the nessessity of a firewall?

[pooh sun tzu]

I'm sorry but if you depend on microsoft to keep IE secure with their rate of patches to discovered exploits you are suffering from "ostrich syndrome"

I trust them yes. Development cycles is not the God of security, nor is their current list of exploits. This was a very anti MS comment towards IE, and it almost disheartens me, especially with a direct insult. I trust IE and MS enough that I support their products, beta test their software, and have never once in my entire use of windows been cracked. IE's security patches are protecting the users that are not already securing it by hand via the settings. I would rather you not reply to this, as this is my own opinion I just stated, and would rather this not turn into an opinion flame war over MS. You stated yours, I stated mine, please let it die here.

[MrLinus]

Zonealarm, port sentry, etc etc... tried it, been there.. done that.. lost a lot of processing time and bandwidth. Of course, once again this comes down to personal opinion and how good an admin is with their system. If you know anyway I can not sarafice so much bandwidth, then I will more than happily take on your point of "it can't hurt". And thanks for adding so much to this conversation, as it has made me recheck my own policies of using the computer as well as become enlightened to a few things I never thought of.

Actually, it comes down to how you setup your network. You are basing your judgements solely on host based firewalls (and free ones at that). You might want to look at having another computer offer firewall services (an old, cheap Pentium to offer iptables or the BSD firewall -- whose name escapes me) or invest in a simple hardware router/firewall. You'll see almost no degradation in speed.

Remember that a host based firewall becomes another application on your system so it shouldn't be surprising that it slows down (I won't get into my person issues with MS and how they run their systems). The same can be found when you run AV software and it slows down at boot.

In this case, the reality is you get what you pay for. Free firewalls are ok for the masses I suppose but if you need to get fancy and effect, you will pay a little more (e.g., hardware firewall)

[extremez]

I trust them yes. Development cycles is not the God of security, nor is their current list of exploits. This was a very anti MS comment towards IE

You misunderstand me. I am not a MS basher, I have no loyalty to any OS, I use windows on some of my computers, I do not imply that Windows is neccessarily secure/insecure, that is debateable, I'm simply refering to the fact that IE is the most targeted and publicized browser on the market.

You stated yours, I stated mine, please let it die here.

Agreed.

[Tiger Shark]

Pooh:

You have fallen into the trap that many of us here do. You find this stuff all rather easy and understandable yet you pitched the original question against home users. Home users are not capable of comprehending what it is you are talking about. You said yourself that your Granny would slap your wrist for mentioning disabled ports. The reason she would slap your wrist is that she has no clue whatsoever what a port is.

If you think about it, you and I and many others here know an awful lot about a very complicated subject. Joe Public and his wife Josephine know nothing of this. They know even less about the way things can be exploited. So off they go to Best Buy with thier annual Xmas bonus check and buy themselves the latest, greatest box on the shelf. The instructions are all pretty clear - color coded plugs for color coded sockets and power that baby up. Bingo, they are on the Internet..... "Isn't this sooooo kewl Joe......"

Little do they know they have their "front door" wide open. The problem really is not that they are unaware that thier front door is open but that they even have a front door at all. So Pooh comes wandering by and tells them they should probably stop all their services to close their ports..... What kind of reaction do you think you are going to get? I'll tell you - because I get the same look from any ten of my 650 users on any day - It's kind of a glassy eyed, tearful, glazed over kind of look that is clearly telling you that while they nod sagely so as not to appear to be a complete idiot they have not one clue about what you are talking about.....

..... That's why home users should have firewalls..... period.

I think what you would be better off arguing is "should competent network administrators save themselves the cost of a firewall by properly closing their ports on their home machines"?

My answer to that is: I am a network admin. I have 4 computers at home and I want them networked. If I close all the ports then I can't network them the way I want to. So, to allow me to network my systems the way I want to I use a firewall to keep the unwashed masses away from my network.

[valhallen]

One comment I would like to make is that alot of virii are not discovered until they are wild and infecting computers - this is very much the same for exploits. You could have all ports locked down, have your browser and any other client securred with the most recent patches but someone may discover a new way round these things and you may fall victim before it is widley known to exsist.

Some exploits are discovered before going wild but not all - you state that a firewall could be seen as a crutch for admins but then again so could security updates!

A firewall is not 100% secure - then again neither is locking everything down by hand so why not combine both? I use outpost personnal firewall on an adsl connection and have never noticed in reduction in speed. So to me this is not an issue.

Basically what am trying to say is that there maybe an undocumented exploit for IE which at the time of going wild has no fix leaving you vunerable.....but if you have a firewall it may stop you from becoming vunerable.

