Can someone explain the point of a Firewall?

I run an inbound Firewall on Ubuntu but I don't really see the point.

I see Firewalls as a way to limit exposure. So let's say I have samba running on my system as an exposed service.

With a Firewall:
All ports are closed except those necessary for Samba.

Without a Firewall:
All ports are closed except those necessary for Samba.

So if Samba is my attack surface I have two options:

1) Disable Samba. With no service behind the port I've removed the vector, right?

2) Enable a Firewall to block Samba. An attacker can't reach the service, so the threat's removed.

The only difference I see here is that a Firewall removes access to code but in itself adds its own code. Disabling a service only removes code.

So what am I missing? What's the point of a Firewall? If I have a Firewall and I open all of my ports but there are no services behind those ports how am I any less secure than having a Firewall with only specific ports open?

 

A firewall can in theory help enforce the principle of least privileges.

It can to some extent help make sure programs are able to "access (use) only the information and resources that are necessary for its legitimate purpose".

A firewall can also serve as an additional layer in case of software bugs, maybe you specified to the server that it should disable and not use the built in remote control option but due to a coding error the hacker could still connect. (opera browser for instance currently still loads iframes despite the user specifically say in the settings that it should block iframes, what says that servers can't have bugs..).

Firewalls can sometimes help detect(log, alert wrong uses) and/or stop attacks (or possible limit the damage).

 

Perhaps another way of putting it is that while the app opens the port for expected communications, the firewall regulates the traffic to help ensure that communications are only as expected.

Additionally, it will help block known network attacks that could create connections that wouldn't happen under normal circumstances.

A gateway firewall can take this a step further with IDS/deep packet inspection to help filter exploit attempts for various types of clients and servers, and possibly application firewalling to provide even more granular control of the requests/commands/etc (blacklist and/or whitelist) that can be sent to your server.

 

I'm not referring to outbound Firewalls here. Just to be clear.

How can a local Firewall do this?

Reading on I see you mean perimeter. I apologize, I was unclear. I meant local firewalls/ host firewalls.

Sure. But if a program has access to one port (we can assume it does if it's being exploited) then does it matter whether it has access to other arbitrary ports? An attacker can simply use the ports available, right?

To me this is IDS, which would be separate from Firewalls if I'm not mistaken.

So to clarify:
What is the purpose of an inbound Firewall for users when they're already behind a network Firewall?

I guess it would be isolation from other active devices on the same network? But then we're back to "just disable the service" if you don't want local access to it. Or I guess if you use really specific rules with the firewall it might make sense.

 

You can just as easily set host and/or subnet restrictions on incoming connections with a host firewall.

It's not about the port itself, but the resource that opened the port; a port itself isn't anything but a sort of address to a program. The port doesn't give full access to everything behind the firewall, unless the program listening for connections is exploited. An attacker would need different ways to compromise each different program.

Mostly it would help in the event that someone got behind the network firewall (either physically, remotely, or via malware), but it may also offer you more granular control and/or other options that a network firewall wouldn't. There may also be features that you can't use on the network firewall because they cause too much disruption for the other hosts, but not your server.

IDS isn't necessarily separate, although it can work on its own and not all firewalls have IDS. It uses deep packet inspection, which is the next step up from stateful packet inspection. These are more typically found in network firewalls, but not always. You can find application firewalls for both host and network.

If you're the only person on the network then a local firewall certainly won't be as necessary, but it's still a good layer to have. You never know what the next vulnerability will be.

 

Exactly... I was about to say something similar, but this is it in a nutshell.

 

What I mean is that if I compromise a browser and the browser has access to ports X Y and Z, I don't need access to A-W, I can just use what I've got.

I suppose I can see the point for finely grained rules.

 

If the browser has access to X Y and Z then that is outbound. A browser is not a server process that listens on an inbound connection. It attempts an outbound connection then establishes a two way connection when its outbound attempt is accepted by the remote server. There is a three-way handshake procedure here: Syn - Syn-ack, Ack.

