Windows XP forum: Do I need a firewall

In my opinion, for probably 99% of all Windows users, the Windows firewall is perfectly adequate. I actually consider it one of the very few examples of good software engineering on Microsoft's part, which means they probably lifted it from one of the BSD operating systems. I'd guess FreeBSD, which Microsoft has been known to take networking code from in the past. All perfectly legal by the terms of the BSD license for anyone who might have some panty bunching going on.

Anyway, for the majority of people it's perfectly adequate. Some will claim it's lack of support for outbound filtering is a reason to get another firewall. I say that outbound filtering is vastly overrated. Firewalls are for keeping things OUT, not in. Besides, by the time outbound filtering is of any real use to you, you almost certainly already have the problem of a malware or virus infestation, so all it's really doing is performing something of an early warning system. Personally, I like to just prevent viruses and malware from ever getting on my system, not assuming that it is inevitable that I am hit by these things, and focusing my efforts on trapping and containing them.

Well, I have Avast running, but for the most part I just follow a set of rules that I often post for other people.

TIPS FOR A SMOOTH RUNNING SYSTEM
================================

The more of these suggestions you follow, the fewer problems you should have. Follow them all, and you've probably eliminated at least 95% of all potential problem sources.

Things you should NOT do
--------------------------------
1: Use Internet Explorer
2: Use any browser based on Internet Explorer
3: Use Outlook or Outlook Express
4: Open email attachments you haven't manually scanned with your virus scanner
5: Open email attachments you were not expecting, no matter who they appear to be from
6: Respond to spam messages, including using unsubscribe links
7: Visit questionable websites (e.g. porn, warez, hacking)
8: Poke unnecessary holes in your firewall by clicking "Allow" every time some program requests access to the Internet
9: Click directly on links in email messages
10: Use file sharing or P2P programs
11: Use pirated programs

Things you SHOULD do
-----------------------------
1: Use a non-IE or IE based browser
2: Always have an up to date virus scanner running
3: Always have a firewall running
4: Install all the latest security updates (the exception to the no-IE rule)
5: Delete all unsolicited emails containing attachments without reading
6: Manually scan all email attachments with your virus scanner, regardless of whether it's supposed to be done automatically
7: Copy and paste URLs from email messages into your web browser
8: Inspect links copied and pasted into your web browser to ensure they don't seem to contain a second/different address

To date, I don't think I've ever had a single problem since adopting those rules. But I keep programs like Avast around just in case. I may get a little arrogant from time to time, but I don't think that my system outlined above is going to prevent everything.

Should it ever happen that I get a virus, if my AV program can't clean it up pretty quickly, I don't hesitate to blow everything away and start fresh by formatting and reinstalling everything.

There's always one person like you. You think that because you haven't had any problems, it somehow invalidates the experiences of hundreds of other people who HAVE had problems.

In statistics, you would be considered an outlier result. That being some data point WAY off from the norm. Another way to look at it, is that you're the exception that proves the rule. The odds of any one person winning the lottery are astronomical, yet it can and does happen to someone. There's always that one in a billion chance.

Just remember that because you've been lucky so far doesn't mean that it will always be that way. All it takes is one wrong click with IE, and you'll get to spend a delightful couple of hours, maybe days, cleaning up the mess that's created. I know from personal experience. I once spent a very hot summer afternoon in a building with no air conditioning and very low ceilings, cleaning up after someone who made just one wrong click with IE.

Also, just for the record, I wasn't suggesting that somehow a manual scan is more accurate. I suggested running a manual scan because you can never really be sure if the automatic scan was even run. If you scan the file(s) manually, then you know that they have been inspected. It's more about having a healthy dose of paranoia given how many people there are out there with viruses and/or spyware on their systems and don't even know it.

This isn't some anti-Microsoft thing, it's acknowledging the reality that Microsoft products are frequently exploited. You're welcome to whatever theory you want as to why, but it doesn't change facts. If and when Microsoft starts taking security seriously in its products, I may well have to revise some of my rules/suggestions. I just don't see that happening until Ballmer, and the rest of the Microsoft "old guard" is gone. They are still stuck in the mentality of the 80s and 90s where computers are islands unto themselves, that you sell upgrades by just cramming as many new features into a program as possible, and that usability trumps security every time. I honestly think that once the "old guard" has left Microsoft, it will very quickly be able to compete against other products on merits, and not have to resort to smear campaigns and monopolistic market tricks.

Wish I was a better word-smith, but here goes...

Maybe Jimmy used the wrong term but add me to the list of non IE/Outlook support.

Better than 80% of my repair work is spyware/virus removal from clients who are retired using IE and Outlook. 90% of the infections are of the Smith-fraud family from use of IE.

