Latest worm is why soho router isn't enough security

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Lots of times we have debates about why a software firewall on a PC is necessary. I believe the latest worm (and previous ones) demonstrate why.

A soho router really is only providing NAT and disallowing any inbound connections (unless you've enabled DMZ or some kind of port forwarding). So any and all outbound connections are allowed, with no notification or logging.

Recent worms and the current one make an outbound connection to IRC servers. A NAT router will not stop this. Once this outbound connection is made the worm simply awaits instructions - "copy anything *.xls on this PC", "copy any cookies", "send all passwords to server" "launch attack on www.google.com"

So basically the soho router does nothing to prevent this. A hardware or software firewall however will because best practice says a firewall "should block everything and only allow what is specifically needed/configured." If the firewall is configured to allow everything then there might as well not be one.

Some may argue that they cannot be infected due to NAT. That is true to an extent - the active scanning that these worms do will not infect you. But browsing a web page can. Clicking any pop-ups. Opening e-mail can. Company networks are a different beast altogether because they are all interconnected with other companies, many times without firewall protection.

For "defense in depth" security it is always recommended to:

1) use NAT to prevent inbound connections
2) run software firewall on every PC to block unwanted outbound connections
3) Up to date anti-virus software that checks regularly (many times a day) for new updates
4) Run anti-spyware software.
 

Aves

Lifer
Feb 7, 2001
12,232
30
101
So many people I know try to argue that software firewalls like ZoneAlarm serve no purpose and I just can't seem to get through to them.
 

Rottie

Diamond Member
Feb 10, 2002
4,795
1
81
I don't understand why we need an Anti-virus program if we use firewall and NAT?
 

Aves

Lifer
Feb 7, 2001
12,232
30
101
Originally posted by: Rottie
I don't understand why we need an Anti-virus program if we use firewall and NAT?

Because a firewall and NAT don't really protect you from getting a virus. If you download an infected file you'll be infected which could lead to lost files, etc.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: Rottie
I don't understand why we need an Anti-virus program if we use firewall and NAT?

because you can get infected by just browsing a web page or really just doing anything on the internet.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,484
391
126
In order to understand the issue you need to know how a Cable/DSL Router works.

When you use a few computers to share one Internet connection, the information that comes from the Internet needs to know to which computer it belongs. The main function of a Cable/DSL Router is to Route the Internet signal to the requesting computer. This function is called Network Address Translation (NAT).

As a result, information that comes from the Internet and was not requested by one of your LAN's computers (e.g. hacking attempts) does not know where to go, and it is blocked, hence NAT Firewall. In other words the NAT Firewall is just a by-product of the way the Router manages the sharing of the Internet connection.

When you are connected to a Website or downloading files, a lot of junk can get to your Hard Drive. Since you requested the pages from the site the NAT Firewall will not block what comes in from this page.

If the "Site Keeper" loaded the page with "Junk" it will get to your computer.

Since the NAT-Firewall blocks only Incoming, any communication initiated from any of your LAN's computers will go out to the Internet, and will be answered. As a result programs calling home, spywares, "zombies" etc. can communicate freely in lieu of the NAT Firewall.

You will not be even aware of these activities unless you monitor the communication locally with a software Firewall.

--------------------------------------------------------------------------------
So you have a NAT-Firewall but you can end up with Viruses, Zombies, Trojans etc. "Dished" to you by sites that you visited on your own volition, and you would not know about it until your Network gets trashed and you lose the connection

--------------------------------------------------------------------------------

Quote from: http://www.ezlan.net/firewall.html

:sun:
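A toy model of the NAT behaviour JackMDS describes, added here as an illustration (it is not code from the thread or from ezlan.net). It keeps a table of flows that LAN hosts started, forwards an Internet packet only when it matches one of those flows, and drops anything unsolicited. The same table is what lets a host that has already called out (a browser, or a worm beaconing to an IRC server as spidey07 describes) receive replies, which is why the router alone never sees a problem. All addresses, ports and host roles below are constructed for the example.

```python
"""Toy model of a Cable/DSL NAT router (constructed example, not real firmware)."""
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.7"  # constructed public address (documentation range)


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatRouter:
    public_ip: str
    next_port: int = 40000
    # (inside_ip, inside_port, remote_ip, remote_port) -> public port
    outbound: dict = field(default_factory=dict)
    # public port -> (inside_ip, inside_port, remote_ip, remote_port)
    inbound: dict = field(default_factory=dict)

    def lan_to_wan(self, pkt: Packet) -> Packet:
        """A LAN host sends a packet out: create (or reuse) a translation."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.outbound.get(key)
        if pub_port is None:
            pub_port = self.next_port
            self.next_port += 1
            self.outbound[key] = pub_port
            self.inbound[pub_port] = key
        # The Internet sees the router's address, not the LAN host.
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def wan_to_lan(self, pkt: Packet):
        """A packet arrives from the Internet: forward only if a LAN host asked for it."""
        entry = self.inbound.get(pkt.dst_port)
        if entry is None:
            return None  # unsolicited: the router has nowhere to send it, so it is dropped
        inside_ip, inside_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # right port, wrong peer: still not the flow the host started
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def demo() -> dict:
    """Run three constructed scenarios and report what the router forwarded."""
    nat = NatRouter(PUBLIC_IP)
    results = {}

    # 1. An unsolicited scan from the Internet aimed at the router's public address.
    scan = Packet("198.51.100.9", 4444, PUBLIC_IP, 445)
    results["scan_forwarded"] = nat.wan_to_lan(scan) is not None

    # 2. A LAN PC requests a web page; the site's reply rides the mapping back in.
    req = nat.lan_to_wan(Packet("192.168.1.10", 51000, "198.51.100.20", 80))
    reply = nat.wan_to_lan(Packet("198.51.100.20", 80, PUBLIC_IP, req.src_port))
    results["web_reply_forwarded"] = reply is not None and reply.dst_ip == "192.168.1.10"

    # 3. The same PC, now infected, connects out to an IRC server; its traffic
    #    comes back through the mapping exactly like the web reply did.
    beacon = nat.lan_to_wan(Packet("192.168.1.10", 51001, "198.51.100.30", 6667))
    cmd = nat.wan_to_lan(Packet("198.51.100.30", 6667, PUBLIC_IP, beacon.src_port))
    results["irc_traffic_forwarded"] = cmd is not None

    return results


if __name__ == "__main__":
    for name, forwarded in demo().items():
        print(f"{name}: {'forwarded' if forwarded else 'dropped'}")
```

The router has no notion of "good" or "bad" flows, only "started from inside" or not; scenario 3 passes for exactly the same reason scenario 2 does. Seeing the difference between the two requires something on the host (or an egress firewall with per-program rules), which is the point the thread is making.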
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
Since the majority of people who run Windows do so as administrator, it is pretty easy for some malicious code to disable your host-based software firewall. Even if it doesn't disable it, it simply needs to operate over a port that is almost guaranteed to be allowed outbound, such as TCP 80.

In the case of Zotob, it spread using TCP 445. You might be able to get away with blocking this port on a home network, but on an enterprise network where file sharing and Active Directory are used, blocking 445 will make the network mostly useless.

The short term malware prevention benefits of a software firewall are negligible. And in the long term, there is a good possibility that malicious code would increase in prevalence, since the people who write this malicious code would adjust and start using ports that are open on 99.9999999999999% of firewalls.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: STaSh
Since the majority of people who run Windows do so as administrator, it is pretty easy for some malicious code to disable your host-based software firewall. Even if it doesn't disable it, it simply needs to operate over a port that is almost guaranteed to be allowed outbound, such as TCP 80.

In the case of Zotob, it spread using TCP 445. You might be able to get away with blocking this port on a home network, but on an enterprise network where file sharing and Active Directory are used, blocking 445 will make the network mostly useless.

The short term malware prevention benefits of a software firewall are negligible. And in the long term, there is a good possibility that malicious code would increase in prevalence, since the people who write this malicious code would adjust and start using ports that are open on 99.9999999999999% of firewalls.

True.

But in an enterprise the software firewall is controlled by a central policy. For instance only microsoft networking ports are allowed to only data centers and nowhere else. Least that's how I run them. Sure there are 30 or so data centers, but their addressing is well controlled/defined and doesn't change much.

This is what makes CSA so powerful. No matter what your patch level it will not allow a buffer overrun.
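An added example (not code from the thread or from any firewall product) of the egress policy the posts describe, evaluated against a constructed connection log. It implements spidey07's "block everything and only allow what is specifically needed", keys rules on the program as well as the port so that, per STaSh's objection, a worm talking on TCP 80 is not covered by the browser's rule, and allows Microsoft networking ports only toward defined data-center subnets as in the central policy spidey07 describes. The program names, subnets and log lines are invented.

```python
"""Default-deny outbound policy evaluated over a constructed connection log."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    program: str       # executable name, or "*" for any program
    ports: frozenset   # destination TCP ports this rule covers
    networks: tuple    # destination networks this rule covers

    def matches(self, program: str, dst_ip: str, dst_port: int) -> bool:
        if self.program != "*" and self.program.lower() != program.lower():
            return False
        if dst_port not in self.ports:
            return False
        addr = ipaddress.ip_address(dst_ip)
        return any(addr in net for net in self.networks)


ANYWHERE = (ipaddress.ip_network("0.0.0.0/0"),)
# Hypothetical data-center ranges: the only places SMB may go under this policy.
DATA_CENTERS = (
    ipaddress.ip_network("10.50.0.0/16"),
    ipaddress.ip_network("10.60.0.0/16"),
)

# Everything not listed here is blocked (default deny).
POLICY = [
    Rule("iexplore.exe", frozenset({80, 443}), ANYWHERE),              # browser: HTTP(S) only
    Rule("outlook.exe", frozenset({25, 110, 143}), ANYWHERE),          # mail client
    Rule("*", frozenset({445, 139}), DATA_CENTERS),                    # SMB only to data centers
    Rule("*", frozenset({53}), (ipaddress.ip_network("10.0.0.0/8"),)),  # internal DNS only
]


def decide(program: str, dst_ip: str, dst_port: int, policy=POLICY) -> str:
    """Return 'allow' if any rule covers the connection, otherwise 'block'."""
    if any(r.matches(program, dst_ip, dst_port) for r in policy):
        return "allow"
    return "block"


# Constructed log of outbound connection attempts: program, destination IP, port.
SAMPLE_LOG = """\
iexplore.exe 198.51.100.20 80
svchost.exe 10.50.3.4 445
svchost.exe 192.168.1.55 445
unknown.exe 198.51.100.30 6667
unknown.exe 198.51.100.30 80
outlook.exe 198.51.100.40 25
"""


def evaluate_log(log: str, policy=POLICY) -> list:
    """Return (line, decision) for every connection attempt in the log."""
    out = []
    for line in log.splitlines():
        if not line.strip():
            continue
        program, dst_ip, dst_port = line.split()
        out.append((line, decide(program, dst_ip, int(dst_port), policy)))
    return out


def blocked_connections(log: str = SAMPLE_LOG) -> list:
    """The log lines a default-deny host firewall would have stopped."""
    return [line for line, d in evaluate_log(log) if d == "block"]


if __name__ == "__main__":
    for line, d in evaluate_log(SAMPLE_LOG):
        print(f"{d:5s}  {line}")
```

Of the six constructed attempts, three are blocked: SMB to a non-data-center host, the IRC connection on 6667, and the unknown program's use of port 80 (the browser's rule does not extend to it). This only holds as long as the firewall itself is intact; STaSh's point that code running as administrator can simply disable it is not something a rule set can address.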
 