Firewalls Useless? - Part 2

Discussion in 'other firewalls' started by Blackcat, Dec 14, 2002.

Thread Status:
Not open for further replies.
  1. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    I know there was a recent thread along these lines but as a newbie to firewalls I was not sure what the final conclusions were as replies were rather mixed. I hope the questions I list below are not simply repeating the previous post! :doubt:

    I have recently moved house to the 'sticks' so I have only a slow dial-up connection. However, I should be connected to broadband/cable in a couple of months. Further, although I have 2 computers, one of which is a laptop, these are not networked together (I will get round to this!!!).

    Overall, I have been led to believe that a software firewall is only of use if you are on a cable connection and your computer(s) are on a network. My major concern is keeping my personal details such as credit card numbers safe from potential hackers, particularly as here in the UK some banks and credit card companies are now telling clients they must use a firewall as part of any new contract. Therefore,

    1. Is a software firewall of any use on a dial-up connection? i.e. do I need to use one at the present time?

    2. Even when I switch to the faster cable do I need a firewall if none of my computers are networked?

    3. I have a couple of AV programs; do I need a separate AT program to take care of possible trojan attacks or will the software firewall take care of this area of defence?

    4. Would I be better looking at a hardware firewall rather than a software firewall?

    o_O
     
  2. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    I will let others more knowledgeable answer 1-3. As I understand it, if you are only going to have one firewall, a software firewall is preferred. Hardware firewalls only block incoming, whereas a GOOD software firewall will block both incoming and outgoing (Trojans). Please note, a software firewall will only block the Trojan, it will not remove it. Good luck.
     
  3. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Blackcat,

    I think I owe you an apology as I am probably the source of most of your confusion in the context of the earlier thread.

    Let me just make this fast and quick. I believe that most people connected to the Internet need some form of protection. This could be a hardware or software NAT-enabled router, a software firewall or a 'hardware' firewall appliance. In your instance, based on what you have said, I would recommend a software firewall -- at the moment.

    Now, if you
    • Don't know a lot about firewalls
    • Don't want to spend a lot of time learning about firewalls
    • Don't want to spend money, if you can avoid it, and
    • Don't care to spend a lot of time in the care and feeding of a firewall
    then, it would probably be advisable (at the moment) to take a look at something like the free version of Zone Alarm. Unfortunately, I can't recommend a particular build of this product for you to look for, but I assume LowWaterMark or someone else could.

    However, you've done a bit better than most and indicated a particular source of concern, and in that instance, you actually need something a bit more than a straight-forward software firewall -- you need something that will examine outbound communication packets to ensure that they do not contain the specific information that you would like to keep private. Now, some of the software firewalls provide this as additional functionality, and I believe that there are also stand-alone products to do this.

    Now, that assessment is what I would disagree with. For the most part, the nature of your connection is irrelevant; it could be dial-up, cable, ISDN, DSL. Similarly, it's not really relevant if you're only 'connected' for 15 minutes or 15 days at a stretch. And, unless you've been really obnoxious and high-profile on the 'net, it probably doesn't make much difference whether you have a dynamically assigned IP address or a static IP address. The people who do this aren't looking for you, specifically, they're simply looking for a vulnerable machine to exploit -- and they look for lots of people at one time. All you have to do is be using one of the IP addresses that they check at the time they check it.

    To illustrate, let's go back to the first few days of August 2001, specifically Aug 1-4. That was when the 'net got hit with CRv2 (the modified version of Code Red that was actually released in mid-July 2001), and before what was later referred to as Code Red II (which appeared on 4 August). I estimate that eighty per cent of the machines that were actually infected were machines that were only occasionally on the Internet. It's difficult to tell from the information available, but it certainly looks like most of these users were on dial-up and had dynamically assigned IP addresses for each new Internet session. Now, at the height of this little outbreak, the average time from when you got signed on to the Internet until the first time you were likely to see a CRv2 probe (to determine if you had a vulnerable machine) was on the order of eight minutes! See the problem?

