Firewalls and Antivirus questions

Greg Bockelman

Is Windows Firewall any good? When I got my new laptop, they put Trend Micro Antivirus on it and enabled Windows Firewall. So far as I know, that isn't a bad thing, but what is the opinion of you experts out there?

And as far as Antivirus goes, is the antivirus that AOL has as part of 9.0 any good? I think it is McAfee based but I am not sure. Also, how well do two different antivirus programs work together? Can I run them independently at the same time?

My Norton subscription has run out and I don't want to renew with Norton. It seems to do nasty things to the operating system that I just want to avoid. If AOL's is any good, I would like to do that, but I just don't know enough about it to make an informed decision.
 
mikea said:
Kerio firewall and Zonealarm are better, but the Windows firewall is better than none. Kerio is only $14.95 http://www.sunbelt-software.com/Kerio.cfm

Forget Norton or AOL: http://www.avast.com

My company is currently using Trend Micro and AFaIK it's OK. I used to have ZoneAlarm on my laptop but I got tired of it screwing things up with my email and VPN so I quit and now just use the Windows firewall. According to PC magazine it's not bad.
 
You are good to go.

The windows firewall is plenty. IMHO it's probably better than Zone Alarm..Problem with Zone Alarm or Norton Internet Security is the average user does not understand what the program is telling them..So they just accept anything.

Really the most important thing that the firewall is going to do for you is block some of the ports for windows services that do not need outside network access (having it enabled would have prevented the famous MS Blaster virus) for example.

Honestly Antivirus doesn't even do much for you these days. It might stop the rare e-mail worm. But you are still hosed when it comes to spyware.

Do the following:

1.) Enable Windows Firewall
2.) Stay up to date on Windows Updates
3.) Do NOT use Internet Explorer..Use Firefox.

...If you are worried about picking up a virus from an e-mail or IM client...Install some sort of anti-virus. Trend Micro will do the job.
 
jangell said:
Honestly Antivirus doesn't even do much for you these days. It might stop the rare e-mail worm. But you are still hosed when it comes to spyware.
I'm sorry, this is absolutely false.

Viruses continue to be a prevalent problem within corporate networks. They don't just come in via email (although the virus software which "doesn't do much for you" does tend to catch and toss most of those cases before they get a chance to infiltrate the network), they come in via websites, users downloading crap they shouldn't, users bringing in disks they shouldn't, users taking their laptops home and using them for personal stuff, and the list goes on.

Get anti-spyware software without anti-virus software and you're begging to have a crippled machine.

Effective computer security means layered security. Firewalls, antivirus, anti-spyware as proactive protections, plus regular manual scans (or automatic if the software supports it) as reactive protections.

The software designed to damage your computer doesn't quit trying, it doesn't get bored or impatient, and it doesn't "go away". As long as human beings take a lax attitude towards proper security, the risk of infection remains as high as ever.
 
I keep my windows firewall disabled and use my router as my primary means of keeping people out and use AVG as my anti-virus.

Personally I think education is the best resource out there. Instead of trying to throw software at users to protect them from themselves, why not educate some as to what to look for when it comes to getting a virus or how to keep windows from loading up 500 different services accessible through the network.
 
Personally I think education is the best resource out there. Instead of trying to throw software at users to protect them from themselves, why not educate some as to what to look for when it comes to getting a virus or how to keep windows from loading up 500 different services accessible through the network.
It is, but you know, I see it about every week - no matter how many times we tell people about what is and isn't safe and how to avoid infecting their machines, someone ALWAYS has to dbl click the anna_korva.exe file they got in their email...

Some people just don't listen.
 
Greebo said:
It is, but you know, I see it about every week - no matter how many times we tell people about what is and isn't safe and how to avoid infecting their machines, someone ALWAYS has to dbl click the anna_korva.exe file they got in their email...

Some people just don't listen.

*as he looks through the multiple IT repair requests made today*

Point well taken.
 
OK, I am asking for it by asking this, but what is the best way to most thoroughly protect my computer. Name names and all that stuff.

I realize that if I get ten replies I will get ten opinions, but I hope there is some commonality in the replies.
 
I'll leave most brands out of it, but I recommend:
Hardware firewall (a broadband router will do the trick) to put your computer behind NAT aliasing (keeps you invisible on the net)
Software firewall (redundancy ain't bad)
Good Antivirus software, pick your fav, there's several good ones
and for anti-spyware Microsoft Antispyware, Spybot S&D, and AdAware are my preferred tools.
 
Greebo said:
I'll leave most brands out of it, but I recommend:
Hardware firewall (a broadband router will do the trick) to put your computer behind NAT aliasing (keeps you invisible on the net)
Software firewall (redundancy ain't bad)
Good Antivirus software, pick your fav, there's several good ones
and for anti-spyware Microsoft Antispyware, Spybot S&D, and AdAware are my preferred tools.
The really nice thing about Chuck's suggestion is almost all of that is free (or you already have it)... the router is about the only thing you'll need to buy, and most people already have one because of broadband and multiple computers in the home :)

Contrary to popular belief, just because something cost money vs. being free, doesn't necessarily mean it's going to do a better job. In other words, home users don't need to go out and buy 300$ worth of security software because it will more than likely be about the same protection as the free software such as Spybot, Adaware, AVG Antivirus, etc.
 
Antivirus is more or less a:
"Protect a stupid user from doing something stupid" solution. It's not going to protect you from anything that a little bit of thinking would have prevented.

If another virus sweeps the internet that takes advantage of a major windows flaw..Your antivirus isn't going to help.

Best bet:

1.) Buy a router

2.) Turn on Windows Firewall

3.) Use Firefox.

Those three things the majority of us would agree on and will help you the most.
 
Greebo said:
I'll leave most brands out of it,

Aw, shucks, Chuck!

but I recommend:
Hardware firewall (a broadband router will do the trick) to put your computer behind NAT aliasing (keeps you invisible on the net)

I have a Linksys Wireless-B broadband router. Do I need to do anything to configure it for max protection?

Software firewall (redundancy ain't bad)

I am using Windows Firewall.

Good Antivirus software, pick your fav, there's several good ones

OK, I seem to be covered there.

and for anti-spyware Microsoft Antispyware, Spybot S&D, and AdAware are my preferred tools.

All of them? I had a problem with my computer once. Can't remember the problem, but the tech rep (a US based one that English was her first language for a change) She said that the probable root of my problem was the freeware Spybot. Or it might have been the AdAware because I use both of them.

Opinions?

wbarnhill said:
Contrary to popular belief, just because something cost money vs. being free, doesn't necessarily mean it's going to do a better job. In other words, home users don't need to go out and buy 300$ worth of security software because it will more than likely be about the same protection as the free software such as Spybot, Adaware, AVG Antivirus, etc.

See above.

BTW, thanks for the info, guys. Keep it coming.
 
jangell said:
Antivirus is more or less a:
"Protect a stupid user from doing something stupid" solution. It's not going to protect you from anything that a little bit of thinking would have prevented.
True to a degree, but more false than true. True, it helps protect stupid users from their own mistakes. However, it also protects YOU from stupid users and their mistakes. If you send and receive files daily from multiple sources, anti-vi can save your bacon 10 times over.

If another virus sweeps the internet that takes advantage of a major windows flaw..Your antivirus isn't going to help.
You seem to be assuming that viruses only attack windows. Windows happens to be the most popular target, granted, but it's hardly the only one. One of the trojans I read about was specifically designed to target online-gamers by capturing keypresses when gamers logged in and sending them off to the hackers who then hijacked the accounts.
 
Greg Bockelman said:
Aw, shucks, Chuck!



I have a Linksys Wireless-B broadband router. Do I need to do anything to configure it for max protection?

Make sure you have WEP turned on, and disable SSID broadcast. Also make sure to change the default administrator password.....

All of them? I had a problem with my computer once. Can't remember the problem, but the tech rep (a US based one that English was her first language for a change) She said that the probable root of my problem was the freeware Spybot. Or it might have been the AdAware because I use both of them.

I've never had any problem with Spybot or AdAware.
 
Greg Bockelman said:
I have a Linksys Wireless-B broadband router. Do I need to do anything to configure it for max protection?
Turn off SPID broadcasting, set a 128 bit WEP encryption key, and manually configure your wireless devices to use that spid and key.

That's more on the wireless side, but as a firewall, IIRC by default, it will bounce out EVERYTHING that didn't originate from within your network.

All of them? I had a problem with my computer once. Can't remember the problem, but the tech rep (a US based one that English was her first language for a change) She said that the probable root of my problem was the freeware Spybot. Or it might have been the AdAware because I use both of them.
I respectfully disagree emphatically with the tech rep.
 
wsuffa said:
Make sure you have WEP turned on, and disable SSID broadcast. Also make sure to change the default administrator password.....
Great minds...hehe

tho I forgot about the admin pw, but he's right. While someone outside the network (ie coming in from the net) can't access the admin functions, someone tapping into your wireless network can.
 
Greebo said:
True to a degree, but more false than true. True, it helps protect stupid users from their own mistakes. However, it also protects YOU from stupid users and their mistakes. If you send and receive files daily from multiple sources, anti-vi can save your bacon 10 times over.

Let's see.. Someone just e-mailed me this thing called:
"coolpicture.reg" I better open it!
"coolpicture.bat" Wow this looks great!
"coolpicture.vbs" *OPEN*
"coolpicture.exe" *CLIICK*
"coolpicture.msi" **CLIIICK*
(these are extensions I spewed out off the top of my head)

If I received a virus via e-mail it was my stupid mistake that did it. In order for it to be dangerous it must be a binary. (or a file designed to crash the binary that opens it via something like a buffer under run and execute arbitrary code after that)..But once again Antivirus wouldn't catch that.

Maybe if my job involved me receiving binaries from untrusted sources all day long..I'd probably be running the antivirus...Right now though it does not..If someone sends me a binary I either know exactly what it is and it came from a competent person..or I don't click on it to see the "cool picture"
 
jangell said:
Honestly Antivirus doesn't even do much for you these days. It might stop the rare e-mail worm. But you are still hosed when it comes to spyware.
By your own statements, Anti-virus DOES do a lot to protect the average user from their own ignorance.

But at least now we have gotten to the crux of the matter - Antivirus , in your opinion, doesn't do much "FOR YOU". Just because you think it's not very useful for you doesn't mean it isn't a useful tool. (And frankly, I think you're very wrong on that score)

Most users do not know enough about their own computers to know how to enable the displaying of file extensions. Personally, I don't understand the decision from Microsoft to hide extensions - if the user is told time and time again not to click exe files, and they can't see that it's an exe file, well golly gee, it must be ok. Not hard to make an exe file look like a jpg file when they can't see extensions.

Even well educated users can not know everything about their computers. Hell, the geniuses at Microsoft are no longer expected to know everything about every microsoft product - the scope is just too vast. I've got more years of general computer experience than you have of breathing, and more years of programming as a professional than you have of having double digits in your age (which does nothing but make me feel old, mind you) and *I* know I don't know nearly enough to trust my own skills to keep my computer safe all the time.

Beyond that, there are innumerable other situations where some form of anti-virus protection is very important. Various servers (email, ftp, file, http) rely on AV to keep themselves clean. Excluding email, these are servers that, by definition, must accept delivery of just about every file type.
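
The hidden-extension problem raised in the post above, as an added example that is not part of any poster's message: a mail-gateway style check that works on the real final extension instead of the name a user sees. The function names, the decoy list and the sample attachment names are assumptions made for illustration; the first five risky extensions are the ones listed earlier in the thread.

```python
import ntpath

# Extensions that run code or change the registry on double-click.
# reg/bat/vbs/exe/msi come from the thread; the rest are an assumed,
# non-exhaustive addition.
RISKY_EXTENSIONS = {"reg", "bat", "vbs", "exe", "msi", "com", "scr", "pif", "cmd"}
# Harmless-looking extensions commonly expected on a picture or document.
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf"}


def _split(filename):
    # Windows ignores trailing dots and spaces when it opens a file,
    # so normalise them away before looking for the extension.
    name = ntpath.basename(filename).rstrip(". ")
    stem, dot, ext = name.rpartition(".")
    if dot and stem:
        return stem, ext.lower()
    return name, ""


def effective_extension(filename):
    """The extension Windows acts on: the last one, lower-cased."""
    return _split(filename)[1]


def displayed_name(filename):
    """What the user sees when extensions are hidden (assumes the type is registered)."""
    return _split(filename)[0]


def attachment_findings(filename):
    """Return a list of reasons to quarantine this attachment (empty list = none)."""
    findings = []
    if effective_extension(filename) not in RISKY_EXTENSIONS:
        return findings
    findings.append("risky-extension")
    # If the visible part itself ends in a harmless extension, the file
    # presents as a picture or document while being executable.
    if effective_extension(displayed_name(filename)) in DECOY_EXTENSIONS:
        findings.append("double-extension")
    return findings


def triage(filenames):
    """Map each flagged attachment name to its findings."""
    flagged = {}
    for name in filenames:
        findings = attachment_findings(name)
        if findings:
            flagged[name] = findings
    return flagged


# Constructed sample of attachment names, not taken from real mail.
SAMPLE_ATTACHMENTS = [
    "coolpicture.reg",
    "coolpicture.jpg.exe",
    "coolpicture.VBS",
    "holiday.jpg",
    "minutes.doc",
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name!r} shown as {displayed_name(name)!r}: {', '.join(findings)}")
```
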
 
What Chuck said....based on 20 years of experience with some of the first and most recent viruses around, as well as the most ignorant and most experienced users. It just doesn't matter if there is no thought behind the click.

AV is like insurance. I'm a great driver with no accidents in 22 years of driving...but that doesn't do me any good if someone t-bones me at an intersection. I haven't needed insurance for 22 years but I'll need it then...and I'd rather have it and not need it than NOT have it until it's too late.
 
I think a key thing to remember about email is that it is a very UNSECURE method of communication. So be extremely wary of attachments as well as any emails from companies that claim to know you (PayPal, eBay, your bank, etc.) Unless they specifically use your name, there's a high chance it's a fake.

Vigilance is an important method of securing your system, so like I said, education can go a long way, but as Chuck and Brian have pointed out, the other stuff can provide a backup in case the primary defense fails (wow that was a lot of commas...)
 
jangell said:
You are good to go.

The windows firewall is plenty. IMHO it's probably better than Zone Alarm..Problem with Zone Alarm or Norton Internet Security is the average user does not understand what the program is telling them..So they just accept anything.
True, but Windows Firewall doesn't filter outgoing requests AT ALL.
Although it is true that with Kerio or Zonealarm you might get sick of it asking if it's OK for "wga.exe" to send, it does only ask you once, and there's a chance that you have enough sense to know that there should be no reason for "w1ndowsxps3ver.exe" to even be on your PC, much less trying to call out. That would be your first warning of malware.
...
jangell said:
1.) Enable Windows Firewall
2.) Stay up to date on Windows Updates
3.) Do NOT use Internet Explorer..Use Firefox.

...If you are worried about picking up a virus from an e-mail or IM client...Install some sort of anti-virus. Trend Micro will do the job.

Absolutely do not use Internet Explorer. I will no longer allow Windows Update to auto-install since WGA hosed my laptop. If you read the current EULA for Windows Media player you may note that you have to agree that Microsoft is allowed to disable anything they choose and DELETE FILES for any reason. To quote from a stolen sig: Bill thinks it's "My Computer," which explains a few things. I'm pretty sure I own it.
 
Greg Bockelman said:
Is Windows Firewall any good?

Yes, it's good, it's free, and it's supported by Microsoft. I run it on all 2,500 of my company's PCs.

Also, McAfee is superior to and less invasive than Norton. Again, I have 2,500 examples of this.

Greg
182RG
 
ggroves said:
Yes, it's good, it's free, and it's supported by Microsoft. I run it on all 2,500 of my company's PCs.

Also, McAfee is superior to and less invasive than Norton. Again, I have 2,500 examples of this.

Greg
182RG

I'm assuming if you have 2500 PC's on a network (or multiple networks), that you probably have plenty of hardware firewalls that essentially make the use of Windows firewall null and void.

At my company, we don't have quite 2500 PC's, but we have several hundred and I turn off the windows firewall because it gets annoying and bothersome for some internal networking that we do. The hardware firewalls block anything and everything that could possibly cause any harm, though.

No software firewall compares to hardware firewalls. Many of the software firewalls get annoying with their "security breach" messages every time a standard ping, keep-alive packet or other necessary net traffic that isn't malicious comes through. People think they are being hacked when they really aren't. I used to get so many calls from people who ran Zonealarm saying they were being hacked and it was the end of the world when it was simply their ISP sending a ping to make sure the connection was still active.
 
LeonardMack said:
I'm assuming if you have 2500 PC's on a network (or multiple networks), that you probably have plenty of hardware firewalls that essentially make the use of Windows firewall null and void.

Until I walk in and plug into your network. I used to do this all the time with penetration/security testing for companies and schools. Great perimeter security but bluffing my way past the receptionist and finding a quiet office for a few minutes made the perimeter something I didn't even bother worrying about.

It's not incredibly effective (no stateful packet inspection, attack sigs, etc.) but it's better than nothing.
 
Brian Austin said:
Until I walk in and plug into your network. I used to do this all the time with penetration/security testing for companies and schools. Great perimeter security but bluffing my way past the receptionist and finding a quiet office for a few minutes made the perimeter something I didn't even bother worrying about.

You don't get any network access without authenticating in my network and I will get notice as soon as someone plugs something into one of our ports that isn't authorized (i.e. rogue access points or someone comes in with a laptop)
 
LeonardMack said:
You don't get any network access without authenticating in my network and I will get notice as soon as someone plugs something into one of our ports that isn't authorized (i.e. rogue access points or someone comes in with a laptop)
You have MAC-based authentication in a 2500 PC network? Or you're using 802.1x authentication with VLAN shifting or policy management? (FYI, I can bypass that, too, with the right stuff and a little more time)
 
Greg Bockelman said:
So what is a hardware firewall?

For your home connection, the cable modem routers you get from D-link or linksys or other brands double as a firewall. It basically blocks any traffic from coming into your network without you physically specifying where it should go. If you don't specify, then it is blocked. It is the best protection against outside hackers entering your network. It blocks it right after the cable modem, rather than software firewalls, that wait for it to get to your individual machine.
 
Brian Austin said:
You have MAC-based authentication in a 2500 PC network? Or you're using 802.1x authentication with VLAN shifting or policy management? (FYI, I can bypass that, too, with the right stuff and a little more time)

I don't have a 2500 pc network, that was someone else.

But anything is hackable! Even if you have the windows firewall running! lol. Give anyone enough time and resources and they can get around any sort of protection. It would be pretty far fetched you would make it into my building without a card key, find an open office with network connectivity and have enough time to hack everything. If you made it as far as into an office, we have other security problems! You might as well walk into the data center too!

This discussion kind of got off topic though. It started out talking about a home network and what is the best firewall. Obviously a hardware firewall that you can get for under $50 is the best solution and you can use that along with or without the windows built in firewall if you are running a windows machine. I was merely stating that the windows firewall doesn't do a whole lot for that home user if they set up the hardware firewall also. I prefer to use less systems resources for a useless firewall, and let the hardware one do the work.
 
what is a hardware firewall

To better answer the question of what is a hardware firewall, we should look at the two terms.

A firewall is essentially a solution to enforce security policy.

A software firewall means that it is a program running on a PC, that is either meant to protect specifically that PC, or that PC is a gateway to the internet (so all traffic has to pass through the PC and is thus subject to the policies).

A hardware firewall means that there is a physical device which performs the policy enforcement, and in the home scenario will generally be shared with the routing capability.

The primary difference is that the hardware device can be dedicated to handling traffic, meaning less strain on your CPU and network since it is dealt with at the gateway to your network instead of all traffic being passed to a PC which then decides whether or not to accept it.
 
LeonardMack said:
I prefer to use less systems resources for a useless firewall, and let the hardware one do the work.

Same here. On my home PC I leave windows firewall off. For my laptop, I leave it on, mainly because though I know my home network is protected by the router, my laptop ends up on who knows how many networks, and thus I'd like an extra layer of protection in case the network I'm on isn't as secure as I'd like it to be.
 
Brian Austin said:
Until I walk in and plug into your network. I used to do this all the time with penetration/security testing for companies and schools. Great perimeter security but bluffing my way past the receptionist and finding a quiet office for a few minutes made the perimeter something I didn't even bother worrying about.

It's not incredibly effective (no stateful packet inspection, attack sigs, etc.) but it's better than nothing.
Of course, a quick diabolical way to upset a network administrator who enjoys using the spanning-tree portfast option is to purchase a little 10$ switch and plug a cat5 cable into two ports, then plug the switch into the wall jack. :D
 
So my linksys router is a hardware firewall. As long as I do the SSID and change passwords and all the other stuff associated with it, I am good to go with that. Does that mean I don't have to or shouldn't bother with a software firewall such as Norton or Windows?
 
wbarnhill said:
Of course, a quick diabolical way to upset a network administrator who enjoys using the spanning-tree portfast option is to purchase a little 10$ switch and plug a cat5 cable into two ports, then plug the switch into the wall jack. :D

If they have the spanning-tree portfast option enabled though, won't it immediately disconnect that port rendering your little invention useless?

If they didn't have it, it would create a bad loop!

Or maybe I misunderstand it totally. I'm not that familiar with that.
 
Greg Bockelman said:
So my linksys router is a hardware firewall. As long as I do the SSID and change passwords and all the other stuff associated with it, I am good to go with that. Does that mean I don't have to or shouldn't bother with a software firewall such as Norton or Windows?

I would say as long as you don't have the linksys router setup to forward all ports to one PC on your network, you'd be fine without the local software firewall.

Others may disagree, but just from my experience, in a home environment the software firewall isn't needed as long as the hardware firewall isn't forwarding ports to an internal machine.
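
A minimal model of the home-router behaviour discussed in the posts above (inbound traffic is dropped unless it answers something a LAN machine started, or a port forward says where it should go), as an added example that is not part of any poster's message. The class and method names and all addresses are made up for illustration, and matching replies on the exact remote address and port is an assumed simplification; real routers differ in how strictly they match.

```python
from dataclasses import dataclass, field


@dataclass
class HomeRouter:
    # (proto, wan_port) -> (lan_ip, lan_port): rules the owner configured
    port_forwards: dict = field(default_factory=dict)
    # (proto, wan_port) -> (lan_ip, lan_port, remote_ip, remote_port)
    sessions: dict = field(default_factory=dict)
    next_wan_port: int = 40000

    def outbound(self, proto, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN machine opens a connection; the router records the session
        and returns the WAN-side port it picked for the translation."""
        wan_port = self.next_wan_port
        self.next_wan_port += 1
        self.sessions[(proto, wan_port)] = (lan_ip, lan_port, remote_ip, remote_port)
        return wan_port

    def inbound(self, proto, remote_ip, remote_port, wan_port):
        """Return the (lan_ip, lan_port) a packet from the internet is
        delivered to, or None when the router drops it."""
        session = self.sessions.get((proto, wan_port))
        if session is not None and session[2:] == (remote_ip, remote_port):
            return session[:2]  # reply to a conversation the LAN started
        # No matching session: only an explicit forward lets it in.
        return self.port_forwards.get((proto, wan_port))


def walkthrough():
    """Run the four cases from the thread and return what the router did."""
    router = HomeRouter()
    pc = "192.168.1.100"
    results = {}

    # 1. Unsolicited probe of a Windows service port (TCP 135, RPC endpoint mapper).
    results["unsolicited"] = router.inbound("tcp", "198.51.100.9", 50000, 135)

    # 2. The PC browses a web server; the server's reply is let back in.
    wan_port = router.outbound("tcp", pc, 1025, "198.51.100.7", 80)
    results["reply"] = router.inbound("tcp", "198.51.100.7", 80, wan_port)

    # 3. A different host aims at the same translated port: dropped.
    results["stranger"] = router.inbound("tcp", "198.51.100.9", 80, wan_port)

    # 4. With a port forward in place the router passes the traffic on,
    #    and only a firewall on the PC itself can still filter it.
    router.port_forwards[("tcp", 3389)] = (pc, 3389)
    results["forwarded"] = router.inbound("tcp", "198.51.100.9", 50001, 3389)
    return results


if __name__ == "__main__":
    for case, outcome in walkthrough().items():
        print(f"{case:12s} -> {'DROPPED' if outcome is None else outcome}")
```
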
 
Greg Bockelman said:
So my linksys router is a hardware firewall. As long as I do the SSID and change passwords and all the other stuff associated with it, I am good to go with that. Does that mean I don't have to or shouldn't bother with a software firewall such as Norton or Windows?

Yep you should be set and won't need the software firewall. I certainly wouldn't purchase the Norton, but if you want, you can leave the Windows one enabled if it makes you feel better, but essentially, it will be doing nothing.
 
LeonardMack said:
If they have the spanning-tree portfast option enabled though, won't it immediately disconnect that port rendering your little invention useless?

If they didn't have it, it would create a bad loop!

Or maybe I misunderstand it totally. I'm not that familiar with that.
It does create a loop. Portfast means the switch immediately sets the port as being connected to a single machine, no testing to see if the connection is valid. We've had at least two instances where professors have tried to tidy up after disconnecting their laptop and turned around and plugged the other end of the cable into another port on their little 10$ switch. Go up to the closet and you see every port on that VLAN blink in unison. Switch goes dead to the network.

All because the previous network manager didn't want to wait for ports to come up to the proper state, so he set all of them to spanning-tree portfast.
 
wbarnhill said:
Of course, a quick diabolical way to upset a network administrator who enjoys using the spanning-tree portfast option is to purchase a little 10$ switch and plug a cat5 cable into two ports, then plug the switch into the wall jack. :D
Anyone using portfast is trying to make up for a poorly designed network or protocol. The only time I've used it is with Netware 5 IPX GetNearestServer calls on a particularly large network (college). Stupid Cisco spanning tree algorithm took too long to transition to a forward state that IPX decided that there WAS no server available. Funny how it only happened on our faster machines. The other ones booted so slow that spanning tree was done by the time the Novell client was asking. ;)
 
LeonardMack said:
Yep you should be set and won't need the software firewall. I certainly wouldn't purchase the Norton, but if you want, you can leave the Windows one enabled if it makes you feel better, but essentially, it will be doing nothing.

Well, my laptop goes on the road with me, and probably no hardware firewall with the wireless systems I use. Maybe they do, but I am not sure. I will leave Windows Firewall on for that, but on my home stuff I won't worry about it.

Thanks again for the input, guys.
 