Fernando Cassia wrote:
> On Sun, Dec 7, 2008 at 10:26 PM, David Brown <[email protected]> wrote:
>
>> Actually, far and away the best general purpose firewall on Windows is
>> the built-in windows firewall - it is *much* better than any third-party
>> addon (except perhaps ipfilter for windows), simply because it doesn't
>> have a huge baggage of extra code to slow down the system and introduce
>> new bugs and exploitable holes.
>
> I *strongly* disagree. The firewall built into Windows XP is an
> inbound firewall only. It won't prevent programs and rogue apps from
> "phoning home", nor will it alert of any such outbound connections.
>
The aim of well-designed security is to avoid letting bad things onto your machine in the first place - blocking incoming traffic is *vastly* more important than blocking outgoing traffic. The Windows XP (and W2K) firewalls do a reasonable job of that - there are still some holes because windows doesn't have a proper layered network architecture, with specific points for filtering or manipulating network traffic (*nix systems *do* have such a layered architecture, that's why iptables on Linux and ipfilter on *bsd are far more solid than any firewall on windows ever can be).

What you want for a basic firewall is to block all incoming traffic, and allow all outgoing traffic. That's what you get with the default setup of a hardware firewall (i.e., a NAT firewall/router), and that's why you should *always* use one of these to protect windows machines. Filtering outgoing traffic is only useful for more advanced situations. The only outgoing traffic I filter on firewalls is to block SMTP traffic that is not heading for the ISP's mail relay. There may be occasions when you want to filter other things for specific reasons, but not in general.

There are a number of reasons why using a third-party software firewall on windows and trying to block outgoing traffic from malware is a bad idea. First off, a lot of malware is smart enough to get round application-specific blocks (such as by using IE or other applications as an intermediary). Secondly, major "internet security suites" have regularly had security issues that give new attack vectors - they are far too complex, and therefore have a high chance of bugs, and they mess with important parts of the system. That's a bad combination. But the biggest problem with software firewalls is that they are (from what I have seen) far too fussy. They greatly encourage the traditional windows users' habit of automatically clicking "OK" in any dialog box, as they ask your permission again and again to allow your programs to access the network. It takes an especially observant and paranoid user to notice the one box asking permission for the malware you've just downloaded - most people will OK that too, especially as it will have an innocent-sounding name like "system" rather than "Zombie BotNet Client". This is, of course, assuming the user hasn't got so fed up with the "OK" boxes that he has already disabled the firewall.

The road to internet security is the same as for any other kind of security - take basic precautions to prevent accidents or things happening without the user knowing (scan emails, block incoming traffic, avoid major vulnerable programs like IE, OE, and the MSN client as much as possible), and train the user to think or ask before clicking. Keep the security system as simple as possible - there's less to go wrong, and less to confuse the user.

If you want to prevent unwanted outgoing traffic, an alternative to filtering is to look at the DNS system - either replace your hosts file with one of the many filtered hosts files from the internet, or switch to using opendns. Both can be used to effectively block a large number of phishing, scam and malware sites, and/or "undesirable" sites. And both work in a simple, clear and reliable way.

Regarding iptables, there are vast numbers of options for filtering if you want to use them. I don't know if there is any way to block particular applications in a normal setup, but it should be possible - you can have iptables pass the packet into userspace for further classification and filtering. You could easily have a userspace daemon that checked the sending process's details and filtered on that basis.
A related topic is Layer 7 filtering <http://l7-filter.sourceforge.net/> which classifies packets according to their protocol, rather than their port or application.

_______________________________________________
vbox-users mailing list
[email protected]
http://vbox.innotek.de/mailman/listinfo/vbox-users
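The setup the reply above argues for (block all incoming traffic, allow all outgoing, with the single outbound exception of SMTP to the ISP's mail relay) written out as an iptables ruleset for a Linux NAT gateway sitting in front of the Windows machines. This is an added example, not code from the thread or from the VirtualBox project; the interface names, the relay address (a TEST-NET placeholder) and the rule ordering are assumptions, and it assumes iptables with the conntrack match. The rules are emitted as text first so they can be reviewed or tested before anything is applied.

```shell
#!/bin/sh
# Added example: default-deny inbound, allow-outbound NAT gateway ruleset,
# with outbound SMTP restricted to the ISP's relay. Not from the thread.
# Placeholders (assumptions): WAN_IF, LAN_IF, RELAY_IP (192.0.2.25 is a
# constructed TEST-NET address standing in for the real relay).

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
RELAY_IP="${RELAY_IP:-192.0.2.25}"

# Emit the ruleset as one iptables invocation per line. iptables is
# first-match, so the SMTP allow-to-relay rule must come before the
# generic SMTP drop, and both must come before the catch-all LAN->WAN accept.
build_rules() {
cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -i $LAN_IF -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 25 -d $RELAY_IP -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 25 -j LOG --log-prefix SMTP-BLOCK:
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 25 -j DROP
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# Succeeds (exit 0) only when the relay exception precedes the generic SMTP
# drop; with the order reversed the exception would never match.
check_order() {
    allow=$(build_rules | grep -n -- "--dport 25 -d $RELAY_IP -j ACCEPT" | cut -d: -f1)
    drop=$(build_rules | grep -n -- "--dport 25 -j DROP" | cut -d: -f1)
    [ -n "$allow" ] && [ -n "$drop" ] && [ "$allow" -lt "$drop" ]
}

# Install the rules. Refuses to run unless root and iptables are present,
# and stops at the first rule that fails to load.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    command -v iptables >/dev/null 2>&1 || { echo "apply_rules: iptables not found" >&2; return 1; }
    check_order || { echo "apply_rules: SMTP rules are out of order" >&2; return 1; }
    build_rules | while IFS= read -r cmd; do
        $cmd || exit 1   # unquoted on purpose: split the line into arguments
    done
}

case "${1:-show}" in
    apply) apply_rules ;;
    show)  build_rules ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run `sh firewall.sh` to print the ruleset for review and `sh firewall.sh apply` as root to load it. The LOG rule before the SMTP drop is there for detection as much as for blocking: a LAN host that keeps trying to reach port 25 on anything other than the relay is exactly the "phoning home" mail-sending behaviour the thread worries about, and the kernel log will name it.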