    Technically, that's some form of privacy software that you are concerned about -- something running full-time and memory-resident which carefully monitors all outgoing communications from your machine and then either automatically blocks the transmission or at least alerts you so that you can choose whether you wish to authorize the communication or not. In all honesty, that's a bit beyond the capabilities of many of the current crop of software firewalls.

    In the situation you specify, I would advise you do so.

    Short answer? Yes. However, if your cable configuration involves the use of a NAT-enabled router, then that may provide much of what you need.

    Having an AV program is a necessary, but not a sufficient, condition -- again, especially for the situation you describe. Specifically, the AV program must be run continually as a memory-resident application. More to the point, you must ensure that both the program and its signature database are regularly updated. Now, most of the AV programs also check for signatures of well-known (i.e., popularly used) Trojans. I think NAV, for example, currently checks for around 400. However, a dedicated AT program checks for over 4,000 these days. So, ask yourself this question: Am I only worried about 'popular' Trojans or am I worried about all Trojans that might somehow, one way or another, manage to get installed on my machine?

    Hmmm, probably not at the moment. Once you've got the cable connection and have possibly established an in-home LAN, it might be worthwhile to take a look at a firewall 'appliance'. But let's save that discussion until later, okay?
     
  4. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    I am going to politely disagree with my esteemed colleague Joseph on the hardware firewall issue. Here's why:

    If you wish to network your computers you will need a hub, switch, router, or a second network card in same machine.

    If security is a concern which it should be if you have credit card numbers on either machine, you'd better take care of this asap.

    Why not solve multiple problems at once? If you buy a hardware router, it has a built-in firewall and will provide you with the networking ability you desire. A trojan cannot effectively listen for connections because no incoming ports will be open. This doesn't stop a trojan from sending data out, so you will still need a software firewall (unless they are indeed useless).

    This all would be a fine start to building some security, just don't ever let yourself be convinced you are bulletproof.

    PS yes get a decent AT, I recommend TDS-3. DCS has a good deal on their stuff right now, I'd look into that if I didn't already own it.
     
  5. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Well, when are ya gonna do it??!! :cool: You actually haven't disagreed with me at all, yet (I think).

    Well, let me explain my reasoning on his stated situation a bit further. At the moment, he's only got dial-up. He will (shortly, I presume) be getting a cable connection. Sometime (undefined) after that, he may or may not get around to establishing an in-house LAN.

    Now, he may end up with a router as part of his cable connection package. (I don't know and can't tell from what he's said.) However, if he rushes out and buys one now, it may be one that his cable provider won't provide support for. See the problem?

    Once he's got cable, I would recommend he use a NAT-enabled router, rather than a hub or a switch, if he wants to have an in-house LAN. And I don't think that there are that many routers out there these days that support both analog dial-up and digital cable modems. Besides, there are some routers that more or less come with built-in 'hardware' firewalls, and for only a pittance more. But, at least to the best of my knowledge, these 'enhanced' routers are digital-only compatible -- so they would be of little use to him until the cable connection is in place. (I'm working real hard here at not getting into recommendations of particular products.)

    Agreed -- and again, part of the reason that I recommend the migration path that I did originally.

    Query on your second statement above: Are you simply referring to the NAT capabilities of most commonly available routers for home use? That's not quite what I meant by a 'firewall' appliance. I was thinking more along the lines of something like the LinkSys Firewall Router or the D-Link DI-604 (Damn!, got me to mention specific products, didn't you? :D ) -- at a minimum.

    Agreed.

    Also agreed.

    What was it we disagreed about? :rolleyes:
     
  6. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    BlackCat,

    Also, for your enlightenment, you might want to take a look at an ongoing poll on Wilders about firewall configurations (or the lack thereof). You can find this at http://www.dslreports.com/forum/remark,5161647~root=security,1~mode=flat~viewpoll=1 . Just bear two things in mind: These are primarily responses from people using cable/DSL connections and from people who are security-conscious.

    A bit further down in that thread ( http://www.dslreports.com/forum/remark,5190455~root=security,1~mode=open ) you'll find my synopsis of what this poll may indicate.

