Windows Legacy OS forum

General discussion

What's the Point of Firewalls?

by RMskater / May 3, 2006 10:45 AM PDT

I was just reading an old CNet subscriber letter about using wireless internet in hotels. Lots of people were talking about different ways to prevent your data being stolen, including an "evil twin".

Well, a few people mentioned using firewalls. I used to use one a while ago (ZoneAlarm) and liked the way it worked, however, here's my question, how exactly does it protect the data that you SEND.

I can understand that it would be protecting your computer from people who try to get onto your own computer, but I thought of it as somewhat like a brick wall, keeping those that you wanted out of your computer on the other side of the brick wall.

Do firewalls protect the data that you send also? I was thinking of it being like (another goofy analogy, haha) lining a garden hose with steel tubing, so that way no one can come over and puncture the hose and steal your water from the hole. Can firewalls protect outgoing data, and not just incoming data and protect against incoming threats and attacks on your computer? Thanks so much!

Oh yeah, no need to brief me on anti-virus, I've already got that worked out, just wondering if firewalls protect the data that you send. ;-D

Thanks so much!

Discussion is locked
You are posting a reply to: What's the Point of Firewalls?
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: What's the Point of Firewalls?
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
the filter in the garden hose
by linkit / May 3, 2006 11:03 AM PDT

Firewalls don't protect data along the way. It only protects at the wall (a wall of fire). So, the analogy is not the lining in a garden hose; it is more like a filter or screen at one point in the hose.

Some firewalls like Windows Firewall don't allow certain data INTO your computer. Other firewalls like ZoneAlarm provide protection from unauthorized data from going INTO and OUT OF your computer (a two-way firewall).

Collapse -
Interesting....
by RMskater / May 3, 2006 11:15 AM PDT

Interesting....thanks!

Just wondering, what kind of data does ZA prevent from going out of my computer?

Collapse -
about ZA
by linkit / May 3, 2006 11:39 AM PDT
In reply to: Interesting....
Collapse -
Haha, Thanks :D
by RMskater / May 3, 2006 11:51 AM PDT

Thanks for the response and the better analogy. Grin

Collapse -
Firewalls....
by Papa Echo / May 3, 2006 11:25 AM PDT

...prevent data from going in(or means of) - only those permited by you can go in. More impotantly, they limit data from going out(or means of) - only those permited by you can.

Collapse -
Is ZoneAlarm okay?
by RMskater / May 3, 2006 12:02 PM PDT
In reply to: Firewalls....
Collapse -
It is OK on my computer
by jayfin / May 3, 2006 10:39 PM PDT
In reply to: Is ZoneAlarm okay?

I use ZA Pro 2006 and have had no trouble at all with the exception that I can't use AVG's anti-virus software.(Note: AVG works ok with the free version of ZA. The feature that I use most is that with just a click of the mouse, I can shut down all internet activity even though I am on an "always on" Cable network. If I am doing word processing or anything else that does not involve the internet, I just click the ZA icon. Whenever I leave the computer, I do the same.

I am using XP Home with SP2

Collapse -
They don't
by Ahmad Nawaz Cheema / May 3, 2006 11:33 PM PDT

One of the most common misconceptions people have about firewalls is that they function like anti-virus programs and scan incoming/outgoing traffic for signs of nefarious things. They don't. Well, certain types do, but even that's fairly limited.

To borrow the garden hose analogy, firewalls are more like a kink in the hose that can selectively block water flow.

The only thing they do is block traffic based on a set of rules they are given. Some will also look at the individual packets of data and make sure they seem to conform to RFC specifications, and then send it on its way. Higher class firewalls, known as stateful firewalls, will look at all packets in the scope of a connection which provides better protection against specially crafted data packets. However, it's NOT a feature you'll find in any of the free software firewalls for Windows.

But a firewall does not scan incoming traffic to make sure it's not from a hacker or some sort of spyware as most people think. If set up correctly, it can make it more difficult for a hacker to get a foothold into your system, but that's it. If you allow ANY data into your computer, there's a hole in your firewall that a hacker could get in through. ZoneAlarm is good for blocking automated probe programs run by social malcontents on the Internet, that seek out systems to exploit, but that's about all. If you get the attention of an actual hacker, your only defense is pulling the connection. If you're lucky, ZoneAlarm will tip you off to their efforts and give you enough time to do so, but it won't stop them from getting in.

