Firewalls Useless?

In the thread http://www.wilderssecurity.com/showthread.php?t=5091;start=0;boardseen=1
wizard stated "For the personal firewall: for home users I would recommend not to use one except there is a real need. There is a lot of hype regarding personal firewalls these days but when it comes to the point what level of additional security they really bring it shows up that they are more or less useless."
I don't think I've ever read this. Seems to go contrary to everything I've heard. Could wizard, or someone, explain the reasons for this thinking about firewalls?
Thank you,
Scotcov

P.S. I put this question here because the original statement is in the AV section. Hope I did OK

 

I cannot agree with the statement of wizard, I don't know why he did such a statement because without a firewall you leave your door from and to internet complete wide open.

I complete agree with the statement of Wilders.org about firewalls:

"Firewalls are a special way of security, offering a specific way to protect one's system and
are not configured that easily, if they are "rule-based". Because a bad configured firewall
would just create a fals feeling of security, what follows is an explanation to what a firewall
actually does, providing a simplified explanation about TCP/IP and Networking.

A firewall takes care of filtration from data, accepting or denying request to communicate
with several applications and machines, keeping a log file and alarming if something in
this traject seems to be wrong."

Because many people configured their firewall bad, just like Paul Wilders says, it creates a false feeling of security, but a good configured firewall gives a lot more protection for the bad and ugly on internet then without firewall.

Nothing is perfect, included firewalls, but doing nothing against attacks is completely wrong!

 

What you've said is what I've always thought, Smokey. But I really would like to hear from someone who understands the other viewpoint. It always seems to help my understanding when I hear different views (as long as everyone stays nice )
Scotcov

 

I agree very home user should have a software firewall.
In the ideal world , every home user would have one old 486 running Linux as a server before their main PC. OR a good (hardware firewall) I don't even think you find these classes in your local high-schools. Isn't that strange since a person could take alternative energy classes in the early 80's
these were classes that taught you how to make solar panels from next to nothing and get a 40 percent TAX break for installing on on your home.
I think we need these HOW-TO classes on home security.
What is the cheapest ways for the home user to protect their family from the evil forces on the internet? Class 1a
Then offer a nice tax break as an incentive for those that
implement these protective techniques...

 

Maybe wizard can explain here why he cames to his point of view about firewalls?....

BTW Everybody on this board is always nice

 

Everyone has opinions on such things. I have seen discussions on the need for firewall, is stealth necessary, should firewalls also incorporate content filtering, and many more related items.
I use Win 2k and with a little tweaking, I could secure it from most exploits, without a firewall. But I cannot tweak it to stop a trojan from connecting out while I am online. That and many other reasons prompt me to not only use a firewall myself, but also to highly recommend it to everyone else.
It is another line of defense in my layered protection, and I would not throw it away for anything.
Just my .02

 

I agree !
I think a FW is extremely important. I would feel very vulnerable without it, especially after seeing all those portscans and such that are in my ZA logs.
They serve they're purpose just as AVs' ans ATs' do !
You need them if you are planning to connect to the "outside" world !!

regards,
bill

 

I think Wizards very brave in saying how he feels lol and i think theres a grain of truth in what he says . Especially if you live in the USA currently with all the controlls an monitoring of ones privacy that is in swing . Sometimes loading up ones system with all the best security measures can indeed give one a false sense of security , in that you trust that these security measures will not be utilised to your disadvantage by those who know how to do so with out any awareness on your part , just my halfpenny thrown into this really interesting thread , regards , Robert

 

I'm going to make several responses to this thread (unless I get distracted!).

First, it seems to me that many of the respondents have totally missed the fact that Wizard said "personal firewalls". He didn't say firewalls in general and he didn't (so far) say anything about alternatives to firewalls that are readily available (and often considerably less complex, and cheaper, i.e., free and already available on most Windows platforms) to provide the same functionality.

