Pretty Good Experience Building New PC

The little lost angel

> That should be a feature of the e-mail software - it *is* on Mozilla's
> e-mail clients. Even 10 year-old Eudora had it.

Yes, the option exists but the email client itself might be the one
dialing home ;)

Furthermore, a software firewall catches accidental clicks on email
links that launch the browser.

And the email client is just one example; other apps have a tendency to
want to dial home or do funny things that a software firewall will
tell you about but a hardware one won't. E.g. the 2.0 beta version of
Firefox will still attempt to connect to a Google database despite
being told to use only a local list for phishing site protection.
> In what sense? I just told you but you snipped it out.

Sorry I snipped it out because it did not make any sense to me.

> Firewalls do not work with advanced network interface features... the
> things which chipset mfrs are touting as new, advanced, desirable
> features.

I'm not familiar with these networking hardware features so pardon me
if this is a stupid question.

Why and how would they cause problems with the firewall? My
understanding is the firewall analyses the traffic on a higher layer
than the hardware and should be acting before the data hits the
hardware layer for outgoing and after the hardware layer for incoming.
I don't see why they would interfere with each other.

> They cause problems with accessing a domain; Windows Firewall has a
> sub-component service, Windows Firewall Internet Connection Sharing,
> which is not even stopped when Firewall is disabled, which severely
> degrades high speed local area network performance.

Well, in the first place, if you're using the Windows Firewall and
ICS.... Those two are amongst the first things on my list of services
to stop and disable on Windows, alongside things like Task Scheduler
and Messenger. Honestly, why would anybody trust a firewall from big
brother itself??? :ppPp
 
kony

> Yes, I should have specified "home" use and not office use.
> Presumably in the office I wouldn't be installing nearly as many
> programs and browsing websites that are somewhat questionable (and
> therefore might try to exploit holes in web browsers). Also the
> network admin at work is going to be monitoring trends in network
> traffic and would notice a spike in outgoing traffic if I were to pick
> up a trojan.

Not necessarily; the trojan might be a downloader for
something more, which was a small download, and then control could
be very low traffic. There is no expectation that the amount of
traffic would indicate it, rather than an actual scan of the
system or the ports being used.
 
George Macdonald

> Yes, the option exists but the email client itself might be the one
> dialing home ;)
>
> Furthermore, a software firewall catches accidental clicks on email
> links that launch the browser.

Protecting the inept from the inane?:)

> And the email client is just one example; other apps have a tendency to
> want to dial home or do funny things that a software firewall will
> tell you about but a hardware one won't. E.g. the 2.0 beta version of
> Firefox will still attempt to connect to a Google database despite
> being told to use only a local list for phishing site protection.

> Sorry I snipped it out because it did not make any sense to me.


> I'm not familiar with these networking hardware features so pardon me
> if this is a stupid question.

Maybe do a bit of searching & reading.

> Why and how would they cause problems with the firewall? My
> understanding is the firewall analyses the traffic on a higher layer
> than the hardware and should be acting before the data hits the
> hardware layer for outgoing and after the hardware layer for incoming.
> I don't see why they would interfere with each other.

I've already mentioned most of the "magic words": TCP/IP offload, TCP
Chimney, NetDMA... and then there's RSS (Receive Side Scaling). M$
themselves say that their Scalable Networking Pack implementation does not
work with any firewall - there's no API for TCP/IP offloading and any
firewall has to be specific to each hardware's implementation. They all do
some bypass of the TCP/IP stack. Like I said, M$ does not say what "don't
work" means but with a 3rd party firewall, the effect is anybody's guess...
hangs, bluescreens, crashes, reboots?
> Well, in the first place, if you're using the Windows Firewall and
> ICS.... Those two are amongst the first things on my list of services
> to stop and disable on Windows, alongside things like Task Scheduler
> and Messenger. Honestly, why would anybody trust a firewall from big
> brother itself??? :ppPp

I'm not talking about ICS - the service is called "Windows Firewall
Internet Connection Sharing" - it is specific to Windows Firewall, is not
stopped by turning the firewall off and is started whether you have ICS
enabled or not. Most people, myself included, did not know it existed -
you'd have to scroll through the Services and it's not always obvious what
each service is responsible for... e.g. if you're not using DHCP Client,
you cannot turn the service off.

As for trusting "big brother", do you not now religiously download &
install Windows Updates? We didn't used to trust that.... until Sasser and
SQL Slammer.
 
George Macdonald

> Yes, I should have specified "home" use and not office use.
> Presumably in the office I wouldn't be installing nearly as many
> programs and browsing websites that are somewhat questionable (and
> therefore might try to exploit holes in web browsers). Also the
> network admin at work is going to be monitoring trends in network
> traffic and would notice a spike in outgoing traffic if I were to pick
> up a trojan.

Not many small businesses have the equipment for network "monitoring".;-)

> Perhaps, though I'm not sure how big a worry it is. Certainly for
> 100Mbit/s networks there is no real need at all. For gigabit and
> 10Gbit/s server connections, then I guess it becomes more of a
> concern. However when you're dealing with servers, all the rules
> change about networking stuff.

It's not a "worry". It's more: what's the point of all those network
interface enhancements if you can't use them? There are a lot of people
who have sworn off nForce chipsets because the offloading doesn't work and
the nForce Firewall causes many problems.
 
The little lost angel

> I'm not talking about ICS - the service is called "Windows Firewall
> Internet Connection Sharing" - it is specific to Windows Firewall, is not
> stopped by turning the firewall off and is started whether you have ICS
> enabled or not. Most people, myself included, did not know it existed -
> you'd have to scroll through the Services and it's not always obvious what
> each service is responsible for... e.g. if you're not using DHCP Client,
> you cannot turn the service off.

Doesn't everybody who's even mildly concerned about their system
security and privacy go through the Services list on a new
install/update? The "Windows Firewall/Internet Connection Sharing" is
again one of the first things I disable in Services. I'm usually very
aggressive about turning things off and only start turning things on
if other stuff doesn't work or complains :p

> As for trusting "big brother", do you not now religiously download &
> install Windows Updates? We didn't used to trust that.... until Sasser and
> SQL Slammer.

In the last six months or maybe more, the only OS updates I downloaded
for myself were for... Ubuntu Linux :p

I don't really care to let Microsoft muck around with my system unless
absolutely necessary. For the machines in other people's offices that
I freelance for, I don't have a say in these matters and let the
machines do whatever they want, since they don't even have a proper
firewall on them. I just hook up my laptop to their wireless network
for internet access and ban everything from the internal network;
data transfers are faster using flash cards.
 
kony

> Doesn't everybody who's even mildly concerned about their system
> security and privacy go through the Services list on a new
> install/update?

Sure, and they also use a firewall external to any system,
not the nForce firewall or any software as the first line of
defense.

Software firewalls do have their place though, 'tis good to
control outbound connections.
 
The little lost angel

> Sure, and they also use a firewall external to any system,
> not the nForce firewall or any software as the first line of
> defense.

Definitely! :p I was just making the point that software firewalls have
their place, in addition to the hardware one. I wouldn't want to rely
on software alone!

> Software firewalls do have their place though, 'tis good to
> control outbound connections.

Yup!
 
George Macdonald

> Doesn't everybody who's even mildly concerned about their system
> security and privacy go through the Services list on a new
> install/update? The "Windows Firewall/Internet Connection Sharing" is
> again one of the first things I disable in Services. I'm usually very
> aggressive about turning things off and only start turning things on
> if other stuff doesn't work or complains :p

Like I said, it's not always obvious what any service is responsible for...
and things that "don't work" are not always that immediately evident. I
don't go through removing services for which I don't know the consequences.

> In the last six months or maybe more, the only OS updates I downloaded
> for myself were for... Ubuntu Linux :p
>
> I don't really care to let Microsoft muck around with my system unless
> absolutely necessary. For the machines in other people's offices that
> I freelance for, I don't have a say in these matters and let the
> machines do whatever they want, since they don't even have a proper
> firewall on them. I just hook up my laptop to their wireless network
> for internet access and ban everything from the internal network;
> data transfers are faster using flash cards.

Where you have non-expert business users, living without Windows Updates is
not an option any longer. You only have to get burned once.:-(
 
Tony Hill

> Not many small businesses have the equipment for network "monitoring".;-)

For those small businesses they maybe should consider a software
firewall in addition to some hardware protection, or else they should
be very careful (err.. I guess the latter is a given regardless of
what sort of networking software/hardware they have).

> It's not a "worry". It's more: what's the point of all those network
> interface enhancements if you can't use them?

I never much saw the point for them on desktop systems in the first
place. Servers are, of course, another matter.

> There are a lot of people
> who have sworn off nForce chipsets because the offloading doesn't work and
> the nForce Firewall causes many problems.

Well these people should be happy again since the nForce 500 series of
chipsets for AMD processors no longer has that firewall.
 
The little lost angel

> Where you have non-expert business users, living without Windows Updates is
> not an option any longer. You only have to get burned once.:-(

Time to chain them down in front of a Windows-skinned Linux! :ppPp
 
George Macdonald

> For those small businesses they maybe should consider a software
> firewall in addition to some hardware protection, or else they should
> be very careful (err.. I guess the latter is a given regardless of
> what sort of networking software/hardware they have).

A software firewall where?... in a separate PC as an "appliance"? Personal
firewalls do *not* work well with LANs, especially a domain and even that
is pretty much standard fare for small business. The firewall in the
routers is usually "sufficient" if not ideal... an area for improvement
maybe, not to mention spending a few extra $$ for up front. Then again,
some of the standalone firewalls are quite inexpensive now... which you'd
need anyway if there's a Web server involved.

> I never much saw the point for them on desktop systems in the first
> place. Servers are, of course, another matter.

Even for a desktop, if you have a Gb connection, why saturate the PCI Bus
with it?

> Well these people should be happy again since the nForce 500 series of
> chipsets for AMD processors no longer has that firewall.

Yes and the silence on the shortcomings of nForce 3&4 is err, deafening.;-)
I do wish that nVidia would get their act together on documentation and I
don't mean just tech data sheets, which they have every right to allocate
to only mbrd OEMs; the features of their chipsets are so poorly documented
it's impossible to tell what they're supposed to do and what not. E.g.
there's a thing they call the "Hardware Network Engine" which appears to be
part of what they call Active Armor; I've been able to find absolutely
zilch on what HNE is, what it's supposed to do and how it's related to
other network offload features.
 
Tony Hill

> A software firewall where?... in a separate PC as an "appliance"?

Software firewall on each desktop.

> Personal
> firewalls do *not* work well with LANs, especially a domain and even that
> is pretty much standard fare for small business.

Personal firewalls work just fine on a LAN, though a domain could be a
tiny bit trickier. Nothing too complicated though, just make sure the
firewall is set up right from the beginning.

> The firewall in the
> routers is usually "sufficient" if not ideal... an area for improvement
> maybe, not to mention spending a few extra $$ for up front. Then again,
> some of the standalone firewalls are quite inexpensive now... which you'd
> need anyway if there's a Web server involved.

Yup, a software firewall is DEFINITELY not a replacement for any sort
of hardware firewall (at the very least a NAT router). However it can
be quite useful for things that the router misses.

From today's news, a new JavaScript vulnerability was found:

http://news.com.com/JavaScript+open...attacks/2100-7349_3-6099891.html?tag=nefd.pop

This kind of vulnerability will get by a hardware firewall, however if
each PC behind the firewall was protected by a software firewall then
they would be protected.

> Even for a desktop, if you have a Gb connection, why saturate the PCI Bus
> with it?

Saturate the PCI bus with what? My WAN connection is only 5Mbit/s.
At work I occasionally send files over the LAN, but it's extremely
rare for me to send more than 20MB at a time, and that finishes in 2
seconds. There may be some people that do transfer LARGE amounts of
data around their LAN on a desktop PC, but I suspect that this is a
niche market.

Besides, most gigabit connections these days are hanging off something
other than the old PCI bus. Whether it be Intel's CSA (introduced 3
years ago with their i865 and i875 chipsets), PCI Express or some
other non-PCI channel.

> Yes and the silence on the shortcomings of nForce 3&4 is err, deafening.;-)
> I do wish that nVidia would get their act together on documentation and I
> don't mean just tech data sheets, which they have every right to allocate
> to only mbrd OEMs; the features of their chipsets are so poorly documented
> it's impossible to tell what they're supposed to do and what not. E.g.
> there's a thing they call the "Hardware Network Engine" which appears to be
> part of what they call Active Armor; I've been able to find absolutely
> zilch on what HNE is, what it's supposed to do and how it's related to
> other network offload features.

Sadly poor documentation seems to be the norm these days. With the
exception of Intel, who has absolutely stellar documentation, everyone
else seems to operate very much on a need-to-know basis. Even AMD has
drastically cut back on what documentation they have publicly
available as compared to a few years back.
 
kony

> Yup, a software firewall is DEFINITELY not a replacement for any sort
> of hardware firewall (at the very least a NAT router). However it can
> be quite useful for things that the router misses.


A software firewall could work fine, BUT it sure as heck
wouldn't be running on the same Windows host.
 
Tony Hill

> A software firewall could work fine, BUT it sure as heck
> wouldn't be running on the same Windows host.

For most cases I would tend to recommend sticking with a pure hardware
firewall. However, in the past I have used an old Linux box with
ipchains/iptables and masquerading to handle the firewall and NAT
duties, and that worked pretty well. It did have some nice advantages
in being more configurable than any low-end or even mid-range
firewall. However, the downside is that it also is a much more complex
system and therefore has much more potential for vulnerabilities.
Besides which, it also consumed about 20 times more power and took up
20 times as much space as the small NAT router that replaced it.

As I said, it'll work, but other than some extreme cases I wouldn't
recommend it.
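For readers who have not set up the kind of Linux NAT gateway described above, here is an added example of a minimal iptables firewall-plus-masquerading ruleset; it is not the poster's configuration. The interface names (eth0 facing the ISP, eth1 facing the LAN) and the 192.168.1.0/24 LAN prefix are constructed placeholders, and the DRY_RUN switch prints the rules instead of applying them so the policy can be reviewed without root or a real gateway.

```shell
#!/bin/sh
# Minimal Linux NAT gateway firewall (added example, not the poster's box).
# Interface names and LAN prefix are assumptions; override via environment.
WAN_IF="${WAN_IF:-eth0}"              # interface facing the ISP
LAN_IF="${LAN_IF:-eth1}"              # interface facing the desktops
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # constructed private LAN prefix

# Wrapper: with DRY_RUN set, print each rule instead of applying it, so the
# ruleset can be inspected on a machine without root or iptables installed.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_gateway_rules() {
    # Start from a clean slate in both the filter and nat tables.
    ipt -F
    ipt -t nat -F
    ipt -X

    # Default deny for traffic addressed to the gateway itself and for
    # traffic it is asked to forward; the box's own outbound traffic passes.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback and replies to connections the gateway opened are fine.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only LAN hosts may talk to the gateway; the WAN side gets nothing new.
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT

    # Forwarding: the LAN may go out; the Internet may only come back in
    # for connections the LAN started. This is what the NAT router buys
    # you: unsolicited inbound probes never reach the desktops.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
    # Drop LAN-side packets whose source is not a LAN address (spoofing or
    # a misconfigured host); they would otherwise leak out unmasqueraded.
    ipt -A FORWARD -i "$LAN_IF" ! -s "$LAN_NET" -j DROP

    # Masquerade: rewrite LAN source addresses to the gateway's WAN address.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # The kernel does not route between interfaces until told to.
    if [ -z "${DRY_RUN:-}" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo "sysctl net.ipv4.ip_forward=1"
    fi
}

# Review check: count FORWARD rules that accept traffic arriving on the WAN
# interface without a connection-state match. For this design it must be 0;
# anything else means unsolicited Internet traffic can reach the LAN.
count_unsolicited_wan_accepts() {
    DRY_RUN=1 apply_gateway_rules | grep -- "-A FORWARD -i $WAN_IF" \
        | grep -v -- "--state" | grep -c -- "-j ACCEPT" || true
}
```

Note that a gateway like this filters only by address, port and connection state; the per-application control of outbound connections discussed earlier in the thread is something only a firewall running on the desktop itself can provide.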
 
George Macdonald

> Software firewall on each desktop.


> Personal firewalls work just fine on a LAN, though a domain could be a
> tiny bit trickier. Nothing too complicated though, just make sure the
> firewall is set up right from the beginning.

With a domain, even M$ tells you to turn Windows Firewall off and it
doesn't actually do much for you in the way of protection. I've seen
problems on our domain when somebody has unwittingly turned on the Windows
Firewall; the only way I saw to "fix" it was to turn it off. I believe
it's worse than trickier for a domain; for a workgroup it can be
troublesome if you want to use your LAN for what one normally does. For
most users, "it's too complicated".:)

> Yup, a software firewall is DEFINITELY not a replacement for any sort
> of hardware firewall (at the very least a NAT router). However it can
> be quite useful for things that the router misses.
>
> From today's news, a new JavaScript vulnerability was found:
>
> http://news.com.com/JavaScript+open...attacks/2100-7349_3-6099891.html?tag=nefd.pop
>
> This kind of vulnerability will get by a hardware firewall, however if
> each PC behind the firewall was protected by a software firewall then
> they would be protected.


> Saturate the PCI bus with what? My WAN connection is only 5Mbit/s.
> At work I occasionally send files over the LAN, but it's extremely
> rare for me to send more than 20MB at a time, and that finishes in 2
> seconds. There may be some people that do transfer LARGE amounts of
> data around their LAN on a desktop PC, but I suspect that this is a
> niche market.

I believe there are *many* people who are transferring substantial amounts
of data across the LAN... to think otherwise is a huge assumption IMO.
Even backing up across a network, however it's done, to where and when, is
something you want to happen at the highest speed possible.

> Besides, most gigabit connections these days are hanging off something
> other than the old PCI bus. Whether it be Intel's CSA (introduced 3
> years ago with their i865 and i875 chipsets), PCI Express or some
> other non-PCI channel.

Yeah well that's the point - all part of those "enhanced" network
interfaces. Having to figure out what works and what doesn't is a PITA.
If you look about the middle of this page,
http://support.microsoft.com/?kbid=912222 for what it doesn't work with,
and some of the other restrictions, this new M$ network "acceleration" pack
doesn't bring much hope for realizing some of the "advantages" of network
stack hardware offloading.
 
krw

fammacd=! said:
> With a domain, even M$ tells you to turn Windows Firewall off and it
> doesn't actually do much for you in the way of protection. I've seen
> problems on our domain when somebody has unwittingly turned on the Windows
> Firewall; the only way I saw to "fix" it was to turn it off. I believe
> it's worse than trickier for a domain; for a workgroup it can be
> troublesome if you want to use your LAN for what one normally does. For
> most users, "it's too complicated".:)

I'm not going to get in the middle here, but we've been *ordered*
to use ZoneAlarm on any system used within the firewall. Yes, with
hardware firewalls it works. OTOH, we've also been ordered to
disable any M$ AV/FW crap. ZA seems to work pretty well, free too!

<snip>
 
George Macdonald

> I'm not going to get in the middle here, but we've been *ordered*
> to use ZoneAlarm on any system used within the firewall. Yes, with
> hardware firewalls it works. OTOH, we've also been ordered to
> disable any M$ AV/FW crap. ZA seems to work pretty well, free too!

Ok thanks. It just irks me that we have all this new network hardware,
with extravagant performance claims, where you have to disable the advanced
features to get it to work with necessary software. <sigh>I guess
reworking the TCP/IP stack, at this stage, *is* a kinda big job.:)...
though I hear that nVidia may have gotten its act together with their
latest effort on drivers and their firewall.
 
The little lost angel

> With a domain, even M$ tells you to turn Windows Firewall off and it
> doesn't actually do much for you in the way of protection. I've seen
> problems on our domain when somebody has unwittingly turned on the Windows
> Firewall; the only way I saw to "fix" it was to turn it off. I believe
> it's worse than trickier for a domain; for a workgroup it can be
> troublesome if you want to use your LAN for what one normally does. For
> most users, "it's too complicated".:)

That's really weird. What problem does a software firewall cause with a
domain? I've been using the same software firewall with my school's
network, which requires logging in to a Windows domain, for years and I
don't seem to have any problems specifically related to the firewall.
But of course I don't use the Microsoft provided one :ppP

Similarly, no problems at home with several PCs/laptops on the same
workgroup, and we share printers/files/whatnot (I even recently got
Samba working! :p)
 
Tony Hill

> With a domain, even M$ tells you to turn Windows Firewall off and it
> doesn't actually do much for you in the way of protection. I've seen
> problems on our domain when somebody has unwittingly turned on the Windows
> Firewall; the only way I saw to "fix" it was to turn it off. I believe

Keep in mind that Windows Firewall is a piece of crap as far as
software firewalls are concerned! It wouldn't surprise me if it
causes a lot of problems that the other software firewall companies
fixed 5+ years ago.

> it's worse than trickier for a domain; for a workgroup it can be
> troublesome if you want to use your LAN for what one normally does. For
> most users, "it's too complicated".:)

It all depends on what you need the LAN to do and how tight you want
the security on it to be. For some users it would indeed be too
complicated. These users are going to be regularly hacked anyway
though, so there's not much point in worrying about them.

> Yeah well that's the point - all part of those "enhanced" network
> interfaces. Having to figure out what works and what doesn't is a PITA.

None of the above have anything to do with "enhanced" network
interfaces; they're all for sending data from memory to the network
controller, occasionally via the CPU if needed. No specific reason to
have (or not have) anything special that a plain ol' fashioned PCI card
wouldn't have. The only difference is that you aren't going to be
saturating your PCI bus with any of those technologies.

> If you look about the middle of this page,
> http://support.microsoft.com/?kbid=912222 for what it doesn't work with,
> and some of the other restrictions, this new M$ network "acceleration" pack
> doesn't bring much hope for realizing some of the "advantages" of network
> stack hardware offloading.

Microsoft seems to be agreeing with me here that this is really an
issue for servers much more than desktops. Servers have always had a
whole load of issues related to networking, and careful implementation
is definitely a must.
 
George Macdonald

> None of the above have anything to do with "enhanced" network
> interfaces; they're all for sending data from memory to the network
> controller, occasionally via the CPU if needed. No specific reason to
> have (or not have) anything special that a plain ol' fashioned PCI card
> wouldn't have. The only difference is that you aren't going to be
> saturating your PCI bus with any of those technologies.

Now I'm not sure what you mean by "the above" nor "enhanced" NIs. The
offloading technology is incorporated into the NI hardware and always comes
together with the PCI bypass in some modern chipsets and with drivers which
attempt some kind of offloading by default... as did the nForce Firewall.
Believe me, I've had my troubles, even without the nForce Firewall and
there *are* mysteries for which apparently only the chipset mfr knows the
root cause. The nForce3/4-Eudora 10053/10054 "bug" is one I've personally
come across.

> Microsoft seems to be agreeing with me here that this is really an
> issue for servers much more than desktops. Servers have always had a
> whole load of issues related to networking, and careful implementation
> is definitely a must.

You seem to be missing the point that LSO, NetDMA, TCP Chimney, which are
part of the above pack -- which is *also* released for XP-x64 -- all use
the advanced offloading features I've been talking about and which some
modern NIs, even desktop, include. IOW they're there - you can't use
them... yet another exercise in futility.
 
