Avast or Zone Alarm using proxy server?

[James Egan]

Agreed. I just hope anyone reading along sees enough of our replies to
not heed Gerald's advice.

On the contrary he's mentioned quite a few valid points and is largely
correct. Don't try and make him out to be some kind of whacko (which
he clearly isn't) to try and gain the upper hand in your losing
argument.


Jim.

 

[bassbag]

You don't just install a software because it "seems a respected site".
This is just the problem. If you want to install freeware you check
forums, usenet groups other places and look for people that are using it
and confirm where they have it from. If you read the comments for that
software you will see that it contains a trojan.

Only because you see a "respected house" even in a "respected
neigborhood" does not mean that there is nothing illegal or dangerous
behind the doors. But with your PFW and AV software you just get
careless because you think you are invulnerable against anything.


No. You have seen a pop-up and you hope that the firewall did actually
stopped it. You don't know what it actually did to your system. You
don't know if it, while you were reading the pop-up, actually tunneled
information out through Internet Explorer. You don't know what it
actually modified on your system and where it might have changed
something. You don't know if there is something waiting in the
background for the moment when you even turn off your PFW because some
other program you use does not work together with your PFW. You don't
know. That is the point: your computer is compromised because of you
downloading software. The pop-up makes you think that "you know" and
that you prevented something bad. You prevented something, maybe, but
you don't know anything. And that is the problem: you think you know
although you don't. If, in a month from now, your ISP gives you an angry
call and has disconnected you from its network because you were relaying
spam mails you just wonder, why and how, because you PFW did stop the
trojan from talking to the outside while in reality it may have made a
few other changes for later...

The outgoing pop-ups may be nice to learn but as part of security
software people quickly depend on it and believe it completely. If you
really want to know what is going over the wire, get a network sniffer.
That gives you the truth about what is going on. If you just want to
know what application does send data out, there are other non-intrusive
programs available that log you with outgoing connections and you can
learn that way...

Gerald

Gerald

Ahh rite....my car has one driver air bag ,my neighbours has 4.I havent
crashed yet nor has he ,so i dont know wehther theyll work or not.I
wonder why he forked out for a car with all those extra airbags when he
doesnt even know if theyll work.Of course if he leaves it in the garage
and dont go anywhere ,drive on roads that he doesnt know , he shouldnt
have to worry at all .By the way i have several sniffers.Its a bit late
looking at the sniffer log and seeing the horse after its bolted.But then
again ...how do i reallllyy know that my sniffers working correctly.It
seems rather strange you condemn an application firewall because of the
possible mess it might make on a system and then recommend a sniffer .I
guess if microsoft upgrade thier firewall to application filtering too in
the near future you will be in a right quandry.
me

 

[Beauregard T. Shagnasty]

On the contrary he's mentioned quite a few valid points and is
largely correct.

Yes, his ideas would be fine for him, you, and me, who know how this
stuff works, but not a good idea for, as an example, a granny who just
got her first computer so she can email the family. I can not picture
phoning up my 85 year old mother who lives 250 miles away, and telling
her to uninstall the firewall, use Internet Explorer, and get a packet
sniffer. I gave Mom her first-ever computer for her 80th birthday.

Don't try and make him out to be some kind of whacko (which he
clearly isn't) to try and gain the upper hand in your losing
argument.

I never said he was a wacko, just that his advice for newbies is
insufficient.

 

[Roger Wilco]

Agreed. I just hope anyone reading along sees enough of our replies to
not heed Gerald's advice.

He's not all wrong - and I wonder why he makes a distinction between
XP's firewall and another. Anybody serious about security will have a
dedicated firewall device not some software running on the machine that
hopes to be protected. He is absolutely correct about not battling
security with complexity.