On the opposite side of the coin there maybe an exploit for your firewall but as you ahve your computer locked down as well you are not vunerable.

By using both the wannabe attacker would need to exploit both making it twice as difficult for them
to you get what I mean??

v_Ln

[madbishop]

In my dealings with home users - most of them savvy enough to know what a computer is and what it does, however, they do not understand, or want to understand the concept of security; other than they want it in order to to use their computer on the Internet and not get taken advantage of, or minimize the chances of that happening.

To that end, a tiered approach to security, like what MsM explained earlier is essential. One of those tiers includes firewalls. My overall methodology for home users would go with the most secure, yet easy to use and allows them the freedom to actually enjoy the computer.

My mother-in-law put it to me this way when I was explaining the concept of security. She stopped me in middle-sentence and said "...that's great, but I just want to be able to push the big lit up button and go, the rest of this is a pain to even hear about." And after talking to a few other people along those same lines, they had the same opinion - they wanted to just go.

In short - for the everyday user - firewalls are essential. Hardware and/or software.

Great topic.

[pooh sun tzu]

I still find myself shaking my head and disagreeing with a lot of what people are saying here. Not that I don't respect their seperate opinions, but that in my entire history of windows I've dodged everything that came my way on both unix based and windows based distros. Not just from actual updates, but because as a home admin I keep my eye on everything all the time. I research, I double check, triple check, and still stand firm. In the process (started all the way back in win 95) I have learned invaluable amounts of how security exists on an OS level, and am well aware that some exploits just exist, period. However, I must be doing something undocumented because despite myself being targeted many times for hacking attempts, I've yet to have them penetrate me, or come close.

An admin with an iron grip on his OS and actual experience with the inner workings of it's security is able to overcome all of those viruses, attacks, holes, and never see them trouble him.

But yes, I do agree that a typical user needs one. We can't expect everyone to devote their life to computers, and thus a home firewall is perfect. For experienced and progressive admins, a home firewall ... I just don't see as something needed. Proof is in the pudding I mean, I could always just post my IP and tell you all to go at it, and do your best to prove me wrong by having authorized permission to crack my system.

And yes, an excellent topic.

edit: I just reread this and realised how egotystical it may sound. I really don't mean it to come off that way if it does, moreso meant as a "we need proof of it working, so here it is" sort of thing.

[Maestr0]

I glanced through this thread briefly so forgive me if these points have already been covered. I think its important to note you seem to be referring to hostbased firewalls in particular. From what I understand youre saying instead of blocking access to open ports via the firewall why dont I just turn them off. I think 99% of the time shutting down unneccessary services will do the trick, but this is the case only when we are talking about one host(a home user) and not a network (which is a whole nother can of worms). I say 99% because there are advantages to having the extra layer of security. There are cases where a service simply cannot by disabled because it is needed by the OS. In these instances where services must be running, there is a chance of exploitation regardless of administration. For example the recent RPCSS exploit contained a bufferoverflow in the DCOM code, and although DCOM can be disabled RPCSS cannot (at least in WinNT/2000/XP where the kernel space and user space communicate via RPC). Had the overflow been in a more critical section of the code you would have found that your machine would be vulnerable to remote exploit no matter how tight a grip you have on your OS. This is not a problem with administration, rather a weaknesses present in the operating system at a kernel level. These are the kinds of threats a firewall could help mitigate by blocking any remote access to system services. Of course you could just configure your machine not to accept incoming RPC packets, but then you really just have a host based firewall dont you?


-Maestr0

[pooh sun tzu]

I would accept your point, if...

Had the overflow been in a more critical section of the code you would have found that your machine would be vulnerable to remote exploit no matter how tight a grip you have on your OS.

That exploitable code runs off of port 139, NetBIOS, which is configurable to be turned off, especially if not being used. So, it falls back again, to simply securing the OS for aother bug that Thus, during that entire phase of the worm, I was completely protected from it. It falls back again, as it always does, to securing the OS, and knowing it enough to secure it. Any system services that operate and are a problem to security I disable, none of which are crucial components

And yes, you are correct, as the origonal post states, this is about a home, singular computer scenarior. The table turns completely if this was a buisness.

[Maestr0]

Ahh, do not confuse NetBios with RPC my friend. which is in fact port 135 (Although I believe you CAN use the NetBios ports as well). Although it is possible to disable DCOM, this can cripple or disable some applications, so if you'd rather cripple your OS than firewall it, so be it.


-Maestr0