Also, he qualified his statement (not as well as he probably should have, but nevertheless ....) Specifically, most home/personal/small office users relying on an ISP for their Internet connection are not knowingly running a web server, an e-mail or newsgroup server or an FTP server. Indeed, for most such users to do so would violate their ISP's ToS/AUP. (You do this, knowingly or unknowingly, and you're dead meat anyway in most instances. The only question is who shuts you down first? Your ISP or some skiddy or cracker?)

Moving on to the next response ...

 

Stupid External Port Scans

These are the most common 'exploits' reported by (or simply alarming) people using personal software firewalls. They are launched, for the most part, by clueless skiddies who just got a new 'toy' from one of their buddies in an IRC chat room. No real 'cracker' has used this method in probably years. Furthermore, you can get these scans from your own ISP! (Mine, for example, has a tendency to scan regularly looking for illegal -- under the ToS/AUP agreement under which I operate-- Web, mail, news, and FTP servers at irregular intervals.)

And, if you're relying on GRC, Sygate, Symantec, DSLR, PCFlank, HackerWhacker, or whatever to 'scan your ports', that all they're doing themselves. Do you need a personal software firewall (PSF) to 'protect' you from these kinds of 'intrusion attempts'? Not hardly. For the most part a NAT router will serve quite well -- and that explicitly includes the software-based NAT router included (free of charge) in every Windows OS since Win 98 SE. It works perfectly well even if you're on a stand-alone machine using a dialup connection.

Other options? Well, a hardware NAT router can do the job, also (again even if you're stand-alone) and it also gives you a nice option for building an in-home LAN. Hardware routers are as cheap, if not cheaper, than the bleeding PSFs these days and far simpler to set up and configure -- at least as far as these particular vulnerabilities are concerned. Actually, several companies now make combined hardware routers/firewalls that are cheaper than the current crop of 'pay for use' software firewalls. You don't have to worry about 'upgrading' (and paying for it) or buying additional licenses for additional machines, either.

Okay, now, let's move onto the vaunted 'outbound' threats for which PSFs are deemed so essential. Next post . . . .

 

My thanks for all these superb responses. Discussions like you gentlemen have carried on are what makes this forum great for learning. I think that maybe I understand firewalls just a little bit better.

My appreciation to you all!
Scotcov

 

I would have to agree with root as security is a major issue and one can't have enough in my opinion. I for one am running OutPost Firewall, Norton Anti-Virus, Trojan Remover, and use Spyware Blaster and MRU Blaster....overkill?? maybe...but let me say this gentlemen...I've been using the net for 3-1/2 years now have blocked numerous attacks with my firewall....blocked numerous virus's and have stopped and disabled trojans with my trojan software...... Without these tools in my humble opinion your asking for trouble while surfing the net. Its best to be armed than defensless!For all our members here is a great security site one can read up on security http://www.computercops.biz/index.php
I hope this small contribution helps

 

Look, I understand what you are saying. I probably use more security utilities than most of the people who frequent this forum. All I'm trying to do at the moment is explain where wizard was coming from (as I understand it). He has a point; I just wish he had made it a bit better.

Ahh, Zhen-Xjell's website! Okay, I'll try to cover this stuff shortly and explain what (I think) wizard's point was.

 

JVM,
I'm sorry, but I must be missing the point.....do you think their is a need for a PFW ?(no router)
You may be trying to explain Wizard's post but it almost seems you are in agreement.
As for your mention of GRC, PC Flank, Sygate, etc., portscan tools and exploit tests....are you saying that those types of tests are not similar to say...a real hacker's attempts to exploit a PC ?

thanks and regards,
bill

 

Hold on, first, let's go back and re-read (carefully) what wizard said (probably off the cuff, admittedly). . . .

