Is a firewall necessary?

[Tigers!]

At work we have been having a conversation about the virtues and necessity of firewalls.
It caused me to think again about my recent (and still on-going) dramas about my home network's connectivity issues.

A chap at work is quite emphatic that f/w are unnecessary. If you have a router then you are ok provided that you scan all incoming e-mails. Call him the purist. At the other extreme are those who have a f/w on all computers and have the f/w turned on on all routers, switches etc: Call them the panic merchants. Then there are those like me who want security at the lowest cost.

Who is most correct? Do we need a f/w at home (for example) if we have a DSL router? Presumably an anti-virus package is essential.
But is e-mail the only way that viruses, tojans etc: can enter the network or are there other ways?

[Suncoast]

In its purest form, a computer firewall simply prevents hackers (more properly called crackers) from accessing, damaging, or otherwise affecting your computer through the network due to operating system flaws or weak security, such as weak passwords. More advanced firewalls can do much more, from restricting where other computers can connect from to looking at the data as it passes through looking for malware.

Because the crackers are sometimes one step ahead, it is prudent to look at the firewall the same way you look at anti-virus products, prophylactic.

And the DSL modem is separate from the home router. A DSL modem alone does NOT have a firewall. And there are several exploits already in the wild that attack home and commercial routers that do not have current firmware updates. While many people keep their Windows systems updated with security updates, very very few think about updating their home routers firmware. Router firewalls are extremely basic, and often give some a false sense of security.

[Suncoast]

I learned today that some vendors like Netgear do have combination Modems and Routers.

[jonquilmcd]

Actually most of the DSL modems being released to home internet users now have built in router firmware even if they're unable to support more than one connection at a time. They then have the option to upgrade to modems that have the full functionality of routers (supporting more than one ethernet connection, wireless, etc.). The only situations you're really going to find where the DSL modem does not have router firmware built in is if the modem is old, if it's for a business (and even then they usually have to specially request a modem that is nothing more than a bridge), or if the person specifically requested a bridged modem instead of the standard modem/router hybrid.

I know it just makes things more confusing but at the same time I can see the ISP's point of view on the matter, too. The firmware makes setup a lot easier for the user in a lot of cases and the NAT helps add a little extra security for users that normally just connect straight to their modem (and A LOT of them do that!).

[Suncoast]

So they could start blocking VOIP if you don't use theirs, or file sharing ports, or whatever they like, and the subscriber has no control over it. And the ISP's can create huge subnets and nobody will be able to see how much broadcast traffic is traversing and wasting their DSL and Cable connections. Since all Windows computers, even directly connected ones have firewalls on by default, I suspect ulterior motives. Fascinating.

[jonquilmcd]

I'm not aware of any ISPs actually doing any of those things, but it is a possibility that they started including firmware on their modems in order to exert extra control later on down the road.

Anything they would do though that would share your internet connection would be on the ISP side and invisible to you to begin with.

[Suncoast]

Well, nothing like that right now in a Democratic country. But I suspect that's due to the efforts of groups supporting Net Neutrality. But putting ISP controlled firewalls on a customers DSL or Cable modem would be a short step away. Now if this firewall was something the customer could access, I would have no problems with it.

A large network is divided into smaller subnets, also called broadcast domains with routers to reduce broadcast traffic. Broadcast traffic is normal traffic sent to all devices on a subnet. If an ISP wanted to reduce costs, it could increase the network size by reducing the number of routers or router interfaces. This would result in more broadcast traffic going to every device, over every link, thus occupying more bandwidth. I recently looked at a Firebox router that had been up for about an hour, and it had already received 687,000 broadcast packets from the WAN port. The typical Broadcast packet is the minimum packet size of 64 bytes, so that was about 44 megs of traffic.

[Freeze Support™]

Personally, I'd recommend getting a firewall. Really, it depends on what activities you're undergoing when online; if they attract potentially unwanted traffic or personal, it'd be advisable to implement some form of firewall protection. If you're running a Windows platform with a Service Pack of two (2) or higher, I'd recommend enabling the Windows Defender Firewall. Though not the greatest protection agency, the Windows Firewall offers effective protection for the general population. If you feel as though your system may have been compromised, or is vulnerable to an attack, I'd recommend upgrading your protection to either a basic software firewall (such as Comodo) or even taking it one step further, and purchasing a firewall (hardware) to guard your network or Personal Computer.
If you'd like to discuss this issue in more detail, please reply to this thread detailing your concerns.

[jonquilmcd]

All the firmware is easily accessible to the customer and full featured (at least the firmware I've seen). It usually even comes with the capability to run several tests on your connection and alert you to any problem areas that you may need to call technical support about (and provides the number). What's particularly interesting is how some models have made port forwarding and port triggering so easy to do that anyone who needs to do it (with the port number) can do it.

It's interesting that you mentioned getting a hardware firewall for a personal network. We've been having this discussion my LAN technologies class. Personally I feel that a hardware firewall for a personal network is throwing money away on resources that will never be used and not at all practical for the average home user. The only thing that makes hardware firewalls more secure than software firewalls is the fact that their software is not as easily compromised. That being said what black hatter that is skilled enough to exploit a good personal software firewall much less a good enterprise software firewall is going to waste their skills on an average home user? I can understand if you keep a lot of confidential information at home that may mean a lot of money for someone who breaks in to your network but how many people have information that is that sensitive on their home PCs? The information they do have - their personal information - is of greater value to black hatters in mass attack schemes such as phishing, email scams, and malware. For this reason I would recommend the home user that is having serious issues with security in terms of head on attacks despite having a good personal software firewall try upgrading to a business or enterprise class software firewall and not a hardware firewall. If you can't afford to do that even just switching to another personal firewall may do the trick as all the attacks may be due to some well known exploit in the particular piece of software you're using.