 

And what ports a program uses for outbound depends entirely on the server it's connecting to. A compromised program may not be able to use the ports that are already allowed by the firewall (depending on what it wants to do); for one thing, the firewall SPI would be more likely to detect and stop something like an IRC connection (often used by backdoor trojans) attempted over port 80 (HTTP), as an example. AFAIK this is standard enough in firewalls that what you describe is not attempted anymore.

A firewall is also going to protect the operating system's network stack, which is actually probably a bigger reason to use the firewall (exploit the network stack and it won't matter what services you have disabled). Besides that, however, if you put a firewall on the system with the samba server, then the firewall is going to help stop attempts to compromise the server using network connection exploits (fragmented or malformed packets and such).

If the server was compromised then it would not be able to take over any ports that the server is already using, and a firewall would prevent it from opening any new ports; if you locked down outgoing communications as well then it wouldn't be able to connect anywhere at all; it's communication would be limited to what's normal and expected.

 

My take on it is that incoming connection blocking on a desktop computer that is behind a router won't help you much. The only thing you could use it for is if you thought another computer behind your router could be launching attacks on you. In that case you can set up your firewall to only allow incoming connections from a specific address.

If however you are not behind a router so your computer has an externally routable address, then incoming connection blocking is much more important. You could take it on yourself to make sure no program is configured to listen on the external address, but that is time consuming and error prone. Plus you might get it all done, and a software update later could open you up again without you noticing.

In this case you could set up your firewall to allow no listening on the external ip. In the case you actually wanted one program to have access, you could then whitelist it.

 

Malformed packet attacks haven't been a threat in years. Still good to protect against them I suppose.

 

I suspect there are many people adding other types of Internet enabled devices (TVs, printers, alarm systems, surveillance cameras, thermostats, light bulbs, etc) to their private network. Perhaps such use of a software firewall would be more frequently beneficial than it seems.

 

Software firewalls, in my opinion, only have value in preventing malware from phoning home.

Back in the Windows 98 era, remote attacks were common and effective. IIRC, even the Linux kernel was somewhat vulnerable to them. But times have changed and, barring something like an SSH vulnerability or very out-of-date internet facing services, remote attacks are kind of uncommon. Nowadays, it's all about browser-based malware and DDOS.

If someone used Windows 7 or Windows 8 with Google Chrome and perhaps Sandboxie, and they practiced safe downloading habits (e.g. no bittorrent piracy), then I don't think a Firewall or AV or anything else is even necessary.

 

i like to keep an eye also on legitimate programs.

with a firewall that alerts me to outbound connection, i can see if an app is connecting to the internet when there is really no need to.
if it does, i look for a competing product.

 

Some installers automatically open a web browser so that the developers/company behind the application can track the percentage of users who actually install it... or something like that. One of the measures one has to stop this, is to have one browser has default and prevent it from connecting to the Internet, while having a second browser that we actually use.

This has worked fine so far. Any traces left by the portable browser are also cleaned.

 

Firewall is also useful because it can alert you about inadvertedly installed spyware/adware. Some years ago, i installed a software that was supposed to be freeware. At least the author was claiming so. Soon after, i got an outgoing request from an exe that i didn't know and didn't seem related to the program. It was "bundled" in the installer and with no option to uninstall it during installation. The firewall made me aware of its presence, blocked, uninstalled the proggie too and since then i try to only get software from softpedia. But that's not always possible, as there is often some obscure freeware out there that is downloadable only at author's site.

Of course at the same way, it can let you know about malware that your AV missed and it uses a not very sophisticated way to phone out instead of hijacking your browser for example. So you see suddenly an outgoing connection and you think "what the hell is that?". And then you start with the on demand scans.

 

Thanks for posting this....I am behind a router, using Windows 7 built-in firewall and felt I am fairly secure...your post helps reinforce that feeling of security.

 

Among the NSA guides, there's a fact sheet on "Desktop or Enterprise Firewall?" that you can read here (PDF).