Is a firewall really necessary for home use?

Discussion in 'other firewalls' started by Rmus, Nov 27, 2005.

Thread Status:
Not open for further replies.
  1. Arup

    Arup Guest

    IPSec is indeed very effective and uses the least amount of resources. The open-source WINIPFW uses the same IPSec but with a GUI; there is also a GUI for IPSec from Analog X which does the same job much more tidily than using MS's own interface for IPSec.
     
  2. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Well, first off, that's not the question posed.
    Well, without proper context, the answer is yes, it is questionable. If the question is "can a computer directly connected to a network (any network) be hacked?" Sure, that's a given. But for many users even terms like directly connected need to be made more explicit.

    I know it's a sorry state of affairs, but much of the knowledge one needs to successfully make it through the day is not with us from birth. We learn it along the way with times/circumstances/conditions changing the answers on a regular basis. Revisiting what seems obvious can be educational to many, even by those considered learned in the field.

    Blue
     
  3. nonsense

    nonsense Guest

    Probably because this is nonsense. I tested a system right out of the box using ICS on, several ports were open :)

    Most likely you tweaked some settings, like turning off some services.

    You do know that disabling DCOM neuters many of the 'services' that cause open ports?
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I'm sure that's the main reason; however, I used to collect posts in other forums where users doing the grc probe test discovered that some ports were open (135, 445) even though they had a firewall. So I assume that worm exploits got through on systems like that; hence the phrase, breakdown at the firewall level.

    You have mentioned the "average" user - how many of these know if their firewall is configured correctly? How many have ever heard of a router? How does the average user become "informed" about these things?

    You may remember I asked you in another thread about teaching security to the "average" user and you remarked that it is a formidable task.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  5. Arup

    Arup Guest

    I for one would rather see a noob behind a router than a software firewall where he/she would have no understanding of the pop ups.
     
  6. yahoo

    yahoo Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    290
    Location:
    nowhere
    I do not think that a firewall is really that necessary for home use.

    1. There are millions of computers online nowadays. Even if you have all the ports open, there is little chance that a hacker will find your computer. Even if a hacker has located your computer, he/she may be too lazy to hack into your computer. As you know, a hacker is more interested in the computers of banks or large companies than a personal computer.

    2. There is so much backup software out there. Even if the computer gets infected by a virus spreading through the net, one can easily restore with the backup.

    3. As far as one does not store important data (credit card no, bank account, etc) on the computer (I never do), one does not need to worry about applications having out bound access.

    4. There are millions of people out there getting online without a firewall, and most of them do not get any problem at all. They have no idea of computer security, and they have less to worry about. Why can't we be one of them?

    A firewall is just like a home security system. There are millions of people living in the houses without any home security systems, and they get no problem at all. It all depends. If you have a lot of treasure in the house, you'd better get a security system. But if you have nothing in the house, you can sleep with door wide open and be a happier man (Ladies are another story).
     
    Last edited: Nov 27, 2005
  7. Arup

    Arup Guest

    BBC showed an unprotected PC getting infected within minutes of being connected on the net, all kinds of worms, Trojans etc. from millions of zombots around, in lieu of that, I would definitely try and make an effort to block all that.
     
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I notice that you are running Tiny Firewall Pro 6.5... :D
     
  9. yahoo

    yahoo Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    290
    Location:
    nowhere
    I am protecting my computer from nothing:). I have been using a firewall for a long time, and never found a threat. That makes me feel that a firewall is useless.
     
    Last edited: Nov 27, 2005
  10. yahoo

    yahoo Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    290
    Location:
    nowhere
    Really? The problem seems more serious now. About five years ago, I was using Windows ME. I got online without any firewall, and I was just fine. I never scanned my computer for worms, trojans, and so on at that time though.
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Before Win2k, I did not use a firewall.

    Along comes Win2k. At first, I didn't use a firewall. After a while, I became concerned about all of the talk about ports and service vulnerabilities, even though I saw that my ports were closed. Not having the knowledge to question this, I followed the pack and got a firewall. But recently, I became curious about several things, hence, trying to run w/o firewall and wondering if anyone else had done the same. So far, no one, and can't blame anyone because unless running with something like Shadow User, and Registry protection, probably not wise...

    So far, after two days, not a peep from RegDefend; no alerts about any executables attempting to run; check of the HD shows no files modified, no new files created... boring.... Kerodo sent a PM saying I might have to wait a long time before seeing anything...

    I wonder what they mean by unprotected... would love to see a port scan. Why don't I see any hits like that here? Must be because my ports are closed (by the OS)??

    In the meantime, questions of closed ports:

    --> Are all closed ports created equal?

    --> Can the GRC scan tell if ports are closed by the OS or a firewall?

    --> Is a port closed by the OS any less secure than one blocked by a firewall or router?

    --> If not, and the ports are closed in XP, as my scan shows, why include a built-in firewall ?


    Yes, there was a web site in those days showing everything about DCOM. My comment was referring to manually disabling Services in the MMC.



    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  12. Arup

    Arup Guest

    Unprotected meant fresh install, right out of the box, no SP2 firewall, no anti virus, nothing.
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Very interesting! My laptop with XP SP1 is "out of the box" so to speak, in that I've done no network tweaking at all, ICF turned off; and the GRC port scan showed all closed ports (but one) as I posted earlier. Something doesn't make sense...

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  14. Arup

    Arup Guest

    That's your ISP doing it for you, with my GPRS connection, I am all green at GRC.
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I thought about that - if so, why are the scans different for my Win2k and XP systems? See Posts #1 and #21

    If the ISP is doing it, scans of both systems should return the same results. (I would think...)

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  16. Arup

    Arup Guest

    So in Win2K you get open ports and in XP closed?
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Win2K:

    all closed except 135


    WinXP:

    1 open (1025 - Task Mgr)
    5 stealthed (the trojan/netbios ports)
    all others closed

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  18. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    The real question/mystery is, what is stealthing those 5 ports on the XP machine, considering you have no router and no firewall on it and it's otherwise unprotected..
     
  19. Arup

    Arup Guest

    Yep, I am truly flummoxed at this.
     
  20. justpassing

    justpassing Guest

    It's clear to me from your questions, you don't understand even the basics of this. Quite surprising to me.

    An open port is dangerous not inherently because the port is open, but because there is a program behind it that is actively listening to and responding to probes.

    Even finding an open port with a server behind it is not sufficient; otherwise, webservers like Wilders would have been hacked a long time ago. The hacker has to in addition know of an exploit that can be employed against the server.

    It's the same for Windows systems: by default some ports are held open by some Windows services. In theory, a fully patched system, even without any firewall, would be invulnerable to known worms or hackers using publicly known exploits, because a patched Windows box would be patched for all of them.

    Still, conventional wisdom is: why leave the possibility of an attack? After all, if you don't need them, don't expose them. Especially for home users.

    A closed port is simply that, a probe is sent to a port where there is no application listening and the operating system responds to the probe saying so.

    There is no danger at all in this case, unless you are afraid of "giving away your position". But that's silly, they can't hurt you at all.


    A stealthed port, sends no response at all to a probe.

    The thing to remember is that whether a scanner calls a port "opened", closed or stealthed depends on the responses it receives or does not receive.


    Interesting question. It depends.

    A firewall generally drops all packets so it doesn't respond at all; as such it will be shown as stealthed. While the default response for an OS to a probe to a port where there is no application listening is to send a response saying so, i.e. "closed".

    Consider a service that is running on your OS. If left in its default state it would be open to communicate with the world.

    If a packet is sent to the port it is listening on, it will respond. TCP handshake protocol.

    So you get an open result. And the hacker will study the connection and next start to figure out what app is running, the version etc., and try to hack it.

    If you "close the port", what you are doing in most cases is actually stopping the service from running at all. Now a packet sent to the same port, will not find anything to connect to, your OS will then bounce back a message saying there is nothing listening on that port.

    So you get a closed result

    If you put on a packet filter in front of it, but keep the service on, any packets sent to the port will be addressed by the packet filter, and not only won't the service get to see the packet for most default firewall/router setups, it will suppress the normal OS response of sending back a response.

    So you get a stealthed result

    In theory the second case above is far safer, because you have stopped the source of the danger. No app listening, no possible way to get in.

    Using a packet filter will also stop any connection with the service, but it is less reliable than solving the root of the problem. There might be ways around your packet filter or your packet filter might fail. In which case, you will be exposed.

    In practice, you can't (or at least you couldn't back when I tried it) close all the services, and hence close all ports, without half crippling your system in XP/2K.

    In theory if Windows shipped with all ports closed by default, there would be little reason to get a built-in firewall that was only one way. But I don't think this is the case; Netbios ports for example are open by default.

    The fact is, disabling DCOM is way more complicated than it needs to be; if it was simply done by manually disabling services in the MMC, everyone would do it. In fact it would even cripple some functionality.

    The point is if you disabled DCOM you shouldn't be surprised most of your ports are closed. Even then I notice you still have TCP 1025 open, I think I got the same result in the past.








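The three scanner results described in the post above (open, closed, stealthed), as an added example that is not part of the original thread: a small Python self-check that labels a TCP port only by how the connection attempt ends. It probes loopback targets it creates itself; the "stealthed" case is simulated with a hypothetical `dropping_filter` stand-in placed in front of a port that is still listening, since no real packet filter is assumed to be present.

```python
import socket


def probe_tcp(host, port, timeout=1.0, connect=socket.create_connection):
    """Classify one TCP port purely by how the connection attempt ends."""
    try:
        conn = connect((host, port), timeout)
    except ConnectionRefusedError:
        return "closed"       # the OS answered with a reset: nothing is listening
    except (socket.timeout, TimeoutError):
        return "stealthed"    # no answer at all: something dropped the probe
    except OSError:
        return "unreachable"  # any other network error, reported separately
    conn.close()
    return "open"             # handshake completed: a program is listening


def demo():
    """Probe constructed loopback targets; returns {expected: observed}."""
    # Open: a listener we start ourselves on an ephemeral loopback port.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    # Closed: reserve a port number, then release it so nothing listens there.
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()

    # Stealthed: simulated filter (assumption) that silently drops the probe,
    # placed in front of the port that is still listening.
    def dropping_filter(address, timeout):
        raise socket.timeout("probe dropped, no reply")

    try:
        return {
            "open": probe_tcp("127.0.0.1", open_port),
            "closed": probe_tcp("127.0.0.1", closed_port),
            "stealthed": probe_tcp("127.0.0.1", open_port, connect=dropping_filter),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    for expected, observed in demo().items():
        print(f"{expected:>9} target -> scanner reports {observed}")
```

The same listening port is reported as open or stealthed depending only on whether a reply comes back, which is why a "stealthed" result says nothing about whether the service behind the filter is still running.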
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    If I did, I wouldn't need to ask questions. :)

    Your explanations are thorough and you should write an article because there isn't much out there written for the non-specialist in networking.

    In my XP scan the probes to those ports returned stealth. No packet filter. ICF firewall turned off. See post #21.

    So, you might get different results from scans depending on what applications you had open at the time of the scan? (assuming no packet filter to drop the packets, as in my case?)

    The open port 1025 is my XP system and I didn't disable DCOM or anything else, since I don't normally use it on the internet.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  22. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Actually, in Win2k it is quite easy to close all ports. All you need to do is disable netbios, shut down unnecessary services, particularly MS Task Scheduler which listens on 1025, close 135 and 445 with registry tweaks, and that's about it. After that's done, you still have a quite functional system with full internet access and so on. No problems. Only ports open will be those of programs you're running, such as browser, email, etc, when in use.
     
  23. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    Re. the reference by Arup.

    There is a lightweight BBC program called Click Online. This did just what Arup refers to - putting a new Windows PC online without firewall or AV. It took 8 seconds to become infected with the Sasser worm. Sorta went downhill from there.......

    The original footage of this is still available to view from the BBC archives.

    I have here 2 links:-

    Link1 = The page with the actual video used in the program:-
    http://www.bbcworld.com/content/clickonline_archive_14_2005.asp?pageid=665&co_pageid=3

    Link2 = The archive that contains footage from all the different episodes from Click Online:-
    http://www.bbcworld.com/content/template_clickonline.asp?pageid=666&co_pageid=9

    Regards - eyes-open .
     
    Last edited: Nov 28, 2005
  24. justpassing

    justpassing Guest

    It's just surprising to me that someone who has such an evident interest in computer security, hasn't picked up the basics about this by now.

    I'm no expert in network I assure you. I'm a n00b.

    Nothing I've written here is really new, you can find such explanations in lots of places, with a lot more technical details.


    I don't think it's possible for a 'stealth' result without some kind of filter.

    Either your ISP is filtering it, or you have played with maybe the OS built in ipsec filters in the past.


    In most cases no. You have to run a specific server type program that is designed to accept inbound connections such as P2P programs with correct settings. Running a web browser on the other hand would never ever leave you open to connections meant for web servers obviously.

    I'm pretty sure a virgin XP system without any tweaking or firewall or NAT/ICS in front will have more ports open than just 1025. I'm looking at the one I'm on now, and a netstat shows 135,137-139,445,1025 etc

    You probably ran stuff like WWDC, bugoff or whatnot, disabled file sharing or unbound it from TCP/IP etc etc

    But as I said even with all that there is still 1025 open.
     
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Last edited: Nov 28, 2005