WinXP SP2, firewall question

George

I installed WinXP Service Pack 2 (SP-2) and wondered about the firewall
settings. For web access, I have...

1) a LOCAL connection (via Linksys VPN router, which HAS a firewall), and

2) a DIALUP connection as a backup...goes out back of PC through modem over
phone line (probably NEEDS a firewall)

Most folks say I don't need Windows firewall since I have a firewall router,
but when I went to Control Panel / Network Connections... it won't allow me
to set these two connections differently... whatever you set firewall to
(enabled or not enabled), it forces BOTH connections to the same thing.

Q1: Is there any problem with checking [X] WINDOWS FIREWALL *ON* ( so at
least I'm covered if someone uses the dial-up connection (which goes around
the router and would be exposed if there's no Windows firewall set up)

Q2: Should I also check the [X] NO EXCEPTIONS for Win firewall? What do
most people do? Is this a big deal?

Thanks,
George
 
Doug Kanter

George said:
I installed WinXP Service Pack 2 (SP-2) and wondered about the firewall
settings. For web access, I have...

1) a LOCAL connection (via Linksys VPN router, which HAS a firewall), and

2) a DIALUP connection as a backup...goes out back of PC through modem over
phone line (probably NEEDS a firewall)

Most folks say I don't need Windows firewall since I have a firewall router,
but when I went to Control Panel / Network Connections... it won't allow me
to set these two connections differently... whatever you set firewall to
(enabled or not enabled), it forces BOTH connections to the same thing.

Q1: Is there any problem with checking [X] WINDOWS FIREWALL *ON* ( so at
least I'm covered if someone uses the dial-up connection (which goes around
the router and would be exposed if there's no Windows firewall set up)

Q2: Should I also check the [X] NO EXCEPTIONS for Win firewall? What do
most people do? Is this a big deal?

Thanks,
George

Based on everything I've read, the Windows firewall does not monitor
OUTGOING activity, which makes the thing pretty much useless. It's important
to know if something malicious is trying to broadcast to the outside world
without your knowledge. Go to www.zonelabs.com and get the free version of
ZoneAlarm. Be sure to disable the Windows firewall. You don't want to have
both things running.
 
Phil

George said:
I installed WinXP Service Pack 2 (SP-2) and wondered about the
firewall settings. For web access, I have...

1) a LOCAL connection (via Linksys VPN router, which HAS a firewall),
and
2) a DIALUP connection as a backup...goes out back of PC through
modem over phone line (probably NEEDS a firewall)

Most folks say I don't need Windows firewall since I have a firewall
router, but when I went to Control Panel / Network Connections... it
won't allow me to set these two connections differently... whatever
you set firewall to (enabled or not enabled), it forces BOTH
connections to the same thing.
Q1: Is there any problem with checking [X] WINDOWS FIREWALL *ON* (
so at least I'm covered if someone uses the dial-up connection (which
goes around the router and would be exposed if there's no Windows
firewall set up)

When you use the broadband connection the xp firewall is not needed if your
router does NAT and SPI. NAT only, I'd supplement with another software
firewall. And an outbound monitoring firewall like zone alarm is always a
good idea.
When you use the dialup, just turn the xp firewall on.

Q2: Should I also check the [X] NO EXCEPTIONS for Win firewall? What do
most people do? Is this a big deal?

Most people are ignorant to computer/internet security and probably don't
even use a firewall, so you're ahead of the game. If you need exceptions set up
then go ahead, if you don't then don't use them.
 
Jupiter Jones [MVP]

Doug;
No, the Windows Firewall is far from useless.
It is comparable with other firewalls as for what it is designed to
do.
It is far more important to control what comes in than what goes out.
If the computer is maintained and secure, there will be nothing
undesirable to go out.
Some users are best suited to the Windows firewall as they would
disable something instead of taking the time to configure.