 

[Gerald Vogt]

In alt.comp.anti-virus, James Egan wrote:
Yes, his ideas would be fine for him, you, and me, who know how this
stuff works, but not a good idea for, as an example, a granny who just
got her first computer so she can email the family. I can not picture

We never talked about a specific group in particular for which other
means may be necessary and required. We talked about the average which
is not completely computer-illiterate. And if you write that you "know"
that an application does not send data into the internet because your
out-going firewall did block something, that it is obviously about you
and not your granny.

And in respect to the group you focused on here, grannies and newbies, I
strongly do not recommend the simple use of a commercial PFW: PFWs ask
so many questions that no newbie can answer correctly. A newbie does not
know much about security. He cannot accurately answer questions
regarding security. I know of know PFW that does properly help newbies
in particular. A newbie should have a computer that is closed down as
far as possible. I should be set up in a way that he runs only as
limited user, cannot install anything and cannot reconfigure the system.
The security system basically should say nothing and just protect the
user. The only reasonable messages would probably a AV messages when you
downloads a virus or browses to an infected site. That would help the
learning process, but only if the warning would include something like:
"you were lucky this time. be more careful. the probability that the
anti-virus will recognize the threat the next time is 50% so don't play
russian roulette". Windows Update and similiar should just run fully
automatically. This list goes on and on and on...

A newbie computer has specific security requirements which by far are
not answered by a PFW/AV. But that is what is sold: just install our
software are you will be perfectly safe. And this does not promote what
is most important in respect of security: the person sitting in front of
the computer should be careful of what he does.

You where the one who wrote "You surely have strange ideas, which I
would not recommend to anyone." You were the one who wanted to give
general advice to everyone. We never talked about a specific newbie or
granny...

Gerald

 

[Gerald Vogt]

He's not all wrong - and I wonder why he makes a distinction between
XP's firewall and another. Anybody serious about security will have a
dedicated firewall device not some software running on the machine that
hopes to be protected. He is absolutely correct about not battling
security with complexity.

Which firewall do you mean with "another"? If you mean a PFW then I
mentioned that most/all PFWs deeply modify Windows, many of these
changes cause often trouble with other software (I am not even talking
about configuration problems that basic PFW users generally solve by
temporarily turning it off.)

In general, I would say you are right. I think a hardware firewall is
preferable to a software one on your computer. But in this thread we
started off with PFWs so this is the mainly focus. A general security
concept does consist of many things. And in particular there is no
security concept for all people. It always depends on the scenario. If
you only have one computer and you want to browse a little and send a
couple of e-mails you would for example not even need a firewall if you
configure the computer properly and be careful.

Gerald

 

[Gerald Vogt]

Ahh rite....my car has one driver air bag ,my neighbours has 4.I havent
crashed yet nor has he ,so i dont know wehther theyll work or not.I
wonder why he forked out for a car with all those extra airbags when he
doesnt even know if theyll work.Of course if he leaves it in the garage

It is not about whether they work or not. It is about how you drive with
airbags on board or not. In general, people tend to risk compensation.
If they have some more security stuff they risk more because they have
it. The overall security does not improve because of added risky
behaviour. If you think that with your super-secure car that has airbags
and all the other security "features" for $20000 you can drive with
200km/h full frontal against the wall then you have a classic case of
risk compensation.

have to worry at all .By the way i have several sniffers.Its a bit late
looking at the sniffer log and seeing the horse after its bolted.But then

Yes. But was does the average joe does when his PFW does actually report
that malware XYZ tries to send data to the internet? He is so happy that
he has this fantastic feature, blocks the traffic and continues to
browse for another P2P software to install next... Why bother, they are
safe anyway. And he think he _knows_ because of that message for sure
that you blocked the malware completely and that it does not tunnel
information through IE for example. And once he one "successful" block
of a data transmission he also assumes - for whatever reason - that any
other malware will be blocked, too, which again is wrong because there
is sometimes malware that is more clever.

