Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Windows Operating Systems Software Security

How Secure is Windows Firewall? 620

Garret writes "Though Microsoft is doing their part in protecting Windows users from internet attacks by including a firewall in their latest service pack, one has to wonder just how secure is the Windows Firewall from XP Service Pack 2? Not too good according to Flexbeta. Their recommendation is to turn off Windows Firewall and get an alternative such as ZoneAlarm or Sygate PF. Simply the fact that Windows Firewall can be turned off by another application is enough to tell me Microsoft has goofed again." PCWorld also has a story about the new firewall capability.
This discussion has been archived. No new comments can be posted.

How Secure is Windows Firewall?

Comments Filter:
  • Zone Alarm? Blech (Score:5, Informative)

    by Anonymous Coward on Saturday August 14, 2004 @06:02PM (#9970449)
    Kerio Personal Firewall [kerio.com] is much much better.
    • Re:Zone Alarm? Blech (Score:5, Informative)

      by timothv ( 730957 ) on Saturday August 14, 2004 @06:15PM (#9970562)
      I agree. Kerio PF (even the post-trial free version) is a great tool for Windows. I've only had a problem with it on Windows ME (don't ask) where it made the system unbootable except to safe-mode.
      • by Jameth ( 664111 ) on Saturday August 14, 2004 @08:41PM (#9971379)
        Doesn't let WindowsME boot? Sounds like it's working fine.
      • Normally I use ZA, but I tried KPF after a little trouble with ZA. I just couldn't get used to it.

        Normally, with ZA, I require my browser to ask permission to access the web - this happens on the browser launch. With KPF, I was asked on visiting *every* goddamned website. It was either that or allow my browser access *all* the time. Insane.

        I fixed my issue with ZA and am back using it. It's much less annoying and unobtrusive than KPF.
    • Re:Zone Alarm? Blech (Score:5, Informative)

      by identity0 ( 77976 ) on Saturday August 14, 2004 @06:28PM (#9970654) Journal
      I use Tiny persoanl firewall [tinysoftware.com].

      It's great because it detects any program that tries to connect to the internet from your PC, and pops up a window asking you if you want to allow the program to connect, or to block it, and if you want to set up a rule for future attempts. It also detects connection attempts from the outside, and asks you about those too. Best windows security tool I've seen.
      • by SpaceLifeForm ( 228190 ) on Saturday August 14, 2004 @06:32PM (#9970674)
        I agree that if you have to use Windows, you should use TPF. But, make no mistake, you have no way of really knowing for sure that TPF is actually seeing *all* of the connections. Your best setup is to use TPF on Windows, but also have a separate hardware firewall anyway.
    • by Anonymous Coward on Saturday August 14, 2004 @06:47PM (#9970758)
      Please, Windows firewall works so much more elgantly than kerio personal Firewall.

      The main technique microsoft is using is that they made a shitty firewall so it would get mentioned in the IT topic section of slashdot. They knew all of the would be hackers would read it, and have their eyes burned out by the hidious brighter than the sun sand brown color scheme. How clever Bill, how clever.
    • Well... (Score:3, Insightful)

      by Inf0phreak ( 627499 )
      I agree with you as far as version 2 goes, but version 4 is a horrible mess in my opinion. Not only has it a custom user interface with a horrible blue colour that fits in with neither Windows 2000 or Windows XP Luna, it is also a pain in the neck to get to the advanced configuration options that allows you to configure it in the same way that you did with v2 (which I much prefer to the way v4 apparently wants you do to things...)

      I didn't use v4 for long before I went back to v2, but I've switched to Syga

    • Re:Zone Alarm? Blech (Score:3, Informative)

      by ozbird ( 127571 )
      I've used the free version of Sygate Personal Firewall [sygate.com] with success. I'll try Kerio to see how it compares.
    • Re:Zone Alarm? Blech (Score:3, Interesting)

      by whoever57 ( 658626 )
      Maybe Kerio is better than Zone Alarm.

      Microsoft has shown very often that it is king of good enough. Microsoft does not strive to be the best, just good enough to stop the majority of people from searching out and installing alternatives. Microsoft does not strive to satisfy the average /. reader.

  • Stealth? *ARGGGH* (Score:5, Insightful)

    by Anonymous Coward on Saturday August 14, 2004 @06:02PM (#9970451)
    Why are windows users so obsessed with "stealth"?

    It's annoying on two levels, firstly it breaks the requirements of the rfc's leaving other nodes on the network hanging waiting to see of a connection is going to succeed or be rejected, waiting for timeouts isnt fun. secondly, THERE IS ABSOLUTELY NO POINT, it is trivial to find out if there is a node at that address, all sufficiently intelligent scanners can tell if there is a machine there, nmap for example. YES WINDOWS USERS, I'M TALKING TO YOU, get rid of that stealth crap, if there is no machine there the nearest router will return no such host...if there's no icmp from the router, we know that there's a windows user there (of course, we cant determine the operating system of the node, but everyone knows only windows users do this)...

