Inbound firewall: Necessary?

Discussion in 'other firewalls' started by Rmus, Jun 16, 2009.

Thread Status:
Not open for further replies.
  1. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    Yes. The Windows firewall is free, routers have their own (NAT) firewall, and of course there are third party software firewalls.

    Theoretically, in the situation you mentioned, a firewall would not be necessary.

    But something can always go wrong.

    A hardware or software error/bug, a simple mistake, some Microsoft/Windows update messes something up, you let someone else use your computer and something goes wrong, etc.

    The Windows firewall is free, and very light. So what's the excuse for not using a firewall ?
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    It is something I have been asked many times, I always think about it at that time, but always come to the same conclusion and say yes. The protection of inbound is not just specific for closed ports, but for current outbound ports that should not be seen by scans etc.

    - Stem
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Can you elaborate on this? How does a scan see a current outbound port?

    And what could happen if a scan sees a current outbound port?

    thanks,

    rich
     
  4. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    I think what Stem is saying is that any app on our PC that makes outgoing connections opens up a port. Logically the port would have to be open for an app to make an outgoing connection and to receive incoming data.

    A hacker who is port scanning at the time will see the port open up giving him an open door, or an opportunity to carry out his attack.
     
  5. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Not really.... let's say the user is browsing and port 80 is open outbound. At best, all a "hacker" could do is fire some UDP junk packets back into the browser, which the browser would then proceed to ignore as it wasn't expecting anything except TCP responses to his outbound traffic. I seriously doubt there's anything anyone could do via port 80, or any other port, as it would depend entirely on the software holding the port open to be vulnerable to some specific manipulation, something that, to my mind, is not too likely. So I guess I'm saying, practically speaking, the danger is zero.
     
  6. wat0114

    wat0114 Guest

    Then why don't businesses worth their salt simply run Windows firewall, or even no firewall at all, if all they have to do is ensure services or other software are not holding open ports? There must be a reason they are using serious hardware firewalls such as Cisco, right? And again I bring up YeOldeStonecat, with his obvious experience in the IT industry, who continuously brings up the importance of routers and hardware firewalls but is rarely taken seriously in these forums on their value. If it were so easy to run workstations securely without a hardware firewall perimeter, especially in a corporate environment, then there would be no need to fork out big $$ on this hardware. As for the home computer environment, whether single PC or more, < $100 for a router is a mere pittance well spent.
     
    Last edited by a moderator: Jun 17, 2009
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I'd say a business or enterprise is another story, they are more of a target than any average home user. A business will run a firewall to keep pests out. Home users don't typically have pests.

    I really don't know what all can be done to a corporate firewall from the outside, but there must be some reason for concern, yes. But a home user? No way.... I could have run Win2k for 5 years without any firewall and be none the worse off...
     
  8. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,038
    Location:
    Texas
    I'm not sure that is entirely true given the amount of home computer users that show up in forums needing help. Whether it happens by just using the internet or by intentionally going to risky sites is a question I can't answer.

    I really see no reason not to use a firewall or any other tools that may prove helpful in your digital life.
     
  9. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    I don't quite get what you guys mean by "port 80 is open outbound"

    because port 80 would have to be flapping its doors open for Inbound as well, otherwise how else would your browser receive Incoming data?
     
  10. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I just mean that the TCP traffic is initiated by the user by loading a browser let's say, so the initial traffic is outbound, with the responses coming back inbound. All I was saying there is that I don't think anyone could pick on the user's open port 80 by sending traffic to him as the browser would receive it and wouldn't have a clue what to do with it. For anything bad to happen from the outside, a port would need to be open, AND an app or service with an exploitable vulnerability would have to be holding that port open. Unless you think someone bombarding the port 80 browser user with packets to the point of disrupting his data stream is a real threat.
     
  11. wat0114

    wat0114 Guest

    I haven't figured out Vista or Linux yet, but XP will typically use a local port range between 1024 and 5000. Port 80 on your machine would only be used if you are running a web server. Remote port 80, used mostly for average surfing, is not open on your PC.
     
  12. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Sure, common sense says use a router, or a software firewall if needed, agreed there... I use a router myself, and have been trouble-free for years. Just because it's possible to go without one doesn't mean that's the practical thing to do.
     
  13. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    True, I was using (remote) port 80 to mean browser traffic in general I guess. The local port in use by the browser would be some local port most likely in your 1024-5000 range yes... But still, for that to be exploited from the outside, the browser would have to have a vulnerability and the outsider would have to know exactly how to exploit it. Most likely the browser would just be brain dead to any attempts.
     
  14. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Yes, yes, of course you're right, port 80 is open on the remote server. The browser uses other ports on your PC.

    But I just wonder how vulnerable to hackers the port range of 1024-5000 really is when opened by your browser?

    Edit. Also, what about gamers who need to forward ports for certain games on their router? That just leaves doors wide open on your router.
     
  15. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    The browser will open one or a few ports to do its job. Any ports opened will be open to the browser only. As mentioned, there would need to be an active browser vulnerability to be exploited, and someone who knows how to exploit it for some gain or other...
     
  16. wat0114

    wat0114 Guest

    No arguments here. I'd say you are absolutely right, as others such as Rmus have explained. I was only trying to explain to arran that port 80 is remote and not local. I still fully endorse the firewall idea, especially the router ;)

    If the browser has no current exploitable vulnerabilities then I suppose it is safe on these ports.

    The forwarded router ports are open, but it still comes down to the ports on your machine; if they are not vulnerable due to services or software issues then there should be no concern. Kerodo, Rmus, Mrkvonic and others who discuss this are right. The router simply keeps all unnecessary Internet crap noise off the PC's network interface and internal software firewall or Windows FW. I like this idea. I have a thread somewhere that pictorially illustrates just how much noise - harmless in this case as it may be - can bombard the network interface in a very short time while connected to a public ISP server.

    *Edit*

    regarding the noise, post #3 here. 2500 ARP requests in 30 seconds seems like a lot to me.
     
    Last edited by a moderator: Jun 17, 2009
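The posts above circle around what an outbound connection actually "opens": the browser holds a local ephemeral port (1024-5000 on XP), replies from the remote server must be let in, and Stem's point is that a scan should not be able to see that port at all. The following is an added example, not code from the thread or from any firewall product: a small Python model of a stateful (connection-tracking) inbound filter next to a simplified model of what the host's own TCP/IP stack does with the same packets when nothing filters in front of it. Addresses are RFC 5737 documentation ranges and the port numbers and scenario are constructed for the demonstration.

```python
"""Toy stateful ("connection tracking") packet filter.

Added example, not code from the thread.  An inbound packet is admitted only
if it is a reply to a flow the host opened, or is aimed at a port the host
deliberately serves; an unsolicited probe, even one aimed at the ephemeral
port the browser is currently using, is dropped without any reply.
Addresses are RFC 5737 documentation ranges; ports are chosen for the demo.
"""
from dataclasses import dataclass, field

# XP-era default local (ephemeral) port range quoted in the thread.
EPHEMERAL_PORTS = range(1024, 5001)


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    new_conn: bool = False  # TCP: bare SYN, i.e. a fresh connection attempt


@dataclass
class StatefulFilter:
    """Inbound filter sitting in front of one host."""
    host_ip: str
    listening: set = field(default_factory=set)  # (proto, port) we intend to serve
    flows: set = field(default_factory=set)      # (proto, local_port, remote_ip, remote_port)
    log: list = field(default_factory=list)

    def outbound(self, pkt: Packet) -> None:
        # A host-initiated packet records the flow it belongs to.
        key = (pkt.proto, pkt.sport, pkt.dst, pkt.dport)
        self.flows.add(key)
        self.log.append(("allow-out", key))

    def close(self, proto: str, local_port: int, remote_ip: str, remote_port: int) -> None:
        # Flow torn down (FIN/RST seen, or idle timeout): replies are no longer expected.
        self.flows.discard((proto, local_port, remote_ip, remote_port))

    def inbound(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows and not pkt.new_conn:
            verdict = "allow-established"   # a reply to something we started
        elif (pkt.proto, pkt.dport) in self.listening:
            verdict = "allow-new"           # a service we chose to expose (e.g. a forwarded game port)
        else:
            verdict = "drop"                # unsolicited: discarded silently, nothing for a scan to see
        self.log.append((verdict, key))
        return verdict


def bare_stack(pkt: Packet, flows: set, listening: set) -> str:
    """What the host's own TCP/IP stack does with the same packet when nothing
    filters in front of it (simplified).  An unsolicited SYN to a port that
    only has a *client* socket on it still gets a RST, because there is no
    listener: to a scanner the port reads as closed either way.  What the
    filter adds is that the scanner gets no RST at all."""
    key = (pkt.proto, pkt.dport, pkt.src, pkt.sport)
    if key in flows and not pkt.new_conn:
        return "deliver"            # handed to the owning socket
    if (pkt.proto, pkt.dport) in listening:
        return "accept"
    return "rst" if pkt.proto == "tcp" else "icmp-port-unreachable"


def run_scenario() -> dict:
    host, web, scanner = "192.0.2.10", "203.0.113.10", "198.51.100.7"
    fw = StatefulFilter(host_ip=host)
    r = {}

    # The browser opens one connection: local ephemeral port 1025 -> remote web:80.
    local_port = 1025
    assert local_port in EPHEMERAL_PORTS
    fw.outbound(Packet("tcp", host, local_port, web, 80, new_conn=True))

    # The server's reply matches the tracked flow and is let in.
    r["reply"] = fw.inbound(Packet("tcp", web, 80, host, local_port))
    # A scanner probing the port the browser is using matches no flow.
    r["scan_ephemeral"] = fw.inbound(Packet("tcp", scanner, 40000, host, local_port, new_conn=True))
    # "UDP junk" from the web server's address to the same port: wrong protocol, no flow.
    r["udp_junk"] = fw.inbound(Packet("udp", web, 80, host, local_port))
    # A probe to a port nothing is using.
    r["scan_closed"] = fw.inbound(Packet("tcp", scanner, 40001, host, 445, new_conn=True))
    # Once the browser closes the connection, even the real peer cannot get back in.
    fw.close("tcp", local_port, web, 80)
    r["late_reply"] = fw.inbound(Packet("tcp", web, 80, host, local_port))

    # A deliberately forwarded game port (the gamer case raised above) is reachable by design.
    gamer = StatefulFilter(host_ip=host, listening={("udp", 27015)})
    r["forwarded_port"] = gamer.inbound(Packet("udp", scanner, 5555, host, 27015))

    # The same two probes against the bare stack, for comparison.
    flows = {("tcp", local_port, web, 80)}
    r["bare_scan_ephemeral"] = bare_stack(Packet("tcp", scanner, 40000, host, local_port, new_conn=True), flows, set())
    r["bare_scan_closed"] = bare_stack(Packet("tcp", scanner, 40001, host, 445, new_conn=True), flows, set())
    return r


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:20s} {verdict}")
```

Two things the model makes visible: the ephemeral port the browser holds is not "open" to anyone but the peer of that one flow, and an unsolicited SYN to it is refused by the stack itself even with no firewall (a closed port is a closed port). The filter's contribution for those probes is silence instead of a RST, plus dropping leftovers after the flow is closed; a port you forward on purpose is outside both protections and rests on the software behind it.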
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I agree with you. A firewall makes all the difference.

    And, I guess that's one of the reasons why so many home users have their systems as part of botnets without even knowing it. These are users that are not aware of firewalls, nor of any other security measures.

    My wild guess is that most are even using pirated Windows versions. Here, and again my wild guess, a firewall would make no difference.

    But, if we're talking about a legit Windows, and users use a proper firewall, which will alert them to any possible unknown process trying to gain access to the Internet, then the users have a chance to stop the process from connecting.

    In this case, Windows' own is no good, as it won't alert them at all. But one that will makes all the difference between an open path for malicious processes to connect to the Internet, or a closed path.

    I remember seeing in some forum, some time ago, someone saying that his/her firewall alerted on a third connection when connecting to the Internet, when the normal would be two requests - the ISP DNS IPs.

    So, when the third connection was seen... something was clearly wrong. What do you guys think it could have been? Maybe becoming part of a botnet? Or simply a malicious process trying to gain access to the Internet for something else? No idea, but this guy/girl having a firewall with both inbound/outbound protection made all the difference.

    Most of the time, most people may even think that firewalls are of no use for home users, but maybe we're talking about folks that never had any problems.

    I could say the same about anybody's home alarm. If it doesn't make those loud noises, will they think: it never goes off, that means no one wants to get into the house, let's get rid of it? o_O

    As everything else, a firewall is there to protect users, as a second layer of defense. It may trigger an alert, and then you can do something about it, or it may not, and it could mean everything's OK.
     
  18. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Yes.

    Because packets are something that we can't control, and also because it helps our system against its possible vulnerabilities, bugs, issues, etc...
     
  19. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    It also offers another layer of control, we all prefer to know exactly what is communicating with the outside world, and I'm not really referring to malicious behavior here.
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Exactly. Good point, and I forgot about it.

    For example, I make use of one or two applications that, every time I start them, open the default web browser. Now, I don't want this behavior, nor do I want them to connect to the Internet, as they have no need for such to do their job. So, I prevent them from opening any network-related application and from connecting to the Internet, as there is simply no need for that.

    Thank you for pointing that out.


    Cheers
     
  21. swami

    swami Registered Member

    Joined:
    Mar 24, 2006
    Posts:
    215
    If you have to watch outbound malicious connections, you've lost the game.
    For information reasons I understand it.
    Anyway very informative discussion.
     
  22. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    And how exactly is someone who prevents malicious processes from connecting to the Internet losing any game? It means something got into the system without anything else triggering an alert. It got there somehow. But, at least, the connections can be prevented if the firewall triggers alerts, right?

    It's the same as an anti-malware application. If it is detecting a malicious process, then has the person already lost the game?

    No, the person loses the game only if nothing prevents and detects a malicious process.

    Not all malicious processes harm your system. Some get in your system with the sole purpose of downloading more malicious programs, sending out important information, making people's systems part of botnets.

    So, even if an anti-malware application fails to detect it, a firewall may still alert you to a connection. So, not all is lost. It would be lost if your system was infected, and no anti-malware application detected it and no firewall triggered an alert for outbound connections coming from unknown processes.
     
  23. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Guys..... if you'll take notice, this thread is about *inbound*, not about catching things outbound. I think you've deviated from the original intent and subject matter of the thread. ;)
     
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes, it is about inbound, but that's OK: it's been interesting seeing others' perspectives, and it's an opportunity to address several things about outbound.

    I've bolded the key words: if and may.

    The classic examples of alerts are when malware installs and attempts to connect out and the firewall intervenes. I gave one example in my post #15 above, using a PDF exploit. (Those knowledgeable enough to configure a firewall probably know enough to prevent that exploit from running anyway!)

    Do you think malware writers are bothered by the few people who might have a firewall that monitors outbound? I say "few" because I'm sure you would agree that it's enough to hope that the general population enable the Windows Firewall, which is only inbound in XP.

    Notwithstanding Stem's fine tutorial for the Vista firewall, how many in the general population would take the time to configure it?

    Not much of a worry for malware people.

    On the other hand, sophisticated malware authors have bypassed firewalls outbound. Conficker is a good example:

    An Analysis of Conficker's Logic and Rendezvous Points
    http://mtc.sri.com/Conficker/
    This, of course, assumes that conficker installs in the first place.

    In another example, port 80 is open outbound by default. I created a test a while back using a Word document to launch rundll32 to load the Hotmail MAPI DLL that connects out to the internet.

    This was to simulate an info stealer trojan which does no damage nor makes changes to the system. The only way to catch this, should it run, is to set the firewall to alert to all outbound traffic on port 80...

    [screenshot: hmmapi-kerio.gif]

    ...which, I'm sure you will agree, would become aggravating very quickly! But this attack is easily prevented from running in the first place with proper protection.

    No one I know considers a firewall to be completely reliable in situations like this. Rather, they focus on prevention up front. Think of how many people use a router with no software firewall to monitor outbound!

    As for inbound: from my first post, I'm thinking aloud for the eventual implementation of IPv6. It's frustrating to see a fine product like Kerio 2 become obsolete.

    I'll probably go the router route as suggested by Kerodo, former Kerio 2 user who was helpful when I first started using that firewall.

    I would still like to know more about a couple of things Stem brought out... so I'll wait on that.

    DISCLAIMER: To re-emphasize: although I and others have demonstrated inbound protection without a firewall/router ("a closed port is a closed port"), I am not suggesting that anyone else do this.

    regards,

    rich
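Rmus's rundll32/MAPI test above contrasts two ways of catching an outbound connection from an unexpected program: a blanket "alert on all outbound port 80" rule, which fires on every browser request, and a per-application rule set, which stays quiet for known programs and alerts on anything else. The following is an added example, not code from the thread or from Kerio: a toy ordered rule table in Python run over a constructed traffic sample, so the trade-off (alert noise versus what slips through quietly) can be seen in numbers. Image names, ports and the sample are assumptions for the demonstration.

```python
"""Toy outbound rule table for a per-application firewall.

Added example, not code from the thread or from any firewall product.  It
contrasts a blanket "alert on every outbound port 80" rule with per-program
rules on the same constructed traffic.  Image names and the traffic sample
are assumptions for the demonstration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Connection:
    image: str          # executable that owns the socket, as the filter driver reports it
    remote_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    image: Optional[str]        # None = any program
    remote_port: Optional[int]  # None = any remote port
    action: str                 # "allow", "block" or "ask" (raise an alert)

    def matches(self, c: Connection) -> bool:
        return ((self.image is None or self.image.lower() == c.image.lower())
                and (self.remote_port is None or self.remote_port == c.remote_port))


def decide(rules: List[Rule], conn: Connection, default: str) -> str:
    """First matching rule wins, as in an ordered rule list; otherwise the default applies."""
    for rule in rules:
        if rule.matches(conn):
            return rule.action
    return default


# Policy A: the blanket rule from the post. Alert on *all* outbound port 80;
# everything else is allowed quietly.
BLANKET_RULES = [Rule(None, 80, "ask")]
BLANKET_DEFAULT = "allow"

# Policy B: per-application rules; anything not listed raises an alert.
PER_APP_RULES = [
    Rule("firefox.exe", 80, "allow"),
    Rule("firefox.exe", 443, "allow"),
    Rule("svchost.exe", 53, "allow"),   # DNS client
]
PER_APP_DEFAULT = "ask"

# Constructed traffic sample: ordinary browsing plus the simulated info stealer,
# once over port 80 and once over 443.
TRAFFIC = [
    Connection("firefox.exe", 80),
    Connection("firefox.exe", 80),
    Connection("firefox.exe", 443),
    Connection("svchost.exe", 53, "udp"),
    Connection("rundll32.exe", 80),    # the MAPI DLL connecting out via rundll32
    Connection("rundll32.exe", 443),   # same thing, but not on port 80
]


def evaluate(rules: List[Rule], default: str, traffic: List[Connection]) -> Tuple[int, list]:
    """Return (alerts raised, connections the policy let out without asking)."""
    alerts = 0
    silent = []
    for c in traffic:
        verdict = decide(rules, c, default)
        if verdict == "ask":
            alerts += 1
        elif verdict == "allow":
            silent.append((c.image, c.remote_port))
    return alerts, silent


def compare() -> dict:
    """Run both policies over the sample and report noise and misses for the unknown image."""
    a_alerts, a_silent = evaluate(BLANKET_RULES, BLANKET_DEFAULT, TRAFFIC)
    b_alerts, b_silent = evaluate(PER_APP_RULES, PER_APP_DEFAULT, TRAFFIC)
    return {
        "blanket_alerts": a_alerts,
        "blanket_missed": [s for s in a_silent if s[0] == "rundll32.exe"],
        "per_app_alerts": b_alerts,
        "per_app_missed": [s for s in b_silent if s[0] == "rundll32.exe"],
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k:16s} {v}")
```

On this sample the blanket rule raises three alerts, two of them for ordinary browser traffic, and still lets the same unknown image out quietly once it uses 443 instead of 80; the per-application table raises two alerts, both for the unknown image, and none for the browser. Either table only sees what the filter driver attributes to a process, which is the limit Rmus points at with Conficker: malware that gets past or inside that attribution is not something a rule list can fix.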
     
  25. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    You are talking about services that use static outbound ports, or about outbound ports in general? o_O

    Panagiotis
     