Purpose of personal firewalls?

Wow, lots of interesting posts so far, but what I'm wondering from all of this is that why would I need any type of packet filtering, state inspection, etc. type of firewall ( excluding the application ones ). I use my laptop the majority of the day. I dont offer any services so if someone were to scan me, I doubt it would cause me to panic. For that matter what would a firewall be useful for except at points of entries into the network. If you or the company are running a web/ftp/whatever server, you would have to still open up the ports so that users can connect to it. So what would the purpose of the firewall be in that case? It shouldnt prevent anyone from connecting to the service because you offered it. In certain situations I can understand the need for a firewall, such as banning certain IP addresses. Then that would mean you really only need a few firewalls. The primary one would be the entry from the Internet into the network. The 2nd one might be from a DMZ to the internal network. Would there be a need for firewalls anywhere else?

My concern are about programs that dial out, whether they are on a laptop or PC. How can I be sure that as I've said, XYZ program doesnt connect to Timbuktu? Granted I shouldnt be installing software from sources that arent trustworthy, but I use my laptop a majority of the time. I like to mess around with new software. I'm not going to be told ( and by whom? :p ) that I shouldnt install the software because its unsafe. I want to know that after I install it, if it connects out. I want to say, ok this program is dialing out for some reason that I'm not sure of and I want to stop it. That goes for any program that I install. I guess this comes down to an issue of trust. I want to trust that my software isnt making who knows what connections to who knows where. And if it is, I want it to stop.

Would a firewall be used in this case? Would it even be called a firewall? I guess it might be a "reverse" firewall. One in which outgoing connections are prohibited. I dont care about connections that come in ( well maybe a little ).

Before I forget, I did try out the XP ICF, it seemed simple enough except I couldnt trust it. I checked that little box that would alert me about any outgoing connections and it didnt do it :confused: . Fired up my browser and not a peep. Used the LiveUpdate feature from Norton Ghost and nada. Dont even want to know what else that things not telling me. :p

Although I really can't disagree with anything said here, I would like to point something out:

Quote:

---

Here I am redesigning my home network, ...

---

So my questions ( which seem relevant to me )

1) What Operating Systems will be running? ( Win98, ME, or only NT type and *nix ? )

2) How good are you at securing these systems?

3) Who will be using these systems, and how computer security literate are they? Are You?

4)

Quote:

---

It can also act as an early warning system if you are actually paying attention or have reporting done on the logs.

---

How well will these systems be monitored?

5) How much control do you have over the other clients on the network?



My opinion:

If all the systems are XP Pro, you are very well versed on securing them, have control over them, set up proper accounts and permissions for users, and all users know basic things like proper browser habits, not opening email from unknown sources, not opening attachments, etc., then interior firewalls might be redundant.

But what if he ( she ) has a kid or sibling that uses ME and insists on using p2p networks and downloading everything they can? Or they have no control of the box that the uncle who lives upstairs uses, which is on the same network, who insists on downloading cartoon pron?

Couldn't internal firewalls be beneficial in these or similar circumstances?

g3neration posted while I was writing, so maybe I can answer the next questioned asked.

What you really want is an application firewall that monitors both incoming and outgoing connections. The firewall that comes with XP won't monitor outgoing connections ( at least at this time. )

Try to make sense of all that has been said in this thread, especially the parts concerning properly securing your laptop, setting up and using a non-privileged account, then using an application based firewall for that box. Just remember, some free firewalls won't monitor outgoing connections. Also, some free firewalls ( such as Zone Alarm ) will not monitor ( at least to my experience ) more then one external facing device. Example: ZA free version will monitor your Ethernet card, but not your dial-up modem. If both are connected you may need the Pro version to do that.

Also, checking outgoing packets from another box ( if you are actually testing software you downloaded ) run from a “ sacrificial box” is probably a better idea then testing it on your regularly used box.

Hope this helps.

Quote:

---

So first you say that you don't agree with the idea of increased complexity reducing security... and then in your very next statement you say the systems are already "insecurely complex". You sound confused.

---

So first you take a direct statement, twist it to your own means, and act haughty. You sound like an arrogant snob. I don't agree with the statement that the firewall itself decreases security by increasing complexity. The system is already insecure, how can a properly configured firewall further decrease security in that situation? Please explain this single point before sharing more passive-aggressive superciliousness.

Quote:

---

How does an internal firewall close avenues of attack? If you have a filter segregating that network segment what points of attack are you worried about?

---

Does every single network you've ever participated in have this segregation of segments by service/port/protocol? Lucky you. We should all be so lucky. I'd actually buy some lottery tickets, maybe.

Quote:

---

Attacks from the outside will be dealt with by the external filter.
Attacks from host based malware can be prevented by disallowing in installation/execution of unsigned executables.

---

Yes, well, not every organization can function in this fashion because they don't have the benefit of your divine omnipresence on staff.

Seriously, someone in the organization needs the ability to install software, somewhere. Most companies don't fund for and can't afford a complete and definitive test environment, the staff to maintain it, and the stakeholder buyin to support the whole affair. Welcome to reality...we've been wondering when you'd drop by.

Quote:

---

Internal worms will use the same channels as internal trusted communications so a filter again will not work unless it is integrated with malware detection which needs to be maintained. So where are these attack avenues?

---

I believe we've already told you. Untrusted systems can be plugged in; systems can be rebooted with bootdisc's. Crafty users can break policy and do things they aren't supposed to do.

catch I really didn't want to make this a personal attack, but to be brutally honest, your position and point of view can be so infuriatingly narrow-minded that I can't help but be a *****. You always approach everything as if it is so infuriatingly simple, and we're all a bunch of idiots. The real world is comprised of thousands of companies, millions (or perhaps billions) of home users, college campuses with students, public libraries...the interconnectedness of our world, and the technology that allows it to function, is not built in this trusted secure model you revere.

If all these trusted models and proven secure systems solve the problems we talk about, why do nations pass laws like Sarbanes-Oxley? Why do we have standards and regulations and policies that dictate, beyond process and practice, accepted behavior or rules for such? We have them because your trusted systems don't solve all security problems via technology. The human factor will nearly ALWAYS find a way to defeat, bypass, or overcome the technical barrier.

I'm guessing here, but it sounds like you have a fair amount of exeperience in the government or defense systems security/technology field. Perhaps I'm mistaken, but I am associated with a large number of people in this arena, and I know their jargon and slant on things. And I see many similar veins in some of their arguments as with yours.

In the end, most of us work in this real world I speak of. We don't have the luxury of working in these rigourously segmented and compartmentalized networks, where the C-level execs have signed off on users being completely restricted from installing anything except signed code, and we all use digital certificates for any and all authenticated sessions. We work in flawed environments. On flawed systems. With flawed policies. Yet we manage to get the job done, for the most part. It is imperfect, and I would like to see your better way of doing things become the standard; but that won't happen across the board...not anytime soon.

g3neration if you are unconcerned about the possibility of an internal breach...or at least you are not abnormally concerned...then don't bother with the host firewalls. But if you want to do the extra step that could very well help you out, I'd suggest you look into local measures to protect the systems. If you are fortunate enough to be dealing with a locked down and rigourously regimented set of systems as our friend catch describes, don't waste the cycles...if anything DOES get through, your already so hosed it won't matter.

And if even one of these systems is mobile and could be placed on another network...particularly one which you don't have control over...absolutely take every single precaution necessary. Smug righteousness won't save your ass when a zero-day get's through.

Cheers.

Quote:

---

Does every single network you've ever participated in have this segregation of segments by service/port/protocol?

---

Yes... and by your suggestion it is better to have every single system on its own network segment (behind a firewall).

Quote:

---

Seriously, someone in the organization needs the ability to install software, somewhere.

---

Yeah, that is what a control management process with digital signing is for (like I said previously). Applications can only be installed if they are signed by a set of trusted CAs... not complicated. If an unsigned application is approved by test it can be signed by the InfoSec department. If the organization is a dev house... different signing techniques can be used.

Quote:

---

Welcome to reality...we've been wondering when you'd drop by.

---

I've been employed directly or as a consultant for over a dozen companies with market caps of eleven digits. I know plenty about the "real world", how dare you try to pass your ignorance off as just "the way things work" to people who don't know better.

Quote:

---

I believe we've already told you. Untrusted systems can be plugged in; systems can be rebooted with bootdisc's.

---

Why do you allow these actions? And what do these actions have to do with personal firewalls?
As soon as you allow the installation of unapproved objects (applications/drivers) you defeat the personal firewall completely.
As soon as you allow the systems to be alternatively booted you defeated the personal firewall completely.
Welcome to the world of common sense.

Quote:

---

catch I really didn't want to make this a personal attack, but to be brutally honest, your position and point of view can be so infuriatingly narrow-minded that I can't help but be a *****.

---

Well, that sounds like a you problem, not a me problem.
My methods work, and they work very well. If you are happy to do business as usual... following the advice of such luminaries as Steve Gibson... more power to you, some of us look to try a little harder.

Quote:

---

You always approach everything as if it is so infuriatingly simple, and we're all a bunch of idiots.

---

How do you think I feel with people needlessly complicating everything. Security is achieved through assurance, which is achieved through simplicity and analysis. Not through adding heaps of crap the complicates the situation so much who the **** knows which way is up.