It's also a myth that the Windows firewall doesn't block outgoing data. The gold and SP1 incarnations of the Windows firewall were only configured to deal with incoming traffic, since that's where 99% of the threat lies, externally to your computer. With SP2, it is set to function much like ZoneAlarm, allowing selective blocking of traffic going both ways. A policy that will be reversed in Vista as a capitulation to the likes of ZoneLabs, McAfee, and Symantec. A lot of people here seem to think that a firewall like ZoneAlarm is great for finding hidden spyware on your system, and I agree with that. I just think the better solution is to create a situation where it's near impossible for spyware/malware to infest your system in the first place. This can be effectively done by not using Internet Explorer, or any other product based on Internet Explorer such as Outlook Express. There's also the no-P2P and pirated software policy, as those are other common spyware/malware infestation routes. Doing this virtually eliminates the need to monitor outgoing traffic.

For a number of reasons, I prefer hardware based firewalls devices/appliances. A firewall can consume a large amount of resources to do its job, so having dedicated hardware frees up those resources on your computer for something else. Most of the times the firmwares are based on Linux and use it's excellent stateful firewall IPTables. Rules can be written once and applied to many computers. They don't hinder internal LAN traffic (if you have more than one system). A botched update won't affect your computer beyond it's ability to communicate on the network. It doesn't flood you with pop up notices about this or that program wanting to access the Internet, using alarmist wording, leading to a situation where you just start clicking "Yes" to get the things to go away.

As I recommend to most people, it's important to know the basics about firewalls. A well configured ZoneAlarm will provide more protection than the best enterprise level firewall with a number of large gaping holes in its ruleset. You can learn these things on a site such as Security Focus. Just be wary of anything by Steve Gibson or grc.com, which is his website. If you believe almost every other security expert (many of which you can meet on Security Focus's mailing list BugTaq), Steve Gibson is as poor a security expert as he is a skilled marketer, and he is a very skilled marketer.

Collapse -
What Are the State Level Firewalls?
by RMskater / May 3, 2006 11:45 PM PDT
In reply to: They don't

Just wondering, what the ones that pass the state inspection (can't remember the terminology)?

Collapse -
Links only about STATEFUL INSPECTION.
by R. Proffitt Forum moderator / May 3, 2006 11:52 PM PDT
Collapse -
Thank you
by shankru85 / May 4, 2006 6:10 AM PDT
In reply to: They don't

First of all ,
my congratulations & thanks for this
MASTERPIECE (simple & precise)

I've read the article
about new Windows Firewall in Windows Vista & Windows Server ''Longhorn'' too
& under ''Technical outgoing/ingoing support''
it says that , by default configuration ,
it will block all incoming traffic unless it is
allowed & it will allow all outgoing traffic unless
it will correspond
to configured exceptions .
So not many changes on this side .
That is main problem :
the difference between ''doing'' &
''possibility of doing'' .
Windows won't cofigure exceptions automatically but
every user can prevent applications
from listening to ports .
Every user can also get safer by coding &
authenticating packets thanks
to IPsec client in Microsoft Management Console , allowing to
enable more control on the packets during its
route in Transport/Tunnel mode but ,
before creating rules ,
Windows Firewall does not provide
an acceptable level of security .
While Zonealarm comes with efficient
predifined rules & that is
very important (& sufficient ?)for millions of
people that cannot/do not have time/do not want
to spend time configuring IPsec .
Furthermore it makes easy to
set the rules for every single application by
showing simple & easy-to-use interface , plus
it displays fairly detailed & useful real-time log
very easy to comprehend .
All these features could be unuseful for
very expert users , just like you are , so
you can focalize your attention on optimizing
connection & system performance(i know
that many expert users say Zonealarm is only
a resources hog) , but for me & all
people not as expert as you are , these features could
help improving security level .
Hope that evolvement of IPv6 will solve some of security current
issues(...probably 2025 i've read...)