    It's pointless, it's only used because having a "stealth" computer sounds cool on proprietory firewall marketing material (would it be so desirable if it were called "filtered"), please turn it off...
    • by Anonymous Coward
      GRC [grc.com] - Shields Up: If you aren't stealthed, the evil boogeyman will get you... and your children!
      • Re:Three letters (Score:5, Informative)

        by Sentry21 ( 8183 ) on Sunday August 15, 2004 @12:07AM (#9972341) Journal
        on an interesting note, apparantly, my entire system is 'stealthed' (or at least the first 1056 ports of it are) - yay me. Shields Up thinks this is 'very cool'. I'm inclined to agree, since the only firewall I have running is the built-in Windows firewall. This is a fresh, as-of-yet untweaked version of Windows XP, with only the messenger service turned on, and Shields Up was unable to get any information whatsoever on my machine, excepting a ping reply.

        My roommate's computer, which is installed pretty much the same as my own, minus SP2, is reporting all kinds of information - computer name, workgroup, and a ton of open ports - to the ShieldsUp scanner.

        I just thought I'd mention that, since the only thing I have installed that could be closing these ports and fixing things up is SP2 and the Firewall.

        --Dan
        • Re:Three letters (Score:3, Informative)

          by tiger99 ( 725715 )
          Yes, but please don't be deluded into thinking you are secure. You are not! A lot of rogue programs, Real Player being the most obvious, initiate connections to the outside world which are not stopped by anything from M$. Despite what has been said by others, Zone Alarm Pro works, and stops all of these unless you give them explicit permission. In fact it is worth having just to keep Real Player under control!

          I also note that a lot of M$ programs seem to want to connect somewhere or other, Bill's firewall w

    • by 0racle ( 667029 )
      Windows is not the only thing that will do this. pf, the firewall thats included in OpenBSD for instance can be set to either return ICMP with rst, or just silently drop the packet. It serves a simple purpose, it dissuades some of the idiots that are just out scanning a subnet for fun.
      • by mdamaged ( 708238 )
        If they are scanning a subnet for fun, they aren't a real security concern, the people whom you SHOULD worry about do not need a ping reply, as they know there are other ways to see if a host is alove or not, in which case blocking pings does nothing.

        Security by obscurity is a bad practice to pass on.
        • by 0racle ( 667029 ) on Sunday August 15, 2004 @01:50AM (#9972619)
          They're not a concern because they are then the type of people who they use the automated tools to attempt to cause trouble, which makes them an annoyance, and I don't know about you, but I like to remove as many annoyances in a day that I can.

          Have you ever heard of people buying those little 'This house protected by...' stickers for their homes when they really have no alarm system. Its called a deterrent, it doesn't protect from the determined, experienced individual, but it makes the casual thief think twice and look for another target. Silently dropping ICMP packets does the same thing, a lot of script kiddies have no idea how things work so if they get no response from an address, they just move on making it one less headache to deal with. Unless your the type of person who loves analyzing logs and your not hosting services through your firewall, there is nothing wrong with it and it is a valid response to dealing with idiots.
        • by Shanep ( 68243 )
          If they are scanning a subnet for fun, they aren't a real security concern, the people whom you SHOULD worry about do not need a ping reply, as they know there are other ways to see if a host is alove or not, in which case blocking pings does nothing.

          pf does not just drop ping packets, it can drop any connection that was not statefully initiated from the trusted side.

          Security by obscurity is a bad practice to pass on.

          pf dropping packets that it does not expect to get, by no means falls under the typic
    • by datajack ( 17285 )
      'Stealth' iis useful for system security for the simple reason that it causes serious delays for many potential attackers. A full-range portscan against a machine returning ACK/RST or ICMP-Port-Unreachable is far faster than having to rely on timeouts and multiple attempts to differentiate between a 'stealthed' port and random network trouble.
      When this is applied to a firewall protecting a network of machines, then it's even more useful as you cannot be certain what is there and what isn't.

      I don't care
      • by mdamaged ( 708238 ) on Saturday August 14, 2004 @08:57PM (#9971456)
        Not true at all, proper tools can ignore these 'stealth' techniques. Timeouts for example.

        What about net or port unreachables? You block all those then you end up making the users wait extra before their _insert client here_ built-in timeout occurs. Same with host unknowns. It also creates a pain to the netops whom need to run diagnostics.

        There are some ICMPs which have little or no place in most networks and are OK to block for the most part.

        And lets not even get into PMTU issues. (do not frag/frag needed), especially with microsofts brain-dead implementation of PMTU in short order.

        And blocking destination-unreachable, source-quench, time-exceeded, parameter-problem, can realy make a networks response times to these conditions suck ass.

        Again pushing security through obscurity is a BAD idea, whether used alone or in conjunction with other security measures. If a windows users thinks his machine is invincible (i am not saying _you_ do) than they will be less likely to further secure his or her machine. Good habits form good conditions. Blocking all icmps is BAD practice.

