Firewall


Lyle Giles

Is the Windows Firewall now good enough to run alone without the need to
have another more comprehensive one (eg Zone Alarm)?
 
Is the Windows Firewall now good enough to run alone without the need to
have another more comprehensive one (eg Zone Alarm)?


You'll get various opinions on the comparative merits of different
firewalls. I won't comment on that question.

However I do want to comment on your word "alone" in the above
sentence. Whatever you do, don't run two firewalls. You achieve no
extra protection, you incur the extra overhead of running two
firewalls, and you run the risk (probably small, but not zero) of
conflicts between them.

See http://www.microsoft.com/athome/security/protect/firewall.mspx
which includes the following:

"Q. Should I use both the built-in firewall and a software firewall
from a different company on my Windows XP computer?

"A. No. Running multiple software firewalls is unnecessary for typical
home computers, home networking, and small-business networking
scenarios. Using two firewalls on the same connection could cause
issues with connectivity to the Internet or other unexpected behavior.
One firewall, whether it is the Windows XP Internet Connection
Firewall or a different software firewall, can provide substantial
protection for your computer."

Also note that if you update your third-party firewall to a new
version, the update routine will probably turn it off first. If the
Windows firewall isn't running, you will temporarily be left with no
running firewall, which is very dangerous. So turn on the Windows
firewall temporarily before doing maintenance on your third-party
firewall.
 
Lyle Giles said:
Is the Windows Firewall now good enough to run alone without the need to
have another more comprehensive one (eg Zone Alarm)?

Lyle,

The XP firewall is plenty good enough for inbound protection, however it
does lack outbound protection.

If you're confident of the applications you have installed on your PC then
the XP firewall is, in my opinion, fine. If you have any doubt about what is
installed then I would use an alternative firewall application.

I've been a ZA user for several years but uninstalled it recently after a
lot of problems. I'd recommend Sunbelt Kerio.

Ed Metcalfe.
 
Just to add to that, if you intend to use Internet Connection Sharing on
that computer stay away from the free versions of 3rd party firewalls as
most aren't compatible with ICS. It's been a while since I used ICS but IIRC
Tiny PF and Kerio were the only free ones that worked with it, though that
may have changed since then.
 
My two cents worth. I use the Windows firewall and only the Windows firewall
and have no problems whatsoever.
 
Lyle said:
Is the Windows Firewall now good enough to run alone without the need to
have another more comprehensive one (eg Zone Alarm)?


I don't think so, no.

WinXP's built-in firewall is usually adequate at stopping incoming
attacks, and hiding your ports from probes. What WinXP SP2's firewall
does not do, is protect you from any Trojans or spyware that you (or
someone else using your computer) might download and install
inadvertently. It doesn't monitor out-going traffic at all, other than
to check for IP-spoofing, much less block (or even ask you about) the
bad or the questionable out-going signals. It assumes that any
application you have on your hard drive is there because you want it
there, and therefore has your "permission" to access the Internet.
Further, because the Windows Firewall is a "stateful" firewall, it will
also assume that any incoming traffic that's a direct response to a
Trojan's or spyware's out-going signal is also authorized.

ZoneAlarm, Kerio, or Sygate are all much better than WinXP's
built-in firewall, and are much more easily configured, and there are
free versions of each readily available. Even the commercially
available Symantec's Norton Personal Firewall is superior by far,
although it does take a heavier toll of system performance than do
ZoneAlarm or Sygate.

Having said that, it's important to remember that firewalls and
anti-virus applications, which should always be used and should always
be running, while important components of "safe hex," cannot, and should
not be expected to, protect the computer user from him/herself.
Ultimately, it is incumbent upon each and every computer user to learn
how to secure his/her own computer.


--

Bruce Chambers

Help us help you:



They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

Many people would rather die than think; in fact, most do. -Bertrand Russell
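
The behaviour described in the post above (no outbound filtering, and replies to any outbound flow accepted because the firewall is stateful) can be modelled in a few lines. This is an added illustration, not part of the original thread and not Windows Firewall code; the class, the exception on TCP 445 and all addresses are constructed for the example.

```python
# Toy model of an inbound-only stateful host firewall (illustration only).
# Addresses, ports and the exception list are constructed sample values.

class InboundOnlyStatefulFirewall:
    def __init__(self, exceptions=()):
        # (proto, local_port) pairs opened to unsolicited inbound traffic
        self.exceptions = set(exceptions)
        # flows recorded when a local program sends traffic out
        self.state = set()

    def outbound(self, proto, lport, raddr, rport):
        """Outbound packets are never inspected; they only create state."""
        self.state.add((proto, lport, raddr, rport))
        return "ALLOW"

    def inbound(self, proto, lport, raddr, rport):
        """Inbound packets pass only as a tracked reply or via an exception."""
        if (proto, lport, raddr, rport) in self.state:
            return "ALLOW-REPLY"
        if (proto, lport) in self.exceptions:
            return "ALLOW-EXCEPTION"
        return "DROP"


def demo():
    fw = InboundOnlyStatefulFirewall(exceptions={("tcp", 445)})
    results = {}
    # Unsolicited probe of a closed port from the Internet: dropped.
    results["probe_135"] = fw.inbound("tcp", 135, "203.0.113.9", 40000)
    # Any local program, wanted or not, can open an outbound connection ...
    results["outbound"] = fw.outbound("tcp", 1055, "198.51.100.7", 80)
    # ... and the answer from that same remote endpoint is let back in.
    results["reply"] = fw.inbound("tcp", 1055, "198.51.100.7", 80)
    # A different host aiming at the same local port has no matching state.
    results["other_host"] = fw.inbound("tcp", 1055, "203.0.113.9", 80)
    # An exception admits unsolicited traffic from anywhere.
    results["exception_445"] = fw.inbound("tcp", 445, "203.0.113.9", 40000)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15} {verdict}")
```
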
 
You'll get various opinions on the comparative merits of different
firewalls. I won't comment on that question.

However I do want to comment on your word "alone" in the above
sentence. Whatever you do, don't run two firewalls. You achieve no
extra protection, you incur the extra overhead of running two
firewalls, and you run the risk (probably small, but not zero) of
conflicts between them.

See http://www.microsoft.com/athome/security/protect/firewall.mspx
which includes the following:

"Q. Should I use both the built-in firewall and a software firewall
from a different company on my Windows XP computer?

"A. No. Running multiple software firewalls is unnecessary for typical
home computers, home networking, and small-business networking
scenarios. Using two firewalls on the same connection could cause
issues with connectivity to the Internet or other unexpected behavior.
One firewall, whether it is the Windows XP Internet Connection
Firewall or a different software firewall, can provide substantial
protection for your computer."

Also note that if you update your third-party firewall to a new
version, the update routine will probably turn it off first. If the
Windows firewall isn't running, you will temporarily be left with no
running firewall, which is very dangerous. So turn on the Windows
firewall temporarily before doing maintenance on your third-party
firewall.

I would like to clarify your response. You can not run "two" software
firewalls at the same time. However, you can run one "hardware"
firewall, usually on some type of router device / PC, and one
software firewall. With this type of set up, you can also protect
yourself from any other PCs on your local network also.

It is also to be noted that several anti-virus systems also include a
"hidden" firewall, which is known under a different name/label.
Norton Antivirus, since 2005, has an "Internet Worm" feature. In
looking at the "advanced" setting of this module, I was able to see
that this "behaves" like most software firewalls. It is also "posted"
widely on the web.
 
On Sep 15, 4:48 pm, "Ken Blake, MVP"
I would like to clarify your response. You can not run "two" software
firewalls at the same time.


A further clarification: You *can* run two software firewalls at the
same time, but you *should* not. That was the point of my response.

However, you can run one "hardware"
firewall, usually on some type of router device / PC, and one
software firewall. With this type of set up, you can also protect
yourself from any other PCs on your local network also.


Yes, I agree with that. Thanks for the clarification.
 
Is the Windows Firewall now good enough to run alone without the need to have
another more comprehensive one...

The Windows Firewall was always an adequate protection for the average
homeuser (stand-alone machine). MS never subscribed to the advertising hype
as created by the makers of PFW's.

Is the XP SP2 firewall getting a raw deal?
http://blogs.zdnet.com/Ou/?p=81

How to Configure Windows Firewall on a Single Computer.
http://www.microsoft.com/technet/security/smallbusiness/prodtech/windowsxp/cfgfwall.mspx

Exploring the Windows Firewall.
http://www.microsoft.com/technet/technetmag/issues/2007/06/VistaFirewall/default.aspx
"Outbound protection is security theater—it's a gimmick that only gives the
impression of improving your security without doing anything that actually
does improve your security."

But even the WinXP Firewall is not really needed when appropriate services
are disabled (I know this will raise some eyebrows and wish I hadn't
mentioned it); You can leave it enabled if it makes you 'feel' better :)

Don't expose services to public networks!!!!

http://www.blackviper.com/WinXP/servicecfg.htm#
http://www.ss64.com/ntsyntax/services.html
http://www.beemerworld.com/tips/servicesxp.htm
This can be a trying exercise; You've got to be patient :)

Add this most useful application:
Seconfig XP is able to configure Windows not to use TCP/IP as transport
protocol for NetBIOS, SMB and RPC, thus leaving TCP/UDP ports 135, 137-139
and 445 (the most exploited Windows networking weak point) closed.
http://seconfig.sytes.net/
http://www.softpedia.com/progDownload/Seconfig-XP-Download-39707.html
...(eg Zone Alarm)?

PFW (ZA) is Phoney-Baloney Ware; A One-Click BS solution!

Personal Firewalls are mostly snake-oil.
http://www.samspade.org/d/firewalls.html

Why your firewall sucks.
http://tooleaky.zensoft.com/
"But I quickly realized the truth: The added protection provided by
outbound filtering is entirely illusory."

Constructive Criticisms.
http://en.wikipedia.org/wiki/Personal_firewall#Criticisms

At Least This Snake Oil Is Free.
http://msinfluentials.com/blogs/jesper/archive/2007/07/19/at-least-this-snake-oil-is-free.aspx

De-constructing Common Security Myths.
http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMyths/default.aspx
Scroll down to:
Myth: 'Host-Based Firewalls Must Filter Outbound Traffic to be Safe.'

If you are a homeuser, operating from a stand-alone machine and serious
about computer security, Hardening OS and LUA are superior alternatives to
any PFW Phoney-Baloney Ware!
http://www.5starsupport.com/tutorial/hardening-windows.htm

Additional assistance concerning hardening of OS can be obtained in newsgroups
such as comp.security.firewalls; Inspirational reading can be found here:
http://home20.inet.tele.dk/b_nice/index.htm

Valuable tips/info in relation to LUA:
http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspx
http://blogs.technet.com/markrussin.../02/running-as-limited-user-the-easy-way.aspx
http://www.securityfocus.com/infocus/1848

Ensure that your OS is current/updated/patched.
http://www.update.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us

Ensure that all software on your pc is current/updated.

Practice Safe-Hex
http://www.claymania.com/safe-hex.html

Good luck :)
 
The Windows Firewall was always an adequate protection for the average
homeuser (stand-alone machine). MS never subscribed to the advertising hype
as created by the makers of PFW's.

No, it wasn't a good deal.

If you have a NAT Router then it's enough for most home users, but if
you don't have a NAT router then it's filled with too many holes, put
there by vendors, users, applications, that it's almost useless.

Many vendors ship machines configured with holes (exceptions), not to
mention the apps that put holes (exceptions) in the windows firewall
without the user knowing about them....

If you've got a PC connected to the internet and you're using the
Windows firewall without any hardware appliance, well, you had better be
checking the firewall exceptions and also make sure that you remove
File/Printer sharing from network settings.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(e-mail address removed) (remove 999 for proper email address)
 