For those able, a full featured firewall gives the additional
protection of checking outbound and thus helping you catch what
already got past you in the first place.
 
Marko

Jupiter said:
Doug;
No, the Windows Firewall is far from useless.
It is comparable with other firewalls as for what it is designed to
do.
It is far more important to control what comes in than what goes out.
If the computer is maintained and secure, there will be nothing
undesirable to go out.
Some users are best suited to the Windows firewall as they would
disable something instead of taking the time to configure.

For those able, a full featured firewall gives the additional
protection of checking outbound and thus helping you catch what
already got past you in the first place.

You assume that it is easy to control what goes out. The problem is that
nearly everything you install today wants to connect, and it's not
obvious where to disable those functions, or nearly impossible without
outgoing firewall protection.

--
Marko Jotic, MMCT Holdings Int. Inc.
"Common sense is anything but common".
From the notebooks of Lazarus Long. Robert A. Heinlein.
Handmade knives, antique designs, exotic materials at
http://www.knifeforging.com/
 
Guest

-----Original Message-----
you assume that it is easy to control what goes out, the
problem is that nearly everything you install today
wants to connect,

I've found that a little time googling an app before
installing will tell you if it wants to phone home.
There are plenty of choices that don't. I've been
running ZA for years and I have never once had a surprise
outbound connection. It's a nice security blanket but
you can get by without it too.
 
Jupiter Jones [MVP]

No, I don't make that assumption.
But many will and already do disable something if it is not very
simple or "bugs" them a lot.

However part of secure computing is regularly checking for spyware in
addition to AV, Windows Updates and a firewall.
If all that is done, very little will stay in to get out.
However with nearly every program installation, a reconfiguration of
the firewall may be necessary for that application.
That regular reconfiguration will encourage many to disable the
firewall and leave them with nothing instead of just the inbound.

Of course the best option is for all computer users to become
educated on safe computer practices.
Until then there are options that give a good compromise.
 
Doug Kanter

Jupiter Jones said:
Doug;
No, the Windows Firewall is far from useless.
It is comparable with other firewalls as for what it is designed to
do.
It is far more important to control what comes in than what goes out.

Nonsense. Even reputable software wants to talk outbound, sometimes when
it's first installed, before you have a chance to get to its options menu.
Sometimes, the communication is harmless, but other times, it's a waste of
resources. WMP is a perfect example. It's forever trying to phone home. And,
who knows if the producers of RealPlayer have really learned their lesson?
Remember that scam from a couple of years ago?
 
Guest

-----Original Message-----
And, who knows if the producers of RealPlayer have
really learned their lesson? Remember that scam from
a couple of years ago?

Seems like everyone around here does. I don't know
anyone who currently has RealPlayer on their PC.

You start with "nonsense" and then talk about
how "reputable software" does stuff that is only
sometimes harmless. Don't you find that a bit odd? I
just keep the stuff that isn't always harmless off my
system instead of wrestling with it.
 
Doug Kanter

Seems like everyone around here does. I don't know
anyone who currently has RealPlayer on their PC.

You start with "nonsense" and then talk about
how "reputable software" does stuff that is only
sometimes harmless. Don't you find that a bit odd? I
just keep the stuff that isn't always harmless off my
system instead of wrestling with it.

By "harmless", I mean you're not dealing with a trojan or some such thing.
But, every computer function uses resources. If you're running the maximum
number of applications your system can handle at the moment, and something
decides to update itself, your machine may hit the wall because it runs out
of resources. I'm sure you've seen that happen. If you feel this negates
"harmless", I'll agree with you partially because it *does* waste your time
rebooting when you preferred to be doing useful work.
 
Guest

-----Original Message-----
If you're running the maximum number of applications
your system can handle at the moment, and something
decides to update itself, your machine may hit the wall
because it runs out of resources. I'm sure you've seen
that happen.

