Computer Help forum

General discussion

Firewalls

by GhOst-AdVance / December 7, 2006 10:02 AM PST

I am unsure if i should be using a firewall such as ZoneAlarm, or if it is fine to use the windows xp sp2 firewall

Discussion is locked
You are posting a reply to: Firewalls
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: Firewalls
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
XP's is fine
by jackson dougless / December 7, 2006 10:20 AM PST
In reply to: Firewalls

No doubt a number of people will be in here shortly yammering on about how XP's firewall doesn't do outgoing filtering... Which is not only untrue, but pointless given the vastly overblown importance of outbound filtering.

XP's firewall is one of the few things Microsoft has ever managed to do right IMO. It's just a firewall, it doesn't try to be an entire security suite like ZoneAlarm does. It doesn't pester users with cryptic messages worded in such a way as to make it seem like the world is ending. It's light on the resource use. It does a good job of blocking port scans and other automated attacks that are by far and away the biggest network related threat to the average user.

If you want something to help you deal with spam, malware, viruses, and all the other threats that exist, there are plenty of good tools for each of those problems. Even alternative solutions, such as getting a Mac, or running Linux instead of Windows. Firewalls do not, and should not, protect against these things. They're one part of the total solution, not the entire solution like most people -- such as those that repeat what they read in a press release, even though they have no idea what it really means -- think of them as.

Collapse -
thanx
by GhOst-AdVance / December 7, 2006 11:05 AM PST
In reply to: XP's is fine

thanx a lot. yea i was noticing that my pc was running a little slower after installing ZA, and i was annoyed by the allow/block messages.

Collapse -
xp firewall
by tomron / December 7, 2006 12:25 PM PST
In reply to: Firewalls

I used to use sygate and zonealarm,(not at the same time)

I now use windows xp firewall and have no issues.

Check these links,HERE and HERE

Tom

Collapse -
Why you should NEVER use the Windows XP firewall.
by Paul C / December 8, 2006 10:28 AM PST
In reply to: Firewalls

That firewall does a good job of blocking inbound threats that you did not allow on your PC; however, it does nothing to prevent malware that's either already on your machine or those you invited onto the PC for whatever reason from dialing its masters for instructions.

Using a one-way firewall such as the Win XP one provides all the protection of driving a convertible in the rain with the top up and the windows open, and then wondering why and how you got wet.

Until and unless Microsoft makes their firewall a true two-way firewall, there's no way I could recommend its use, even to my worse enemies. Get a true two-way firewall. I recommend Zone Alarm, but there are others (Outpost and Avast to name two) that are also good and just as free as Zone Alarm. The difference is that IMO, Zone Alarm is easier to use.

Collapse -
Not true
by jackson dougless / December 8, 2006 11:29 AM PST

Before you go paraphrasing a press release from ZoneLabs, you really should do some basic fact checking. XP's firewall is not one way, and even if it were, you'd still be missing the point. People should be focused on PREVENTING the malware from ever reaching their system, not resigning themselves to the fate of its inevitability, and focusing on how to mitigate the effects.

Outbound filtering is given far too much importance by people, such as yourself, who read a press release and think you know everything there is to know about firewalls. It leads people, such as yourself, to focus your efforts on treating the symptoms instead of curing the disease. It also leads people, such as yourself, to put far too much faith into the firewall. This makes for a situation where you have a false sense of security, and only makes matters worse. It's probably better that people use a minimalist firewall, as opposed to some one-stop shopping solution. The minimalist scenario forces people to be far more cognizant of their actions, and the consequences of said actions. Whereas the the-kitchen-sink-is-in-there-somewhere solution makes people feel like they're completely covered, even though they have absolutely no idea what's going on, and so they go and do plenty of stupid things thinking they're protected. Just because you used a condom every time doesn't mean it's a wise idea to go sleep with a bunch of prostitutes.

Collapse -
M'soft may disagree with you
by jonah jones / December 8, 2006 12:14 PM PST
In reply to: Not true

according to them XP won't stop "unsolicited" outgoing connections


,.,

Collapse -
Since we're using this analogy...
by JonathanCase / December 8, 2006 12:34 PM PST

From reading the Microsoft KB, and a few other help sites, I'm understanding that the XP (SP2) firewall does have limited outbound protection, of a "pre-set" nature, not configurable. But it is a good firewall. If you place any importance on leak tests, though, it's not a good firewall. (Comodo is. And I like it.) Franky, I've learned a lot about my pc's systems from considering and researching my firewall's pop-ups to get a much better handle on what's likely to be risky. This is analagous to education, or to showing folk why they maybe shouldn't sleep with prostitutes rather than just saying it's a bad idea. You can still get a killer disease from a non-prostitute, while being lulled into a false sense of security.

