Relying on SP2's Firewall
Can users trust the revamped version?
In addition to a smattering of other security features, Windows XP Service Pack 2 comes with an upgraded firewall, which is enabled by default. One user in our Security forum asks, "Should I continue to use ZoneAlarm, or do you think the new and improved firewall is sufficient? Anything I should know before I switch over?" Will the "new" firewall (it's really revamped to more closely resemble ISA Server and does not come with outbound protection) cause many users to lower their guard and migrate away from free software firewalls like Zone Alarm or Kerio?

Penguins3
Have You Played Atari Today?
join:2001-12-01
Cleveland, OH

1 recommendation

Penguins3

Member

Without outbound connection filtering...

It's pretty much useless against viruses, trojans, and other malware.

palbri
Premium Member
join:2000-10-22
Suffield, CT

palbri

Premium Member

Re: Without outbound connection filtering...

??? I was under the impression it DOES have outbound connection filtering....

rorrim180
The Original Captain Chaos
Premium Member
join:2001-12-29
united state

rorrim180

Premium Member

Re: Without outbound connection filtering...

When I was using SP2 beta a message popped up on my screen for a few programs, one of them being AIM, asking me if I wanted to give it permission to access the internet. Doesn't that provide some form of outbound protection?
philburg2
join:2003-04-11
Seabrook, NH

philburg2

Member

Re: Without outbound connection filtering...

The firewall picked up on some spyware trying to phone home on me, not bad for a bare minimum firewall. It's enough that I won't need to install heavier stuff on some computer.

Camelot One
MVM
join:2001-11-21
Bloomington, IN

Camelot One

MVM

Re: Without outbound connection filtering...

I found that it was only picking up on the outbound connection, not actually stopping it. Each time I got the notification, it said it was currently blocking application "xx" whatever, prompting me to allow it or continue blocking. But the program was in fact getting out just fine.

So I guess maybe it works as an outbound connection warning, but certainly not as an outbound firewall.

AthlGrond
Premium Member
join:2002-04-25
Aurora, CO

AthlGrond to Penguins3

Premium Member

to Penguins3
I'd say it's pretty much useless against outbound traffic, but works fine on the inbound stuff.

Andrew J
Premium Member
join:2001-11-09
Lancaster, PA

Andrew J

Premium Member

Re: Without outbound connection filtering...

It must block outbound since the second I rebooted after the install, it asked if I wanted to allow "Media Server" to work. This is an out-bound program to my DVD player. It's hosing Active Sync connections for PPC users, also.

AthlGrond
Premium Member
join:2002-04-25
Aurora, CO

AthlGrond

Premium Member

Re: Without outbound connection filtering...

Good to know, the reviews I've read have given mixed signals on this. (I've seen it stated both ways. Sometimes in the same review!)

Personally, I think the inbound protection is so much more important that I wouldn't mind if it did nothing for outbound.

1 recommendation

SecurityExpert to Penguins3

Anon

to Penguins3
Look, if you have to block outbound traffic then you have already been infected and it is too late. Inbound filtering and common sense is good enough.
LoungeLizard2
join:2003-11-21
Vallejo, CA

LoungeLizard2

Member

Re: Without outbound connection filtering...

Better late than never!! At least with an outbound notice, you're given a flag that you're infected, and can then address the problem.
dave
Premium Member
join:2000-05-04
not in ohio

dave

Premium Member

Re: Without outbound connection filtering...

said by LoungeLizard2:
Better late than never!! At least with an outbound notice, you're given a flag that you're infected, and can then address the problem.

..assuming the malware tries to connect out before it deletes every file you own, you're protected.


mr_slick
join:2003-05-22
Lynnwood, WA

mr_slick to SecurityExpert

Member

to SecurityExpert
Some people just like to control what connects to the Internet--- myself included.... I don't want Windows Media Player phoning home or any other 'non-malware' app. to "check for new version". Call me paranoid, but who knows what kind of info is actually going out. If I want an update or to send "non-identifiable info" I will do it manually.

DaMaGeINC
The Lan Man
Premium Member
join:2002-06-08
Greenville, SC

1 recommendation

DaMaGeINC to Penguins3

Premium Member

to Penguins3
said by Penguins3:
It's pretty much useless against viruses, trojans, and other malware.

If you're stupid enough to get all that shit, then you're a moron in the first place.
LoungeLizard2
join:2003-11-21
Vallejo, CA

1 edit

1 recommendation

LoungeLizard2

Member

Re: damageinc...

Please....either add something constructive to the discussion you self-righteous Erkel, or reach in the back of the fridge, where I left you an ice cold 40oz of PBQ!! (please be quiet):p

Karl Bode
News Guy
join:2000-03-02

Karl Bode to DaMaGeINC

News Guy

to DaMaGeINC

Re: Without outbound connection filtering...

Play nice, please.

I'm not a big fan of locking threads.

Thanks.

not quite right
I'm not cool enough to be a Mac person
join:2001-06-23
Puyallup, WA

2 recommendations

not quite right to Penguins3

Member

to Penguins3
You guys don't get it, do you? Microsoft CAN'T put a full-fledged two-way firewall into its OS without every 3rd party software manufacturer screaming MONOPOLY, and suing them for trying to protect your ignorant asses!
Windows firewall is meant to protect the sheep from the wolves of the internet, nothing more.

SRFireside
join:2001-01-19
Houston, TX

SRFireside

Member

Re: Without outbound connection filtering...

If that were the case then how come they still have a fully functional media player and video editing suite? Either the developers in Microsoft don't have the savvy to make a powerful firewall or Microsoft refuses to invest enough to make a quality firewall. Either way it's just a simple solution tacked onto an already bloated OS.

glassgnost
@srar.com

glassgnost to Penguins3

Anon

to Penguins3
If UPNP is still allowed to open new inbound ports on the fly, it's useless. Does SP2 kill UPNP by default?

Jeremy341
Bye
Premium Member
join:2000-01-06
localhost

Jeremy341

Premium Member

Re: Never mind outbound connection filtering...

said by glassgnost:
Does SP2 kill UPNP by default?
Yes.
DSLrgm
Premium Member
join:2002-08-22
Oak Park, MI

DSLrgm

Premium Member

Half baked

Inbound protection only.

No outbound packet inspection.

No.

Do you stop using a REAL firewall product.

jaykaykay
4 Ever Young
MVM
join:2000-04-13
USA

jaykaykay

MVM

Keep using another firewall...

The MS SP2 patch still tags only incoming access to your computer...nothing from your computer asking for access to the Internet, so although it's better, continuing to use ZA or any other firewall and/or a router is preferable.
vernalex
Premium Member
join:2000-10-19
Vernon Rockville, CT

1 recommendation

vernalex

Premium Member

I'm curious too...

I am curious how well it will work out over time. I think it will turn out better than ZoneAlarm or such, but it will create a single failpoint for newer worms to attack.

A lot of people will complain that it only blocks incoming. And personally, from handling computer support for years, I find that outgoing "protection" causes more problems than it fixes. The worms attack remotely, and if you have a worm on your computer then you have bigger problems than firewalls. Nothing beats updating your computer and closing all your open ports (through firewalls or other ways).
koat
join:2001-05-12
Sunnyvale, CA

koat

Member

Playing devil's advocate

Why would you worry about outgoing traffic if you do not download malware infected junk, use Outlook or open executable attachments, or the like?

I use Kerio for my firewall which has outbound protection, but over the past 3 years I might have had spyware on my machine 2-3 times from when I install BearShare to download out of date Linux ISOs.

ropeguru
Premium Member
join:2001-01-25
Mechanicsville, VA

ropeguru

Premium Member

Re: Playing devil's advocate

Because there may be a product that you download that in the past has not had spyware/malware in it, but new versions do. Take AOL IM, in the past it never had any issues. Recently they started packaging WildTangent to be installed automatically. Granted, they have since made it an option to install. But if you did not have outgoing protection you may have never known it was even there.

Another example is WeatherBug. They did, and still do, the same thing. It phones home to send back user habits. Also, you may want to use a product that does phone home for other reasons, such as connection statistics. There may not be an option to turn it off. But if you have outbound protection you can block that but still use the product without worries.

So there are a LOT of reasons to have it.

My opinion is that if Microsoft is hyping this new service pack so much on security, have put so much money into it, and make the file soooo big, 266MB to be exact, they could have done the little bit of extra to provide outbound protection.

To me just another example of M$ half assed work.
wilburyan
join:2002-08-01

wilburyan

Member

Re: Playing devil's advocate

I don't think it's hype at all... they put a sh*tload of work into it. They have very little financial gain from SP2 because it's a free update. It's an attempt to make M$ look better because we all know that they have been plagued with security issues. As much as we all like to bitch about them and how they aren't on the ball and don't quickly patch security flaws... I think they have a lot on their plate and should be cut a little bit of slack.

LordMalak
join:2003-07-02
Brazil

LordMalak

Member

Maybe, just maybe...

You all should actually use the thing before passing judgment, or repeating BS Microsoft haters like to spread.

The SP2 firewall does prompt you when a program tries to reach the outside world. It also manages exceptions, you can manually open ports, etc.

sadowski
I Am My Own Doppelganger
Premium Member
join:2000-04-14
Buffalo, NY

sadowski

Premium Member

Re: Maybe, just maybe...

It will warn you when a program tries to bind to a port for listening, that is, to accept unsolicited inbound connections.

Andrew J
Premium Member
join:2001-11-09
Lancaster, PA

1 edit

Andrew J

Premium Member

Re: Maybe, just maybe...

I'm also sure it blocks out-bound since on one box it immediately asked if I wanted some program internet access. I have no idea what it was but it had to be on the box when I rebooted. This box has up to date AVG and Spybot Search and Destroy. With very few other items since it's just an extra PC that crunches.

Mr Anon
@dsl.chcgil.ameritech

Mr Anon

Anon

Don't get confused!

Hold on before we get too off tilt here. ZA is a suite of programs; it's even divided as such in the interface. It's becoming more popular for software firewalls to include other protection services that are outside of what a firewall is.

A firewall is just for mostly inbound protocol and port security, securing just the network.
Program security is security against programs connecting regardless of port, IP, protocol, but can distinguish between connection to the Internet and running a service (which is what you see in SP2, just security over servers).
Anti-virus is file and program security, no network involvement (scanning shares and things as they enter the system still is done locally).
Email protection only deals with email.

Each of these are different sections with different functions, don't be confused by the fact that they are in one program suite.
Zone Labs programs are really a security suite, whereas the Firewall in XP is just that, a firewall, same thing goes for the ones in Linux.

SecurityExpert

Anon

SP2 is good enough.

Yes, SP2's firewall is good enough on its own. Also keep in mind it does not carry with it the headaches that Zone Alarm has these days.

SirXILE
The SolWar 2-1
Premium Member
join:2001-02-24
Brooklyn, NY

SirXILE

Premium Member

Even..

I will still use ZAP in conjunction with the new SP2 Windows firewall on my soon to be 2nd PC. I won't install SP2 on my main computer though. SP1 & ZAP are there to stay on it.

anon0101
@tudor.com

anon0101

Anon

Re: Even..

I don't know what everyone's smoking but SP2's ICF DOES have outbound protection.....

It also 'learns' just like other firewalls, by popping up a message asking you to block or unblock programs that try to access the internet....it feels just like ZoneAlarm without the bloat.

I think everyone's confusing pre SP2's ICF with the new SP2 ICF....the old one wasn't enabled by default, and didn't really do much except for incoming rules which had to be manually set.
the_real_jay
join:2004-02-23
Kalamazoo, MI

the_real_jay

Member

What does Windows Firewall Do

Been here, done that on this discussion but here is a C&P from MS.

What does Windows Firewall do?

Windows Firewall (previously called Internet Connection Firewall or ICF) is a software-based, stateful filtering firewall for Microsoft Windows XP and Microsoft Windows Server™ 2003. Windows Firewall provides protection for computers that are connected to a network by preventing unsolicited inbound connections through TCP/IP version 4 (IPv4) and TCP/IP version 6 (IPv6).

Notice the word inbound and nothing about outbound.

Here is the full explanation so you can see I didn't snip it out of context: »www.microsoft.com/techne ··· 21120120

Some apps may connect via outbound port and request a connection back on another inbound port, causing Win Firewall to prompt for permission. I can't find the thread discussing this behavior but it seems to mislead some users.
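
The behaviour described in the Microsoft text quoted above, as an added example that is not part of the original thread and is not Windows Firewall code: a toy stateful, inbound-only filter that passes every outbound packet, admits replies to flows the host opened, drops unsolicited inbound packets, and prompts only when a program starts listening. The class, method names, program name, ports and addresses are assumptions constructed for illustration.

```python
# Toy model of a stateful, inbound-only host firewall (illustrative only;
# not Windows Firewall code). All addresses and ports are constructed samples.

class InboundOnlyFirewall:
    def __init__(self):
        self.flows = set()        # (local_port, remote_ip, remote_port) opened by us
        self.exceptions = set()   # local ports the user chose to unblock
        self.prompts = []         # programs that triggered a listen prompt

    def outbound(self, local_port, remote_ip, remote_port):
        """Outbound traffic is never filtered; it only creates state."""
        self.flows.add((local_port, remote_ip, remote_port))
        return "ALLOW"

    def listen(self, program, local_port, user_unblocks):
        """A program binding a listening port is what triggers the prompt."""
        self.prompts.append(program)
        if user_unblocks:
            self.exceptions.add(local_port)
        return "UNBLOCKED" if user_unblocks else "KEEP BLOCKING"

    def inbound(self, remote_ip, remote_port, local_port):
        """Admit replies to tracked flows and traffic to excepted ports."""
        if (local_port, remote_ip, remote_port) in self.flows:
            return "ALLOW (reply)"
        if local_port in self.exceptions:
            return "ALLOW (exception)"
        return "DROP (unsolicited)"


def demo():
    fw = InboundOnlyFirewall()
    results = []
    # A program phoning home: outbound, so it passes and no prompt appears.
    results.append(fw.outbound(1050, "203.0.113.9", 80))
    # The server's reply matches the tracked flow and is admitted.
    results.append(fw.inbound("203.0.113.9", 80, 1050))
    # An unsolicited packet to a port nobody unblocked is dropped.
    results.append(fw.inbound("198.51.100.7", 4444, 135))
    # A chat client opens a listening port: this is the prompt users saw.
    results.append(fw.listen("chat-client", 5190, user_unblocks=False))
    # "Keep blocking" affects only inbound traffic to that listening port.
    results.append(fw.inbound("198.51.100.7", 4444, 5190))
    # The same client can still connect out after the user chose to block it.
    results.append(fw.outbound(1051, "203.0.113.20", 5190))
    return results, fw.prompts


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

In this model the prompt and the outbound connection are unrelated events, which matches posters seeing a "blocking" notice while the program still reached the network.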
Slippery616
Premium Member
join:2004-03-28
Littleton, CO

Slippery616

Premium Member

What, no outbound protection?

Maybe they ditched the "outbound traffic" protection after the beta because Microsoft has more apps that call home than anyone.

a ship on the intene

Anon

am i protected enough?

I'm behind one, two, three firewalls.........do I really need another one? lol

Paul928
join:2000-05-06
Haverhill, MA

Paul928

Member

NO outgoing traffic protection

I was listening to Leo Laporte's radio show a few weeks ago, and one of his guests was Steve Gibson, of Shields Up fame.....Now according to Steve, the Windows XP firewall DOES NOT protect you from outgoing traffic....Just INBOUND! Unless the final version of Windows XP SP2 has changed since the beta version came out, then I'm still assuming that outgoing traffic is NOT protected.
Nutso
join:1999-12-09
Staten Island, NY

Nutso

Member

It doesn't

quote:
Since Internet Connection Firewall provides inbound protection only, if you have concerns about programs that “phone home” or send outbound data to an unknown destination over the Internet, you may want to consider a third–party firewall.
»www.microsoft.com/window ··· r12.mspx

google2
join:2004-02-04
South Beloit, IL

google2

Member

Hardware?

It seems there is a lot of discussion about the firewall compared to other software firewalls, but how about a hardware firewall? Would the ideal non-free, but 'inexpensive' solution be to disable the new SP2 firewall and use a hardware firewall (Linksys, Netgear, etc)? I know the reason a lot of people (including me, at the moment) use software firewalls, is they are either free or inexpensive after rebates (McAfee, Norton, etc), but I'm certainly looking into getting a good hardware firewall.

netddos
Life Goes On..
join:2001-08-28
Fullerton, CA

netddos

Member

Re: Hardware?

Hardware firewall that *works* = expensive

Cheap NAT home orientated firewall= inexpensive, worse than software firewall.

AthlGrond
Premium Member
join:2002-04-25
Aurora, CO

AthlGrond

Premium Member

Re: Hardware?

said by netddos:
Cheap NAT home orientated firewall= inexpensive, worse than software firewall.
A NAT router:
*it doesn't add to system instability
*it doesn't drain system resources
*it works during system startup
and
*it works if your system is hacked

The software firewall:

*it protects others if your system is hacked and the hacker can't figure out how to turn it off. (in other words it protects others from some viruses that you might contract)

Call me selfish, but I'd rather have the thing that protects me.

Tabula Rasa
join:2004-03-30
Gatineau, QC

Tabula Rasa

Member

Heh

I don't have to worry, I don't use any apps that 'phone-home' unwarranted. I'm guessing the warning that pops up just allows you to block it, right? I noticed a media player of mine that popped that warning and it was buffering before I clicked allow.
SwampKracker
join:2004-06-08
Victor, NY

SwampKracker

Member

Considering the history of Microsoft....

Only if you want a lesser firewall than offered by 3rd parties.

It's always better to stick with a company that specializes in a particular technology than one who offers everything including the kitchen sink.

Da22in
Buck Fush
join:2002-06-10
Charlotte, NC

Da22in

Member

disabled....

I won't even have ICF enabled...well once I go through Services after SP2 install to see what it did to me, ICF will be disabled, along with that annoying Security Center. ZA Pro 4.5 does everything I need it to do already.

On the other hand, for the general public this whole thing is a good idea. A step in the right direction, if you will. I hope they'll address ActiveX and IE soon, and with the same effort.

Will SP2 CDs still be strewn everywhere to pick up for FREE in the near future? I'd pick up some extras for some people you may know....you know the ones.