    You can also find my own personal understanding about the options offered in the poll at http://www.dslreports.com/forum/remark,5171179;reverse=0;root=security,1;mode=open .

    Also, in that thread, jaykaykay asked a very interesting question, to which you can find my response at http://www.dslreports.com/forum/remark,5172874~root=security,1~mode=open . My point, in this instance, being that a lot depends on what you've got and where you're going.
     
  7. controler

    controler Guest

    I have been dealing with some of the cable and DSL ISPs. I have not dealt with MSN's DSL service yet and so I don't know if you can attach a separate router to their modem.
    Some of these companies are only supplying a cable or a DSL modem without it being a router at all. Find out what kind of ISP you are going with and what system they are using.
    For instance, Qwest was going to force all its customers to MSN DSL. THAT didn't go over very well, and so they now offer these options:
    1. Internal Intel 2200 PCI card. One computer only.
    2. External Intel USB modem. One computer only.
    3. Cisco 678 modem router. Can network and only needs a hub.
    4. Actiontec 1520 router-modem, which includes many options. Connect one computer via RJ45, connect one computer via USB. Also includes 4 RJ45 ports for a small LAN. Get this: it is wireless ready. This means that with an Actiontec wireless card attached to the 1520, all you need is the matching PCI/PCMCIA cards for your computers and you have a wireless LAN. I am liking that. It comes with IP masquerading and a built-in firewall. The user interface is similar to Linksys's interface; by that I mean it is a browser interface.
    I have been working too many hours and haven't had a chance to check on MSN's DSL modems much yet. I do know of a ton of people wanting to set up a small home LAN and have MSN.
    Yes you should still use a personal firewall while on Dialup.
     
  8. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Just so no one puts too much emphasis on my own advice: I'm still on dial-up (no viable, reliable cable or DSL service available here -- yet). But, from what I've heard from luckier people, you're right: Things can be a bit different in terms of the 'offered' package from various cable/DSL ISPs and in different areas of the country.

    Got a query on that option: It's a modem router but you still need a hub?

    Now, that sounds like an option that BlackCat might want to check out -- since he's out in the boonies. I, on the other hand, am living in a townhouse community and already have problems with interference (maybe ham radio operators?) on both cell phones and wireless phones. Besides, it would be just too easy for someone to eavesdrop on my LAN if I used wireless.
     
  9. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    I have cable from an ex-@home provider that does it themselves now. I have a 3Com 3C510 home Ethernet gateway/router with built-in firewall. It has support for dial-up, but the modem must be external so the router can be in between that and the computers sharing it. It is no longer sold by 3Com, but other products with similar capabilities are out there.
     
  10. controler

    controler Guest

    Yes, the Cisco 678 is a modem router but only supplies one RJ45 out. With this modem, you connect the RJ11 phone line right from your house to the RJ11 input. You also can plug your phone into this modem.
    You then have an output to your PC network card. I have run that output directly to a hub to get a network. If you run from the modem to your PC, you need a crossover cable. If you run to, say, a 3COM 8-port hub, you just use a straight-through Cat 5 cable. The interface to this modem-router is by way of telnet, or what I use is HyperTerminal and a serial cable from the modem-router to the serial port on your PC.
    I believe @home is by Charter. Charter seems to be a dang good provider. I heard Media One is OK too.
     
  11. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Hi Blackcat,

    I'm going to agree with much of the above and say that you do need to act right away, and that the action you should take, given that you are on dialup right now and are unsure of your exact equipment needs for your future broadband connection, is to install a free software firewall.

    Zone Alarm would certainly do the job, but there are other products if you prefer. Whichever you choose, you can post back here and find help with the configuration of the product.

    There is much good and insightful information posted above, but, I just have to say, JV - great post!! (i.e. reply #2)

    Best Wishes,
    LowWaterMark
     
  12. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    OK fellow newb, get either ZAP Pro or Norton Firewall (the new one), then buy a hardware firewall. Ask Paul which one he is using, 'cause it most likely is the best, then ask Paul how to config it, and that's that, you're done lol.

    You're going to get 1000 replies on different firewalls, but the truth is ZAP and Norton seem to be the most newb friendly.

