Time: 00:01 EST/05:01 GMT | News Source: ActiveWin.com | Posted By: Robert Stein
Ben has just posted his preview of Windows XP Service Pack 2 Beta. Here is an excerpt:
Windows Firewall now has the ability to monitor outgoing connections as well as incoming, which was a big feature missing from the previous version. You can enable network access per app, per port, and can even restrict applications to responding only to communication requests from the local subnet.
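The three rule types the excerpt names (per program, per port or port range, and the local-subnet restriction) modelled as a small inbound policy evaluator. This is an added illustration, not code from the preview, from ActiveWin, or from Windows Firewall itself; the subnet, the program names and the port range are assumed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed home LAN. The preview's "local subnet" scope is relative to the
# adapter's own subnet; this model pins it to one constructed network.
LOCAL_SUBNET = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Rule:
    """One inbound exception of the kinds the preview lists: a program
    (reachable on any port), a single port or a port range, optionally
    limited to peers on the local subnet. Anything unmatched is dropped."""
    name: str
    program: Optional[str] = None   # process image name, e.g. "chat.exe"
    ports: Optional[range] = None   # destination ports opened to peers
    local_subnet_only: bool = False


@dataclass(frozen=True)
class Inbound:
    src: str        # peer address that initiated the connection
    dst_port: int   # local port the peer is connecting to
    program: str    # local process that owns the listening socket


def matches(rule: Rule, conn: Inbound) -> bool:
    """True if this rule admits the connection."""
    if rule.local_subnet_only and ipaddress.ip_address(conn.src) not in LOCAL_SUBNET:
        return False
    if rule.program is not None:
        # A program exception is port-agnostic: the process is reachable on
        # whatever it listens on, so the rule is as broad as the program is.
        return rule.program == conn.program
    if rule.ports is not None:
        return conn.dst_port in rule.ports
    return False


def decide(policy: List[Rule], conn: Inbound) -> str:
    """First matching allow rule wins; the default is drop."""
    for rule in policy:
        if matches(rule, conn):
            return f"allow: {rule.name}"
    return "drop"


# Constructed sample policy (hypothetical names and ports, not a real export).
POLICY = [
    Rule("File sharing, LAN only", ports=range(445, 446), local_subnet_only=True),
    Rule("Game ports (101-port range), LAN only", ports=range(2300, 2401), local_subnet_only=True),
    Rule("Chat client, any address", program="chat.exe"),
]

if __name__ == "__main__":
    for conn in (
        Inbound("192.168.1.20", 2350, "game.exe"),  # LAN peer joining a game
        Inbound("203.0.113.9", 2350, "game.exe"),   # same port, from the Internet
        Inbound("203.0.113.9", 6000, "chat.exe"),   # any port, via the program rule
        Inbound("192.168.1.20", 6000, "game.exe"),  # nothing matches
    ):
        print(conn, "->", decide(POLICY, conn))
```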

#1 By 12071 (203.185.215.149) at 2/29/2004 11:51:38 PM
This looks good. Quick question - can you specify port ranges for the firewall? From the dialog box it looks as if it only accepts single ports.
Also why doesn't the ICF dialog box have "Allow" & "Disallow" type buttons as opposed to "Configure..." & "Close"? Do we really need to make it different? How is that intuitive?
Can you have different rule sets for different adapters? Or do you have to have the same ports open for all your adapters?
And how come the reviewer doesn't have a bluetooth adapter? They're not exactly expensive!
And why is "The Bad Point" - Price?
This post was edited by chris_kabuki on Monday, March 01, 2004 at 00:04.

#2 By 2 (24.239.196.15) at 3/1/2004 12:15:18 AM
Chris, fixed the last point. That was my fault.

#3 By 12071 (203.185.215.149) at 3/1/2004 12:24:36 AM
Not a problem, I thought it might have been a typo given that everywhere else on that page the price was specified as 'n/a' - just wanted to double check given the rumors of XP SE which will need to be bought - especially as they are putting in an updated firewall, popup blocker, component manager etc etc into this service pack.

#4 By 61 (24.92.223.138) at 3/1/2004 1:00:34 AM
I can't even find a place to enter in a port range in W2k3's basic firewall... it's quite irritating

#5 By 12071 (203.217.64.40) at 3/1/2004 3:12:28 AM
#4 I honestly hope that's not the case - you should be able to put in port ranges! But I have to say that since w2k3 is supposed to be a server, in one way it could be argued that this was done as a security measure - so that pencil admins (read MCSE's) don't open up huge holes in the server. But in this case, this is a firewall for users and it really does need the ability to enter in port ranges. I would not rate it above any other firewall if it can't handle port ranges!
#5 "Ports ranges? What would be an example of a port range useful for a home or business user?"
P2P Applications such as BitTorrent, eMule, eDonkey etc.
Games such as Unreal Tournament and fairly much every multiplayer game that uses the default DirectX ports.
Other applications such as mIRC DCC, ICQ etc.
Game Applications such as GameSpy.
There are probably more examples of users requiring port ranges than there are of businesses/servers requiring port ranges to be open! Note that this is by no means an exhaustive list, these are just applications that I could easily name off the top of my head, there would be plenty more!
So I really hope that you can put in port ranges otherwise that firewall is going to be a pain in the arse for a lot of people!
Edit: Here's a link to the DirectX ports page as an example:
http://support.microsoft.com/default.aspx?scid=kb;en-us;q240429
You require a port range of 100 ports to be open. Are you going to ask users to set up 100 individual rules so that they can play Midtown Madness 2 for example without having to worry!
This post was edited by chris_kabuki on Monday, March 01, 2004 at 03:19.

#6 By 233 (81.49.20.132) at 3/1/2004 3:34:13 AM
Hi there,
Great preview. The reviewer says Bluetooth is supported natively. That's great news but what type of adapters (only MS ones?) will be supported and what will be the form of the BT stack? I mean will it be the same support as offered with the MS Bluetooth hardware where it supports only a few BT profiles or will the support be more comprehensive with support for phones, printers, PDA, etc?

#7 By 233 (81.49.20.132) at 3/1/2004 4:10:11 AM
Hey Ben,
Thanks for your answer. I think I'll go straight away to betaplace to download my SP2 copy and check out how Bluetooth support performs. But if it does support Virtual COM Ports then it's almost wonderful, since the previous KB didn't handle that... Too bad though there doesn't seem to be any form of audio support... Maybe in SP 3 ;)

#8 By 233 (81.49.20.132) at 3/1/2004 4:20:57 AM
Another thing, I read somewhere else OE was supposed to feature a block mail function à la Outlook 2003. Do you confirm?

#9 By 12071 (203.217.64.40) at 3/1/2004 6:44:47 AM
#7 "You don't specify port ranges and I would say doing so would be dangerous."
I agree with you to a point, and definitely agree when it comes to securing a server on the internet.
"By opening a range you are significantly increasing the attack surface that people can hurt you."
Maybe, maybe not, read on.
"When you close your game or other application your ports are still open needlessly."
But if there's nothing listening on those ports then nothing can be attacked by evil hackers right?
"What you can do however is enable or disable access based on programs. So I can say for instance allow mIRC access to the whole internet."
See this is where I have an issue with these types of firewalls. Not because the firewall is in any way the problem but because the interfaces shown to the user encourage them, in a way, to give full access to applications. For example, everyone is going to allow IE full access to the internet, meaning that an "evil hacker" (as you like to call them - maybe you should call them crackers) can now write an exploit that uses IE and it will have full access to the internet. This is easily as dangerous (if not more so) than opening a range of ports up - especially if there is nothing listening in on those ports except for when they are being used. There was an exploit which did exactly this a while back to show just how completely ineffective ZoneAlarm was. Obviously it wasn't ZoneAlarm's fault per se, but given that all the users automatically gave IE full access, the firewall was completely useless. What was the point of all of that babbling? The point was that port ranges aren't dangerous per se, they are only dangerous if you encourage users to start opening huge holes all over the place, just like encouraging users to give full access to applications is dangerous.
"So I can say for instance allow mIRC access to the whole internet. Then that program will be able to communicate normally. Thats what the little popup dialog box is asking you."
To be completely pedantic with you, which I do like being, the little dialog box is not asking me whether I want it to communicate normally or not, because then the obvious buttons on there would be "Allow" and "Disallow" as per probably every other single firewall on the market! It's asking whether you want to "Configure..." or "Cancel". That was my point about it being completely unintuitive.
#8 No problem, I have a D-Link bluetooth adapter for my Nokia mobile, which is why I asked.

#10 By 7826 (137.69.77.125) at 3/1/2004 3:50:11 PM
"SP2 is great, just don't install it yet if you have an epson printer as a network printer, the spool service takes up all your cpu time and as much memory as it can grab! "
That's a common problem with the Epson printer driver (or its own printer spooler, to be specific) when you set it up as a network printer. Not specific to XP or any other OSes. The first thing you should do is disable EPSON's own spooler and use the default Windows spooler.

#11 By 7826 (137.69.77.125) at 3/1/2004 4:01:32 PM
The other thing I'm really excited about in SP2 is "Execution Protection". That's the major reason I'm seriously looking into an AMD A64 system right now. I'll sleep better knowing that my PC is no longer at risk from buffer overrun attacks (which you can never 100% get rid of) :)
As for simultaneous sessions, it's nice to have it but that's nothing new. Windows 2003 Server or 2000 Server offers better remote desktop support that allows 3 simultaneous sessions.

#12 By 12071 (203.185.215.149) at 3/1/2004 6:26:23 PM
#16 What are you talking about now? I know that it DOES allow you to open ALL the ports for a single program. I'm saying that if your stance is that opening up "port ranges" is a dangerous thing to do from a security point of view, then you should have that same stance when the dialog box encourages users to open up ALL the ports for a single application. The example I used for this was IE, although any program that you get a dialog box for and then immediately add to the exclusions list will do. An exploit just has to use that application to which you have given access and your firewall has been beaten.
As a result, my point was that port ranges per se are not dangerous, encouraging users to open up huge port ranges on their firewall is however. You weren't even aware of the sheer number of applications which require port ranges to operate correctly, meaning that as soon as you run this firewall, like the reviewer, I'm guessing you would have given every single one of those applications full access (i.e. you would have opened a giant hole in the firewall for each of those applications).
"And for corporations who really don't care if you want to play games or not. Or do P2P filesharing."
I thought we were talking about home users? But that's fine, as an example many corporations use MSN messenger or some alternative of it (for instance many financial institutions use Reuter's Messenger which is a rebranded and secure version of MSN Messenger). MSN Messenger requires ports to be open for file sending, voice chat etc.
#17 I'm pedantic on details, not spelling =)

#13 By 12071 (203.185.215.149) at 3/1/2004 9:33:11 PM
#22 "If Microsoft adds in port ranges to the final product, how many users are going to type in 7777-27900"
As many, if not a lot less than the amount of users who will give Unreal Tournament full access to the internet using the current method! For the ports you specified, using port ranges means you can do it in 3 rules. Without port ranges you are either going to give the whole application full access or you're going to have to create 9 rules. For DirectX games you will only need 101 rules unless of course you think giving the whole game full unsecured access to the internet is a more secure alternative!
"As for Messenger in corporations, the nice thing is that the list of open ports is configurable as part of group policy."
Messenger was an example, there's lots of applications that use port ranges that you were not aware of!
Anyways, it would be great to have port ranges and to be able to apply different rule sets to different adapters rather than trying a one size fits all policy. Check out Sygate's Personal Firewall if you want better control.

#14 By 2332 (65.221.182.2) at 3/2/2004 2:00:14 AM
The preview is incorrect about the firewall being able to block outgoing connections. It is still only able to handle incoming connection restrictions.
More information can be found here:
http://msdn.microsoft.com/security/productinfo/XPSP2/networkprotection/firewall_devimp.aspx
I have manually confirmed this in VMWare.
Personally, I don't think this is a bad thing. ZoneAlarm (and like products) confuse the hell out of most people by popping up dialogs anytime they try to do anything on the web. And the fact of the matter is, if a bad program is on your computer, it will be able to get around the firewall from the inside out, so it really doesn't offer as much added protection as one might think.
This post was edited by RMD on Tuesday, March 02, 2004 at 02:02.

#15 By 5444 (64.185.17.248) at 3/3/2004 12:16:48 AM
rmd,
But in a home network where I have finally taught my wife and daughter not to automatically allow it, it has been a GODSEND with outgoing packets.
I personally believe that a good firewall that can't prevent 2 way traffic (iow outgoing traffic must have permission to go out as well as incoming traffic).
There is a program, and I have to find it again. http://www.a-2.org/en/ that I believe that the platform should support at the lowest levels.
If I have it determined or if a warning comes out that states a name of a trojan and or platform is damaging it should be just as easy to put that name as a blocked program as putting a web site in IE is now. The program should just be put on there as one of the programs that can't just run. The firewall should have that ability also but that is beside the point ;)
el

#16 By 2332 (65.221.182.2) at 3/3/2004 12:30:25 AM
#26 - It really doesn't matter how low level the firewall is. If a program is running on the computer, it will be able to form outgoing connections. Period. Products like ZoneAlarm and Norton Internet Security give the false impression of safety, and that's about it.
I have written proof of concept applications (in VB no less!) that are able to make outgoing connections at will even with ZoneAlarm and Norton running. I can't really give out the details, but trust me, any good programmer who thinks about it for a little while will figure it out.
It is simply not possible to prevent this from happening in an unmanaged (aka non-.NET) environment. With .NET you can restrict the very APIs and components the application has access to, thereby preventing this kind of thing from happening.
In other words, an outgoing filter only serves to bug the user. We have to wait until Longhorn before that changes.

#17 By 12071 (203.185.215.149) at 3/3/2004 1:01:39 AM
#25/#27 Thanks for the link RMD. That just makes this firewall even more useless! I'm not going to bother pointing out why blocking outgoing connections is important, you'll still stand by Microsoft's decision no matter what... until they decide to include outgoing connection blocking when you will come in and herald it a fantastic "feature" or "innovation" or god knows what else. The point is that ANY half decent firewall, that dares to call itself a firewall, has the ability to block incoming and outgoing connections.
Can you defeat this protection? Yes, in the past there have been a few bugs found in nearly all firewalls that defeated either their incoming or outgoing scanning! That's not to say that scanning outgoing connections is pointless - surely the number of Windows trojans etc that have appeared in the last 2 years alone show that there is a need to block outgoing connections!
"I have written proof of concept applications (in VB no less!) that are able to make outgoing connections at will even with ZoneAlarm and Norton running. I can't really give out the details, but trust me..."
Have you beaten any other firewalls with your NanoProbes(c) Steve Gibson? ZoneAlarm is a joke!

#18 By 2332 (65.221.182.2) at 3/3/2004 9:01:45 AM
#28 - "Thanks for the link RMD. That just makes this firewall even more useless!"
You're kidding, right?
"I'm not going to bother pointing out why blocking outgoing connections is important"
Good. Save me both some reading and annoyance. It is obvious why blocking outgoing connections is important. What is also obvious is that you cannot do it with a software firewall running on the source machine.
"you'll still stand by Microsoft's decision no matter what"
Huh? This has nothing to do with Microsoft's decision. If you understood how software firewalls worked in the background, you would realize that it is simply impossible to use them to block outgoing connections on the source machine.
"Have you beaten any other firewalls with your NanoProbes(c) Steve Gibson? ZoneAlarm is a joke!"
There is no code in my proof of concept apps that is specific to ZoneAlarm. The two I've tested are Norton's Internet Security and ZoneAlarm. Feel free to post links to more that I should test. I'm confident that none of them will block my app.
I don't get past the firewalls because of bugs. I get past them because in an unmanaged environment it is IMPOSSIBLE TO RELIABLY BLOCK OUTGOING CONNECTIONS USING A SOFTWARE FIREWALL ON THE SOURCE MACHINE.
Well, I take that back. You can block them. But you have to block ALL OF THEM. Don't need a firewall for this. Just unplug your ethernet cable.
Perhaps you should educate yourself on firewalls before you make yourself look even more silly.