Can someone explain the point of a Firewall?

Discussion in 'other firewalls' started by Hungry Man, Dec 15, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I run an inbound Firewall on Ubuntu but I don't really see the point.

    I see Firewalls as a way to limit exposure. So let's say I have samba running on my system as an exposed service.

    With a Firewall:
    All ports are closed except those necessary for Samba.

    Without a Firewall:
    All ports are closed except those necessary for Samba.

    So if Samba is my attack surface I have two options:

    1) Disable Samba. With no service behind the port I've removed the vector, right?

    2) Enable a Firewall to block Samba. An attacker can't reach the service, so the threat's removed.

    The only difference I see here is that a Firewall removes access to code but in itself adds its own code. Disabling a service only removes code.

    So what am I missing? What's the point of a Firewall? If I have a Firewall and I open all of my ports but there are no services behind those ports how am I any less secure than having a Firewall with only specific ports open?
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Firewalls provide more than just turning on/off access to a/some port(s). There's a lot more granularity on port access, plus a lot of other features, such as blocking certain types of activity or connections, i.e. malicious connection types that have no place in legitimate accesses.

    But, on the first point, using your Samba example... Do you want Samba open to the entire world or are you just using it locally in your LAN? Enabling Samba for open access could mean that anyone, anywhere in the world could access it. But, if your intent is only local LAN access, in your house or business, or perhaps a limited WAN access, say across specific local and remote offices, then your firewall can provide the ability to limit who/what has access and block out the rest of the world.

    A common server-side example for basic website hosting is what is typically done with the MySQL server process... MySQL opens TCP port 3306 for network access to the database. If you have multiple webservers and a separate database server, you'd have to allow the webservers access to port 3306 on the database server. However, it would be foolish to open TCP port 3306 to the Internet and let the world pound away on the MySQL process when there is no need for anyone else to access it. A perimeter firewall could easily allow local webservers to access the database server while keeping the world out. Is MySQL able to protect itself from the world? Perhaps, unless some unknown exploit is found. But, why have mysqld fielding all the possible authentication requests and spurious packets from the Internet when you don't want any Internet users to have direct access at all? This saves DB resources at the very least, and a possibly big security hole at the worst.

    We firewall here, of course. There is simply no reason to have everything open to the Internet when some services are only used internally across our hosted environment.

    There's a lot more as far as intelligent blocking of malicious traffic types that come in against public facing servers. The firewall appliance here does a lot of intelligent stuff to offload that traffic and its resource load from the webserver public face.
     
  3. happyfood

    happyfood Registered Member

    Joined:
    Oct 31, 2011
    Posts:
    7
    A firewall can in theory help enforce the principle of least privileges.

    It can to some extent help make sure programs are able to "access (use) only the information and resources that are necessary for its legitimate purpose".

    A firewall can also serve as an additional layer in case of software bugs; maybe you specified to the server that it should disable and not use the built-in remote control option, but due to a coding error the hacker could still connect. (Opera browser, for instance, currently still loads iframes despite the user specifically saying in the settings that it should block iframes; what says that servers can't have bugs...)

    Firewalls can sometimes help detect (log, alert on wrong uses) and/or stop attacks (or possibly limit the damage).
     
    Last edited: Dec 15, 2012
  4. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Perhaps another way of putting it is that while the app opens the port for expected communications, the firewall regulates the traffic to help ensure that communications are only as expected.

    Additionally, it will help block known network attacks that could create connections that wouldn't happen under normal circumstances.

    A gateway firewall can take this a step further with IDS/deep packet inspection to help filter exploit attempts for various types of clients and servers, and possibly application firewalling to provide even more granular control of the requests/commands/etc (blacklist and/or whitelist) that can be sent to your server.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I'm not referring to outbound Firewalls here. Just to be clear.

    How can a local Firewall do this?

    Reading on I see you mean perimeter. I apologize, I was unclear. I meant local firewalls/ host firewalls.

    Sure. But if a program has access to one port (we can assume it does if it's being exploited) then does it matter whether it has access to other arbitrary ports? An attacker can simply use the ports available, right?

    To me this is IDS, which would be separate from Firewalls if I'm not mistaken.

    So to clarify:
    What is the purpose of an inbound Firewall for users when they're already behind a network Firewall?

    I guess it would be isolation from other active devices on the same network? But then we're back to "just disable the service" if you don't want local access to it. Or I guess if you use really specific rules with the firewall it might make sense.
     
  6. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    You can just as easily set host and/or subnet restrictions on incoming connections with a host firewall.


    It's not about the port itself, but the resource that opened the port; a port itself isn't anything but a sort of address to a program. The port doesn't give full access to everything behind the firewall, unless the program listening for connections is exploited. An attacker would need different ways to compromise each different program.

    Mostly it would help in the event that someone got behind the network firewall (either physically, remotely, or via malware), but it may also offer you more granular control and/or other options that a network firewall wouldn't. There may also be features that you can't use on the network firewall because they cause too much disruption for the other hosts, but not your server.

    IDS isn't necessarily separate, although it can work on its own and not all firewalls have IDS. It uses deep packet inspection, which is the next step up from stateful packet inspection. These are more typically found in network firewalls, but not always. You can find application firewalls for both host and network.

    If you're the only person on the network then a local firewall certainly won't be as necessary, but it's still a good layer to have. You never know what the next vulnerability will be.
     
    Last edited: Dec 15, 2012
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Exactly... I was about to say something similar, but this is it in a nutshell. :thumb:
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    What I mean is that if I compromise a browser and the browser has access to ports X Y and Z, I don't need access to A-W, I can just use what I've got.

    I suppose I can see the point for finely grained rules.
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada

    If the browser has access to X, Y and Z then that is outbound. A browser is not a server process that listens for an inbound connection. It attempts an outbound connection, then establishes a two-way connection when its outbound attempt is accepted by the remote server. There is a three-way handshake procedure here: SYN, SYN-ACK, ACK.
     
  10. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    And what ports a program uses for outbound depends entirely on the server it's connecting to. A compromised program may not be able to use the ports that are already allowed by the firewall (depending on what it wants to do); for one thing, the firewall SPI would be more likely to detect and stop something like an IRC connection (often used by backdoor trojans) attempted over port 80 (HTTP), as an example. AFAIK this is standard enough in firewalls that what you describe is not attempted anymore.

    A firewall is also going to protect the operating system's network stack, which is actually probably a bigger reason to use the firewall (exploit the network stack and it won't matter what services you have disabled). Besides that, however, if you put a firewall on the system with the samba server, then the firewall is going to help stop attempts to compromise the server using network connection exploits (fragmented or malformed packets and such).

    If the server was compromised then it would not be able to take over any ports that the server is already using, and a firewall would prevent it from opening any new ports; if you locked down outgoing communications as well then it wouldn't be able to connect anywhere at all; its communication would be limited to what's normal and expected.
     
    Last edited: Dec 16, 2012
  11. badkins79

    badkins79 Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    60
    Location:
    Maryland
    My take on it is that incoming connection blocking on a desktop computer that is behind a router won't help you much. The only thing you could use it for is if you thought another computer behind your router could be launching attacks on you. In that case you can set up your firewall to only allow incoming connections from a specific address.

    If however you are not behind a router so your computer has an externally routable address, then incoming connection blocking is much more important. You could take it on yourself to make sure no program is configured to listen on the external address, but that is time consuming and error prone. Plus you might get it all done, and a software update later could open you up again without you noticing.

    In this case you could set up your firewall to allow no listening on the external ip. In the case you actually wanted one program to have access, you could then whitelist it.
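    The host/subnet restrictions LowWaterMark (MySQL on 3306 for the web tier only), Notok (subnet rules on a host firewall) and badkins79 (default-deny on an external address, whitelist one program) describe, modelled as a small first-match, default-deny rule evaluator. This is an added example, not any poster's configuration: the ufw-like rule syntax, the addresses and the ports are constructed, and it models rule logic rather than driving a real packet filter.

```python
# Constructed model of a default-deny inbound host firewall (added example,
# not any forum member's setup). Rules are evaluated first-match; a packet
# that matches no rule is dropped. All addresses and ports are made-up values.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp" or "udp"
    port: int                   # destination port on this host
    src: ipaddress.IPv4Network  # source network the rule applies to


def parse_rule(line):
    """Parse 'allow tcp 3306 from 10.0.1.0/24' (ufw-like syntax, constructed)."""
    action, proto, port, kw, src = line.split()
    if action not in ("allow", "deny") or kw != "from":
        raise ValueError(f"bad rule: {line!r}")
    net = ipaddress.ip_network("0.0.0.0/0" if src == "any" else src, strict=False)
    return Rule(action, proto, int(port), net)


def evaluate(rules, proto, dport, src_ip, log):
    """Return 'allow' or 'deny' for one inbound packet; append a log line so
    blocked probes are visible (the detect/alert role happyfood mentions)."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.proto == proto and r.port == dport and src in r.src:
            log.append(f"{r.action.upper()} {proto}/{dport} from {src_ip} by {r.src}")
            return r.action
    # Default deny: a service that a later update starts listening on (e.g. a
    # new daemon on 22) stays unreachable until someone whitelists it.
    log.append(f"DROP {proto}/{dport} from {src_ip} (no matching rule)")
    return "deny"


# Constructed policy: web tier (10.0.1.0/24) reaches MySQL, except one
# decommissioned host; Samba is reachable only from the LAN; nothing else.
RULES = [parse_rule(l) for l in [
    "deny tcp 3306 from 10.0.1.66",
    "allow tcp 3306 from 10.0.1.0/24",
    "allow tcp 445 from 192.168.1.0/24",
]]

if __name__ == "__main__":
    log = []
    for proto, port, ip in [("tcp", 3306, "10.0.1.7"), ("tcp", 3306, "203.0.113.9"),
                            ("tcp", 445, "10.0.1.7"), ("tcp", 22, "192.168.1.20")]:
        evaluate(RULES, proto, port, ip, log)
    print("\n".join(log))
```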
     
  12. Fox Mulder

    Fox Mulder Registered Member

    Joined:
    Jun 2, 2011
    Posts:
    203
    Malformed packet attacks haven't been a threat in years. Still good to protect against them I suppose.
     
  13. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    I suspect there are many people adding other types of Internet enabled devices (TVs, printers, alarm systems, surveillance cameras, thermostats, light bulbs, etc) to their private network. Perhaps such use of a software firewall would be more frequently beneficial than it seems.
     
  14. Fox Mulder

    Fox Mulder Registered Member

    Joined:
    Jun 2, 2011
    Posts:
    203
    Software firewalls, in my opinion, only have value in preventing malware from phoning home.

    Back in the Windows 98 era, remote attacks were common and effective. IIRC, even the Linux kernel was somewhat vulnerable to them. But times have changed and, barring something like an SSH vulnerability or very out-of-date internet facing services, remote attacks are kind of uncommon. Nowadays, it's all about browser-based malware and DDOS.

    If someone used Windows 7 or Windows 8 with Google Chrome and perhaps Sandboxie, and they practiced safe downloading habits (e.g. no bittorrent piracy), then I don't think a Firewall or AV or anything else is even necessary.
     
  15. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    I like to keep an eye also on legitimate programs.

    With a firewall that alerts me to outbound connections, I can see if an app is connecting to the internet when there is really no need to.
    If it does, I look for a competing product.
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Some installers automatically open a web browser so that the developers/company behind the application can track the percentage of users who actually install it... or something like that. One of the measures one has to stop this is to have one browser as default and prevent it from connecting to the Internet, while having a second browser that we actually use.

    This has worked fine so far. Any traces left by the portable browser are also cleaned.
     
  17. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    A firewall is also useful because it can alert you about inadvertently installed spyware/adware. Some years ago, I installed a software that was supposed to be freeware. At least the author was claiming so. Soon after, I got an outgoing request from an exe that I didn't know and didn't seem related to the program. It was "bundled" in the installer and with no option to uninstall it during installation. The firewall made me aware of its presence, blocked it, I uninstalled the proggie too and since then I try to only get software from Softpedia. But that's not always possible, as there is often some obscure freeware out there that is downloadable only at the author's site.

    Of course, in the same way, it can let you know about malware that your AV missed and that uses a not very sophisticated way to phone out instead of hijacking your browser, for example. So you suddenly see an outgoing connection and you think "what the hell is that?". And then you start with the on-demand scans.
     
  18. JohnBurns

    JohnBurns Registered Member

    Joined:
    Jul 4, 2004
    Posts:
    454
    Location:
    Oklahoma City
    Thanks for posting this... I am behind a router, using Windows 7 built-in firewall and felt I am fairly secure... your post helps reinforce that feeling of security. :)
     
  19. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Among the NSA guides, there's a fact sheet on "Desktop or Enterprise Firewall?" that you can read here (PDF).
     