the hundreds of trojans designed to take out security software are VERY poorly written and don't work. However this OLD NEWS issue was what forced us to redesign BOClean 4.07 into BOClean 4.08 last year in order to do as much as possible to prevent it since our previous separate "watchdog" program was just as exposed as BOClean itself was at the time.

    What the DIRT thing shows is old news. Nailing security programs with TerminateProcess actually goes back a couple of years now but BioNet actually made it push button easy which is why we made note of it in the report last year.

    The REAL PROBLEM however isn't in the security programs, the problem is Microsoft's DELIBERATE DESIGN. THERE IS NO SOLUTION FOR TERMINATEPROCESS other than having Microsoft put up a "Kill? Y/N" box before the kernel's TerminateProcess() function pulls the rug out. Nobody but Microsoft can fix this and they have consistently, irrevocably REFUSED to do so. We've been after them for years about this ourselves as have been many others to no avail.

    =========================

    From the WindowsAPI documentation:

    The TerminateProcess function terminates the specified process and all of its threads.

    <snipped>
    ========================

    What's going on is a truly bad design and while the discussion has centered on blaming the various security companies for the problem when it's really Microsoft's fault (although all of us have done our utmost to circumvent this as best as we can) there IS NO SOLUTION until Microsoft is made to deal with this. I'd encourage folks to make the point to Microsoft personally here.

    And actually, the situation is worse than the DIRT demo has pointed out. While many vendors have moved from Ring3 (the API layer of Windows) to put schemes to protect their products into Ring0 (the forbidden bunker of Billyland) the TerminateProcess() call also calls into Ring0 where it actually resides.

    I need to be very careful about saying anything more detailed here as it would only aid and abet malcontents. But they've already gone there. There are a number of undocumented Windows calls that can get you FROM Ring3 TO Ring0 without the need to write VXD's or SYS files. Some of the recent trojans have done this. Microsoft needs to patch the TerminateProcess function in RING ZERO itself to put that signage up ... simply moving the "not responding? Kill?" box from TASK manager to the TerminateProcess() call would be sufficient.

    If Microsoft could be encouraged to do this, you could STILL hit YES on a hung program to kill it, but more importantly if malware decided to kill your firewall, you could let the box sit there while you determined WHY the box appeared and then decide Yes or No to the box ... but in the ongoing debate here, this whole point of where the ACTUAL fault lies has been completely ignored.

    Needless to say, I've been getting squatola done on my end here with all the questions pertaining to this dirtbag parlor trick. Real trojans today have that capability and they have had it for well over two years now. Anyone want to get Microsoft interested in fixing THIS hole? It's not like it's not been noticed or is a new one.


    So ... to sum up, running more than one firewall is, IMO, both rather pointless and potentially hazardous.
     
    Last edited: 2004/10/15
  19. 2004/10/15
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    I hear you Brett :)

    If you remember we went through this debate sometime last year, so out of gas on this issue.

    On the MS issue, you're absolutely right. So it's raining, have to use umbrellas and galoshes.

    Regards - Charles
     
  20. 2004/10/17
    Bill

    Bill SuperGeek WindowsBBS Team Member

    Joined:
    2002/01/11
    Messages:
    3,332
    Likes Received:
    389
    You should never use two firewalls and in fact, even Microsoft says to disable theirs if using another.

    http://www.microsoft.com/windowsxp/using/security/internet/sp2_wfintro.mspx (see the first note).

    http://www.microsoft.com/athome/security/protect/firewall.mspx - see question 15.

    You should never have 2 Antivirus programs running at the same time either. It is wise, however, to have one running and use another upon demand (turning off the in-resident one first).
     