(emphasis added)
First, his comment is quite clearly addressed to 'personal firewalls'. This thread, however, seems (at least to me) to be taking it as a blanket denunciation of all firewalls (and some seem to be taking it as a dismissal of all security measures whatsoever). Just note the thread title: "Firewalls useless?"
Second, he expressly made the point "except there is a real need". Oddly, no one at all seems to be picking up on that part of his statement. What constitutes a 'real need'?
Third, he references "additional security", but again no one has broached the question of "in addition to what?" An increment over what? What's readily available as part of OS security measures? An increment over that AV (and preferably at least with some AT capability) that all of us have been universally recommending for the past twenty years or so? (And why am I answering these questions instead of wizard himself? )

Yes, I use a PSF, but I also understand the thrust of his comments (I think!) I believe his main thesis is that the majority of people who think "I've got a firewall; I don't have anything to worry about!" are as misguided as those who say "Oh, I don't need a firewall; I don't have anything here that someone would want and I'm not going out of my way to irritate people on the Internet!" In other words, I think he's saying that the subjective assessment of the value of having a firewall (and nothing more) is as misguided as the subjective presumption that since your machine came with an AV software application, you don't need to worry about viruses (or Trojans, or worms, or spyware, or key-loggers). I think he's saying that an awful lot of people simply think you need to have a firewall -- that you don't have to configure it; you don't have to update it; you don't have to maintain it, and (in certain hopefully rare situations), you don't even have to use it! It's just there (somewhere on the machine); so what's to worry?

Why aren't we talking about what (i.e., under what circumstances) makes a software firewall advantageous? Again, probably 90 % of the people reading this thread here at Wilders have access to Microsoft's Internet Connection Sharing (ICS) or Sygate's Home Network (SHN) or WinRoute, or a hardware router that's inline as part of their cable or DSL hookup.

Let me make sure I've got this straight: These people have probably already got one of the above but can't be bothered to set it up (correctly). Obvious solution: Install a software firewall and bother to set it up (correctly, I hope). (Am I the only one that sees a problem here?) And if they do set this stuff up correctly, just how much additional protection does the software firewall provide? Well, that's what I'm trying to explore here, nothing more, nothing less.

The answer to this question is fairly involved. Let me pick it up in another post shortly, okay?

 

I'm sorry, JVM . I wish I could change it.
Scotcov

 

Hey, guy, ain't no big thang! You should check out the titles I've put on some of the threads I've started!

 

Hi Joseph,

Thank you for that post (no, I don´t mean the one directly above )
I wish I could express myself like that. Glad you did it for me.

~applaud~

Pieter

 

Okay, back to this part of your prior post. I'm not real happy with the way I've formulated my response, but I guess it will have to do for now.

Now, let's all remember one thing: My prior post (to which you responded) had to do with unsolicited inbound probes against your machine. I haven't yet gotten to the 'outbound' threat.

Bottom Line?: No; no real hacker (I prefer the term cracker, but nevertheless...) is going to be so stupid as to assault you with such a blunt-edged tool as unsolicited probes of your TCP/UDP ports. All that does is make him (or her) stand out like a sore thumb. Between MyNetWatchman, dShield.org, and those large ISPs and corporate blocks that report directly to SANS or CERT (not to mention the individual user who simply fires off an abuse notice to the relevant ISP), this approach is now sheer madness. (Oh, they 'spoofed' their IP address? Well, then they didn't get any information back anyway, now did they?) True, the entire world is not hiding behind a firewall or an IDS or possessed with a memory-resident AV/AT/Registry monitoring utility. Still, how do they know that you aren't? (Think about that last question; it has some serious implications.) None of these crackers are going to take the chance that you've got such defensive measures in place (which they don't know about) and will consequently be able to 'back-trace' them. How do they know you haven't set up a honey-pot, that you're not running a router and logging unsolcited inbound? Well, really, there's only one way: Because you've told them you aren't (knowingly or unknowingly). Save for some third-world countries, any idiot who would be stupid enough to do this is likely to find him/herself in a world of hurt in very short order -- especially today.