        There are hundred of papers on this and none but the most pedestrian sites (i.e. marketers to the windows user) advocate blocking ALL ICMPs.

        You fell for pure marketing and ignore real-world network operations.
        • Re:Stealth? *ARGGGH* (Score:4, Interesting)

          by Kiryat Malachi ( 177258 ) on Sunday August 15, 2004 @03:57AM (#9972893) Journal
          Honestly, Windows users who are using Windows firewall with 'stealth' mode aren't running anything where they're going to have "users". The only people attempting to reach them are crackers and skiddies.

          As to netops, again, we're not talking core net routers. We're talking leaf nodes, and I'd note that the networks generally diagnose through the physical layer (talking to the cable/DSL modem) and not through the computer.

          For *users*, this is actually a valid thing to do. Its basically a tarpit trap - anything that makes an attacker's mass attacks slow down can't really be viewed as bad if it doesn't interfere with the majority of legit uses.
      • Aren't most portscanning tools multithreaded anyway? I doubt there are any tools which are both effective and single-threaded. A tool that opens 50,000 TCP ports simultaniously would not suffer very much at all by waiting for 2 minutes or whatever the TCP SYN/ACK timeout is.

        There is the issue of TCP RST or "ICMP unreachable" fingerprinting - it's conceivable that an attacker would use your NAK to narrow down the possibilities of what OS you are using. (TTL, for example) But assuming that this is a host

    • Because STEALTH is how you security your compooter!! Bill Gates is the smartest man on earth and he is smarter than those evil H4CK0RZ who are trying to break is pretty WIND0WZ!! I think GRC is the best web site ever made and if it says "Stealth" then that means I have securitieied my compooter! Stoopid Lunix doesn't have a Stealth mode You can't even install McAfee Firewall on Lunix! Lunix sucks, Windows is the best OS ever because it has STealth.

  • by sqrt(2) ( 786011 ) on Saturday August 14, 2004 @06:03PM (#9970461) Journal
    With the firewall, and the security center it was using an extra ~20 MB of memory that I need to play Doom3 faster!
    • Re:I turned it off. (Score:4, Informative)

      by Foolhardy ( 664051 ) <csmith32@gmai l . com> on Saturday August 14, 2004 @08:40PM (#9971376)
      Wrong. Process Explorer [sysinternals.com] tells me that the firewall and security center are hosted in the main svchost process, along with 21 other services. With the SharedAccess (firewall) and wscsvc (Security Center) services stopped, that svchost was using 18,872k of private memory. With both of them running, the process was using 19,108k of private memory, a difference of 236k. The services are implemented in DLLs so they are considered shared memory: the Securty Center binary (wscsvc.dll) is 80k and the firewall binary (ipnathlp.dll) is 323k. That's a total 639k of memory used by the firewall and security center on my computer (xpsp2). Hardly 20mb.

      I'm curious; how did you come up with the 20mb number?
  • by MMC Monster ( 602931 ) on Saturday August 14, 2004 @06:04PM (#9970463)
    As long as the firewall is activated prior to any ports being opened on bootup, it's probably better than nothing. That is, at least the 99% of users that don't understand what a firewall is will be safe.
    • by Beryllium Sphere(tm) ( 193358 ) on Saturday August 14, 2004 @06:38PM (#9970711) Journal
      Like the advice wilderness survival instructors have about knives. What's the best survival knife? The absolute best? It's the one you have with you. All the others are useless.

      Being installed by default is a "feature" more important in real life than any other.

      (Yes, I'd run something else in addition).
    • by gbjbaanb ( 229885 ) on Saturday August 14, 2004 @07:46PM (#9971106)
      and the 'doesnt block outbound traffic' flaw everyone's going on about is similarly a good thing, as the PCworld article said:

      Microsoft's user testing showed that asking users to approve every application trying to communicate with the Internet tends to backfire.

      "If you flood the user with messages like that, they say 'yes' all the time," he says.


      Just like making passwords minimum 25 character length won't improve security as people will just write them down. This is good enough for the majority.
      • OT:

        Writing down your password isn't as bad as you may think. Seriously. I brute-force your password much easier than I can break into your office and steal your sticky note. Or even better, if you keep the password in your wallet, my task is even more difficult.
  • by ChrisKnight ( 16039 ) on Saturday August 14, 2004 @06:05PM (#9970471) Homepage
    I've installed SP2 on two machines now. In both cases SP2 had me reboot, and before offering a log-in prompt it presented a screen where I could enable or disable automatic updates. This is an administrative setting, and it should not have presented itself prior to an authenticated login. Sure, it only happens once, but by design it violates secure computing practices.

    -Chris
    • by Monoman ( 8745 ) on Saturday August 14, 2004 @06:11PM (#9970527) Homepage
      I ran into a similar flaw with Tiny Firewall (or was it Zone Alarm?).

      The FW app would pop-up automatically to ask the user if they wanted to allow certain traffic the first time it occured. The problem I found was that there didn't have to be a user logged in.

