firewall

Just a little discussion here..

....In addition to the other items mentioned in this discussion, the computer network configuration is a primary consideration in the firewall issue. On a stand-alone, single "home" computer where the user isn't required to share files and "filesharing" is disabled, on Windows 9.x/ME machines, then I agree that a firewall normally isn't required and it most probably applies correctly to Nancy's post here. But, this is a very specific group of users and doesn't include all users of Win9.x/ME.

Indeed, with the increased use of nifty home networks which allow for filesharing between computers, there are a number of users with Windows 9.x/ME machines which would legitimately need an effective firewall. There are a large number of "network aware" viruses/worms which affect Windows 9.x/ME machines which have filesharing enabled. I've had to clean up a large number of them that were infected over open shares. (One such situation involved a daily clean up of about 10 machines for two weeks till we figured out how to close the "holes" which included installing firewalls on a couple of the computers.) And although rare, there is also a slim chance that unscrupulous individuals may choose to access the unprotected computer. Some office, small business, and home networks require "wide open" sharing without "password protection" which leaves a "hole", vulnerable to a number of attacks.

My point is ... there are a number of considerations to ponder when choosing to use a firewall, or not. And if the user decides to use one...which type will work best for their needs. Users need to do the research, consider all the good advice given here and elsewhere and make an informed decision.

Hope this helps.

Grif

Again, the firewall is optional. Here's why.

1. To enable filesharing, the firewall will have to allow the ports needed to allow filesharing. No firewall is stepping in here!

2. The fileshare is not visible to the internet on the proper Home LAN setup. Here's why. The Internet is on the other side of the ROUTER or NAT and can't be seen by the outside world. The firewall again is not doing anything.

Yes, this is a very small percentage of users, but the problem remains that the DOS based Windows have FIXED RESOURCE memory pools and today's users will not understand why installing a firewall on DOS based Windows results in the need to reboot more often as the resources get drained.

Maybe it is time to close the books on Windows 95/98 and certainly ME.

Bob

....which includes a hundred or so different domains, the viruses I mentioned earlier were actually going through the routers.Obviously, that's a lot different networking setup than the one being discussed in this thread...but...

Just some information about our agency problem a couple of years ago....

Our "shared" computers were getting infected from a remote location on the WAN. How? Ya got me...as it appeared almost impossible to me. We were looking for the source for a couple of weeks and eventually found the culprit about 50 miles away on a different domain but within our WAN. Our IT staff kept telling me that there were multiple routers between us and them, but somehow the infections were making it to our computers. So one day, I turned off all our department computer except for one, sat the IT manager next to me, then waited for the intrusion to occur at the recognized time. (The infections were occurring at the same time each day.) Sure enough, while simply watching the computer screen, our antivirus program indicated the detection, and I cleaned out the machine again.

Obviously, that's not the situation in this discussion about Nancy's computer but it explains why we had to firewall a couple of our Win98 machines which acted like internal servers for our department LAN. We dumped those older machines about a year ago, so the question is mute now, but it can happen. The viruses/worms/trojans in question, (listed below) search for available ports of networks and infect open shares and somehow were crossing domains, routers, etc..

The first two below were the main problems, while the third one only happened a single time.
W32.Funlove.4099

W32.HLLW.Qaz.A (Notepad.exe)

W32.ElKern.3326

Just thought I'd bring out an unusual circumstance worth discussing. But I totally agree...

"Maybe it is time to close the books on Windows 95/98 and certainly ME."

Hope this helps.

Grif

As a novice, how do you turn filesharing on or off?

...which you haven't indicated here, but the instructions below should help you get there:

Windows 9.x/ME: Click on Start-Settings-Control Panel, double click on the "Network" icon. When that loads, on the "Configuration" tab, look in the white network components section and click once on the "File and Printer Sharing for Microsoft Networks" to highlight it, then click on the "Remove" button and follow the prompts to remove the service.

Windows 2000/XP: Click on Start-Settings-Control Panel, (or Start-Control Panel in XP), then double click on the "Networks and Dial Up Connections/Network Connections" icon, then find your type of connection type being used currently, either "Local Area Network" or "Dial-Up", then RIGHT click on it, choose "Properties". You should then be able to see the network components that are installed on the computer. If "File and Printer Sharing for Microsoft networks" is listed, UNCHECK the box next to it to disable it or click once on it to highlight it, then click on the "remove/uninstall" button to remove it entirely. It can be reinstalled later, if needed.

Hope this helps.

Grif

A "worm" has a very specific definition. Windows ME has yet to be infected by a worm if the filesharing is turned off and the user didn't install the worm by opening some email. But that's not a worm, but INSTALLING the item which may be a worm to infect other machines.

My challange is simple.

"Show me the exploit" for Windows 95, 98 and ME in the case of the machine just sitting there with file sharing turned off.

Can you hack it?

