
#1  Z4i (Senior Member, Tampa, FL)
Do you need a firewall?  07-19-2009, 08:01 PM

I know pretty well what a Firewall is and how it works, and I can write packet filtering rules for a firewall if I need to, I just have one question about firewalls and hopefully I can get some feedback.

Most home networks these days have a router which uses NAT (Network Address Translation), which makes all the computers "behind" the router invisible and unaddressable from the internet's point of view. Only the address of the router is visible from the internet, and the router remembers the state of all the connections going through it to make sure that the clients on the inside of the network can still get around online just fine. Outbound connections work fine, as the router knows who is trying to talk to whom on what protocol, and who the packets should go back to. Inbound connections don't have this information; the most information they could have is the IP address of the router. Unless port forwarding or DMZ is set up, anyways.

So a home network which has a router performing NAT, and doesn't regularly have untrusted hosts connecting (e.g. don't have your aunt, with an old laptop running Windows XP SP1 which takes 4 minutes to finish booting and regularly gets popup ads, connecting to your network all the time...or e.g. little (WEP) or no (open) wireless encryption), does not need a firewall. This is the majority of home users' situation these days. I never see any of these facts mentioned when people are recommending that you get a firewall. It's just a blind automatic reaction. A network cannot provide virus protection, but firewalling is handled adequately at the network level.

Now, if you are in this situation where you have a NAT and nothing to fear from other computers on your LAN, you're usually best off just disabling any software firewall. Especially third-party ones which ask you every time some widely-used well known app that isn't Internet Explorer wants to connect to the internet, be it to chat or get updates or whatever. I've also seen firewalls do incredibly stupid things for no apparent reason, such as block DHCP requests (the protocol your computer uses to get an IP address from your router) and normal internet traffic.

On something like a netbook, if you normally just use it around the house, it's probably safe to turn the firewall off. If you use Ubuntu or OS X, it's fairly safe to run without a firewall (if OS X, disable all the network services you don't actually use); if you use Windows, it's safe to run without a firewall on a network of trusted computers. Obviously if you take it to someone else's house or a restaurant which offers wifi, you would want to turn it on, but I know that Vista and Windows 7, when connecting to a new network, ask you what kind of network this is, and choosing "public" is all it really takes to be safe.

Now, if your computer connects directly to a dumb modem (one that does not combo as a router), you are NOT safe without a firewall. I ran a computer like that once, and on a fresh install of Windows, it was minutes before my computer was remotely rebooted. Any computers hooked up like that will NEED a firewall of some sort.

How to tell if your computer needs a firewall:

Windows XP:
Click start, run. Enter "cmd". Type "ipconfig" into the command prompt window.

Windows Vista, Seven:
Click start, type in "command" to start search bar, hit enter. Type "ipconfig" into the command prompt window.

The output it gives will look something like this:

Code:
   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80:blahblahblah
   IPv4 Address. . . . . . . . . . . : 192.168.1.101
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
For Windows XP it will say "IP address" instead of IPv4 address.

If your IPv4 or IP address starts with 10, 172, or 192, you probably don't need a firewall. If your IP address starts with something in the 20's, 50's, 60's, or 70's, you WILL need a firewall.

This is just my analysis. Not authoritative nor uninformed.

My question is this: is there something I'm missing, that people who do not need firewall software are told that they need it anyways?


Unix fanatic
Vostro A90, 16GB SSD, 2GB DDR2, US-INTL Keyboard, FreeBSD 7.2-STABLE
Latitude E6400N, 2.4GHz, 4GB, 320GB, Opensolaris 2009.06 updated to build 118
Dell Tech Support agent
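The "look at ipconfig and check the first octet" test above is close but imprecise: RFC 1918 reserves 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, so 172.32.x.x is a public address even though it "starts with 172". The following script is an added example (not code from the thread or from any Dell tool) that parses ipconfig-style output, including the XP "IP Address" spelling, and classifies each IPv4 address against the exact ranges. The sample output is constructed to mirror the listing in the post; the 100.64.0.0/10 "shared address space" check (RFC 6598, carrier-grade NAT) goes beyond the post, as does the 169.254/16 link-local case.

```python
import ipaddress
import re

# Constructed sample, modelled on the Vista/7 ipconfig listing quoted in the post.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::1234:abcd:5678:9abc%11
   IPv4 Address. . . . . . . . . . . : 192.168.1.101
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
"""

# Constructed XP-style sample for a machine plugged straight into a "dumb" modem.
# 203.0.113.0/24 is documentation space (RFC 5737), standing in for an ISP address.
SAMPLE_IPCONFIG_XP_DIRECT = """\
Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 203.0.113.45
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 203.0.113.1
"""

# RFC 1918 private ranges: the addresses a home NAT router hands out.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared address space used by carrier-grade NAT (beyond the post's scope).
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")

# Matches "IPv4 Address. . . : x.x.x.x", "IP Address. . . : x.x.x.x" and the
# "Autoconfiguration IPv4 Address" variant; the dot leaders are arbitrary.
ADDR_RE = re.compile(
    r"^\s*(?:Autoconfiguration\s+)?IP(?:v4)? Address[ .]*:\s*(\d+(?:\.\d+){3})", re.M)


def extract_ipv4_addresses(ipconfig_text):
    """Return every IPv4 address ipconfig reports, in order of appearance."""
    return ADDR_RE.findall(ipconfig_text)


def classify(addr_str):
    """Map one IPv4 address to (category, explanation) using exact prefix checks."""
    addr = ipaddress.ip_address(addr_str)
    if any(addr in net for net in PRIVATE_NETS):
        return ("private", "RFC 1918 address: behind NAT, unsolicited inbound traffic "
                           "from the internet cannot be routed to this host")
    if addr in CGNAT_NET:
        return ("shared", "RFC 6598 carrier-grade NAT address: the ISP's NAT is in front "
                          "of you; same reachability as private, but you do not control it")
    if addr.is_link_local:
        return ("link-local", "169.254/16 autoconfigured address: no DHCP lease, so no "
                              "working path to the internet at all")
    if addr.is_loopback:
        return ("loopback", "127/8: not a network interface")
    return ("public", "globally routable address: the host is directly reachable from "
                      "the internet and needs a host firewall")


def assess(ipconfig_text):
    """Return [(address, category, explanation)] for every IPv4 address found."""
    return [(a,) + classify(a) for a in extract_ipv4_addresses(ipconfig_text)]


def needs_host_firewall(ipconfig_text):
    """The thread's rule of thumb, applied precisely: True if any interface is public.
    Returns None when no IPv4 address could be parsed, so 'unknown' is not mistaken for 'no'."""
    results = assess(ipconfig_text)
    if not results:
        return None
    return any(category == "public" for _, category, _ in results)


if __name__ == "__main__":
    for sample in (SAMPLE_IPCONFIG, SAMPLE_IPCONFIG_XP_DIRECT):
        for address, category, explanation in assess(sample):
            print(f"{address:16} {category:11} {explanation}")
        print("needs host firewall:", needs_host_firewall(sample))
        print()
```

On a real machine, pipe the live output in (`ipconfig | python this_script.py` with a small `sys.stdin.read()` wrapper) rather than pasting it; the classification is the same. The test on 172.32.0.1 is the one worth remembering: first-octet matching alone would call it private.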
  (#2) Old
holmes4 holmes4 is offline
Administrator
 
holmes4's Avatar
 
Posts: 6,156
Join Date: Nov 2008
Location: New Hampshire
Default 07-20-2009, 12:06 AM

Yes, you're missing something. A firewall also prevents malware from connecting out from your computer to the Internet. Also, NAT is not an absolute barrier to intrusion, though it makes it harder, and most routers these days have their own firewall for inbound access.

I would say all computers need a firewall.


Steve
Mini 9|2GB RAM|64GB RunCore|Intel 5300|Windows 10
#3  Z4i (Senior Member, Tampa, FL)
07-20-2009, 01:09 AM

Quote (originally posted by holmes4):
Yes, you're missing something. A firewall also prevents malware from connecting out from your computer to the Internet.
That wouldn't stop the spread of malware. It would stop it from sending spam maybe, but many ISPs block outbound port 25 (I know mine does), and the kind of malware that won't be stopped by a NAT usually doesn't spread via unsecured ports. What you need then is detection and removal far more than you need a firewall.

Quote:
Also, NAT is not an absolute barrier to intrusion, though it makes it harder, and most routers these days have their own firewall for inbound access.
I'd like to know more about this, as I have NATted boxes on my network I would like to communicate with without port forwarding. What's the technique called? Also I'd like to mention that my Unix boxes that are behind a NAT have never shown any intrusion attempts without DMZ or ports forwarded in their logs.

Quote:
I would say all computers need a firewall.
My OpenBSD box disagrees.


Unix fanatic
Vostro A90, 16GB SSD, 2GB DDR2, US-INTL Keyboard, FreeBSD 7.2-STABLE
Latitude E6400N, 2.4GHz, 4GB, 320GB, Opensolaris 2009.06 updated to build 118
Dell Tech Support agent
#4  woodscomp (Senior Member, TN)
07-20-2009, 01:50 AM

Well, you could answer this: try it on your Windows box and come back here and post your results. Just think, if you're right you could potentially shut down a multi-million-dollar-a-year industry and save us all a lot of grief and time with these programs.


Mini 10v, 270, 2GB, BCM92046 BT, Cheap 5300 knockoff wifi, 160GB, 6 cell, Win XP, Jade Green



"Life is tough, but it's tougher when you're stupid."

John Wayne
#5  Z4i (Senior Member, Tampa, FL)
07-20-2009, 02:14 AM

Quote (originally posted by woodscomp):
Well, you could answer this: try it on your Windows box and come back here and post your results. Just think, if you're right you could potentially shut down a multi-million-dollar-a-year industry and save us all a lot of grief and time with these programs.
Doing it right now.

[Network layout, version info, and security measures enabled and disabled removed]

[Following promise no longer applies as of 2:50 AM EST Friday Jul 24 2009]
I promise not to hold anyone legally accountable for anything that happens on this system, since I'll just nuke and pave it if something happens to it.

This is more than most crackers get to know about their targets. Show me some magic.

EDIT: I'll answer any other questions about my network too, if you do want to try to get at me.

EDIT 2: I also have a desktop behind a different NAT that I can leave running 24/7, running VMs of any version of Windows as up to date as it can be. If it'd be easier to find an exploit to make it known on a Windows 2000 box that unauthorized entry has been made, I'll be perfectly happy to get that set up.

EDIT 3: Somebody actually gave me a good reason, so I'm taking exposing information down and changing the network layout.


Unix fanatic
Vostro A90, 16GB SSD, 2GB DDR2, US-INTL Keyboard, FreeBSD 7.2-STABLE
Latitude E6400N, 2.4GHz, 4GB, 320GB, Opensolaris 2009.06 updated to build 118
Dell Tech Support agent
#6  palawan (Senior Member)
07-20-2009, 07:50 AM

i remember reading somewhere (i tried to search for it but didn't find it) that someone set up a windows box unpatched, no fw, no av software behind a linksys router (no management or port forwarding from the internet, i think) and published the outside ip address and it ran for over a year (maybe longer, i just don't remember too many details) and it was never cracked.

it's very difficult to get to the box behind the linksys, as the address is a non-routable private address (192.168.x.x or 10.x.x.x). without port-forwarding on the linksys, any attempt to initiate a connection from the internet to the windows machine is going to be rejected. the windows machine can still be compromised if it visits a malicious website, but it's not a fw issue (more av and sw patch related, such as java/flash vulnerabilities).

if i was working for your isp and i have access to your default router, i can sniff your traffic, redirect your traffic, inject malicious data on the information going to you, but again, the fw on your machine is not the issue.

so do i agree with you that you don't need a fw? for the most part. if you are willing to be "restricted" in the safety of your network, then i guess no one can touch you. what happens when you have to share a network with machines that may be infected? or you have to tunnel/vpn to a network with a large number of machines (i.e. work network)? or if you have to use an aircard (which offers some protection when i did a grc internet portscan, but not all the ports were protected)? use a public wifi? (altho after i discovered bt4 and sidejacking, i'd never use a public wifi without initiating vpn to my home router, much thanks to somms for that. fw won't protect you from sidejacking)

dell mini's are portable machines and i bring mine everywhere... i don't usually recommend a sw fw to friends and family, because i know windows already has it running by default, but i did insist that they have a router facing the internet, which lately is not really even mentioned anymore as it's pretty much a default now in home setups (with wifi being standard nowadays). after discovering bt4/aircrack, i am slowly converting them to wpa security.

fw or no-fw? i rarely turn off the built-in winxp fw and i have os x fw on selective applications... but it's just me. ymmv.

good luck.


my notebook: dell inspiron 11z - 11.6" display | intel core i3 330um | 6gb ddr3 ram | 80gb Intel ssd | Linux Mint 12 OS - Cinnamon 1.4 [Virtual Machine - WinXP SP3]
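Both the opening post and palawan's reply describe the same mechanism: the router keeps a table of outbound flows, rewrites replies back to the inside host that started them, and has nowhere to send a packet that matches no flow unless a port forward says otherwise. The toy router below is an added example, not code from the thread or from any vendor's firmware; it models one common behaviour (port-restricted NAT, where the remote address and port must match the recorded flow) and the addresses are constructed from the RFC 5737 documentation ranges. Real routers vary in how strictly they match, which is part of why holmes4's "not an absolute barrier" caveat stands.

```python
import itertools
from collections import namedtuple

# Minimal 5-tuple; proto is "tcp" or "udp".
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port proto")


class NatRouter:
    """Toy port-restricted NAT: translation table keyed on the full remote endpoint."""

    def __init__(self, wan_ip):
        self.wan_ip = wan_ip
        # (wan_port, remote_ip, remote_port, proto) -> (lan_ip, lan_port)
        self.table = {}
        # (wan_port, proto) -> (lan_ip, lan_port): explicit port forwards / DMZ-style holes
        self.forwards = {}
        self._next_port = itertools.count(40000)
        self.dropped = []  # unsolicited inbound packets, kept for inspection

    def add_port_forward(self, wan_port, lan_ip, lan_port, proto="tcp"):
        self.forwards[(wan_port, proto)] = (lan_ip, lan_port)

    def outbound(self, pkt):
        """LAN -> internet: allocate a WAN port, remember who asked, rewrite the source."""
        wan_port = next(self._next_port)
        self.table[(wan_port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Internet -> LAN: deliver only if a recorded flow or a port forward matches."""
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if key in self.table:
            lan_ip, lan_port = self.table[key]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)
        fwd = self.forwards.get((pkt.dst_port, pkt.proto))
        if fwd is not None:
            return Packet(pkt.src_ip, pkt.src_port, fwd[0], fwd[1], pkt.proto)
        self.dropped.append(pkt)  # no inside host is addressable for this packet
        return None


def scenario():
    """Constructed walk-through; returns what reached the LAN in each case."""
    nat = NatRouter(wan_ip="203.0.113.7")   # stands in for the ISP-assigned address
    lan_pc = "192.168.1.101"                # the address from the post's ipconfig listing
    web = "198.51.100.20"                   # stands in for a web server
    scanner = "192.0.2.66"                  # stands in for an unsolicited internet host

    # 1. The LAN PC opens a connection to the web server; the router records the flow.
    out = nat.outbound(Packet(lan_pc, 51515, web, 80, "tcp"))
    # 2. The server's reply matches the recorded flow and is rewritten back to the PC.
    reply = nat.inbound(Packet(web, 80, nat.wan_ip, out.src_port, "tcp"))
    # 3. Another host hits the same WAN port: remote endpoint differs, no match, dropped.
    probe = nat.inbound(Packet(scanner, 4444, nat.wan_ip, out.src_port, "tcp"))
    # 4. A probe to port 445 on the WAN address: nothing recorded, nothing forwarded.
    smb = nat.inbound(Packet(scanner, 4445, nat.wan_ip, 445, "tcp"))
    # 5. The thread's caveat: a port forward makes one inside service reachable.
    nat.add_port_forward(22, lan_pc, 22)
    ssh = nat.inbound(Packet(scanner, 4446, nat.wan_ip, 22, "tcp"))
    return {"reply": reply, "probe": probe, "smb": smb, "ssh": ssh,
            "dropped": len(nat.dropped)}


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:8} -> {result}")
```

Case 5 is the one the thread keeps coming back to: once a forward exists, the inside host on that port is exactly as exposed as a machine on a dumb modem, and a host firewall (or simply not running the service) is what stands between it and every unsolicited packet.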
#7  mfruit (Senior Member)
07-20-2009, 10:06 AM

Quote (originally posted by Z4i):
That wouldn't stop the spread of malware. It would stop it from sending spam maybe, but many ISPs block outbound port 25 (I know mine does), and the kind of malware that won't be stopped by a NAT usually doesn't spread via unsecured ports. What you need then is detection and removal far more than you need a firewall.
I don't care about spam, I care about sensitive information being sent back to the mothership. Even if it's a software package phoning home.

An outbound firewall should help prevent those things from happening.

Quote:
My OpenBSD box disagrees.
OpenBSD is pretty damn secure but there have been two remote exploits in the default install and according to Wikipedia, a number of remote exploits included with packages that aren't active by default.


Dell Mini 9 | 2 GB RAM | 64 GB STEC SSD | 16GB RiData SDHC
Triple Boot: Windows 7 | OSX 10.6 | XP
#8  Z4i (Senior Member, Tampa, FL)
07-20-2009, 12:56 PM

Quote (originally posted by mfruit):
I don't care about spam, I care about sensitive information being sent back to the mothership. Even if it's a software package phoning home.

An outbound firewall should help prevent those things from happening.
This would only be likely to be a real benefit in the absence of an antivirus program, which would stop it before it gets to the point where it can try to phone home, and rather than being indiscriminate, an antivirus program generally does a pretty good job of only detecting malicious software and leaving legitimate stuff alone.

Quote:
OpenBSD is pretty damn secure but there have been two remote exploits in the default install and according to Wikipedia, a number of remote exploits included with packages that aren't active by default.
Two remote exploits, one of which was in a still barely-used protocol (IPv6) which required malformed packets that internet routers would have rejected, and one SSH vulnerability that could be rendered unexploitable by enabling privilege separation, which was a security feature they'd been working on that worked perfectly on OBSD but not as well on other systems. Firewalling port 22 made nowhere near as much sense as turning on privilege separation.

Quote:
i remember reading somewhere (i tried to search for it but didn't find it) that someone set up a windows box unpatched, no fw, no av software behind a linksys router (no management or port forwarding from the internet, i think) and published the outside ip address and it ran for over a year (maybe longer, i just don't remember too many details) and it was never cracked.
I believe it. That's why I'm comfortable publicizing these details of my network, because it's just plain unaddressable from the internet.

Quote:
so do i agree with you that you don't need a fw? for the most part. if you are willing to be "restricted" in the safety of your network, then i guess no one can touch you.
This is most users' situation most of the time.

Quote:
what happens when you have to share a network with machines that may be infected?
Obviously that's different, and a firewall would be helpful there. Vista and 7 ask you whether a network is public and untrusted or private and trusted, and choosing public should provide enough protection.

Quote:
or you have to tunnel/vpn to a network with a large number of machines (i.e. work network)?
Ask your IT at work, as it's their network.

Quote:
or if you have to use an aircard (which offers some protection when i did a grc internet portscan, but not all the ports were protected)?
That's not NATted, so it's outside the scope of what I'm talking about.

Quote:
use a public wifi?
Tell Windows it's a public network.

Quote:
after discovering bt4/aircrack, i am slowly converting them to wpa security.
Yep, anything less is insecure these days.


Unix fanatic
Vostro A90, 16GB SSD, 2GB DDR2, US-INTL Keyboard, FreeBSD 7.2-STABLE
Latitude E6400N, 2.4GHz, 4GB, 320GB, Opensolaris 2009.06 updated to build 118
Dell Tech Support agent
#9  mfruit (Senior Member)
07-20-2009, 06:06 PM

Quote (originally posted by Z4i):
This would only be likely to be a real benefit in the absence of an antivirus program, which would stop it before it gets to the point where it can try to phone home, and rather than being indiscriminate, an antivirus program generally does a pretty good job of only detecting malicious software and leaving legitimate stuff alone.
Antivirus doesn't stop programs from phoning home or 0-day exploits.


Dell Mini 9 | 2 GB RAM | 64 GB STEC SSD | 16GB RiData SDHC
Triple Boot: Windows 7 | OSX 10.6 | XP
#10  Theophilus (Junior Member, Kentucky, USA)
07-20-2009, 10:26 PM

I run my old T450 with Windows XP SP3 24/7/365 without a firewall. I'm just using the Netgear router without any problems I know of. I also have it set up for port forwarding for my VPN. Been doing it a couple of years now.


I own 3 Dells
Mini 9
XPS M140
XPS T450
Copyright © 2008-2016 MyDellMini.com.