Vista - Vista firewall outbound protection blocks Windows Update

01-15-2008

An issue I have come across with Vista's firewall outbound blocking is that
it blocks Microsoft update. I have figured out how to fix it by unblocking
wuapp.exe and svchost.exe. Vista complained about me unblocking svchost.exe
though as it said it may conflict with it's own internal rules settings.
What I am doing for now is enabling the rule for svchost.exe to check for
updates and then disable the rule the rest of the time. Is that the best way
around this issue? Why could'nt Microsoft have made Windows Update unblocked
by default? Even some 3rd party Firewalls know to unblock certain apps by
default.

01-15-2008

"*^&%$$#*%!" <someone@xxxxxx> wrote in message
news:a9%ij.10179$wx.1505@xxxxxx

Quote:

> An issue I have come across with Vista's firewall outbound blocking is
> that it blocks Microsoft update. I have figured out how to fix it by
> unblocking wuapp.exe and svchost.exe. Vista complained about me unblocking
> svchost.exe though as it said it may conflict with it's own internal rules
> settings. What I am doing for now is enabling the rule for svchost.exe to
> check for updates and then disable the rule the rest of the time. Is that
> the best way around this issue? Why could'nt Microsoft have made Windows
> Update unblocked by default? Even some 3rd party Firewalls know to unblock
> certain apps by default.

It's not a FW and neither are any of those 3rd party solutions you are
talking about FW(s) either. A FW sits at the junction point between two
networks. The network the FW is protecting from usually the Internet, and
the network it's protection the LAN.

A FW will have at least two network interfaces. One interface will face the
WAN/Internet, and the other interface will face the LAN. Or in your case for
a software FW solution running on a secured gateway computer, the computer
will have two NIC(s) Network Interface Cards, with one facing the WAN, and
the other one facing the LAN.

What you're talking about is a machine level packet filter that protects
services running on the computer at the machine level.

The normal filtering rule that would be applied for outbound traffic on a
FW, or in your case, the machine level packet filter that can stop outbound
would be to set a rule to stop all outbound traffic on ports. You then set
rules by services required (that you know you have to let outbound out)
based on outbound ports used by those services.

Svchost.exe is just the messenger. Svchost does the bidding for O/S programs
and other programs, which can include malware, as malware too can use
Svchost.exe as a *host* on its behalf. Svchost does nothing on its own. It
always does the bidding for others programs.

But you see, that's the errant action a home user will make is making rule
to stop Svchost.exe with a packet filter and worthless application control
in those solutions.

You don't kill Svchost.exe (the messenger). You find out what is using the
(messenger) and you kill that.

http://www.vicomsoft.com/knowledge/r...irewalls1.html

01-15-2008

Hey, Mr. Arnold. That website you pointed me to says there are various types
of firewalls and the top level is application control level so where do you
get off telling me applkication level blocking is not a firewall at all? It
goes on to further say, "it is recommended you begin with the methodology
that denies all access by default. In other words, start with a gateway that
routes no traffic and is effectively a brick wall with no doors in it." Gee,
that's what I did and now I am allowing stuff at the application level. WTF
is wrong with that method? Nothing! As stated, I already have a hardware
fiurewall between my PC and the internet that is working at level 3 (SPI).
If I want to take further steps that is my business. Messing about with this
stuff is how we learn. Sounds to me like the only method you know is the
rote method you paid way too much money for at some college for cadet
network specialists.

01-15-2008

"*^&%$$#*%!" <someone@xxxxxx> wrote in message
news:hb1jj.71417$EA5.66533@xxxxxx

Quote:

>
> Hey, Mr. Arnold. That website you pointed me to says there are various
> types of firewalls and the top level is application control level so where
> do you get off telling me applkication level blocking is not a firewall at
> all?

FW(s) do not block applications. It's not a FW function. You no more know
what you're talking about than a man in the Moon.

And Application gateway and some junk you're talking about in Vista's packet
filter or some 3rd party packet filter junk is not what an Application
gateway is about.

