Lazycoder

16Aug/044

ah poor Microsoft

SP2 Windows Firewall

Yes, poor Microsoft. With $30 billion in the bank. You shouldn’t feel sorry for a company that comes out with a product, especially a security product, 4 years after third-party products have been on the market (and who knows how many years since hardware firewalls have been on the market) and they STILL can’t get it right. This is after their big security initiative. That would be like Ford releasing a car with seatbelts that you just tie around your waist instead of locking.

Maybe if Microsoft climbed out of their ivory tower and paid attention to the tech world around them they wouldn’t screw up feature sets.

  • http://www.ensight.org Jeremy C. Wright

    C’mon, you can do better than this. XP SP2’s Firewall is a floor, not a ceiling. It is a base layer of security to protect users from… Intrusions.

    It isn’t designed to protect the web from the user, but to protect the user from the web. And that it, actually, does quite well.

    If Microsoft designed this solution as a ceiling (ie: commercially viable product or fully featured product) they’d get in trouble. But, designing apps as a floor (like Outlook Express and Wordpad) gives users the tools they need without putting Microsoft in the hotseat.

  • http://www.lazycoder.com Scott

    The only real problem I have with the SP2 firewall is that programs have the ability to shut it down by themselves as reported here and here.
    The issue of the firewall not reporting a port vs. reporting it as “closed” is a problem as well. Especially since the ports it does that with are the NetBIOS ports (137-139) and the RPC port (135). I think that this firewall is giving people a false sense of security. I honestly think that a better solution would be for computer manufacturers to start building a hardware firewall into their motherboards if they are including an onboard LAN port.

  • http://www.ensight.org Jeremy C. Wright

    Except that every firewall out there allows other apps to do the same thing (sorry, no links handy, but if you want them, ask). Norton, McAfee, AVG… All of them. It’s called an API, and unless your API is privately accessible (none of the ones I’ve used are) then yes, it can be shut down.

    So can virus scanning.

    Is this insecure? Yes. Would a hardware firewall be better? You could argue it both ways, but generally I’ll say hell yeah.

    But that’s not the point. This is a floor. Not a ceiling. Sure, users should be educated that there are other products out there and the IT industry should look at more fundamental ways to protect computers (a builtin hardware firewall’s not a bad idea at all)…

    But none of this affects SP2. Before SP2 home users had no floor. If you already have a firewall installed after all these years: great. If you don’t, though, SP2 doesn’t give you a false sense of protection, it gives you very real protection.

    I haven’t seen anyone show that SP2 is actually insecure in terms of protection from the web. I’ve seen lots of evidence that it’s insecure when:

    1. Someone’s physically at the workstation
    2. Malicious code is already executing

    HELLO?! Every computer is insecure at that point. Even our VMS Mainframes are insecure if someone’s got malicious code running on them.

    I’m not saying SP2’s perfect. I’m not using its builtin firewall because I do want more protection (protect the web from me mainly… I’ve been a ‘zombie PC’ once… It’s not fun).

  • http://geekswithblogs.net/jbrayton/ Jeremy Brayton

    A hardware firewall? It would need its own OS. Many of the Linksys router/firewall combos run an embedded Linux distribution.

    It doesn’t really make sense to have a component that needs an OS inside another component that needs a SEPARATE OS. It would make sense to marry the two so that they use one OS. I even strive to think a Software firewall could be enough IF and only IF it had the direct access to the hardware a hardware firewall has.

    The only difference here is the hardware firewall is less likely to be exploited remotely. If you have a mechanism where the firewall acts this way though it’s inside the OS this should work and function exactly the same without the need for a separate embedded OS (which could potentially be exploited. There are security holes in some later Linux kernel code. If the embedded system can’t be patched the hardware is rendered useless).

    I think it could be done reasonably well. Take iptables for Linux. It’s a wonderful firewall system that I currently use and have had 0 problems with. No one has circumvented the protection I’ve placed in it. That doesn’t mean a configuration problem can’t happen (which is true for any software/hardware firewall) but it is pretty dang secure. A hardware firewall is more secure but you have to think of what really makes a hardware firewall and it’s merely just a piece of equipment that is less likely to be tampered with because of its design. It doesn’t mean in 2 years an exploit could be out to hack all Linksys hardware router/firewalls it just means it’s less likely to happen.