Vampirefo
Premium,MVM
join:2000-12-11
Huntington, WV
kudos:1

reply to Anav

Re: Leo Laporte says software firewall not needed!

said by Anav:

He obviously does not have kids.
(or more to the point let them use his computer LOL)
I have 4 kids and 9 computers, and yes, the kids each have and use a PC; none have application checksum firewalls.
--
Best Regards, Vampirefo

IGGY
No Guru Just Here To Help
Premium,MVM
join:2001-03-30
Chatham, IL

reply to gate1975mlm
I now have proof that Leo Laporte does recommend software firewall use. The photo linked below in fact shows that Episode 234 of Call For Help did cover software firewall use. Leo at no point stated anything in regard to negatives of using this form of security protection.

»iggyz.com/blog/_archives/2005/10···850.html
--
Test Your Security Cable Diagnostics
My BLOG ZoneAlarm Help



Daniel
Premium,MVM
join:2000-06-26
San Francisco, CA

1 edit

reply to gate1975mlm
Well, this podcast was done just a few days ago, and in it he clearly states that he doesn't believe it to be necessary if you have a router.

I'd go with the more recent info if I were you.
--
dmiessler.com -- grep understanding knowledge



Vampirefo
Premium,MVM
join:2000-12-11
Huntington, WV
kudos:1

2 edits

reply to IGGY
What is in the pic?



GeekNJ
Premium
join:2000-09-23
Waldwick, NJ

reply to IGGY
I don't think Leo is against using them. In the episode you grabbed the picture from, do they discuss routers? This whole thread is based on the premise that you're behind a NAT router and that software firewalls are redundant in the protection they provide.

Now, before everyone responds without reading the thread, the *threat* is on the inbound side. The alerts you get on the outbound side that indicate an issue means just that - you already have an issue. And your software firewall didn't prevent you from getting that issue, so tell me how it protected you? Remember... If you have a NAT router then...
--
Tweaked your connection? | Mail Parse | Speed Converter



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:3

reply to gate1975mlm
Yeah, well, you have been deaf to the fact that users do the oddest things; they are not all savvy. Perfect example:

»Internet banking/Firewall Problem

I hope a SW firewall is in place.
--
Ain't nuthin but the blues! "Albert Collins". Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"LlamaWorks Equipment



jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA

reply to Bane75
Bane,

Sorry, just got back into town late Thursday and have only today had a chance to look at these questions and formulate an initial reply. (This thread has grown like crazy!)

said by Bane75:

To all those that agree with Leo. Answer these questions:

If you do not have outbound protection how would you ever know that you been compromised?
The answer to this is two-part -- and is completely independent of a firewall of any kind. First, malware does not need to come in via your primary internet connection that may be monitored by either a SOHO NAT router, a hardware firewall appliance, or even a host-based (hardware or software) firewall. It could as easily come in via a FireWire or USB connection or a dial-up modem, completely unmonitored by an installed firewall; it could come in via a multi-media card reader, via a floppy, or via a CD or (egads, we forget!) a ZIP drive. Second, malware does not need to attempt to communicate outbound via the firewall-protected connection in order to compromise your system. Malware is a far wider concept than this.

Old-line viruses were probably the earliest form of malware and have absolutely no dependency on an internet connection whatsoever. Your permanent data storage and applications (including the OS) can be modified or rendered inoperative; your machine can be rendered unusable; your machine can be used to spread the corruption to other machines (ever hear of Sneaker-net?). In all of these situations, your machine has been compromised and your firewall won't tell you a damn thing about it having happened.

The most obvious countermeasure to this is the well-known anti-virus application, regularly updated and run frequently (or constantly). Anti-Trojan and anti-spyware applications, on the other hand, primarily address internet-related malware which have functionality far different from the standard virus. (And then there's the little matter of keyloggers and point-to-point dialers, both of which are also malware with absolutely no necessary dependence on your Internet connection.) These are not firewall functions; but they may be functionality included in a security suite.

Furthermore, there are several other types of security applications (again, totally independent of the firewall) in addition to the traditional AV, AT, AS applications that rely on either signatures or heuristics to identify malware.

Anything that compromises your machine involves the installation, loading, and then execution of some sort of executable software in order to accomplish its purpose. Catch this, and the host-based firewall providing outbound control is totally irrelevant. Indeed, the outbound-monitoring firewall is a very poor solution to these problems.

The first category that comes to mind is file authentication utilities. These utilities, which can be run either on-demand or memory-resident, can usually be configured to identify any executable file that is installed, deleted, or modified on your machine. If you don't know what you did that resulted in such an alert flag, you have a problem that needs to be corrected. This has nothing whatsoever to do with your firewall.

The second category that comes to mind is registry monitoring utilities. To be executed, a malware process has to be loaded into memory (RAM). One common way to do this is via an appropriate registry entry to load and execute the process when the system is booted or when a particular user logs on. Registry monitoring utilities concentrate on the registry (speaking Windows here) for any entries that are installed, deleted, or modified on your machine. If you don't know what you did that resulted in such an alert flag, you have a problem that needs to be corrected. This has nothing whatsoever to do with your firewall.

The third category that comes to mind is process monitoring utilities. And this is the truly insidious possibility -- somehow, something malicious gets on your PC, but it isn't stored as a file on any of your persistent storage media -- instead, it is injected directly into RAM as part of a running (often system-level) process. Process monitors look for this load and execution sequence. If you don't know what you did that resulted in such an alert flag, you have a problem that needs to be corrected. This has nothing whatsoever to do with your firewall.

Yes, there are software-based firewalls (PSFs in my terminology) that have been extended (with varying levels of success) to address these issues, but stuffing this crap into a PSF is neither the best nor even the most desirable solution for this sort of security utility. (Indeed, one often ends up with very spotty protection without realizing it.)

. . . If you had a software firewall, a hash would be taken when the new file was executed and it would tell you that the file was modified.
To put it bluntly, that's not the function of a PSF and most PSFs are doing it very poorly. Most PSFs only 'authenticate' an internet-enabled application when it is first loaded; they do not (typically) 'authenticate' executable code subsequently called by the main application -- either statically (i.e., all the time) or dynamically (i.e., as required). These 'called' executable code blocks are ubiquitous in Windows. To the best of my knowledge, none of the existing PSFs continue to monitor a 'called' module after it is initially loaded; consequently they cannot tell you if the module is subsequently and dynamically modified. (Try using Process Explorer against iexplore.exe; see just how many 'called' executables are associated. Would you know which are valid, whether they had been modified, or even whether the 'call' had been redirected? Probably not, and the PSF in most cases is very unlikely to even note this, much less tell you what to do.) File authentication utilities handle the first part; process monitor utilities handle the second part.

Or tell you that windows component that should not ever be contacting the internet is in fact doing so.
Well, let's take Windows Explorer (explorer.exe, the authentic application). Should this or should this not be allowed Internet connectivity? Depends on how you've configured it, doesn't it? Some people may in fact have configured explorer.exe to access the internet for specific purposes; others may have prohibited this. What about the main components of Microsoft Office? All of these are internet-enabled. Which should the average user allow to do so (and for what purpose); which should not? The 'average' PC user has no idea of the appropriate answer to either of these questions. Most of the PSFs that I've seen provide no guidance whatsoever on this issue (and that's presuming that they even support fine-tuned configuration); it's all or nothing. (Most 'average' users have absolutely no conception of just what various Windows standard apps and Microsoft Office apps can or can't do using the Internet.)

The view of not having outbound protection is very shortsighted. All it takes is one exploit such as this, and your NAT router is worthless.
I'll even challenge this statement. Most PSFs (in their default configuration, which is where they are often left by the 'average' user) either completely allow or completely prohibit Internet communication by standard applications. Given that Microsoft Office apps, as an example, can be controlled by macros, you could actually have Microsoft Word sending/receiving FTP transfers that are transparent to the user while the only thing the 'average' user thought they were doing was allowing a Microsoft Word document to be "sent as E-Mail". This is false security at its worst; and most 'average' users have no idea whatsoever that this is what the default 'permit' Microsoft Word actually allows. (And it can be far worse than this.)
--
Regards, Joseph V. Morris
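The "file authentication utility" described above (baseline every executable file, re-hash later, flag anything installed, deleted, or modified) is simple enough to show in working code. The block below is an added example written for this page; it is not code from the post, from any PSF vendor, or from a specific product. The extension list, the directory layout, and the tampering steps are constructed for the demonstration and are assumptions, not anything the post specified.

```python
"""Added example (not from the thread): a minimal file-authentication utility.
It hashes every executable-type file under a directory into a baseline, then
re-hashes later and reports files that were installed, deleted, or modified.
The extension list and the sample tree are assumptions for the demo."""
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions treated as "executable code" for the demo (assumption: a real
# tool would also cover drivers, scripts and files with no extension).
EXEC_EXTS = {".exe", ".dll", ".sys", ".ocx", ".scr"}


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map relative path -> SHA-256 for every executable-type file under root."""
    root = Path(root)
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in EXEC_EXTS:
                rel = str(p.relative_to(root)).replace(os.sep, "/")
                result[rel] = sha256_file(p)
    return result


def compare(old, new):
    """Return (installed, deleted, modified) as sorted lists of relative paths."""
    installed = sorted(set(new) - set(old))
    deleted = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return installed, deleted, modified


def demo():
    """Build a constructed tree, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as td:
        root = Path(td)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"MZ original app")
        (root / "bin" / "helper.dll").write_bytes(b"MZ helper")
        (root / "readme.txt").write_bytes(b"not code")  # ignored by EXEC_EXTS
        before = baseline(root)

        # Simulate what a dropper (or, equally, an installer) might do.
        (root / "bin" / "helper.dll").write_bytes(b"MZ helper PATCHED")  # modified
        (root / "bin" / "dropper.exe").write_bytes(b"MZ dropper")        # installed
        (root / "bin" / "app.exe").unlink()                               # deleted
        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    installed, deleted, modified = demo()
    print("installed:", installed)
    print("deleted:  ", deleted)
    print("modified: ", modified)
```

Two practical points follow from the thread's own argument: the baseline has to be stored where the malware being hunted cannot rewrite it (offline, or at least outside the monitored volume), and every legitimate update to a monitored file shows up as "modified" until you re-baseline, which is exactly the false-positive problem that makes people switch this kind of checking off.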

w00ters

join:2003-06-23

reply to gate1975mlm
lol. The only reason why people use software firewalls in a home environment is to stop pirated software from phoning home.

Inbound protection is all that's necessary. If a piece of malware has evaded inbound protection, it could easily disable any form of outbound protection.

All software firewalls do is make using the internet more difficult for you and only you.

The best thing to do is have up to date antivirus and antispyware software and a good SPI NAT router.



jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA

reply to ghost16825

Re: Leo Laporte says software firewall not needed!

said by ghost16825:

said by jvmorris:

Indeed, many of the 'pay for' PSFs provide a capability to authenticate the DLLs called by these executables; but most of the users actually turn off this capability because it slows the system down incredibly and they've no idea whatsoever as to what the appropriate choice(s) may be.
Off topic:

Additionally, many dlls may be detected as 'modified' during normal operation, which results in a high rate of false positives. This lowers the overall detection rate of 'malicious' activity significantly, making this feature ineffective overall. I think this was an attempt by fw vendors to make up for a lack of filtering of the Application Layer with regard to the OSI definition. But I think it has been an overall failure.
Yeah, ghost, I think I know what you're referring to here, but trying to explain it to some people that think they're getting something 'extra' from a PSF with 'DLL authentication' requires a good deal more explanation than I think most readers of this thread care to work their way through. Most of the 'DLL authentication'-capable PSFs that I've seen not only slow throughput down to a crawl but also can result in a lot of false positives for the reasons to which you allude. People turn off this functionality; indeed, they are often told to turn this functionality off by knowledgeable security types in order to eliminate both the slowdown and the false positives! I would be much happier if this entire issue was addressed by something other than an 'enhanced' PSF.

On topic:

This thread could continue indefinitely unless the term 'software firewall' in the context that Whatever-his-name stated it is clearly defined. Additionally, the usage of the firewall within the network needs to be clearly defined as well (with router or without). (The term router would need to be defined as well then.) A consensus cannot be reached on such a broad and ill-defined question. . . .
Yes, another salient observation. Different respondents are, in fact, talking about 'software firewalls' but really talking about multi-function suites (some of which are obvious, some of which are not) from different vendors, and possibly with different features activated or configured in certain manners. I'd prefer to talk about PSFs in their most elemental form, especially since many of the 'enhancements' available in the 'enhanced' PSFs are also available (possibly from different vendors) as stand-alone utilities. Quite frankly, many of these 'enhancements' can more appropriately be obtained by appropriately configuring their web browsers and e-mail clients. And these apps often provide more protection (if appropriately configured) than can a PSF attempting to generically provide such protection for any conceivable browser or e-mail client. Furthermore, if the security can be obtained by appropriately configuring the specific internet-enabled applications used, what's the point in relying on a PSF to do it?
--
Regards, Joseph V. Morris


jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA

reply to gkweb

Re: Leo Laporte says software firewall not needed!

said by gkweb:

. . . Finally, my personal opinion, reformulated, is that even if I agree that a PF may cause more hassle than real security benefits for a particular kind of user, I would find it very sad to give up and tell them to remove their firewall. If they are supposed to be uneducated, I prefer to educate them rather than remove potential security (thus decreasing the hassle and increasing the gain).
Well, not everyone's got a router. (But that's not the situation which Leo and Steve were apparently discussing; they were talking about whether a PSF provides any substantive advantage to a user who does have a SOHO NAT router already inline.) Now, I do use PSFs in addition to a fairly hefty SOHO NAT router with its own rather decent embedded hardware firewall (which can be configured for both inbound and outbound, but not -- obviously -- application-level control). This is a personal cost-benefit analysis based largely on the value that we attach to the information on the various boxes here. Some of this is (to us) very valuable -- I don't want it destroyed, corrupted, or stolen. I don't think we've lost any information to malware so far (nor have our systems been used to exploit banking information or to launch attacks against other systems). Machines come and go on the private LAN; in many instances they have been (and will continue to be) used (here or elsewhere) by individuals who do not necessarily practice 'safe hex'. Our PSFs (incidentally, from different vendors on different boxes) are then primarily nothing more than a second line of defense -- and (as long as everyone is reasonable) seldom provide any alerts whatsoever. (But then, neither do my AV/AT/AS apps!)

However, I would never tell someone already using a PSF in addition to a SOHO NAT router to remove the PSF! I took the OP to refer exclusively to the issue of someone who already had a SOHO NAT router needing to also use PSFs on each and every machine behind the SOHO NAT router. It's not necessary (in my opinion), but it won't hurt. Like Leo, however, I must ask whether -- for the 'average' user -- the additional benefit justifies the additional (and continuing effort). To me, the answer for the 'average' user is likely no, it does not.
--
Regards, Joseph V. Morris


Drunkula
Premium
join:2000-06-12
Denton, TX
Reviews:
·Verizon FiOS

reply to gate1975mlm
My god! I can't believe you people are still debating this.
If you use a software firewall - good for you.
If you don't - also good for you, but you won't be using any of my network resources. I'm sure you can live with that.

Let it go already....
--
Some people are like Slinkies©... Not good for much, but they still bring a smile to your face when you push them down a flight of stairs.



jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA

reply to caffeinator

said by caffeinator:

. . . What about dialup users?

My mom has dialup, and there's no way I'm going to try and find a router that supports it when all I've had to do to keep her safe is tighten the system, install AV and 8signs, which won't give her popups to worry about, spybot, and spywareblaster.
That's very nice, but it's not the issue that Leo Laporte and Steve Gibson were discussing. And I think their statements need to be evaluated in the context of what they were discussing.

Incidentally, there are SOHO NAT routers that work quite nicely with dial-up -- the SMC Barricade 7004ABR and 7008ABR come to mind from personal experience. The PSF would likely go to 'silent running' mode if either of these routers is used (especially if it's a stand-alone PC).

Then I sat her down and told her in simple terms WHY she had to make sure to let the AV update when she went online, and to update spybot/SWB at least once a week.
Yes. Now that is important in either situation -- and I hope you've taught her to have the AV running memory-resident at all times.

. . . I went over and about had a heart attack...DL'd the free McAfee Suite that they offered, then told her to watch as I turned it on. Within 15 seconds she was portscanned.
Sure, that's a very important illustration that you gave her. (We routinely get people here who finally get around to looking at either their PSF or SOHO NAT Router firewall and freak out.) My point is that she could have been as easily enlightened by reviewing a SOHO NAT router firewall (presuming, of course, that logging was enabled). She would have seen the same thing.

. . . (sorry, NAT alone won't keep you safe)
Well, you've still to illustrate what 8signs found that a SOHO NAT router would not have and I'm talking exclusively in her usage in her Internet connection.

. . . My software firewall's auto-ban and tarpit features actually crashed his network. He wasn't happy since he works for an ISP and figured I'd be toast using only software FW on win98se at the time, but I was quite happy. . . . .
A SOHO NAT router (if you had one) would do the same thing and would likely continue to function at higher probe rates (your PSF processes the probes using CPU cycles; the SOHO NAT router has its own CPU that does not have any impact on your PC's CPU). I've no idea what your PSF could have done that would have crashed his network and suspect that this was some unrelated problem.

But, he was wrong if he thought that using a PSF on Win 98 SE would make you toast. I ran that way (no SOHO NAT router) using early versions of NIS for years -- no one ever managed to 'crash' me with a DDoS attack. I think David (Crash Dummy) Stockbridge holds the record in that he deliberately invited DDoS attacks several years ago and no one ever managed to 'crash' his system. (But things can get a bit slow if you actually invite such attacks. )
--
Regards, Joseph V. Morris


caffeinator
Coming soon to a cup near you..
Premium
join:2005-01-16
WA, USA
kudos:3
Reviews:
·CenturyLink

1 edit

I agree actually.

Actually, I was shopping for an SMC Barricade. Then I realized I had no need to spend the money with the solution I already had.

I have no need for NAT without a network of machines here.
Since you had mentioned it, here's the description of the Tarpit feature that caused my friend such troubles:

Tarpit States

Connecting: The remote system tried to open a connection (sent a SYN packet).

Accepted: The firewall accepted the connection (sent a SYN|ACK packet) but has not received a reply (the final ACK packet that completes the TCP connection sequence).

Stuck: A connection has been established. To be precise, the remote system has established a connection and the firewall has replied to make it appear that the computer on which it is running has accepted the connection. In fact, the computer has no knowledge of it and has not allocated any resources for it. The firewall maintains the "connection" statelessly, using no more resources for each entry in the tarpit, and is able to handle an unlimited number of tarpit entries. The display, however, is limited to 256.

Leaving: The remote system has requested that the connection be closed (sent a SYN packet). The firewall ignores the request, forcing the remote system to resend the close request until it eventually times out.

Escaped: The remote system either closed the connection forcibly or sent a close request more than 5 minutes ago, in which case it is safe to assume it has closed the connection after a timeout.

That's why I can cause troubles for scanners. I set a rule for that traffic, and click a box to auto-ban and/or tarpit when triggered. Same for automatic defense of portscans.
I was DDoSed just the other day, no problems.

I have faked packets waiting for them. I don't know of any Router/FW that can do this behavior without a lot of work. Perhaps pfsense?

Yeah, I know, it's OT..I'll shut it now

-CaFF
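The five tarpit states quoted above are a small TCP state machine, and it is easier to see why a tarpit costs the defender nothing per entry (while the scanner keeps a socket and retransmit timers alive) by running one. The block below is an added example written for this page; it is not 8Signs code and not from the post. It consumes a constructed sequence of TCP flag events with timestamps rather than real packets, keeps the 5-minute timeout the description gives, and treats a close request as a FIN segment (the quoted text says SYN for the Leaving state, but in TCP the close request is a FIN; that correction is this example's assumption, not the product's wording).

```python
"""Added example (not from the thread or from 8Signs): a tarpit connection
table that walks the quoted states Connecting -> Accepted -> Stuck ->
Leaving -> Escaped over a constructed stream of TCP flag events."""

ESCAPE_AFTER = 300  # seconds: "more than 5 minutes ago" in the quoted text


class Tarpit:
    def __init__(self):
        self.table = {}  # (src_ip, src_port) -> [state, time_of_last_change]
        self.sent = []   # segments the tarpit "sends" back (recorded, not transmitted)

    def state(self, key):
        return self.table[key][0] if key in self.table else None

    def packet(self, key, flags, now):
        """Feed one inbound segment. flags is a string of TCP flag letters."""
        st = self.state(key)
        if "R" in flags:
            # Forcible close: the remote is gone for good.
            if st is not None:
                self.table[key] = ["Escaped", now]
            return
        if "S" in flags and st in (None, "Escaped"):
            self.table[key] = ["Connecting", now]
            # Answer SYN|ACK without creating a socket; the host never sees it.
            self.sent.append((key, "SA"))
            self.table[key] = ["Accepted", now]
            return
        if "F" in flags and st in ("Accepted", "Stuck"):
            # Close request: record it, but never answer, so the peer must retransmit.
            self.table[key] = ["Leaving", now]
            return
        if "A" in flags and st == "Accepted":
            # Final ACK of the handshake: the remote now believes it is connected.
            self.table[key] = ["Stuck", now]
            return
        # Retransmitted FINs, data on a stuck connection, duplicate SYNs:
        # dropped silently. That silence is what ties the remote up.

    def tick(self, now):
        """Age out entries whose close request is older than ESCAPE_AFTER."""
        for entry in self.table.values():
            if entry[0] == "Leaving" and now - entry[1] > ESCAPE_AFTER:
                entry[0] = "Escaped"
                entry[1] = now


def demo():
    """Two constructed scanners (RFC 5737 test addresses): one gives up with a
    FIN and waits out the timeout, the other resets the connection."""
    tp = Tarpit()
    a = ("203.0.113.5", 40001)
    b = ("203.0.113.9", 40002)
    obs = {}
    tp.packet(a, "S", 0);   obs["after_syn"] = tp.state(a)      # Accepted
    tp.packet(a, "A", 1);   obs["after_ack"] = tp.state(a)      # Stuck
    tp.packet(a, "F", 30);  obs["after_fin"] = tp.state(a)      # Leaving
    tp.packet(a, "F", 90)                                       # retransmit, ignored
    tp.tick(200);           obs["before_timeout"] = tp.state(a) # still Leaving
    tp.tick(400);           obs["after_timeout"] = tp.state(a)  # Escaped
    tp.packet(b, "S", 0)
    tp.packet(b, "A", 1)
    tp.packet(b, "R", 2);   obs["after_rst"] = tp.state(b)      # Escaped
    obs["segments_sent"] = len(tp.sent)                         # one SYN|ACK each
    return obs


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

One caveat before turning this on at home: because the tarpit answers every probed port with a SYN|ACK, a scanner sees the host as up with every port open, so a tarpit draws attention rather than hiding you. A NAT router that simply drops unsolicited inbound packets (the point made earlier in the thread) gives the scanner nothing to hold on to at all, and does it on its own CPU.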



jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA

said by caffeinator:

. . . Yeah, I know, it's OT..I'll shut it now . . .
Yes, but tarpits are fun, aren't they?
--
Regards, Joseph V. Morris

over 12.5 years online © 1999-2012 dslreports.com.