
Thread: Is it worth to install Firewall in home pc?

  1. #91
    I wasn't gonna say anything... I was gonna let the 11 green seniors settle it between themselves, but I agree with gore. This argument is over when you show us how to do what you say you've done, which is secure your OS with no firewall, or give the IP to someone who can test yours. You can defend it all you want with words and certifications, but that doesn't mean very much until we see it for ourselves.

    PLEASE do it, I want to see your concept proven.

  2. #92
    Originally posted here by Soda_Popinsky
    I wasn't gonna say anything... I was gonna let the 11 green seniors settle it between themselves, but I agree with gore. This argument is over when you show us how to do what you say you've done, which is secure your OS with no firewall, or give the IP to someone who can test yours. You can defend it all you want with words and certifications, but that doesn't mean very much until we see it for ourselves.

    PLEASE do it, I want to see your concept proven.
    What, something like this:
    "I will set up an IIS server and I will run any web script on it you like, hell I'll even put cmd.exe within the web root, I'll disable urlscan and I'll set anon access to run as the admin account. After all that you still will not be able to even change the home page."

    Well, I for one don't run any firewall nor antivirus, going about a month now no problems, I'll let you know when something happens. The closest thing to that third party software I run is active ports www.webattck.com

    You know if the advice given by some is too ADVANCED for you, shut the FU*K AND HAVE A COKE & READ SOME PDF's!!!!

    I mean " Yeah let's talk about security, but speak in facts... not personal attacks, accusations, or highly subjective terms... personal observations and the likes. "

    Is it just me or don't "high security/high assurance systems", basic principles apply to lesser systems. That is how you know they are logically correct right ???????????????????????

    Here is a screenshot, I'm running no AV nor Firewall, just active ports.

    Mood : Drunk just returned from a metro bar.
    Music : Nirvana, Lounge act

    You know maybe they should create a forum called Security Dumbed Down For The Masses, that way newbies would know where to post & reply!

  3. #93
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Originally posted here by catch
    I stated fact. Firewalls are intended for X|Y if neither X|Y are true, the firewall is not called for.
    That may be your opinion, but firewalls have many more functions than the black and white situations you present.

    Where did I say this?
    All through your posts. Intrusions are acceptable if the value of the data is outweighed by the cost of protecting it. That may be suitable for governments, but perhaps not everyone else holds their data to such low standards.

    You view my solution as a lack of protection merely because it is not a type of protection to agree with or understand, it is still protection.
    No, I fail to see how it fits within any modern commonly-accepted home computer security model. I invite you to examine the two linked SANS documents in the previous post. Even if you find SANS to be a complete joke, you should at least do the courtesy of actually researching the material I present, as I have done for you.

    My intent would be to have the original poster have the highest security, usable system... do you think they'll get there by listening to me or by installing Zone Alarm?
    And yet you continue to dodge providing me a tangible reference to the examination of how a firewall decreases the security of the overall system in a practical sense. If theoretically you are correct, it should be trivial to provide numerous examples of it, should it not?

    All that can be done is provide a framework, depending on how forceful that frame work is and or the cooperation of the system custodian controls the rest.
    Exactly. In such a situation, you would not value increasing the security, due to some theoretical clash of your view of how a firewall *should* be used?

    First, the firewall deals with the security of the network, however if there is no network between the firewall and the systems it is securing, well then what is it securing?
    Actually, that is but one type of firewall.
    Wikipedia: Personal Firewall:
    A personal firewall is traditionally a piece of software installed on an end-user's PC which controls communications to and from the user's PC, permitting or denying communications based on a Security Policy.

    A personal firewall differs from a conventional firewall in that there is no separation between the firewall software on the user's PC and the user's application software. A personal firewall will not usually protect any more than the one PC it is connected to, unless other PCs are sharing Internet connectivity via the protected PC.

    Another distinction from conventional firewall software/devices is that personal firewalls are able to control communications using methods such as prompting the user each time a connection is attempted, and 'learning' from the responses, to determine what Internet traffic a user would like to permit to/from their PC.

    This software may also provide some level of intrusion detection, allowing the software to terminate or block connectivity where it suspects an intrusion is being attempted.
    Simply because this clashes with your view of what a "firewall" is, doesn't invalidate its use, nor does it decrease the security of the system. Show me the various exploits you have applied to various versions of personal firewall software. If you are going to make claims that it in fact decreases the security of the system, then back them up with hard evidence.

    Second I stated: "Adding to the complexity of ANY system without altering its security functionality (and even then if this functionality falls outside of the reference monitor) makes the system less secure." Clearly a firewall is outside of the system's reference monitor.
    Actually, considering your view of a firewall, that may be the case, but as I stated above, your view is not the only view.

    Not at all, suggesting a different counter-measure is a part of risk mitigation, which falls under the risk portion of computer security. Policy development deals with classifying and implementing the selected counter-measure from risk management. Security Policy has nothing to do with choosing between two types of counter-measures.
    Of course it doesn't. That isn't the issue here. The issue is your statements that have yet to be validated in any manner.

    How do you know it isn't? have you ever looked into it? Either way, it still holds valid. IS security is just logical math, rules apply. Extremes are easier to prove, if you cannot find a paradox in the extreme, then you can't find one in the subtle where things get murkier.
    Practical and theoretical are not always the same. Again, back up the statements regarding the security of a home system being adversely compromised by installing a personal firewall with hard evidence.

    Yes, because most people are lazy and uneducated. It's "wisdom" cause it kinda sorta works, otherwise it'd be called "knowledge."
    I don't see what this has to do with the section you quoted. Such wisdom is no less valid simply because the user doesn't obtain it from firsthand experience. Or are you advocating that everyone spend the sum of their lives doing nothing but ensuring humanity actually has things right in all areas?

