“What is it with the Windows Vista Firewall and its refusal to go away? All our PCs are secured behind two firewalls: a hardware firewall and Microsoft ISA Server. The only traffic that gets in is the traffic that we want to get in. Now we can appreciate having the firewall on by default; but after turning it off over 20 times, it’s getting to be too much.”
columnists from a technology site would understand how to disable windows services without having to “troubleshoot”.
In addition to that what happens if the computer is a mobile machine that goes to coffee shops and malls. I don’t think I trust either of those with the security of my computer.
Sorry, but the author says that because he has two layers of filtering on the WAN that the PC firewall is not necessary. If one PC becomes compromised inside the LAN, a worm could easily spread through the network. Not to mention that internal users are a far larger threat than external these days..
This was a mindset I argued against for years and somewhere along the way my arguments started to stick. The idea that you can do boundary protection and be done, is insane. Anyone having any control over security for an enterprise needs to realize that there is more to network security than border firewalls.
I couldn’t agree more. Rather like those corporations that “standardize” on exactly one vendor’s Anti-Virus product. Just hope *you* don’t get by the worm that silently avoids that particular flavor of protection…
The better way to avoid the virus issue is this; simply don’t run McAfee or Nortons – and you won’t have that problem.
For me, Kaspersky wins hands down everytime; its interface may not be exactly eye candy, but it does the job without bringing the whole thing down to crawl and crash the system.
The problem with running client firewalls in an enterprise environment (most specifically a fully AD integrated Windows environment) requires so many ports open you can just as well turn the whole damn thing off as those are also the ports most trojans and viruses use.
Rigorous policies, a virus scanner on both client and server, no local admins and an very tight border security comes a long way in keeping crap outside.
You appear to lack an understanding of computer security. But I’m guessing you read much about it from ‘experts in the field’.
Firewalls are routers that have rules to control how or if they route traffic between networks.
A firewall serves no purpose on a PC.
If you want to protect your PC from exploitation of network services then just disable those network services.
A firewall is a device which permits or denies connections. A firewall can be hardware or software based.
Firewalls are routers that have rules to control how or if they route traffic between networks.
A firewall is not a router. Many routers include firewall functionality. You can buy hardware firewalls without any routing functionality.
A firewall serves no purpose on a PC.
A software firewall does serve a purpose on a PC, it permits or denies connections.
If you want to protect your PC from exploitation of network services then just disable those network services.
Close, but wrong. A firewall is not a replacement for security, so disabling services that aren’t required is essential, however to state that disabling services is the only action required is wrong. If a trojan creeps in, masked by a root kit and opens a port to allow remote control of your PC, a firewall might just save the day.
You appear to lack an understanding of computer security.
No, _You_ appear to lack an understanding of computer security.
Edited 2007-02-19 10:32
A Trojan masked by a rootkit that can’t disable/bypass your software firewall? I think not.
So your argument is that a software firewall can prevent unauthorised outgoing connections?
I’ll give you that preventing unauthorised outgoing connections is a useful thing. But you first have to control everything about what a program is allowed to do otherwise a malicious program can just use another program, that is authorised to make connections, to make the connections it needs.
A firewall is not a replacement for security,
This is very true and is my biggest issue with software firewalls and anti-virus. They add very little in terms of security while costing money, eating computing resources and giving the user a false sense of security.
There is a huge industry built around selling users ‘security’ software by marketing through fear and aren’t solving the problem in the right place.
A Trojan masked by a rootkit that can’t disable/bypass your software firewall? I think not.
Quite right, hence the reason why I said “a firewall might just save the day.”, (Emphasis added).
So your argument is that a software firewall can prevent unauthorised outgoing connections? [/i]
No, my arguement is that whilst a firewall should not be used as the basis of a security implementation, it does compliment properly securing or disabling services. Firewalls (hardware and software) are not infallable, but they should not be overlooked.
There is a huge industry built around selling users ‘security’ software by marketing through fear and aren’t solving the problem in the right place.
Very true, and I’m aware of far too many people that buy into this false sense of security.
Edited 2007-02-19 13:35
dont worry, i am sure it wont be long until there are plenty of handy programs that can turn the firewall off
For suitably malicious values of ‘handy’, you mean?
The issue is not whether the user is wise to be turning the firewall off, or whether he should have known to disable some service.
The point is, when you click the off button … it should turn off.
I -think- it does, only when you turn it off it sets the service into the “Stopped” state.
The thing is though, its startup type is still set on “Automatic” so when another service/program/whatever wants to use it’s functionality it gets restarted automatically. I could be wrong, I don’t have Vista installed on any of my computers right now but that’s what it seems like.
It’s more of a bug than Windows/Bill Gates trying to control your actions I think
Of course, in that case there is something to be said here about quality control at microsoft but then again, no one should be really THAT suprised…
I had no problem disabling the firewall and I don’t really use vista that much so I don’t care if it gets infected :p
And another thing, maybe MS thought the way he does it wasn’t the appropriate way to disable the firewall.. Did he ever think of that? I think not.. Disabling the firewall in vista isn’t exactly rocket science, pardon my rudeness, but his rant is just silly..
I don’t care if it gets infected
Well you should! The odds are that once a machine becomes infected, it will be used as a host for sending spam.
This web site makes me increasingly sad every day. I come here at least once a day to read stories regarding BeOS/Haiku and other operating systems. The chosen articles and related comments just seem to be a massive anti-“MS$$LOL!!!11111″/LINUX circle-jerk.
Well, given the charm offensive launched by Ballmer these days vs. open source/Linux, that’s indeed surprising.
But no, your allegation is nonsense, certainly regarding the chosen articles. They are usually linked by people about whom one couldn’t have the slightest suspicion that they are in any way and/or disproportionately anti-MS.
Not to mention the fact that sane people are anti-Microsoft by default, given the very nature and track record of that company, but that’s another discussion.
First of all, no one has confirmed his observations. He could be doing something wrong, or just trying to bash. If it is true, it is a bug. Lets hope he has reported it to Microsoft, if not he is complaining in the wrong place.
About the firewall.. Disabling the software firewall is just plain stupid. There is no reason to do so, and by doing so you are removing a security-layer (cant get enough of those). In larger installations it can be controlled with group-policies. In a SBS domain the clients cant even disable it by default (dont know if thats default for a win2k3 domain too?).
Edited 2007-02-19 15:32
they’ve probably got a group policy defined to enable the firewall.
All these years we’ve been convinceing people to use firewalls and now when firewall is built in we try to teach them to turn it of:)
Earlier poster: Ultimatebadass seems to have touched on the possible answer.
Still OFF should be “OFF”, not kinda ON.
References:
Dear Sir Bill Gates: invoice enclosed:
http://www.theregister.com/2006/08/21/bill_gates_invoice/
Disable system auto restart after installing Windows updates:
http://support.microsoft.com/?kbid=555444
“You are coming to a sad realization. Cancel or Allow?”
hylas