choosing firewall and antivirus: Norton or McAfee ? And anonymity

Discussion in 'Security Software' started by unstablemicrosoft, Jun 20, 2006.

  1. Hi. I have narrowed down my choices to Norton and McAfee for a firewall and
    anti virus. It's best to have the firewall and antivirus of the same
    manufacturer.

    What I like about McAfee is that its anti virus program has an aggressive,
    heuristic approach to what might be viruses or malware and which are not yet in
    the DAT file. How is Norton's product in that regard ?

    Norton claims that its firewall is completely stealthed, but is that true
    for all ports, including 0 and 1 ? I suppose it doesn't make my presence on
    the internet invisible, or am I wrong ? Basically, I have a static IP address
    (cable ISP), reverse DNS possible. Officially I have a dynamic IP address, but
    that changes rarely. So my computer name acts like a supercookie, as said on
    www.grc.com. This is just an intermezzo, but I'll ask it anyway: there are
    ways to be anonymous on the internet, but are governments, criminals and
    hackers not especially after proxies or other ways to remain anonymous,
    making one even less secure ? It would be easy and safe if my ISP had a proxy
    server, but it does not. Any recommendations to stay REALLY anonymous on the
    internet (I'll allow cookies, except tracking cookies) ? I'd have to
    hide/change my IP.

    Ok, back to the original question: is Norton anti virus aggressive towards
    possible viruses of which no entry in the DAT files have been made yet ? And
    how does it compare overall to McAfee's anti virus ?

    And now the firewall ? Which one is better, Norton or McAfee, and why ? Any
    vulnerabilities ?

    Please give me a comparison of those two. McAfee and Norton.

    Even if you don't know both, I'd appreciate your input. I'd have to buy one
    of these soon.

    Kind regards,
    Unstablemicrosoft
     
    unstablemicrosoft, Jun 20, 2006
    #1

  2. I doubt it matters much which personal firewall you use, and opinions will
    vary. I suggest you use the one whose interface you are most comfortable
    with, but I would make sure that you use an internet router device also.
    One that says it has a SPI firewall built in. That will keep unwanted
    traffic off of your network adapter and give you a first line of defense.
    The problem with personal firewalls is too often they become disabled or
    misconfigured by user interaction, software conflict, or malware. By all
    means use one if you want but not as your only firewall when using cable. I
    personally like Zone Alarm when using a third party firewall for ease of
    configuration though for me my first choice is the built in Windows Firewall
    if I have a need for a host firewall. Yes the Windows Firewall can not
    manage outbound access but I have no need for that. --- Steve
     
    Steven L Umbach, Jun 21, 2006
    #2

  3. McAfee and Norton are both resource hogs.. better to try Zonealarm and AVG
    or BitDefender..
     
    Mike Hall - MS MVP Windows Shell/User, Jun 21, 2006
    #3
  4. Why? This is an assumption that doesn't have any value.

    Choose a variety of different protections, some redundant, that offer you
    protection that you feel you need, along with utility that you know you
    want - for instance, I've had to suggest my parents remove the Norton
    Internet Security Firewall from their system, because they just can't get
    the webcam and MSN Messenger to work through it, and they need to see the
    grandkid.
    And you make another assumption here - that a stealthed firewall is a good
    idea.

    Consider this - if at any stage a protocol assumes that it can use your IP
    address as an identifier for you, you can be spoofed if your firewall is
    stealthed, whereas a non-stealth firewall will issue a reset, causing the
    spoofee to reject the spoofed data traffic. The Internet is built on some
    fairly robust standards, and you should be cautious about anything that
    ignores those standards, even in the name of security.
    Black holes are invisible(*), yet we know where several are.

    Every time you visit a web site, you tell that web site where you are.
    Again, an assumption - you assume that site has any information of value
    whatever. Steve Gibson is not given to understanding any of the work that
    has gone on before, or during, his involvement in networking, and he
    frequently makes up stupid terms for existing concepts, claiming to have
    invented them himself. He's a shameless self-publicist, and if he sees a
    way to put his name in the papers by predicting the imminent descent of the
    stratosphere, he will do so. At least, that's been my impression from the
    crap I've read from him in the past. Some of what he says is correct, but
    that seems more by accident than by design. If you want to learn how to
    secure your network, start with Johansson and Riley's book.
    The best way to stay REALLY anonymous on the Internet is not to do anything
    on the Internet. Anything beyond that is trackable to some degree.

    Alun.
    ~~~~
    (*) Yes, I know they emit Hawking radiation, but before that was identified,
    we still knew where several black holes were.
    [Please don't email posters, if a Usenet response is appropriate.]
     
    Alun Jones, Jun 21, 2006
    #4
  5. So, you've narrowed down your choice to the two worst choices. You have my
    sympathies.
     
    Frank Saunders, MS-MVP OE, Jun 22, 2006
    #5
  6. Hi. Why are those two the worst choices ? What would you consider good
    criteria for choosing a good firewall and a good antivirus program ? Any
    specific programs you have in mind ?

    Btw, for the sake of experimentation I asked the company from whom I bought
    the router (router is between cable modem and wireless adapter on PC) how I
    could turn off the router. I did follow their instructions and to my
    surprise, when using firewall tests, such as pcflank, tests at
    www.hackerwatch.org/probe and shieldsup at grc.com (it made no difference
    whether my McAfee firewall 6.0 was on or off) all ports appeared to be
    stealthed. Except port 0 and 1. Were they really stealthed, or did it just
    appear as if they were ? I used Port Fw. and gave an IP address (it did not
    make a difference if I used the IP address of my computer, or the "IP
    address" I have to type in as a URL when I want to access my router). I
    suppose you could call it my router's IP. (Please correct me if the latter is
    nonsense). I also specified the port range from 1 (could not use 0) to
    something over 60000. And when I performed firewall tests, it appeared as if
    I were stealthed.

    If they were stealthed, does the inability of the router to make port 0 and
    1 stealthed make the stealth option of little value ? I don't know how hackers
    operate in that regard.

    Please advise.

    "Frank Saunders, MS-MVP OE" wrote:
     
    unstablemicrosoft, Jun 26, 2006
    #6
  7. Because these two cause the most problems with other programs. McAfee is
    notorious for screwing up Outlook Express and Norton puts too many hooks
    into the operating system and is a terrible resource hog.
     
    Frank Saunders, MS-MVP OE, Jun 27, 2006
    #7
  8. Can someone please explain that statement:
    "Consider this - if at any stage a protocol assumes that it can use your IP
    address as an identifier for you, you can be spoofed if your firewall is
    stealthed, whereas a non-stealth firewall will issue a reset, causing the
    spoofee to reject the spoofed data traffic. The Internet is built on some
    fairly robust standards, and you should be cautious about anything that
    ignores those standards, even in the name of security"

    A non-stealth firewall causing a reset ? With regard to spoofing ? I REALLY,
    REALLY, don't understand that. No offense, but it doesn't seem to make sense.
    I have received spoof email messages even though my current firewall is NOT
    stealthed.

    It seems I can make the firewall of my router stealthed (looks like that,
    according to several tests). Except port 0 and 1. Does having port 0 and 1
    non-stealthed make the "stealth" useless ? Aside from certain specific
    trojans and worms I'd guess that having even ONE port non-stealthed makes the
    "other" stealth useless. Am I wrong ?

    Thank you.
     
    unstablemicrosoft, Jun 27, 2006
    #8
  9. I have not yet heard any solid arguments why "stealthed" should be
    better than "closed" at all. And I am not saying there aren't any. I
    am just saying, I haven't come across any yet.

    Anyone out there with the golden argument that will convince me? :)
     
    B. Nice, Jun 27, 2006
    #9
  10. A stealthed firewall gives no response to a packet,...it is "mute",...which is
    what makes it stealth,...hence no reset is given.
    A non-stealthed firewall does give a response, which is the "reset".

    The term "stealth" barely even means anything to me and it is not something
    that I even care about or even seek as something I would want my firewall to
    do.
     
    Phillip Windell, Jun 27, 2006
    #10
  11. Don't worry about stealthed versus closed as you want to worry about open
    ports that should not be open. As Phillip said a closed port will respond to
    a computer trying to access it on the service that it is not available. This
    can be useful for troubleshooting but in any event it will not allow access.
    A stealth port just means it can not be detected at all and may or may not
    be open behind the firewall. If the stealthed port is also closed behind the
    firewall then there is no way to spoof it anyhow. Spoofing of IP traffic
    generally means tricking the firewall or computer into thinking the traffic
    is authorized/trusted such as traffic from the same network as the computer
    is on. Almost any firewall/internet router currently available that I am
    aware of these days will or can be configured to reject IP traffic from the
    internet that shows the same source network IP as the network behind the
    firewall or from source private IP address ranges. I would expect that
    current generation internet routers in particular would do that by default
    but to be sure one should refer to documentation or the vendor's website. The
    network portion of a typical class C network IP is the first three octets.
    So for an IP of 192.168.1.55 subnet 255.255.255.0 the network address is
    192.168.1.xxx . and the xxx would be the host addresses though you don't use
    0 or 255 . Spoofed email is totally different so do not confuse the two.
    Email spoofing generally involves you getting email from someone other than
    who you think it is. In other words the email says it is from your best
    buddy Joe with an attachment but it really is from hacker boy and the
    attachment is malware.

    So to answer your question IMHO no matter what the scare websites say that
    are trying to sell you their product or service you have nothing to worry
    about with your current firewall configuration. Also ports 0 and 1 are
    almost never scanned for in a port scan. Most port scans would target a
    specific list of ports for efficiency, and not sending off alarms, instead
    of scanning 0 - 65,535 which would take a long long time and would probably
    only be done against a "high value" target.

    Steve
     
    Steven L Umbach, Jun 27, 2006
    #11
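
The anti-spoofing check Steve describes (a router rejecting internet-side traffic whose source address claims to be on the local network or in a private range) can be sketched as follows. This is an added example, not code from any poster or router vendor; the function names, the reserved-range list and the sample source addresses are constructed for illustration.

```python
import ipaddress

# Source ranges that should never arrive on the internet-facing interface:
# RFC 1918 private space plus loopback and link-local (list chosen for this sketch).
RESERVED_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

def lan_network(host_ip, netmask):
    """Network a host belongs to, e.g. 192.168.1.55 with mask 255.255.255.0."""
    return ipaddress.ip_interface(f"{host_ip}/{netmask}").network

def usable_hosts(lan):
    """First and last assignable host; .0 (network) and .255 (broadcast) are excluded."""
    return str(lan[1]), str(lan[-2])

def wan_ingress_verdict(src_ip, lan):
    """Decide what to do with a packet that arrived from the internet side."""
    src = ipaddress.ip_address(src_ip)
    if src in lan:
        # Nothing outside can legitimately hold an address on our own LAN.
        return ("drop", "source claims to be on the LAN")
    for net in RESERVED_SOURCES:
        if src in net:
            return ("drop", f"source in reserved range {net}")
    return ("pass", "hand to the stateful (SPI) rules")

if __name__ == "__main__":
    lan = lan_network("192.168.1.55", "255.255.255.0")
    print("LAN:", lan, "usable hosts:", usable_hosts(lan))
    # Constructed source addresses, as seen on the WAN interface.
    for src in ("192.168.1.20", "10.1.2.3", "192.168.5.5", "203.0.113.7"):
        print(f"{src:15} ->", wan_ingress_verdict(src, lan))
```

Passing this check does not open anything: a packet that survives it still has to match an allowed connection in the stateful rules.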
  12. Golden?,...no,...but I've always considered "stealth" to be worthless and
    just a "gimmick". If the port is disallowed then it is disallowed,...it
    really doesn't matter if they know the firewall is there or not.
     
    Phillip Windell, Jun 27, 2006
    #12
  13. And one could further add: Stealth won't even provide the illusion
    that your firewall is not there.
     
    B. Nice, Jun 27, 2006
    #13
  14. Spoofed email messages have nothing to do with spoofing a TCP connection.

    Let's put it a little more technically.

    In the absence of a firewall, the attacker's machine A pretends to be the
    user's machine U, and connects to the server machine S.

    S responds to U, saying "I accept your connection".

    U says "What? I didn't make a connection - go away!"

    S closes the connection.

    As you can see, machine A has managed only to make S and U exchange a packet
    each, and A has not been able to do anything as U.

    Now, suppose that U is behind a stealthed firewall.

    A pretends to be U and connects to server S.

    S responds to U, saying "I accept your connection"

    A pretends to be U and tells S "Thank you for accepting me, here's a command
    I'd like you to do"

    S believes that it received the command from U, and U hasn't told it to go
    away, so S executes the command.

    This is entirely different from spoofing email. Get email out of your head.
    That depends - do you have any protocols running on ports zero and one? I'm
    not sure you even _can_ get a protocol running on port zero with regular
    socket APIs, since zero in bind() means "assign me a random port".

    Realistically, what do you think you gain by "stealthing" your ports? If
    you can't succinctly answer that, consider whether it's of any use.

    Alun.
    ~~~~
     
    Alun Jones, Jun 29, 2006
    #14
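
A small model of the exchange Alun walks through above, added here as an illustration and not part of any poster's message. The `Server` class, the `u_policy` values and the `isn_predictable` flag are names made up for this sketch; the sequence-number check on the final ACK is an addition the post does not mention, included because S completes the handshake only when the ACK acknowledges S's own initial sequence number.

```python
import secrets

MOD = 2 ** 32

class Server:
    """Minimal model of S's side of one TCP connection attempt."""
    def __init__(self):
        self.state = "LISTEN"
        self.isn = secrets.randbits(32)      # S's initial sequence number

    def on_syn(self):
        self.state = "SYN_RCVD"
        return ("SYN-ACK", self.isn)         # sent to the claimed source, i.e. U

    def on_rst(self):
        self.state = "CLOSED"                # half-open connection is torn down

    def on_ack(self, ack):
        # The handshake completes only if the ACK acknowledges S's ISN.
        if self.state == "SYN_RCVD" and ack == (self.isn + 1) % MOD:
            self.state = "ESTABLISHED"

    def accepts_data(self):
        return self.state == "ESTABLISHED"   # a command is processed only here

def spoofed_connect(u_policy, isn_predictable):
    """True if S would act on data from A while believing it came from U.

    u_policy: "rst"  - U (or a non-stealth firewall) answers the unexpected
                       SYN-ACK with a reset
              "drop" - stealthed: the SYN-ACK is discarded and S hears nothing
    """
    s = Server()
    s.on_syn()                               # A -> S: SYN carrying U's address
    if u_policy == "rst":
        s.on_rst()                           # U -> S: RST
    # A never sees the SYN-ACK, so it has to supply the ACK number blind.
    # A wrong guess is modelled as a fixed off-by-one value.
    ack = (s.isn + 1) % MOD if isn_predictable else (s.isn + 2) % MOD
    s.on_ack(ack)
    return s.accepts_data()

def outcome_table():
    return {(policy, known): spoofed_connect(policy, known)
            for policy in ("rst", "drop") for known in (True, False)}

if __name__ == "__main__":
    for (policy, known), accepted in outcome_table().items():
        print(f"U policy={policy:4} ISN predictable={known!s:5} -> accepted={accepted}")
```

In this model the spoofed data is accepted only in the single case where U stays silent and S's sequence number is predictable; a reset from U or an unpredictable sequence number each stops it.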