firewall on budget ?

[Beladi Nasralla]

Hi there,

I have a PC built for me, and I installed Windows XP SP2 on it. I
presume I need to put a firewall and antivirus on it to ward off worms
and viruses. I am more concerned about the firewall. I installed
ZoneAlarm Free Edition, and it worked al'right. However, it always
bothered me by asking me to pay up, so that I uninstalled it. My
computer is currently running on the in-built Windows firewall. Is
this OK ?

As an antivurus, I am using AVG Free Edition, and it seems doing its
job. Also, I can get a corporate edition of Trend Micro's PC-cillin
from my employer for little money; should I get it ? Thanks.

 

[Leythos]

Hi there,

I have a PC built for me, and I installed Windows XP SP2 on it. I
presume I need to put a firewall and antivirus on it to ward off worms
and viruses. I am more concerned about the firewall. I installed
ZoneAlarm Free Edition, and it worked al'right. However, it always
bothered me by asking me to pay up, so that I uninstalled it. My
computer is currently running on the in-built Windows firewall. Is
this OK ?

As an antivurus, I am using AVG Free Edition, and it seems doing its
job. Also, I can get a corporate edition of Trend Micro's PC-cillin
from my employer for little money; should I get it ? Thanks.

A simple NAT router will do more and better than ZAP or Windows XP
Firewall in most all cases. Linksys BEFSR41 or a wireless version is
under $50 and provides protection from inbound attacks.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(e-mail address removed) (remove 999 for proper email address)

 

[Beladi Nasralla]

A simple NAT router will do more and better than ZAP or Windows XP
Firewall in most all cases. Linksys BEFSR41 or a wireless version is
under $50 and provides protection from inbound attacks.

My early experience with connecting a PC with no firwall to the
Internet (via dial up) shows that it gets infected with a worm within
20 minutes. So that now I always put a firewall between my PC and the
Internet. Now my PC is connected to the Internet via a NetComm NB5
ADSL2+ modem router. You think this will repel the worms ?

 

[Leythos]

My early experience with connecting a PC with no firwall to the
Internet (via dial up) shows that it gets infected with a worm within
20 minutes. So that now I always put a firewall between my PC and the
Internet. Now my PC is connected to the Internet via a NetComm NB5
ADSL2+ modem router. You think this will repel the worms ?

The NAT router blocks "unsolicited" connections to the PC, it's sort of
a 1 way filter - it lets you out, but only lets external sites
talk/reach your PC if you contact them first.

Many people use NAT routers are their primary protection method with no
firewall at all and have no problems.

Security is more than the firewall, it's not using easy to compromise
apps, keeping updates installed, not doing things that put you in harms
way, monitoring your firewall logs (as you can easily monitor the
Linksys devices for in/out traffic), and many other things.

If your address is not a private address then your Modem is not doing
NAT, and if you have a live public IP then you're screwed without a
barrier device.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(e-mail address removed) (remove 999 for proper email address)

 

[Computerflyer]

The NAT router blocks "unsolicited" connections to the PC, it's sort of
a 1 way filter - it lets you out, but only lets external sites
talk/reach your PC if you contact them first.

Many people use NAT routers are their primary protection method with no
firewall at all and have no problems.

Security is more than the firewall, it's not using easy to compromise
apps, keeping updates installed, not doing things that put you in harms
way, monitoring your firewall logs (as you can easily monitor the
Linksys devices for in/out traffic), and many other things.

If your address is not a private address then your Modem is not doing
NAT, and if you have a live public IP then you're screwed without a
barrier device.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(e-mail address removed) (remove 999 for proper email address)- Hide quoted text -

- Show quoted text -

Check out ghostwall. It resembles a rule based router-firewall more
than a bloatware internet protection package. If you are savy enough
to set it up, it works as advertised.

 

[Straight Talk]

If your address is not a private address then your Modem is not doing
NAT, and if you have a live public IP then you're screwed without a
barrier device.

You're implying that the Windows Firewall is remotely exploitable. Got
any references to that?

 

[spodosaurus]

Hi there,

I have a PC built for me, and I installed Windows XP SP2 on it. I
presume I need to put a firewall and antivirus on it to ward off worms
and viruses. I am more concerned about the firewall. I installed
ZoneAlarm Free Edition, and it worked al'right. However, it always
bothered me by asking me to pay up, so that I uninstalled it.

