Firewall Qs from a beginner

After having read a lot various Qs & As here I decided to take a few of the tests mentioned in the sticky Firewall Questions for Beginners. When I tried the link to Firewallleaktester I was met by

"http://www.firewallleaktester.com will not be available for a few months from now ... Guillaume Kaddouch."

So maybe it should be removed for some time.

I have a few beginner Qs.

There seems to be (very) divergent opinions about the necessity of a software firewall when you are behind a router, even between obviously very experienced people at the forum.

I am on a desktop with XP SP3 (only 1 GB RAM), behind a Netgear WNR1000 (default, except for changing the password and disabling the wireless option), GhostWall (default), NOD32 vers. 3.0, WinPatrol (have upgraded to the paid version to try to learn successively), and cable connection. Now and then I use (manually) Malwarebytes´Anti-Malware (free), Windows Defender, Sophos Anti-Rootkit and CCleaner. Sometimes I browse using Returnil (free), in particular if I intend to test a new program that does not require reboot.

Q1. Does GhostWall (which is very light on my scarce resources) have any effect at all? After all it seems to allow everything (on default).

Q2. Could I as well instead of Ghostwall use Windows firewall?

Q3. Do I need a (light) software firewall that also have outbound protection?

(It is very seldom that the anti-virus/anti-malware programs above detect any threats.)

 

You will find people answering Yes and people answering No, depending on their point of view.

Some want to monitor all outbound connections to prevent their applications from calling out to the vendor's site.

Others want outbound protection to (hopefully) catch any malware that happens to install and then attempts to connect out to another server.

Some examples:

1) Downloader trojan installs and attempts to connect out to retrieve more malware. The firewall intercepts the attempt:

​

2) Drive-by PDF exploit, the PDF Reader attempts to connect out to download malware. The firewall intercepts the attempt:

​

I'm not familiar with the other products you mention.

----
rich

 

It only filters inbound traffic, just like Win fw.

Never used it but apparently it's very light, minimal system impact. Windows fw will do the same but maybe not provide the same info as GW such as logging. GW has long ago stopped being developed, so that could be cause for concern if it one day conflicts with a Win update or other program.

This is toughest to answer. I'd say it depends on you; if and only if you want to control outbound traffic, if you feel sure you won't be annoyed or inconvenienced by the extra effort required to recognize programs or services that need outbound connections and the ports they need to connect to, the ip addresses (if you want this kind of granularity, and protocol they need, then maybe you might feel a need for one. Are you also willing to take on the learning effort required for this? IMO, outbound control of network traffic is optional - not needed for a typical home setup. Just keep in mind it's added maintenance overhead for the user.

Personally, some time ago I went with Win 7 two-way fw control for my trusted programs. It's quite basic but does the job very well with no user interaction required once it's set up. However, getting it setup in the first place is a bit like pulling teeth, because there are no program alerts. The user has to figure out the ports, protocol, ip address(es) if desired, and the programs or services that actually require outbound access. I see you use XP so this not an option for you at this time.

 

rich, I guess that you recommend the Kerio Personal Firewall?

In your first example, shouldn´t WinPatrol alert me so that I can stop the trojan from installing? And shouldn´t NOD32 react?

In your second example, shouldn´t NOD32 react? And if the PDF Reader succeeded in downloading the malware, could it install malware without a reaction from WinPatrol?

JonLezz

 

hmmmmmmmmmm

 

Well, that´s what scares me, since with my limited knowledge, I guess it will be a long steep learning curve. For a while I tried Comodo, but found it annoying because many times I didn´t know if I should allow or not.

JonLezz

 

No, because it is no longer being updated, so I don't think it works on newer Operating Systems, and does not support IPv6, which will be necessary at some point in the future.

Most newer firewalls, unfortunately, are more than just a firewall -- often with HIPS-like protection included. I haven't followed them, so I have no recommendation.

Many who do not use a software firewall for outbound monitoring are satisfied that their security will protect them from malware intrusion.

I'm not familiar with the products you mention here, but if you feel sure that they afford such protection, then you can make a case for not needing a firewall for outbound monitoring.

----
rich

 

First rule for all my PCs and for any PCs that I am in charge of...friends, family...and the vast majority...clients, mostly small business clients.
*All computers must be behind NAT, a hardware firewall. This, by default, blocks all incoming traffic. So by default your computer is protected from all the undesired "noise" of the internet, port probes, worms that spread around looking for computers to infect, etc. In the US, most cable ISPs give you a pure cable modem, so directly connecting your PC to that, your PC is directly on a public IP address..and exposed. So a broadband router should be put in place. With most DSL ISPs now, they ship you combo modem/routers, which already do NAT, so that's a good thing. Years ago with early DSL, you just got a plain DSL modem...again, PC sitting directly on a public IP address, exposed.