<copied>
An application gateway/proxy is considered by many to be the most complex
packet screening method. This type of firewall is usually implemented on a
secure host system configured with two network interfaces. The application
gateway/proxy acts as an intermediary between the two endpoints. This packet
screening method actually breaks the client/server model in that two
connections are required: one from the source to the gateway/proxy and one
from the gateway/proxy to the destination. Each endpoint can only
communicate with the other by going through the gateway/proxy.

<copied>

Quote:

> It goes on to further say, "it is recommended you begin with the
> methodology that denies all access by default. In other words, start with
> a gateway that routes no traffic and is effectively a brick wall with no
> doors in it."

Yes that is correct. A FW denies all inbound traffic by default, unless you
set rules to allow unsolicited inbound traffic or an application behind the
FW running on a computer makes the solicitation for inbound traffic by
sending outbound traffic to a remote IP. The FW will allow the solicited
traffic to pass and will block unsolicited traffic by default.

Quote:

> Gee, that's what I did and now I am allowing stuff at the application
> level. WTF is wrong with that method? Nothing! As stated, I already have a
> hardware fiurewall between my PC and the internet that is working at level
> 3 (SPI).

You're letting stuff in at the Application level are you? LOL

You're talking about a router for *home usage* that's running SPI. A NAT
router for home usage running SPI is not a FW solution. It's not running FW
technology software. It's pretending to be a FW.

Quote:

> If I want to take further steps that is my business. Messing about with
> this stuff is how we learn. Sounds to me like the only method you know is
> the rote method you paid way too much money for at some college for cadet
> network specialists.

You are absolutely clueless and ignorant of the facts. I suggest that you
visit a FW and Security NG, and let them rip you a part with your lack of
knowledge.

I have been IT since 1971, and I am still going strong. I have forgotten
more than you'll even know.

Here is another link about FW(s) that you know nothing about. You're
somewhere out there in left field with *home user* knowledge, and that's
about it, when it comes to FW technology

http://www.more.net/technical/netserv/tcpip/firewalls/

01-16-2008

"Mr. Arnold" <MR. Arnold@xxxxxx> wrote in message
news:uGUgmb3VIHA.5448@xxxxxx

Quote:

> FW(s) do not block applications. It's not a FW function. You no more know
> what you're talking about than a man in the Moon.

That website you sent me to says otherwise. There are various levels of
firewalls and more than one method of functioning as a firewall. It says at
the application level it is a level 5 firewall. Did you even read what you
yourself posted? Back to network specialist cadet school for you. Whether it
is called a firewall or not I don't care and still want to block
applications. Why is of no importance or any of your 'effing business. If
you don't know the answer to my question then go bother someone else who
might be impressed by your dorkinesss, I am not.

01-16-2008

"John Candy" <someone@xxxxxx> wrote in message
news:klgjj.74316$EA5.17813@xxxxxx

Quote:

>
> "Mr. Arnold" <MR. Arnold@xxxxxx> wrote in message
> news:uGUgmb3VIHA.5448@xxxxxx

Quote:

>> FW(s) do not block applications. It's not a FW function. You no more
>> know what you're talking about than a man in the Moon.

>
> That website you sent me to says otherwise. There are various levels of
> firewalls and more than one method of functioning as a firewall. It says
> at the application level it is a level 5 firewall. Did you even read what
> you yourself posted? Back to network specialist cadet school for you.
> Whether it is called a firewall or not I don't care and still want to
> block applications. Why is of no importance or any of your 'effing
> business. If you don't know the answer to my question then go bother
> someone else who might be impressed by your dorkinesss, I am not.

Do you think I really care? I am not going to bother with you, as you can't
read and you don't know what you're talking about, basically you are some
kind of a moron.

A packet filter such a Vista or some 3rd party solution are not firewalls,
they do NOT separate two networks, they do not have two interfaces that
control the packets between the interfaces, and they do not have the
snake-oil application/program control, the snake-oil junk in them that you
lean on like a crutch -- your stops all and ends all security blanket.