These clients are the least risky users, not a clue what they are doing, but not willfully exposing them selfs. All are educated to use a web browser for mail and Firefox for browsing. No one has had a re-infection provided the grandkids do not visit.

Yeah IE is standardized, tested and a true spyware/virus catcher.
Everyone should use it, keeps Computer Shops/ self-help hero gurus busy.

Firefox is new, non-standardized, un-tested and ....
well too new to say if it becomes a spyware/virus catcher.


Bill

Guy, take a pill ... switch to decaf or take a vacation ... or something.

You handed off some reckless advice ... and I said something about it when you made a nasty-sounding judement call on someone for rendering their opinion. I offered my exerience to validate my opinion. I try to help people ... not combat them and make them feel stupid for asking their questions.

As for the Mac thing; well, tell you what. You go out and buy one for yourself, then replace all your applications (if you can find effective replacements for your PC apps) and get your productive self back to work as soon as you can. My experience is showing me that most people coming from a PC based life are having a really difficult time grappling with Mac's inability to do what they just wanted it to do in the first place; get their work done.

Lighten up, Jimmy.

ps most real big shots that i know have a something or someone that they seek advice from occassionaly.

I direct your attention to the comment "Should it ever happen that I get a virus, if my AV program can't clean it up pretty quickly, I don't hesitate to blow everything away and start fresh by formatting and reinstalling everything."

When was the last time you (or any consumer computer user) performed a complete wipe out, reformat and reinstall?

In case you haven't done one recently (and my I strongly suggest that you belive in your backup/recovery system as strongly as you do your religion), it takes roughly 1 hour to wipe and restore the original OS to the factory default condition.

However, reinstalling, reconfiguring (you did save all your indivudal program configuration settings and included them in your current and complete backups, right?) software AND data without the benefit of a corporate network can take a really, really long time. If you are ever able to fully recover everything.

My excellent advice? Spend two minutes with anyone seekng my advice on such matters educating them as to the horrors of opening unsolicited email, using LimeWire and that an offer of "free-porn" is absolute rubbish (and by trying to access such a site will also probably render their PC rubbish as well).

The PC has really come a long way ... and I couldn't be happier and more productive at home. But if you need the data on that PC and inevitably use the machine for more than a media player, BE CAREFUL with it!

An old, old, old DOS term comes to mind ... "Garbage In {means that you will get} Garbage Out."

You do need a firewall. I believe that what windows offers is not enough. It's very easy to find a good one. go to google and write "best firewalls". You will find some free. you can write again in google search "best antivirus" and there are some free also. I like zone alarm and I use it.

Certainly, you can respectfully disagree, just as I will with your reasoning.

To my mind, it's better to prevent the malware or whatever from ever getting on the system in the first place. That, and firewalls aren't really the right tool for the job if you're looking for some kind of early malware warning system. If you're that worried about it, then some malware scanner with real-time scanning would be a MUCH better option.

Plus, the XP firewall DOES actually do both in and out filtering. It's just you have to go in and manually configure it, which was rather difficult pre-SP2, and by that point this nonsense about it not doing outbound filtering had 2 years to take hold.

Still, I stand by the statement that the XP/Vista firewall is perfectly sufficient for virtually all Windows users. Inbound filtering only or not, the majority of what people need in a firewall is something to keep the automated probes at bay long enough to install security patches plugging any holes they might exploit.

i use windows xp professional, along with these 2 programs. i use the norton internet security antispyware edition, which i believe is a much better, more secure and more up to date firewall than the one that microsoft offers. it doesnt use hardly any system resources and gets almost all viruses, but doesnt fare too well on the spyware front. for that i use a free program called Spyware Terminator. i think that it is the best freeware spyware scanner. it nets nearly 100% of all spyware/adware/malware/ect, and the rest can be taken care of typically by dumping the temporary internet files, which i would recommend doing anyways.

I have to agree that firewalls can make life a little difficult sometimes. In my own case I've learned that some things will not install. For instance, as I just installed Windows Home Server (WHS), the installation utility was repeatedly failing. I never suspected the firewall because I supposed that the my firewall software would generate an access request and I'd simply respond appropriately and everything would be okay.

However, as I tried to install WHS, I got no access requests and no error messages either; it simply didn't work. Eventually I began to suspect Zone Alarm. I shut it down while performing the installation and was finally able to get it installed. Afterward, I re-started Zone Alarm, it popped up a few access requests that I answered, and everything has been okay ever since.

And so what evidence do you have to back up the claim that the XP firewall is rubbish? In all likelihood, it's an adapted version of FreeBSD's ipfw, widely considered one of the best firewalls around, just with a distinctly Microsoft front end to it. Virtually all the rest of the Windows networking stack came from FreeBSD, why not the firewall?