So if your computer is behind a NAT router, you really don't need another software firewall, because all incoming traffic from the internet is already blocked by NAT..it's not like something slips past NAT and a software firewall is there as a 2nd block. If you're on a network with other PCs, leaving the Windows firewall enable can help protect your PC if another PC on the same network gets infected and has some bug that can skip across LANs (some do).

Outbound protection....I'm not a fan of those. They're naggy. And to be honest...99.9999999 of people don't know what the heck to do with those alerts. Most of the time end users see an alert about "svchost.exe is trying to connect to the internet, allow yes/no?" Or "explorer.exe is trying.." They're native Windows processes doing their job, and most people just stare at it like a deer caught in headlights, don't know what to do, and then click "allow" anyways..especially after the 188th naggy prompt. Or they end up blocking things that should be allowed, like Adobe alerts for updates, or Java alerts for updates, or Flash alerts for updates...those updates are needed these days. Those are my views. Use good protection in other areas of your computer, and anything that attempts to come into your computer is stopped in the first place. Else...a software firewall blocking malware from going out is like sticking your finger in a hole in the hull of your boat to protect a leak, when you should have done something to prevent getting the hole in the first place.

 

Yes, I am behind a secured NAT router, so this sounds great - and I must admit that I believed that a software firewall was a second block.

I am the only one, so this is another relief.

That is a very apt description of myself before I bought a router and uninstalled the constantly inquisitive software firewall!

Thanks a lot YeOldeStoneCat!

Now I feel a lot more secure (indirect answer to Rmus, thank you too for bothering!)

PS. Why don´t everyone for which a NAT router is an option use one. It seems to be a rather cheap option to be spared much time waste reading about and trying different firewall software.

 

A firewall (outbound/inbound) will be included with DefenseWall 3. I am using the current beta and it is very stable.
http://gladiator-antivirus.com/forum/index.php?s=&showtopic=97701&view=findpost&p=245830

 

It's not a bother at all -- outbound monitoring is a much debated topic!

I would like to amplify on a point made by YeOldeStonecat in his excellent post:

For those who use a software firewall with a rule set, here are two alerts for svchost.

1) How would you evaluate these alerts and what would be your response?

2) How would you teach the "average" user in setting up a software firewall with a ruleset, to evaluate and respond to these?

​

----
rich

 

@G1111
DefenseWall looks interesting, even without the firewall. I will read more about it.

@Rmus
Alerts of different kinds on svchost.exe were frequent when I used Comodo - and I always felt uncomfortable (most of the times I was encouraged to send the file to Comodo for analysis, if I remember correctly). I finally gave up.

I would have felt more uncomfortable seeing the right figure, since the file was found in a temporary folder.

 

If I never had used a two-way firewall (I used various ones over the last 6+ years) I would never have the basic understanding of networking I currently have, although certainly I'm no expert, but two-way firewalls are great learning "aids" for those who have the willingness and more importantly the ambition to learn about basic networking priniples. How to expalin the two example posted by Rmus to a beginner? Well, it's not easy, although doable if the beginner wants to know. They have to obviously know what svchost is and where the legit svchost process resides as a starting point, so that should help them in their decison to deny the second alert, and realize their machine is infected .Multicast streams is a network technology that they would probably just have to read about to know what it is. Not easy to explain imo, for me anyway. I still believe it comes down to the user either wanting to learn about networking basics or not. Some people want to understand what’s going on between their network adapter and the big Internet cloud. There’s nothing wrong with this so I would tend to encourage the use of a two-way fw, at least for a while until they decide it’s worth it or not, for those looking to gain this understanding. I do not want to become a detractor to those seeking to understand by simply replying: “don’t bother, you don’t need it” or “it’s too much work”. After all, knowledge is power

 

I agree.

Do you know of any good basic book on firewalls? I found it too slow to go by trial and error.

I saw a book "Firewalls For Dummies", 2nd Edition, 2003, when browsing the internet. It is a bit old, but judging from the contents it may still be valuable?

 

If you really want to understand firewalls then you have to understand TCP/IP, so I would recommend reading something on that first:
http://www.freebookcentre.net/Networking/Free-Tcp-Ip-Books-Download.html
I would highly recommend Stevens' TCPIP Illustrated, Volume 1 if you don't find it too technical.