Bob

I spent five minutes looking for an example, but I can't think of any way to filter the hits to just those that have fire sharing turned off. So I'll just address this in the general case.

The nature of many of the bugs being exploited simply doesn't rely on whether or not file sharing is enabled on the target machine. All the work is done using arbitrary code being run through a buffer overflow in the packet-handling code.

While I'm sure there are some worms out there that exploit the weak security of shared resources under Windows, that is not the only route into a Win 9x machine.

You can't find the exploit for a simple reason. It's the old old old WOLVERINE code that got fixed a long time ago. If you don't remember the Microsoft Wolverine project, then dig a bit more about how MS took a hit on that and fixed it.

Again, I've yet to find an exploit of the DOS based windows in the conditions I set up. And since a firewall exacts a heavy toll on the resources resulting in more reboots, only the uninformed will continue to scream that ALL Windows 95, 98 and ME users require a firewall.

Show me the exploit.

Bob

I'm not saying this to be facetious. It's just a statment of fact: I can't find an example of that exploit because every search phrase I can think of turns up a bazillion hits.

And if you'll allow me to paraphrase for you, it sounds like you're telling me that, in the Win 9x kernel, long before security became a central priority to Microsoft, when file sharing is turned off there was precisely one (1) overflow bug, and that single bug is fixed?

Pardon me if I'm skeptical and choose to counsel in favor of caution.

Your choice on the matter and you feed the marketing machine for the firewall companies.

A little truth in advertising would go a long way.

It's not fun to read people having dire problems with "resources" and they are running a firewall that, in their selected OS isn't needed.

Maybe it is time for Windows 95/98/ME to vanish? That way, it would be true that you could always tell everyone that uses Windows to get a firewall.

Bob

Let's look at likelihoods. Which of these is more likely?

1) Despite Windows' complexity, there is no exploit for ME with file sharing turned off.

2) There have been exploits, but you haven't heard of them because the descriptions don't include special attention toward whether or not file sharing being turned on makes a difference.

You seem quick to pounce on people who advocate using a firewall. How much time have you actually put into researching whether your declaration is correct? Do you have thorough knowledge and experience in keeping track of Windows exploits? Or is this something that you've just kinda kept an eye on?

If you've actually spent a substantial amount of time researching or tracking this issue then I'm willing to defer to your judgement. But if it's just a layman's impression then I think it's not a good idea to be pushing it so hard. Repeating an impression over and over doesn't make it any more true.

I'm actually mostly on your side. I think a software firewall is marginally effective, at best. I don't run any on my Win 9x boxen. I rely on a hardware firewall to protect my network.

But I also think Windows has a well-documented history of mediocre security.

Again, looking at liklihoods, there appears to be a fairly high likelihood that adding a layer to keep Windows ME from even seeing some malformed packets will increase the security of the system. Albeit probably just a little bit.

Mighty,

Here's my background. Embedded TCPIP programming on many microcontrollers. From assembler to C and more on Windows.

For some years I offered a small product that booted a diskette to share a dialup internet connection and that was a lot of fun.

I know my stuff and do not "pounce", but ask that people don't fall for the PREDATORY SALES PITCHES that you must have a firewall for all versions of Windows.

It's blatently false in the case of the DOS based Windows and people are getting ripped off.

Why should I participate in helping with the pickpockets?

Bob

I think we're kinda talking past each other.

You do appear to know your network programming. No question about that.

But that's not quite the same as working for an anti-virus company or being the network security admin for a large corporation and thus part of your duties includes keeping a close eye on all the exploits as they're revealed. There are a bunch, and many of them do not include the advise to turn off file sharing to prevent the intrusion.

That's the difference I was referring to between being a guru/power user/knowlegable techie who pays some attention to exploit reports vs being intimately familiar with a large majority of the exploits in the wild.

I have Win ME on a laptop here. I'm tempted to hook it up outside the firewall as a ******** and see how long it lasts. I'm trying to decide how much work it would be to clean everything off before doing that, and then restoring it later.

Does anyone reading this have a convenient machine they can test with?

Or, Bob, do you have any links to tests run by reputable people that verify your assertion?

Drake

Does anyone reading this have a convenient machine they can test with?
==================================

UMMM maybe.
Will you accept a desktop running w98se and no sharing?

If so.
This machine connects to the net almost daily.
It has been doing such for the last five years or so.
Except for about a month of testing a firewall it has run without such and so far I have not seen an issue.

If that is a ******** so far I have not drawn any flies.

When I tested a firewall all it kept squawking about was port probes, medium risk, high risk etc. etc.

Since I keep all my ports closed I thought "so what" let them come knocking there is no service to open the door and I got rid of the firewall.

Since we all run our machines in a different fashion I make no suggestion to anyone running w9x/me that they should or should not run a firewall.

It's a simple request.

