Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin
On Thu, 15 Sep 2005 07:56:07 -0400, Karl Levinson, mvp wrote:
> There are ways you can research these things...
Generally I do two obvious things each time I get a NEW message.
1. I run a reverse-IP address lookup at www.dnsstuff.com
2. I search Google Groups for the exact message (often I find others have
the exact same question, with the exact same message, and IP address).
Should I do more?
I'm hoping others can find THIS THREAD, for example, when they get the
messages I just posted and therefore they'd get the advice we all so
desperately need.
Where would YOU go when you received any one of the messages previously
posted when you didn't explicitly ask for that IP address to connect to
you?
> however, you will get so many of these alerts, and it is so
> fruitless to research them all, that I strongly recommend you consider
> a firewall configuration that does not alert you all the time with
> these things.
THAT's THE WHOLE POINT OF THIS THREAD!
With Sygate Personal Firewall (and I suspect all software firewalls), you
can tell the program to silently ignore and simply LOG all these
connections! My question was really WHICH OF THESE WOULD YOU IGNORE?
> Having a firewall ask the user to make decisions is a security accident
> waiting to happen, and is also a significant consumption of your time.
Is there any other choice?
These requests were made to my machine and I must respond to them.
Of course, I could simply say "Accept All Requests" but that would be
folly. The question really becomes two questions:
1. Which of these common requests is truly something to ignore
2. Of those which aren't ignorable, HOW DO NOVICES FIGURE THEM OUT?
> If and when you do want to research these things, you should look up what
> the remote IP address is
I generally use
http://www.dnsstuff.com but your suggestion of adding for
www.nwtools.com or www.netsol.com is valid. I did that, for example, with
the DHCP server request. But, that really only tells me who owns the
machine. It doesn't tell me WHY they would be contacting me. (Remember,
that server only contacted me once and I have been using this same setup
for years). So, why, all of a sudden, would a machine which purports to be
a DNS server, be contacting me?
> It's also useful to know what the protocol [e.g. TCP] and remote port number
> is... the firewall alert below didn't seem to tell you, which is really
> dumb.
In defence of the Sygate Personal Firewall, there is a DETAILS button which
spits out a huge amount of cryptic (to a novice) information about
something called a "packet" so the remote port MIGHT be in that listing.
> A really smart firewall would let you inspect the TCP flags and contents of
> the incoming packet, but I guess that's too much to ask.
I could post the DETAILED information if it would help (caution, it's
cryptic at best).
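As an added illustration of the "which of these would you ignore" question raised in this thread (example code written for this page, not from the original posters or from Sygate), the script below sorts constructed personal-firewall alert lines into "log-only" noise versus "review" by what the alert itself shows: source address, protocol and ports. The local subnet, the configured DNS resolver and the log format are assumptions chosen for the example; as the thread notes, this tells you what a packet is, not why a host sent it.

```python
import ipaddress
import re

# Constructed sample alerts in the rough shape of a personal-firewall log:
# timestamp, direction, protocol, remote addr:port -> local addr:port.
# Made up for illustration; not taken from the thread.
SAMPLE_ALERTS = [
    "2005-09-15 08:01:12 in UDP 192.168.1.1:67 -> 192.168.1.50:68",
    "2005-09-15 08:02:30 in UDP 192.168.1.7:137 -> 192.168.1.50:137",
    "2005-09-15 08:03:41 in TCP 203.0.113.9:4521 -> 192.168.1.50:135",
    "2005-09-15 08:04:02 in UDP 198.51.100.2:53 -> 192.168.1.50:1026",
    "2005-09-15 08:05:15 in UDP 192.168.1.1:53 -> 192.168.1.50:1027",
]

# Assumed local configuration (hypothetical values for this example).
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
CONFIGURED_RESOLVERS = {ipaddress.ip_address("192.168.1.1")}
LAN_CHATTER_PORTS = {67, 68, 137, 138, 1900, 5353}   # DHCP, NetBIOS, SSDP, mDNS
WINDOWS_SERVICE_PORTS = {135, 139, 445}              # RPC, NetBIOS session, SMB

ALERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<dir>in|out) (?P<proto>TCP|UDP) "
    r"(?P<rip>[\d.]+):(?P<rport>\d+) -> (?P<lip>[\d.]+):(?P<lport>\d+)$"
)


def triage(line):
    """Return (verdict, reason) for one inbound alert line."""
    m = ALERT_RE.match(line)
    if not m:
        return ("review", "unparseable alert line")
    rip = ipaddress.ip_address(m["rip"])
    rport, lport, proto = int(m["rport"]), int(m["lport"]), m["proto"]
    # Broadcast/discovery traffic from machines on the same LAN is routine.
    if rip in LOCAL_NET and (rport in LAN_CHATTER_PORTS or lport in LAN_CHATTER_PORTS):
        return ("log-only", "routine LAN broadcast/discovery traffic")
    # A packet from port 53: expected only from the resolver we actually use.
    if proto == "UDP" and rport == 53:
        if rip in CONFIGURED_RESOLVERS:
            return ("log-only", "reply from configured DNS resolver")
        return ("review", "unsolicited packet from a DNS port of an unknown host")
    # Internet hosts hitting Windows service ports: keep blocked, worth a look.
    if lport in WINDOWS_SERVICE_PORTS and rip not in LOCAL_NET:
        return ("review", "Internet host reaching a Windows service port; keep it blocked")
    return ("review", "no rule matched")


def triage_all(lines):
    """Triage every alert line; returns (line, verdict, reason) tuples."""
    return [(line, *triage(line)) for line in lines]


if __name__ == "__main__":
    for line, verdict, reason in triage_all(SAMPLE_ALERTS):
        print(f"{verdict:8} {reason:60} {line}")
```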