June 4th, 2003, 04:57 PM
XP's "firewall" - why the bad press?
Ok, just what IS just so bad about XP's firewall?
It seems that ANY security product that comes out always gathers comments like: "Security? Bah, that piece of crap _________ (fill in the blank) isn't worth it..."
I'm hearing the same about XP's built in "firewall" -- I know it's not a *real* firewall. And yet, any scans I run against it seem to indicate that it's pretty decent. Am I missing something? I read in another thread someone actually recommending not bothering with it and disable it.?.? Why? Isn't something better than nothing?
June 4th, 2003, 05:04 PM
One thing that I know about it is that it has no ability to limit outgoing traffic. This could be considered a serious problem if a trojan is on your system. Your system could also be more likely to be used in a DDOS attack, because of this inability to limit outgoing traffic. Thats the most that I know about the XP firewall, hope it helps.
June 4th, 2003, 05:06 PM
Well for starters it doesnt filter anything outgoing wich is juts as important as incoming with all the trojans and stuff floating around out there. Another thing is that if you have another software firewall they will conflict with each other and then you've got an even bigger hole in your security. That and the fact that it is comepletely unconfigurable. its either on or off. that is a big problem to me.
June 4th, 2003, 05:09 PM
maybe is because it's not a fully featured firewall, it only carries very basic functions
you cannot tweal its setting as you would with a commercial firewall and dont have as much control of whats going on
June 4th, 2003, 05:39 PM
Correct, for one, it has no idea about connection state, second, it is very limited in that it only allows for port and protocol filtering from the "outside" and not much else.
it's not a fully featured firewall
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
June 4th, 2003, 05:44 PM
i wouldn't consider it a firewall, lacks too much needed functionality of basic software based firewall. i wouldn't be surprised to see ms coming up with their version of firewall soon, but firewall and security goes hand in hand, and it would all depend on what your needs are.
June 4th, 2003, 06:57 PM
One thing I would like to add to this discussion is that it doesn't report ports as 'stealth' instead it reports ports as 'closed'. Sygate reports all none used ports as 'stealth' for example.
If you use a nmap scan on it, wheter it be a syn scan or one of the other scans., it reports the host as being 'up'.
Why is this bad ?
If a port is in the state closed and you send a packet to it it will respond to that packet. For example with a 'res' packet. The packets contain overhead that can give information on the system.
Another thing is that you get no information. It does not tell you what is happening.
And being unable to block outgoing connections is just plain bad.
In my opinion you can better use a (free) third party firewall like sygate, kerio zonealarm or outpost.
Like mentioned remember to disable the built in firewall if you choose to use a third party one.
June 4th, 2003, 07:13 PM
Well, Noodle about the stealth mode I'm not sure to fully aggree.
There one information that is given to the attacker: A firewall is being used btw him and the target.
What type of information does the rst will give to the attacker the TCP seq? I hope every one got a stack with no predictable seq number!
Is there another sensitive information?
What I'm sure of, is that for a firewall that protect a LAN i'd rather go with a rst spoof reply from the firewall in order to hide as much as possible my firewall. And to avoid the attacker to possibly guess what is the firewall ruleset and then guess what is the network topology and server protected.
But this had been already discussed here
Originally posted here by Networker
When a firewall is protecting a port (e.g. FTP port ) the firewall will drop any related frames. That's what we are expected from the firewall!
Now, in the case there is no firewall & If you start a scan using TCP with ACK flag your are expecting the target to answer you with a TCP packet with the RST flag (read the TCP rfc for more details!).
The trick is that when a firewall is in the middle, it will simply drop the packet and you'll never get the TCP RST packet back.
That's a simple way to detect what port is protected or not. (Nmap will do it for you, have a look in the manpage!)
Of course some constructors knows about it and implement counter measure:
- A simple one is to answer a TCP RST from the firewall, but you can still detect the firewall action thanx to the IP source (the one of the firewall)
- The ultimate mitigation is when the firewall is able to spoof the target IP for answering the RST packet.
I hope it help,
[shadow] SHARING KNOWLEDGE[/shadow]
June 4th, 2003, 07:36 PM
For example if you are running one or two services on you computer the prediction of the OS will be much easier.
We are talking about XP here and it uses a predictible sequence. This way the attacker would find out what OS is being used in no time. With this information the attacker can expand his attack.
If you are using one of the BSD's for example the sequence is complete random.
So if you scan a box with nmap -O on a XPfirewall protected box and only one service enabled you will find pretty soon the box is running XP. Where if you are using sygate (for example) you would not discover this.
This may not sound like a big deal but if you have someone that is truly attacking you it makes a difference.
Knowing the person uses XP strikes out many things.
Would he be using Internet Explorer ?
Would he be using Outlook Express ?
This gains many oppertunities for the next stage of attack.
To add to the previous post. Xp comes with this firewall but is still highly vulnarable to attacks because the default install enables port 139, 445, 5000 and they will be reported as being open to the scanner. The user gets a fake sence of security.
IMO it is better to have no security then to have a fake sence of security.
June 4th, 2003, 08:01 PM
Yes! Yes! -------------->>>> "M$"
Ms asumes everybody is a buddy, so no one will do such things like that.
(-:IF U R A HACKER TRY TO BE ON POINT,IT SAVES TIME:-)