XP Firewall

Posted on 2003-02-21
Last Modified: 2013-12-04
My network is behind a router (with NAT).  What would be the pros & cons of turning on the built-in firewall in XP Pro?

TIA,
Tats
Question by:Itatsumaki
21 Comments
 
LVL 44

Expert Comment

by:CrazyOne
ID: 7994441
Not much. The NAT will probably do more than the XP firewall. But experiment with the XP firewall to see if it logs any probes for a period of a week or two. It is unlikely to see any probes because the NAT will pick them up. Although some network gurus suggest that you run both a hardware and software firewall for extra protection.


The Crazy One
0
 
LVL 24

Expert Comment

by:SunBow
ID: 7996734
ditto. I've heard nothing good about it, so if you have no valid reason, then don't do it. MS also sells firewall hardware. But that is not their business, so you know you can't accept them as best when at v 1.0. If you want more, try ZoneAlarm. This would be the software topic mentioned by CrazyOne.
0
 
LVL 2

Expert Comment

by:NEOsporin
ID: 7996909
Put up a firewall, XP's blowz, use ZoneAlarm, it has a free version that is better than XP's. The registered version is well worth the $$ (50). You are behind a Router, which Routes packets, packets that will end up on your machine, NAT offers no protection other than IP, sort of. A static NAT will go directly to your PC, I send a probe from my PC, it hits your router and your router has a STATIC NAT to your PC, I am probing your machine, but against the ACL's of your router. That is the only protection you have, the ACL's on the router. If you don't have static NAT, then it's a little bit better, but not much. Get a real firewall, software or hardware. Anything is better than nothing. If you need more info let me know, google is the best! www.google.com/toolbar.html
-NEO
0
 
LVL 12

Expert Comment

by:Otta
ID: 7997749
The NAT box will keep hackers on the Internet
from entering your network.

Using a firewall (the XP firewall or ZoneAlarm or
Tiny Personal Firewall or ....) will block any
hackers "within" your network from getting into
*your* computer.

Compare it to a controlled-access hotel, with security at
the street-level entrance, and one security-guard outside
the hallway-door of each hotel-room on each floor.
So, even if a thief gets into the hotel,
the thief still has to get by the guard
standing outside of your personal hotel-room.
0
 

Expert Comment

by:halcyon985
ID: 7998026
I agree with Neo, NAT isn't a reliable way to stop anybody from doing anything to your network.  NAT is designed to send packets to your computer.  NAT is there to allow a private network to use a public IP, imo the security benefits of NAT are more a side effect than necessarily the reason it's there.  A good question is what type of router do you have?  More than likely, since you're asking this question at all, you're on a home network with something like a Linksys router.  They have built-in firewalling if I'm not mistaken, correct?  This should do fine for you, if you're really security paranoid, you can set up another one software-wise on your comp.  The only reason to do this though is if you're worried about your perimeter box getting owned.  Otherwise it's the same thing because you're going to have the same ports open on both firewalls.  

So to end my blabbing, if you don't have a firewall on your router, definitely go with a software one (or if you have an old comp lying around, put a nice flavor of LRP on it, I got it, it's nice), otherwise you will be fine if you have a firewall on your router.  

Jim
0
 
LVL 2

Expert Comment

by:NEOsporin
ID: 8000338
otta is incorrect, let me explain. In order for you to get to a web page, your PC with a PRIVATE IP of let's say 10.10.10.10, sends all his packets that need to get anywhere to the gateway of 10.10.10.254, which is an interface on your router. The router says, hey! 10.10.10.10 wants to go to a PUBLIC address of 206.169.61.185, I had better translate his private IP to a public one so he can get there, OHH he has a static NAT, so an IP of 63.1.1.12 (just an ex.). Anything that 206.169.61.185 port 80 sends to 63.0.0.12 will go to 10.10.10.10. Without static, the problem is less, unless there is a session established, say you visit my webpage 66.35.250.150, I can then bind my security scanner to send info to port 80 of your box, and not be bothered at all by the NAT, I can overflow or just about anything. There are plenty more things that can be done. My point was, otta was wrong. ACL's on the router are what protect you, or your firewall, which is close to what ACL's do. ACL's on or off, blocking or allowing, firewalls can establish a better set of rules to apply. Sorry for the spam.
-NEO (ccnp)
0
 
LVL 12

Expert Comment

by:Otta
ID: 8001970
NEOsporin is wrong.

If a PC with a "private" IP wants to access a "public"
IP-address, the PC obtains a "socket" (just a number
between 1024 and 65535 that is not already being used).
TCP/IP services on that PC:
 * puts that socket-number into the IP-packet,
 * puts its private IP-address into the packet,
 * puts the "destination" IP-address into the packet,
 * puts the "destination-port" (for example '80',
   if the destination is a web-server) into the packet.
Then, it sends the IP-packet.

The NAT ("network address translation") server
records the above four items into a "state-table".
The server then substitutes its own IP-address
and its own socket-number into the packet,
and sends the packet to the destination IP-address.
If an IP-packet is received, and the packet
contains the substituted IP-address *AND*
the substituted socket-number, then the "state-table"
is examined.  (If an *EXACT* match is not found,
as in NEOsporin's example, then the IP-packet is
discarded.)  The "state-table" is used to invert
the substitution, and the received IP-packet is
modified, inserting the "private" IP-address
and the original socket-number, and the translated
IP-packet is sent to the "private" PC that made
the request.

> can then bind my security scanner to send info to port 80 of your box

No! No! No!  If your "public" PC creates an IP-packet
which has a socket-number, say '80', which does *NOT*
match the socket-number that was inserted into the
IP-packet that the NAT-server sent to your "public" PC,
then the packet will be *DISCARDED*, because a "session"
between the NAT-server and your "public" PC is based
on *TWO* pieces of information (the socket-number and
the IP-address), not just the *ONE* piece of information
(the IP-address).

To make an analogy: if a "private" friend of mine
is a card-player, and asks me for a "black jack",
and then, on his behalf, I ask you for a "black jack",
then I expect to get a "black jack" from you.
At approximately the same time, my friend can ask me
for a "red queen", and I will ask you for that card.

If you give me a "black king", I will say "you are wrong",
because I have done the book-keeping to record
which card (or cards) that I have asked you to provide
(namely "black jack" and "red queen").

I will *NOT* pass your "black king" to my friend.
Yes, the card is "black", but it is *NOT* a "jack",
so I will *NOT* "relax" my rules to pass the wrong card
to my friend.

> I can overflow or just about anything.

You are wrong.  The NAT-server will just "discard"
your unsolicited IP-packet.

0
 
LVL 4

Expert Comment

by:Ghost_Hacker
ID: 8003174
Frankly, I would just "play around" with it. If you want to learn about it you gotta use it and configure it yourself. (else you'll always be asking for someone else's help and free help is worth what you pay for it.)

If XP's firewall doesn't work for you or causes problems with your current setup, you can just shut it off. No harm done.

0
 
LVL 4

Expert Comment

by:Ghost_Hacker
ID: 8003196
Here's a good overview of the XP firewall.

http://www.sans.org/rr/win/XP_firewall.php
0
 
LVL 4

Expert Comment

by:Ghost_Hacker
ID: 8003252
Oh one other thing...if you have a Linksys router with the latest firmware, you might want to check to see if you can run ZoneAlarm Pro with it.

If you can, then ZoneAlarm Pro will work with your router to provide "firewall" functionality.

It's a nice option :-)
0
 
LVL 2

Expert Comment

by:NEOsporin
ID: 8003281
I give, whatever. This is all over his head (Itatsumaki) most likely. He asked a simple question, and I turned the thread into a Special Olympics 100m race, even if you win... you're still a re**** Do not expect NAT to protect you, as it will not to the degree it has been made to be here. Get yourself a firewall.
I have my CCNP, and I have been hacking for some time, I over-generalized in my example, forgiveness plz. Good Luck to all.
-NEO
0
 
LVL 12

Expert Comment

by:Otta
ID: 8003347
> Do not expect NAT to protect you,

I disagree.

> Get yourself a fire wall.

NAT, because it uses "stateful-inspection" _DOES_ function
as a firewall -- *ALL* unsolicited traffic is *NOT* allowed
through the NAT-server into your computer(s).

If you do use the XP firewall, enable its "logging",
and look at the logs, and study them, to understand
what is being blocked.
0
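Otta's advice above is to enable the XP firewall's logging and study what it blocks. The XP Internet Connection Firewall writes its log (pfirewall.log) in a W3C-style text format with a "#Fields:" header naming the columns. The script below is an added example, not code from the thread or from Microsoft: it reads the column names from that header rather than assuming a fixed layout, tallies DROP events per source host and destination port, and marks which dropping sources sit in private (RFC 1918) address space, i.e. on the LAN side of the NAT router, which is exactly the "within your network" traffic Otta says a host firewall is for. The sample log lines are constructed for the example.

```python
"""Summarise DROP events in a Windows XP firewall log (pfirewall.log format).

Added example for this thread, not code from the thread or from any vendor.
The parser trusts the log's own '#Fields:' header for column names, so it
also handles logs whose field layout differs from the constructed sample.
"""
from collections import Counter
from ipaddress import ip_address

# Constructed sample log in the XP firewall's text format (not a real capture).
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-02-22 09:14:01 DROP TCP 192.168.1.77 192.168.1.10 3121 135 48 S 61234 0 16384 - - -
2003-02-22 09:14:02 DROP TCP 192.168.1.77 192.168.1.10 3122 139 48 S 61235 0 16384 - - -
2003-02-22 09:14:02 DROP TCP 192.168.1.77 192.168.1.10 3123 445 48 S 61236 0 16384 - - -
2003-02-22 09:15:40 OPEN TCP 192.168.1.10 206.169.61.185 1052 80 - - - - - - - -
2003-02-22 09:15:55 DROP UDP 192.168.1.1 192.168.1.10 1900 1900 310 - - - - - - -
2003-02-22 09:16:10 DROP ICMP 192.168.1.77 192.168.1.10 - - 60 - - - - 8 0 -
2003-02-22 09:20:00 CLOSE TCP 192.168.1.10 206.169.61.185 1052 80 - - - - - - - -
"""


def parse_log(text):
    """Yield one dict per event line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # blank line or another header directive
        if fields is None:
            raise ValueError("event line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def summarise_drops(text):
    """Count DROP events per (src-ip, protocol, dst-port) and per source host.

    Returns (by_target, by_source, lan_sources): by_target maps
    (src-ip, protocol, dst-port) -> count, by_source maps src-ip -> count,
    and lan_sources is the set of dropping source hosts in private address
    ranges, i.e. machines on the LAN side of the NAT router.
    """
    by_target = Counter()
    by_source = Counter()
    for ev in parse_log(text):
        if ev["action"] != "DROP":
            continue
        by_target[(ev["src-ip"], ev["protocol"], ev["dst-port"])] += 1
        by_source[ev["src-ip"]] += 1
    lan_sources = {ip for ip in by_source if ip_address(ip).is_private}
    return by_target, by_source, lan_sources


if __name__ == "__main__":
    targets, sources, lan = summarise_drops(SAMPLE_LOG)
    for (src, proto, port), n in targets.most_common():
        print(f"{src:<15} {proto:<5} dst-port {port:<5} dropped {n}x")
    print("dropping sources inside the LAN:", sorted(lan))
```

Run against the sample, the summary shows one LAN peer (192.168.1.77) being refused on TCP 135, 139 and 445 plus an ICMP echo, and the router itself (192.168.1.1) being refused on UDP 1900; the outbound web session (OPEN/CLOSE) is not counted because only DROP lines are tallied. Pointing the script at a real pfirewall.log means reading the file instead of SAMPLE_LOG.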
 
LVL 4

Accepted Solution

by:
Ghost_Hacker earned 300 total points
ID: 8003454
NAT will protect against "active" hacking, but not against "passive" hacking.

For example, I can't scan your systems behind the NAT for any weaknesses because the NAT will drop all inbound connections that aren't "started" by a computer on the inside of the NAT. (Active hacking :-) )

But if I send a trojan out into the wild and wait for someone to foolishly install it (click on the wrong email perhaps), then that trojan will start a connection to the outside and be allowed through the NAT, because SOHO "NAT's" allow all outbound traffic by default. Once the connection is established by YOUR computer I would then have access to your computer regardless of your NAT. (passive hacking :-) )


As you can see a NAT or firewall provides just one half of the protection your network needs. Never rely on just one tool for protection, but instead look at layering your defenses.
0
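The toy model below is an added example (not code from the thread or from any router product) that plays out the three NAT behaviours argued over above: Otta's state-table description, where an inbound packet passes only if the remote IP, remote port and translated port all match an entry created by an outbound packet; Ghost_Hacker's accepted solution, where a connection started from the inside (the trojan's call-out) creates exactly such an entry and so opens a path for the outside host; and NEO's "static NAT" case, where a 1:1 mapping forwards unsolicited packets to the inside host regardless of state. The addresses are the thread's own example values (10.10.10.10, 63.1.1.12, 206.169.61.185, 66.35.250.150); the port numbers and the simplified table key are constructed for the example.

```python
"""Toy NAT router with a state table, added to illustrate the thread's NAT
discussion. Not code from the thread or from any product; the table key and
port allocation are deliberately simplified."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, public_ip, static_map=None):
        self.public_ip = public_ip
        # Optional static 1:1 mapping: public IP -> inside host that receives
        # everything addressed to that IP (NEO's "static NAT"). Empty means
        # dynamic, state-table-only NAT.
        self.static_map = static_map or {}
        # State table as Otta describes it: the four items recorded from the
        # outbound packet, keyed by what the reply must carry.
        # (proto, translated port, remote ip, remote port) -> (inside ip, inside port)
        self.table = {}
        self.next_port = 1024  # next free translated port
        self.log = []

    def outbound(self, pkt):
        """Inside -> Internet: record the flow, substitute the public address."""
        public_port = self.next_port
        self.next_port += 1
        self.table[(pkt.proto, public_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, public_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> inside: return the translated packet, or None if dropped."""
        key = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.table:  # exact match on all recorded items: invert the substitution
            inside_ip, inside_port = self.table[key]
            self.log.append(f"PASS state match -> {inside_ip}:{inside_port}")
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, inside_ip, inside_port)
        if pkt.dst_ip in self.static_map:  # static mapping: forwarded even though unsolicited
            inside_ip = self.static_map[pkt.dst_ip]
            self.log.append(f"PASS static map -> {inside_ip}:{pkt.dst_port} (unsolicited)")
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, inside_ip, pkt.dst_port)
        self.log.append(f"DROP no state for {pkt.src_ip}:{pkt.src_port} -> port {pkt.dst_port}")
        return None


def scenario_dynamic_nat():
    """Otta's case: the web server's reply passes; probes with no state are dropped."""
    nat = NatRouter("63.1.1.12")
    web = "206.169.61.185"
    out = nat.outbound(Packet("TCP", "10.10.10.10", 3001, web, 80))
    reply = nat.inbound(Packet("TCP", web, 80, "63.1.1.12", out.src_port))   # passes
    probe = nat.inbound(Packet("TCP", web, 80, "63.1.1.12", 135))            # same host, wrong port: dropped
    scan = nat.inbound(Packet("TCP", "66.35.250.150", 40000, "63.1.1.12", 445))  # unrelated host: dropped
    return reply, probe, scan


def scenario_trojan_callback():
    """Ghost_Hacker's case: an inside host connects out, so the outside host's traffic passes."""
    nat = NatRouter("63.1.1.12")
    outside = "66.35.250.150"
    out = nat.outbound(Packet("TCP", "10.10.10.10", 3002, outside, 6667))
    return nat.inbound(Packet("TCP", outside, 6667, "63.1.1.12", out.src_port))


def scenario_static_nat():
    """NEO's case: a static 1:1 mapping forwards an unsolicited packet to the inside host."""
    nat = NatRouter("63.1.1.12", static_map={"63.1.1.12": "10.10.10.10"})
    return nat.inbound(Packet("TCP", "66.35.250.150", 40000, "63.1.1.12", 445))


if __name__ == "__main__":
    print("dynamic NAT:", scenario_dynamic_nat())
    print("trojan call-out:", scenario_trojan_callback())
    print("static NAT:", scenario_static_nat())
```

The model is what both sides of the argument are partly right about: with dynamic NAT and no static mapping, the unsolicited probes return None (Otta), but once something inside has opened a connection the remote end's packets for that flow are translated straight to the inside host (Ghost_Hacker), and a static mapping forwards everything (NEO), which is why a host firewall or router ACLs are a separate layer from the NAT itself.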
 
LVL 2

Expert Comment

by:NEOsporin
ID: 8003518
If this were true, no one would run a firewall. NAT (especially static NAT) will not protect you. Make your own conclusions, do the homework like it's been suggested. Google is your best bet. If you are unsure as to how your NAT functions, ask someone, or get a firewall. nmap and quite a few other scanners have techniques to trick BOTH firewalls and NAT. This is my final comment. Or use otta's NAT as it is omniscient, and every NAT engine I used was not.
-NEO
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 8003711
As I stated in my first post

"Although some network gurus suggest that you run both a hardware and software firewall for extra protection."
0
 

Expert Comment

by:halcyon985
ID: 8004113
Otta:

> the PC obtains a "socket" (just a number
> between 1024 and 65535 that is not already being used).

This is wrong, a socket is the port, destination IP, and the name of the transport layer protocol.  This is irrelevant though, as you could argue that the information that followed in your argument is close enough to the definition.  

Stating this, this argument is irrelevant.  Anybody that thinks NAT is the end-all answer to security isn't very bright.  NAT in its nature will deliver traffic between your computer and another host somewhere out there.  That is what it is designed to do.  And with this established, can you honestly argue that this is a good way to secure your network?  It's not.  At best, it is just another protection, in what should be a layered setup.  

Even if NAT was the God-sent answer to network security, which it isn't, since if it was there would be no security forums, it would just say "Set up NAT" on @stake's website.  Anyway, getting off on a tangent, even if it was the answer, what happens if your firewall gets owned?  Setting up further security on the inside is a great idea, if not required.  Especially when you consider that the XP firewall is free and only requires the click of a mouse to get running.  The only trade-off is system resources.  And most people running XP have plenty of that to burn, or they wouldn't be running XP.  If they want to go a more secure route, any of the fine solutions mentioned here would be even better.

Rant ended

Jim
0
 
LVL 4

Expert Comment

by:Ghost_Hacker
ID: 8005398
You might find this site helpful in understanding firewalls:

http://www.practicallynetworked.com/sharing/firewall.htm
0
 
LVL 2

Author Comment

by:Itatsumaki
ID: 8010273
Good god, I leave for the weekend and come back to a dozen+ useful answers.  Props to all for the help, much appreciated.  I have no clue how to divvy up the points with this many answers, but you guys are prolly smart enough that you don't care much.  Still, I want to be fair so I'll figure something out and post it here.

Thanks again all,
Tats
0
 

Expert Comment

by:WhomperStomper
ID: 8115067
The type of router you are using is significant.  Some home routers do not offer stateful packet inspection, others do.  This is central to the discussion of whether your router is even aware of the session when NATing or not.  Otta and Neo seem to be more concerned with one-upmanship than providing useful advice.  My thought is, if you are asking the question then you probably do not want the hassle of maintaining a software firewall, consequences be damned.

My advice:
1. Find out what features your router offers. (can you open and close ports, does it offer stateful packet inspection?)
2. Understand how those features work (i.e. play around).
3. Evaluate how much you enjoy the maintenance aspect.  Programs like ZoneAlarm can be more hassle than they are worth unless you are willing to take the time to learn and maintain them.

One other thing to keep in mind.  When implementing firewalls a good rule of thumb is block everything from the start and then open only the ports you need for your activities.
0
 
LVL 12

Expert Comment

by:Otta
ID: 8117347
> Some home routers do not offer stateful packet inspection

Please name one.  Thanks.
0