What's a level 5 FW? <g>

<copied>

Session (Layer 5)

This layer establishes, manages and terminates connections between
applications. The session layer sets up, coordinates, and terminates
conversations, exchanges, and dialogues between the applications at each
end. It deals with session and connection coordination.

<copied>

You have the Session (Layer 5) in the OSI model, which has nothing to do
with snake-oil application control with Vista's packet filter or the
snake-oil in 3rd party personal packet filters, or in your case, a 3rd party
personal firewall. . It's talking about network traffic or inbound or
outbound packets to/from the FW or ingress/degrees of packets.

You can block all the programs you want with the snake-oil in the packet
filters until the cows come home, which is NOT FW functionality, if that
will make you happy in your security blanket. But that doesn't make them
FW(s), and they are not working at layer 5 of the OSI model in the manner
you think they are.

And I told you what to do on outbound packet filtering on ports with a FW or
Vista's packet filter. You're too stupid to put 2 + 2 together and you
can't do it. However, the one thing you can play with is *application*
control . You can can play with that, but really, you don't even know what
you're doing with that either, when you stopped Svchost.exe (the
messenger) -- you have no clue as to what you're doing -- not really. <g>

BTW, I am impressed with your lack of knowledge, your inability to
comprehend, your ability to mis-read, your ability to twist things to fit
your needs, your ability to show your mental illness, and your
incompetence, when it comes to FW technology.

01-16-2008

In article <1egjj.74272$EA5.50331@xxxxxx>,
John Candy <someone@xxxxxx> wrote:

Quote:

>

Quote:

>> You're talking about a router for *home usage* that's running SPI. A NAT

>My specific router has more than just SPI. You don't even know which router

BTW, (assuming "SPI" means stateful packet inspection) why
WOULDN'T a combination of NAT and stateful inspection make a good
firewall? I mean, it's good enough for Checkpoint...

01-16-2008

"the wharf rat" <wrat@xxxxxx> wrote in message
news:fmkt66$krr$1@xxxxxx

Quote:

> In article <1egjj.74272$EA5.50331@xxxxxx>,
> John Candy <someone@xxxxxx> wrote:

Quote:

>>

Quote:

>>> You're talking about a router for *home usage* that's running SPI. A
>>> NAT

>>My specific router has more than just SPI. You don't even know which
>>router

>
> BTW, (assuming "SPI" means stateful packet inspection) why
> WOULDN'T a combination of NAT and stateful inspection make a good
> firewall? I mean, it's good enough for Checkpoint...
>

I think you had better learn what a FW is about and what FW technology is
about. NAT is not FW technology. NAT is mapping technology.

Checkpoint is a FW solution, and a solution that is a true FW solution will
ensure that only HTTP traffic comes down port 80 TCP and block any other
traffic trying to come down that port, as an example.

Checkpoint, Watchguard, Sonicwall, Cisco, Snapgear, etc, etc, even the
people who created the software in the link use NAT. But NAT is not FW
technology.

http://www.vicomsoft.com/knowledge/r...irewalls1.html

No router for home usage is running FW software. The router may have SPI
running, and the SPI is a form of a FW. But the overall solution is NOT
running FW software.

I have learned from the best in the FW and Security NG, my home base NG the
first NG I went to way back in 2000. I leaned from the best. I leaned from
the ones who implement security and firewall solutions for a living.

And I also suggest that you read the information in the link to find out who
are the impersonators, which was explained to me by experts in the FW and
Secuirty NG.

http://www.more.net/technical/netserv/tcpip/firewalls/

01-16-2008

On Wed, 16 Jan 2008 12:26:46 +0000 (UTC), wrat@xxxxxx (the wharf
rat) wrote:

Quote:

>In article <1egjj.74272$EA5.50331@xxxxxx>,
>John Candy <someone@xxxxxx> wrote:

Quote:

> BTW, (assuming "SPI" means stateful packet inspection) why
>WOULDN'T a combination of NAT and stateful inspection make a good
>firewall? I mean, it's good enough for Checkpoint...

Well, it isn't good enough for Checkpoint anymore. They have added AI
(Application Intelligence) protecting all the way from layer 3 up to
7. So has the Cisco PIX Secure Firewall.