Collapse -
Then how is it...
by jackson dougless / December 8, 2006 11:02 PM PST

That at a previous job, I was able to block specific apps using the XP firewall? Wasn't even that difficult. This was all using just the stock SP2 firewall, no special addons or anything like that. I'd even get some popups asking whether or not I wanted to allow a special kerberos helper app to be allowed to access the network, and darned if blocking it wasn't an option.

With the XP "Gold" and SP1 rendition of the firewall, you had to go mucking about in IPSec to configure the firewall, but SP2 made it quite a bit more convenient.

So again... You might want to do some of the most basic of fact checking before paraphrasing a press release you don't understand. Or paraphrasing a tech columnist who paraphrased a press release they didn't understand.

Expecting a firewall to be your early warning system for malware is foolhardy, and likely to be woefully ineffective. It's a completely reactionary method, and not even close to 100% effective. Don't think that malware authors don't test their creations to try and mask them from firewalls and virus scanners. They could also just piggyback all communications through some program almost certain to be allowed through the firewall, such as Internet Explorer. Or, they could program it with the necessary logic, that once it's installed on your computer, it goes and silently adds itself to the allow list of the firewall. I just got up maybe a half hour ago, and so once I wake up, I'm sure I could think up a few more methods, but hopefully you get the drift.

Collapse -
*sigh* ok
by jonah jones / December 9, 2006 10:49 PM PST
In reply to: Then how is it...

fact checking:
if you set your windows firewall to "ask me when needed" i.e you click on a legitimate exe file it asks you "do want to connect?" all is well...

but you and i both know that it isn't the "legitimate" exe files that worry people, right...


a quick google of windows help sites will show that the general opinion seems to be "it's a good basic firewall for "legitimate" programs that require/need/want internet access (my interpretation/phrasing)

it does however "stumble" when that little file that came down with the great crack for the latest game you got from your favourite P2P program wants to play its own little game....


you may not like M'soft, but when their own scriptwriters say "it's a firewall and pretty basic too but it's not perfect" maybe we should believe them....


,.,

Collapse -
And?
by jackson dougless / December 10, 2006 12:45 AM PST
In reply to: *sigh* ok

A) How is the threat of modified executables any different with XP's firewall vs. any other firewall
B) How is a modified executable the domain of the firewall and not that of your AV program
C) How does this in any way help if the malware in question is given a similar name to a legitimate system file (like the kernel32.exe variants) or if the data is piggybacked off of another program such as Internet Explorer

You're doing exactly the same thing as the other person, and expecting the firewall to take on duties it isn't supposed to. The firewall's job is filtering network traffic based on rules YOU create, end of story. It's not an anti-virus program, it's not some sort of digital nanny that protects you from your own stupidity, it's not this impenetrable barrier that envelops your computer. If anything, it's like a rain coat. Great at keeping you dry when it's raining, but utterly useless if it's 20 below outside. It's just as important to understand what a firewall isn't, as well as what it is. Most people don't, like you and the other gentleman who was posting earlier. Knowledge and understanding is replaced with hearsay and superstition.

I get that learning about firewalls is about as entertaining as watching paint dry, but there's not much I can do about that. I also get that it's a complex subject, and takes some time to digest fully, which is also something I can't do anything about. It'd be great to live in a world where you didn't need a firewall, because no one would ever dream of any kind of hacking, but we don't. That means that it's every computer owner's responsibility to learn these things for him or herself. If they can't, or won't, accept this responsibility, they should return their computer to the store or sell it to someone who can/will and await the mythical appliance computer.

Collapse -
Reply:
by Paul C / December 11, 2006 5:17 AM PST
In reply to: Not true

1. People such as myself do not paraphrase any company's press releases.

2. People such as myself know - usually through painful experience - the need to do exactly what you suggest, and run our PC's with layered defenses, including multiple anti-malware applications, a good antivirus application and a firewall. We also know that replacing Windows' inadequate HOSTS file with one available at many places on the Web makes good sense.

3. People such as myself also know the importance of keeping all these applications as well as Windows properly updated and do so regularly if not automatically.

