Firewalls - are they really needed?

Discussion in 'other firewalls' started by daf, Dec 22, 2008.

Thread Status:
Not open for further replies.
  1. daf

    daf Registered Member

    Joined:
    Oct 15, 2004
    Posts:
    27
    Hi,

    I wanted to start a healthy debate on firewalls, specifically outbound firewalls and are they really required?

    I've personally gone from ZA, to Comodo to Online Armour. I'm currently sitting behind a NAT'd router with an inbound hardware firewall and Windows XP SP3 Firewall turned on. Nothing more. No outbound filtering.

    A couple of interesting articles and a quote or two from each:

    http://ask-leo.com/is_an_outbound_firewall_needed.html

    http://technet.microsoft.com/en-gb/magazine/2007.06.vistafirewall.aspx

     
  2. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Let me show you just one simple example on outbound protection.

    Imagine, you have downloaded "something", then you accidentally started this "something", and then this "something" has stolen your ICQ login/password and sent it to somewhere where it was immediately used to spam your friends from your contact list.

    This is just a very basic and relatively harmless example. You can say "never download and start "something"". Yes, I agree, but .. but people can make mistakes sometimes, they can be tired, they can be drunk, they can be sick .. You cannot be "on guard" all the time, so at one time or another you can fail your strong security policy in mind. But the chances to miss the alert "something wants to connect xx.xx.xx.xx (China) on port yy" are very low, IMHO.
     
  3. daf

    daf Registered Member

    Joined:
    Oct 15, 2004
    Posts:
    27
    As the technet article says, malware can disable the outbound firewall. Malware can also hijack an existing session of a program you’ve already authorised and you won’t even see the dialog...

    Personally I'm savvy enough to believe the chances of me getting said spyware/malware are very slim; however, I would still advocate installing and running anti-virus scans, anti-spyware scans and anti-malware scans. I've also got Windows Update turned on and SP3 installed. I'm also using Firefox with add-ons. Finally I'm not into downloading from P2P, notoriously riddled with nasties.
     
  4. TrojanHunter

    TrojanHunter Registered Member

    Joined:
    Jul 8, 2007
    Posts:
    151
    Location:
    United Kingdom
    My installed firewall does include outbound filtering, but I'm not convinced about all this leak test necessity. Malware can disguise itself as something legitimate that could potentially fool somebody. Also it's a good point about how Malware can disable a firewall altogether.
     
  5. risl

    risl Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    581
    The only arguments in that article are that malware will disable and bypass everything anyway and the user is probably stupid/newbie .. therefore use the Windows firewall. It is usually much easier to disable the XPFW, I've seen malware add themselves to the exception list. This is because the XPFW relies on some APIs that can be disabled easily. Most of the 3rd party firewalls have self protection/defence techniques.

    If you can have software that does inbound and outbound filtering, why not use it or does it do harm to have both?
     
    Last edited: Dec 22, 2008
  6. risl

    risl Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    581
    The article is written by a Microsoft employee anyway. I find it quite ironic that a MS employee writes about malware owning everything, hijacking software by hooking/injecting etc.
     
    Last edited: Dec 22, 2008
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    I think nowadays one can attempt to catch outbound if one so desires, but there is absolutely no guarantee that outbound will indeed be caught. That pretty much sums it up. ;)
     
  8. daf

    daf Registered Member

    Joined:
    Oct 15, 2004
    Posts:
    27
    Simple - the overhead they incur, the extra processor usage, extra memory usage, slow boot time and a myriad other performance hits.

    As I've said before I believe in a multi-layered approach of running anti-virus scans, anti-spyware scans and anti-malware scans in addition to a hardware firewall and the Windows XP Firewall SP3. I'm still yet to be swayed in favour of outbound firewalls...

    As the technet article says,

     
    Last edited: Dec 22, 2008
  9. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    This depends on the outbound firewall in the first place. Once a firewall is armed with BB, HIPS, heuristics and AV this starts to be very questionable. In any case I'd be happy to see malware that can disable an armed FW. Do you have the examples? My VM is always ready for the tests :)
     
  10. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Rather than disable, I think it's even more likely that malware would just go around over or under....
     
  11. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    I went from ZA to just a router. No Windows XP firewall or anything other than my AV. I'm not running naked, more like in a Speedo. ;)
     
  12. daf

    daf Registered Member

    Joined:
    Oct 15, 2004
    Posts:
    27
    Given I share my router with other housemates and I'm not 100% sure of the laptops, hence the inbound protection of Windows XP Firewall in addition to the inbound protection of the router...
     
  13. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Understood. A smart move on your part.:)
     
  14. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    IMHO outbound firewall is not required. Most of the time you get lots of pop ups which wastes time or it can whitelist the programs on your computer which reduces security. And most average users (like me) don't understand the significance of the alerts anyway. I believe in "prevention is better than cure", so I use Sandboxie to prevent malware from getting on my real computer in the first place.
     
  15. progress

    progress Guest

  16. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    I mainly rely on my hardware firewall. I haven't run a full software firewall for quite a while; it's just the standard XP/Vista firewall for me. It keeps things simple and helps avoid any conflicts. On my Linux system I run no firewall at all as there are no listening services. I do run Online Armor on one system; however, I don't use the firewall part, just the HIPS.
     
  17. risl

    risl Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    581
    There are light firewalls, and with modern hardware performance shouldn't be an issue. If a firewall consumes 30 MB of memory and doesn't use much CPU, is it really a problem when people have over 1024 MB of memory and multicore CPUs?
     
  18. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Yes, it is.

    As to outbound, don't get infected and no worries about being own3d...

    Mrk
     
  19. daf

    daf Registered Member

    Joined:
    Oct 15, 2004
    Posts:
    27
    The experience I've had with ZA, Comodo and Online Armour is quite a performance hit with grabbing memory and esp. boot times... There's the obvious checking of all settings and every pop-up box to make sure human error doesn't creep in.

    Doesn't seem much point to be honest...

    Now - to Sandbox Firefox or to not Sandbox Firefox...
     
  20. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    Malware can disable the AV too, and I guess if it's disabled the firewall it's already done that to the AV too. Personally I think they are a good thing as long as they don't interfere with other apps too much.
    ellison
     
  21. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    My opinion on firewalls....
    I insist every client of mine has their computers behind a NAT router. I won't support a computer that is not behind one. Even if you're just a single PC home user. Too many worms/trojans/viruses spread around on the internet infecting PCs that are hanging on public IP addresses (like if your PC is plugged directly into your cable modem).

    For my business clients' networks (which 99.9% of my clients are), plain NAT routers are no longer enough. I've been replacing their traditional NAT routers with UTM appliances, such as Endian and Untangle (mostly Untangle for the past year).

    Software firewalls...I don't insist clients have them, I don't use them myself, for some people who want a more comfy feeling...they're fine.

    However, I've noticed something with software firewalls and 99% of users out there. Due to the nagginess of software firewalls, many users just try to shut up the firewall's naggy prompts by clicking that "allow" button. "Explorer.exe is trying to connect to the internet, what do you want to do?" Or..."SVCHost.exe is trying to connect to the internet, what do you want to do?"

    Since most end users just end up clicking Allow...how effective is it now?
     
  22. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello:

    An interesting post.

    My opinion is already "known" on FW's is:

    1) It depends on the individual user's risk profile, does he/she do online banking? purchase things using a credit card? So it cannot and should not be answered in the general sense, no one answer fits all.

    2) The quotes provided to initiate debate are also interesting. But not impressive is the quote on the Vista FW; there is an IN/Out FW in Vista, but the user must turn it on to get the outbound.

    So the knowledge of this person is not something I would want to rely on.


    If WSF members want solid views on what is needed and how the FW's work I suggest reading and studying the stickies here at the top of this forum.

    It would be wonderful to rely only on no baddies coming in, thus no need for outbound. But in the real world we should know by now that even "reliable vendor" software can have and has had rogue or error code (some call it "spy" code) embedded in these packages. I prefer to minimize the unapproved-by-me sending of packets of data to far-flung servers in China or other such locations. One well-known sender is MS Media Player; it should be blocked from internet connections on its whim.

    Block by default allow by exception.
     
  23. daf

    daf Registered Member

    Joined:
    Oct 15, 2004
    Posts:
    27
    Correct me if I'm wrong but I believe he was saying Vista has an outbound firewall which you can configure rules for. Does its firewall act in a similar way to 3rd party firewalls by alerting you when something wants to get through?
     
  24. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    How? message 2 short
     
  25. Ed_H

    Ed_H Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    662
    Location:
    Chicago, IL

    You can turn it on with Control Panel = Administrative Tools = Windows Firewall With Advanced Security

    It is there but not friendly at all. If you use Vista Firewall Control it will do the configuring for you.
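
The "block by default, allow by exception" policy from post 22, applied to the Windows Firewall With Advanced Security that post 25 points to, as an added example that is not part of any post in this thread. The backup path and the Firefox install path are assumptions; run it from an elevated Command Prompt.

```bat
@echo off
rem Added example: default-deny outbound with the built-in firewall (Vista and later).
rem The backup path and the program path below are assumptions; adjust them.

rem 1. Save the current policy so it can be restored later with
rem    "netsh advfirewall import".
netsh advfirewall export "C:\fw-backup.wfw"

rem 2. Review the outbound rules that already exist before changing the default.
rem    Allow entries nobody remembers creating deserve a closer look, and core
rem    services such as DNS and DHCP need an allow rule or connectivity is lost.
netsh advfirewall firewall show rule name=all dir=out

rem 3. Block by default: traffic with no matching allow rule is dropped,
rem    inbound and outbound, on the domain, private and public profiles.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

rem 4. Allow by exception: one rule per program that is meant to connect out.
netsh advfirewall firewall add rule name="Allow Firefox out" dir=out action=allow program="C:\Program Files\Mozilla Firefox\firefox.exe" enable=yes

rem 5. The built-in firewall shows no prompt when it blocks an outbound
rem    connection, so log dropped connections to see what was denied.
rem    Default log: %systemroot%\system32\LogFiles\Firewall\pfirewall.log
netsh advfirewall set allprofiles logging droppedconnections enable

rem 6. Confirm the resulting policy and logging settings for each profile.
netsh advfirewall show allprofiles
```

Reviewing the dropped-connection log after a few days of normal use shows which further exceptions are actually needed, instead of answering prompts one at a time.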
     