    It's the newb's choice of a new generation lol. Take it from a newb lol, like me. I'm not just a newb, I'm the newb president lol.
     
  13. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    Black Cat, I live in a rural area (you could call it the "sticks"). I'm also on dial-up. That's the only reasonably priced internet service that I can afford. Do you need a software firewall with a dial-up connection? I would strongly recommend installing a software firewall!! The people that already responded know a lot more about firewalls than I do. I know that my firewall program (Sygate free version) has blocked incoming traffic for me regularly. Once I got an alert about Code Red, which was blocked, fortunately. I feel that it doesn't matter what connection you have. You just have to be at the wrong place at the right time to be hacked etc. If you have an "always on" connection, you are just available or vulnerable more. With either connection I wouldn't get on the net without a software firewall!!!
     
  14. butthead

    butthead Guest

    The latest version of the Zone Alarm freeware firewall does have a bug. Protection is good otherwise. ZoneLabs is aware of the bug. Until and/or if the bug is fixed, all persons should be made aware of it since.
     
  15. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Hey there Blackcat,
    Now that J V twisted your arm to start a new firewall Useless thread I will make it short and sweet. The answer to every one of your questions is one word "YES". :D

    Except for the title.....

    Why make it multiple choice ?
     
  16. Vampirefo

    Vampirefo Guest

    Do you need a firewall? Well that's a personal choice, Some people use them some don't. Are all the people using firewalls safer than everyone not using a firewall? No.

    If one doesn't understand or know what services or programs to allow or disallow, then indeed the firewall is useless to them.

    Firewalls are not a cure all program, I see a lot of people recommending to new users to get ZA and set it and forget it, this of course is the worst advice you could give anyone.

    Think about it, if you set it and forget it, you might as well have no firewall, cause in reality, you have none.

    New security threats, and holes are discovered daily, so one's firewall should be tested daily, also.

    Many new Trojans attack firewalls; they may just leave the icon intact, but the firewall is disabled. So those who set it and forget it just see the icon of their firewall and they feel safe, all along their personal data is being stolen and their computer is being used as a zombie.

    I have talked to a lot of kiddies that use Trojans, and they prefer ZA users over other firewalls, simply because the user will just let the Trojan right out, without question.

    Of course not all ZA users, but most new ones, you know the ones that just set it and forget it kind of user.

    Anyway, I use a Linksys router for inbound protection, plus Kerio firewall for outbound protection.

    The most important thing is to know what should be allowed, then disallow everything else, until you see what the program does, and what it wants to do.

    Two AVP's, in my opinion are not as good as one AVP, plus a Trojan scanner, I use other tools, SSM, packet sniffers, Active Ports, and the list goes on and on.

    A firewall is only as good as the weakest link, in your security, and that is you. If you don't know, nor take the time to learn what to allow or disallow, there is no way your firewall will know either.

    The firewall simply asks you, and You the user tells the firewall yes this application is OK, or not.

    Get a firewall, and see how it goes, if you don't like it try another one, If none of them suit you then use none of them.
     
  17. controler

    controler Guest

    I have to say>>> BlackICE has the prettiest girl on its main page. :D
    See the Wireless Honorable mention?

    Key Features:
    BLOCKS hacker attacks instantly
    PREVENTS destructive applications
    REPORTS attempted attacks and identifies intruders
    SECURES any Internet connection, including wireless

    here is a must see!!!

    http://blackice.iss.net/product_pc_protection.php

    Go to the web page, click on the demo. A Flash demo pops up and tells a bit about how firewalls work in general.
    I wonder if the lady speaking in the Flash demo is the same lady as on the front page?
     
