What Good...

Discussion in 'other firewalls' started by Rico, Sep 19, 2009.

Thread Status:
Not open for further replies.
  1. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,703
    Location:
    Texas
    Hi Guys,

For a long period of time I used 'ZoneAlarm', then ditched it for Comodo's firewall. I then learned it wasn't so much the software providing 'stealthy' ports, but my router. Next came advocates of no software firewall, & using the router's 'SPI' for a firewall. Now for a long time I've been software-firewall free. I'm all 'stealth' according to GRC's Shields UP. I've never been infected, so what's all the hoopla about software firewalls, or why are they necessary?

    Take Care
    Rico
     
  2. Mem

    Mem Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    292
Not everyone has a router for their connection and if you have someone visit and connect to your network, well, if they have a worm then you might have a problem. The Windows firewall has minimal impact, so why not use it with a router?

    Also, some want to control some outbound connections and usually a router doesn't have full capability to do this compared to a software firewall. For XP, you would then need a 3rd party firewall.
     
  3. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,703
    Location:
    Texas
    Hi Mem,

I know the router protects against 'incoming'; XP's firewall protects 'incoming' only. You would have two firewalls protecting in one direction.

    3rd party firewalls protect incoming & outgoing.

    If stealthed with router why have a software fw?

    Rico
     
  4. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
People use 3rd party firewalls out of paranoia IMO, or if they don't want certain apps connecting out, but I just believe in not letting the infection in in the first place rather than trying to contain it on my computer lol....
     
  5. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    No. People use 3rd party firewalls because they want proper packet filtering. Those who don't care about proper packet filtering (vast majority) use home routers.
     
  6. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
Sounds like paranoia to me; router only and no infection or malfunction of any sort, so idk what benefit it is giving then...
     
  7. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    When you aren't on your home network (traveling with a laptop) your home router is no good to you. Wouldn't you want a software firewall then?
     
  8. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
Yes, in that case I can understand and I'd definitely use one; I'm talking about the people on a home network with a router who still use a 3rd party firewall.
     
  9. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    I have a router but still use a third party firewall. One reason is for when I am not at home and the other is for controlling outbound connections. I just prefer to control when programs can connect out. For instance I installed a program today to try it and immediately upon first run it wanted to connect out. With my software firewall I was aware of this attempt and was able to allow or deny it and then research where it was trying to connect to and why.
     
  10. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
Paranoia? Why is it paranoia if I want to filter a SYN/RST flag? It is a personal preference. Can you do this with a router?
    But I do understand, people tend to think of firewalls as an anti-malware device. You personally may not have a need to filter out bad TCP flag combinations, but this doesn't mean a 3rd party firewall is useless.
     
  11. Mem

    Mem Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    292
    Do you have friends come over with a computer and use your network connection through the router? Do others access your LAN? If so they present a threat if infected and you don't have a software firewall since your ports and possibly listening programs would be open to them as the router is a perimeter security device.
     
  12. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
Agreed, I think of a 3rd party firewall more as a tool than an antimalware program personally, yet sooo many people believe a software firewall is gonna save your life WHEN THE INFECTION IS ALREADY ROOTED IN YOUR SYSTEM...

    The firewall built into the OS will handle inbound just fine.
     
  13. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,703
    Location:
    Texas
@mem - So someone comes to my place, hooks up to my network, assume they're infected, the infection leaves their machine 'outbound' then gets past my router 'inbound' to my machine? What happens if my machine is off?

    @Seer - proper packet filtering, how does this help? How can you tell proper from improper?

I thought if I'm truly 'stealthed', the malware would pick on a non-stealthed

    Rico
     
  14. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
If your machine is off, you have nothing to worry about; since your router does not have a hard drive there's no place for that malware to stay, and as long as you have the Windows FW on, even when your system is on, as long as you don't allow sharing in your home network (the way mine is set up) you'll be fine. I've set my Windows FW to work so nobody on my home network has a connection to my PC, no wireless printers, nothing.
     
  15. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Proper packet filtering will help you to, as a simple example, stay protected from various types of stealth scans, and not just the usual TCP SYN scan performed by those test sites. Take a quick look at the link I provided above. I know, it is not the best of reads, but it should get you going. I'll try to find a better one.

    There are many more benefits to proper packet filtering, I have mentioned some before, but let's not add to the confusion here and now.

There are two ways to tell if your firewall is capable of proper filtering. The first, easy one, is to look into the rule-creating mechanism of your firewall. Good firewalls (example: Look'n'Stop) will give you the possibility to create granular rules down to the TCP flag numbers. With such a firewall it is easy to create rules to drop all types of scans.
The second, more complicated way (i.e. if your firewall does not have the ability to write granular rules) is to test the firewall from outside by using tools such as nmap. I am not aware of any online test that will do the same thing as nmap. This way involves creating a testbed of at least 3 PCs directly connected (not through a router) and is somewhat complicated for the average Joe to perform.

You are not truly stealthed if an online scan tells you so. These scans only show that an unsolicited inbound request (a TCP SYN packet) will be dropped by your firewall/router and not replied to with a RST flag. In either case (stealth or not), a "malware", as you say, is still a long way from getting to your PC in such a way. In 99% of cases, a malware is delivered to your PC in a payload of a TCP ACK packet, a perfectly legitimate one.

    So, if your only concerns are to stay malware-free, I suggest you drop the online stealth scans hype and get a good anti-malware app. Or apply some common sense into the equation, your choice.

    Cheers,
     
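Seer's point above about rules "down to the TCP flag numbers", and the SYN/RST remark in post 10, as an added example that is not from this thread or from any firewall product: a small stateless flag-sanity filter in Python, run over constructed packets, showing which combinations a granular rule set drops before the host's TCP stack can answer a scanner. The `Packet` type, the port list and the sample traffic are assumptions made for the example.

```python
from dataclasses import dataclass

# TCP header flag bits (RFC 793 layout)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG

@dataclass(frozen=True)
class Packet:            # hypothetical minimal view of a decoded TCP segment
    src: str
    dport: int
    flags: int

def classify_flags(flags: int) -> str:
    """Name the bogus flag combination, or return 'ok' for a sane one.

    Each branch is a combination that never occurs in a legitimate TCP
    session, so it can be dropped statelessly, before the host's stack
    gets to answer (or stay silent) and thereby leak port state.
    """
    if flags & ALL_FLAGS == 0:
        return "null-scan"                       # no flags at all (nmap -sN)
    if flags & (SYN | FIN) == SYN | FIN:
        return "syn-fin"                         # open and close at once
    if flags & (SYN | RST) == SYN | RST:
        return "syn-rst"
    if flags & (FIN | PSH | URG) == FIN | PSH | URG and not flags & ACK:
        return "xmas-scan"                       # FIN+PSH+URG lit up (nmap -sX)
    if flags & FIN and not flags & ACK:
        return "fin-scan"                        # FIN needs ACK in a live session
    if flags & (PSH | URG) and not flags & ACK:
        return "psh-urg-without-ack"             # data flags only ride on ACKs
    return "ok"

def verdict(pkt: Packet, served_ports: frozenset) -> str:
    """Stateless inbound decision for one unsolicited packet."""
    bad = classify_flags(pkt.flags)
    if bad != "ok":
        return "DROP " + bad
    if pkt.flags & SYN and not pkt.flags & ACK:
        # A plain SYN is a new connection: only ports we actually serve.
        return "ACCEPT" if pkt.dport in served_ports else "DROP closed-port"
    # Bare ACK / RST etc. pass a stateless filter; only a stateful (SPI)
    # table can tell an unsolicited ACK probe from a real session.
    return "ACCEPT"

def audit(packets, served_ports):
    """Return {verdict: count} for a batch, the way a log summary would."""
    counts = {}
    for p in packets:
        v = verdict(p, served_ports)
        counts[v] = counts.get(v, 0) + 1
    return counts

# Constructed sample traffic (not captured data).
SAMPLE = [
    Packet("203.0.113.5", 80, SYN),                 # normal connect to web
    Packet("203.0.113.5", 22, SYN),                 # connect to a port not served
    Packet("198.51.100.7", 443, 0),                 # NULL scan probe
    Packet("198.51.100.7", 443, FIN | PSH | URG),   # XMAS scan probe
    Packet("198.51.100.7", 443, FIN),               # FIN scan probe
    Packet("198.51.100.7", 443, SYN | FIN),         # bogus SYN+FIN
    Packet("192.0.2.9", 80, ACK),                   # bare ACK (needs SPI)
    Packet("192.0.2.9", 80, PSH | ACK),             # data segment, fine
]

if __name__ == "__main__":
    served = frozenset({80, 443})
    for p in SAMPLE:
        print(f"{p.src:>13} -> :{p.dport:<4} flags=0x{p.flags:02x}  {verdict(p, served)}")
    print(audit(SAMPLE, served))
```

The bare ACK in the sample is the case Seer alludes to: it only becomes catchable once the filter keeps connection state, which is what a router's SPI adds over this stateless check.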
  16. Mem

    Mem Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    292
    If your PC is off nothing on it is presented on the LAN to infect so no problem.

For the router...there are two interfaces: 1) the Internet-facing one (WAN to LAN) and 2) the LAN-facing one (LAN to LAN). Notice that the router has two IPs assigned to it - one from the ISP (WAN) and one for the LAN (a local IP address). The firewall of the router protects the WAN to LAN interface, not the LAN to LAN interface. This is where the software firewall can be used to close open ports exposed on the LAN to other LAN PCs. Some routers allow isolation of LAN IPs to minimize 'cross exposure', but the major purpose of a router is to allow communications between PCs for sharing. But the specifics of your question are dependent on your hardware and LAN configuration. As an example, I do not allow wireless clients on my home LAN to communicate with each other directly, but they are able to reach wired clients on the router for the network shared folders and printing.
     
  17. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Outbound control is not paranoia. It's a necessary part of a good security package. Ideally, keeping malicious code from infecting a PC is the goal, but in the real world it happens. A software firewall can prevent that malware from connecting out. No, it's not a total solution, just part of a package.

Stealth isn't as important as some make it out to be. The concept is based on security through obscurity, aka hiding makes you safe. When internet service was primarily dialup and IP addresses changed every few hours, the user had a better chance of remaining hidden. Now, PCs are connected 24/7 and are often running 24/7. IP addresses change far less often, sometimes not at all. The user's PC is a much more stationary target, easier to find. Stealth applies only to your visibility to port scans. There are many other ways that your PC reveals its presence.

    One of the big advantages of a software firewall is the ability to control traffic for individual applications. Routers work on a system level. The firewall section of this forum has several "learning threads" for specific firewall makes. These covered the details of configuring firewalls to perform specific functions and controlling traffic to and from specific programs and system components. There's a lot of good material in them no matter what make of firewall you use.

Regarding GRC Shields Up, it only scans the first 1056 ports. There are 65,535 ports that can be open. This site can scan them all.
     
  18. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,133
    Location:
    USA
This business of stealth vs. closed ports is only a very small part of the security picture. When broadband first became available and people started leaving their computers on 24/7 it was discovered that many of them were visible to a simple port scan and accessible because they had "Netbios over TCP/IP" and "file and printer sharing" enabled by default. The Shields Up test helped people understand this issue and explained how to turn off Netbios over TCP/IP and unnecessary file sharing. To thwart hackers who found computers through port scanning, the idea of "stealthing" the ports was created. Normally when a port is queried it will respond even when closed, but it's possible to disable the response. If all ports don't respond then the computer seems hidden, but it is simplistic to think this makes you safe. In any case this is not generally the malware attack vector. Malware enters the system through email attachments, tainted downloads, or "drive by" downloads from infected sites.
     
  19. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
My, all you guys still at it.. Sure the router can protect, and it's better to use than the software on your PC side, which can crash and doesn't protect you. The OS firewall is limited to inbound. Outbound is important because of the way a lot of software applications like to spy on you or like to phone home, as they say. All software needs to be updated, so it's going to go outbound. Sure you can use a software firewall to block that application from connecting back to its home.

    Gamers
    Torrents

    Need to use the 3rd-party software firewall even though they have a hardware firewall.

    HTPC
    Browsers

    Don't need to use the 3rd-party software firewall only if they have a hardware router firewall.

    If you don't have a router and are connected directly to your cable or dsl modem then you'll need extra protection from 3rd-party software firewall to play it safe with outbound packets.

Most hotels, hot spots, airports and ships don't even bother with encryption and have the wi-fi wide open for their customers. Now if you are one of these travelers I would recommend you use a 3rd-party software firewall on your system and EAP-TTL extra protection.
     
  20. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
Actually I'm a gamer and torrenter and I prefer not to use a firewall, and those are 2 of the MAIN reasons. A software firewall causes soo many more issues than you want when you're a gamer, whether it be latency or loss of connection or being unable to connect at all; they're all issues that affect gamers who use software firewalls. Any gamer you talk to will most likely tell you they just use the Windows FW. Same goes for torrents: speeds drop when using a software firewall and MANY issues are caused by it when trying to connect with a torrent. You can create all the rules in the world, but there's always an issue that pops up with games and torrents, like the issue I had with Look n Stop and CoD 4 a while ago: no servers would show up no matter how many rules I made.
     
  21. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358
    I hear this opinion so many times, and I have no idea what sheltered environment these people are living in. The types of software that try to "phone home" are very often not even classified as malware, FYI.

For example, let's say you download a WMV from usenet or as a torrent. You play it, and WMP can't find the proper codecs (or license for DRM). WMP calls out and looks for the codec/license (either because you forgot to configure WMP not to do this or it decided not to obey your configuration), and that's it. You're infected because you didn't have a firewall to let you know that your media player is a worthless pile of junk from Microsoft.

    There are other variants of this scenario that don't involve any particular media file. Numerous media players are known to collect usage information and send this stuff out (i.e. every media file you've ever played, including "Double-stuffed Debutantes from Dallas"). How are you going to control this? How will you know that it's happening?

    Let's say you configure Firefox to use a proxy (e.g. Tor), and you specifically tell it to use that proxy and not connect to the internet directly. Your life depends on it continuing to access the internet only through that proxy. Too bad you didn't understand that Firefox will do whatever it wants, and you didn't have a firewall to let you know that it was attempting direct internet access to the site.

    I think you would have to be more boring than my grandparents not to have anything that you want to protect from "trusted" applications making outbound connections without your consent. But even if that's true, you should understand that other people don't want to share their daily activities with who knows who. You may not care, but others do.

    A combination HIPS/firewall can most definitely catch a zero-day attack that your antivirus will just let slide by. It's the difference between a dumb blacklist and an intelligent behavior-based system. If I had a choice between an antivirus and HIPS/firewall, I would take the latter any day of the week.

    I personally care less about a virus messing up my system than anything connecting out without my permission. And please don't give me that tired line about not being able to trust my firewall/HIPS after my system is infected. It would be pretty rare for malware to be able to disable quality security software. But even if it could, the firewall/HIPS would be worth it just to control the "trusted" applications that I don't trust, including anything from Microsoft that's integrated into Windows.
     
    Last edited: Sep 20, 2009
  22. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
Gaming side, still a question mark about the software firewall? As for torrents, just open the ports on both ends, on the router and the software firewall. I see no issues doing that.

    Rising IS 2009 - no need to open ports
    Rising IS 2010 - need to open ports
    PC Tools IS or FWP - no need to open ports
    Comodo CIS - need to open ports

I've measured speed: no difference in download, which is really based more on the seeders and how they have bits set to (no limit) or (limit xx). Your router's NPU and the available RAM are what would make those connections for gaming and torrents really move.

    Best software firewall was Armor2net for speed but can't be used anymore though.
     
  23. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
lol you've just basically proven my point about paranoia more than practicality; any HIPS app will block those malicious actions better than a firewall ever would. And the other stuff about "info collecting" is just as I said, you're proving my point about paranoia over practicality, no media company knocking on my door now is there?
     
  24. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358
    You never mentioned that you had a HIPS (or that a HIPS was okay with you). It makes little sense that anyone would deal with anything as inconvenient as a HIPS but have a problem with an outbound firewall (which is relatively simple by comparison). And, that begs the question of why you would be okay with a HIPS. A HIPS is basically a firewall for your hard drive. Most people who are opposed to an outbound firewall believe that once you let the malware execute, you're screwed. Is that not what you believe? Then you shouldn't have a HIPS either because you're relying on this program to catch the dangerous behavior AFTER you've already let it execute. What's to prevent this incredibly dangerous malware from shutting down your HIPS? What if the first step this malware takes is to connect to the internet? Wouldn't an outbound firewall be useful in this circumstance? Contradictions abound. These arguments are the ones I hear all the time for not using an outbound firewall. Guess what, they apply equally well to HIPS.

But really, by your reasoning, you shouldn't be using anything at all. Get rid of your HIPS, AV, anti-malware, etc. If your computer is working fine, then don't worry about anything. If you experience some problems, do an online scan and remove the offending malware. You'll save a lot of money and computer resources. Why are you even here? I've personally not been infected by anything in many years just using Firefox. If I was as cool as you, I would ditch everything. There's little practicality in doing anything with such little risk of infection. A HW firewall should be enough. If you don't notice any problems with your computer, then you're okay.

    BTW, my first example is malicious action that is most likely to be caught by a firewall (less likely by a HIPS or AV). My third example is a non-malicious action that is most definitely not paranoia if you're facing certain risks that require strict control of your internet access.

    - Let's say you download a media file and your AV detects nothing. You open it and WMP automatically connects to a site and infects your computer. This could also theoretically happen with a PDF file and Acrobat Reader. A HIPS may not warn you. There could be countless file/application combinations where the file scans negative with an AV and the application is trusted. But combine the two and you get owned.

    - Let's say you have a situation where you have to communicate anonymously (perhaps your life depends on it) and you want to use Tor. Your browser isn't very good at following your proxy settings. How do you keep your browser in line? A HIPS won't do it but a firewall will. Basically, what I'm saying is that if you have any application that you want to grant internet access to and you want to control the way it accesses the internet, a firewall is a must. I would say most applications I've tried have not really honored my settings to my satisfaction.

    Perhaps next time you should read more carefully. There's a lot of merit to understanding what's being sent out from your computer. And even my second example, which you would call paranoia, has a lot of merit. Even if you don't care if some company knows your media viewing (or reading) habits, wouldn't it make you mad that they would do it without your knowledge?

    And you totally ignored my zero-day attack scenario, where an AV may not yet have the signature. I suppose if you inexplicably have a HIPS but don't want an outbound firewall, you might still catch it (or not). It depends on how the malware operates.
     
    Last edited: Sep 21, 2009
  25. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
You're making SOOO many assumptions of EVERYTHING failing and putting up the firewall as the almighty saver that can never go wrong. In each of your scenarios a HIPS alone would prevent anything malicious happening to your system BEFORE any malware has time to send out your info, because it couldn't infect in the first place, just as a sandbox would also do this, as would many other less intrusive and annoying programs. I'd rather not have my net connection being throttled by some bloated firewall software that tries to do everything under the moon.

Now if you're PARANOID about your own safe apps connecting out, that's a whole other issue that shouldn't even be discussed in context with malware.

There is no level of rationalization you can give that would make me think a firewall CAN NOT be lived without, cuz that's wrong; you can be completely safe without a firewall as I have been. Privacy (which matters to some and not to others) is the only real reason I'd feel I'd need to use a firewall, if any, or if I'm on an unfamiliar network. I prefer solid proof and experience over any conceptual scenarios that almost never happen. It's quite simple: if you don't trust something, don't install it, don't wait for it to call out to the internet to find that out lol, cuz then it just shows the person's lack of common sense...
     
    Last edited: Sep 20, 2009