-
April 4th, 2004, 11:18 PM
#61
Mox: your post was more than 250 words.... It bored me... Catch, OTOH, has time to assimilate this information and will reduce you to tears if you care that much about the response....
Catch: Give it up..... For your "let's go get us a 'puter" people that come here your answers are less than "responsible". You and I can discuss the "finer points" but let's not think for a second that we are talking to the general populace.... We aren't... period!
You are right..... No doubt..... But you are wrong where people who are just "discovering" the internet are concerned........
I really love having a WAP in my pub..... .... Makes for good flames.......<ROFL>
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
April 4th, 2004, 11:21 PM
#62
Originally posted here by catch
Running no services on a server?
Yes, it's a very trivial concept which I'm sure is within your grasp.
You cannot assume that a local firewall will help this either, there are better ways to secure the desktop.
No, there are complementary ways to secure the desktop, but an app firewall is the best way to go about packet filtering on a per-application/user basis.
In that case it would be a server, the reason all these terms exist is so people know exactly what each other are talking about, if you wish to use the language loosely enough to pull different meanings from things, don't be surprised when a misunderstanding occurs.
Actually, by your definition then, NO modern desktop operating system since Windows 3.11 has been a desktop, which thereby invalidates the rest of your argument.
For what reasons? Not knowing how to use the term "Server"?
Perhaps your unwillingness to accept the widely-accepted meaning of the term Server is the issue here.
All the local AV and firewall do is give local code more juicy targets, as they tend to require a great number of permissions.
You've never actually set them up have you? IME, AV software requires no more permissions than say, Office. Generally, client-side firewalls would be a bit of an extravagance on a corporate network (at least IMO), however, we are discussing the home, where there are no admins to set tight security policies. I would love to hear your thoughts on how they are "more juicy targets".
Also now you need to worry about exploits in your firewall, your AV, and your OS instead of just the OS.
Please link me a comparison with the most used corporate Anti-Virus' vulnerability list and the vulnerability list for Microsoft Windows 2000 Professional/Windows XP. I would like to know the percentages on it, since you cite it as an obvious danger, I would like to quantify the level of danger involved.
AV systems should only be used on filtering systems, same with firewalls. High assurance, isolated proxying systems that clean network traffic, they have no place on standalone systems, especially such low assurance systems as the standard COTS desktop.
Actually, you are mistaken, they have perfect placement on "standalone" systems, that is what their target is. Stop being ludicrous and arguing that your point about corporate desktops is right about home PCs. It isn't.
Cite your source for this figure please.
I don't see why I should cite my sources when you are unwilling to do the same. Kind of ironic and hypocritical of you all at the same time.
The CISSP in particular is geared toward a general theoretical understanding of IS security, no more no less.
It fails even in that endeavour. It targets specifically server environments, and leaves the desktops to the wolves, essentially.
The reason for this is the overall poor foundation of security in the vast majority of commercial systems.
I disagree, I believe it is the overall poor education of the people in charge, and that many technical managers are no longer given the leeway they need to make the appropriate purchases and/or hiring decisions.
So much of modern COTS security is just bad versions of problems fixed in the 70's believe it or not. Reinventing the wheel is all that is happening now.
Cite references then, if that's the case, I'm curious to know what 'new developments' aren't really new.
This is very true, especially from an insider (this of course isn't much of a concern with a single user home system) but I still feel that a local firewall isn't the best solution for this type of problem. Firewalls are not designed to protect boxes, they are designed to protect and control connections.
They are not designed to protect connections whatsoever, they are designed to protect services and regulate connections and services. Firewalling itself as a feature has been implemented in numerous other places.
Defense of the box rests on the box itself. All protections against attackers, malware, and evil users in general need to be found within the TCB, otherwise anything you slap on after the fact is only going to hurt the security of the system.
The utterly fatal flaw in your argument is that "anything you slap on after the fact" can compensate for the underlying system's incapabilities, while still not compromising the security of the system. If you don't believe this, then I ask why do so many major operating system vendors provide extra security tools? Consider MS ISA Server, or any of IBM's advanced network management and security software, or 3Com, or Cisco. Those companies obviously believe the "slap-on-after-the-fact style" OS/Firmware additions are worth the time and effort.
Granted this may be above the average user's capabilities, but I assumed they were here to learn. Besides, 10,000 other people will tell them to install Zone Alarm, so what value does that really have?