      This was on a co-workers machine and so of course while he was out of the office I tried to access his machine. When the FW app prompted with the pop-up, I just told it to always allow my host access to his machine. :-)

      Two problems I figured:

      1. The app should have never prompted when the user was not actively using the system.
      2. The OS should not allow input when there isn't anyone logged in.

      • by Anonymous Coward on Saturday August 14, 2004 @06:26PM (#9970645)
        2. The OS should not allow input when there isn't anyone logged in.

        lemme tell you, that'll make it a bitch to log in.

      • According to Microsoft guidelines [microsoft.com], you aren't supposed to let privledged services interact directly with the user at any time, except for error message boxes in some cases. You have to go out of your way to make a service interactive; you can override the setting in the services control snap-in: in service properties in the log on tab, clear the 'Allow service to interact with desktop' checkbox. It will be given its own sandbox to create windows in; the user can't see or interact with them. Like it says in
    • by Anonymous Coward
      Want to know a **REALLY** interesting trick about that screen, now that you mention it?

      Press SHIFT+F10 at that screen. You get a full CMD console...

      EXCEPT as SYSTEM! Not as Administrator, but SYSTEM!!

      Ummm, owned?
    • by damiam ( 409504 ) on Saturday August 14, 2004 @07:41PM (#9971076)
      If someone has physical access, then they have root if they want it, period. As long as SP2 only offers that prompt on a local display, there's not much of a problem.
  • It's Microsoft! (Score:5, Insightful)

    by chrispyman ( 710460 ) on Saturday August 14, 2004 @06:05PM (#9970474)
    While their new XP SP2 firewall is somewhat degraded comared to, say, ZoneAlarm, thats not entirely a bad thing. The new firewall is a step in the right direction, especially being on by default. Not only that, but by not including a "top of the line" firewall in XP, they allow for a market where 3rd parties can still sell firewalls as opposed to being yet another software industry crushed by Microsoft.
    • Re:It's Microsoft! (Score:5, Insightful)

      by Rich0 ( 548339 ) on Saturday August 14, 2004 @08:59PM (#9971466) Homepage
      Not only that, but by not including a "top of the line" firewall in XP, they allow for a market where 3rd parties can still sell firewalls as opposed to being yet another software industry crushed by Microsoft.

      Honestly, the most logical place to implement a firewall is in the OS TCP stack. That's how linux does it. Now, a userspace program to configure it makes sense, and there are a millions competing linux projects to provide somewhat sane front ends to iptables, but the actual filtering should be handled by the OS.

      And it doesn't really make sense to have 3rd parties modifying the TCP stack - talk about the potential to break stuff.

      Honestly, I don't mind MS bundling free stuff with their OS. Now, when they make OEMs sign agreements not to include competing products as well, that is a problem (such as the way they banned Netscape from being pre-installed). And if the behavior of the windows firewall were to break the TCP standard and make it less compatible with non-windows internet servers, then that would also be a problem. However, nobody screams about putting Cisco out of business by putting a firewall in linux...
  • by jrockway ( 229604 ) * <jon-nospam@jrock.us> on Saturday August 14, 2004 @06:06PM (#9970483) Homepage Journal
    I think there's a reason for this. If M$ put a good firewall and good virus scanner in XP, they would be using their monopoly position to put third-party anti-virus and firewall software companies out of business. They wouldn't be doing this intentionally, but it doesn't matter. That whole incident with IE fucked them over.

    If M$ could go back a few years, they would see that not putting IE in the OS would have avoided all the anti-trust problems AND made windows more secure. LOL at M$.
    • by gordgekko ( 574109 ) on Saturday August 14, 2004 @06:18PM (#9970592) Homepage
      It's not "LOL at M$", it's "LOL at millions of XP users". Microsoft isn't suffering (I hear they make good bank off their OS), it's the end user who has to put up with poor security.

    • Lots of us told lots of people at Microsoft that integrating the MS HTML control in WIndows Explorer was a horrible security risk, way back when they first did it. They also knew that it was likely to cause legal probelms. They still did it, because they believed the danger of an independent application platform (which is how they saw Netscape and Java) was too high to be risked. Even if they had a certified message from Bill Gates 2004 to Bill Gates 1996 about the risks, they would probably still have done the same thing.

      Microsoft doesn't care about any problem that doesn't hurt their bottom line. It's rare that any company does: that's just part of being a limited liability corporation. And in 1996 and 1997, security wasn't an issue, it didn't win sales, so they didn't care.
    • Yes but they would have risked Netscape or someone else taking over the client side of interaction with the Internet and increasingly most applications since most applications are moving to a web and browser basis. Netscape had declared its intent to make its client platform independent. It could easily over time have made it irrelevant what your underlying OS was, destroyed Microsoft's monopoly and their stock price.

      Microsoft did exactly what they knew they had to do to head off the gravest threat they
  • wow, neat. (Score:3, Funny)

    by LBArrettAnderson ( 655246 ) on Saturday August 14, 2004 @06:08PM (#9970502)
    So if it couldn't be turned off by software that would mean...? that would mean that MS is abusing their monopoly.

