Why install a firewall?

Discussion in 'other firewalls' started by nhamilton, Sep 29, 2009.

Thread Status:
Not open for further replies.
  1. ssj100

    ssj100 Guest

    After some exchanges via PM with Blue, I got the impression that firewalls are pretty much useless (except for controlling outbound protection) for the "single home user". This is because no one would bother attacking the "single home user". Rather, they would attack large businesses where the "yield" would be larger. Please feel free to reply and clarify your thoughts on this Blue, as I may have mis-interpreted your comments.

    Following this vein of thought, if you contain/block all malware threat-gates and attack vectors, and you start off with a clean PC and follow a good "security approach", wouldn't firewalls (hardware and software) be pretty much useless?

    For example, with my setup, Sandboxie acts as a very strong firewall by preventing anything except what's trusted from connecting out in each sandbox. So what is the software or hardware firewall actually doing?
     
  2. ssj100

    ssj100 Guest

    Sounds good. In my previous post, I guess I was meaning the (software or hardware) firewall is useless in terms of adding "security".

    With regards to a trusted application and a system component, wouldn't you have configured them to be allowed to connect out anyway? With regards to the "unknown/untrusted" application, these should never be run on the REAL system in the first place, and therefore shouldn't be an issue if you have a good "security approach". Again, I still can't see the point of the firewall (software or hardware).

    Why? If you have blocked/contained all your malware "threat-gates" and "attack vectors", why is this required?

    I don't quite understand this "attack vector". What is a real-world example of what you've written there? And again, if you have all malware "threat-gates" and "attack vectors" contained/blocked, what is there to worry about?

    Again, this isn't a security issue, and as you said, probably won't make any noticeable difference to 99% of people out there.

    I can see this may become a "security" issue. I don't know much about LAN networking holes and vulnerabilities to comment though. Good thing I'm not on a home network, and even if I was, I would fully trust the people that are on it. If I can't trust them, they wouldn't be living with me. Because since they live with me, they have direct physical access to my computer anyway...

    The user can also stop all traffic with ZERO clicks - just physically turn off the modem haha.

    Again, wouldn't a good "security setup" which contains/blocks all malware "threat-gates" and "attack vectors" be enough?

    Thanks for your time and patience noone_particular! Apologies in advance for my ignorance and (probably) stupid questions.
     
  3. ssj100

    ssj100 Guest

    Thanks for that. I'm starting to realise this more and more.

    I think noone_particular has outlined some uses for a firewall, and the only valid ones seem to be unrelated to "preventing" malware attacks.

    Sorry for being selfish, but I'm really only asking these questions to understand why I've got Comodo Firewall installed haha. Ultimately my question is (in the context of my security setup): do I really need Comodo Firewall, and if so, how is it actually protecting me and adding to my level of "security"?

    Ilya seems to think a software firewall is important, as he's adding it to DefenseWall 3. Xiaolin also seems to think outbound control is important. But do they think it's important as an "anti-malware" device? Perhaps I am truly missing something big here, and noone_particular is 100% correct in his implications that narrowing what IP addresses various executables can connect out to will increase security and prevent malware attacks (and that this can only be achieved with a software/hardware firewall).

    Thanks for any replies.
     
  4. ssj100

    ssj100 Guest

    Everyone seems to want to communicate via PM these days haha. Here's a really good explanation to us noobs by Blue:

    Based on this, it seems I will be keeping my Hardware Router/Firewall, and I'll probably enable all those optional settings too. Now the question is whether I'll keep Comodo (software) Firewall. I'm really trying to go for simplicity here.
     
  5. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    If one asks me, there are roughly two reasons to install a firewall. Ok, maybe three:
    1) To block unwanted inbound traffic. For example, you have an open file sharing port that you don't want available to the whole world.
    2) To block unwanted outbound traffic. For example, you're running some malware that you don't want to be able to connect to the mothership so it can upload all the data it wants to steal from your system.
    3) To feel safe.

    Reason number 1 is reason enough for most everyone to run a firewall. The other reasons aren't really that great in my opinion, but sometimes can be useful.


    Outbound filtering can sometimes protect you against something malicious. And in all those cases that I can think of you either have malware already running on your system which is something you should prevent in the first place or some trusted software connecting to some address that would do something malicious if it could. For an example of the latter, you click on some link that takes you to a rogue AV site trying to get you infected, and a really tightly configured firewall might prevent connecting to that site at all even with your perfectly legit web browser, in which case you obviously couldn't have any problem with the rogue infecting you even if all your other security measures failed since you couldn't access the site. Additionally, some people might not want their OS components or trusted software connecting to various addresses for privacy reasons or what not. But as malware protection, the outbound filtering feature of a software firewall really isn't that great or needed. You shouldn't let the malware execute in the first place, and if it can't execute, it can't make any outbound connections. Sometimes, if you mess up, it might be genuinely useful, though - such as in a case where you execute a password stealer and then get a warning from the firewall that this file you thought was innocent is suddenly trying to connect to some unknown FTP server.

    But in short? Software firewall outbound filtering is "nice", but it's not something one can't be secure without. You could surely use outbound filtering to do things like block ads or prevent some trusted software from phoning home for privacy reasons - but this doesn't really have much to do with malware.
     
  6. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Just for the readers and so it's not misinterpreted, ssj100 has my permission to post the PM above (typos/grammar issues and all).

    I wouldn't say useless. IMHO firewalls are about control, not security. Control has security implications, just like NAT does, but it's really a distinct topic and most of the utility of firewalls really has more of an impact on the privacy arena (e.g. by defining a specific set of applications for which you'll allow communication to the internet, and only that set) than on security.

    For most users, the somewhat arcane rules for really granular and effective firewall usage require substantial technical understanding. For that reason, I tend to view their main utility at an application level and that's the only level that I've found productive for myself. In addition, the potential for misconfiguration (either preventing desired communication or allowing undesired communication) is high with a casual user, so given the situation, I will invariably suggest that a user (even if the only one in a location) get a router, take advantage of the side benefits of NAT, and dispense with using a firewall. The other main benefit here is in load balancing (put CPU utilization off the PC and onto the router hardware).

    The one other context in which a firewall can be useful is as a diagnostic tool. Again, while this has security implications (i.e. gee - all that bandwidth is being sucked up here - let's examine closer), it's different than security per se.

    Blue
     
  7. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    This is why there are no pure firewalls around anymore. Honestly, I find it useless to discuss the need for a pure firewall since the market has moved on and all the vendors offer more complete products that add more to everyone's security.
     
  8. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Look 'n' Stop is as close as you can get to a pure firewall.
     
  9. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    In fact, I believe that both inbound and outbound filtering may benefit the end user. Just let me explain why:

    1. Outbound filtering can prevent spam-bots from "calling home" for instructions, e-mail addresses and templates. If you use a sandbox to protect your computer, it will not wake up after reboot or closing all the untrusted processes, but before that it will spam you and your friends with "Canadian farma"...
    2. Inbound protection allows covering exploitable ports (like 445) that, on the other hand, may lead to a bypass of the sandbox security model. Kido is a bright example of it.

    So, yes, DefenseWall V3 has a strong both-directional sandbox firewall to give more protection to its users.
     
  10. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Windows FW is more than capable of basic inbound filtering, and I don't think people should be worrying about how to not let the spam bot out but instead should work on how to not let the spam bot onto your system in the first place...
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    It really depends on what would be described as "Attacking".

    We only need to look at the long debate concerning Comcast and how they would “delay” peer-to-peer traffic to ease the load on their network by sending spoofed RST packets.
    That sort of disruption I have seen on quite a few home users who are running game servers, or P2P, simply by someone sending spoofed packets to their server port. It may not be malicious in the fact that it does not compromise the OS/system, but it causes problems that the user thinks are due to other problems.

    - Stem
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    As to "Why install a Firewall".

    Looks like 2 of the main reasons have been missed.

    1: To go on forums and moan and groan about them
    2: To have an endless argument on whose is better.


    - Stem
     
  13. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    That's funny and so true.
     
  14. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Have you not experienced Windows Firewall recently?
     
  15. ssj100

    ssj100 Guest

    That's exactly right. Even so, I'm still skeptical of the importance of inbound filtering (for any "security" purposes), particularly if one is connected to the internet via a NAT router.

    Completely agree with "preventing" the spam bot from even coming on to the system in the first place. And anyway, eg. with Sandboxie's protection, the spam bot may come into one of my virtualised sandboxes, but it will be unable to start/run/execute and will be unable to connect to the internet anyway.

    Anyway, after a few more exchanges with Blue, I've decided to keep my software firewall (Comodo). It's free, I don't notice any performance hit whatsoever, and I have the option to enable its classical HIPS component when I want/need it.

    Interesting discussion though.
     
  16. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Very true, people forget about Sandboxie's network access limitation; you can set it so only your chosen programs can connect out, so really no firewall required. A firewall is a tool for certain individuals' needs, not an antimalware program that everyone needs simply because it's advertised that way.
     
  17. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    Aside from a HIPS/IDS like firewall that can be real anti-malware software:

    Inbound control: Use the Windows firewall if nothing else. Configure it properly. It's free and it uses almost no resources.
    Routers: they don't offer 100 % protection, the same goes for software firewalls. Routers with full SPI may not provide full SPI (oversimplification).
    Third party software firewalls have their own strengths and weaknesses.
    Both routers and software firewalls can be dysfunctional and ineffective.

    Outbound control: depending on the software it may or may not block malware. For me, it's mostly about control and privacy. I don't like the Acrobat Reader or other software phoning home for the company's interests.

    A firewall is supposed to isolate the computer from the network (assuming you have only one computer which is connected to the internet).

    It's just another layer. Why risk listening services or open ports?

    You may be relatively safe not using a firewall, but then, you may also be relatively safe not using an AV or LUA+SRP.

    And I agree with Ilya.
     
  18. wat0114

    wat0114 Guest

    True but keep in mind it has no control over which remote addresses or ports those chosen applications can connect to, nor does it have any protocol control. That said, this is of little concern anyways because the Sandbox is going to allow only trusted programs. It's just something to point out.

    Lately, I've chosen not to use a software firewall. All the machines are behind a router and services on the XP machines are limited to a "Safe" profile so almost nothing of concern is "listening", other than the alg service, but this I might disable as "startup type" in the profile as well. My latest decision to ditch the software firewall is based on seeing too many buggy issues with the various ones I had been using; my patience was wearing thin waiting to see them resolved.
     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I actually think that when discussing a software firewall, then we should put aside routers. I have seen it far too many times where it is mentioned that a firewall (or should we say packet filter) does not need various packet filtering because a user does have, or should have a router (I have even seen that from some vendors). For me, I look at a packet filter for what it does, not for what it needs to do only behind a router on a trusted home LAN.
    Of course, as they say, prevention is better than cure; however, from my point of view a 3rd party firewall is primarily a packet filter that (on Windows) is to replace the Windows inbuilt firewall. Most firewalls do not correctly do that. We only need to look at the simple XP firewall, which at its base level filters out invalid flagged TCP packets. I know some state such filtering is not required (mostly the vendors), but as I have said before, if it is not needed then why did MS implement it? So from my point of view, if a 3rd party firewall is replacing the Windows firewall, then it should be adding to the filtering, not taking away its basic filtering.


    - Stem
     
  20. ssj100

    ssj100 Guest

    Thanks for the information Stem. I've got a few questions. Why exactly is it important to filter packets with a software firewall? Does it make one's internet faster? Does it prevent malicious "attacks"? If so, how? And is it realistic enough to worry about?

    You mention filtering out "invalid flagged TCP packets" - how do these packets cause harm? Do they perhaps cause inconvenience or internet slow-down/cut-outs?

    Anyway, I've always configured my Comodo Firewall like so:
    http://forums.comodo.com/firewall_guides/setting_up_firewall_for_maximum_security-t30535.0.html

    In addition, I've now enabled all protection features of my router firewall like so (except ICMP from LAN):
    https://www.wilderssecurity.com/showpost.php?p=1555772&postcount=3

    By the way Stem, if you get time, could you please clarify what exactly each of those features does exactly? Thanks.

    I don't know if I just got lucky last night, but my internet didn't cut out a single time! Usually my internet cuts out at least once a day. I'm wondering if enabling the hardware firewall features has made a difference.
     
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I don't mean to skip over your questions, but a discussion about attack vectors via invalid/malformed packets usually ends with most believing it is a problem for the OS vendor to sort out, rather than it being a 3rd party firewall vendor's implementation requirement. For a full/correct discussion then examples would need to be put forward, which is against TOS.

    Let us look at this from a simplistic point of view.

    From your linked post:-

    Now those are invalid flagged packets that are used for scans. They are used for scans because most firewalls do not know how to correctly handle them and a reply is made.
    There should be no need to "enable" such filtering; such packets should simply/silently be dropped from the perimeter and from any current connection. But instead we see this advertisement from vendors of "Extra protection".
    For me, such filtering should be there without the "singing and dancing" or "flag waving, trumpet blowing", such packet filtering should be there by default.

    - Stem
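
Added example (not part of the thread, and not any vendor's implementation): a minimal packet-filter check that silently drops TCP segments with invalid flag combinations before any state lookup, so it covers both closed ports and current connections as the post above asks for. The flag combinations are the ones commonly treated as invalid, since the list from the linked post is not reproduced here; the function names, flow tuple and headers are constructed for illustration.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def tcp_flags(segment: bytes) -> int:
    """Return the six classic flag bits (byte 13) of a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13] & 0x3F

def invalid_reason(flags: int):
    """Name the rule a flag combination breaks, or None if it is plausible."""
    if flags == 0:
        return "null (no flags)"
    if flags & SYN and flags & FIN:
        return "SYN+FIN"
    if flags & SYN and flags & RST:
        return "SYN+RST"
    if flags & FIN and flags & RST:
        return "FIN+RST"
    if flags & (FIN | PSH | URG) and not flags & ACK:
        return "FIN/PSH/URG without ACK"
    return None

def verdict(segment: bytes, flow: tuple, established: set) -> str:
    """Flag sanity first (stateless), then the connection-state decision."""
    flags = tcp_flags(segment)
    reason = invalid_reason(flags)
    if reason:
        # Dropped without a reply, whether or not the flow is established.
        return "DROP invalid flags: " + reason
    if flow in established:
        return "ACCEPT established"
    if flags == SYN:
        return "NEW pass to rule set"
    return "DROP out of state"

def make_header(flags: int) -> bytes:
    """Constructed 20-byte TCP header; ports and sequence numbers are made up."""
    return struct.pack("!HHIIBBHHH", 40000, 445, 1000, 0, 5 << 4, flags, 8192, 0, 0)

# Constructed flow key using documentation address ranges.
FLOW = ("192.0.2.10", 40000, "198.51.100.5", 445)

if __name__ == "__main__":
    samples = [("xmas", FIN | PSH | URG), ("null", 0), ("syn+fin", SYN | FIN),
               ("data", PSH | ACK), ("syn", SYN), ("rst", RST)]
    for name, flags in samples:
        print(f"{name:8} known flow: {verdict(make_header(flags), FLOW, {FLOW})}")
        print(f"{name:8} no state  : {verdict(make_header(flags), FLOW, set())}")
```

A bare RST is a valid flag combination, so this check alone does not reject well-formed spoofed resets of the kind mentioned earlier in the thread.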
     
  22. ssj100

    ssj100 Guest

    Maybe you could PM me with further information if you're worried about things going in the wrong direction publicly.

    In any case, I guess I've made the right decision to enable all those "flag waving, trumpet blowing" features of my hardware firewall haha.
     
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I am curious and interested to know the implementation made.
    Is the filtering just on the perimeter (closed ports) or does it also filter current connections?


    - Stem
     
  24. ssj100

    ssj100 Guest

    To be honest, I've got no idea. As I said, I've only enabled the features as I posted before - those features were under my router's "Firewall" page. There weren't any other features on that "Firewall" page, although there are some other features on other pages that look firewall-related to me that I've left alone haha.
     
  25. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    I don't see why you don't just run Windows Firewall with all those extras you run, LUA + KAfU + SRP + DEP + SuRun (this one also for limited user), still tightened-up Group Policies, and then use your Sandbox. I don't see the need to run Comodo with your setup. But I guess you feel you have to. This thread: Why install a firewall? Why not install one! Play it safe or use the OS built-in one. Just too bad Microsoft didn't think to make its free firewall smart enough to protect the OS in/out. Too many corners cut with them!
     