
Best Firewall??


Fruit2O

Aug 8, 2009, 11:38:14 AM
Since Norton Security Suite has such good reviews this year, I'm
thinking of buying it. However, I'm wondering if there is a better
firewall available. Any and all suggestions are welcome. Also,
comments on the Norton Suite.

G

Aug 8, 2009, 1:20:46 PM
In article <or6r75pak6v7lqkso...@4ax.com>,
jz13...@cox.net says...

Here is a reliable source of information:

http://www.matousec.com/projects/proactive-security-challenge/results.php

There are several free firewall options that are consistently rated in
the top group. There's no reason for you to pay for Norton if you can
get something else (rated higher, no less) for free.

I've recently switched to Kaspersky because I got it for free (after
rebates) from Fry's. It has done very well. Previously, I was using
Comodo, which also did very well.

I don't know how the current Norton suite is, but they have a bad
reputation in recent years, mainly having to do with the effort it takes
to get rid of it. Whatever you choose to do, make sure you back up your
system before installing the security product to make sure you can
easily roll things back if you don't like it.

Volker Birk

Aug 8, 2009, 1:59:38 PM

You don't need a "Personal Firewall". Just use the Windows-Firewall.

Yours,
VB.
--
"You are only what I approve of."

A caseworker at the Mülheim/Ruhr social welfare office, to a "client"

Nelson

Aug 8, 2009, 8:56:01 PM
On Sat, 8 Aug 2009 10:20:46 -0700, G <geoffstemp...@yahoo.com>
wrote:


What do you think of these firewalls in their ability to control
programs' access to the Internet? Can they do a fine-grain control
of which programs (including OS programs) can contact which remote
addresses?

Comodo seems to do this well. Does Kaspersky also do this job well?
Are there others that are particularly good at this? Thanks for your
thoughts.


BTW, is there any difference between Comodo PRO and FREE, other than
the added help and handholding services? Thanks again.

G

Aug 8, 2009, 11:33:12 PM
In article <a7as75p2krl56u7j5...@4ax.com>, replies-to-newsgro...@thank.you says...

I can't really answer that question. I only use it to allow or block
internet access for each program and process. I don't limit it to
specific addresses. I don't know exactly what you're trying to do. But
if you just want specific IP addresses allowed to those on your network,
then it would probably be better accomplished through your router
settings.


G

Aug 8, 2009, 11:36:53 PM
In article <a7as75p2krl56u7j5...@4ax.com>, replies-to-newsgro...@thank.you says...
>

As for Comodo, I've always just used the free version. I don't know
anything about the "Pro" version.

Volker Birk

Aug 9, 2009, 3:37:32 AM
Nelson <replies-to-n...@thank.you> wrote:
> What do you think of these firewalls in their ability to control
> programs' access to the Internet?

This is a b0rken concept. Just don't run programs you don't trust.
Configure your programs so that they're doing only what you want.

Nelson

Aug 10, 2009, 6:29:01 PM
On Sat, 8 Aug 2009 20:33:12 -0700, G <geoffstemp...@yahoo.com>
wrote:

Here's what I decided, then replies:

I chose Comodo. It does what ZoneAlarm used to do but does it even
better. Other firewalls did the general job well enough but didn't
have the fine-grain control desired.

To G and Volker Birk: There's good reason to control apps. Example:
My newsreader is permitted to access my ISP's DNS server and my news
service's servers. That's all. No longer do I find it trying to
access various applications' servers to report who-knows-what to their
publishers, because those apps (even though blocked from access) have
used other apps (such as my newsreader) to access the Internet.

In an experiment with the current ZoneAlarm Pro (yes, purchased), it
still tries to access the Internet and reach ZA servers even when all
of the access-related options are turned off. Also, ZA refuses to
allow its firewall or program-control settings to prevent Internet
access by its own programs or components. Further, when effectively
blocked by a hardware (router) firewall from reaching its home
servers' IP addresses, ZA enlists various other apps including
operating system components to silently try to reach its home servers.
And they call this a security program???

Comodo may or may not be the only firewall that's really good at this
aspect. If you know of others, do tell.

Kulin Remailer

Aug 10, 2009, 9:32:40 PM
On 10 Aug 2009 17:29:01 -0500, Nelson
<replies-to-n...@thank.you> wrote:

>>
>
>Here's what I decided, then replies:
>
> I chose Comodo. It does what ZoneAlarm used to do but does it even
>better. Other firewalls did the general job well enough but didn't
>have the fine-grain control desired.
>
>To G and Volker Birk: There's good reason to control apps. Example:
>My newsreader is permitted to access my ISP's DNS server and my news
>service's servers. That's all. No longer do I find it trying to
>access various applications' servers to report who-knows-what to their
>publishers, because those apps (even though blocked from access) have
>used other apps (such as my newsreader) to access the Internet.
>
>In an experiment with the current ZoneAlarm Pro (yes, purchased), it
>still tries to access the Internet and reach ZA servers even when all
>of the access-related options are turned off. Also, ZA refuses to
>allow its firewall or program-control settings to prevent Internet
>access by its own programs or components. Further, when effectively
>blocked by a hardware (router) firewall from reaching its home
>servers' IP addresses, ZA enlists various other apps including
>operating system components to silently try to reach its home servers.
>And they call this a security program???
>
>Comodo may or may not be the only firewall that's really good at this
>aspect. If you know of others, do tell.

Exactly!

I run into the same crapola all the time.

I'm tired of arguing about why I need a firewall that doesn't let
anything out.


Ansgar -59cobalt- Wiechers

Aug 11, 2009, 4:44:22 AM
Kulin Remailer <rema...@reece.net.au> wrote:
> I'm tired of arguing about why I need a firewall that doesn't let
> anything out.

Because you have no arguments to back your opinion, I suppose? Oh, well,
what do you expect from anonymous trolls ...

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Nelson

Aug 11, 2009, 5:20:02 PM
On 11 Aug 2009 01:32:40 -0000, Kulin Remailer <rema...@reece.net.au>
wrote:

Yes, people who have actually monitored what their software is doing
come away very disturbed about this. On the other hand, those who buy
security software and look no further, assuming that their security
software is protecting them, can be blissfully (if ignorantly) happy.

The single worst offender is the MS Windows operating system. Again
and again, Windows components that perform a local task and have no
reason whatsoever to access the Internet are busy doing just that.
Further, if blocked, they try multiple IP targets and try to hijack
other apps on your computer and connect through them. They keep
trying repeatedly, filling up your log with thousands of rapid-fire
attempts and slowing down your system while doing so. Ugh!



Ansgar -59cobalt- Wiechers

Aug 11, 2009, 6:02:03 PM
Nelson <replies-to-n...@thank.you> wrote:

> On 11 Aug 2009 01:32:40 -0000, Kulin Remailer wrote:
>> I'm tired of arguing about why I need a firewall that doesn't let
>> anything out.
>
> Yes, people who have actually monitored what their software is doing
> come away very disturbed about this.

BTDT. After configuring the chatty programs appropriately, only update
routines are connecting outbound. I fail to see why one would be
disturbed about that.

> On the other hand, those who buy security software and look no
> further, assuming that their security software is protecting them, can
> be blissfully (if ignorantly) happy.

"ignorant" being the operative word. Particularly about personal
firewalls creating additional security holes.

> The single worst offender is the MS Windows operating system. Again
> and again, Windows components that perform a local task and have no
> reason whatsoever to access the Internet are busy doing just that.

Name one that can't be configured to not do that.

> Further, if blocked, they try multiple IP targets and try to hijack
> other apps on your computer and connect through them.

Name one.

Besides, if the manufacturer of your operating system decided to have
the operating system phone home, no software running on top of said
operating system could actually prevent it from doing so. You do realize
that, don't you?

Nelson

Aug 11, 2009, 8:19:01 PM
On 11 Aug 2009 22:02:03 GMT, Ansgar -59cobalt- Wiechers
<usene...@planetcobalt.net> wrote:

>Nelson <replies-to-n...@thank.you> wrote:
>> On 11 Aug 2009 01:32:40 -0000, Kulin Remailer wrote:
>>> I'm tired of arguing about why I need a firewall that doesn't let
>>> anything out.
>>
>> Yes, people who have actually monitored what their software is doing
>> come away very disturbed about this.
>
>BTDT. After configuring the chatty programs appropriately, only update
>routines are connecting outbound. I fail to see why one would be
>disturbed about that.

It may not disturb you (and probably many others), and that's fine.
But it does bother me (and at least a few others) when software
establishes communications with remote servers without my knowledge or
consent.

People can have various good reasons for not wanting such
communications. Some have sensitive financial, technical, or personal
information that might be compromised. Some may not want inventories
of the software on their drives reported because they haven't paid for
it all. Some may have signed nondisclosure contracts which cannot be
fulfilled if outflow of information from their computers is no longer
within their control.

And some (including me) find it in principle objectionable. How would
you react if you hired someone to do some work in your home only to
find them rummaging through your file cabinet and faxing copies of
your information to confederates unknown to you?

>> On the other hand, those who buy security software and look no
>> further, assuming that their security software is protecting them, can
>> be blissfully (if ignorantly) happy.
>
>"ignorant" being the operative word. Particularly about personal
>firewalls creating additional security holes.

Yes.

>> The single worst offender is the MS Windows operating system. Again
>> and again, Windows components that perform a local task and have no
>> reason whatsoever to access the Internet are busy doing just that.
>
>Name one that can't be configured to not do that.

Sure. See below. Also, if you do block their external access, they
go nuts trying to get around the block, and some desired tasks may not
work. And it's hard to spot such activity if they go through
svchost.exe or other apps.

>> Further, if blocked, they try multiple IP targets and try to hijack
>> other apps on your computer and connect through them.
>
>Name one.

Sure. Here are three (all in WinXP-SP2 and SP3):

userinit.exe
wininit.exe
winlogon.exe

These are multipurpose apps, but they sometimes can be found
initiating external communications when none should occur.

>Besides, if the manufacturer of your operating system decided to have
>the operating system phone home, no software running on top of said
>operating system could actually prevent it from doing so. You do realize
>that, don't you?

That's why we have hardware routers with built-in firewalls. By
blocking the target IP addresses of the persistent offenders within
the router's firewall, you can indeed stop it.

A suggested strategy is to permit the legitimate communications for
your tasks (including your own ISP's DNS server IP addresses rather
than permitting all traffic on port 53) and blocking other target IPs
in the router's firewall.

>cu
>59cobalt

Ansgar -59cobalt- Wiechers

Aug 12, 2009, 8:51:27 AM
Nelson <replies-to-n...@thank.you> wrote:

> On 11 Aug 2009 22:02:03 GMT, Ansgar -59cobalt- Wiechers wrote:
>> Nelson <replies-to-n...@thank.you> wrote:
>>> On 11 Aug 2009 01:32:40 -0000, Kulin Remailer wrote:
>>>> I'm tired of arguing about why I need a firewall that doesn't let
>>>> anything out.
>>>
>>> Yes, people who have actually monitored what their software is doing
>>> come away very disturbed about this.
>>
>> BTDT. After configuring the chatty programs appropriately, only
>> update routines are connecting outbound. I fail to see why one would
>> be disturbed about that.
>
> It may not disturb you (and probably many others), and that's fine.
> But it does bother me (and at least a few others) when software
> establishes communications with remote servers without my knowledge or
> consent.

Disable the update routines as well. Problem solved. Still nothing to be
disturbed about.

> People can have various good reasons for not wanting such
> communications. Some have sensitive financial, technical, or personal
> information that might be compromised. Some may not want inventories
> of the software on their drives reported because they haven't paid for
> it all. Some may have signed nondisclosure contracts which cannot be
> fulfilled if outflow of information from their computers is no longer
> within their control.

Ummm... what makes you believe that some program's update routine would
transmit any other information than its own software version (and
perhaps the operating system's version)?

> And some (including me) find it in principle objectionable.

You find keeping your software up-to-date objectionable in principle?
Then why are you wasting any thought at all on computer security?

> How would you react if you hired someone to do some work in your home
> only to find them rummaging through your file cabinet and faxing
> copies of your information to confederates unknown to you?

I would most certainly *not* lock him into my office and try to somehow
prevent him from communicating. Instead I would do what I do with any
software behaving that way: remove the culprit from my premises.

>>> On the other hand, those who buy security software and look no
>>> further, assuming that their security software is protecting them, can
>>> be blissfully (if ignorantly) happy.
>>
>> "ignorant" being the operative word. Particularly about personal
>> firewalls creating additional security holes.
>
> Yes.

*sigh*

>>> The single worst offender is the MS Windows operating system. Again
>>> and again, Windows components that perform a local task and have no
>>> reason whatsoever to access the Internet are busy doing just that.
>>
>> Name one that can't be configured to not do that.
>
> Sure. See below. Also, if you do block their external access, they
> go nuts trying to get around the block, and some desired tasks may not
> work. And it's hard to spot such activity if they go through
> svchost.exe or other apps.
>
>>> Further, if blocked, they try multiple IP targets and try to hijack
>>> other apps on your computer and connect through them.
>>
>> Name one.
>
> Sure. Here are three (all in WinXP-SP2 and SP3):
>
> userinit.exe
> wininit.exe
> winlogon.exe
>
> These are multipurpose apps, but they sometimes can be found
> initiating external communications when none should occur.

- What kind of connections did those processes supposedly try to
establish for no good reason?
- What's the path of those executables?
- Did you verify that they're in fact the system files supplied by
Microsoft and not some malware disguising itself as a system file?

Besides, userinit.exe for one has (among other things) the purpose to
establish network connections, so it actually does have business
accessing the network.

>> Besides, if the manufacturer of your operating system decided to have
>> the operating system phone home, no software running on top of said
>> operating system could actually prevent it from doing so. You do
>> realize that, don't you?
>
> That's why we have hardware routers with built-in firewalls. By
> blocking the target IP addresses of the persistent offenders within
> the router's firewall, you can indeed stop it.

True. What does that have to do with personal firewalls?

Nelson

Aug 13, 2009, 5:00:01 AM
On 12 Aug 2009 12:51:27 GMT, Ansgar -59cobalt- Wiechers
<usene...@planetcobalt.net> wrote:

Yes, these OS components are the right ones and in the right paths.

Of course the update options in Windows and in apps were turned off.
And still they try to reach their publisher's servers. Sometimes,
disabling a Windows service can stop it, but sometimes the services
cannot be stopped or they cannot be stopped without losing needed
functions.

Various apps collect and report lots of data about your hardware and
software, often extensive, often of little apparent relevance. Look
at the dumps that are sent or attempted to be sent.

Sure, userinit has legitimate functions, but my point that it
initiates external communications with MS servers when none should
occur stands. Look at the firewall logs, which will show lots of such
entries if you either track all Internet access or block access to MS
servers.

"What does that have to do with personal firewalls?" The router
(hardware) firewalls are needed because, as you said, firewalls that
sit on top of the OS cannot fully control OS communications. So an
effective firewall system for outbound data requires both.

My exploration of this topic was prompted not by any great secrets but
by curiosity about unknown access entries appearing in firewall logs.
I find the results of that exploration disturbing. You don't. I did
something about it (selectively blocking external access using
firewalls). Everyone here will individually decide how much of this
fits their needs and preferences.


Volker Birk

Aug 14, 2009, 9:15:04 AM
Nelson <replies-to-n...@thank.you> wrote:
> People can have various good reasons for not wanting such
> communications. Some have sensitive financial, technical, or personal
> information that might be compromised.

No "Personal Firewall" can prevent that from happening. I fear, you
cannot understand why. If that is the case, and you're interested, I
will be happy to explain.


Volker Birk

Aug 17, 2009, 1:09:22 PM
ann...@email.invalid wrote:

> On Fri, 14 Aug 2009 15:15:04 +0200 (CEST), Volker Birk
> <bum...@dingens.org> wrote:
>>Nelson <replies-to-n...@thank.you> wrote:
>>> People can have various good reasons for not wanting such
>>> communications. Some have sensitive financial, technical, or personal
>>> information that might be compromised.
>>No "Personal Firewall" can prevent that from happening. I fear, you
>>cannot understand why. If that is the case, and you're interested, I
>>will be happy to explain.
> Please do.

Information is transferred by encoding¹. Encoding means, that someone
is transmitting data, which is seen as a message by sender and receiver,
which contains that information as the meaning of the message.

If there is connectivity between sender and receiver, they can transmit
any information they want, if they've a common code. Connectivity means,
that they have the possibility to send at least as many different
messages as they need to describe the words of the formal language they
want to transmit, which is used to describe the information they want to
transmit.

For example, if someone wants to transmit your Bank account PIN, and
this PIN has four digits, which can be from 0 to 9, then they need to be
able to transmit at least 10'000 different words.

For that case, it does not matter at all, *which* words they're able to
transmit, and it does not matter at all, *how* they're transmitting.

For example, the first digit 1 can be transmitted by not transmitting
anything at 12:00 o'clock, while transmitting the second digit as 2 can
be done by requesting the software update on an odd hour of the day.

The code is at will. It just has to be known by sender and receiver.

So if a "Personal Firewall" enables connectivity in *any* way, it is
possible to transmit *any* information. Because "Personal Firewalls" are
filtering, they're preventing many codes from working.

Others do work. So an attacker just will switch codes.

The worst design flaw in a "Personal Firewall" I saw yet, was in Norton
InSecurity: They were filtering your bank PIN out of any transmitted
data.

This way they're publicizing your bank PIN to anybody who wants to have
it, and whose web server you're browsing; one just has to have the
de Bruijn sequence for four digits² in a hidden field of an HTML form,
and the digit combination which is filtered out is your bank PIN -
filtering is used as code to transmit this data here.

The only way to stop transmitting arbitrary information is to prevent
connectivity. Just cut your cable with a knife ;-) And don't use WLAN...

Yours,
VB.

¹ http://en.wikipedia.org/wiki/Code
² http://www.hakank.org/comb/debruijn_k_10_n_4.html
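The de Bruijn trick described in the post, as an added example that is not code from the thread: a toy "Personal Firewall" deletes a constructed four-digit PIN from outbound data, and the receiving side, which knows the hidden field it supplied, reads the PIN back from what is missing. It also shows one detail the post glosses over: a single deletion identifies the PIN only up to rotation, so the receiver ends with at most four candidates.

```python
# Added example (not code from the thread): a toy model of the channel described
# above. A simulated "Personal Firewall" deletes the user's bank PIN from
# outbound data; the web server that planted a de Bruijn sequence in a hidden
# form field recovers the PIN from what went missing. PIN, field and filter are
# all constructed for this demonstration.

K, N = 10, 4  # decimal digits, four-digit PIN


def de_bruijn(k: int, n: int) -> str:
    """Cyclic de Bruijn sequence B(k, n) as a digit string (the standard
    FKM construction). Read cyclically, every n-digit string appears
    exactly once, so the cycle has length k**n."""
    a = [0] * (k * n)
    seq = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(map(str, seq))


def hidden_field(k: int = K, n: int = N) -> str:
    """Unroll the cycle into a plain string in which every n-digit string
    occurs exactly once as a substring: append the first n-1 digits."""
    s = de_bruijn(k, n)
    return s + s[:n - 1]


def leaky_firewall(outbound: str, pin: str) -> str:
    """The design flaw: delete the PIN wherever it occurs in outbound data.
    One non-overlapping pass, which is what str.replace does."""
    return outbound.replace(pin, "")


def recover_pin_candidates(sent: str, received: str, n: int = N) -> set:
    """Receiver side. It knows the field it supplied ('sent') and sees what
    arrived. Exactly one n-digit window was cut out, at some position p at
    or before the first index i where the strings differ. A cut further
    back than n-1 positions would need sent[j] == sent[j+n] for n or more
    consecutive j, i.e. a repeated window, which the field never contains.
    Every candidate p is verified by re-applying the deletion."""
    if len(sent) - len(received) != n:
        return set()
    i = next((j for j, (x, y) in enumerate(zip(sent, received)) if x != y),
             len(received))
    return {sent[p:p + n] for p in range(max(0, i - n + 1), i + 1)
            if sent[:p] + sent[p + n:] == received}


def leak(pin: str) -> set:
    """End to end: the field goes out through the 'firewall' and the receiver
    gets the PIN back, narrowed to at most n rotations of itself."""
    field = hidden_field()
    assert len(field) == K ** N + N - 1
    return recover_pin_candidates(field, leaky_firewall(field, pin))


if __name__ == "__main__":
    for pin in ("7391", "0000", "0001"):  # constructed sample PINs
        print(pin, "->", sorted(leak(pin)))
```

With the constructed PIN 0001 the field locally has period four ("0001000"), so all four rotations survive; with 0000 the candidate set is a single value.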

Kyle T. Jones

Aug 17, 2009, 5:49:46 PM

What if all I want from my personal firewall is the ability to select
which installed apps on my Com-Put-Or can access outside resources, and
which can't?

Seems like a personal firewall would be useful, for that. It kinda
seems like that was what the OP wanted to be able to do, primarily.

Cheers.

Ansgar -59cobalt- Wiechers

Aug 17, 2009, 6:34:23 PM
Kyle T. Jones <KBf...@realdomain.net> wrote:
> What if all I want from my personal firewall is the ability to select
> which installed apps on my Com-Put-Or can access outside resources,
> and which can't?

Since programs can communicate through other programs that won't help.
Not as long as at least one program is allowed to communicate, that is.

> Seems like a personal firewall would be useful, for that.

No. You either configure the application to not establish outbound
connections, or you remove the application entirely (in case it won't
allow proper configuration). Everything else is plain stupid.

Nelson

Aug 18, 2009, 12:36:01 AM
On Tue, 18 Aug 2009 00:34:23 +0200 (CEST), Ansgar -59cobalt- Wiechers
<usene...@planetcobalt.net> wrote:

>Kyle T. Jones <KBf...@realdomain.net> wrote:
>> What if all I want from my personal firewall is the ability to select
>> which installed apps on my Com-Put-Or can access outside resources,
>> and which can't?
>
>Since programs can communicate through other programs that won't help.
>Not as long as at least one program is allowed to communicate, that is.
>
>> Seems like a personal firewall would be useful, for that.
>
>No. You either configure the application to not establish outbound
>connections, or you remove the application entirely (in case it won't
>allow proper configuration). Everything else is plain stupid.
>
>cu
>59cobalt

There are some additional things you can do which involve filtering
applications' target IP addresses for undesired outbound
communications.

Specifically, give permission for applications to access their
legitimate servers and block all others.

For example, you can use firewall rules to permit your newsreader to
access your news servers and your ISP's DNS servers. If you use your
newsreader for e-mail, then permit that too. Then block all others.

You can reduce blocked programs' ability to hijack other programs to
gain external access by preventing application interaction (or acting
as a parent) if your firewall has that ability.

And for those programs that are necessary for your OS to function or
for certain apps to do needed tasks -- and which insist on accessing
the Internet -- log their target IP addresses and, if they cannot be
blocked by software firewalls, block them at the router (hardware)
level.

Other tools can converge with these kinds of approaches to gain the
degree of security you need (or want). Storing and/or transmitting
sensitive data in encrypted form is one example.

Again, permitting only the target IPs you approve is *much* better
than trying to detect and block all the unwanted communications.
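The allowlist approach in the post above (permit each app's legitimate servers, allow only the ISP's resolvers rather than all of port 53, flag a permitted app started by a blocked one, and hand the targets of unblockable OS components to the router) as an added example that is not code from the thread or from any firewall product. Process names, the trusted-parent list, the addresses (RFC 5737 documentation ranges) and the sample connection attempts are all constructed.

```python
# Added example (not from the thread): a small model of Nelson's default-deny,
# per-application allowlist, run over constructed connection attempts.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addresses from the RFC 5737 documentation ranges.
ISP_DNS = ["203.0.113.53/32", "203.0.113.54/32"]
NEWS_SERVER = "198.51.100.10/32"

# OS components the thread says a software firewall cannot stop; their
# blocked targets are collected for a router rule instead (a list here, not
# anything verified about Windows).
UNBLOCKABLE = {"winlogon.exe", "userinit.exe", "wininit.exe"}
TRUSTED_PARENTS = {"explorer.exe"}  # constructed: who may launch a permitted app


@dataclass(frozen=True)
class Rule:
    process: str          # image name the attempt is attributed to
    dest: str             # CIDR the process may reach
    port: Optional[int]   # None matches any port

    def matches(self, process: str, ip: str, port: int) -> bool:
        return (self.process == process
                and ip_address(ip) in ip_network(self.dest)
                and (self.port is None or self.port == port))


# Newsreader: its own news server on NNTP and only the ISP's resolvers on 53.
# There is deliberately no "port 53 to anyone" rule.
RULES = [Rule("newsreader.exe", NEWS_SERVER, 119)] + \
        [Rule("newsreader.exe", d, 53) for d in ISP_DNS]


@dataclass(frozen=True)
class Attempt:
    process: str
    parent: str
    ip: str
    port: int


def decide(a: Attempt) -> str:
    """Default deny. 'proxied' marks a connection the rules would permit but
    whose process was started by something that is not a trusted parent,
    i.e. a blocked program riding through a permitted one."""
    if not any(r.matches(a.process, a.ip, a.port) for r in RULES):
        return "block"
    if a.parent not in TRUSTED_PARENTS:
        return "proxied"
    return "allow"


def evaluate(attempts: List[Attempt]) -> Tuple[List[str], List[str]]:
    """Verdict per attempt, plus the target IPs of blocked attempts by
    components the software firewall cannot stop (router blocklist)."""
    verdicts = [decide(a) for a in attempts]
    router_blocklist = sorted({a.ip for a, v in zip(attempts, verdicts)
                               if v == "block" and a.process in UNBLOCKABLE})
    return verdicts, router_blocklist


SAMPLE = [  # constructed connection attempts
    Attempt("newsreader.exe", "explorer.exe", "198.51.100.10", 119),
    Attempt("newsreader.exe", "explorer.exe", "203.0.113.53", 53),
    Attempt("newsreader.exe", "explorer.exe", "192.0.2.53", 53),   # foreign resolver
    Attempt("newsreader.exe", "explorer.exe", "198.51.100.10", 80),
    Attempt("winlogon.exe", "wininit.exe", "192.0.2.80", 80),
    Attempt("newsreader.exe", "chatty.exe", "198.51.100.10", 119),
]


def summary() -> Tuple[List[str], List[str]]:
    return evaluate(SAMPLE)


if __name__ == "__main__":
    verdicts, router = summary()
    for a, v in zip(SAMPLE, verdicts):
        print(f"{v:8} {a.process} (parent {a.parent}) -> {a.ip}:{a.port}")
    print("router blocklist:", router)
```

The last sample attempt is exactly the case raised elsewhere in the thread: the rules alone would allow it, and only the parent check notices that a blocked program is behind it.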

Volker Birk

Aug 18, 2009, 2:49:26 AM
Kyle T. Jones <KBf...@realdomain.net> wrote:
> What if all I want from my personal firewall is the ability to select
> which installed apps on my Com-Put-Or can access outside resources, and
> which can't?

This is much harder than it sounds. Most "Personal Firewalls" are
failing completely.

It is very easy to circumvent any filtering attempt by not sending
directly, but making other applications to send. And if there is
connectivity, there are applications which can send, like the web
browser or your mail program.

People call that "leaks", and testing programs "leak tests". I wrote
two. The first did cost me ten minutes of work, and any "Personal
Firewall" was fooled at this time¹, then they patched (it's an unfair
game - it is much easier for the attacker to choose the next available
option to send, while the "Personal Firewall" programmers have to spend
months of development time to prevent that from happening - and they
have to destroy functionality of the operating system to get that to
work).

After "Zone Alarm" was ready, and had patched, I spent just another half
an hour while dinner on a Saturday evening with my laptop², and again
every "Personal Firewall" failed.

I stopped that, because I think the problem was shown.

Trying to prevent applications from sending, which you're running on
your system, is a b0rken concept anyways.

If you have code running on your system, and this code manages to
gain administrator rights, you lose³.

Usually, people are working as administrator on Microsoft Windows, so
there is nothing to do for an attacker. The clever attacker is running
code in kernel space then, ignoring any "Personal Firewall".

If people are careful enough to not work as administrator, then there are
hundreds of tricks to gain administrator rights on a Windows box.
Usually, it's enough to install a printer driver⁴ or use the scheduling
service.

But even if all that would work, trying to prevent applications from
sending, which are running on your system, is a b0rken concept anyways.

This is, because deciding which communication should be prevented from
happening and which not is not a computable problem. If you're
preventing an application from "phoning home" to search for updates or
for information about new security holes, you're lowering security
instead of elevating it.

And because the "Personal Firewall" cannot decide, it is asking the only
person, who should not be asked at all, the person who should be secured
and not at all be responsible for security:

They're asking the user.

This makes the concept absurd, even if it would work.

Yours,
VB.

¹ http://www.dingens.org/breakout-en.c
² http://www.dingens.org/breakout-wp.cpp
³ http://www.bluepillproject.org/
⁴ http://www.microsoft.com/whdc/archive/usbprint.mspx?pf=true#usbp1

Volker Birk

Aug 18, 2009, 2:51:34 AM
Nelson <replies-to-n...@thank.you> wrote:
> Specifically, give permission for applications to access their
> legitimate servers and block all others.

With what intention?

> You can reduce blocked programs' ability to hijack other programs to
> gain external access by preventing application interaction (or acting
> as a parent) if your firewall has that ability.

There is no such thing as "reduce ability" in IT security. Whether it is
possible or not.

IT security does not work like security, say, in military.

Yours,
VB.

Ansgar -59cobalt- Wiechers

Aug 18, 2009, 6:32:21 AM
Nelson <replies-to-n...@thank.you> wrote:

> On Tue, 18 Aug 2009 00:34:23 (CEST), Ansgar -59cobalt- Wiechers wrote:
>> Kyle T. Jones <KBf...@realdomain.net> wrote:
>>> Seems like a personal firewall would be useful, for that.
>>
>> No. You either configure the application to not establish outbound
>> connections, or you remove the application entirely (in case it won't
>> allow proper configuration). Everything else is plain stupid.
>
> There are some additional things you can do which involve filtering
> applications' target IP addresses for undesired outbound
> communications.
>
> Specifically, give permission for applications to access their
> legitimate servers and block all others.

Define the "legitimate servers" for, say, a web browser.

Besides, if you'd take a closer look at how DNS works, you might
understand why restricting access to particular DNS servers will not
solve the problem.

> For example, you can use firewall rules to permit your newsreader to
> access your news servers and your ISP's DNS servers. If you use your
> newsreader for e-mail, then permit that too. Then block all others.
>
> You can reduce blocked programs' ability to hijack other programs to
> gain external access by preventing application interaction (or acting
> as a parent) if your firewall has that ability.

Or, you could simply remove the misbehaving software and fix the cause
of the problem instead of dealing with the symptoms. Which would have
the additional advantages of a) *not* wasting significant amounts of
system resources on trying to confine programs, and b) *not* opening
additional attack vectors for malware. I know what I'd choose.

Nelson

Aug 18, 2009, 11:16:01 PM


59cobalt and Volker Birk, your points about the inability of firewalls
and other security measures to provide complete security (or anything
close to it) are well taken. Who would argue with that?

But there are practical realities based on the fact that these
measures do help. They can stop some of the leaks, especially with
care to their settings.

Of course misbehaving apps should be removed and/or replaced where
that is possible, but sometimes that isn't an option.

Sure, the tactic of restricting target IP addresses won't work for web
browsers (at least the way most of us use them). But it does help
where it can be applied, such as in the newsreader example.

I will keep and use the lock on my front door even though it can be
defeated in various ways. I will not remove it as useless because it
can be forced, picked, or bypassed. The lock does reduce
vulnerability (if mainly through deterrence). Like firewalls, it
improves security but does not assure absolute security. In this
less-than-perfect world, I'll keep both thank you.


Volker Birk

Aug 19, 2009, 2:18:20 AM
Nelson <replies-to-n...@thank.you> wrote:
> But there are practical realities based on the fact that these
> measures do help.

We are living in an age of botnets, millions of PCs are zombies. Maybe
your PC, too.

I hope, there will be a change of paradigms in near future. Windows
Vista and Windows 7 show, that Microsoft is working seriously on
improving security of the Windows operating system.

They're doing well in many points. Unfortunately, they're missing
some conceptional things yet.

"Personal Firewalls" cannot help us with such problems. Perhaps
Microsoft will.

Yours,
VB.
