Why install a firewall?

Was thinking of the different reasons people want to install a firewall.

Here is what I have so far:

• I am meant to have a firewall to protect my pc
• To stop an automated attack (MSBlast, SQL Slammer virus)/protect against application that has a known/unknown vulnerability
• Hide machine from other machines on the network
• Control outbound traffic

What other reasons do you have?

 

# Hide machine from other machines on the www
# Control outbound traffic

Able to see what IP's are scanning me via the real time logs. Lots of Very interesting IP's in there from time to time, including .MIL .GOV etc etc

Looks nice lol.

 

The reasons are not new. Here is the reference:

https://www.wilderssecurity.com/showpost.php?p=809711&postcount=1

 

Was not suggesting they are new .. I was looking at reasons why people want to install a firewall, would like to find out other reasons I did not list.

I am not talking about feature sets or how something works, what is the problem you are trying to solve with the firewall.

 

The 2 most common reasons are:

1) To block unsolicited inbound traffic.
2) To attempt to control outbound traffic.

I don't think there really are many other reasons....

 

"Control outbound traffic" covers a lot of scenarios, including a few that some might not think of:

• Blocking internet access during specific time periods (parental control, such as no internet browsing or instant messaging after 11PM, restricting gaming hours, etc).
• Being notified when and to where an app, system component, or an unknown wants to connect out (for an update or other reasons)?
• Blocking connections to/from specific sites, countries, adservers, etc.
• Some software needs to receive incoming connections to function properly, but only from one IP or small IP range. A software firewall can block all incoming connections to that application that don't originate from those specific IPs. Should a vulnerability be found in that application, the address specific firewall rules will protect it from attack and hide it from port scans that target the port it uses.
• When properly configured, a good software firewall can make the internet seem a bit faster by blocking the unnecessary connections and traffic that consume your bandwidth. On DSL or cable, the increase would be too small to matter, but on dialup service the apparent increase can be quite noticeable.
• On a home or small business network, software firewalls let the user control how much access the different PCs have to each other.
• With many software firewalls, the user can stop all traffic with one or two clicks.
• Allowing a primary browser (FireFox, SeaMonkey, K-Meleon, etc) full internet access while restricting another (Internet Explorer) to a very narrow list of sites.

 

my only reason is: outbound control

and for that i think look n stop is the best, light and not chatty and very effectiv, you can even block lns itself from connectin to internet.

 

I do it because it offers me greater control and forces me to learn more about what my machine is actually doing. I've learned a lot from using Outpost which wouldn't of happened if I just had Windows firewall turned on.

 

The main reason I install a firewall is to filter inbound to my liking.

 

To hide my PC from the internet...which is where the bad stuff is. That includes hackers using tools, exploits, the self spreading of worms such as Blaster/Slammer, etc. All the "noise" of the internet.

 

Ignorance and/or paranoia are the main reasons.

 

As far as I know, that is not possible. If you're referring to "stealth", well... don't get me started on that one. "Stealth" has been proven useless on many occasions before, but still no one seems to care.

These need an open port/a service listening on a half-opened connection to be exploited. If not used, services should be stopped/ports closed. If used, a firewall won't help, in which case patches should be applied.

There are tools that can get past most personal firewalls even if you think you are "hidden", let's not name them for security's sake. However, there are some firewalls (1 or 2 that I'm aware of) that can be utilized to stop these attempts, if correct rules are applied (and not default config).

On the contrary, I think Look'n'Stop's strength is in inbound filtering and the ability to create RAW rules. If your only concern is outbound control, then you don't need a firewall. You can disable L'n'S internet filtering altogether or use a HIPS with network protection.
___________________________

To reply on topic, a firewall is not an anti-malware device. It is a filter for network protocols. Whether you need such filter or not depends on your preferences and personal concerns. For most users, the only concern is to stay malware free. They should look at anti-malware software instead.
If you wish to allow ARP only to/from your router, control ICMP types/codes, filter TCP flags for malformed, allow/disallow packet fragmentation, then a firewall is for you. Unfortunately, most of the popular personal firewalls will not allow for such granular control (which imo makes them almost useless), so I can totally understand comments like this one -

Cheers,

 

finally someone that understands, i completely agree with you.

 

That one struck a chord for me..

I am tempted to ask what those (1 or 2) firewalls might be..?? However, if reluctant to comment, then maybe in the interests of security, how might those correct rules be applied, ie that vary from the default configurations you refer to - simply looking at those rules that if not implemented properly would otherwise allow the "tools that can get past most personal firewalls" to do precisely that, or is this what you are referring to here:

Peter

 

Re: Why install a firewall - my little rant...

Thank you, seer. That is the way I understand firewalls as well. The internet can be a scary place, especially if you've experienced some of the nastier trojans out there (as I recently did). Unfortunately, internet security software seems to require the user to be a security software engineer to optimally configure it! That is the fault of the industry, not the user. If I worked in the industry - yeah - I'd expect I should know port protocols, packets, etc, inside and out. But it's tough enough just trying to be an expert in my own profession without having to be an expert in this one as well. Never the less, I was learning a lot with Sygate PFW, especially reading the logs and developing rules. But without a real expert to look over my shoulder, I wonder if I ever really "got it right".

