Thread: Is Windows Firewall any good at all?

  1. #21
    Senior Member
    Join Date
    Jul 2004
    Posts
    548
    I found a PDF lying around on my hard drive which I thought you all might find interesting. I'm not sure where I found it, but it's a VigilantMinds article and it involves testing various Windows firewalls (including the inbuilt SP2 one) to see if they can be bypassed. Take a look at the results at the end of the article - that'll give you a rough idea of how good Windows' inbuilt firewall is.

    Cheers,

    -jk

    [edit]

    The attachment was corrupted and I couldn't fix it, so I've uploaded it to my site: click

  2. #22
    I believe the dozen or so articles with that title each have an example of how to inject into a trusted application. And that's the problem addressed. However I really don't understand where this would be specific to that firewall. You can assume that everything packaged with these security suites sold in Walmart will be the first set of programs disabled by malware anyway.

    Even then, most of the time I could sniff out anything "non-RFC compliant" to a particular service and maybe send any response right back. In effect, warp any session I want into a vector for backdoor communication.

    I don't understand why most of you people can't admit that there really are no preventive measures. At least none that the security industry and the retailers of their products would want you to know about.

  3. #23
    Junior Member
    Join Date
    Jan 2006
    Posts
    25
    no firewall even those in the fwtk legacy or network guards can prevent trusted applications from sending undesired or unauthorized data. if the formatting of every single packet is defined in a manner so draconian to be no longer useful in general purpose environments covert channels still exist.

    firewalls are not the appropriate choice to protect these vectors. a strong change control policy must be in place on internal systems. the firewall must be limited in scope to moderating network access and filtering outbound content for signs of remotely compromised services/daemons. more tasks will overload the firewall and play away from its strengths.

    i disagree with the idea that no preventative measures are available. prevention of unauthorized disclosure alteration and even some instances of destruction is the primary use of access controls. access controls are limited by their technical nature and are useless if not supported by strong organizational policy or for the home user a little self-education and simple caution.

  4. #24
    I'm in the camp that says that it's not a great product - but it's certainly a LOT better than no firewall at all. It does have an elegant simplicity.. and as has been said, if you go onto the internet without it you'll be 0wned in 20 minutes or so.

    Personally I use ZoneAlarm (the one with the integrated AV is pretty good) but the firewall on router keeps the nasties out anyway.. so really, ZoneAlarm is there to mitigate against attacks on the wireless LAN somewhere and to provide egress filtering. But you know, for 99% of users that's probably overkill.. but for power users it can be extremely useful having that sort of granular level of control for inbound and outbound network connections.

    I'd sooner spend $60 a year on a decent package like the ZoneAlarm Internet Security Suite which gives you pretty much everything you need rather than take the risk.

  5. #25
    Junior Member
    Join Date
    Nov 2005
    Posts
    12
    TH13, Could you please post that pdf? I would really like to see what they have to say about Symantec's Firewall. The only problem I've really noticed is that it takes up a lot of memory when running it.

  6. #26
    Banned
    Join Date
    Mar 2002
    Posts
    968
    Now here's a question:

    If you are behind a NAT router, is it even worth turning WFW on?

    Just to clear a little something about firewalls...

    If you are connected to the internet directly (no router between you and the modem or *eek* the phoneline), having a software firewall filters incoming traffic and (the better firewalls) monitors outgoing traffic with proper permissions

    If you are connected to the internet behind a router (or hardware firewall), having a software firewall is only good for filtering outbound traffic that has permission

    Do I have that right?

  7. #27
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Originally posted here by tyger_claw
    Now here's a question:

    If you are behind a NAT router, is it even worth turning WFW on?

    To answer that question, you'd have to answer this question first.

    Do you trust the other users that are on the LAN with you?

    There are quite a few PCs on my home network..