[Freeze Support™]

Quote:

Originally Posted by jonquilmcd

All the firmware is easily accessible to the customer and full featured (at least the firmware I've seen). It usually even comes with the capability to run several tests on your connection and alert you to any problem areas that you may need to call technical support about (and provides the number). What's particularly interesting is how some models have made port forwarding and port triggering so easy to do that anyone who needs to do it (with the port number) can do it.

It's interesting that you mentioned getting a hardware firewall for a personal network. We've been having this discussion my LAN technologies class. Personally I feel that a hardware firewall for a personal network is throwing money away on resources that will never be used and not at all practical for the average home user. The only thing that makes hardware firewalls more secure than software firewalls is the fact that their software is not as easily compromised. That being said what black hatter that is skilled enough to exploit a good personal software firewall much less a good enterprise software firewall is going to waste their skills on an average home user? I can understand if you keep a lot of confidential information at home that may mean a lot of money for someone who breaks in to your network but how many people have information that is that sensitive on their home PCs? The information they do have - their personal information - is of greater value to black hatters in mass attack schemes such as phishing, email scams, and malware. For this reason I would recommend the home user that is having serious issues with security in terms of head on attacks despite having a good personal software firewall try upgrading to a business or enterprise class software firewall and not a hardware firewall. If you can't afford to do that even just switching to another personal firewall may do the trick as all the attacks may be due to some well known exploit in the particular piece of software you're using.

You raise a few interesting points there. I suppose it's really up to the user and how much potentially compromisable information is stored within the network. If you own a business or website and keep many confidential details that could be stolen or damaged, it'd be worth getting a better firewall. But, as you said, for the average home user, there is no need to implement such means of protection that may eceed the capabilities of a regular, software firewall.

[Suncoast]

You might be amazed at how many probes are constantly hitting your Internet connection. Since you're taking classes, you're probably aware there are all kinds of hackers out there. Connect your PC directly to the Internet sometime and run Wireshark. Set it up to block broadcast packets, then just watch the screen fill up with port probes. It's really amazing to me anyway. It's not like 12 years ago, where if you saw someone probing your system you would find and email the network admin for that netblock. Now it's just a part of networking.

And another thing many people don't realize is how very basic the firewall is on a home router/gateway. The only thing they usually block is upnp and the file sharing ports. The only real protection is in NAT.

So again, use those firewalls folks. Don't follow the foolish and the careless. Microsoft didn't spend millions adding a Firewall to Windows on a whim. It's there for your protection.

[jonquilmcd]

Those probes you see are usually mass attacks though that are targeting one or more specific vulnerabilities. You know how many worms are designed to scan random IPs from its host PC looking for trojan-created backdoors to exploit alone? I'm just saying the average user is not very likely to have someone manually breaking their way in to their network.

[Suncoast]

Quote:

Originally Posted by jonquilmcd

Those probes you see are usually mass attacks though that are targeting one or more specific vulnerabilities. You know how many worms are designed to scan random IPs from its host PC looking for trojan-created backdoors to exploit alone? I'm just saying the average user is not very likely to have someone manually breaking their way in to their network.

Who say's it's a manual process? The Bots worm their way in, then the malware automatically starts capturing keystrokes with credit card and bank account numbers and passwords. Suddenly these average home users are victims of identity theft. Every computer I've worked on that has been infected with key loggers have been home users, and they've had to deal with bogus credit card charges for weird club memberships and porn and/or identity theft victims.

[Suncoast]

Quote:

Originally Posted by jonquilmcd

trojan-created backdoors

And many more looking for back door exploits in "as released" software. Systems that have never been infected before. That's why closing off unused ports through firewalls works.

[Suncoast]

This News article just came out on The Register that is related to this thread about buggy routers.

[Tigers!]

This thread I started is most timely. On 31/08 I was the victim of a trojan attack.
My wife opened an e-mail from a friend of her's that had some pictures. One of the pictures was malignant.
I seem to have cleaned my computer ( ) for the present.
But it does make me wonder what good my firewall and anti-virus software are when this got through.
I wonder if I am doing something wrong with the setup of the f/w and anti-virus?

[Suncoast]

Sorry to hear about that. I was wondering why we hadn't heard from you since you started the thread. The Firewall doesn't deal with that, the Anti-Virus does. Or it should. I would be concerned that it didn't catch the malware before it infected your system.

[Tigers!]

I've always wondered whether anti-viruses work in real time or not. I am using AVG. It must have some way to look at e-mails beofre it allows them to be opened. Although to be fair the anti-viruses will always be a little behind. They have to know what the virus can do before they fix it.

[Tigers!]

I have a Thompson/Alcatel SpeedTouch 500 as my DSL router. It doesn't seem to have an on-board f/w.

I am using a Siemens Speedstream to provide wireless access.

[ebackhus]

I work for an ISP and can attest to the necessity of a firewall. Generally the only modems that have any sort of firewall are also the ones that also serve as routers.

If you don't use a software firewall I suggest you at least use a hardware one. Most routers include this feature.

Also, crackers and hackers are difference. Crackers exploit software to make it function differently. For exmaple, a cracker will bypass a registration requirement for a program to run. A hacker will break into the computers of the company who makes the program to get the program directly or just to have fun.