Look into forums or newsgroups where people ask for help. They sometimes
post hijackthis logs containing more than 20 viruses, ad/spywares etc.
They write they don't understand how that happened. They installed a PFW
and AV. Always blocked everything possible. Still they got infected and
they don't know how. And then they read about Spybot, Ad-Aware and all
this other stuff and ran it over their system. They used all available
virus-scans on the internet. They cleaned everything that any of these
programs suggested should be cleaned. But in the end, still they don't
understand why there computer is still compromised. When you tell them:
if your computer is compromised the only safe thing to do is to take the
Windows CD, boot from it, and format the hard disk, they don't want to
hear that either...

again ...how do i reallllyy know that my sniffers working correctly.It

That is a silly question. Anything can fail to any given time. A sniffer
is a fairly simple device and if you put it into the wire, all traffic
has to go through it. Due to the simplicity it is harder to make it all
wrong. There may be bugs there, too, but that is true for any soft- and
hardware, for anything actually.

seems rather strange you condemn an application firewall because of the
possible mess it might make on a system and then recommend a sniffer .I

No. I do not condemn application firewalls. I said that the current PFWs
do mess with the system. Again: look at your PFW. Look how many registry
entries it created. Look how much DLLs and EXEs it installed. Look how
much it modified in your system. It is a well established fact that PFWs
in particular have a deep impact on the system. This has nothing to do
with "application firewalls".

The biggest problem is the concept to control traffic on the machine
itself on which the malware runs at the same time and to believe this
will work perfectly.

guess if microsoft upgrade thier firewall to application filtering too in

You don't have XP SP2. Correct?

Gerald

 

[Martin]

Exactly! Because you don't want to care about it. You just want to do
anything you want and somebody or something else should prevent any
evil...

Gerald

No, I just expect programs that make a certain claim to live up to that
claim - oh, hang on, isn't that YOUR point???

I run Zone Alarm Pro (because Windows XP SP2 Firewall wasn't doing the job I
wanted or needed it to do), Ad-Aware and Spybot, and Avast Pro, all of which
update regularly as does Windows XP using auto-update. On top of that all
computers run behind a router anyway. Unless I know they are coming,
attachments in e-mails are deleted or just not loaded off the server, and I
don't just download anything and run it just for the hell of it!!

I think you can say I don't just sit back and hope everything is OK and
certainly don't just rely on any of the above to do the job for me - I am
constantly monitoring things, checking logs, installing updates, etc.
However I still like the extra features that ZA offers above what Windows FW
does, and so far I have found ZA works far better with other things than WFW
seems to! As I said, I turned off WFW and went back to ZA because even
after SP2 it still failed to protect in some ways (don't ask me to remember
full details, I really can't be bothered that much)... Yes, ZA does require
more user intervention that WFW does, but as many have told you they seem to
prefer to have that extra feature....

 

[Gerald Vogt]

I run Zone Alarm Pro (because Windows XP SP2 Firewall wasn't doing the job I
wanted or needed it to do), Ad-Aware and Spybot, and Avast Pro, all of which
update regularly as does Windows XP using auto-update. On top of that all
computers run behind a router anyway. Unless I know they are coming,
attachments in e-mails are deleted or just not loaded off the server, and I
don't just download anything and run it just for the hell of it!!

Then you are happy anyway. So good for you. All I said is that there are
many things in your setup that you don't need. If you want it anyway,
then you are free to do whatever you do. Many other people do use
security software in a different way (e.g. thinking two security
products make everything more secure than one.)