Quote:

---

The real world is comprised of thousands of companies, millions (or perhaps billions) of home users, college campuses with students, public libraries...the interconnectedness of our world, and the technology that allows it to function, is not built in this trusted secure model you revere.

---

Hence the importance of a black boxed methodology. Hence the point of defense in depth which is:

Control physical environment
Control network traffic
Control system configuration
Control rights propagation

If you fail any of these, the system is doomed.

Quote:

---

If all these trusted models and proven secure systems solve the problems we talk about, why do nations pass laws like Sarbanes-Oxley?

---

SOX is NOT an IT Security law... it is a financial reporting law that has one section (404) on IT Security so that Sr. Management can't blame IT controls for flawed reporting.

Quote:

---

Why do we have standards and regulations and policies that dictate, beyond process and practice, accepted behavior or rules for such?

---

Because unfortunately companies choose to not control the four points above... much like the manner that you are suggesting. Mostly because they don't know how or don't think they should... or they feel, as you do that extra controls on one point will mitigate fewer or none on another.

Quote:

---

Perhaps I'm mistaken, but I am associated with a large number of people in this arena, and I know their jargon and slant on things. And I see many similar veins in some of their arguments as with yours.

---

Yes, my background is in Information/Cyber/Electronic Warfare... but I have significant financial experience more recently.

Quote:

---

In the end, most of us work in this real world I speak of. We don't have the luxury of working in these rigourously segmented and compartmentalized networks, where the C-level execs have signed off on users being completely restricted from installing anything except signed code, and we all use digital certificates for any and all authenticated sessions. We work in flawed environments. On flawed systems. With flawed policies. Yet we manage to get the job done, for the most part. It is imperfect, and I would like to see your better way of doing things become the standard; but that won't happen across the board...not anytime soon.

---

We are talking to a user who is redesigning his network from the ground up! Why must we build in all the agreed up flaws of poorly managed organizations?

Quote:

---

Smug righteousness won't save your ass when a zero-day get's through.

---

The beauty of my systems is that they have proven to be quite immune to 0-day attacks.
cheers,

catch

Quote:

---

... If an unsigned application is approved by test it can be signed by the InfoSec department. If the organization is a dev house... different signing techniques can be used.

---

I'm interested in this signing process/procedure. How do you normally "approve by test" an unsigned application? Any references?

Peace always,
<jdenny>

Quote:

---

I'm interested in this signing process/procedure. How do you normally "approve by test" an unsigned application? Any references?

---

Many organizations do this... users submit "work related" applications to the change management team, who forwards it to a QA-like team that will test the application to ensure that is isn't malware and sufficiently complies with system use policy.

Once this is done the QA-like team may sign the application installer (using a trusted CA of course... even if it is just an internal one) and then copy it to an application archive where users of appropriate groups can access it and install at will.

cheers,

catch

ps. I used "test" in "approved by test" to mean the testing department/team/organizational unit/whatever.

Well it requires a really solid trusted QA team and policy then. How hard and how long an unsigned software is usually quarantined? After a software is signed, will it still be monitored? I wonder if there's ever a case that a signed software (by trusted CA) found to be malware at a later time?

Peace always,
<jdenny>

PS: If all I had in this world is time, I could embed a malware into a decent software that only activates itself (the malware section) on the last day of the 3th quarter of its life since it's installed/upgraded (the "first version" is clean of course, it's the version 1.1, released 6 months after, that contains malware) :)

Quote:

---

Well it requires a really solid trusted QA team and policy then.

---

The QA team and policy don't need to be ideal... even just a cursory check to ensure no obvious malware is typically more than sufficient for normal systems.

Quote:

---

How hard and how long an unsigned software is usually quarantined? After a software is signed, will it still be monitored?

---

These answers depend on the requirements of the given environment.

Quote:

---

I wonder if there's ever a case that a signed software (by trusted CA) found to be malware at a later time?

---

This is why things like least priviliege are still useful.

The idea isn't perfect security... the idea is to reduce risk to an acceptable level within a budget. This can be a very efficient method of reducing risk with a minimal budget when compared against other methods giving similar results.

cheers,

catch

Woohoo... only 5 more posts until I retire! ;)

Ah, risk reduction with minimal budget. I understand you more now. Thanks for the explanation.

But I'm still thinking about my idea of sleeping malware though... :p

Peace always,
<jdenny>

catch I had a whole reply lined up, but I've deleted it.

I, like others, am done discussing things with you. I won't ignore you, because I do value your input, but I recognize you have a strong opinion on how you think things should be done and do not respond to others suggestions or opinions, except to point out how flawed they are in your view of the universe.

I hope you are lucky enough to continue to work in sorts of environments you've described. The rest of us will continue to 'get by' in the trenches as we have.

Cheers.