Personal Firewall?

Morten Skarstad

Ron May wrote:
I agree we're talking MAINLY about preferences rather than thwarting a
serious security threat, but by extension, since all but a MINISCULE
amount of internet traffic is "innocent, benign, (or) harmless," your
argument against a two-way firewall could be made against having ANY
firewall at all.

Not quite. On some systems (a fresh default installation of Windows XP
comes to mind) some sort of incoming firewall is not only recommended
but _required_ if you want your computer to last more than two minutes
after connecting it to the net. NAT and/or the built-in XP firewall may
be simple, but they give sufficient protection from worms such as
Blaster and Sasser. If not, you'd better have a CD with SP2 handy, because
hoping to update a fresh default Windows XP installation using Windows
Update without enabling the firewall is like dropping your pants,
closing your eyes and bending over during carnival season in Salvador.

That being said, you do have a point. Even incoming (personal) firewalls
are in many ways the wrong solution to the problem, and the only
reason it is needed in the first place is because of fundamental design
flaws in systems such as Windows. I mean, imagine that you build
yourself a huge house. On this house you put a large number (hundreds)
of doors. Then you leave doors 137, 139 and 445 wide open, put out the
"Welcome!" door mats and turn on lights. Then you realize that maybe you
don't want visitors anyway, so you get yourself some bricks and put up
large walls in front of your doors.
Lastly, (and here's where I think you're missing the point) you seem
to suggest that OTHER precautions need to be taken INSTEAD of using a
two-way firewall. What I'm saying (as are others in the thread) is
that OF COURSE you take all the other precautions, but IN ADDITION, an
outgoing firewall provides an occasional alert that you might not have
received otherwise, and more importantly, gives you the OPTION to
decide how you want to handle it, INCLUDING things like drilling down
into a program's preferences and disabling the option to "check for
updates every 15 minutes." <g>

From a personal privacy point of view: Filtering outgoing traffic may
be a way to give you this. But having self updating applications banging
their foreheads in vain against a firewall, and possibly throwing up
error messages about it as well, hardly strikes me as an optimal
solution. But if it keeps you happy, then fine.

From a computer security point of view: The idea of preventing a
compromised computer from sending out data with a piece of software
running on the same computer is fundamentally flawed. It does not add a
layer of protection. It does not strengthen your existing security
efforts. It probably does not work, and it definitely cannot be trusted.
 
Ron May

Ron May wrote:

Not quite. On some systems (a fresh default installation of Windows XP
comes to mind) some sort of incoming firewall is not only recommended
but _required_ if you want your computer to last more than two minutes
after connecting it to the net. NAT and/or the built-in XP firewall may
be simple, but they give sufficient protection from worms such as
Blaster and Sasser. If not, you'd better have a CD with SP2 handy, because
hoping to update a fresh default Windows XP installation using Windows
Update without enabling the firewall is like dropping your pants,
closing your eyes and bending over during carnival season in Salvador.

That being said, you do have a point. Even incoming (personal) firewalls
are in many ways the wrong solution to the problem, and the only
reason it is needed in the first place is because of fundamental design
flaws in systems such as Windows. I mean, imagine that you build
yourself a huge house. On this house you put a large number (hundreds)
of doors. Then you leave doors 137, 139 and 445 wide open, put out the
"Welcome!" door mats and turn on lights. Then you realize that maybe you
don't want visitors anyway, so you get yourself some bricks and put up
large walls in front of your doors.


From a personal privacy point of view: Filtering outgoing traffic may
be a way to give you this. But having self updating applications banging
their foreheads in vain against a firewall, and possibly throwing up
error messages about it as well, hardly strikes me as an optimal
solution. But if it keeps you happy, then fine.

From a computer security point of view: The idea of preventing a
compromised computer from sending out data with a piece of software
running on the same computer is fundamentally flawed. It does not add a
layer of protection. It does not strengthen your existing security
efforts. It probably does not work, and it definitely cannot be trusted.

You're STILL missing the point. In what way does a ONE-WAY firewall
provide the same or better security than a TWO-WAY firewall, all other
things being equal? The answer is that it obviously DOESN'T.

I just can't see the value of being ignorant about what programs are
trying to access the internet without your knowledge or approval. Even
if you THINK you can do an adequate job by manually monitoring
connection logs, that's NOT an argument against using an outgoing
firewall as an automated backup. It doesn't prevent you from doing
BOTH if you want to.

More importantly, when we consider your model of a "compromised"
computer system, what that means is that ALL of your other
precautions, INCLUDING your incoming one-way firewall have ALREADY
failed, right? In that event, an outgoing firewall alert MAY be your
FIRST AND ONLY INDICATION of some kind of rogue software AFTER all of
your OTHER security measures failed to prevent or detect it in the
first place. Even if using an outgoing firewall is not an absolute
guarantee of detection, the odds are certainly in favor of it working
as opposed to NOT working in your scenario.

Bottom line, if you're going to run ANY firewall, it makes NO sense to
run one that DOESN'T monitor both incoming and outgoing connections
and give you the OPTION to restrict or allow traffic as you see fit.
 
Kerodo

Not quite. On some systems (a fresh default installation of Windows XP
comes to mind) some sort of incoming firewall is not only recommended
but _required_ if you want your computer to last more than two minutes
after connecting it to the net. NAT and/or the built-in XP firewall may
be simple, but they give sufficient protection from worms such as
Blaster and Sasser. If not, you'd better have a CD with SP2 handy, because
hoping to update a fresh default Windows XP installation using Windows
Update without enabling the firewall is like dropping your pants,
closing your eyes and bending over during carnival season in Salvador.

This is not always the case. I used to regularly reformat and reinstall
here without any firewall, exposed to the internet for hours before
putting one in. Nothing ever happened. This is because my ISP blocks
135-139 and 445 and a few others for me. Many ISPs do this. So to say
that an exposed machine will be raped within minutes is misleading in
many, if not a majority of the cases.

And, if one is concerned about this, one can also use IPSEC quite
easily, especially in the case of a Win2k reinstall where there is no XP
firewall.
From a personal privacy point of view: Filtering outgoing traffic may
be a way to give you this. But having self updating applications banging
their foreheads in vain against a firewall, and possibly throwing up
error messages about it as well, hardly strikes me as an optimal
solution. But if it keeps you happy, then fine.

From a computer security point of view: The idea of preventing a
compromised computer from sending out data with a piece of software
running on the same computer is fundamentally flawed. It does not add a
layer of protection. It does not strengthen your existing security
efforts. It probably does not work, and it definitely cannot be trusted.

I would have to agree that the best thing to do is keep the bad stuff
and malware off the machine to begin with. That is my strategy here and
it works well. However, there can be some merit to receiving a warning
about something happening. A software firewall with 'outbound app
control' can give you at least a warning that something odd is
happening, at which point one can try to track down and remove the
problem, or even better reformat completely. With no 'outbound', there
very well may be no warning. That however, is about the only use I can
see for outbound control. It surely will not prevent the machine from
being compromised to start with. And once you get the stuff on the
machine, it's usually a mess.
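
Added example, not code from any firewall product or from anyone in this thread: the "outbound app control" Kerodo describes above, and the allow/deny/ask option Ron argues for earlier in the thread, reduced to a rule evaluator. A stored rule is keyed by program path and bound to a hash of the binary, which is why a personal firewall of this kind prompts again when a program changes on disk; "ask" is the pop-up everybody is arguing about. The paths, binaries and connection attempts are constructed. The caveat the other side of the thread raises still applies: this runs on the same host as whatever it is judging, so its verdicts are only as trustworthy as that host.

```python
"""Per-application outbound control as a rule evaluator (added example)."""

import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Rule:
    """What the user answered the last time this program asked to connect."""
    sha256: str                    # hash of the binary when the answer was given
    allowed_ports: FrozenSet[int]  # empty set means "never let this one out"


@dataclass(frozen=True)
class Attempt:
    """One outbound connect() as the filter driver would report it."""
    exe: str
    sha256: str
    remote_host: str
    remote_port: int


def fingerprint(binary: bytes) -> str:
    return hashlib.sha256(binary).hexdigest()


# Constructed stand-ins for on-disk binaries; real ones are hashed the same way.
IE_ORIGINAL = b"MZ\x90\x00 iexplore.exe build 6.0"
IE_PATCHED = b"MZ\x90\x00 iexplore.exe build 6.0 + something injected"
UPDATER = b"MZ\x90\x00 acme_update.exe"

IE_PATH = r"C:\Program Files\Internet Explorer\iexplore.exe"
UPDATER_PATH = r"C:\Program Files\Acme\acme_update.exe"
UNKNOWN_PATH = r"C:\Documents and Settings\user\Local Settings\Temp\svhost32.exe"

# Rules the user has already answered.  The updater gets an empty port set:
# the "stop checking for updates every 15 minutes" answer.
RULES: Dict[str, Rule] = {
    IE_PATH: Rule(fingerprint(IE_ORIGINAL), frozenset({80, 443})),
    UPDATER_PATH: Rule(fingerprint(UPDATER), frozenset()),
}


def evaluate(rules: Dict[str, Rule], attempt: Attempt) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'deny' or 'ask'.

    'ask' means there is no stored answer that applies, so the user gets a
    look at the connection before anything leaves the box."""
    rule = rules.get(attempt.exe)
    if rule is None:
        return "ask", "no rule for this program"
    if rule.sha256 != attempt.sha256:
        return "ask", "program has changed on disk since the rule was made"
    if attempt.remote_port in rule.allowed_ports:
        return "allow", "matches stored rule"
    return "deny", "port not in stored rule"


# Constructed connection attempts, in the order a log would show them.
SAMPLE_ATTEMPTS: List[Attempt] = [
    Attempt(IE_PATH, fingerprint(IE_ORIGINAL), "www.example.com", 80),
    Attempt(IE_PATH, fingerprint(IE_ORIGINAL), "irc.example.net", 6667),
    Attempt(IE_PATH, fingerprint(IE_PATCHED), "www.example.com", 80),
    Attempt(UPDATER_PATH, fingerprint(UPDATER), "update.acme.example", 80),
    Attempt(UNKNOWN_PATH, fingerprint(b"MZ\x90\x00 dropper"), "203.0.113.7", 6667),
]


def triage(rules: Dict[str, Rule], attempts: List[Attempt]) -> List[Tuple[str, str, int, str]]:
    """(exe, host, port, verdict) for every attempt."""
    return [(a.exe, a.remote_host, a.remote_port, evaluate(rules, a)[0]) for a in attempts]


def needs_attention(rules: Dict[str, Rule], attempts: List[Attempt]) -> List[Attempt]:
    """The pop-ups the user would actually see: anything no stored rule settles."""
    return [a for a in attempts if evaluate(rules, a)[0] == "ask"]


if __name__ == "__main__":
    for exe, host, port, verdict in triage(RULES, SAMPLE_ATTEMPTS):
        print(f"{verdict:5}  {exe} -> {host}:{port}")
```

Of the five constructed attempts, only two reach the user: the unknown program in the Temp directory, and iexplore.exe after its hash changed. The IRC connection from an unmodified browser and the updater are settled silently by stored rules, which is the "option to decide how you want to handle it" part of the argument; what the evaluator cannot do is say anything about a process that never passes through it.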
 
Morten Skarstad

Kerodo wrote:
[Blaster, Sasser etc]
This is not always the case. I used to regularly reformat and reinstall
here without any firewall, exposed to the internet for hours before
putting one in. Nothing ever happened. This is because my ISP blocks
135-139 and 445 and a few others for me. Many ISPs do this. So to say
that an exposed machine will be raped within minutes is misleading in
many, if not a majority of the cases.

True. Around here "everybody" has some sort of broadband these days,
which usually means a router with NAT. That also prevents this sort of
things. But I've had several cases of Blaster in my family, mostly from
dialup users. And of course there is always the risk of having other
infected computers around in your local network. For instance, if the
old computer you put in the kids room for them to play with has caught
some form of venereal disease, or your broadband router has a wireless
interface you didn't bother to lock down and you get infected from your
freeloading neighbor.

The bottom line is that you'd better be sure that the vulnerable ports of
your newly installed wonder are not exposed to anything hostile before
you have everything patched up. NAT, external filtering (which would
include that done by your ISP), personal firewall, or even not
connecting to the net at all until you have installed all patches from a CD.
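
Added example, not from anyone in the thread: a check for the bottom line above and for the house-with-doors post earlier. It parses a constructed `netstat -an` listing from a default XP install, picks out the sockets that accept unsolicited traffic, and reports which of the ports the thread names (135, 137-139, 445) an attacker can still reach under each of the arrangements mentioned: nothing, ISP filtering, a NAT router, or a host firewall. The `attacker_on_lan` switch covers the kids' PC and unlocked-wireless cases: ISP filtering and NAT only stand between the box and the internet side. Port descriptions and the netstat sample are constructed for the example.

```python
"""Which worm-relevant ports are reachable on a fresh install (added example)."""

import re
from typing import Dict, FrozenSet, Set, Tuple

# The ports named in the thread, with the service behind each one.
WORM_PORTS: Dict[int, str] = {
    135: "RPC endpoint mapper (Blaster's way in)",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
    445: "SMB over TCP (Sasser reached LSASS through here)",
}

# Constructed sample of `netstat -an` output on a default XP install.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1031       207.46.197.32:80       ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.5:137        *:*
  UDP    192.168.1.5:138        *:*
  UDP    127.0.0.1:1026         *:*
"""

_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listening_sockets(netstat_text: str) -> Set[Tuple[str, int]]:
    """(proto, port) pairs that accept unsolicited traffic from the network:
    TCP sockets in LISTENING state and every UDP socket, skipping anything
    bound only to loopback."""
    found: Set[Tuple[str, int]] = set()
    for line in netstat_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, local_addr, port, _foreign, state = m.groups()
        if local_addr.startswith("127."):
            continue
        if proto == "TCP" and state != "LISTENING":
            continue
        found.add((proto, int(port)))
    return found


def exposed_ports(
    netstat_text: str,
    *,
    isp_blocks: FrozenSet[int] = frozenset(),
    host_fw_blocks: FrozenSet[int] = frozenset(),
    nat: bool = False,
    attacker_on_lan: bool = False,
) -> Dict[int, str]:
    """Worm-relevant ports the attacker can reach, as {port: service}.

    ISP filtering and a NAT router with no port forwards only help against
    an attacker on the internet side.  A worm already on the LAN is behind
    both of them, so against it only a filter on the host itself counts."""
    if nat and not attacker_on_lan:
        return {}
    blocked = set(host_fw_blocks)
    if not attacker_on_lan:
        blocked |= set(isp_blocks)
    return {
        port: WORM_PORTS[port]
        for _proto, port in listening_sockets(netstat_text)
        if port in WORM_PORTS and port not in blocked
    }


if __name__ == "__main__":
    isp = frozenset(range(135, 140)) | frozenset({445})  # what Kerodo's ISP drops
    xp_fw = frozenset(WORM_PORTS)                          # built-in firewall, all of them
    print("bare connection:  ", sorted(exposed_ports(SAMPLE_NETSTAT)))
    print("ISP filtering:    ", sorted(exposed_ports(SAMPLE_NETSTAT, isp_blocks=isp)))
    print("NAT router:       ", sorted(exposed_ports(SAMPLE_NETSTAT, nat=True)))
    print("worm on the LAN:  ", sorted(exposed_ports(
        SAMPLE_NETSTAT, nat=True, isp_blocks=isp, attacker_on_lan=True)))
    print("LAN + host fw:    ", sorted(exposed_ports(
        SAMPLE_NETSTAT, attacker_on_lan=True, host_fw_blocks=xp_fw)))
```

Run against a real `netstat -an` capture instead of the sample, the same parse works; the interesting line is the "worm on the LAN" case, where NAT and the ISP's filters contribute nothing and the only thing that changes the answer is `host_fw_blocks`.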
 
Morten Skarstad

Ron May wrote:
You're STILL missing the point.

Which point? "A lot of protectionware is better than a little
protectionware"? If so, I see it just fine, I just don't agree with it.
If your point is something else then you're right: I'm missing it.
In what way does a ONE-WAY firewall
provide the same or better security than a TWO-WAY firewall, all other
things being equal? The answer is that it obviously DOESN'T.

Better security? No. Same? Yes.
I just can't see the value of being ignorant about what programs are
trying to access the internet without your knowledge or approval. Even
if you THINK you can do an adequate job by manually monitoring
connection logs, that's NOT an argument against using an outgoing
firewall as an automated backup. It doesn't prevent you from doing
BOTH if you want to.

Am I a terribly lax person if my immediate response to this would be
that I prefer to do neither?
More importantly, when we consider your model of a "compromised"
computer system, what that means is that ALL of your other
precautions, INCLUDING your incoming one-way firewall have ALREADY
failed, right?

Right on. No matter how high your firewall is it is not a guarantee.
Especially if the user is inclined to be pleasantly surprised whenever
he finds a wooden horse on his doorstep.
In that event, an outgoing firewall alert MAY be your
FIRST AND ONLY INDICATION of some kind of rogue software AFTER all of
your OTHER security measures failed to prevent or detect it in the
first place. Even if using an outgoing firewall is not an absolute
guarantee of detection, the odds are certainly in favor of it working
as opposed to NOT working in your scenario.

Sure, you'll probably hear the faint chime of a penny hitting the floor
when you see the LED on your NIC blinking like crazy while your personal
firewall is reporting a grand total of zero traffic. Then you look
closer and discover that your AV is running blind, your task manager is
disabled and typing "REGEDIT.EXE" only opens solitaire.

You seem very concerned about monitoring, detecting and logging a lot of
stuff. Fine, I'm sure your firewall keeps you plenty happy. And I'm all
for a last line of defense, it's just too bad that egress filtering does
not give you that. It's more like the reinforcements that arrive too
late and get ambushed on their own soil.
Bottom line, if you're going to run ANY firewall, it makes NO sense to
run one that DOESN'T monitor both incoming and outgoing connections
and give you the OPTION to restrict or allow traffic as you see fit.

I reserve the right to prefer my own ignorance to options, bells,
whistles and four way firewalls asking me whenever something hits the
loopback interface. Especially if they come bundled into a bloated
package that drags half my system down with it.

Oh, and speaking of options, this thread made me remember this great
post that was made on another newsgroup some while ago. This person had
installed some third party firewall, and kept getting warnings popping
up that iexplore.exe wanted to access the Internet. The solution? Delete
iexplore.exe, discover that surfing was suddenly rendered impossible,
and then go to a newsgroup and ask how to fix the problem :D
 
elaich

If your computer wants to send anything it is not supposed to send, it
can only be assumed that your computer is compromised. If your computer
is compromised, you can not trust the software running on it. That
includes your operating system, that includes your applications, and
that includes your Chinese firewall.

Smart people know how to tell when their computer is compromised. They
don't rely on software to tell them. Also, smart people know how to KEEP
their computers from being compromised.

I only use my firewall to stop all the things that Uncle Billy wants to
call out and report home.

Why don't you offer something positive, instead of endless rants about
firewalls? If someone was dumb enough to allow malware to be installed on
their computer, they aren't listening to you to begin with.

You could begin by saying "trusted apps are not stopped by a firewall."
 
Art

My 2 cents on what has become a long OT thread:

I've never been interested in file/printer sharing, and starting way
back in my Win 98 days with just one PC on the internet, I bound
adapters to TCP/IP only, removed NetBios, and disabled other services
as necessary to make sure all internet ports were closed. I flirted
with the use of free sw firewalls anyway, and found them useful for
alerting me to the fact that my ISP's connection sw was "calling out"
for alleged legit purposes. That caused me to dump their sw and simply
set up a network dialup connection instead. Since RAM and other
resources were precious in those days, I chose to not use a sw
firewall on a regular basis since I didn't need one for anything. That
approach continued on for years, even after getting DSL service.

The idea that you need a sw firewall only for broadband is, of course,
nonsense. It's tied in with the risky notion that being online for
just a short time with dialup and open ports/enabled services is
ok. What's a "short time"? Sure, people have gotten away with
it, but basically it doesn't make any good security sense, and it's
bad general advice.

More nonsense is the idea that "stealthing" hides your PC. All it does
is inform a potential attacker that the PC at your IP address is
online and using a firewall. If you are offline or powered down,
the attacker receives a response from your ISP.

Early last year, I wanted two PCs to share our DSL service, so I
purchased a NAT router/firewall. Since I'm still not interested in
file/printer sharing, both PCs have all unnecessary services disabled
anyway, according to my old habits and custom. Even though
resources aren't an issue now, I still don't bother having a sw
firewall active continually. I do use Sygate once in awhile
because of its excellent traffic log. It's one of my generic testing
tools for finding potential spyware/malware before I do backups.
I just don't depend on it, or any one means of checking port
activity.

In haunting the virus newsgroups for years, I've sometimes seen
complaints like "I just disabled my firewall for a short time and ..."
they take hits. People don't realize that it just takes a few
minutes nowadays to take hits. An external fw/router is the best bet in
any event.

Recently, I had occasion to try an install of Win 98SE. I did my
customary hardening and then went to Windows Update (WU)
to see if there were any critical security patches available.
I found that the WU Trojan had re-enabled NetBios and file/printer
sharing. So anyone not using an external fw/router had better
have the install file of their favorite sw firewall handy on CD
to install immediately after installing Windows and before going
online to WU.

With Windows XP, closing all internet ports is a daunting task, and
most users will not be able to do it and wouldn't even try. The use of
the XP fw is sometimes recommended by experts as all XP users need.
It makes more sense to me to relegate the task of blocking unsolicited
incoming to an external dedicated box rather than software.
These heated arguments/debates over sw firewalls have been
going on on various newsgroups and forums for as long as I've been on
the internet. I really feel sorry for newbies trying to get some
straight info and answers to their questions. I now advise the
use of an external NAT fw/router with a third party sw fw strictly
as an option .... depending on individual wants, needs and preferences
.... regardless of which OS they're using. Again, I find Sygate in
particular to be a very nice "optional tool" for testing and
monitoring purposes. But that's all.

Art
http://home.epix.net/~artnpeg
 
Susan Bugher

Morten said:
No matter how high your firewall is it is not a guarantee.
Especially if the user is inclined to be pleasantly surprised whenever
he finds a wooden horse on his doorstep.

That's a wonderful description. ISTM teenagers in particular are often
like that. Advising that one should be wary of Greeks bearing gifts
doesn't help, they don't/won't listen. Ah, the joys of parenting. :)

Susan
--
Posted to alt.comp.freeware
Search alt.comp.freeware (or read it online):
http://www.google.com/advanced_group_search?q=+group:alt.comp.freeware
Pricelessware & ACF: http://www.pricelesswarehome.org
Pricelessware: http://www.pricelessware.org (not maintained)
 
Al Klein

Ron May wrote:
Better security? No. Same? Yes.

Same? No. Less? Yes. It doesn't prevent programs from "phoning
home".
You seem very concerned about monitoring, detecting and logging a lot of
stuff. Fine, I'm sure your firewall keeps you plenty happy. And I'm all
for a last line of defense, it's just too bad that egress filtering does
not give you that. It's more like the reinforcements that arrive too
late and get ambushed on their own soil.

Not for a program that, say, sends your email address book, or
password file outward. Then it's the only line of defense you really
need, since the program does very little other damage (like eating CPU
cycles).
Oh, and speaking of options, this thread made me remember this great
post that was made on another newsgroup some while ago. This person had
installed some third party firewall, and kept getting warnings popping
up that iexplore.exe wanted to access the Internet. The solution? Delete
iexplore.exe, discover that surfing was suddenly rendered impossible,
and then go to a newsgroup and ask how to fix the problem :D

You're equating computer illiterates with those who have been using
computers for decades?
 
Kerodo

Same? No. Less? Yes. It doesn't prevent programs from "phoning
home".


Not for a program that, say, sends your email address book, or
password file outward. Then it's the only line of defense you really
need, since the program does very little other damage (like eating CPU
cycles).

I think the point here is that some folks argue that no personal
firewall can stop determined malware from getting out, so why try?
 
Ron May

Ron May wrote:

Which point? "A lot of protectionware is better than a little
protectionware"? If so, I see it just fine, I just don't agree with it.
If you're point is something else then you're right: I'm missing it.


Better security? No. Same? Yes.


Am I a terribly lax person if my immediate response to this would be
that I prefer to do neither?

No, not lax at all. Just totally clueless about programs on your
system that MIGHT be accessing the internet without your knowledge.
The logic of how you consider that level of ignorance to be a GOOD
thing escapes me.
Right on. No matter how high your firewall is it is not a guarantee.
Especially if the user is inclined to be pleasantly surprised whenever
he finds a wooden horse on his doorstep.

What you seem to have been saying throughout this exchange is "I don't
need a two-way firewall because I take all necessary precautions"
implying perhaps that those who follow your example wouldn't need or
benefit from an outgoing firewall.

No one is arguing against the need to take all the necessary
precautions or that somehow using an outgoing firewall would replace
other common sense security practices. In fact, I think it's a rather
arrogant assumption on your part that the typical member of this
newsgroup WOULDN'T follow security measures at least comparable to the
ones you employ, especially considering the level of expertise,
knowledge and experience of the average ACF reader with respect to
downloaded software.

What I've been trying to say is that, assuming two users take
IDENTICAL precautions with the sole difference being their choice of
firewall options, the one with an incoming AND outgoing firewall
enabled has a security advantage over the user who DOESN'T know that a
program is trying to access the internet without her or his knowledge.
I'll grant you that in the vast majority of cases, that "behind the
back" approach has a benign purpose (e.g., checking for updates) but
how can you KNOW what the purpose is if you're living in blissful
ignorance of surreptitious connections on your system?
Sure, you'll probably hear the faint chime of a penny hitting the floor
when you see the LED on your NIC blinking like crazy while your personal
firewall is reporting a grand total of zero traffic. Then you look
closer and discover that your AV is running blind, your task manager is
disabled and typing "REGEDIT.EXE" only opens solitaire.

My NIC light is in back with the cables. The traffic lights on my
router and cable modem "blink like crazy" all the time. That's just
how my Comcast service works. I "see" the traffic on the common
server and not just the traffic originating from or terminating on my
WAN IP alone. I do get an indication on my firewall icon in the
system tray showing MY incoming AND outgoing system traffic. <g>

Your "doomsday scenario" above is the result of stringing too many
conditional "ifs" together that have to happen in order to make it
work.

You set up a straw man argument and then try to tear it down in a
feeble attempt to show that a two-way firewall has no value. I would
submit for your consideration that it's possible for something to get
on your system that has the capability to do major or minor harm,
while at the same time, DOESN'T have the capability to totally render
every known outgoing firewall completely useless. THAT is where your
argument breaks down.

In fact, I would suggest a scenario that is FAR more likely than
yours, and that is that some trojan finds its way on to your system
undetected and does no IMMEDIATE harm, but tries to connect to the
internet to download some malicious code that can completely HOSE your
system. (And before you argue that's a long shot, I'll expect you to
explain how a "universal outgoing firewall disabler" in YOUR scenario
is a greater risk, AND what your strategy is to prevent that unique
threat.)
You seem very concerned about monitoring, detecting and logging a lot of
stuff. Fine, I'm sure your firewall keeps you plenty happy. And I'm all
for a last line of defense, it's just too bad that egress filtering does
not give you that. It's more like the reinforcements that arrive too
late and get ambushed on their own soil.

I think it DOES add one more layer of security (except in your
"universal outgoing firewall disabler" worm/virus/trojan scenario,)
and whatever level of protection or detection it provides is certainly
more than you have with a firewall that only works in one direction.
I reserve the right to prefer my own ignorance to options, bells,
whistles and four way firewalls asking me whenever something hits the
loopback interface. Especially if they come bundled into a bloated
package that drags half my system down with it.

You haven't tried many firewalls if you believe the reason for "bloat"
is in the difference between one-way and two-way versions. I don't
know what kind of system you're running, and if it's a bit outdated
and underpowered, some firewalls may cause more of a performance hit
than is reasonable, but in the past, for instance, I've used Kerio
2.1.5 on a P166 laptop with a 2G HD and 32M RAM under Win98 and it
used very little resources. The contemporaneous Zone Alarm version
back then, however, would have used more resources than I would have
felt was acceptable under the circumstances. Both are/were two-way
firewalls. The "bloat" differential was due to other factors.
Oh, and speaking of options, this thread made me remember this great
post that was made on another newsgroup some while ago. This person had
installed some third party firewall, and kept getting warnings popping
up that iexplore.exe wanted to access the Internet. The solution? Delete
iexplore.exe, discover that surfing was suddenly rendered impossible,
and then go to a newsgroup and ask how to fix the problem :D

Quite frankly, I hope you never learn the value of a two-way firewall
AFTER THE FACT by direct experience the hard way, but no one can say
you weren't adequately informed about the risks. If you're running
only a one way firewall on a cable or dsl connection (rather than
dialup,) and you download software with any regularity at all, I can
virtually guarantee you have programs on your system NOW that connect
to the internet without your knowledge. Are they benign? Probably,
but how can you be sure if you have no inkling that a connection is
being made in the first place?

Since I'm behind a NAT router anyway, in my case it's the INCOMING
side of the software firewall that provides redundancy. The OUTGOING
side monitoring is the primary reason for using a software firewall of
any kind to begin with. Does that mean I should configure my incoming
side to allow all traffic that might get past the router? Of course
not, but it makes as much sense as your argument.

My concern is that the same type of newbie who might delete
iexplore.exe in your example could think the default Windows Firewall
on XP gives her or him all the protection they need without realizing
it handles only one side of the equation.

As others have indicated, this has become a long thread. I'm bailing
out at this point, so the last word is yours if you want it. I'll
read what you say, but don't look for a response.
 
Al Klein

I think the point here is that some folks argue that no personal
firewall can stop determined malware from getting out, so why try?

No law enforcement can stop a determined criminal, so why try?
 
John Fitzsimons

I think the point here is that some folks argue that no personal
firewall can stop determined malware from getting out, so why try?

Locks, and burglar alarms, may not stop determined burglars. So
perhaps everyone should leave their houses unlocked ?

Er....no.
 
Kerodo

DELETEucwubqf02 said:
Locks, and burglar alarms, may not stop determined burglars. So
perhaps everyone should leave their houses unlocked ?

Er....no.

That's not really a good analogy.. In your case, the guard is you, so
you'd be keeping watch, not the alarm or the lock on the door. Some
folks believe that a personal firewall is useless because malware can
and will get past them. Others believe that they should be used since
they will catch at least some of the attempts of malware to get out. I
can see both sides of the argument I guess. My personal opinion and
philosophy is that the user needs to keep the crap off the system to
begin with. If that's done, then there will be no problems, personal
firewall or not. But I suppose if the user is going to do p2p and
download and install executables from dubious places, go to porn sites,
and surf everywhere imaginable, then he best load up on security apps,
otherwise he's dead meat for sure.. It all really boils down to how you
use your machine and how wise you are about it.
 
Al Klein

My personal opinion and
philosophy is that the user needs to keep the crap off the system to
begin with. If that's done, then there will be no problems, personal
firewall or not.

That doesn't help your typical computer illiterate who downloaded what
he thought he was supposed to download, only to find ET phoning home.
And those who are computer literate don't ask questions like these.
 
Kerodo

That doesn't help your typical computer illiterate who downloaded what
he thought he was supposed to download, only to find ET phoning home.
And those who are computer literate don't ask questions like these.

Yep...
 
Aaron

That doesn't help your typical computer illiterate who downloaded what
he thought he was supposed to download, only to find ET phoning home.

The typical computer illiterate will probably impatiently click
'allow' just to dismiss the firewall prompt anyway :)

And there's always the question of cost/benefit ratio even for the
computer literate. If for the sake of argument your firewall only blocks
1% (just randomly plucking numbers out of the air), of serious malware,
and the less serious types can be avoided simply by being careful
(reading EULAs for adware type stuff) then the question becomes is it
worth spending the time on configuring the firewall and any resources it
uses?

For some people it might be, for some it would not be because the
benefits are too small compared to the costs.

I'm not saying you shouldn't use personal firewalls, I just find certain
arguments kind of flaky, because they don't consider the cost factor.
 
