Software Firewalls? Do we need them?


Post by Guest on 6/5/2010, 06:02

For years I clung to the paradigm of: 1. real-time anti-virus; 2. either a real-time "anti-spyware" application or a hard disk full of on-demands; 3. a software firewall.

I phased out the real-time "anti-spyware" at about Avira version 9, which added that function to the free version.

Real-time AV was sent to the Elysian Fields when I teamed first Returnil 2008, and later ShadowDefender, with Sandboxie.

The huge arsenal of on-demands were whittled down when...They just started to seem silly.

The last, and hardest, was to give up the third party firewall.

For years I noticed that with my NAT router, I passed all of the online "firewall tests" with or without the third party firewall enabled.

Over the years I had devolved from the HIPS-equipped, test-passing super firewalls such as Online Armor/Comodo to the ancient Kerio 2.1.5, which gave basic 2-way protection.

With Sandboxie full, I discovered I could lock down my internet-facing applications just as well as I could with the firewall.

I make no bones about it, I do not understand firewalls.
"Packet filtering" sounds like a lager brewing technique to me.

Is there something I am missing?

If malware is already on my system (I think not!!), how does it "call out" in the absence of an outbound firewall?
Pretty basic I guess, but I never knew.

noor


Re: Software Firewalls? Do we need them?

Post by ssj100 on 6/5/2010, 08:47

Very difficult subject. I remember asking some (genuine) firewall experts to explain things to me, but I never really understood what they were talking about.

I'm going to make things as simple as I can (mainly because I don't know that much to start off):

1. Firewalls aim to control inbound and outbound traffic
2. For the home PC user, the main aim of controlling inbound traffic is to prevent you from being hacked "remotely" and to "filter incoming packets". Windows Firewall (even XP's) does both of these very well in default configuration. All I know is that filtering incoming packets helps to prevent "screwed up bytes of traffic" and therefore ensures your connection is always stable and running. I don't think it contributes anything to specifically prevent "hacking".
3. Controlling outbound traffic would only be useful if you are already infected by malware. Now there are some (more paranoid) people out there who want to control exactly what their computer is sending out (even though all software they are using is from trusted sources). I'm not one of those people! For example, those (more paranoid) people may want to block explorer.exe (a genuine Windows process) from sending out information about new executables you are running. Another example would be when security software wants to send out information about your system so that they can "improve" their software etc.

I've been there and done that. The fact is that optimally configuring a Firewall's outbound control is extremely technical and difficult for the average or even above average user. Most people simply install Comodo Firewall, Online Armor Firewall, Outpost Firewall, Kerio Firewall, Look 'n Stop Firewall etc, and simply use default-like configurations. These default configurations may still be able to protect you from any malware already on your system from calling out.

The fact is that I don't plan on having (active) malware on my system with my security setup/approach. I also use Sandboxie to isolate all my malware threat-gates (eg. web browser, online games, chat programs etc) - this means these threat-gates have no access to the sensitive files on my system, and also only certain (trusted) processes are allowed to start, run, or access the internet.

And that's why I only use Windows Firewall.

The final fact is, all you'd really need is a NAT Router, since (I think) this can filter inbound traffic as well as prevent hackers from seeing your system and hacking it remotely. I'm behind a NAT Router, but I enable Windows Firewall as a habit - if I ever used a laptop in a public place, Windows Firewall would come in handy, as I won't be behind a NAT Router.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: Software Firewalls? Do we need them?

Post by Guest on 6/5/2010, 09:09

Thanks ssj100!!
That is pretty much my understanding as well.
I will NOT be installing a third party firewall in the future,
barring someone showing me in a convincing manner I need one.

noor


Re: Software Firewalls? Do we need them?

Post by Sully on 16/5/2010, 23:55

It does take some time to learn how to use a firewall in more than the typical fashion most use it in. It is well worth the effort though if you fancy actually comprehending rather than simply following directions.

I don't believe most people need one. It can be useful in the hands of an experienced user. For example, if you have your firewall set up, and don't normally see pop-ups, when you do see one you should pay attention. Maybe it could be used as a sort of "early warning system" for rogue apps that somehow might get installed.

It has a real use though when you have processes running that wish to accept inbound communications, such as remote control applications like VNC or RDP. You must open ports in the router first, but once you do, a software firewall in my mind is crucial. You do not want just anyone hitting those remote control ports. Changing the default ports helps too, but for my remote applications, I use very strict rules in the firewall to ensure only my IP addresses or MAC addresses are allowed.

For everyday use, likely a firewall is not needed in most cases.

Sul.


Re: Software Firewalls? Do we need them?

Post by ssj100 on 18/5/2010, 10:40

Sully wrote:
It does take some time to learn how to use a firewall in more than the typical fashion most use it in. It is well worth the effort though if you fancy actually comprehending rather than simply following directions.

I don't believe most people need one. It can be useful in the hands of an experienced user. For example, if you have your firewall set up, and don't normally see pop-ups, when you do see one you should pay attention. Maybe it could be used as a sort of "early warning system" for rogue apps that somehow might get installed.

It has a real use though when you have processes running that wish to accept inbound communications, such as remote control applications like VNC or RDP. You must open ports in the router first, but once you do, a software firewall in my mind is crucial. You do not want just anyone hitting those remote control ports. Changing the default ports helps too, but for my remote applications, I use very strict rules in the firewall to ensure only my IP addresses or MAC addresses are allowed.

For everyday use, likely a firewall is not needed in most cases.

Sul.

Thanks Sully. Opening ports is something I've never fully grasped, in terms of whether it genuinely increases exposure to hackers. Currently I don't have any opened ports in Windows Firewall but I have port-forwarded a few ports in my NAT Router to allow me to host games on Battle.net for Starcraft:Brood War. On probing these opened ports with GRC ( https://www.grc.com/x/ne.dll?bh0bkyd2 ) it returns the result of "Stealth". This must be because Windows Firewall is still hiding those ports from the outside world?

I occasionally use uTorrent and realised long ago that I need to open a port for it to communicate to the outside world more effectively. With uTorrent, I need to open the port up with both Windows Firewall, as well as with my NAT Router. When I configure it like this, GRC reports that my port is "Closed" (which I think means that leet hackers could potentially stuff me over via this port). In saying this, I think these leet hackers are fairly limited to what they can do, as they can only communicate to me via the program I am using to listen to that port (in this case, uTorrent). Since I don't have any malware on my system, they can't communicate via that process. Furthermore, I always sandbox my uTorrent (as well as Starcraft). With these added protection measures, I'm not sure how much (if anything) the leet hacker can do to my system via this "Closed" port.

Any explanations/elaborations for the above behaviours Sully? Thanks.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: Software Firewalls? Do we need them?

Post by Sully on 18/5/2010, 11:50

I am not as adept at this stuff as some, but over the years I have learned a thing or two. I will try to explain.

A port exists as a window into or out of your computer. Ports are typically broken down into 3 categories: well known, registered and virtual. The well known ones are from 0 to 1023. You will see these used by common protocols, such as ftp, http, dns. The others, mainly between 1024 and 49151, you will see in programs and games, stuff like that. Typically you might see ports on your machine open that are in the well known group, such as NetBIOS ports. Windows XP had some ports open by default that were advisable to close.

Sites like the GRC have been espousing closed and stealthed ports for a long time now. I always tell people that ports are doors and windows in your house. Your house has roughly 1024 doors, and some 64,000 windows of some kind. The main traffic (such as ftp or http) traverses through the doors (like port 21 or 80). Other traffic than the most common use the windows.

Just because your house has doors and windows does not mean that they are open. Most of the time they are shut. When a salesman comes to knock, and you do not answer, he thinks no one is home. He can see the doors, and he can knock on the doors, but he gets no reply. The salesman knows the doors are there. This might be considered stealthed. If you are behind a router, it is like having a large sheet over your entire house. The salesman knows there should be a house there, but cannot see it, and also cannot see the doors, so he figures there is no house and no doors at this address. It is also a stealthed address.

If the salesman knocks on a door, and you reply from inside "Dave's not here", the salesman knows that someone lives here, and that someone is behind the door, although the door is closed. He cannot open it, but he does know it exists. It is a closed port.

Finally the salesman knocks on a door and you answer it by opening it up. Now the salesman has an open port with which to communicate to you, that he is selling something you don't need.

Thus, you have a stealthed port, your router possibly being the mechanism that keeps the probe away from your computer. You have closed ports, which exist and don't mind announcing they exist, but are closed regardless. And then you have the open ports, those that are opened up and allow communication. What is the difference between a closed port and a stealthed port? Only that the salesman knows it is a house under the sheet. He cannot do anything to open the port, he just knows it exists.

Moving on, in order for one of these doors or windows to be open, you or someone in your house must open them. Your wife, whose name is SERVICE, opens them when she cleans. Your son, whose name is APPLICATION also opens them when he plays. They both need to communicate to the outside, such as ordering the take out pizza, or telling the neighbor that they are being too loud. There are good reasons to open your doors and communicate.

However, your wife, SERVICE, does not always know to keep salesmen from climbing in through the windows she opens. She is not strong enough to stop them. They take advantage of this VULNERABILITY and slip in, trying to sell something useless and sometimes stealing from your house. Your son, APPLICATION, sometimes lets other boys in, and they too are named APPLICATION, and they are happy to open doors of their own back to their house, so that their mischievous brothers may sneak into your house.

If you have a wife and son who have flaws, other people will try to sneak in. Even if they don't have any apparent flaws, there are salesmen who watch and wait for a flaw to be found. Everyone has a flaw, and eventually it will be made known.

But, luckily you may hire Mr Clean. He is big and strong. His job will be to patrol all the doors and windows, and only allow the wife and son to open the ones that you tell him it is ok to. He will keep all others closed. And more than that, he makes sure that if your wife is allowed to open a window, and your son a door, that they cannot open each other's door/window. They are limited to exacting standards by Mr Clean. He is a wall of strength, ready to put out any fire that disgruntled salesmen might wish to start in your house. He is a firewall.

But, next enter Mr T. His job, as he comes with Mr Clean, is to monitor everything else that might happen. It is not enough that Mr Clean has the power to shut the doors and limit the wife and son to opening only what you want. Mr T, he patrols the house, waiting for your guests to even come into your house. If cousin Vinny comes over for lunch, Mr T says "is he allowed to be here?". Depending on how you answer Mr T, he might just forget about Vinny, or he might shadow him and ask if it is ok for Vinny to sit down, or go into the kitchen. Mr T is the HIPS that goes with most firewalls. The two together mean trouble for anyone wanting to do anything you have not told them it is OK to do. But, they both report to you often if you have many different guests over. Sometimes you don't want their help, it is just too exhausting, so you tell them to take a break.

Now, suppose that your wife SERVICE had a few doors open, and your son APPLICATION had a few windows open. You might just choose to move your house into the gated community of ROUTER. In ROUTER, there are armed guards. If your wife or son wish to communicate out of the community, they must have the guards send the message out. The guards have no problem doing this. If you don't want this to happen, then you need to stop it inside your house, it is not their business. And when the message returns, the guards of the community ROUTER examine what is returning. If it was requested, they let it pass. If it was not requested, they block it.

But, sometimes cousin Vinny wants to send a note to you, but you can't tell the guards that he is going to do this. So you tell the guards to allow any messages that are heading to window # 21 to be allowed and don't block it. The guards comply, and do their job on every window and door in your house except window # 21. Depending on how much you spent to get into the community of ROUTER, you might be able to tell the guards to only let a message from Vinny's address enter window # 21, and to block all others.

As you can see, ports are for communicating. If you have a service or program that is accepting incoming connection requests, a router using NAT will normally block these without an exception, called Port Forwarding. As well, if you are using a firewall, when the message passes from the router to your computer, unless you make an exception the firewall will block it.

But, why the worries? You wanted to start a program that allows others to connect to you, right? Well, yes, many times that is the case. However, there are some services or programs that are weak, or well known. If you allow them to hold a port open for communication, they might be easy prey to crack into and allow things inside that you don't want. In XP there were some services you had to shut down because they were holding ports open. All operating systems are the same. If you want to use NetBios, you must allow communication, but it might be easily targeted.

The thing to do, IMHO, is to examine what ports are actually open. If you are behind a NAT router, theoretically you don't have much to worry about. But what if another computer in your LAN becomes infected? Now the router has no control, and you are relying on what ports are open or closed, and whether the firewall is protecting you, or the HIPS part of the firewall. It might well be that the ports you are holding open are not very vulnerable, so you don't worry. Or it might be that the stupid OS has some service running by default that can be compromised. You might want to shut the service down if you don't use its functionality.

Anyway, this explanation usually helps people to understand what a port is, very simplistically. I used to use it to describe to them how running without a firewall was rather risky. But that was on dialup or early DSL, before NAT routers were the norm. Now, I don't worry about it too much because the NAT really is the best defense.

HTH.

Sul.


Re: Software Firewalls? Do we need them?

Post by ssj100 on 18/5/2010, 12:20

Thanks Sully. Good explanation! However, I don't think you answered my own questions specifically (or maybe I just didn't get it!)

1. I have port forwarded some ports in my NAT Router in order to host games on Battle.net (Starcraft).
2. I have also opened up the same ports in my Windows Firewall (let's say they are permanently open).
3. However, despite this, GRC tells me that these ports are "Closed".

Why is that? And if these ports are opened (or closed), how can the hacker target it? I understand that when the ports are closed, leet hackers can still theoretically open them and hack your system. If the port is open, then it's much simpler for them.

In saying that, I remember reading that hackers can only use whichever program is listening to that opened port to hack your system anyway - if your system is malware free, this requires a vulnerability in the program (eg. uTorrent). I suppose my last question therefore is whether a sandboxed program (eg. uTorrent) with start/run/internet access restrictions can still be targeted and hacked via an open port.

Thanks!

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: Software Firewalls? Do we need them?

Post by Sully on 18/5/2010, 21:04

The answer is in the "article" I wrote lol, just in very generic terms.

Your answer lies in whether or not the port is actually being held open for communication. If you run a software/service that opens a port, say for instance port 100, it is ready to talk. When GRC comes in, first your router will have to allow a request to local port 100 to pass. It does this when you make a hole with port forwarding. Once the router lets the inbound request to port 100 pass, next your firewall will block it, unless you make an exception in your firewall that allows inbound requests to port 100. Or, your firewall is turned off.

However, if the software/service that opens port 100 is not active, then port 100 is not being held open. Or, it could be that the protocol used on port 100 is different than the protocol being used by the incoming request, and they cannot communicate properly. It could be that the program holding the port open specifically requires something to communicate. If you use battlenet, it may be that only a battlenet client might attach to your machine.

So in your case, to see if the port is open, you must have the programs running that you have made exceptions for, and they must allow a generic connection request.

Now, think of someone wanting to hack into your computer. First, they must verify you exist. Your router, set to deny WAN pings, tells a hacker that either nothing is at the address or there is a router refusing connection. For most hackers, time to move on unless they know something about what lies behind the router, such as it being Fort Knox or something.

But, if you have ports forwarded etc, the hacker looks for an answer. They know which ports they want to approach. They know common programs being used by people that have ports open, such as filesharing and netbios. They don't attack just any port, but ones they know might be vulnerable. When your computer responds with a closed or open message, the hackers now must decide if they are to proceed based on what your reply was and if the ports they see open are worthwhile to attack.

In reality, standard services that the OS uses that hold ports open are probably the most attacked, followed by popular applications, maybe an IM client or something. Obscure ports being used by lesser known applications, they are much less likely to be attacked, unless they are really easy to circumvent.

If you port forward a lot, hopefully you don't have the programs running all the time. Games and such, usually not a problem. Opening a hole in the router is no big deal if the port is not actually open all the time. If you do become a "host", and hold a port open, awaiting communication, it would be wise to use a firewall or examine more details on the matter in your router. For example, I have ports forwarded for some games, but I don't worry about those because I don't feel they will be compromised and they are not on that often. But I also have a machine that is a TeamSpeak server, and has TightVNC installed. On that machine, those two programs hold ports open 24/7. I have it firewalled very well, because the threat just jumped significantly.

Sul.
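The chain Sully describes (a port forward on the NAT router, then an exception in the host firewall, then a program actually listening) can be written down as a small model that returns the verdict an internet-side scanner would see for one port. This is an added example, not code from the thread or from any of the products named in it; every address, port number and rule in it is constructed, the allow-listed VNC rule illustrates the earlier point about restricting remote-control ports to your own IP addresses, and the UDP case is given the verdict a scanner such as nmap actually reports (it cannot tell a silent UDP listener from a dropped packet).

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Scanner verdicts in the thread's (GRC-style) vocabulary.
STEALTH, CLOSED, OPEN = "stealth", "closed", "open"
# A UDP listener that ignores unsolicited junk sends no reply, so a scanner
# cannot distinguish it from a dropped packet; nmap reports this as:
OPEN_OR_FILTERED = "open|filtered"


@dataclass
class Router:
    """NAT router: unsolicited inbound traffic is dropped unless the
    (protocol, port) pair has been port-forwarded to the host."""
    forwards: set[tuple[str, int]] = field(default_factory=set)


@dataclass
class FirewallRule:
    """Host-firewall inbound exception; allowed_sources=None means any source."""
    proto: str
    port: int
    allowed_sources: Optional[set[str]] = None

    def matches(self, src_ip: str, proto: str, port: int) -> bool:
        return (self.proto, self.port) == (proto, port) and (
            self.allowed_sources is None or src_ip in self.allowed_sources)


@dataclass
class HostFirewall:
    """Default-deny inbound, like Windows Firewall with no exceptions."""
    enabled: bool = True
    rules: list[FirewallRule] = field(default_factory=list)


@dataclass
class Listener:
    """A program or service holding a port open (Sully's SERVICE/APPLICATION)."""
    proto: str
    port: int
    running: bool = True


def probe(src_ip: str, proto: str, port: int, router: Router,
          firewall: HostFirewall, listeners: list[Listener]) -> str:
    """Verdict an internet-side scanner at src_ip gets for one port."""
    # 1. Router: no port forward -> packet dropped, no reply at all.
    if (proto, port) not in router.forwards:
        return STEALTH
    # 2. Host firewall: no matching exception -> dropped silently as well.
    if firewall.enabled and not any(
            r.matches(src_ip, proto, port) for r in firewall.rules):
        return STEALTH
    # 3. The host's network stack answers. Nothing listening: TCP replies
    #    with RST, UDP with ICMP port-unreachable; either way "closed".
    if not any(l.proto == proto and l.port == port and l.running
               for l in listeners):
        return CLOSED
    # TCP: the OS completes the handshake whether or not the program would
    # accept this particular client, so the scanner sees "open".
    return OPEN if proto == "tcp" else OPEN_OR_FILTERED


def exposed_ports(router: Router, firewall: HostFirewall,
                  listeners: list[Listener],
                  src_ip: str = "198.51.100.7") -> list[tuple[str, int]]:
    """(proto, port) pairs that an arbitrary internet host can reach."""
    return sorted((l.proto, l.port) for l in listeners
                  if probe(src_ip, l.proto, l.port, router, firewall,
                           listeners) in (OPEN, OPEN_OR_FILTERED))


if __name__ == "__main__":
    # Constructed setup, not any poster's real configuration.
    router = Router(forwards={("tcp", 6881), ("tcp", 5900), ("udp", 8767)})
    fw = HostFirewall(rules=[
        FirewallRule("tcp", 6881),                                   # torrent client, any source
        FirewallRule("tcp", 5900, allowed_sources={"203.0.113.5"}),  # VNC, only my own IP
        FirewallRule("udp", 8767),                                   # voice-chat server
    ])
    apps = [Listener("tcp", 6881), Listener("tcp", 5900), Listener("udp", 8767)]
    for proto, port in (("tcp", 6881), ("tcp", 5900), ("udp", 8767)):
        print(proto, port, probe("198.51.100.7", proto, port, router, fw, apps))
    print("reachable by anyone:", exposed_ports(router, fw, apps))
```

Run it with the firewall rule for a port removed, or with a listener's `running` set to False, and the verdict moves between stealth, closed and open exactly as the three-step chain predicts.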


Re: Software Firewalls? Do we need them?

Post by ssj100 on 19/5/2010, 00:42

Sully, despite Starcraft being logged into Battle.net and people joining my hosted game, my port is still deemed as "Closed". I have punched holes in my NAT Router for it (otherwise no one could join my games), but I haven't punched any holes for Windows Firewall. Bizarre isn't it?

Also when a port is opened (eg. with uTorrent open and accepting incoming connections), how exactly does the hacker proceed to "hacking" you? That's what I really want to know, as I'm wondering whether Sandboxie would make a difference here or not. Ultimately, my reckoning is that if someone really wants to hack you (particularly if you like having "Open Ports"), there's not much you can do to stop them, and therefore a third party software Firewall wouldn't make a difference.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: Software Firewalls? Do we need them?

Post by Sully on 21/5/2010, 21:33

ssj100 wrote:
Sully, despite Starcraft being logged into Battle.net and people joining my hosted game, my port is still deemed as "Closed". I have punched holes in my NAT Router for it (otherwise no one could join my games), but I haven't punched any holes for Windows Firewall. Bizarre isn't it?

Also when a port is opened (eg. with uTorrent open and accepting incoming connections), how exactly does the hacker proceed to "hacking" you? That's what I really want to know, as I'm wondering whether Sandboxie would make a difference here or not. Ultimately, my reckoning is that if someone really wants to hack you (particularly if you like having "Open Ports"), there's not much you can do to stop them, and therefore a third party software Firewall wouldn't make a difference.

When you are scanning your ports, are you scanning UDP or TCP? For example, in my router I have opened port 8767 UDP for teamspeak. I have also opened 10011 and 30033 TCP for teamspeak. With no firewall, port scanners will show the TCP ports being open, but the UDP ports being closed, because they are broadcast packets, which are different from TCP (addressable/routable) packets. I have never looked to see if there is a port scanner that specifically works with UDP ports in the same way. PortForward dot com has a tool, but it doesn't work any better than a browser scanner.

In my firewall on that machine (Outpost Pro v2.1) I have a pretty strict setup. When it is enabled, those port scans on those TCP ports fail, because the firewall controls the program teamspeak and has imposed limitations.

How someone "hacks" you technically I don't know. Buffer overflow I would presume. Just because you have an open port does not mean the program holding it open is vulnerable. You not only have to have an open port to start with, but what is holding that port open has to have a weakness that can be exploited. If all of these are true, then a hacker would send data to the program on your server and possibly "get through" or cause havoc.

So how would Sandboxie mitigate this? Only tzuk has the real answer, but judging by how SBIE works, if you start a program in a sandbox, and have limitations on it that only that program (or a select few) can access the net or be allowed execution, then you are likely safe. Safe, in respect to what will happen to your system. If the compromised program (assuming it was hacked) were to now start IE for example, the SBIE rules "should" take place and allow or deny IE execution and/or net access. Any files that are modified by the attack would only be modified in the sandbox, unless you allow direct access to the same place the hacker is attempting to tamper with, which is not likely. I would think it would take a pretty sophisticated attack to enter the system via a vulnerable program AND have also taken down SBIE. Malware and company run directly in the sandbox on purpose do not even kill SBIE, so I don't imagine an exploitable program would either. Just like everything else in SBIE, it might work within the sandbox, while that program was running, but would be contained. A simple deletion of the sandbox's content would rectify the issue.

All of these issues are handled very well by utilizing a sandbox for each application. Some may not like doing that and prefer one box to many. But, if you take the time to setup a sandbox for each application that "might" ever pose problems, you will reap the rewards if it ever happens.

If you really want to know how hackers get to you, just check out some stuff on the Blaster worm, which affected millions of unpatched machines. There are plenty of lessons to learn from that one.

Sul.


Re: Software Firewalls? Do we need them?

Post by ssj100 on 22/5/2010, 01:21

I'm scanning TCP ports. As I said, it's very odd but it makes sense - my XP Windows Firewall is not allowing any exceptions whatsoever. And yet I can still host games on Battle.net by port forwarding my NAT Router. I'm guessing that Windows Firewall is still holding the Port "Stealthed" or "Closed" somehow.

Yes, it would be very interesting if Sandboxie would also contain such an attack.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)