the nessessity of a firewall?

[valhallen]

also you run the risk of d/l something that may open one or more ports to establish an outgoing connection - without a firewall alerting you to this then you wouldn't know unless you are monitoring your traffic.

Much like everyone else I have my ports closed and then have a firewall as an extra safeguard

v_Ln

[pooh sun tzu]

also you run the risk of d/l something that may open one or more ports to establish an outgoing connection - without a firewall alerting you to this then you wouldn't know unless you are monitoring your traffic.

Once again this is an administrative thing, not a security thing. I understand your need to worry about objects you download, but I personally download nothing until I know bit by bit how it is going to behave on my system according to preexisting reports. If it is going to open a service, then it will only ever open it on my computer because I allowed it. This brings us back to admins relying on a crutch, and our origonal statement... if there are no services running, what makes a firewall a security?


I think this is generally boiling down to the admin (as I should have guessed :X ) A firewalled + new admin can be just as secure as a no firewall + good admin. Thus I can see everyone's points very cleary. However... I still see no reason for me to use one again This is a great discussion guys, keep it up. Hearing your opinions and views makes me double check how I operate on an OS.


EDIT: MsMittens 2nd post was an amazing perspective on admins and security in general. If I could give her cookies over the internet I would.

[ttau]

If you mention closing ports or disabling services to most computer users you'll get nothing but a blank stare in return. I think the majority of users have a limited view of their computers,
they want to surf the net or play in photoshop or use the office apps, etc. but they don't want to deal with the internal workings. I want to live in a house, I don't know or want to know how to build one. So I think for a home user a firewall is a good investment, and I would suggest a hardware over a software firewall for ease of use.

[pooh sun tzu]

Now _that_ I can agree with. I'm sure grandma and grandpa would slap my wrists for saying the words "disabling ports". I had thought about this before, and I agree with it too. A firewall for the typical homeuser crowd may be the correct method. I'm still curious if anyone knows a need for it in my situation. Is there a way into a system that I am not aware of, that involves a computer without any running services? (or one service continually updated?) Or is no services + proper admining just as solid as a rock steady firewall?

[MrLinus]

Do you use Internet Explorer?

[pooh sun tzu]

-nods- I use MyIE2, which is a front end for IE 6. IE is also patched fully with ActiveX and java all set on "only on permissions", security level's blocking out the banned sites that I've noticed try to force malicious software too. MyIE2 blocks the popup ads, resticts banners I say, and provides that nice neat little tabbing feature Mozilla Firebird has, but with out the Mozilla Firebird

[extremez]

is no services just as solid as a rock steady firewall?

Valhallen has brought up a crucial point, and the answer is YES.

Firewalls for the home user are as much or more important in protecting a computer from outgoing activity as incoming activity. Even if you have no services running whatsoever, and regularly review you pc to make sure of this, you are still very much vulnerable. One of the most common hacks for an internet user, is exploiting their browser/email client, which are not a service but a client. Once that is done, arbitrary code can be run on your computer, and a backdoor service installed on your computer. FOr the sake of the argument, even if you checked your open ports every single day, a wiley hacker could schedule the trojan to run for only a few hours during the middle of the night and you would never discover it. Agreed, a firewall should never be a pancea but without one you don't have a hope against an attack like this, and don't think this is far fetched either, even as an astute an warey pc user, you may still fall prey to tricks like this.

[MrLinus]

I've never used MyIE2 so I can't comment on that and how effective it is (I'll trust your judgemetn to it being secure). But, IMHO, IE is a nightmare application that opens up far too much. I'd say that's one way in.

I'd also like to comment on this:

Is there a way into a system that I am not aware of, that involves a computer without any running services? (or one service continually updated?)

Not that I know of but that doesn't mean it can't happen or won't happen. At one point, man thought it impossible to fly. Today we spend hours in line waiting for the privilege of tossing ourselves up into the air. We thought the moon was made of cheese and the universe consisted of our meager solar system. Today we're contemplating a $1 trillion possibility of landing on Mars and we know the Universe is so large that some of us cannot conceive of all the possibilities out there.

Just because today there is no answer doesn't mean tomorrow someone won't break in. My view would be that you've made it tough for an attacker to break in, why not make it tougher?

[pooh sun tzu]

One of the most common hacks for an internet user, is exploiting their browser/email client, which are not a service but a client. Once that is done, arbitrary code can be run on your computer, and a backdoor service installed on your computer

I am sorry, but I do not agree with a single thing in your post. Your responce once again falls in the lap of the admin, choosing to secure their client browser or not.

but without one you don't have a hope against an attack like this,

I have all hope I configure my browser and client properly. By doing that everything is done with my permission, my choices, and with research if something I know isn't 100% trustworthy from experience and others. You assume that the admin can forget about client security, and thus falling upon a crutch again. If the browser is just as secure as the computer, (and trust me.. it is.. MS patches fix things that the normal user could already change, but wasn't default) then why even bother?

Msmittens posted:

My view would be that you've made it tough for an attacker to break in, why not make it tougher?

THAT is the question I have been waiting for! Since I see no need for a condom over a condom if the first condom is steel, then I would rather not lose net speed (and every firewall I have tried always sucks up a ton of time with the filtering it preforms). Zonealarm, port sentry, etc etc... tried it, been there.. done that.. lost a lot of processing time and bandwidth. Of course, once again this comes down to personal opinion and how good an admin is with their system. If you know anyway I can not sarafice so much bandwidth, then I will more than happily take on your point of "it can't hurt". And thanks for adding so much to this conversation, as it has made me recheck my own policies of using the computer as well as become enlightened to a few things I never thought of.


edit: As a side note, I do hope my comments are not upsetting anyone, as I can almost feel the friction starting. If you ever feel like I am coming down hard or forcing my opinion too strongly, please let me know. I am amazed at how well this topic went, since most modern day admins are so "firewall is the answer to everything!!11five", so my thanks to the maturity of everyone here and their ability to have an openminded discussion!

[extremez]

I am sorry, but I do not agree with a single thing in your post. Your responce once again falls in the lap of the admin, choosing to secure their client browser or not.

It's good that you have your clients securely configured and patched, which goes a long way, once again I'm not advocating that you get a firewall and not bother with this, the system must be secured properly first then the firewall added to fill unforseen holes.

I have all hope I configure my browser and client properly. By doing that everything is done with my permission, my choices, and with research if something I know isn't 100% trustworthy from experience and others. You assume that the admin can forget about client security, and thus falling upon a crutch again. If the browser is just as secure as the computer, (and trust me.. it is.. MS patches fix things that the normal user could already change, but wasn't default) then why even bother?

I'm sorry but if you depend on microsoft to keep IE secure with their rate of patches to discovered exploits you are suffering from "ostrich syndrome"