CastleCops, Internet Crime Fighters
Do we need an outbound traffic monitoring firewall ??
satyr

Captain
Premium Member

Joined: Feb 25, 2004
Posts: 565

Premium Team F@H

PostPosted: Thu Aug 24, 2006 7:56 pm    Post subject: Do we need an outbound traffic monitoring firewall ??

Well, it's true that I personally run only Windows XP/Pro SP2's firewall; it's simply enough for me since I am still on a dial-up connection, and additionally I use common sense, and so I haven't actually been infected yet. Well, that's not entirely true, but it was rather a result of my "experimenting"; see the CastleCops /Fixed: My PC probably infected; now I am afraid to reboot thread that I've created here at the CastleCops forum ...


But you see, it's that many people argue (especially on Ars Technica forums where I also participate) that outbound traffic monitoring firewalls are useless, since once the malware is on your computer you are already owned, and that the malware could in turn turn off your firewall and disable the Windows "Security Center" altogether. However, although I think that this is true (i.e. that it certainly could turn off the protection programs), I also think that there is also a possibility that it wouldn't, since there are so many different firewall programs out there that it's almost impossible to "target" them all.


P.S. -- If you want to, see this post of mine (it's a reply to this bash666's post), and later on see also Accs's reply to my post, where this was discussed on Ars Technica forums in a thread titled Kaspersky AV vs. F-Secure AV.


cheers, satyr

satyr

Captain
Premium Member

Joined: Feb 25, 2004
Posts: 565

Premium Team F@H

PostPosted: Thu Aug 24, 2006 8:13 pm    Post subject:

Hmmm strange, but I suddenly cannot edit my post anymore.


I just forgot to explicitly ask the actual question I am interested in. Anyway, so my question is the following (similar to the thread's title): do we need outbound traffic monitoring firewall programs at all? What's your opinion on this??!


satyr

PCBruiser

SRT Team Lead
Forums Admin

Joined: May 11, 2005
Posts: 11723

1st Responder Mentors 1st Responders Forums Admin MIRT Moderators Premium Rootkit Experts Security Experts SRT Team CC Committee

PostPosted: Thu Aug 24, 2006 8:13 pm    Post subject:

I do not agree with the folks at Ars Technica at all. An inbound/outbound firewall is necessary. While some malware does, in fact, attempt to turn off an "in/out" firewall, most are unsuccessful at doing that, and most of the good in/out firewalls are hardened to protect against that problem.

Simply to say, "well such and such can turn off a firewall, so why use one in the first place" is just being blind to the numerous other threats out there that can be caught by a good in/out firewall. If similar logic were used in medicine, we would still be fighting smallpox, and everyone would have AIDS.

Remember, good, solid protection has to be like an onion, with many different layers of protection: a hardware router/firewall, a single good AV and in/out firewall, and several compatible anti-malware programs, many of which do different things to prevent malware. A threat which can penetrate one layer will often run head on into the next one, and that's why a good layered protection package is needed.


_________________
Don't read? Can't learn!
PCBruiser

SRT Team Lead
Forums Admin

Joined: May 11, 2005
Posts: 11723

1st Responder Mentors 1st Responders Forums Admin MIRT Moderators Premium Rootkit Experts Security Experts SRT Team CC Committee

PostPosted: Thu Aug 24, 2006 8:25 pm    Post subject:

satyr wrote:
Hmmm strange, but I suddenly cannot edit my post anymore.

This Forum does not permit editing for reasons I do not understand. That fact has been reported to the Admins, so they are aware of the problem. Most of the other Forums do permit editing, so that problem is not with your user account, and you can still edit in those Forums that permit it.


_________________
Don't read? Can't learn!
Tib

Guest
IP: 87.127.*.*

PostPosted: Fri Aug 25, 2006 12:15 pm    Post subject:

PCBruiser, can you explain how effective a hardware firewall actually is? If I'm correct, a modem leaves all your ports forwarded whilst a hardware firewall blocks some. I however don't use a hardware firewall but am considering buying one. My PC security is already thorough and I would like to think I block malware at all angles. I already use ZoneAlarm free firewall; what could a hardware firewall do to bolster my security more?

By the way, I may not reply for up to a week as I'm on holiday at the moment ;)


Thanks

Tib

PCBruiser

SRT Team Lead
Forums Admin

Joined: May 11, 2005
Posts: 11723

1st Responder Mentors 1st Responders Forums Admin MIRT Moderators Premium Rootkit Experts Security Experts SRT Team CC Committee

PostPosted: Fri Aug 25, 2006 5:45 pm    Post subject:

A little over a year ago I co-authored a paper on securing XP. Among other things it discusses what a hardware router/firewall does. You can view the article here:

http://www.tweakhound.com/xp/security/page_1.htm

One further comment regarding port blocking. A good hardware firewall will block all ports, both inbound and outbound, except for permitted ones. For permitted outbound ports it would typically permit those that are doing everyday things - browsing, file transfers, etc. And similar for inbound. However that's where the second critical firewall element becomes critical, i.e., Stateful Packet Inspection ("SPI"). SPI will only allow packets to enter your LAN from the Internet that have been specifically requested such as email, a web page, a file download, etc. Any inbound packet that was not requested by an outbound packet will be blocked regardless of what the port blocking settings may be.

Good home units should add considerable security for you at a cost of $50 - $100 for decent ones. An entry level commercial unit will run about $300, plus another $100/year or so to add full packet inspection for viruses, malware, intrusion techniques, etc.

One further point to make: I firmly believe in protecting my gateway with the strongest possible protections. The virus, port scanner, etc. which cannot make it past my gateway is one that my software doesn't have to worry about. A good hardware unit could save you considerable problems in this world of rapidly morphing threats.


_________________
Don't read? Can't learn!
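The two router/firewall elements PCBruiser describes above, outbound port blocking and Stateful Packet Inspection, as an added simulation that is not part of this thread or of any product: a state table of LAN-initiated flows decides whether an inbound packet was "requested", and outbound traffic is limited to a constructed list of everyday ports. The LAN prefix, addresses, ports and packets are all assumed for illustration.

```python
from dataclasses import dataclass

# Constructed policy: outbound destination ports permitted for "everyday
# things" (web, FTP, mail). Anything else leaving the LAN is dropped.
ALLOWED_OUTBOUND_PORTS = {80, 443, 21, 25, 110}
LAN_PREFIX = "192.168.1."   # assumed private LAN behind the router


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class SpiFirewall:
    """Port filtering plus a connection state table keyed by 5-tuple."""

    def __init__(self):
        self.state = set()   # flows the LAN side initiated

    def filter(self, pkt: Packet) -> str:
        if pkt.src.startswith(LAN_PREFIX):           # outbound from the LAN
            if pkt.dport not in ALLOWED_OUTBOUND_PORTS:
                return "DROP: outbound port not permitted"
            # Record the flow so that its reply is recognised as requested.
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW: outbound"
        # Inbound: the reversed tuple must match a flow we originated.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state:
            return "ALLOW: inbound reply to established flow"
        # Unsolicited inbound is dropped even when the port itself is "open".
        return "DROP: unsolicited inbound"


def demo() -> list:
    """Constructed traffic: a web request, its reply, two unsolicited probes
    and an outbound connection to a port the policy does not permit."""
    fw = SpiFirewall()
    return [
        fw.filter(Packet("192.168.1.10", 51000, "203.0.113.5", 80)),
        fw.filter(Packet("203.0.113.5", 80, "192.168.1.10", 51000)),
        fw.filter(Packet("198.51.100.7", 80, "192.168.1.10", 51000)),
        fw.filter(Packet("198.51.100.7", 4444, "192.168.1.10", 135)),
        fw.filter(Packet("192.168.1.10", 51001, "203.0.113.9", 6667)),
    ]
```

The third packet arrives on port 80, which the policy otherwise allows, yet it is dropped because no LAN host requested it from that source; that is the "regardless of the port blocking settings" behaviour PCBruiser describes.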
TestMan

Captain

Joined: Aug 24, 2004
Posts: 361
Location: USA

PostPosted: Sat Aug 26, 2006 5:46 am    Post subject:

Regarding the necessity of an outbound firewall.....
Yes, it is definitely needed!

Nick-YF19

MRU Teacher

Joined: Dec 19, 2005
Posts: 184
Location: USA
1st Responders MIRT MVP

PostPosted: Mon Aug 28, 2006 6:19 am    Post subject: Re: Do we need an outbound traffic monitoring firewall ??

satyr wrote:
But you see, it's that many people argue (especially on Ars Technica forums where I also participate) that outbound traffic monitoring firewalls are useless, since once the malware is on your computer you are already owned, and that the malware could in turn turn off your firewall and disable the Windows "Security Center" altogether.


Not true, many spyware installers have to call out to the Net to install their wares. Most of the SmitFraud ones need to get Net access before they can install SpywareQuake, SpyFalcon, or whatever program they want to install. If you block that, then you don't get infected.

It's not obvious like SpyFalcon wants to get Internet access, but you do get a chance to block it.


_________________
Nick`s Security Blog

Stand up & Be Counted Malware Complaints
checkmate

Colonel
Premium Member

Joined: Feb 21, 2005
Posts: 1737

Premium

PostPosted: Tue Aug 29, 2006 12:01 am    Post subject: Re: Do we need an outbound traffic monitoring firewall ??

I agree wholeheartedly that an outbound filtering PC firewall should be used. Further to that, you could bolster your machine's security with a HIPS application. A very good free version can be found here: System Safety Monitor

Just be careful to not use "Learning mode" and also be prepared for quite a number of pop-ups in the early going. If you have a decent understanding of system processes and how they can act as a parent launching other applications (the child), then there should be no real problems getting the hang of it. The forum, where the developers even participate, is a good place to ask questions.

ErikAlbert
Warnings : 3

Captain

Joined: Jan 20, 2005
Posts: 424


PostPosted: Sat Sep 09, 2006 10:07 pm    Post subject:

I'm going to get flamed for this but....


I would say an outbound filtering firewall is not really a necessity. Inbound is way more important.

The problem as I see it is that the guys at Ars Technica are right: most users run in Windows with full admin rights, so any malware that executes pretty much can do anything it wants, so the game is up anyway, whatever your firewall does.

For example there are many documented ways (and a ton of undocumented ways) to bypass (not even requiring termination which would give the game away) most firewalls using generic methods.

Look at Comodo PF, they are trying really hard to block all leak tests and they are the best of the bunch, and yet some known ways are not blocked by default because it would be too memory intensive.

Also, even if malware can't bypass your firewall, it can also do all kinds of damage to your system; it might be a bit trivial then to worry about network connections.

Of course if you start running super tight restrictions (limited accounts) and/or run HIPS to guard the integrity of your system, then it starts to make things difficult for the malware.

I believe in such a situation, outbound filtering starts to make some sense.

Of course, even if outbound filtering isn't 100% effective, it still doesn't mean it can't be useful sometimes to justify its use.

But I personally feel that a newbie who is not comfortable with all those prompts, could be better off concentrating on keeping malware off his system rather than worrying about keeping malware 'contained' once it manages to execute on his system.

It's probably too late then anyway.

checkmate

Colonel
Premium Member

Joined: Feb 21, 2005
Posts: 1737

Premium

PostPosted: Sun Sep 10, 2006 3:28 pm    Post subject:

Hi ErikAlbert,

No flames from me :)

Actually, since my Aug 28 post, I have given this subject a great deal of thought, and do agree that inbound filtering is definitely far more important, and that should be done with a NAT router.

Everyone using a home PC should invest in a NAT router. They can be had for well under $100, especially the non-wireless ones. A router keeps all the Internet "noise" from bombarding the machine in the first place, a huge first step in keeping attacks away from the machine.

I would say that if a pc router is not used, then a HIPS app probably could be used instead. But like you say, the pop-ups can be very confusing for beginners. Of course a good, updated antivirus app is a must as well.

satyr

Captain
Premium Member

Joined: Feb 25, 2004
Posts: 565

Premium Team F@H

PostPosted: Sun Sep 10, 2006 3:44 pm    Post subject:

ErikAlbert wrote:
Of course if you start running super tight restrictions (limited accounts) and/or run HIPS to guard the integrity of your system , then it starts to make things difficult for the malware.


checkmate wrote:
I would say that if a pc router is not used, then a HIPS app probably could be used instead. But like you say, the pop-ups can be very confusing for beginners. Of course a good, updated antivirus app is a must as well.


Hey, what's a "HIPS" application ??


satyr

ErikAlbert
Warnings : 3

Captain

Joined: Jan 20, 2005
Posts: 424


PostPosted: Sun Sep 10, 2006 3:54 pm    Post subject:

satyr wrote:
Hey, what's a "HIPS" application ??

satyr


Try this http://wiki.castlecops.com/HIPS_FAQ

satyr

Captain
Premium Member

Joined: Feb 25, 2004
Posts: 565

Premium Team F@H

PostPosted: Sun Sep 10, 2006 4:06 pm    Post subject:

satyr wrote:
Hey, what's a "HIPS" application ??


/EDIT: Urghhh, now I see that it means "Host Intrusion Prevention System", gulp, yet again "Google It, You Moron" applies to me ...


satyr

satyr

Captain
Premium Member

Joined: Feb 25, 2004
Posts: 565

Premium Team F@H

PostPosted: Sun Sep 10, 2006 4:29 pm    Post subject:

And thanks for that link ErikAlbert; I've just noticed your post ...


satyr


_________________
If you want to, please check out my computing-related website titled Tadej's computing homepage, and enjoy reading my various strictly computing-related discoveries, hints, principles, and rules...