How secure is Windows XP Firewall?!

[Koopa]

I guess, no more words are needed.

[ujay]

Is that Laurel & Hardy I see pulling up at the kerb.

UJ

[swingdjted]

Shit, I'd be careful with that one. It may have rained the past night, meaning I'd get my pants wet trying to pass through that.

[MegaRock]

Hey, someone needs to pick up the doggy doo in the yard as well. That's a safety hazard.

[shakey_snake]

XP's firewall isn't any worse than any other software firewall.
If you want real protection you need to sit behind an NAT router.

[k_rock923]

it's sure not as good as iptables.

[shakey_snake]

ok so...
XP's firewall isn't any worse than any other windows software firewall.

[k_rock923]

Except that it doesn't do anything for outbound traffic.

Neither does a NAT router, for that matter.

[shakey_snake]

No software firewall can fix a compromised system.
Monitoring outbound traffic is for NRA members with carpal tunnel (aka people with a illogical obsesesson for protection who like to close pop-ups).

[k_rock923]

It's a symptom of malware infection. If my system had caught some malware and it was phoning home, I'd sure want to know about it.

[shakey_snake]

but an outbound-monitoring-firewall is no guarantee you'll know about it (because it too may be compromised)

But you sure are guaranteed to be bothered by any number of legitiment programs you run.
Not a particularly valuable trade-off, IMO.

[k_rock923]

It's my job to worry about such things.

[Sawg]

I find an outbound monitoring software firewall is good for catching malware trying to phone home, or even non-malware trying to phone home without permission. And it was less of a system strain to run a firewall all the time instead of an Antivirus scanner.

[swingdjted]

All of the firewalls I have tried have proven ineffective at blocking fire.

Fucking ripoff.

[zootm]

Quote:

Originally posted by shakey_snake
No software firewall can fix a compromised system.

There is no system in existence which can fix all problems; a software firewall will block a large number of attack vectors and will be capable of monitoring traffic generated by any system which does not specifically subvert the software or the API it uses, which is pretty good without extra hardware.

[Mattress]

I run neither a software firewall or anti-virus. Rarely ever have any problems.

[k_rock923]

Correct. Good browsing habits will avoid almost any problem. However, it never hurts to be safe.

[Mattress]

I do a pandascan every 45 months

[rockouthippie]

Quote:

Originally posted by k_rock923
Correct. Good browsing habits will avoid almost any problem. However, it never hurts to be safe.

The thing is "Where there's an activex control, they'res a way". So yeah....

If you want to run your computer and don't want to spend $100 a year for virus packages, Firefox is the bullet.

Using IE with a virus scanner is possibly risky. Using IE with no virus protection is instant death. Firewalls will stop incoming attacks, but it won't stop an infected computer from transmitting private information.

Rather than running the windows firewall I prefer to set the firewall manually in the TCP/IP filter. I trust that more than windows firewall and it's less of a nuisance.

And you're right, it's sure not ipchains. This gets really obvious in the windows 2003 server dedicated machine I lease.

[k_rock923]

Server 2003 really is a good OS though. We use it on almost all of the windows servers here and it works very well.

[shakey_snake]

Quote:

Originally posted by zootm
There is no system in existence which can fix all problems; a software firewall will block a large number of attack vectors and will be capable of monitoring traffic generated by any system which does not specifically subvert the software or the API it uses, which is pretty good without extra hardware.

"pretty good" isn't worth my rampant clicking or system resources, though. And I very highly doubt it's worth a computer novice's time (considering how long it'd take them to learn a new program, and how effective they'd be with it anyways)

[k_rock923]

pretty good is a lot better than zero

[gameplaya15143]

Quote:

Originally posted by rockouthippie
Firewalls will stop incoming attacks, but it won't stop an infected computer from transmitting private information.

I don't know what crap you are using (must be windows firewall), but mine blocks both directions. Nothing goes in or out without my permission.

[mikm]

Assuming your firewall hasn't been compromised/fooled.

[zootm]

Quote:

Originally posted by shakey_snake
"pretty good" isn't worth my rampant clicking or system resources, though. And I very highly doubt it's worth a computer novice's time (considering how long it'd take them to learn a new program, and how effective they'd be with it anyways)

The system resources are so minimal as to be completely negligible on any computer released in the past 10 years or so. And for a novice, it can be very beneficial. They need to learn one guideline (don't trust anything when you don't know what it is) and two buttons ("trust", "don't trust"), especially when so few programs actually need incoming connections. I'm not sure there's anything other than software that I wrote myself on my home machine which requires seeing any of the firewall user interface. If a user actually reads prompts (which novice users often do, bizarrely) this is an easy thing to learn. Furthermore blocking incoming connections by default can block a huge number of undisclosed and unpatched vulnerabilities leading from programs expecting connection through loopback.

This is a tremendous return on investment for the system resource and training cost.

[rockouthippie]

In other words.

Your computer wont notice a firewall in operation.

Most users won't notice the firewall software much because they don't run servers.

Don't load software when you don't have good reason to trust it.

Firewall software doesn't usually require that you know anything. It's not worth it to learn to do this "by hand" for most people.

Leave it on, because "pretty good is a lot better than zero"

About the only exceptions you're gonna need from filesharing software is bittorrent type stuff. The temptation will be to switch the firewall off rather than configure it right.

Don't. You are broadcasting your IP all over. If you ever needed security software, it's when you are making yourself public, as with gameservers, bittorrent etc.

You'd be amazed at how many computers are wide open. Type in their IP and you're looking at their hard disk. No router, no firewall

[swingdjted]

^Mine was like that till the computer teacher at my school visited for a get-together last year and bitched me out for it. Now all's well.

[Mattress]

Quote:

Originally posted by rockouthippie
You'd be amazed at how many computers are wide open. Type in their IP and you're looking at their hard disk. No router, no firewall

Eh... wouldn't you need to have configured IIS or something for this to happen?

[zootm]

Quote:

Originally posted by Mattress
Eh... wouldn't you need to have configured IIS or something for this to happen?

You'd have to share something of note. On an unpatched XP system (I'm talking pre-SP1, circa 2001) if the user enables the "Guest" account, the "SharedDocs" folder will be visible.

[rockouthippie]

Usually you can print on their printer too.....

For curiousity, I had this program that would scan IP blocks for open windows shares. You wouldn't get through 8 bits of the internet and not find a computer that was sharing stuff that you would figure the owner wouldn't want to share.

Without giving a hacking class, the vulnerability zootm mentions here was easily exploitable to gain full control of the machine.

But yeah, 2001 would be about right.... some of these holes are probably plugged, even if you were stupid enough not to use a router.

[zootm]

Quote:

Originally posted by rockouthippie
Usually you can print on their printer too.....

The printer needs to be explicitly shared too.

Quote:

Originally posted by rockouthippie
But yeah, 2001 would be about right.... some of these holes are probably plugged, even if you were stupid enough not to use a router.

I don't think there's any unpatched exploitable ones at the moment. Windows Firewall will stop internet access of shares anyway.

[k_rock923]

[nitpick]

A real router lets all traffic pass to the IP. Only a NAT router stops unknown traffic.

[/nitpick]