I find it interesting that you can't find a noted WORM that infected via an open port on Windows 98/ME on the setup I noted.

Also you want me to find a document that states that Windows 98/ME doesn't have this issue. You can do this yourself, but it's much like me telling you need a black hole detector in your firewall because that's why all firewalls fail. And only BlackFire has such. Now we have setup the scenario for a long dialogue if black holes cause such and I can come back with a request to show me proof that this is not true.

I can only share a few things.

1. I marketed, sold, supported an Office router of my own design for years (5+) until such became a commodity.
2. I've been at this since DOS with programming on CRYNWR TCPIP stacks to today's Windows. Wolverine is the base implementation of TCPIP in Windows. I wonder what your programming background is.
3. I go to the Microsoft seminars and pin Softy's in a corner on this more than a few times. Do you?

In closing, I find it abhorrent to support FLEECING the unknowning masses.

It's your dollar, buy a firewall for an OS that doesn't need it with the right setup (NT/2000/XP/2003 need it!)

Nothing you can write will stop me from telling it like it is and SAVING a person a buck or more.

Bob

I've been programming professionally for 20 years, including accounting (yuck,) graphics programming, and game programming. I don't know the TCP/IP stack anywhere near as intimately as you do, but I do know how buffer overflows work. And I'm very familiar with how sloppy and inconsistent some portions of Windows' API are.

The more you tell me about your experience, the more I see that your experience is on target and current enough that your opinion on this subject can probably be considered expert.

And now Bob b has provided one anecdotal account that supports your assertion.

You keep coming back to my not being able to find an exploit. Even if there are known exploits out there that can get into a Win 9x machine with file sharing turned off, there's no way anyone is going to be able to find them. Unless they're a lot better search engine guru than I am. Each search I can think of turns up many thousands of hits, and there's no obvious way to whittle them down to a reasonable number to check. Those reports simply aren't indexed nor keyworded by that criteria. So the fact that I haven't stumbled on one doesn't really mean anything one way or the other. Repeatedly bringing it up doesn't change that.

I was asking if you knew of some other more widely recongnized authority that had previously come out with a declaration that a Win 9x box with sharing turned off is safe. I was thinking that if you really do follow this stuff then maybe you know how to track down something like that more easily than me, since I'm starting from scratch. Maybe you know of one or more outfits who have already run this test and documented their results. Even if you can't provide me with a link, maybe you could give me some names or other keywords to search on to have a reasonable chance of finding that research.

Because, as it stands, I have only your repeated assertion, plus one anecdotal account.

It's beginning to look like you're probably correct. But expert or not, if I hear something like that from only a single source, then I have to consider the idea that they could be mistaken. I'm simply searching for more evidence one way or the other.

I don't think that's unreasonable of me, considering we're talking about what advice I give to friends on the security of Windows boxes exposed to the net.

Drake

My experience has been that a router is really the way to go. When I got cable internet connected I had Norton internet security running but no router at first. The Norton firewall would effectively block all hacking attempts, 35 in a week was the worst, but the alerts became annoying, so I connected the modem through a router after which I also left the firewall running, just to check the effectiveness of the router to block intrusions. Over a year there was not one ping on the firewall.

With this evidence I have uninstalled the firewall and have seen a good improvement in internet speed, due to the CPU having to do less work.

I have a cable modem/router at home and a DSL router at work. I run the Grisoft Anti-Virus Free program that updates EVERY day (user configured)and the Kerio free Firewall. I also run Ad-aware and Spybot. You would be amazed at the intrusion attempts on my machine. While browsing this thread there were over 350 pings classified as moderate by Kerio. I think that anyone running any version of Windows that has access to the Internet or Email would be foolish not to have some kind of protection, especially with all the FREE programs available.

This post is exactly why I recomend people NOT run firewalls... At least until they can discern between the normal sorts of things a firewall will pick up that are benign, verses the sorts of things that are a true threat.

Software firewalls use alarmist terminology to make you feel like it's actually doing something. If you don't know how to strip out the actual information, you might think that a friend trying to initiate a direct connection via AIM is some hacker trying to get into your system.

You need to know how to use a tool before it becomes useful.

A lot of good advice has been given here. Not the least of which by yewanchors in saying the more you know, the more successful you'll be in keeping your computer free of malware. But one thing that is THE basic mantra of secure computing is "Defense in Depth." A fire wall (both hardware and software) is an integral part of that depth.

I think it may be possible -- and Im just guessing, here -- that the protection provided may keep a trojan already on the puter from doing anything. So, when you turn it off, then the trojan (or other malware) can do what it was intended to do. A guy may think his puter is clean when it isnt. What do you think? For example, I know I have ".coolwebsearch.com [*] dword:4" (according to my CWShredder), but isnt it a homepage hijacker? But my homepage isnt hijacked.

Can you find a documented exploit about how to do this on Windows ME?

I've yet to find it.

Bob