You assumed horribly wrong. Users by and large do not want or need to know WHY something works, or how it can work better, or how in your airy fairy world of network design you think it SHOULD work, they want something that will just work. Various app. firewalls are good. I should expect you are a class A mechanic, certified electrician, architect, plumber, and cuisine expert, given your attitude towards how an end user 'should' approach things.
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
-
April 4th, 2004, 11:37 PM
#63
Original question from johnHACK
Is it worth to install Firewall in home pc (only 1 pc)? Since we know that intruders mostly like to attack companies network rather than home pc. Because from my point of view, AV is already enough to protect from viruses, worms or trojan horses, if there is firewall installed, it will consume some amount of memory and processor, then the system will become slower as the resource taken by firewall software.
And I noticed that, Firewall isn't effective if we just a normal surfer (pc not 24hrs online).
Maybe the "experts" should assess the skill set of the person posting the question. If it's a beginner question answer it that way.
JohnHACK
If you have been following this thread, I would say it is in YOUR best interest to install a firewall.
NORML
-
April 5th, 2004, 01:38 AM
#64
This sure as hell has gone off topic a few times. Regardless of if you guys don't like each other, or each other's opinions, the fact remains that this has turned into one of the best discussions this front page has seen in a while about running a firewall.
Catch is a pal of mine, and I do think he is very intelligent, and if you don't like him, well, super, but he has gotten a lot of responses, turning this into a great discussion. The original question started out with should a home user install a firewall, and now we have a whole thread showing the upside and downside of doing so.
Doesn't matter if anyone in this thread likes anyone else in it, the fact still remains that I think it is an awesome thread for anyone who wants to know a little more about both sides of installing a firewall.
Now, for me personally, I have a software firewall on all of my boxes in my LAN. I went through about 8 of them before I found some I liked, and now, all the Windows boxes here run McAfee with customization done by me, and my Linux boxes run a mix. Mainly IPtables, but SuSE and Mandrake systems run the firewalls they come with, as I think they are good at what they do.
The router I use also has a firewall built in, and again, those settings are all customized by me for my particular LAN environment.
I do have services running on my Linux boxes, as I use those for when I'm at school, and have forgotten to grab my homework for example. I can just log in and grab it through a Secure shell.
I have a web server and FTP server running too, and use it mainly for backing up things across the LAN. I have yet to read manuals for either, but got them working, and had TheHorse check them out for me to see how well I did. According to him I did a good job, and even better considering it was my first time setting up FTP and HTTP, and not reading any manuals.
The point I'm going to try and make, is that it really depends on a lot. I run firewalls, and think it's a good idea, not just for the usual reasons, but what about someone who is running an older OS? They could be nuked and crashed, where a firewall would prevent this.
In my opinion, if you are running Windows 9X, then get at least a port blocker, and updated anti virii, that way trojans and virii won't allow a remote compromise, and the port blocker can stop other attacks.
Windows 9X has great security, as it was not made for networking, and so it doesn't have a lot of built in services running. I think this makes it a bit secure in THAT respect, because well, it doesn't have much to go after in the form of a compromise. (Hacking exposed 3rd edition).
People who still run DOS, probably don't worry about much. Most versions of DOS have no way of having multi users. Heh, sort of funny how a lack of features can be a great thing for security huh?
As for catch saying a firewall can be bad, well, I understand what he means, as the more code you have running on your system, be it a text editor, an AIM session, or a firewall, it still gives more chance for a compromise.
I'm not the type to say a firewall is bad, because I think with proper configuration, they can be set up great and actually used properly. As for not running one at all, well, me for example, I could do that, but I would never be putting a machine into my DMZ, because my router gives more protection to my LAN.
Anti Virii I do think is a must, in at least SOME form. Even if you don't install any, you should at least go to McAfee or Norton's site and do the online check every few days. If you do this, and take the proper measures, you could get away without installing an ounce of Anti Virii.
I think the problem with Catch and Chsh going back and forth is because they both know they know what they are talking about, but both have had experience in different areas where one idea is good for one area, and bad for the other.
It's a clash of knowledge, just you two quit ****ing around before you core dump.
-
April 5th, 2004, 02:24 AM
#65
Gore, did you miss the latest addition to my signature?
If Catch had even enough sense to do half the things he bemoans other people not having the knowledge to do, he'd clue into the fact that there is no one blanket security fix for every situation, and that whatever he believes is proper to do in a corporate sense has absolutely no bearing on how a home user should try and secure their box. It seems to me like the only reason he participated in this thread at all was to state his irrelevant opinion about some other question entirely. Something the OP didn't ask for sure. Either that, or he really is clueless and reckless when it comes to home user security.
