Do we really need a firewall?

I am just curious… what can you say on the quote below:

“@John: a good firewall makes a system perfect? oh dear.. I dont run a firewall, and never have done.. I kinda got a bit of a mental block about the whole process of opening up a dangerous port then having firewall software pester my cpu and have it look at every packet that comes through.. better to just close the port.. prevention, not cure ”

It sounds interesting, isn’t it? Is it really possible to be safe without using a firewall?

Of course there’s no reason not to use one coz there are lots of available free programs out there and topics and forums that talks bout firewalls. But… how about if one chooses not to use a firewall? What’s the best alternative that you can suggest… and how can we close all those vulnerable open ports? Can we considers Windows Worms Doors Cleaner (WWDC) of gkweb just enough to close those ports?

 

Hi Sweater .
I always get the idea that you try to goad people with your questions . Well . Here it is . You do not have to use a firewall to be safe . However , you still need something for security in order to stay safe . I can tell you one or 2 products that you can use without ever using a firewall . I will not mention them in here though as people think I might be forcing an opinion on you . Ports being open are not really a problem IF you use an app to detect what is being let through . Bottom line . No , you do not need a firewall . BUT , in order to be secure , you must use something to take the place of one . Some people may tell you just use a router . Same thing as a firewall basically . Hope that answers your question . I would not recommend running without something in it's place though . Otherwise , it is a matter of time before you are compromised .

 

Block all hackable ports with EMSA port blocker or other related apps, use good AV, preferably with a web scanner, you have to harden TCP layer as a rule and practice safe browsing, it is possible to run without one, I for one am only running CHX for inbound, comes close to being without a firewall as I have no outbound protection except for Antihook.

 

Surely we can all connect to the 'net without a firewall, just in the same way as we can drive a car without wearing a seat belt. But firewalls are available, for nothing in many cases, and they do a useful job in helping protect you from some of the many dangers present on the 'net. As with vehicle safety and the fact that we use a combination of seat belts, airbags, crumple zones, safety cages and so on, it makes little sense to NOT use any available security since every bit certainly helps.

Yes, you can operate without a firewall and be fine, but one day it could save your PC and data, so why take the risk?

 

over the years this question has been asked a zillion plus times

My question back to you is: "do you have enough knowledge and experience to attempt it"

an since you had to post the question an ask......no, you do not have either the knowledge or experience......so, the next question would need to be: are you taking bets on how quick your computer will be hacked

 

perhaps your question should be; Will someone teach me how not to need a firewall,

 

Few questions running through my mind are ...

"I kinda got a bit of a mental block about the whole process of opening up a dangerous port"... "better to just close the port"
If you are opening a port surely you are opening them for a reason to allow people to communicate with you ?

Surely you would assess the risk of opening that port before opening it (think network hardware firewalls not just desktop OS)?

Would be daft to open a port to the whole network or machine, so get it forwarded ONLY to the specific machine, specific application (that you trust in the first place enough to want to open a port to it), you need to trust the application that will listen on that port !

What are the alternatives ?

Dunno, problem is you have a server app listening, you never know when your gonna get an inbound request...

what about a firewall ? ... the initial quotee is working on the assumption that the firewall leaves the port open and listens itself ... I thought most/all software firewalls hook into the TCP/IP stack in win nt OSes anyhow, with a driver and intercept the requests before opening the required port (that being if the firewall app is not running the port is shut (default state of driver is to keep ports shut)).

Secure connections, use VPN or similar so that only trusted external sources can connect in?

 

I think the quote is referring to the ports open by default if you run windows 2k,xp etc due to windows services. It's not really your choice to open them, but out of the box they are open.

I'm not really sure if it's possible to close all ports on xp but if it's done, it would reduce the need for a firewall at least if you don't care about 'stealth'.

And you don't think outbound filtering is worth springing for.

 

Only 65,500 or so ports to ensure are closed. Much easier to use a firewall with a final block inbound rule.

 

The short answer is, yes it is possible, but not desirable, recommended, or wise...

 

Hi sweater,

Gordon's reply says it all, of course if you are up to the challenge, you could opt to use TCP/IP filtering with registry entries to enable it in:
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters, whereas the specific settings for each interface are configured in the key:
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\Interface_GUID

Note: Tcp/ip port filtering applies to all interfaces on the computer and cannot be applied on a per-adapter basis. However, you can configure allowed ports and protocols on a per-adapter basis.

What is there, something like about 600 or so protocols out there?

When configuring Tcp/ip filtering, you can permit either all or only specific prots or protocols listed for Tcp ports, Udp ports, or Ip protocols. Packets destined for the host are accepted for processing if they meet one of the following criteria:
The destination Tcp port matches the list of Tcp ports.
The destination Udp port matches the list of Udp ports.
Th Ip protocol matches the list of Ip protocols.
The packet is an Icmp packet.

The Registry Values for Tcp/ip filtering are:
Setting Type Description
EnableSecurityFilters DWORD 1 enables Tcp/ip filtering; 0 disables it.
UdpAllowedPorts MULTI_SZ 0 allows all UDP ports; an empty (null) value blocks all UDP ports; otherwise, the specific allowed UDP ports are listed.
TCPAllowedPorts MULTI_SZ 0 allows all TCP ports; an empty (null) value blocks all Tcp port; otherwise, the specific allowed Tcp ports are listed.
RawIpAllowedProtocols MULTI_SZ 0 allows all IP protocols; an empty (null) value blocks all IP protocols; otherwise, the specific allowed IP protocols are listed.

Too much work to do it manually, but a configuration tool would be nice! Has anyone ever heard of any for Tcp/ip filtering?

-- Tom

 

Well all you need to do is to ensure that there are no applications listening on the ports ..... No need to filter all 65K ports. If so application is listening, you can't be hurt anyway.

 

Sure, years ago I used to do it with win2k ipsec. Something like this. http://homepages.wmich.edu/~mchugha/w2kfirewall.htm

 

Hi,
I think firewall is essential for 99% of computer users. You can use router or packet filter, but I still think it's nice to know what goes out as well as in.
Mrk

 

Depends on different situations...

Firewalls.. seem to be a thing of convenience, probably just the nature of an environment evolving around those that don't understand it.

Many are told that firewalls protect your computer.
From hackers.
But many do not possess the technical knowledge of what exactly they are protecting...how, why, etc.

I want my 8 minutes back.