That said, do you have any good online or book references that explain this stuff "for dummies" - a good general primer?

Thanks,

Lee

 

How you define a firewall determines if this statement is correct. As people have different meanings for the same words this is where we get in to problems. While I agree with you I think to many people now view installing a firewall means they are after, what you refered to as a HIPS with network protection.

Which is why I asked the question of why are you installing a firewall in the first place. If you understand what people expect when they install a firewall, gives a better understanding of how they define what a firewall is.

 

I like to define a term "firewall" as an inbound filter. It must do that first, everything else is secondary. The fact that most users are now behind routers does not lessen the importance of inbound filtering in software firewalls. To me, at least.

Binding your MAC to your internal IP will stop ARP spoofing on a LAN (many users are now on untrusted ISP LANs), filtering TCP flags will drop various stealth scans (not just the famous GRC SYN scan), disallowing packet fragmentation will render breaking through closed/stealthed ports impossible.
I am not saying that these features are necessary for everyone, different people have different needs. Some are on trusted LANs (or no LANs at all), so they have no interest in ARP. Some are not concerned with stealth scans, etc., but my point is that a firewall should have correctly implemented inbound filtering, even though you have no use of it at the moment. You can use such a firewall in all scenarios (not just behind the gateway) and, in an unlikely case of a possible attack, this firewall may actually be of some use.
Very few firewalls give you this level of control. Many are advertised with ARP protection, stateful inspection, where you are left to trust the vendor on correct implementation. Some firewalls that I have tested (not the latest builds, but still) had state tables where TCP SPI was advertised, "pseudo-stateful" ARP actually did nothing where it should, so I learned to distrust the vendors. And use a transparent firewall that will allow manual control. As I said, very few firewalls (ok, not 1 or 2, there may be 2 more) can do this, so it shouldn't be very hard to imagine which ones I was referring to.

Unfortunately, I am not aware of any "dumb" references. I could google for some info and post the links but they would all be long reads. As a good strarting point, I can recommend looking at OSI model and following subsequent links. Wikipedia explains this correctly, if not in a very shortened (and possibly "dumbified") form.
For a more detailed information, take a look at RFCs on TCP, UDP and ICMP, as the most common protocols an average user will encounter.

Cheers,

 

I think I am understanding this a little better, it's really helpful.. and have been reading lots, here and elsewhere, but must admit that it takes a lot to go through to gain just a little useful knowledge..!!

Most vendor speak is "marketing driven".. and not too many are then qualified to judge, for such features, just how much the the various tick box (or even more granular) settings on a firewall actually achieve what they claim on the box, unless they have personally tested them, or have access to someone else's tests..

I guess I am slightly struggling to see the difference say between a firewall that can filter TCP flags and one that can't (in its rules interface) if the firewall is anyway simply going to drop any inbound packets that don't correspond to a specific and expected shape and format (ie if it applies a basic default deny), but appreciate that at the moment this is still well beyond my knowledge base..

Thanks..
Peter

 

If a system doesn't connect to the internet it doesn't need a firewall.

 

Expected shape and format are defined by packet header parameters. A firewall cannot just drop (give no reply to) any packet, it must be able to look as deep as possible into packet header to do this properly. For example, if a firewall filters TCP on IP and port level, but is simply hard-coded to drop unsolicited connection attempts (gives no reply to SYN flag, passes GRC scan - a case with many personal firewalls), you can then send a FIN flagged packet against it, a firewall will block it, as it is unsolicited. By blocking it, it gives a RST reply, so you know that this port is closed, even if the firewall passed the SYN scan as "all stealthed". To be able to drop such packet and give no reply, it must be properly configured to drop the FIN flag, either by filtering implemented (hard-coded) by vendor, or by user. This is where I prefer to do my own filtering than trusting the vendor on proper implementation based on his "opinion" what should be filtered. I have my own opinion which very often differs from vendors', so I like to have this little benefit with some firewalls - granular rule creation.

 

Which software do you recommend for inbound protection to average users on cable modem or router, beside Look 'n' Stop? Thanks.

 

Windows FW.

 

OK, I follow what you are saying.. It prompts more questions (!), but in the meantime I think I need to try and read more on this and understand it all better..
Thanks again...

 

Good advice. Windows Firewall will filter TCP protocol better than most 3rd party firewalls and home routers. It will not filter lower layers at all, so if you are on a router with trusted LAN, Windows Firewall would be a good supplement.

 

Out of curiosity, is there anywhere that one can objectively find out how well different personal firewalls perform at such flag filtering.. Firewalls like LnS and Jettico appear to provide full manual control over the process. The Windows firewall is very much set and forget, and yet "will filter TCP protocol better than most 3rd party firewalls"?

If trying to gain a better understanding, where does one go to understand the competencies of other third party firewalls in this context. There was a firewall thread a year or two back I think where Stem was testing one or two (and included the Windows F/W) but I seem to recall he did not have time to cover too many third party products. Has anyone else carried out any wider tests in this context (that one can locate)?