Security → My ISP recommends no firewall

I just got off the phone with a technical support rep from my ISP. I was complaining of slow download times (I am on dial-up) and I happened to mention that I have NPF. The technician stated that I should uninstall my firewall and I will probably see an increase in speed.

Is this advice plausible or is he out to lunch?

Thanks in advance to any replies.

Jake

He's out to lunch. Keep the firewall and call back to talk to someone else who knows what they are talking about. Better yet do a tweak test here on DSLR and see if you can improve yourself.

No firewall.... yeah right!

This is one of their many lame excuses.....

My system downloads/uploads at the same speeds with the firewall loaded, shutdown, or uninstalled.

There have been a few cases where programs like firewalls have slowed down your connection speed due to them being mis-configured, but these are not the majority of programs. They also don't want to troubleshoot connections with active firewalls since they don't know what is being blocked, and even ZoneAlarm has been known to block traffic even with the firewall shutdown...

They are blowing smoke up your usb ports

Bad advice. Do not follow it. Most ISP now make software firewall and antivirus packs for their customers to use. He should be reported to your customer care unit. If you don't have his name that is ok as they have a record who you talked to in their customer database.
[text was edited by author 2002-04-05 21:32:48]

I see no difference in my speeds using a firewall. I think he was just blowing you off because he didn't want to deal with your problem. You WANT to use a firewall, don't let them tell you otherwise.
Now that you have the CORRECT info, call back and give 'em heck.

NO WAY!
I have been asked to exit my firewall by a tech while doing speed tests. But never UNINSTALL it!
Please report that individual to a supervisor.
There is no telling how many people have followed that advise and are now surfing without a firewall.
That guy needs to be released immediately!

Thanks to all who replied. His advice did not sit well with me but I needed a second opinion. He is the second support tech at my ISP that has told me to uninstall my firewall. I remember the first guy I talked to told me there was nothing he could help me with if I did not uninstall the firewall and also told me he was going to make a note of this on my account in case I called in again. It may be more than a couple of support people with bad advice. Maybe my ISP has an unofficial policy to discourage the use of firewalls. But why?

Check out my previous reply, I gave a couple reasons, but they should not be the basis for this kind of support crap.

If you have proven that disabling your firewall gives you no speed increase, then that's that....

Next time just shutdown your firewall for that short bit of time, and turn it back on when they are done doing whatever to your machine. The chances are low that something will get into your system during that time unless you have an active trojan installed on your system.

With ATTBI, they run tests against your computer, and modem that usually are blocked by your firewall. So after having to tell them to re-run their tests a few times I just shutdown my firewall everytime I talked with them about a problem with the service....

said by jake5983:

---

Maybe my ISP has an unofficial policy to discourage the use of firewalls.

---

If this is the case they have the wrong people handling the service. If you have an alternative ISP in the price range then call them for a suggested price. You can combine price with service quality. Here in Sweden it takes 2 weeks to change your broadband ISP and carrier for phone. All it takes is a phonecall and a signature. Some even can do it on the web.

As you stated you had a dial-up then you just get an account from another ISP. Often this can be made online.
[text was edited by author 2002-04-05 22:16:47]

said by BlitzenZeus:

---

Check out my previous reply, I gave a couple reasons, but they should not be the basis for this kind of support crap.

If you have proven that disabling your firewall gives you no speed increase, then that's that....

---

I have tried disabling my firewall and it makes absolutely no difference to my speed. I told the first guy this and he came back with something to the effect that even though the firewall is disabled, it still makes changes to the registry that can cause problems so that's why it must be uninstalled.

said by Frosties:

---

If this is the case they have the wrong people handling the service. If you have an alternative ISP in the price range then call them for a suggested price. You can combine price with service quality. Here in Sweden it takes 2 weeks to change your broadband ISP and carrier for phone. All it takes is a phonecall and a signature. Some even can do it on the web.

---

You know, it might just be time to change ISP's

I wholeheartedly agree with whomever suggested you call and demand to speak to a supervisor. Don't settle for a tech, talk to a mgr and find out what the heck they're smoking down there. If he parrots the same idiocy, I'd strongly suggest finding a new ISP, because obviously those people would be idiots.

I also strongly agree you should go over to the Tweaks forum here, answer the 11 questions, and let those folks help you out. They are very good at what they do, and very generous with their time and expertise. If there is room for improvement on your setup, they will find it.

Ok, they don't really even know what they are talking about. They are trying to make excuses...

Next time disable it, and lie to them that you even have one installed.

ISP like to get rid of firewalls for the following reasons, IMHO:

1) So that they can ping and otherwise see what machines you have connected to the internet so the can, now or in the future, charge you per machine. It may already be in your TOS. (It did take an act of Congress to forbid cable operators for charging per TV)

2) Some ISP's, especially cable ISP's, install spyware software as part of their installation software suite so they can delivery "content" from "partners", either now or in the future.

