Is there a huge need for a software FW?

cgeek · Feb 21, 2011

darpa999 said:

Yes, I am a home user. And yes, I have the XP Firewall enabled too. Buts thats only inbound.

I know that router firewalls just blocks inbound stuff, but If I keep my PC locked-down so that I do not get the bad stuff in the first place.
Also, I keep a fresh clean image of the Windows XP, so incase I ever have an infection, I can just restore the OS image.
Click to expand...

I hope you have your router locked-down as well!

noone_particular · Feb 21, 2011

TheMozart said:

noone_particular said:

In the last year or so, we've seen successful attacks against the DNS system, attacks on modems and routers, and an increasing number of legitimate websites being compromised. The results of the first 2 is that it's no longer assured that the site you want to visit is the site you'll arrive at. The last makes it possible for sites that were safe yesterday to be malicious today. It's now possible for any user to end up at a malicious site, no matter how careful they are. The users security policy and software should reflect that possibility.
Click to expand...

The website cannot do anything if you are smart and disable javascript. I use Firefox + Noscript, problem solved.

And if I need to access a website with javascript, then I run it through sandboxie, problem solved.
Click to expand...

The attack on routers that I remember exploited UPnP with Flash. I seriously doubt that it will be the only one. Yes, disabling javascript will break a lot of web attacks. For that matter, you pretty much have to disable Flash and Java as well as they're both heavily exploited. While this will protect you from most malicious and compromised sites, it will also break a lot of sites or make many features on these sites non-functional. Disabling web functions like javascript, flash, etc is a tradeoff. Most users don't want to spend their time building and maintaining permission whitelists for websites.

Besides, no matter how many web functions you disable, it won't protect against the biggest problem, social engineering.

atomomega · Feb 22, 2011

a software firewall is necessary when you want to gain granular control over the internet usage of your network.
granular control as in:
1) Specific port blocking
2) Blacklist/Whitelist of programs allowed to connect to the internet
3) Network restrictions
4) Web filtering
5) Network rules
6) Inbound/outbound traffic filtering

If you don't mind, then a router and WFW should suit your needs pretty well.

Heimdall · Feb 22, 2011

Do you have an IPv6 enabled operating system, in it's default state?
Are you operating behind a standard NAT 4 router?
Do you have any way to control IPv6 Traffic?

Are you sure you're 100% safe...

PJC · Feb 22, 2011

Code:
Is there a [B]huge need[/B] for a software FW?
-Huge Need? No.
-Partial Need? Maybe...It depends on how much Outbound control you need.

I don't use a software FW.
However, I have configured my NAT/SPI Modem-Router.

safeguy · Feb 22, 2011

Huge need? Software firewall?

Let's have a look at both sides of the coin...

There are several serious flaws in the reasoning that outbound, host-based firewalls will actually stop attacks. The one that seems to elude everyone that claims a piece of software can stop arbitrary other pieces of softare from making outbound connections is that all software running within the same user context can control any other software within the same user context. Put more simply, if you permit any application to communicate out, over any port, then any other piece of software you execute as the same user can communicate out over that same port.

Let's say you run application A, a web browser. The browser runs as you, user Bob, who is a standard user. The browser tries to connect to some server, and the outbound host-based firewall detects that and asks if you wish to permit it. If the administrator has enabled it, you can permit that yourself, otherwise you may need an administrative account to do it. For the sake of argument, let's say you can enable it yourself. More than likely, you would enable it to connect to all web servers, since a web browser is far more useful that way.

Now some distant friend of yours, Paul, e-mails you this cool app he found, and you run it. The application gathers up all your stored passwords, your Microsoft Money file, all your recent e-mail messages, and any documents you have access to. It then needs to send this stuff to the criminals, but, the outbound host-based firewall would stop it, right? No. The malicious application could do a couple of things. First, if you have the ability to open outbound ports the application, running as you, could just open the ports it needs, transfer the data, and close them again.

