Firewalls - are they really needed?

Hi,

I wanted to start a healthy debate on firewalls, specifically outbound firewalls and are they really required?

I've personally gone from ZA, to Comodo to Online Armour. I'm currently sitting behind a NAT'd router with an inbound hardware firewall and Windows XP SP3 Firewall turned on. Nothing more. No outbound filtering.

A couple of interesting articles and a quote or two from each:

http://ask-leo.com/is_an_outbound_firewall_needed.html

http://technet.microsoft.com/en-gb/magazine/2007.06.vistafirewall.aspx

 

Let me show you just one simple example on outbound protection.

Imagine, you have downloaded "something", then you accidentally started this "something", and then this "something" has stolen your ICQ login/password and sent it to somewhere where it was immediatley used to spam your friends from your contact list.

This is just a very basic and relatively harmless example. You can say "never download and start "something"". Yes, I agree, but .. but people can do mistakes sometimes, they can be tired, they can be drunk, they can be sick .. You cannot be all the time "on guard", so at one or other time you can fail your strong security policy in mind. But the chances to miss alert "something wants to connect xx.xx.xx.xx (China) on port yy" are very low, IMHO.

 

As the technet article says, malware can disable the outbound firewall. Malware can also hijack an existing session of a program you’ve already authorised and you won’t even see the dialog...

Personally I'm savy enough to believe the chances of me getting said spyware/malware is very slim however I would still advocate installing and running anti-virus scans, anti-spyware scans and anti-malware scans. I've also got Windows Update turned on and SP3 installed. I'm also using Firefox with add-ons. Finally I'm not into downloading from P2P, notoriously riddled with nasties.

 

My installed firewall does include outbound filtering, but I'm not convinced about all this leak test necessity. Malware can disguise itself as something legitimate that could potentially fool somebody. Also it's a good point about how Malware can disable a firewall altogether.

 

The only arguments in that article are that malware will disable and bypass everything anyway and user is probably stupid/newbie .. therefore use the windows firewall. It is usually much easier to disable the XPFW, I've seen malware add themselves to the exception list. This is because the XPFW relies on some API's that can be disabled easily. Most of the 3rd party firewalls have self protection/defence techniques.

If you can have software that does inbound and outbound filtering, why not use it or does it do harm to have both?

 

The article is written by a Microsoft employee anyway. I find it quite ironic that a MS employee writes about malware owning everything, hijacking software by hooking/injecting etc.

 

I think nowadays one can attempt to catch outbound if one so desires, but there is absolutely no guarantee that outbound will indeed be caught. That pretty much sums it up.

 

Simple - the overhead they incur, the extra processor usage, extra memory usage, slow boot time and a myriad other performance hits

As I've said before I believe in a multi-layered approach of running anti-virus scans, anti-spyware scans and anti-malware scans in addition to a hardware firewall and the Windows XP Firewall SP3. I'm still yet to be swayed in favour of outbound firewalls...

As the technet article says,

 

This depends on an outbound firewall in the first place. Once firewall is armed with BB, HIPS, heuristic and AV this starts to be very questionable. In any case I'd be happy to see malwares that can disable armed FW. Do you have the examples ? My VM is always ready for the tests

 

Rather than disable, I think it's even more likely that malware would just go around over or under....

 

I went from ZA to just a router. No Windows XP firewall or anything other than my Av. I'm not running naked, more like in a Speedo.

 

Given I share my router with other housemates and I'm not 100% sure of the laptops, hence the inbound protection of Windows XP Firewall in addition to the inbound protection of the router...

 

Understood. A smart move on your part.

 

IMHO outbound firewall is not required. Most of the time you get lots of pop ups which wastes time or it can whitelist the programs on your computer which reduces security. And most average users (like me) don't understand the significance of the alerts anyway. I believe in "prevention is better than cure", so I use Sandboxie to prevent malware from getting on my real computer in the first place.

 

Thank you for this link, so I will stay with Windows XP Firewall

 

I mainly rely on my hardware firewall. I haven't run a full software firewall for quite a while its just the standard xp/vista firewall for me. It keeps things simple and helps avoid any conflicts. On my linux system i run no firewall at all as theres no listening services. I do run online armor on one system however i don't use the firewall part just the hips.

 

There are light firewalls and with modern hardware performance shouldn't be an issue. If a firewall consumes 30mb of memory and doesn't use much of CPU, is it really a problem when people have over 1024mb of memory and multicore CPU's?

 

Yes, it is.

As to outbound, don't get infected and no worries about being own3d...

Mrk

 

The experience I've had with ZA, Comodo and Online Armour is quite a performance hit with grabbing memory and esp. boot times... There's the obvious checking of all settings and every pop-up box to make sure human error doesn't creep in.

Doesn't seem much point to be honest...

Now - to Sandbox Firefox or to not Sandbox Firefox...

 

Malware can disable the av too and i guess if its disabled the firewall its already done that to the av too.personally i think they are a good thing aslong as they dont interfere with other apps too much.
ellison

 

My opinion on firewalls....
I insist every client of mine has their computers behind a NAT router. I won't support a computer that is not behind one. Even if you're just a single PC home user. Too many worms/trojans/viruses spread around on the internet infecting PCs that are hanging on public IP addresses (like if your PC is plugged directly into your cable modem).

For my busines clients networks (which 99.9% of my clients are), plain NAT routers are no longer enough. I've been replacing their traditional NAT routers with UTM appliances, such as Endian and Untangle (mostly Untangle for the past year).

Software firewalls...I don't insist clients have them, I don't use them myself, for some people who want a more comfy feeling...they're fine.

However, I've noticed something with software firewalls and 99% of users out there. Due to the nagginess of software firewalls, many users just try to shut up the firewalls naggy prompts by clicking that "allow" button. "Explorer.exe is trying to connect to the internet, what do you want to do?" Or..."SVCHost.exe is trying to connect to the internet, what do you want to do?"

Since most end users just end up clicking Allow...how effective is it now?

 

Hello:

An interesting post.

My opinion is already "known" on FW's is:

1) It depends on the individual user's risk profile, does he/she do online banking? purchase things using a credit card? So it cannot and should not be answered in the general sense, no one answer fits all.

2) The quotes provided to initiate debate are also interesting. But not impressive, is the quote on vista FW, there is a IN/Out FW in vista but the user must turn it on to get the outbound.

So the knowledge of this person is not something I would want to reply on.


If WSF members want solid views on what is needed and how the FW's work I suggest reading and studying the stickies here at the top of this forum.

It would be wonderful to reply only on no baddies coming in thus no need for outbound. But in the real world we should know by now that even "reliable vendor " software can have and have had rouge or error code some call it "spy" code imbeded in these packages. I prefer to minimize the unapproved by me sending of packets of data to far flung servers in China or other such locations. One well know sender is MS Media Player it should be blocked from internet connections on it's whim.

Block by default allow by exception.

 

Correct me if I'm wrong but I believe he was saying Vista has an outbound firewall which you can configure rules for. Does it's firewall act in a similar way to 3 party firewalls by alerting you when something wants to get through?

 

How? messsage 2 short

 

You can turn it on with Control Panel = Administrative Tools = Windows Firewall With Advanced Security

It is there but not friendly at all. If you use Vista Firewall Control it will do the configuring for you.