mosesr (join: 2002-09-20, Lake Elsinore, CA; Comcast Formerly ..)
Isn't a Bi-Directional Firewall Overkill?
I'm just asking... I've used NIS going back to version 2002, and now we have the XP SP2 firewall blocking incoming only. Isn't this enough with good anti-virus software and maybe one or two anti-spyware programs on a system? Also, routers with NAT capability add another layer of protection, which should be enough.
Do we really need the bloating, performance-degrading software of a bi-directional firewall to "fight the good fight"?
Convince me I need a bi-directional firewall!

jaykaykay, 4 Ever Young (join: 2000-04-13, Scottsdale, AZ; Speakeasy)
I can't convince you, but I have convinced myself, and I have always had layered security. I have a router and a software firewall, so I do have bi-directional information. I want to know and be able to control not only what is coming into my machine but what is attempting to leave it. I feel that by having the bi-directional ability I am doing the same thing as when I lock my doors. If someone got into my house, I sure as heck would like to know if they've left and perhaps what they took/are trying to take with them. Bi-directional capability allows me that with my computer.

rustydog999 (join: 2002-06-17, the internet)
reply to mosesr: I sit behind a firewall router with NAT and run a software firewall on each machine connected to the router.
I have found many programs that had no need to access the net trying to. It's nice to block such things.

mens rea (join: 2002-01-31, Canada; Shaw)
reply to mosesr: Have a look at these posts: »Anti-Spyware Tests (Round 1) and »New Anti-Spyware Tests, which pretty much illustrate that no single anti-spyware application is foolproof. One need only search this forum to find similar illustrations concerning other forms of malware that AVs and ATs occasionally miss for one reason or another.
So wouldn't it seem prudent to know what is trying to connect out from your PC as well?

BlitzenZeus, Burnt Out Cynic (join: 2000-01-13, Beaverton, OR)
reply to mosesr: Anti-programs only protect against known malware.... Having outbound protection allows you to control which programs can use the internet. Adware, spyware, trojans, worms, etc. are big these days on unsecured computers.

TheWiseGuy, Dog And Butterfly (join: 2002-07-04, Yonkers, NY)
reply to mosesr: If you read this forum for a long time you will see many users whose first indication of a problem is their software firewall asking permission for an unknown program to access the Internet. Certainly by phrasing the question as
quote: Do we really need more bloating, performance degrading software of a bi-directional firewall to "fight the good fight"?
you are trying to influence the answer. I would contend you can get a good software firewall that blocks outbound and is not bloated or performance degrading. The object of running a layered defense is that new threats occur on a regular basis and no layer is perfect. The object is to use layers to lower the risks. Lowering the risk by some percentage, over a large number of users, over time, has a major effect on the spread of malware and the damage caused by malware.
-- Dog and Butterfly

mosesr (join: 2002-09-20, Lake Elsinore, CA; Comcast Formerly ..)
reply to rustydog999: Thanks for the posts, folks... keep them coming.
Here's the deal... Like I said earlier, I've used a bi-directional FW for a very long time, several years to be precise, but the point is I've only had to block outgoing internet access on a very few programs that insist on phoning home and sending "so-called" relevant info back home.
I assume my anti-spyware and my anti-virus killed anything else that tried to gain access.
I think the new XP SP2 FW might be all we need now... of course, also anti-virus, spyware removal software and a hardware NAT router to complete the layered protection.
Rod

Jtmo (join: 2001-05-20, Novato, CA; Comcast)
reply to mosesr: Non-'bi-directional' firewalls don't protect you against drive-by download spyware. The only reason I knew was that ZoneAlarm popped up asking whether I wanted to let the program access the internet. Hell NO. Router, Norton AntiVirus, Spybot, and Microsoft did not protect me; ZoneAlarm did. Goodbye IE, hello Firefox after that mess.
-- »www.mpia-hd.mpg.de/homes/bell/pr···ster.jpg GEMS_Galaxy collage

mosesr (join: 2002-09-20, Lake Elsinore, CA; Comcast Formerly ..)
reply to TheWiseGuy: Thanks for all the input... keep it coming!
Wiseguy,
I am not trying to influence the outcome of this thread.
I'm just asking: wouldn't it be better if we had a firewall that gave us control over outgoing access to the net instead of software that provides bi-directional protection?
Couldn't we just use the XP SP2 firewall and something else to block the outgoing? That would reduce the software we would have to install for optimum protection.
Rod

mosesr (join: 2002-09-20, Lake Elsinore, CA; Comcast Formerly ..)
reply to Jtmo: Hey Jtmo,
Could you explain a little more about "drive-by download spyware", please? Are you saying that if I have a router FW with NAT capability, which makes ALL my ports stealthed/invisible, a drive-by can access my machine?
Are you also telling me (us) that changing the SSID and incorporating MAC filtering on the router wouldn't have prevented drive-by access to a Wi-Fi system?
Question for anyone... is there a program/FW/software available that is NOT bi-directional and only provides total control of OUTGOING programs trying to access the net?
Rod

BlitzenZeus, Burnt Out Cynic (join: 2000-01-13, Beaverton, OR; Verizon FIOS / Verizon Online DSL)
Let's say you use IE, and due to an exploit IE allows a program to run/install itself on your computer. Let's say this program was a trojan installed by the GDI+ exploit, for example. You have a trojan which has just installed itself and edited the registry to allow itself to be a server behind your back, also through the XP SP2 firewall.
So now you have no outbound control when this trojan is contacting an IRC server, and your computer is now a zombie which does what it's told to do by the remote server. Also, your computer is listening on a port which could allow someone full control over your computer via a remote link. Don't be naive; this is not as improbable as you think....
When you get to a level where you might feel you know quite a bit, you have just hit the tip of the iceberg... Some people are ultra paranoid, some look at their situation to see if it's a good calculated risk, and some might just ignore problems.
-- My hourly rates: $25 per hour. $35 per hour if you want to watch. $45 per hour if you want to help. $75 per hour if you tried to fix it, and failed. The biggest error is sitting in front of your keyboard.

Juliet (join: 2004-07-19, Dallas)
reply to mosesr:
said by mosesr: Hey Jtmo, Are you also telling me (us) that changing the SSID and incorporating MAC filtering on the router wouldn't have prevented drive-by access to a Wi-Fi system?
Changing your SSID and enabling MAC filtering are very, very weak protections. They're visible via certain apps and broadcast in your packets, available to be read and spoofed. You need to enable WEP encryption at the very least.
As for your other question regarding an outbound monitor only... I guess I'd be interested too if I thought it took that much less overhead.
I run Sygate (along with my Linksys router). I've found it to have the lowest overhead on my system of any program. I doubt that making it monitor outbound only would save me much.
-- "Government big enough to supply everything you need is big enough to take everything you have ... The course of history shows that as a government grows, liberty decreases." -Thomas Jefferson

mosesr (join: 2002-09-20, Lake Elsinore, CA; Comcast Formerly ..)
reply to BlitzenZeus: So BlitzenZeus,
Without getting too deep into details, are you saying that if I had a bi-directional FW I would see the ZOMBIE trying to do some outbound activity, correct? If yes, then just having XP SP2 wouldn't be enough. I understand that, and that's why I'm asking: isn't there an "outbound ONLY" firewall that would work with the XP SP2 FW?
Or is this concept too stupid? Rod

BlitzenZeus, Burnt Out Cynic (join: 2000-01-13, Beaverton, OR; Verizon FIOS / Verizon Online DSL)
You should be prompted for the outbound connection by the zombie program, and it should be implicitly blocked until you actually allow it outbound.
If you're going to run a software firewall, just run the 3rd-party firewall which you're using in place of the XP SP2 firewall, as it's going to filter inbound traffic also. Firewalls are either inbound only or bi-directional, for the most part. There is no reason to need to run two software firewalls, and running two at the same time can cause conflicts/problems.
If you really wanted to, you could use a hardware firewall and a software firewall so you don't have to worry as much about one configuration, but hardware firewalls actually require you to forward ports to certain machines if they really need to act like a server; otherwise you don't really need to do much, unless it's a wireless router, which is an entire other topic on how to try to secure wireless routers from people war driving/your neighbors.

mosesr (join: 2002-09-20, Lake Elsinore, CA; Comcast Formerly ..)
reply to Juliet: "As for your other question regarding an outbound monitor only... I guess I'd be interested too if I thought it took that much less overhead."
Good... finally got someone who might also be interested in an "outbound monitor". Does something like this exist?
Thanks trinity_tx for your input.
Rod

Juliet (join: 2004-07-19, Dallas)
You're welcome. ; )
I don't think there is an outbound-only firewall out there. I think it would take almost as much overhead as a bi-directional one, so the developers don't bother.

BlitzenZeus, Burnt Out Cynic (join: 2000-01-13, Beaverton, OR; Verizon FIOS / Verizon Online DSL)
It's not suggested, but you could take a rule-based firewall, have it allow all inbound, then just filter the outbound; however, there is a huge issue with which one acts as the 'big dog'.
For example, my firewall, Kerio 2.1.5, gets traffic before the XP firewall, and it gets a chance to allow or block it before the XP firewall gets its hands on it. If you allowed it in the 3rd-party firewall, it's not guaranteed that it would actually be blocked by the other firewall. It might say it was, but since it was already given permission by the first one, it could be too late, as it was already received by the operating system while the second one claimed it was blocked. I have seen this happen before when testing software firewalls.
Too many programs accessing the TCP/IP interface, and who gets the traffic first, is a huge issue; it's also where the conflicts/problems usually come from, if it's not due to the drivers causing problems with the other firewall driver in memory.
Let's not forget the local XP firewall exploit of programs giving themselves permission to be a server behind the user's back....
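Two of BlitzenZeus's posts above (the trojan that "edited the registry to allow itself to be a server behind your back" and the reminder about "programs giving themselves permission to be a server behind the user's back") describe the same weakness: the XP SP2 firewall keeps its exception lists in the registry, so anything running as an administrator can add itself without a prompt. The script below is an added example, not code from this thread or from Microsoft. It reads a text export of the firewall policy key (on the real machine you would produce one with `reg export "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy" fw.reg`) and flags exceptions a user is unlikely to have added knowingly. The `.reg` sample embedded in the script is constructed for this example; the path heuristics (user-writable locations, system binary names outside the Windows directory, ports opened to any address) are assumptions, not part of the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FIREWALL_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"

# Constructed sample export (not taken from a real machine). The key names and the
# "<path>:<scope>:<Enabled|Disabled>:<name>" value layout follow XP SP2's format.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Documents and Settings\\Rod\\Local Settings\\Temp\\svchost.exe"="C:\\Documents and Settings\\Rod\\Local Settings\\Temp\\svchost.exe:*:Enabled:svchost"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"6667:TCP"="6667:TCP:*:Enabled:irc"
"""

# Heuristics (assumptions for this example): a trojan dropped by a browser exploit
# usually lands somewhere the user can write and often borrows a system binary's name.
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\temp\\", "\\local settings\\", "\\recycler\\")
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "explorer.exe"}


@dataclass
class FirewallException:
    profile: str      # StandardProfile or DomainProfile
    kind: str         # "app" (AuthorizedApplications) or "port" (GloballyOpenPorts)
    target: str       # executable path, or "port/PROTO"
    scope: str        # "*" = any address, "LocalSubNet", or an explicit address list
    enabled: bool
    name: str         # friendly name; Windows' own entries use @xpsp2res.dll resource ids


_VALUE_RE = re.compile(r'^"(.*?)"="(.*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: value data}} for a Windows registry text export."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := _VALUE_RE.match(line)):
            # .reg exports double every backslash inside quoted names and data
            keys[current][m.group(1).replace("\\\\", "\\")] = m.group(2).replace("\\\\", "\\")
    return keys


def firewall_exceptions(policy: Dict[str, Dict[str, str]]) -> List[FirewallException]:
    """Decode the application and port exception lists of every profile in the policy."""
    out: List[FirewallException] = []
    prefix = FIREWALL_KEY.lower() + "\\"
    for key, values in policy.items():
        if not key.lower().startswith(prefix):
            continue
        profile, _, leaf = key[len(prefix):].partition("\\")
        for vname, data in values.items():
            if leaf.lower() == "authorizedapplications\\list":
                # data repeats the path, which itself contains "C:", so strip it by
                # length instead of splitting the whole string on ":"
                if not data.lower().startswith(vname.lower()):
                    continue
                parts = data[len(vname):].lstrip(":").split(":", 2)
                if len(parts) != 3:
                    continue
                scope, state, name = parts
                out.append(FirewallException(profile, "app", vname, scope, state.lower() == "enabled", name))
            elif leaf.lower() == "globallyopenports\\list":
                parts = data.split(":", 4)
                if len(parts) != 5 or not parts[0].isdigit():
                    continue
                port, proto, scope, state, name = parts
                out.append(FirewallException(profile, "port", f"{port}/{proto.upper()}", scope,
                                             state.lower() == "enabled", name))
    return out


def audit(reg_text: str) -> List[Tuple[str, str]]:
    """Return (target, reason) pairs for enabled exceptions that look self-granted."""
    findings: List[Tuple[str, str]] = []
    for e in firewall_exceptions(parse_reg_export(reg_text)):
        if not e.enabled:
            continue
        if e.kind == "app":
            lower = e.target.lower()
            base = lower.rsplit("\\", 1)[-1]
            if any(marker in lower for marker in USER_WRITABLE_MARKERS):
                findings.append((e.target, "enabled exception for an executable in a user-writable location"))
            if base in SYSTEM_BINARY_NAMES and not lower.startswith("c:\\windows\\"):
                findings.append((e.target, "system binary name outside the Windows directory"))
        elif e.scope == "*":
            findings.append((e.target, f"port opened to any address (name {e.name!r})"))
    return findings


if __name__ == "__main__":
    for target, reason in audit(SAMPLE_REG):
        print(f"{target}: {reason}")
```

Run against the constructed sample it reports the fake `svchost.exe` in the user's Temp directory twice (wrong location, borrowed system name) and the `6667/TCP` port opened to the whole Internet, while the Messenger exception and the disabled `sessmgr.exe` entry pass. This is an after-the-fact check, not outbound control: it only catches the exception once it exists, a trojan running as administrator can just as easily disable the firewall service or delete its own entry, and legitimate software also adds entries here. It is one more layer in the sense TheWiseGuy describes, not a replacement for the prompt a bi-directional firewall would have shown when the program first tried to connect out.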
mosesr (join: 2002-09-20, Lake Elsinore, CA; Comcast Formerly ..)
reply to BlitzenZeus: BlitzenZeus,
I understand exactly what you are saying, BUT what I'm getting at is that if we have inbound activity covered with the XP SP2 FW, all I need is some way to monitor outbound activity, which would lower system overhead; we shouldn't need a 3rd-party full-blown firewall any more.
By the way, I should have stated earlier that I use WEP 128 in addition to the other security protections, which by themselves are weak.
Rod

BlitzenZeus, Burnt Out Cynic (join: 2000-01-13, Beaverton, OR; Verizon FIOS / Verizon Online DSL)
You're asking for something which most people would prefer in one program, not trying to configure two separate programs for two directions of traffic, and an outbound-only firewall is not really useful in reality.
Programs like Kerio 2.x and Look n Stop are rule-based; if you knew what you were doing this could be easily accomplished, and these programs use little resources. However, they are not very user-friendly to the inexperienced user... Then there was the previous 'big dog' issue, and if you're already using a wireless router which works like a firewall, that could act as your inbound firewall, so for the most part you're just permitting programs outbound with your software firewall.

Link Logger (join: 2001-03-29, Calgary, AB; Shaw)
reply to mosesr: Different strokes for different folks. I don't run any outbound firewalling (other than no IRC/IRQ gets past the firewalls in either direction, unless we are trying something). Everything is logged here, so nothing moves without being noticed, and honeypots are used constantly as well, so monitoring is pretty heavy (the network is partitioned as well, with monitoring at all the partition interfaces); so far no problems. Now some people, I'm sure, would freak at our security configuration either way, but it works for me.
One thing that I would suggest to people is to schedule a weekly full scan of every system. You might have been infected before the signature was available, and a weekly full scan might pick it up; plus, what else are your systems going to do Monday morning at 4 am?
Blake
-- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel