[OT] Which firewall is good..?!


Sheepdog
Power Member
Posts: 5150
Joined: 2003-12-18, 21:44 UTC
Location: Berlin, Germany

Post by *Sheepdog »

Balderstrom wrote:Well I won't completely disagree with you, but your using the words "Easy" in so many places is misleading,
Easy is meant for someone who knows programming and knows enough of the Operating Systems to program a virus or another program that is useful for him to install on other people's PCs to make them remote PCs.

But that is what a firewall claims to protect you from: programs that are able to use OS functions to connect your PC to their PC and make it their slave PC.

Balderstrom wrote:and using IE in the example...
In the example it was indeed IE but it could be the default browser.

Balderstrom wrote:If it were that easy, we'd all have virus riddled PC's. And I've never been infected with any virus. And only had forced download/desktop replacement/screwups when using IE.
Don't you know that out there are people who sell 50 thousand remote PCs to use them as mail clients for a few hundred dollars?

On the other hand I was talking of calling out from a PC without knowledge of the user. I did not say anything about how to get those programs on your computer.

Balderstrom wrote:Now if that club could make that happen in Opera, would give it more credence.
They could easily, as mentioned before. Even if they do not know the browser name they only call the standard browser. And it's something about meta data in the URL that triggers the browser to load the commands from a certain URL that are later executed on the remote PC.

Balderstrom wrote:And I'm not 100% sure, but from what I know of Kerio, is that it differs from most all other firewalls, in that it underlies the Operating System in many key places - even to the point of Harddrive access -- When my Sata drives were overheating I would get Error popups in Kerio heh.
Even if Kerio exchanges all relevant system drivers (which I doubt), the new drivers are a security risk too. If you do not dismiss those dangerous packets there is always a chance to infect your system.

sheepdog
"A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete fools."
Douglas Adams
Sheepdog
Power Member
Posts: 5150
Joined: 2003-12-18, 21:44 UTC
Location: Berlin, Germany

Post by *Sheepdog »

Xtrician wrote:There is something in your words but I'm not sure you're 100% right.
I'm not the expert and I tried only to summarize the statements I referred to.

Xtrician wrote:if you say that firewalls give you a false alert, it's not right.
What I say is that you can't be sure there is no outgoing connection even if your firewall does not alert.

Xtrician wrote:Of course if I remove my firewall nobody will hack me or something, but it shows me information about incoming traffic; this is something too.
That's true, but there are other tools that do the same and do not claim to protect you (which is not possible).

Xtrician wrote:and you can't say that a Personal Firewall is not needed today by millions of people and big companies like McAfee, Kaspersky, Symantec, etc..
PFWs can't do what they promise to do: protect your computer from damaging incoming data packets, prevent programs from connecting out of your PC and make your PC safer.
If you are careful you do not need a firewall. And if you are not careful a firewall wouldn't help you.

sheepdog
Wilhelm M.
Power Member
Posts: 1049
Joined: 2003-06-05, 10:45 UTC

Post by *Wilhelm M. »

Hacker wrote:(I think there was a third service that needed to be enabled, too, but can't remember which one it was, sorry.)
HTH
Roman
Yeah, that's exactly the problem! The two you have named are started already but - no joy. I have already tried to de-install AutoUpdate completely (as far as Windows lets you do that) and re-install it. Nothing helps. When I open AutoUpdate in the control panel it simply says "Windows Update is not available." Very informative as always.

I have also a simple question for Sheepdog: have you activated a firewall on your computer or not?

I mean we can very extensively discuss and philosophise here about firewalls, but as balderstrom has already stated: there are very small yet well working firewalls which will perhaps not solve all your security problems but will do no harm either. I think most people have larger and more useless software on their computers than personal firewalls. So is there really a point in heated discussions?
Grüße/Regards,
Wilhelm
Balderstrom
Power Member
Posts: 2148
Joined: 2005-10-11, 10:10 UTC

Post by *Balderstrom »

I wouldn't trust windows without a firewall. And I am not so paranoid as to run another PC as a hardware firewall. Nor the power consumption of having yet another PC in the house running 24/7.