3) It makes diagnosing problems with customers equipment easier for them with the brain dead 1st & 2nd tier support people using the spyware and or pings into the customers equipment.

4) They really want to follow a broadcast model of data delivery, however they want the "TV" slaved to what they want you to see. This can only happen if there are no firewalls so they can control your PC. Nobody does this yet, but I certainly think cable executives at Crapcast, among others, are have wet dreams over this.

Anyway that's my 2 cents, I certainly may be more paranoid than is justified. But on the other hand "Fritz" Hollings did introduce the CBDTPA which is about as worst case as one could imagine.

said by jake5983:

---

Maybe my ISP has an nofficial policy to discourage the use of firewalls. But why?

---

said by Conejo:

---

I also strongly agree you should go over to the Tweaks forum here, answer the 11 questions, and let those folks help you out. They are very good at what they do, and very generous with their time and expertise. If there is room for improvement on your setup, they will find it.

---

I actually have done a considerable amount of tweaking using DrTCP and have made some excellent progress. Unfortunately, I live out in the country and I do not think the phone infrastructure is up to much. I think I have squeezed just about everything I can out of this dial-up connection.

said by BlitzenZeus:

---

Next time disable it, and lie to them that you even have one installed.

---

Sounds like solid advice

said by jake5983:

---

I actually have done a considerable amount of tweaking using DrTCP and have made some excellent progress. Unfortunately, I live out in the country and I do not think the phone infrastructure is up to much. I think I have squeezed just about everything I can out of this dial-up connection.

---

If it's available, you should consider fixed wireless.
That is, if you don't have a better alternative.

What OS are you running? Just a thought. You can unbind NetBIOS from TCP/IP to get a more secure set up (or at the very least disable print and file sharing if it's enabled) and then run a port scan (with your firewall disabled) to see if you have any open ports. If you're not running any services/servers your ports (theoretically) should be closed. (Not sure if you can fully achieve that with XP given all the stuff it has running.) Check out the links at the top of the forum for port scan sites (including dslr) and how to unbind NetBIOS.

I suggest this because if your system is secured in this manner you could feel better about temporarily uninstalling your firewall to get your ISP to deal with your issues. That is, if you can't get anyone there to deal with them with your firewall installed. If your ISP techs had a clue, they might have suggested this themselves.

BTW, are slow downloads a recent problem? Could be the phone lines and/or equipment. If you're in an area serviced by a number of ISP's you might want to check out the competition.

Actually your ISP Sympatico do recommend that you use a firewall according to this page.

"If you think it is possible some one is accessing your PC, dial or HSE then it is definitely a good idea to install a firewall to stop further intrusions."

But from their bad support I would see if there is another ISP to change to. Service and good support is important when it comes to internet and phone service. Also in the TOS the state that you are solely responsible for your computers security.

[text was edited by author 2002-04-05 22:53:30]

said by jabbawest:

---

If it's available, you should consider fixed wireless.
That is, if you don't have a better alternative.

---

The only broadband option I have is one way satellite. I tried it and gave up on it after only six weeks. It is really expensive and the performance really sucked.

said by sig:

---

What OS are you running? Just a thought. You can unbind NetBIOS from TCP/IP to get a more secure set up (or at the very least disable print and file sharing if it's enabled) and then run a port scan (with your firewall disabled) to see if you have any open ports. If you're not running any services/servers your ports (theoretically) should be closed.

BTW, are slow downloads a recent problem? Could be the phone lines and/or equipment. If you're in an area serviced by a number of ISP's you might want to check out the competition.

---

I am running windows98se and I have unbound NetBIOS from TCP/IP and port scans show all ports to be closed when I scan with my firewall disabled.

Slow downloads have been a problem ever since I moved here last November. I actually phoned tech support of another ISP today and explained my situation and asked if switching to them might help. The guy I spoke with said no, the problem most likely is in the phone lines. I also phoned the telephone company and they are going to perform some diagnostics on my line to see if they can spot any problems.

Does your modem support V.90?

"However, as of March 21, 2002, Bell Sympatico will be making changes that will impact members currently using the K56Flex modem protocol. These members will still be able to connect to the network, however, they will not be able to connect using the K56 Flex protocol. If their modem does not support the V.90 protocol, they will connect at the next lowest protocol standard (i.e. V.34+ or 33600bps - a slower connect speed)."

said by Frosties:

---

But from their bad support I would see if there is another ISP to change to. Service and good support is important when it comes to internet and phone service. Also in the TOS the state that you are solely responsible for your computers security.

[text was edited by author 2002-04-05 22:53:30]

---

It may seem hard to believe but other than these two support people insisting that I uninstall my firewall, I have been pleased with the technical support I have received.

said by Frosties:

---

Does your modem support V.90?

