Is an Outbound Firewall Really Needed

First, read this: http://ask-leo.com/is_an_outbound_firewall_needed.html

I think an outbound firewall is needed; I just want your opinions. :slight_smile:

There is a debate in the comments on this post (not my post), and I also made an article about it.

Yes, an outbound firewall is needed in many situations.

The most important one I face (and the reason I am looking at Comodo) is that I need additional coverage for my large network.

Viruses, trojans and malware in general are getting more complex and using more and more methods of delivery and attack. It is only inevitable that we will have attacks that come in through a browser going to a trusted site that delivers a brand-spanking new infected ad from a newly infected marketing server.

It is extremely difficult to block zero-day attacks that can bypass detection, especially if your end-users slip up and do things outside the norm (by accident or curiosity / stupidity).

If I have a salesman that messes up and infects himself with a new malware program, Windows Firewall is NOT going to block attacks from the computer if they are on the same network. A loophole. I would feel much safer if my workstations were only allowed to communicate to the Internet (via certain applications) and to certain servers / printers and nothing else. Removing the ability of an infected PC to probe other possible vulnerable PCs on the network would greatly improve the robustness of my network even if we have people voluntarily letting malware loose on their own PCs.

LHammonds

As a Network System Engineer in a large enterprise, I can assure you that outbound firewalling is needed.
Not only at PC level but also on the corporate network; you can prevent so much damage with it, it needs to be best practice.

Look at the hospitals that got a Conficker infection: 3000 PCs infected!!
That happened because their network topology is apparently flat and allows all PCs to access all PCs, so they can happily infect each other.

If they had segmented those PCs into smaller networks and firewalled the traffic “outbound from the PCs”, then the infection could have been isolated to a few segments, instead of infecting the whole hospital.

And that’s just a small example. How about spambots sending out spam with your IP address, so you end up on a blacklist and your real email gets blocked also!!

ET Phone Home behavior from all kinds of different apps etc etc…
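As an added example (not from anyone in this thread), here is the outbound workstation policy LHammonds describes and the segmentation point Ronny makes about the Conficker-infected hospital, as Python run over constructed log lines: the policy function allows Internet traffic and a short list of servers/printers and denies workstation-to-workstation traffic, and the detector flags a host that touches many LAN peers on SMB/RPC ports within a short window. The addresses, ports, threshold and log format are assumptions, not anything from the thread.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed (hypothetical) layout: one flat /24 LAN of workstations plus the
# few servers and printers they are allowed to reach.
LAN = ipaddress.ip_network("192.168.1.0/24")
ALLOWED_LAN_HOSTS = {
    ipaddress.ip_address("192.168.1.2"),    # file/print server
    ipaddress.ip_address("192.168.1.3"),    # DNS / domain controller
    ipaddress.ip_address("192.168.1.200"),  # network printer
}
# Ports worms like Conficker use to reach neighbouring Windows hosts.
PROBE_PORTS = {135, 139, 445}

# Constructed log lines (not a real firewall format): date time proto src dst dport.
# .23 behaves normally; .57 sweeps its neighbours over SMB/RPC.
SAMPLE_LOG = """\
2009-04-12 10:00:01 TCP 192.168.1.23 192.168.1.2 445
2009-04-12 10:00:02 TCP 192.168.1.23 93.184.216.34 80
2009-04-12 10:00:05 TCP 192.168.1.57 192.168.1.10 445
2009-04-12 10:00:06 TCP 192.168.1.57 192.168.1.11 445
2009-04-12 10:00:06 TCP 192.168.1.57 192.168.1.12 445
2009-04-12 10:00:07 TCP 192.168.1.57 192.168.1.13 139
2009-04-12 10:00:08 TCP 192.168.1.57 192.168.1.14 445
2009-04-12 10:00:09 TCP 192.168.1.57 192.168.1.15 135
2009-04-12 10:00:40 TCP 192.168.1.23 192.168.1.200 9100
2009-04-12 10:02:00 TCP 192.168.1.57 192.168.1.16 445
"""

def parse(line):
    date, time, proto, src, dst, dport = line.split()
    return (datetime.fromisoformat(f"{date} {time}"), proto,
            ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport))

def policy_decision(src, dst):
    """Rule a workstation is held to: Internet allowed, listed servers and
    printers allowed, any other LAN host (another workstation) denied."""
    dst = ipaddress.ip_address(dst)
    if dst not in LAN or dst in ALLOWED_LAN_HOSTS:
        return "ALLOW"
    return "DENY"

def denied_connections(log_text):
    """Apply the policy to every line; return the (src, dst, dport) it would deny."""
    denied = []
    for line in log_text.splitlines():
        _, _, src, dst, dport = parse(line)
        if policy_decision(str(src), str(dst)) == "DENY":
            denied.append((str(src), str(dst), dport))
    return denied

def flag_probers(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {src: peer_count} for hosts that contacted more than `threshold`
    distinct non-server LAN peers on PROBE_PORTS within any `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, _, src, dst, dport = parse(line)
        if dst in LAN and dst not in ALLOWED_LAN_HOSTS and dport in PROBE_PORTS:
            events[str(src)].append((ts, dst))
    flagged = {}
    for src, hits in events.items():
        hits.sort()  # sliding window over this host's own events
        for i, (t0, _) in enumerate(hits):
            peers = {d for t, d in hits[i:] if t - t0 <= window}
            if len(peers) > threshold:
                flagged[src] = len(peers)
                break
    return flagged
```

With the policy in force every one of .57's sweep connections is denied, and the same lines, denied or not, are enough for the detector to single out that host.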

ET Phone Home behavior from all kinds of different apps etc etc..
I agree :-TU

Adobe CS4 products are probably the best example (AND THE WORST OFFENDER) that I’m aware of that does this. If some of you have Adobe CS4 products and a dial-up connection, I’d recommend editing the hosts file to stop this sneaky method of secretly phoning home. It’s bad enough dial-up is slow >:( It’s even worse when there is software secretly sucking up your dial-up bandwidth. >:(

Thank you guys. :slight_smile:

I used some of your answers here. If you want me to remove or change your quote, just PM me.

:slight_smile:

Yep, I need to control what’s going out from my machine: which IP, which program. Some can use svchost.exe or explorer.exe or IE, etc., to send data from my machine.
It can prevent some trojan from sending data, or my machine from being used as a bot to launch attacks against servers or spamming. Nothing can detect 100% of malware, so outbound control is needed in case some strange process wants to go out or uses a Windows process to do it.

To LHammonds and Ronny:
Now this is very interesting, and here is why:

I’ll repost my own post from another forum:
I guess CIS’s inbound protection is better than my Edimax router’s inbound protection and the Windows XP firewall turned on?

It’s very interesting that I finally found the way to disable the router’s protection if I want only CIS to protect me from both inbound and outbound attacks. I simply went into DMZ and typed the LAN IP address.

Plus, my computer is 100% clean.

But can you explain to me why I have never been attacked seriously?
Basically I’m using a router, Avira Antivirus (free) and the Windows XP firewall turned on. I’ve never been infected, and I’ve been visiting truly all kinds of websites.
It just doesn’t make any sense to me, the dangers you’re talking about, since I never experienced a single one and have never been infected.
I still don’t understand this, from the post where you were describing the dangers of surfing: despite malware becoming more and more complex and tougher, I’ve never experienced such a thing, and again I’m only using a router, Avira Antivirus (free) and the Windows XP firewall turned on.
This works also for outbound protection.

I wish anyone here could explain this to me; I would be truly grateful.
Thanks to all.

Maybe you are infected but you don’t know it. :stuck_out_tongue:

Not needed for a novice user.

Hi Ultra-Bot,

It’s about layers of defense. You don’t want to depend only on the gate at your yard; you also have a front door with a lock on it, and once they’re in your house you keep your valuable stuff in a safe. Those are “layers”.

If something breaks through one layer, there could be another layer to alert or stop it from going further.

And there is nothing wrong with having a few layers of security, but it also depends on your “situation”.

If you have only one PC in your network you are not likely to infect other PCs on a LAN.
But if you have a corporate network with 100+ PCs you don’t want one PC to infect all the others.
But if you have a corporate network with 100+ pc’s you don’t want one pc to infect all the others.

That’s where outbound firewalling makes more sense than on a single-PC LAN.

Setting the IP of your PC as DMZ host makes sure all the packets that arrive from the internet to your router are passed through your router without interference from its firewall, so you’ll see all traffic hitting your firewall logging, and the internet is full of probing traffic looking for something to exploit…

On the remark that your system is 100% clean, that’s always a tricky one…
You could be infected with a very nice rootkit that was written especially for you… small chance you’re going to detect it.

There is no such thing as being 100% secure… maybe 99%, but for stuff that people can create there is always someone that can break it, or find other ways to get what they want.

So having a good router/firewall configuration for incoming traffic is good and will lead to no “infection” based only on the assumption that they would attack an open port.

But if your browser is vulnerable to a drive-by-download and your AV misses it, it will only take a second to infect your system, and that drive-by-download could be caused by a site you “trust” but that has been infected using for instance a SQL injection…

How would malware that has infected your system and was not detected by Avira be stopped then?
Virus scanners are always too late, and there is no virus scanner that catches everything just based on patterns…

Once that happens your firewall will kick in and you are alerted to something suspicious… just an extra layer of caution, a theft alarm so to say… if they want to walk out your door the alarm goes…

Actually, my computer is full of “garbage” (unused files), but not malware; otherwise I would really have seen a difference by now.
I think I’m experienced enough…
When I first got a computer I was a dumbhead, and my computer was infected with 15 000 malware samples (ok, that’s how much I counted, and at that time I didn’t know that I needed a firewall and antivirus at least), but this was, at least to me, a golden opportunity to test the best anti-malware programs.
Since then I never got infected; I also grew more experienced and could recognize a malicious process.

Ok, I need an explanation: what is a drive-by-download?
Is it the same as when I was installing the new version of Avira 9 from sourceforge.net and Avira alerted me that Trojan.Downloader wanted to install?
Did you mean that?
I know a couple of websites where Avira has been blocking the installation of malware. Does this refer to drive-by-download?
And what really is “http smuggling” (this term I’ve seen on Wilders Security forums), and can Comodo Firewall protect from that?

But most likely my conclusion is that attackers don’t really target home computers, unlike corporate computers, right?

Thanks.

There is a small wiki here
Basically it comes down to the following.

You visit a site you trust, but that site is infected; in its web page there is a link to a so-called “exploit”
that could perhaps abuse your PDF plugin, your Flash Player plugin or whatever plugin to silently download and execute a malware, most of the time a small downloader that will start downloading other bad malware onto your system once activated.

I once analyzed one that waited 30 minutes before even trying to access the internet…

Believe me, I have seen it happen, and if you have CIS installed you’re glad it tells you Internet Explorer is trying to save a file c:\bladiebad.exe, do you wish to allow? Euh, I did not download anything… oops, it abused an exploitable old version of the Flash Player I had installed on that test system…

Now the difference between a Virus scanner and a HIPS (Defense+) is that HIPS will always alert you that IE is trying to download/save suspicious files and a Virus scanner can only do that if it “knows” that specific file is bad…

Is it the same as when I was installing the new version of Avira 9 from sourceforge.net and Avira alerted me that Trojan.Downloader wanted to install? Did you mean that?
I think the Avira Trojan.Downloader alert is caused by the fact that the installer probably loads network DLLs and has code that will download the rest of the installer. You see that more often: you download a small installer that will download the rest of the program once started. Almost sure it's a false positive.

So no, that’s not a drive-by-download; this got triggered because the file was scanned and found suspicious.

I know a couple of websites where Avira has been blocking the installation of malware. Does this refer to drive-by-download?
Hard to tell, maybe the Avira logfile can give you a clue why it got blocked...
And what really is "http smuggling" (this term I've seen on Wilders Security forums), and can Comodo Firewall protect from that?
Here's a good document on HTTP Request Smuggling (http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf), and I don't think CIS can protect against this because it only targets devices that are running HTTP, and if you would host a web server/cache I don't think it will block this either, because the attack happens in the HTTP data; that would require a tool like Snort to detect packets "inside" an allowed packet. A firewall does not check the data of packets (only the headers, if they don't match the RFC; that "Protocol analysis" you have to activate manually in CIS (Firewall, Advanced, Attack Detection, 2nd tab)).
But most likely my conclusion is that attackers don't really target home computers, unlike corporate computers, right?

Thanks.

Depends. Those mass SQL injection attacks are done to create as many infections as possible, to build a large bot network of infected machines; that code doesn’t care about a home PC or a corporate PC.

If a hacker is out to specifically attack a company then it’s a totally different story; that is a directed attack, and it could be the hacker is trying to attack your home PC because he expects to jump from that PC to your corporate network, because you have for instance a VPN connection to the company.

So all sorts of things possible… but for a “normal” single PC user with a good sense of security that would not be stuff to be scared of.

Run a virus scanner, patch your OS AND applications (use Secunia PSI for instance to detect vulnerable software on your system), install a firewall and maybe a HIPS, and scan once a week with anti-malware scanners like MBAM or SuperAntiSpyware; then you’re good to go.

O, and if you do online banking, close your browser before you log in, and close it again after you’re done…
Don’t bank with 5 tabs open to other sites :wink:

I have to ask you this:
If this is the case you’re talking about, then how come I have not been hacked for the last 2 years?
Could I consider myself a lucky guy?
Maybe it’s because I really don’t download newer versions of PDF plugins?

How come I never visited any kind of website which could exploit my Windows XP?
OK, here is the thing: 90% of the time I visit science and technology websites, however 10% of the websites I visit are quite dangerous. These websites are known as crackers’ websites. Now, although I never download anything there, I still don’t understand how malware from there can do anything if all ports are closed?

Could you give the name of website you were visiting where is a link to “exploit”?
And you’re saying this website is totally trusted?

You’re talking about Internet Explorer, but the fact is I always use Mozilla Firefox, does Firefox have vulnerabilities that could be used for drive-by-download?

Doesn’t the fact that all ports are closed simply nullify Windows XP (SP2 in my case) vulnerabilities (and of course Windows updating should fix any bug and nullify vulnerabilities)?

You said:
“Believe me, I have seen it happen, and if you have CIS installed you’re glad it tells you Internet Explorer is trying to save a file c:\bladiebad.exe, do you wish to allow? Euh, I did not download anything… oops, it abused an exploitable old version of the Flash Player I had installed on that test system…”

My question is: Can the upgrade to a newer version of Flash Player or a newer version of Mozilla Firefox or Internet Explorer resolve all of their vulnerabilities, or will there always be some vulnerability in any web browser, operating system, etc.… and is that why a HIPS like in CIS, which is indeed extremely powerful, is always needed?

AND MORE IMPORTANT, how often, for example, do you get alerts from CIS’s HIPS when it comes to drive-by-downloads?
I mean what trusted websites do you visit?
I almost always visit science and technology websites, but according to you I should not trust them, although they should be trusted because of the content they have!?

About the router: Then I can simply disable the router’s protection and enable CIS full protection, right?

About USB: In my computer management I have disabled autorun, so basically if I have malware on USB, CD, HDD, DVD or any other portable media, does it mean malware can’t run itself?
But what about when I manually open a USB drive, for example, will malware run then? Does it mean you have to manually click directly on the malware itself just to execute/run its malicious content?

The question is simple: Is HIPS really necessary if I disable autorun regarding USB, CD, HDD, DVD or any other portable media?

My computer’s resources: I want to install CIS again, because I’ve been using it since version 2.4, but here is the problem: it takes about 190 MB or something on the hard disk.
I have nearly 80 GB of hard disk, and 91% is basically free space on D:/ and 88% free space on C:/.
It’s interesting that CIS on RAM is extremely low 15 MB I think, at most.

But I don’t understand then why, when I go into Task Manager, before I used CIS the used RAM was 290-300 MB of 1592 MB, and without CIS it comes back to 218 MB of 1592 MB.
It doesn’t make any sense, since CIS takes only 15 MB at most in RAM, as shown in Task Manager.

Ronny, I apologize for so many questions that are a bit confusing, but this comes from my still confused mind.
I hope I wasn’t too invasive with all the questions.

Cheers.

A few years ago, I did have the experience that potential virus files (not exe or plugin, might be jar files) downloaded from website(s) were not detected by the Avira realtime scanner. I used another on-demand AV to find that out. Might be they were just FPs, might be Avira was not as strong as today, might be I was the lucky guy. ;D

Well you have “created” a part of that luck because you care about your security…
Most people don’t bother about that “annoying” antivirus that has expired 3 years ago :wink:

Maybe it's because I really don't download newer versions of PDF plugins?
Well then they should be really really really old, so that no one attacks those versions anymore...
How come I never visited any kind of website which could exploit my Windows XP? OK, here is the thing: 90% of the time I visit science and technology websites, however 10% of the websites I visit are quite dangerous. These websites are known as crackers' websites. Now, although I never download anything there, I still don't understand how malware from there can do anything if all ports are closed?
Well this is a thing of the last year, so only that will count, and of course a well-coded website is not vulnerable to SQL injection, so you can't get infected from that.

How it attacks you: simply by abusing your browser (and/or browser plugins) to download and start the malware; that way they don’t need an open port for an incoming connection.
It’s just like downloading manually but in this case they take care that they silently “press” the [RUN] key without you noticing it…

Could you give the name of website you were visiting where is a link to "exploit"? And you're saying this website is totally trusted?
Sorry that would be against policy...
You're talking about Internet Explorer, but the fact is I always use Mozilla Firefox, does Firefox have vulnerabilities that could be used for drive-by-download?
It helps but does not eliminate it; all software is vulnerable somehow, it's just a matter of scale. The more people use a "vulnerable" version of something, the bigger the chance they get of creating a large bot network. So the bad guys are almost always looking for something that is used by as many people as possible: Windows, IE, MediaPlayer, Adobe Flash Player & Reader etc... best chance of infection.
Doesn't the fact that all ports are closed simply nullify Windows XP (SP2 in my case) vulnerabilities (and of course Windows updating should fix any bug and nullify vulnerabilities)?
No, that only prevents you from getting infected by so-called "network spreading" malware that attacks a leak in a process that's listening on that port.
You said: "Believe me, I have seen it happen, and if you have CIS installed you're glad it tells you Internet Explorer is trying to save a file c:\bladiebad.exe, do you wish to allow? Euh, I did not download anything... oops, it abused an exploitable old version of the Flash Player I had installed on that test system..."

My question is: Can the upgrade to a newer version of Flash Player or a newer version of Mozilla Firefox or Internet Explorer resolve all of their vulnerabilities, or will there always be some vulnerability in any web browser, operating system, etc.… and is that why a HIPS like in CIS, which is indeed extremely powerful, is always needed?

AND MORE IMPORTANT, how often, for example, do you get alerts from CIS’s HIPS when it comes to drive-by-downloads?
I mean what trusted websites do you visit?
I almost always visit science and technology websites, but according to you I should not trust them, although they should be trusted because of the content they have!?

Well that was because I have seen it happen, not on my own system, but in our company we have lots of users and systems, and a few were affected by this.
So it’s not that you ARE going to be infected, but it COULD be… it’s out there.

Just like having safe sex, it could save you…

About the router: Then I can simply disable the router's protection and enable CIS full protection, right?
Well I would not do that; it's a better layer of security to have a hardware firewall and then let CIS only take care of the stuff that slips through... just an extra lock on the door in case...
About USB: In my computer management I have disabled autorun, so basically if I have malware on USB, CD, HDD, DVD or any other portable media, does it mean malware can't run itself? But what about when I manually open a USB drive, for example, will malware run then? Does it mean you have to manually click directly on the malware itself just to execute/run its malicious content?
Well autorun wasn't completely disabled even if you took all measures, because of a bug on XP, but if I'm correct they have fixed this with a patch now.

If you put a USB drive in your system, CIS will by default not “trust” executables that are on there, so it will alert you that something.exe is trying to start…

The question is simple: Is HIPS really necessary if I disable autorun regarding USB, CD, HDD, DVD or any other portable media?
Well again, just another layer of security; if you leave its settings at default and it starts to complain, you better read twice what it says before allowing it ;)
My computer's resources: I want to install CIS again, because I've been using it since version 2.4, but here is the problem: it takes about 190 MB or something on the hard disk. I have nearly 80 GB of hard disk, and 91% is basically free space on D:/ and 88% free space on C:/. It's interesting that CIS on RAM is extremely low, 15 MB I think, at most.

But I don’t understand then why, when I go into Task Manager, before I used CIS the used RAM was 290-300 MB of 1592 MB, and without CIS it comes back to 218 MB of 1592 MB.
It doesn’t make any sense, since CIS takes only 15 MB at most in RAM, as shown in Task Manager.

Could that happen to be Virtual Size, or was that measured during a manual scan?
Maybe you are running into an AV scanning bug…

Ronny, I apologize for so many questions that are a bit confusing, but this comes from my still confused mind. I hope I wasn't too invasive with all the questions.

Cheers.

No problem, I’ll try to answer them :-TU

Here is another example of a new attack run, 40000 sites infected and counting…

http://securitylabs.websense.com/content/Alerts/3421.aspx

I can see the need for detecting that your computer has been compromised and is sending spam messages but how does Comodo firewall protect against that? I am very new at the use of Comodo and am baffled by most of the settings available.

Hi sdsmall,

Welcome to the forums.
For starters I would try and read the help file; it really explains most of your basic questions.
Don’t start to shove around all kinds of settings before you’re a bit more familiar with what they do.

Every settings window has a “What do these settings do” link to the help file, that should bring you to the right part of the help section.

It will at least ask you if an application is trying to connect to the internet and if you wish to allow/deny that.
If the color of the alert is RED be extra careful, and just read calmly what the alert says.

If you have signed up for ThreatCast you can also see what other users answered to the same question.

Hope this helps a bit.