Page 1 of 2 12 LastLast
Results 1 to 10 of 19

Thread: XP's "firewall" - why the bad press?

  1. #1
    Join Date
    May 2003
    Somewhere in Texas

    Question XP's "firewall" - why the bad press?

    Ok, just what IS just so bad about XP's firewall?

    It seems that ANY security product that comes out always gathers comments like: "Security? Bah, that piece of crap _________ (fill in the blank) isn't worth it..."

    I'm hearing the same about XP's built in "firewall" -- I know it's not a *real* firewall. And yet, any scans I run against it seem to indicate that it's pretty decent. Am I missing something? I read in another thread someone actually recommending not bothering with it and disable it.?.? Why? Isn't something better than nothing?


  2. #2
    Join Date
    May 2003
    One thing that I know about it is that it has no ability to limit outgoing traffic. This could be considered a serious problem if a trojan is on your system. Your system could also be more likely to be used in a DDOS attack, because of this inability to limit outgoing traffic. Thats the most that I know about the XP firewall, hope it helps.

  3. #3
    Dead Man Walking
    Join Date
    Jan 2003
    Well for starters it doesnt filter anything outgoing wich is juts as important as incoming with all the trojans and stuff floating around out there. Another thing is that if you have another software firewall they will conflict with each other and then you've got an even bigger hole in your security. That and the fact that it is comepletely unconfigurable. its either on or off. that is a big problem to me.

  4. #4
    Join Date
    Dec 2002
    maybe is because it's not a fully featured firewall, it only carries very basic functions
    you cannot tweal its setting as you would with a commercial firewall and dont have as much control of whats going on

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Washington D.C. area
    it's not a fully featured firewall
    Correct, for one, it has no idea about connection state, second, it is very limited in that it only allows for port and protocol filtering from the "outside" and not much else.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  6. #6
    Senior Member
    Join Date
    May 2003
    i wouldn't consider it a firewall, lacks too much needed functionality of basic software based firewall. i wouldn't be surprised to see ms coming up with their version of firewall soon, but firewall and security goes hand in hand, and it would all depend on what your needs are.


  7. #7
    One thing I would like to add to this discussion is that it doesn't report ports as 'stealth' instead it reports ports as 'closed'. Sygate reports all none used ports as 'stealth' for example.
    If you use a nmap scan on it, wheter it be a syn scan or one of the other scans., it reports the host as being 'up'.
    Why is this bad ?
    If a port is in the state closed and you send a packet to it it will respond to that packet. For example with a 'res' packet. The packets contain overhead that can give information on the system.

    Another thing is that you get no information. It does not tell you what is happening.
    And being unable to block outgoing connections is just plain bad.

    In my opinion you can better use a (free) third party firewall like sygate, kerio zonealarm or outpost.
    Like mentioned remember to disable the built in firewall if you choose to use a third party one.

  8. #8
    Senior Member
    Join Date
    Nov 2002
    Well, Noodle about the stealth mode I'm not sure to fully aggree.
    There one information that is given to the attacker: A firewall is being used btw him and the target.
    What type of information does the rst will give to the attacker the TCP seq? I hope every one got a stack with no predictable seq number!
    Is there another sensitive information?

    What I'm sure of, is that for a firewall that protect a LAN i'd rather go with a rst spoof reply from the firewall in order to hide as much as possible my firewall. And to avoid the attacker to possibly guess what is the firewall ruleset and then guess what is the network topology and server protected.

    But this had been already discussed here

    Originally posted here by Networker
    When a firewall is protecting a port (e.g. FTP port ) the firewall will drop any related frames. That's what we are expected from the firewall!

    Now, in the case there is no firewall & If you start a scan using TCP with ACK flag your are expecting the target to answer you with a TCP packet with the RST flag (read the TCP rfc for more details!).
    The trick is that when a firewall is in the middle, it will simply drop the packet and you'll never get the TCP RST packet back.
    That's a simple way to detect what port is protected or not. (Nmap will do it for you, have a look in the manpage!)
    Of course some constructors knows about it and implement counter measure:
    - A simple one is to answer a TCP RST from the firewall, but you can still detect the firewall action thanx to the IP source (the one of the firewall)
    - The ultimate mitigation is when the firewall is able to spoof the target IP for answering the RST packet.

    I hope it help,
    [shadow] SHARING KNOWLEDGE[/shadow]

  9. #9
    For example if you are running one or two services on you computer the prediction of the OS will be much easier.
    We are talking about XP here and it uses a predictible sequence. This way the attacker would find out what OS is being used in no time. With this information the attacker can expand his attack.
    If you are using one of the BSD's for example the sequence is complete random.
    So if you scan a box with nmap -O on a XPfirewall protected box and only one service enabled you will find pretty soon the box is running XP. Where if you are using sygate (for example) you would not discover this.
    This may not sound like a big deal but if you have someone that is truly attacking you it makes a difference.
    Knowing the person uses XP strikes out many things.
    Would he be using Internet Explorer ?
    Would he be using Outlook Express ?
    This gains many oppertunities for the next stage of attack.

    To add to the previous post. Xp comes with this firewall but is still highly vulnarable to attacks because the default install enables port 139, 445, 5000 and they will be reported as being open to the scanner. The user gets a fake sence of security.
    IMO it is better to have no security then to have a fake sence of security.

  10. #10
    Join Date
    Mar 2003
    Yes! Yes! -------------->>>> "M$"

    Ms asumes everybody is a buddy, so no one will do such things like that.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts