December 4th, 2005, 05:59 PM
Purpose of personal firewalls?
Here I am redesigning my home network, installing the OS's, building my server. As I sat there, trying to figure out what firewall I liked, something kind of just hit me. One of those mini-revelation things. I guess I'm just kind of slow in figuring this out, but on an internal network, what is the need for a firewall or at least a packet filter? I like packet filter firewalls but as I was playing around with CHX-I, it hit me. What do you need a firewall for on an internal network? Granted you need something in place. But for what? Am I really worried about being port scanned, hacked into, etc.? Why would I be? I'm not offering any services on my laptop or my work PC. So what do I need a firewall for? The only thing I really have to worry about are any programs/services/etc. dialing out, something that might "phone home", or at the very least, something that makes a connection to somewhere that I do not wish for it to make.
I don't like application firewalls very much, i.e. ZA, etc., but from my thinking, that would be what I am looking for. Do I really need a packet filtering firewall? Does anyone really need any type of packet filtering firewall or any other type of firewall for that matter on an internal network ( well besides one that stops applications from making unknown connections )? All a user/admin has to really worry about is about what connections are going out from a PC, not one that is coming in.
Does anyone have any recommendations? I really like CHX-I so I guess something along those lines but for stopping any applications from dialing out.
December 4th, 2005, 06:04 PM
You don't need a firewall.
I'm not offering any services on my laptop or my work PC
The only use for it is...
And common sense can mitigate those risks.
The only thing I really have to worry about are any programs/services/etc. dialing out
As Catch has stated on several occasions, firewalls lower system security by making the system more complex, and in many cases offering another avenue of exploitation.
If you're on an internal network... You don't need one. You are behind a gateway firewall, correct?
December 4th, 2005, 06:11 PM
Yes I am, but sometimes I connect to other wireless networks and I have been port scanned. Annoying I guess but not harmful.
As for the applications dialing out part. Can common sense really reduce the risk? How do I know that a program that I downloaded to try out from company ABC or website XYZ didn't dial out? Or maybe I somehow have a trojan on my system. It's just that thinking about the "personal" firewalls that are offered and the amount of programs that I might/will run gives me a headache. Trying to configure rules for everything that might dial out is like being in admin hell.
December 4th, 2005, 06:17 PM
If you have no external services... you don't need a firewall to protect you from the outside.
First of all... you shouldn't be running unknown applications on an unsecured account. The idea is containment.
Can common sense really reduce the risk? How do I know that a program that I downloaded to try out from company ABC or website XYZ didnt dial out? Or maybe I somehow have a trojan on my system.
And if you are on SP2, there is already a good firewall available to you, with application control.
If you think you have a trojan, use Housecall from TrendMicro. It's a good online scanner.
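One way to answer the "how do I know what dialed out" question from the logging side, as an added example that is not from this thread: it parses rows in the layout of the XP SP2 firewall's pfirewall.log and lists the external destinations that local connections were opened to. The sample rows are constructed, and the example assumes OPEN rows are locally initiated connections and DROP rows with path RECEIVE are blocked inbound packets.

```python
import ipaddress
from collections import Counter

# Constructed sample in the layout of the XP SP2 pfirewall.log (column names from
# its "#Fields:" header); every data row below is made up for this example.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-12-04 18:05:01 OPEN TCP 192.168.1.20 192.168.1.1 1034 80 - - - - - - - - -
2005-12-04 18:05:09 OPEN TCP 192.168.1.20 203.0.113.7 1035 80 - - - - - - - - -
2005-12-04 18:05:12 OPEN TCP 192.168.1.20 203.0.113.7 1036 80 - - - - - - - - -
2005-12-04 18:05:15 OPEN UDP 192.168.1.20 198.51.100.9 1037 6667 - - - - - - - - -
2005-12-04 18:05:20 DROP TCP 10.9.8.7 192.168.1.20 4444 135 48 S 1 0 65535 - - - RECEIVE
2005-12-04 18:05:25 OPEN-INBOUND TCP 192.168.1.5 192.168.1.20 1100 445 - - - - - - - - -
"""

def parse_log(text):
    """Yield one dict per data row, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed row: skip it rather than misalign columns
        yield dict(zip(fields, values))

def outbound_summary(text, local_nets=("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")):
    """Count locally initiated (OPEN) connections to destinations outside local_nets,
    plus the inbound packets the firewall dropped; returns (Counter, int)."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    external = Counter()
    dropped_inbound = 0
    for row in parse_log(text):
        if row["action"] == "OPEN":  # assumed: OPEN = connection opened by a local process
            dst = ipaddress.ip_address(row["dst-ip"])
            if not any(dst in net for net in nets):
                external[(row["dst-ip"], row["dst-port"], row["protocol"])] += 1
        elif row["action"] == "DROP" and row["path"] == "RECEIVE":
            dropped_inbound += 1
    return external, dropped_inbound

if __name__ == "__main__":
    ext, dropped = outbound_summary(SAMPLE_LOG)
    for (ip, port, proto), n in ext.most_common():
        print(f"{proto} -> {ip}:{port}  {n} connection(s)")
    print(f"inbound packets dropped: {dropped}")
```

Run against the real log (logging of successful connections must be switched on in the firewall settings), the per-destination counts show which hosts the machine talks to without writing a rule per application first.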
December 4th, 2005, 08:49 PM
If you are worried about trojans please try:
But I would make the comment that if you have let that sort of stuff get into an internal network, you have already failed.
Using an internal firewall would generally be some sort of "security blanket" without real validity in a secure system.
After all, if you are using something like that on an internal network and it is actually catching or blocking things, you have much more serious problems with your security model/policy/design.
December 4th, 2005, 09:07 PM
Going along with what nihil said... sounds as if you are on a corporate net?
If so, there should be an enterprise AV in place, most likely with email scanning, the primary way for a trojan to get in. Also, many times, you can have filters running at the gateway to help catch malware.
December 5th, 2005, 12:10 AM
Ok, I'm gonna go against the grain here. I'm not going to dispute any of the points made here, but I am going to say that host firewalls on systems inside your network can be beneficial, if you've taken the other appropriate measures.
I don't buy the comment about firewalls lowering security by making them more complex. When you consider the default build of Windows or a common *Nix, or even the typical corporate build, you'll see the system is already insecurely complex ipso facto. What do you have to lose by adding something that could potentially close avenues of approach or attack?
As catch and his oompah loompahs are always reminding us, secure systems, designed properly from the ground up, don't need the level of attention for patch management, firewalls, and security applications. However, last time I looked, hardly any of us USE systems of this pedigree.
I've said it before...Information Security is about defense in depth. "Why have host firewalls? I have a perimeter firewall already!" What if the perimeter firewall fails? As nihil said in a different context, if baddies get inside the network, you've already failed. You can make your failure complete by having zero internal stop gaps or defenses, or you can have a fighting chance with internal measures layered upon other measures.
But please, feel free to put all your eggs in one basket. (Wow, centuries old wisdom applied to modern digital security practice! Who'd a thunk it?)
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
December 5th, 2005, 12:55 AM
December 5th, 2005, 03:03 AM
The best way I can explain my point is... it's like a leak in a hose... If you put duct tape on it, it stops the leak, but the hole remains. You need to plug the hole. Lock down your services, and save yourself the system load.
insecurely complex ipso facto
December 5th, 2005, 03:16 AM
So first you say that you don't agree with the idea of increased complexity reducing security... and then in your very next statement you say the systems are already "insecurely complex". You sound confused.
I don't buy the comment about firewalls lowering security by making them more complex. When you consider the default build of Windows or a common *Nix, or even the typical corporate build, you'll see the system is already insecurely complex ipso facto.
How does an internal firewall close avenues of attack? If you have a filter segregating that network segment what points of attack are you worried about?
What do you have to lose by adding something that could potentially close avenues of approach or attack?
Attacks from the outside will be dealt with by the external filter.
Attacks from host based malware can be prevented by disallowing installation/execution of unsigned executables.
Internal worms will use the same channels as internal trusted communications so a filter again will not work unless it is integrated with malware detection which needs to be maintained.
So where are these attack avenues?
From the ground up? Following basic security principles... (control what users do, control what code can be run, control what services are used) and suddenly these internal firewalls become a non-issue.
As catch and his oompah loompahs are always reminding us, secure systems, designed properly from the ground up, don't need the level of attention for patch management, firewalls, and security applications.
Would you run a personal firewall or AV system on Linux? Why not? Because people tend to use normal, non-administrative accounts. There is no fundamental difference in structure that allows these attacks against Windows and not Linux.
I've said it before... "defense in depth" does not mean doing the same **** multiple times in slightly different ways. Think of mantraps... you want as few very high assurance bottlenecks as possible and nothing else. Each checking different things. Firewalls, network guards, reference monitors are all fine examples.
I've said it before...Information Security is about defense in depth.
Then it fails...
"Why have host firewalls? I have a perimeter firewall already!" What if the perimeter firewall fails?
Given resources of X... what is less likely to fail... one very high assurance firewall that uses all of X or 3000 bad firewalls each costing 1/3000 of X.
Unless each of those firewalls is configured differently, what is gained? Why would the failure of one not pass to the failure of others?
If your primary firewall is compromised do the host firewalls even matter? Or can an attacker easily subvert the hosts through traffic control?
No one is suggesting this... different controls need to be used... the first concern is detection of the failure... then host hardening, etc. More firewalls is not defense in depth.
You can make your failure complete by having zero internal stop gaps or defenses, or you can have a fighting chance with internal measures layered upon other measures.
Security is about assurance... not a pile of crap.
But please, feel free to put all your eggs in one basket.
Single points of the highest affordable assurance are always better... the same reason a reference monitor is the ideal way to handle OS security.
Why you got positives is beyond me... the community is just full of people who have no concept of basic math skills. Damned American public schools.