Can a software firewall protect against worms such as Sasser?

sumyungai

Senior member
Dec 28, 2005
344
0
0
As the title states, let's say my OS (Windows XP) was not patched against the Sasser worm or any new threat and I was connected directly to the internet (no router), and all I have is ZoneAlarm or some cheap software firewall. Can my system still be infected with a worm?

This question was inspired by another thread about ICS. I was thinking that most people use a router rather than ICS due to NAT to protect us against worms.

 

Lemon law

Lifer
Nov 6, 2005
20,984
3
0
I try to keep up with security issues, and tend to believe that a software firewall is every bit as effective and more configurable than a hardware firewall. And most worms and viruses get in with some elements of either social engineering or software exploits of operating system and browser vulnerabilities. Neither a hardware nor a software firewall will help in these cases.

A firewall, in MHO, is just a first line of defense---and one should have at least three additional layers of defenses behind the firewall.

But I have tried to practice the common sense advice found on places like the Spyware Warrior forums, and in the past few years nothing worse than a few tracking cookies has gotten by. And those don't last long on my systems.

But a fully updated, active anti-virus program should also stop worms in their tracks the moment they try to penetrate or install. As will a proper process control program.

It's a total myth that a firewall alone is all you need to have a secure computer.
 

bluestrobe

Platinum Member
Aug 15, 2004
2,033
1
0
I wouldn't let any unpatched OS sit right on the internet with only a software firewall. Firewall, anti-virus, and anti-spyware are the three tools any computer connected to the internet should have, along with a fully updated OS. Most of the computers that are attacked are owned by people who think updating or patching is for the geek crowd. Basically, without one of those four, you're gambling with your security and stability.
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
A S/W firewall is (imho) a feelgood layer of protection. A good rootkit will let your S/W firewall think it's all hunky dory (no popups/errors/etc.) while doing its thing.

Played a Sony music CD lately?
 

Viperoni

Lifer
Jan 4, 2000
11,084
1
71
Originally posted by: bluestrobe
I wouldn't let any unpatched OS sit right on the internet with only a software firewall. Firewall, anti-virus, and anti-spyware are the three tools any computer connected to the internet should have, along with a fully updated OS. Most of the computers that are attacked are owned by people who think updating or patching is for the geek crowd. Basically, without one of those four, you're gambling with your security and stability.


QFT
 

Lemon law

Lifer
Nov 6, 2005
20,984
3
0
The somewhat unanswered question is: is a hardware firewall any better than a software one?

I am on record as saying no, but no router types have gone on record to the contrary. But in some ways the implication is yes, because you can have one and only one active software firewall running at a time (otherwise they will fight each other), but you can have a hardware and a software firewall running at the same time. And now most Win XP computers have SP2, and you get a software firewall regardless of whether you want it or not. But a hardware firewall can't be hacked, and a software one can. So why not have both a software and a hardware firewall, and get a two-way software firewall to replace the Microsoft SP2 firewall?

Even though there seems to be broad agreement that a firewall alone is not enough to have a secure computer.

I also note from recollection that much of the damage the Sasser worm did occurred on large networks. Once the worm got behind the firewall, Sasser spread like wildfire to every computer on the network.

Another thing worth noting is that you can test your firewall at quite a large number of sites on the internet; Gibson Research's ShieldsUP is just one such site. A failed test is an alert that you are vulnerable.
 

sumyungai

Senior member
Dec 28, 2005
344
0
0
Originally posted by: Lemon law
The somewhat unanswered question is: is a hardware firewall any better than a software one?

I am on record as saying no, but no router types have gone on record to the contrary. But in some ways the implication is yes, because you can have one and only one active software firewall running at a time (otherwise they will fight each other), but you can have a hardware and a software firewall running at the same time. And now most Win XP computers have SP2, and you get a software firewall regardless of whether you want it or not. But a hardware firewall can't be hacked, and a software one can. So why not have both a software and a hardware firewall, and get a two-way software firewall to replace the Microsoft SP2 firewall?

Even though there seems to be broad agreement that a firewall alone is not enough to have a secure computer.

I also note from recollection that much of the damage the Sasser worm did occurred on large networks. Once the worm got behind the firewall, Sasser spread like wildfire to every computer on the network.

Another thing worth noting is that you can test your firewall at quite a large number of sites on the internet; Gibson Research's ShieldsUP is just one such site. A failed test is an alert that you are vulnerable.

I created this thread to answer your question in this thread http://forums.anandtech.com/messageview...atid=36&threadid=1938078&enterthread=y .

Sasser-type worms will infect a system without user intervention by finding an IP and infecting a system that's unpatched. Correct me if I'm wrong, but most people use a router rather than ICS to network to prevent these types of infections, since a worm can't reach you if you're behind a router, unless of course you download the worm and click on the executable.
 

Lemon law

Lifer
Nov 6, 2005
20,984
3
0
To Sumyungai,

All your contention amounts to is that a hardware firewall on an unpatched PC is better than absolutely nothing.

And unfortunately it does not touch the harder questions of interest, such as:

1. Is a software firewall better than a hardware firewall?

2. Is one better off running BOTH a hardware and a software firewall, rather than one or the other? Or are there downsides to running both?

3. If one goes with just a hardware firewall, is NAT enough, or should one be sure to also get a router with SPI?

 
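Question 3 above (is NAT enough, or do you need SPI?) is easiest to see with a toy model. The following is an added example for this thread, not code from any router vendor: a small Python simulation of what sits between an Internet-side packet and a LAN host under three setups, a direct connection ("none"), a plain NAT router ("nat") and a stateful/SPI router ("spi"). The addresses, the "full-cone" behaviour assumed for plain NAT and the "same peer, no new SYN" rule assumed for SPI are simplifying assumptions; real consumer routers differ (many plain NATs are already address-restricted, and UPnP or port forwarding re-opens whatever you map).

```python
"""Toy model of a direct connection, a plain NAT router and a stateful
(SPI) router.  Added example for this thread, not code from any product;
addresses, ports and the three policies are simplified assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str            # "ip:port" of the sender
    dst: str            # "ip:port" the sender addressed
    proto: str = "tcp"
    flags: str = ""     # TCP flags, "S" = bare SYN (a new connection attempt)


@dataclass
class Router:
    mode: str                           # "none", "nat" or "spi" (assumed labels)
    public_ip: str = "203.0.113.7"      # documentation-range WAN address
    lan_host: str = "192.168.1.10"      # the unpatched XP box behind it
    next_port: int = 40000
    # external port -> (LAN endpoint, remote endpoint it was opened towards)
    table: dict = field(default_factory=dict)

    def outbound(self, lan_port, remote, proto="tcp"):
        """LAN host initiates a connection (a download, a web page, a worm
        the user ran).  NAT never blocks this; it only records a mapping
        so the reply can find its way back."""
        if self.mode == "none":
            return f"{self.lan_host}:{lan_port}"
        ext_port = self.next_port
        self.next_port += 1
        self.table[(proto, ext_port)] = (f"{self.lan_host}:{lan_port}", remote)
        return f"{self.public_ip}:{ext_port}"

    def inbound(self, pkt):
        """Return the LAN endpoint the packet is delivered to, or None if
        it is dropped."""
        if self.mode == "none":
            return pkt.dst          # nothing in the way: the host sees it all
        dst_port = int(pkt.dst.rsplit(":", 1)[1])
        entry = self.table.get((pkt.proto, dst_port))
        if entry is None:
            return None             # no mapping: unsolicited, nowhere to send it
        lan_dst, remote = entry
        if self.mode == "nat":
            return lan_dst          # full-cone NAT: any remote may use the mapping
        # spi: only the peer the LAN host actually spoke to, and never a
        # fresh SYN riding on an existing session
        if pkt.src != remote or pkt.flags == "S":
            return None
        return lan_dst


def sasser_scan(router):
    """Unsolicited SYN to TCP/445 from some infected host on the Internet,
    which is all Sasser needs against an unpatched LSASS."""
    target = router.lan_host if router.mode == "none" else router.public_ip
    return router.inbound(Packet("198.51.100.9:1042", f"{target}:445", "tcp", "S"))


def mapped_port(router):
    """LAN host fetches a web page; then the web server replies and a
    stranger probes the same external port."""
    ext = router.outbound(51000, "93.184.216.34:80")
    reply = router.inbound(Packet("93.184.216.34:80", ext, "tcp", "A"))
    stranger = router.inbound(Packet("198.51.100.9:1042", ext, "tcp", "S"))
    return {"reply": reply, "stranger": stranger}


if __name__ == "__main__":
    for mode in ("none", "nat", "spi"):
        print(f"{mode:>4}: Sasser SYN -> {sasser_scan(Router(mode))}, "
              f"mapped port -> {mapped_port(Router(mode))}")
```

What it shows: the unsolicited SYN to 445 reaches the host only with no router in front of it; both NAT and SPI drop it, not because they inspect it but because there is no mapping for it to land on. The two differ only on a port the LAN host itself opened, where the full-cone model lets any stranger in and the SPI model admits only the original peer. In every mode `outbound()` succeeds, which is the case where the user brings the malware in themselves; no router setting helps there.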

networkman

Lifer
Apr 23, 2000
10,436
1
0
One reason for having a software firewall in addition to a hardware firewall is for those items that come into the PC other than via the network cable, for instance via floppy disk, CD, USB flash drive, etc. The S/W firewall is (properly configured) going to alert you to requests going OUT to the internet in addition to those items coming in.
 

RapidSnail

Diamond Member
Apr 28, 2006
4,258
0
0
My suggestion along with the other comments is to create a layered security defense for you PC.

This should include:

Firewall - Both a NAT router (hardware firewall) and a software firewall are advised.

Anti-virus - AntiVir, AVG, and avast!, etc.

Anti-trojan - Ewido, a-squared Free

Anti-spyware - Windows Defender, etc.

Of these, I would advise that at least the anti-spyware, anti-virus, and obviously the firewall offer active protection. Other security layers, such as anti-trojan, anti-rootkit, etc., should be available for on-demand scans if not as active shields.

One of the most overlooked pieces of security software is the HIPS/IDS (Host Intrusion Prevention Software/Intrusion Detection Software). While anti-malware software blocks infection based on signatures from the parent company, HIPS/IDS blocks intrusion by allowing or denying access to programs attempting to change, execute, install, etc. on your PC, much like a firewall. If used correctly, this additional layer of security can make you almost bulletproof. However, when using these programs, it is recommended that you be an experienced user. That being said, it is an excellent option to keep your PC more secure. If there is one program that you had to pay for, HIPS/IDS would be your best choice out of everything.

Article on layered defense using free software.

Round-up of IPS/IDS solutions.

One of the best, if not the best, IPS/IDS around.
 

RebateMonger

Elite Member
Dec 24, 2005
11,588
0
0
If you have a high-speed Internet connection (especially a "Home-class" connection), it's likely that many of the commonly-exploited inbound TCP ports are blocked by your ISP. For better or worse, ISPs take it on themselves to block common worm entry points.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,480
387
126
Entry-level routers' NAT firewall does not protect the computer from any infestation.

Protecting the computer with software (firewall, anti-virus, adware, etc.) is a matter of programming decisions; the programmer can program the software firewall to stop almost anything that you KNOW of.

Are the current software firewalls programmed to do so? I do not know; check all of them and see what they state about their own capacities.
Look here to see an example of part of what Norton's firewall blocks.
http://www.ezlan.net/network/nis-trojan.jpg

:sun:
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: sumyungai
One person says yes and another says no. Now I'm confused.

Well the fact is a software firewall can't stop all attacks or worms.

Sasser, blaster, nimda were very special worms that attacked ports that HAD to be open for a windows host to function properly.

 

sumyungai

Senior member
Dec 28, 2005
344
0
0
Spidey, what's your take on Jack's comment that NAT does not protect from ANY infestation? From the way NAT works, I thought entry-level NAT routers would protect from Sasser, Blaster, and Nimda since those worms had no way of connecting DIRECTLY to the host PC if I'm behind a router.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,480
387
126
Internet infestation is not like an alligator in Florida sitting on the edge of a pond and waiting for a person to come by.

Worms, Trojans, etc. are not monsters that sit on the Internet trying to "bite" your computer from the outside in.

Most of them come in through email attachments, files, Java, and ActiveX controls that you bring into your computer of your own volition. Anything that you bring in of your own volition, by downloading or just logging on to a "bad" site, is not stopped by a router's NAT firewall. Once it is already in and gets executed on your computer, it starts the infestation.

Good protection software identifies it before execution and offers you to get rid of it before trouble starts.

:sun:
 

sumyungai

Senior member
Dec 28, 2005
344
0
0
Originally posted by: JackMDS
Internet infestation is not like an alligator in Florida sitting on the edge of a pond and waiting for a person to come by.

Worms, Trojans, etc. do not sit on the Internet trying to "bite" your computer from the outside in.

Most of them come in through email attachments, files, Java, and ActiveX controls that you bring into your computer of your own volition. Anything that you bring in of your own volition, by downloading or just logging on to a "bad" site, is not stopped by a router's NAT firewall. Once it is already in and gets executed on your computer, it starts the infestation.

:sun:

That I already know. However, I was under the impression that Sasser-type worms would infect a host without user intervention, such as email attachments, files, Java, and ActiveX controls.
 

sumyungai

Senior member
Dec 28, 2005
344
0
0
"Unlike other worms
Sasser is unlike most worms consumers are familiar with -- it's easy to become infected, simply by connecting to the Internet. No e-mail attachment must be opened; in fact, no user interaction is required at all. And making matters worse, traditional consumer desktop antivirus software won't prevent infection, even if it's updated." (found here)
 

Dravic

Senior member
May 18, 2000
892
0
76
Originally posted by: JackMDS
Internet infestation is not like an alligator in Florida sitting on the edge of a pond and waiting for a person to come by.

Worms, Trojans, etc. are not monsters that sit on the Internet trying to "bite" your computer from the outside in.

Most of them come in through email attachments, files, Java, and ActiveX controls that you bring into your computer of your own volition. Anything that you bring in of your own volition, by downloading or just logging on to a "bad" site, is not stopped by a router's NAT firewall. Once it is already in and gets executed on your computer, it starts the infestation.

Good protection software identifies it before execution and offers you to get rid of it before trouble starts.

:sun:



Trojans, yes: they will definitely require intervention from the user to help them get installed onto the target PC. As will a virus and spyware.

Worms, NO: by the very definition, a worm must be self-propagating.

Botnets of 100-200k+ in numbers aren't being created because everyone is clicking on unsafe material, be it a website or an executable.

You have between 30 sec and 20 min, depending on the type of traffic your subnet sees, before an unprotected XP computer would be taken over and infected on the internet. No user interaction required.

Just looking at the logs on any firewall device will show the massive amounts of zombie traffic attempting to connect to your PC via known vulnerable ports.

And as for the comment earlier by someone that the ISPs are filtering out this content: that is also not true, and I hope it wasn't the ISP that told you that. They may block inbound connections from personal servers being set up on common ports (mail 25, web 80), but there is entirely too much valid traffic on those ports to block outright. And the hardware doesn't exist that can scan that much backbone traffic at a high enough OSI layer in real time to pull out the infectious payloads.

Hardware firewall
Software firewall
Anti-virus

Once every 6 months to a year I fire up something like Ad-Aware and Spybot, and I have yet to find anything. But then again I'm a security professional and know what dangers lie beneath.

If you have a current CPU, make sure you have the non-executable stack option in the OS turned on.


NX bit info
 
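The "just look at the logs on any firewall device" advice above, as an added example that is not from this thread or any firewall product: a Python triage script run over constructed iptables/syslog-style lines. The log format, the addresses, the interface names and the LAN prefix are assumptions; the port-to-worm mapping is the well-known one (Sasser on TCP/445 via LSASS, Blaster on TCP/135 via RPC DCOM, Slammer on UDP/1434). Besides counting unsolicited hits per port, it flags LAN hosts that are themselves knocking on those ports, which is the inside-the-network spread mentioned earlier in the thread.

```python
"""Triage a firewall log for worm-style scanning.  Added example for this
thread, not code from any firewall product.  The syslog/iptables-style
lines below are constructed; the LAN prefix and interface names are
assumptions."""
import re
from collections import Counter, defaultdict

# (proto, port) -> what was known to hit it (the worms named in the thread)
WORM_PORTS = {
    ("tcp", 135): "Blaster (RPC DCOM, MS03-026)",
    ("tcp", 139): "NetBIOS session, share-crawling worms",
    ("tcp", 445): "Sasser (LSASS, MS04-011); also Blaster variants",
    ("udp", 1434): "SQL Slammer (MS02-039)",
    ("tcp", 4444): "Blaster remote shell",
    ("tcp", 5554): "Sasser FTP backdoor",
    ("tcp", 9996): "Sasser remote shell",
}
LAN_PREFIX = "192.168.1."          # assumption: the inside network

# Constructed sample: WAN-side drops plus two LAN hosts talking out.
SAMPLE_LOG = """\
Mar 12 10:01:02 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.7 PROTO=TCP SPT=1042 DPT=445 SYN
Mar 12 10:01:05 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.7 PROTO=TCP SPT=3321 DPT=445 SYN
Mar 12 10:01:09 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.99 DST=203.0.113.7 PROTO=TCP SPT=2081 DPT=135 SYN
Mar 12 10:01:11 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.7 PROTO=UDP SPT=1434 DPT=1434
Mar 12 10:01:14 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.55 DST=203.0.113.7 PROTO=TCP SPT=4021 DPT=80 SYN
Mar 12 10:01:20 gw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=93.184.216.34 PROTO=TCP SPT=51000 DPT=80 SYN
Mar 12 10:01:31 gw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.12 DST=198.51.100.200 PROTO=TCP SPT=1055 DPT=445 SYN
Mar 12 10:01:31 gw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.12 DST=198.51.100.201 PROTO=TCP SPT=1056 DPT=445 SYN
Mar 12 10:01:40 gw sshd[812]: Accepted publickey for admin from 192.168.1.10
"""

KV = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """One syslog line -> dict, or None when it is not a firewall record."""
    if "kernel:" not in line:
        return None
    fields = dict(KV.findall(line))
    if "SRC" not in fields or "DPT" not in fields or "PROTO" not in fields:
        return None
    return {
        "action": line.split("kernel:", 1)[1].split()[0],
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields["PROTO"].lower(),
        "dpt": int(fields["DPT"]),
    }


def triage(lines, lan_prefix=LAN_PREFIX):
    """Count unsolicited hits per destination port, how many distinct
    sources are behind them, and which LAN hosts are themselves knocking
    on worm ports (the lateral spread that made Sasser bad on big LANs)."""
    inbound = Counter()
    sources = defaultdict(set)
    suspects = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["proto"], rec["dpt"])
        if rec["src"].startswith(lan_prefix):
            if key in WORM_PORTS:
                suspects[rec["src"]] += 1
        else:
            inbound[key] += 1
            sources[key].add(rec["src"])
    return {"inbound": inbound, "sources": sources, "suspects": suspects}


def report(result):
    """Human-readable summary, busiest ports first."""
    out = []
    for key, n in result["inbound"].most_common():
        label = WORM_PORTS.get(key, "not a known worm port")
        out.append(f"{key[0]}/{key[1]:<5} {n:>3} hits from "
                   f"{len(result['sources'][key])} source(s)  {label}")
    for host, n in result["suspects"].most_common():
        out.append(f"LAN host {host}: {n} outbound attempts to worm ports, "
                   f"treat as infected and pull its cable")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG.splitlines())))
```

On a real router the same idea works against whatever its syslog export looks like; the two numbers worth watching are the distinct-source count on 445/135 (how many infected hosts out there are scanning you) and any LAN address showing up in the suspects list, since a patched, clean XP box has no reason to open connections to 445 on random Internet hosts.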

RebateMonger

Elite Member
Dec 24, 2005
11,588
0
0
Originally posted by: Dravic
And as for the comment earlier by someone that the ISPs are filtering out this content: that is also not true, and I hope it wasn't the ISP that told you that. They may block inbound connections from personal servers being set up on common ports (mail 25, web 80), but there is entirely too much valid traffic on those ports to block outright.
You can find the list of inbound ports blocked by Cox Cable (a major ISP) on this page (do a Search Support for the term "ports blocked"). Note that they block inbound TCP port 445, which is used by Sasser. Except for ports 25 and 80, Cox blocks these same ports for Business HSI, also.

Ports blocked by Cox Home (and, mostly, blocked by Cox Business, too)

Port      Proto     Service         Direction  Reason
25        TCP       SMTP            Both*      SMTP relays
80        TCP       HTTP            Inbound    Web servers, worms
135       UDP       NetBIOS         Both       Net Send spam/pop-ups, worms
136-139   UDP, TCP  NetBIOS         Both       Worms, Network Neighborhood
445       TCP       MS-DS/NetBIOS   Both       Worms, Network Neighborhood
1433      TCP       MS-SQL          Inbound    Worms, Trojans
1434      UDP       MS-SQL          Inbound    Worms, SQL Slammer
1900      UDP       MS-DS/NetBIOS   Both       Worms, Network Neighborhood
          TCP       SubSeven        Both       SubSeven Trojan

Here's a list of ports blocked by Adelphia, another major ISP. The list includes TCP 445.
80/tcp filtered http
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1720/tcp filtered H.323/Q.931
4444/tcp filtered krb524
5554/tcp filtered unknown
9996/tcp filtered unknown
27374/tcp filtered subseven

This recent UseNet post claims that Comcast is blocking inbound TCP Ports 135-139 and 445, at a minimum.
Another reference says that Comcast blocks:
67, 68, 135, 137, 138, 139, 445, 512, 520, and 1080

And, no, I wouldn't rely on ISP port blocking to protect my network.
 

Lemon law

Lifer
Nov 6, 2005
20,984
3
0
At one time my isp pre-scanned e-mail for worms or viruses---they no longer do it---but some isp's are better than others in this and other regards---or cable providers for that matter.

Which is exactly zero excuse to not have your own security set in place and working. ---anything they can filter out before it reaches you is nice---but you are still responsible for getting the rest---and you and you alone will pay the price if you get infected---prevention is always easier than removal.

But prevention takes some, gasp, self-education. The notion that just a dumb NAT is enough to make your security decisions for you is naive, so learn to configure a software firewall as just one in many layers of defenses.

The malware writers are getting smarter and they are out to get us---and desired target number one for malware writers is always large networks.

But one point not yet made is that viruses and worms are often the work of vandals---which destroy---but usually yields no profit to the malware writer---its the stuff that steals information we should be also worried about.
 