[Dshield] Opinions on XP Internet Connection Firewall (ICF) sought
Daniel G. Kluge
dkluge at acm.org
Sun Apr 4 15:48:48 GMT 2004
I got my easter eggs early in the form of a new PC at work, where I
also got a spanking new XP on it and local Admin rights to boot. So I
gave the Internet Connection Firewall (ICF) a try, and after running it
for a few days, I have some questions & comments.
First of all, is there anything which would qualify as documentation,
i.e. something written for people who actually know what they are
doing? There was an article on SecurityFocus, which resonates with my
sentiment very well:
> ICF is an excellent personal firewall and will prevent most attacks
> from the Internet. However, the lack of granular control makes ICF
> much too restrictive for power users. So, as they say, you can’t live
> with it, you can’t live without it.
I had the deja-vu of my Sonicwall experience: Gets you secure quickly,
but as soon as you want to do something a little bit more complex, the
GUI toy comes to its limits. Don't get me wrong, I really like the
Sonicwalls, though I don't use mine anymore, but they do have their
limitations (hint: there's more to the Internet than TCP, UDP and
Of course I was asking a lot of the firewall, since this is in a
corporate environment, so I had to open quite a few ports to keep it
from bitching (I do log all failed attempts). I then wrote a small
Perl script which throws out all the garbage, and leaves from the 20k
entries in the log about 74 relevant ones, and yes, a global corporate
network isn't an entirely friendly place.
It seems to me to be very much a toy, like most of M$ desktop wares.
I'd be much better served by any "basic" *NIX based firewall, but then
again, I do hold an MSCS; most computer users don't.
Does anybody really use that thing? Or do people either use free
personal firewalls or corporate solutions with policy enforcement?
Please note I don't want another thread with "BlackICE vs. Tiny vs. NAI
vs. McAfee" or "M$ is crap, PFWs are snake-oil", just ICF pro/cons.
Some questions/observations on my side:
- Can you force the thing to release its log-file, or is it only on
size-based rollover? How many files does it keep?
- I see odd packets with my address as the target address being
dropped, I guess its state-keeping isn't too good.
- Without the ability to deny based on source address I can only allow
or deny all NetBIOS traffic, and there is some traffic that I don't
want/need, probably coming from infected machines. Toy.
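The log triage the post describes (a small script that throws out the noise and leaves the few relevant entries, then makes the noisy NetBIOS sources visible even though ICF cannot block them by address) as an added Python example; it is not the poster's Perl script and not Microsoft code. It assumes the W3C-style pfirewall.log layout and reads the column names from the log's own #Fields header rather than hardcoding them. The log lines are constructed for this example, the "ends in .255 means broadcast" test is a guess the log's lack of a netmask forces, and the late-reply check is a heuristic, not an ICF feature:

```python
"""Triage an XP Internet Connection Firewall (ICF) log.

Added example, not the poster's own Perl script. It parses the W3C-style
pfirewall.log format by reading the #Fields header of the log itself, drops
the broadcast/multicast chatter that makes up most of a corporate LAN log,
and summarises what is left per source address so the relevant sources stand
out. The traffic lines below are constructed for this example.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: header lines mirror what ICF writes, the traffic
# lines are made up (including the stale ACK/FIN reply at the end).
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2004-04-04 15:40:01 DROP UDP 10.1.2.50 10.1.2.255 137 137 78 - - - - - - -
2004-04-04 15:40:02 DROP UDP 10.1.2.51 10.1.2.255 138 138 229 - - - - - - -
2004-04-04 15:40:05 DROP TCP 10.1.9.77 10.1.2.10 3456 135 48 S 123456 0 16384 - - -
2004-04-04 15:40:06 DROP TCP 10.1.9.77 10.1.2.10 3457 445 48 S 123457 0 16384 - - -
2004-04-04 15:40:09 DROP TCP 10.1.9.77 10.1.2.10 3458 139 48 S 123458 0 16384 - - -
2004-04-04 15:40:12 DROP UDP 10.1.2.1 224.0.0.251 5353 5353 120 - - - - - - -
2004-04-04 15:41:00 OPEN TCP 10.1.2.10 10.1.2.20 1045 80 0 - - - - - - -
2004-04-04 15:41:30 DROP TCP 10.1.9.78 10.1.2.10 4000 445 48 S 987654 0 65535 - - -
2004-04-04 15:41:31 DROP ICMP 10.1.9.78 10.1.2.10 - - 60 - - - - 8 0 -
2004-04-04 15:42:10 DROP TCP 10.1.2.20 10.1.2.10 80 1045 40 AF 555 666 8192 - - -
"""


def parse_icf_log(text):
    """Return one dict per traffic line, keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]  # drop the "#Fields:" token itself
            continue
        if fields is None:
            raise ValueError("traffic line seen before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a truncated line instead of mis-assigning columns
        records.append(dict(zip(fields, values)))
    return records


def is_noise(rec):
    """LAN chatter ICF logs by the thousand: non-drops, multicast, broadcast."""
    if rec["action"] != "DROP":
        return True
    dst = ipaddress.ip_address(rec["dst-ip"])
    # Assumption: no netmask in the log, so treat a .255 host part as broadcast.
    return dst.is_multicast or rec["dst-ip"].endswith(".255")


def relevant_entries(records):
    """Everything that survives the noise filter."""
    return [rec for rec in records if not is_noise(rec)]


def looks_like_late_reply(rec):
    """Heuristic: a dropped non-SYN TCP segment from a well-known port to an
    ephemeral port is usually a reply arriving after ICF forgot the flow."""
    if rec["protocol"] != "TCP" or "S" in rec["tcpflags"]:
        return False
    return int(rec["src-port"]) < 1024 <= int(rec["dst-port"])


def summarize_by_source(records):
    """Per source address: hit count, destination ports, protocols, late replies."""
    summary = defaultdict(
        lambda: {"count": 0, "ports": set(), "protocols": set(), "late_replies": 0}
    )
    for rec in records:
        entry = summary[rec["src-ip"]]
        entry["count"] += 1
        entry["protocols"].add(rec["protocol"])
        if rec["dst-port"].isdigit():  # ICMP lines carry "-" here
            entry["ports"].add(int(rec["dst-port"]))
        if looks_like_late_reply(rec):
            entry["late_replies"] += 1
    # sorted port lists keep the output stable for printing and testing
    return {src: {**e, "ports": sorted(e["ports"])} for src, e in summary.items()}


def probe_sources(summary, min_ports=3):
    """Sources that touched at least min_ports distinct ports, busiest first."""
    hits = [(s, e) for s, e in summary.items() if len(e["ports"]) >= min_ports]
    return [s for s, e in sorted(hits, key=lambda item: -item[1]["count"])]


if __name__ == "__main__":
    recs = parse_icf_log(SAMPLE_LOG)
    kept = relevant_entries(recs)
    print(f"{len(recs)} entries, {len(kept)} relevant after noise filter")
    per_src = summarize_by_source(kept)
    for src, e in sorted(per_src.items(), key=lambda item: -item[1]["count"]):
        print(f"{src:15} hits={e['count']:3} ports={e['ports']} "
              f"proto={sorted(e['protocols'])} late_replies={e['late_replies']}")
    print("multi-port probes:", probe_sources(per_src))
```

Run it against a real pfirewall.log by replacing SAMPLE_LOG with the file's contents; the late-reply count is the number to watch when judging the state-keeping complaint above, since a high share of such drops usually means expired or missing state rather than hostile traffic.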