    I've got my Desktop (XP) and an iMac (Mac OS 9.2)
    My girlfriend has her desktop (XP) and a Clamshell iBook (Mac OS 9.2)
    My Roommate has his desktop (XP) and his file server (XP)
    Another Roommate has his desktop (XP) and his laptop (XP/SuSE)
    There's also a LaserJet 4MV and occasionally a Powerbook (OS X)
    There used to be a SuSE 9.3 box... it'll be back soon... and there's also Debian under coLinux...

    Do I run a software firewall?? nope... I have other methods of monitoring outbound connections and I trust the NAT on the firewall to keep me from rogue inbound connections. At the same time, I trust my roommates.. I keep the gf's PC updated and one roommate works for a Comp Sec company.. the other graduated in Electronics Engineering.

    At work it's a mix of XP and OS X... again ... no software firewall... the trust is placed in the NAT and we trust the internal users...

    However... if I was in a dorm (several only provide one network drop for all the students in the room)... so if I shared a home router with roommates or I was direct into the drop... I'd be running a firewall... I'm NATed to the internet but I wouldn't trust the other internal users...


    Just to clear a little something about firewalls...

    If you are connected to the internet directly (no router between you and the modem or *eek* the phoneline), having a software firewall filters incoming traffic and (the better firewalls) monitors outgoing traffic with proper permissions

    If you are connected to the internet behind a router (or hardware firewall), having a software firewall is only good for filtering outbound traffic that has permission

    Do I have that right?
    I think the above also answers your question there.... a software firewall is still providing inbound or inbound/outbound (depending on the firewall).... The question is do you trust the other users enough... Do you need inbound filtered behind the NAT... Do you have a DMZ setup on your router... do you have ports forwarded... do you want those to be filtered?

    Unfortunately defining a network setup (where to place a firewall, type of firewall, what do I need to block, what do I need to filter)... isn't a set in stone process... It's like picking a car..

    Do I need 2, 4, 5, or 7 seats.
    Can I drive a stick or do I require an automatic.
    Do I want more cargo capacity.
    Do I want passenger side airbags
    Do I want the extra options
    How much power do I want under the hood...
    Do I want price or performance or a mix of both..


    Your firewall is going to be the exact same...

    Hardware, Software, or a Combo
    Do I need it to configure itself
    Do I need it to be able to process a large amount of traffic quickly
    Do I want a built in IDS
    Do I want full control over it.. or minimal control that will be simplified

    To me the Windows firewall is like a Sunfire... It's made fun of by enthusiasts and experts in its field... It's definitely not high quality and doesn't provide ultimate performance.... However it's simple... it's low cost and it goes from point A to point B... and if that's all you need... then it does the trick.

    Peace,
    HT

  8. #28
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    TH13, Could you please post that pdf? I would really like to see what they have to say about Symantec's Firewall. The only problem I've really noticed is that it takes up a lot of memory when running it.
    http://www.vigilantminds.com/files/d..._firewalls.pdf

    Scroll to the last page to see the matrix of results. Everything before that is background noise. Well, at least it should be if you're a security engineer.

    I don't understand why most of you people can't admit that there really are no preventive measures. At least none that the security industry and the retailers of their products would want you to know about.
    Wanna solve 99% of your issues related to this for free? Remove the ability of end users to install software. Done.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  9. #29
    Senior Member
    Join Date
    Jul 2004
    Posts
    548
    Hmm... So that's where I got that PDF from! Must've been in one of TH's previous posts a while ago...

    Cheers,

    -jk

    (See top of page if confused)

  10. #30
    Originally posted here by tyger_claw
    If you are behind a NAT router, is it even worth turning WFW on?
    It depends. It's definitely worth taking additional steps if you have a wireless network, but as HTRegz said it kinda depends on your circumstances. For my home network I take several additional steps, because I live in an urban area with quite a concentration of wireless networks. Even though I use WPA-PSK I don't 100% trust the wireless network to be absolutely secure.

    On corporate networks you usually find that Windows Firewall is turned off on client PCs because it just tends to make machines difficult to manage. In fact, the Windows Firewall product in that kind of environment can be quite dangerous.. in certain circumstances a PC can become virus infected, and the Windows Firewall can prevent administrators from accessing the PC to clean it up.