4. People such as myself also know that thorough and regular backups are an absolute necessity in the present computing environment.

5. People such as myself also know that not surfing the Net's seedier side is stupid in the extreme.

6. People such as myself also know that people such as myself - and you - are still, alas, in the minority when it comes to computer security, which is why conservative estimates decree that 15% of PC's connected to the Web are thoroughly zombified and used as spam/malware servers.

7. Consequently, people such as myself know that when security experts say that the Windows Firewall is not to be used in network applications and reference Microsoft as their authority, we know that whatever the virtues of the Windows Firewall may be, that the average user is certainly better off using another firewall.

8. Finally, to expand on your rather crude analogy, people such as myself know that the only thing worse than consorting with prostitutes believing that a condom is sufficient protection is doing so with one that has holes punched in it.

Collapse -
Interesting
by jackson dougless / December 11, 2006 6:39 AM PST
In reply to: Reply:

1) For someone who doesn't paraphrase press releases, you sure do seem to echo a lot of the same things harped on by press releases... Or press releases disguised as articles and published by Cnet, Ziff-Davis, or IDG. Maybe you do it without knowing... Who hasn't read something somewhere, had it stick in your brain, and then pulled it out at some later date, long after you've forgotten where you came across it to begin with?

2) Not to make light of anything, but apparently your experience wasn't painful enough to cause you to question why it is all these things are necessary. Because quite frankly, you can get by with very little protection IF you take a little care in your planning. I've gone over this numerous times, so it shouldn't be hard to find an example of what I propose to people.

3) Good plan, but really has nothing to do with what we've been talking about

4) See #3

5) Not necessarily, but what does that have to do with what we've been talking about

6) Yes, and it's a shame... But a firewall isn't some magic cure that will stop this sort of thing dead in its tracks, and it's foolhardy to think otherwise

7) At least you didn't post something from the GRC website, so I can maintain a level of respect for you. I'm not going to get into nitpicking about how I've never heard of the author of that article, or how none of the accolades listed in the little bio include anything about security. The fact that he's apparently a big IIS fan actually speaks against him on the security front. I won't even bother getting into how the article doesn't really say much except that the XP SP2 firewall is aimed at home users and spends the majority of the time talking about how other software firewalls can switch it off automatically. Those are things that should be taken up with the guy's editor, so unless you're the aforementioned editor... I'm just going to respectfully disagree with the assertion being made by you. There is nothing compelling, from a protection standpoint, offered by ZoneAlarm or any of the others, over the XP firewall. Outbound filtering is simply not that big of a deal. It has its uses, I won't argue that, but it's importance is vastly overblown. I think we would both agree that the real issue is educating average users on the subject, and that there is no easy answer as to how to do this effectively. There probably should be something like a mandatory analog to Driver's Ed if you own a computer. It'd be nice if every school in the country had the budget to be able to create a series of classes every student has to take to graduate, which reinforces all of this. It'd be nice if you could just toss a pamphlet in with every new computer sold, and everyone would read it. It'd be nice if Corporate America realized how much money could be saved, and potential liability avoided, if they made such classes mandatory for employees like sexual harassment seminars. Unfortunately, that's all just wishful thinking. Just the same as slapping a firewall onto a system and thinking it will cure everything. Especially when the average user is just going to click "Allow" to every question posted by ZoneAlarm or any other firewall. They won't read the message, they'll just assume they won't understand it, just how ZoneLabs and company prefer it. Which fits nicely with your extension to my analogy about the condom with the holes punched in it.

Cool Isn't it funny how crude analogies always seem to work the best? You can make car analogies until pigs start flying, it won't ever have quite the same impact as mentioning something that isn't supposed to be talked about in polite society, such as prostitutes. What does that say about us as a culture?

Popular Forums
icon
Computer Newbies 10,686 discussions
icon
Computer Help 54,365 discussions
icon
Laptops 21,181 discussions
icon
Networking & Wireless 16,313 discussions
icon
Phones 17,137 discussions
icon
Security 31,287 discussions
icon
TVs & Home Theaters 22,101 discussions
icon
Windows 7 8,164 discussions
icon
Windows 10 2,657 discussions

CNET FORUMS TOP DISCUSSION

Help, my PC with Windows 10 won't shut down properly

Since upgrading to Windows 10 my computer won't shut down properly. I use the menu button shutdown and the screen goes blank, but the system does not fully shut down. The only way to get it to shut down is to hold the physical power button down till it shuts down. Any suggestions?