There is no problem using the built-in firewall concurrently if you think it’s required.
All the “leaks” are most probably linked to the ICMP protocol (stealth mode).
All the other points in the reports were rather informational at first glance.
Ping is implemented via ICMP as well.
The brief “stealth” theory is the following.
When a remote host sends a packet to a port of the host and the host does not have a listening TCP/UDP socket on that port, the host (the system core) sends a “Destination Unreachable” ICMP message back to the remote host. This functionality is part of the TCP/IP protocol specification, i.e. it’s the standard.
The standard cannot be safe or unsafe; any TCP/IP implementation must just follow the standard.
Suppressing the “Destination Unreachable” ICMP message (breaking the standard) is called stealth mode.
We do think the stealth mode is rather a marketing approach.
http://vistafirewallcontrol.freeforums.org/closed-vs-stealthed-ports-t119.html
Anyway, a connection cannot be established to the port regardless of whether the remote peer is informed about that or not.
The stealth mode (along with many other security “discoveries”) is created by security product manufacturers. The manufacturers have to discover (sometimes invent artificially) security holes and offer protection from (sometimes artificial) threats, following trivial business purposes.
So part of the protection from discovered “threats” is a business godsend, not a real security improvement.
Almost any “independent” firewall test implicitly or explicitly offers one and only one firewall that passes all the tests and so is recommended.
You can check the above yourself.
Undoubtedly, the security report is stuffed with tons of various informational messages like “a file sharing service is running”.
What does it mean practically? The host has a file sharing service and listens on a specific (well-known) port. You manage the system, so you should know about that without any third-party tests, right?
The attempt to connect to the port failed and “Destination Unreachable” was sent back to the peer (the testing service). So the peer knows the PC is on and the service is running.
But the service is untraceable for the peer anyway. So where is the problem?
Moreover, suppressing ICMP may have various drawbacks, like multiple timeouts when “destination reachability” information is used as part of vital application functionality.
As a result, none of the industrial security solutions uses stealth mode or violates the TCP/IP standard.
Actually, to check a firewall independently you would need only a couple of tools, like nmap and netcat for instance.
The main firewall quality question is whether the firewall can block a connection attempt if an application accepts (or issues) the attempt.
If the application is neither listening nor generating network activity, there is nothing to protect with a firewall.
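The closed-versus-stealthed distinction above, and the nmap/netcat style check the post recommends, can be seen with a few lines of plain socket code. The following script is an added example for this thread, not code from the post or from W7FC; it assumes only that the loopback interface (127.0.0.1) is available and probes nothing but the machine it runs on. A TCP connect to a closed port is refused at once (the host answers with a TCP RST, which the client sees as "connection refused"); for UDP the refusal arrives as the ICMP Destination/Port Unreachable message the post describes, and the kernel reports it on the connected UDP socket. A "stealthed" port produces neither, so the tester's probe simply waits for its timeout, which is also the drawback the post mentions for applications that rely on reachability information.

```python
import errno
import socket

# Constructed demo: every probe goes to the loopback address of the machine
# running this script, so nothing leaves the host.
LOOPBACK = "127.0.0.1"


def probe_tcp_port(host, port, timeout=2.0):
    """Classify a TCP port the way a tester's tool sees it.

    "open"      - a listener completed the handshake
    "closed"    - the host answered at once (TCP RST -> connection refused)
    "filtered"  - nothing came back before the timeout; this is what a
                  "stealthed" port looks like, and the wait is the cost
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "closed"
        except OSError as exc:
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "unreachable"
            raise


def probe_udp_port(host, port, timeout=1.0):
    """Send one empty datagram and see whether the host objects.

    On a connected UDP socket the kernel hands the peer's ICMP
    "Destination Unreachable / Port Unreachable" back to us as a
    connection-refused (or reset, on Windows) error on the next recv().
    No error and no data within the timeout means either a silent
    listener or a suppressed ICMP reply, so the answer is ambiguous.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(b"")
            s.recv(1)
            return "open"            # a listener actually replied
        except socket.timeout:
            return "open|filtered"   # silent: stealthed or a quiet service
        except (ConnectionRefusedError, ConnectionResetError):
            return "closed"          # ICMP Port Unreachable was delivered


def demo_on_loopback():
    """Open vs closed on our own host: bind an ephemeral TCP listener,
    probe it, close it, probe the same port again; then probe a UDP port
    we know nothing listens on."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((LOOPBACK, 0))          # port 0: let the OS pick a free one
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe_tcp_port(LOOPBACK, port)
    listener.close()
    after_close = probe_tcp_port(LOOPBACK, port)

    # Reserve a UDP port, release it, then probe it: nothing listens there.
    udp_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_sock.bind((LOOPBACK, 0))
    udp_port = udp_sock.getsockname()[1]
    udp_sock.close()
    udp_closed = probe_udp_port(LOOPBACK, udp_port)

    return {"tcp_open": while_open, "tcp_closed": after_close,
            "udp_closed": udp_closed}


if __name__ == "__main__":
    for name, result in demo_on_loopback().items():
        print(f"{name}: {result}")
```

Run it as-is and the TCP probe reports "open" while the listener exists and "closed" the moment it is gone, and the UDP probe reports "closed" because the ICMP unreachable came back. Pointing `probe_tcp_port` at a port behind a firewall that drops packets is what yields "filtered": the call returns nothing useful until the timeout expires, which is the same delay an application would suffer when it relies on reachability replies.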
W7FC (XP Edition) does not filter ICMP at all in the current version.
W7FC is focused mostly on application protection; ICMP functionality (and the entire TCP/IP stack) belongs to the system as a whole, not to a specific application.
If you do need to break the TCP specification to get “stealth”, you can just switch on and configure the built-in firewall.