I think you can say I don't just sit back and hope everything is OK and
certainly don't just rely on any of the above to do the job for me - I am
constantly monitoring things, checking logs, installing updates, etc.
However I still like the extra features that ZA offers above what Windows FW
does, and so far I have found ZA works far better with other things than WFW
seems to! As I said, I turned off WFW and went back to ZA because even
after SP2 it still failed to protect in some ways (don't ask me to remember

a) the XP SP2 FW does work - as far I can tell and as far as I read
reports from others in newsgroups and other places - exactly the way it
is supposed to work and does exactly what it promises, nothing more, in
a efficient way. If you, for example, set the SP2 FW to block all ports
with no exception than all ports with no exceptions are blocked. The
setting can only be changed by an administrator. (I do not say that
other malware that the user runs locally and that exploits other
security vulnerabilites may be able to gain administrator privileges and
may reconfigure the FW. This is different problem and does not change
the fact that the SP2 FW does what is promises and nothing else.)

b) the XP SP2 FW does interfere in general less with other software on
the computer than any PFW software.

c) the PFW I had was - as long as I was running it - completely useless.
It was basically just harassing me with messages of either incoming
packets going to a dead end anyway or with outgoing connections of
software checking for updates which I wanted anyway and for which I had
to regrant permissions after each update. No software on my computer did
actually unexpected data transmissions. I knew which software does
connect and where to and how to configure in case I don't want it in
which case the software did not communicate anymore. On top of that the
PFW did surely consume 1 GHz of my 2GHz CPU.

d) I have a backup strategy and am able to restore a working backup in
case something actually does happen. I won't play around with a system
that has been compromised and hope I got everything cleaned up. I know
my system and I know the processes running on it.

Thus, I never had a case where the SP2 FW failed me to protect and I
still don't see why in general this should happen except on initiative
of the user itself.

Gerald

 

[Julian]

In general, I would say you are right. I think a hardware firewall is
preferable to a software one on your computer. But in this thread we
started off with PFWs so this is the mainly focus. A general security
concept does consist of many things. And in particular there is no
security concept for all people. It always depends on the scenario. If
you only have one computer and you want to browse a little and send a
couple of e-mails you would for example not even need a firewall if you
configure the computer properly and be careful.

I wouldn't go so far as this, although a couple of years ago I used to
say it, too. Even if that's all you want to do, there are still various
things exposed in Windows that can be exploited by an attacker. If
Microsoft can't even work out how to make Windows safe until after the
event, how is even the most techno-savvy user supposed to know?

 

[Gerald Vogt]

I wouldn't go so far as this, although a couple of years ago I used to
say it, too. Even if that's all you want to do, there are still various
things exposed in Windows that can be exploited by an attacker. If
Microsoft can't even work out how to make Windows safe until after the
event, how is even the most techno-savvy user supposed to know?

Which things are "exposed"? What do you have in mind?

At least on XP Prof. it is possible to prevent limited users from
installing software or DLLs, and configure access rights accordingly to
prevent most damage. Certainly root exploits may still be possible but
in most cases root exploits work in a way that no firewall can do
anything against it. And even then it is still not a compromise of the
firewall or due to the absence of the firewall.

Gerald

 

[Julian]

Which things are "exposed"? What do you have in mind?

At least on XP Prof. it is possible to prevent limited users from
installing software or DLLs, and configure access rights accordingly to
prevent most damage. Certainly root exploits may still be possible but
in most cases root exploits work in a way that no firewall can do
anything against it. And even then it is still not a compromise of the
firewall or due to the absence of the firewall.

I'm thinking about things like LSASS and UPNP. Okay, those holes have
been closed now, but who knows if there aren't others? Since they are
services, they are not necessarily contained by security or policy
restrictions placed on the user. In any case, few people have sufficient
understanding of Windows security to lock their systems down.

Even if they do, many applications, and especially games, don't work
properly when run under such restrictions. What you are advocating is
possible only in an organization running XP Pro with a strictly
controlled environment. For home users (perhaps I've lost the thread,
but I thought they were mostly what this was all about) that just isn't
practical.

 

[Gerald Vogt]

I'm thinking about things like LSASS and UPNP. Okay, those holes have
been closed now, but who knows if there aren't others? Since they are
services, they are not necessarily contained by security or policy
restrictions placed on the user. In any case, few people have sufficient
understanding of Windows security to lock their systems down.