If I'm not completely wrong, ISA Server 2000 (rel. 1999) was one of
the first -- if not the first -- firewalls to add strong layer 7
protection.

jas

01-16-2008

In article <ei4DVEEWIHA.4868@xxxxxx>,
Mr. Arnold <MR. Arnold@xxxxxx> wrote:

Quote:

>
>I think you had better learn what a FW is about and what FW technology is
>about. NAT is not FW technology. NAT is mapping technology.
>

No single technology provides sufficient security to be called
a "real firewall". But NAT is certainly one of the tools available to help
secure a network.

Quote:

>Checkpoint is a FW solution, and a solution that is a true FW solution will
>ensure that only HTTP traffic comes down port 80 TCP and block any other
>traffic trying to come down that port, as an example.
>

Bull****. That kind of protocol fixup is not a requirement of
a general firewall solution. You're overloading your terms. (The technical
term for *that* is amphiboly, BTW. It's very bad.)

A firewall is simply a device that manages and controls network
traffic. A simple nat gateway is a firewall. (Not a *good* firewall...)
So is an intelligent screening router that incorporates active response IDS.
Look at it this way: a Chevette is a car, right? So is a Ferrari, right?
It's like that.

Quote:

>
>http://www.vicomsoft.com/knowledge/r...irewalls1.html
>

Pffffttt. That's an infomercial not a technical paper.

Quote:

>I have learned from the best in the FW and Security NG, my home base NG the
>first NG I went to way back in 2000.

Lol. "I'm a security expert. I read all about it on Usenet!"

You're so funny.

01-15-2008	#1 (permalink)
^&%$$#%! n/a posts	Vista firewall outbound protection blocks Windows Update An issue I have come across with Vista's firewall outbound blocking is that it blocks Microsoft update. I have figured out how to fix it by unblocking wuapp.exe and svchost.exe. Vista complained about me unblocking svchost.exe though as it said it may conflict with it's own internal rules settings. What I am doing for now is enabling the rule for svchost.exe to check for updates and then disable the rule the rest of the time. Is that the best way around this issue? Why could'nt Microsoft have made Windows Update unblocked by default? Even some 3rd party Firewalls know to unblock certain apps by default.
My System Specs

01-15-2008	#2 (permalink)
Mr. Arnold n/a posts	Re: Vista firewall outbound protection blocks Windows Update "^&%$$#%!" <someone@xxxxxx> wrote in message news:a9%ij.10179$wx.1505@xxxxxx Quote: > An issue I have come across with Vista's firewall outbound blocking is > that it blocks Microsoft update. I have figured out how to fix it by > unblocking wuapp.exe and svchost.exe. Vista complained about me unblocking > svchost.exe though as it said it may conflict with it's own internal rules > settings. What I am doing for now is enabling the rule for svchost.exe to > check for updates and then disable the rule the rest of the time. Is that > the best way around this issue? Why could'nt Microsoft have made Windows > Update unblocked by default? Even some 3rd party Firewalls know to unblock > certain apps by default. It's not a FW and neither are any of those 3rd party solutions you are talking about FW(s) either. A FW sits at the junction point between two networks. The network the FW is protecting from usually the Internet, and the network it's protection the LAN. A FW will have at least two network interfaces. One interface will face the WAN/Internet, and the other interface will face the LAN. Or in your case for a software FW solution running on a secured gateway computer, the computer will have two NIC(s) Network Interface Cards, with one facing the WAN, and the other one facing the LAN. What you're talking about is a machine level packet filter that protects services running on the computer at the machine level. The normal filtering rule that would be applied for outbound traffic on a FW, or in your case, the machine level packet filter that can stop outbound would be to set a rule to stop all outbound traffic on ports. You then set rules by services required (that you know you have to let outbound out) based on outbound ports used by those services. Svchost.exe is just the messenger. Svchost does the bidding for O/S programs and other programs, which can include malware, as malware too can use Svchost.exe as a host on its behalf. Svchost does nothing on its own. It always does the bidding for others programs. But you see, that's the errant action a home user will make is making rule to stop Svchost.exe with a packet filter and worthless application control in those solutions. You don't kill Svchost.exe (the messenger). You find out what is using the (messenger) and you kill that. http://www.vicomsoft.com/knowledge/r...irewalls1.html
My System Specs

