Firewall Necessity

Jupiter Jones [MVP]

"a waste of computation to me"
What is really a waste is a computer getting a worm and spreading the
same worm because the owner was irresponsible and did not add the
proper protection even when he knows better.
I will repeat: you are living in the past.
What was adequate a few years ago is grossly inadequate today.
It is called technology and it moves on whether we do or not.

I suppose you also lock the front door of your house and leave windows
open and back door unlocked.
Antivirus without a firewall is very similar.
 
HillBillyBuddhist

Can
| anyone give me an actual example of an outside attack on a non-virus
| infected PC that causes ACTUAL damage or theft to the PC...
|

Yes. One good reason (among many already mentioned) to run a firewall. DDoS
attacks. (see link below)

http://whatis.techtarget.com/definition/0,289893,sid9_gci557336,00.html

You see where it says;

"On the Internet, a distributed denial-of-service (DDoS) attack is one in
which a multitude of compromised systems attack a single target"

You know what those "compromised systems" making these attacks are? They are
thousands of personal computers belonging to everyday people just like you
and me. These systems all became "compromised" when software installed on
their computers carried a hidden payload that "compromised" their system and
turned it into a zombie to be used in a DDoS attack.

Antivirus software isn't stopping it. A NAT router won't stop it. *A
properly installed and configured firewall on the other hand will.* DDoS
attacks can only occur if the "compromised" computer can make an outbound
connection.

As many others have told you times have changed. For example when Windows XP
came out inbound firewall protection seemed to be good enough. Now it isn't.
Windows XP SP2 will address the issue by making their firewall
bi-directional. Even Microsoft can see the need. <g>

I know you're too smart to be taken in. That's what the thousands of already
compromised computer owners thought/think. You could be compromised right
now but without a firewall to warn you of a parasite attempting to make an
outbound connection from your computer you'd have no way of knowing it.

Not your problem? Sure is. DDoS attacks alone are costing the IT community
millions of dollars in lost productivity and security expenditures. (yes
millions) Who do you think ultimately winds up paying for the increased
cost? That's right you and me. Internet service, banking, software,
Antivirus subscription renewals, cellular service, anything you can name
that uses technology (and what doesn't) costs more because of these types of
security concerns. In today's Internet environment it is everyone's
responsibility to take proper steps in securing their own computers. This
includes a firewall.

You said in your first post you wanted to hear from the experts (of which I
am decidedly *not* one) You've heard from several and they all agree, yet
you continue to argue. Why again did you ask?

--
D

I'm not an MVP a VIP nor do I have ESP.
I was just trying to help.
Please use your own best judgment before implementing any suggestions or
advice herein.
No warranty is expressed or implied.
Your mileage may vary.
See store for details. :)

Remove shoes to E-mail.
 
jch

HillBillyBuddhist said:
Can
| anyone give me an actual example of an outside attack on a non-virus
| infected PC that causes ACTUAL damage or theft to the PC...
|

Yes. One good reason (among many already mentioned) to run a firewall. DDoS
attacks. (see link below)

http://whatis.techtarget.com/definition/0,289893,sid9_gci557336,00.html

You see where it says;

"On the Internet, a distributed denial-of-service (DDoS) attack is one in
which a multitude of compromised systems attack a single target"

You know what those "compromised systems" making these attacks are? They are
thousands of personal computers belonging to everyday people just like you
and me. These systems all became "compromised" when software installed on
their computers carried a hidden payload that "compromised" their system and
turned it into a zombie to be used in a DDoS attack.

The firewall will not stop your system from becoming compromised will it?
Antivirus software isn't stopping it. A NAT router won't stop it. *A
properly installed and configured firewall on the other hand will.* DDoS
attacks can only occur if the "compromised" computer can make an outbound
connection.

I firmly believe a NAT router will stop it. If the threat is as real as you
say it is then I know a NAT router and AV programs are effective because I
use them w/o a firewall and do not have a compromised system.
As many others have told you times have changed. For example when Windows XP
came out inbound firewall protection seemed to be good enough. Now it isn't.
Windows XP SP2 will address the issue by making their firewall
bi-directional. Even Microsoft can see the need. <g>
I know you're too smart to be taken in. That's what the thousands of already
compromised computer owners thought/think. You could be compromised right
now but without a firewall to warn you of a parasite attempting to make an
outbound connection from your computer you'd have no way of knowing it.

OK, so a firewall is a good device to alert you to a problem. - but not to
stop a problem from having gotten to you. Let me ask you this, would you
take your NAT router out, remove your AV program, and go online with only
your zone alarm firewall???? Of course not.
Listen - to each their own. If your experience has led you to believe you
have to have extra layers of protection for your home network (we *are*
talking home networks here aren't we?) then you should do what you think is
best. I happen to agree with Spiderman that perhaps the firewall is not
needed in light of a NAT router, good AV program, and running Ad-Aware
routinely. Had my system been compromised from this level of security I'd be
doing something else but nothing else is required and my DSL network is
online 24/7.
 
HillBillyBuddhist

| OK, so a firewall is a good device to alert you to a problem. - but not to
| stop a problem from having gotten to you.

So what you're saying then is that all the damage that's being done, that
could easily be prevented by a simple and free firewall is not a problem as
long as *your* computer is ok? :)

(or perhaps I'm making the whole thing up and it's a big bright safe
Internet world out there)

|Listen - to each their own.

A good motto up to the point where the other guy's "each" affects *my* "own."

Un-firewalled computers are costing us all money; it's a fact that simply
cannot be denied. A blanket "you don't need a firewall" statement is
irresponsible. I'll think of you next time I can't do my banking because my
bank has been DDoS'd off the net. ;-)
 
Jym

I think a firewall is more of a protection against a hack, which can read
or remove files. This is a pretty basic fact. Whether this invasion happens
to me or you, it could happen much more easily without a firewall designed
for this exact purpose. Jym
 
Bruce Chambers

Greetings --

The Blaster and Welchia worms were not propagated via email, but
rather by direct TCP/IP broadcasting, using the same mechanism that
spammers use to create messenger service pop-ups on unprotected
machines.

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html


Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
Spiderman

OK. How can someone remove a file from someone else's virus-free PC if all
file-sharing services are disabled? I just don't get it.
 
Spiderman

HillBillyBuddhist said:
Can
| anyone give me an actual example of an outside attack on a non-virus
| infected PC that causes ACTUAL damage or theft to the PC...
|

Yes. One good reason (among many already mentioned) to run a firewall. DDoS
attacks. (see link below)

http://whatis.techtarget.com/definition/0,289893,sid9_gci557336,00.html

You see where it says;

"On the Internet, a distributed denial-of-service (DDoS) attack is one in
which a multitude of compromised systems attack a single target"

You know what those "compromised systems" making these attacks are? They are
thousands of personal computers belonging to everyday people just like you
and me. These systems all became "compromised" when software installed on
their computers carried a hidden payload that "compromised" their system and
turned it into a zombie to be used in a DDoS attack.

Antivirus software isn't stopping it. A NAT router won't stop it. *A
properly installed and configured firewall on the other hand will.* DDoS
attacks can only occur if the "compromised" computer can make an outbound
connection.

As many others have told you times have changed. For example when Windows XP
came out inbound firewall protection seemed to be good enough. Now it isn't.
Windows XP SP2 will address the issue by making their firewall
bi-directional. Even Microsoft can see the need. <g>

I know you're too smart to be taken in. That's what the thousands of already
compromised computer owners thought/think. You could be compromised right
now but without a firewall to warn you of a parasite attempting to make an
outbound connection from your computer you'd have no way of knowing it.

Not your problem? Sure is. DDoS attacks alone are costing the IT community
millions of dollars in lost productivity and security expenditures. (yes
millions) Who do you think ultimately winds up paying for the increased
cost? That's right you and me. Internet service, banking, software,
Antivirus subscription renewals, cellular service, anything you can name
that uses technology (and what doesn't) costs more because of these types of
security concerns. In today's Internet environment it is everyone's
responsibility to take proper steps in securing their own computers. This
includes a firewall.

You said in your first post you wanted to hear from the experts (of which I
am decidedly *not* one) You've heard from several and they all agree, yet
you continue to argue. Why again did you ask?


I really DO want to hear expert opinions...that's why I asked. The example
you just gave is, once again, regarding a PC that has been infected with a
virus. Virus-infected PC's don't count in my thinking since they've ALREADY
been compromised...usually through user-error. Now, user errors aside...why
do I need a firewall if I'm vigilant about keeping viruses (and faulty
programs in general) off my PC? Since I haven't gotten a good reason, I will
keep my firewall down, and I suggest the more educated computer users out
there do the same. Don't believe the hype!
 
Spiderman

HillBillyBuddhist said:
| OK, so a firewall is a good device to alert you to a problem. - but not to
| stop a problem from having gotten to you.

So what you're saying then is that all the damage that's being done, that
could easily be prevented by a simple and free firewall is not a problem as
long as *your* computer is ok? :)

(or perhaps I'm making the whole thing up and it's a big bright safe
Internet world out there)

|Listen - to each their own.

A good motto up to the point where the other guy's "each" affects *my* "own."

Un-firewalled computers are costing us all money; it's a fact that simply
cannot be denied. A blanket "you don't need a firewall" statement is
irresponsible. I'll think of you next time I can't do my banking because my
bank has been DDoS'd off the net. ;-)


It's not un-firewalled computers that are the problem. It's uneducated users
that are easily fooled into installing infected software on their systems. I
think if the public were better educated on what a virus is and how they're
spread then NO ONE anywhere would need a firewall. It's like having sex in a
full body rubbersuit when all you need is a jimmy hat!
 
Spiderman

Bruce Chambers said:
Greetings --

The Blaster and Welchia worms were not propagated via email, but
rather by direct TCP/IP broadcasting, using the same mechanism that
spammers use to create messenger service pop-ups on unprotected
machines.

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html


Blaster seems to be the only example offered...however, if your PC was kept
up-to-date on the latest Microsoft updates, it would have been impossible to
get infected by Blaster. For example, I didn't get infected...but, I keep my
PC up-to-date and virus free. So, I guess educating the public on effective
PC usage is much less important than paranoia-driven propaganda. By that
reasoning, I suppose I should walk around with a surgical mask (ala Michael
Jackson) simply because "you never know" what bad things could be in the
air!
 
jch

Spiderman said:
Windows types which


I really DO want to hear expert opinions...that's why I asked. The example
you just gave is, once again, regarding a PC that has been infected with a
virus. Virus-infected PC's don't count in my thinking since they've ALREADY
been compromised...usually through user-error. Now, user errors aside...why
do I need a firewall if I'm vigilant about keeping viruses (and faulty
programs in general) off my PC? Since I haven't gotten a good reason, I will
keep my firewall down, and I suggest the more educated computer users out
there do the same. Don't believe the hype!

I agree Spiderman. As I stated earlier, all I use is a NAT router, AV
software, and I run Ad-Aware periodically to clean things up. My system has
never been compromised. What am I missing here? I'll challenge those who
swear by their firewalls. Remove your NAT router and AV programs (since you
say they aren't adequate). Just run your firewall and see how long you last.
I know how long I'll last w/o a firewall. My network is up 24/7. I've read
and continue to read of so many user network problems caused by the personal
firewalls they try to configure. Why? I have the same question you do. If
you practice safe computing why do you need a firewall?
 
Bruce Chambers

Greetings --

In the case of Blaster, the vulnerability was identified and a
patch made available before the exploit was unleashed onto the
Internet. This isn't always the case. And even so, many hundreds of
thousands of PCs were almost immediately infected. Why? Because most
people don't install patches in a timely manner. And what to do in
those cases where the patch/fix/remedy cannot be made available until
after the exploit has been released?

There are several essential components to computer security: a
knowledgeable and pro-active user, a properly configured firewall,
reliable and up-to-date antivirus software, and the prompt repair (via
patches, hotfixes, or service packs) of any known vulnerabilities.
The weak link in this "equation" is, of course, the computer user.
All too many people have bought into the various PC/software
manufacturers' marketing claims of easy computing. They believe that
their computer should be no harder to use than a toaster oven; they
have neither the inclination nor desire to learn how to safely use
their computer. All too few people keep their antivirus software
current, install patches in a timely manner, or stop to really think
about that cutesy link they're about to click. Therefore, I (and
anyone who's thought about the matter) always recommend the use of a
firewall. Naturally, properly configuring a firewall requires an
investment of time and effort that most people won't give, but even
the default settings of the firewall will offer more automatic
protection than is currently present.

I fail to see how you can classify our advising people to take
reasonable precautions against well-known and widespread hazards as
"paranoia-driven propaganda." I base my technical recommendations on
real-life, professional (and personal, of course) experiences and
observations. The Internet is an unfriendly place, and so some
precautions are warranted; were I actually paranoid about it, I'd be
recommending that people disconnect their PCs from the Internet. It's
not that "educating the public on effective PC usage" is unimportant;
it is. Unfortunately, however, the simple fact of the matter is that
the overwhelming majority of computer users simply don't want to be
"educated."

Do you cross a street without looking for on-coming traffic? Why
not? Are you paranoid? You've managed to do so safely for several
years now, so that must mean that you won't get hit by a car tomorrow,
doesn't it? Of course not. But does that mean one should let the
fear of potential theoretical problems govern one's life? Should one
do nothing because something _might_ go wrong? Sorry, not for me.
Life's too short to live it in constant fear. I say: Assess the risks
rationally, take reasonable precautions, and press on.


Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
Bruce Chambers

Greetings --

Hmmm.... You admit that you need to use spyware removal tools to
clean up your system periodically, and yet claim not to need a
firewall. Have you actually listened to yourself? If you need to use
Ad-Aware to clean things up, how can you possibly assert that your
system has never been compromised? How can you claim to be practicing
"safe computing?" You're contradicting yourself.

Like WinXP's firewall, NAT-capable routers do nothing to protect
the user from him/herself. Again -- and I _cannot_ emphasize this
enough -- almost all spyware and many Trojans and worms are downloaded
and installed deliberately (albeit unknowingly) by the user. So a
software firewall, such as Sygate or ZoneAlarm, that can detect and
warn the user of unauthorized out-going traffic is an important
element of protecting one's privacy and security. Most antivirus
applications do not scan for or protect you from adware/spyware,
because, after all, you've installed them yourself, so you must want
them there, right?



Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
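
The NAT-only versus host-firewall disagreement in this thread, as an added example that is not part of any poster's message: a simplified model of both policies run over the same constructed traffic. Program names, addresses, ports and the approved-program list are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    direction: str   # "out" = leaving the PC, "in" = arriving from the Internet
    program: str     # local program owning the socket (visible only on the host)
    local_port: int
    remote: str      # "address:port" of the other end


# Constructed sample traffic (documentation address ranges, made-up programs).
EVENTS = [
    Event("out", "browser.exe", 49152, "203.0.113.10:443"),     # user browsing
    Event("in", "svchost.exe", 135, "198.51.100.7:4444"),       # unsolicited probe
    Event("in", "browser.exe", 49152, "203.0.113.10:443"),      # reply to flow 1
    Event("out", "freegame.exe", 49153, "198.51.100.99:6667"),  # unexpected outbound
]

# Assumed per-program outbound rule set of a personal firewall.
APPROVED_PROGRAMS = {"browser.exe", "mail.exe"}


def nat_router(events):
    """NAT box: any outbound flow creates a mapping; inbound traffic
    passes only when it matches an existing mapping."""
    mappings, verdicts = set(), []
    for e in events:
        key = (e.local_port, e.remote)
        if e.direction == "out":
            mappings.add(key)          # the router cannot see which program sent it
            verdicts.append("allow")
        else:
            verdicts.append("allow" if key in mappings else "drop")
    return verdicts


def host_firewall(events, approved):
    """Personal firewall: same inbound behaviour, but outbound flows are
    allowed only for approved programs; anything else is blocked and reported."""
    flows, verdicts = set(), []
    for e in events:
        key = (e.local_port, e.remote)
        if e.direction == "out":
            if e.program in approved:
                flows.add(key)
                verdicts.append("allow")
            else:
                verdicts.append("block+alert")
        else:
            verdicts.append("allow" if key in flows else "drop")
    return verdicts


def differences(events, approved):
    """Return the events on which the two policies disagree."""
    nat = nat_router(events)
    fw = host_firewall(events, approved)
    return [(e.program, e.remote, n, f)
            for e, n, f in zip(events, nat, fw) if n != f]


if __name__ == "__main__":
    for row in differences(EVENTS, APPROVED_PROGRAMS):
        print(row)
```

In this model both policies drop the unsolicited inbound probe; they differ only on the outbound flow from the unapproved program.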
 
Spiderman

jch said:
make

I agree Spiderman. As I stated earlier, all I use is a NAT router, AV
software, and I run Ad-Aware periodically to clean things up. My system has
never been compromised. What am I missing here? I'll challenge those who
swear by their firewalls. Remove your NAT router and AV programs (since you
say they aren't adequate). Just run your firewall and see how long you last.
I know how long I'll last w/o a firewall. My network is up 24/7. I've read
and continue to read of so many user network problems caused by the personal
firewalls they try to configure. Why? I have the same question you do. If
you practice safe computing why do you need a firewall?


I'm sure there are more out there that agree but are too afraid to "go
against the grain" and join the firewall-free coalition. I don't bring up
these issues to create conflicts...It just amazes me how the masses can be
tricked into buying into the most ludicrous assumptions and actions. The war
in Iraq is the most obvious example of pulling the wool over the public's
eye. Wouldn't that 87 billion be better spent on education so that we don't
have C-calibre induhviduals like George W Bush running the largest
organization in the world? By the same token, wouldn't the Internet and the
computing universe in general run better if all the money/time/press
attention that is being spent on "Internet boogeymen" were spent on REAL
EDUCATION? Don't know...I guess everyone is selling something...it's the
American way!
 
Jupiter Jones [MVP]

Your precise thinking is a major reason why when a new exploit is
released, so many get caught.
The layered protection is necessary to properly protect the computer.
Instead you count on antivirus or patches which is specific to the
exploit while a firewall closes and bars all the doors.
They need to work together and not either/or.

Properly configured a firewall adds little overhead to the computer.
Your inability to properly configure your firewall is by no means a
reason for others to drop necessary protection.

You should keep the politics of Iraq out of this.
This is at least the second time you have brought it up.
Not only are you ignoring the practical reasons people have given, you
are apparently attempting to further inflame the discussion with your
irrelevant political jabbering.
Take your political garbage elsewhere, it does not belong here.

--
Jupiter Jones [MVP]
http://www3.telus.net/dandemar/


I'm sure there are more out there that
agree but are too afraid to "go
 
Spiderman

Jupiter Jones said:
Your precise thinking is a major reason why when a new exploit is
released, so many get caught.
The layered protection is necessary to properly protect the computer.
Instead you count on antivirus or patches which is specific to the
exploit while a firewall closes and bars all the doors.
They need to work together and not either/or.

Properly configured a firewall adds little overhead to the computer.
Your inability to properly configure your firewall is by no means a
reason for others to drop necessary protection.

You should keep the politics of Iraq out of this.
This is at least the second time you have brought it up.
Not only are you ignoring the practical reasons people have given, you
are apparently attempting to further inflame the discussion with your
irrelevant political jabbering.
Take your political garbage elsewhere, it does not belong here.

The "political garbage" is an analogy to illustrate/exemplify the points I'm
making.

Toggling the Windows XP on/off is certainly not beyond my abilities. All I
know is that when it's on, everything runs WORSE. That's the reason I'm
here...to try and figure out WHY I need it...especially since I've never
been infected with a virus (let alone a net attack) in my 20+ years of PC
usage. Anyway, I think I will retire from this discussion...I was hoping to
extract some useful facts and information, but I've failed in that mission.
Instead, I will just continue running my systems firewall, virus and bug
free. Thank you for your participation.
 
jch

Bruce Chambers said:
Greetings --

Hmmm.... You admit that you need to use spyware removal tools to
clean up your system periodically, and yet claim not to need a
firewall. Have you actually listened to yourself? If you need to use
Ad-Aware to clean things up, how can you possibly assert that your
system has never been compromised? How can you claim to be practicing
"safe computing?" You're contradicting yourself.

I'm not one to continue these types of discussions and I'm *way* over my
limit at this point but, Yes I listen to myself. The types of things that
Ad-Aware picks up are cookies and stuff that web pages have tied to them. I
guess if you've never used it you wouldn't know. I won't get in a semantics
debate but using a firewall just to be an alarm that something is going on
doesn't sound so very secure to me.
Like WinXP's firewall, NAT-capable routers do nothing to protect
the user from him/herself. Again -- and I _cannot_ emphasize this
enough -- almost all spyware and many Trojans and worms are downloaded
and installed deliberately (albeit unknowingly) by the user. So a
software firewall, such as Sygate or ZoneAlarm, that can detect and
warn the user of unauthorized out-going traffic is an important
element of protecting one's privacy and security. Most antivirus
applications do not scan for or protect you from adware/spyware,
because, after all, you've installed them yourself, so you must want
them there, right?

Of course the various cookies/adware stuff that gets on your system aren't
wanted or needed but a firewall does nothing to keep them out. So... if a
NAT router, AV program, and adware removal program aren't adequate for you
then step up to the plate. Run your network with just a firewall and see how
long you're up. Let us know.
Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
24/7.
 
Bruce Chambers

Greetings --

At what point did I, or anyone else, ever make such an absurd
recommendation? Everyone has clearly stated that the use of a
firewall is only one part, albeit an important one, of any
reasonable computer security model. No one claimed that a firewall is
the be-all and end-all of computer security.

Oh, and Ad-Aware does considerably more than just "pick up cookies
and stuff." I know this, because I do use it to clean up customers'
spyware-ridden machines.


Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
jch

Bruce Chambers said:
Greetings --

At what point did I, or anyone else, ever make such an absurd
recommendation? Everyone has clearly stated that the use of a
firewall is only one part, albeit an important one, of any
reasonable computer security model. No one claimed that a firewall is
the be-all and end-all of computer security.

Oh, and Ad-Aware does considerably more than just "pick up cookies
and stuff." I know this, because I do use it to clean up customers'
spyware-ridden machines.

What else does Ad-Aware do then? If you don't use it yourself then you've
still got all of that 'stuff' on your own machine. A firewall does nothing
to keep it off your hard drive. This could go on forever. Clearly I'm happy
with my setup as it has been virus/worm/firewall free for 2 years now ever
since I got DSL. If you're happy and see the benefit of heaping another app
on your system then do it. BUT you shouldn't just blindly make
recommendations to everyone as if they were golden rules. Thanks for the
debate. I don't mind a clean difference of opinion on a topical issue.

See you round....
 
Hans-Georg Michna

I agree Spiderman. As I stated earlier, all I use is a NAT router, AV
software, and I run Ad-Aware periodically to clean things up. My system has
never been compromised. What am I missing here? I'll challenge those who
swear by their firewalls. Remove your NAT router and AV programs (since you
say they aren't adequate). Just run your firewall and see how long you last.
I know how long I'll last w/o a firewall. My network is up 24/7. I've read
and continue to read of so many user network problems caused by the personal
firewalls they try to configure. Why? I have the same question you do. If
you practice safe computing why do you need a firewall?

It can be done. I also had my computer openly connected to the
Internet for some time without any firewall. Many Internet
servers have to run that way anyway.

I did it because I accessed this computer from other places
through the Internet, and that was convenient.

I was aware of the risks and protected myself against Windows
networking access by using NTFS access rights and share rights,
actually even leaving some public data open for reading.

I installed the security patches as soon as they appeared.

Nothing untoward happened, but the constant vigilance is a bit
of a problem. Make a little mistake, and somebody might scan and
find the gap.

Nowadays I'm running a WAN router with a good firewall, which is
much easier on the nerves.

But, as I said, it can be done.

Hans-Georg
 