Few people have sufficient understanding. But they could read
http://www.ntsvcfg.de/ntsvcfg_eng.html and use the script provided
there. Regarding lsass und upnp: you do not need them for a simple
machine for some e-mail and web browsing that is most likely connected
directly to the internet. If you need them you are in a local network
and should have a router with firewall installed which won't let traffic
to these services... But the latter is always the problem: if you need
a service or if you run a server (let's say your own web server) this
server may always have security holes. But you should know about the
risk before you offer a server to the internet and try to keep the thing
updated. This is a general problem and cannot be avoided.

Even if they do, many applications, and especially games, don't work
properly when run under such restrictions. What you are advocating is
possible only in an organization running XP Pro with a strictly
controlled environment. For home users (perhaps I've lost the thread,
but I thought they were mostly what this was all about) that just isn't
practical.

It depends on what you want to do and how much your security is worth.
If you do a whole lot of sensitive stuff on your computer like internet
banking etc. you should just think about what else you do on that
machine. And I don't see the limitations in practicality. If you run
your computer directly linked to the internet you don't need these
services. Why do you want to use UPnP on the internet? Why do you want
to use file sharing on the internet? Neither UPnP nor file sharing are
designed for that and it is just stupid to do so. You won't need these
services in that scenario. If you have a LAN and you want to use UPnP
and file sharing etc. then you cannot shut down these services. Get a
router or use the SP2 firewall to close the ports towards the internet.

Summary: if you intentionally want to use a service you have to consider
about the security of this service because you want it. If you run a
internet server it is your own problem and you should know what you do.
But generally, for a simple e-mail&browsing computer that you were
refering to you don't need these services and you can shut them down or
configure them in a way that they do not accept connections from the
internet.

Never just install some PFW software and think this software will make
everything secure, whatever it will be what you are doing.

Gerald

 

[Julian]

Summary: if you intentionally want to use a service you have to consider
about the security of this service because you want it. If you run a
internet server it is your own problem and you should know what you do.
But generally, for a simple e-mail&browsing computer that you were
refering to you don't need these services and you can shut them down or
configure them in a way that they do not accept connections from the
internet.

Never just install some PFW software and think this software will make
everything secure, whatever it will be what you are doing.

Gerald

I agree with you in theory, especialy with regard to the problems caused
by PFW applications, but that's because I'm a fairly techno-savvy guy
who doesn't use IE or OE and never visits dodgy websites.

However, I have a fair bit of experience of dealing with the problems of
ordinary users. The trouble is, they are so ignorant of the risks they
face they don't even know that they *should* think about the security
risks of what they are doing, never mind have the *ability* to think
about it if someone told them to.

It's easy to fall into the trap of thinking that what works for us will
work for other people. It won't, because they don't think like we do. I
hate PFWs, and think that a lot of what they do, they do because the
marketing department wants to create an application that looks clever
and technical and constantly reminds the customer that it's doing the
job they paid for. The Windows firewall just gets on with the job,
quietly. (And my SMC router does the same job just as well, with the
added advantage that no bit of rogue software can quietly disable it
when I'm not looking.)

But PFWs *do* help to protect ignorant users from themselves, and it's
easier to get across the message "use a PFW" than it is to educate
people to the level where they can avoid the risks by knowing what they
are doing.

The PC is an appliance for most people now, like the video, and they
don't want to know any more about it than what buttons to push to get it
to do what they want to do.

 

[Gerald Vogt]

However, I have a fair bit of experience of dealing with the problems of
ordinary users. The trouble is, they are so ignorant of the risks they
face they don't even know that they *should* think about the security
risks of what they are doing, never mind have the *ability* to think
about it if someone told them to.

Those people can install their PFWs and other gadgets and learn it the
hard way, may it even be the police standing in their door because
someone is distributing child porn from their computer (which has
happened). If they want to ignore the signs or just rely on others or a
particular software it is their own fault (and irresponsible).

