LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 03-11-2005, 05:38 AM   #61
floppywhopper
Member
 
Registered: Aug 2004
Location: Western Australia
Distribution: Mageia , Centos
Posts: 643
Blog Entries: 2

Rep: Reputation: 136

This probably won't make a scrap of difference but you said

"My point was a home user running Windows XP with an anti-virus, automatic updates, and possibly Firefox and an anti-spyware program does not need to have a firewall turned on. I have not changed my mind, I still don't use the Windows XP firewall (although the SP2 firewall is more friendly than the SP1 firewall)."

Well I've installed firewalls on three Win XP computers belonging to friends and one on another friend's Win 98 computer. They are always stunned when they see the logs, particularly when I explain that these attacks were always happening and now they are not succeeding. I've seen viruses go straight past a working, updated anti-virus only to have their activity (trying to access the internet) stopped by a decent firewall.

In my humble opinion not having a decent firewall on a Windows computer is as stupid as poking your finger into a meat slicer just to see if it is working.

These are my snort logs for one day, note I am on dial-up

SmoothWall IDS snort log
Date: 11 March

Date: 03/11 06:44:48
Name: MS-SQL Worm propagation attempt
Priority: 2
Type: Misc Attack
IP Info: 220.163.44.59:4202 -> 202.61.208.132:1434
Refs: http://vil.nai.com/vil/content/v_999....com/bid/5310,

Date: 03/11 06:45:27
Name: ICMP PING CyberKit 2.2 Windows
Priority: 3
Type: Misc activity
IP Info: 219.38.84.58:n/a -> 202.61.208.132:n/a
Refs: http://www.whitehats.com/info/IDS154,

Date: 03/11 08:03:59
Name: MS-SQL Worm propagation attempt
Priority: 2
Type: Misc Attack
IP Info: 219.146.177.150:1096 -> 202.61.208.132:1434
Refs: http://vil.nai.com/vil/content/v_999....com/bid/5310,

Date: 03/11 17:58:31
Name: ICMP PING CyberKit 2.2 Windows
Priority: 3
Type: Misc activity
IP Info: 219.130.246.160:n/a -> 202.61.205.169:n/a
Refs: http://www.whitehats.com/info/IDS154,

Date: 03/11 18:28:39
Name: ICMP PING CyberKit 2.2 Windows
Priority: 3
Type: Misc activity
IP Info: 61.138.111.65:n/a -> 202.61.205.169:n/a
Refs: http://www.whitehats.com/info/IDS154,

Date: 03/11 18:33:35
Name: ICMP PING CyberKit 2.2 Windows
Priority: 3
Type: Misc activity
IP Info: 194.207.237.21:n/a -> 202.61.205.169:n/a
Refs: http://www.whitehats.com/info/IDS154,

Date: 03/11 19:06:58
Name: ICMP PING CyberKit 2.2 Windows
Priority: 3
Type: Misc activity
IP Info: 208.57.191.112:n/a -> 202.61.205.169:n/a
Refs: http://www.whitehats.com/info/IDS154,

Date: 03/11 19:22:29
Name: MS-SQL Worm propagation attempt
Priority: 2
Type: Misc Attack
IP Info: 130.67.93.62:4620 -> 202.61.205.169:1434
Refs: http://vil.nai.com/vil/content/v_999....com/bid/5310,

I won't post my firewall logs for today as there isn't enough room on these pages; it sometimes will run into 10 - 12 A4 size pages.

I'll say it again, in my humble opinion not having a decent firewall on a Windows computer is as stupid as poking your finger into a meat slicer just to see if it is working.

floppy
 
Old 03-13-2005, 10:06 PM   #62
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 116
Quote:
jiml8,

I started this thread a long, long time ago and had forgot about it until I got an email notification that somebody had replied again. My point was a home user running Windows XP with an anti-virus, automatic updates, and possibly Firefox and an anti-spyware program does not need to have a firewall turned on. I have not changed my mind, I still don't use the Windows XP firewall (although the SP2 firewall is more friendly than the SP1 firewall).

The blaster worm is NOT a valid example, a patch was issued a MONTH before Blaster unleashed hell. Source: [The Security Bulletin]
I didn't dig for the thread; I responded after someone else did and pushed it to the front.

In any case, you remain vulnerable without a firewall. How? Because there are undiscovered vulnerabilities in Windows - and in Linux. You really don't need to worry too much about the script kiddies and about the high-profile vulnerabilities because those are (usually) patched pretty quickly. You need to worry about the good cracker who has quietly identified a vulnerability and is exploiting it without telling anyone. This is certainly not a hypothetical; it is happening and it is how many systems are being compromised. The kiddie porn explosion, the Russian bride scams, the phishing scams are all coming about because of compromised machines. Once compromised, trojans and rootkits can be added so that the system remains under the cracker's control even if it is later patched. A firewall can help with this, even if the system is compromised. Of course, a firewall will usually prevent the system from becoming compromised in the first place.

A firewall provides another layer of defense. More layers are always better than fewer layers. More layers provides protection against failure of any layer, and provides protection against user mistakes. Properly implemented, layered security imposes a very minimal impact on users.

I am presently writing this message on a Mandrake 10 box, which is running an iptables firewall and Privoxy. This machine connects to a lan in my home that also includes several windows machines and a couple of other linux machines. The internet connection is through a hardware router appliance with built in (and activated) firewall.

On the Windows machines (Win2K), no one but me has administrative privileges. All run firewalls and proxies, and anti-virus, and spyware sweepers. In spite of that, I periodically find things on those systems - trojans and viruses. My kids are under orders to not run IE but Mozilla instead, but I am sure they don't always obey. Because I won't let the kids run with administrative privileges, these bad guys don't get deeply embedded into the system and I can remove them easily. Because I have the security dialed up, when they make a mistake it doesn't tear everything apart.

But the point is that, even with heavily secured systems, some things still get through. The firewalls on those machines (Zone Alarm) have warned me on more than one occasion of something that made it through.

Without a firewall, Windows is NOT adequately secured. Period. The alert and careful user may very well get away with it, but the less alert (or less skilled) user will wind up with an infected system - certainly - without a firewall. With a firewall, the unskilled user will at least be warned of the problem before it is too deeply embedded, and the firewall will in any case act to protect against most things most of the time.
 
Old 03-14-2005, 08:52 AM   #63
peacebwitchu
Member
 
Registered: Apr 2004
Distribution: Debian
Posts: 185

Rep: Reputation: 30
For real security, host based firewalls aren't enough but a backup to a good solid hardware based firewall, i.e. Netscreen, PIX etc... Also a firewall will not prevent exploitation of a vulnerable service that has to be open to the public unless you are using deep packet inspection and your rules are finely tweaked. My two cents.
 
Old 03-16-2005, 01:07 PM   #64
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally posted by peacebwitchu
For real security, host based firewalls aren't enough but a backup to a good solid hardware based firewall, i.e. Netscreen, PIX etc...
what makes you say that?? personally, i find netfilter on gnu/linux to be a very solid firewall solution... what do you mean by real security?? could you please elaborate??

Quote:
Also a firewall will not prevent exploitation of a vulnerable service that has to be open to the public
yeah, because that is the application gateway's department - NOT the firewall's... zorp is a good example of an application gateway that works side-by-side with your firewall:

http://www.balabit.com/products/zorp/


Last edited by win32sux; 03-16-2005 at 01:47 PM.
 
Old 03-16-2005, 01:18 PM   #65
soulstace
Member
 
Registered: Mar 2005
Location: USA
Distribution: Knoppix
Posts: 64

Rep: Reputation: 15
Not having a firewall on your Windows box is just asking for trouble....

I wonder if this guy ever heard of the blaster worm?? And you can be certain there will be many more exploits based on port 135 to come (port 135 is a port you can't close on Winblows btw). So stick your finger in the meat grinder once again, that is if you have any left...
 
Old 03-16-2005, 01:52 PM   #66
jc materi
LQ Newbie
 
Registered: Aug 2004
Location: Saskatoon, SK, Canada
Distribution: fedora 4
Posts: 25

Rep: Reputation: 15
A firewall is just ONE tool in the security toolbox. Unless you want to lock down your system entirely you need to also consider how your various public services (httpd, named, pop, smtp, etc) are configured.

To cite just a couple of examples: Postfix should be configured to only accept outgoing mail from trusted IP addresses or subnets or it can become a tool for spammers. named should be configured so that it only provides info for those domains for which it is authoritative unless you deliberately chose otherwise. Perhaps the most vulnerable service is httpd. You must make sure you have it configured correctly.

See www.insecure.org for a list of security tools to test your system. I would above all recommend nessus (www.nessus.org). I have three linux boxes for my small business and they each do nessus scans on each other. The process can be automated so you can run the scans as cron jobs. nessus produces a nice html page for its report.

And, of course, all server software should be kept current!!

One previous post said the risk is more than just your own computer. If cracked, it can become a relay for attacking other machines. Since it looks like it is coming from your machine, you can be held legally liable. You could lose service from your ISP or much worse such as criminal charges.
 
Old 03-16-2005, 05:27 PM   #67
peacebwitchu
Member
 
Registered: Apr 2004
Distribution: Debian
Posts: 185

Rep: Reputation: 30
"what makes you say that?? personally, i find netfilter on gnu/linux to be a very solid firewall solution... what do you mean by real security?? could you please elaborate??"


Good practice tells you that your firewall should be a dedicated piece of hardware running for one purpose
and one purpose only. By the time I get done building an iptables firewall it is about useless for anything other than a firewall because it is stripped of every binary and daemon that isn't absolutely necessary for it to function. Netfilter makes an excellent firewall, it's just that I totally disagree with firewalls on the host as your only protection. One good rootkit and you are completely blind to what your firewall and machine are doing. We usually run a hardware firewall in front of our servers and then iptables on each of the servers behind it to firewall them off from each other.


Deep packet inspection is kinda like morphing firewalls and inline IDSs together. Most all of the commercial firewalls today are doing it in some form or the other, so it's not really an application gateway feature any more. Cisco still doesn't have it quite right.
 
Old 03-16-2005, 07:03 PM   #68
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally posted by peacebwitchu
Good practice tells you that your firewall should be a dedicated piece of hardware running for one purpose
and one purpose only. By the time I get done building an iptables firewall it is about useless for anything other than a firewall because it is stripped of every binary and daemon that isn't absolutely necessary for it to function. Netfilter makes an excellent firewall, it's just that I totally disagree with firewalls on the host as your only protection. One good rootkit and you are completely blind to what your firewall and machine are doing. We usually run a hardware firewall in front of our servers and then iptables on each of the servers behind it to firewall them off from each other.
i can see what you mean now, and i completely agree...

i use the term dedicated firewall for those type of boxes, though... calling them hardware-based firewalls can be misleading sometimes, IMHO (makes people think cisco and forget gnu/linux)...

yeah, a host-based firewall is no replacement for a good dedicated firewall (be it cisco, netscreen, linux/netfilter, etc.), especially in the enterprise... and like you pointed-out, mixing the two is a great idea...

Quote:
Deep packet inspection is kinda like morphing firewalls and inline IDSs together. Most all of the commercial firewalls today are doing it in some form or the other, so it's not really an application gateway feature any more. Cisco still doesn't have it quite right.
BTW, anyone interested in reading a little about deep packet inspection check-out these two papers i googled from securityfocus.com:

http://www.securityfocus.com/infocus/1716

http://www.securityfocus.com/infocus/1817

=)


Last edited by win32sux; 03-16-2005 at 07:12 PM.
 
Old 03-16-2005, 09:47 PM   #69
peacebwitchu
Member
 
Registered: Apr 2004
Distribution: Debian
Posts: 185

Rep: Reputation: 30
Good articles.

I figured we were both agreeing on the same thing, we just didn't know it.
 
Old 03-18-2005, 11:07 AM   #70
macnut
LQ Newbie
 
Registered: Sep 2004
Posts: 18

Rep: Reputation: 0
I have mixed feelings about firewalls. On the one hand, they ARE a necessary part of securing your system, especially if you're running Windows, an OS that, despite Microsoft's best efforts, still has far too many security holes.

On the other hand, I think they are most effective on desktop systems running no services that need to be accessed remotely, like ssh, ftp, http, etc. The minute you start running incoming services, you have to poke "holes" in the firewall to allow remote access, even if it's only the system owner/admin accessing it. Then you have to make sure the services/ports exposed are properly patched and hardened, AND monitor your system regularly to make sure some cracker/script kiddie doesn't use an unpublished exploit on one of those exposed services to crack into your machine.

Even on a desktop machine with no remotely accessed services running, you still have to poke holes for outgoing services like web browsing, email, IM, etc. And again, you've got to make sure the applications using those services are properly patched and hardened, or at least don't have the same vulnerabilities as the ones that need to be patched, like IE and Outlook.

Note that I'm not saying a firewall is unnecessary. Like others more knowledgeable than me have said, it's a layer in a multilayered defense system that all Internet users need these days. But it's not a cure-all, not by a long shot, and can give a false sense of security if regarded as such.
 
Old 04-18-2005, 08:22 AM   #71
bullium
Member
 
Registered: Aug 2003
Location: Ohio
Distribution: Ubuntu 12.04, Mint 13, RHES 5.5, RHES 6
Posts: 146

Rep: Reputation: 17
The ONLY foolproof way of securing ANY system is to UNPLUG it from the Internet altogether! Then of course you have to put the box itself under lock and key.
 
Old 04-18-2005, 09:09 AM   #72
Proud
Senior Member
 
Registered: Dec 2002
Location: England
Distribution: Used to use Mandrake/Mandriva
Posts: 2,794

Rep: Reputation: 116
I've just skimmed this thread and wanted to make a simple hypothetical point:

For a linux machine, you know what programs & services are running, and so it is possible to configure each one's settings to listen for inbound connections or not. Thus you can either have nothing listening, and no need for a firewall as there is nothing for another machine to connect to, or you may have a number of programs listening, in which case you should keep them properly patched and configured.
Using a firewall as well is having another program analyse connections and decide to allow them or not. If you believe this firewall program is any less likely than any other program to have a flaw then why? And how does a 100% correct firewall allowing access only to your listening programs prevent you from exploits in those programs?
Conversely, if the firewall program is just as likely to have a flaw as any other program, by running it you are executing more code and possibly increasing the chances of being exploited compared to simply not running a firewall and allowing all connections to listening services.

My point is, as I understand it, you can only be connected to if there is a program running and listening at the designated destination port of a connection attempt. Thus either you physically block all remote access to local programs and remove the point of running e.g. a webserver, or you configure your other firewall program to deal with every connection attempt, trust it to correctly limit connections to your listening programs, and trust them to have no exploits.
Either you ensure there are no possible connections (rip out your network connection or something), or you trust the code (the firewall and the permitted services) to lack exploits. In which case, why not just trust one less app and remove the firewall from the equation?

Just a hypothetical point.
 
Old 04-18-2005, 10:35 AM   #73
deoren
Member
 
Registered: Oct 2003
Location: USA
Distribution: Ubuntu
Posts: 216

Rep: Reputation: 30
Kernel level exploits

Xylon,

For you and others that do not feel firewalls are necessary, let me remind you of how long it takes some vendors to issue patches to fix security issues. Until that vendor releases a patch, you're vulnerable.

I imagine for services you can either disable them if you're not running a mission critical service or perhaps use a work around if it exists, but what about kernel level exploits?

Example:
http://www.cartel-securite.fr/pbiond...4-icmpleak.txt

Until Linux kernel 2.0.40 was released the workaround was to firewall icmp traffic, specifically icmp replies.

By not using a firewall or manually tweaking your tcp/ip stack options (via /proc) you're placing an unusual amount of trust in your OS vendor.

If you don't use a firewall for anything else, I'd suggest setting up one to log outbound traffic that you're not specifically allowing. By generating a report from that data you can see if your desktop has been trojaned or cracked.

One of the oddest conversations I had when I first started a CCNA curriculum at a local college was of a student telling me of fighting for control of her mouse. Somebody had cracked her broadband connected Windows XP system and had remote control of it. This was probably via RDP, but perhaps VNC.

Running even a software level firewall would have most likely kept the intruder out or have at least warned something strange was going on.

I can't count the number of people whose computers are being infected with spyware/trojans/viruses each year. I cleaned a friend's system who was infected with BO. Yep, Back Orifice. Running IE infected his PC and enabled that trojan to be installed. Without a firewall restricting traffic his system would be accessible to all who wanted to search through his stuff.

In summary:

* Firewalls are great for the security conscious and even the clueless.
* Having all services secured will not provide the protection that a firewall + secure services offers.

Granted that there are netfilter exploits for older revisions of the kernel, I would think that keeping your kernel updated falls under weekly/monthly security updates to your system.

Time will tell. Best of luck.

Also, if you're tired of getting replies to this thread PM a moderator and ask them to close it.
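The outbound-logging report suggested in the post above, as an added example (not the poster's code): it parses kernel LOG lines produced by netfilter and groups new outbound connections by protocol, destination and port so unexpected destinations stand out. It assumes an OUTPUT rule that logs NEW connections with the prefix "OUTBOUND-NEW: " after the rules that accept expected traffic; the prefix and the sample lines are constructed.

```python
"""Report on netfilter LOG lines for outbound connections that were not
explicitly allowed. Assumed logging rule (placed after your ACCEPT rules):
  iptables -A OUTPUT -m state --state NEW -j LOG --log-prefix "OUTBOUND-NEW: "
The log prefix and the sample lines below are constructed for this example."""
import re
from collections import Counter

# Constructed sample of kernel LOG output (documentation addresses only).
SAMPLE_LOG = """\
Apr 18 10:31:22 desk kernel: OUTBOUND-NEW: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=40321 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 18 10:31:25 desk kernel: OUTBOUND-NEW: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4243 DF PROTO=TCP SPT=40322 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 18 10:32:01 desk kernel: OUTBOUND-NEW: IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4244 DF PROTO=TCP SPT=40323 DPT=31337 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 18 10:32:09 desk kernel: OUTBOUND-NEW: IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=4245 PROTO=UDP SPT=5555 DPT=53 LEN=20
"""

# KEY=value tokens as netfilter prints them (IN= may carry an empty value).
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# Log prefix following "kernel:", optionally after a "[uptime]" stamp.
PREFIX_RE = re.compile(r"kernel: (?:\[[^\]]*\] )?([A-Z_-]+): ")

def parse_line(line, prefix="OUTBOUND-NEW"):
    """Return a dict of fields for a LOG line carrying the prefix, else None."""
    m = PREFIX_RE.search(line)
    if not m or m.group(1) != prefix:
        return None
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = line[:15]  # syslog "Mon DD HH:MM:SS"
    return fields

def summarize(log_text, prefix="OUTBOUND-NEW"):
    """Count new outbound flows per (proto, dst, dport), most frequent first."""
    counts = Counter()
    first_seen = {}
    for line in log_text.splitlines():
        f = parse_line(line, prefix)
        if f is None:
            continue
        key = (f.get("PROTO"), f.get("DST"), f.get("DPT"))
        counts[key] += 1
        first_seen.setdefault(key, f["timestamp"])
    ordered = sorted(counts, key=lambda k: -counts[k])  # stable: ties keep log order
    return [(k, counts[k], first_seen[k]) for k in ordered]

def report(log_text):
    """Render the summary as a small table for a daily review."""
    lines = ["proto  destination           count  first seen"]
    for (proto, dst, dport), n, ts in summarize(log_text):
        lines.append(f"{proto:5s}  {dst + ':' + dport:20s}  {n:5d}  {ts}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against the real kernel log (e.g. the output of grep OUTBOUND-NEW on /var/log/messages) instead of SAMPLE_LOG; repeated connections to a destination and port you never configured are the signal to investigate.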
 
Old 04-18-2005, 10:40 AM   #74
deoren
Member
 
Registered: Oct 2003
Location: USA
Distribution: Ubuntu
Posts: 216

Rep: Reputation: 30
Here is a snippet from an iptables script:

Code:
# All of the bits are cleared
    iptables -A INPUT   -p tcp --tcp-flags ALL NONE -j DROP 
    iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP 

# SYN and FIN are both set
    iptables -A INPUT   -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP 
    iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP 

# SYN and RST are both set
    iptables -A INPUT   -p tcp --tcp-flags SYN,RST SYN,RST -j DROP 
    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP 

# FIN and RST are both set
    iptables -A INPUT   -p tcp --tcp-flags FIN,RST FIN,RST -j DROP 
    iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP 

# FIN is the only bit set, without the expected accompanying ACK
    iptables -A INPUT   -p tcp --tcp-flags ACK,FIN FIN -j DROP 
    iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP 

# PSH is the only bit set, without the expected accompanying ACK
    iptables -A INPUT   -p tcp --tcp-flags ACK,PSH PSH -j DROP 
    iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP 

# URG is the only bit set, without the expected accompanying ACK
    iptables -A INPUT   -p tcp --tcp-flags ACK,URG URG -j DROP 
    iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP
What that does is cause the ports to be stealthed to common port scanner signatures. I don't know the tcp/ip stack well enough to know if there are other combinations that will get through, but that stops the bulk of them right there.

Not hard to implement.

Our posts missed each other, but take note where I mentioned network layer vulnerabilities. Having a solid firewall stops most of those.
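To answer the "other combinations" question in the post above, here is an added example (not the poster's script) that models netfilter's --tcp-flags MASK COMP semantics, where a rule matches when the packet's flags restricted to MASK equal COMP exactly, applies the seven DROP rules to common scanner probe shapes, and enumerates all 64 flag combinations to list the ones the rules let through. The probe names are the usual scanner-type names and are assumed labels, not part of the original post.

```python
"""Model of the --tcp-flags DROP rules from the post above (constructed example).
'--tcp-flags MASK COMP' matches when (packet_flags & MASK) == COMP."""
from itertools import combinations

FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")
ALL = frozenset(FLAGS)

# (mask, comp) pairs transcribed from the DROP rules in the post.
DROP_RULES = [
    (ALL, frozenset()),                                      # ALL NONE
    (frozenset({"SYN", "FIN"}), frozenset({"SYN", "FIN"})),  # SYN,FIN SYN,FIN
    (frozenset({"SYN", "RST"}), frozenset({"SYN", "RST"})),  # SYN,RST SYN,RST
    (frozenset({"FIN", "RST"}), frozenset({"FIN", "RST"})),  # FIN,RST FIN,RST
    (frozenset({"ACK", "FIN"}), frozenset({"FIN"})),         # ACK,FIN FIN
    (frozenset({"ACK", "PSH"}), frozenset({"PSH"})),         # ACK,PSH PSH
    (frozenset({"ACK", "URG"}), frozenset({"URG"})),         # ACK,URG URG
]

def rule_matches(packet_flags, mask, comp):
    """Netfilter semantics: only the bits named in mask are examined."""
    return (packet_flags & mask) == comp

def verdict(packet_flags):
    """'DROP' if any rule fires, else 'PASS' (the packet reaches later rules)."""
    for mask, comp in DROP_RULES:
        if rule_matches(packet_flags, mask, comp):
            return "DROP"
    return "PASS"

# Flag shapes of common port-scanner probe types (assumed labels).
SCAN_PROBES = {
    "NULL": frozenset(),
    "FIN": frozenset({"FIN"}),
    "XMAS": frozenset({"FIN", "PSH", "URG"}),
    "SYN": frozenset({"SYN"}),
    "ACK": frozenset({"ACK"}),
    "MAIMON": frozenset({"FIN", "ACK"}),
}

def passing_combinations():
    """Enumerate all 64 flag combinations and return those no rule drops."""
    passing = []
    for n in range(len(FLAGS) + 1):
        for combo in combinations(FLAGS, n):
            flags = frozenset(combo)
            if verdict(flags) == "PASS":
                passing.append(flags)
    return passing

if __name__ == "__main__":
    for name, flags in SCAN_PROBES.items():
        print(f"{name:7s} {','.join(sorted(flags)) or '-':14s} -> {verdict(flags)}")
    survivors = passing_combinations()
    print(f"{len(survivors)} of 64 combinations pass")
    print([",".join(sorted(f)) for f in survivors])
```

The enumeration shows the rules drop every flagless or ACK-less FIN/PSH/URG probe but, by design, pass an ordinary SYN, a bare ACK and FIN+ACK, so a plain SYN scan or ACK probe still reaches the later rules and must be handled by a stateful policy there.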
 
Old 04-18-2005, 10:41 AM   #75
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally posted by Proud
And how does a 100% correct firewall allowing access only to your listening programs prevent you from exploits in those programs?
keep in mind that firewalls don't only limit incoming traffic...


Last edited by win32sux; 04-18-2005 at 10:42 AM.
 