No, no, no, the real crackers (as opposed to the skiddies and the wannabees) are using entirely different approaches to messing with your head (and your PC). They're relying on 'social engineering' to allow them into your system as part of a communication transaction that you have authorized. And, of course, if you're authorized the communication, the firewall itself (strictly defined) isn't going to do a damn thing to prevent the 'intrusion/insertion''. At that point, as the security guys warning about Code Red II and Nimda pointed out, "You've just been scr*wd -- by Grandma!" You're 'own3d', my man. Game over -- time to re-format, re-boot, re-install (and kiss all your saved work behind -- because "Who knows what evil (now) lurks in all those previously saved work files?").

Okay, now I want to go back to one of your previous postings in this thread, where you said

You didn't elaborate on that statement, so I need to ask. Are you talking about multiple (and unsolicited) 'probes' against a particular local port -- or are you talking about 'multi-port' scans?

I have to ask because 'multi-port' scans are rare as hen's teeth in my own personal experience. Indeed, if I eliminate those from MY OWN ISP (looking for unauthorized Internet servers in contravention of the ToS/AUP agreement under which I am blessed with their services), I typically only see this once or twice per month.

Now, as for the others (multiple probes against a single local Port from a single remote IP address), almost all the ones I'm seeing can be attributed to:

• Worms -- and especially worms such as Code Red, Nimda, and MS SQLSnake. (I don't see OPASERV and BugBear for the simple reason that my ISP has apparently shown the foresight to block them.)
• Point-to-Point File Sharing Requests I'm not quite sure why I see these, inasmuch as no one here uses any of these applications. I would assume it's because I'm on a dynamically assigned IP address -- still, that address doesn't get changed all that frequently, but the suckers still keep rolling in.
• Skiddies -- Looking for a RAT Trojan that someone else might have been kind enough to install on my box(es) (with my collusion, of course) and relying on a default 'listening' service for the RAT in question. For the most part, the skiddies themselves couldn't install the frigging RAT in the first place even if it would get them a spot on "Would you like to marry a millionaire".

All of the above can be handled adequately by a hardware or software-based router on your end. (And they will do it far better and more simply than a PSF.) Some will simply show 'Closed' whereas others will show 'Stealthed'. I think this was a considerable part of Wizard's point. How much 'incremental' protection does a PSF provide over what's readily available to you, simply using the utilties readily available to every Win OS user since Win 98 SE? (Again, in the terms of 'unsolcited inbound intrusion attempts'.)

So, okay, now you're starting to think "Okay, bright guy, just how do these guys penetrate your system?" Well, that's a whole 'nother topic, now isn't it? Watch this space ...

 

" They're relying on 'social engineering' to allow them into your system as part of a communication transaction that you have authorized. And, of course, if you're authorized the communication, the firewall itself (strictly defined) isn't going to do a damn thing to prevent the 'intrusion/insertion''. At that point, as the security guys warning about Code Red II and Nimda pointed out,"


I only wanted to mention All you want to know about Social Engineering
can be found in Kevin Mitniks book.

He seems to be a regular guest on Tech TV these days.
They still don't allow him to touch a PC while on the show.

 

I am really intrigued by this discussion. It's a good one with well thought out positions. LowWaterMark, as have others, have done a fine job of refuting the statement by Wizard.

To me, in reality, it's a common sense issue.

Many people opt for a dead-bolt lock on their front doors. However, many don't have them on their back doors. In fact, I don't. When I think about it, it's rather silly not to. Are we just going to give the best protection available to the front door? It only takes a thief ten seconds to come around back and do his thing. So, frankly, I would recommend to anybody (If I were a home security expert) to put a dead-bolt on the back door as well. Some would argue it's not needed. Maybe it is, maybe it isn't. However, what harm could it do to put a dead-bolt on the back door? There is no way to tell someone it's not needed "except under certain circumstances" because that brings up a whole new issue of what "circumstances" bring about the "exception." If it can do no harm, yet potentially do great good (alerting on outbound connections) why not recommend the personal firewall? If I put that dead-bolt on my back door, I have no way of knowing if I ever deter an attempt to break into my home. But I know this: it's sure not going to make me any less safe for having done so! Once the doors are secure - remember the windows. Can we do too much to keep our families safe? Can we do too much to keep our data safe?

