Firewall Necessity


Ron Lowe

Spiderman said:
I have a wireless local network connecting 2 PCs and sharing a broadband
connection. The host is running Windows XP... the other PC is running Windows
ME. When I turn on the XP built-in firewall on the broadband NIC, the other
PC loses its shared Internet connection. Without the firewall on the NIC,
the Internet connection is shared just fine. My real question is: is a
firewall REALLY necessary? I already run anti-virus, what REAL protection
does a firewall provide? I never used one prior to XP... and never had a
problem, besides it slows down the connection. Just curious what the experts
think...


Any Windows machine connected *directly* to the Internet
(i.e. without NAT or a hardware firewall) must be firewalled.

Especially true of machines connected to always-on connections.

Even a fully-patched machine has vulnerabilities.
The exact nature of the vulnerabilities depends on what services are
running.

Blaster used an RPC vulnerability.
If you have NetBIOS exposed to the Internet, then expect to be
compromised very quickly.

As you point out, you can reduce your attack cross-section by shutting
down services you do not need, so long as that does not impact on
your LAN connectivity.

I don't have sufficient faith that the services I _need_ to have running are
secure enough to expose to the Internet.
At a basic risk management level, why expose services to the Internet
which I only want exposed internally?

Let me give you an example.

I have a public routed subnet here, 16 IP addresses, no NAT.
The router has a firewall, which blocks unsolicited inbound traffic.
My win2k3 server has NetBIOS over TCP/IP running.
Behind the firewall, all is ok.
Now, I need to tunnel IPv6 from the server to my ISP.
The router's firewall can't handle this, so I drop the firewall to test the
tunnel.
Within 6 hours, the server had been compromised.
I had to flatten it and re-build it to regain confidence in it.

That was a fully-patched machine.
With only the services I need running.

I have bought a good hardware firewall now, which sits
between the router and the switch.
It is configured to permit the IPv6 tunnel traffic.

All is now well again.


Use a firewall.

Spiderman

Ron Lowe said:
I have a public routed subnet here, 16 IP addresses, no NAT.
The router has a firewall, which blocks unsolicited inbound traffic.
My win2k3 server has NetBIOS over TCP/IP running.
Behind the firewall, all is ok.
Now, I need to tunnel IPv6 from the server to my ISP.
The router's firewall can't handle this, so I drop the firewall to test the
tunnel.
Within 6 hours, the server had been compromised.
I had to flatten it and re-build it to regain confidence in it.

What was the actual damage?

Jupiter Jones [MVP]

The uncontrolled access is the damage.
It is often impossible to determine the actual damage caused by an
intruder.
If a hacker had unrestricted access for even a few seconds, the only
real solution is to start over unless you can without a doubt fix
everything the hacker did.
Normally there is no way to know exactly what a hacker did.

The potential damage is greater if the computer is on a network and
greater still if the compromised computer is a server.

Guest

The recently-patched ASN vulnerability has been called the most severe security flaw ever found. Microsoft was also notified of the issue last summer. They release their patch and say they don't know of anyone exploiting the issue, but it's impossible for them to know what has happened with every person and every computer on earth in the past six months. If it became a widespread problem, I'm sure we would have heard about it. Just like the poorly coded net worms that choke off an entire network's bandwidth while trying to spread, huge infections attract attention. If it were coded to spread to one PC each day, it would take a long time to be noticed. It might take a year before a substantial number of machines were infected, but it would also go undetected for that long. For a year, it could do whatever it wanted on those few infected machines. There's nothing to say that nobody took advantage of that hole in the past six months, being subtle and sneaky rather than using the massive attempts we're now used to. If someone really wants to be malicious with a worm, keeping it low-key is the best way to ensure it spreads for a long time. It's a good thing script kiddies don't understand patience.

I recently noticed that Comcast was giving us multiple IP addresses, so I removed our NAT router. I'm now using only McAfee AV and Kerio Personal Firewall for "security". I plan to shut off McAfee just to address your challenge. Why? Because I haven't seen it pick up a virus for a long time. The only ones I can remember it finding in years are the mass-mailed worms, which I purposely copied from email attachments to examine. The AV detected their presence, but I still wouldn't have been infected even without AV software.

Note that a NAT router is inherently a firewall for inbound connections. Due to the way NAT works, a connection from the Internet can only get to a PC on the LAN if special forwarding rules have been set up on the NAT router. Using the default configuration on a Linksys (or whatever) router, it's impossible for me to connect to port 5678 of your PC behind the Linksys. It's just not possible without reconfiguring something. You're using a form of a firewall as your main defense, yet you say they're unnecessary.

Personal firewall programs do have their bugs, just like any other software. Most bugs will only let you shut the firewall down or bypass the firewall, at which point the PC is now at the same security level as if you didn't have the firewall (which is your situation). It's pretty ridiculous to say that you shouldn't use a firewall because it could have bugs (which I do admit could create a false sense of security), when you're talking about using a firewall to protect yourself from Windows bugs.

Personally, I've found that NAT routers are more of a pain for clueless users to configure than personal firewalls. Ever had to explain why they can get their email and surf the web, but can't send files in AIM? Heck, they can talk to the person in AIM even, but they can't send files! With a personal firewall, it's a matter of allowing aim.exe to access a few more ports. With a router, it's a matter of finding the PC's IP address, figuring out a port range to use (different for each PC too, in case others are using AIM), specifying the port range(s) and corresponding IP address(es), then configuring AIM on the PC(s) to use the specified port range(s).

A properly configured firewall will allow any connection you want, and stop any connection you don't. Unfortunately, most people don't like answering all those popups, and completely open up all access for that program. A firewall that doesn't actually do any selective blocking really is a waste of CPU cycles. Even if you do give every program full access when it requests it, you'd still get a dialog asking you if some trojan tried to make a connection. While you may not be blocking everything you should, you'd know as soon as you were infected with something that tried to make a connection.

Personally, I agree that a multi-layer defense is best. Let's create a test scenario. You have your NAT router and AV, I have only Kerio Personal Firewall. Let's say there is some new Windows hole found, or a new virus created. Before MS gets a chance to patch it or the AV vendors can make new definitions, we both get hit with it. Let's say it's like Blaster and it spreads via direct TCP/IP connections. Your NAT router blocks it. So does my KPF. OK, let's say it's the common email worm attachment. Most likely, neither of us would actually get infected with one of these, but for the sake of argument let's say it's a really good worm that analyzes past email conversations and uses an advanced AI algorithm to create a very convincing email, so we both run it. Your PC starts shooting out super-realistic worm emails to all your friends, unaffected by your router or AV. KPF tells me that kwyjibo.exe is attempting to make an outbound connection on port 25. I block it. We're both technically "compromised" now, but in one case it can't spread. What if it were sending out personal data instead of just more emails? Personal firewalls stop connections, regardless of whether a hole is fixed or AV software is updated. In most cases, keeping your software patched and your AV software updated will keep you perfectly safe. Unfortunately, the little speech given by David Aucsmith (http://news.bbc.co.uk/1/hi/technology/3485972.stm) where he said that vulnerabilities are NEVER exploited before a patch is released just isn't completely true. He himself says he can only remember one time that it's happened. Once > never. And I'm pretty sure his count of 1 is based on some very complex definitions of "hackers" and "holes" that most people wouldn't use.

I do realize that you're making a distinction between NAT routers and personal firewalls, but if you think a firewall is so useless, I dare you to forward all incoming connections from your router to your PC (effectively negating the firewalling effect of NAT) or just hook your PC up to your connection directly. And remember that NAT is only an inbound firewall. KPF does the exact same firewalling for me in both directions. I have to respond to dialog boxes occasionally, but it's a lot easier for me to allow direct connections for IM file transfers and such, and I can block or allow outgoing connections as I see fit too. You'd be surprised how many programs "phone home" when you run them. While most are simply version checks or other harmless things, I'm a good little paranoid web bloke, so I like to know exactly who each of my programs are sending data to. While it may slow the connection down some, I used it on dialup before and now use it with Comcast cable. I commonly get 300KB/sec transfers, which is 2.4Mb, without figuring in overhead. Even if it is slowing it down, that's fast enough for me for the added security I get.

----- Spiderman wrote: -----

However, as soon as these bugs are found Microsoft issues a security fix
which is automatically installed by Windows anyway (if so configured). Not
to mention, the firewalls themselves can have bugs that are abused by the
crooks...not to mention unintentional bugs that "screw up" your system (such
as with my ICS problem). Anyway, your logic sounds similar to George
Junior's for invading Iraq...and I just don't get it. I think I'll keep the
firewall (and paranoia) down, and trust that the "evil doers" will be dealt
with by the proper authorities!
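The two defences argued over in this post, a NAT router that only passes inbound traffic for which a translation or forwarding entry exists, and a personal firewall that asks about each program's connections in both directions, can be modelled in a few lines. The block below is an added illustration written for this page, not code from the thread or from any router or firewall product; the addresses, port numbers and program names are constructed for the example.

```python
"""Toy model of (1) a port-overloading NAT router and (2) a per-program host
firewall, to show why the post calls NAT an "inbound-only" firewall and why a
personal firewall also sees outbound traffic. Constructed example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Minimal NAT: outbound flows create translation entries; inbound packets
    are delivered only if they match an entry or a static port forward."""

    def __init__(self, public_ip, forwards=None):
        self.public_ip = public_ip
        # Static forwards (public port -> (LAN ip, LAN port)). Empty by default,
        # i.e. the "default Linksys configuration" the post describes.
        self.forwards = dict(forwards or {})
        # Dynamic translations: public port -> (lan ip, lan port, remote ip, remote port)
        self.table = {}
        self.next_port = 40000  # first public port handed out (assumed value)

    def outbound(self, pkt):
        """LAN -> Internet: allocate a public port and remember the flow."""
        public_port = self.next_port
        self.next_port += 1
        self.table[public_port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> LAN: returns the translated packet, or None if dropped."""
        if pkt.dst_port in self.forwards:          # explicit port forward
            lan_ip, lan_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        entry = self.table.get(pkt.dst_port)
        # Reply must come from the same remote endpoint the LAN host talked to.
        if entry and entry[2:] == (pkt.src_ip, pkt.src_port):
            return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])
        return None                                # unsolicited: no entry, dropped


class PersonalFirewall:
    """Host firewall keyed on (program, direction, port). A connection with no
    matching rule is the 'popup' the post mentions; the user's answer is stored."""

    def __init__(self):
        self.rules = {}     # (program, direction, port) -> "allow" | "block"
        self.prompts = []   # every connection the user was asked about

    def add_rule(self, program, direction, port, verdict):
        self.rules[(program, direction, port)] = verdict

    def check(self, program, direction, port, answer=None):
        key = (program, direction, port)
        if key in self.rules:
            return self.rules[key]
        self.prompts.append(key)          # no rule: prompt the user
        verdict = answer or "block"       # hold the connection until answered
        self.rules[key] = verdict         # remember the decision
        return verdict


def demo():
    """Walk through the scenarios from the post and return the outcomes."""
    nat = NatRouter("203.0.113.1", forwards={5190: ("192.168.1.10", 5190)})
    results = {}
    # Someone on the Internet tries port 5678 of the LAN PC: no entry, dropped.
    results["unsolicited"] = nat.inbound(Packet("198.51.100.77", 4444, "203.0.113.1", 5678))
    # LAN PC browses a web server; the reply matches the translation entry.
    results["out"] = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.5", 80))
    results["reply"] = nat.inbound(Packet("198.51.100.5", 80, "203.0.113.1", 40000))
    # A different host reusing that public port does not match the entry.
    results["mismatch"] = nat.inbound(Packet("198.51.100.77", 80, "203.0.113.1", 40000))
    # The one port the user forwarded for AIM file transfers is reachable.
    results["forwarded"] = nat.inbound(Packet("198.51.100.77", 4444, "203.0.113.1", 5190))

    fw = PersonalFirewall()
    fw.add_rule("aim.exe", "out", 5190, "allow")
    results["aim"] = fw.check("aim.exe", "out", 5190)
    # Unknown program tries to talk SMTP outbound: prompt, user clicks block.
    results["worm"] = fw.check("kwyjibo.exe", "out", 25, answer="block")
    results["worm_again"] = fw.check("kwyjibo.exe", "out", 25)  # no second prompt
    results["prompts"] = list(fw.prompts)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12} {value}")
```

The NAT side shows the asymmetry the post relies on: nothing from the Internet is delivered unless the LAN host initiated the flow or the owner added a forward, but outbound traffic is never inspected. The host firewall side shows the opposite trade-off: it catches the outbound SMTP attempt, at the cost of a prompt the user has to answer correctly.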

Ron Lowe

Spiderman said:
What was the actual damage?

A third-party remote-control service had been installed, and then an
unauthorised third-party FTP server had been set up also, with an FTP root
directory containing non-DOS-legal characters to make it difficult to delete
the FTP root dir.

When I spotted the intrusion, no actual material had yet been uploaded to the FTP
site.
I was about to become a warez / porn site.

I pulled the network cable, and put the firewall back up.

I was able to clean up the obvious stuff, but had zero confidence the
machine didn't have some backdoor or other malware. So I flattened it and
rebuilt it.

Guest

I just got broadband and have found out that my Norton firewall is making my broadband very slow. So what do I do? Do I get another make of firewall, or will they all be the same? Does anybody know the answer?

----- Jeff wrote: -----

A firewall protects against hacker intrusions, not viruses. I don't know about the Blaster worm, but
most viruses are spread through e-mail attachments, and most anti-virus programs are useless against the
newest viruses anyway. A firewall does not use "bandwidth" or slow your connection down. A good firewall
will also alert you to any undetected programs that try to access the Internet without you knowing about it,
such as spyware, adware, scumware and trojans. I use Zone Alarm and would not be
online without it.