  18. Luthorcrow

    Luthorcrow Registered Member

    Joined:
    Nov 30, 2002
    Posts:
    56
    Location:
    California
    Blackcat,

    I think you got some really good, dead-on advice even if Vampirefo may be overstating his case. I really think this whole "Firewall Useless" argument smacks a bit of hyperbole. For example, I ride motorcycles and safety advocates have pushed laws onto the books in California that you have to wear a helmet at all times. Now the fact is helmets do make riding a motorcycle safer in more ways than just protecting your braincase (improved hearing, vision, comfort, etc.). But helmets have serious limits. No helmet manufactured today can take a direct blow greater than 20mph. A lot of new and old riders get a little weak in the knees when they learn that fact. But then again, more often than not your head will not be the body part that directly slams into the ground, and instead is more likely to be dragged or scraped (which is what helmets are actually designed for). Much like a FW being one piece, so is the helmet. Any experienced rider would also wear full leathers, gloves, boots, and if they like to ride fast like I do they are going to make sure those leathers are from a race-tested manufacturer and incorporate some body armor. If they are really paranoid they might include more exotic protection like a spine protector or airbag vest (BMW paved the way for that product).

    Now at the end of the day, you could have all that, not work on your riding skills and end up a road kill. In fact, the riding skills are actually what is going to keep you alive or with all your skin intact in the long run. That said, you are still safer with that gear than without it. Even if you ride like a squid you are still safer with it than the typical squid uniform of shorts, sneakers, and a tank top.

    To me the FW issue is pretty much the same. It's not a bulletproof vest (which is a whole other topic about false advertising) but it does add a layer of safety. Just don't expect it to be a Red S under your shirt. Nothing beats a well-tuned brain.
     
  19. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    I agree with everything Vampirefo said except I don't like Linksys products. I use a 3Com router. Linksys is the Microsoft of the SOHO network world. DON'T allow remote config or you will be sorry.
     
  20. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    Thanks guys (and girls) for all your time and effort, particularly Joseph. As a newbie to the firewall scene I shall dip my toes in gradually and start off with a software firewall, on my dial-up connection. Due to your advice, I have started to trial Look 'N' Stop (I have loaded the enhanced rules set) on one machine and Outpost (free) on the other.

    Here in the UK there has been only a very slow turnout of cable and those people like myself who are in rural areas are miles away from the nearest link. At least 200 people in a particular area need to sign a cable contract before any extensions to the main link are made. So although I said in my initial thread that I was hoping to be on cable in a couple of months, this may prove optimistic.

    When I am cable connected I will look at a hardware solution, involving routers and an in-house LAN, particularly as I am buying another computer at Xmas. In the UK the cable/phone companies only provide the link - there is no modem etc., so it can be fairly expensive; with contracts, modems and other bits and pieces we are probably talking at least $400-500 startup costs, followed by a monthly contract fee. The only other possibility is a satellite connection (I know of one person who has this) but this is prohibitively expensive for most people.

    I will post again for the best configuration for the above firewalls if I cannot find the answer in past threads at wilders. Many thanks again. :)
     
  21. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    I like your idea of "I shall dip my toes in gradually" and starting off with two different rule-based software firewalls :D

    Feel free to ask away if in doubt about anything. As Vampirefo and others have suggested in this thread and the original one, knowing and understanding your system and what is required is important. You are the best security for your system and you obviously are not reluctant to jump in there and learn.
     
  22. controler

    controler Guest

    This might or might not be important to you. If you go into any chat rooms, IRC etc., make sure you get a personal firewall that doesn't automatically block that room if you are being spoofed (using that server's IP) by someone from that room that doesn't like you. The firewall you chose might just say, "oh dear, I am being spoofed by this server's IP and therefore must block it now." This would be an unchangeable auto-block feature.
    I am not sure if anyone has mentioned this and that is why I said it.
    Any comments ? :D
     
  23. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    Mmm, where did you get this info from? Looking at both NTL and Telewest, I don't see this at all. Both provide a cable modem (the link is useless without it), but you need to provide your own NIC to connect the modem to your computer (say £25). Their installation costs are in the region of £50.00 (but may be cheaper, or free, if you time it for one of their many installation offers). So, start-up costs are £25 - £75 (this is $40-$110, not $400-500). There are no other 'contracts, modems and other bits and pieces' to pay for.

    Monthly fixed fees are £25 - £40, depending on what service speed you choose, and whether or not you also have other services from the cable supplier (e.g., telephone or TV).
     