
Thread: do I need a firewall?

  1. #31
    Join Date
    Nov 2005
    Location
    Lincolnshire, UK
    Beans
    1,461
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: do I need a firewall?

    Quote Originally Posted by haqking View Post
    I would advocate a firewall in all instances, it is not a one stop solution but is part of a layered defence which is the best process for securing a system...
    So, if I understand this correctly, you recommend a software firewall such as iptables/ufw even for machines behind a NAT router? Is there any performance hit in using firewalls, particularly if you use both NAT and iptables?

    I agree with the layered defence approach and try to comply with this to the level of my understanding. However, I also believe that Windows systems, in particular, are so loaded up with "security" measures as to make them considerably more bloated and slow than Linux systems. I don't want to drag my machines down to the level of Windows!
    Quote Originally Posted by haqking View Post
    ...For a start most people think of firewalls as stopping attackers getting in, well what about getting out ...controlling outgoing traffic is as important to prevent reverse connections on arbitrary port creations from malware or malicious code embedded in webpages or bad code in applications etc...
    A good point but it is difficult for those of us without "expert" security knowledge to know exactly how to control this without disrupting genuine communications with the internet. Are there any simple but definitive guides on this?

    Slightly off-topic but still relevant IMHO, I know that enabling UPnP in a router is regarded as a security hole but how important is UPnP to internet services? i.e. What kinds of internet connectivity will be degraded by disabling UPnP? I am thinking of things like torrents and SIP communications etc.

  2. #32
    Join Date
    Jun 2011
    Location
    The Shadow Gallery
    Beans
    6,744

    Re: do I need a firewall?

    Quote Originally Posted by Zill View Post
    So, if I understand this correctly, you recommend a software firewall such as iptables/ufw even for machines behind a NAT router? Is there any performance hit in using firewalls, particularly if you use both NAT and iptables?

    I agree with the layered defence approach and try to comply with this to the level of my understanding. However, I also believe that Windows systems, in particular, are so loaded up with "security" measures as to make them considerably more bloated and slow than Linux systems. I don't want to drag my machines down to the level of Windows!

    A good point but it is difficult for those of us without "expert" security knowledge to know exactly how to control this without disrupting genuine communications with the internet. Are there any simple but definitive guides on this?

    Slightly off-topic but still relevant IMHO, I know that enabling UPnP in a router is regarded as a security hole but how important is UPnP to internet services? i.e. What kinds of internet connectivity will be degraded by disabling UPnP? I am thinking of things like torrents and SIP communications etc.
    Yes, behind a NAT router is irrelevant in my opinion. Yes, it offers you some protection, but like I said a layered defence is best, and a software firewall gives you finer grained controls for your own applications right through the seven layers (as in OSI, or 4 if you are a purist).

    As for performance, a few simple rules in UFW or IPTables will not affect anything. Obviously if it's gonna be a HIDS or something then yes you may take a performance hit, but a simple UFW/IPTables filter won't do any harm.

    In Windows nothing is different really apart from a "need" for a malware solution, but MSE is fine and doesn't affect performance. If it's Windows 8 then it is built into Windows Defender. MSE or Defender is as good as any commercial pay-for application outside of an enterprise solution for an email server, for example. All AV products are full of false positives and negatives and often "spyware" anyways; best alter browsing habits for a better solution.

    As for how do you know, disable all then allow out what you use as you use it, most things have well defined ports or ranges you can see an example here of how to configure it http://ubuntuforums.org/showpost.php...70&postcount=1

    A little bit of work initially but then you have a finer grained control of your traffic if you want it that is.

    As for UPNP, I never use it, things such as torrents I control manually with my own configured ports for DHT, UDP trackers and torrents in general.

    But it is all choice of course, I am not preaching to anyone, merely offering my knowledge and experience based on 20+ years in IT security and seeing many different "secure" systems compromised all the time, and you would be surprised how easy it can be even if "firewalls" and the like are in the way, which is why I get paid so well...LOL. I usually don't bother with these threads or discussions anymore, but seeing as you are open to it I am blah blah blah ing for a little while

    Peace
    Last edited by haqking; February 7th, 2013 at 04:00 PM.
    Backtrack - Giving machine guns to monkeys since 2006
    Kali-Linux - Adding a grenade launcher to the machine guns since 2013
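
The "disable all then allow out what you use" approach from the post above, written as an added example that is not part of any post in this thread. The home subnet `192.168.1.0/24`, the ssh restriction and the outbound service list are assumptions to adjust; the script only prints the ufw commands unless it is run with `apply`.

```shell
#!/bin/sh
# Added example: default-deny ufw policy for a laptop behind (or away from) a NAT router.
# Assumptions, not from the thread: HOME_LAN and the EGRESS service list.

HOME_LAN="${HOME_LAN:-192.168.1.0/24}"   # assumed home subnet allowed to reach sshd
# Outbound services in use, as port/proto: DNS, NTP, HTTP, HTTPS, mail submission, IMAPS
EGRESS="${EGRESS:-53/udp 53/tcp 123/udp 80/tcp 443/tcp 587/tcp 993/tcp}"

# valid_rule PORT/PROTO: succeeds only for port 1-65535 with proto tcp or udp
valid_rule() {
    case "$1" in */*) ;; *) return 1 ;; esac
    port=${1%/*}
    proto=${1#*/}
    case "$port" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    [ "$proto" = tcp ] || [ "$proto" = udp ]
}

# build_rules: prints the ufw commands in the order they should be applied;
# fails without printing "ufw enable" if any EGRESS entry is malformed
build_rules() {
    echo "ufw default deny incoming"
    echo "ufw default deny outgoing"
    # sshd answers the home LAN only, so it is not exposed on other networks
    echo "ufw allow proto tcp from $HOME_LAN to any port 22"
    for rule in $EGRESS; do
        if valid_rule "$rule"; then
            echo "ufw allow out $rule"
        else
            echo "invalid EGRESS entry: $rule" >&2
            return 1
        fi
    done
    echo "ufw enable"
}

# Build the whole list first so a bad entry never leaves a half-applied policy.
rules=$(build_rules) || exit 1
case "${1:-}" in
    apply) echo "$rules" | while read -r cmd; do $cmd; done ;;  # needs root
    *)     echo "$rules" ;;                                     # dry run: print only
esac
```

When something legitimate stops working after applying the policy, add its port/proto to `EGRESS` and re-run; `ufw status verbose` shows the resulting defaults and rules.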

  3. #33
    Join Date
    Nov 2005
    Location
    Lincolnshire, UK
    Beans
    1,461
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: do I need a firewall?

    haqking: Thanks for that - food for thought.

    I still don't really understand how a software firewall provides protection that NAT does not. For instance, if I run a couple of local services (such as SSH and NFS) on my LAN, how are these visible to the "outside world" after going through my NAT router? eg nmap on my LAN reports:
    Code:
    Not shown: 997 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    111/tcp  open  rpcbind
    2049/tcp open  nfs
    but GRC ShieldsUP claims full stealth mode on all ports facing the internet.

    If a NAT "firewall" cannot stop such traffic then why would a software firewall manage to do so?

    I appreciate that you make your living selling security knowledge to businesses who are, presumably, running internet services. In such circumstances I know that additional hardening is essential. However, for home users who generally run few, if any, servers, is a high level of hardening really desirable if configuration and maintenance of the necessary rules will make usability difficult?

    I must admit that I keep thinking of "elephant powder".
    A man was sprinkling white powder on his front yard. "What's the powder for?" asked his neighbor. "It's to keep the elephants off the grass," replied the first man. "But we don't have any elephants around here!" "I know, great stuff isn't it?"

  4. #34
    Join Date
    Jun 2011
    Location
    The Shadow Gallery
    Beans
    6,744

    Re: do I need a firewall?

    Quote Originally Posted by Zill View Post
    haqking: Thanks for that - food for thought.

    I still don't really understand how a software firewall provides protection that NAT does not. For instance, if I run a couple of local services (such as SSH and NFS) on my LAN, how are these visible to the "outside world" after going through my NAT router? eg nmap on my LAN reports:
    Code:
    Not shown: 997 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    111/tcp  open  rpcbind
    2049/tcp open  nfs
    but GRC ShieldsUP claims full stealth mode on all ports facing the internet.

    If a NAT "firewall" cannot stop such traffic then why would a software firewall manage to do so?

    I appreciate that you make your living selling security knowledge to businesses who are, presumably, running INTERNET services. In such circumstances I know that additional hardening is essential. However, for home users who generally run few, if any, servers, is a high level of hardening really desirable if configuration and maintenance of the necessary rules will make usability difficult?

    I must admit that I keep thinking of "elephant powder".
    I am not saying a software (local) firewall does something your router does not. A typical home user will have a router which will provide a NAT based firewall typically. This is good and yes does offer protection. What I am saying is that this does not mean you are "secure". Can an attacker get past a firewall? YES...you mentioned NMAP, there are tons of different types of scan which yield all types of information aside from the typical NMAP <ip address> which will only be a stealth scan if running with admin privilege, otherwise it defaults to a connect (TCP) scan by the way. Anyways without being tool specific, a NAT based home router does not secure you from outside attack, it merely offers a defence, bit like a front gate to your garden; does that mean you don't want a door on your house as well? So again, layered defence. My point is really this: the majority of Linux users tend to lean towards "it is Linux so I am secure", which is not correct. This often comes from people who have no real working concept of security or penetration tools, methods, vectors etc.

    The idea of a firewall for a lot of typical users means they are protected, obviously this is not true, even if they do have one, have they configured it ? Do they know how to ? even more reason to throw another one in there for a layered defence, when you know and understand how to configure it based on attack vectors then you will understand the "need" to and the requirement to run one locally as well.

    NAT offers some protection, a Firewall offers some protection.....so does a coat but it won't stop you getting wet forever.

    Do you need to run a local firewall? NO. Should you? Probably. Would I recommend it? Yes. Will a home router protect you? NO....will it offer you some protection? Yes. Can a skilled attacker get past it? Yes. Will a software/local firewall help you? Yes. Will it protect you completely? NO, in a connected world you are always vulnerable.

    As for GRC, I don't even want to get started on Steve Gibson...LOL. Anyways, all that does is scan your Public IP and show what a typical scan would show when looking at your router. It is not trying to get in, it is merely reporting what it can see from a typical scan. There is nothing "typical" about an attacker or penetration tester conducting their scanning phase, where they may be using a XMAS, IDLE, ACK, FIN, NULL, UDP, Protocol scan etc etc or using more than one tool to do so.

    read here on GRC, he is a joke in the security community:
    http://radsoft.net/news/roundups/grc/20060121,00.shtml
    https://allthatiswrong.wordpress.com...on-is-a-fraud/
    http://www.theregister.co.uk/2001/06...really_is_off/

    There are many, you could read what an idiot he is all day long

    As for scanning your machine from behind a firewall like a NAT router, there is not enough space here to do so. I suggest you read up on the various scan methods with tools such as hping and Nmap which are the most popular and perhaps read something like these

    https://pentestlab.wordpress.com/201...ing-firewalls/
    http://nmap.org/book/man-bypass-firewalls-ids.html
    http://www.tenable.com/blog/using_nessus_to
    http://www.vesaria.com/Firewall/Test..._of_hacker.php


    And so on, none of these are complete, they merely offer you some insight. I appreciate only security people know this stuff, like anything, which is why I try to help where I can. Just don't rest on the "Linux is secure" laurel, that is all.

    I love Linux and consider myself a guru, but with that I am also a security pragmatist and rational empiricist

    Edit: oh and please excuse my typing, grammar etc as I have a broken finger...LOL........I guess I should stop poking at firewalls

    Peace
    Last edited by haqking; February 7th, 2013 at 06:44 PM.
    Backtrack - Giving machine guns to monkeys since 2006
    Kali-Linux - Adding a grenade launcher to the machine guns since 2013

  5. #35
    Join Date
    Nov 2005
    Location
    Lincolnshire, UK
    Beans
    1,461
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: do I need a firewall?

    haqking: Thanks for the info and the interesting links. Although I have been using Linux for around ten years now I still find much of this above my head. As a retired electronics engineer my background is primarily in "hardware", rather than this new young upstart "software".

    I like to keep my systems light and reliable, generally preferring LTS releases and taking best advice with security.

    On this basis, I may well try out (g)ufw with my netbook as this would seem to be most at risk due to public wifi connections. It will be interesting to see if there is any performance hit, which should be readily apparent due to the low-spec atom processor!

    Of course, I don't run any services to speak of with this netbook, just ssh. It is regularly updated to make sure most of the latest security holes are covered.

    Hopefully, (g)ufw will help keep the black-hats out. But, as I mentioned earlier, I never seemed to have any problems without it! Effectiveness of elephant powder is a tricky one to quantify.

  6. #36
    Join Date
    Jun 2011
    Location
    The Shadow Gallery
    Beans
    6,744

    Re: do I need a firewall?

    Quote Originally Posted by Zill View Post
    haqking: Thanks for the info and the interesting links. Although I have been using Linux for around ten years now I still find much of this above my head. As a retired electronics engineer my background is primarily in "hardware", rather than this new young upstart "software".

    I like to keep my systems light and reliable, generally preferring LTS releases and taking best advice with security.

    On this basis, I may well try out (g)ufw with my netbook as this would seem to be most at risk due to public wifi connections. It will be interesting to see if there is any performance hit, which should be readily apparent due to the low-spec atom processor!

    Of course, I don't run any services to speak of with this netbook, just ssh. It is regularly updated to make sure most of the latest security holes are covered.

    Hopefully, (g)ufw will help keep the black-hats out. But, as I mentioned earlier, I never seemed to have any problems without it! Effectiveness of elephant powder is a tricky one to quantify.
    For public wireless you should also, if not already, encrypt your traffic with something like a VPN; wireless sniffing at public hotspots is rife whatever elephant dust you sprinkle...LOL

    Peace
    Backtrack - Giving machine guns to monkeys since 2006
    Kali-Linux - Adding a grenade launcher to the machine guns since 2013

  7. #37
    Join Date
    Nov 2005
    Location
    Lincolnshire, UK
    Beans
    1,461
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: do I need a firewall?

    Quote Originally Posted by haqking View Post
    for public wireless you should also if not already encrypt your traffic with something like a VPN...
    AIUI, VPN tunnelling is to establish a secure connection to a specified server, such as an employer. In my case, I only use the netbook to send and receive the odd personal email (via my isp) and for general web browsing. No secure content there! So I doubt if I would be able to use a VPN connection.

    Thanks for the suggestion though and hopefully it will be of use to others reading this thread.

  8. #38
    Join Date
    Jun 2011
    Location
    The Shadow Gallery
    Beans
    6,744

    Re: do I need a firewall?

    Quote Originally Posted by Zill View Post
    AIUI, VPN tunnelling is to establish a secure connection to a specified server, such as an employer. In my case, I only use the netbook to send and receive the odd personal email (via my isp) and for general web browsing. No secure content there! So I doubt if I would be able to use a VPN connection.

    Thanks for the suggestion though and hopefully it will be of use to others reading this thread.
    Then you understand it wrong

    A VPN is often used in a corporate environment for sure but is not only for that.

    When you connect to a public hotspot you are giving over all your traffic (which if not encrypted may sometimes be in cleartext) to the owner of the hotspot, not to mention everyone else using that network sat there with tcpdump or wireshark or whatever sniffer they choose.

    It takes 30 seconds to create a filter in Wireshark to build a complete trace of an HTTP traffic flow, for example, so the person sniffing can see your entire browsing experience.

    The pages you visit may or could quite easily be an exact copy of the real pages but on an attacker's own server, as the DNS is coming from the AP you connected to or which has been compromised by someone else in the network etc etc, designed to capture logins and the like, which then redirect you to the real site so you don't even know it happened.

    There are tons of VPN services around, a lot are free, fast and simple and encrypt traffic.

    Along with things such as HTTPS everywhere and the like.

    But if you don't see your email or whatever you access as important then it is up to you, no one can manage your own traffic except you.

    Peace
    Last edited by haqking; February 8th, 2013 at 03:29 PM.
    Backtrack - Giving machine guns to monkeys since 2006
    Kali-Linux - Adding a grenade launcher to the machine guns since 2013

  9. #39
    Join Date
    Sep 2007
    Location
    Oklahoma, USA
    Beans
    2,378
    Distro
    Xubuntu 16.04 Xenial Xerus

    Re: do I need a firewall?

    Quote Originally Posted by haqking View Post
    there are tons of VPN services around, a lot are free, fast and simple and encrypt traffic.
    But how do you know that any specific one of these services is trustworthy, and not a MITM (man in the middle) using your supposedly secure connection to grab up all your traffic?

    Somewhere along the way it always boils down to trust. Unless you control every inch of the connection path -- obviously not possible outside of one's private LAN -- your traffic will always be subject to interception.

    Contrary to popular belief, it's possible to have a totally secure computer. However to reach that goal you must remove all capability for input and output, making it quite useless. Once you make the machine usable, it becomes insecure. The only hope is to minimize the insecurity, and that's where the process comes in. Only one person -- yourself -- can determine where the dividing line between "caution" and "paranoia" lies...
    --
    Jim Kyle in Oklahoma, USA
    Linux Counter #259718
    Howto mark thread: https://wiki.ubuntu.com/UnansweredPo.../SolvedThreads

  10. #40
    Join Date
    Nov 2005
    Location
    Lincolnshire, UK
    Beans
    1,461
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: do I need a firewall?

    Quote Originally Posted by haqking View Post
    ...there are tons of VPN services around, a lot are free, fast and simple and encrypt traffic...
    "free" in this case being similar to "free beer" rather than "free speech"!

    I'm afraid I am distrustful of such services as I do generally believe the old adage... "if you're not paying for a service then you are the service".

    I appreciate that a "free" VPN might improve security from one point of view but then you may lose any advantage by routing data through some mysterious third-party.
