Is a firewall really necessary for home use?

Discussion in 'other firewalls' started by Rmus, Nov 27, 2005.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Must be the latter, because if it were the ISP I would see stealth in scans of both my computers, I assume...

    Nothing of networking has been tweaked or changed on this XP laptop. File Sharing was unchecked when I set up a connection. Later, I'll enable it and run another port scan.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Hello,
    Yup, I know.
    Pretty convenient. I wonder why not everyone does that. The second machine can even be an old garbaged Pentium I.
    Still, nice to hear from ya!
    Cheers,
    Mrk
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Test Completed

    I just completed a four-day test simulating running without a firewall:

    Test Results

    Conclusion:

    It is possible to run safe on the internet with inbound protection without using a firewall or router.

    regards,

    -rich
     
  4. justpassing

    justpassing Guest

    It is possible, yes. But you better hope your Windows updates are on the dot, and that no worm exploiting vulnerabilities that are unpatched yet appears.

    Without a firewall filtering those ports, any such worm would own you in a second.

    Also I seem to recall it is possible to crash a machine using some exploit or such, but it's not a big deal.
     
  5. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    One could technically go without an AV as well.. but I wouldn't advise it.
     
  6. Brinn

    Brinn Registered Member

    Joined:
    Aug 5, 2004
    Posts:
    181
    Location:
    Canada
    The last time I reformatted, my comp kept crashing. So I reformatted again. Crashing kept occurring. I had my cable modem hooked up while doing this and someone suggested I unplug it while installing everything. I didn't reconnect it until I had my firewall up and this time, it went smoothly.

    My best guess is that I picked up the Sasser worm twice when xp was configuring my internet connection. I couldn't have been online more than a couple of minutes either time.
     
  7. Arup

    Arup Guest

    This is the reason I like NAT routers, at least you are protected while installing and they can always be bridged in case you don't wish to have NAT protection and run a software firewall instead.
     
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I ordered also a router (very first one) for my new computer :
    D-Link DI-604 DSL/Cable Internet (39 EURO)
    http://www.dlink.com/products/?pid=62
    I hope it's a good one or at least good enough :D
     
  9. Arup

    Arup Guest

    D Link is a very good value, just make sure to keep the firmware frequently updated.
     
  10. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Big relief and thanks for the firmware tip.
     
  11. Arup

    Arup Guest

    You are welcome, to stress the router, I would do a P2P test and see how it goes.
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Can you explain how a worm can enter a closed port?

    thanks,

    -rich
     
  13. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    To have peace of mind, yes, I use a software firewall (now Outpost) with my router. Is it necessary? Maybe not, but I like having outbound protection.
     
  14. justpassing

    justpassing Guest

    Well, it can't. But most people will have at least one if not a couple of open ports, due to various services, barring tweaks. I just built another WinXP Home system over the weekend, and yes it has the usual ports open: 135, 137-139, 445, 1025 etc. I don't know what magic you are doing to have most of these ports closed without doing any tweaking or firewall or ISP filtering.

    And even then according to your post 42, you have at least one port open.
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Remember, I'm using Win2K, but the same can be done with XP. I stated that the ports are closed by the OS; I didn't go into detail, but the disabling of Services, tweaks to close ports, and various hardenings of the TCP/IP stack are well-known.

    I mentioned in the test that I left Port 135 open to demonstrate that by disabling the Service, the vulnerability is removed and there is nothing for the worm to feed on. Old saying: The barn door is open, but there's nuttin' inside.

    In this case, the exploit for Port 135 is msblaster, and my loggings show a definite probe, according to the description given of the worm.

    But your comment about most people having open ports due to various services, etc is pertinent, because it may not be practical to disable a particular service that is needed, and not everyone would take the time to learn the other tweaks.

    So, it would not be wise to turn off your firewall at all unless you are sure of what you are doing, since a computer can become infected almost immediately, as the BBC article pointed out.

    Even though I've been careful not to encourage anyone to do this - I've done it successfully just to prove a point - I wouldn't want anyone to have something bad happen by trying it without being completely sure.

    So, I would like to end the discussion on that note and close the thread.

    Regards,

    -rich
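
As an added example (not from any poster in this thread): one way to answer "what is actually listening" on the ports justpassing lists (135, 137-139, 445, 1025) is to parse `netstat -ano` output and flag listeners bound to non-loopback addresses. The netstat sample below is constructed, its PIDs are invented, and the service descriptions are the usual defaults on a Win2K/XP box, assumed here rather than taken from the thread.

```python
"""Audit a Windows `netstat -ano` listing for the classic exposed ports."""
import re

# Ports named in the thread plus what normally owns them on Win2K/XP.
# The service descriptions are the usual defaults and are an assumption here.
EXPOSED_PORTS = {
    135: "RPC endpoint mapper (DCOM; msblast target)",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service (SMB over NetBIOS)",
    445: "Microsoft-DS (direct SMB)",
    1025: "first dynamic RPC port (often Task Scheduler / LSASS on XP)",
}

# Constructed sample in the shape of `netstat -ano` on XP; PIDs are invented.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1040
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       1520
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:3244       64.233.161.99:80       ESTABLISHED     2212
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.5:137        *:*                                    4
  UDP    192.168.1.5:138        *:*                                    4
"""

# proto, local addr:port, foreign addr, optional state (TCP only), PID
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def parse_listeners(netstat_text):
    """Return (proto, bind_addr, port, pid) for every receiving socket.

    TCP sockets count only in LISTENING state; UDP sockets carry no state
    and are always receivers, so every UDP line counts.
    """
    listeners = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["proto"] == "TCP" and m["state"] != "LISTENING":
            continue
        listeners.append((m["proto"], m["addr"], int(m["port"]), int(m["pid"])))
    return listeners


def externally_reachable(bind_addr):
    """A loopback-only bind cannot be hit from the network; anything else can."""
    return not bind_addr.startswith("127.")


def audit_listeners(netstat_text, exposed=EXPOSED_PORTS):
    """Listeners sitting on a well-known exposed port and bound to a
    non-loopback address. Each finding is (proto, port, pid, description)."""
    findings = []
    for proto, addr, port, pid in parse_listeners(netstat_text):
        if port in exposed and externally_reachable(addr):
            findings.append((proto, port, pid, exposed[port]))
    return sorted(findings, key=lambda f: (f[1], f[0]))


if __name__ == "__main__":
    for proto, port, pid, why in audit_listeners(SAMPLE_NETSTAT):
        print(f"{proto:<4} {port:<5} pid {pid:<5} {why}")
```

Feed the real `netstat -ano` output to `audit_listeners()` instead of the sample; the PID column maps to the owning process via Task Manager or `tasklist`. A port with no listener at all, which is what Rmus describes for 135 once the service is disabled, simply does not appear, and a loopback-only bind is excluded because nothing on the network can reach it.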
     
  16. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    It has been decided to keep this thread open due to its valuable content. A warning not to try this has been edited into the 1st post.

    Cheers.

    Blackspear.
     
    Last edited: Dec 1, 2005
  17. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I would like to make a few comments on this whole thing. While it is possible to run without a software firewall or router (As an experiment, I have done what Rmus is doing here for over 1 month without any harm coming to my system), it is not recommended for the following reasons:

    First, most people WILL have ports open in their default situations on their machines, whether it be new PC or whatever.

    Second, most people will NOT know how to close all their ports.

    Third, even if they do succeed in closing all ports, they still need to remain ever vigilant about keeping them closed, watching in the future to make sure nothing they install or do opens new ports and so on.

    So for the above reasons, it seems far easier and more practical, not to mention safer, to just run a firewall, whether it be software or hardware, or even both. It may seem tempting to lighten up the load on your PC and run without firewall or AV at times, however, for the most part, it is far easier all around to just run these programs and use a little ram and cpu, and rest easy.
     
  18. The Seeker

    The Seeker Registered Member

    Joined:
    Oct 24, 2005
    Posts:
    1,339
    Location:
    Adelaide
    I agree.

    If one doesn't want to bother monitoring firewall logs, granting/denying permission etc all one needs to do is turn on the Windows Firewall (SP2). It will provide far more protection than no firewall.

    Plus, its impact on resources will be little to none.
     
  19. justpassing

    justpassing Guest

    Interesting, I had the impression you were claiming that you had everything closed without doing any tweaking. That was the context in which i was posting.

    In fact you could possibly survive without even closing those ports, assuming fully patched, though there would be annoying effects. But that's something I don't want to test.

    Maybe that particular vulnerability is gone.

    However if port 135 is still open doesn't that mean there is some other (rpc dependent?) service still keeping it open? Or does it?

    You may have disabled the Messenger service and DCOM but does that mean you are safe? Are you sure there isn't some exploit out there for whatever service is keeping that port open?

    Or is there really nothing listening on port 135?? Can you enlighten me?



    Are you fully patched? If so, that means MSBlaster wouldn't have hurt you anyway even if you didn't close down your services.


    As pointed out already, you also have to make sure good old Bill gates doesn't reenable those services during an update.

    Well i'm all for the drive towards minimal setups, but I think it's much safer to ensure all ports are closed at the very least, and if you can't do it, use a firewall.
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I never checked to see what was holding the port open - I just wanted to see if disabling the known services that were vulnerable to the msblaster and messenger spam exploits would prevent them from getting into the system. I think it has. I'm not aware of any new exploits, but if I were going to continue to run in this way, I would just close that port and forget about it.

    No, I didn't install those patches. I wouldn't have run this test without having the system set up to alert for any executable trying to install, and being able to easily restore to a previous good state.

    I would agree!

    regards,

    -rich
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Re: Closed -vs- Stealth

    Another area I was interested in learning more about with this test, is closed and stealthed ports. No one challenged my premise that closed ports are secure. But ask the question: which is better: closed or stealth, and everyone has an opinion.

    closed: the probe received a "connection rejected" from that port...

    stealth: the probe didn't get any response from that port...

    Some comments on stealth from forums:

    Pro

    --> I Like the idea of stealth. It makes you invisible. A stealth system will appear to be offline and so the hacker will pass it by. (Just like a burglar, scoping out potential houses to break into, will pass up an empty lot.)

    --> Simply put for me....if I don't exist I can't be bothered. I'm so into stealth now, I don't think I could undo it all other than shuting down OutPost :D

    --> With a closed port- somebody could basically craft crap and throw it at the closed port. Maybe this could elicit some kind of buffer overflow and make remote code executable. Who knows. It could happen.

    Con

    --> I await the first repeatable experiment that shows that throwing crap at a closed port can create a buffer overflow....Being stealthed is snake oil, plain and simple.

    --> A closed port is one with no service attached, so the only way you're going to "exploit a closed port" is if there is a bug in the underlying TCP stack, which is quite a bit less likely than an exploitable bug in the firewall software itself.

    ----------

    A closer examination reveals a lot of marketing hype. Most firewalls today offer stealth. So, if I turn on the firewall and run the GRC scan again:

    http://www.rsjones.net/img/stealth_grc.gif
    ------------------------------------------------------------------------------------------------------

    This, compared to the scan in my first post, where ports were closed. Am I more secure with Stealth? (Take your choice of arguments)

    Firewall vendors want you to think that you are not secure unless stealth. In running the Sygate scan with the firewall set to permit all inbound traffic, ports show closed by the OS. Sygate’s messages:

    http://www.rsjones.net/img/stealth-sygate1.gif

    http://www.rsjones.net/img/stealth-sygate2.gif
    --------------------------------------------------------------

    Of course, Sygate hopes you will purchase their firewall. (Sygate is used as an example - other firewall vendors have similar tests)

    Ever wondered about multiple probes to the same port that show up in your logs?

    http://www.rsjones.net/img/stealth_1.gif

    http://www.rsjones.net/img/stealth_2.gif

    One of the arguments for stealth is that you are hidden (no response to the probe). However, several writers have made this observation:

    ----------------------
    The "absence of a response" (i.e., so-called "stealth") is indeed a piece of information. It does NOT say that the IP address does not exist -- instead it implies that the packet was lost OR that the port is "filtered" (purposefully set to a "no response" mode). If multiple probe packets go unanswered, then the likelihood of all packets being lost is very low. Therefore, the attacker can assume that address is viable but that the ports are being filtered (stealthed).
    ---------------------

    Does this mean hackers are lurking out there waiting to pound your IP, even though you are stealthed, because they discover there is a filtered (stealthed) port out there? Are you really more secure than with just closed ports? Can you prove it?

    Sygate says unless stealthed, you are exposed to TCP/IP vulnerabilities - SYN Flood Attacks, Fragmented Packets, etc. But these have been addressed by Microsoft which has documented various "hardening" tweaks (below). Many who use a stealthed firewall say you need to harden anyway. Who is right? You might log packets that slip through, but is this dangerous? How can you prove it?

    ------------------------------
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
    "EnableFragmentChecking"=dword:00000001
    "DefaultForwardFragments"=dword:00000000
    "SynAttackProtect"=dword:00000002
    "TcpMaxHalfOpen"=dword:00000064
    "TcpMaxHalfOpenRetried"=dword:00000050
    "TcpMaxPortsExhausted"=dword:00000005
    "TcpMaxConnectResponseRetransmissions"=dword:00000003
    ----------------------------

    So, while it’s possible to use Windows to secure ports and harden the stack, Microsoft has not made it easy, and it’s a daunting task to track everything down.

    While I know several who have successfully done it, I have to agree with Kerodo’s assessment. Read it again - #67 above.

    Regards,

    -rich
     
    Last edited: Dec 1, 2005
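
Added example, not part of Rmus's post: the "closed" versus "stealth" distinction above is exactly what a scanner sees from a plain TCP connect() attempt, and the quoted observation about repeated unanswered probes can be written down as a rule. The code below (mine, not from the thread) classifies one port as open, closed, filtered (no reply) or unreachable, and only calls a port filtered when every attempt went unanswered; the loopback helpers exist so it can be exercised without touching a network.

```python
"""Classify a TCP port the way a remote scanner sees it: open, closed or filtered."""
import socket


def probe_once(host, port, timeout=1.0):
    """One connect() attempt, translated into what the prober learns.

    open         handshake completed, so something is listening
    closed       a RST came back: the host is up, nothing is on that port
    filtered     no reply at all before the timeout (the "stealth" response)
    unreachable  the probe never reached the target (routing error and the like)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def summarize(results):
    """Reduce repeated probe outcomes to one verdict.

    One SYN/ACK or one RST is conclusive on its own. A single silence could be
    packet loss, so 'filtered' is declared only when every probe went
    unanswered: silence repeated N times is a deliberate drop, not N lost
    packets, which is the reasoning quoted in the post.
    """
    if "open" in results:
        return "open"
    if "closed" in results:
        return "closed"
    if results and all(r == "filtered" for r in results):
        return "filtered"
    if results and all(r == "unreachable" for r in results):
        return "unreachable"
    return "inconclusive"


def classify(host, port, attempts=3, timeout=1.0):
    """Probe `attempts` times and summarize; mixed silence/error stays inconclusive."""
    return summarize([probe_once(host, port, timeout) for _ in range(attempts)])


# Loopback helpers so the classifier can be exercised offline.
def make_listener():
    """Return (socket, port) for a fresh listener on 127.0.0.1; the caller closes it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def pick_closed_port():
    """Bind an ephemeral port and release it again, so nothing is listening there."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, open_port = make_listener()
    closed_port = pick_closed_port()
    print(open_port, classify("127.0.0.1", open_port))      # open
    print(closed_port, classify("127.0.0.1", closed_port))  # closed
    srv.close()
```

These are the same three verdicts nmap reports for a connect scan, and the point the quoted writers make holds: "filtered" is still a result, and an attacker who sees it on an address they already know exists has learned that a packet filter is in the path, not that the machine is absent. Probe only hosts you own or are authorised to test.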
  22. justpassing

    justpassing Guest

    Seems obvious to me without testing that if it is known that a worm exploits service X, then if you don't run service X, the worm can't infect you. But that's just me. No testing required:p

    I thought you were actually testing something else. That these were the only 2 things you need to worry and nothing else can hurt you.

    You might not be aware, but that doesn't mean they don't exist. Keep all ports closed by either filtering them or closing all services listening.

    If everyone agrees that closed ports are secure, then in what sense can stealthed ports be said to be better? Are people saying stealth is more secure than closed?

    The absence of any response, gives you away in fact according to many "experts".

    LOL. What does all this have to do with 'stealth'? Do not confuse arguments for the use of a packet filter with arguments about the superiority of stealth vs closed.

    The way to handle SYN flood attacks or similar DoS attacks is a question of how the system (either packet filter or operating system) responds to and allocates resources to, say, multiple TCP connections. This has nothing to do with 'stealth'.

    A packet filter firewall can equally be designed to give a "closed" response to a probe (in fact this is the norm on non-Windows systems) and still provide resistance to DoS attacks.

    The argument for stealth revolves around the danger of so-called giving away your position by responding. That's totally different.
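
Added example, not from justpassing or Rmus: the SYN-flood and fragment handling just discussed lives in the Tcpip\Parameters values Rmus posted, and a practitioner would want to confirm a machine actually carries those values rather than trust that a tweak guide was applied. This parses a `.reg` export of that key and reports each baseline value as ok, differing or missing. The sample export is constructed (one value deliberately set to 0, one omitted, an unrelated key included), and the baseline simply reuses the numbers from the post; whether those numbers suit a particular machine is not something the thread establishes.

```python
"""Check a Tcpip\\Parameters .reg export against the posted hardening values."""
import re

# The values from the post, used here as the desired baseline (an assumption).
BASELINE = {
    "EnableFragmentChecking": 1,
    "DefaultForwardFragments": 0,
    "SynAttackProtect": 2,
    "TcpMaxHalfOpen": 0x64,
    "TcpMaxHalfOpenRetried": 0x50,
    "TcpMaxPortsExhausted": 5,
    "TcpMaxConnectResponseRetransmissions": 3,
}
TCPIP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

# Constructed sample export: SynAttackProtect weakened to 0,
# DefaultForwardFragments omitted, plus a string value and an unrelated key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableFragmentChecking"=dword:00000001
"SynAttackProtect"=dword:00000000
"TcpMaxHalfOpen"=dword:00000064
"TcpMaxHalfOpenRetried"=dword:00000050
"TcpMaxPortsExhausted"=dword:00000005
"TcpMaxConnectResponseRetransmissions"=dword:00000003
"DataBasePath"="%SystemRoot%\\System32\\drivers\\etc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage]
"Bind"=hex(7):00,00
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})\s*$')


def parse_reg(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg export.

    Only dword values are collected; strings, binary data and the header line
    are skipped. Value names are kept as written.
    """
    values, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m["key"]
            values.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            values[current][m["name"]] = int(m["hex"], 16)
    return values


def audit_tcpip_hardening(text, baseline=BASELINE, key=TCPIP_KEY):
    """Compare an export against the baseline.

    Returns {name: (status, actual)} with status 'ok', 'differs' or 'missing'.
    Registry value names are case-insensitive, so the comparison lowercases
    them; the key path itself is matched exactly as exported.
    """
    present = {n.lower(): v for n, v in parse_reg(text).get(key, {}).items()}
    report = {}
    for name, want in baseline.items():
        have = present.get(name.lower())
        if have is None:
            report[name] = ("missing", None)
        elif have != want:
            report[name] = ("differs", have)
        else:
            report[name] = ("ok", have)
    return report


if __name__ == "__main__":
    for name, (status, actual) in audit_tcpip_hardening(SAMPLE_REG).items():
        print(f"{status:<8} {name} = {actual}")
```

To check a live machine, run `reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters tcpip.reg`; the file is written as UTF-16, so read it with `encoding="utf-16"` before passing it in. The keys are specific to the Windows 2000/XP-era stack, so check Microsoft's documentation for the version you actually run before treating any of them as meaningful.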
     
  23. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I hope not. The focus on stealth, and the need for stealth, is severely misguided IMHO.

    Blue
     
  24. Hipgnosis

    Hipgnosis Registered Member

    Joined:
    Aug 26, 2003
    Posts:
    297
    Location:
    Witness Protection Program
    This has been an interesting read. I consider myself fairly security conscious, i.e. don't download questionable programs, don't go to porn, hack, crack sites, disable unnecessary services, don't do peer to peer, don't use IM programs, etc., etc., yada, yada.........

    I'm running a couple of Win XP-SP2 computers with all security patches and both computers are attached to a hardware router. That's where the similarity stops. My primary PC, that is used exclusively by my wife and myself, is also running WinPatrol, Arovax, DiamondCS RegistryProt, Avast AV, ewido, SpywareBlaster, Spybot Search & Destroy, Ad-Aware and a software firewall (currently Comodo). I also use TCP-View to monitor connections, ProcessViewer to monitor running processes and I check the router logs for my PC daily.

    My other PC is used by my 13 year old son....for god knows what :doubt:
    He says he’s only using it for gaming :rolleyes:

    Anyway, it is only connected to the router...no AV, no software firewall, no additional security of any kind. It has been set-up and used this way for almost a year now and I decided to check it out a few days ago by downloading and running ewido, Ad-Aware, Spybot S&D and running online scans at Kaspersky and TrendMicro. Much to my surprise the only thing detected were a bunch (and I do mean a bunch) of tracking cookies. Talk about your shock and awe! :eek:

    I'm not posting this as an advocate for or against the use of firewalls and/or other security programs. Obviously for my primary computer I believe in taking the safe approach. I just found it interesting that this other PC that has not had the additional protection as my primary PC was not infected with all sorts of nasties.

    Maybe the kid really is only using it for gaming :D
     
  25. justpassing

    justpassing Guest

    Indeed. Thank Steve Gibson for inventing the term.
     