Let's say, however, that you would have to ask your administrator to open ports (notwithstanding the fact that no administrator, and no user, would ever put up with that in the long run). That would stop the malicious application, right? No. That won't work either. The application would simply look for some other application that can communicate outbound. It would find that the web browser can do so. Cool. The malicious application would launch the web browser, which opens the hole in the firewall, attach to it using standard debugging techniques, and then ask the web browser to take the neatly packaged information it stole and send it to whereever it wants. This would be done by simply injecting code into the running web browser. The web browser, essentially unaware that this was even happening, would go ahead and do it. The host-based outbound firewall would only know that the web browser sent some data out, which it is permitted to do, and would not take any action to stop it.

Since there is no application isolation between applications running within the same user context there is no real way to prevent this from happening.
Click to expand...

Source: At Least This Snake Oil Is Free

A few more links:
Deconstructing Common Security Myths
Windows Firewall: the best new security feature in Vista?

I am of the opinion that this goes to show that denying the initial execution of the unknown executables/code would probably play a more important role in a security setup. With a default-deny mechanism in place, one may argue that the need for outbound firewall is neither huge nor worth the alerts thrown at the user, more so that it can be 'bypassed'.

However, to be fair, there do exist a practical use of outbound firewall in today's context, for the majority of malware that exists. You didn't stop using your AV, HIPS, Sandbox, LV just because it doesn't catch everything, did you? Some people prefer to go by the concept of least privilege and that if there's a chance to block unneeded connections, no matter how weak the protection it provides, no matter the fact that it can be 'bypassed', then it's worth a shot....the more hurdles for the attacker, the better.

Firewall Outbound Protection: It can augment a security plan
Outbound Monitoring: catching an exploit

Having looked at both perspectives, I see a software firewall more of an additional useful addition to inform the end-user of outbound connections (not necessarily malware) and by far, it's no security panacea or an end-cure to all unwanted connections. I wouldn't depend on it to stop everything...the least of it an infection. If I were to make use of it as a security tool, it would be among the last in line of my defense setup layers...

The fact is, that if you're connecting your network to anything else, you're running a risk. Period. Usually, that risk can be reduced, often dramatically, by employing basic security precautions such as firewalls. But a firewall is a risk reduction system, it is not a risk mitigation system -- there is, always, some danger that something can go fatally wrong with anything built by humans.
Click to expand...

Source: The Ultimate Firewall (by Marcus J.Ranum)

P.S.Some users have the misconception that they can willy-nilly execute an infected file (with admin rights) hoping that their firewall would kick in, without considering of the possibility that the said program/process may tamper or disable the firewall. Arguably, HIPS can play a part here to provide further self-protection (which is why you see more and more 3rd-party firewall providers bundling it...leak tests, etc etc) but I wouldn't ever make the assumption that it's impenetrable.

Heimdall · Feb 23, 2011

Having looked at both perspectives, I see a software firewall more of an additional useful addition to inform the end-user of outbound connections
Click to expand...

I think that's a pretty good summary. Firewalls of virtually any ilk, will not prevent a particularly well written and determined piece of rogue software, from completing it's task, even on a well configured firewall, with well crafted rules and configuration change password protection. On a firewall without those, well...

The choice of whether or not to use a software firewall, will ultimately come down to your particular requirements, environment and ways of working. If you have a well configured NAT router with SPI and you have little concern about the outbound connectivity of the processes and applications on your PC(s), then you probably won't want to implement a firewall.

If, on the other hand, you do wish to have some interaction/control with observable outbound connectivity, with or with out a router, then a firewall might be for you.

As a final consideration, if you have a native or tunnelled IPv6 address, which you are using in conjunction with a NAT 4 router, even if it has IPv6/ip6tables support, but is running a 2.4 without ip6tables 'state', then you probably don't have much, if any, control over both inbound and outbound IPv6 traffic. You could, of course, implement an IPv6 enabled firewall

Log in or Sign up

Is there a huge need for a software FW?

cgeek Registered Member

noone_particular Registered Member

atomomega Registered Member

Heimdall Registered Member

PJC Very Frequent Poster

safeguy Registered Member

Heimdall Registered Member

Log in or Sign up

Is there a huge need for a software FW?

cgeek Registered Member

noone_particular Registered Member

atomomega Registered Member

Heimdall Registered Member

PJC Very Frequent Poster

safeguy Registered Member

Heimdall Registered Member

Useful Searches