Is a firewall really necessary for home use?

Discussion in 'other firewalls' started by Rmus, Nov 27, 2005.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Warning
    do NOT try the following
    unless you are fully prepared to format your system and start again
    (at the very minimum)



    I decided to find out, and have been running all day with the firewall set to permit everything In<-->Out.

    I would have disabled it except I want to watch the log.

    Running Win2K; All ports (except you know which) are closed, of course:

    http://www.rsjones.net/img/grc.png

    The computer runs in a virtual type of environment with White List protection,
    preventing unauthorized installation of executables, or modification of any existing executable.

    The only other tool is a trial version of RegDefend to watch the Registry.

    So far I've received no alerts about executables or Registry entries.

    I started posting my Log this evening:


    Has anyone else tried running without a firewall?

    -------------------------------------------------------

    EDIT: Just completed a four-day test:

    Test Results

    Conclusion:

    It is possible to run safe on the internet without a firewall or router for inbound protection.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
    Last edited by a moderator: Dec 1, 2005
  2. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    A firewall is a compulsory must-have for all computers. No one should run without a firewall at all. I don't dare to connect to the internet without a firewall. Also, your log does not seem to exist; when I click on your link, it gives me a "url not found" error. o_O
    Even if, let's say for example, you're running with a router, you must still have a firewall to monitor outgoing traffic.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Why?

    I wouldn't make such a blanket statement for everyone

    Why?


    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    How typical is that of most home systems today? It is still a potentially vulnerable service exposed to the Internet. Which OS are you running and what steps did you have to take to have one open port/service? Are these steps something most home users are likely to do?

    Yes, for testing purposes, but it is not something I would normally do or recommend.

    Yes, it is a critical component and first step to securing one's system/network.

    Regards,

    CrazyM
     
  5. Clweb

    Clweb Registered Member

    Joined:
    Dec 28, 2002
    Posts:
    127
    Location:
    France
    And what about the URL of your log?
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Three that I know of.

    Win2K; I don't remember - When I first installed Win2K I didn't have a firewall, and after configuring the internet connection, I did the GRC port scan and all ports were closed except 135 but I disabled DCOM.

    I don't know how likely, but certainly possible.

    I'm trying it myself and am just wondering if anyone else has.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I'm not sure what the problem is - it comes up for me:

     
  8. kalpik

    kalpik Registered Member

    Joined:
    May 26, 2005
    Posts:
    369
    Location:
    Delhi, India
  9. The Seeker

    The Seeker Registered Member

    Joined:
    Oct 24, 2005
    Posts:
    1,100
    Location:
    Adelaide
    I'm not sure it's an absolute must to use a firewall to monitor outgoing traffic, it may be what you prefer however.

    I for instance use the Windows Firewall and have TCPView to keep an eye on my connections.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    Not at this point if you are running Jason's new Appdefend. It blocks all network access unless you give permission.

    I would actually consider dropping software firewall, except I occasionally use dialup which isn't behind the router.

    Also just for peace of mind. (real technical reason, eh.)
     
  11. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I do agree with Rmus here. As I've noted elsewhere, in any security scheme that I follow, a hardware router is the first recommended component and a software firewall is the last recommended component and optional at that. See El Cheapo Router Challenge for why I'd put a router at the head of the list - it is a simple physical device plugged into the system and you're done at that point with respect to unsolicited inbound control. For the vast majority of users, this is the best solution.

    You do need something, either a router, software firewall, or native Windows ICF enabled. A router is, by far, the most robust solution. A software firewall provides more information, finer control, as well as many more opportunities to be misconfigured and unintentionally subverted by a novice user if it's the only communications component used.

    How many casual users would even know what to look for in reviewing firewall logs? If you're generating information, and simply do not know how to use it, it does beg the question "why do it?" Any untoward communications needs to be initiated by some application. If I have a finite number of calories to expend in securing a system, it makes more sense to me to enhance the robustness and completeness of the signature and behavioral based options than adding something that a typical user is ill-equipped to deal with.

    For the record, I do use a software firewall, not to control/monitor malware, but to exercise control of which applications - malware or not - are allowed internet access. That's it and in all the time I've used it, the only active control has involved valid applications initiating valid connections. It's not a security component on my system, it's a pure control component to allow me to make the final decision of what software on my machine is allowed external access.

    Obviously, this is a topic with a number of schools of thought.

    Blue
     
  12. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    I can't see the point of running a firewall for outbound, especially if you have white list protection. The only things that could connect out are the ones you have on your white list and I guess they're only on the list because you trust them.

    I run with a router and no firewall.
     
  13. tanatos

    tanatos Registered Member

    Joined:
    Nov 27, 2005
    Posts:
    1
    The firewall isn't necessary in home use. Default Windows firewall, I believe, is enough. But, not in my LAN=) the disturbed DoS for your neighbour is normal practice - it is a war. And good firewall - is a huge wall. Without it, your computer is in danger))) The choice is up only for you.

    p.s. I'm working only with firewall
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I asked 9 friends - casual users - before starting this thread: none knew what a firewall log was. Five of them use a firewall.

    Agreed.

    Is it too much to assume that your approach above would catch malware before it could attempt to hijack an application outbound? Therefore, all other applications needing outbound would be legitimate?

    If the user could set up the OS with closed ports (as above), would you still say a router is necessary?


    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  15. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    About what I figured on a gut level - but you have some good personal data to informally back it up. It makes the point.
    No, that's a good assumption borne out by a number of years' experience in my own case. All the instances that I can recall using my firewall to prevent communication involved perfectly valid connections to perfectly valid sites for completely valid reasons. For various reasons, mainly my desire to have complete control over updates or to not be continually bothered with alerts that a new version is available and so on, I prefer to block this communication for some applications and not for others.
    Hmmm, yes.

    Ports that are closed can be opened, it doesn't matter how, then where would you be. From my simplistic seat, it just makes sense that the IP of the machine I sit at not have an internet routable IP address. That alone (i.e. NAT) has security implications, although not by design.

    Blue
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    The Witty Worm is a good example of bypassing seemingly secured systems:

    ------------------------------
    The Spread of the Witty Worm
    http://www.caida.org/analysis/security/witty/

    "Witty was the first widespread Internet worm to attack a security product... the fact that all victims were compromised via their firewall software the day after a vulnerability in that software was publicized indicates that the security model in which end-users apply patches to plug security holes is not viable."
    -------------------------------

    And the case of a router allowing inbound traffic:

    -------------------------------------------
    Unsolicited UDP gets by NAT?
    http://www.dslreports.com/forum/remark,13468899
    -------------------------------------------

    Regarding opening closed ports - - whether closed by the OS, or by a router or firewall, there is still the possibility of the bypass.

    The question always is, how likely is something similar going to occur?

    How tight do I want to batten down the hatches?

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  17. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hi,
    I have written it several times, but no one seemed to take interest.
    I have configured a simple ICS home network. Simply by doing so, I have made all computers, INCLUDING the gateway, have all their ports closed, with the firewall turned off. The modem I have is not a router.
    Potentially, I could run without firewall and have all my ports closed. Still, I love firewalls and therefore I run them on every machine I have, in all my environments.
    Needed or no, I recommend firewall. It's a good police officer that watches your traffic.
    Mrk
     
  18. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    And of those 9 friends, how many do you think could close ports/services on their system without crippling their OS or some other program they use that may be dependent on one of these services?

    A router is a great investment in security these days with current pricing. Your system or home network is not exposed to the Internet and it is something that is independent of your system(s).

    If you read BlueZannetti's earlier link, El Cheapo Router Challenge, along with the related thread, First winner - El Cheapo Router Challenge, they discuss what it took to get a few unsolicited UDP packets through the router. I don't think this is something the home user has to worry about.

    Regards,

    CrazyM
     
  19. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    By using ICS on your gateway system you have turned it into a router of sorts. So you may not have a hardware router, but your gateway system is doing what a router would do.

    Regards,

    CrazyM
     
  20. Arup

    Arup Guest

    Even though a UDP packet did pass by the router, nothing much can be done if your system is hardened, routers are indeed a cheap and good way of protection, especially for those who are new PC users or aren't willing to bother learning about setting up a software firewall, all we need then with a router is some sort of outbound TCP/UDP or other protocol outbound alerts and blocker.
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I don’t know their situation/knowledge at all. But to address the closing of ports/services, and your question in an earlier post as to how I closed all of my ports - I had to go back through my notes, and I see that all I did was disable DCOM via the Registry. I didn’t disable any Services.

    Nor did I attempt to manually close any ports - I don’t know how to do that. I think Win2K just came with ports closed.

    To check with XP - I have a laptop with XP and I’ve done nothing about ports. I’ve only gone on the internet twice - just to check that I set up the connection correctly. So, I just did the GRC port scan. This laptop has SP1 and the ICF firewall is disabled:

    http://www.rsjones.net/img/grc_XP.gif

    I’m not sure why port 1025 is open - I’ll have to see later what it does. I notice the 5 troublesome ports are Stealthed. XP must come that way, for I’ve not done anything.

    So, it seems that the average user won’t have to do anything to close ports?

    Anyway, I would never suggest to anyone that they run w/o firewall or router - I’m just trying it myself and observing what’s going on, and wonder if anyone else has tried it and with what results.

    I stopped posting my logs - it became boring - same old stuff. I never seem to get the esoteric probes that other people talk about:(

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    To focus on one aspect of firewall protection usually emphasized: to prevent
    infection by malicious programs.

    From a typical article on the necessity for a firewall:

    ----------------------------------------------------
    Do I Really Need a Firewall?
    http://www.microsoft.com/windowsxp/using/security/learnmore/atkin_firewall.mspx#EBD

    Absolutely. A system without an active firewall is vulnerable to infection by a variety
    of malicious programs, sometimes within minutes of connecting to the Internet.
    Even if you're typically very careful in your computing practices, your system can
    still be infected by programs that scan random Internet addresses and attempt to
    "slip in the back door" through open ports on your computer. A firewall is necessary
    to keep these random intruders from hijacking or damaging your system.
    ------------------------------------------------------

    The fact that hundreds of thousands of computers worldwide have been
    compromised by worms that have installed malicious programs indicates that
    something broke down at the firewall/router level. It doesn't really matter what
    the reason was, but goes to show that another layer of security is certainly needed.

    Using the msblaster worm as an example:

    From Symantec:

    ---------------------------------------------------
    When W32.Blaster.Worm is executed, it does the following:

    Adds the value:

    "windows auto update"="msblast.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when you start Windows.

    This worm attempts to download the msblast.exe file to
    the %WinDir%\system32 directory and then execute it.
    -----------------------------------------------------

    To return to a comment earlier by Blue:

    "Any untoward communications needs to be initiated by some application."

    Programs like Process Guard; or group policies which restrict application execution to those
    on its White List would have stopped msblast.exe in its tracks.

    Again, not to suggest that a person not use a firewall or router. But rather, just to say that
    without thinking through carefully what the writer in that article states, one can come away
    with a false sense of security.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
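
An added example, not part of the original posts: the Run-key autostart entry that the Symantec description in the post above lists, checked against a white list. It parses a constructed .reg-style export of that key and reports values whose executable is not allowed; the export text, the allowed names and the function names are assumptions made for illustration.

```python
import ntpath
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample export. The first two values are invented benign
# entries; the third is the value quoted from Symantec in the post above.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"ExampleAV"="\"C:\\Program Files\\ExampleAV\\avtray.exe\" -min"
"windows auto update"="msblast.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Other]
"ignored"="other.exe"
'''

# Hypothetical white list of executables permitted to start with Windows.
ALLOWED = {"mobsync.exe", "avtray.exe"}

# "name"="data" with .reg escaping (\\ for a backslash, \" for a quote).
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(text):
    return re.sub(r"\\(.)", r"\1", text)


def parse_run_values(export, key=RUN_KEY):
    """Return (name, data) string values found under `key` only."""
    values, section = [], None
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section and section.lower() == key.lower():
            match = VALUE_RE.match(line)
            if match:
                values.append((_unescape(match.group(1)),
                               _unescape(match.group(2))))
    return values


def command_executable(data):
    """File name of the program a Run value launches, lower-cased."""
    if data.startswith('"') and '"' in data[1:]:
        path = data[1:data.index('"', 1)]   # quoted path, may hold spaces
    else:
        parts = data.split()
        path = parts[0] if parts else ""    # unquoted: first token
    return ntpath.basename(path).lower()


def unauthorized_autoruns(export, allowed=ALLOWED):
    """Run values whose executable is not on the white list."""
    return [(name, command_executable(data))
            for name, data in parse_run_values(export)
            if command_executable(data) not in allowed]
```

Matching on file name alone is the weakest form of white list, since a renamed file passes; a stricter list would compare full paths or file hashes.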
     
  23. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Not sure I understand you here. How is it a breakdown at the firewall/router level that many of the recent worms were as successful as they were? It is because many of these systems were not behind a firewall/router (exposed to the Internet) and unpatched that contributed to the propagation of these worms.

    Regards,

    CrazyM
     
  24. Arup

    Arup Guest

    I would also like to add that anyone doing P2P and port forwarding with routers or letting inbound with firewall must use an IP blocker like Peer Guardian etc, not only for privacy but for covering up the hole left by leaving the specific P2P open.
     
  25. Someone here may find this interesting reading.


    http://www.brienposey.com/kb/filtering_tcp_ip_packets.asp


    "Practically everyone knows that the TCP/IP protocol tends to be a little complicated. Part of this complexity is due to the fact that it’s made up of many sub components, which consist of ports and protocols. Many of these ports and protocols are necessary for accomplishing day to day tasks. Other ports and protocols are seldom if ever used. These obscure protocols can endanger your network’s security, because a hacker can exploit them to gain access to your network. To prevent a hacker from having such an opportunity, most administrators implement a firewall that’s designed to block unused ports and protocols. What you may not know though is that Windows 2000 has many of these firewall capabilities built in. In this article, I’ll show you how to block ports and protocols through Windows 2000."




    A topic such as the one presented here could explode with numerous ideas and assumptions, but really what purpose is served by not using a router/firewall? And if the only question is "can a computer without a firewall be hacked" ... is that really questionable?


    warm regards

    snowie
     