I already know my firewall helps, it prevents "Explorer" from turning into IE, as it doesn't allow Explorer Net connections. It prevents many incoming packets I deem Not needed.
And if some trojan can bind itself to a windows service - well I have most of them shut off. And if its not a service bound trojan, one that just attempts an outbound net connection, again it will prevent that.

And even if bound to a windows service/or underlying system, it would display outbound data exchange, on its tasktray icon, or in the Connections list, and again I'd know something was F'd.

But whatever floats yer boat :)
Lefteous
Power Member
Posts: 9536
Joined: 2003-02-09, 01:18 UTC
Location: Germany

Post by *Lefteous »

The name of a trojan was not chosen by accident. A working trojan integrates into a system without becoming visible. A personal firewall (some of them) detects outgoing traffic. If a trojan can be detected this way it's not a working trojan. So the first task of a working trojan is to disable or bypass the personal firewall when it would like to communicate and re-enable it when it's done, without the user's notice.
If I were a trojan I would completely substitute the personal firewall without changing the program's appearance. The user still thinks it's the personal firewall but actually it's an enhanced version which definitely does not inform me about suspicious packets.
Anything else is a detected trojan. Are we talking about the dangerous things or about the kids' stuff? The fact remains: If you have an evil trojan on your system you really have a problem.
Wilhelm M.
Power Member
Posts: 1049
Joined: 2003-06-05, 10:45 UTC

Post by *Wilhelm M. »

Well, right! I think nobody will argue your point in general. But what is the conclusion?

I give an analogy. Everybody knows that it is impossible to completely secure your house against house-breakers. There is no door nor wall that can block every attack. But is the conclusion that you can simply leave your door open? I don't think so. For the simple reason that most attacks are not done by the absolute "pros" but by rather simple-minded people. So if you shut your door and its lock is not a very lousy one, you increase your chance to not get robbed.

Maybe I'm wrong, but that seems similar to our discussion.
Grüße/Regards,
Wilhelm
deus-ex
Power Member
Posts: 979
Joined: 2003-02-10, 17:45 UTC

Post by *deus-ex »

Hacker wrote:Enable Automatic updates and Background intelligent transfer service. (I think there was a third service that needed to be enabled, too, but can't remember which one it was, sorry.)

HTH
Roman
The third one is the Remote Procedure Calls (RPC) service. You can find such info by looking at the Dependencies-Tab of the Service-Properties.


Regards,
deus-ex
Sheepdog
Power Member
Posts: 5150
Joined: 2003-12-18, 21:44 UTC
Location: Berlin, Germany

Post by *Sheepdog »

Wilhelm M. wrote:I have also a simple question for Sheepdog: have you activated a firewall on your computer or not?
No I have not.

Wilhelm M. wrote:perhaps not solve all your security problems but will do no harm either.
The problem is that if malware attacks the firewall it usually gets its admin rights even if you are logged in as a normal user (only very few firewalls run with normal user rights).

And the user feels secure because of the firewall and his attention subsides.

BTW Here you can see a screenshot with all my running services, and the automatic update works fine here. Maybe you'll find the service you'll have to reactivate.

sheepdog
Lefteous
Power Member
Posts: 9536
Joined: 2003-02-09, 01:18 UTC
Location: Germany

Post by *Lefteous »

2Wilhelm M.
I think the problem in your analogy is that breaking in is not really the point. In my scenario the housebreaker has already entered. The question is: how can you prevent him from doing whatever he wants inside your home?
I hope you agree that things like security holes cannot be avoided by personal firewalls. Especially because personal firewalls have the potential to open even more security holes.
So breaking in is another problem.
icfu
Power Member
Posts: 6052
Joined: 2003-09-10, 18:33 UTC

