Do I really NEED to have a software firewall alongside with my hardware FW?

Discussion in 'other firewalls' started by Matt_Smi, May 21, 2005.

Thread Status:
Not open for further replies.
  1. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
    I know another one of these threads! And I know that this is a security forum so a software firewall will probably be advocated. But both computers in my house, mine and my family computer, have no software firewall; they are both however hooked into a Linksys router with firewall protection enabled. I have tried various firewall port scans and tests and the computers come up as basically invisible (according to the tests). This is the most important aspect of a firewall IMO, to stealth one's computer, and it seems as if I already have that accomplished with just the router. Now I know that a software FW would show me outbound apps trying to connect to the internet, but I know that my machine is 100% clean and nothing strange is trying to connect out (as seen by my NOD32 IMON compatibility setup list).

    I also like to keep my machine as minimal as possible, and pride myself on that: nothing running at startup that does not need to be (I have two things), no unnecessary processes or services running in the background. In fact right now with no other programs open I have only 18 processes running; the only security app that runs real time is NOD32. I have a pretty big slew of on-demand scanners however (A2, Ewido, Spybot, Ad-Aware, CureIT to name some). I also am a very safe surfer and do not use p2p and never go to risky (porn, crack, etc.) sites. The only other real time security app I plan on adding is Process Guard and possibly RegDefend. With all this said and keeping in mind my minimalist attitude towards real time apps and running only what is absolutely necessary, am I still leaving myself open/vulnerable by my lack of a software FW? And is it really something that is deemed “must have” even when a HW FW is already present?
     
  2. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Matt,

    Short answer - no. The only thing you give up is outbound control of applications. It's a nice thing in principle, but the least needed layer of a layered scheme. The router does virtually all the heavy lifting.

    Blue
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I don't use any of the other programs you list, so I don't know what kind of alert you would get for a pharming attempt, for example.

    In my firewall, I set up a separate HTTPS rule with a set of custom addresses for all of my secure sites. If there is an attempt to connect to another site, the firewall rule alerts. There are other solutions - see more on this "The dangers of HTTPS" thread at

    https://www.wilderssecurity.com/search.php?searchid=386285

    -rich
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Your router will provide good protection against unsolicited inbound connections. It will basically limit communication to that initiated by systems behind it. Software firewalls on systems behind the router are optional, but do allow you to filter what applications on these systems are permitted network access and also for applying other restrictions for users. Many users prefer to use this additional layer of security. You need to assess your requirements keeping in mind all users/systems behind the router. User education, practicing safe hex and following best practices go a long way in reducing risk and keeping your systems secure and healthy.

    Regards,

    CrazyM
     
  5. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Hi Matt,

    When I read your post, I thought you were describing me, all the way, right down to: I also am a very safe surfer and do not use p2p and never go to risky..... I'm even using the worst browser on the planet according to some and I'm not worried.

    I don't think you're leaving yourself open. The only other thing I have running is WinPatrol which is not real time and uses 3,360K Peak Memory Usage. I feel very safe with my setup.

    Regards,

    Jaws
     
  6. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    In a word, no. Don't let anyone around here freak you out about outbound protection. It may help in some circumstances, but overall it has a poor cost benefit ratio. The objective is to keep from getting infected in the first place.
     
  7. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    What you should keep in mind here is that what the router does is route incoming connections to the computer that requested them. If an incoming connection is attempted that was not requested, the router doesn't know where to send it, so it has to just drop it. It's a very black and white way of "firewalling" that doesn't filter anything, unless you have a router with SPI (even then you'll be somewhat limited). Considering your circumstances, you could probably do without... but I would at least do some system hardening (see my sig, especially WWDC & HardenIt in this case) to avoid potential vulnerabilities, like WINS broadcasting, that have occurred in the past - a router probably wouldn't help you with that.

    My personal opinion is that a software firewall is still a very good idea. I believe filtering/controlling traffic to be as important as allowing/denying. A software firewall can allow you to restrict applications to only expected behavior, for example you can set rules to only allow your email client to connect to your email servers, as opposed to a spammer's or malware writer's server/website, and can help protect against exploits in other software that you use in the same way. I wouldn't underestimate the protection that this can provide. At the very least it can help keep your spam to a minimum ;)

    If you're using Windows XP SP2, you can use Sphinx Software's XP Firewall Control to keep things minimal.
     
    Last edited: May 21, 2005
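    The point above about the router only knowing where to send packets that a LAN machine asked for is a NAT state table. The following is an added example (not code from the post or from any router vendor) that models a minimal port-address-translation table: an outbound packet creates a mapping, a reply that matches a mapping is forwarded inward, and anything else is dropped. Addresses, ports and the packet sequence are constructed for the demo; real routers also age mappings out and, with SPI, check TCP flags and sequence numbers, which this toy omits.

```python
"""Why a NAT router drops unsolicited inbound packets.

Constructed example: the addresses, ports and packets below are made up.
The router keeps no timeouts and does no TCP state checking (no SPI);
it is only the address/port mapping that a plain NAT box relies on.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str    # source IP address
    sport: int  # source port
    dst: str    # destination IP address
    dport: int  # destination port


class NatRouter:
    def __init__(self, wan_ip):
        self.wan_ip = wan_ip
        # (remote ip, remote port, translated wan port) -> (lan ip, lan port)
        self.table = {}
        self.next_port = 40000  # next translated source port to hand out

    def outbound(self, pkt):
        """LAN -> WAN: record a mapping and return the translated packet."""
        wan_port = self.next_port
        self.next_port += 1
        self.table[(pkt.dst, pkt.dport, wan_port)] = (pkt.src, pkt.sport)
        return Packet(self.wan_ip, wan_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """WAN -> LAN: forward only if a LAN host initiated this flow.

        Returns the packet rewritten to the LAN host, or None when no
        mapping exists, which is the 'router has nowhere to send it' case.
        """
        key = (pkt.src, pkt.sport, pkt.dport)
        inside = self.table.get(key)
        if inside is None:
            return None  # unsolicited: silently dropped
        lan_ip, lan_port = inside
        return Packet(pkt.src, pkt.sport, lan_ip, lan_port)


def demo():
    """Run one solicited exchange and one unsolicited probe (constructed)."""
    router = NatRouter("198.51.100.77")
    # a LAN host opens a web connection; the router rewrites the source
    out = router.outbound(Packet("192.168.1.10", 51000, "203.0.113.9", 80))
    # the web server's reply comes back to the translated port: forwarded
    reply = router.inbound(Packet("203.0.113.9", 80, "198.51.100.77", out.sport))
    # an unrelated host probes port 445 on the WAN address: no mapping, dropped
    probe = router.inbound(Packet("203.0.113.66", 4444, "198.51.100.77", 445))
    return out, reply, probe


if __name__ == "__main__":
    out, reply, probe = demo()
    print("translated outbound:", out)
    print("forwarded reply:    ", reply)
    print("unsolicited probe:  ", "dropped" if probe is None else probe)
```

The same table is what makes port scans from outside "see nothing": every probe lands in the `inside is None` branch. It is also why the router cannot say anything about which application on the LAN opened the outbound connection; the mapping only carries addresses and ports.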
  8. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,442
    Location:
    Sky over the Wilders Forest
    All,
    Blue, CrazyM, and Diver all make very good points that can be proven in the real world to be just as they say.

    Here is how an average nontechnical user feels (me). I started net life with no router. I had a software firewall from day one. Always on broadband, first in my area to get it. Zone Alarm free. Running with no firewall under those conditions is certain death to your machine unless you are really good at fixing stuff and love the pain :D I mean fun.

    Then I got my NetGear Wireless with hardware firewall and never knew how silent a pc could be. :-* Wow. I slowly turned off most security software to come on at boot. My thinking was turn it on after OS is up and running one piece at a time. Again this worked very nicely. Just do not forget what needs to be manually turned on. I for one like to use the firewall for outbound control and to double check the inbound protection. Just me I guess. Like Blue said, once you get that hardware firewall it is the least needed layer. Like Diver said, it is likely to be a poor ratio of protection when set against resource usage. I am still working on this in my mind. "Hmmm, is it worth it." Also the objective is not to get infected in the first place. That is correct, prevention is the key. Better to stop the fire before it starts rather than try to put it out once it gets started. ;)

    Matt, I surf like you and ask myself the same questions so you must be a really smart creature. :D :D
     
  9. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    There are two issues here, security and control. A hardware firewall with restrictive rules settings can provide moderate security if and only if you take steps to ensure that each application permitted access is locked down and any potential attack vectors within it blocked.

    In the case of email, the attack vector would be an infected attachment or an HTML email containing links to a malicious website - counters to these would be anti-virus scans on email and setting the client to display text only (at the very least, disable downloading of HTML links).

    In the case of browsers the situation is more complex. Java, Javascript and ActiveX (for IE) can be used as attack vectors. Many software firewalls can filter these but in your case you would either have to disable them in your browser or use a separate web filter. Web filters tend to be easier to adjust on a site-by-site basis and one of them, Proxomitron, offers the most control but takes time to learn to use effectively. Other attack vectors have been used in the past (like corrupted image files) but these tend to be issues best handled via browser patches.

    The point here is that while it is possible to secure things, it is not easy and not always obvious. A software firewall gives you more leeway to make mistakes in that it allows you to set tighter limits for your applications and can alert you to suspicious traffic if your system does get compromised.

    Now onto the control - many applications nowadays are network-enabled and may connect to sites without you knowing it. While in most cases this can be for simple things like update checks, you have little or no way of controlling such behaviour without a software firewall (which makes the security side harder too - if you do not know what is connecting out, how can you possibly close off possible attack vectors?).

    A software firewall can also partially restrict applications (e.g. you could block your email software from contacting anything other than your ISP's email servers, which would not only prevent it from downloading web bugs but also prevent some trojans from using it to connect to other mail servers to send spam).

    My view therefore is that a software firewall is the most important security instrument. You can avoid viruses in emails by deleting any with attachments without opening them, you can avoid trojans by not downloading files except from verified websites and you can avoid spyware by using third party browsers with locked-down settings. However you cannot control what Windows does on the network or monitor what your other software gets up to without a software firewall.
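    The per-application restriction described in this post and in Notok's (mail client allowed to reach only the ISP's mail servers) and Rmus's separate HTTPS rule with a custom address list are the same mechanism: an outbound allow-list keyed by application and port, where a known application reaching an unlisted destination raises an alert and an unknown application is blocked outright. The block below is an added example, not code from any of the posters or from any firewall product; the application names, rule table and connection attempts are constructed.

```python
"""Per-application outbound allow-list as a software firewall applies it.

Constructed example: the executable names, destination networks and
connection attempts are made up for the demo. Documentation addresses
(192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) stand in for real hosts.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class Attempt:
    app: str   # executable that opened the socket
    dst: str   # destination IP address
    port: int  # destination TCP port


@dataclass
class AppRule:
    # port -> list of networks this app may reach on that port;
    # an empty list means "any destination" on that port
    allowed: dict = field(default_factory=dict)


RULES = {
    # mail client: only the ISP's mail servers (constructed /28) on POP3 and SMTP
    "mailclient.exe": AppRule({
        110: [ipaddress.ip_network("192.0.2.0/28")],
        25: [ipaddress.ip_network("192.0.2.0/28")],
    }),
    # browser: plain HTTP anywhere, HTTPS only to a hand-picked set of
    # secure sites (the "separate HTTPS rule with custom addresses" idea)
    "browser.exe": AppRule({
        80: [],
        443: [ipaddress.ip_network("198.51.100.10/32"),
              ipaddress.ip_network("198.51.100.20/32")],
    }),
}


def evaluate(attempt, rules=RULES):
    """Return 'allow', 'alert' or 'block' for one outbound attempt.

    block: the application has no rule at all (default deny for unknown apps).
    alert: the application is known but the port or destination is outside
           its list; this is what surfaces a mail client talking to a foreign
           SMTP relay or an HTTPS session to a site not on the custom list.
    """
    rule = rules.get(attempt.app)
    if rule is None:
        return "block"
    nets = rule.allowed.get(attempt.port)
    if nets is None:
        return "alert"
    if not nets:
        return "allow"
    ip = ipaddress.ip_address(attempt.dst)
    return "allow" if any(ip in net for net in nets) else "alert"


def run(attempts, rules=RULES):
    """Evaluate a batch of attempts; returns (app, dst, port, verdict) tuples."""
    return [(a.app, a.dst, a.port, evaluate(a, rules)) for a in attempts]


# constructed connection attempts, one per case the rule table distinguishes
ATTEMPTS = [
    Attempt("mailclient.exe", "192.0.2.5", 110),     # ISP POP3 server
    Attempt("mailclient.exe", "203.0.113.7", 25),    # foreign SMTP relay
    Attempt("mailclient.exe", "203.0.113.20", 80),   # HTML mail fetching a web bug
    Attempt("browser.exe", "203.0.113.9", 80),       # ordinary web browsing
    Attempt("browser.exe", "198.51.100.10", 443),    # listed secure site
    Attempt("browser.exe", "203.0.113.99", 443),     # HTTPS to an unlisted host
    Attempt("unknown.exe", "203.0.113.50", 8080),    # no rule for this program
]

if __name__ == "__main__":
    for app, dst, port, verdict in run(ATTEMPTS):
        print(f"{verdict:5}  {app:16} -> {dst}:{port}")
```

The "alert" verdict is deliberately separate from "block": the value of this layer, as the post argues, is mostly in the visibility it gives over what a known program is doing, and a rule that only dropped silently would give none.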
     
  10. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Hi Matt,

    I feel lucky that my paranoia level is such that I don't have to deal with software firewalls. Just look at all the software firewall posts to see the turmoil with this software. There's no one shot bullet that's going to solve the problems with the internet. Software firewalls seem to be the most controversial and most talked about, cause the most problems and are the hardest piece of software to configure and understand (at least for me), unless you're a “security expert”.

    As an aside, and in keeping with your minimalist attitude, for those rare times you may be having problems with your internet connection and you want to plug your modem directly into your computer to check if your router is causing a problem, there are links Here & Here to enable IPSec (something already on your computer). And with one click you can turn IPSec on or off; there's no need to mess with your registry. BTW, my last post on the first link was my attempt at sarcasm. I use IPSec all the time as a backup and specify my DNS servers with no problems.

    As for outbound control, ProcessGuard would seem to cover your needs in this area, *From PGs site “For example, a trojan could simply terminate your personal firewall before attempting to transmit your personal details over the Internet, effectively rendering the firewall useless and leaving the user with a false sense of security.”* To me, unless you're not using a router, a software FW is way down the list in must have software.

    Just my opinions.

    Regards,

    Jaws
     
  11. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    So far as locking down things goes, my approach is to use Firefox with java turned off (unless a site has to have it) and any mail application other than Outlook/OE. To date, the only Firefox exploits I have seen are java based.

    Most other net aware applications (other than P2P) don't have a lot of exposure. A lot of them just use port 80 for things like the CD database or updates.

    An awful lot of it is attitude and awareness. A download of some media files should not have an exe file extension. If you can't open it using Winrar, pitch it. Don't run anything unless you know what it is. Know the source. Either it is from a reputable software publisher (no matter how small) or from an outfit like Sourceforge. If in doubt, wait a week to run it. By then it is likely that your AV definitions have caught up.

    Watch out for crap like Real Player. It is really close to the line as spyware. Most third party screen savers will do nothing but muck up your system and these are a frequent source of spyware.

    Utilities from Sysinternals are very useful. These include Tcpview, Process Explorer, Regmon and Rootkit Revealer. If something is wrong, these will usually reveal it. Another good place to look for bad stuff is the hidden devices view in Device Manager.

    IMO the more stuff running on your machine at start up, the worse off you are. There is no excuse to have 50 processes running on an XP box, but I see it all the time. I have only 16 processes including the task manager and two for my AV. That means Windoze runs with only 13 processes, and I hear it can be done with less. A lean system is a happy system, and a secure one as well.

    You should know what each process is and what each active port is for. If you don't know, then learn about it.

    A good AV is a must. Probably KAV is the strongest followed by McAfee. NOD and BitDefender are ok, as these two companies seem determined to bring their detection rates up into the elite class.

    Beware of phishing. Any unsolicited email that asks you to confirm a password is a phish. There is one going around right now that looks just like Wells Fargo's banking site. These represent a threat that is two orders of magnitude greater than the possibility of a zero hour attack getting past your AV. Only awareness can protect you here.

    Run as a limited user if you possibly can do it. Some badly written windows apps will not run.

    Believe me, your brain and some diagnostics are more effective than any automated security system. No way is outbound application checking by a software firewall more important than good procedures.
     
  12. Arup

    Arup Guest

    With a hardware firewall, all I would use is an IPS/IDS like Prevx or similar along with a good anti virus which uses web scanning.
     
  13. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
    Diver, those are some very good points made, and almost all of them I already follow. A lot of it is just common sense, and man do I agree about Real Player haha, what a terrible program! Based on the responses so far it sounds like a software firewall is still a good idea and nice to have as an additional layer, but not something that is definitely necessary for me to run. Thanks for the good replies!
     
  14. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504
    There have been some good points made. Like you I am behind a f/w router, but still feel more comfortable with a s/w one as well to control outbound. I have several programs that like to connect for some reason. Without the f/w I would not be aware that that is happening.

    It might be interesting for you to try a f/w (most of them have a trial period or free) and then you could see for yourself whether there is any need for you to have one on your system.
     
  15. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Another sw firewall bonus is easier log analysis and reporting. HW firewalls (routers) are not created to support non-expert users in this field. In fact, for SOHO use this may not be needed, but if you're curious about all that happens to your connection, and if you need enhanced control (as Paranoid just mentioned) a sw firewall can help.
    Professional class hw firewalls log all kinds of events that you could analyse, if you had the tools for it. Still, it is very difficult to do log analysis and log correlation in an effective and efficient way, even with expensive tools.
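    To make the log-analysis point concrete, here is an added example (not code from the poster, and not the format of any real router or firewall) that parses constructed log lines of two kinds, router drops of unsolicited inbound traffic and software-firewall outbound decisions that carry an application name, and produces the two summaries a log viewer would show: which outside sources are hammering the WAN side (with a simple "many distinct ports from one source" correlation), and which applications connected where, with alerts pulled out. The log format, addresses and application names are made up.

```python
"""Summarising firewall log lines the way a log viewer would.

Constructed example: the syslog-style format below is invented for the
demo and does not reproduce any router's or personal firewall's real
log format. Addresses are from the documentation ranges.
"""
import re
from collections import Counter, defaultdict

# constructed sample log: router drops plus a few software-firewall lines
LOG = """\
May 21 10:01:02 router kernel: DROP IN=wan SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=135
May 21 10:01:03 router kernel: DROP IN=wan SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=139
May 21 10:01:04 router kernel: DROP IN=wan SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445
May 21 10:01:05 router kernel: DROP IN=wan SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=1025
May 21 10:02:10 router kernel: DROP IN=wan SRC=198.51.100.4 DST=192.0.2.10 PROTO=UDP DPT=1434
May 21 10:03:00 pc swfw: ALLOW OUT APP=browser.exe DST=198.51.100.10 DPT=443
May 21 10:03:05 pc swfw: ALLOW OUT APP=mailclient.exe DST=192.0.2.5 DPT=110
May 21 10:03:09 pc swfw: ALERT OUT APP=mediaplayer.exe DST=203.0.113.20 DPT=80
"""

# router line: only the fields the summaries need
ROUTER_RE = re.compile(
    r"DROP IN=\S+ SRC=(?P<src>\S+) DST=\S+ PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")
# software-firewall line: verdict plus the application that opened the socket
SWFW_RE = re.compile(
    r"(?P<verdict>ALLOW|ALERT) OUT APP=(?P<app>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+)")


def parse(log_text):
    """Split log text into inbound-drop tuples and outbound-decision tuples."""
    inbound, outbound = [], []
    for line in log_text.splitlines():
        m = ROUTER_RE.search(line)
        if m:
            inbound.append((m["src"], m["proto"], int(m["dpt"])))
            continue
        m = SWFW_RE.search(line)
        if m:
            outbound.append((m["verdict"], m["app"], m["dst"], int(m["dpt"])))
    return inbound, outbound


def inbound_summary(inbound, sweep_threshold=3):
    """Drops per source, plus sources that hit many distinct ports (a sweep)."""
    drops_per_src = Counter(src for src, _, _ in inbound)
    ports_per_src = defaultdict(set)
    for src, _, dpt in inbound:
        ports_per_src[src].add(dpt)
    sweepers = sorted(src for src, ports in ports_per_src.items()
                      if len(ports) >= sweep_threshold)
    return drops_per_src, sweepers


def outbound_summary(outbound):
    """Destinations reached per application, and the alerted connections."""
    per_app = defaultdict(set)
    alerts = []
    for verdict, app, dst, dpt in outbound:
        per_app[app].add((dst, dpt))
        if verdict == "ALERT":
            alerts.append((app, dst, dpt))
    return per_app, alerts


if __name__ == "__main__":
    inbound, outbound = parse(LOG)
    drops, sweepers = inbound_summary(inbound)
    print("inbound drops per source:", dict(drops))
    print("possible port sweeps from:", sweepers)
    per_app, alerts = outbound_summary(outbound)
    for app, dests in per_app.items():
        print(f"{app}: {sorted(dests)}")
    print("alerts:", alerts)
```

Note what the two halves can and cannot tell you: the router lines say who knocked and on which port, but never which program answered or called out; the application name only exists in the software-firewall lines, which is the "enhanced control" the post refers to.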
     
  16. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    The point about logging with a software firewall is well taken. My router does some logging, but it is minimal.

    I certainly do not believe that a software firewall is a total waste. However, my choice to go hardware FW only has been heavily influenced by performance considerations.

    If you really like having some outbound control, try to keep it simple. In my mind that means something like Kerio 2.15 or Zone Alarm Free without advanced program control enabled (if that feature is available in the free version). Consider it as a way to control known programs rather than a last ditch trojan alarm. There are so many ways to create an outbound connection that leak testing simply is not worth the trouble. Not only is there Internet Explorer, but the windows help system, svchost.exe as a wrapper, firewall termination exploits and the possibility of a trojan that installs a communications driver to bypass the firewall entirely. After a while you are chasing a ghost.

    Stuff like process guard is clever and cutting edge, but ultimately you are going to have to disable it when installing a program, which puts things back at square one: Know what you run.
     
  17. You guys may be right about not needing app control.....But knowing how many apps call home nowadays...When I have run a FW without app control I felt like a hospital patient in a hospital garb.....

    With my rear end exposed
     
  18. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    I only read the title of this thread, not all the posts, so what I am about to say may have already been covered: If you already have everything behind a NAT router then, in my opinion, all you need is one of the freebie software firewalls. For example, the free version of Zonealarm would do you perfectly, there is no need to spend the money on the Pro version with all the useless options, useless since you are behind a router (again, in my opinion). Whatever you do, good luck.

    Acadia
     
  19. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    For those interested in monitoring and analysis of router/firewall logs for routers commonly used in home/SOHO environments there are freeware and shareware utilities available that cover a wide variety of models:
    Log Viewer
    WallWatcher
    Link Logger

    Kiwi Syslog Daemon is also available for capturing logs.

    Regards,

    CrazyM
     
  20. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,785
    I have to mostly agree with Diver's and Jaws' comments above.. Good points. I am currently running just CHX-I with no "app control" and am not concerned at all. I do change things frequently, however, I have recently taken up a much more minimalist approach and turned off all kinds of unneeded services and listening ports here, as well as rid myself of most "security" apps. Just run CHX with a good AV and even use the dreaded IE. I have never had one bad thing happen here in many years either.. just use common sense mostly.
     
  21. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    Just a question regarding your post:
    - is it because you have a "minimal" computer? Perhaps just two schools of thought? I have 54 processes - but have plenty of CPU, page file, and memory to handle it and more. The reason I ask is because I know this guy - we are members of the same message board. He's always cutting fat while I'm putting on muscle (overclocked mobile barton/gig of ram) It doesn't seem to matter anyway as XP pages for apps when needed. I do admit I use XP anti-spy and Black viper's "safe pro" config. though
     
  22. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,442
    Location:
    Sky over the Wilders Forest
    So true do not use it! Real Player called home all the time. Adware too. I have also seen screen savers and wallpapers too, "by downloading this you agree to certain advertising...." so on so on.... Zone Alarm went nuts. :p
     
  23. Arup

    Arup Guest

    Speaking of hardware, both my machines are dual CPU units, one an ancient dual P-III 850, the other a brand new dual AMD 64 2800 machine; the former has 1gb ram and the latter, 2gb. Even with these machines, I have seen and felt noticeable slowdowns when using security apps that open up too many hooks, processes and CPU calls and therefore have been forced to abandon these. The CPU speed in the PC is also needed by other more important apps, as in my case the compiler or the renderer.

    It has to be a balance and priority question, whether you need the apparent sense of security over speed.
     
  24. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    54 processes. Good luck. I wonder what gets done on that machine other than tweaking security applications and getting everything to work together.
     
  25. q1aqza

    q1aqza Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    312
    Just following on from what Arup said about security app impact when you want to run other more intensive apps - in his case compiler and renderer.

    For me my intensive app is video editing (home use not pro) so I have a multiboot setup and the OS partition I use for that I have the NIC disabled (only enable occasionally for windows update). I'm also behind a FW router. This way I just run XP and the video edit apps so there is no impact from security apps. This partition gets scanned regularly by KAV from my main partition, which is the OS partition where I run all my security apps and what I use for surfing.
     