The problem is, people BELIEVE catch knows what he is talking about, but he has been consistently proven to be wrong. He is seemingly always vague enough to not be completely wrong, yet never accurate enough to be completely right.
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
-
April 5th, 2004, 03:10 AM
#66
Banned
Do I know you people? You all seem to have changed since I joined. Not sure yet if it's for the better or worse, but I'll figure it out. It is a pretty good discussion none-the-less. I can see it now on EIT "AO spotlight: Do you need a firewall? Let's see what AO's latest flame war came up with on the issue" .
/me hugs his firewall.
-
April 5th, 2004, 05:09 AM
#67
You know it's sad that the only person who actually requested a forum on (in theory) secure OS's (TOS) Trusted Operating Systems. Comes in, makes an educated post and is given a rash of sh*t by "security intell people" . It's just a shame, you know catch could have said shut the F**K UP and look at my credentials, I've worked on DARPA http://www.darpa.mil/ etc......(again SHUT THE F**K UP).
Do you know anyone else who will not post opinions but facts and supply you with reading material PDF's and what not. Which I find very useful in my studies, hell I have even presented them in class. .......In the end it all boils down to credibility in my mind especially on this site two people come to mind catch & the Horse.
Wow would you look at that DoD workers with CISSP's and laundry list's of security work that are well, just impressive!
I tend to listen and look up to people who actually have exp, NOT people whose (bearded) profile photo looks like the guy who kidnapped Elizabeth Smart in CA
http://www.courttv.com/news/smart/
PS: Catch I want to run "finite state machines" made by ford and whatnot, what kind of hardware should I look for on Ebay? Where can I get TOS software since you're the only one on the site with actual knowledge of such OS's?
-
April 5th, 2004, 05:41 AM
#68
Tsk tsk... too many people, too many experts, too many opinions...
It's like someone asking if he needs an alarm system on the Ferrari he just bought... "dude, you need the l33t-t3ch 5000 version 34"... "no no old chap, you should go with the tatcher-4500 version 2.0"...
If you buy a Ferrari and you don't know **** about it, get a nice alarm system. If you buy a Ferrari and you do know everything about it, get an alarm system.
If you buy an alarm system, you'll get a KIA for free. Sell the KIA, and buy an even nicer alarm system for your Ferrari. Drive over to Canada and show off your Ferrari to chsh and HT. Make them design an even nicer alarm system for your Ferrari in exchange for a pissing contest in the trunk of your Ferrari. Clean out your trunk, have the winner install the alarm system, drive the Ferrari back to the US, park the Ferrari on the sidewalk because you're out of gas, have Gore come over to pee in the gastank, have Gore invite you all to pee in the gastank, and then take a nice nap. Or something.
Never knew it was that hard to answer a simple question...
Someone has one puter, has AV installed, and is worried about a firewall taking away system resources.
Instead of just answering the question, people get into a discussion about how KIA influences American car dealerships (OK, I made that part up...)
How hard is it to just say that a firewall does take away some of your system's resources, that AV-software is different from a firewall, that KIA is a car and not a bicycle?
-
April 5th, 2004, 05:57 AM
#69
A Kia, not a bike? Dude have you looked at those things? They might as well be! 
We all know the best cars come from Germany, and Detroit. And of course props to the McLaren F-1 *Now drooling*
Damn it Dries, now you got me talking about cars. You must now buy me a 1973 GTO Judge, and pop in a 455, or 502, or buy me a 442....Heh, I'd never get pulled over again. I'd be so far ahead they'd just give up, and my town doesn't use any aerials, so it's keep up with a squad car, or go back to buying a doughnut.
Of course to keep this on topic, I will now bullshit my way into making an analogy:
Think of your computer like a McLaren F-1. It's fast...VERY fast. In fact it can do 0-100 MPH in 4 seconds, and reach a speed of 391 STOCK. It also costs over a million dollars. Now of course you'd want some type of security for this thing. Me, I would have an AK-47 hooked up to the car, and anyone who tried breaking in would get a shot in the balls.
And of course you don't want any germs, like Toyota, infecting the car, so you get some anti virii.
Ok fine, I'm done lol.
NP: Lords of Acid - I must increase my bust.
-
April 5th, 2004, 06:49 AM
#70
Neg....your post had me most confused until gore pissed in the tank and took a nap. It's all so clear to me now.
Al
It isn't paranoia when you KNOW they're out to get you...