    The whole point of the firewall is so that bad applications (like the ones that would turn a firewall off) don't get installed in the first place.

    And as far as I can tell, all the article is talking about is the fact that it asks you if you want to keep blocking a program or not. And it DOES ask you for every program that uses the LAN/internet/whatever.

    And do you honestly think that it's impossible to turn off Zone Alarm and those other ones with an application? I'm willing to bet that it's possible
  • TerminateProcess (Score:3, Insightful)

    by smallguy78 ( 775828 ) on Saturday August 14, 2004 @06:08PM (#9970505) Homepage

    The article's website is timing out, but can't you 'turn off' Norton, Zonealarm by simply doing a WM_CLOSE or TerminateProcess anyway?



    If the program has managed to make its way onto the host machine, then that is when the firewall isn't doing it's job.

    • by DarkEdgeX ( 212110 ) on Saturday August 14, 2004 @07:17PM (#9970933) Journal
      Heh, I was just about to reply saying the same thing. Just because Microsoft offers an API to turn off or disable the firewall doesn't mean it's any less secure than just doing what you described. In fact, doing what you described is far easier (or stopping/disabling the service, etc).

      Saying it's a bad idea for the reason stated in the write-up is just plain ignorant.
  • Get a grip (Score:4, Insightful)

    by IanBevan ( 213109 ) * on Saturday August 14, 2004 @06:09PM (#9970511) Homepage
    I'm gonna keep this comment straight forward and to the point.

    I have run Windows XP Professional since its release. I run my box 24x7 connected to a 2MBit cable connection. I use the Windows firewall and have auto-updates downloaded automatically. I have an ftp port open using the Microsoft/IIS ftp server. I have a port open for remote desktop. It's been this way for 2+ years.My box has never been hacked into.

    So, now some wise asses can ask for my IP address, sure. But my point is that by taking just the most basic precautions, you reduce your chance of being hacked to just about nothing.

    The new firewall may not be perfect, but it will further reduce the number of easy targets, which is a giant step forward.

    • Re:Get a grip (Score:3, Insightful)

      Out of curiosity, how do you know you haven't been hacked? I mean, I keep track of my logs, watch disk space usage, don't keep the machine on all the time, run AV and spyware detection software, etc., so I'm pretty confident that no one pwns my box, but if I didn't do any of that, particularly the log file monitoring, it would be pretty tough to tell whether I was hacked or not.

      Granted, if you were hacked, you'd probably notice performance degredation and get errors about your FTP directory's drive filli

    • by Anonymous Coward on Saturday August 14, 2004 @06:19PM (#9970598)
      My box has never been hacked into.

      This can also be read as:

      I never got a popup reading "ZOMG! J00ve b33n h4xx043d by da ch1n33z3!!1!1one!eleven lolololz"
    • Re:Get a grip (Score:5, Insightful)

      by Beryllium Sphere(tm) ( 193358 ) on Saturday August 14, 2004 @06:51PM (#9970784) Journal
      >But my point is that by taking just the most basic precautions, you reduce your chance of being hacked to just about nothing.

      Marcus Ranum's latest essay suggests that most of security isn't about doing smart things, but instead about avoiding doing dumb things.

      I bet your success also depended on not downloading animated cursors and password managers.

      That "just about nothing" chance also depends on a benign threat model. If you were whitehouse.gov, microsoft.com, or a bank's wire transfer department, you'd need more than "the most basic precautions". Against automated attack scripts your precautions are good.
    • Re:Get a grip (Score:3, Insightful)

      by theCoder ( 23772 )
      I have an ftp port open using the Microsoft/IIS ftp server.

      I guess you can chalk not being hacked up to shear luck, since every time you use your FTP server remotely, you're sending your username and password in the clear. This is nothing specific to Microsoft -- every FTP server is like this (except SFTP, of course). You really should consider using SSH and SCP instead. For Windows, I'd recommend using Cygwin's version of OpenSSH (plus, that gives you a working shell program, as opposed to the atrocit
  • No outbound blocking (Score:5, Interesting)

    by dj245 ( 732906 ) on Saturday August 14, 2004 @06:09PM (#9970512) Homepage
    The reason there is no outbound blocking is because XP Firewall is for the average user. Not the average Slashdot user. The average user can't determine whether Claria should be given internet rights or not. We know better.

    So for average users XP firewall is a good thing since you don't have to know anything, but we (Slashdot users and internet savvy) demand more.

    • >The reason there is no outbound blocking is because XP Firewall is for the average user.

