What is the Truth about Firewalls?

Discussion in 'other firewalls' started by KDNeese, Sep 15, 2007.

Thread Status:
Not open for further replies.
  1. KDNeese

    KDNeese Registered Member

    Joined:
    Dec 16, 2005
    Posts:
    236
    I hope this is the right forum for this question. If not, feel free to move it. Besides spending a lot of time here at Wilders, I also frequent many of the newsgroups, some of which have some very knowledgeable people when it comes to networking and firewalls. The one comment I keep hearing over and over from some of the more technical people is that a software firewall is essentially useless. Some of the people actually ridicule those of us who use software firewalls. Personally, I find it hard to believe that they are useless. I realize that firewalls can be compromised, but with the multitude of users on the net, I would think the chances of a hacker targeting one particular computer are slim. I would also think that they would be going after the many users who use no firewall whatsoever, do not have their systems patched, have no security software, and are much easier targets. I just find it hard to believe that software firewalls don't provide at least some measure of security. So I guess my question is, Who is right? Am I right to believe that my firewall, while not keeping me invincible by any means, does add some measure of protection? Or, is it like the techies say... that my firewall basically provides nothing but a false sense of security? Perhaps some of you more advanced than myself in networking technology could shed a little light on the subject.
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello KDNeese,

    I see many "Blogs" and such where "firewalls are useless" or "die without a firewall", such and such.

    You have been around on this forum for a while... what do YOU think? Come on, you should be able to think about this! You tell me!
     
  3. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    461
    Some things that they can do:

    1. Provide good logging so you can see what is going on outside your computer, which may encourage you to find out more info if something looks suspicious, i.e. if you are getting a lot of probes on port xxx, you might want to find out what they are probing for and whether it will affect you. Some software firewalls provide much better logging than routers and log inbound and outbound stuff. Some can selectively log certain rule matches and ignore logging other rule matches, so your log isn't filled up with unnecessary events. If you want, you may be able to use the log to monitor the activities of other users of your computer.

    2. Blocking outbound access to malware IP addresses for certain appz or all appz. Have you read this thread:

    https://www.wilderssecurity.com/showthread.php?t=136452&highlight=gromozon

    3. Monitoring and/or blocking outbound access to IP addresses for software you own. For example if you own and trust Flashget and you upgrade to a new version and find out all of a sudden that v1.73 communicates with the mother ship while your favorite v1.72 does not, you will know about it. Or can be used for restricting appz to certain ports only.

    4. Etc. Etc.
     
  4. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Like most things, they serve a role that is context sensitive.
    The main issue is that if communications are being initiated by a compromise, the system itself is compromised and integrity of the firewall is potentially in question. The thing is, that qualifier "potentially" is a very big qualifier. Yea, it can happen. Lots of things "can happen". A meteor "could" land on my house tonight, but I'm not going to be consumed with worry about that possibility.
    Let's put a realistic probability on that - say < 0.00000001%? Random individual home users worried about a directed attack are, to be perfectly blunt, delusional.
    Precisely, it's referred to as harvesting the low hanging fruit.
    I tend to view firewalls as providing a measure of user control, and that level of control can manifest as providing some aspects of security.
    Again, focus on control. If you have control, that can provide a measure of security, or not, depending upon how that control is administered. Is it better than nothing? Of course it is.
    The false sense of security argument is really a red herring if you approach a firewall as a communications management tool. Like any other tool, it can, in principle, be compromised.

    The issue I have with most critiques of computer security floating around out there is a focus on elaborate scenarios, in which a multitude of things have to occur precisely right, and it is then implied that this precise sequence of events is lurking around the corner ready to pounce on virtually everyone. This is ridiculous.

    Let's be real. A firewall allows you to control some aspects of computer operations. If the computer is compromised, you may (or may not) lose that level of control. If you lose that control, chances are, you're more likely to notice than if you didn't have access to that level of control in the first place.

    Blue
     
  5. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    I have used PC with and without software firewall. I have used PC with just inbound only windows firewall. Verizon says get a software firewall even with hardware firewall o_O router. Comcast used to tell me no need for any firewall none! :rolleyes: This was in the old days before SP2. I do not know what their position is now. They do McAfee Suite with firewall so maybe they have changed their mind :doubt: .

    I personally think the inter workings of firewalls are complicated. Logging who the hell except some of the great experts that hang here know how to figure them out.

    I actually believe all that is necessary is inbound protection. Hardware FW, router or just Windows SP2. Now we have Vista with in and out protection. This seriously puts at least software Firewall only "security softwares" on the endangered list imho.

    As is the case many times BLUE has at least a good answer. It is about control. I remember a long time ago Moderator creature BUBBA, going back to very old version of Zone Alarm just for the in and out control; seemed to like the light weight simplicity of it. Another good example of just use it for traffic monitoring where you are in control.

    I think the firewall is slowly losing its position as a security product and is becoming a traffic cop on an otherwise secure system and I do mean Anti-malware plus AV and fully patched system, then add the thing between our ears, and the PC should be relatively secure. Add behavior product or if one of the above includes it and with inbound blockage of unsolicited traffic; you have a good secure system you can sleep easy at night with.

    And that is just what I think about it.....;)
     
  6. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    Using a firewall (software and/or router) by themselves may not provide a lot of security, but as part of a layered-approach I think they play a significant role in security. Imagine going on the baseball field with only six players. I don't care how good the six are, they are going to be even better with the help of another three because they can better cover the whole field. A firewall is going to help the layered-defenses cover the whole spectrum of possibilities.
     
  7. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    For users without some sort of hardware firewall, software firewalls can provide inbound protection from hackers.

    Application control (outbound protection) is another story.
     
  8. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    If software firewalls are useless, all of us notebook computer users who hook into public wifi spots are in a world of hurt.

    As far as outbound filtering and leak testing go, I believe it's overblown, but others around here think it is everything. There might not be a real answer to that one.
     
  9. KDNeese

    KDNeese Registered Member

    Joined:
    Dec 16, 2005
    Posts:
    236
    Stem,

    My personal opinion is that firewalls are not useless, or I wouldn't use one. Also, I'm not talking about blogs on some website, but conversations I've had with a lot of guys who are network admins and whose knowledge is so far above mine it's not funny. They start talking about the inner workings and all of that and it's like they are speaking a foreign language. I've been trying to understand exactly what they are saying, but it's simply way too far above my head. I know what I've read here, and have learned a lot, but I don't have the knowledge to even begin to argue with these guys who criticize software firewalls. Basically, I just wanted some other input as to why these guys might be wrong in their assessment, hopefully on a much simpler level that I can understand.
     
  10. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Well, if you're talking to network admins, also verify that you're both talking about exactly the same situations and user populations.

    Recall that there are plenty of folks who will blithely state that classical AV's are worthless, that they don't use them, and they're none the worse for it - and all those points can be both correct and completely irrelevant to the discussion at hand.

    Blue
     
  11. herbalist

    herbalist Guest

    Software firewalls are a long way from useless. They're not an ultimate security tool or an answer to all possible security issues, but IMO, they're an essential part of a layered security package, even when a hardware firewall is also used. On my system, a software firewall is one of the core enforcement tools of a default-deny security policy. Only the traffic that's necessary for an app or system to function is allowed. Routers and hardware firewalls can't control traffic on an application level.
    The chances of an actual person singling out your PC are slim, assuming you haven't done something that draws their attention. The chances of automated port scans and malware randomly probing your system are much higher. Some time ago, I used a firewall that alerted me every time a port scan touched my system. I couldn't get anything done! Every few minutes, an alert. Even when I used dialup and a floating IP, they were almost constant. My hardware firewall, Smoothwall 2.0, logs these, usually several pages of them each day. Blocking unsolicited inbound traffic is a big part of the battle. Control over outbound traffic not only helps to protect your privacy by preventing unwanted "calling home", it's also an additional layer of protection against malware connecting out, should the user unwittingly install compromised software or an app bundled with adware/malware.

    If they're calling software firewalls useless based on their inability to defeat certain leaktests or block specific exploits, keep in mind that these aren't always the firewall's job. Those who base the value of a firewall on how it defends against all possible problems want a combined security suite and expect that one suite to protect against everything. I wish them luck as that perfect security suite doesn't exist. I consider traffic control important enough that I want it controlled by a single purpose program, not one that's trying to multitask. For me, that's a rule based firewall like Kerio 2.1.5. Many firewalls, or firewall suites as they should be called, have application control or HIPS components. I also consider that important enough that it should be separate. On my system, that's SSM's job. These cover 2 of the 3 items I consider critical. The third is control over the content of the allowed traffic, such as Java, Javascript, ActiveX, Flash, ads, etc. For this, I rely on Proxomitron, essentially a rule based filtering program. In a multi-user environment, user control is also a necessity. That includes the system's owner as no security app can completely compensate for the bad decisions of the one at the keyboard.

    By themselves, none of the 3 mentioned are sufficient, not the firewall, not the HIPS. It's the combination of the 3 and their enforcing the default-deny security policy that makes them a very effective package. Take away any one of the 3 and the package is much less effective. It's also critical that the user adopts that same default-deny policy when faced with a decision. Firewalls and HIPS software don't stop much when the user clicks "Allow".
    Rick
     
  12. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    I don't know much about how firewalls really work, either as software or hardware.

    But one thing I know for sure and that is my firewall (like most of them properly configured) will stealth all of my ports while surfing the net. Steve Gibson's website has become a must to try out your visibility.

    Now if this is a 'myth', and they (the crackers) can still spot you, I don't know, but this alone makes it worthwhile to have one.
     
  13. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Hello,

    I don't think (software) firewalls should be treated as something to stop malware. In that regard, they could really be useless.

    Firewalls are intended to control traffic - untrusted / trusted inbound and trusted outbound. See the catch?

    You use firewall to lessen the noise from outside. But outbound, you use it to monitor applications that you WANT on your machine but you might NOT WANT to connect to the Internet at a specific time (or ever).

    There's no point having an unwanted program on your PC to see how your firewall fares. Why should you have anything unwanted on your PC? If it's there, installed, then you have put it there, because you want it. And now, you decide when it may or may not dial out.

    Firewalls are not needed to control malware, but what about Windows components? For example, wgatray.exe or such? When it tried to connect to MS every reboot? Now here, supposedly is a piece of software that goes with your machine (assuming Windows is a trusted choice), but you don't wish this crap to connect. A firewall comes in handy here.

    Inbound, anything will do.

    Mrk
     
  14. Dogbiscuit

    Dogbiscuit Guest

    1. Control - Whether someone wants control over 'trusted' apps connecting out is really up to them, as some of the above posts have pointed out. This is a personal decision, for privacy, etc., IMO.

    2. Security - Can your firewall protect itself and network drivers (tcpip.sys, ndis.sys, etc.) from malware such as rustock.b, srizbi, etc., which modify those drivers to bypass firewalls, sniffers, etc., and connect out? If not, you know certain malware can bypass your firewall if allowed to execute (accidentally, for instance), so relying on a firewall alone for security or information can be unreliable - if that's the case.
     
    Last edited by a moderator: Sep 16, 2007
  15. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,439
    Location:
    Slovakia
    BlueZannetti explained it very well, it depends only on a user. Normal user needs a firewall, a user, who knows a little about security might not need one and IT expert does not actually need it, but the point is, it is somewhat useful, though it can be replaced with some network monitoring tools like Wireshark and so on.

    I am not an expert, just a simple folk and I do not use a firewall and I do not miss it. When I stopped using it, it looked to me like I got doubled network connection speed, since there was nothing, that would control packets. Also there is no difference between stealthed and closed ports, only opened/listening ports matter.
     
  16. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello,

    Firewalls are everything but useless. There is a trend existing which says indeed that using a software firewall is ridiculous, same for antivirus, and even same for Windows, etc... However that is not true.

    Like Mrk, not speaking about malware, but simply about traffic, a software firewall enables you to choose which traffic you want to allow, and which not. Speaking about outbound, there is some legit software that tries to connect out, that I personally don't want to (Video/DVD players, Windows components, etc...). Also simply, a software firewall enables you to detect any unusual activity (inbound or outbound), to be aware of it, and to allow or block it. In the scheme of a layered approach, I hardly see how a software firewall could be useless, it's just another security management tool.

    You know, if you believe that kind of supposed "knowledgeable people", you would run without firewall, without antivirus, without HIPS, you would not even update Windows. Likewise, you can drive in a car which does not have an airbag, and still drive well. Just cross your fingers to not have any accident...

    Software firewalls are not a panacea, that's what I try to demonstrate on firewallleaktester, they cannot handle everything. However combined with a hardware firewall, and at least an antivirus, they are very useful.

    At the end, like Blue said, they are context sensitive, some people may not need any in their context, but that doesn't make them useless for everyone in any context.

    Regards,
    gkweb.
     
  17. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,439
    Location:
    Slovakia
    In fact that is a good comparison, it is about, what is in your computer and what you can afford to lose.
    If you have nothing valuable there like music, software, games, then there is actually nothing to protect.
    E.g. if I would decide to use internet banking, I would use at least a firewall and some HIPS for sure.
     
  18. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Hello,
    Why? What's so different in visiting your bank site or your email account?
    Why do you need HIPS if you wish to buy a book on Amazon or check your balance in your bank account?
    Mrk
     
  19. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,439
    Location:
    Slovakia
    Because if your email account gets stolen, you can just get another in a min, but if your bank account gets stolen, you will never get money back. ;)
     
  20. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Hello,
    Bank accounts cannot get stolen, unless your bank is a joke.
    Most banks employ so many securities even normal users have problems doing things, let alone would-be hackers.
    Mrk
     
  21. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,439
    Location:
    Slovakia
    Well, I am glad to hear, I have never used an online payment, I just think about getting Paypal account someday to buy software. I guess, that all those stories about getting an account number and money afterwards are the same lies like "You will get infected as soon as you connect to the internet without an AV". ;)
     
  22. tlu

    tlu Guest

    An interesting topic.

    1. Let's talk about inbound protection first. Here we have to differentiate between client and server applications. A server listens at a special port which has, logically, to be open, otherwise no one else would be able to have access to that server. However, e.g., a web browser is a client application. It connects via the TCP/IP stack to a remote web server through (usually) remote port 80 on that server. The TCP/IP stack rejects any incoming data without a previous corresponding request by the client application. Therefore, there aren't any open local ports on your computer when using a web browser or another client application. On the other hand, open ports caused by server applications (usually services on your Windows machine) should be closed by a firewall if those services can't be stopped as explained on http://www.ntsvcfg.de/ntsvcfg_eng.html since there have been prominent examples in the past of worms that exploited security leaks in such services (e.g. Sasser). The Windows firewall is absolutely enough to provide perfect inbound protection. The same is true if you're behind a router - although I recommend to keep the Windows firewall enabled also in this case as there have been cases of (low-cost) routers with security leaks.

    2. The more interesting and controversial aspect is outbound protection. Here we are talking about applications "phoning home" and "leaktests" that try to show if the firewall is able to prevent that. Does this make sense? Well, it depends. If you want to block malware phoning home, that's okay. On the other hand, this means that your computer is already compromised and you're having a big problem. However, if it's not malware but a trustworthy application, it's most probably just looking for updates - nothing to worry about. In this case you're blocking something useful.

    Note that I'm not trying to condemn outbound protection in Personal Firewalls. All I want to say is that PFWs require a good understanding what's going on on your computer. For example, I think that most users of PFWs don't know the distinction between local and remote ports and between client and server applications. And I'm convinced that probably 80-90% of all users don't know what to do if they get a pop-up with "services.exe" or "svchost" requiring net access.

    That said, I agree that a PFW with good outbound control can be a valuable additional control layer for people who know what they are doing. And I also agree that there are probably applications even from respected companies that do not behave as expected (gathering personal infos that they wouldn't really need) - that's more a privacy than a security issue. But nevertheless I think for most users it's much more important to practise safe computing by:
    • only installing trustworthy, well-known applications from trustworthy, well-known websites
    • keeping your OS always updated (do NOT disable automatic updates!)
    • keeping your applications always updated
    • NOT using any software cracks (which are mostly contaminated with trojans)
    • disabling ActiveX in Internet Explorer and - even better -
    • replacing IE with Firefox or Opera and Outlook Express with, e.g., Thunderbird
    • NOT executing any software/mail attachments you don't know
    • using an anti-virus software
    • using a limited user account that makes your computer much more secure.
    If you follow these guidelines, outbound protection isn't as important as it seems to be at first glance.
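
Added example, not part of any post in this thread and not any product's rule engine: a toy Python model of the two ideas in herbalist's and tlu's posts, per-application default-deny outbound rules and inbound traffic accepted only as a reply to a connection the machine opened or on a port opened for a service. The rule fields, rule set, ports and addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    app: str                  # executable name; "*" matches any application
    proto: str                # "tcp" or "udp"
    remote_ports: frozenset   # allowed remote ports; empty set = any port
    action: str               # "allow" or "deny"
    log: bool = False         # selective logging: only rules marked True are logged

# Implicit last rule: anything not explicitly allowed is denied and logged.
DEFAULT_DENY = Rule("*", "*", frozenset(), "deny", log=True)

@dataclass
class Firewall:
    rules: list                                   # outbound rules, first match wins
    services: set = field(default_factory=set)    # (proto, local_port) opened on purpose
    flows: set = field(default_factory=set)       # connections this host initiated
    log: list = field(default_factory=list)

    def outbound(self, app, proto, lport, raddr, rport):
        """Return True if `app` may open this connection; remember allowed flows."""
        rule = next((r for r in self.rules
                     if r.app in ("*", app) and r.proto == proto
                     and (not r.remote_ports or rport in r.remote_ports)),
                    DEFAULT_DENY)
        if rule.log:
            self.log.append(("out", rule.action, app, raddr, rport))
        if rule.action == "allow":
            self.flows.add((proto, lport, raddr, rport))
            return True
        return False

    def inbound(self, proto, lport, raddr, rport):
        """Classify an inbound packet as 'reply', 'service' or 'drop'."""
        if (proto, lport, raddr, rport) in self.flows:
            return "reply"       # answer to a request this host made
        if (proto, lport) in self.services:
            return "service"     # port deliberately exposed by a server application
        self.log.append(("in", "deny", None, raddr, lport))
        return "drop"            # unsolicited: nothing asked for it, nothing serves it

def demo():
    # Constructed rule set and traffic; addresses are documentation ranges.
    fw = Firewall(rules=[
        Rule("wgatray.exe", "tcp", frozenset(), "deny", log=True),
        Rule("firefox.exe", "tcp", frozenset({80, 443}), "allow"),
        Rule("flashget.exe", "tcp", frozenset({21, 80}), "allow", log=True),
    ])
    results = {
        "browser_https": fw.outbound("firefox.exe", "tcp", 50001, "192.0.2.10", 443),
        "browser_reply": fw.inbound("tcp", 50001, "192.0.2.10", 443),
        "stranger_to_client_port": fw.inbound("tcp", 50001, "203.0.113.7", 443),
        "port_probe": fw.inbound("tcp", 445, "203.0.113.7", 40000),
        "wga_phone_home": fw.outbound("wgatray.exe", "tcp", 50002, "198.51.100.5", 80),
        "flashget_new_port": fw.outbound("flashget.exe", "tcp", 50003, "198.51.100.9", 8080),
        "unknown_app": fw.outbound("unknown.exe", "tcp", 50004, "198.51.100.9", 80),
    }
    return results, fw.log

if __name__ == "__main__":
    results, log = demo()
    for name, verdict in results.items():
        print(f"{name:24} {verdict}")
    for entry in log:
        print("LOG", entry)
```

The browser's own traffic never reaches the log, while the blocked Windows component, the download manager's connection on a port outside its rule, the unknown program and both unsolicited inbound packets do.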
     
  23. wat0114

    wat0114 Guest

    Just take most of what Mrk, gkweb and tlu said, and that's pretty much my take on software firewalls too :)

    In the hands of a knowledgeable user a software firewall is useful. If malware gets on the machine, tough luck. Restore an image or reformat.
     
  24. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    Interesting little back and forth b/w TheTom and Mrkvonic there. :thumb:

    I would like to weigh in on this. I believe when it comes to banking, brokerage, buying a book from a site so on...a clean system well protected by good AV with or without separate applications that address trojans and spyware are more important. Also a behavioral app. would be nice too. Inbound protection like windows SP2 is all that is necessary. I believe you are no more or not that much more secure with a full blown in and out traffic cop firewall.

    I have to agree with Mrkvonic banking site for example has security of their own as well there is encryption. What makes banking increase the need for a firewall? It doesn't. But you better make sure your system is clean that is the important thing.

    Finally what is most concern and scares me is false sites and redirects that steal your passwords. Now we are talking real trouble and lost moneys. :eek: How are we protected from that....o_O
     
  25. tlu

    tlu Guest

    Phishing: Don't click links provided in emails.
    XSS: use Firefox with Noscript and SecureLogin.
     