Inbound protection of software firewalls

Discussion in 'other firewalls' started by glentrino2duo, Jun 10, 2007.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello Climenole,

    Thanks for the explanations!

    What then can the sender do to exploit the computer in operation?



    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  2. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    @Climenole and Rmus: Thanks for your replies. They are very informative.

    Is it now safe to say, then, that as long as a software firewall can be configured to stealth all ports, it offers good inbound protection?
     
  3. wat0114

    wat0114 Guest

  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello, Climenole,

    I understand, but if a person's IP address changes on each login (dynamic) I don't see a concern for a home user.

    regards,

    -rich

     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello Climenole,

    In Win9x days, I never used a firewall. We were taught about securing the OS and configuring NETBIOS and all of that stuff.

    Win2K introduced the potential problems with Services and Ports. When I finally upgraded to Win2K I began reading about firewalls, and due to a certain website, became aware of the Closed vs Stealth thing.

    What caught my eye in various discussions around the Web were numerous references to the idea that Stealth is not RFC compliant. Then I came across many opinions ranging from "they'll hammer away at your closed port because they know you are there and will eventually get in and steal all of your stuff" to "a closed port is a closed port."

    Comments on stealth ranged from "you are totally invisible" to "I bet that being closed will make the bots go away, and being stealth will make them retry many times or hang on you, just a guess."

    I found amusing the fact that many who were arguing for stealth were running P2P, FTP, certain chat apps, which as you point out, "If your run a server or a server like program you lost your stealth status..."

    All of this made for interesting reading, but didn't really prove anything. So, I ran a test w/o a firewall but all ports closed (as in Win9x days) and later Blake (LinkLogger) did the same at DSLR.

    Now, he had tools to monitor, where I had to leave the firewall enabled but Permit ALL In<->OUT in order to Log.

    When it was all over, I concluded that for myself as a home user, it was much ado about nothing.

    Ironically, all of this is a moot point because most software firewalls are Stealth!

    Thanks for your comments and explanations.

    regards,

    -rich

     
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I did the same thing here a few years ago and posted on Wilders about it at the time I think. Ran a Win2k system on a cable connection to the internet with no firewall. I did everything necessary in order to close all ports then tested it online to make sure everything was closed. I actually ran that way on cable, no firewall, for a month and a half, 24/7. Absolutely nothing negative happened, and when I finally put a firewall back on and checked the logs, there was no sign of increased traffic or anyone hammering at me or anything, and no problems on the PC of course. So I concluded that it can be done too, and that a closed port was a closed port, and nothing could be done with it from the outside. In my mind, whether someone "sees" you there or not is irrelevant to the average home user. Now I have the router, and it's all pretty much moot, but I agree with you that "stealth" is much ado about nothing for the average home user.
     
  7. tlu

    tlu Guest

    I'm afraid you're mixing things up. You have to differentiate between client and server applications. A server listens at a special port which has, logically, to be open, otherwise no one else would be able to have access to that server. However, a web browser is a client application. It connects via the TCP/IP stack to a remote web server through (usually) port 80 on that server. The TCP/IP stack rejects any incoming data without a previous corresponding request by the client application. Therefore, there aren't any open local ports on your computer when using a web browser or another client application. On the other hand, open ports caused by server applications (usually services on your Windows machine) must be closed by the firewall if those services can't be stopped.

    In other words: Without open ports caused by services there wouldn't be a need for inbound protection. In Ubuntu Linux, e.g., the firewall is deactivated by default as there are no unnecessary services and therefore no open ports.
     
  8. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,440
    Location:
    Slovakia
    I know what you mean, but I was referring to allowed applications in a firewall like a browser or an email client, through which most malware comes, so inbound protection talking about firewall seems to me a bit of an inaccurate description. That is why I consider firewall to be somewhat useless, so I do not use any, though I have a few opened ports by services.
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
  10. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Router Firewall, Windows Firewall, Antivirus, and HIPS. That's enough for me and this is coming from a security software junkie.
     
  11. tlu

    tlu Guest

    Sorry, but I'm not sure at all that you know what I mean. What has the use of a client application to do with inbound protection in a firewall?

    That's more than careless unless you're behind a router or have your services configured accordingly as explained in detail on http://www.ntsvcfg.de/ntsvcfg_eng.html
     
  12. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,440
    Location:
    Slovakia
    I am just trying to point out that since vulnerable applications are allowed, then a firewall does almost nothing to provide an inbound protection, maybe it protects against about 0,1% threats, but then in fact, we can not really talk about an inbound protection, when talking about firewalls and that is the reason why I do not use any, because I do not need an outbound protection and that is what makes firewall worth its money, but that is just my viewpoint. ;)

    No router here, just Vista with a few TCP ports opened 49152-49157. But it is not as dangerous as it seems. I apply the only, almost 100% effective protection, and that is: not to anger any hacker, because if I would do, no security applications would save me, they would just give me some time and that would be all. :)
     
  13. wat0114

    wat0114 Guest

    Trouble is, even some legit applications or processes require restricted outbound access. Perfect example: svchost.exe. Why would you want this to connect unbridled to anywhere it's directed to, especially when M$ likes to sometimes use it for "calling home" purposes?

    Having said that, in your case you likely need not worry. If memory serves, you have quite possibly the most limited services profile of anyone in the computing world :)
     
  14. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Mostly depends if you have vulnerable or exploitable services holding those ports open. If so, then you're in trouble. If not, then it really doesn't matter much.
     
  15. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,440
    Location:
    Slovakia
    Not anymore, I have found out that so-called useless services are not so useless after all, like Task Scheduler or Error Reporting. If I would use WWDC, it would close those ports, but it would disable their services. By the way, I like reporting to Microsoft, I have enabled customer user's experience reporting in Vista, WLM and Google too. ;)

    I am sure that some of those services are vulnerable, if they are not, they will be for sure, talking about zero-day exploits or even unknown exploits, but that is the risk I am willing to take, since I have nothing really valuable in my PC.
     
  16. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    Thanks to all who replied to this thread. Learned a great deal in the discussions, especially in those *handshake links.

    This thread made me appreciate CHX-I and Windows Firewall more.. am an avid CHX-I user btw.

    A big handshake to all! :)
     
  17. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Hardware firewalls are nice, but some of us use notebook computers on public hot spots, so a software firewall will have to suffice.

    It's nice to say close all your ports, but Windows listens on a bunch of ports by default.
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hear hear :thumb:
     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello,
    Interesting to see what everyone thinks is/as "inbound protection".

    For me, personally, inbound protection from a firewall is its ability to filter the inbound packets.
    Yes, we look at "closed ports" shown on scans, what are these,.. these are closed ports, no entry, full stop. So as I have said before, the results of a "scan" are of no concern unless you see "open" ports. Closed ports are closed, there is no way to open these externally unless an application is present/installed on the system.

    I got very tired of (quite a while ago) this need for "Stealth", (complete waste of time to me), but a good selling point for firewalls.
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The ability of a firewall to give "Stealth" in no way shows its ability to give inbound protection.

    OK, I admit, the TCP/IP stack in the OS is now more protected due to patching/updates from Microsoft, but you need time to check for possible inbound attack. We can go through many. I personally have found all others know better than I (as they put forward) so I will leave this to them (for now).
     
  21. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    I think the stealth idea came out of the stealth flyers that were invisible to AA artillery. If you can't see it, you can't shoot it down. :D
     