The OFFICIAL Unofficial Achewood Message Board
Author Topic: Firewalls?  (Read 5027 times)
Nabubrush
« on: March 24, 2004, 02:58:09 AM »

So, here's the deal. Me and the sweetie got the old DSL setup at home just recently. It's the first time I've ever had that at home - I've only had dial up. You people know hella more than I do about computers and stuff of that nature, so what's up with the whole firewall thing? What do I need? In answering, if you act like I don't know a damn thing about computers, you can't go far wrong.

AlohaDawg
« Reply #1 on: March 24, 2004, 03:03:58 AM »

I don't know poop about firewalls either. But my broadband provider has given all the subscribers access to firewall and antivirus programs for free and they seem to work pretty well. I guess giving that away en masse is cheaper than dealing with the spammers and data miners and spyware and all that crap that is floating around. They gave us e-trust anti-virus and e-trust EZ Firewall. So to piggyback on the above question in a way, could some of you brainier people tell me if running this stuff is a waste of time?

Choop
« Reply #2 on: March 24, 2004, 03:59:04 AM »

A good firewall is a good solution if you're sloppy on the internet, or if you're hosting a web site. Here's the secret nobody wants to reveal: If you're a careful surfer, you don't need a firewall.

Being a careful surfer:
 - Don't give out your email address. Period. Set up a catch-all webmail account somewhere that's not related to an email address you download to your computer.
 - Don't open unknown attachments. Don't read spam, even in the preview pane of your browser. If you don't know the address, or if the subject looks even a little bit skunky, skip it. If it's from somebody real, they'll email you again. If it looks too good to be true, it is.
 - Block ads and popups with a good browser or plugin.
 - Run an antivirus check daily, with "quarantine" and "alert" settings enabled. Update it at LEAST weekly, and especially when you hear news of a new virus making the rounds.
 - Disable print and file sharing on your computer (google for instructions). These are two of the biggest security gaps in all of Windows, and I wouldn't trust either in any operating system without very specific permissions.

This is not to say that a firewall is worthless. If you aren't any of the above, you should install a good free firewall - reviews abound on the internet, and I like reading grc.com for internet and Windows security news.

CortJstr
« Reply #3 on: March 24, 2004, 04:03:00 AM »

I want to think we use etrust AV at work and it seems to work okay. Paid firewalls are better and I know a lot of people who pirate stuff like BlackIce and Sygate Personal Firewall Pro but the free version of Zone Alarm is fine for most people.

CortJstr
« Reply #4 on: March 24, 2004, 04:11:55 AM »

Quote from: "Choopernickel"
A good firewall is a good solution if you're sloppy on the internet, or if you're hosting a web site. Here's the secret nobody wants to reveal: If you're a careful surfer, you don't need a firewall.

I won't 2nd that. There are several programs out there that just do port scans to try and get in. A decent router should stop it but I wouldn't rely on it. Plus the new Witty worm can infect computers without the user doing anything. Clones will be on the way soon and you can bet they'll be more advanced.

Quote
- Don't open unknown attachments. Don't read spam, even in the preview pane of your browser. If you don't know the address, or if the subject looks even a little bit skunky, skip it. If it's from somebody real, they'll email you again. If it looks too good to be true, it is.

Can anybody on the planet justify why the preview pane even exists? Using it is practically suicide yet it's on by default and most are ignorant of its dangers.
Also, depending on your client you can right click a message and view its source without actually opening it. This way you can skim the code for things like "Vi-ag-ra" or "hey, I'm on the Achewood board" without the danger of opening the message or running any associated scripts/attachments.
 
Quote
- Run an antivirus check daily, with "quarantine" and "alert" settings enabled. Update it at LEAST weekly, and especially when you hear news of a new virus making the rounds.
 - Disable print and file sharing on your computer (google for instructions). These are two of the biggest security gaps in all of Windows, and I wouldn't trust either in any operating system without very specific permissions.

Agreed.

Choop
« Reply #5 on: March 24, 2004, 05:21:39 AM »

Cort, I haven't used a firewall in a couple years, and even with the missus on the PC a couple hours a day, I haven't had any incident. Let it be noted that I've been educating her - it started with how to get less spam, and Lesson Number One was "Drop all your old email addresses, and find a new one."

That said, is there a copy of that article somewhere which requires less than the forfeiture of all my Intellectual Property and Potential Offspring to view? How about you PM it to me?

Edit: Also, I don't know of a client other than Outlook Express (often bashed, but a fairly good client and much more secure than regular Outlook) that will allow one to view the source of a message without first opening it.

Also also, I've got a feature in Thunderbird (doesn't seem to be an extension) which allows me to view all messages as plain text, simple HTML, or original HTML - either of the first options disables any remote files (such as scripts or web bugs) and most, if not all, formatting. This is a good way to use the preview pane. I don't have to open a new message window to read a message, and it's safe in either case. I do wish I had some mappable keyboard shortcuts, though... *grimace*

slink
« Reply #6 on: March 24, 2004, 12:40:07 PM »

It is true that you can get by perfectly happily without a firewall. But the moment you install one, you will get a note saying that an unknown IP has tried to access yours. This is not good. And happens many, many, many times an hour.
Various machines out there are trying various IPs, and yours will come up now and then. Maybe nothing comes of it, but it is best to be safe.

Just get ZoneAlarm and install it. It takes you through everything, is very easy to use, and will stop anything getting access to your machine.
Best of all, unlike BlackIce who are in bed with Microsoft, you can tell ZA not to let Windows access the internet if you like. This allows you to stop various programs talking to home.
It's also free (the free version that is).
Zone Alarm

I haven't had anti virus software installed full time. Ever. I install it when I want to check a file, but I have never succumbed to a virus, or trojan, because I know how not to. The same however cannot be said of port attacks, since you have no control over them.
You may get by without any trouble Choop, but it won't, and can't last indefinitely. The laws of inevitability say so.

CortJstr
« Reply #7 on: March 24, 2004, 02:49:27 PM »

Quote from: "Choopernickel"
Cort, I haven't used a firewall in a couple years, and even with the missus on the PC a couple hours a day, I haven't had any incident. Let it be noted that I've been educating her - it started with how to get less spam, and Lesson Number One was "Drop all your old email addresses, and find a new one."

That said, is there a copy of that article somewhere which requires less than the forfeiture of all my Intellectual Property and Potential Offspring to view? How about you PM it to me?

Edit: Also, I don't know of a client other than Outlook Express (often bashed, but a fairly good client and much more secure than regular Outlook) that will allow one to view the source of a message without first opening it.


Sorry, I forget people who don't live around here don't use the Post as the default news source. Plus until recently they only required a username, gender, and ZIP code. Try this.

I'd love to use Thunderbird but it won't work with my hotmail account (which I use as my "fake" e-mail for things like message board registration). And even OE is more secure than actually using the web interface.

I agree with what slink said. Although my computer is never off so I'm more vulnerable.

Oh, and make sure to disable Windows Messenger. Most firewalls will protect you but you should be sure.

arkabee
« Reply #8 on: March 24, 2004, 03:29:10 PM »

Quote from: "Nabubrush drinks (a lot)"
So, here's the deal. Me and the sweetie got the old DSL setup at home just recently. It's the first time I've ever had that at home - I've only had dial up. You people know hella more than I do about computers and stuff of that nature, so what's up with the whole firewall thing? What do I need? In answering, if you act like I don't know a damn thing about computers, you can't go far wrong.


Home, Personal, Software based firewall:
www.zonelabs.com, download and install the FREE zonealarm.  you can buy the other versions later, if you want, but the Free Version is about all you should need unless you get wicked fancy down the line.
this program will work, and it's free, and they do updates when they find problems (supposedly).  why do i mention that?  because there have been stinks about other companies NOT doing updates to their app when flaws were found, vis. Black Ice Defender a couple of three years ago.

Now, Black Ice, McAfee, Norton, they may have great products, but, i've either heard bad things about them, or i've gotten confused by their programs (i'm a professional.  i've always felt that if a company's program is confusing _me_, then i'm going to have a hard time recommending it to my customers), or they cost money.

black ice- a couple of three years ago or so, there 'twas a HUGE stink about flaws that they denied (a la Real Networks saying "spyware? huh?") existed and may or may not have ever fixed.  current version may be fine, but i say let 'em go out of business if they're going to lie to their customers.

McAfee- haven't tried their product.  supposedly they are the bastard responsible for taking Signal 9's PC Conseal off the market (best. personal. windows. firewall. ever. (imho...)) by BUYING them and "incorporating" their product into McAfee's.  well, i don't think so, but anyways.  i found the interface horrid and confusing and had to rely on my trust for McAfee knowing what's best so i caulked the hole in the cd and dumped it in the rubbish.

Norton's product- internet something something.  usually gets bundled with a copy of NAV.  it's ok, but it seems less functional as a firewall than zonealarm, and it costs like 50-60 bucks.

ok, some of the above products, norton, come with other products, like AV software, popup blockers, etc, and it might seem a good idea to get them for the other stuff.  i wouldn't recommend it.  stick with zonealarm.  as a software firewall.

another thing-
installing a firewall on your pc does NOT IN ANY WAY SHAPE OR FORM protect you.  the default settings are just that, default.  if you install it and just start clicking, you may or may not be opening up holes, etc.

you really need to understand what it is you are doing, and how to do it.

now, you said "if you act like I don't know a damn thing about computers, you can't go far wrong".  ok, fair enough.  and honestly, you shouldn't HAVE TO understand firewalling to put your _Personal_ Computer on the internet, but that's a different rant.

now, when you go online, your connection gets assigned an IP address.  this is _similar_ to a mailing address.  except that the address is for a big apartment building, with tons of different apartment numbers.  those are Ports.  for instance, if i send you a letter to you at 1234 North Street, Somewhereville, NY, 55555, the letter will get to your BUILDING (ip address / pc), but it won't get to your mailbox.  So, i have to address it to Apt 12987, or the specific PORT number on your PC, like port 10876.

why the ports?  well, because you might open up email and 6 browser windows and icq and who knows what else, all at the same time.  so when the data gets back from all those servers to your PC, your PC needs to know which program gets what data.  hence port numbers.

now, in the "good old days" you really needed to know port numbers, etc.

but with Zone Alarm, and several of the others, instead of dealing (mostly...) with Port numbers, it deals with which APPLICATION you want to be able to listen to the internet.

so, when you open Zone Alarm up, and run it, and THEN open your email program, Zone Alarm will ask "hey, do you want this to listen to the internet?" rather than pop up and say "hey, do you want to allow outgoing port 110 connections to bind to temp port 11,832?".

but, and this is why i said "you really need to understand what it is you are doing, and how to do it." if you tell zone alarm or black ice or any of them, "hey let me be wide open, or let this program be connectable from anywhere, etc" it WILL DO JUST THAT!

now, depending on what version of windows you are running, running zone alarm is going to offer you a TON of confusing questions (do i have to allow "services and control app" internet access?).  just remember, if you don't check "remember this answer" on the pop up box, the next time you reboot, it will ask you again.  so, if you don't know, tell it no.

also, you can go into the zonealarm and check the list of things you have allowed and disallowed, and make changes.

um, i hope this helps.

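The building-and-apartment picture in arkabee's post above, as an added example that is not part of the original thread: a Python script (standard library only) that starts two small programs on one IP address, each on its own port, and shows that a message reaches only the program whose port it was addressed to, while a port nobody listens on refuses the connection. The names `start_listener`, `send` and `demo` are made up for this sketch, and it stays on the loopback address 127.0.0.1 so nothing leaves the machine.

```python
import socket
import threading

HOST = "127.0.0.1"  # one "building": a single IP address (loopback only)


def start_listener(name):
    """Start a tiny TCP program on a port the OS picks (its "apartment number")."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))  # port 0 asks the OS for any unused port
    srv.listen(1)
    port = srv.getsockname()[1]
    inbox = []  # everything this program was sent

    def serve():
        conn, _ = srv.accept()
        with conn:
            inbox.append(conn.recv(1024).decode())
            conn.sendall(f"{name} got it".encode())
        srv.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    return port, inbox, worker


def send(port, text):
    """Address a message to HOST:port and return the reply, or why none came."""
    try:
        with socket.create_connection((HOST, port), timeout=5) as conn:
            conn.sendall(text.encode())
            return conn.recv(1024).decode()
    except ConnectionRefusedError:
        return "refused"    # no program listens there and nothing hides the port
    except socket.timeout:
        return "no answer"  # how a port looks when a firewall silently drops traffic


def demo():
    mail_port, mail_inbox, mail_worker = start_listener("mail")
    chat_port, chat_inbox, chat_worker = start_listener("chat")
    # A port that is reserved but never listen()ed on: no program answers there.
    idle = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    idle.bind((HOST, 0))
    replies = {
        "mail": send(mail_port, "letter for mail"),
        "chat": send(chat_port, "letter for chat"),
        "nobody": send(idle.getsockname()[1], "letter for nobody"),
    }
    idle.close()
    mail_worker.join(2)
    chat_worker.join(2)
    return replies, mail_inbox, chat_inbox


if __name__ == "__main__":
    print(demo())
```
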
Nabubrush
« Reply #9 on: March 24, 2004, 03:33:59 PM »

Well, I'll be home in a week and I'll try that. We'll see if we have the internet back - we've had nothing but problems with Qwest, so who knows.

CortJstr
« Reply #10 on: March 24, 2004, 03:34:36 PM »

Sometimes I wish ZA had the option to let you fiddle with the ports individually. Like when I changed the ports eMule uses I couldn't get ZA to let it through until I deleted it from the list then totally re-authorized it. Had ZA just let me see the port options I could've just switched 4662 to 5555 or whatever by myself.

Otherwise I found that ZA is actually set up really well for the average user "out of the box"

jay-ell
« Reply #11 on: March 24, 2004, 06:13:27 PM »

Amen to ZoneAlarm, for all the aforementioned reasons.  

That is all.

Asherdan
« Reply #12 on: March 24, 2004, 06:45:01 PM »

Quote from: "CortJstr"
There are several programs out there that just do port scans to try and get in. A decent router should stop it but I wouldn't rely on it.


Interesting.  I've got three PC's sitting behind a Netgear MR814 at home.  I've questioned the real need to go behind a software firewall as well.

Am I hiding behind the equivalent of a candy-filled toy* here?  Do I really need to 'double-bag' my home junk?

*credit to FJ for that phraseology

arkabee
« Reply #13 on: March 24, 2004, 06:50:51 PM »

Quote from: "CortJstr"
Sometimes I wish ZA had the option to let you fiddle with the ports individually. Like when I changed the ports eMule uses I couldn't get ZA to let it through until I deleted it from the list then totally re-authorized it. Had ZA just let me see the port options I could've just switched 4662 to 5555 or whatever by myself.

Otherwise I found that ZA is actually set up really well for the average user "out of the box"


i don't know if "pro" version allows anything different, but i definitely agree with you.  given that they're binding the app to the ports and tracking it, it would seem to be "trivial" to me (i am not a programmer, hence it most likely would not be "trivial") to add another option in the applications menu wherein you can fiddle with the app-specific settings.  

on the flip side, I have a "test" for computer related things.  i call it "would i try to get this to work for my mom?".  if the answer is no, then i usually don't suggest that solution to people who don't want to call me often.  if the answer is yes, then i, um, suggest it to people.

CortJstr, if you ever come across a copy of Signal 9's PC Conseal, i'd recommend it to you.  its learning curve is astronomical compared to the point and click of ZA, but it's entirely customizable with a text editor.  on the flip side, it got bought out by McAfee 3-4 years ago or so, and i'm not really sure how well it would operate with the differences in win2k & Xp's network stacks as opposed to nt4/win9x.  i think i remember it running ok on win2k, but can't be sure.

jough
« Reply #14 on: March 24, 2004, 06:55:58 PM »

I would highly recommend against using either Windows XP's built-in firewall OR McAfee Firewall - they cause more trouble than they solve.

The best thing to do is to have your Cable/DSL modem go straight into a hardware firewall and then into a network switch.

The entire solution costs about $250, but it's well worth it.
