# Is a firewall necessary?



## Tigers! (Apr 3, 2006)

At work we have been having a conversation about the virtues and necessity of firewalls.
It caused me to think again about my recent (and still on-going) dramas about my home network's connectivity issues.

A chap at work is quite emphatic that f/w are unnecessary. If you have a router then you are ok provided that you scan all incoming e-mails. Call him the purist. At the other extreme are those who have a f/w on all computers and have the f/w turned on on all routers, switches etc: Call them the panic merchants. Then there are those like me who want security at the lowest cost. :grin:

Who is most correct? Do we need a f/w at home (for example) if we have a DSL router? Presumably an anti-virus package is essential.
But is e-mail the only way that viruses, trojans etc. can enter the network, or are there other ways?


----------



## Suncoast (Jul 28, 2009)

In its purest form, a computer firewall simply prevents hackers (more properly called crackers) from accessing, damaging, or otherwise affecting your computer through the network due to operating system flaws or weak security, such as weak passwords. More advanced firewalls can do much more, from restricting where other computers can connect from to looking at the data as it passes through looking for malware. 

Because the crackers are sometimes one step ahead, it is prudent to look at the firewall the same way you look at anti-virus products, prophylactic.

And the DSL modem is separate from the home router. A DSL modem alone does NOT have a firewall. And there are several exploits already in the wild that attack home and commercial routers that do not have current firmware updates. While many people keep their Windows systems updated with security updates, very, very few think about updating their home router's firmware. Router firewalls are extremely basic, and often give some a false sense of security.


----------



## Suncoast (Jul 28, 2009)

I learned today that some vendors like Netgear do have combination Modems and Routers.


----------



## jonquilmcd (Aug 24, 2009)

Actually most of the DSL modems being released to home internet users now have built in router firmware even if they're unable to support more than one connection at a time. They then have the option to upgrade to modems that have the full functionality of routers (supporting more than one ethernet connection, wireless, etc.). The only situations you're really going to find where the DSL modem does not have router firmware built in is if the modem is old, if it's for a business (and even then they usually have to specially request a modem that is nothing more than a bridge), or if the person specifically requested a bridged modem instead of the standard modem/router hybrid. 

I know it just makes things more confusing but at the same time I can see the ISP's point of view on the matter, too. The firmware makes setup a lot easier for the user in a lot of cases and the NAT helps add a little extra security for users that normally just connect straight to their modem (and A LOT of them do that!).


----------



## Suncoast (Jul 28, 2009)

So they could start blocking VOIP if you don't use theirs, or file sharing ports, or whatever they like, and the subscriber has no control over it. And the ISPs can create huge subnets and nobody will be able to see how much broadcast traffic is traversing and wasting their DSL and Cable connections. Since all Windows computers, even directly connected ones, have firewalls on by default, I suspect ulterior motives. Fascinating.


----------



## jonquilmcd (Aug 24, 2009)

I'm not aware of any ISPs actually doing any of those things, but it is a possibility that they started including firmware on their modems in order to exert extra control later on down the road. 

Anything they would do though that would share your internet connection would be on the ISP side and invisible to you to begin with.


----------



## Suncoast (Jul 28, 2009)

Well, nothing like that right now in a democratic country. But I suspect that's due to the efforts of groups supporting Net Neutrality. But putting ISP controlled firewalls on a customer's DSL or Cable modem would be a short step away. Now if this firewall was something the customer could access, I would have no problems with it. 

A large network is divided into smaller subnets, also called broadcast domains with routers to reduce broadcast traffic. Broadcast traffic is normal traffic sent to all devices on a subnet. If an ISP wanted to reduce costs, it could increase the network size by reducing the number of routers or router interfaces. This would result in more broadcast traffic going to every device, over every link, thus occupying more bandwidth. I recently looked at a Firebox router that had been up for about an hour, and it had already received 687,000 broadcast packets from the WAN port. The typical Broadcast packet is the minimum packet size of 64 bytes, so that was about 44 megs of traffic.


----------



## Freeze Support™ (Aug 28, 2009)

Personally, I'd recommend getting a firewall. Really, it depends on what activities you're undergoing when online; if they attract potentially unwanted traffic or personal, it'd be advisable to implement some form of firewall protection. If you're running a Windows platform with a Service Pack of two (2) or higher, I'd recommend enabling the Windows Defender Firewall. Though not the greatest protection agency, the Windows Firewall offers effective protection for the general population. If you feel as though your system may have been compromised, or is vulnerable to an attack, I'd recommend upgrading your protection to either a basic software firewall (such as Comodo) or even taking it one step further, and purchasing a firewall (hardware) to guard your network or Personal Computer. 
If you'd like to discuss this issue in more detail, please reply to this thread detailing your concerns.


----------



## jonquilmcd (Aug 24, 2009)

All the firmware is easily accessible to the customer and full featured (at least the firmware I've seen). It usually even comes with the capability to run several tests on your connection and alert you to any problem areas that you may need to call technical support about (and provides the number). What's particularly interesting is how some models have made port forwarding and port triggering so easy to do that anyone who needs to do it (with the port number) can do it. 

It's interesting that you mentioned getting a hardware firewall for a personal network. We've been having this discussion in my LAN technologies class. Personally I feel that a hardware firewall for a personal network is throwing money away on resources that will never be used and not at all practical for the average home user. The only thing that makes hardware firewalls more secure than software firewalls is the fact that their software is not as easily compromised. That being said, what black hatter that is skilled enough to exploit a good personal software firewall, much less a good enterprise software firewall, is going to waste their skills on an average home user? I can understand if you keep a lot of confidential information at home that may mean a lot of money for someone who breaks into your network, but how many people have information that is that sensitive on their home PCs? The information they do have - their personal information - is of greater value to black hatters in mass attack schemes such as phishing, email scams, and malware. For this reason I would recommend the home user that is having serious issues with security in terms of head-on attacks despite having a good personal software firewall try upgrading to a business or enterprise class software firewall and not a hardware firewall. If you can't afford to do that, even just switching to another personal firewall may do the trick, as all the attacks may be due to some well known exploit in the particular piece of software you're using.


----------



## Freeze Support™ (Aug 28, 2009)

jonquilmcd said:


> All the firmware is easily accessible to the customer and full featured (at least the firmware I've seen). It usually even comes with the capability to run several tests on your connection and alert you to any problem areas that you may need to call technical support about (and provides the number). What's particularly interesting is how some models have made port forwarding and port triggering so easy to do that anyone who needs to do it (with the port number) can do it.
> 
> It's interesting that you mentioned getting a hardware firewall for a personal network. We've been having this discussion in my LAN technologies class. Personally I feel that a hardware firewall for a personal network is throwing money away on resources that will never be used and not at all practical for the average home user. The only thing that makes hardware firewalls more secure than software firewalls is the fact that their software is not as easily compromised. That being said, what black hatter that is skilled enough to exploit a good personal software firewall, much less a good enterprise software firewall, is going to waste their skills on an average home user? I can understand if you keep a lot of confidential information at home that may mean a lot of money for someone who breaks into your network, but how many people have information that is that sensitive on their home PCs? The information they do have - their personal information - is of greater value to black hatters in mass attack schemes such as phishing, email scams, and malware. For this reason I would recommend the home user that is having serious issues with security in terms of head-on attacks despite having a good personal software firewall try upgrading to a business or enterprise class software firewall and not a hardware firewall. If you can't afford to do that, even just switching to another personal firewall may do the trick, as all the attacks may be due to some well known exploit in the particular piece of software you're using.


You raise a few interesting points there. I suppose it's really up to the user and how much potentially compromisable information is stored within the network. If you own a business or website and keep many confidential details that could be stolen or damaged, it'd be worth getting a better firewall. But, as you said, for the average home user, there is no need to implement such means of protection that may exceed the capabilities of a regular, software firewall.


----------



## Suncoast (Jul 28, 2009)

You might be amazed at how many probes are constantly hitting your Internet connection. Since you're taking classes, you're probably aware there are all kinds of hackers out there. Connect your PC directly to the Internet sometime and run Wireshark. Set it up to block broadcast packets, then just watch the screen fill up with port probes. It's really amazing to me anyway. It's not like 12 years ago, where if you saw someone probing your system you would find and email the network admin for that netblock. Now it's just a part of networking. 

And another thing many people don't realize is how very basic the firewall is on a home router/gateway. The only thing they usually block is UPnP and the file sharing ports. The only real protection is in NAT. 

So again, use those firewalls folks. Don't follow the foolish and the careless. Microsoft didn't spend millions adding a Firewall to Windows on a whim. It's there for your protection.
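Counting the probes Suncoast describes is easy to automate once you have a capture or a log. The script below is an added example written for this page (not code from anyone in the thread): it parses a constructed, simplified one-line-per-packet log in a tcpdump-like layout (an assumed format, not any product's real output), discards broadcast and multicast traffic the way the post suggests hiding it in the capture view, and counts unsolicited inbound TCP SYNs per source and per destination port. `OUR_IP`, the sample addresses and the log lines are all constructed for the example.

```python
"""Count inbound connection probes in constructed, tcpdump-style log lines.

Added example for this page, not from the original thread. The log layout
below is an assumed, simplified one: "<time> <proto> <src>:<sport> > <dst>:<dport> [flags]",
where flags use tcpdump's convention ('S' = SYN, '.' = ACK).
"""
import re
from collections import Counter

OUR_IP = "198.51.100.5"  # assumed public address of the directly connected PC

# Constructed sample capture: one home PC on a public IP, a few minutes of noise.
SAMPLE_LOG = """\
12:00:01 UDP 192.168.1.1:67 > 255.255.255.255:68 []
12:00:02 TCP 203.0.113.7:41022 > 198.51.100.5:445 [S]
12:00:02 TCP 203.0.113.7:41023 > 198.51.100.5:139 [S]
12:00:03 TCP 198.51.100.5:51234 > 93.184.216.34:80 [S]
12:00:03 TCP 93.184.216.34:80 > 198.51.100.5:51234 [S.]
12:00:04 TCP 203.0.113.9:5555 > 198.51.100.5:22 [S]
12:00:05 UDP 224.0.0.251:5353 > 224.0.0.251:5353 []
12:00:06 TCP 203.0.113.7:41024 > 198.51.100.5:3389 [S]
12:00:07 TCP 203.0.113.9:5556 > 198.51.100.5:445 [S]
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) \[(?P<flags>[^\]]*)\]$"
)


def is_broadcast_or_multicast(ip):
    """Limited broadcast or an IPv4 multicast address (224.0.0.0/4)."""
    first_octet = int(ip.split(".")[0])
    return ip == "255.255.255.255" or 224 <= first_octet <= 239


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def is_probe(pkt, our_ip):
    """Unsolicited inbound TCP SYN (SYN set, ACK clear) aimed at our_ip."""
    if pkt["proto"] != "TCP" or pkt["dst"] != our_ip:
        return False
    if is_broadcast_or_multicast(pkt["src"]):
        return False
    return "S" in pkt["flags"] and "." not in pkt["flags"]


def inbound_probes(log_text, our_ip=OUR_IP):
    """Return (per_source, per_port) Counters of inbound SYN probes."""
    per_source, per_port = Counter(), Counter()
    for pkt in parse(log_text):
        if is_probe(pkt, our_ip):
            per_source[pkt["src"]] += 1
            per_port[int(pkt["dport"])] += 1
    return per_source, per_port


def scanning_sources(log_text, min_ports=2, our_ip=OUR_IP):
    """Sources that hit at least min_ports distinct ports: likely automated scanners."""
    ports_by_src = {}
    for pkt in parse(log_text):
        if is_probe(pkt, our_ip):
            ports_by_src.setdefault(pkt["src"], set()).add(int(pkt["dport"]))
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    sources, ports = inbound_probes(SAMPLE_LOG)
    print("probes per source:", dict(sources))
    print("probes per port:  ", dict(ports))
    print("scanners:         ", scanning_sources(SAMPLE_LOG))
```

On the constructed sample the outbound web request and its SYN/ACK reply are not counted, the DHCP and mDNS broadcast noise is filtered, and both remaining sources show up as scanners because each touched more than one port; the same `is_probe` test is what a firewall's default-deny inbound rule is effectively applying on every packet.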


----------



## jonquilmcd (Aug 24, 2009)

Those probes you see are usually mass attacks though that are targeting one or more specific vulnerabilities. You know how many worms are designed to scan random IPs from their host PC looking for trojan-created backdoors to exploit alone? I'm just saying the average user is not very likely to have someone manually breaking their way into their network.


----------



## Suncoast (Jul 28, 2009)

jonquilmcd said:


> Those probes you see are usually mass attacks though that are targeting one or more specific vulnerabilities. You know how many worms are designed to scan random IPs from their host PC looking for trojan-created backdoors to exploit alone? I'm just saying the average user is not very likely to have someone manually breaking their way into their network.


Who says it's a manual process? The bots worm their way in, then the malware automatically starts capturing keystrokes with credit card and bank account numbers and passwords. Suddenly these average home users are victims of identity theft. Every computer I've worked on that has been infected with key loggers has belonged to a home user, and they've had to deal with bogus credit card charges for weird club memberships and porn and/or been identity theft victims.


----------



## Suncoast (Jul 28, 2009)

jonquilmcd said:


> trojan-created backdoors


And many more looking for back door exploits in "as released" software. Systems that have never been infected before. That's why closing off unused ports through firewalls works.


----------



## Suncoast (Jul 28, 2009)

This news article just came out on The Register that is related to this thread about buggy routers.


----------



## Tigers! (Apr 3, 2006)

This thread I started is most timely. On 31/08 I was the victim of a trojan attack. :upset:
My wife opened an e-mail from a friend of hers that had some pictures. One of the pictures was malignant.
I seem to have cleaned my computer (sigh) for the present.
But it does make me wonder what good my firewall and anti-virus software are when this got through.
I wonder if I am doing something wrong with the setup of the f/w and anti-virus?


----------



## Suncoast (Jul 28, 2009)

Sorry to hear about that. I was wondering why we hadn't heard from you since you started the thread. The Firewall doesn't deal with that, the Anti-Virus does. Or it should. I would be concerned that it didn't catch the malware before it infected your system.


----------



## Tigers! (Apr 3, 2006)

I've always wondered whether anti-viruses work in real time or not. I am using AVG. It must have some way to look at e-mails before it allows them to be opened. Although, to be fair, the anti-viruses will always be a little behind. They have to know what the virus can do before they fix it.


----------



## Tigers! (Apr 3, 2006)

I have a Thompson/Alcatel SpeedTouch 500 as my DSL router. It doesn't seem to have an on-board f/w.

I am using a Siemens Speedstream to provide wireless access.


----------



## ebackhus (Apr 21, 2005)

I work for an ISP and can attest to the necessity of a firewall. Generally the only modems that have any sort of firewall are also the ones that also serve as routers.

If you don't use a software firewall I suggest you at least use a hardware one. Most routers include this feature.

Also, crackers and hackers are different. Crackers exploit software to make it function differently. For example, a cracker will bypass a registration requirement for a program to run. A hacker will break into the computers of the company who makes the program to get the program directly or just to have fun.


----------



## Suncoast (Jul 28, 2009)

ebackhus said:


> Also, crackers and hackers are different. Crackers exploit software to make it function differently. For example, a cracker will bypass a registration requirement for a program to run. A hacker will break into the computers of the company who makes the program to get the program directly or just to have fun.


I find it interesting how these terms have changed over the past two decades. I would still submit a Hacker is someone who is either a skilled programmer who enjoys making average code extraordinary, or someone like Mitnick who used a combination of Social and Technical skills to penetrate secured systems. Where a cracker is one who explores and exploits weaknesses or faults in Operating Systems and/or Software Applications to cause it to operate in a way other than which it was designed. However, I believe in another decade the term cracker will only refer to Saltines.


----------



## jonquilmcd (Aug 24, 2009)

It's best to scan attachments before you open them manually if you can. Anti-viruses aren't always right on the money with their real time scanning. 

What ISP do you work for, ebackhus? Verizon and AT&T put the firmware on all their modems and routers unless the customer specifically requests a plain bridge modem or orders a static IP. I work for Verizon Business.

Most routers do NOT include a hardware firewall. They include a handful of firewall like features such as NAT and port stealthing that help to obscure your connection, but they do not replace an actual hardware or software firewall. 

It should be noted that hackers are not necessarily black hatters (people with malicious intent). Many people that work in IT security are considered to be hackers!
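Tigers!' infection came from a "picture" in an e-mail, and jonquilmcd's advice is to scan attachments before opening them. The script below is an added example written for this page, not code from any poster or from any AV product. It does two cheap checks a desktop scanner also performs: it compares the file's magic number with what its extension claims (an executable renamed to `.jpg`, or a `photo.jpg.scr` double extension, fails), and it looks for the EICAR test string, the standard harmless signature every AV product is expected to flag. The attachment names and byte strings are constructed samples, and the magic-number table covers only a handful of common types.

```python
"""Sanity-check an e-mail attachment before opening it.

Added example for this page, not from the original thread. Checks:
  1. does the content's magic number agree with the claimed extension?
  2. is the file an executable hiding behind a picture/document name?
  3. does it contain the EICAR anti-virus test signature?
The sample attachments at the bottom are constructed, not real malware.
"""
import os

# Magic numbers for a few common attachment types (assumed subset, not exhaustive).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
    ".exe": (b"MZ",),
    ".scr": (b"MZ",),
}
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".bat", ".pif")
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")  # Windows PE, Linux ELF

# EICAR test string, split in two so this source file is not itself flagged.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def check_attachment(filename, data):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    base, ext = os.path.splitext(filename.lower())
    _, inner_ext = os.path.splitext(base)

    # "holiday.jpg.scr": a document extension in front of a real executable one.
    if inner_ext in MAGIC and ext in EXECUTABLE_EXTS:
        findings.append(f"double extension {inner_ext}{ext}")

    # Content must start with the magic bytes the extension implies.
    expected = MAGIC.get(ext)
    if expected is not None and not data.startswith(expected):
        findings.append(f"content does not match {ext} magic number")

    # Anything not claiming to be executable but starting like one.
    if ext not in EXECUTABLE_EXTS and data.startswith(EXECUTABLE_MAGIC):
        findings.append("file is an executable despite its name")

    if EICAR in data:
        findings.append("EICAR test signature")
    return findings


# Constructed sample attachments (headers only; no real images or programs).
SAMPLE_ATTACHMENTS = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,   # genuine JPEG header
    "holiday2.jpg": b"MZ\x90\x00" + b"\x00" * 16,        # PE executable named as a picture
    "photo.jpg.scr": b"MZ\x90\x00" + b"\x00" * 16,       # classic double extension
    "eicar.txt": EICAR,                                  # AV test file
}


def scan_all(attachments=SAMPLE_ATTACHMENTS):
    """Map each attachment name to its findings."""
    return {name: check_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, findings in scan_all().items():
        print(f"{name:16} {'OK' if not findings else '; '.join(findings)}")
```

The magic-number check is deliberately strict about the extension it is given: a real AV engine identifies the type from content alone and then decides whether it is safe to hand to the associated viewer, which is why an e-mail client that hides extensions by default is worth reconfiguring before any of this helps.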


----------



## jonquilmcd (Aug 24, 2009)

Suncoast said:


> I find it interesting how these terms have changed over the past two decades. I would still submit a Hacker is someone who is either a skilled programmer who enjoys making average code extraordinary, or someone like Mitnick who used a combination of Social and Technical skills to penetrate secured systems. Where a cracker is one who explores and exploits weaknesses or faults in Operating Systems and/or Software Applications to cause it to operate in a way other than which it was designed. However, I believe in another decade the term cracker will only refer to Saltines.


Personally I like Richard Stallman's definition of a hacker. 

It is hard to write a simple definition of something as varied as hacking, but I think what these activities have in common is playfulness, cleverness, and exploration. Thus, hacking means exploring the limits of what is possible, in a spirit of playful cleverness. Activities that display playful cleverness have "hack value".

Hackers typically had little respect for the silly rules that administrators like to impose, so they looked for ways around. For instance, when computers at MIT started to have "security" (that is, restrictions on what users could do), some hackers found clever ways to bypass the security, partly so they could use the computers freely, and partly just for the sake of cleverness (hacking does not need to be useful). However, only some hackers did this—many were occupied with other kinds of cleverness, such as placing some amusing object on top of MIT's great dome (**), finding a way to do a certain computation with only 5 instructions when the shortest known program required 6, writing a program to print numbers in roman numerals, or writing a program to understand questions in English.

Meanwhile, another group of hackers at MIT found a different solution to the problem of computer security: they designed the Incompatible Timesharing System without security "features". In the hacker's paradise, the glory days of the Artificial Intelligence Lab, there was no security breaking, because there was no security to break. It was there, in that environment, that I learned to be a hacker, though I had shown the inclination previously. We had plenty of other domains in which to be playfully clever, without building artificial security obstacles which then had to be overcome.

Yet when I say I am a hacker, people often think I am making a naughty admission, presenting myself specifically as a security breaker. How did this confusion develop?

Around 1980, when the news media took notice of hackers, they fixated on one narrow aspect of real hacking: the security breaking which some hackers occasionally did. They ignored all the rest of hacking, and took the term to mean breaking security, no more and no less. The media have since spread that definition, disregarding our attempts to correct them. As a result, most people have a mistaken idea of what we hackers actually do and what we think.
http://stallman.org/articles/on-hacking.html


----------



## Suncoast (Jul 28, 2009)

I agree about the Firewalls. A true hardware firewall appliance is much more complex, much more secure, and has full and equal control over both in and out traffic. But as a very general and widely accepted term, NAT and port blocking/forwarding provides some basic firewall functions, albeit inbound only. Just like most home routers are actually gateways. Most people don't even want to know what a business class firewall costs, or what it takes to configure and monitor one. Reading through this board, I've been amazed at how many people just turn their Windows firewall off, even when their PC is directly connected to their modem. 

The hacker/cracker definition is my own. You and Stallman make valid points as well. I would just add that whatever the motive, breaking in, even if to "just look around", is still very illegal. Unless the administrators of the target host(s) or network have condoned the activity.
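To make Suncoast's point that NAT and port forwarding give "basic firewall functions, albeit inbound only" concrete, here is an added example, a Python simulation written for this page rather than code from any poster or product. A toy gateway keeps a NAT translation table exactly as a home router does, honours one static port forward of the kind jonquilmcd describes, and optionally applies an outbound policy. The unsolicited SMB probe from the internet is dropped by the NAT table alone, the reply to the PC's own web request gets through, the forwarded port reaches the LAN host, but the key logger from earlier in the thread phoning home on an odd port walks straight out unless there is an egress rule, which is the "both in and out traffic" control a real firewall adds. All addresses are constructed documentation-range values; `LAN_HOST`, `WAN_IP` and the port numbers are assumptions.

```python
"""Toy model: NAT-only home gateway versus a gateway with an outbound policy.

Added example for this page, not from the original thread and not real packet
filtering: packets are tuples of addresses and the gateway keeps a translation
table the way a consumer NAT router does. Addresses are constructed (RFC 5737).
"""

LAN_HOST = "192.168.1.10"   # assumed inside host
WAN_IP = "198.51.100.5"     # assumed public address of the gateway


class Gateway:
    def __init__(self, port_forwards=None, egress_allow=None):
        # NAT table: wan_port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.nat = {}
        self.next_port = 40000
        # Static port forwards: wan_port -> (lan_ip, lan_port)
        self.port_forwards = port_forwards or {}
        # None = NAT only (anything out is allowed); otherwise the set of
        # destination ports LAN hosts may open connections to.
        self.egress_allow = egress_allow
        self.log = []

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """LAN host opens a connection; returns the translated packet or None if blocked."""
        if self.egress_allow is not None and dst_port not in self.egress_allow:
            self.log.append(f"DROP egress {src_ip}:{src_port} -> {dst_ip}:{dst_port}")
            return None
        wan_port = self.next_port
        self.next_port += 1
        self.nat[wan_port] = (src_ip, src_port, dst_ip, dst_port)
        self.log.append(f"NAT  {src_ip}:{src_port} -> {dst_ip}:{dst_port} as {WAN_IP}:{wan_port}")
        return {"src": (WAN_IP, wan_port), "dst": (dst_ip, dst_port)}

    def inbound(self, src_ip, src_port, dst_port):
        """Packet arrives on the WAN side; returns the LAN endpoint it reaches or None."""
        entry = self.nat.get(dst_port)
        if entry and entry[2:] == (src_ip, src_port):     # reply to a connection we opened
            lan_ip, lan_port = entry[:2]
            self.log.append(f"PASS reply {src_ip}:{src_port} -> {lan_ip}:{lan_port}")
            return (lan_ip, lan_port)
        if dst_port in self.port_forwards:                 # explicitly exposed service
            lan_ip, lan_port = self.port_forwards[dst_port]
            self.log.append(f"PASS forward {src_ip}:{src_port} -> {lan_ip}:{lan_port}")
            return (lan_ip, lan_port)
        self.log.append(f"DROP unsolicited {src_ip}:{src_port} -> {WAN_IP}:{dst_port}")
        return None


def demo(egress_allow=None):
    """Run four representative packets through a gateway; return what happened to each."""
    gw = Gateway(port_forwards={8080: (LAN_HOST, 80)}, egress_allow=egress_allow)
    results = {}
    # 1. The PC fetches a web page and the server's reply matches the NAT entry.
    out = gw.outbound(LAN_HOST, 51234, "93.184.216.34", 80)
    results["web_reply"] = gw.inbound("93.184.216.34", 80, out["src"][1]) if out else None
    # 2. Internet scanner probes SMB (445): no NAT entry, no forward, dropped.
    results["smb_probe"] = gw.inbound("203.0.113.7", 41022, 445)
    # 3. Port forward 8080 -> LAN web server: deliberately exposed, passes.
    results["forwarded"] = gw.inbound("203.0.113.9", 5555, 8080)
    # 4. Key logger on the PC sends captured data out on port 6667.
    results["exfil"] = gw.outbound(LAN_HOST, 51235, "203.0.113.66", 6667)
    results["log"] = gw.log
    return results


if __name__ == "__main__":
    for title, policy in (("NAT only", None), ("NAT + egress policy", {53, 80, 443})):
        print(f"== {title} ==")
        for line in demo(policy)["log"]:
            print(" ", line)
```

Running it prints two decision trails: with NAT alone the exfiltration line reads `NAT ... as 198.51.100.5:40001` because the router has no opinion about outbound traffic, while with an egress allow-list it becomes `DROP egress`. The port-forward case is the flip side of the same mechanism: every forward you add is a hole punched through the only inbound protection NAT provides.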


----------



## jonquilmcd (Aug 24, 2009)

I think it's important though that we realize that some young future network security experts are going to work at breaking into networks illegally... it's inevitable. Usually they target random IPs on the internet. That's where your manual attacks on home users usually come into play. The funny thing is even if they get reported to their ISP, all the ISP will do is cut off their internet. This is probably enough once Jr.'s parents get a letter from the ISP informing them why their internet has been cut off! LOL


----------



## Suncoast (Jul 28, 2009)

I can't believe you're attempting to minimize illegal activity. If you're driving too fast and you kill a baby, you are guilty. It makes no difference that you were late for Church.


----------



## cash0th (Sep 6, 2009)

Hello,

Yes, a firewall is necessary. I have Sunbelt Kerio and a Linksys broadband router - a network of 4 PCs.

With a software firewall you have better control over the network communication on your PC - settings, logs...

Going on the internet without a firewall = slow suicide :grin:


----------



## jonquilmcd (Aug 24, 2009)

Who said anything about minimizing the illegality of it? I just said people should realize that a lot of these "hackers" they are so scared of are just little kids.


----------

