| | #11 (permalink) |
Guest | Re: Firewall with adv security

I would never ask for help with vista firewall, it is again not exactly what the end user is expecting from the personal firewall IMHO. That is why a wide range of third party firewalls are dominating the market. Unfortunately the problem is that my favorite years verified firewall is not running on vista yet so I have to wait for an update or buy a new one which is working correctly on vista.

I'm using (actually the most of us are using) the outbound protection for a long time and have never had any problem with it. Do not understand why it is confusing you.

Anyway, thanks for your help.

Jesper wrote:
> Sorry, I also forgot to answer your last question. The reason outbound filtering does not work is because any process running in the context of a particular user can (until certain limited cases in Vista only) hijack any other process running as the same user and make that other process do its evil bidding. To do so takes something like 20 bytes of machine code. In Vista it is possible to restrict the process token in such a way as to make this impossible. It is only done for services though, which is why filtering services is useful in Vista.
>
> "voidcoder" wrote:
>
>> Sorry Jesper, I do not agree. If the outbound control is useless so why it is there at all in the first place? Personally I'm using it since the days of win95 and NT3 and not going to stop, doesn't matter what OS I'm running on. I do not like that any piece of software is able to send something in background without to let me know what it is doing.
>>
>> I do not understand why this is an open door for the malware, actually it is preventing and notifying you about any malware running on your PC, while with the uncontrolled outbound *any* running process can connect to *any* address on any port and send some data and you will never detect it.
>>
>> Jesper wrote:
>>>> No, I do not try to prevent Windows Update from doing anything. I'm trying to *allow* it doing its job when the outbound protection is turned on. Go to the firewall settings, then select your profile and turn on the outbound control. Next go to Windows Update and try to check for updates, it will fail since there is no outbound rule for it.
>>>
>>> Did you change the default action of outbound filtering to block? That's highly unadviced. It already blocks that which can be meaningfully blocked by default. You will end up with hundreds of custom rules to punch holes in it, many of which will serve as perfect portals for malware on your system to get out through, assuming that you can actually enumerate all the things that need to communicate out on your system.
>>>
>>>> You will not find too much information for the most of native windows or third party software what ports what exactly ports they are using internally nor what addresses they are trying to connect and why they are trying to connect.
>>>
>>> No, that is correct, you won't. Such information is virtually impossible for the vendor to collect, as the destinations will be different in every environment. The firewall can only tell you which host it is going to now, and which port it is trying to connect to, but not why. That is why prompting for outbound blocks is not implemented in Vista. The most you will find is the Port Requirements for the Windows Server System article: http://support.microsoft.com/kb/832017/en-us.
>>>
>>>> Run some normal firewall with outbound control and you will be surprised how much native and third party windows software is trying to connect somewhere and send some data in background.
>>>
>>> Yep. It turns out that the more you use your computer, the more the computer tries to communicate on the network to do what you are asking it to do. All the "learning mode" firewalls have popups that allow you to open the ports, and every one I have seen have a default action to "allow all traffic by this program." As long as the first action the user sees is innocuous there is a near-100% chance that subsequent malicious actions will be allowed as well. Using "learning mode" to do anything even close to meaningful to build firewall rules makes your computer just about useless; and annoying.
>>>
>>>> Anyway in a half of situations you simply can't determine what binary you have to specify in your rule. Some programs are not a single binary exe located in the program folder. Some are a gazillion of binaries calling each other and mixed in the program folder, windows folders or elsewhere.
>>>
>>> Yep. That's how programs are designed, which is why it is virtually impossible to build a coherent outbound firewall policy.
>>>
>>>> Have you tried to install say VS2005 with the outbound control turned on?
>>>
>>> No, because restricting outbound communications for user applications is totally meaningless for security. Therefore I have never bothered wasting time on it.
>>>
>>>> The learning mode is not to popup on every inbound/outbound packet. It is to help you to define quickly rules for the programs that you trust
>>>
>>> So, why are you running programs you don't trust? It seems to me that you would be able to solve this problem easily enough by not running programs you don't trust.
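The configuration discussed in the post above (default outbound action set to block, after which Windows Update fails) with a service-scoped allow rule next to the broad program-wide one, as an added example that is not part of the original thread. It assumes an elevated command prompt, and it assumes that Windows Update traffic originates from the `wuauserv` and `BITS` services hosted in `svchost.exe`; check that against the firewall log on your own system.

```bat
@echo off
rem Added example, not from the thread. Run from an elevated command prompt.
rem Assumption: Windows Update traffic comes from the wuauserv and BITS
rem services hosted in svchost.exe. Confirm this in your own firewall log.

rem 1. Save the current policy so the change can be reversed with
rem    "netsh advfirewall import".
netsh advfirewall export "%TEMP%\wfas-before.wfw"

rem 2. Log dropped connections so that missing allow rules show up in
rem    %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log (default path).
netsh advfirewall set allprofiles logging droppedconnections enable

rem 3. Change the default outbound action to block (the setting the
rem    thread is arguing about).
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

rem 4. Broad form, shown commented out for contrast: it allows every
rem    service hosted in any svchost.exe instance, not just Windows Update.
rem netsh advfirewall firewall add rule name="svchost out (too broad)" ^
rem     dir=out action=allow program="%SystemRoot%\System32\svchost.exe" ^
rem     protocol=TCP remoteport=80,443

rem 5. Service-scoped form: the rule matches only traffic from the named
rem    service, which is the case Jesper describes as useful in Vista.
netsh advfirewall firewall add rule name="Windows Update (wuauserv) out" ^
    dir=out action=allow program="%SystemRoot%\System32\svchost.exe" ^
    service=wuauserv protocol=TCP remoteport=80,443
netsh advfirewall firewall add rule name="BITS out" ^
    dir=out action=allow program="%SystemRoot%\System32\svchost.exe" ^
    service=bits protocol=TCP remoteport=80,443

rem 6. Confirm what was created, including the service restriction.
netsh advfirewall firewall show rule name="Windows Update (wuauserv) out" verbose
netsh advfirewall firewall show rule name="BITS out" verbose

rem To undo everything: netsh advfirewall import "%TEMP%\wfas-before.wfw"
```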
| | #12 (permalink) |
Guest | Re: Firewall with adv security

"voidcoder" <voidcoder@yahoo.com> wrote in message news:%23ZJld2eKHHA.4000@TK2MSFTNGP06.phx.gbl...
> I do not understand why this is an open door for the malware, actually it is preventing and notifying you about any malware running on your PC, while with the uncontrolled outbound *any* running process can connect to *any* address on any port and send some data and you will never detect it.

If you don't trust the software that's installed on your machine, don't run it.

Once you've got malware on your machine, it can pretend to be any other trusted piece of software that you run - it can run that other trusted piece of software and then inject its own code into that other piece of software.

So, as outbound filtering becomes more popular, malware that requires an outbound connection simply uses Internet Explorer to make the outbound connection for it. Bingo, your outbound firewall filtering is useless.

Now, outbound filtering may be a useful piece of policy restriction - perhaps, for example, to prevent employees from running IRC chat programs, or peer-to-peer file theft networks - but if your users control what gets filtered (through accepting or rejecting dialog messages), that's no protection at all, either.

Outbound filtering cannot prevent your machine from getting infected by malware. It cannot prevent malware from getting further instructions or downloading extra components (because, after all, if the original malware code had a route into your system, it can exploit that route again for further parts of itself, or to receive updated instructions).

Outbound filtering can only prevent _well-behaved_ programs from making connections - and if you need to do that, then you generally should either uninstall or re-configure the program, rather than make your firewall more complex.

I'm not even sure that I agree with Jesper that outbound filtering in Vista is terribly useful or important. I can see a couple of places wherein it might prove useful for preventing tools and services from going outside the local network, where those tools and services have no ability to be configured that way. [For instance, for preventing File and Printer Sharing from accidentally going outside the local network.] But that's probably better configured at the edge firewall than on each individual PC within a network.

Alun. ~~~~
| | #13 (permalink) |
Guest | Re: Firewall with adv security

Sorry guys, I do not agree with you both. For some reason you are thinking that you know better than me what exactly I need to be happy. Somehow the outbound protection is serving me very well for years, no plans to change anything here. I'm asking how to use the built-in outbound protection in vista firewall while you are convincing me that outbound protection is not useful, unsafe etc. It is not more unsafe than the inbound protection. There is nothing that is 100% safe, everything can be hijacked. But thinking so you can simply not worry about the protection at all.

Yes, you are right of course. The outbound filtering cannot prevent your machine from getting infected (again there is nothing that can 100% prevent it), I'm not expecting more than it can do for me. However it can warn you that there is something running on your PC that is trying to communicate with the outside network in background without letting you know. It is really enough for me to start looking what is it and why is it. Note that without the outbound protection that "something" will be able to do it forever, unless some day will be detected differently using the anti-virus, some changes on your credit card account etc.

Defining the inbound/outbound rules in learning mode for some particular binaries in conjunction with checking that the binary isn't modified (a standard function for the most today firewalls) is all I need to be happy. Bad thing is that learning mode is for some reason only implemented for inbound filtering, otherwise I would stop any research in this field and stay with vista firewall. Unfortunately it is not there so I'm forced to spend some additional $ and buy a third party solution to fill my needs.

Only installing software that I trust is not an option for me. How do you decide that you trust or not trust some software from unknown vendor? Mine is usually installing a demo/trial/whatever to see what is it, how it works, is it exactly what I need, is it safe etc, and finally I decide that I trust it and need to buy or just need to uninstall and forget about it. For me it looks like a right tactic, not sure about others. A friend of mine is even checking everything new on Virtual PC first prior installing it on the main machine, but it is a little overhead for me.

Alun Jones wrote:
> "voidcoder" <voidcoder@yahoo.com> wrote in message news:%23ZJld2eKHHA.4000@TK2MSFTNGP06.phx.gbl...
>> I do not understand why this is an open door for the malware, actually it is preventing and notifying you about any malware running on your PC, while with the uncontrolled outbound *any* running process can connect to *any* address on any port and send some data and you will never detect it.
>
> If you don't trust the software that's installed on your machine, don't run it.
>
> Once you've got malware on your machine, it can pretend to be any other trusted piece of software that you run - it can run that other trusted piece of software and then inject its own code into that other piece of software.
>
> So, as outbound filtering becomes more popular, malware that requires an outbound connection simply uses Internet Explorer to make the outbound connection for it. Bingo, your outbound firewall filtering is useless.
>
> Now, outbound filtering may be a useful piece of policy restriction - perhaps, for example, to prevent employees from running IRC chat programs, or peer-to-peer file theft networks - but if your users control what gets filtered (through accepting or rejecting dialog messages), that's no protection at all, either.
>
> Outbound filtering cannot prevent your machine from getting infected by malware. It cannot prevent malware from getting further instructions or downloading extra components (because, after all, if the original malware code had a route into your system, it can exploit that route again for further parts of itself, or to receive updated instructions).
>
> Outbound filtering can only prevent _well-behaved_ programs from making connections - and if you need to do that, then you generally should either uninstall or re-configure the program, rather than make your firewall more complex.
>
> I'm not even sure that I agree with Jesper that outbound filtering in Vista is terribly useful or important. I can see a couple of places wherein it might prove useful for preventing tools and services from going outside the local network, where those tools and services have no ability to be configured that way. [For instance, for preventing File and Printer Sharing from accidentally going outside the local network.] But that's probably better configured at the edge firewall than on each individual PC within a network.
>
> Alun. ~~~~
| | #14 (permalink) |
Guest | Re: Firewall with adv security

"voidcoder" <voidcoder@yahoo.com> wrote in message news:u3%23wQI4KHHA.5016@TK2MSFTNGP04.phx.gbl...
> Sorry guys, I do not agree with you both. For some reason you are thinking that you know better than me what exactly I need to be happy.

Please accept my apologies for arguing with you.

Had I known that the purpose of outbound firewall filtering was simply to make you happy, I would have quite happily ceded the point to you, as only you can know what makes you happy.

> Somehow the outbound protection is serving me very well for years, no plans to change anything here.

Might I suggest that you also buy some of my purple elephant defence spray?

User testimonials indicate that no users of my purple elephant defence spray have ever been trampled by purple elephants.

> I'm asking how to use the built-in outbound protection in vista firewall while you are convincing me that outbound protection is not useful, unsafe etc.

If I have given you the impression that I am arguing that outbound filtering is unsafe, then I apologise.

I believe that outbound filtering merely offers too little in the way of security (i.e. close to none) when compared with the added complexity introduced by implementing it. Since that's a value judgement, you should feel free to disagree.

> It is not more unsafe than the inbound protection. There is nothing that is 100% safe, everything can be hijacked. But thinking so you can simply not worry about the protection at all.

Asking for outbound filtering to protect you from malware is like asking for keyed locks on the inside, as well as the outside, of your house doors, to protect you from murderers and thieves. Too late! The criminals are already on the inside, and are holding the door open!

> Yes, you are right of course. The outbound filtering cannot prevent your machine from getting infected (again there is nothing that can 100% prevent it), I'm not expecting more than it can do for me.

Perhaps you can explain what it can do for you?

> However it can warn you that there is something running on your PC that is trying to communicate with the outside network in background without letting you know.

For most users, such warnings are generally useless - either they are dismissed, because the user doesn't understand them, or they put the user into a frightened state, because the user doesn't understand them. When the first outbound firewalls were introduced, I was forever having to calm down users who had become really upset that their ISP was running malware on their computers, because for why else would their system be repeatedly trying to make a contact to the ISP on port 53?

[For those who don't want to figure it out, that is simply a normal part of resolving names, so that you can use www.microsoft.com in a browser instead of the truly memorable 207.46.225.60]

> It is really enough for me to start looking what is it and why is it. Note that without the outbound protection that "something" will be able to do it forever, unless some day will be detected differently using the anti-virus, some changes on your credit card account etc.

And, with the outbound protection, that "something" will be able to connect outbound on the Universal Firewall Tunneling Protocol (port 80), or the Secure Universal Firewall Tunneling Protocol (port 443) through Internet Explorer, or the Sneaky Firewall Tunneling Protocol (port 53) - unless you think that we should be warned every time we load up a web browser, or an application goes to check a DNS name. What about Ping? Are you looking for the firewall to complain about that on the way out, too? There are endless numbers of protocols that your outbound filter shouldn't be filtering, and which malware can use to phone home.

> Defining the inbound/outbound rules in learning mode for some particular binaries in conjunction with checking that the binary isn't modified (a standard function for the most today firewalls) is all I need to be happy.

This component of Vista doesn't appear to have been designed with the goal of keeping you - or me - happy. Jesper's a little happier about it, but then I think he may have had some input in the design.

> Bad thing is that learning mode is for some reason only implemented for inbound filtering, otherwise I would stop any research in this field and stay with vista firewall. Unfortunately it is not there so I'm forced to spend some additional $ and buy a third party solution to fill my needs.

Every now and again, the default operating system tools will not satisfy your innermost desires. That's what third party tools are for. In the eighty/twenty rule, you have just migrated across the boundary from eighty to twenty. You're special. Keep telling yourself that as you pay for a tool that I'm convinced is completely useless.

> Only installing software that I trust is not an option for me. How do you decide that you trust or not trust some software from unknown vendor?

I go by reputation, documentation, testing and need.

> Mine is usually installing a demo/trial/whatever to see what is it, how it works, is it exactly what I need, is it safe etc, and finally I decide that I trust it and need to buy or just need to uninstall and forget about it. For me it looks like a right tactic, not sure about others. A friend of mine is even checking everything new on Virtual PC first prior installing it on the main machine, but it is a little overhead for me.

It's all a risk/benefit analysis, but too many people don't realise that they should be considering risks versus benefits.

Alun. ~~~~
| | #15 (permalink) |
Guest | Re: Firewall with adv security

Oh I see we are quite far away now from the original question about the particular firewall option.

Are you against the outbound protection? Just don't use it then. In my opinion disabling it will remove one additional level in your security, being somehow protected is always better than nothing. Why do you think this feature has been included into windows firewall at all and is there in every third party firewall? It is likely due to some customer demand, I'm sure MS won't spend time coding something for fun without some serious market analysis. Yep, a half of users won't worry about the outbound protection, as well as a good piece won't worry about the firewall at all. Don't understand why I should follow this scenario.

Yes, I'm going to buy a third party firewall, among the purple elephant, if it makes sense for me.

Alun Jones wrote:
> "voidcoder" <voidcoder@yahoo.com> wrote in message news:u3%23wQI4KHHA.5016@TK2MSFTNGP04.phx.gbl...
>> Sorry guys, I do not agree with you both. For some reason you are thinking that you know better than me what exactly I need to be happy.
>
> Please accept my apologies for arguing with you.
>
> Had I known that the purpose of outbound firewall filtering was simply to make you happy, I would have quite happily ceded the point to you, as only you can know what makes you happy.
>
>> Somehow the outbound protection is serving me very well for years, no plans to change anything here.
>
> Might I suggest that you also buy some of my purple elephant defence spray?
>
> User testimonials indicate that no users of my purple elephant defence spray have ever been trampled by purple elephants.
>
>> I'm asking how to use the built-in outbound protection in vista firewall while you are convincing me that outbound protection is not useful, unsafe etc.
>
> If I have given you the impression that I am arguing that outbound filtering is unsafe, then I apologise.
>
> I believe that outbound filtering merely offers too little in the way of security (i.e. close to none) when compared with the added complexity introduced by implementing it. Since that's a value judgement, you should feel free to disagree.
>
>> It is not more unsafe than the inbound protection. There is nothing that is 100% safe, everything can be hijacked. But thinking so you can simply not worry about the protection at all.
>
> Asking for outbound filtering to protect you from malware is like asking for keyed locks on the inside, as well as the outside, of your house doors, to protect you from murderers and thieves. Too late! The criminals are already on the inside, and are holding the door open!
>
>> Yes, you are right of course. The outbound filtering cannot prevent your machine from getting infected (again there is nothing that can 100% prevent it), I'm not expecting more than it can do for me.
>
> Perhaps you can explain what it can do for you?
>
>> However it can warn you that there is something running on your PC that is trying to communicate with the outside network in background without letting you know.
>
> For most users, such warnings are generally useless - either they are dismissed, because the user doesn't understand them, or they put the user into a frightened state, because the user doesn't understand them. When the first outbound firewalls were introduced, I was forever having to calm down users who had become really upset that their ISP was running malware on their computers, because for why else would their system be repeatedly trying to make a contact to the ISP on port 53?
>
> [For those who don't want to figure it out, that is simply a normal part of resolving names, so that you can use www.microsoft.com in a browser instead of the truly memorable 207.46.225.60]
>
>> It is really enough for me to start looking what is it and why is it. Note that without the outbound protection that "something" will be able to do it forever, unless some day will be detected differently using the anti-virus, some changes on your credit card account etc.
>
> And, with the outbound protection, that "something" will be able to connect outbound on the Universal Firewall Tunneling Protocol (port 80), or the Secure Universal Firewall Tunneling Protocol (port 443) through Internet Explorer, or the Sneaky Firewall Tunneling Protocol (port 53) - unless you think that we should be warned every time we load up a web browser, or an application goes to check a DNS name. What about Ping? Are you looking for the firewall to complain about that on the way out, too? There are endless numbers of protocols that your outbound filter shouldn't be filtering, and which malware can use to phone home.
>
>> Defining the inbound/outbound rules in learning mode for some particular binaries in conjunction with checking that the binary isn't modified (a standard function for the most today firewalls) is all I need to be happy.
>
> This component of Vista doesn't appear to have been designed with the goal of keeping you - or me - happy. Jesper's a little happier about it, but then I think he may have had some input in the design.
>
>> Bad thing is that learning mode is for some reason only implemented for inbound filtering, otherwise I would stop any research in this field and stay with vista firewall. Unfortunately it is not there so I'm forced to spend some additional $ and buy a third party solution to fill my needs.
>
> Every now and again, the default operating system tools will not satisfy your innermost desires. That's what third party tools are for. In the eighty/twenty rule, you have just migrated across the boundary from eighty to twenty. You're special. Keep telling yourself that as you pay for a tool that I'm convinced is completely useless.
>
>> Only installing software that I trust is not an option for me. How do you decide that you trust or not trust some software from unknown vendor?
>
> I go by reputation, documentation, testing and need.
>
>> Mine is usually installing a demo/trial/whatever to see what is it, how it works, is it exactly what I need, is it safe etc, and finally I decide that I trust it and need to buy or just need to uninstall and forget about it. For me it looks like a right tactic, not sure about others. A friend of mine is even checking everything new on Virtual PC first prior installing it on the main machine, but it is a little overhead for me.
>
> It's all a risk/benefit analysis, but too many people don't realise that they should be considering risks versus benefits.
>
> Alun. ~~~~
| | #16 (permalink) |
Guest | Re: Firewall with adv security

Been following this thread for some time now, and must say I’m with voidcoder – all the way!

On my XP setup (now as SP2) I’ve been using Agnitum Outpost Pro for years, plus a hardware firewall. Yes, at times it gets a tad annoying when yet another warning / request window is popped up by Outpost – whether inbound or outbound. However, at least I AM AWARE WHAT IS GOING ON! And that, Jesper and Co, gives me, like many other users, some well deserved peace of mind. Something severely lacking in any Windows OS – including the not all too shabby Vista (RTM Ultimate version).

Jesper’s and Alun’s insistence that the user doesn’t need to know about outbound traffic and preferably shouldn’t even bother, let alone be allowed to play with its apparently secret settings, makes me wonder, wonder a lot, actually! Why should I trust Microsoft all of a sudden? Hell, Redmond’s previous attitude to security has been somewhat lacking in more than just one area. And I haven’t even mentioned Redmond’s past snooping attempts. Now that Microsoft is tackling the issue, granted an applaudable attempt, they still continue looking at users like children that need to be kept under strict and ruthless parental control – all of the time, no questions answered, fullstop!

Do I want to be able to filter outbound traffic just like inbound traffic? Hell yes! Agnitum Outpost Pro kept me safe (and sane) over the years, and looking at its rather detailed logs (another thing completely and utterly missing from Vista’s so-called out-of-the-box security experience) Agnitum Outpost Pro not only has warned me about a fair few suspicious outbound traffic attempts, but also has saved me from numerous attacks that could have been potentially disastrous!

So much for Jesper’s and Alun’s claims that outbound filtering, the use of and the knowledge of how to configure it, is useless for the user. What a load of claptrap!!

Granted, some users may not want it, and indeed might find it annoying to say the least. However, perhaps Microsoft in its utter graciousness accepts that not all users are automated morons content with using what and how Microsoft allows them to. An inbuilt option for advanced users to configure the firewall, would not only be very much in order, but even more appreciated by many, I’m sure!

Besides, now that Microsoft has finally gone the security way and seen the light by offering something that approaches a half usable firewall, why not go the whole hog, admit to the well documented fact that there are numerous users out there more than capable of setting up / using correctly a fully blown software firewall, and offer us the same. Rather than giving us a half-hearted attempt of a firewall, crippled on purpose simply to keep some sort of control over the user. It stinks.

Like voidcoder, I will definitely continue paying for a decent third-party firewall as soon as it becomes available for Vista – can’t wait, in fact!

Meantime, voidcoder, this little free utility might help you gaining more control over programs attempting outbound connections. It's free, and works like a charm with Vista Ultimate RTM:

- Designed for Windows Vista
- Free
- Protection from incoming and outgoing threats
- Simplicity of operation
- Per-application security settings

Go get it here: http://sphinx-soft.com/Vista/index.html

One more tool to consider, voidcoder: Ad Muncher – great utility to stop them annoying on-line ads, including Microsoft's petty banners on hotmail et al. Go here to get it: http://www.admuncher.com/

"voidcoder" wrote:
> Oh I see we are quite far away now from the original question about the particular firewall option.
>
> Are you against the outbound protection? Just don't use it then. In my opinion disabling it will remove one additional level in your security, being somehow protected is always better than nothing. Why do you think this feature has been included into windows firewall at all and is there in every third party firewall? It is likely due to some customer demand, I'm sure MS won't spend time coding something for fun without some serious market analysis. Yep, a half of users won't worry about the outbound protection, as well as a good piece won't worry about the firewall at all. Don't understand why I should follow this scenario.
>
> Yes, I'm going to buy a third party firewall, among the purple elephant, if it makes sense for me.
>
> Alun Jones wrote:
>> "voidcoder" <voidcoder@yahoo.com> wrote in message news:u3%23wQI4KHHA.5016@TK2MSFTNGP04.phx.gbl...
>>> Sorry guys, I do not agree with you both. For some reason you are thinking that you know better than me what exactly I need to be happy.
>>
>> Please accept my apologies for arguing with you.
>>
>> Had I known that the purpose of outbound firewall filtering was simply to make you happy, I would have quite happily ceded the point to you, as only you can know what makes you happy.
>>
>>> Somehow the outbound protection is serving me very well for years, no plans to change anything here.
>>
>> Might I suggest that you also buy some of my purple elephant defence spray?
>>
>> User testimonials indicate that no users of my purple elephant defence spray have ever been trampled by purple elephants.
>>
>>> I'm asking how to use the built-in outbound protection in vista firewall while you are convincing me that outbound protection is not useful, unsafe etc.
>>
>> If I have given you the impression that I am arguing that outbound filtering is unsafe, then I apologise.
>>
>> I believe that outbound filtering merely offers too little in the way of security (i.e. close to none) when compared with the added complexity introduced by implementing it. Since that's a value judgement, you should feel free to disagree.
>>
>>> It is not more unsafe than the inbound protection. There is nothing that is 100% safe, everything can be hijacked. But thinking so you can simply not worry about the protection at all.
>>
>> Asking for outbound filtering to protect you from malware is like asking for keyed locks on the inside, as well as the outside, of your house doors, to protect you from murderers and thieves. Too late! The criminals are already on the inside, and are holding the door open!
>>
>>> Yes, you are right of course. The outbound filtering cannot prevent your machine from getting infected (again there is nothing that can 100% prevent it), I'm not expecting more than it can do for me.
>>
>> Perhaps you can explain what it can do for you?
>>
>>> However it can warn you that there is something running on your PC that is trying to communicate with the outside network in background without letting you know.
>>
>> For most users, such warnings are generally useless - either they are dismissed, because the user doesn't understand them, or they put the user into a frightened state, because the user doesn't understand them. When the first outbound firewalls were introduced, I was forever having to calm down users who had become really upset that their ISP was running malware on their computers, because for why else would their system be repeatedly trying to make a contact to the ISP on port 53?
>>
>> [For those who don't want to figure it out, that is simply a normal part of resolving names, so that you can use www.microsoft.com in a browser instead of the truly memorable 207.46.225.60]
>>
>>> It is really enough for me to start looking what is it and why is it. Note that without the outbound protection that "something" will be able to do it forever, unless some day will be detected differently using the anti-virus, some changes on your credit card account etc.
>>
>> And, with the outbound protection, that "something" will be able to connect outbound on the Universal Firewall Tunneling Protocol (port 80), or the Secure Universal Firewall Tunneling Protocol (port 443) through Internet Explorer, or the Sneaky Firewall Tunneling Protocol (port 53) - unless you think that we should be warned every time we load up a web browser, or an application goes to check a DNS name. What about Ping? Are you looking for the firewall to complain about that on the way out, too? There are endless numbers of protocols that your outbound filter shouldn't be filtering, and which malware can use to phone home.
>>
>>> Defining the inbound/outbound rules in learning mode for some particular binaries in conjunction with checking that the binary isn't modified (a standard function for the most today firewalls) is all I need to be happy.
>>
>> This component of Vista doesn't appear to have been designed with the goal of keeping you - or me - happy. Jesper's a little happier about it, but then I think he may have had some input in the design.
>>
>>> Bad thing is that learning mode is for some reason only implemented for inbound filtering, otherwise I would stop any research in this field and stay with vista firewall. Unfortunately it is not there so I'm forced to spend some additional $ and buy a third party solution to fill my needs.
>>
>> Every now and again, the default operating system tools will not satisfy your innermost desires. That's what third party tools are for. In the eighty/twenty rule, you have just migrated across the boundary from eighty to twenty. You're special. Keep telling yourself that as you pay for a tool that I'm convinced is completely useless.
>>
>>> Only installing software that I trust is not an option for me. How do you decide that you trust or not trust some software from unknown vendor?
>>
>> I go by reputation, documentation, testing and need.
>>
>>> Mine is usually installing a demo/trial/whatever to see what is it, how it works, is it exactly what I need, is it safe etc, and finally I decide that I trust it and need to buy or just need to uninstall and forget about it. For me it looks like a right tactic, not sure about others. A friend of mine is even checking everything new on Virtual PC first prior installing it on the main machine, but it is a little overhead for me.
>>
>> It's all a risk/benefit analysis, but too many people don't realise that they should be considering risks versus benefits.
>>
>> Alun. ~~~~
| | #17 (permalink) |
| Guest | Re: Firewall with adv security

"akita" <akita@discussions.microsoft.com> wrote in message news:A9E9F6F0-0C90-442A-9381-89ABE32B3DC2@microsoft.com...

> Jesper's and Alun's insistence that the user doesn't need to know about outbound traffic and preferably shouldn't even bother, let alone be allowed to play with its apparently secret settings, makes me wonder, wonder a lot, actually!

I applaud your ability to misconstrue what I'm saying in this thread. I am saying this:

Outbound filtering firewalls do not protect you from attack.

That's all.

I have no problem with you using outbound filtering to learn what your applications are doing. Education is a fine thing, and you would do well to increase your own.

> Why should I trust Microsoft all of a sudden?

If you're running Windows, you already trust Microsoft - to the hilt. Every application you run under Windows, every piece of data you store on a Windows machine, is already given over to Microsoft's code. If you distrust Microsoft, you should not run code from them - the same goes for any third party that you distrust. Do not run code from untrusted individuals, groups, organisations or companies.

> Hell, Redmond's previous attitude to security has been somewhat lacking in more than just one area.

And yet now they've had a "road to Damascus" conversion, and they're leading the field, particularly in regards to development practices and processes that are designed to produce secure code and protect privacy.

How are other companies doing on this track? What company has a better process than Microsoft for securing their code?

> And I haven't even mentioned Redmond's past snooping attempts. Now that Microsoft is tackling the issue, granted an applaudable attempt, they still continue looking at users like children that need to be kept under strict and ruthless parental control - all of the time, no questions answered, fullstop!

Microsoft makes a lot of money out of making operating systems that any idiot can use. As a result, of course, many idiots use their operating system, along with others who have better understanding of what they are doing. The defaults are set for the majority of Microsoft's users to remain safe and secure for the most part; advanced users can modify the defaults or use third-party utilities to get the extra capabilities that they feel they need.

> Do I want to be able to filter outbound traffic just like inbound traffic? Hell yes! Agnitum Outpost Pro kept me safe (and sane) over the years, and looking at its rather detailed logs (another thing completely and utterly missing from Vista's so-called out-of-the-box security experience) Agnitum Outpost Pro not only has warned me about a fair few suspicious outbound traffic attempts, but also has saved me from numerous attacks that could have been potentially disastrous!

It may have saved you from attacks, but not by outbound filtering - once you see the outbound filtering messages, you're already attacked - you're already running untrusted third-party code.

"The calls are coming from inside the house." - your computer is owned.

> So much for Jesper's and Alun's claims that outbound filtering, the use of and the knowledge of how to configure it, is useless for the user. What a load of claptrap!!

Jesper's claims are subtly, but distinctly, different from my own. My claim is simply that the use of outbound filtering does not prevent attacks; it may be useful as a policy filter within an organisation (disallow outbound traffic on ports commonly associated with chat applications, stolen file sharing and so on, for instance), but adding it to your firewall sticks unnecessary complexity into what should be a simple enough application that you can prove its security.

> Granted, some users may not want it, and indeed might find it annoying to say the least. However, perhaps Microsoft in its utter graciousness accepts that not all users are automated morons content with using what and how Microsoft allows them to. An inbuilt option for advanced users to configure the firewall, would not only be very much in order, but even more appreciated by many, I'm sure!

"netsh firewall" along with the GUI should provide you with most of what you want. After that, as you've pointed out, there are numerous third-party tools.

> Besides, now that Microsoft has finally gone the security way and seen the light by offering something that approaches a half usable firewall, why not go the whole hog, admit to the well documented fact that there are numerous users out there more than capable of setting up / using correctly a fully blown software firewall, and offer us the same. Rather than giving us a half-hearted attempt of a firewall, crippled on purpose simply to keep some sort of control over the user. It stinks.

You have been party to the conversations inside of Microsoft when they were designing the firewall? You know that this was "crippled on purpose simply to keep some sort of control over the user"? Is this information first hand, second hand, or merely supposition on your part?

From my perspective, I'm guessing that outbound filtering was added on the basis that there were too many self-labeled "security experts" saying that "outbound filtering is where it's at, man, if you don't have that, you're not a secure firewall" - it's a marketing feature to me.

Every feature you add to a firewall makes it more complex, and more likely that there's a bug that can be exploited to bring down the firewall. I like my firewalls simple and strong, rather than complex knitting.

> Like voidcoder, I will definitely continue paying for a decent third-party firewall as soon as it becomes available for Vista - can't wait, in fact!

That's for you to decide, and it's up to you as to whether you feel it's necessary. But don't be saying that outbound filtering prevents your system from being attacked without expecting people like me to jump up and tell you that you're wrong.

In fact, given the pluggable nature of Windows Vista's firewall stack, it should even be _easy_ for a firewall vendor to produce an outbound filter for Vista. All you have to do is write a device driver, following the sample code that's already in the DDK. If you're a developer, try it - it's insanely easy.

> One more tool to consider, voidcoder: Ad Muncher - great utility to stop them annoying on-line ads, including Microsoft's petty banners on hotmail et al.

Or, you could actually pay for your email, and not have to worry about advertising that subsidises the free service you're using. Eventually, the free service providers will find a way to guarantee that their adverts are tied to their email in a way that you aren't ready to extract.

Alun.
~~~~
|
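The post above separates two uses of outbound filtering: learning what applications send, and enforcing a port policy inside an organisation. The sketch below is an added example, not part of any post in this thread: it audits outbound entries in a firewall log against a port policy, assuming the W3C-style text layout with a `#Fields:` header that Windows Firewall writes to pfirewall.log; the sample lines, addresses and allowed-port set are constructed.

```python
from collections import Counter

# Constructed sample log (documentation-range addresses), not taken from the thread.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2007-01-05 10:01:02 ALLOW UDP 192.0.2.10 192.0.2.1 51000 53 0 - - - - - - - SEND
2007-01-05 10:01:03 ALLOW TCP 192.0.2.10 198.51.100.7 51001 80 0 - 0 0 0 - - - SEND
2007-01-05 10:01:04 ALLOW TCP 192.0.2.10 198.51.100.7 51002 443 0 - 0 0 0 - - - SEND
2007-01-05 10:01:05 DROP TCP 192.0.2.10 203.0.113.9 51003 6667 0 - 0 0 0 - - - SEND
2007-01-05 10:01:06 ALLOW TCP 192.0.2.10 203.0.113.20 51004 5190 0 - 0 0 0 - - - SEND
2007-01-05 10:01:07 DROP TCP 203.0.113.50 192.0.2.10 40000 445 0 - 0 0 0 - - - RECEIVE
2007-01-05 10:01:08 ALLOW ICMP 192.0.2.10 198.51.100.7 - - 0 - - - - 8 0 - SEND
"""


def parse_firewall_log(text):
    """Return one dict per log entry, keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif not line or line.startswith("#"):
            continue
        elif fields is None:
            raise ValueError("log entry seen before a #Fields header")
        else:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                records.append(dict(zip(fields, values)))
    return records


def audit_outbound(records, allowed_ports=frozenset({53, 80, 443})):
    """Classify outbound (path == SEND) entries against a destination-port policy.

    within_policy: count per allowed port (passes whatever program sent it)
    blocked:       outside the policy and dropped (policy enforced)
    policy_gap:    outside the policy but allowed (rule missing)
    no_port:       entries without a destination port, e.g. ICMP echo
    Logs without a 'path' column cannot be split by direction and yield nothing.
    """
    summary = {"within_policy": Counter(), "blocked": [], "policy_gap": [], "no_port": 0}
    for rec in records:
        if rec.get("path") != "SEND":
            continue
        port = rec.get("dst-port", "-")
        if not port.isdigit():
            summary["no_port"] += 1
            continue
        entry = (rec["protocol"], rec["dst-ip"], int(port))
        if entry[2] in allowed_ports:
            summary["within_policy"][entry[2]] += 1
        elif rec["action"] == "DROP":
            summary["blocked"].append(entry)
        else:
            summary["policy_gap"].append(entry)
    return summary


if __name__ == "__main__":
    result = audit_outbound(parse_firewall_log(SAMPLE_LOG))
    for key, value in result.items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Entries counted under `within_policy` pass the filter regardless of which program sent them, which is the limitation the post describes; `policy_gap` is where a port policy of the organisational kind would need another rule.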
| | #18 (permalink) |
| Guest | Re: Firewall with adv security

"voidcoder" <voidcoder@yahoo.com> wrote in message news:unnYTd5KHHA.536@TK2MSFTNGP02.phx.gbl...

> Are you against the outbound protection? Just don't use it then. In my opinion disabling it will remove one additional level in your security, being somehow protected is always better than nothing.

That's the purple elephant protector commercial's line - you're "somehow protected" against stampeding purple elephants, even if you can't actually say how.

Yes, I'm against extra "protection" that adds complexity to something that needs to be robust. Robustness in code comes through simplicity - code that is too simple to be significantly wrong. Add complexity and, even if you disable it, you have added more chance for mistakes.

> Why do you think this feature has been included into windows firewall at all and is there in every third party firewall? It is likely due to some customer demand,

I'm sure it is due to some customer demand. I don't think it's due to any sound application of security theory.

After all, if customers demand protection from purple elephants be built into their cars, what are you going to do - build a car with purple elephant protection built in, or spend a lot of time and effort telling people that there's no such thing as a purple elephant?

> I'm sure MS won't spend time coding something for fun without some serious market analysis. Yep, a half of users won't worry about the outbound protection, as well as a good piece won't worry about the firewall at all. Don't understand why I should follow this scenario.
>
> Yes, I'm going to buy a third party firewall, among the purple elephant, if it makes sense for me

Your prerogative - but it's not because it will protect you from malware.

Alun.
~~~~
|
| | #19 (permalink) |
| Guest | Re: Firewall with adv security Well said Alun |
| | #20 (permalink) |
| Guest | Re: Firewall with adv security well put Jeff |