Why install a firewall?

Discussion in 'other firewalls' started by nhamilton, Sep 29, 2009.

Thread Status:
Not open for further replies.
  1. ssj100

    ssj100 Guest

    To be honest, I don't think I need Comodo Firewall at all. However, Comodo Firewall also comes with the very powerful classical HIPS called Defense+, which I have "disabled" by default. But keeping Comodo Firewall installed gives me the option to enable it any time I want.

    Besides, as I've said before, Comodo Firewall is completely free for life, and it doesn't cause any noticeable slow-downs whatsoever for my system.
     
  2. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    When you say your system, what are you running over there? Desktop, Workstation, Laptop or Server? Still, everyone is going to have a different setup, hardware, software and etc. running. I can't run Comodo FW nor its CIS; it just does some crazy things on my systems. I can just use the plain FW from Windows plus tighten up the Group Policies, Local Security Policies and disable stuff in Services.msc and still have an effective system. What I see is that the system starts up quicker once you start the OS.

    There is a software company online that has Windows Firewall Companion for the Windows Firewall. The WFC adds outbound protection. They claim it's for free but it has a nag screen that can be taken care of. I didn't install it; it looks like a rogue piece of software to me.

    Now I run Symantec Endpoint Protection, the same software that CSC uses for its clients; still, on one desktop system it found 5 Trojans whereas Avira PE, Rising RAV, and Comodo AV didn't even spot them? Go figure, only 5.9KB for memory, still not bad!
     
  3. ssj100

    ssj100 Guest

    Desktop.
     
  4. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    Okay then desktop you just keep it plain and simple? Nothing fancy right?
     
  5. ssj100

    ssj100 Guest

    Yes, I've gone for simplicity mate.
     
  6. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    Cheers!
     
  7. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Isn't there like a 'Holy Grail' of why to or not to use a firewall somewhere? Then these questions could be referred to it. I like discussing it and seeing different viewpoints, but for those who are really asking the question 'Do I need it' and don't understand the technical details, it would seem some sort of 'super duper resource' would be nice.

    Sul.
     
  8. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    The thread is about "Why install a firewall?"

    Did you install windows firewall?

    By the way, this type of ironic question 1. has no effect on me 2. offers nothing to the collective knowledge.
     
  9. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Many firewalls filter based on IP, port and timeout (like with connectionless protocols). TCP offers greater control that should be implemented. As mentioned, Windows Firewall will look for TCP flags, and filter out malformed ones, which is more than home routers (and many software firewalls) will do.

    That would depend on the level of filtering implemented. With home routers, unsolicited connection attempts (SYN packets) will be dropped (ignored/not replied to), as this would be specifically hard-coded. All other packets which are not treated equally (invalid flag combinations), will be replied to in accordance with protocol standards.

    Unfortunately, this is the fact that must not be disregarded. Problem is that vendors will advertise incorrectly implemented, or actually absent features.

    If I am not mistaken, no firewall will help in this case. I can create a rule to filter RST, but what about the other side of connection? It will still get RSTs from me :doubt:
     
  10. ssj100

    ssj100 Guest

    Maybe you can answer me Seer - what is the point of filtering out malformed TCP flags? Apologies if this has already been answered, but I still don't understand the point of this.
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The RST is made against the server, the server does not reply, just drops the connection.


    - Stem
     
  12. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    Comcast does block the traffic by means of throttling back uploaded traffic for seeding for peer-to-peer. I was able to do downloading without issue but uploading wasn't the same at another location. Still, most of the P2P clients have transport encryption RC4, IP filtering internal and external software PG2 and PB, just to mask out your presence on your ISP network.

    Windows Firewall can be used in this case along with Group Policy and Software Restriction Policies. The hardware firewall on most firmware vendors can be used to block most other features from the source. DD-WRT gives you more options when it comes to P2P, more rule-based for your router that supports this firmware.

    Again, to answer the thread posting, the fact was the firewall was used to block attackers from taking over your system. If you didn't use a router and just used a modem (dial-up) back then, it was easy pickings for those who knew how to attack users online in private live chat rooms.

    Now so many newer users just connect to the modem (ADSL or cable) without using a router as extra hardware firewall defense; they just rely on the software firewall (internet security package) that the hardware vendor might have installed at the time of purchase of such desktop or laptop. The only problem is such software then tends to expire and stop functioning after a certain time.

    So the need to install a firewall would be yes for those who don't use a router and only use an ADSL or cable modem with their desktop or laptop. But here is where it gets tricky: do you still install one if you have the router?

    Yes, and why is that? For that added security layer it provides. But that is just one layer; there are the things that can get through and mess up your system. Then you need more security to fend off those pests. Not 100% still, but anything is better than nothing!
     
    Last edited: Oct 13, 2009
  13. ssj100

    ssj100 Guest

    Stem (or anyone who knows), I've discovered something strange. When I enable this protection with my NAT router:

    I don't pass this stealth test (some ports are identified as "closed" and not "stealthed"):
    https://www.grc.com/x/ne.dll?bh0bkyd2

    But if I disable the above DoS Protection, I get a PASS. What's going on?

    EDIT: wrong information corrected!
     
    Last edited by a moderator: Oct 16, 2009
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Unable to say without seeing a log of the scan, usually "Syn flood" protection is just a limit on the number of half open connections, but maybe the router is sending back RST packets (or ICMP) after the limit of inbound SYN packets is reached.


    - Stem
     
  15. ssj100

    ssj100 Guest

    If so, what would be the benefit of enabling/disabling SYN packet protection etc.
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    On a router, (IMHO) I don't really see any benefit. The protection is usually in place for server applications (such as P2P/game servers) and is best controlled on the Host.


    - Stem
     
  17. ssj100

    ssj100 Guest

    Thanks Stem. I'm happy with the inbound protection I'm getting with my simple (and cheap haha) NAT Router. I pass all the Shields Up! and PCflank stealth tests just with the NAT Router.

    With regards to outbound protection with a software firewall - I simply don't see any need for it personally. On my system, all malware threat-gates are contained/blocked by Sandboxie anyway.

    With regards to malware testing with VirtualBox and Sandboxie, I couldn't care less if information about my PC (eg. I'm using Windows XP SP3...big deal!) is being sent to anyone out there. I also have resource protection within each sandbox/threat-gate for areas of my computer like "My Documents", thus preventing any information within these possibly sensitive areas from being stolen or leaking out.

    Possible scenarios where I can see benefit from using a software firewall:
    1. My ADSL connection dies (temporarily) and I choose to connect via my dial-up modem (thus losing the protection benefits of a NAT Router).
    2. ?Connecting to a LAN.

    Anyway, this is easily solved by not using dial-up (I wouldn't use it unless I was really desperate anyway haha), and not connecting to any LANs - there's no need for me to do so anyway.

    However, if I ever decide to re-install a software firewall, it will have to be COMODO Firewall again - there's just nothing that is completely free and runs as light and as effective.
     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    With no control of what is going out, then there is no filtering of what is being returned.
    How I personally see this;

    With some comms, such as an example:- DNS(UDP) lookups, I want to ensure, the best I can, that the reply is checked to ensure it is a legitimate reply. Now OK, UDP is limited in what checks can be made, most packet filters at best check the IP/port, but a check on Identification can also be made. (That is a random number (between 0x0-0xFFFF) that is sent with (embedded in) the request; the reply should also contain that same number.) In TCP there is much more info that can be checked to verify that the returned packets are genuine, such as state/sequence number. Now I know some put forward this is not needed, but that info is contained for added security of the protocol(s), so why not use them?

    We see the onset of IPV6 which is not only being introduced for the expansion of the addresses available, but also to add more security, but most vendors do not filter IPV4 to the best security, so I cannot see them taking time to implement filtering IPV6 on the security level available.
    We see mainly today, vendors with implementations of an HIPS with a very basic packet filtering. I prefer to use a good packet filter (I can always add a sandbox or AV etc.)

    - Stem
     
  19. masqueofhastur

    masqueofhastur Registered Member

    Joined:
    Nov 19, 2005
    Posts:
    109
    Nice thread. Reminded me of why I'd need a more robust firewall.

    I sometimes connect on a public WiFi network, that's certainly not the safest environment and is the PEBKAC issue with worms that otherwise install without knowing anything.

    I have limited bandwidth otherwise, as I connect through my cell-phone. Having anything unwanted connecting to the internet could be very expensive for me.

    My primary concern is identity theft, I can't really afford to have my credit card get out, or anything like that, so software that phones home
     
  20. ssj100

    ssj100 Guest

    I guess the question here is what you're trying to protect against. I still don't quite understand the importance of packet filtering. I guess it's far too complicated for me to understand.

    For me, the "threat-gates" on my system are sandboxed with Sandboxie. Within these sandboxes, resource access protection is enabled to prevent any access to sensitive areas of my computer that I care about - eg. "My Documents". This means that these internet "threat-gates" cannot tamper or steal data from areas of my computer that I care about. That's what I want to be protected from. Furthermore, take for example my IE 8 sandbox - nothing can start/run or access the internet except for "iexplore.exe". Sure, "iexplore.exe" can connect out to/through various IP addresses and ports (I think). But what can it actually do to harm my REAL system? Remember, "iexplore.exe" is also run in a fake environment (virtualised with Sandboxie) and everything that changes is also done virtualised.

    Does a software Firewall with outbound control add anything to this setup? I still fail to see how it adds anything in this context. I could understand using a software Firewall if it made the internet connection more efficient (that is, get faster download/upload speeds, or get faster latency times etc) - I haven't got a direct answer yet about this...perhaps it does?

    Regardless, I'm still using a software Firewall for the various reasons I've already stated (in other threads also).
     
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Possible loss of internet due to incorrect packet filtering for one point.
    Let me expand on the post I made that you quoted above.
    With ref to this current thread concerning "DNS server Attacks" IMHO this should not be happening. If an implementation was made as I described, then the firewall would know that the packets were in fact late DNS replies and would not block the DNS servers.
    Let's look at illegal flagged TCP packets; these packets have no place on the Internet, although some are used for scans. Now those packets should be dropped, not just because they may be a scan, but because they should not be entering the system. There are times when these illegals will be seen, but it is possible not because of a scan, but due to some problem in transit, or even due to a problem with server hardware, so they should be filtered out. Now you don't have to even think of it as a protection against an attack; you could think of it, let's say, like a spam box in an e-mail client: it simply keeps the junk out.

    - Stem
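The two checks Stem describes in his posts above (matching a UDP DNS reply to the outstanding query by its transaction ID, so a late reply is recognised rather than treated as unsolicited, and dropping TCP segments with flag combinations that never occur in a legitimate session) as a small added example; this is constructed for this thread, not code from any firewall product, and the IP addresses, ports and timeout are assumptions.

```python
import struct

# Constructed example, not from the thread. A toy stateful filter showing the
# two checks discussed: DNS transaction-ID matching for UDP replies and
# rejecting TCP segments with illegal flag combinations.

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def illegal_tcp_flags(flags):
    """True for flag combinations that never occur in a legitimate session."""
    if flags & 0x3F == 0:                    # NULL segment: none of the six flags
        return True
    if flags & SYN and flags & (FIN | RST):  # SYN never travels with FIN or RST
        return True
    if flags & FIN and not flags & ACK:      # FIN (incl. "Xmas" FIN+PSH+URG) needs ACK
        return True
    return False


class DnsReplyFilter:
    """Remember outbound DNS queries; judge inbound replies against them."""

    def __init__(self, timeout=5.0):
        self.timeout = timeout           # assumed UDP "state" lifetime in seconds
        self.pending = {}                # (src_ip, src_port, dst_ip) -> (txid, sent_at)

    def outbound_query(self, src_ip, src_port, dst_ip, payload, now):
        # DNS header: 16-bit transaction ID, then 16-bit flags (QR is bit 15).
        txid, flags = struct.unpack("!HH", payload[:4])
        if flags & 0x8000:               # QR set: this is a reply, not a query
            return False
        self.pending[(src_ip, src_port, dst_ip)] = (txid, now)
        return True

    def inbound_reply(self, src_ip, dst_ip, dst_port, payload, now):
        txid, flags = struct.unpack("!HH", payload[:4])
        key = (dst_ip, dst_port, src_ip)  # reverse of the query tuple
        entry = self.pending.get(key)
        if not (flags & 0x8000) or entry is None or entry[0] != txid:
            return "drop"                # unsolicited, or ID does not match
        del self.pending[key]
        # A matching ID arriving after the timeout is a late reply from our own
        # resolver, not an attack: log it instead of blacklisting the server.
        return "late-reply" if now - entry[1] > self.timeout else "accept"
```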
     
  22. Pfipps

    Pfipps Registered Member

    Joined:
    May 15, 2007
    Posts:
    181
    The built in windows firewall doesn't scan for "low level" packets?
     
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Ahhh, Seer & Stem thanks for the posts, it helps to demystify the magic of Routers and Software firewalls

    Most Nat Routers only restrict UDP to Address and TCP to Address and Port.

    A SPI capable firewall only adds sequence checking within the expected range.

    All the heavily marketed application level filtering which is mentioned on most 'better' SPI /NAT routers is only on protocols going through a specific port. Then it recognises ahh this is the start of a Torrent session.

    Then there is the 'iron' law of protocols, a certain request/command simply generates an answer/reply, that it is why it is a protocol, a chain of events which facilitates communication in an orderly manner.

    Protocols simplified is like Jack Nicholson in The Shining saying "Here comes Johnny . . . . " and the victim responding (broadcasting) I am here, I am here

    Due to the fact that these devices are used by end-users they are made simpler to set up. DHCP for instance is great, but convenience comes with a sacrifice of security. It is like married with children: you can't have one without the other.

    To be honest I have no idea how the spoofing protection works in my router. I simply can't find the information. So I feel I am treated like in a wash powder advertisement, "New Omo (a brand) with TAED (a new attribute, probably a chemical ingredient), washes cleaner than ever." How or what it does, this "washing clean my network laundry packets", is a mystery to me. Therefore I use static IP addresses, deny all access to the router on MAC and IP address, except for the few PCs in range. On the PCs we use the OS internals (Vista FW 2 way) or internal with outbound (XP inbound with DWv3 looking at outbound)

    I also think Vista/Win7 FW is heavily underrated. I would ask the moderators to make "STEM's how to" a sticky in the FireWall section. Also some Matousec winners do a lousy job on their basic function "filtering packets" (Comodo's has some options, but it has the protocol monitoring DEselected by default for instance)

    Cheers Kees
     
    Last edited: Nov 3, 2009
  24. wat0114

    wat0114 Guest

    It's tough to implement SPI with the UDP and ICMP protocols because they are both connectionless protocols, so they don't really have a true "state" like the TCP protocol. With UDP, besides using the source port/IP address of the host and server, a timeout value can be placed in a table so that if it's exceeded then the connection can be blocked, and with ICMP maybe tracking the type and code values is about all that can be done. With TCP I would think checking at least the sequence flags in the packets, which as Stem has mentioned most 3rd party firewalls don't even do, would be an adequate level of SPI implementation.
     
  25. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Umm, is this all really that necessary on a home network with desktop rigs, maybe a small LAN? As long as the router is not opening DMZ or forwarding ports and things of that nature, is there much of a chance of anything 'bad' happening?

    As far as firewalls go, presuming that all computers in the network (LAN) are properly configured/managed so that a virus is not running rampant internally, is a firewall really necessary? Sure, to stop unwanted outbound access of a software, or to shut ports being held open that cannot or are not desired to be shut down it can do a job.

    But assume that I have 3 computers, each with imaging or rollback or some feature, each clean with proper security implemented to keep 'most' common threats under control. Is a firewall really going to make it any 'safer'? Is tuning the router really making things 'safer'?

    And yes, an educated opinion based on fact that says 'Sully, it could be detrimental certainly if X happened while Y was open, and this is fairly common' is sure to perk my ears up, just as 'Sully, odds are if decent security is implemented, odds are slim that X will happen even if Y is open' would leave me happy with the way things are.

    If that makes sense. I have not been following firewall/router issues much and wonder if I am missing some critical information.

    Sul.
     