Actually I haven't. It sounds kind of theoretical to
me. Since every application creates a different amount
of each kind of resource it requires, I think it would be
rather tricky to try to craft a controlled experiment in
which the app can do every one of its functions - except
for updating itself - without the PC running out of
resources.

Of course, if you could construct this scenario, the next
question would be: would you have had enough resources if
you weren't running the firewall to protect yourself
from this scenario?

Now if you want to talk bloatware in general - I'm with
you - but phoning home in particular has never been a
resource issue for me.

With modern PCs there shouldn't really be as many
resource issues as there are. For example, XP has
trouble opening more than 40 or so applications on my
machine with loads of memory. This is an annoying
artificial limit that should be fixed but it doesn't
happen to have anything to do with updating.

because it *does* waste your time
rebooting when you preferred to be doing useful work.

I've never had an app just out-of-the-blue make me reboot
because it had updated something. Most of my update-
happy apps I have start by asking if they may check for
an update. ZA can't do anything about these because they
ask first so I just grumble and click no.
 
George

Thanks for all the posts, I'm sorry I don't fully yet understand whether I
can have both firewalls and have everything work ok or not. Original
questions were:

Q1: (It's a given I have a Linksys firewall router, however....) Is there
any problem with also checking [X] WINDOWS FIREWALL *ON* ( so at least I'm
covered if someone uses the dial-up connection (which goes around the router
and would be exposed if there's no Windows firewall set up)... there does
not appear to be a way to have NO Windows firewall on the LAN (router)
connection, but have YES Windows firewall only on DIALUP. Whatever you
check...you get for both LAN and DIALUP. I need to protect DIALUP...The LAN
is already protected by the firewall router...so question is... Does having
BOTH the router firewall and the WinXP firewall serve any detriment. Some
possible answers might be:
___a. Check YES for Windows firewall, having both it and the router
firewall won't hurt
___b. Check YES for Windows firewall, but by having both it and the router
firewall, the consequences will be____
___c. Check NO for Windows firewall, the DIALUP connection still has a
firewall from ____ and won't be exposed
___d. Something else ______

Q2: Assuming I check [X] WINDOWS FIREWALL ON... should I also check the [X]
NO EXCEPTIONS for Win firewall? What do most people do? Is this a big deal?
Some possible answers might be:
___1. Lots of people check yes [X] NO EXCEPTIONS, you won't notice much
difference anyway
___2. Lots of people check yes [X] NO EXCEPTIONS, but the consequences are
______
___3. Almost no one uses this, so don't check [ ] NO EXCEPTIONS because
_____

Thanks
 
Phil

Like I already answered........ when you use broadband forget the xp
firewall. When you use dialup turn on the xp firewall. Better yet, get an
outbound monitoring firewall like zone alarm and use it and your router all
the time. Using the xp firewall with your router doesn't give you any extra
protection.
Forget exceptions and the xp firewall. You need either your router alone or
your router and an outbound monitoring software firewall.
 
Guest

You can leave it running all the time. A hardware
firewall and a software firewall won't hurt. (Two
software firewalls on the same machine may conflict which
may be why you're worried.)

The only complexity is that if you need to punch a hole
for some app, you may need to do it in each firewall.

Exceptions vary. (That's why they're exceptions ;-)) If
you want to be really secure, try the tightest settings
and loosen up only if something you care about doesn't
work.
 
Guest

Jupiter Jones said:
Doug;
No, the Windows Firewall is far from useless.
It is comparable with other firewalls as for what it is designed to do.

But unfortunately, what it was designed to do isn't enough.

That's why even Microsoft recommends users not actually use it but install a
third party firewall that can control

Controlling what can go out is just as important as what comes in.

Not only do you have to deal with spyware or trojans that might accidentally
get on your system (a recent report said, what, 80% of users have it on
their system without their knowledge), you also need to control the
'reputable' programs.

Programs that might want to connect for no other purpose than just for the
sheer hell of it.

Or programs that aren't entirely honest, such as Real.