Post by *icfu »

@deus-ex:
This is wrong, as RPC is the only essential service of Windows (2000/XP). When you manage to disable it, Windows won't boot anymore and when you kill its process, Windows will shut down as if Blaster had knocked at port 445. ;)

@Wilhelm M.:
Wilhelm M. wrote:But is the conclusion that you can simply leave your door open?
No, the solution is to close all doors and not to install a personal firewall that additionally attaches some stupid "This door is not here but stealthed, haha"-sign to all closed doors, which is what personal firewalls do. A door that is closed doesn't need to be protected by personal firewalls and a bad boy that is already in the house will simply take what he needs, break down the locked door from inside and laugh at the sign when leaving.

Regarding Windows Update:
Check if the "Cryptographic Services" or "Kryptographiedienste" are running and if they are:
Wilhelm M. wrote:I have already tried to de-install AutoUpdate completely (as far as Windows lets you do that) and re-install it.
What have you done exactly?

Icfu
This account is for sale
Wilhelm M.
Power Member
Posts: 1049
Joined: 2003-06-05, 10:45 UTC

Post by *Wilhelm M. »

@lefteous
I agree, not out of conviction but out of lack of knowledge. If one who obviously is more experienced says so, then I must believe it. But still: my analogy holds, because firewalls ARE installed because people think they can block intruders, i.e. they regard firewalls as safety doors. Besides, if the intruder - in your scenario - is already within the house then shutting down Windows services will not throw him out.

@icfu
No, the "Cryptographic Services" or "Kryptographiedienste" are not running, but - more seriously - they are not even contained in the service list. Not even as "stopped" services. BTW: system is W2k Prof.
What I meant with de-installed is de-installation via Windows Setup.
Grüße/Regards,
Wilhelm
Lefteous
Power Member
Posts: 9536
Joined: 2003-02-09, 01:18 UTC
Location: Germany

Post by *Lefteous »

2Wilhelm M.
Wilhelm M. wrote:firewalls ARE installed because people think they can block intruders
Is that really true? I never heard that before. :shock:
Wilhelm M.
Power Member
Posts: 1049
Joined: 2003-06-05, 10:45 UTC

Post by *Wilhelm M. »

@lefteous
2 questions: what have you heard? And do YOU have a PFW installed?
Grüße/Regards,
Wilhelm
icfu
Power Member
Posts: 6052
Joined: 2003-09-10, 18:33 UTC

Post by *icfu »

Wilhelm M. wrote:No, the "Cryptographic Services" or "Kryptographiedienste" are not running, but - more seriously - they are not even contained in the service list.
If it's not there your system has been corrupted, at least the entry for the service has been deleted from the registry.

I have uploaded a fix here:
http://rapidshare.de/files/6476957/Kryptographiedienst_wiederherstellen.reg.html

Click on "Free", download and double-click the regfile, after that reboot. This should restore the service.

Wilhelm M. wrote:What I meant with de-installed is de-installation via Windows Setup.
I am not aware of any uninstallation feature thru Windows Setup for Windows Update, sorry. You mean uninstalled using some entry in Control Panel-Software? If yes, this was maybe just some (beta) update to Windows Update.

IIRC there is an entry that removes just the icon for Windows Update from the start menu, but this is just a cosmetic "uninstall", not a real one.

Icfu
This account is for sale
Wilhelm M.
Power Member
Posts: 1049
Joined: 2003-06-05, 10:45 UTC

Post by *Wilhelm M. »

In Windows Setup (control panel/software/add or remove windows components) you can de-select "Automatic Updates" (Automatische Updates).

Will try your fix!

You were too quick! Ah, I see - had that suspicion myself already. Like with many Windows components that are not really de-installed if you "de-install" them...
Last edited by Wilhelm M. on 2005-10-19, 12:33 UTC, edited 1 time in total.
Grüße/Regards,
Wilhelm