Welcome to vistafirewallcontrol

You are currently viewing our boards as a guest, which gives you limited access to view most discussions and access our other features. By joining our free community, you will have access to post topics, communicate privately with other members (PM), respond to polls, upload content, and access many other special features. In addition, registered members also see less advertisements. Registration is fast, simple, and absolutely free, so please, join our community today!

W7FC XP versus WinXP built-in firewall.

The product edition for XP, 2003, 2000

W7FC XP versus WinXP built-in firewall.

Postby Oleg » Mon Nov 29, 2010 11:53 pm

This question already was introduced in forum in the past.

Some stealth test:
GRC ShieldsUP! --> Proceed --> All Service Ports.
W7FC XP - All ports closed, Solicited TCP Packets: RECEIVED (FAILED), Ping Reply: RECEIVED (FAILED).
WinXP built-in firewall - all ports stealthed, TruStealth.

PC Flank stealth test
TCP "ping" - non-stealthed
TCP NULL - non-stealthed
TCP FIN - non-stealthed
TCP XMAS - non-stealthed
UDP - non-stealthed

WinXP built-in firewall - all tests stealthed.

Paranoia Scanner - site in сzech, but intuitive - click red button(EVA Free) --> click red button on bottom of page, after that type your e-mail, check checkbox and go.
W7FC XP - 10 tests missed - http://img521.imageshack.us/img521/1483 ... ranoia.png
WinXP built-in firewall - 1 test missed - http://img602.imageshack.us/img602/2789/paranoiya.png

What you think about this?

Best regards.
Posts: 18
Joined: Thu Jul 08, 2010 11:34 am

Re: W7FC XP versus WinXP built-in firewall.

Postby VistaFirewallControl » Tue Nov 30, 2010 10:50 am

There is no problem to use the built-in firewall concurrently if you do think it’s required.

All the “leaks” are linked to ICMP protocol (stealth mode) most probably.
All the other points in the reports were rather informational at first glance.
Ping is implemented via ICMP as well.

The brief “stealth” theory is the following.
When a remote host sends a packet to a port of the host and the host does not have listening TCP/UDP socket on the port, the hosts (the system core) sends “Destination Unreachable” ICMP message to the remote host back. The functionality is the part of TCP/IP protocol specification, i.e. it’s the standard.
The standard can not be safe or unsafe; any TCP/IP implementation must just follow the standard.

Suppressing “Destination Unreachable” ICMP message (breaking the standard) is called the stealth mode.
We do think the stealth mode is rather a marketing approach.
Anyway a connection can not be established to the port regardless of whether the remote peer is informed about that or is not.
The stealth mode (along with many other security “discoveries”) is created by security product manufactures. The manufactures have to discover (sometimes invent artificially) security holes and offer protection from (sometimes artificial) threats following the trivial business purposes.
So a part of protection from discovered “threats” is business godsend, not a real security improvement.
Almost any “independent” firewall test implicitly or explicitly offers one and only firewall that passes all the tests and so is recommended.
You can check the above yourself.
Undoubtedly, the security report is stuffed by tons of various informational messages like “a file sharing service is running”.
What it means practically. The host has file sharing service and listens on a specific (well known port). You manage the system, you should know about that without any third party tests. right?
The attempt to connect to the port is failed and “Destination Unreachable” has been send back to the peer (the testing service). So the peer knows the PC is on and the service is running.
But the service is untraceable for the peer anyway. So where is the problem?

Moreover, suppressing ICMP may have various drawbacks like multiple timeouts when “destination reachability” information is used as the part of vital application functionality.
As the result, none of the industrial security solutions uses stealth mode and violates TCP/IP standard either.

Actually to check a firewall indecently you would need a couple of tools only like nmap and netcat for instance.
The main firewall quality question is whether the firewall can block a connection attempt if an application accepts (or issues) the attempt.
If the application is neither listening nor generating a network activity, there is nothing to protect with firewall.

W7FC (XP Edition) does not filter ICMP at all in the current version.
W7FC is focused on application protection mostly, ICMP functionally (and the entire TCP/IP stack) belongs to the entire system, not to a specific application.
If you do need breaking the TCP specifications to get “stealth” you can just switch on and configure the built firewall.
Site Admin
Posts: 1494
Joined: Fri Mar 27, 2009 11:25 am

Re: W7FC XP versus WinXP built-in firewall.

Postby Oleg » Thu Dec 02, 2010 12:15 am

Thanks for reply. I'll enable built-in firewall and completely test this.
Posts: 18
Joined: Thu Jul 08, 2010 11:34 am

Return to XP Edition

Who is online

Users browsing this forum: No registered users and 0 guests