Then you did something wrong during setup: mine never asks that.

My
computer is currently running on the in-built Windows firewall. Is
this OK ?

It's satisfactory, unless something manages to get inside and call out.
Then you're stuffed.

As an antivurus, I am using AVG Free Edition, and it seems doing its
job.

I use that, it's good. I'm thinking of upgrading to the full version on
at least one of my home systems to make use of the extended features.
It's pretty cheap to do so as their licenses are two years for the price
of one from competitors (IIRC).

Also, I can get a corporate edition of Trend Micro's PC-cillin
from my employer for little money; should I get it ? Thanks.

How does that licensing work? If you're happy with AVG Free edition, why
change?

Cheers,

Ari


--
spammage trappage: remove the underscores to reply
Many people around the world are waiting for a marrow transplant. Please
volunteer to be a marrow donor and literally save someone's life:
http://www.abmdr.org.au/
http://www.marrow.org/

 

[Mellowed]

Hi there,

I have a PC built for me, and I installed Windows XP SP2 on it. I
presume I need to put a firewall and antivirus on it to ward off worms
and viruses. I am more concerned about the firewall. I installed
ZoneAlarm Free Edition, and it worked al'right. However, it always
bothered me by asking me to pay up, so that I uninstalled it. My
computer is currently running on the in-built Windows firewall. Is
this OK ?

As an antivurus, I am using AVG Free Edition, and it seems doing its
job. Also, I can get a corporate edition of Trend Micro's PC-cillin
from my employer for little money; should I get it ? Thanks.

I've used Sygate for years. It doesn't bug you. You can still get it here.
http://www.oldversion.com/program.php?n=sygate

 

[Leythos]

You're implying that the Windows Firewall is remotely exploitable. Got
any references to that?

It's locally exploitable - look at anyone running as a local admin, and
any software that wants to create an exception in the WF. Even AOL will
create exceptions without you knowing about it. All you have to do is
google.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(e-mail address removed) (remove 999 for proper email address)

 

[Leythos]

Check out ghostwall. It resembles a rule based router-firewall more
than a bloatware internet protection package. If you are savy enough
to set it up, it works as advertised.

A proper Usenet Client would snip the signature lines when you reply,
consider getting one.

Any software that runs on the users computer is a security risk, even
ZAP and others, if it's on a non-dedicated firewall computer then it's a
risk. A NAT Router is transparent, doesn't ask the user anything, and
does its work without exploits when properly setup - this is not the
case for most PC based firewall solutions.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(e-mail address removed) (remove 999 for proper email address)

 

[Straight Talk]

It's locally exploitable - look at anyone running as a local admin, and
any software that wants to create an exception in the WF.

Any local FW is exploitable when running as local admin.

Anyone running arbitrary code as local admin is likely to get screwed.
You seem to advocate keep doing so and then have a barrier to minimize
the damage instead of advocating doing the right thing, which would be
to run a LUA in which case the WF can't be exploited the way you're
thinking of.

 

[Leythos]

Any local FW is exploitable when running as local admin.

Anyone running arbitrary code as local admin is likely to get screwed.
You seem to advocate keep doing so and then have a barrier to minimize
the damage instead of advocating doing the right thing, which would be
to run a LUA in which case the WF can't be exploited the way you're
thinking of.

No, I don't advocate what you are talking about, but I'm also not aware
that many programs won't run under Windows unless the user is an admin,
and I also understand that many users don't have a clue about security.

In the case of a NAT Router, while it doesn't stop stupid people from
infecting their computers, it does stop external sources from directly
accessing the users computer without an invite. Windows ships from many
vendors with lots of exceptions and that makes it a threat to the
ignorant, a NAT Router would mean that exceptions are meaningless.

I a user is going to run as an admin, and most are, even with warnings,
then they need some means to protect them - if ALL ISP were to implement
NAT at the internet device provided to the users, allowing exceptions
for those smart enough to ask for an exception, it would eliminate a LOT
of problems for users.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(e-mail address removed) (remove 999 for proper email address)

 

[frodo]

There are many free firewalls out there. google for "free firewall".