Spyware real-time protection is
a feature that only advanced & often expansive firewalls
have . In my opinion it could be very useful but
should be integrated with a software projected & intended only
to do this kind of work (i'm thinking
at Ewido , as i always do) :
i always follow this 5 rules :
http://reviews.cnet.com/5208-7813-0.html?forumID=32&threadID=166246&messageID=1841368

Using other browser than IE , just
to get safer , is only partially acceptable
(chronologically speaking) , in my opinion .
Every browser is vulnerable :
time ago , when Mozilla Firefox was not
as popular as today , we all thought that it
had much less vulnerabilities than any other ,
today people interested in reading articles & reports
know that it has several vulnerabilities too .
I think the problem is related to the Market's
situation & evolvement :
the more a product get popular , the more it
could be a business for Companies interested
in partnership & advertising , for Software houses &...
even for hijackers...
I think this is not Browser vulnerability's but
commercial advisability's issue .
Altough is still true that Firefox is
safer than IE , that could become false
in short time , just time enough for
Market to change its direction , following
million of people choice .


By the way , newsletter received today :

- Firefox 1.5.0.3 corrects vulnerability -

Madrid, May 4, 2006 - A new version of Firefox (v.1.5.0.3)
has been released to correct a vulnerability in this popular browser.
Mozilla advises all users to install the update to prevent possible attacks.

The corrected vulnerability was caused by an error processing certain JavaScript calls.
The problem lay in the js320.dll and xpcom_core.dll due to the fact
that the browser did not correctly handle the code included in the iframe.contentWindow.focus() function.

An attacker could create a web page which when viewed could cause a denial of service.
In addition, this vulnerability could potentially be used to cause an exploitable buffer overflow,
allowing an attacker to execute arbitrary code and remotely compromise the system.

More details about the corrected vulnerability and the new version of Firefox 1.5.0.3
for Windows, Linux and Mac OS X are available at: http://www.mozilla.com/firefox/releases/1.5.0.3.html

Thank you (one more time) for sharing your
knowledge & for the useful link .

Regards

White [ITA] http://fileforum.betanews.com/detail/SIW/1097934999/1

Collapse -
Old Argument
by Ahmad Nawaz Cheema / May 4, 2006 7:31 AM PDT
In reply to: Thank you

Microsoft has been trying to push the popularity argument as long as they've been trying to push their security through obscurity (if no one can see the Windows source code, no one can find any flaws that might be exploited) argument, and both of them are a complete load that has clogged many a low-flow toilets.

The popularity argument ignores a very simple, and very fundamental, angle. That being that Microsoft designs software where EVERYTHING, including security, takes a back seat to usability. Meaning that it is EASIER to exploit Microsoft products over any other software written with a higher security to usability ratio.

It's not hard to write a virus for Linux or Mac OS X. It's actually probably easier, given how Linux and OS X have very complete development environments included with the operating system. The reason there are so few for either platform doesn't have anything to do with their market share, the major key lies in the Unix style user model that both operating systems use. Every user besides the root user account is pretty well sandboxed and isn't able to affect system critical areas. This is somewhat less true with OS X compared to Linux, but even OS X's idea of an admin level user doesn't have anywhere near the sort of free reign that a Windows admin user has. If I wanted to, I could go and delete key files needed by Windows to function, and intentionally render my system useless. I also have a much higher probability of doing this quite by accident with Windows.

Another thing Microsoft likes to do to draw attention away from itself, is compare raw numbers of exploits. They like to compare something such as XP against a popular Linux distribution such as Fedora Core. When you look at the raw numbers, Fedora Core seems to have a considerably higher number of exploits. However, once again it's the details that are key. Fedora Core comes packaged with literally hundreds of different applications and a wide array of different servers. XP doesn't come with more than a handful of bundled programs and only XP Pro comes with a copy of IIS IIRC, and it has to be installed AFTER the operating system.

So let's make it a little more fair, and compare like products, such as Internet Explorer vs. Mozilla Firefox. Raw figures don't really tell you anything useful. What's important is the severity of the exploit, and the length of time for it to be patched. If you look at IE v Firefox, you'll see that almost all IE flaws compromise the entire operating system, while most Firefox flaws are limited to Firefox. Similarly, IIRC, the average patch turnaround time (the time from when the flaw is discovered to it's being patched) for Firefox is measured in weeks. Microsoft, OTOH, has a patch turnaround time measured in months.