      Also because Microsoft's take on security is that once malware is installed it's Game Over. They've got a point. Your computer is the wrong turf on which to fight intruders unless you have a mandatory access control system.
  • Ridiculous. (Score:5, Insightful)

    by Daleks ( 226923 ) on Saturday August 14, 2004 @06:14PM (#9970551)
    Wait, a commercial firewall developer thinks Microsoft's free firewall isn't up to the challenge? Wow, what a surprise! What if Microsoft had put a full-fledged firewall into SP2? The same companies would be whining about how Microsoft bullied them out of the market.
  • by kiwioddBall ( 646813 ) on Saturday August 14, 2004 @06:17PM (#9970579)
    Save your time - don't bother. It adds absolutely nothing to the body of knowledge. It reports that it blocks all the ports very adequately. It also reports that it doesn't block outgoing connections from your computer! Really? Well that has been common knowledge for the last year. Windows Firewall only blocks incoming connections. This doesn't mean it is less than adequate. It does point out that Windows responds when certain standard port connections are attempted. This is a good compromise, but hardly a hole in the firewall - it is not a hole in a firewall to block connections using certain standard ports. And as for stopping the firewall using another Windows command - absolutely no evidence supplied. FUD!. Windows Firewall is pretty good.
  • by datajack ( 17285 ) on Saturday August 14, 2004 @06:26PM (#9970642)
    I've never used Windows Firewall (or XP or that matter), but their port scanning results look inconsistent to me. There should not be such a difference between the TCP Connect scan and the TCP SYN scan.

    I want to cover a few definitaions that aren't in the article. If they are using different definitions for these terms, they are going to confuse a lot of people (and may be confused themselves).

    1. 'Stealthed' port - yeuch, I don't like that name, but I assume that is where a probe to a port illicits no response from the remote host
    2. 'Closed' port - where the host returns the correct 'not available' response. In the case of TCP, this is a packet with the ACK and RST flags set.
    3. 'Connect Scan' - A port-scan that performs the full TCP three phase TCP connection handshake. Usually only performed when you don't have rights to perform a SYN scan.
    4. 'SYN Scan' - A port scan that only sends the initial SYN packet of the TCP handshake and bases it's result on the response.

    For the 'Connect' scan, the tester will have sent a 'SYN' packet to the port being tested. The 'Stealthed' ports will have sent back no response at all. The 'Closed' ports will have sent back an ACK/RST packet.

    For the 'SYN' scan, the tester will have sent a 'SYN' packet to the port being tested. The 'Stealthed' ports will have sent back no response at all. At this point, the 'SYN' scan is identical to the 'Connect' scan, so the 'closed' ports should have sent back ACK/RST.
    This leads me to believe that either the testers system was broken, the target system firewall was in a different state during the SYN scan, or there is something really weird going on there.

    As for the 'Turning Off' claim, that appears to be when the user or process has admin rights. As with the ludicrous Trend Anti-Virus 'vulnerability' posted to Bugtraq last week, it's unreasonable to expect software to 'defend' against being reconfigured or turned off by an authorised administrator.


    I've just realised I'm defending M$ here :o
    /me runs & hides
  • Yes, well... (Score:5, Insightful)

    by ctr2sprt ( 574731 ) on Saturday August 14, 2004 @06:29PM (#9970663)
    Simply the fact that Windows Firewall can be turned off by another application is enough to tell me Microsoft has goofed again.
    I did in fact RTFA, though it's slow as hell already, and I didn't see what evidence they had in support of this claim. I saw they made it, but not what provoked it. I mean, in Linux other applications can turn off the firewall quite easily: iptables -P INPUT ACCEPT. Does SP2 not require you to be an Administrator (or Power User) to do this?

    In any event, it's obvious this is not a cure-all since it won't block outgoing connections. But it's still a big improvement and ought to immunize XP users against at least one class of attacks. In fact, coupled with a virus (especially an email virus) scanner it ought to wipe out 99.95% of all Windows desktop compromises. That's a pretty damn big step and we should credit MS for taking it, even if it doesn't go quite as far as we'd like.

  • by argent ( 18001 ) <(peter) (at) (slashdot.2006.taronga.com)> on Saturday August 14, 2004 @06:31PM (#9970668) Homepage Journal
    It doesn't matter whether you're on Linux, on Windows, or on anything else, a firewall has to be outside the control of the objects it's protecting against. For Windows Firewall to protect against local applications, it would have to be running outside the security permiter around those applications.

    I don't care if you're Windows Firewall or Zone Alarm, any settings the user can change an application can also change, because no application that the user runs can have any more rights than the user. Whatever the user interface application does, another application can do as well.
    • Actually... (Score:3, Insightful)

      by Anonymous Coward
      In Linux land most users run apps (esp untrusted ones) as a normal user and not as root. (the obvious exception is lindows which is evil incarnate)

      Firewall rules can only be changed as root.

      Because of the extensive use of Linux in shell hosting enviroments Linux is fairly robust against local exploits. Windows is still terribly weak to local privlage escilation.

      Obviously there are ways around (say sabotaging the users enviroment and tricking them into giving the software root access), but it actually mak
  • by Anonymous Coward on Saturday August 14, 2004 @06:37PM (#9970704)
    It's incredible how ignorant and misleading this article is.