Or hundreds of other programs that might want to connect for purposes the
writers think is valid but that you don't agree.

You might not want your xyz program updated to the latest greatest version
because you don't like it. Or because it doesn't actually work well. Or
because it can cause a lot of problems. (I'll leave it to you to make the
connection to xp's SP2 here...)

In the old days, outside threats were all that existed. So XP sp2's current
firewall would be good enough. As would any proxy firewall, or hardware
firewall, etc. etc.

But that's just no longer true for today's desktop.

It is far more important to control what comes in than what goes out.

Maybe... But that's also partially due to the number of flaws and weaknesses
in XP.

With an actually secure system, inbound firewall is practically worthless.
All it accomplishes is stealthing your ports. Without the stealth, a proper
system isn't going to let anybody in anyway.

Windows doesn't fall into the 'secure' category.

If the computer is maintained and secure, there will be nothing
undesirable to go out.

And how many normal users do that?

Have you read the recent report that talks about how many normal users have
spyware & trojans on their system?

How many users are running unpatched systems because they don't know how to
update. Or what to do with the automatic update if it is turned on. Even
Microsoft has bitched about that.

Some users are best suited to the Windows firewall as they would disable
something instead of taking the time to configure.

Perhaps. And those are precisely the people who NEED a firewall that
controls outbound stuff.


These days, outbound protection is just as important as inbound protection.

Microsoft would have done the users a better service by just bundling a
commercial product in with XP, instead of trying to develop their own even
though they don't have the experience.
 
Marko

I will say Duh to that, but it's still a problem. The fact is we do not
control our desktops: I fix a lot of my friends' systems, most users know
sweet f-all about these issues, you find their computers improperly
updated with tons of spyware and no scan disk in over a thousand days.

If MS actually used their brains no piece of software, newly installed,
should be able to access anything without the users turning them on.


No, I don't make that assumption.
But many will and already do disable something if it is not very
simple or "bugs" them a lot.

However part of secure computing is regularly checking for spyware in
addition to AV, Windows Updates and a firewall.
If all that is done, very little will stay in to get out.
However with nearly every program installation, a reconfiguration of
the firewall may be necessary for that application.
That regular reconfiguration will encourage many to disable the
firewall and leave them with nothing instead of just the inbound.

Of course the best option is for all computer users to become
educated on safe computer practices.
Until then there are options that give a good compromise.

--
Marko Jotic, MMCT Holdings Int. Inc.
"Common sense is anything but common".
From the notebooks of Lazarus Long. Robert A. Heinlein.
Handmade knives, antique designs, exotic materials at
http://www.knifeforging.com/
 
Marko

I don't understand how this is a problem, each will have its own
"connection" in "network connections", there each can have its own setting.

Thanks for all the posts, I'm sorry I don't fully yet understand whether I
can have both firewalls and have everything work ok or not. Original
questions were:

Q1: (It's a given I have a Linksys firewall router, however....) Is there
any problem with also checking [X] WINDOWS FIREWALL *ON* ( so at least I'm
covered if someone uses the dial-up connection (which goes around the router
and would be exposed if there's no Windows firewall set up)... there does
not appear to be a way to have NO Windows firewall on the LAN (router)
connection, but have YES Windows firewall only on DIALUP. Whatever you
check...you get for both LAN and DIALUP. I need to protect DIALUP...The LAN
is already protected by the firewall router...so question is... Does having
BOTH the router firewall and the WinXP firewall serve any detriment. Some
possible answers might be:
___a. Check YES for Windows firewall, having both it and the router
firewall won't hurt
___b. Check YES for Windows firewall, but by having both it and the router
firewall, the consequences will be____
___c. Check NO for Windows firewall, the DIALUP connection still has a
firewall from ____ and won't be exposed
___d. Something else ______