ZoneALarm Free should never ask you to "pay up"; you have it setup wrong
somehow. I would recommend version 6.1.744, it was small and stable.
6.5.737 was the last version 6, but it was flakey (on my system at least).
The latest version 7 is bloated (IMO).

http://filehippo.com/download_zonealarm_free/?822

Comodo Firewall Free is also highly regarded:

http://www.comodo.com/products/free_products.html

And the XP built-in isn't totally worthless. It simply doesn't try to stop
"baddies" installed in your system from calling home (but then the others
won't stop a SMART bad guy either; the smart bad guys can get past many
outgoing firewalls, you need to scan regularly to make sure they don't get
on your system in the first place).

If you are connecting directly via a modem (dialup/cable/dsl) you NEED a
firewall, for sure. You are exposed directly to the internet, and the
firewall log will confirm for you that it is blocking packets all the time
(the estimate in prev post of <20 mins before attack is right-on).

If you are behind a NAT router (ie, residential gateway, like a $50
linksys or the like) then you are somewhat protected by the gateway
itself, but I'd still use a software firewall anyway. Most likely its logs
will show almost no blocked incomming packets even after many hours (since
the router dropped them).

 

[Straight Talk]

There are many free firewalls out there. google for "free firewall".

No thanks. I see no need to add further vulnerabilities to my system.

ZoneALarm Free should never ask you to "pay up"; you have it setup wrong
somehow. I would recommend version 6.1.744, it was small and stable.
6.5.737 was the last version 6, but it was flakey (on my system at least).
The latest version 7 is bloated (IMO).

http://filehippo.com/download_zonealarm_free/?822

Don't worry. ZA free is never going to ask me to "pay up", since it's
not going to get to my machine in the first place.

Comodo Firewall Free is also highly regarded:

http://www.comodo.com/products/free_products.html

I know. Probably because comodo deliberately targeted passing leak
tests.

And the XP built-in isn't totally worthless.

No. It's not even close to worthless.

It simply doesn't try to stop "baddies" installed in your system from calling home

It doesn't have to. I don't run arbitrary programs that need to be
"controlled".

(but then the others won't stop a SMART bad guy either; the smart
bad guys can get past many outgoing firewalls,

I know. That's what make them worthless.

you need to scan regularly
to make sure they don't get on your system in the first place).

Scanning for them means they are on your system already, doesn't it?

If you are connecting directly via a modem (dialup/cable/dsl) you NEED a
firewall, for sure.
No.

You are exposed directly to the internet, and the
firewall log will confirm for you that it is blocking packets all the time
So?

(the estimate in prev post of <20 mins before attack is right-on).

Only if you're providing network services to the Internet, which would
be a bad idea.

 

[Ansgar -59cobalt- Wiechers]

And the XP built-in isn't totally worthless. It simply doesn't try to
stop "baddies" installed in your system from calling home (but then
the others won't stop a SMART bad guy either; the smart bad guys can
get past many outgoing firewalls, you need to scan regularly to make
sure they don't get on your system in the first place).

You have no idea of what you're talking about. Regular scanning does not
prevent malware from being installed. It merely may detect maleware once
it already is installed. Which is something any decent virus scanner
will do just fine. It's not a task for a firewall.

What a personal firewall can do reliably is blocking inbound connections
and preventing applications run by users from opening listening sockets.
The Windows Fireall does either of these just fine.

If you are connecting directly via a modem (dialup/cable/dsl) you NEED
a firewall, for sure. You are exposed directly to the internet, and
the firewall log will confirm for you that it is blocking packets all
the time (the estimate in prev post of <20 mins before attack is
right-on).

So? Just don't provide any services towards the internet. And now? What
more protection will a firewall offer? It will just add more code with
additional (potentially exploitable) bugs.

Granted, Windows makes it rather difficult to unbind services from
interfaces, so a firewall is the easiest and least error-prone way to
make services unavailable on a given interface, but that's about it.

F'up adjusted.

cu
59cobalt

 

[Straight Talk]

No, I don't advocate what you are talking about,
Yes.

but I'm also not aware that many programs won't run under Windows
unless the user is an admin,

There are ways around that.

and I also understand that many users don't have a clue about security.

Probably true, but that calls for education, not damage control.

 

[Leythos]

There are many free firewalls out there. google for "free firewall".

