Hi all:

I have a friend using Windows 98 on a dial-up connection, and he has asked me if he needs a personal firewall program or not. If it was Win2000/XP I wouldn't hesitate in recommending one, but... Win98? AFAIK, it doesn't have all those open services exposed to the net (svchost/ports 135-139, etc.), and my friend is far from being a power-user, meaning that he won't be installing any server software on it either.  He just uses the basics: email, web browsing, Office, etc. What do you think? Would a firewall be overkill in that case?

Tuesday, April 13, 2004

Ask him to buy a hardware firewall (like those from LinkSys, SMC, and DLink), they are available for a song.

Only thing he really needs is a good virus protection software on his pc. Trojans get by virus protection pretty easily though so I have no suggestion in that regard.

Li-fan Chen
Tuesday, April 13, 2004

Have him install ZoneAlarm.  I had Win98 for a long time.  ZoneAlarm is good for letting you know when a program is trying to access the internet.  I like to know which programs are accessing the internet.

Tuesday, April 13, 2004

Agree with K - ZoneAlarm would be good - but warn him he needs to be patient while ZoneAlarm goes through initial setup process for regular apps, which does require user input.  Otherwise, users just end up turning it off because they can't get to favorite web sites/apps because they are unwilling to use the dialogs.

Joe Hendricks
Tuesday, April 13, 2004

<anti-MS troll>
Wouldn't the vicious code be on the inside of the firewall anyway?
</anti-MS troll>

<pro-MS troll>
For a little more than the price of a firewall, he could upgrade to XP Home and use its built-in features.  Everybody wins.
</pro-MS troll>

Capn' Kirk
Tuesday, April 13, 2004

I am looking at buying a router that has a built-in firewall.

I suppose it takes a little more effort to learn how to use(?), but I am thinking that getting (effectively) an ADSL modem, 4-port switch and a firewall for less than A$200 (I think that is about US$100-150).

It may be overkill for a single user, or maybe not...

Aussie Chick
Wednesday, April 14, 2004

ZoneAlarm is free and very, very good!

I don't see a reason to buy a hardware firewall or router or such. Doesn't this need to be configured?

ZoneAlarm needs to be configured, too, but at least the configuration is very intuitive.

With hardware firewall:

- You try to use an application, let's say DC++

- Oh, wait, it doesn't work. I have to configure the firewall.

- Configure the firewall.

- Oh, wait, it still doesn't work, I have probably made the wrong settings.

- Configure the firewall.

- It works.

With ZoneAlarm:

- Start DC++

- ZoneAlarm asks "Do you want to allow this program (DC++) to access the Internet? Yes/No". You choose Yes, check the checkbox to always allow.

- ZoneAlarm asks "Do you want to allow this program (DC++) to become an Internet server? Yes/No". You choose Yes, check the checkbox to always allow.

- DC++ works well

So.. in my opinion, there is simply no comparison.

A ZA fan
Wednesday, April 14, 2004

IMHO - Hardware firewall = Very good at preventing people from connecting to you. Because of this you may have to tweak it for p2p connections.

Software firewall = Very good at preventing files on your computer (spyware, trojans) from connecting to the internet. My friend is behind a home network (and presumably a hardware firewall) and still had tons of spyware on her computer, she got annoying popups any time you visited a page (any page, even a google search).

So I ran Spybot Search & Destroy, Lavasoft Ad-Aware, and AVG Antivirus and installed ZoneAlarm on her computer.

I would suggest ZoneAlarm - it's free! It'll prevent people from connecting to your computer too (but is easier to tweak to let them connect). Then a hardware firewall/router... He'll need it anyway if he wants to connect two or more devices to the internet, like his X-Box or laptop.

Wednesday, April 14, 2004

I would also recommend a hardware firewall, because Windows is fundamentally too insecure to even run a software firewall on, but...

... this guy is using dial-up.  Evidently, the Telebit NetBlazer was 15 years ahead of its time.

If I were to do this myself, I would set up a PC with FreeBSD and my trusty old 33.6 USR Sportster internal (can you even get a V.90 non-winmodem these days?) as a firewall/dial-up router.  You can also buy dial-up routers (Google for "dial-up router") that connect to external modems.

The average joe will likely have to settle for ZoneAlarm or some such...

David Jones
Wednesday, April 14, 2004

I don't understand why "settle for Zone Alarm".

Is Zone Alarm inferior to the "spare BSD box" firewall you describe? If so, in what way?

I'll tell you where ZoneAlarm is superior: you can configure it very easily.

It also blocks outside connection attempts.

For example, I run an IIS server for development. I can access it from my machine, but an outside machine can't access it because I configured Zonealarm to deny access.

A ZA fan
Wednesday, April 14, 2004

I like the disassociation from reality you tend to see on these boards.

"for a little more upgrade to WinXP and use its tools".  Ok.  I run Win98 at home on 5 year old hardware.  Do you really think that box will be any fun to use with WinXP?  I didn't think so.

"Use a spare box for BSD firewalling".  Yeah, I have an old box laying around, but it's my old 50MHZ 486.  And I suspect I'm in the minority.  My kids don't have spare boxen.  My parents don't have spare boxen.  Of all my friends, I can only think of 1 that might have an old PC sitting in a closet somewhere.  When I buy a new machine do you really think I have somewhere to put this old box?  I'd hesitate to put it in a closet due to heat issues in the summer.  Put it in an unobtrusive place somewhere?  A PC sitting on the floor is unobtrusive only if you're a geek.  All the women I know are gonna say "get that thing out of here, it's ugly".

I'd get either Zonealarm or a Linksys router.  Preferably the latter, it's small, unobtrusive, effective, and will fit nicely under the couch if you want it to.

Wednesday, April 14, 2004

The "upgrade to XP" suggestion was clearly, EXPLICITLY labeled as a troll, but you took the bait anyway?

Using BSD as the firewall is a sort of common wisdom, for some reason.  Unfortunately, no one ever goes into detail as to how to 'get it done'.  So, here it is: there are floppy-based distributions (yes, 1.44MB) that run the firewall from the floppy with no further setup.  I don't know how you'd save your firewall configuration, but at least you know how it's possible now.  Easily--as easy as BSD gets (!!!). 

Oh, and you'd have to find a second (and probably first) ISA NIC to go in that old 486, if I'm not mistaken.  PCI is too newfangled.

Wednesday, April 14, 2004

Software firewalls are inferior to hardware firewalls in that they run on the very systems they are supposed to protect.

Microsoft operating systems are like Swiss cheese when it comes to security.  Microsoft is just beginning to understand this, but its products to date, and in particular pre-NT have had virtually no significant end-user security at all.

In short: viruses can, and do, disable your software firewall.

With the BSD box, nothing else runs on it.  Period.  Its only external influences are the packets that impinge upon it.  The current level of knowledge and technology of open-source Unix-like systems makes the problem tractable in this case.

With Microsoft, the level of sloppiness gets worse and worse.  WinXP suffered from the problem that the firewall rule tables were loaded after the network stack was initialized.  In the short interval between interface configuration and firewall initialization, the machine is completely exposed.

Sorry, Billy boy, but that's bullshit.  I built and sold a configurable packet-filtering firewall on top of NetBSD TEN F*CKING YEARS AGO and I was confronted with this problem.  My solution?  If the packet filter table is not loaded, then the default is to "drop and log" everything.  You're supposed to load the filter tables first, and if you forgot, the console log messages would VERY QUICKLY remind you.  And in the meantime you would still be secure.  And with your thousands of employees and billions in cash you couldn't get this right???

But, if you're not a network geek, you will have to settle, and I mean settle, for a software firewall. The problem is not so much ZoneAlarm itself, but the fact that one cannot trust the infrastructure that it runs on.

David Jones
Thursday, April 15, 2004
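
The fail-closed default described in the post above (drop and log everything until the filter table is loaded), as an added example that is not part of the thread and not the poster's NetBSD code. The `rule` and `filter` types, the function names and the sample ports are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { V_DROP, V_PASS };  /* all names below are hypothetical */
struct rule {                     /* first matching rule wins */
    uint8_t  proto;               /* IP protocol (6 = TCP, 17 = UDP), 0 = any */
    uint16_t dport;               /* destination port, 0 = any */
    enum verdict action;
};
struct filter {
    const struct rule *rules;     /* NULL until a table has been loaded */
    size_t nrules;
    unsigned long drops_logged;
};
static enum verdict drop_and_log(struct filter *f, const char *why, unsigned dport)
{
    f->drops_logged++;
    fprintf(stderr, "filter: drop (%s) dport=%u\n", why, dport);
    return V_DROP;
}

/* Called for every inbound packet, including before filter_load() runs. */
enum verdict filter_inbound(struct filter *f, uint8_t proto, uint16_t dport)
{
    if (f->rules == NULL)         /* boot window: interface up, no table yet */
        return drop_and_log(f, "no table loaded", dport);
    for (size_t i = 0; i < f->nrules; i++) {
        const struct rule *r = &f->rules[i];
        if ((!r->proto || r->proto == proto) && (!r->dport || r->dport == dport))
            return r->action;
    }
    /* Assumption of this example: traffic matching no rule is denied too. */
    return drop_and_log(f, "no rule matched", dport);
}

void filter_load(struct filter *f, const struct rule *rules, size_t n)
{
    f->nrules = n;
    f->rules = rules;
}

int main(void)
{
    static const struct rule table[] = { { 6, 80, V_PASS } }; /* constructed */
    struct filter f = { NULL, 0, 0 };
    int early = filter_inbound(&f, 6, 139);  /* arrives before the table */
    filter_load(&f, table, 1);
    printf("early=%d web=%d\n", early, filter_inbound(&f, 6, 80));
}
```
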

Zone Alarm is just fine and is easy to configure.

Get AVG free edition for anti-virus.

Get Ad-Aware for Spyware.

And don't write rubbish about one of the three not doing the jobs of the other. Spyware is not caught by firewalls or anti-viruses because what it is doing is perfectly legal. You want to block it, then disable all permanent cookies, but don't expect a pleasant surfing experience.

Stephen Jones
Friday, April 16, 2004