01-15-2008	#3 (permalink)
^&%$$#%! n/a posts	Re: Vista firewall outbound protection blocks Windows Update Hey, Mr. Arnold. That website you pointed me to says there are various types of firewalls and the top level is application control level so where do you get off telling me applkication level blocking is not a firewall at all? It goes on to further say, "it is recommended you begin with the methodology that denies all access by default. In other words, start with a gateway that routes no traffic and is effectively a brick wall with no doors in it." Gee, that's what I did and now I am allowing stuff at the application level. WTF is wrong with that method? Nothing! As stated, I already have a hardware fiurewall between my PC and the internet that is working at level 3 (SPI). If I want to take further steps that is my business. Messing about with this stuff is how we learn. Sounds to me like the only method you know is the rote method you paid way too much money for at some college for cadet network specialists.
My System Specs

01-15-2008	#4 (permalink)
Mr. Arnold n/a posts	Re: Vista firewall outbound protection blocks Windows Update "^&%$$#%!" <someone@xxxxxx> wrote in message news:hb1jj.71417$EA5.66533@xxxxxx Quote: > > Hey, Mr. Arnold. That website you pointed me to says there are various > types of firewalls and the top level is application control level so where > do you get off telling me applkication level blocking is not a firewall at > all? FW(s) do not block applications. It's not a FW function. You no more know what you're talking about than a man in the Moon. And Application gateway and some junk you're talking about in Vista's packet filter or some 3rd party packet filter junk is not what an Application gateway is about. <copied> An application gateway/proxy is considered by many to be the most complex packet screening method. This type of firewall is usually implemented on a secure host system configured with two network interfaces. The application gateway/proxy acts as an intermediary between the two endpoints. This packet screening method actually breaks the client/server model in that two connections are required: one from the source to the gateway/proxy and one from the gateway/proxy to the destination. Each endpoint can only communicate with the other by going through the gateway/proxy. <copied> Quote: > It goes on to further say, "it is recommended you begin with the > methodology that denies all access by default. In other words, start with > a gateway that routes no traffic and is effectively a brick wall with no > doors in it." Yes that is correct. A FW denies all inbound traffic by default, unless you set rules to allow unsolicited inbound traffic or an application behind the FW running on a computer makes the solicitation for inbound traffic by sending outbound traffic to a remote IP. The FW will allow the solicited traffic to pass and will block unsolicited traffic by default. Quote: > Gee, that's what I did and now I am allowing stuff at the application > level. WTF is wrong with that method? Nothing! As stated, I already have a > hardware fiurewall between my PC and the internet that is working at level > 3 (SPI). You're letting stuff in at the Application level are you? LOL You're talking about a router for home usage that's running SPI. A NAT router for home usage running SPI is not a FW solution. It's not running FW technology software. It's pretending to be a FW. Quote: > If I want to take further steps that is my business. Messing about with > this stuff is how we learn. Sounds to me like the only method you know is > the rote method you paid way too much money for at some college for cadet > network specialists. You are absolutely clueless and ignorant of the facts. I suggest that you visit a FW and Security NG, and let them rip you a part with your lack of knowledge. I have been IT since 1971, and I am still going strong. I have forgotten more than you'll even know. Here is another link about FW(s) that you know nothing about. You're somewhere out there in left field with home user knowledge, and that's about it, when it comes to FW technology http://www.more.net/technical/netserv/tcpip/firewalls/
My System Specs