It's easy to fall into the trap of thinking that what works for us will
work for other people. It won't, because they don't think like we do. I

Not in my experience. Most people I know are willing to learn if you
tell them. They are willing to accept that it is better without a PFW
and are doing fine. The lack of this extra flashy thing puts a extra
amount of caution into their actions. No problems there. The only
problems are those who insist to have a PFW installed: "I cannot print,
I cannot do browser, I cannot do whatever while the FW is on. Help!".
And "What is this service? What is that? Do I have to block this? Can a
admit that?". Well, maybe I just know the wrong people, but the last
time I looked, the only real problems where with those people that had a
PFW. The other ones were actually more cautious...

But PFWs *do* help to protect ignorant users from themselves, and it's
easier to get across the message "use a PFW" than it is to educate
people to the level where they can avoid the risks by knowing what they
are doing.

I believe this "education" is generally not so hard if people are
willing to accept that it is a learning curve and they should take it
step by step. Certainly, if the first thing you want to do in the
internet is find all this cool free xxx sites...

But to rely on PFWs to protect people from themselves... Does it
actually matter if their computer is compromised within two days or
within two weeks? The result is the same: once compromised any security
software on that system is quickly absolutely useless. Once compromised
it does not make any difference anymore. In my experience, the only
thing that PFW really do is to make people think they are safe (and
invulnerable). They do not look out for "the signs" of a compromise
because they think if there was something their PFW/AV would tell them.
Those people without a PFW a more sensitive to what happens. They notice
if there is frequent network traffic and hard disk activity although
they are not doing anything. (Worst even, sometimes PFW actually
produces exactly that, too). With PFWs people don't notice and then
their compromised computer is actually longer on the internet to do its
harmful play.

Make a test: send a hand-written "test"-virus to the people you know. I
predict: those with all the flashy security software more likely go for
it and execute it if it comes from your email address than those with a
proper configuration of their computer.

So, my opinion: let the ignorant be ignorant. They can buy PFWs or not.
It does not make a difference. In the worst case, they buy a new
computer every year because after a year your computer becomes so
terribly slow with all that undected malware on it. (Where have I read
that story again...).

The PC is an appliance for most people now, like the video, and they
don't want to know any more about it than what buttons to push to get it
to do what they want to do.

Well, it is time to learn, that it is not. A computer is an extremely
complex machine. Some people read the manual of their microwave to
understand how to operate it and that is pretty easy. A computer is kind
of like all electrical devices in the household combined: the
super-generic all-purpose machine. Why do they think it's a toaster?

Gerald

 

[Julian]

Well, it is time to learn, that it is not. A computer is an extremely
complex machine. Some people read the manual of their microwave to
understand how to operate it and that is pretty easy. A computer is kind
of like all electrical devices in the household combined: the
super-generic all-purpose machine. Why do they think it's a toaster?

The trouble is, people are sold this complex computer when that isn't
want they need, or want. What they want is an appliance, something like
a digital satellite set-top box that just does the things they want, not
an OS that tries to be all things to all people and was designed in the
days (and for the kind of environment) when you didn't have to think
about how any feature might be exploited to cause harm.

The problem is Bill Gates' plan for world domination and a Windows PC in
every home. That's not what people need. But that's what they've got. So
we're stuck with applying band-aids like AV software, and anti-spyware,
and PFWs in order to make things work.

Contrary to your experience, many people *don't* want to learn about the
workings of a computer. And they don't want to accept the constraints of
safe operating practice like using a non-Microsoft web browser, or
logging in as a limited user, under which their favorite games don't work.

 

[bassbag]

guess if microsoft upgrade thier firewall to application filtering too in

You don't have XP SP2. Correct?

Correct.But who knows what microsofts future platforms might entertain?.I
admire your convictions ,though i would disagree with them.Ill leave it
at that.
regards
me

 

[Gerald Vogt]

Correct.But who knows what microsofts future platforms might entertain?.I
admire your convictions ,though i would disagree with them.Ill leave it
at that.

