You're not picking on me.
While I respect your opinion, that's what you are offering.
You have not cited any references to anything.
How would anyone know that you are not making up stuff?
ICF monitors outbound ports to know what inbound ports to block/open.
[[Q: How does ICF compare to third-party firewalls?
A: In many cases ICF does not have the rich feature set provided by these
products. This is because ICF is intended only as a basic intrusion
prevention feature. ICF prevents people from gathering data about the PC and
blocks unsolicited connection attempts. ICF is intended for users who
connect to the Internet but would not normally purchase a firewall from the
store.
Q: Does ICF do outbound packet inspection?
A: Other than checking the source IP address, ICF does not do any outbound
packet inspection.
The Internet Connection Firewall (ICF) is designed to give the home user and
small business protection against these threats. The goal is to provide a
baseline intrusion prevention mechanism in Windows XP. This means protecting
against scans for information and denying all unsolicited inbound traffic.
The goal of Internet Connection Firewall is to provide a baseline intrusion
prevention mechanism in Windows XP. This means protecting against scans for
information and denying all unsolicited inbound traffic. By doing this, the
basic tools that are available to "script kiddies" will be ineffective and
they will likely move on to an easier target.]]
http://www.microsoft.com/technet/prodtechnol/winxppro/plan/icf.mspx#XSLTsection125121120120
[[ICF functions as a stateful packet filter that uses technology shared with
ICS. Although the ICF feature is stand-alone, you can also run it on the
shared Internet connection to protect your home network.
When enabled, this stateful filter blocks all unsolicited connections
originating from the public network. To accomplish this, ICF uses the flow
table and validates any incoming flow against the entries in the flow table.
Incoming data flows are only allowed if there is an existing flow table
mapping that originated from the firewall system or from within the internal
protected network. In other words, if the network communication did not
originate within the protected network, the incoming data will be dropped.]]
http://www.microsoft.com/technet/prodtechnol/winxppro/evaluate/xpsec.mspx
[[Because ICF inspects all incoming communications, some programs,
especially e-mail programs, may behave differently when ICF is enabled. Some
e-mail programs periodically poll their e-mail server for new mail, and some
e-mail programs wait for notification from their e-mail server. Outlook
Express, for example, automatically checks for new e-mail when its timer
tells it to do so. When new e-mail is present, Outlook Express prompts the
user with a notification about the new e-mail. ICF does not affect the
behavior of this program, because the request for new e-mail notification
originates from inside the firewall. The firewall makes an entry in a table
noting the outbound communication to the mail server. When the mail server
returns the response for new e-mail, the firewall finds an associated entry
in the table and allows the communication to pass, then the user receives
notification that a new e-mail has arrived.]]
http://www.microsoft.com/resources/...ion/IIS/6/all/proddocs/en-us/hnw_UsingICF.asp
[[ICF is considered a "stateful" firewall. A stateful firewall is one that
monitors all aspects of the communications that cross its path and inspects
the source and destination address of each message that it handles. To
prevent unsolicited traffic from the public side of the connection from
entering the private side, ICF keeps a table of all communications that have
originated from the ICF computer. When used in conjunction with ICS, ICF
tracks all traffic that has originated from the ICF/ICS computer and all
traffic that has originated from private network computers. All inbound
traffic from the Internet is compared against entries in the table. Inbound
Internet traffic is allowed to reach the computers in your network only when
there is a matching entry in the table that shows that the communication
exchange originated from your computer or private network.]]
http://www.microsoft.com/resources/...proddocs/en-us/hnw_understanding_firewall.asp
[[A simple definition. ICF allows outgoing communications that originate
from your computer (and the corresponding incoming replies) while blocking
everything else.
Essentially, ICF only allows in that which is a reply to a previous request
that went out. ICF blocks and discards all other incoming traffic.
Say you get infected with a Trojan horse program. Many of these announce
their existence to some database somewhere. If an attacker tries to connect
to the Trojan on your computer, ICF will block it. Note that this applies
only to Trojans in which the attacker makes the first connection to the
infected computer; other Trojans that make the first connection to the
attacker will open a connection in ICF's memory, allowing the attacker to
reply.]]
http://www.microsoft.com/technet/archive/community/columns/security/askus/aus1001.mspx
[[The Internet Connection Firewall (ICF) feature in the original release
version of Windows XP examines only inbound unicast traffic. Starting with
Windows XP Service Pack 1 (SP1) and Windows Server 2003, ICF examines and
drops (blocks) unsolicited inbound unicast, multicast, and broadcast
traffic.]]
http://support.microsoft.com/default.aspx?scid=kb;en-us;329928#appliesto
[[Windows Firewall considers outbound traffic and the corresponding
responses to be the components of outbound connections. All outbound
connections are automatically allowed by Windows Firewall.
Action Required
None. Windows Firewall will automatically allow all outbound connections,
regardless of the program and the user context.]]
http://msdn.microsoft.com/security/productinfo/XPSP2/networkprotection/firewall_devimp.aspx
Windows Firewall
[[Windows XP Service Pack 2 (SP2), now in Beta testing, includes the new
Windows Firewall, previously known as the Internet Connection Firewall
(ICF). Windows Firewall is a stateful host-based firewall that drops all
unsolicited incoming traffic that does not correspond to either traffic sent
in response to a request of the computer (solicited traffic) or unsolicited
traffic that has been specified as allowed (excepted traffic). Windows
Firewall provides a level of protection from malicious users and programs
that rely on unsolicited incoming traffic to attack computers on a
network.]]
http://www.microsoft.com/technet/community/columns/cableguy/cg0204.mspx
--
Hope this helps. Let us know.
Wes
In
NT Canuck said:
ICF does *not* block outgoing traffic.
Heck...I am not trying to pick on you...but that's wrong also.
ICF can block ports, and it does block spoofed packets that
originate from that computer. ICF does not specifically block
"applications" (especially outgoing or worms)...which is what most
decent software firewalls (even the free ones) can do. Should
Microsoft wake up a bit...they could fix the app' part in days.
[[Q. Should I use a non-Microsoft personal firewall instead of the built-in
[]
out to the Internet) then choose a personal firewall from another
company.]]
http://www.microsoft.com/security/protect/firewall.asp
that is not bad...but the etrust av/firewall offer is using a zonelabs
"branded"
firewall and it isn't that stable by itself. The etrust AV seems ok.
[[Most third-party firewalls protect you from software that may
violate your privacy or allow an attacker to misuse your
computer—features not found in ICF.]]
heh...doesn't sound like much done for "security" pledge last 2 years.
I hope it helps someone but is only info and not any solution.
