Re: XP firewall

From: *Vanguard* (no-email_at_reply-to-newsgroup.invalid)
Date: 05/14/04

    Date: Fri, 14 May 2004 01:58:23 -0500
    
    

    Dannie said in news:eZVoc.502$XC.442259@news4.srv.hcvlny.cv.net:
    > Hi Rick. I'm using XP Home Firewall but heard it does not stop
    > outgoing. Can you recommend a firewall? My Norton PF2002 went out on
    > me and while I have always stood by the Norton products, I'm somewhat
    > miffed as to their support. Then again I guess one can't expect
    > support forever.

    Until Rick answers, here's mine:

    I've used Norton stuff for years. Unfortunately Symantec is a software
    predator first and a software developer second. Their products wane
    over time. I suspect I'm on my last version of Norton Internet Security
    (firewall) but Norton AntiVirus is still okay although if I replace one
    (after their subscriptions expire) then I'll probably replace both.

    If you're looking for cheap (i.e., free) replacements, some folks
    recommend ZoneAlarm. It's good but I personally don't like some of its
    behavior. For example, I put it on my aunt's PC and there were popups
    noting some application was attempting to make a connection to the
    Internet but did not identify what was the application. We had to open
    up ZoneAlarm's main page to see where a "?" showed up in the application
    list to determine how to correctly configure its access. Other
    firewalls that have gotten recommended by users are Sygate Personal
    (smb.sygate.com) and Kerio (don't remember the URL) version
    2.<something>, not the version 4 which is after the company split. AVG
    has a freebie version for anti-virus checking but I don't know how it
    rates in effectiveness compared to other products or how often it
    performs updates (I think you can schedule when it scans but not when it
    polls for new virus signature updates).

    XP's firewall only monitors your outbound connections to know what
    inbound connections to allow (i.e., you made the connection so the inbound
    traffic is what you wanted, like when connecting to a web site). It
    only blocks unsolicited inbound connections. It does not block
    unsolicited outbound connections, like a zombie that infected your host
    from participating in a denial of service attack or spyware phoning
    home. However, this is a misconception regarding this outbound
    protection. If you enable your browser so it has Internet access then
    you also enable any application that can use your browser to also get to
    the Internet. There is a 'tooleaky' test that shows where another
    application will use your browser to make an Internet connection (if you
    run tooleaky, remember to use Task Manager to kill any remnant hidden
    instance of your browser [i.e., it doesn't have a window]). You allowed
    the browser to connect so you and anything else that runs the browser
    can get to the Internet.

    In Norton's Internet Security (and which I presume would also be in
    their Personal Firewall), there are further options to watch when some
    other program tries to coax an authorized program to make an Internet
    connection. Under the firewall's options, under the Firewall tab, there
    are the following 2 options:

        Check access for external modules ...

        When one program launches another, check ...

    It can become quite daunting to decide what to do when all the
    information is splashed in your face when you have both options enabled.
    You'll get swamped and often not know what to do. I only have the
    second option enabled. This may be more control than you care for.
    However, unless you control a parent program that tries to use another
    program that you have allowed access, you have no control. All this
    hoopla about monitoring outbound connections is of little value since
    you will be authorizing many applications to have access. Internet
    Explorer, Word, Outlook, Outlook Express, Help and Support, svchost.exe,
    or whatever. You recognize those requests for a connection and permit
    them. Then some other program uses one of those permitted programs
    without you ever getting notified of such; i.e., a sneaksie has covertly
    made a connection that you actually permitted.

    As an example, and with the "When one program launches another" option
    enabled, I might have previously used Help and Support which wants to
    make an Internet connection to find KB articles related to my search. I
    got a popup saying that it wanted Internet access which I allow because
    I want it to look for those KB articles. Later I am in Disk Management
    (diskmgmt.msc) and want to look something up about it, so I open its
    help. I click on a link in its own help file but which results in using
    Help and Support. Although I previously authorized Help and Support to
    have Internet access, it is a program that is calling Help and Support
    instead of me, so a popup appears showing me the calling program to
    identify the covert call. I don't have to keep doing this. Apparently
    after permitting it, Norton's remembers it and doesn't nag me again.
    However, if I did not have the "When one program launches another"
    option enabled, I would have never been notified that a program wanted
    to use a previously authorized program to make an Internet connection. While
    I knew all of what was happening here, it is entirely possible that
    spyware, trojans, or viruses would try to use the browser, rundll.exe,
    or some other prior-authorized program to make a covert connection.

    So consider the outbound protection (in its default configuration) more
    like the border guard at the road checking for illegal immigrants. That
    checkpoint does nothing about all the rest of them not using that road
    and instead wandering over the countryside. It catches the dumb or good
    programs. The nasties are getting smarter. The options mentioned above
    are rarely used simply because most users never bother checking them
    out. By default they are disabled. I'm sure some other firewalls also
    have a similar feature to let you know when covert program A is trying
    to use prior-authorized program B to make a connection. However, I
    haven't bothered investigating the freebie firewalls to see if they
    include such a feature. Then again, maybe you don't want to be bothered
    this much regarding what might be trying to make a connection, in which
    case you really don't need to be concerned about outbound connection.
    Most outbound connection protection in its default configuration is like
    slapping a metal plate atop termite-infested wood.

    -- 
    ____________________________________________________________
    *** Post replies to newsgroup.  Share with others.
    *** Email: domain = ".com" and append "=NEWS=" to Subject.
    ____________________________________________________________
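
The two outbound policies contrasted in the post above, modelled as an added example (not part of the original post and not Norton's code): a per-program allow list versus one that also checks which program launched the connecting program and remembers approved pairs. The event list, the `sneaksie.exe` name, the `USER_SHELL` rule and the `user_decision` callback are constructed assumptions.

```python
from dataclasses import dataclass

USER_SHELL = "explorer.exe"  # assumption: launches by the shell count as the user's own

@dataclass(frozen=True)
class ConnAttempt:
    program: str  # program opening the outbound connection
    parent: str   # program that launched it

# Constructed events for illustration; sneaksie.exe is a hypothetical name.
EVENTS = [
    ConnAttempt("iexplore.exe", USER_SHELL),      # user opens the browser
    ConnAttempt("helpctr.exe", USER_SHELL),       # user opens Help and Support
    ConnAttempt("helpctr.exe", "mmc.exe"),        # Disk Management help link
    ConnAttempt("iexplore.exe", "sneaksie.exe"),  # hidden browser, tooleaky-style
    ConnAttempt("helpctr.exe", "mmc.exe"),        # same pair again
    ConnAttempt("sneaksie.exe", USER_SHELL),      # direct attempt, never authorized
]
AUTHORIZED = {"iexplore.exe", "helpctr.exe"}

def per_program(events, authorized):
    """Default policy: only the connecting program is checked."""
    return ["allow" if e.program in authorized else "prompt" for e in events]

def per_launch_pair(events, authorized, ask):
    """Also check the launcher; an approved (parent, program) pair is remembered."""
    remembered, out = set(), []
    for e in events:
        if e.program not in authorized:
            out.append("prompt")
        elif e.parent == USER_SHELL or (e.parent, e.program) in remembered:
            out.append("allow")
        elif ask(e):  # user recognizes the launcher and permits it
            remembered.add((e.parent, e.program))
            out.append("prompt-allow")
        else:
            out.append("prompt-block")
    return out

def user_decision(e):
    # Constructed stand-in for the person answering the popup.
    return e.parent == "mmc.exe"

if __name__ == "__main__":
    for e, a, b in zip(EVENTS, per_program(EVENTS, AUTHORIZED),
                       per_launch_pair(EVENTS, AUTHORIZED, user_decision)):
        print(f"{e.parent:>13} -> {e.program:<13} default={a:<7} launch-check={b}")
```

Under the default policy the fourth event is allowed silently; with the launch check it produces a prompt naming the launcher, and the repeated `mmc.exe` pair is not asked about a second time.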
    
