What good is a firewall?

 
 
Lorenzo
Guest
Posts: n/a

 
      04-27-2005, 06:10 PM
I'm doing a paper on home internet security and wanted to ask network
gurus a couple questions about firewalls:

What is the real benefit of a firewall for a home internet user? If the
only thing a user does is surf the web and send/receive email. What
protection does it provide? I know the Windows service port can be a
target, since it can't be disabled, but that notwithstanding, what does
a user risk?

I think people see the firewall as a panacea. The problem for most home
users is not what they block, but what they allow. Email attachments,
malicious activeX scripts, etc. are the real culprits, correct? I know
that packets arriving at the computer are processed, but if the
destination port they target has no running service, they're discarded.
Of course, DOS attacks can be launched that overwhelm a system but that
can still happen with a firewall, right?
So what's the benefit?

--
"My Break-Dancing days are over, but there's always the Funky Chicken"
--The Full Monty
 
 
 
 
 
peter pilsl
Guest
Posts: n/a

 
      04-27-2005, 06:47 PM
Lorenzo wrote:
> I'm doing a paper on home internet security and wanted to ask network
> gurus a couple questions about firewalls:
>


You want to read a book about network-security.


Firewalls protect vulnerable computers. And most computers are.

* Infected Computers open backdoor-ports, but firewalls protect them.
* Worms seek for computer with vulnerable application on open ports,
but firewalls prevent them.
* automatic scanners make internet-maps to look for easy targets:
firewalls prevent them.
and so on. And we are not even talking about protocol-aware firewalls here.

peter






--
http://www.goldfisch.at/know_list
 
 
Hernán Freschi
Guest
Posts: n/a

 
      04-27-2005, 06:52 PM
Lorenzo wrote:
> I'm doing a paper on home internet security and wanted to ask network
> gurus a couple questions about firewalls:
>
> What is the real benefit of a firewall for a home internet user? If the
> only thing a user does is surf the web and send/receive email. What
> protection does it provide? I know the Windows service port can be a
> target, since it can't be disabled, but that notwithstanding, what does
> a user risk?

Well there is some way that someone might get into your files via SMB,
but that's very unlikely. But now, with the infinity of worms around the
net... Have you heard of blaster? That was a worm which uses a
"vulnerability" in the RPC (remote procedure call) of Windows and makes
the computer to power off. Once and again, every time you connect to the
net. Other worms make your machine a spam server slave.

> I think people see the firewall as a panacea. The problem for most home
> users is not what they block, but what they allow. Email attachments,
> malicious activeX scripts, etc. are the real culprits, correct?

Part true. The windows default install (see the paragraph above) is not
secure at all.

> I know that packets arriving at the computer are processed, but if the
> destination port they target has no running service, they're discarded.

No. By default the OS answers "excuse me sir, there is no service
running here" and stuff. When you use Linux IPTABLES with a DENY it
does that. If you do a DROP then the packet is silently discarded.

> Of course, DOS attacks can be launched that overwhelm a system but that
> can still happen with a firewall, right?

I don't think so. If the firewall drops packets, then the sending
systems are more likely to stop sending packets at all, because they
will think that either you have a firewall or that your host is down
already, and look for another victim.

> So what's the benefit?


Make a default install of Windows XP not SP1 or SP2 and connect to AOL
(easy target for scanners). Your computer WILL be pwnt in a matter of
hours, if not minutes.

hjf

--
If it is stuck, force it. If it breaks, it needed to be replaced anyway.

http://www.hjf.com.ar/
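
Added example (not part of any post in this thread): the closed-port versus dropped-packet distinction discussed above, seen from the connecting side. A port with no listener is answered with a TCP RST ("connection refused"), while a packet a firewall drops gets no answer and the attempt times out. The `probe` and `demo` helpers are hypothetical names, and the demo only touches a constructed listener on 127.0.0.1.

```python
import socket

def probe(host, port, timeout=1.0):
    """Classify one TCP port by how the connection attempt ends."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        # Linux quirk: connecting to an unused loopback port can
        # "self-connect" when source port == destination port.
        if s.getsockname() == s.getpeername():
            return "closed"
        return "open"          # SYN/ACK came back: a service is listening
    except ConnectionRefusedError:
        return "closed"        # RST came back: "no service running here"
    except socket.timeout:
        return "filtered"      # silence: packet dropped, or host is down
    except OSError:
        return "unreachable"   # e.g. no route to host
    finally:
        s.close()

def demo():
    """Constructed loopback demo: the same port with and without a listener."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))    # let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    with_service = probe("127.0.0.1", port)
    listener.close()
    without_service = probe("127.0.0.1", port)
    return with_service, without_service

if __name__ == "__main__":
    print(demo())
```

The "filtered" result only shows up against a machine whose firewall drops the packet; the loopback demo exercises the other two outcomes.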
 
 
peter pilsl
Guest
Posts: n/a

 
      04-27-2005, 07:09 PM
Hernán Freschi wrote:
>
> Make a default install of Windows XP not SP1 or SP2 and connect to AOL
> (easy target for scanners). Your computer WILL be pwnt in a matter of
> hours, if not minutes.
>


wildtime of winXP without SP is down to about 10 minutes in open networks.

peter


--
http://www.goldfisch.at/know_list
 
 
David Schwartz
Guest
Posts: n/a

 
      04-27-2005, 07:19 PM

"Lorenzo" <(E-Mail Removed)> wrote in message

> What is the real benefit of a firewall for a home internet user? If the
> only thing a user does is surf the web and send/receive email. What
> protection does it provide? I know the Windows service port can be a
> target, since it can't be disabled, but that notwithstanding, what does
> a user risk?


The benefit is that he can tell, reliably, what his system is doing.
With a typical home computer, you cannot really tell what it's doing on the
network, what connections it's making, and so on. Malicious software can
cause your computer to make outbound connections that you don't want it to
make. A firewall can alert you and block the connections.

So long as you don't do something really dumb and get a reasonable
firewall, the firewall itself cannot be compromised for all practical
purposes. So it serves as a reliable boundary between you and the rest of
the world.

DS


 
 
ge0rge
Guest
Posts: n/a

 
      04-27-2005, 08:17 PM
Hernán Freschi wrote:
> Lorenzo wrote:
>
>> I'm doing a paper on home internet security and wanted to ask network
>> gurus a couple questions about firewalls:
>> What is the real benefit of a firewall for a home internet user?


Minimal psychological comfort to waste of CPU cycles

>> If the only thing a user does is surf the web and send/receive email.
>> What protection does it provide?


None...more or less. An anti-virus is better for the above since you
have already accepted these packets of information. Some people might
argue that a firewall can do stateful packets inspection. I concede the
point if you have oodles of money to spend and your information is
sensitive. For your average normal user, it is a total waste of time IMO.

>> I know the Windows service port can
>> be a target, since it can't be disabled, but that notwithstanding,
>> what does a user risk?


If the OS does not allow disabling of a port then the risk is how
weak/robust is the program that's listening and processing incoming
requests. I guess MS will respond very quickly if it can be shown that
their program is at fault ... but what the hell - one more or one less
vulnerability in Windows comes as no surprise to anybody.

>
> Well there is some way that someone might get into your files via SMB,
> but that's very unlikely. But now, with the infinity of worms around the
> net... Have you heard of blaster? That was a worm which uses a
> "vulnerability" in the RPC (remote procedure call) of Windows and makes
> the computer to power off. Once and again, every time you connect to the
> net.


inoculated by most antivirus if you run one.

> Other worms make your machine a spam server slave.

Question is why is your home station running a server?
If you are running a server then that puts you in a different category
to '... only thing a user does is surf the web and send/receive email.'
Again, an antivirus program is more effective than a firewall for this
problem.

>> I think people see the firewall as a panacea. The problem for most
>> home users is not what they block, but what they allow. Email
>> attachments, malicious activeX scripts, etc. are the real culprits,
>> correct?


Everybody now has heard of firewalls and has been scared to death that
their computer will be invaded and destroyed if they don't run one. So,
they think they need one and the vendors are rubbing their hands in glee.
You are correct though. There is no defense against the naive user who
will merrily click on the link which promises the pot of gold or asks
them to retype their password or account number to reconfirm their records.

>
> Part true. The windows default install (see the paragraph above) is not
> secure at all.


Really? what sort of install is there apart from a default Windows
install? Do you mean IE defaults? I think MS is trying to address this
issue. If you are talking of server install, that's a different story
and we are no longer talking about your user who just wants to surf the
web and receive email ... but let's agree that Windows as an OS is not
great for security - firewall or not.

>
>> I know that packets arriving at the computer are processed, but if the
>> destination port they target has no running service, they're discarded.
>
> No. By default the OS answers "excuse me sir, there is no service
> running here" and stuff. When you use Linux IPTABLES with a DENY it
> does that. If you do a DROP then the packet is silently discarded.


and what vulnerability is that if there is nothing listening on a port?
DOS attack? I have not seen one on a non-server user station in all my
years in IT. Don't forget there is a switch which turns the machine
off/on and there is no damage to your computer. In windows, you don't
even need an attack to reach for this button. Control-Alt-Delete is also
a frequently used response in Windows for a number of other situations.
So, no need for a firewall here again.

>
>> Of course, DOS attacks can be launched that overwhelm a system but
>> that can still happen with a firewall, right?

>
> I don't think so. If the firewall drops packets, then the sending
> systems are more likely to stop sending packets at all, because they
> will think that either you have a firewall or that your host is down
> already, and look for another victim.


I have heard and read about DOS attacks so many times and quite frankly I
think it is just scaremongering. DOS attacks are specific. You have been
targeted. It is co-ordinated from one or more machines to kill your
server and has the specific aim to embarrass a company .. just to show
that it can be done. For the ordinary user, the chances of this
happening are zilch. I would not lose a moment's sleep on it.

>
>> So what's the benefit?


dubious for the ordinary user but that's just my opinion

>
>
> Make a default install of Windows XP not SP1 or SP2 and connect to AOL
> (easy target for scanners). Your computer WILL be pwnt in a matter of
> hours, if not minutes.


aha! MS has addressed these vulnerabilities then. If you go to AOL, you
will deserve all you get.


--
If the rich could pay the poor to die for them, what a living the poor
could make!
 
 
Tauno Voipio
Guest
Posts: n/a

 
      04-27-2005, 08:38 PM
peter pilsl wrote:
> Hernán Freschi wrote:
>
>>
>> Make a default install of Windows XP not SP1 or SP2 and connect to AOL
>> (easy target for scanners). Your computer WILL be pwnt in a matter of
>> hours, if not minutes.
>>

>
> wildtime of winXP without SP is down to about 10 minutes in open networks.
>


A practical experience: A freshly installed Windows 2000 was
broken in during the time it took to load the security updates
from the Net (about 20 minutes, ADSL). Back to square one,
and with a firewall between ADSL and the new install, this
time.

--

Tauno Voipio
tauno voipio (at) iki fi

 
 
Lorenzo
Guest
Posts: n/a

 
      04-27-2005, 09:00 PM
Hernán Freschi wrote:

> Lorenzo wrote:
> > I'm doing a paper on home internet security and wanted to ask network
> > gurus a couple questions about firewalls:
> >
> > What is the real benefit of a firewall for a home internet user? If the
> > only thing a user does is surf the web and send/receive email. What
> > protection does it provide? I know the Windows service port can be a
> > target, since it can't be disabled, but that notwithstanding, what does
> > a user risk?

> Well there is some way that someone might get into your files via SMB,
> but that's very unlikely. But now, with the infinity of worms around the
> net... Have you heard of blaster? That was a worm which uses a
> "vulnerability" in the RPC (remote procedure call) of Windows and makes
> the computer to power off. Once and again, every time you connect to the
> net. Other worms make your machine a spam server slave.
>
> > I think people see the firewall as a panacea. The problem for most home
> > users is not what they block, but what they allow. Email attachments,
> > malicious activeX scripts, etc. are the real culprits, correct?

> Part true. The windows default install (see the paragraph above) is not
> secure at all.
>
> > I know that packets arriving at the computer are processed, but if the
> > destination port they target has no running service, they're discarded.

> No. By default the OS answers "excuse me sir, there is no service
> running here" and stuff. When you use Linux IPTABLES with a DENY it
> does that. If you do a DROP then the packet is silently discarded.
>
> > Of course, DOS attacks can be launched that overwhelm a system but that
> > can still happen with a firewall, right?

> I don't think so. If the firewall drops packets, then the sending
> systems are more likely to stop sending packets at all, because they
> will think that either you have a firewall or that your host is down
> already, and look for another victim.
>
> > So what's the benefit?

>
> Make a default install of Windows XP not SP1 or SP2 and connect to AOL
> (easy target for scanners). Your computer WILL be pwnt in a matter of
> hours, if not minutes.
>
> hjf


Thanks for the reply. I actually have a Mac, so these Windows related
issues aren't much of a concern. Not that I don't protect my system, I
just don't have those issues.

--
"My Break-Dancing days are over, but there's always the Funky Chicken"
--The Full Monty
 
 
Chris Richmond - MD6-FDC ~
Guest
Posts: n/a

 
      04-27-2005, 09:19 PM
See:

http://www.spotswood-computer.net/pr...iptables2.html

This is just scratching the surface. Follow the references
at the end after reading all of the page.

--
Chris Richmond | I don't speak for Intel & vice versa
 
 
Lorenzo
Guest
Posts: n/a

 
      04-27-2005, 10:00 PM
peter pilsl wrote:

> * Infected Computers open backdoor-ports, but firewalls protect them.

But how does the computer get infected in the first place, if there are
no ports open? Sure, maybe some people are dumb enough to install
unknown shotware that opens ports for them. But if I take a brand new
computer, close all open ports and then connect to the internet, how
will the infection occur? If it happens as malicious activex through
the browser, a firewall won't protect that.

> * Worms seek for computer with vulnerable application on open ports,
> but firewalls prevent them.

On a typical home computer, what ports are open?

> * automatic scanners make internet-maps to look for easy targets:
> firewalls prevent them.
> and so on. And we are not even talking about protocol-aware firewalls here.


--
"My Break-Dancing days are over, but there's always the Funky Chicken"
--The Full Monty
 