    First of all, if the user using the machine is running as an admin, there is ABSOLUTELY NO WAY TO PREVENT THE FIREWALL FROM BEING DISABLED BY A 3RD PARTY PIECE OF SOFTWARE. Period. Guess what! Zonealarm and Symantec's stuff has the same 'fault'. If I have admin privs, and I run a piece of software (unless it's managed like .NET code), it can do ANYTHING I can do. That includes turning off firewalls.

    Software running as a non-admin user CANNOT TURN OFF THE FIREWALL. That's all you can expect.

    Second, outgoing protection just makes stupid people feel better. Any programmer with a clue can write software that gets around outgoing firewall protection. It took me about 20 minutes with VB (yeah, VB!!!) to write a proof of concept app that is able to do whatever it wants on the net even with Zonealarm installed.

    The only way to reliably restrict outgoing communications is at the borders of the network, not on the machine generating the traffic.

    All this FUD makes me sick.
  • Misinformed review (Score:5, Insightful)

    by Bob Ince ( 79199 ) <and@doxdes[ ]om ['k.c' in gap]> on Saturday August 14, 2004 @06:42PM (#9970734) Homepage
    > Simply the fact that Windows Firewall can be turned off by another application is enough to tell me Microsoft has goofed again.

    Balls. The fact the Windows Firewall can be turned off makes it exactly the same as every other personal firewall, including ZA and Sygate.

    Malware has been disabling the firewalls of machines it infects for years. It is simply not possible for a firewall to remain an effective security measure on a machine where hostile code has been run at the same level of privilege.

    Once the attacker's code is running on your machine, the game is over and you have lost. Until we get full operating-system level sandboxing (whereby applications and users are fully protected from each other's interference until the user/admin explicitly grants rights), this will always be the case.

    The main difference between the Windows Firewall and other personal firewalls is that it only blocks incoming traffic. But so what? An outgoing traffic block is of no use if the outgoing traffic is generated by hostile code on the local machine, as it can just as easily shut the firewall down completely.

    Other firewalls still provided the feature because it figured most malware wouldn't bother detect and kill all the different brands of firewall. But Windows Firewall, soon to be very widely installed due to its default-on nature, would present a much more attractive target; soon every new virus, worm and piece of spyware would turn the block off as the first thing it did. Therefore the feature would be offer zero additional security.

    Flexbeta's reviewer seems to have grasped the vocabulary of security countermeasures with no actual grasp of their practical implications. In summary: feh.
  • by Dominic Burns ( 673810 ) <dominicburns@blu ... 59co.uk minus pi> on Saturday August 14, 2004 @06:47PM (#9970754)
    Contrary to what Flexbeta says, I suggest it's a better idea to first get the new firewall package, disconnect from the internet and then switch the firewall off before installing and initiating the new one.

    Switching the firewall off [no matter how weak it is] while connected to the net will open your machine up to all sorts of problems.
  • Lay off Microsoft (Score:4, Informative)

    by wwahammy ( 765566 ) on Saturday August 14, 2004 @07:07PM (#9970862)
    For god sakes, what do you expect of them? They are not in this to make slashdotters safer, they know we can defend ourselves just fine. They have a firewall that, while not perfect, is easy enough for the average and new user to use and provides a decent amount of protection. No its not the second coming but I don't think they ever intended it to be. They did what needed to be done and I applaud them for their effort and end product.

    MS bashing on here never bothered me until SP2 came out when A LOT of people mainly wrote it off as crap. They did a damn good job this time and a lot of you people should stop bitching about them.
  • by CdBee ( 742846 ) on Saturday August 14, 2004 @07:15PM (#9970921)
    Mac OSX has a firewall supplied which does exactly the same - inbound connections only with an option to open ports for file sharing, remote desktop etc... except NOT enabled by default.
    Again, if you're using it for serious stuff you'd add a hardware FW at the network perimeter.
  • by Blic ( 672552 ) on Saturday August 14, 2004 @07:15PM (#9970923)
    For the most part, if you're a savvy user you already have firewall software or are protected in some other fashion. What SP2 is aimed at is the unwashed masses who just have their Best Buy and Walmart boxes directly connected to the Internet with no protection at all.

    If anyone reading Slashdot *needed* SP2 to make their XP system secure you should be ashamed of yourself. =)

    So while it's not perfect, it's a situation where anything helps.

    This also leaves the door open for other vendors who want to provide better or different firewall solutions. Ditto with not adding AV software.

    Remember, unlike Apple and Linux distros MS can't bundle much into their OS unless they want to get dragged back to court...
  • The Firewall in XP (Score:5, Insightful)

    by AliasTheRoot ( 171859 ) on Saturday August 14, 2004 @07:43PM (#9971087)
    Is still around 10000000 times better than no firewall.
  • by gexen ( 123248 ) on Saturday August 14, 2004 @08:06PM (#9971193)
    Microsoft did the right thing by letting the firewall be turned off by another program. Otherwise, people who install SP2 and already have a firewall would be pretty screwed up. Two software firewalls on the same machine is never a good idea.

    What really pissed me off was the comment that Zone Alarm people gave that a worm could turn off the firewall. OK....A worm could turn off their product too.

