
Firewalls - are they really needed?

Hi,

I wanted to start a healthy debate on firewalls, specifically outbound firewalls and are they really required?

I've personally gone from ZA, to Comodo to Online Armour. I'm currently sitting behind a NAT'd router with an inbound hardware firewall and Windows XP SP3 Firewall turned on. Nothing more. No outbound filtering.

A couple of interesting articles and a quote or two from each:

http://ask-leo.com/is_an_outbound_firewall_needed.html
My preference is to use a hardware device such as a router with NAT (Network Address Translation) enabled. This does an incredibly effective job of hiding your computer from outside access. You can connect out, but outside computers cannot initiate a connection without your having explicitly configured your router to allow it.
Using a router also takes the burden of that work off of your computer. In fact, a single router can act as a single effective inbound firewall for all the computers that are connected behind it.
Now, don't get me wrong: software firewalls do have their place. In particular, when traveling and using open WiFi hotspots I'll absolutely turn on the built-in Windows firewall. Software firewalls are also a good choice if you have no router, or if you cannot trust the other computers that share your router. But in either case that's for the firewall's incoming protection against external threats, not the outgoing.
http://technet.microsoft.com/en-gb/magazine/2007.06.vistafirewall.aspx
Make no mistake: client firewalls are no longer optional. To protect your computers from your own corpnet and from the Internet, client firewalls are required.
The bigger deterrent was the security theater performed by manufacturers of other client firewalls. Some people believed that the design of the Windows XP firewall—namely allowing all outbound traffic to leave unfettered—was insufficient functionality for a client firewall. The argument was that a sufficient client firewall should block all traffic, inbound and outbound, unless the user has specifically granted permission.
Now, let’s think this through for a moment. Two scenarios emerge.

* If you’re running as a local administrator and you are infected by malware, the malware will simply disable the firewall. You’re 0wn3d.
* If you aren’t running as a local administrator and you get infected by malware, the malware will cause a third-party firewall to raise a dialog filled with a foreign language involving ports and IP addresses and a very serious question: "Do you want to allow this?" The only answer, of course, is "Yes, you stupid computer, stop harassing me!" And once that dialog goes away, so does your security. Or, more commonly, the malware will simply hijack an existing session of a program you’ve already authorized, and you won’t even see the dialog. Again, you’re 0wn3d.

There’s an important axiom of security that you must understand: protection belongs on the asset you want to protect, not on the thing you’re trying to protect against. The correct approach is to run the lean yet effective Windows firewall on every computer in your organization, to protect each one from every other computer in the world. If you try to block outbound connections from a computer that’s already compromised, how can you be sure that the computer is really doing what you ask? The answer: you can’t.
Outbound protection is security theater—it’s a gimmick that only gives the impression of improving your security without doing anything that actually does improve your security. This is why outbound protection didn’t exist in the Windows XP firewall and why it doesn’t exist in the Windows Vista™ firewall.

Comments

  • There's no debate to be had here. Firewalls are a gimmick.

    Reasoning may help people trying to understand your unconventional view. I've tried to back my current thoughts up with facts from learned people, something similar would be nice ;)
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    There's no debate to be had here. Firewalls are a gimmick.


    I'm actually amazed YOU don't have one Torres. You know, for those 'dodgy' programs ;)

    For the debate ~
    IF you get a keylogger or some other spyware/malware on your computer (VERY possible)
    then without a decent firewall it WILL send information out (Keylogger in particular could send out your passwords as you write them etc).
    Simple as that really

    Anyone at all going to try to claim that getting these on the computer is IMPOSSIBLE?
    :idea:
  • fwor
    fwor Posts: 6,860 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    It depends on what you're doing and how well you understand computer security.

    I have a router with NAT, and a hardware firewall inside that, and every PC runs an IPTABLES based software firewall, but with the outgoing rule completely open. For Linux it's probably good enough.

    However, if I need to run something on a Windows-based PC which I'm not sure is well-behaved, I'll have ZA in use as well, so that I get warned if it's trying to "call home".

    I also installed ZA on my Dad's PC and it's useless in practice. He's no idea what the warning popups mean (i.e. he knows something is trying to connect to the internet but has no way of knowing if they are good or bad).

    So I reckon they do have their place, but for the "average" user, the sentiment of those articles is probably about right.
  • aliEnRIK wrote: »
    I'm actually amazed YOU don't have one Torres. You know, for those 'dodgy' programs ;)

    For the debate ~
    IF you get a keylogger or some other spyware/malware on your computer (VERY possible)
    then without a decent firewall it WILL send information out (Keylogger in particular could send out your passwords as you write them etc).
    Simple as that really

    Anyone at all going to try to claim that getting these on the computer is IMPOSSIBLE?

    Personally I'm savvy enough to believe the chances of me getting said spyware/malware is very slim; however, I would still advocate installing and running anti-virus scans, anti-spyware scans and anti-malware scans. I've also got Windows Update turned on and SP3 installed. I'm also using Firefox with add-ons. Finally I'm not into downloading from P2P, notoriously riddled with nasties.
  • The firewall in my router is annoying enough without de-stabilising my system with one of the dreadful software ones. I am taking steps to eliminate the firewall in my router so I can enjoy headache-free downloading.

    Which router?
  • I have a router based hardware firewall. I also use a 3rd party Windows firewall specifically to block outbound connections; I have apps which want to communicate, and I don't want them to.
    I accept that my pc/net use may be slightly different to the norm :)

    just having a quick peek at the logs, the router is busy as always, the software wall has yet to meet any inbound questionable event...
    May false logic undermine your whole philosophy.
  • Conor_3
    Conor_3 Posts: 6,944 Forumite
    If you're connected via a router, whether wireless or cable, a firewall isn't really needed. The NAT on the router protects you from inbound connections. Yeah, a software firewall will stop outbound ones but that's only if the malware doesn't disable it, use a port that other applications use and the user doesn't click allow when asked because they don't know what it is.

    I've never used anything other than Windows built in firewall since Zonealarm started causing problems half a decade ago. Never had a problem and neither has any computer I've built or configured.
  • Conor wrote: »
    If you're connected via a router, whether wireless or cable, a firewall isn't really needed. The NAT on the router protects you from inbound connections.

    What about if your network is wireless enabled and there are other machines connected which may be infected. They'll then circumvent the inbound hardware firewall, hence the reason for having the Windows Firewall turned on. Two layers of inbound firewall with minimal overhead.
    Conor wrote: »
    Yeah, a software firewall will stop outbound ones but that's only if the malware doesn't disable it, use a port that other applications use and the user doesn't click allow when asked because they don't know what it is.

    As the technet article says, malware can disable the outbound firewall. Malware can also hijack an existing session of a program you’ve already authorised and you won’t even see the dialog...
  • fwor wrote: »
    I also installed ZA on my Dad's PC and it's useless in practice. He's no idea what the warning popups mean (i.e. he knows something is trying to connect to the internet but has no way of knowing if they are good or bad).

    Agreed; I have about ten instances of svchost.exe live and running, if I deny a single one of them internet access then I don't get online.

    God knows what info they're sending back to Microsoft HQ :confused:
    You'll always miss 100% of the shots you don't take - Wayne Gretzky

    Any advice that you receive from me is worth exactly what you paid for it. Not a penny more or a penny less.
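The svchost.exe problem raised above (several identical-looking instances, and no way to tell which one a "Do you want to allow this?" prompt refers to) can be made tractable by mapping each instance to the services it hosts and the connections it currently holds. The script below is an added example, not code from the thread or from any of the products mentioned; it assumes a modern Windows with the Get-NetTCPConnection cmdlet (Windows 8 / Server 2012 or later) and an elevated PowerShell session.

```powershell
# Added example: map every svchost.exe instance to its hosted services and
# its established TCP connections, so an outbound-firewall prompt naming
# "svchost.exe" can be judged by service name instead of guessed at.
# Assumption: Windows 8+/Server 2012+ (Get-NetTCPConnection), run as admin.

# Hashtable keyed by process id (as string) -> the Win32_Service objects in it
$svcByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

Get-Process -Name svchost | ForEach-Object {
    $procId = $_.Id

    # Service names hosted by this particular svchost instance
    $services = if ($svcByPid.ContainsKey("$procId")) {
        ($svcByPid["$procId"] | ForEach-Object { $_.Name }) -join ', '
    } else {
        '(no services registered to this PID)'
    }

    # Established outbound/inbound TCP sessions owned by this instance
    $conns = Get-NetTCPConnection -OwningProcess $procId -State Established `
        -ErrorAction SilentlyContinue |
        ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }

    [pscustomobject]@{
        PID         = $procId
        Services    = $services
        Established = ($conns -join ', ')
    }
} | Format-Table -AutoSize -Wrap
```

An instance hosting an unfamiliar service name, or holding connections to addresses you cannot account for, is the one worth investigating before deciding what to allow; the Windows Update, DNS client and BITS services are the usual reason an svchost instance needs the network at all.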
  • Conor_3
    Conor_3 Posts: 6,944 Forumite
    What about if your network is wireless enabled and there are other machines connected which may be infected. They'll then circumvent the inbound hardware firewall, hence the reason for having the Windows Firewall turned on. Two layers of inbound firewall with minimal overhead.

    Do I really have to go to Securityfocus and post some links?