Inbound firewall: Necessary?

Discussion in 'other firewalls' started by Rmus, Jun 16, 2009.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    If a computer has all ports closed (disabling specific Services, ie: Messenger) do you feel that an inbound firewall is necessary?

    thanks,

    rich
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    Software or hardware/router firewall? In theory not necessary, in your outline, but I find it useful to have.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Why do you find an inbound firewall useful?

    ----
    rich
     
  4. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    It may be very useful when you plug your laptop into different networks from time to time (or connect to different WiFi networks). For a home network this is not needed if you are behind a hardware firewall/router (and don't forget to disable remote control for your HW firewall/router).
     
  5. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    So I don't have to worry that various ports are closed, or that some service becomes vulnerable before I patch it; because I like tinkering; because I'm human and it provides additional protection against my errors. I can guess the thrust of your argument and you have a valid point, but just like the people who don't need AV because they are that good, I find them useful :)
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Got it!

    thanks,

    rich
     
  7. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    For me, without question. No computers that I support will ever not be behind a NAT router. A NAT router gives the entire network solid inbound protection by default. It is an inbound firewall.

    A Windows PC without one, sitting directly on an IP address, is trouble waiting to happen. Services fail, malware corrupts services, vulnerabilities come out. Over the many many years of supporting computers for a living, I cannot ignore the ratio of PCs that I've seen hit by worms 'n other problems...sitting on public IP addresses. Whereas PCs behind a NAT router never got touched by those mass spreading worms that hit vulnerabilities like RPC services, Blaster for example.
     
  8. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    I was also under the impression it is hard to close some windows services so having a firewall there will block packets to those services.
     
  9. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Once upon a time, I ran Win2k for over a month without any firewall of any kind, no router, nothing, just closed my ports as you mentioned and that was it. Nothing happened, much as I suspected. So it can be done.

    It's just easier to run with a router I think. That's what I do now. No overhead on the PC, and it removes any concerns about possible slips ups.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Example that you have observed?

    How did the malware get onto the computer?

    Explain, please.

    I believe Blaster required an open Port 135.

    Recent conficker required open Ports 139, 445. In my scenario, the ports are closed.

    ----
    rich
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I also - I remember we discussed this in another thread. Someone else in another forum did the same with XP.

    I think this is certainly good advice. I want to come back to this later...

    ----
    rich
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    It seems to vary, according to what Services are being used by what software.

    ----
    rich
     
  13. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    I got hit by the Blaster worm back in the day. I didn't have a router; I was using an internal modem which plugs into your motherboard, and it was a fresh install of Windows. As soon as I got on the net, before I even had a chance to load a single web page, BANG, the worm just simply walked straight in. It is the result of Microsoft's excellent thinking of having these ports open by default. This is why I have the Seconfig XP and WWDC tools in my sig, which close/disable these vulnerable ports.
     
  14. wat0114

    wat0114 Guest

    Exactly my reason too. Also I agree with YeOldeStonecat's reasons. Regarding all that unsolicited Internet noise, why let it bombard your PC's direct network connection in the first place? Why not, if possible, let a router handle all the unsolicited crap, taking a huge burden off the duties of the PC's connection and affected services that do need to listen?

    Rmus, you are probably leading up to stating that inbound hardware firewall protection is not required because it is possible to close unnecessary services or control other affected ones, and you are no doubt right. I just like the idea of the outer perimeter sentry handling the bulk of the noise, even if it's protecting only one machine. The possibility of slip-ups that Kerodo alludes to is all the more likely with the average security-unconscious person. I would say in this latter case, YeOldeStonecat, throughout his considerable experience in this field, has seen a lot of this. He mentions it frequently in this forum but no one seems to take him seriously.
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks for the responses. I was just curious as to how people felt about the necessity for an inbound firewall. As Kerodo and I have demonstrated, you can be protected w/o one if your ports are secure.

    Certainly this is not a blanket recommendation for others!

    In Win9x days, I and my computer-friends did not use a firewall. It was pretty easy to secure things in those days. When Win2K came along, the feeling among most was that Services presented a challenge to securing ports and that a firewall was recommended.

    I started researching and became intrigued with Kerio 2 because it is very simple, so I got one and learned about rule sets. I recommended it to many people and even wrote a tutorial.

    I found the application monitoring feature to be very useful, and it's helped in watching how exploits work. For example, in the PDF exploits, assuming the browser has scripting and plug-ins enabled, the PDF file will load, and the malicious code inside the file will use the Reader to connect out to a server to download malware. A firewall will alert:

    (screenshot of the Kerio firewall alert; image not included)

    Sadly, the simplicity of Kerio has given way to more complex firewalls.

    Which brings me to IPv6.

    At some point, Kerio will not be effective as an inbound firewall.

    One consideration is to just configure Kerio to permit all inbound traffic and use it just to monitor outbound -- essentially not having an inbound firewall.

    Another consideration is to get a router and use Kerio just for outbound monitoring as above.

    Well, IPv6 is some time away, but one needs to think ahead!

    ----
    rich
     
  16. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    If all ports are closed, then there is no need for a firewall.
    If you have ports open, but the services are only listening on local networks, then you probably also do not need it, unless you connect to untrusted LANs.

    But it's simpler to have one and forget about it.

    Mrk
     
  17. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I think the greater danger is when you run a piece of software that opens a port. Shutting down services is easy. It is those programs one does not test that can lead to an open port, and then the possibility that could ensue. I don't worry because I test everything I install, but for many, that is probably why they like application aware firewalls.

    I run mostly with only a router. Sometimes I engage the XP firewall, but usually not. After years of watching firewall and router logs, I don't see the point as long as you know what you have installed. An occasional peek with netstat is most all I ever do anymore. Erm, well, I do have some IPsec rules in place, which seals the deal for me.

    Sul.
     
  18. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,432
    Location:
    Slovakia
    True. I was running a PC a year without a firewall (ports closed) and any other realtime security software and PC passed with green mark even with cracks, p2p.
     
  19. developers

    developers Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    62
    and how do you protect yourself from port scanning?

    [E.g., stealth scan: xmas scan, FIN scan, half open scan,...]
     
  20. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    You beat me to it, developers; I was about to post the same thing. While we have all the non-needed ports closed, there are still ports that we need open, port 80 being the main one, and forwarded gaming ports etc. So in some ways there needs to be a firewall to filter the incoming traffic on the allowed open ports. Most of us here already have measures in place to deal with any malware etc. But if you are being targeted by sophisticated hackers then I would recommend something like a hardware firewall with deep packet inspection, like one of the SonicWall series.
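An added example, not from developers, arran or any other poster, for the port-scanning question in the two posts above: a small Python model of how a TCP stack answers SYN (half-open), FIN, Xmas and NULL probes and what a scanner can conclude from each answer. The reply rules follow RFC 793 and nmap's documented note that some stacks, Windows among them, reset every non-SYN probe regardless of port state; the probe table, function names and stack variants are assumptions of the model, not measurements of any real host.

```python
# Added example (not from the thread): what each scan type learns from a port
# that is closed, open, behind a dropping packet filter, or on a stack that
# does not follow RFC 793 for FIN/Xmas/NULL probes.
from typing import Dict, Optional, Set

# Flags carried by each probe type (constructed table).
PROBES: Dict[str, Set[str]] = {
    "syn":  {"SYN"},
    "fin":  {"FIN"},
    "xmas": {"FIN", "PSH", "URG"},
    "null": set(),
}


def host_response(port_state: str, flags: Set[str],
                  firewall_drop: bool = False,
                  rfc793_stack: bool = True) -> Optional[str]:
    """Flags of the reply a host sends to one probe, or None for silence.

    port_state     'open' (a listener) or 'closed' (no listener, no filter)
    firewall_drop  an inbound packet filter discards the probe unanswered
    rfc793_stack   True: FIN/Xmas/NULL to an open port are ignored (RFC 793),
                   so silence is the only sign the port is open.
                   False: the stack resets every non-SYN probe whatever the
                   state (Windows-style), so those scans cannot find open ports.
    """
    if firewall_drop:
        return None                          # never reaches the TCP stack
    if "SYN" in flags:
        return "SYN/ACK" if port_state == "open" else "RST"
    if port_state == "closed" or not rfc793_stack:
        return "RST"                         # closed port: reset, per RFC 793
    return None                              # open port: the probe is ignored


def scanner_verdict(probe: str, reply: Optional[str]) -> str:
    """nmap-style interpretation of a single reply to one probe."""
    if reply == "RST":
        return "closed"
    if probe == "syn":
        return "open" if reply == "SYN/ACK" else "filtered"
    return "open|filtered"                   # silence to FIN/Xmas/NULL is ambiguous


def scan(port_state: str, firewall_drop: bool = False,
         rfc793_stack: bool = True) -> Dict[str, str]:
    """Run every probe type against one modelled port; {probe: verdict}."""
    return {
        name: scanner_verdict(name, host_response(port_state, flags,
                                                  firewall_drop, rfc793_stack))
        for name, flags in PROBES.items()
    }


if __name__ == "__main__":
    cases = [
        ("closed port, no firewall",        dict(port_state="closed")),
        ("open port, no firewall",          dict(port_state="open")),
        ("closed port, filter drops probes", dict(port_state="closed", firewall_drop=True)),
        ("open port, Windows-style stack",  dict(port_state="open", rfc793_stack=False)),
    ]
    for label, kw in cases:
        print(f"{label:36} {scan(**kw)}")
```

The model gives the practical answer to the question: a port that is genuinely closed answers RST to every probe type, so the most a scanner learns is that it is closed, and the "stealth" scans gain nothing over a plain SYN scan. A packet filter that drops the probe only turns that answer into silence ("filtered"), which hides whether the port is closed or open but does not make a closed port any safer; it matters for the ports that are deliberately open, as arran says.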
     
  21. wat0114

    wat0114 Guest

    Port 80 is remote (http). If you run a server I suppose you might need it, depending on what you're doing, but for a typical pc I don't see how port 80 locally comes into play, unless I'm missing something.
     
  22. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,432
    Location:
    Slovakia
    I would call myself a standard user: browsing, listening to music, playing games, but none of these need an open incoming TCP port except P2P.
    As for the browser, IE uses only UDP In/Out and TCP Out, though Firefox requires TCP In in order to work; at least the last time I checked it, it did.
    Well, of course, talking about hackers and targeted attacks, "Resistance is futile :)))", but talking about common automatic malware, it is quite easy to resist.
     
  23. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I've never found it necessary to allow any incoming connections to a browser. In addition to the usual outbound TCP connections, the browsers I've used all request UDP loopback connections when they first start up.
    (screenshot of the browser loopback connection prompt; image not included)
    SeaMonkey and K-Meleon seem to function normally whether I allow the loopback connection or not. Internet Explorer gets very sluggish if I don't allow that connection.

    There's a lot of variance in how firewalls handle loopback or local connections. Some don't filter them at all. Depending on how you look at them, they are both inbound and outbound connections. It's possible that these are what your firewall is calling inbound connections to your browser.
     
  24. benton4

    benton4 Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    158
    Location:
    Oregon
    I look at it as prevention protection- if nothing can get in, then there is no worry of anything getting out. :)
     
  25. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    For years I've heard people complaining that this or that firewall sucks, Windows Firewall sucks worse... (I wonder what sucks better o_O)

    Bottom line: why curse that much? They could be doing charity instead, helping needy people.

    Then, and lately, we've seen news saying: Hey, guess what? US Power Grid got hacked... Hey, guess what?...

    They all are behind firewalls, and better security systems than ours. The question is: Are they any better than my grandma?

    Asking the need for a firewall (inbound/outbound), is the same as asking the real need for an antivirus, etc.

    Is there a real need? Maybe not... Will people feel they're safer? Yes, but depends. Most don't even know they aren't running any antivirus, until some friend complains they sent an infected file. :D
     