Inbound firewall: Necessary?

Discussion in 'other firewalls' started by Rmus, Jun 16, 2009.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    If a computer has all ports closed (disabling specific Services, ie: Messenger) do you feel that an inbound firewall is necessary?

    thanks,

    rich
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    software of hardware/router firewall? In theory not necessary, in your outline, but i find it useful to have
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Why do you find an inbound firewall useful?

    ----
    rich
     
  4. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    It may be very useful when you plug your laptop to the different networks from time to time (or connect different WiFi networks). For a home network this is not needed if you are behind the hardware firewall/router (not to forget to disable remote control for your HW firewall/router)
     
  5. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    so i don't have to worry that various ports are closed, or some service becomes vulnerable before i patch it, because i like tinkering, because i'm human and it provides additional protection against my errors. I can guess the trust of your argument and you have a valid point but just like the people who don't need AV because they are that good i find them useful :)
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Got it!

    thanks,

    rich
     
  7. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    For me, without question. No computers that I support will ever not be behind a NAT router. A NAT router gives the entire network solid inbound protection by default. It is an inbound firewall.

    A Windows PC without one, sitting directly on an IP address, is trouble waiting to happen. Services fail, malware corrupts services, vulnerabilities come out. Over the many many years of supporting computers for a living, I cannot ignore the ratio of PCs that I've seen hit by worms 'n other problems...sitting on public IP addresses. Whereas PCs behind a NAT router never got touched by those mass spreading worms that hit vulnerabilities like RPC services, Blaster for example.
     
  8. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    I was also under the impression it is hard to close some windows services so having a firewall there will block packets to those services.
     
  9. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Once upon a time, I ran Win2k for over a month without any firewall of any kind, no router, nothing, just closed my ports as you mentioned and that was it. Nothing happened, much as I suspected. So it can be done.

    It's just easier to run with a router I think. That's what I do now. No overhead on the PC, and it removes any concerns about possible slips ups.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Example that you have observed?

    How did the malware get onto the computer?

    Explain, please.

    I believe Blaster required an open Port 135.

    Recent conficker required open Ports 139, 445. In my scenario, the ports are closed.

    ----
    rich
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I also - I remember we discussed this in another thread. Someone else in another forum did the same with XP.

    I think this is certainly good advice. I want to come back to this later...

    ----
    rich
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    It seems to vary, according to what Services are being used by what software.

    ----
    rich
     
  13. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    I got hit by the Blaster worm back in the day. I didn't have Router I was using a internal modem which plugs into your mother board. and it was fresh install of windows as soon as I got on the net before I even had a chance to load a single web page BANG the worm just simply walked straight in. It is the result of microsoft's excelent thinking of having these ports open by default. This is why I have the seconfig xp and WWDC tools in my Sig which closes/disables these vulnerable ports.
     
  14. wat0114

    wat0114 Guest

    Exactly my reason too. Also I agree with YeOldeStonecat's reasons. Regarding all that unsolicited Internet noise, why let it bombard your PC's direct network connection in the first place? Why not, if possible, let a router handle all the unsolicited crap, taking a huge burden off the duties of the PC's connection and affected services that do need to listen?

    Rmus, you are probably leading up to stating that inbound hardware firewall protection is not required because it is possible to close unnecessary services or control other affected ones, and you are no doubt right. I just like the idea of the outer perimeter sentry handling the bulk of the noise, even if it's protecting only one machine. The possibility of slip ups that Kerodo alludes to is all the more likely with the average security unconcious person. I would say in this latter case, YeOldeStonecat throughout his considerable experience in this field has seen a lot of this. He mentions it frequently in this forum but no one seems to take him seriously.
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks for the responses. I was just curious as to how people felt about the necessity for an inbound firewall. As Kerodo and I have demonstrated, you can be protected w/o one if your ports are secure.

    Certainly this is not a blanket recommendation for others!

    In Win9x days, I and my computer-friends did not use a firewall. It was pretty easy to secure things in those days. When Win2K came along, the feeling among most was that Services presented a challenge to securing ports and that a firewall was recommended.

    I started researching and became intrigued with Kerio 2 because it is very simple, so I got one and learned about rule sets. I recommended it to many people and even wrote a tutorial.

