Is a firewall really necessary for home use?

Discussion in 'other firewalls' started by Rmus, Nov 27, 2005.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    My experience has been that "if it is known, then ..." doesn't always prove to be true. Being a skeptic by nature, I like to run my own tests where possible.

    Very interesting! I have to say that in the past few months, I've become persuaded towards using a router. Kerodo, bigc, and others have made convincing arguments.

    But here, it's not a matter of router vs firewall, rather, just to show that it is possible (albeit not easily done, nor perhaps practical) to run safe with no external devices for inbound protection.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  2. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Gentlemen, no offense but, this is a *VERY* old and [for lack of better term] tired debate, IMHO ..

    FYI, here is "all ya wanna know" about the issue, a 16-page marathon of heated debate done at DSLReports over three years ago [ca. June '02]: Closed vs Stealthed Ports

    .. And .. the Conclusion was .. as will probably be in THIS thread .. it is a matter of PERSONAL OPINION & PREFERENCE .. hehe ..

    That said, I prefer Stealth because:

    1. Stealth implies Closed, but not Vice Versa; thus Stealth is more restrictive than Closed -- so, I prefer the more restrictive condition which implies the less restrictive condition. You could say one [stealth] is a more restrictive subset of the bigger set [closed].
    2. I use PPPoE ADSL {a dialup type of DSL} which, similar to dialup, assigns a dynamic IP from a pool of addresses every time I connect. If a hacker or portscanner sees nothing at my address he can conclude:
    (i) there is nothing there {the scanned IP is offline or unassigned}
    (ii) there is something hidden there {the scanned IP is online but stealth}
    3. It really isn't worth his time to probe and probe to see if he can "see" me or even determine whether *I* {a live, online system} exist; there are too many other bozos on the Net with exposed open ports to exploit, for him to waste valuable time and resources sniffing out something that he isn't even sure exists or not.

    That is my take on it; but I respect "the other side" [all sixteen pages of it!] :D :D Edit: FWIW, I think "my side" {the stealth preference} is a minority in the Security Community .. ;) :)
     
    Last edited: Dec 2, 2005
  3. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
  4. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
  5. andie

    andie Guest

    I also prefer "stealth"; it is simple and inexpensive - why not? To me, it is very similar to security for a home or business - most thieves and burglars are looking for the quick, easy, low-risk hit. I try to make it unattractive for them.

    There have been several break-ins around my neighborhood, and usually the thief tries to find an unlocked door, or a backdoor, out of view, that he can force open. I don't have a backdoor and previously my next door neighbor was burglarized, through the back door, and footprints showed the guy came through my yard and went on to the neighbor.

    Hardware routers are very inexpensive and the XP firewall can be a good secondary defense.
     
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Let me ask this, since I don't really know the answer. Let's say I'm a "hacker" and I pick a random IP address, say 68.121.9.109, ok? Now let's say I start pinging that address or probing it or whatever, and I get no response back. Is there any way I can tell the difference between there being no machine there whatsoever and there being one there which is "stealthed"?
     
  7. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    Not if you don't get a response back :D There are scan options that work against closed ports which open ports will drop.
     
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Well, if they can't tell the difference, then the argument that they can tell you're there anyway by your stealth lack of response is nonsense.. and stealth would be effective then.
     
  9. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    I thought they just pinged a range of addresses. If they got a couple of responses then they would know that there must be computers present between the two addresses that responded. Assuming that the allocation of IP addresses is sequential and not random.

    Anyway, I think the difference between stealth and closed is a side issue. For me, the most interesting thing from this thread is that there seems to be no difference between a closed port and a port protected by a firewall. So you can actually use windows functionality to protect yourself without needing to install anything and without needing to run any extra processes. That seems pretty good to me.
     
    Last edited: Dec 2, 2005
  10. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    480
    Location:
    Dallas, TX
    To be honest I have really only skimmed this thread, but I had to break in with a couple of points:
    1. Actually, I believe there are several ways to tell the difference between "no machine whatsoever" and "one there which is 'stealthed'". I'm not really an ICMP expert, but I believe that one way is that the last-hop router usually sends "destination unreachable" messages when there is no actual host on its subnet versus a machine that is there but just dropping packets. Also, I believe that if you purposely create special malformed IP and/or ICMP packets, then a machine that is there but dropping TCP/UDP packets will nevertheless often respond to malformed packets with detectable ICMP error messages. I wouldn't put a lot of stock into the "stealthed" packet-dropping versus just simply having a "closed" port, but it might keep the less knowledgeable hackers away.

    2. With respect to the original matter at hand, "Is a firewall really necessary...", I think it is worth remembering that there are other protocols and packets on the network besides simply TCP/UDP. The thread starter proudly displays an almost entirely closed (or stealthed, don't remember precisely) portmap as if that's all there is. Granted, most modern network traffic is TCP or UDP based, but certainly not all. There are often other vulnerabilities discovered in the TCP/IP stack that can lead to attacks. Closing ports when you can is a great idea as it eliminates the bulk of your worries, but not all of them... and it is a mistake to assume otherwise. Moreover, I believe someone else noted the problem in closing services and ports by system configuration vs firewalling or filtering is that you often are sacrificing functionality to do so, and often fully closing such services and ports in a knowledgeable and wise manner is a complex task far beyond most users. Finally, even if closed, the lack of a firewall still means that your local network is possibly being inundated with BS packets. Why waste the local bandwidth if you don't need to? The best answer is to make use of a true hardware firewall or a router with a good NAT and/or SPI firewall implementation. Why not? They are so inexpensive these days (especially if you don't need wireless), that they are almost giving them away.
     
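Kerodo asks above whether a probe can tell "no machine at all" from a machine that silently drops, and Alec answers that the last-hop router's ICMP "destination unreachable" is one tell. The following simulation is an added example written for this thread, not code from any poster or from Wilders; it models the reply a single unsolicited TCP SYN gets under each host policy the thread discusses (closed port, firewall reject, firewall drop/"stealth", no host at all) and makes the router's unreachable behaviour an explicit parameter, since that is exactly what Alec's view and Randy_Bell's dynamic-IP argument disagree on. All class names, the `router_sends_unreachable` flag and the reply labels are the example's own assumptions; real routers, stacks and firewalls vary.

```python
"""Simulated replies to one unsolicited TCP SYN, under the policies debated
in the thread.  Added example; every name and label here is an assumption
made for illustration, not a description of any particular product."""
from enum import Enum
from typing import Dict, Optional, Set


class HostPolicy(Enum):
    ABSENT = "no host at this address"
    CLOSED = "host present, port closed, nothing filtering"
    FW_REJECT = "host present, firewall answers unsolicited SYN with RST"
    FW_DROP = "host present, firewall silently drops ('stealth')"


class Reply(Enum):
    TCP_RST = "TCP RST"
    ICMP_HOST_UNREACH = "ICMP destination/host unreachable from last-hop router"
    SILENCE = "no reply before timeout"


def last_hop_router(policy: HostPolicy, sends_unreachable: bool) -> Optional[Reply]:
    """The router in front of the target subnet (assumed behaviour).

    Alec's post: when no host answers on the local segment, many routers tell
    the sender with ICMP unreachable.  A dropping host still answers ARP, so
    the router forwards to it and stays quiet.  Some routers are silent in
    both cases, which is the assumption behind Randy_Bell's argument."""
    if policy is HostPolicy.ABSENT and sends_unreachable:
        return Reply.ICMP_HOST_UNREACH
    return None


def probe(policy: HostPolicy, router_sends_unreachable: bool) -> Reply:
    """Reply an outside sender sees for one SYN to a port nobody listens on."""
    router_reply = last_hop_router(policy, router_sends_unreachable)
    if router_reply is not None:
        return router_reply
    if policy in (HostPolicy.CLOSED, HostPolicy.FW_REJECT):
        return Reply.TCP_RST          # a closed port (or a REJECT rule) answers RST
    return Reply.SILENCE              # ABSENT with quiet router, or FW_DROP


def infer(reply: Reply, router_sends_unreachable: bool) -> Set[HostPolicy]:
    """Everything the observer can still believe after seeing `reply`,
    assuming the observer knows how the router behaves."""
    if reply is Reply.TCP_RST:
        # SpikeyB's point: a closed port and a rejecting firewall look alike.
        return {HostPolicy.CLOSED, HostPolicy.FW_REJECT}
    if reply is Reply.ICMP_HOST_UNREACH:
        return {HostPolicy.ABSENT}
    # Silence: if the router would have complained about an empty address,
    # silence means something is there and dropping; otherwise it is ambiguous.
    if router_sends_unreachable:
        return {HostPolicy.FW_DROP}
    return {HostPolicy.ABSENT, HostPolicy.FW_DROP}


def stealth_distinguishable(router_sends_unreachable: bool) -> bool:
    """Kerodo's question: does one SYN separate 'stealth' from 'no host'?"""
    absent = infer(probe(HostPolicy.ABSENT, router_sends_unreachable), router_sends_unreachable)
    drop = infer(probe(HostPolicy.FW_DROP, router_sends_unreachable), router_sends_unreachable)
    return absent != drop


def report(router_sends_unreachable: bool) -> Dict[HostPolicy, Reply]:
    """Reply table for every policy under one router behaviour."""
    return {p: probe(p, router_sends_unreachable) for p in HostPolicy}


if __name__ == "__main__":
    for flag in (True, False):
        print(f"router sends ICMP unreachable for empty addresses: {flag}")
        for policy, reply in report(flag).items():
            print(f"  {policy.name:10s} -> {reply.value}")
        print(f"  stealth distinguishable from no host: {stealth_distinguishable(flag)}")
```

Run it and both sides of the debate fall out of the same model: with a router that reports unreachable addresses, silence alone identifies a dropping host, which is Alec's point; with a quiet router, silence is ambiguous, which is the most Randy_Bell's argument can claim. Either way the RST case shows why a closed port and a rejecting firewall are indistinguishable from outside, and nothing in the model lets a dropping host accept a connection, which is the "stealth implies closed" observation in the thread.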
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    The on-line scans/probes are the only tools readily available to the home user, which indicate the state of their ports and nothing else.

    I realize you've only skimmed this thread, but I did address some of these vulnerabilities in a previous post.

    I didn't intend to address networks - this test used a stand-alone computer on dialup.

    "possibly being inundated..." - I monitored the logs carefully while doing normal surfing and never noticed any inundation of BS packets or anything that affected my surfing. I don't think it's an issue for a stand-alone home system.

    Can't argue with that!

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  12. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Ok, well if this is true, then stealth is not all it's cracked up to be. Thanks for the info..
     
  13. justpassing

    justpassing Guest

    But of course it's true. That's why the majority of people in the security community don't think much of stealth.

    Of course it is.

    My observation is that in general the more knowledgeable someone is on networking, the more likely he is to be on the closed side of things.

    Stealth has one thing going for it, it sounds cool. :)

    And yes, it's a very old debate. Even on Wilders. Much less other places.
     
  14. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Ok, FYI my computer is connected directly straight to my cable modem via a 100 Mbps ethernet wire. You can visit my ISP at www.starhub.com and I am using Maxonline 2000. I'm not sure if I REALLY need a router, and I do not know if almost everyone here uses a router.
    A router is usually for more than 1 computer. Correct me in any way if you think I'm wrong.
    Like you said, a software firewall provides more information, finer control, as well as many more opportunities to be misconfigured and unintentionally subverted by a novice user if it's the only communications component used.

    There are some more knowledgeable people who know how to correctly configure a firewall and in some cases of some firewalls, you can password-protect the firewall to prevent it from being misconfigured or unintentionally subverted by a novice user if it's the only communications component used. If I get a router, then I'll need to connect my computer to the router, then to the modem? :doubt: It's just like adding more wires to my connections. Also, my cable modem has a standby button that I can press to temporarily stop ALL traffic incoming and outgoing. I don't have a router, but I have a software firewall that I still can rely on and the standby button. Not everybody has the same method when it comes to securing their own computers.
    It's all a matter of choice and preference. Man, machine and method.
     
  15. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Unless your ISP routinely issues more than one internet routable IP address to an account, the only way to connect more than 1 PC from that location is via a router. So in that sense, a router is usually for more than 1 PC.

    My point, in the greater hierarchy of security measures a router makes more sense per dollar spent than a software firewall (assuming paid here) for anyone and, IMHO, more technical sense for a casual broadband user than a free firewall. My personal reasons cover both security and nonsecurity issues and are:
    • Multiple PC's from a given location are now accommodated, that flexibility is nice to have.
    • It is the only sensible approach for wireless connectivity if that's desired. In principle you could use a simple wireless access point for 1 PC, but if that is what is structurally required, setting a wireless router up as an access point is typically preferred as well.
    • The concept of load balancing shouldn't be neglected. Unsolicited inbound does not make it to the PC in question for a proper configuration of either option, but with a router PC based CPU cycles are not consumed.
    • For the vast majority of users, it is plug-it-in and you're done. Very robust against misconfiguration. Not impossible, but you have to work at it to achieve it.
    • If you are not in a position to properly analyze the information, too much information can be counterproductive. The vast majority of home users are better served by a distinct box that they soon forget exists rather than an on-PC firewall that presents a steady stream of logs ready to be the source of inordinate concern. That might seem a harsh sentiment, but I believe it is a realistic one for the vast majority of home users. Remember, almost by definition, anyone that finds this site - I'm not saying someone who understands all the material being discussed here, but simply finds this site - is probably well above the typical home user. Think about that for a moment.
    While password protecting a software firewall may seem to be a reasonable approach, and it is with a group of users of varying expertise, doing this as a general approach means everyone has a local resource to go to at any time. That's not realistic today.

    As for more wires..., this is a technical problem how? Why add wires at all, go wireless if the physical site or simple logistics is a problem.
    This is a trivial situation that anyone can mimic today, physically unplug or shutdown your system while away. When you start letting any traffic in, any unsolicited communications reach your PC as well. In your case it is handled by your software firewall, in my case it never reaches my PC. It doesn't matter what happens on my PC, that stuff doesn't reach it. Can you say the same? What happens if a software conflict kills your firewall? Can you guarantee that will never happen? OK, I'm absolutely certain that you will notice it. I am almost as certain that many casual users would not. What then?
    In large measure yes, but if my less computer-knowledgeable friends ask, my preference is to direct them towards a solution that should always work with no to inconsequential user interaction required post installation. As a general guide that I follow, if they feel compelled to ask the question and have not researched it fully before asking, and they don't have a router yet, my recommendation is to install a router. If they have a router, and again have not fully researched the topic, my recommendation is to go with a solution that provides application based communications control. If they wish to go beyond that, it's time they start some self education in the area...

    Blue
     