    We discussed this before as well about hardened systems by default. The system in question will not be hardened in any way, in fact it will be significantly weakened (remember what I said about using extremes as they are easier to prove?)
    I don't quite understand what that would gain anyone. The box will be infected with one of a dozen viruses within a matter of moments of it being put online. What point are you trying to prove exactly?

    I will offer a windows 2000 http/ftp server with the following:
    1. The ftp root will be world writable and contained within the http root for simpler execution.
    2. All anon access for the IIS user will be via SID:500
    3. The admin account policy will not be altered in any way
    4. IIS will be in default installation
    All this will prove is that default installs aren't secure on Windows 2000.

    You will be free to upload any malicious scripts that you feel like, any trojans, cmd.exe if you like so you can have a command line.
    All you need to do is deface the homepage, which will be owned by and have full control by SID:500.
    Does this sound fair to you?
    If I win and the system cannot be compromised in 96 hours, I never get attacked again for my advice by anyone who attempts in addition to a public apology.

    If I lose, I will admit that I was wrong, apologize in public and not return to this site.
    Deal?
    No deal under those conditions, I am not seeking anyone apologize, or leave a site or anything here. You threatened to do that once before, I see no point in continuing this melodrama. If I were to do this at all it would be for research purposes.

    I am continuing this discussion because I am intrigued in the answers you have to various questions. If you can keep on track, maybe people here will learn something concrete about firewalls, or, this will go down in the AO archives as just another argument that was never satisfactorily resolved.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  4. #94
    Old Fart
    Join Date
    Jun 2002
    Posts
    1,658
    Damn boys...hurry up and empty those bladders....this is getting old.
    Al
    It isn't paranoia when you KNOW they're out to get you...

  5. #95
    Banned
    Join Date
    May 2003
    Posts
    1,004
    That may be your opinion, but firewalls have many more functions than the black and white situations you present.
    Like what? Be objective.

    All through your posts. Intrusions are acceptable if the value of the data is outweighed by the cost of protecting it. That may be suitable for governments, but perhaps not everyone else holds their data to such low standards.
    You know what? You are absolutely correct, home users need the absolute highest security available, because any intrusion is one too many. First we are going to deal with the system itself... I suggest a nice XTS-400 system with the tempest shielded case. Obviously you'll want a random speed fan on to keep the acoustics in the room unpredictable, don't want attackers being able to tell what you are typing... need I go on?
    The fact is, home users work exactly the same way, if the loss of data is equal to one hour of effort in a complete compromise, and a complete compromise is only expected once a year, I don't think your home user is going to want to spend $200 million in protecting that system.
    If you spend more on protections than the asset is worth, then you've already lost more than you would have if you were compromised. Does this not make sense to you? If you ever want to be some sort of corporate decision maker and not just lackey, you'll want to read up on this stuff.

    No, I fail to see how it fits within any modern commonly-accepted home computer security model. I invite you to examine the two linked SANS documents in the previous post. Even if you find SANS to be a complete joke, you should at least do the courtesy of actually researching the material I present, as I have done for you.
    You have not done for me as you still haven't a clue about how to manage risk. The modern, commonly accepted home security models are wrong. Why are they wrong? Because they make the assumption that the home user does not have free access to the level of expert found on sites such as this one. They assume that home users will need to just set it up themselves with help at best from programmer friends or system administrator friends or other people with perhaps a high level of skill in implementing policy, but not developing it.
    If I wasn't willing to help these people, I'd tell them to just use an app firewall, cause if they don't plan on implementing the other security elements required in lieu of that... well at least the app firewall in that case helps mask poor configuration.

    And yet you continue to dodge providing me a tangible reference to the examination of how a firewall decreases the security of the overall system in a practical sense. If theoretically you are correct, it should be trivial to provide numerous examples of it, should it not?
    Fine you want an example:

    System A. All ports closed, all client software compartmentalized.
    System B. Same as system A plus firewall X.

    Zero day exploit for firewall X is discovered. System A is still secure, system B dies a horrible death. You want actually real world examples? Look up any application firewall for past exploits. The benefit of appliance firewalls is that if they are exploited, the systems they protect are not compromised (though they may be eventually if the attacker is lucky and careful) however application firewalls need to run at a low level on the system, their compromise tends to lead to catastrophic failure.

    To sum up much of the rest of this, you would resign yourself if I was able to find a single exploit in any personal firewall? Because that is all it takes to have them be less secure than not running one. A quick look through securityfocus will indicate a large number of known exploits for personal firewalls, and it is important to remember that even the local exploits are dangerous as a user may run an otherwise harmless malware that utilizes the local firewall exploit into leveraging more power as the firewall is prolly running under SYSTEM which would have more power than a normal user.

    There are countless examples of these personal firewall exploits, what more proof are you looking for? Should I pick out a specific exploit and walk you through an attack?

    I don't quite understand what that would gain anyone. The box will be infected with one of a dozen viruses within a matter of moments of it being put online. What point are you trying to prove exactly?

    All this will prove is that default installs aren't secure on Windows 2000.
    In that case it should be a snap right?

    I submit that the system will not be infected with anything and the only thing that will change is the contents of the one folder and the logs (which I will post as well).

    catch

    Edited for: typos and suggested corrections to tune this down a smidge.

  6. #96
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Damn boys...hurry up and empty those bladders....this is getting old.
    I second this. I'm tempted to close the thread but I'm sure someone will whine they didn't get the last word in and how come someone else did.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  7. #97
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Last word.....

    /thought I'd slip that in there before Ms. M. makes her decision.... Quick, close it Ms. M.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  8. #98
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Actually, not a bad idea. If I may suggest, catch and chsh, start a thread in GCC or in Cosmos, keep the APs out of it and have at it there.

    For now, this is closed.
