Another Question on Firewalls

Thread: Another Question on Firewalls

  1. #1
    Registered User MorseLady's Avatar
    Join Date
    Mar 2001
    Location
    Hertfordshire UK
    Posts
    834

    Another Question on Firewalls

    I have been quite happy to trust the built in XP Firewall and not use ZA or Norton as I have been to the Gibson site many times to do the tests and all my ports are at Stealth.

    But fellow networking students tell me I should use another firewall as the XP one is not aggressive enough.

    Are the Gibson ShieldsUp tests really conclusive and am I really safe with the XP Firewall? If not, should I use ZoneAlarm or Norton? I am comfortable using either.

  2. #2
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    From the Gibson site, get leaktest.exe
    Then see.
    Never, ever approach a computer saying or even thinking "I will just do this quickly."

  3. #3
    Registered User MorseLady's Avatar
    Join Date
    Mar 2001
    Location
    Hertfordshire UK
    Posts
    834
    I have been using Leak Test for some time and just tried it again, three times, each time deleting the old copy and downloading a new one as advised. It said Firewall Penetrated.

    But I then did Probe my Ports and Shields up, which I have also been using for some time, and all my ports including the HTTP Port 80 are at Stealth and to all intents and purposes my computer is not visible to passing scanners etc.

    These results are with the XP Firewall only. So is my Firewall adequate or not? Because I am confused.

  4. #4
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    Right, the way the XP firewall works is this:

    If you get an unsolicited communication to a port - that is, one that has not been asked for by your computer, it will reject the communication.

    If your computer did send first, then the firewall will let the reply back in indiscriminately.

    Fine for most users, BUT

    Supposing you have a trojan? The XP firewall will quite happily allow that trojan to communicate to its master simply because your computer initiated the contact.

    If you put Zone Alarm on and check through the logs you will find it blocks according to the access you have allowed for a particular program and/or port.

    This way if a trojan attempts to send information out from your computer and it is not in the list of programs you have explicitly allowed, the trojan will not be able to get past your firewall and will show up in the logs as an unauthorised outbound connection.

    GRC does not do an exhaustive port scan either. I have run an exhaustive port scan for a friend and it took 5 hours on DSL.

    The XP firewall can be compared to shutting the doors and windows on your house, but not locking them, therefore anything already inside can still get out... and access can be gained at other weak points in the house with impunity.

  5. #5
    Registered User MorseLady's Avatar
    Join Date
    Mar 2001
    Location
    Hertfordshire UK
    Posts
    834
    Thanks Noo, all understood, and obviously I need to protect my computer more than XP can.

    Options: Install ZoneAlarm
    Install Norton Firewall 2001
    Buy and install Norton Firewall 2003
    Install ZA and Norton

    My instinct would be to go for Norton 2003 and update my AV too, there is a special offer double pack available. I already have Firewall 2001 and SystemWorks 2002 which includes AV but I am not using the Firewall as I have ZA on my non XP Partitions.

    I would be interested in how you did your port scan but I take it I would need a broadband connection to do it? I am looking at that possibility and thinking about things like static IP or not so the Firewall question becomes very important. I suppose as a frequent Internet user, banking, FTPing to my websites, doing lots of interactive stuff like Skill Drills and online shopping, my computer is very vulnerable.

  6. #6
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    You are on dialup... you don't run servers from your connection. The likelihood of a hacker being interested in you is very very low. Having said that, there is a lottery winner's chance you could pick up a script kiddie (read punk kid who thinks it's cool to vandalise) who could trash your computers.

    As to the port scan, there are several scanners available for download, usually with a few days' trial. I downloaded one of those and ran the scan with the user's permission... he was having problems getting ISA Server to behave as he wanted.

    If you are caught port scanning by the ISP they can cut off your connection, it is against the terms of service.

    Port scanners are great tools and, like all great tools, can be used for good or bad.

    As to Norton or not... I have an inherent dislike of Norton - it previously failed Steve Gibson's tests - whether they have improved that situation I don't know. I know I don't like the amount of resources it chews, nor the damage it can cause when it gets its knickers in a twist.

    Norton for DOS is a fabulous thing, they kinda went off the boil with their GUI packages. - MY OPINION ONLY!!!

  7. #7
    Registered User MorseLady's Avatar
    Join Date
    Mar 2001
    Location
    Hertfordshire UK
    Posts
    834
    You raise some very interesting points Noo.

    Running Servers - what if a hacker detects my W2K Server demo I run to help my studies? Mind you, I do run ZA with it, so I guess I am safe. I don't actually serve anything, it is just so I can mirror what we do in class and learn the tabs.

    Caught Port Scanning by ISP - Could I plead I am a networking student who needs the hands on for my course? Why is it against ISP TOS?

    Norton - Although I do use the entire Norton Suite of tools, not necessarily all at the same time, I do have some issues with the Utilities! In fact it was Disk Doctor's "repairs" which corrupted my Partition Table on the other computer recently, instead of correcting a small fault, and I ended up rebuilding everything from scratch. I do not and will not use the Norton defrag utility in any OS or anything, apart from AV, that loads on startup because it slows things down and slows the boot up process. As for the Norton Firewall, I found it slow and clumsy compared to ZA but was told it was the most aggressive Firewall available.

    My Conclusion - I am going to install ZA on all OS here including XP that haven't already got a copy running.

    Thanks Noo.

  8. #8
    Avatar Goes Here Radical Dreamer's Avatar
    Join Date
    Jan 2001
    Location
    Fairmont, West Virginia
    Posts
    4,866
    Originally posted by MorseLady
    You raise some very interesting points Noo.

    Running Servers - what if a hacker detects my W2K Server demo I run to help my studies? Mind you, I do run ZA with it, so I guess I am safe. I don't actually serve anything, it is just so I can mirror what we do in class and learn the tabs.

    Caught Port Scanning by ISP - Could I plead I am a networking student who needs the hands on for my course? Why is it against ISP TOS?

    Norton - Although I do use the entire Norton Suite of tools, not necessarily all at the same time, I do have some issues with the Utilities! In fact it was Disk Doctor's "repairs" which corrupted my Partition Table on the other computer recently, instead of correcting a small fault, and I ended up rebuilding everything from scratch. I do not and will not use the Norton defrag utility in any OS or anything, apart from AV, that loads on startup because it slows things down and slows the boot up process. As for the Norton Firewall, I found it slow and clumsy compared to ZA but was told it was the most aggressive Firewall available.

    My Conclusion - I am going to install ZA on all OS here including XP that haven't already got a copy running.

    Thanks Noo.
    To answer your questions, not all ISPs have hacking-like activity blacklisted in their TOS. And as long as you have the target's permission and notify the ISP in advance you shouldn't have problems exploring their use (port scanners).

    As far as using a firewall on dialup, it's pointless, most hackers don't want to take the time to hack a dial up customer unless they know for SURE there is something worth getting to.

    As for people searching for servers, they search for servers such as HTTP, FTP etc. Not really what OS, as you stated you are using Win2k Server.
    :::Asus A8N-Sli Premium:::AMD 3500+ @ 2.4ghz:::2x80GB 8mb cache RAID0 Array:::GeForce 7800GTX OC:::2GB Corsair XMS Memory:::500 Watt Enermax Liberty PSU:::16x Lite-on DVDRW:::

    Counter Strike Source Forum and Server @ http://www.nvpclan.com -=Ninjas Vs. Pirates=-

  9. #9
    Registered User MorseLady's Avatar
    Join Date
    Mar 2001
    Location
    Hertfordshire UK
    Posts
    834
    Dial Up or not I really feel every computer should be protected by an effective Firewall and AntiVirus.

    I have downloaded and installed the latest release of the freeware version of ZoneAlarm and ran Leak Test again as Noo suggested and now I know my computer is protected!

    Thanks everyone, problem solved.

  10. #10
    Registered User
    Join Date
    Sep 2002
    Location
    Michigan
    Posts
    38
    I recommend Kerio Personal Firewall. It's actually the group of people who made Tiny PF 2.x, and KPF is essentially the next release of TPF 2.x. TPF 3 is essentially a new product... The only thing I miss is a "This program changes frequently" option, which disables the checksum for that one program. Handy for EQ, which changes constantly. I've also had some issues where applying a rule to a netmask doesn't work. If I create a new rule for a single IP, and manually change it to cover the whole netmask (for the whole LAN instead of just the one PC), it won't allow access for that PC the next time...

    The strength of a firewall lies in its rules. A crappy firewall program with good rules is infinitely better than the most expensive firewall with poor rules. The whole concept is to have everything closed off with as few openings as small as possible for "good" traffic. So long as the firewall actually works like it's supposed to, there's not a whole lot of difference between the different brands...

    Also, you're using LeakTest incorrectly. All it does is make an FTP connection to a server. It was designed to test program checksums by the firewall. You're supposed to rename it to something that already has a firewall rule, like iexplore.exe or netscape.exe. If you have a good firewall, it'll notice that this new iexplore.exe isn't the same one that was given access earlier. Every software firewall I'm aware of does currently support program checksums, so this program is basically useless now. It's the same thing as using an FTP client that you haven't made a rule for...

    Originally posted by Radical Dreamer
    As far as using a firewall on dialup, it's pointless, most hackers don't want to take the time to hack a dial up customer unless they know for SURE there is something worth getting to.
    A properly configured firewall will also stop outgoing traffic. This includes trojans, spyware, advertising, etc. With dialup's limited bandwidth, a firewall can actually be very helpful.

  11. #11
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    Invisibill, the point I was making with MorseLady is that the XP firewall is not worth a red cent. If that leaktest.exe had tried to go through Zone Alarm, Zone Alarm would ask you if you wanted it to have permission. Windows XP firewall just assumes that since the prog wants outgoing access, it can have it.

  12. #12
    Registered User MorseLady's Avatar
    Join Date
    Mar 2001
    Location
    Hertfordshire UK
    Posts
    834
    Yes indeed, Noo, ZoneAlarm asked me and the XP "firewall" did not. Going by the number of alerts I had last night I am damned glad I have ZoneAlarm! Even if some of the alerts were only "noise" it is still good to know that a hacker has less chance now and I am very seriously considering going over to broadband which makes it even more important if I choose a static IP!

  13. #13
    Registered User
    Join Date
    Sep 2002
    Location
    Michigan
    Posts
    38
    Originally posted by NooNoo
    Invisibill, the point I was making with MorseLady is that the XP firewall is not worth a red cent. If that leaktest.exe had tried to go through Zone Alarm, Zone Alarm would ask you if you wanted it to have permission. Windows XP firewall just assumes that since the prog wants outgoing access, it can have it.
    Yeah, I understand that, and LeakTest is a very simple way to test for stuff like that. I've just seen too many people who come to the wrong conclusion, because they're using it incorrectly. Guess it was more of a mini-rant than related to your use of it...

    Also, when you create rules for programs requesting access, you should also choose the port. While limiting what programs can have access, and even more so with what IPs, securing it at the port level will make your system even tighter. As I said, you can even block banners in some programs this way. ICQ really doesn't need access to port 80. =) You'll get a few more alerts, but it'll ensure that you're allowing only the bare minimum through...

  14. #14
    Registered User Quiet Thunder's Avatar
    Join Date
    May 2001
    Posts
    1,050
    Just my opinion, but I would highly recommend Norton 2003. I've been using NIS (Norton Internet Security) ever since 2000, and it's only gotten better and better. I personally feel that 2003 is by FAR its best offering yet.

    Norton 2003 has passed every single firewall test I can throw at it (though I've only tested within reason) where previous versions of NIS have failed. The firewall also offers really good cookie and ad and spam blocking. Note, the ad blocking has been known to make some websites appear other than normal, but that's an easily fixable and quite rare problem. In fact, it's really more the website's fault than Norton's. I've tried several other firewall options, and the only one I'll stick with is Norton. Send me an email if you have any other questions.

  15. #15
    Registered User Quiet Thunder's Avatar
    Join Date
    May 2001
    Posts
    1,050
    Originally posted by NooNoo
    Invisibill, the point I was making with MorseLady is that the XP firewall is not worth a red cent. If that leaktest.exe had tried to go through Zone Alarm, Zone Alarm would ask you if you wanted it to have permission. Windows XP firewall just assumes that since the prog wants outgoing access, it can have it.

    Here's the kicker with leaktest. Yes, if you're running ZoneAlarm, etc. and you try to run leaktest it will ask you if you want to allow access. BUT what happens if you rename leaktest.exe to something like iexplore.exe? Will it allow it to pass without question? Because you (probably) already have a rule allowing that program to execute. Although it's a separate name, how well does the program do to actually check to see if your renamed leaktest is actually Internet Explorer?

    I'm not sure about a lot of other proggys, but I know that Norton 2000-2002 would allow leaktest to pass under these conditions, while NIS 2003 has fixed the issue.
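
Added example, not part of any post in this thread and not code from any of the firewalls named: a small Python model of the three outbound policies the thread compares (no outbound check, a rule matched on file name only, and a rule matched on program checksum plus port). The byte strings, rule table and function names are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    sha256: str        # checksum recorded when the user approved the program
    ports: frozenset   # remote ports that program is allowed to reach

def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def inbound_only(rules, name, image, port):
    # Policy as described for the XP firewall: outbound traffic is never inspected.
    return "allow"

def name_only(rules, name, image, port):
    # Rule matched on file name alone, so a renamed binary inherits the rule.
    return "allow" if name.lower() in rules else "prompt"

def checksum_and_port(rules, name, image, port):
    rule = rules.get(name.lower())
    if rule is None:
        return "prompt"                    # unknown program: ask the user
    if digest(image) != rule.sha256:
        return "block: binary changed"     # same name, different file
    if port not in rule.ports:
        return "block: port not in rule"   # right program, unexpected port
    return "allow"

# Constructed sample data: byte strings stand in for executable images.
BROWSER = b"constructed stand-in for the real browser binary"
TESTER = b"constructed stand-in for an outbound test program"
RULES = {"iexplore.exe": Rule(digest(BROWSER), frozenset({80, 443}))}

ATTEMPTS = [
    ("tester, own name, FTP", "leaktest.exe", TESTER, 21),
    ("tester renamed, FTP", "iexplore.exe", TESTER, 21),
    ("tester renamed, HTTP", "iexplore.exe", TESTER, 80),
    ("real browser, HTTP", "iexplore.exe", BROWSER, 80),
    ("real browser, FTP", "iexplore.exe", BROWSER, 21),
]

def compare():
    # Decision of each policy, in order, for each outbound attempt.
    policies = (inbound_only, name_only, checksum_and_port)
    return {label: [p(RULES, name, image, port) for p in policies]
            for label, name, image, port in ATTEMPTS}

if __name__ == "__main__":
    for label, decisions in compare().items():
        print(f"{label:24} {decisions}")
```

Only the third policy tells the renamed test program apart from the approved browser, and only the port set stops the approved browser from reaching a port its rule never listed.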