01-16-2008	#5 (permalink)
John Candy n/a posts	Re: Vista firewall outbound protection blocks Windows Update "Mr. Arnold" <MR. Arnold@xxxxxx> wrote in message news:uGUgmb3VIHA.5448@xxxxxx Quote: > FW(s) do not block applications. It's not a FW function. You no more know > what you're talking about than a man in the Moon. That website you sent me to says otherwise. There are various levels of firewalls and more than one method of functioning as a firewall. It says at the application level it is a level 5 firewall. Did you even read what you yourself posted? Back to network specialist cadet school for you. Whether it is called a firewall or not I don't care and still want to block applications. Why is of no importance or any of your 'effing business. If you don't know the answer to my question then go bother someone else who might be impressed by your dorkinesss, I am not.
My System Specs

01-16-2008	#6 (permalink)
Mr. Arnold n/a posts	Re: Vista firewall outbound protection blocks Windows Update "John Candy" <someone@xxxxxx> wrote in message news:klgjj.74316$EA5.17813@xxxxxx Quote: > > "Mr. Arnold" <MR. Arnold@xxxxxx> wrote in message > news:uGUgmb3VIHA.5448@xxxxxx Quote: >> FW(s) do not block applications. It's not a FW function. You no more >> know what you're talking about than a man in the Moon. > > That website you sent me to says otherwise. There are various levels of > firewalls and more than one method of functioning as a firewall. It says > at the application level it is a level 5 firewall. Did you even read what > you yourself posted? Back to network specialist cadet school for you. > Whether it is called a firewall or not I don't care and still want to > block applications. Why is of no importance or any of your 'effing > business. If you don't know the answer to my question then go bother > someone else who might be impressed by your dorkinesss, I am not. Do you think I really care? I am not going to bother with you, as you can't read and you don't know what you're talking about, basically you are some kind of a moron. A packet filter such a Vista or some 3rd party solution are not firewalls, they do NOT separate two networks, they do not have two interfaces that control the packets between the interfaces, and they do not have the snake-oil application/program control, the snake-oil junk in them that you lean on like a crutch -- your stops all and ends all security blanket. What's a level 5 FW? <g> <copied> Session (Layer 5) This layer establishes, manages and terminates connections between applications. The session layer sets up, coordinates, and terminates conversations, exchanges, and dialogues between the applications at each end. It deals with session and connection coordination. <copied> You have the Session (Layer 5) in the OSI model, which has nothing to do with snake-oil application control with Vista's packet filter or the snake-oil in 3rd party personal packet filters, or in your case, a 3rd party personal firewall. . It's talking about network traffic or inbound or outbound packets to/from the FW or ingress/degrees of packets. You can block all the programs you want with the snake-oil in the packet filters until the cows come home, which is NOT FW functionality, if that will make you happy in your security blanket. But that doesn't make them FW(s), and they are not working at layer 5 of the OSI model in the manner you think they are. And I told you what to do on outbound packet filtering on ports with a FW or Vista's packet filter. You're too stupid to put 2 + 2 together and you can't do it. However, the one thing you can play with is application control . You can can play with that, but really, you don't even know what you're doing with that either, when you stopped Svchost.exe (the messenger) -- you have no clue as to what you're doing -- not really. <g> BTW, I am impressed with your lack of knowledge, your inability to comprehend, your ability to mis-read, your ability to twist things to fit your needs, your ability to show your mental illness, and your incompetence, when it comes to FW technology.
My System Specs

01-16-2008	#7 (permalink)
the wharf rat n/a posts	Re: Vista firewall outbound protection blocks Windows Update In article <1egjj.74272$EA5.50331@xxxxxx>, John Candy <someone@xxxxxx> wrote: Quote: > Quote: >> You're talking about a router for home usage that's running SPI. A NAT >My specific router has more than just SPI. You don't even know which router BTW, (assuming "SPI" means stateful packet inspection) why WOULDN'T a combination of NAT and stateful inspection make a good firewall? I mean, it's good enough for Checkpoint...
My System Specs

