is the XP built-in firewall any good?

  • Thread starter: RJ
Any third party option is better.. ZoneAlarm will cut it for you..

The SP2 firewall exists to give some protection on XP's first outing to
Windows Update.. it will give protection beyond that, of course, but only
against incoming 'hazards'.. third party firewalls also warn you re. things
that try to 'phone home'..
 
It is certainly true that one can make a computer safe without a firewall. Turning off all services or processes that listen to TCP and UDP ports, ensuring that those services one wants to run are safe etc., will help. But security is a process, not a configuration setting. Especially with Microsoft, when you update your computer, reconfigure it or install new software, services that you thought were off are turned on again. Without a firewall these new or newly enabled services are listening away on the internet and may be a target of a vulnerability. A firewall helps manage this process. It is a single point in which you can configure what is allowed to connect to the internet and what is not. It helps protect you from mistakes made by yourself, or by your OS provider. A firewall is like a guard rail on a high mountainous road - if you take your eyes off the road, the guard rail will help prevent an accident.

Home users with broadband connections are wonderful targets. Lots of guys out there love to collect broadband zombies.

One of the best functions of a software firewall is outbound protection, i.e., stopping programs from phoning home. Think it isn't going to happen to you since you practice "safe computing"? Got kids? Ever install just about any kids' learning software program? How about the "Carmen SanDiego" series of games? Every one of them seems to be bundled with Broderbund.

On the subject of kids... got them? They like to chat online? Maybe cruise IRC? Do they like their ICQ? AIM? Or any one of the numerous messenger services that allow direct connections? How about file sharing? LimeWire, BearShare, Kazaa?

In every possible event above, a software firewall could prevent or at least mitigate any potential problem. You have blocking of unsolicited inbound connections, and blocking of unapproved outbound (translate: spyware) connections. Don't think that simply because you don't keep valuable financial info on your PC that you aren't a target. If you have a 24/7 broadband connection, you're a target. Simple as that.
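The point above about services being switched back on after an update can be checked by diffing listener snapshots. This is an added example, not part of the original thread; both `netstat -an` style snapshots are constructed sample data and the function names are hypothetical.

```python
# Added example: detect newly listening services by diffing netstat snapshots.
# Both snapshots below are constructed sample data in `netstat -an` style.

BASELINE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1190      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""

AFTER_UPDATE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5000         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:123            *:*
  UDP    0.0.0.0:1900           *:*
"""

def listeners(netstat_text):
    """Return {(proto, address, port)} for sockets that accept traffic."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        proto, local = fields[0], fields[1]
        # TCP rows count only in LISTENING state; every bound UDP socket counts.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        address, _, port = local.rpartition(":")
        found.add((proto, address, int(port)))
    return found

def new_exposure(before, after):
    """Listeners added since the baseline, split by reachability."""
    added = listeners(after) - listeners(before)
    loopback = {l for l in added if l[1].startswith("127.") or l[1] == "[::1]"}
    return sorted(added - loopback), sorted(loopback)

if __name__ == "__main__":
    reachable, local_only = new_exposure(BASELINE, AFTER_UPDATE)
    for proto, address, port in reachable:
        print(f"NEW network-reachable listener: {proto} {address}:{port}")
    for proto, address, port in local_only:
        print(f"new loopback-only listener:     {proto} {address}:{port}")
```

Listeners bound to all interfaces are the ones a firewall would otherwise have to cover; loopback-only listeners are reported separately because they are not reachable from the network.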
 
RJ said:
Or is ZoneAlarm a better option?




From www.spywareinfo.com

I promised myself a while back not to go on another anti-Microsoft rant,
that I would write calmly about any goofs they make. It has been a hard
promise to keep at times. And now, I must break that promise. If I don't
rant about this, I will burst at the seams.

The function of a software firewall is simple. It allows the user to control
the computer's access to other computers. To do that, it blocks attempts to
send unauthorized data out over a network, as well as the attempts of other
computers to send data to the protected computer. A proper firewall allows
data into or out of the computer, only when the user gives the firewall
permission to do so. I think most people will agree that this is an accurate
description of the proper function of a software firewall.

So I am left to wonder if the Microsoft programmers who designed the Windows
Firewall have lost their freakin minds. While the Windows Firewall will
block network access like any other firewall, the settings which determine
whether or not an attempt to access the network is permitted are stored in
the registry. Any piece of software is allowed to edit that part of the
registry and give itself permission to send or receive data over the
network.

There are several viruses, worms and spyware programs that edit the registry
settings for the Windows Firewall. Even if the user discovers a virus
infection and cleans it successfully, that computer can be reinfected at any
time, if the virus edited the firewall settings. Many network worms can
infect a computer if they discover certain unsecured network ports. It
happened to me once, when I turned off my firewall and forgot to turn it
back on.

Changes to a firewall's settings should be possible only through the
firewall program's interface. Those changes should be saved into an
encrypted file, which cannot be altered by any other program. Those settings
should not EVER be written to the registry, where they can be altered by any
other program running on the PC. It takes only the smallest shred of common
sense to realize this.

Where was the common sense when they were creating the Windows Firewall?
This is like hiring security guards to keep gate crashers away from a party
but allowing the guests to write their own invitations.

But wait, there's more!

Someone discovered recently that the Windows Firewall interface won't even
tell the user about an opened port, if the registry entry granting it
permission has a malformed name. Not only can a malicious programmer give
his evil creation permission to bypass the firewall, he can hide the fact
that he's done it!

It is boneheaded mistakes like this which make it difficult to use Windows
safely. God help us all when Microsoft begins to make its own antivirus
software. The only reason Microsoft's antispyware program works well
probably is because Microsoft didn't write it.
 
RJ said:
is the XP built-in firewall any good?


Sure. It offers significant protection.

Or is ZoneAlarm a better option?


Also yes. The XP firewall monitors incoming traffic, but does nothing to
stop spyware programs trying to call home. It also is much less configurable
than other choices (although it's much improved in SP2).

For those reasons I recommend the free version of ZoneAlarm (or almost any
third-party firewall) instead.
 
RJ said:
Or is ZoneAlarm a better option?


WinXP's built-in firewall is adequate at stopping incoming attacks,
and hiding your ports from probes. What WinXP SP2's firewall does not
do, is provide an important additional layer of protection by informing
you about any Trojans or spyware that you (or someone else using your
computer) might download and install inadvertently. It doesn't monitor
out-going network traffic at all, other than to check for IP-spoofing,
much less block (or even ask you about) the bad or the questionable
out-going signals. It assumes that any application you have on your
hard drive is there because you want it there, and therefore has your
"permission" to access the Internet. Further, because the Windows
Firewall is a "stateful" firewall, it will also assume that any incoming
traffic that's a direct response to a Trojan's or spyware's out-going
signal is also authorized.

ZoneAlarm or Kerio are much better than WinXP's built-in firewall,
in that they do provide that extra layer of protection, are much more
easily configured, and have free versions readily available for
downloading. Even the commercially available Symantec's Norton Personal
Firewall provides superior protection, although it does take a heavier
toll of system performance than do ZoneAlarm or Kerio.


--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
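The stateful behaviour described in the post above, as an added example that is not part of the original thread: a simplified model of a connection-tracking firewall, run once with inbound-only filtering and once with a per-program outbound allow-list. The class, program names, addresses and the allow-list mechanism are assumptions made for illustration, not the actual design of the Windows Firewall or any third-party product.

```python
# Added example: toy model of an inbound-only stateful firewall.
# Hosts, ports, program names and the allow-list are constructed for illustration.

class StatefulFirewall:
    def __init__(self, outbound_allowlist=None):
        # None models inbound-only filtering: every outbound flow is allowed.
        self.outbound_allowlist = outbound_allowlist
        self.connections = set()  # state table: (local_port, remote, remote_port)

    def outbound(self, program, local_port, remote, remote_port):
        if (self.outbound_allowlist is not None
                and program not in self.outbound_allowlist):
            return "BLOCK"
        # Allowed outbound flows are recorded so their replies can be matched.
        self.connections.add((local_port, remote, remote_port))
        return "ALLOW"

    def inbound(self, remote, remote_port, local_port):
        # A packet is accepted only as a reply to a tracked outbound flow.
        if (local_port, remote, remote_port) in self.connections:
            return "ALLOW"
        return "BLOCK"

def scenario(firewall):
    """Run the same five events through a firewall and record each verdict."""
    return {
        "probe": firewall.inbound("198.51.100.7", 4444, 445),
        "browser_out": firewall.outbound("browser.exe", 1050, "203.0.113.5", 80),
        "browser_reply": firewall.inbound("203.0.113.5", 80, 1050),
        "spyware_out": firewall.outbound("spyware.exe", 1051, "198.51.100.7", 80),
        "spyware_reply": firewall.inbound("198.51.100.7", 80, 1051),
    }

INBOUND_ONLY = scenario(StatefulFirewall())
WITH_OUTBOUND_CONTROL = scenario(StatefulFirewall(outbound_allowlist={"browser.exe"}))

if __name__ == "__main__":
    for name, result in (("inbound-only", INBOUND_ONLY),
                         ("with outbound control", WITH_OUTBOUND_CONTROL)):
        print(name, result)
```

In the inbound-only run the unsolicited probe is blocked, yet the unwanted program's outbound flow and its reply are both allowed because the reply matches a state-table entry; with the allow-list the outbound flow is blocked, so no state exists and the reply is dropped too.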
 
Thanks, guys. I installed the free version of ZoneAlarm, it was seamless, it
even disabled the Windows firewall. Very unobtrusive. But now I have another
question - how do I block sites that a teenager shouldn't go to? Well, porn
and also other potentially harmful sites?
 