Here is a listing of IE 6.x bugs, and if you scroll down you'll see there are still some of them that are unpatched from 2003. The pie charts also show that the majority of these are remote exploits and that the largest chunk of them result in system access.

Here is the listing for Firefox 1.x (so 1.0-1.5.0.3) which seems a little unfair, but it's what we've got to work with. You can see that Firefox has less than half the unpatched exploit rate of IE, and a much higher patch rate. There's no data on the exploit window for the various exploits, but since Firefox is developed in a fairly open fashion, there is more pressure for them to patch things quickly. Microsoft has been known to sit on patches for weeks and even months.

The situation isn't as clear cut as it might seem at first blush, and indeed even I'm simplifying things a bit. There is one indisputable fact however: Regardless of the reasons why, Internet Explorer is the more or less exclusive target for spyware/malware. Until that situation changes, not using Internet Explorer can only bolster your defenses against spyware/malware infestation and thus overall system security.

Collapse -
IE
by shankru85 / May 4, 2006 11:00 PM PDT
In reply to: Old Argument

Your technical & close examination
of single sides of the problem is
very deep & i'm glad to learn from you .
Risking an off-topic reply ,
i'd like to clarify that i do not approve
Microsoft's deviating statements as well
as i do not approve its monopoly
position on the market .
On the contrary , i think that monopoly
can only lead to indolence , laziness ,
indifference towards customers & partners , abstraction &
imprecision .
For all these reasons , should be clear that i did
not intend to deny that Microsoft neglect to
deeply examin & correct software flaws , in particular
security ones , nor that it focalize its attention almost
exclusively on usability , just to get people confidence(we all care about usability ,
which is immediately compprehensible , while
only few of us care about security , which requires more knowledges) .
What i intended to say is that this is not the main problem .
Concerning this specific subject ,
i'm convinced that technical issues must take second place .
Assuming that all softwares have technical flaws ,
vulnerability of a product can be discovered only
by making attempts on its integrity ; the more you try , the more flaws
you can discover .
So which OS could an hijacker be interested in
attacking ?
XP , MAC or LINUX ?
Although it's true that Microsoft used/uses to sacrifice
security pro usability , maybe we ignore MAC or LINUX policy
just cause nobody is interested in analyzing them so deeply .
I'm registered at BetaNews website & use to visit daily or
even more , i see all software releases day by day & i could
realize that the relationship between softwares designed for XP
& softwares designed for MAC OS is about 200 : 1 .
So where is the BUSINNES ?
For which OS are Software houses interested in developing products ?
On which OS are Commercial Companies interested in publishing their own pop-up ?
Of Which OS could flaws be more "interesting" for hijackers ?
...most important : who are hijackers ?...why do they hijack
OS as well as softwares ?...why do they violate everyone's privacy ?
Leaving out every other subjects , i think that these last three
are the critical questions , the point where the discussion should
start .
If it's true that most part of the truth is hidden
("The situation isn't as clear cut as it might seem at first blush") ,
we're missing the main part of the problem :
not HOW (technical) a software is hijacked but
WHY (politic-commercial) it is .
In my opinion , technical subject is consequent from Political-economical ,
not the contrary.
From there we should start anylisis , looking
for effective solutions & able to solve security issues ;
patches & security features are just transient solutions ,
assuming that malware evolvement is faster than security
softwares & devices one .

Unix style of Linux & MAC (& FREE BSD http://fileforum.betanews.com/detail/FreeBSD_for_i386_ISO/953609528/1)
subject could explain single cases(particular)
mostly related to unjudicious use of
pc user\admin himself (downloading cracked/patched softwares
, online "cards games" , pornographic images & videos & so on)
, but should not be able to explain whole problem(univerasl).
Jyst like saying that is an "event" , not the "rule" .
Furthermore Unix style could be an issue for an
hijacker , who has to consider that cannot fully
get admin "help" but does he choose Windows 99% of times only for
the problem related to admin faculty ?
This could be a deterrent , not insormountable wall : do you think
that , in an hypothetic future , when Market
focalizes its attention on MAC or LINUX ,
WINDOWS will remain most targeted OS ?
(by the way , i could cause sys crashes too...very , very
easily : WINLOGON in System32 directory...)
I agree to your words :
"you'll see that almost all IE flaws compromise the entire operating system" .
Uncouth Microsoft's mistake to make a browser vital part
of the OS .
Altough this subject is properly related to consequences of
attacks & not strictly to prevention of attacks ,
that could be a good reason to avoid using IE .