ZoneALarm Free should never ask you to "pay up"; you have it setup wrong
somehow. I would recommend version 6.1.744, it was small and stable.
6.5.737 was the last version 6, but it was flakey (on my system at least).
The latest version 7 is bloated (IMO).

http://filehippo.com/download_zonealarm_free/?822

Comodo Firewall Free is also highly regarded:

http://www.comodo.com/products/free_products.html

And the XP built-in isn't totally worthless. It simply doesn't try to stop
"baddies" installed in your system from calling home (but then the others
won't stop a SMART bad guy either; the smart bad guys can get past many
outgoing firewalls, you need to scan regularly to make sure they don't get
on your system in the first place).

Actually, the windows firewall is a bad concept from the start - people
think they are protected, but many machines have file/printer sharing
enabled and an exception for it, and many people run as local admin, so,
it's easy to subvert the firewall with simple malware, even non-malware
apps subvert it without warning.

The general rule is that your computer does not need a direct wired
connection to the internet at all.

If you are connecting directly via a modem (dialup/cable/dsl) you NEED a
firewall, for sure. You are exposed directly to the internet, and the
firewall log will confirm for you that it is blocking packets all the time
(the estimate in prev post of <20 mins before attack is right-on).

And the Cable/DSL anthing with a Network jack, should be behind some NAT
device or a real firewall appliance.

For the Dial-up, the windows firewall is a start, but I still have a old
modem/router device for dialup that does NAT. For my verizon BB card I
use the Windows firewall alone, but I also don't run as local admin,
don't screw around, etc...

If you are behind a NAT router (ie, residential gateway, like a $50
linksys or the like) then you are somewhat protected by the gateway
itself, but I'd still use a software firewall anyway. Most likely its logs
will show almost no blocked incomming packets even after many hours (since
the router dropped them).

And the routers logs will provide a more accurate indication as they
can't really be screwed with like software on your PC can.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(e-mail address removed) (remove 999 for proper email address)

 

[Leythos]

There are ways around that.

Not in every case, at least not with users that are willing to wrangle
around it on a daily basis - you know human nature, it's what gets
people compromised in the first place.

Probably true, but that calls for education, not damage control.

But, until they get educated, and we've had security threats for more
than a decade and fewer and fewer people are educated, we need a measure
that will protect the ignorant masses from harming the rest of us - ISP
Mandated NAT implemented at the users gateway device would be a first
real help.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(e-mail address removed) (remove 999 for proper email address)

 

[jameshanley39]

No, I don't advocate what you are talking about, but I'm also not aware
that many programs won't run under Windows unless the user is an admin,
and I also understand that many users don't have a clue about security.

In the case of a NAT Router, while it doesn't stop stupid people from
infecting their computers, it does stop external sources from directly
accessing the users computer without an invite. Windows ships from many
vendors with lots of exceptions and that makes it a threat to the
ignorant, a NAT Router would mean that exceptions are meaningless.

I a user is going to run as an admin, and most are, even with warnings,
then they need some means to protect them - if ALL ISP were to implement
NAT at the internet device provided to the users, allowing exceptions
for those smart enough to ask for an exception, it would eliminate a LOT
of problems for users.

Can you link me to some devices for DSL internet, that -don't- use
NAT?

I looked once on ebay.co.uk but didn't find any. There was a 1 port
westell router/modem which I was told didn't use NAT, but it turned
out that it did.

I reckon, maybe, maybe, a PCI DSL modem doesn't use NAT. And maybe an
ISP's cable modem e.g. NTL cable modem when not used with a NAT
router. But i'm interested in any others. DSL devices that don't use
NAT

A DSL device that doesn't use NAT is so hard to find, I don't know
anybody in the UK that has one.

I'm asking this as a theoretical question , in the sense that i'm not
considering recommending them over NAT, so you needn't fear that!

 

[Leythos]

A DSL device that doesn't use NAT is so hard to find, I don't know
anybody in the UK that has one.

I'm asking this as a theoretical question , in the sense that i'm not
considering recommending them over NAT, so you needn't fear that!

You don't want to look at cheap devices then, you want to use a Firewall
Appliance in "Drop-In" mode - it still filters traffic based on rules,
but it allows all ports (jacks) to have the same public IP.

There is also 1:1 NAT, so that a single PUBLIC IP is routed to a single
LAN IP.

Why would you not want NAT?

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(e-mail address removed) (remove 999 for proper email address)