 

I learned mostly from the Outpost firewall forum (so many long-term members there with tremendous networking/firewall knowledge) and Googling the 'net. Lots of good info to be found. Also lots in these forums from many knowledgeable members (too bad Stem doesn't seem to post much anymore ). mvario's link, for instance, is another. For me it was a long process, over several years, but I never regret it and am glad to have learned as much as I know. However, I would not want to encourage anyone who finds it a chore, and simply does not possess the desire to learn networking and how two-way firewalls work. That's a kind of obvious approach with anything new to someone. No use taking on the challenge if you don't enjoy it. If you do have that desire, the "need to know", time, energy, ambition, then by all means go for it.

 

Well, it certainly looks quite technical. In the preface I find:

"This book is intended for anyone wishing to understand how the TCP/IP protocols operate: programmers writing network applications, system administrators responsible for maintaining computer systems and networks utilizing TCP/IP, and users who deal with TCP/IP applications on a daily basis."

Also, it is quite old: October 1993.

So, what I need is a text that gives a good, but not overly simplistic, overall picture (including of course TCP/IP) of firewalls, from which I later can go deeper when needed.

 

Rich (Rmus) wrote this many moons ago:
http://www.urs2.net/rsj/computing/kerio/index.html
Worked for me.

Don't skip the Preliminaries.

 

In addition to Pedro's nice link:

http://www.outpostfirewall.com/forum/showthread.php?t=9858

https://www.wilderssecurity.com/showthread.php?t=142036

 

Thanks for the links, Pedro and wat0114!

The Preliminaries seem to be a useful start together with some Internet search.

I notice that in wat0114´s second link you still find (as noticed in my first post):

"To test your firewall's ability to detect outgoing connections, special programs called "leaktests" have been developed which you can download and run on your system. FirewallLeaktester is the best source of information here, containing copies of the current leaktests plus reviews of firewall performance against them."

But the FirewallLeaktester link still leads to:

"http://www.firewallleaktester.com will not be available for a few months from now ... Guillaume Kaddouch."

 

Another question:

Are firewall leak tests applicable to router firewalls? On http://www.testmypcsecurity.com/what_is_a_firewall_leak_test.html you can read:

"The tests pose no real threat to the security of a computer as they are harmless simulations of the attack techniques typically used by Spyware and Trojan horse programs."

But doesn´t that mean that when you use the leak test program, you have deliberately allowed this program outbound connection? And is it not very difficult for a Spyware or Trojan horse program to install itself without being noticed by your anti-virus program in combination WinPatrol Plus?

 

In 10+ years using Kerio I've never had an alert from svchost except when testing. It sounds like some rules were over-tightly configured.

Regarding my 2 screen shots:

Exactly! It's a common trick for cybercriminals to use windows system and application filenames for their malware. But that doesn't fool the firewall. In addition to monitoring location, the firewall maintains a MD5 list which it also checks.

The point made by YeOldeStonecat is that the average user might be fooled.

Regarding you seeking out books: agreed, that often they are more advanced than what you need. As you mentioned, you can start by looking up basic terms on the internet. That's how I did it - I never used a book. Plenty of good articles covering basics, such as

• protocol
• TCP
• UDP
• ICMP
• IGMP
• DHCP
• DNS
• port
• Internet Protocol (IP)
• address

Without this basic understanding, it's difficult to configure a rule set. In the the early days of Kerio, many would copy other's rule sets and run into all kinds of problems. Over at the old, now defunct, Kerio forum, the experts showed no mercy at times, and wouldn't help someone when it became evident that the person didn't have the basic knowledge. While seemingly mean, it really wasn't, since configuring rules is more than just copy-paste.

There is nothing difficult at all about configuring a rule set once the basics are understood. It would be similar to one attempting to use manual settings on a camera without understanding f-stop, shutter speed, focal length, etc.

Regarding Leak Tests: You are correct that they simulate trojans, meaning that they first have to penetrate your security perimeter, as you mention.


----
rich

 

Leaktests in general, are about a rogue process communicating with another process, say Firefox, and using it to connect out. Since you would allow Firefox to connect in your firewall, it would succeed.

Firewalls then evolved - not all thankfully - to do more than 'firewalling'. Some are no longer a firewall, but a 'suite' of sorts.
They now attempt to intercept all kinds of inter-process stuff that happens on your computer, most not related to networking at all.

So when you test leaktests, you would see if the firewall detects this stuff. A traditional firewall would not detect the rogue process connecting out, only the process being abused of. Only if you had a tightly configured ruleset you would have a chance to detect an anomaly (like Firefox connecting to an obscure, not HTTP standard port, in Russia).

Try to search these forums, this has been debated to death, and i'm having trouble to go all over this again. My current opinion though is that, quite simply, ignore them.

 

Rmus and Pedro, many thanks for your posts. Now it is time for me to try to build some more coherent basic knowledge on firewalls - at present I only have scattered glimpses.