Finally , we come to similar end :
IE is currently the most VULNERABLE browser in your opinion
(as far as i could understand) ,
just most TARGETED in my opinion .
Surely it's better to use other browsers than IE now ,
but this could be not true in a (not so far) future.
As well as there is no "Magic Shield" & there are no AVs able to
prevent all existing viruses , there are no invulnerable
softwares or OS .
While OS subject must be unfortunately omitted , cause Microsoft
will remain market leader for hundreds of years ,
browser subject could change its direction soon ,
thus IE could become "safer" than another browser ,
the one that will be leading the market .
Firefox is not "safe" , is CURRENTLY(chronologically-limted
consideration) "safer" than IE .


http://www.virusbtn.com/index
http://www.viruslist.com/
http://www.nod32.it/home/home.htm italian language
http://www.pandasoftware.com/
http://www.betanews.com/
http://en.wikipedia.org/wiki/Main_Page

One more time Thank you very much , it's a pleasure for me
to discuss with you .
p.s. I apologize for my "italian-english mixed" language...i'm studying !

Regards

White [ITA] http://fileforum.betanews.com/detail/SIW/1097934999/1

Collapse -
Quick and simple
by Ahmad Nawaz Cheema / May 4, 2006 11:32 PM PDT
In reply to: IE

No one aside from the most zealous of users for any non-Windows platform will claim that their platform is perfect. Humans will make mistakes, and when you're dealing with thousands of lines of code, mistakes will happen. That's not so much the issue, it's more about how those mistakes are dealt with when they are found to be problematic for security. Further, whether or not the construction process of the software is one that is going to lend itself to making more of these mistakes happen.

In the case of Linux and OS X, both are based on a modern Unix, the result of almost 30 years worth of trial by fire, while Windows doesn't. This gives Linux/OS X an edge, but doesn't make them immune.

When it comes to web browsers, there's one real key difference. IE's ActiveX works by downloading compiled executable code, not unlike any other executable program on your computer, and running it. It opens up a number of interesting possibilities, such as Windows Update, but it's also a huge risk. The problem here, is that Microsoft's whole security model around ActiveX seems to be based on the idea of having people digitally sign ActiveX controls so that if they do something bad to your computer, you can sue the person who made it. The obvious problem with that, is that the damage is already done at that point, even assuming every single control were to be signed.

One other problem I see, is the whole push Microsoft and Apple have been making for lowering the level of knowledge required to be able to use a computer. It's a noble idea, but there comes a point when it's counter productive. We American's love our automotive analogies, so... It's kind of like just letting anyone drive a car, without making them go through some sort of instruction first on how to properly drive a car.

Finally, couple of minor things that have nothing to do with anything being discussed here. First, I wish I could learn another language as well as you've picked up english. At my peak, my French was probably only about as good as a toddler's. Secondly, you don't need to hit enter every time you hit the end of text box. It will wrap automatically to the next line.

Collapse -
Still...
by RMskater / May 4, 2006 8:56 AM PDT
In reply to: Thank you

Still though, IE is on version 6, coming out with version 7 soon, and it has had all of these flaws. Firefox is only on 1.5.0.3. Firefox is still a baby, and is safer than IE6. I'm sure when Firefox 6 comes out, it will smash IE32 (or whatever version they'll be on then) in security.

Popular Forums
icon
Computer Newbies 10,686 discussions
icon
Computer Help 54,365 discussions
icon
Laptops 21,181 discussions
icon
Networking & Wireless 16,313 discussions
icon
Phones 17,137 discussions
icon
Security 31,287 discussions
icon
TVs & Home Theaters 22,101 discussions
icon
Windows 7 8,164 discussions
icon
Windows 10 2,657 discussions

CNET FORUMS TOP DISCUSSION

Help, my PC with Windows 10 won't shut down properly

Since upgrading to Windows 10 my computer won't shut down properly. I use the menu button shutdown and the screen goes blank, but the system does not fully shut down. The only way to get it to shut down is to hold the physical power button down till it shuts down. Any suggestions?