RE: Microsoft to ship new versions with firewall enabled
Hmm...I didn't even know XP had a built-in firewall. Any bets on how long it is before other companies with software firewall products bring suit against Microsoft for bundling a firewall in the OS? -- No clue, but I can tell you how long it will last before ISP helpdesks disable the firewall. XP Pro has been shipping with a F/W for a year now, I'd say? No suits yet. In fact, I read some review (CNET, etc.) that said the XP F/W in conjunction with Zone Labs ZoneAlarm was very effective, given the test parameters. I have run mine since day 1, with both DSL and dial-up. All systems go. Jim
Microsoft to ship new versions with firewall enabled
John Markoff reports in the New York Times that Microsoft plans to change how it ships Windows XP due to the worm. In the future Microsoft will ship both business and consumer versions of Windows XP with the included firewall enabled by default.
Re: Microsoft to ship new versions with firewall enabled
on 8/14/2003 9:29 AM Sean Donelan wrote: John Markoff reports in the New York Times that Microsoft plans to change how it ships Windows XP due to the worm. In the future Microsoft will ship both business and consumer versions of Windows XP with the included firewall enabled by default. Wouldn't it make more sense to ship with all of the services disabled? I mean, if the role of the firewall is to block packets to weak services, wouldn't it be simpler to just disable the damn services since they aren't going to be usable anyway? -- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
RE: Microsoft to ship new versions with firewall enabled
Apple have the right idea... I'd say all the vendors need to take a carefully balanced approach to security in the default configurations of their software. Leave services exposed to the network disabled by default, where possible. By all means, configure firewalls by default to block all non-established incoming connections to low port numbers, but for heaven's sake don't also block access to those ports from the local subnet as well. How would your users cope if all their shared printers and file servers suddenly became inaccessible because NetBIOS was universally blocked by new operating system security features? I'd hazard a guess that after they've called their ISP support team a couple of hundred times, they'll just switch the firewall off... Your firewall rules should automatically open ports when services are explicitly enabled, and should be able to cope with laptops roaming between home and office where the local subnet addresses may change. If the firewall doesn't detect this, then you're going to cause a whole new world of support problems. - Matt
Re: [Microsoft to ship new versions with firewall enabled]
At 10:46 AM 8/14/2003, Joshua Sahala wrote: Sean Donelan [EMAIL PROTECTED] wrote: John Markoff reports in the New York Times that Microsoft plans to change how it ships Windows XP due to the worm. In the future Microsoft will ship both business and consumer versions of Windows XP with the included firewall enabled by default. while i think many of us will welcome this, i am skeptical of what the firewall will be 'enabled' to block, and how easy it will be for the user to set-up rules (and hopefully there will be a sanity check included so that 'permit in any' is not a valid option, but then 'permit out any' should not be one either) but still, it is a step... The firewall in XP appears to perform stateful inspection. I have run scans against my own XP machines using NMAP and other tools. The machine appears completely non-responsive to such scans (i.e. no response on any ports). I use this feature most especially when using public wifi hot spots, and encourage my clients to do the same (or use some other firewall software) when at such locales. What Microsoft implemented does seem quite sufficient for many users. The down-side to this and all other firewalls running in software on end hosts is the possibility of an application finding another path in (e.g. email-attached virus) and disabling the firewall. I am no Microsoft apologist and am a proponent of open source, but have to admit they did a good job on this feature. It's good that Microsoft has finally realized the value in defaulting this capability to ON.
RE: Microsoft to ship new versions with firewall enabled
However the new Microsoft policy will help protect the network from Joe and Jane Average who buy a PC from the closest big box store and hook it up to their cable modem so they can exchange pictures of the kids with the grandparents in Fla. This is the class of users who botnet builders dream about because these people do not see a computer as a complex system which _requires_ constant maintenance but as a semi-magical device for moving images and text around. But that's exactly what a consumer PC is! An appliance (just like a toaster) for exchanging pictures, sending email, balancing the checkbook, paying bills, playing games, etc. The average Joe doesn't care why the thing works. But he does notice if it doesn't work as expected. Then he'll call tech support or get the neighbour's kid to help. He may never notice that the box has been compromised and DoSs his favorite website or relays SPAM to millions of fellow Joes. That's reality! The more broadband there is, the worse the problem becomes. I absolutely agree with the statement that the network should be transparent. No blocked ports, no filtered content. What goes in one end comes out the other or is delivered to the intended recipient in between. Exceptions are temporary measures to reduce or eliminate harmful traffic that impedes network performance or otherwise compromises the network design goals. Having said that, customers of ISPs have a great variety of needs. On one hand is the transport of transit data. This is truly a GIGO (garbage in, garbage out) situation where traffic should flow unhindered and in its entirety. On the other hand there is the residential ISP market. I don't think it's safe to let a residential PC sit on an internet connection and pass traffic to and from it without inspection. ISPs need to wake up and offer a managed internet service, where the ISP takes the initiative to provide filtered internet to residential customers.
Turn on firewall features in your cable box or make those small NAT routers part of the service offering. Bashing any OS vendor isn't the solution. All OSes have exploits. The *NIX crowd is just a lot more technically inclined and a lot more aware of network security than your average Windows user. So instead of beating up on OS vendors or crippling the network, how about crippling the devices that are the root of the problem??? Adi
Re: Microsoft to ship new versions with firewall enabled
On Thu, 14 Aug 2003, Jack Bates wrote: John Neiberger wrote: Hmm...I didn't even know XP had a built-in firewall. Any bets on how long it is before other companies with software firewall products bring suit against Microsoft for bundling a firewall in the OS? -- No clue, but I can tell you how long it will last before ISP helpdesks disable the firewall. About 30 seconds, for my customers. In fact, when you configure a dialup connection, the firewall *is* enabled by default, until we walk them through turning it off. Why? Because after anywhere from 2 days to 2 months, suddenly things just stop working...usually POP3, but often SMTP, HTTP or HTTPS. Like many things MS, it's broken. James Smallacombe PlantageNet, Inc. CEO and Janitor [EMAIL PROTECTED] http://3.am
Re: Microsoft to ship new versions with firewall enabled
On Thu, 14 Aug 2003, Eric A. Hall wrote: Wouldn't it make more sense to ship with all of the services disabled? I mean, if the role of the firewall is to block packets to weak services, wouldn't it be simpler to just disable the damn services since they aren't going to be usable anyway? 'Firewall' is more buzzword compliant. This doesn't even begin to address the fact that the firewalling included in windows is nowhere near as functional as the firewalling in other OSes (such as FreeBSD or Linux).
Re: Microsoft to ship new versions with firewall enabled
Richard Cox wrote: On Thu, 14 Aug 2003 16:07 UTC, Eric A. Hall [EMAIL PROTECTED] wrote: | Wouldn't it make more sense to ship with all of the services disabled? Yes it would - at least to US - but that would inevitably create a load for the Support desk. However as Microsoft charge for end-user support I wouldn't put it past them thinking along those lines. I hope there's nobody from Microsoft reading this list ... that might give them ideas! But who actually calls Microsoft for support? Bob and Beth Luser call their OEM, DELL, Gateway, Sony, Compaq, etc., not Microsoft. And I think the OEMs are getting off a little easy in all of this. Microsoft distributes their product to OEMs who have a fair bit of room to customize the default settings (all of the monopolistic arm twisting involving hiding IE icons, installing other web browsers, etc., ignored for now). How much you wanna bet if Microsoft distributes with the firewall enabled, OEMs will turn around and _disable_ it in the installation they sell? They are the ones who want to cut down the support calls. And they don't want to lose business to a competitor who ships with all of the bells-n-whistles turned back on because Bob and Beth are convinced the computer they got was broken because disabled (mis)features were not enabled out of the box. On the other hand, OEMs can be the Good Guys here and take the lead ahead of Mickeysoft and firm up the loose default settings they get from Microsoft. DELL has promised to do this... but I still don't know if their press releases will live up to reality. If any NANOGers out there make purchasing decisions about PCs with Windows, I hope you direct your business towards OEMs who do sell better secured distributions or demand that the OEMs do so. -- Crist J. Clark [EMAIL PROTECTED]
RE: Microsoft to ship new versions with firewall enabled
The checkpoint and Pix Boxen are what we use here. But we also use ipchains to secure things at a host level. Scott C. McGrath On Thu, 14 Aug 2003, Drew Weaver wrote: ipchains and similar firewalls are indeed far superior. I manage real firewalls as part of my responsibilities. However the new microsoft policy will help protect the network from Joe and Jane average who buy a PC from the closest big box store and hook it up to their cable modem so they can exchange pictures of the kids with the grandparents in Fla. This is the class of users who botnet builders dream about because these people do not see a computer as a complex system which _requires_ constant maintenance but as a semi-magical device for moving images and text around. I don't believe that many people really see ipchains as a real viable firewall. I think it is awesome, but in many corporations simply mentioning it gets you a stern eyeing. Of course these corporations can spend tons of money on Checkpoint and PIX boxen. -Drew
Re: Microsoft to ship new versions with firewall enabled
On donderdag, aug 14, 2003, at 17:45 Europe/Amsterdam, Christopher L. Morrow wrote: No answer on that one, However Mac OS X also includes a built in firewall. yes, with a fairly simple method to add listening services to it... though it seems the 'listening service' might have to register with the OS in order to be seen in the preferences panel? Oh, and lest I forget (which I did) press the 'START' button to make it active :) ...which is completely redundant because MacOS X doesn't expose any services except the ones that the user enabled in the first place. So enabling the firewall is only useful if you don't trust the applications you're running.
RE: Microsoft to ship new versions with firewall enabled
John Neiberger wrote: Hmm...I didn't even know XP had a built-in firewall. Any bets on how long it is before other companies with software firewall products bring suit against Microsoft for bundling a firewall in the OS? -- No clue, but I can tell you how long it will last before ISP helpdesks disable the firewall. About 30 seconds, for my customers. In fact, when you configure a dialup connection, the firewall *is* enabled by default, until we walk them through turning it off. Why? Because after anywhere from 2 days to 2 months, suddenly things just stop working...usually POP3, but often SMTP, HTTP or HTTPS. Like many things MS, it's broken. --- Is that what causes the random stoppage? I never thought of that; why would it prevent outgoing connections on only some ports though? Seems fishy, thanks for the tip though :-) BTW: I've seen this too. -Drew
Re: Microsoft to ship new versions with firewall enabled
On Thu, 14 Aug 2003, Christopher L. Morrow wrote: On the configuration angle, the Microsoft ICF (Internet Connection Firewall) blocks everything by default. as does OSX. Just to clarify, the OSX firewall has a little bit of sense. If you check that you want to enable one of the services it will automatically add the exception to the firewall rules. That is all through the GUI though. From terminal you can modify firewall rules (ipfw) and add/remove services without notifying the GUI. Microsoft's built in firewalling (at least for Win2k) would let you turn on IIS and the firewall and the firewall would not allow connections to port 80 unless you went in and allowed it. G From my Ti Pb.
RE: Microsoft to ship new versions with firewall enabled
From: Scott McGrath [mailto:[EMAIL PROTECTED] No answer on that one, However Mac OS X also includes a built in firewall. On the configuration angle, the Microsoft ICF (Internet Connection Firewall) blocks everything by default. I just worked on a friend's computer last night. The XP ICF firewall was on, and it did not stop the bug.. I want to test that in a lab environment though...
Re: Microsoft to ship new versions with firewall enabled
Sean Donelan [EMAIL PROTECTED] 8/14/03 8:29:07 AM John Markoff reports in the New York Times that Microsoft plans to change how it ships Windows XP due to the worm. In the future Microsoft will ship both business and consumer versions of Windows XP with the included firewall enabled by default. [Veering further off-topic] Hmm...I didn't even know XP had a built-in firewall. Any bets on how long it is before other companies with software firewall products bring suit against Microsoft for bundling a firewall in the OS? --
RE: Microsoft to ship new versions with firewall enabled
ipchains and similar firewalls are indeed far superior. I manage real firewalls as part of my responsibilities. However the new microsoft policy will help protect the network from Joe and Jane average who buy a PC from the closest big box store and hook it up to their cable modem so they can exchange pictures of the kids with the grandparents in Fla. This is the class of users who botnet builders dream about because these people do not see a computer as a complex system which _requires_ constant maintenance but as a semi-magical device for moving images and text around. I don't believe that many people really see ipchains as a real viable firewall. I think it is awesome, but in many corporations simply mentioning it gets you a stern eyeing. Of course these corporations can spend tons of money on Checkpoint and PIX boxen. -Drew
Re: Microsoft to ship new versions with firewall enabled
John Neiberger wrote: Hmm...I didn't even know XP had a built-in firewall. Any bets on how long it is before other companies with software firewall products bring suit against Microsoft for bundling a firewall in the OS? -- No clue, but I can tell you how long it will last before ISP helpdesks disable the firewall. -Jack
Re: [Microsoft to ship new versions with firewall enabled]
Sean Donelan [EMAIL PROTECTED] wrote: John Markoff reports in the New York Times that Microsoft plans to change how it ships Windows XP due to the worm. In the future Microsoft will ship both business and consumer versions of Windows XP with the included firewall enabled by default. while i think many of us will welcome this, i am skeptical of what the firewall will be 'enabled' to block, and how easy it will be for the user to set-up rules (and hopefully there will be a sanity check included so that 'permit in any' is not a valid option, but then 'permit out any' should not be one either) but still, it is a step... my $0.02 Walk with me through the Universe, And along the way see how all of us are Connected. Feast the eyes of your Soul, On the Love that abounds. In all places at once, seemingly endless, Like your own existence. - Stephen Hawking -
Re: Microsoft to ship new versions with firewall enabled
At 12:07 PM 8/14/2003, Eric A. Hall wrote: on 8/14/2003 9:29 AM Sean Donelan wrote: John Markoff reports in the New York Times that Microsoft plans to change how it ships Windows XP due to the worm. In the future Microsoft will ship both business and consumer versions of Windows XP with the included firewall enabled by default. Wouldn't it make more sense to ship with all of the services disabled? I mean, if the role of the firewall is to block packets to weak services, wouldn't it be simpler to just disable the damn services since they aren't going to be usable anyway? Ah, no. There are many services that ARE useful on the local machine, which may not need to listen to the outside world in all configurations. While I think the intent of your question was reasonable, the better way to phrase it would be: Wouldn't it make more sense to ship products with services listening only on loopback interfaces, rather than listening on all interfaces? The same exact issue applies to every operating system. Indeed, some vendors are dealing with this well. RedHat changed the default configuration of sendmail in RH9 to listen only on 127.0.0.1. The user can change that to listen to the outside IF the machine in question has a need to listen (i.e. it really was intended to be a mail server). This approach is to be commended, and should be followed for other services that may be necessary to run on a local machine, but which need not be reachable from outside the machine.
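The loopback-versus-all-interfaces distinction drawn in the post above is something an administrator can check on a host directly. The following is an added example, not code from the thread or from any vendor mentioned in it: a Python script that classifies TCP listeners in `ss -ltn`-style output by bind scope, so a service bound to 127.0.0.1 (like the sendmail default described above) is separated from one reachable from off-host. The sample output is constructed for the example; on a real machine you would feed it the actual `ss -ltn` output.

```python
"""Classify TCP listeners by bind scope: loopback-only vs. reachable from outside."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample in the column layout of `ss -ltn` (assumption: written for
# this example, not captured from any machine discussed in the thread).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       10      127.0.0.1:25         0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       5       [::1]:631            [::]:*
LISTEN  0       50      *:139                *:*
LISTEN  0       128     192.168.1.10:3306    0.0.0.0:*
"""


@dataclass(frozen=True)
class Listener:
    address: str  # as printed by ss, with IPv6 brackets removed
    port: int

    @property
    def scope(self) -> str:
        """'loopback', 'all' (wildcard/unspecified bind) or 'interface' (one address)."""
        if self.address == "*":  # older ss prints the wildcard this way
            return "all"
        ip = ipaddress.ip_address(self.address)
        if ip.is_loopback:
            return "loopback"
        if ip.is_unspecified:  # 0.0.0.0 or ::
            return "all"
        return "interface"


def parse_local_field(field: str) -> Listener:
    """Split 'addr:port' (IPv6 addresses are bracketed) into a Listener."""
    host, _, port = field.rpartition(":")
    return Listener(host.strip("[]"), int(port))


def parse_ss_listeners(text: str) -> list[Listener]:
    """Return one Listener per LISTEN line; the header and other states are skipped."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        listeners.append(parse_local_field(parts[3]))
    return listeners


def exposed_ports(text: str) -> dict[int, str]:
    """Ports reachable from off-host, mapped to the widest scope they are bound with."""
    exposed: dict[int, str] = {}
    for l in parse_ss_listeners(text):
        if l.scope == "loopback":
            continue
        # 'all' outranks 'interface' when the same port is bound both ways.
        if exposed.get(l.port) != "all":
            exposed[l.port] = l.scope
    return exposed


def loopback_only_ports(text: str) -> list[int]:
    """Ports bound solely on loopback; a port also bound on 0.0.0.0 is not loopback-only."""
    exposed = exposed_ports(text)
    return sorted({l.port for l in parse_ss_listeners(text)
                   if l.scope == "loopback" and l.port not in exposed})


def report(text: str) -> str:
    lines = ["loopback-only ports: " + ", ".join(map(str, loopback_only_ports(text)))]
    for port, scope in sorted(exposed_ports(text).items()):
        lines.append(f"EXPOSED port {port} (bound on {scope})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SS_OUTPUT))
```

On the sample, ports 25 and 631 come out as loopback-only while 22, 139 and 3306 are flagged as exposed; anything in the exposed list that does not need to serve other hosts is a candidate for rebinding to 127.0.0.1 rather than for a firewall rule.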
RE: [Microsoft to ship new versions with firewall enabled]
while i think many of us will welcome this, i am skeptical of what the firewall will be 'enabled' to block, and how easy it will be for the user to set-up rules (and hopefully there will be a sanity check included so that 'permit in any' is not a valid option, but then 'permit out any' should not be one either) but still, it is a step... Perhaps the better idea would be to ship a stripped down, basic OS for about $25.00 a license. Then offer up all the bells and whistles on a pay per download option. I think this one simple step alone would aid in reducing security issues on the OS. I would hazard a guess that a majority of users will NEVER use (or need) all the built in functionality currently included with the OS. ~S~ Disclaimer: My own two cents.
Re: Microsoft to ship new versions with firewall enabled
[Veering further off-topic] Hmm...I didn't even know XP had a built-in firewall. Any bets on how long it is before other companies with software firewall products bring suit against Microsoft for bundling a firewall in the OS? Along the vein of "I dislike Microsoft, but let's get over it" - when some Linux started out with, what, ipchains/ip-something to protect it from network vulnerabilities, it took our little lab's folks some time to remember to punch holes in it for DNS, SSH, etc. each time we set a new one up. Ah, live and learn. The legacy of shipping machines open to attack predates Microsoft, it isn't "their fault(tm)". This issue was raised at least as far back as "The Cuckoo's Egg" (since I've met folks that don't remember it, by Clifford Stoll - very entertaining tale of an astronomer-turned-SA tracking a hacker). In the epilogue, he mentions the Morris worm, so we're talking about incidents in '87 or so. (The Morris thing was what, Nov 2, 1988? Give or take a week.) I highly recommend that book as part suspense novel and part security tutorial. Every time a vendor/open-sourcer decides to stop shipping with security down, there's a learning curve forced on the buyers. But that's why we get paid to work in air conditioned offices in the summer. ;) -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis +1-703-227-9854 ARIN Research Engineer Sponge Bob Square Pants? I'm still trying to figure out the Macarena.
Re: Microsoft to ship new versions with firewall enabled
No answer on that one, However Mac OS X also includes a built in firewall. On the configuration angle, the Microsoft ICF (Internet Connection Firewall) blocks everything by default. Scott C. McGrath On Thu, 14 Aug 2003, John Neiberger wrote: Sean Donelan [EMAIL PROTECTED] 8/14/03 8:29:07 AM John Markoff reports in the New York Times that Microsoft plans to change how it ships Windows XP due to the worm. In the future Microsoft will ship both business and consumer versions of Windows XP with the included firewall enabled by default. [Veering further off-topic] Hmm...I didn't even know XP had a built-in firewall. Any bets on how long it is before other companies with software firewall products bring suit against Microsoft for bundling a firewall in the OS? --
RE: Microsoft to ship new versions with firewall enabled
At 10:00 AM 8/14/2003, Daniel Senie wrote: At 12:39 PM 8/14/2003, Matthew Watkins wrote: Apple have the right idea... I'd say all the vendors need to take a carefully balanced approach to security in the default configurations of their software. Leave services exposed to the network disabled by default, where possible. By all means, configure firewalls by default to block all non-established incoming connections to low port numbers, but for heaven's sake don't also block access to those ports from the local subnet as well. Define local subnet. Go sit in a Starbucks and use Wifi. Is the person at the next table, or sitting on the bench outside with their laptop considered on the local subnet? Do you trust that person? Hold on a second, and let me ask him. :-) This is just an example of how a policy like the one you suggest can be dangerous. He said What's a subnet? heh jc
Re: Microsoft to ship new versions with firewall enabled
On Thu, Aug 14, 2003 at 05:37:44PM +0100, Richard Cox wrote: What I do like in the latest release of Zone Alarm Pro is that it will stop ANY program from connecting outbound on Port 25 unless that program has been specifically authorised to send mail. It was quite informative to see which programs were trying to mail information back to their base! Zone Alarm Pro is very stupid as well. When a machine makes an outbound connection attempt, yes, you'll see a dialog that pops up asking you whether to allow that SINGLE connection or not, I guess this is what you mean... BUT on every single occasion I get that dialog box, it's telling me that the program is trying to access my ISP's DNS servers, which is correct, I click yes to allow that SINGLE connection, and it lets the program go ahead and connect to port 22 (putty is the application in this instance), instead of asking me about port 22 next. Reasons why this is bad? A) Semi-savvy user sees 'DNS' and their ISP's nameservers and clicks yes not knowing it's a trojan trying to resolve the hostname for trojan base. B) Trojanned program operates semi-normally, makes the initial connection to the proper host, you ok it with ZoneAlarm because it looks legit, but ZoneAlarm goes ahead and lets the program connect to whatever it wants after the initial OK, (example scenario: buffer overflow), so the trojan connections are concealed. C) It's bothersome. Ask the user every time they fire up the program whether they want to let it connect to something, and they're going to click the "please don't ask me about this crappy program ever again" checkbox, and be done with it, again, concealing trojan connections in the event the program gets modified later down the road.
Re: Microsoft to ship new versions with firewall enabled
In message [EMAIL PROTECTED], McBurnett, Jim writes: From: Scott McGrath [mailto:[EMAIL PROTECTED] No answer on that one, However Mac OS X also includes a built in firewall. On the configuration angle, the Microsoft ICF (Internet Connection Firewall) blocks everything by default. I just worked on a friend's computer last night. The XP ICF firewall was on, and it did not stop the bug.. I want to test that in a lab environment though... The Wall Street Journal noted that Microsoft is testing a variety of other security products, including one from Tiny Software because (according to Microsoft itself) it's more advanced. --Steve Bellovin, http://www.research.att.com/~smb
Re: Microsoft to ship new versions with firewall enabled
It comes standard with a firewall built in, which is not user friendly, and you still have to purchase a firewall that allows user access to control what gets blocked and what does not; most intelligent people turn it off. -Henry
Edward Lewis [EMAIL PROTECTED] wrote: [Veering further off-topic] Hmm...I didn't even know XP had a built-in firewall. Any bets on how long it is before other companies with software firewall products bring suit against Microsoft for bundling a firewall in the OS? Along the vein of "I dislike Microsoft, but let's get over it" - when some Linux started out with, what, ipchains/ip-something to protect it from network vulnerabilities, it took our little lab's folks some time to remember to punch holes in it for DNS, SSH, etc. each time we set a new one up. Ah, live and learn. The legacy of shipping machines open to attack predates Microsoft, it isn't "their fault(tm)". This issue was raised at least as far back as "The Cuckoo's Egg" (since I've met folks that don't remember it, by Clifford Stoll - very entertaining tale of an astronomer-turned-SA tracking a hacker). In the epilogue, he mentions the Morris worm, so we're talking about incidents in '87 or so. (The Morris thing was what, Nov 2, 1988? Give or take a week.) I highly recommend that book as part suspense novel and part security tutorial. Every time a vendor/open-sourcer decides to stop shipping with security down, there's a learning curve forced on the buyers. But that's why we get paid to work in air conditioned offices in the summer. ;) -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis +1-703-227-9854 ARIN Research Engineer Sponge Bob Square Pants? I'm still trying to figure out the Macarena.
RE: Microsoft to ship new versions with firewall enabled
At 12:39 PM 8/14/2003, Matthew Watkins wrote: Apple have the right idea... I'd say all the vendors need to take a carefully balanced approach to security in the default configurations of their software. Leave services exposed to the network disabled by default, where possible. By all means, configure firewalls by default to block all non-established incoming connections to low port numbers, but for heaven's sake don't also block access to those ports from the local subnet as well. Define local subnet. Go sit in a Starbucks and use Wifi. Is the person at the next table, or sitting on the bench outside with their laptop considered on the local subnet? Do you trust that person? This is just an example of how a policy like the one you suggest can be dangerous.
Re: [Microsoft to ship new versions with firewall enabled]
On Thu, Aug 14, 2003 at 10:46:56AM -0400, Joshua Sahala wrote: while i think many of us will welcome this, i am skeptical of what the firewall will be 'enabled' to block, and how easy it will be for the user to set-up rules (and hopefully there will be a sanity check included so that 'permit in any' is not a valid option, but then 'permit out any' should not be one either) but still, it is a step... It's a pretty rudimentary firewall, I suspect enabling that by default is gonna piss off a hell of a lot of people (I'd venture to say it'll piss off more than a virus, since most are too clueless to get mad at that). John
Re: Microsoft to ship new versions with firewall enabled
On Thu, 14 Aug 2003, Iljitsch van Beijnum wrote: On donderdag, aug 14, 2003, at 17:45 Europe/Amsterdam, Christopher L. Morrow wrote: No answer on that one, However Mac OS X also includes a built in firewall. yes, with fairly a simple method to add listening services to it... though it seems the 'listening service' might have to register with the OS in order to be seen in the preferences panel? Oh, and lest I forget (which I did) press the 'START' button to make it active :) ...which is completely redundant because MacOS X doesn't expose any services except the ones that the user enabled in the first place. or things like livewire/kazaa/aim (filedownloads) So enabling the firewall is only useful if you don't trust the applications you're running. yup. but its nice that it has the damned firewall anyway :)