From: Daddy on
On 12/17/2009 5:40 PM, Steve W. wrote:
> Daddy wrote:
>> I'm asking for opinions on whether an outbound (software) firewall is
>> still necessary, but first here's a little background to put my question
>> in context.
>>
>> The reason I'm asking is because I have this "thing" about running a
>> lean configuration.
>>
>> The question I'm asking is only applicable to users who are
>> knowledgeable about security risks and conscientious in their practice
>> of safe computing in the first place. I like to imagine myself in that
>> group.
>>
>> If your outbound firewall is alerting you, that means you're already
>> infected. Malware got past your own defenses and those provided by your
>> malware detector. But those malware detectors are getting better all the
>> time.
>>
>> My question boils down to this: Is the added overhead of a third-party
>> software firewall - and the effort needed to understand what the he**
>> it's doing - worthwhile in light of the advances being made by malware
>> detectors?
>>
>> The better malware detectors are updated continuously and their response
>> to zero-day exploits is getting better and better. They increasingly
>> rely on behavioral analysis and they're getting better at it.
>>
>> Sure, there's nothing wrong with a belt-and-suspenders approach to
>> security, but when do you say "enough"? Do you need KIS if you have
>> KAV? Still need NIS if you have NAV? Enough with the poetry...you get my
>> drift.
>>
>> Daddy
>
> I would say it is even higher priority now than it was to have an
> outgoing firewall. Look at how many of the latest viruses have been able
> to shut down the AV and AS products. About the only way you're going to
> notice those is when they start sending out traffic.
>
>

You make a good point. But if malware is smart enough to disable
someone's av/as scanner, and/or prevent someone from accessing their
cloud-based scanner (e.g. Prevx, Panda), you don't think it's also smart
enough to disable or spoof a firewall?

For that matter, have you heard of a firewall popping up a prompt saying
"Trojan.Kiss.My.A. is trying to access the internet. Do you wish to
permit the connection?" You're more likely to get prompted about
Trojan.Kiss.My.A. by your malware scanner.

Daddy
From: Daddy on
On 12/18/2009 8:41 AM, Bob Villa wrote:
> On Dec 17, 2:06 pm, Daddy<da...(a)invalid.invalid> wrote:
>> I'm asking for opinions on whether an outbound (software) firewall is
>> still necessary, but first here's a little background to put my question
>> in context.
>>
>> The reason I'm asking is because I have this "thing" about running a
>> lean configuration.
>>
>> The question I'm asking is only applicable to users who are
>> knowledgeable about security risks and conscientious in their practice
>> of safe computing in the first place. I like to imagine myself in that
>> group.
>>
>> If your outbound firewall is alerting you, that means you're already
>> infected. Malware got past your own defenses and those provided by your
>> malware detector. But those malware detectors are getting better all the
>> time.
>>
>> My question boils down to this: Is the added overhead of a third-party
>> software firewall - and the effort needed to understand what the he**
>> it's doing - worthwhile in light of the advances being made by malware
>> detectors?
>>
>> The better malware detectors are updated continuously and their response
>> to zero-day exploits is getting better and better. They increasingly
>> rely on behavioral analysis and they're getting better at it.
>>
>> Sure, there's nothing wrong with a belt-and-suspenders approach to
>> security, but when do you say "enough"? Do you need KIS if you have
>> KAV? Still need NIS if you have NAV? Enough with the poetry...you get my
>> drift.
>>
>> Daddy
>
> From what I have heard, if you are behind a hardware firewall with
> good password protection...then all that is needed is the Windows
> (XP,Vista,Win7) firewall.
>
> bob_v

Thanks, RnR and Bob.

Backing up is a critical part of PC security, and it's something I do
regularly and in several different ways. In fact, if my computer were to
be infected - something I've been able to avoid thus far - I'd be more
likely to just restore a good backup rather than dealing with the
infection. Today's malware is just too good at what it does.

A hardware firewall - which, for most people, is a NAT router, possibly
with SPI - will prevent unsolicited packets from entering a network. But
if a user willingly downloads that infected e-mail attachment, a router
won't stand in the way.

The argument in favor of having a software firewall even if you're
behind a router is to protect your computer from the other computers on
the network.

Daddy
From: William R. Walsh on
hi!

> I'm asking for opinions on whether an outbound (software) firewall
> is still necessary

The short answer (from me) is "you can use one but is it really wise
to do so?"

> If your outbound firewall is alerting you, that means you're already
> infected. Malware got past your own defenses and those provided
> by your malware detector. But those malware detectors are getting
> better all the time.

Unfortunately, so too are the malware authors. They're digging deeper
into the system, getting better at their programming and making their
false alerts look a lot more convincing.

Here's my line of thought about a third party outbound-filtering
firewall: it's a great theory with some problems.

Another poster already mentioned that some malware will shut down your
defenses, possibly forcefully. Well, that includes the firewall
software. And I'm sure there will be malware coming--if there isn't
some already--that will shut down personal firewall software. If
there's a way to stop these programs from a user's perspective, you
can bet the bad guys will figure it out and take advantage of it.

The other problem I see is complexity. I'm not aware of an add-on
software firewall that just sits quietly and does its job in a simple,
integrated manner. This is the biggest point that something like the
Windows Firewall offers: yes, it's simplistic but that means there is
a lot less to potentially break and leave you unprotected. Every add-
on Windows firewall software package I've examined seems to be
designed around the principle that some big foreground application
should provide the firewall service as opposed to, you know, an actual
service that does the work. Sometimes that foreground program doesn't
run until the machine has finished starting up or a user has logged
on.

Perhaps the biggest thing working against a firewall that offers
outbound filtering is the alerts. The average user won't know what to
do with them, and one of two things will happen:

1. The user will allow absolutely everything.
2. The user will disallow absolutely everything.

Firewall software developers can help to mitigate this a little by
collecting information on a wide variety of running processes.
However, there's no way to account for the immeasurable number of
software programs and configurations that their users will run into,
even if they try to collect statistics on what programs their software
sees while it is running.

Responding sensibly to an alert can be a challenge for even a more
accomplished user, especially if extensive research is required to
figure out what a given program or component actually *does* and if it
should be wandering out into the public Internet or not.

I maintain that application-based firewall filtering software is "feel
good" software. There are too many ways to subvert it, and I dare say
it would not hold up well at all in the face of a rootkit or other
serious system compromise. Therefore I also maintain that it can lull
someone into a false sense of security.

The Windows Firewall (in Windows XP SP2 and later) is at least
somewhat capable of outbound filtering--if a program attempts to
create a service on a TCP/IP port, the Windows Firewall can (and does)
filter this. Programs that merely establish connections to other
servers or computers won't necessarily set it off--nor will they
necessarily set off other firewall software.

If you want a good firewall, even a cheap NAT routing device such as a
wired or wireless router will do a lot by "privatizing" your network
from the outside world. These days, nearly all of them contain an
inbound-filtering firewall to further wall things off. Programs that
attempt to act as Internet-facing servers will be blocked by default
as well* by these devices, unless you arrange for them to be allowed
out. And if you need something better than that, it would not be a bad
idea to look at building a proper firewall appliance using something
like m0n0wall running on an older PC. A firewall appliance can be used
to make a very precise and effective filtering system by controlling
what sort of communications are allowed to start with.

Finally, using a dedicated device means that a weakness in the
firewall software will have somewhat less chance of compromising or
performing a denial-of-service against your PC. Should your PC become
compromised, it can also raise the bar a bit by offering some
additional assurance that your firewall device will remain in effect,
so it could help contain some of the problem**.

William

* UPnP is a notable exception to this, in that it allows applications
that need to modify a firewall device's effective policy to let them
through to the outside world by way of port forwarding. This can be
done without your knowledge or consent if UPnP support is enabled on
your NAT/firewall device. (Most devices support it but leave the
setting disabled.) Unless you require UPnP for a specific application,
you will be well advised to leave it disabled or ensure that it is
turned off.

** Since most of these devices are administered via a web-based user
interface that utilizes some scripting tricks to get the job done, it
has been discovered that issuing a command script to some devices will
cause them to follow the instructions. Malicious web pages (or HTML
content in general) can try to exploit this by way of so-called "cross
site scripting" attacks. For this reason, you should *always* change
the default password on your device and consider changing the user
name as well, if it's allowed.
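One way to verify that a router's UPnP support is really off, as the footnote above recommends, is to check whether anything on the LAN still answers an SSDP search for the Internet Gateway Device profile that UPnP port forwarding relies on. This is an added example, not code from the thread or from any product mentioned in it; the sample reply, the 192.168.1.1 address and the all-zero UUID are constructed.

```python
"""Check whether a home router still answers UPnP IGD discovery (added example)."""
import socket

SSDP_ADDR = ("239.255.255.250", 1900)  # standard SSDP multicast group and port
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"


def build_msearch(search_target: str = IGD_ST, mx: int = 2) -> bytes:
    """Build an SSDP M-SEARCH request (HTTP-over-UDP, CRLF line endings)."""
    lines = ["M-SEARCH * HTTP/1.1", f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}",
             'MAN: "ssdp:discover"', f"MX: {mx}", f"ST: {search_target}", "", ""]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw: bytes) -> dict:
    """Parse a unicast SSDP reply into a lower-cased header -> value dict.
    Returns {} when the status line is not HTTP 200."""
    head = raw.decode("ascii", errors="replace").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # split at the first colon only
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def is_igd_advertisement(headers: dict) -> bool:
    """True when the reply advertises an Internet Gateway Device, i.e. the
    service a UPnP client would ask to open a port mapping."""
    return headers.get("st", "").startswith(
        "urn:schemas-upnp-org:device:InternetGatewayDevice")


def discover_igd(timeout: float = 3.0) -> list:
    """Send the M-SEARCH on the LAN and return (address, LOCATION) for each
    IGD that answers. An empty list is what you want after disabling UPnP."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.settimeout(timeout)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    found = []
    try:
        sock.sendto(build_msearch(), SSDP_ADDR)
        while True:
            try:
                data, addr = sock.recvfrom(65507)
            except socket.timeout:
                break
            hdrs = parse_ssdp_response(data)
            if is_igd_advertisement(hdrs):
                found.append((addr[0], hdrs.get("location", "")))
    finally:
        sock.close()
    return found


# Constructed sample reply in the shape a router advertising IGD would send.
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
                b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                b"USN: uuid:00000000-0000-0000-0000-000000000000::"
                b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                b"LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
                b"SERVER: Example-Router/1.0 UPnP/1.0\r\n\r\n")

if __name__ == "__main__":
    hits = discover_igd()
    print("UPnP IGD still answering:" if hits else "No UPnP IGD answered.", hits)
```

Run it from a machine on the LAN after turning UPnP off in the router; a reply with a LOCATION header means the setting did not take effect.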
From: Daddy on
On 12/18/2009 11:37 AM, William R. Walsh wrote:
> hi!
>
>> I'm asking for opinions on whether an outbound (software) firewall
>> is still necessary
>
> The short answer (from me) is "you can use one but is it really wise
> to do so?"
>
>> If your outbound firewall is alerting you, that means you're already
>> infected. Malware got past your own defenses and those provided
>> by your malware detector. But those malware detectors are getting
>> better all the time.
>
> Unfortunately, so too are the malware authors. They're digging deeper
> into the system, getting better at their programming and making their
> false alerts look a lot more convincing.
>
> Here's my line of thought about a third party outbound-filtering
> firewall: it's a great theory with some problems.
>
> Another poster already mentioned that some malware will shut down your
> defenses, possibly forcefully. Well, that includes the firewall
> software. And I'm sure there will be malware coming--if there isn't
> some already--that will shut down personal firewall software. If
> there's a way to stop these programs from a user's perspective, you
> can bet the bad guys will figure it out and take advantage of it.
>
> The other problem I see is complexity. I'm not aware of an add-on
> software firewall that just sits quietly and does its job in a simple,
> integrated manner. This is the biggest point that something like the
> Windows Firewall offers: yes, it's simplistic but that means there is
> a lot less to potentially break and leave you unprotected. Every add-
> on Windows firewall software package I've examined seems to be
> designed around the principle that some big foreground application
> should provide the firewall service as opposed to, you know, an actual
> service that does the work. Sometimes that foreground program doesn't
> run until the machine has finished starting up or a user has logged
> on.
>
> Perhaps the biggest thing working against a firewall that offers
> outbound filtering is the alerts. The average user won't know what to
> do with them, and one of two things will happen:
>
> 1. The user will allow absolutely everything.
> 2. The user will disallow absolutely everything.
>
> Firewall software developers can help to mitigate this a little by
> collecting information on a wide variety of running processes.
> However, there's no way to account for the immeasurable number of
> software programs and configurations that their users will run into,
> even if they try to collect statistics on what programs their software
> sees while it is running.
>
> Responding sensibly to an alert can be a challenge for even a more
> accomplished user, especially if extensive research is required to
> figure out what a given program or component actually *does* and if it
> should be wandering out into the public Internet or not.
>
> I maintain that application-based firewall filtering software is "feel
> good" software. There are too many ways to subvert it, and I dare say
> it would not hold up well at all in the face of a rootkit or other
> serious system compromise. Therefore I also maintain that it can lull
> someone into a false sense of security.
>
> The Windows Firewall (in Windows XP SP2 and later) is at least
> somewhat capable of outbound filtering--if a program attempts to
> create a service on a TCP/IP port, the Windows Firewall can (and does)
> filter this. Programs that merely establish connections to other
> servers or computers won't necessarily set it off--nor will they
> necessarily set off other firewall software.
>
> If you want a good firewall, even a cheap NAT routing device such as a
> wired or wireless router will do a lot by "privatizing" your network
> from the outside world. These days, nearly all of them contain an
> inbound-filtering firewall to further wall things off. Programs that
> attempt to act as Internet-facing servers will be blocked by default
> as well* by these devices, unless you arrange for them to be allowed
> out. And if you need something better than that, it would not be a bad
> idea to look at building a proper firewall appliance using something
> like m0n0wall running on an older PC. A firewall appliance can be used
> to make a very precise and effective filtering system by controlling
> what sort of communications are allowed to start with.
>
> Finally, using a dedicated device means that a weakness in the
> firewall software will have somewhat less chance of compromising or
> performing a denial-of-service against your PC. Should your PC become
> compromised, it can also raise the bar a bit by offering some
> additional assurance that your firewall device will remain in effect,
> so it could help contain some of the problem**.
>
> William
>
> * UPnP is a notable exception to this, in that it allows applications
> that need to modify a firewall device's effective policy to let them
> through to the outside world by way of port forwarding. This can be
> done without your knowledge or consent if UPnP support is enabled on
> your NAT/firewall device. (Most devices support it but leave the
> setting disabled.) Unless you require UPnP for a specific application,
> you will be well advised to leave it disabled or ensure that it is
> turned off.
>
> ** Since most of these devices are administered via a web-based user
> interface that utilizes some scripting tricks to get the job done, it
> has been discovered that issuing a command script to some devices will
> cause them to follow the instructions. Malicious web pages (or HTML
> content in general) can try to exploit this by way of so-called "cross
> site scripting" attacks. For this reason, you should *always* change
> the default password on your device and consider changing the user
> name as well, if it's allowed.

Wow!

Thank you very much, William, for your detailed and - as usual - well
thought-out ideas.

I must say I tend to agree with you, and with Larry Osterman, who wrote:
"IMHO outbound firewalls are 100% security theater."

As an addendum: I disabled UPnP support in my router. As far as I can
tell, I don't have any UPnP devices on my network, and don't wish to add
any such thing. At least, not until I understand UPnP much better.

Daddy
From: William R. Walsh on
Hi!

> Thank you very much, William, for your detailed and - as usual -
> well thought-out ideas.

You are certainly welcome. I won't gloat (much) and absolutely don't
claim to know everything, but I've been doing this for a long time and
have come across a lot of different ideas over time. And I experiment
with technology a lot--I love the stuff and like to keep up with
what's going on. I like to tell people that I don't know what is wrong
with me that I enjoy tinkering with computers so much, but I sure do.

> I don't have any UPnP devices on my network, and don't wish to
> add any such thing. At least, not until I understand UPnP
> much better.

Windows XP and later have some support for UPnP, at least on the
receiving end. It can be used (when it is used, which doesn't appear
to be terribly often) to discover other devices on your network that
are advertising services. Windows could (in theory) configure itself
to communicate with the device, supposedly in an effortless manner.

And that's the whole premise upon which UPnP is built--if you buy some
sort of device or software program that needs to configure your
network a certain way for it to work, UPnP can allow that to happen,
silently and without asking the user a bunch of technical questions.

I suppose it's great for "honest" applications and those who barely
understand the network they have. I see it as a security risk, because
I know that all of its uses may not be aboveboard, and also as a
potential headache because it could conceivably break something that
has been Carefully Arranged(tm) to work in a certain way. If something
is going to break my network, I'd just as soon it was me, because then
I know what I've done and will probably have the lightbulb go on at
some point to fix the problem.

William