What is the Truth about Firewalls?

Discussion in 'other firewalls' started by KDNeese, Sep 15, 2007.

Thread Status:
Not open for further replies.
  1. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Hello,
    Access the website by typing the address yourself in the address field.
    Mrk
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    My bank login procedure makes any keylogger desperate and crying. So my on-line banking is the least of my worries. :)
     
  3. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    My take on firewalls...I will not support any computer that is not behind NAT, meaning..a computer that is directly on a public IP address. (a very rare exception being a few servers that I take a lot of time to strip services and lock down)

    Experience has shown me, over the years in being in IT, people who plug their computers directly in their broadband modem..and obtain a public IP address...have systems that are usually hosed..infested. All those self spreading viruses out there which help themselves to unprotected computers that are behind on windows updates...pop up messages from messenger service...kids gaining access to C$ because so many people leave their Administrator password blank, things that help themselves to a computer directly on a public IP address without user intervention...all of these problems go away if the computer is put behind NAT.

    Once the computer is behind NAT...the computer can only get a problem through some action of the user...IE the majority of issues stemming from downloading, e-mail, surfing bad sites, installing junk software or warez or P2P junk, etc.

    My concern is usually just inbound protection..hide that computer, hence the preference for being behind NAT.

    Outbound protection...I don't use it, I don't really insist that my clients use it either, it's a personal preference though...for those that insist on knowing everything that's going on, who may be of higher risk thus possibly have some bad stuff on their computer, and don't mind the nagginess of them..go ahead.

    One thing I've noticed though....I don't believe I've seen one single post..where a software firewall user has jumped up and praised his product for "Stopping a trojan that all my other products didn't catch". The majority of users will just stare at some "Waiting for approval" warning...not know what it is, and approve it to be allowed out anyways.

    While on the subject...I'll mention one thing that is growing in popularity...UTM appliances..."Unified Threat Management" routers that are built on various linux distros. These NAT boxes take the place of conventional broadband routers, and do much more. Not only NAT, but deep SPI, IDS (Intrusion Detection..usually via Snort..with constantly updated rules), antivirus scanning of web, POP3, SMTP, and FTP traffic), SPAM removal of POP and SMTP, and ad/spyware blocking of web traffic. And yes fairly tight control of outbound traffic. Since this is your gateway...any/all PCs behind this device automatically get this protection. For those users who like a layered approach to protection...here's one that will not bog down your PCs. Also you get great performance...install these on a 1GHz or higher machine with 512 or a gig of RAM...and you'll run circles around any home grade router as far as performance goes...and most business grade routers for under 5,000 dollars for that matter. For users who want top performance for online gaming, or those users who do those P2P apps which normally bog down most home grade routers..these are beefy units.

    I'm using these more and more at clients of mine..for their business networks.
    www.untangle.com
    www.endian.it
    www.copfilter.org

    Untangle is fantastic!
     
  4. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Stonecat-

    I will not run a desktop without a NAT, but with a notebook that is really not possible. [There is some hardware gadget which hooks in through a software driver. Perhaps it is an improvement over a software firewall, but it is pricey and an extra drain on the battery.]

    I agree with you that outbound filtering is overblown. I have not seen any anecdotal reports of outbound filtering saving the day either. It's a great concept for marketing software firewalls and security suites.

    As for setting up a Linux box, if done right the result is a very powerful appliance. It's too advanced of a concept for the average person, plus there is the power consumption and noise of another computer to deal with. [Someone around here said the noise was not a problem as he kept this machine in his basement. I don't have a basement.] It is a viable option for a larger network.

    -Ron
     
  5. wat0114

    wat0114 Guest

    I can't help but wonder how can it make any difference placing a pc behind NAT if the individual using it insists on downloading and executing malware from email and P2P, as well as surf dodgy sites? NAT can't possibly prevent this kind of careless behaviour from happening, can it, or am I missing something? To me this is not a firewall problem, rather it's a problem with the individual using the pc. I'm pretty certain that if the individual uses and maintains their machine in a responsible manner, they will not incur infestations if they use only a properly configured software fw or even Windoze basic fw, along with a decent, updated antivirus. Of course it goes without saying that a responsible individual would also maintain a fully patched machine and use a limited account for the basics.
     
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    EPIA platform :)
     
  7. herbalist

    herbalist Guest

    Many of the DSL modems are actually modem/router combo units. All of the ones my ISP supplied were. While a router does help against some attacks from the net, a properly configured firewall does too, properly configured being the key term here. Unfortunately, most users don't know how to properly configure a firewall. A software firewall is all I used for years. Last spring, I added a hardware firewall to my setup, Smoothwall on an old Win95 box. Even with a hardware firewall, I keep Kerio 2.1.5 running for the extra control it gives me over traffic in both directions.

    By far, the majority of PCs are infected by the actions (and inactions) of the user.
    This very thing happened when I installed Kerio 2.1.5 on a friend's WinME box. The AV, which was up to date, missed the trojan for who knows how long. When I rebooted the PC, Kerio alerted to the trojan's attempt to connect out. While this doesn't happen very often, it does occasionally happen. Unfortunately, the average user wouldn't know the difference between that trojan and a normal system process. I've seen it twice in the last 5 years, both times on PCs I was servicing for the first time. Both had far more problems than a single trojan.

    A firewall should be considered a necessity with Windows. Whether it's hardware or software, a firewall is not a total solution to security issues. It's part of a package.
    Rick
     
  8. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    That's nice, but usually Linux firewalls are built on throwaway pc's. There is always a solution, if you want to spend some money. That includes hiring someone like Stonecat, who knows what they are doing, to set it up. In a large network setting, it does not matter. Offices are noisy. Just stick it somewhere and let it go.
     
  9. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Throwaway PCs can be made very silent, if you aren't afraid of hand work ;)
    I think that this board is the ultimate thing to build a powerful (dual processors at 1 GHz) and silent (fanless) Unix gateway.
     
  10. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    A firewall of any kind (software or hardware) won't keep someone from becoming infected. If anything, a good software firewall might catch some outbound traffic resulting from an infection, but that's not guaranteed by any means.
     
  11. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    If you re-read my post a bit more slowly...you'll see I did specify the differences of self spreading stuff that did not require any user intervention to hit a machine...stuff like that was prevented by being behind NAT.

    Take a Windows 2000 or Windows XP machine...without any service packs or windows updates. Plug it into a cable modem..with a public IP address. Turn it on..don't use it..don't do anything on it..walk away for an hour. Come back..reboot the machine..and see how she runs. You'll have some fun for sure.

    Anyone who has done IT for a living for a few years knows that this machine will be infested. Recall some DCOM vulnerabilities..such as Blaster?

    Primary reason why I will never do an installation with NAT, or support any clients PC that's not behind NAT. I've been doing this long enough to know that..clients PC on a public IP address...it's a mess, I don't want to bother with it. A NAT router will not stop hiding the computer, it will not fail in that aspect. If you take your PC, slap on a software firewall..and stick it on a public IP without NAT..yeah it's protected..for awhile. But software firewalls can have vulnerabilities...they can become corrupted, they can fail, a service may not start, one reboot it may not start..and the PC is suddenly unprotected...and BAM, it's hit. There have been some exploits that have taken down some popular software firewalls. Thus I don't trust them, but I do trust NAT...NAT doesn't break, it doesn't fail you one morning and decide not to protect you....your PC is always on a private class C IP address and thus not able to be molested by the junk out there directly.

    Re-read what I stated above. I did mention that NAT could not stop things that the user did to themselves...like problems brought in via e-mail or using P2P stuff or installing pretty waterfall screensavers.
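    The gateway behaviour described in posts 3 and 11 (unsolicited inbound traffic from the WAN never reaches the LAN, replies to connections the LAN opened do get back in, and the private addresses are hidden behind the gateway's public one) is what the Linux-based boxes linked in post 3 do with netfilter underneath. The ruleset below is an added example written for this thread; it is not code from Untangle, Endian, Copfilter, Smoothwall or any poster. The interface names eth0/eth1, the 192.168.1.0/24 LAN and the WAN-DROP log prefix are assumptions, and setting DRY_RUN=1 prints the iptables commands instead of loading them so the ruleset can be reviewed on any machine.

```shell
#!/bin/sh
# Minimal Linux NAT gateway ruleset (added example, not any project's code).
# WAN_IF, LAN_IF and LAN_NET are assumed values; override them in the environment.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# ipt either runs iptables or, when DRY_RUN=1, prints the command so the
# ruleset can be reviewed (and tested) without touching a live kernel.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    # Default-deny for traffic to and through the gateway; the gateway's own
    # outbound traffic is allowed.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F
    ipt -t nat -F

    # Anti-spoofing: packets claiming a LAN source but arriving on the WAN side
    # are dropped before anything else.
    ipt -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    ipt -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # Stateful core: replies to connections the LAN opened are allowed back in.
    # Anything unsolicited from the WAN matches nothing and falls to the DROP policy.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -j ACCEPT   # management interface reachable from the LAN only

    # LAN hosts may initiate outbound connections through the gateway
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT

    # Log (rate-limited) what the WAN throws at the gateway before it is dropped
    ipt -A INPUT -i "$WAN_IF" -m limit --limit 5/min -j LOG --log-prefix "WAN-DROP: "

    # Masquerade: LAN hosts leave with the gateway's public address
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

case "${1:-}" in
    apply) sysctl -w net.ipv4.ip_forward=1 && apply_rules ;;
    show)  DRY_RUN=1; apply_rules ;;
esac
```

    Run `sh gateway.sh show` to print the rules and `sh gateway.sh apply` as root on the gateway box. Rule order matters: the ESTABLISHED,RELATED rule is what lets replies back in while the DROP policy discards everything else; that stateful filter, rather than the address rewriting itself, is what provides the "hiding" the thread credits to NAT.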
     
  12. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Yeah..laptops...but IMO..those are short time, brief usage. Not as much of a target, and more importantly....when you're "surfing" on an open wireless connection..or internet cafe..something like that...your risk is nowhere near as bad as if you were plugged right into a broadband modem on a public IP address. Most wireless hotspots and networks are still behind a NAT router...you're only sharing that IP range with a very small amount of other users...realistically usually under a dozen other PCs. Not nearly the risk as if your PC was sitting on a public IP exposed to the rest of the world.

    Most people build these linux routers on "small form factor" PCs...not necessarily as small as little Epia boxes like linked above..but small business desktop platforms like Compaq Evos or Deskpro ENs or little Dell Optiplex 170 models. A little box like this..with the CPU barely peaking at 3%...barely a couple of bucks more per month in electricity than an off the shelf home grade router, and very quiet. More and more are even being installed in VMWare (home use also free)...so you're running them inside of an existing PC on the network.

    They are wicked easy to build and setup...you do not need to know linux at all. Download an ISO..burn the CD..boot from the CD...and an easy wizard holds your hand through the entire setup/install process. Managing the firewall is done through a web browser just like any old Stinksys, DStink, or Nutgear router.
     
  13. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Stonecat-

    I am tempted (you are tempting me) to set up one of these Linux powered babies, but for now will rely on a Buffalo WHR-HP-G54 running Tomato 1.07.

    The notebook thing is a matter of degree. Sometimes in an airport there will be a couple of dozen users. In some hotels I might be online for hours every day for several days. It's nowhere as bad as having to use an internet cafe machine though. Once I forgot to log off, and Firefox saved my log on without telling me (that is its default behavior once another user tells it to do that for your particular mail service, and if your mail service is yahoo, Gmail, or Windows Live that could happen every day). Some SOB sent a nasty email to a female family member as a reply to something in my in-box. Needless to say, I changed my email password immediately and a bunch of other passwords just for good measure.

    -Ron
     
  14. wat0114

    wat0114 Guest

    My apologies Stonecat, I was distracted by the picture of the Sunshine Girl in the newspaper this morning :D

    You got that right! Several years ago, installing XP while plugged into my modem (no router yet), I was nailed by the Blaster virus immediately after the install completed! At least I noticed it right away, then re-installed unplugged from the ‘Net.

    Interesting comments and I like what you have to say Stonecat :) My opinion is a software fw can still provide excellent protection, but it does take sheer diligence and considerable knowledge by the individual to quickly notice when something doesn’t look right. If the machine is fully patched and other security software is in place, infections should not occur too easily, I would think. However, I also firmly believe that NAT is a great investment for anyone using a pc on the Internet. Thank you for your input!

    BTW, you have also inspired me to build one of those Linux fw's. I just need to scam (legitimately) a second pc from somewhere :D
     
  15. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Tomato is also based on Linux. There's a third-party firmware (PacketProtector) for the Linksys WRTSL54GS or the ASUS WL-500g routers which adds UTM features:
    Code:
    intrusion prevention (Snort-inline) 
    intrusion detection (Snort) 
    remote access VPN (OpenVPN) 
    content filtering/parental controls (DansGuardian) 
    web antivirus (DG + ClamAV) 
    a local certificate authority (OpenSSL) 
    secure management interfaces (SSH and HTTPS) 
    advanced firewall scripts for blocking IM and P2P apps 
    IP spoofing prevention (Linux rp_filter) 
    basic protocol anomaly detection (ipt_unclean) 
    
    Still, you're limited by the performance of such small devices. A PII with 128 MB of RAM runs circles around them.
    You won't be disappointed :)
    The main concern (IMO) on shared LANs (airports, public WLANs, etc) is packet sniffing (i.e. eavesdropping). The best solution is tunneling via VPN/SSH your notebook to your home router/gateway.
     
  16. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Lucas,

    On a small network (usually 3 machines) bittorrent seems to be the one thing that brings routers to their knees. Tomato has a QOS feature that reserves bandwidth, and I have seen some posts on the Linksysinfo.org forum with a how to. That will be my next experiment.

    On another note, I have thought about Stonecat's comments regarding the situation with notebooks on public wifi. A machine plugged directly to the internet is in contact with literally over 100,000,000 other computers. Behind a router wireless access point, a notebook user might be exposed to 200 at most. Those instant worm infections are why XP SP2 had the software firewall enabled by default. I know people who got hit by worms, bam, in under a minute. On a desktop I would take a NAT over any software firewall, if I could only have one or the other. I have also seen software firewalls fail to load or initialize correctly, and they are remarkably easy to misconfigure.

    -Ron
     
    Last edited: Sep 22, 2007
  17. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Interesting - my hardware firewall is set up to send me an e-mail once a day to let me know what is happening and to send me an e-mail if attacked. Every day I get a rather dull e-mail telling me that the time has been checked and that's it.

    I have no idea how any of this works so do you have any suggestions as to why no one wants to scan my machines ? I have checked with some of the better known programs and been told that all is stealthed by the Hardware Firewall and had assumed that was why I was not being attacked.

    As I don't run any security (AV, AS, HIPS) I would have thought that I should be attacked quite often. My belief has been that the hardware firewall is working and that was all I really needed. I do install (deleted on reboot) on demand programs every week or so - different ones each time -- just to check and nothing ever shows up but it is the lack of attacks that interests me here. There are plenty of bad things "out there" but if they don't attack me and I don't let them in o_O and as you have said no amount of security will guarantee safety.
     
  18. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Most, if not all, of the stuff you see in typical firewall logs is just internet noise.. I seriously doubt if any home user actually gets "attacked" very often, unless it was invited in some obvious way. You can usually just ignore and disregard most of the crap in the logs. It won't stop, and it's generally meaningless. Logs are often useful for debugging your firewall rules and seeing what's going on, but that's about it for the average home user...
     
  19. wat0114

    wat0114 Guest

    I agree. Most of my router's dropped TCP packets are ones destined to ports 135, 139 & 445, with the first two octets matching my ISP's range. This is likely due to Shaw having so many subscribers on big, happy LAN segments ;) I'm not sure if these packets are discovery or broadcast or something else, but I do perceive them as harmless, Internet "noise".
     
  20. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    well this is pretty much all I get every day

    "Sat, 2007-09-22 00:00:04 - Send E-mail Success!"

    I have only bothered to get the e-mail every day for the last 6 or 7 months.
    Even if I check the router log there is nothing exciting - ever.
     
  21. herbalist

    herbalist Guest

    Long View,
    A quick way to check is to run a port scan from Shields Up, then see if the scan shows up in your firewall log. Most firewalls can be configured as to what they log or report. It's also possible that your ISP blocks a lot of incoming traffic. Software firewalls are much more noisy in this regard. Quite a few don't let you choose what you want to be alerted about. The alerts are either on or off. Like Kerodo mentioned, a lot of what's in the logs is noise.

    My Smoothwall log shows 182 incoming connection attempts in the last 12 hours. A lot of it seems to originate in China. For the most part, the scans target the usual ports, 1026, 1027, 137, 139, 445, 444, 1080. Also seeing a fair amount for 2967.

    Firewall logs aren't all that useful to a home user, as long as the traffic is blocked. They're pretty much just information that can be interesting but not that necessary. I look at them occasionally just to see what's being targeted and where it's coming from.
    Rick
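    Posts 18, 19 and 21 make the same practical point: most of what a gateway logs is background noise, and the useful questions are which ports are being hit, how much of it comes from the ISP's own address range (neighbours on the same segment, as wat0114 observed), and which sources are actually scanning rather than sending one stray packet. The script below is an added example written for this thread, not anyone's real log or tool. The log lines are constructed in the standard netfilter kernel log format (the iptables LOG target, which Smoothwall-type boxes use underneath); the 24.64.0.0/16 ISP range and the WAN-DROP prefix are assumptions.

```shell
#!/bin/sh
# Triage of dropped-packet log lines from a netfilter-based gateway (added example).
# ISP_NET is the assumed first two octets of the ISP's subscriber range.
ISP_NET="${ISP_NET:-24.64}"

# CONSTRUCTED sample log lines in iptables LOG format; not from any real log.
SAMPLE_LOG='Sep 23 10:01:02 gw kernel: WAN-DROP: IN=eth0 OUT= SRC=24.64.17.9 DST=24.64.200.5 PROTO=TCP SPT=3201 DPT=445 SYN
Sep 23 10:01:05 gw kernel: WAN-DROP: IN=eth0 OUT= SRC=24.64.88.130 DST=24.64.200.5 PROTO=TCP SPT=4417 DPT=139 SYN
Sep 23 10:01:09 gw kernel: WAN-DROP: IN=eth0 OUT= SRC=221.5.77.2 DST=24.64.200.5 PROTO=TCP SPT=6000 DPT=1080 SYN
Sep 23 10:01:15 gw kernel: WAN-DROP: IN=eth0 OUT= SRC=24.64.17.9 DST=24.64.200.5 PROTO=TCP SPT=3202 DPT=135 SYN
Sep 23 10:01:40 gw kernel: WAN-DROP: IN=eth0 OUT= SRC=221.5.77.2 DST=24.64.200.5 PROTO=UDP SPT=1026 DPT=1026
Sep 23 10:02:03 gw kernel: WAN-DROP: IN=eth0 OUT= SRC=61.10.3.4 DST=24.64.200.5 PROTO=TCP SPT=5555 DPT=2967 SYN
Sep 23 10:02:44 gw kernel: WAN-DROP: IN=eth0 OUT= SRC=24.64.17.9 DST=24.64.200.5 PROTO=TCP SPT=3203 DPT=445 SYN'

# Drops per destination port, most-hit first ("445 2", then the single hits by port number)
drops_by_port() {
    printf '%s\n' "$SAMPLE_LOG" | awk '{
        for (i = 1; i <= NF; i++) if ($i ~ /^DPT=/) n[substr($i, 5)]++
    } END { for (p in n) print p, n[p] }' | sort -k2,2nr -k1,1n
}

# How many drops originate inside the ISP's own /16 (neighbour noise rather than the wide Internet)
drops_from_isp_range() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v isp="$ISP_NET." '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^SRC=/ && index(substr($i, 5), isp) == 1) c++
    } END { print c + 0 }'
}

# Sources that probed more than one distinct port: a scan, as opposed to a single stray packet
scanners() {
    printf '%s\n' "$SAMPLE_LOG" | awk '{
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (!seen[src, dpt]++) ports[src]++
    } END { for (s in ports) if (ports[s] > 1) print s, ports[s] }' | sort
}

case "${1:-}" in
    ports)    drops_by_port ;;
    isp)      drops_from_isp_range ;;
    scanners) scanners ;;
esac
```

    To run it over a real log, replace the SAMPLE_LOG variable with `cat /var/log/messages` (or wherever the box writes its kernel log) in the three `printf` pipelines; the field parsing stays the same because every LOG line carries SRC= and DPT= tokens. The scanner check is the one worth keeping an eye on: a single hit on port 445 is noise, while one address walking several ports in a short window is the pattern herbalist describes seeing from the same sources.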
     
  22. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Did shields up and Router did report a port scan.

    Shields up reported:

    GRC Port Authority Report created on UTC: 2007-09-23 at 19:43:13

    Results from scan of ports: 0-1055

    0 Ports Open
    0 Ports Closed
    1056 Ports Stealth
    ---------------------
    1056 Ports Tested

    ALL PORTS tested were found to be: STEALTH.

    TruStealth: PASSED - ALL tested ports were STEALTH,
    - NO unsolicited packets were received,
    - NO Ping reply (ICMP Echo) was received.

    Have been running a 7 machine network this way for about 4 years. For me this is good enough.

    I'm still confused though - your smoothwall firewall is a hardware firewall?
    are you saying that you have it configured just to see who is attacking? Unless you are doing this for fun why not just set it up to stealth all 1056 ports?
     
  23. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    SmoothWall is one of the many Linux/BSD distros which are built to serve as a NAT/SPI firewall and some other goodies. If you have spare hardware, you can build a box which will run circles (performance and features) around home routers and appliances <$1,000.
     
  24. herbalist

    herbalist Guest

    Smoothwall is my hardware firewall. My software firewall is Kerio 2.1.5. I installed Smoothwall 2.0 on an old Gateway 2000, a P5-133 that originally had Win95, primarily out of curiosity about hardware firewalls. The old Gateway was too underpowered even for Win98 but runs Smoothwall quite well. The total cost to build it was for 2 network cards and a crossover cable, about $60 and an old PC that wasn't good for much else. Hard to beat, especially for that price. With hardware this old, it's not the fastest firewall but it's fast enough for 864/160 DSL.
    My ports are stealthed, all 65535 of them. Shields Up just scans the first 1056 as scanning them all would take a lot longer. I didn't set up anything special in Smoothwall for this. That info is from its regular firewall logs. Smoothwall's logs are viewable from your browser. I'll try to put up a screenshot of as much of it as I can get into one image. The page scrolls for quite a ways.
    Rick
     
    Last edited by a moderator: Sep 23, 2007
  25. herbalist

    herbalist Guest