    I found the application monitoring feature to be very useful, and it's helped in watching how exploits work. For example, in the PDF exploits, assuming the browser has scripting and plug-ins enabled, the PDF file will load, and the malicious code inside the file will use the Reader to connect out to a server to download malware. A firewall will alert:

    [​IMG]

    Sadly, the simplicity of Kerio has given way to more complex firewalls.

    Which brings me to IPv6.

    At some point, Kerio will not be effective as an inbound firewall.

    One consideration is to just configure Kerio to permit all inbound traffic and use it just to monitor outbound -- essentially not having an inbound firewall.

    Another consideration is to get a router and use Kerio just for outbound monitoring as above.

    Well, IPv6 is some time away, but one needs to think ahead!

    ----
    rich
     
  16. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    If all ports are closed, then there is no need for a firewall.
    If you have ports open, but the services are only listening on local networks, then you probably also do not need it, unless you connect to untrusted LANs.

    But it's simpler to have one and forget about it.

    Mrk
     
  17. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I think the greater danger is when you run a piece of software that opens a port. Shutting down services is easy. It is those programs one does not test that can lead to an open port, and then the possibility that could ensue. I don't worry because I test everything I install, but for many, that is probably why they like application aware firewalls.

    I run mostly with only a router. Sometimes I engage XP Firewall, but usually not. After years of watching firewall and router logs, I don't see the point as long as you know what you have installed. An occassional peek with netstat is most all I ever do anymore. Erm, well I do have some ipSec rules in place, which seals the deal for me.

    Sul.
     
  18. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    True. I was running a PC a year without a firewall (ports closed) and any other realtime security software and PC passed with green mark even with cracks, p2p.
     
  19. developers

    developers Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    62
    and how do you protect yourself from port scanning?

    [E.g., stealth scan: xmas scan, FIN scan, half open scan,...]
     
  20. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    you beat me to it developers I was about to post the same thing. While we have all the non needed ports closed. there is still ports that we need open. Port 80 being the main one. and forwarded gaming ports etc. So in some ways there needs to be a firewall to filter the incoming traffic on the Allowed Open ports. Most of us here already have measures in place to deal with any Malware etc. But if you are being targeted by sophisticated hackers then I would recommend something like a hardware firewall with deep packet inspection like one of the Sonicwall series.
     
  21. wat0114

    wat0114 Guest

    Port 80 is remote (http). If you run a server I suppose you might need it, depending on what you're doing, but for a typical pc I don't see how port 80 locally comes into play, unless I'm missing something.
     
  22. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    I would call myself a standard user, browsing, listening music, playing games, but none of these need an open incoming TCP port except p2p.
    As for browser IE, it uses only UDP In/Out and TPC Out, though Firefox requires TCP In in order to work, at least last time I checked it, it did.
    Well of course, talking about hackers, targeted attack, "Resistance is futile :)))", but talking about common automatic mallware, it is quite easy to resist.
     
  23. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I've never found it necessary to allow any incoming connections to a browser. In addition to the usual outbound TCP connections, the browsers I've used all request UDP loopback connections when they first start up.
    browser loopback.gif
    SeaMonkey and K-Meleon seem to function normally whether I allow the loopback connection or not. Internet Explorer gets very sluggish if I don't allow that connection.

    There's a lot of variance in how firewalls handle loopback or local connections. Some don't filter them at all. Depending on how you look at them, they are both inbound and outbound connections. It's possible that these are what your firewall is calling inbound connections to your browser.
     
  24. benton4

    benton4 Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    158
    Location:
    Oregon
    I look at it as prevention protection- if nothing can get in, then there is no worry of anything getting out. :)
     
  25. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    For years I've heard people complaining that this or that firewall sucks, Windows firewall sucks worse... (I wonder what sucks bettero_O)

    Bottom line: Why curse that much? They could be doing charity, instead. Helping needing people.

    Then, and lately, we've seen news saying: Hey, guess what? US Power Grid got hacked... Hey, guess what?...

    They all are behind firewalls, and better security systems than ours. The question is: Are they any better than my grandma?

    Asking the need for a firewall (inbound/outbound), is the same as asking the real need for an antivirus, etc.

    Is there a real need? Maybe not... Will people feel they're safer? Yes, but depends. Most don't even know they aren't running any antivirus, until some friend complains they sent an infected file. :D
     
Loading...
Thread Status:
Not open for further replies.