"However, as of March 21, 2002, Bell Sympatico will be making changes that will impact members currently using the K56Flex modem protocol. These members will still be able to connect to the network, however, they will not be able to connect using the K56 Flex protocol. If their modem does not support the V.90 protocol, they will connect at the next lowest protocol standard (i.e. V.34+ or 33600bps - a slower connect speed)."

---

My modem does support V.90, however I am using an initialization string (AT&F+MS=V34,0) as recommended by tech support which does seem to help.

I could be wrong about this since I don't know the init strings for modems based on the rockwell chipset, but that looks like it might limit the connection of your modem to only v.34(31200bps).

It seems your lines are in poor shape, and they are limiting your connection speeds. So you might do trial/error to find what your modem can be stable at, and limit your connection to that. It might only be 42000bps, but its sure not 31200.

said by BlitzenZeus:

---

It seems your lines are in poor shape, and they are limiting your connection speeds. So you might do trial/error to find what your modem can be stable at, and limit your connection to that. It might only be 42000bps, but its sure not 31200.

---

With no initialization string, my connection shows as being 26,400 bps. Is that sad or what?

The last time support at my ISP told me to shut off the firewall, I told him, well, I can't repeat that here The mild part was that he's stealing his paycheck.

That's slow. It's what I got for a long time when I had dial up until I used a command string (for a US Robotics modem), similar to the one you use, that gave me either 28,800 or 31,200kpbs. If I tried, without the special command string which restrained the modem to 33,000kbps or less, I could get a connection at 42,000kbps but could not sustain it for more than 30 minutes and usually only about 10 minutes. So, it was necessary for me to use a command string that would restrain the modem to a speed my noisy phone line from Verizon could handle. You might do a 3 com line test if you haven't already. Well, I see it isn't presently available, but here is the link for when it is back up and you don't have to have a USRobotics modem to test. »www.usr.com/products/lin ··· test.asp
Also, here is a link to the best site on the internet for modem help. My friend runs it and you can learn a lot here and get really good help. »808hi.com/56k/

Regarding a firewall, I got rid of ZA three months ago because the latest version was causing frequent BSOD's. I have a cable modem now, but I had gotten ZA when I had dial up. I haven't used a firewall since and I'm just fine. Of course, I have followed Symantec and Steve Gibson's recommendations regarding netbios, proper bindings, etc. And I have no open ports. Hacker Whacker (among other tests) says I'm not vulnerable so I don't agree anymore that a firewall is absolutely essential. I turn off my modem when I'm not on the internet making my connection no more vulnerable than dial up. I realize what I'm saying will be considered "heresy" here, but please - no flames. If I were you, since you have dial up, I would just can the firewall as you don't really need it if you disable file and print sharing, make sure your bindings in networking are safe and make sure you have no open ports.

said by Mele20:

---

Regarding a firewall, I got rid of ZA three months ago because the latest version was causing frequent BSOD's. I have a cable modem now, but I had gotten ZA when I had dial up. I haven't used a firewall since and I'm just fine. Of course, I have followed Symantec and Steve Gibson's recommendations regarding netbios, proper bindings, etc. And I have no open ports. Hacker Whacker (among other tests) says I'm not vulnerable so I don't agree anymore that a firewall is absolutely essential.

---

Thank you for the two links you provided. I have bookmarked both of them. The line test is still down but I will keep checking back and try it when it is up.

I too have followed Gibson's recommendations and every port scan I perform (including the full TCP scan at Hacker Whacker) shows all ports closed when I disable my firewall and perform the scan.

I realize there is a variety of opinions as to whether a firewall is truly needed. My main reason for using a firewall is to alert me to any attempts at an outbound connection. I like to control what applications have Internet access and I like the idea that I could catch a potential Trojan this way. I don't think I have too much to worry about though in the way of Trojans as I am running BOClean.

I believe my firewall, although maybe not essential for my particular set up now (I used to have DSL when I lived in the city) is properly configured and should not pose a problem in terms of my connecting to the Internet. I notice absolutely no difference in speed or quality of browsing when I disable it.

At this point, I have no plans to uninstall my firewall but I do appreciate your feedback. I am very curious to see what the results of that line test are.

You aren't the first one to be told to uninstall the
firewall someone I know someone who uses Sympatico the
tech told her the same thing she had big problems with
script kiddies they installed a screen saver with a horrible face harrassed her and her kids in msn messenger
they laughed and interrupted conversations belched unbelivable. I fixed the problem sprayed the script kiddies in her pc with raid (works on them too not just insects heheh) got rid of msn messenger (they weren't happy about that) patched the box it took me 4 hours to fix everything I found subseven, hack attack trojan, a worm in a song from a file sharing service, a nimda variant what a nightmare.

Glad I don't use Windows

[text was edited by author 2002-04-06 17:49:11]