[Dshield] Opinions on XP Internet Connection Firewall (ICF) sought

Daniel G. Kluge dkluge at acm.org
Sun Apr 4 15:48:48 GMT 2004


Hello gang,
I got my easter eggs early in the form of a new PC at work, where I 
also got a spanking new XP on it and local Admin rights to boot. So I 
gave the Internet Connection Firewall (ICF) a try, and after running it 
for a few days, I have some questions & comments.

First of all, is there anything which would qualify as documentation, 
i.e. something written for people who actually know what they are 
doing? There was an article on SecurityFocus[1], which resonates with my 
sentiment very well:
> ICF is an excellent personal firewall and will prevent most attacks 
> from the Internet. However, the lack of granular control makes ICF 
> much too restrictive for power users. So, as they say, you can’t live 
> with it, you can’t live without it.

I had the deja-vu of my Sonicwall experience: Gets you secure quickly, 
but as soon as you want to do something a little bit more complex, the 
GUI toy comes to its limits. Don't get me wrong, I really like the 
Sonicwalls, though I don't use mine anymore, but they do have their 
limitations (hint: there's more to the Internet than TCP, UDP and 
ICMP).

Of course I was asking a lot of the firewall, since this is in a 
corporate environment, so I had to open quite a few ports to keep it 
from bitching (I do log all failed attempts). I then wrote a small 
perl-script which throws out all the garbage, and leaves from the 20k 
entries in the log about 74 relevant ones, and yes a global corporate 
network isn't an entirely friendly place.

It seems to me to be very much a toy, like most of M$ desktop wares. 
I'd be much better served by any "basic" *NIX based firewall, but then 
again, I do hold an MSCS; most computer users don't.

Does anybody really use that thing? Or do people either use free 
personal firewalls or corporate solutions with policy enforcement? 
Please note I don't want another thread with "BlackICE vs. Tiny vs. NAI 
vs. McAfee" or "M$ is crap, PFWs are snake-oil", just ICF pro/cons 
yes/no enlightenment.

Some questions/observations on my side:
- Can you force the thing to release its log-file, or is it only on 
size-based rollover? How many files does it keep?
- I see odd packets with my address as the target address being 
dropped, I guess its state-keeping isn't too good.
- Without the ability to deny based on source address I can only allow 
or deny all NetBIOS traffic, and there is some traffic that I don't 
want/need, probably coming from infected machines. Toy.

-daniel
[1] http://www.securityfocus.com/infocus/1620
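As an added example (not the author's Perl script, which is not on this page): a Python filter for the XP ICF log in its W3C-style format, which throws out tolerated broadcast noise, counts dropped NetBIOS/SMB connection attempts per source address, and picks out the self-addressed drops mentioned above. The sample log lines, the host address and the tolerated-port set are constructed assumptions.

```python
from collections import Counter
# Constructed sample of pfirewall.log (not a real capture); the #Fields header is the one XP's ICF writes.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2004-04-04 10:01:02 DROP UDP 10.1.5.20 10.1.5.255 137 137 78 - - - - - - -
2004-04-04 10:01:03 DROP TCP 10.1.7.9 10.1.5.30 3421 445 48 S 1234 0 65535 - - -
2004-04-04 10:01:04 OPEN TCP 10.1.5.30 192.0.2.10 1055 80 - - - - - - - -
2004-04-04 10:01:05 DROP TCP 10.1.7.9 10.1.5.30 3422 139 48 S 1235 0 65535 - - -
2004-04-04 10:01:07 DROP TCP 10.1.9.4 10.1.5.30 4001 135 48 S 99 0 8192 - - -
2004-04-04 10:01:08 DROP TCP 10.1.5.30 10.1.5.30 4444 4444 40 R 0 0 0 - - -
"""

MY_IP = "10.1.5.30"        # constructed address of the logging host
NOISE_PORTS = {137, 138}   # assumption: broadcast name/datagram chatter the reader tolerates
NETBIOS_SMB_PORTS = {137, 138, 139, 445}

def parse_icf_log(lines):
    """Parse W3C lines into dicts keyed by the names in the #Fields header."""
    fields, records = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):   # skip truncated lines, never misalign columns
                records.append(dict(zip(fields, values)))
    return records

def dst_port(r):
    """Numeric destination port, or -1 when the field is '-' (e.g. ICMP)."""
    return int(r["dst-port"]) if r["dst-port"].isdigit() else -1

def relevant_drops(records):
    """Keep DROP entries, throwing out the tolerated broadcast noise."""
    return [r for r in records
            if r["action"] == "DROP" and dst_port(r) not in NOISE_PORTS]

def netbios_sources(records):
    """Dropped TCP NetBIOS/SMB connection attempts counted per source IP."""
    return Counter(r["src-ip"] for r in records
                   if r["action"] == "DROP" and r["protocol"] == "TCP"
                   and dst_port(r) in NETBIOS_SMB_PORTS)

def self_addressed(records, my_ip=MY_IP):
    """Dropped packets whose source and destination are both this host."""
    return [r for r in records if r["action"] == "DROP"
            and r["src-ip"] == my_ip and r["dst-ip"] == my_ip]
```

Run it over a real pfirewall.log with `parse_icf_log(open(path))`; the per-source NetBIOS counts are the view ICF's own GUI cannot give you, since it has no source-address rules.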