I think not.

I would highly recommend a personal firewall without hesitation.

All the best,
John
Luv2BSecure

 

Useless? Maybe not the best choice of words, as there are things that can be gained from running a personal software firewall.

Are personal software firewalls necessary? Perhaps this may be more to the point.

In a public forum such as this, one has to take into account your audience. The experience level of persons participating here will vary from the newest users, to professionals, and all of us in between. The manner in which all these user systems are being used will be just as varied.

When discussing the risks associated with the Internet and educating new users in securing their systems, I recommend the use of a personal software firewall as part of the layered approach to system security.

Encouraging users to take time and learn a little more about how things work is also important. Software firewalls will form part of this learning process and provide them with insight as to how their system and applications are interacting with the Internet.

Some users may not want to go beyond a set it and forget it type approach.

Others will gain experience and become more conversant with computer security. These users will discover the flexibility and control software firewalls and other utilities afford and use them to their fullest in securing and auditing their systems.

Experienced users can easily secure systems (OS) from unsolicited connection attempts, monitor outbound traffic and may be quite comfortable in running without a personal software firewall. But this does not mean they are not using other essential applications/utilities to keep their systems secure. And this approach is definitely not for everyone.

But all these unsolicited connection attempts (the scans most news users are alarmed to see in their logs) are basically harmless and the least of our worries. As JV is starting to touch on, social engineering is a greater threat.

As mentioned above, the manner in which all these systems are being used will vary greatly. One has to take this into account when recommending what may or may not be required. How many different users will be using this system? How many different users and systems are on the home LAN? All it takes is one inadvertent click to compromise the system and/or LAN.

As we are likely to see multiple users with varied experience/knowledge and more home set-ups with multiple systems, the layered approach is probably best for most home users and this includes a personal software firewall.

As LowWatermark commented:

When it comes to knowledge and experience, there is a lot of it here on this forum. Likely one of the reasons most of us participate here, to learn and share our experiences and make knowledge the number one tool in our system security.

 

I really hesitate to post an opinion, since I know I have only a fraction of the knowledge of those who have posted. But what luv2bsecure said makes the most sense to me:

Nevertheless, I want to express how fascinating and thought-provoking JVM's posts have been.
For that matter, everyone's posts have been fascinating!
Scotcov

 

After typing a 15min response, I looked up at the screen and it was gone !! ARGGGHHH !! Here's a shorter version !!

JVM,
<<<<You didn't elaborate on that statement, so I need to ask. Are you talking about multiple (and unsolicited) 'probes' against a particular local port -- or are you talking about 'multi-port' scans? >>>>

I was talking about the Worms and P2P. I also agree that multiport scans are rare. Occassionally I get hit with a scan for a Rat or Bot on the higher port scale but none too often. Harmless ? Perhaps...but "the Devil you KNOW is better than the Devil you DON'T !!"

<<<< They're relying on 'social engineering' to allow them into your system as part of a communication transaction that you have authorized. And, of course, if you're authorized the communication, the firewall itself (strictly defined) isn't going to do a damn thing to prevent the 'intrusion/insertion''>>>>

Are you referring to ICQ, MSN Mess., MIRC, P2P, etc.... ?
If one of the above programs becomes infected and I run say MSN Mess, my Firewall's MD5 Checksum will advise me that the program has changed. Of course I would investigate.
If you are stating that a Trojan or Bot might be dropped in a PC using one of the above utilities, than a properly configured Firewall should alert the user of the connection attempt.
I'm willing to bet that at least 75% of experienced users have and use a Firewall.

thanks and regards,
bill

BTW.... I'm not being argumentative, It's just part of the learning experience and all comments are related to the learning curve !!