01-16-2008	#8 (permalink)
Mr. Arnold n/a posts	Re: Vista firewall outbound protection blocks Windows Update "the wharf rat" <wrat@xxxxxx> wrote in message news:fmkt66$krr$1@xxxxxx Quote: > In article <1egjj.74272$EA5.50331@xxxxxx>, > John Candy <someone@xxxxxx> wrote: Quote: >> Quote: >>> You're talking about a router for home usage that's running SPI. A >>> NAT >>My specific router has more than just SPI. You don't even know which >>router > > BTW, (assuming "SPI" means stateful packet inspection) why > WOULDN'T a combination of NAT and stateful inspection make a good > firewall? I mean, it's good enough for Checkpoint... > I think you had better learn what a FW is about and what FW technology is about. NAT is not FW technology. NAT is mapping technology. Checkpoint is a FW solution, and a solution that is a true FW solution will ensure that only HTTP traffic comes down port 80 TCP and block any other traffic trying to come down that port, as an example. Checkpoint, Watchguard, Sonicwall, Cisco, Snapgear, etc, etc, even the people who created the software in the link use NAT. But NAT is not FW technology. http://www.vicomsoft.com/knowledge/r...irewalls1.html No router for home usage is running FW software. The router may have SPI running, and the SPI is a form of a FW. But the overall solution is NOT running FW software. I have learned from the best in the FW and Security NG, my home base NG the first NG I went to way back in 2000. I leaned from the best. I leaned from the ones who implement security and firewall solutions for a living. And I also suggest that you read the information in the link to find out who are the impersonators, which was explained to me by experts in the FW and Secuirty NG. http://www.more.net/technical/netserv/tcpip/firewalls/
My System Specs

01-16-2008	#9 (permalink)
Jon-Alfred Smith n/a posts	Re: Vista firewall outbound protection blocks Windows Update On Wed, 16 Jan 2008 12:26:46 +0000 (UTC), wrat@xxxxxx (the wharf rat) wrote: Quote: >In article <1egjj.74272$EA5.50331@xxxxxx>, >John Candy <someone@xxxxxx> wrote: Quote: > BTW, (assuming "SPI" means stateful packet inspection) why >WOULDN'T a combination of NAT and stateful inspection make a good >firewall? I mean, it's good enough for Checkpoint... Well, it isn't good enough for Checkpoint anymore. They have added AI (Application Intelligence) protecting all the way from layer 3 up to 7. So has the Cisco PIX Secure Firewall. If I'm not completely wrong, ISA Server 2000 (rel. 1999) was one of the first -- if not the first -- firewalls to add strong layer 7 protection. jas
My System Specs

01-16-2008	#10 (permalink)
the wharf rat n/a posts	Re: Vista firewall outbound protection blocks Windows Update In article <ei4DVEEWIHA.4868@xxxxxx>, Mr. Arnold <MR. Arnold@xxxxxx> wrote: Quote: > >I think you had better learn what a FW is about and what FW technology is >about. NAT is not FW technology. NAT is mapping technology. > No single technology provides sufficient security to be called a "real firewall". But NAT is certainly one of the tools available to help secure a network. Quote: >Checkpoint is a FW solution, and a solution that is a true FW solution will >ensure that only HTTP traffic comes down port 80 TCP and block any other >traffic trying to come down that port, as an example. > Bull***. That kind of protocol fixup is not a requirement of a general firewall solution. You're overloading your terms. (The technical term for that* is amphiboly, BTW. It's very bad.) A firewall is simply a device that manages and controls network traffic. A simple nat gateway is a firewall. (Not a good firewall...) So is an intelligent screening router that incorporates active response IDS. Look at it this way: a Chevette is a car, right? So is a Ferrari, right? It's like that. Quote: > >http://www.vicomsoft.com/knowledge/r...irewalls1.html > Pffffttt. That's an infomercial not a technical paper. Quote: >I have learned from the best in the FW and Security NG, my home base NG the >first NG I went to way back in 2000. Lol. "I'm a security expert. I read all about it on Usenet!" You're so funny.
My System Specs

Similar Threads
Thread	Forum
Windows Firewall ALWAYS Blocks Incoming Traffic	System Security
Vista Firewall outbound control	Vista General
Firewall blocks outbound traffic even if outbound rule exists	Vista security
Vista firewall not blocking outbound traffic despite explicit rules to do so	Vista security
Outbound Firewall Rules	Vista General