MS WORD launches slowly due to IE local security setting

 
 
Todd H.
      11-03-2006
Sebastian Gottschalk <(E-Mail Removed)> writes:
> Zak wrote:
>
> > Seb, I'm new to your view on firewalls but you seem to have in mind a
> > rather different thing than what many people would call a software
> > firewall on their PCs.

>
> A firewall is a concept to separate network segments on a perimeter.


Says you.

But in conversation, the rest of the world accepts the notion of a
"software firewall" that can selectively deny outbound traffic from a
host based on application.

You're being pedantic in a rather masturbatory way that isn't helping
the original discussion.

But that's what makes you you.

Best Regards,
--
Todd H.
http://www.toddh.net/
 
B. Nice
      11-03-2006
On Fri, 03 Nov 2006 14:34:08 +0100, MC <(E-Mail Removed)>
wrote:

>>> Can you say a bit more about what sort of preferred solution I could use
>>> which is as economical as possible. (I can't afford lots of sexy super-
>>> specification hardware if there is a cheaper and effective equivalent).


>>Sebastian Gottschalk wrote:
>> For home users? Simply no packet filter or firewall at all. Obviously,
>> since you can't achieve any security through such measures without in-depth
>> knowledge of TCP/IP and networking - which home users usually don't
>> possess.

>
>This is some rather bad advice, Sebastian. The whole point of host-based
>software firewalls with an easy to understand interface is to provide
>home users with a means to protect themselves without *needing* in-depth
>knowledge of the protocol suite used. See my explanation above on the
>way they protect even if the packets arrive at the targeted computer.


If proper protection is in place without the user having to answer
technical questions it is okay with me. This is how good inbound
protection works.

However, if you are not providing any network services you actually
can get away without using a packet filter or firewall as Sebastian
implies.

>The knowledge has been put to use by the programmers of these packages,
>so let's use it, shall we?


No thank you

I find it way better to minimize the amount of attackable code than to
add further buggy code that is essentially not needed.

>The threat of malicious software is two-fold in this case: incoming AND
>outgoing traffic.
>A host-based firewall/packet filter has access to the
>process information on the computer,


And malware has access to information about any personal firewall
running on your computer. Your point is?

Dealing with incoming traffic means dealing with packets hitting the
border of the environment - something which has proven to be doable
with a high level of reliability.
Dealing with outgoing traffic means dealing with a process which is
already running within the environment - something which of course
cannot be done reliably.

The only "security" product which makes some sense against malware
IMHO is a good antivirus product because it can at least stop malware
it knows about before it is allowed to run. But then of course,
antivirus programs have their obvious limitations too.

>and can apply rules based on
>program trust as well as IP addresses and ports; they are more versatile
>in the way they can protect a user.


If that program does not mind being controlled, it will allow for
that. Otherwise it won't care. Don't expect malware to go by your
rules.

BTW, I find it inappropriate to mention rules based on IP addresses and
ports when you just mentioned that personal firewalls were meant to
protect users WITHOUT in-depth knowledge.

>Standalone firewalls are good to
>protect networks as a whole, host-based firewalls are good to protect
>the user specifically.


So you believe in controlling a malicious program already allowed to
run on your computer? - I don't.

>> Against malware there's a very simple solution: Don't run it in the first place.

>
>This is easier said than done.


But nevertheless the only sensible goal.

>The average user cannot make easy
>judgement on the (often cleverly disguised) malware.


But you expect the same average user to be able to make reasonable
judgements about its technical behaviour when asked?

>To help prevent the malware from achieving its goal, a check on
>undesired and often hidden connections to servers is what you want.
>A host-based firewall with application control will do just that, and
>alert the user to the fact that the unchecked connection attempt is
>being made. It is then up to the user to evaluate the need for this
>connection and/or to adjust their level of trust in the application they
>are running.


Either you are a personal firewall salesman, or you have been reading
too many advertisements *SCNR*

>Sure, the solution isn't all-encompassing, but it is a workable one. It
>allows good control over the traffic to and from the applications
>running on the pc, and gives good protection if configured right (and
>let's not go into the discussion about badly configured ones, please. A
>badly configured standalone firewall is just as bad)


If configured right it MAY, if you are lucky, provide some protection
- but you just said that "The average user cannot make easy judgement
on the (often cleverly disguised) malware." - so he/she is obviously
not the right one to do that.

>MC


/B. Nice

--
Comments I make or advice I may provide is primarily aimed at home users.
 
Todd H.
      11-03-2006
Sebastian Gottschalk <(E-Mail Removed)> writes:

> MC wrote:
>
> > Sebastian Gottschalk wrote:
> >>> I also suggest strongly that you get a firewall installed, and in it,
> >>> block MSIE from accessing the Internet
> >> Firewalls can't filter by applications.

> >
> > Well, sorry, but they can, and have been able to for quite a number of
> > years. If you have one that can't I suggest you look for a different
> > (software) firewall.

>
> You're still talking about host-based packet filters with application
> control as if they were real firewalls. Could we please stick to more
> common and reasonable definitions?


Yes Sebastian, please do!

How many "host-based packet filters" can you find on the software
shelves at your local big box retailer that a person can be pointed to
by the staff there? I'm gonna wager none.

Now, ask em "where can I find firewall software?" and you'll be
pointed the right place.

This entire stupid discussion is a great case in point about how much
time can be wasted quibbling over "proper" definitions of what a
firewall is and isn't while still completely avoiding the concept that
was originally raised.

Best Regards,
--
Todd H.
http://www.toddh.net/
 
Sebastian Gottschalk
      11-03-2006
B. Nice wrote:

> However, if you are not providing any network services you actually
> can get away without using a packet filter or firewall as Sebastian
> implies.


And even further, with sample implementations like ntsvcfg this can be done
in a partially idiot-proof way.

Well, no need to wonder why the big "security" vendors haven't implemented
such a thing yet - you can't get any revenue from reselling your same old
**** with higher version numbers.

> I find it way better to minimize the amount of attackable code than to
> add further buggy code that is essentially not needed.


Potentially buggy. However, all PFWs up-to-date are also actually buggy to
no end.

> The only "security" product which makes some sense against malware
> IMHO is a good antivirus product because it can at least stop malware
> it knows about before it is allowed to run. But then of course,
> antivirus programs have their obvious limitations too.


Virus scanners can serve as a host-based intrusion detection system. However,
keeping off the malware in the first place still is the user's job.

"Antivirus" is a bit too broad, as f.e. scripts for checking and adjusting
ACLs, creating and verifying checksums, automating updates of software
components etc. are also measures against viruses (and pretty serious).

> BTW, I find it inappropriate to mention rules based on IP addresses and
> ports when you just mentioned that personal firewalls were meant to
> protect users WITHOUT in-depth knowledge.


Obligatory: "I've scanned myself at grc.com and my shields are up. But if
port 80 is stealth, how can it be I can still surf the web?"

>>Standalone firewalls are good to
>>protect networks as a whole, host-based firewalls are good to protect
>>the user specifically.

>
> So you believe in controlling a malicious program already allowed to
> run on your computer? - I don't.


I do. With kernel-level socket control (SELinux), secure IPC (X11 security
extension) and sufficient isolation (chroot, jail) one could implement such
a system. I don't claim that it's practical.

Anyway, malware doesn't care for what he or you believes, but simply does
the job.
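The point quoted from B. Nice above, that a host providing no network services has nothing for an inbound filter to block, can be checked directly. This is an added example, not part of any post in the thread: it parses Windows `netstat -ano` output (the sample lines are constructed) and lists the sockets reachable from other hosts.

```python
import ipaddress
from typing import NamedTuple

# Constructed sample in the format of Windows `netstat -ano` (not real data).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1052
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING       1884
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1045      203.0.113.10:80        ESTABLISHED     2300
  TCP    [::]:135               [::]:0                 LISTENING       1052
  UDP    0.0.0.0:1900           *:*                                    1204
  UDP    127.0.0.1:123          *:*                                    1100
"""

class Listener(NamedTuple):
    proto: str
    address: str
    port: int
    pid: int

def parse_listeners(text):
    """Return every socket that accepts unsolicited traffic."""
    found = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # header, blank or unrelated line
        # TCP must be LISTENING; a bound UDP socket has no state column.
        if f[0] == "TCP" and (len(f) < 5 or f[3] != "LISTENING"):
            continue
        host, _, port = f[1].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
        try:
            ipaddress.ip_address(host)
            found.append(Listener(f[0], host, int(port), int(f[-1])))
        except ValueError:
            continue  # not an address:port pair we understand
    return found

def exposed(listeners):
    """Listeners reachable from other hosts, i.e. not bound to loopback."""
    return [l for l in listeners
            if not ipaddress.ip_address(l.address).is_loopback]

if __name__ == "__main__":
    for l in exposed(parse_listeners(SAMPLE)):
        print(f"{l.proto} {l.address}:{l.port} pid={l.pid}")
```

An empty result from `exposed()` is the state in which no service is offered to the network; each remaining entry names the PID of a service to disable or rebind to loopback.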
 
Sebastian Gottschalk
      11-03-2006
Todd H. wrote:

> Sebastian Gottschalk <(E-Mail Removed)> writes:
>> Zak wrote:
>>
>>> Seb, I'm new to your view on firewalls but you seem to have in mind a
>>> rather different thing than what many people would call a software
>>> firewall on their PCs.

>>
>> A firewall is a concept to separate network segments on a perimeter.

>
> Says you.
>
> But in conversation, the rest of the world accepts the notion of a
> "software firewall" that can selectively deny outbound traffic from a
> host based on application.


The rest of the world? Doubtful. Only the uninitiated. Among computer
professionals, there's a clear distinction.

> You're being pedantic in a rather masturbatory way that isn't helping
> the original discussion.


Being naive is only acceptable to a certain point. Host-based packet
filters don't share many important properties with real firewalls, that's
why you shouldn't mix the termini.
 
Sebastian Gottschalk
      11-03-2006
Todd H. wrote:

> How many "host-based packet filters" can you find on the software
> shelves at your local big box retailer that a person can be pointed to
> by the staff there? I'm gonna wager none.
>
> Now, ask em "where can I find firewall software?" and you'll be
> pointed the right place.


The same as many people claim that the firefox is a fox. Now, will the
biologists change the name and claim a direct kind relation?

> This entire stupid discussion is a great case in point about how much
> time can be wasted quibbling over "proper" definitions of what a
> firewall is and isn't while still completely avoiding the concept that
> was originally raised.


Well, that's exactly the problem. By twisting terms like the uninitiated,
you're losing the fundamental differences between the concepts.
 
Todd H.
      11-03-2006
Sebastian Gottschalk <(E-Mail Removed)> writes:

> Todd H. wrote:
>
> > Sebastian Gottschalk <(E-Mail Removed)> writes:
> >> Zak wrote:
> >>
> >>> Seb, I'm new to your view on firewalls but you seem to have in mind a
> >>> rather different thing than what many people would call a software
> >>> firewall on their PCs.
> >>
> >> A firewall is a concept to separate network segments on a perimeter.

> >
> > Says you.
> >
> > But in conversation, the rest of the world accepts the notion of a
> > "software firewall" that can selectively deny outbound traffic from a
> > host based on application.

>
> The rest of the world? Doubtful. Only the uninitiated. Among computer
> professionals, there's a clear distinction.
>
> > You're being pedantic in a rather masturbatory way that isn't helping
> > the original discussion.

>
> Being naive is only acceptable to a certain point. Host-based packet
> filters don't share many important properties with real firewalls, that's
> why you shouldn't mix the termini.


You don't laid much do you?

LOL. Okay sorry... couldn't resist. I guess I'm just so not a fan of
ivory tower nomenclature that pretends the rest of the world's
parlance on a given subject simply doesn't exist that it gets me a bit
fired up.

There are computer professionals--myself included--who know full well
the difference between "real firewalls" and programs known as software
firewalls but don't feel the need to enforce their opinion on what
things ought to be named overruling the names they actually have in
the marketplace and among many users as well as other computer
professionals here in this group.

So, backtracking, when you said a firewall can't control access on a
per-program level, you perhaps thought you were making a
glorious understated point about a distinction between network
firewalls and host based packet filtering software.

Unfortunately, to nearly all readers you just looked either a) naive
of the existence of such functionality in such software or b) a
pedantic weenie.



Best Regards,
--
Todd H.
http://www.toddh.net/
 
Sebastian Gottschalk
      11-03-2006
Todd H. wrote:

> So, backtracking, when you said a firewall can't control access on a
> per-program level, you perhaps thought you were making a
> glorious understated point about a distinction between network
> firewalls and host based packet filtering software.


Don't forget real application layer firewalls like proxies, or even
application gateways (who identify applications by application-specific
credentials passed to a SOCKS proxy).

> Unfortunately, to nearly all readers you just looked either a) naive
> of the existence of such functionality in such software or b) a
> pedantic weenie.
>
>


My bad, this is alt.* hierarchy. Should have fup2'ed to
comp.security.firewalls for serious discussions.
 
B. Nice
      11-03-2006
On Fri, 3 Nov 2006 21:10:07 +0100, Sebastian Gottschalk
<(E-Mail Removed)> wrote:

>"Antivirus" is a bit too broad, as f.e. scripts for checking and adjusting
>ACLs, creating and verifying checksums, automating updates of software
>components etc. are also measures against viruses (and pretty serious).


But not obvious choices for the average home user which the OP seemed
to be addressing.

>Anyway, malware doesn't care for what he or you believes, but simply does
>the job.


I believe that

/B. Nice

--
Comments I make or advice I may provide is primarily aimed at home users.
 
Sy
      11-06-2006
Hey! "Simply no packet filter or firewall at all. Obviously,
since you can't achieve any security through such measures without
in-depth knowledge of TCP/IP and networking - which home users usually
don't possess."

I'm just a university student studying Hardening the Infrastructure, not
like the person below. My teacher is a CISSP and makes $150+ an hour.
The fellow below is speaking about a node firewall, i.e. a separate
box, but seems ignorant of host firewalls, which the CISSP expert
suggests work appropriately for many applications (ways intended to use
it, not to be mistaken for programs). If you are using a Microsoft
machine that is XP with SP 2, PC mag and Computer World both say it
gets the job done as far as ingress filtering, and after going into the
firewall utility>advanced and closing the port of my printer my
computer passed a partitioning test.

Otherwise there is the free ZoneAlarm firewall that just takes a little
figuring out. There is no mystery here for anyone interested in
spending just a little time with it. My daughter is a psych and art
major, no geek and not particularly mechanically inclined and she can
do her own security with a little advice now and then, i.e. reminders
not to open attachments that are not recognized no matter who sends them,
friends can be easily misled, etc.

I'm just an ole carpenter/plumber/electrician/mechanic who needs a job
that doesn't hurt. I am far from certain who the fellow is that
suggests home owners without complex knowledge can't set up a firewall.
It just seems so silly.

Well maybe, not maybe I need to learn something so I'll keep my eyes
and ears open

Satya


Sebastian Gottschalk wrote:
> Zak wrote:
>
> > Seb, I'm new to your view on firewalls but you seem to have in mind a
> > rather different thing than what many people would call a software
> > firewall on their PCs.

>
> A firewall is a concept to separate network segments on a perimeter.
> Running a packet filter on the host that's supposed to be protected doesn't
> leave any way to do such a separation, the packets always arrive at the host.
>
> > Can you say a bit more about what sort of preferred solution I could use
> > which is as economical as possible. (I can't afford lots of sexy super-
> > specification hardware if there is a cheaper and effective equivalent).

>
> For home users? Simply no packet filter or firewall at all. Obviously,
> since you can't achieve any security through such measures without in-depth
> knowledge of TCP/IP and networking - which home users usually don't
> possess.
>
> Against malware there's a very simple solution: Don't run it in the first place.
> Don't use any software that automagically runs untrusted code. Make
> reasonable judgments about the trustworthiness of software vendors.
>
> Anyway, nothing will help against MS Word being a totally broken piece of
> software.


 