    There has also been criticism that the firewall doesn't block outgoing connections. I guarantee you if they did do that, firewall manufacturers and "Type A" slashdot readers would be crying anti-trust.
  • bizarre (Score:5, Insightful)

    by XO ( 250276 ) <blade.eric@NoSPAM.gmail.com> on Saturday August 14, 2004 @09:02PM (#9971487) Homepage Journal
    Find me something that -can't- be turned off by another application, if you know how it works?

    That's a really lame complaint. If a program has the proper authorities, or can hack the proper authorities, then of course it can stop the operating of another application.

    In Unix, they call it "kill".

    How many Windows viruses will auto kill your task-window process whenever they see it come up? I bet lots of them. Same deal.

    While delousing Windows boxes, I usually find myself downloading the least popular anti-virus programs I can possibly find to do it, because then I am usually able to get it running on the machine without bringing the whole system down.. any good virus would automatically kill norton, mcafee, and other popular virus scanners..

    and even if you can't kill the running process, if you have access to change the configuration files, then you can effectively take it down that way as well..

    think about your complaints before you make them!
  • by reallocate ( 142797 ) on Saturday August 14, 2004 @09:23PM (#9971605)
    The vast majority of computer users -- Windows, Linux, OS X -- lack the knowledge to correctly configure a firewall. They also lack the will and intent to acquire that knowledge. Almost all computer users don't have the foggiest notion of how IP networks function, and will never acquire that knowledge.

    Badmouthing Microsoft for rolling out a less-than-perfect firewall is more than a bit hypocritical when much of it comes in the form of kneejerk ritualistic abuse from open source users who couldn't implement a firewall if it involved anything more complicated than selected "Yes" during their Linux installation.

    Insecurity on the network is, in the end, a human problem. Computers do what they're told. The only effective solution is to go after the behavior and the people who cause the insecurity.
  • wha? (Score:3, Insightful)

    by Transcendent ( 204992 ) on Saturday August 14, 2004 @09:28PM (#9971629)
    Simply the fact that Windows Firewall can be turned off by another application is enough to tell me Microsoft has goofed again.

    That's horrible, horrible logic. I'm supressing lines of cursing and name calling due to that little line you just spouted because it is just plain stupid to say that. For one, pretty much any program can do anything it pleases if the user has permission to.

    What 90% of people forget is that the great majority of users are running windows in an administrator's permission set. It's just like someone running their linux box as root. You run a certian program, you're screwed.

    Give me root permissions on your unix machine and I'll write a nice little script, not even a program, to do lots of nice little things to your computer.
  • by JRHelgeson ( 576325 ) on Saturday August 14, 2004 @09:32PM (#9971654) Homepage Journal
    The one thing that drove me nuts about setting Joe SixPack, Computer Luser, up on a software based firewall is that it would check with them each time their computer tried making an outbound connection to anything. This happens a lot when the software first gets installed; but a dangerous thing happens.

    People get rapidly conditioned to click the yes button, to permit the traffic to pass, because they quickly find out that if they click no, something breaks (i.e. IM Client).

    What happens is that users become afraid to click no, for fear of breaking something - which effectivly negates the integrity of the firewall.

    It appears that MS has integrated it pretty well into windows (duh, would you expect anything else?), to allow dynamic opening and closing of ports without having to confirm each connection with the user.
  • by laslo2 ( 51210 ) on Saturday August 14, 2004 @10:46PM (#9972014)
    and here's why. If Microsoft gives you a basic port blocker and says "here. this isn't a network level firewall solution, but it will help a little", then it's not their fault that you were 0wned. It's your fault, because you're on a network that doesn't have proper security precautions. If Microsoft gives you a port blocker/firewall with some serious kung-fu, guarantees you're secure, and someone breaks it... then it's Microsoft's fault, 'cause they said it was secure. MS seems to care about its image with regard to security, anyway, which is an improvement...

    of course, pcflank.com didn't find anything to worry about on my computer. then again, my computer's a mac... (no, I don't care about karma, do what ya gotta do)
  • by LittleBigLui ( 304739 ) on Sunday August 15, 2004 @05:21AM (#9973023) Homepage Journal
    Obviously so-called "personal firewalls" suffer from a few problems.

    They run on the exact machine they are supposed to protect, often under the same user account (since Windows programs often want to run as Administrator, so lots of people have administrator privileges on their "normal" accounts).

    Obviously, they can therefore easily be defeated by trojans.

    Then there's a few social problems. Having a car with additional security (big crumple zones, ABS, SIPS, airbag, ...) makes some people feel more secure, hence drive less careful. The same applies to PFWs, especially with users who aren't that knowledgeable in computer security. Those also suffer from the fact that PFWs are often difficult to understand for them, so user error may also contribute to reduce the security provided.

    A big point is, PFWs are not trivial to write and test, and often have to run as superuser. This can actually mean that they introduce new security holes.

"I'm a mean green mother from outer space" -- Audrey II, The Little Shop of Horrors

Working...