You don't read properly. I am not talking about "convictions". If you
want to be safe, get a secure Linux distribution. This thread was
related to Windows security and about Windows users. My comment was an
attempt to point out what kind of security is possible even on Windows
if you spend some time (instead of simply spending the time to buy the
PFW box). Most people are not interested in switching to Linux, which I
also assumed here. Thus, in the context of this thread we are on Windows.

You are the Windows fanatic who has to use Windows and needs a PFW to
protect yourself from yourself and what you are doing (although your
argument is that you don't trust Microsoft). So, here is my real advice:
switch to Linux! Are you happy now? You will tell my, "no, I can't
because I need this&that". But that is again all you own problem.

So in the context of this thread I pointed out that the SP2 FW does give
all the security that is really possible. Certainly, there may be
flaws in that, too. But from the software design point of view I believe
that the very simple SP2 FW, which implements a very simple but
extremely crucial aspect of network security, is much safer than the
huge giant of PFW which is the attempt to put all possible and
impossible security solutions into one big huge thing. The latter is
suposed to be much more errorprone that the first. The latter does on
top of that involve in immense amount of user interaction while the
first one doesn't. The number of code lines of the SP2 FW is magnitudes
lower than that of a PFW.

But the bottom line is: if you need the PFW because you rely on it you
rely on something that is conceptionally flawed and cannot provide you
with what the marketing department of the PFW vendor does tell you. It
is impossible to protect the user from himself in a standard windows
installation - with or without a PFW.

Gerald

 

[Roger Wilco]

Which firewall do you mean with "another"?

XP's firewall. To me XP's firewall is a PFW - just not an aftermarket
one. Is there something sprcial about XP's firewall that makes it any
more "real" than any other software running locally?

If you mean a PFW then I
mentioned that most/all PFWs deeply modify Windows, many of these
changes cause often trouble with other software (I am not even talking
about configuration problems that basic PFW users generally solve by
temporarily turning it off.)

I can see how XP's firewall might integrate better. I just wondered how
XP's could be considered any "better" if you consider that neither are
"real" firewalls. I understand now the integration with the OS is the
reason.

In general, I would say you are right. I think a hardware firewall is
preferable to a software one on your computer. But in this thread we
started off with PFWs so this is the mainly focus. A general security
concept does consist of many things. And in particular there is no
security concept for all people. It always depends on the scenario. If
you only have one computer and you want to browse a little and send a
couple of e-mails you would for example not even need a firewall if you
configure the computer properly and be careful.

If you know what you are running and what you are exposing to the
outside, keeping up with whatever security problems come to light with
them is the hardest thing to do. Aside from that, configuration
(minimalist) is all you need (and being careful of course).

PFW's do come with a lot of nifty security related features in addition
to control of ports, like application control, logging, packet
inspection etc...but a real firewall sits between and if it gets
compromised it is THAT machine not the protected one being compromised.

 

[Gerald Vogt]

XP's firewall. To me XP's firewall is a PFW - just not an aftermarket

Sorry I don't follow. "XP's firewall and another" with another = "XP's
firewall"?

one. Is there something sprcial about XP's firewall that makes it any
more "real" than any other software running locally?

It's not preferable to a HW FW. But it is magnitude better than a
standard commercial PFW that does protect the user against everything
and anything including himself. From the software design point of view
the XP SP2 FW is much more likely to do what it is supposed to to and
less vulnerable than a PFW.

PFW's do come with a lot of nifty security related features in addition
to control of ports, like application control, logging, packet
inspection etc...but a real firewall sits between and if it gets

Yes, but these features only work in limited scenarios and are never
100% secure. The problem is, people rely on things like application
control and are extremely surprised when you demonstrate how easy it is
for an application to send data out although the PFW is running. The PFW
does nice things but you have to know what is actually does and can
accomplish. The marketing people of PFWs won't tell you that...

Gerald