Q2: Assuming I check [X] WINDOWS FIREWALL ON... should I also check the [X]
NO EXCEPTIONS for Win firewall? What do most people do? Is this a big deal?
Some possible answers might be:
___1. Lots of people check yes [X] NO EXCEPTIONS, you won't notice much
difference anyway
___2. Lots of people check yes [X] NO EXCEPTIONS, but the consequences are
______
___3. Almost no one uses this, so don't check [ ] NO EXCEPTIONS because
_____

Thanks

--
Marko Jotic, MMCT Holdings Int. Inc.
"Common sense is anything but common".
From the notebooks of Lazarus Long. Robert A. Heinlein.
Handmade knives, antique designs, exotic materials at
http://www.knifeforging.com/
 
George

Actually, that's why I posted...

I could be doing something wrong, but when I tried to set the LAN for "no
WinXP firewall" and then set the DIALUP for "yes WinXP firewall".... Windows
just took whatever the last thing I did and applied it to BOTH of the
network connections.

If I'm doing this wrong, please let me know. I agree, you would think you
can set each one up however you'd like.

Thanks,
George
 
Ken Blake

Doug Kanter said:
Based on everything I've read, the Windows firewall does not monitor
OUTGOING activity,

True.


which makes the thing pretty much useless.


But that's not at all true.

Incoming activity is the far greater risk, especially if you do a
good job of otherwise protecting yourself from spyware.

Even if incoming and outgoing were equal risks, the Windows
firewall would be far from useless. It's far better to have one
element of protection than none at all. I'd much rather ride in a
car with seatbelts and no airbag than one with neither.

It's important to know if something malicious is trying to broadcast to
the outside world without your knowledge. Go to www.zonelabs.com and
get the free version of ZoneAlarm. Be sure to disable the Windows
firewall. You don't want to have both things running.


I agree with all that. ZA *is* better than the Windows firewall,
but that doesn't make the Windows firewall useless.
 
Doug Kanter

Actually I haven't. It sounds kind of theoretical to
me. Since every application creates a different amount
of each kind of resource it requires, I think it would be
rather tricky to try to craft a controlled experiment in
which the app can do every one of its functions - except
for updating itself - without the PC running out of
resources.

Of course, if you could construct this scenario, the next
question would be: would you have had enough resources if
you weren't running the firewall to protect yourself
from this scenario?

Now if you want to talk bloatware in general - I'm with
you - but phoning home in particular has never been a
resource issue for me.

With modern PCs there shouldn't really be as many
resource issues as there are. For example, XP has
trouble opening more than 40 or so applications on my
machine with loads of memory. This is an annoying
artificial limit that should be fixed but it doesn't
happen to have anything to do with updating.


I've never had an app just out-of-the-blue make me reboot
because it had updated something. Most of my update-
happy apps I have start by asking if they may check for
an update. ZA can't do anything about these because they
ask first so I just grumble and click no.

My company gave me a Sony notebook with a 256mb RAM limit. During a busy
day, it's usually running these (on XP Pro)

- Act for Windows (a pig)
- Paradox for DOS (lean & mean)
- Excel 2000 (a pig, but at least it's predictable) with 6-8 sheets open, two
  of them enormous.
- Winfax (not too bad)
- Mozilla or IE (pigs)
- Outlook Express 6
- PC Miler (a trucking mileage thing)
- Two java apps for access to my customers' databases
- ZoneAlarm Pro
- NAV with auto protect turned on.

Disk thrashing begins when I open a large sheet in Excel (which also invokes
virus scanning). To me, thrashing indicates I'm pushing the limit. If I want
to open Word, I have to shut down Excel, or things get really ugly,
especially if I need to ALT-TAB to an app I haven't looked at in a few
minutes. If I shut down both of the large MS apps, start WMP, and it wants
to phone home, it causes about the same amount of thrashing as if both Excel
& Word were running in this mix.

Not a controlled experiment, but it repeats every single day, and it's
always the same.
 
