FIREWALL CHECK

Hank Arnold (MVP)

Kayman said:
And 99.99% of quoted statistics are made up on the spot...

Including yours??? ;-)

--

Regards,
Hank Arnold
Microsoft MVP
Windows Server - Directory Services
 
Root Kit

On Wed, 30 Jul 2008 13:01:16 -0400, "Mr. Arnold" <MR.
Once again, will someone tell this person what outbound packet filtering
means, which Vista has outbound packet filtering. What he is talking about
is application control, which are two different things and is snake-oil.

Okay. There is a big difference between outbound packet filtering and
application control. Neither are reliable counter measures against
malware allowed to run.
 
Root Kit

Vista's outbound filtering needs manual configuration and is well
beyond the scope of anyone who doesn't have serious training.

That's true for any kind of "outbound control". One who doesn't
understand networking shouldn't be expected to be able to properly
configure a firewall.

For application control the situation is even worse, since it requires
a deep understanding of the inner workings of the OS.

"Do you want svchost.exe to connect to the internet?" - Erhmmm, NO -
BEEEEEEEEP - WRONG ANSWER. Okay.. then erhm... YES - BEEEEEEEEEEP -
WRONG ANSWER.

And how about when the "firewall" asks you to make decisions based on
utter nonsense? How about this one that I have come across in several
"personal firewalls": "Program X is trying to contact the internet on
IP address 127.0.0.1"? Not only is it nonsense, it's of absolutely NO
help to a user and worst of all gives the impression of the program
having been developed by coders who have no clue about networking
themselves.
Application filtering is not snake-oil and does have value.

That's true. It does have value. A good feeling of being in control
certainly has value. Just not in terms of security.
It's also possible for average users to actually turn it on and have it work.

It's possible for average users to turn it on and shoot themselves
seriously in the foot.
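
Added example, not part of any post in this thread: a minimal model of the two decision types being argued about, showing why the svchost.exe prompt has no right answer and why a prompt about 127.0.0.1 asks nothing useful. The connections, service names, addresses (documentation ranges) and rules are all constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed sample connections (illustrative, not from the thread).
# "service" is what actually runs inside the process; a per-executable
# prompt never sees it.
Conn = namedtuple("Conn", "image service dst port proto")
CONNS = [
    Conn("svchost.exe", "dns-client", "192.0.2.53", 53, "udp"),
    Conn("svchost.exe", "update-client", "198.51.100.10", 443, "tcp"),
    Conn("svchost.exe", "unwanted-service", "203.0.113.66", 6667, "tcp"),
    Conn("programx.exe", "local-ipc", "127.0.0.1", 5000, "tcp"),
]

# Hypothetical packet-filter allow list: (destination network, port, protocol).
RULES = [("192.0.2.53/32", 53, "udp"), ("198.51.100.0/24", 443, "tcp")]

def app_control(conn, allowed_images):
    """Application control: the decision is keyed on the executable name only."""
    return conn.image in allowed_images

def packet_filter(conn, rules):
    """Outbound packet filtering: default deny, keyed on address, port, protocol."""
    dst = ipaddress.ip_address(conn.dst)
    if dst.is_loopback:
        return True  # 127.0.0.1 never leaves the host, so there is nothing to ask
    return any(dst in ipaddress.ip_network(net) and conn.port == port
               and conn.proto == proto for net, port, proto in rules)

def decisions():
    """Verdict per service under: answer YES, answer NO, and the packet filter."""
    return {c.service: {
        "app_yes": app_control(c, {"svchost.exe", "programx.exe"}),
        "app_no": app_control(c, {"programx.exe"}),
        "packet": packet_filter(c, RULES),
    } for c in CONNS}

if __name__ == "__main__":
    for service, verdict in decisions().items():
        print(f"{service:17} {verdict}")
```

Answering YES lets every service hosted in svchost.exe out, answering NO breaks name resolution and updates. Neither model inspects what is sent: traffic to an allowed address and port passes the packet filter regardless of which process sent it.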
 
Root Kit

Nonsense. Not all malware is sharp enough to avoid firewall detection.
Not all malware infections are lost cases.

No. But no matter what, that has to be always the default assumption.
Unless you have a baseline and can identify exactly what has been
changed you are basing your security on hope.
Repair is possible quite often.

Repair is possible if you're very skilled. It's certainly not a job
for Mr. Average. If you rely on running a few anti-tools in order to
declare a system clean as soon as the symptom seems to be gone, you're
on a very slippery slope.
The earlier the problem is detected, the higher the probability
for repair. There are enough malware schemes that don't avoid the
firewall that it is worth using one. PERIOD.

If you allow even poorly coded malware to have a ball on your
computer, your defenses are non-existing anyway.
Museums have sophisticated security systems. Nonetheless, criminals
get through them and steal valuable items fairly consistently. Do the
museums throw up their arms and say "we won't bother with an alarm
system since there are _some_ people who can beat it". No, they
install a security system that keeps out the large majority of
potential thieves, recognizing that no system is perfect.

The real and the virtual worlds don't easily compare. This has led to
a variety of bad analogies. Yours is just yet another one.
The fact that some people have an illusion of safety does not negate
the increased security offered by an outbound firewall.

The possible increase in security from an outbound firewall must as a
minimum outweigh the drawbacks. For me that's a very easy assessment
to make.
There's a difference between relying and utilizing.

One shouldn't utilize a security measure one can't rely on to a very
high degree. Especially not one which has a serious impact on the
system it's trying to protect.
 
Root Kit

But the point being argued here is having an outbound firewall vs. none
at all (windows firewall).

If it was only that simple.
No A/V solution will catch everything.

That's true. In fact they are getting less effective every day.
Add a few layers - an extra non-unobtrusive, non-performance impacting
layer that can help is worth it, IMHO.

But a "firewall" implementing "outbound application control"
unfortunately does not fall into that category.
 
Mr. Arnold

+Bob+ said:
On Wed, 30 Jul 2008 13:01:16 -0400, "Mr. Arnold" <MR.


Vista's outbound filtering needs manual configuration and is well
beyond the scope of anyone who doesn't have serious training.

Any personal FW/packet filter that has outbound packet filtering, the user
faces the same problem using the solution effectively and need serious
training. They don't know how to do it. So what's the difference in some 3rd
party solution and Vista's packet filter/ FW, none.
Application filtering is not snake-oil and does have value. It's also
possible for average users to actually turn it on and have it work.

99% of clueless average users have no idea as to what is happening with it,
it takes a lot of hand holding because I have been there holding their hands
and it's worthless.
 
Mr. Arnold

Root Kit said:
On Wed, 30 Jul 2008 13:01:16 -0400, "Mr. Arnold" <MR.


Okay. There is a big difference between outbound packet filtering and
application control. Neither are reliable counter measures against
malware allowed to run.



The job of a real FW, which I don't consider some 3rd party personal
FW/packet filter or even Vista's FW/packet filter to be a FW is not to stop
malware. A FW's job is not to stop malware running on a computer.

A packet filtering FW router, FW appliance or host based software FW
running on a secured gateway computer jobs are not to be stopping a malware
program running on some computer.

<copied>

What is a firewall?

A firewall protects networked computers from intentional hostile intrusion
that could compromise confidentiality or result in data corruption or denial
of service. It may be a hardware device or a software program running on a
secure host computer. In either case, it must have at least two network
interfaces, one for the network it is intended to protect, and one for the
network it is exposed to.

*And for those that don't know what two network interfaces means for a
computer running a host based FW, it means the computer must have two
network interface cards (NICS) in them with one NIC protecting from the
network it is protecting from, and the other NIC protecting the network it
is protecting.*
A firewall sits at the junction point or gateway between the two networks,
usually a private network and a public network such as the Internet. The
earliest firewalls were simply routers. The term firewall comes from the
fact that by segmenting a network into different physical subnetworks, they
limited the damage that could spread from one subnet to another just like
firedoors or firewalls.

A firewall examines all traffic routed between the two networks to see if it
meets certain criteria. If it does, it is routed between the networks,
otherwise it is stopped. A firewall filters both inbound and outbound
traffic. It can also manage public access to private networked resources
such as host applications. It can be used to log all attempts to enter the
private network and trigger alarms when hostile or unauthorized entry is
attempted. Firewalls can filter packets based on their source and
destination addresses and port numbers. This is known as address filtering.
Firewalls can also filter specific types of network traffic. This is also
known as protocol filtering because the decision to forward or reject
traffic is dependent upon the protocol used, for example HTTP, ftp or
telnet. Firewalls can also filter traffic by packet attribute or state.


*That is FW technology, and the Vista FW/packet filter or some 3rd party
personal FW/packet filter are NOT FW(s).*
 
Hank Arnold (MVP)

All generalizations are false (including this one).
As Captain Kirk said to the robot:

"Everything I tell you is a lie!"............ :)

--

Regards,
Hank Arnold
Microsoft MVP
Windows Server - Directory Services
 
Kayman

I agree that some programs can work towards beating your outbound
firewall - but on a practical basis, it catches quite a few. Some is
better than none.

What is there to 'catch'. Since malware already has/is manipulating your OS
the game is lost[PERIOD]!

Nonsense. Not all malware is sharp enough to avoid firewall detection.
Not all malware infections are lost cases. Repair is possible quite
often. The earlier the problem is detected, the higher the probability
for repair. There are enough malware schemes that don't avoid the
firewall that it is worth using one. PERIOD.

We are talking about 3rd party software (so-called firewall) and their
effectiveness in relation to monitoring outbound traffic as a security
measure!
Museums have sophisticated security systems. Nonetheless, criminals
get through them and steal valuable items fairly consistently. Do the
museums throw up their arms and say "we won't bother with an alarm
system since there are _some_ people who can beat it". No, they
install a security system that keeps out the large majority of
potential thieves, recognizing that no system is perfect.

Read above in-line response!
The fact that some people have an illusion of safety does not negate
the increased security offered by an outbound firewall.

Google *is* your friend!
There's a difference between relying and utilizing.

Yes, employing cd and re-installing the OS.
No, I've been spending my "wondering time" puzzling over how someone

Spend your "wondering time" on educating yourself;
Make it a habit checking credentials of authors writing articles/messages
in advertisement sponsored publications and take commercial messages with a
ton of salt.
(Amazing how a bit of online research makes me sound like an expert... :)
becomes such a condescending, know-it-all, dick head like you.

You don't know me, if you group me in some arbitrary fashion, it is your
own inability to see clearly; Not my issue!

Unlike you, I can claim to walk away from this pointless quibble knowing
what I am doing. This is me, granting you whatever last words you feel
might make you whole again.

Have a wonderful day :)
 
