Are Desktop Firewalls Overkill?
Barence writes "Should you be running firewalls on your desktop and server machines? PC Pro's Jon Honeyball argues the case for switching off Windows firewalls and handing over responsibility for security to server-based solutions. 'I'd rather have security baked right into my network design than scattered willy-nilly around my desktops and servers,' Honeyball argues. 'It seems to me that there's much sense in concentrating your security into a small number of trusty gatekeepers rather than relying on a fog of barely managed faux security devices. Of course, it puts your eggs into fewer baskets, but it does mean these gatekeepers are easier to control and manage: monitoring them in real-time becomes routine.'"
why not both?
I prefer the phrase "completely inadequate."
Putting the firewall on the machine it's meant to protect is like wearing a bulletproof vest inside your body.
'nuff said.
So how does this protect users against infected flash drives, downloaded tarballs, &c.?
In my experience dealing with corporate IT, the Windows firewall does far more bad than good. It's better to have one firewall with the appropriate policies than X that may or may not be correct. I thought everyone did this.
I'll give him the benefit of the doubt in that the use of the term "desktop" means just that and excludes mobile devices that might be connected up to uncontrolled and potentially insecure networks, but even so this is still dumb. There are plenty of security applications out there, on all OS platforms, that allow centrally managed security policies to be pushed out to clients, so why wouldn't you use one if you have the budget and know how? For instance, if you know the IPs of your IT/management workstations (you did put them all in the same subnet, right?), then why on earth wouldn't you lock down access to your client based remote admin tools to just that subnet? Equally, why would you want your desktops to be able to connect to any other key server (DNS, SMTP, Proxy...) other than the official ones?
Oh, right. You want to have a major clean up operation and all the business disruption that entails on your hands the next time some worm using a 0-day exploit manages to get inside your network and runs rampant. That's an approach that is (allegedly) working out real well for the techs at Iran's Bushehr nuclear plant right now...
UNIX? They're not even circumcised! Savages!
...that you have uninterrupted flow of shared network resources on your network. Unless, of course, permissions are set up to prevent that.
I run a hard firewall and gateway at home as well as MAC address access so I can keep others off of my wired and wireless networks without having to compromise the ease of use a home network should allow. It's nice being able to have a media center with data files, and attached carousel drives so I can actually watch any movie or listen to any music from any spot in my house. To do that easily and with little hassle, I got rid of all of my soft firewalls. It also means that I have a remote or two lying around instead of stacks and stacks of DVD cases, CD cases or MP3 players and rats' nests worth of dongles, audio/video input cables and such lying around and cluttering up the place. Less junk for the pets and kids to chew on, yank on or destroy as well.
Server-based and gatekeeper solutions are useless when the compromise comes from other systems on the same network. Especially when the guy next to you clicks on a genuine-looking link in a forged email :-P
I hold it, that a little rebellion, now and then, is a good thing. -- Thomas Jefferson
Maybe there are cases where running host based Firewalls and/or IPS is overkill. But you _never_ pretend that you've got security 100% covered. It's great to think you have security locked down, but threats come from _all_ angles.
Case in point, I don't care how good your external firewall/IPS is if John in Sales decides to try and break into a server on the LAN. Hence, Defense in Depth. Multiple layers of security all the way down to the OS. Sure, that desktop over there might contain _no_ critical data whatsoever. That doesn't mean it won't end up becoming a SPAM bot or have a backdoor installed for easy LAN access.
"Here’s a contentious topic to chew on, but before I go any further let me make something crystal clear – I’m not advocating that you try this, I’m not saying it’s a good idea, and I’m not saying I would do it on my own networks."
Frankly, it sounds like he just wants to write an article with an absurd title to get clicks, nothing of value to see here
This guy apparently never heard the words "defense in depth."
What about when you are on your AirCard and not behind the network with the firewall appliances and all? So you should be completely exposed to all that is out there on the internet. What if you are connecting to a network at a client's location? You are not sure what they have for protection in place.
Assume Joe User brings in an infected USB stick and his local AV misses the new bug. A desktop firewall on other machines could prevent it from spreading to them (if designed to spread through the network.)
At work we're putting L3 ACLs on our switching gear to help with that risk but I wouldn't want to disable firewalls via a GP just yet.
Trolling is a art,
A machine firewall does what...it protects the computer from the listening ports that the OS allowed ITSELF to open.
A simple correspondence list of listening port to application would have killed this issue dead at the beginning. Of course, then people would ask why so much crap needs to be open by default on Microsoft operating systems. For added hilarity, the OS now allows applications to insert their own machine firewall exceptions.
And before I hear about pf and iptables, you do not need to run those. A well managed system on those platforms needs a firewall like it needs trepanning.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
If you can control every network connection behind your main firewall, and every machine, and can verify they are all always patched and malware free at all times. Of course laptops that travel around and places where anything can be plugged in pretty much make this impossible.
I Am My Own Worst Enemy
One of the ways the Conficker worm spread on Windows was via admin shares. It is also a technique used by other malware.
Having a centrally managed firewall between the Internet and the Intranet is fine but you need protection against malware spreading if it gets onto the Intranet.
In order to get a terminal which does something as simple as read all websites, it has to support a ton of bloated technologies, which more or less forces you to run some expensive bloaty OS, with a bunch of other protections. Gigabytes of support libraries to display a page. Websites are supposed to be universally readable. Thankfully now mobile devices are popular and low-powered, perhaps now the universal-readable concept and argument will gain more strength over the most-visual-selling argument.
Build your own energy sources from scratch. http://otherpower.com/
seriously.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
The article has the kernel of an interesting point, namely the trade-off between the cost of managing firewalls on all the workstations in an enterprise, versus their inevitable half-assed-ness and tendency to get in the way, thereby consuming support hours.
But, where I work, we have a standard config that gets pushed out to all the systems, and I suspect that's pretty standard. Half-assedness arises when individual users open (or close) random ports on their own firewalls, but that case by definition doesn't necessarily consume support time if it's the users doing it, and not the support team.
Our operating theory is that of defense in depth. The boundary routers have fixed routing tables and firewalls. The servers have firewalls and white-lists of allowed clients. Clients have firewalls and intrusion-detection systems. Network traffic is monitored for suspicious patterns. And machines with special network needs are in a firewall DMZ and separately managed.
It's not perfect by any means, and I sometimes wish we could be more flexible, but I'm not ready to pre-emptively exclude any of these tools.
2*3*3*3*3*11*251
The most important "desktops" are the laptops that get hauled around airports by the powers that be. Relying exclusively on your servers/switches to isolate your "desktops" doesn't work in a Beijing hotel.
This really is too obvious to be worth mentioning. Anyone indulging this non-debate is a liability.
Lurking at the bottom of the gravity well, getting old
A firewall doesn't give any protection against those, either... It's the antivirus software that should take care of those. Even if you meant "Okay, but suppose that an infection manages to bypass the centralized firewall and get into the network AND antivirus doesn't remove it, what then?", I don't think that it is such a problem. Assuming that centralized firewalls are implemented properly (as opposed to some absurdly horrible "LAN of 500 computers and a single firewall between their gateway and the internet" solution), it shouldn't be able to spread far within the network and should be located quickly. It might even be preferable to a situation where a desktop is infected but the infection is hidden from the network by a working desktop firewall.
But yeah. Obviously the main benefit of desktop firewalls is the ease of customization. Each computer can - if necessary - be whitelisted for some type of traffic that most of the computers shouldn't have. That can be done with a centralized solution, too, but is usually somewhat more complicated.
I dunno. Perhaps we'll get rid of this distinction if all this cloud-buzz actually gets us somewhere.
It's called defense in depth. You don't want a config screw up on your main firewall to put all of your computers at risk.
I was given that very advice recently while strapping on the seat-belt.
From a nurse, no less.
And I wish I had a dime every time someone told me "You don't need the seatbelt - there are no cops around here/I know the cops around here/it's just couple of minutes down the road."...
Against stupidity the gods themselves contend in vain
Having an end user using any additional security software that is not managed by the enterprise is just asking for a headache.
Kickass Cheap Web Hosting
Generally, I view the software firewall as adding a final all around security strategy to the protection afforded by your hardware firewall, but there's a catch. Hardware firewall is there for prevention and mostly to block "bad stuff " from coming in and occasionally from going out. The software firewall is more of an alert system. Generally, I find it more useful for being alerted to opening up potential attack vectors than anything. If you run a program that opens up some ports you are alerted to it and it makes you think (assuming you have the background and proper information) on whether or not you really want that port opened. Additionally, it might alert you earlier if you've managed to actually catch "bad stuff" and tell you it's time to format.
All that said, it means that for the average user it's useless. For them it would need to be run in transparent mode with all suspicious actions sent to someone that can actually interpret them.
That said, if you are on a foreign network, something is better than nothing. Frankly, in the case of foreign networks, I try to always make use of a small hardware firewall/router/wifi AP that I keep in my laptop case as my primary and treat the software firewall as an alerter/backup.
Code softly but carry a big magnet.
Seriously? There's a reason we have this thing called defense in depth. Sure - you may have a reasonably secure network, hardware firewall, policies, etc... but that doesn't mean you start removing other bits to make up for it.
How long, Nimbus, will you abuse our patience?
And this, ladies and gentlemen, is why John Honeyball is writing about IT, rather than actually solving any problems with it.
That, or possibly the other way around. It's hard to judge cause and consequences.
But, lest anybody be confused, there is no single point where security is not a concern. The only way to reach adequate (heh) security is to stop all components from doing more than they need, rather than just one. A functioning such approach pretty much obsoletes the need for specific "security devices" such as firewalls (although they may be nice to have as an extra safety net). Any approach which relies solely on specific security devices leaves you vulnerable as soon as you have failed to predict an attack from a direction they do not block - and there will always be one of those.
May we live long and die out
Ever since man invented the wall, first around his own house, then around the village and eventually around an entire city, they have still kept locks on their doors (where available)
If something penetrates the outer defence you need to keep yourself secure in your own dwelling, and you also need to have some security against a threat from within.
Firewalls should be on every PC capable of storing information separate from the server (so, a dumb terminal needs no security beyond logon scripts etc)
The End.
Desktop firewall is to protect you from the other idiots in the office and their zombiePCs
.
As many others here have mentioned, computer security is multi-level. Per-computer firewalls have as much of a place in security plans as do network edge firewalls.
Maybe the next thing that Mr. Honeyball will be advocating is that PC programs and operating systems do not need to be secure because the network is protected by a firewall.
Firewalls were pretty much invented to protect Windows machines. They are still required for that task.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Would you put your desktops on the Internet with no firewall?
It's basically the same thing. One infected machine basically nullifies your outer firewall that's "protecting" all your desktops. Running no firewall on a machine means you trust all the machines within that segment of your network. Desktop machines get infected all the time. You shouldn't trust them. That's why all machines should be running with some sort of protection.
WRT the article, yes, you should have many many gatekeepers. Some gatekeepers you pay more attention to, sure. There's nothing wrong with having lots of gatekeepers. It's like saying "We lock the gates to the city at night. There's no reason to have a lock on your front door."
You can't trust everyone all the time. Just the way it is.
Other posters have pointed out the obvious. What if your LAN firewall is breached? What if there's a rogue computer brought into your network? Rogue flash drive? Or just Rogue? She could absorb all your powers and then you wouldn't be IT. You'd be just. like. everyone. else.
One of our departments runs egress filtering on their desktops -- only certain applications and external ports can be accessed: 80, 22, 443, etc. If a computer gets infected by a new virus, it can't jump from computer to computer nor take advantage of other systems with non-normal open ports on or off the network.
I have yet to actually find an instance where a desktop firewall helped in any way. Mostly they just get in the way of things and create another piece of software that has to be naggingly trained and updated.
"I'm not a quack, I'm a mad scientist! There's a difference." - Dr. Cockroach
YES.
There are all sorts of nasty things that can be done unless incoming IP access is filtered. Worms are spread in this way.
If you aren't using a door, leave it closed.
My work PC, however, is a different story. IT maintains strict control of the computers and has all kinds of security crapware installed. You can't navigate around windows explorer without it taking a second or two (in some cases, longer) to display contents of directories and open files. System startup takes forever - when I get to work in the morning I'll turn the computer on and go to the cafeteria to get breakfast... sometimes it *still* isn't responsive by the time I get back.
I know that ZoneAlarm is obnoxious but on a desktop the best "firewall" isn't a port & address based filter, but instead an application layer firewall that can say "Hey, the officially installed web browser can go out on port 80, but not some random malware you just downloaded." While this doesn't protect you from everything (like the browser itself being hijacked) it can make a big difference in stopping any old program that wants to go to a random website. One of my biggest issues with Linux is that this type of security isn't even possible short of using some of the more arcane features in SELinux that normal desktop users are never going to configure.
AntiFA: An abbreviation for Anti First Amendment.
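The per-application egress allow-list that the two comments above describe (the department that lets desktops reach only ports 80, 22 and 443, and the application-layer rule that lets the sanctioned browser out but not a freshly downloaded program) can be expressed with the Windows Firewall cmdlets. The following is an added example for this page, not code from any poster or from the PC Pro article; the browser path, the resolver address and the server subnet are placeholders that an administrator would replace with their own values, and it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, where the NetSecurity module exists.

```powershell
# Added example (not from any poster): per-application egress allow-list for
# Windows Firewall. All addresses and paths below are assumed placeholders.

$Group    = 'Example Egress Policy'                           # tag our rules so they can be listed/removed together
$Browser  = 'C:\Program Files\Mozilla Firefox\firefox.exe'    # assumed path of the sanctioned browser
$Resolver = '10.0.0.53'                                       # assumed address of the official DNS server
$Servers  = '10.0.10.0/24'                                    # assumed server LAN that admins SSH into

# Start clean so re-running the script never leaves duplicate rules behind.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Default-deny in both directions on every profile. Anything not matched by an
# Allow rule below is dropped and, because LogBlocked is on, written to the
# firewall log, which is where you discover what else the desktop needed.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 1. Name resolution only to the official resolver: a program that brings its
#    own DNS server, or tunnels over DNS elsewhere, is blocked at this rule.
#    No -Program here because Windows resolves names from the DNS Client
#    service, not from the browser process.
New-NetFirewallRule -Group $Group -DisplayName 'Egress: DNS to official resolver' `
    -Direction Outbound -Action Allow -Protocol UDP -RemotePort 53 -RemoteAddress $Resolver

# 2. The sanctioned browser may speak HTTP/HTTPS; any other executable that
#    tries port 80 or 443 falls through to the default Block.
New-NetFirewallRule -Group $Group -DisplayName 'Egress: browser to web' `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 80,443 -Program $Browser

# 3. SSH from this desktop, but only into the server LAN, not to the internet.
New-NetFirewallRule -Group $Group -DisplayName 'Egress: SSH to server LAN' `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 22 -RemoteAddress $Servers

# Review what is now permitted out of this host.
Get-NetFirewallRule -Group $Group | Format-Table DisplayName, Enabled, Direction, Action
```

Two caveats before pushing this through group policy: a default outbound Block also cuts off Windows Update, Kerberos/LDAP to the domain controllers, NTP and the update channel of the antivirus, so those need their own scoped Allow rules first; and the sensible rollout order is to leave the default at Allow with logging on for a week, mine pfirewall.log for what the fleet actually talks to, and only then flip DefaultOutboundAction to Block.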
so why wouldn't you use one if you have the budget and know how?
Those are two pretty big ifs for a lot of SMBs, including the one where I'm responsible for this stuff. I got my job because I was the most computer savvy person in the office (not saying much), and I managed to convince them that my ability to write elementary macros in Excel and simple SQL queries made me qualified to manage a ~40 workstation, 4 server network. God help me if anything serious happens.
This is not a sig.
between the dos/os2 to windows95/os2 warp days network security environments were referred to as "crunchy on the outside gooey on the inside". i don't want to go back.
Having to work for a living is the root of all evil.
Once you lock down the network so tight that Windows clients cannot harm each other, you have lost a lot of flexibility. If you are willing to go that far, and the workers will not claim your skull for that, you can also employ a thin client arch like SunRay and you will be much better off.
I'm not going to beat the dead horse because a number of people said this already, but you absolutely need to have defense in depth. Some stuff you can forego, others you cannot. In fact, I'd wager more for host-based firewalls than route-based firewalls for the simple fact that you can control each host individually if needed, and you leave no rock uncovered for your security.
For example:
Clients <-> Firewall <-> Servers
You might be able to protect clients -> servers and servers -> clients, but clients -> clients and servers -> servers are not protected.
Now, if you did host-based on each, you could at least lock down to the application/port level.
Beyond that, you would need some more advanced stuff.
It shouldn't be any more painful than either managing something like group policy (If you're using Windows, this is a snap) or managing routers/hardware firewalls. In fact, it would likely combine the functions as needed.
I keep my network guarded by a hardware firewall and virus scanner and do not allow users to "poke holes" in it, even myself. That way, we only need to run firewall software on laptops that may go outside of the company network. Servers that need to be accessible to the Internet do so via proxies and they run a hardened OS such as SELinux with appropriate access rules. Inside the network, additional security software such as workstation-based software firewalls and runtime virus scanners only help to degrade overall user productivity and system performance. All workstations have virus scanners installed that do additional scanning on anything downloaded from the Internet just to be on the safe side, but running in-memory/on-access scanners generally only serves to irritate people and reduce their efficiency.
Sometimes, real fast is almost as good as real-time.
It depends on your situation. Your average home user is probably behind a router that SHOULD protect against most casual attacks, and an enterprise user SHOULD be behind an enterprise-class firewall. In theory you don't need a desktop firewall in either situation. But let's look at a real world example now:
I work for a university with ~32,000 students and we've got roughly 3,000 computers on campus that are owned by the school. We have an excellent firewall protecting our network from the Internet. We also have a wireless network with a few VLANs set aside for it that the students, faculty, staff, guests, etc. are free to use. Now let's assume that none of the computers on campus are running a firewall since "Hey, we've got one protecting the whole school." A lot of faculty and staff also have laptops with docking stations and they move freely from wireless to wired networks, not to mention using these computers at home, on trips, in coffee shops, etc. Now let's say that someone gets infected with a virus - pick any of those people, it doesn't really matter. Then their machine connects to the wireless network and manages to infect a bunch of machines since they aren't running firewalls and have out of date AV definitions (happens a lot more than you think). Some of those machines then end up being put into docking stations and start pushing the virus out on their subnet as well as any others they can manage to get to. Internal security isn't as much of a concern so traffic between subnets doesn't have to get through the firewall. Suddenly one student computer with a virus turns into an infection that affects the whole campus.
This sounds like some sort of made up perfect storm situation but we had almost EXACTLY this issue crop up a few years ago. An infected thumb drive spread a virus (don't remember which one off the top of my head) to half the campus in less than a day.
This space for rent...
Why would you ever allow new inbound sessions to a desktop machine, outside of a few known exceptions?
I want to delete my account but Slashdot doesn't allow it.
The whole point of a firewall is blocking connections. I don't know about anyone else, but I make a point to not run services that I don't want people to connect to on my machine. How hard is that?
An outgoing firewall though is immensely valuable. I love seeing everything that every little shareware app or office suite tries to phone home with. When doing local web development, I've even been surprised to find a number of open source CMS/frameworks phoning home with more info than I care to share.
..Jon Honeyball was hired to create buzz..
Desktop firewalls should be considered a mediocre security mechanism as trust goes down when usability goes up.
Ideally...
If you're a home user wanting to protect your Desktop from the evils of the port scan world, the best thing you can do is get some kind of device you can throw dd-wrt or openwrt on and set that up as your gateway firewall, right behind your USB/DSL modem. A crappy old linksys wrt54g or buffalo wifi router will work fine, just turn off the wifi radio.
/apps/firefox/firefox
If you want to stay safer browsing the net, install vmware, virtualbox or whatever and mark the virtual disk read only. Do all your browsing from the virtual machine. If it gets infected, rebooting cleans it up.
If you're on Linux or other *nix, setup Firefox to run as a different user other than who you are logged in as. If your browser gets smoked, your home directory (your login) is still safe if you have permissions set correctly. It's not that hard:
sudo -u webuser firefox
If you really want to have better security, use ssh -X to a machine where firefox is installed and run it from there, or use NXClient or VNC over ssh tunnel.
boycott slashdot February 10th - 17th check out: altSlashdot.org
Should you rely on your government to protect you from hostile space aliens or should you also wear a tin foil hat? Sure, it's easier to not wear the hat, but does it really hurt you? The worst outcome is you are safe from their mind control rays due to the actions of the government while wearing tinfoil. However, should the government fail to protect you, or worse, is in cahoots with the aliens, you have taken steps to protect yourself.
Granted, the hat isn't going to protect you from the alien's death ray but it's a good stopgap. Chances are you won't be a complacent drone when the aliens deploy the death ray and you stand a better chance of escaping to your underground bunker.
In summation: Build a network of fortified underground tunnels. Stockpile food weapons and ammunition. Run windows firewall. Wear your tinfoil!
Just like she's been told.
Now of course, her machine is incredibly slow trying to run the latest and greatest of every bit of bloatware that MS spews out on her 5-year-old machine.
So I've disabled all her anti-virus.
She uses hotmail for email and also, effectively, as backup and also, effectively, as anti-virus.
Is this what they call the Cloud?
To prevent apps from calling home when they should not.
just like a safe deposit box in a bank vault
This looks like a honeypot to me
EDIT: Sorry Honeyball.
Knowing that only one system needs be configured wrong makes me feel the opposite of warm and fuzzy.
I strongly disagree with Jon Honeyball. The best security researchers take the onion (layered) model. Relying solely on end point security is a very poor idea. Putting all of your eggs in one basket is never a good idea. Certainly, place some emphasis on having secure end-points but firewalls on everything is a good idea. Having desktop and server firewall software adds one additional layer of protection, should the end point become compromised. I have no idea why there is such a big push at end point security at the expense of a layered approach other than some academics pushed the idea and Symantec decided to market it. What happens if a piece of malware or an intruder gets through the end point and then obtains root access through a poorly-written web application? Had good extra security layers been in place, this might have been less likely to happen.
Basically admitting that securing Windows is hopeless, concentrating efforts elsewhere.
You can have my Little Snitch when you pry it from my cold dead flippers.
I use an ActiveDirectory domain at both work and home, I've configured both, using group policy to enable the Window firewall with no exceptions other than those in the policy when not on our internal networks.
When internal, the firewall service is disabled.
What this does is let me assume that myself and my users are running a firewall when they aren't already in a trusted and controlled environment.
When in those trusted and controlled environments, the firewall doesn't get in the way of people getting things done and doesn't require tedious configuration, I just let my BSD boxes handle the firewalling for everyone, Windows and non-Windows alike. Far more reliable and nothing is going to get past it like a windows virus that turns off the firewall or adds exceptions.
Now it does mean that if something does penetrate my network, it can spread across the internal subnet it's on like no tomorrow, but that hasn't happened yet thanks to good border protection for things like mail and web access. We don't do anything for USB devices but then again, even as a company who sells USB flash drives, we rarely use them, that's what the network is for. When we do use them, it's generally outbound, so we just grab a clean stick, throw whatever on it, and ship it off to whoever needs it, we rarely take them from outside for anything other than returns, which get wiped by a BSD machine before going anywhere near any other machines in the office.
The Windows Firewall has its time and place, it's a basic layer of protection that is really useful if you're traveling about and have to connect to an untrusted network.
Running it internally on your own trusted network just seems silly to me, and a big hassle for little return.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
I'd rather have security baked right into my building design than scattered willy-nilly around my windows and doors.
It seems to me that there's much sense in concentrating your security into a small number of trusty security guards rather than relying on a fog of barely maintained security locks.
well kinda sounded like that to me.
also since when does anyone have to guard more than 1 entry into an object. that would really be overkill
nobody would climb into a window while the security guards are changing shifts or sitting there and watching tv..
And who might they be? Which corporate/government hacks am I supposed to trust with the security of my system?
Power does not corrupt - power attracts the corrupt.
custom firewalls usually prompt you to unlock applications. they are essentially as smart as the user. given the fact that we're talking about windows users, they are pointless. the best windows firewall is linux. second comes the fw that xp sp2 introduced. i heard a ms employee give a speech about the fact that users are stupid but perseverant. that was an official speech at ms days to which i went for the free lunch. until they build a decent kernel which wouldn't allow fauna, all security measures are pointless. the mac is also amazing at this and simple to use too. my gf installed an antivirus that was so slow that the computer was totally safe. user input was so slow that you could feel your hair grow (mcafee). ubuntu is not quite there yet but after a month of messing with it i guarantee you will never go back to winblows.
I use OpenDNS + iptables.... what is this Windows Firewall you speak of? Does it run under WINE?
Make America grate again!
Many networks are exactly as the article describes, no firewalls on desktops or individual servers and instead relying entirely on the border firewall connecting the company lan to the internet...
What this means however, is that a single rogue employee, rogue wireless access point, mobile device or laptop, or an exploit which penetrates the border firewalls (browser based, email based etc) results in a catastrophic breach as it becomes trivial to compromise everything once you get behind the main firewalls.
Now don't get me wrong, desktop firewalls are a nasty crutch too - desktop machines should _NEVER_ be offering services to the network, especially by default, and therefore shouldn't need a firewall to block access to these services... The fact that Windows comes with several services listening by default on a workstation configuration (msrpc, smb, etc) is just stupid, the fact these services are a pain to disable even more so, and the fact people would rather hide these services behind a firewall instead of turning them off is just laughable - if no one needs to access them they shouldn't be running at all, not hiding behind a firewall.
Ideally your network should have a secure and well monitored gateway to the internet, as well as a secure and well monitored gateway between servers and workstations (and if possible treat the workstations as totally untrusted and make them use a vpn)...
The workstations themselves should expose no services to the network, or at most expose a single admin service which can only be reached from a predefined management network.
The firewalls should be for logging rather than filtering, on the basis that if a service doesn't need to be accessed it shouldn't be listening, not relying on a firewall to block it.
Servers should only expose their intended services to the client lan, admin services should be separated from client services.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
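The workstation inbound policy sketched in the comment above (expose no services, or at most one admin service reachable only from a predefined management network, and let the firewall log what it turns away), together with the earlier "Clients <-> Firewall <-> Servers" point that only a host-based firewall covers client-to-client traffic, as an added example using the Windows Firewall cmdlets. It is not any poster's code; the management subnet, the choice of WinRM as the single admin service, and the rule group name are assumptions, and it expects an elevated session on Windows 8 / Server 2012 or later.

```powershell
# Added example (not from any poster): inbound policy for a domain-joined
# workstation plus an audit of what is still reachable. Addresses are placeholders.

$Group   = 'Example Workstation Inbound Policy'
$MgmtNet = '10.0.99.0/24'      # assumed management subnet that may reach the admin service

Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Keep the firewall on in every profile: the Domain profile is what stands
# between this box and the infected machine next to it on the same VLAN, the
# Public/Private profiles are what protect the laptop in a hotel.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block `
    -LogBlocked True -LogMaxSizeKilobytes 32767

# The single admin service a workstation may expose, only from management and
# only while on the corporate network (Domain profile).
New-NetFirewallRule -Group $Group -DisplayName 'Inbound: WinRM from management subnet' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5985,5986 `
    -RemoteAddress $MgmtNet -Profile Domain

# Windows ships Allow rules for file sharing that a helpdesk "fix" or a piece
# of malware can switch on. In Windows Firewall an explicit Block rule wins over
# any Allow rule, so this one keeps SMB/RPC (the admin-share path worms such as
# Conficker used) closed on workstations regardless of what else gets enabled.
New-NetFirewallRule -Group $Group -DisplayName 'Inbound: block SMB/RPC on workstations' `
    -Direction Inbound -Action Block -Protocol TCP -LocalPort 135,139,445

# Audit: which enabled inbound Allow rules can be hit from *any* address?
# Each one is a service the whole segment can reach; the list should be short.
function Get-UnscopedInboundAllowRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' } |
        Select-Object DisplayName, Profile, Group
}

Get-UnscopedInboundAllowRules | Format-Table -AutoSize
Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction, LogBlocked
```

The audit function is the part worth running fleet-wide (for example through a scheduled PowerShell job whose output lands in the SIEM): a workstation where it returns more than the few built-in core-networking rules has grown a listening service that the border firewall will never see, which is exactly the client-to-client gap the thread keeps returning to.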
We seem to have a consensus that a layered security approach that incorporates multiple points of control is ideal.
I just wanted to refute the argument that it is easier to manage "Fewer secure gateways" as opposed to a firewall on every PC... There are many management applications out there that allow masses of computers to be managed from a single point of control. It's just as easy to create a group policy object that mandates firewall settings as it is to manage a secure gateway.
A statement I would expect from someone with a last name of Honeyball... Network firewalls protect the perimeter - if you turn off your client firewalls and one client in the network segment gets infected (there are many ways this could happen), the worm will run rampant from system to system within that network segment. Protecting at perimeter only should have died off with the birth of the first network worm.
I don't see why there is so much stress on firewalls. Nobody should have insecure ports open they are not using. Fix the systems don't obscure their security holes.
Yes, software is flawed etc but if you need that port open the firewall isn't going to do much. Too much is put onto firewalls as the solution to all our problems.
You shouldn't need a desktop firewall unless your system is BROKEN by design.
Outgoing connections are another issue:
Actually, all OS should include an update API! The API can protect against information loss under the guise of software updates. Security / Privacy are still way behind.
Democracy Now! - uncensored, anti-establishment news
Someone needs to tell PC Pro's Jon Honeyball about these two.
Do we really need clueless assholes everywhere disabling their firewall because some asshole from UK said so?
Of course the network is secured enough that the firewalls *could* be disabled... but as soon as I see someone doing that I'll fuck him in the ass with my shoes!
... and that's precisely why it's dangerous.
You and I might know enough to find TFA's assertions ridiculous, possibly even amusing in how wrong they are. But you and I don't control corporate policy (assuming that the reader of this is not a PHB). Any media spouting non-news raises the risk that someone will take that non-news for reality and begin making decisions based on that view. Even obvious parody like the Onion has caused its share of kerfuffling among the confused and less-informed, and let's not forget War of the Worlds. The danger is even greater with media like PC Pro that has at least some semblance of being real news (including in this category the opinion statements of apparent experts, as Honeyball here is presented by PC Pro).
Cheers,
"What in the name of Fats Waller is that?"
"A four-foot prune."
One can think of the modern era of desktop security akin to being a police state. So much has "gone down" that the conventional system of trust between client and server has been broken. Clients acting like servers spreading "problems" in the network degrading performance, taking down clients and servers is no way to run affairs. In a more civil situation, then we need only worry about the borders, everyone is happy, and rainbows shoot out of our butts.
Reality has to take into account portability. Sure, if you have a non-portable system on the network then having a firewall on it is only for the layered-onion approach to security. However, any portable device that could go onto another network that you do not control ought to have a firewall on it - whether Windows, Mac, Linux, etc - to protect it when it is not on your own network. It's one thing when you can 100% control the equipment, where it's located, and what it talks to; but an entirely different issue when you can't, and network administrators need to plan as if they can't in order to secure the whole network.
Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
Get a better job and MTF out of the ghetto if you are so scared of home invasions that you do all this.
Blar.
If by "accident" you mean something like King Kong, Megatron or Cloverfield monster picking up the car, tearing off the roof and then holding it upside down until the occupants of the vehicle fall out.
In real life, accidents are usually not that colorful, most of them being just the vehicle impacting another moving or stationary object.
Mit der Dummheit kämpfen Götter selbst vergebens
This is only true if your desktop firewall actually filters out something that the server-based solutions do not. There is oftentimes a lot of overlap, so that the desktop filters are made redundant.
Redundancy is bad in some areas but it is *good* in mission critical and security related areas. When the server-based solution gets misconfigured, the server compromised, etc., you may still have some degree of protection.
Workstations should have a desktop firewall mostly to monitor outbound connections (good for keeping apps from phoning home, etc.).
Most nasty inbound traffic should be blocked at the router, but it's nice to be able to block an extra port or random IP when needed on a per machine level.
For servers where you are expecting random incoming traffic it's better to block all unwanted inbound traffic before it ever gets to the server (ACLs work fine here). You don't need to worry about outbound traffic as much, as long as you are doing reasonable things like blocking outbound port 25 for your web server, port 80 for your mail server etc.
(Now, I didn't read TFA.) It's important that devices on a network have some form of resiliency. A firewall will certainly prevent DDOSes and can help prevent malicious behavior from entering a network, but there are so many ways to get around a firewall that it just can't be the only solution. For example, "anti-virus" on a firewall might block sites known to spread viruses, but it still won't prevent someone from downloading a random zip file with a virus.
No, I will not work for your startup
posting to remove an incorrect mod caused by slip of the finger. Damn why can't /. have a time-limited "undo mod"!?
Build a city surrounded with the tallest, thickest, and strongest walls you can think of (or afford). It's great security, but only from the outside world. Since it's impossible to guarantee every citizen isn't a mass-murderer or kleptomaniac, we also have to have locks on individual houses.
Build a network with the nicest firewall/IPS/IDS/whatever you can think of (or afford). It's great security, but only from the outside world. Since it's impossible to guarantee every guest laptop isn't loaded with viruses or malware, we also have to have firewalls on individual workstations.
True story: http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,5220.msg26559/topicseen,1/
A friend of mine once rode with an acquaintance of his who kept passing cars even at curves in the road.
When asked not to do that, he gave a "Don't worry" and some BS explanation about centrifugal and centripetal forces and the curvature of the road keeping his car and the one coming at him from behind the curve from crashing into each other.
Scary thing is he obviously believed that. Rest of the road was like riding in a car with Christopher Walken.
I use a local "desktop" firewall on all of my systems, which are behind a NAT router firewall. Mainly because I expect the firewalls to do different things.
I expect the router to keep unexpected things from getting to my local systems. I mostly want the local firewall so that applications that should not be sending stuff out of my computer don't. And so that I can disable an application from phoning home if I catch it. A nice secondary benefit is that my local firewall keeps tabs on the md5 of all local applications, and warns me if any application is changed unexpectedly before it lets it send data out of the computer.
Of course, a local firewall can be bypassed just by enlisting the browser (or other application that can be expected to have access to the internet). A clever program could sneak a small but critical amount of data out of your system just by passing a specially constructed URL to the browser. I don't know of any good way to completely stop this without crippling normal use of the browser, but one thing that I have done that helps me is to tell my firewalls that IE is not allowed to access the network at all. I never use IE, (anyone who does is clearly not interested in security), so it has no business sending data on the network, and blocking it only makes sense. A server firewall has no concept of what application originated the traffic, it just sees packets, so it can't do the same things that a local firewall can.
I also block all normal IRC traffic both at the local firewall and the router. I never use IRC, and it is a common mechanism for botnet control. So it just makes sense to not leave this hole open if I know I'm not going to be using it.
I'm an American. I love this country and the freedoms that we used to have.
Aren't desktop firewalls useful in cases where attackers use malicious PDFs/Office documents/browser exploits to run reverse shells? If the exploit tries to connect to evilhost.com:443, how can a server firewall know that the connection is not a legitimate HTTPS connection?
As far as I understand, desktop firewalls would block attempts like these, as long as the connection isn't initiated by a whitelisted program. Of course the exploit payload could include methods to whitelist itself, but I assume there is no one single method to do this, so the payload would have to include custom methods for each of the personal firewall vendors.
Disclaimer: I have no experience with personal firewalls, and if I'm talking out of my ass, please correct me.
I shall go and tell the indestructible man that someone plans to murder him.
The Windows firewall is necessary for the average user. When finally turned on in XP it had an immediate effect. If we're talking about the enterprise, that's one thing, but for home users it's a must. For most who read this forum, not so much.
There are cases where it is (in Windows at least) desirable to block on an application level. Say I have a program called foobar and I know it wants to phone home. So I do a little traffic snooping (with all outbound traffic from this machine blocked) and find out where it's calling to. I make an entry in my router firewall for this or these addresses. Does that ensure that it will never make the connection home?
No.
What if it tries other addresses in the future? What if it looks up the address via DNS and foobar's creators added or changed their DNS entries to point to some other block of addresses my router firewall rules don't cover? Blamo! The connection is made - game over.
So as you can see, a global firewall is not sufficient in these cases.
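As an added illustration of the point in this comment and in the reverse-shell comment above (example code, not from any poster), here is a small model of the two policy views: the perimeter sees only destination addresses, while the host sees which program opened the socket. Every path, address and event below is constructed; the IP deny-list stands in for the router rule the poster wrote after snooping foobar once.

```python
"""Constructed model of perimeter (IP-based) vs host (program-based) egress policy."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Egress:
    program: str  # executable that opened the socket; only the host can see this
    dst: str      # destination IP (all constructed, documentation ranges)
    port: int


# Perimeter view: no process context, so the rule can only key on addresses.
# This is the block foobar called home to when the admin snooped it.
PERIMETER_DENY = [ip_network("203.0.113.0/24")]

# Host view: programs allowed to make outbound connections at all (constructed).
HOST_ALLOW = {
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Windows\System32\svchost.exe",
}


def perimeter_decision(e: Egress) -> str:
    """What a router/border firewall can decide: destination address only."""
    addr = ip_address(e.dst)
    return "block" if any(addr in net for net in PERIMETER_DENY) else "allow"


def host_decision(e: Egress) -> str:
    """What a desktop firewall can decide: is the originating program allowed?"""
    return "allow" if e.program in HOST_ALLOW else "block"


# Constructed event stream: a normal browser session, foobar phoning home to
# its old address, foobar after its DNS moved to a new range, and a dropped
# payload (e.g. from a malicious PDF) calling out on 443 like any HTTPS client.
EVENTS = [
    Egress(r"C:\Program Files\Mozilla Firefox\firefox.exe", "198.51.100.10", 443),
    Egress(r"C:\Tools\foobar\foobar.exe", "203.0.113.7", 443),
    Egress(r"C:\Tools\foobar\foobar.exe", "192.0.2.44", 443),
    Egress(r"C:\Users\alice\AppData\Local\Temp\reader_upd.exe", "192.0.2.99", 443),
]


def missed_by_perimeter(events):
    """Flows the perimeter let through but the host policy would have blocked."""
    return [e for e in events
            if perimeter_decision(e) == "allow" and host_decision(e) == "block"]


def report(events):
    """Side-by-side decisions, one row per flow (program basename, dst, perimeter, host)."""
    return [(e.program.rsplit("\\", 1)[-1], e.dst, perimeter_decision(e), host_decision(e))
            for e in events]


if __name__ == "__main__":
    for row in report(EVENTS):
        print("%-16s %-15s perimeter=%-5s host=%s" % row)
    print("missed by perimeter:", len(missed_by_perimeter(EVENTS)))
```

Both foobar's new address and the dropped payload sail past the IP rule because, on port 443, they look like any other HTTPS client; only the host-side program check distinguishes them.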
It's ironic since I just installed the free ZoneAlarm and got that fake virus phishing crap the other day too. I was not fooled by it; however, I thought it was a cheap attempt to drum up business. So I got rid of that piece of crap and am now looking into other options. Something clean, simple and designed for a computer user who does not have a single digit I.Q.
In addition I trust the Windows Firewall as about as far as I can throw an exception.
So the place I work has this brilliant policy of disabling host-based firewalls by default. What's more, it's done through group policy, so most users couldn't turn it on even if they wanted to.
Their reason...prepare yourself:
VNC "doesn't work" with the firewall enabled. I guess they never figured out that you can make exceptions. They also believe that there is no way for students (it's a school district) to bypass the URL content filter.
I wouldn't build a castle and put the moat inside the castle wall either. Why manage 2 layers when one done right (external to the PC) is sufficient and the other one, even managed correctly could be doing effectively nothing - if there are OS vulnerabilities as we know some commonly deployed OSes exhibit.
...one that is not running.
Layer your firewalls like the design of a medieval keep. Exterior curtain wall, plus defensible keep.
You don't know whether threats come from inside or outside; therefore when in doubt firewall everywhere.
Although Windows firewall isn't perfect... it can protect against an employee bypassing the corporate network and connecting directly to the internet (either via a USB wireless card), a wiring error that opens a direct connection or VPN to a client's network that isn't protected. Of course, a local firewall is a necessity on a laptop. More annoying than Windows firewall are home users who think that if one firewall program is good, two, or three would be even better. Nothing more annoying than firewalls that are busy swearing at each other.
Exactly. It's called multi-level security. Desktop firewalls are not meant to replace server-based solutions but complement them.
What's there to complement? What exactly would the desktop firewall be protecting against? What ports / services are open on the desktop?
Actually, yes they do. They filter out the attacks from that infected laptop that Johnny Marketing Guy takes outside the "secure" enclosure 90% of the time, and the tunnel from outside that Joe IT Guy and Jane Programmer apparently absolutely can't work without, and that smartphone that's rooted six ways to Sunday that Jack Manager absolutely _demands_ to connect to the internal network because he supposedly can't work without that, etc.
A polar bear is a cartesian bear after a coordinate transform.
Ok, I'll take the unpopular opinion and absorb the beating... I concluded that firewalls are next to useless a long time ago. I've been running my Windows machines with the firewalls shut off since around 1992 when my town was one of the first to get high speed internet via cable modem (firewalls didn't even exist back then, but even when I first got a router, I would run my primary machine as DMZ) and I have never been infected with malware. An infection requires you to run an application with a security hole that can be exploited through a socket that it happens to open. My strategy is and has always been to not run such applications. I also run Windows Update every Tuesday to patch the holes in the applications that come with the operating system itself. Also, any application that I would choose to run - well I have to open the port to that application anyway - so I ask - what is the point of blocking all the unused ports?
In my mind a "firewall" has always been more about logging and centralized management of resources than simply acting to deny access. The terms have been twisted in half over the years to the point where most people administering firewalls don't bother reviewing their logs. Quite unfortunate.
The central objection to host firewalls in my mind is, let's say I install a server application on my computer and it needs people to connect to it. It will either tell me to add an exception to the host firewall for it or just go ahead and call an API to do it itself. At that point what is the salient difference between not listening on a port in the first place and having a firewall block access? The firewall basically ends up becoming an annoying layer of redundancy that does nothing but get in your way.
The classic issues WRT MS worms have been because the OS listens for incoming connections by default... a simple rule that said don't listen for anything by default essentially has the same effect as enabling an MS firewall.
It can be quite useful to control access to resources by IP address using a firewall in cases where applications have no provisions for it. The problem here is I don't subscribe to the flawed idea that access control by IP represents an effective security measure. It places too high a dependence on the perimeter, which can easily be bypassed by internal spoofing of the wire.
Another exceptionally annoying aspect is the Microsoft "stealth mode" firewall. It messes with ICMP and prevents communicating connection refused messages, traceroutes, etc. when systems do not intend to accept connections, and there is NO WAY to turn it off without disabling the firewall altogether. The end result of this stupid exercise is merely that nmap scans run slower and take longer to complete while pissing off legitimate users who now have to WAIT for connection attempts to time out instead of getting immediate feedback. It has no legitimate impact on security.
And don't even get me started on all those asshats out there who disable ping and ttl expired in the name of "security".
It's not that desktop firewalls are "overkill" it's that they should be redundant and worthless in any sanely designed system. A much better path is to use IPSec to authenticate connections between peers.
Where the fuck do you live, Baghdad or the Congo?
Christ, what happens if you need a piss in the night?
Do you put on night vision goggles and take your gun to the crapper?
I hate to say it but anyone who would write an article like this should be considered a network hacker/cracker (depending on the term you wish to use) and this should be considered a social engineering attack. I have just turned on an extra firewall and now maintain a double firewall from two different manufacturers as well as recommend individual machines be software firewalled and have any port not being used turned off. This is the Internet: if you think everyone is out to get you, you're not paranoid, you are just paying attention.
By gun, do you mean bo staff or shurikens? And, by someone, do you mean a bear (species yet to be determined)?
It would be nice if the fundamental security and measures like firewalling on our standard OSes were good enough so that we don't need additional firewalls. Then attacks from inside a network would also be much harder. Sadly this is not true for any of the standard desktop OSes, Linux and Mac OS X included.
I hope this answers the question.
Should I block it?!?!
When I drive in my car, I enjoy the security of having airbags -- but I still wear my seatbelt. Together, they enhance safety. Desktop firewalls work with network measures to enhance security. Besides, desktop firewalls have the added benefit of letting users monitor what software is always communicating via the 'net...and block it...
Isn't this what some people claim ICE and DEA should do?
While a strong wall is a good thing, there would still be a need for internal security.
Ya can't even trust security companies now with that stunt ZoneAlarm just pulled this week, and he wants us to shut off our firewall?? HAHAHAHAHAHHA not a chance. There isn't anyone I trust on the internet except me :)
Jack of all trades,master of none
I have a 5 year old, a seven year old, and occasionally, I still have sex...
yes- I lock the bedroom door.. even more than I lock the front door....
every day http://en.wikipedia.org/wiki/Special:Random
The author clearly states in the body of the article that he doesn't recommend doing away with desktop firewalls, doesn't think it's a good idea, and certainly isn't going to do it himself. So what was the point of the article again? Clearly, to say something controversial in the headline in the hopes of drawing more eyeballs.
... he recognizes this problem in the article, and calls for different solutions for mobile machines. But still - kind of a dumb article.
He dances with the idea, while caveating everything he says. This is no journalist, and when you look at the results, the examples are pretty dubious. I feel sorry for the guy, except that he's giving bad advice in trade for a hit count.
---- Teach Peace. It's Cheaper Than War.
Layer your security! The USN doesn't have a single "this will stop the missile" system. They layer defences and even then practice damage control when they get hit.
Machine level
+Desktop firewall and close them ports
+No admin priv in normal login
+Antivirus updated and installed on every machine
+Savvy users who are aware of issues and avoid them and report when there is an issue
+Avoid USB drives when ever possible (email, wikis etc)
Server
+Antivirus on email, files etc
+Network monitoring
+Firewall
+Admin priv
+Savvy admins that are aware of issues and take proactive steps to avoid them and keep users informed.
Of course you need firewalls on PC's in an office. Jon seriously can't be this dumb.
People take laptops home where they are subject to untold abuses. Then they bring these festering things back in.
The sooner and quicker an intrusion is halted the better. All ports of entry must be guarded. It's actually easier to deal with issues if they are. And yes it can be somewhat painful to maintain but it is a cost that must be factored in. I want my corp machine well guarded against the other management's filth vomiting machines, unholy USB sticks and unsecured private wireless routers.
Jon, I wouldn't want to be in your shoes when someone actually follows this advice in order to save money and sinks their company. Jon, this is bad advice you give. You are putting companies at risk. You should feel ashamed.
Your time would have been better spent writing something about how we can protect our smart phones and tablets from bringing down the corp network.
See, this is the problem. You are practising the Soviet school of thought of defense in depth. Layers upon layers of defenses to absorb the attack and draw in the attacker until he is vulnerable for a flank attack. The problem is, this tactic needs very thorough fieldwork preparation, great amounts of manpower to cover the whole front, more reserve manpower to plug holes in your defenses, massive amounts of hardware and most critically, time. This means that to maintain your defenses, you will need to spend lots of resources until the enemy attacks. The enemy on the other hand has the luxury of choosing his time and place for the attack and will be able to concentrate his firepower where he wants to achieve local superiority where it counts the most. So, choose your defensive strategies carefully. Evaluate if your superiors will have the stomach to absorb heavy losses associated with the defense in depth strategy before you adopt this strategy.
Because if you have adequate measures in place to protect against the business disruption caused by 0-day exploits, then the periodic, recurring cost of maintaining security on the desktops might exceed the cost of occasional cleanups, especially once you factor in the performance and productivity hit that security on every desktop incurs.
For example, what if all your desktops are booting off the network, and all your important business data is centralised on a server?
A corporate firewall should enforce corporate policy. A DSL/Cable modem firewall should enforce home policy. A desktop firewall should enforce desktop policy.
Desktops will always have more specific requirements than corporations, as desktops are generally doing a whole lot less. Further, users like being able to experiment with software in a sandbox-like environment. Ok, I do. That can include software that uses ports that I don't want outside individuals being able to connect to. Finally, desktop firewalls that log attempts to access closed ports are effectively intrusion detection systems without needing any additional programs running.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)