Two firewalls better than one, or just a redundancy?

Hey!
Can anybody give me a well-grounded explanation as to why (if at all) one should still have a software firewall running, although located behind a NAT router with a working stateful firewall?

They are both software firewalls, and in fact you will find Linux embedded inside many routers/firewalls.

If you don’t trust the other machines on the network, you might want to run a firewall on SUSE. Personally I don’t run one. I have IPCop on the perimeter. All the machines on my LAN are under my control. A firewall on each machine just gets in the way when I want to do things and doesn’t make me any safer. I am more concerned about possible bugs in web browsers and flash plugins.

Only a couple of days ago there was an update for flash. How many of you just let flash panels on websites autoplay? Now there’s a drive-by vulnerability if you happen to go to an infected site. Install the flashblock addon and control what you allow to play.

Oh, I got the ultimate protection against flash animations: my Konqueror just crashes every time it sees one…:wink:

Looks like the DoS attack via flash is working on you. :wink:

I have IPCop as the first thing from the modem and then a wireless router with a firewall right after. I figure the tactics to bypass a software firewall may not work on a hardware firewall. Plus even if my kids have friends over with wireless netbooks they are still having their content filtered :wink:

As I’ve already mentioned there’s no such thing as a “hardware firewall”, they are all software firewalls. You will not find gates and flip-flops in embedded firewalls handling the filtering rules. :slight_smile: The main difference is where the software is loaded from. On an embedded router, it’s loaded from flash memory, which makes it diskless. But it’s still running an OS with network filtering, and often that OS is Linux. In fact the FSF is suing Cisco/Linksys for violating the GPL copyright by not publishing their changes to GPLed code that was put into Linksys routers.

Wireless routers have other risks due to the nature of the medium. I hang my wireless router on a separate blue subnet of the IPCop router.

Because it is your policy decision.

I don’t do that, I have my internal boxes behind 1 internet facing gateway, and initially without default route, so they must use the gw as a proxy.

So define what you are protecting, the cost of intrusion, and then you can decide on your policies.

If you are offering services through port forwarding, then that machine is at higher risk, and you might feel the need to firewall the internal network, though creating a DMZ and having such boxes in a different physical network is far preferable.

In general, multiple layers provide higher security, slow down attackers, and increase the chances of becoming aware of an attack, compared to the hard brittle shell approach. Once compromised, if your gateway is trusted then every node on the home network is very likely lost too.

If you own every box on the network and you know you won’t be hacked by
your own or others’ errors, sure, possibly disable the firewalls, but
unless you are really confident I wouldn’t recommend it. The big
question is… why disable? If/when somebody compromises one system do
you want them to have unfettered access to others? The firewall doesn’t
prevent anything outgoing (I’ve never seen a valid report that it did
anyway) and while it prevents incoming on all ports (by default…
easily changed via GUI interfaces) most of the time your workstation
doesn’t need incoming packets to be allowed (file sharing being the
biggest exception, I think).

There are a couple security models involved here… the last
comparisons for them were ‘crustacean’ and ‘pool ball’. The former is
what you’re going for disabling internal firewalls… basically it means
as soon as you hit that Flash bug somebody can wander around your
network for fun without much in their way. The exterior is hard, but
the inside is gooey and squishy and delicious to the attacker. The
latter is more like a pool ball… get through the first layer and you
get another hard layer.

Good luck.

Phew! Lots of knowledge lurking around these forums! Thanx for all your answers, guys, you surely got me thinking!:open_mouth:

Hi,

I can’t, but I can give you one reason why it makes no sense in most cases.

What does a firewall do and how does it work? A firewall is software which manages the network traffic from one network to another by giving and denying access to services from one network to the other. Mainly this is done by opening or closing TCP/UDP ports, even though there could be additional rules. So it mainly protects services which are offered in one network (e.g. the LAN) and should not be offered in the other network (e.g. the internet).

Let’s think about the three main scenarios why perhaps you should use a desktop or personal firewall on a machine:

  1. You don’t offer any service with that machine

Do we need a firewall? No, we don’t. We do not have anything running which listens on any port. So no one can access that machine via the network. Only traffic which was initiated by that machine will come in. All other incoming traffic will hit closed ports and receive a connection refused message.

  2. We offer services like file service, print service or whatever

Do we need a firewall? Yes, we do, but not on that machine. Why do we normally install a server? To offer the service to other computers in our network. So what do we have to do in the firewall configuration? We have to allow that incoming traffic. If we don’t do so the service is unreachable and makes no sense.

All other ports should be closed. So for those, what I said under the first point applies. The firewall is useless.

  3. The machine has been exploited and malicious software opens a port.

Can a firewall help us? Not on that machine. The machine is corrupted, which means that every piece of software on that machine, including the firewall, could be manipulated. So the firewall is useless in that case too.

So in the three main cases you don’t need a firewall or it is useless. In the third case an external firewall can also be tunnelled very easily. Malicious software could use e.g. port 13578 for incoming and 80 for outgoing traffic. So to the firewall it looks like an outgoing HTTP packet and so it can pass. Or do you close port 80 outgoing? :wink: If you do so, I cannot help you. You cannot read this. :wink:

In a fourth case it could be useful, and that’s what personal firewalls are for: computers that move from one network to another, like laptops. For example, in your office you have to offer services to have access from the desktop computer to the files. Now you are in a hotel and you don’t want to stop all services but just protect them against the other guests or against direct internet access. So you launch the firewall in that case to close those ports your servers are listening on.

So why should we switch it off? First of all because I don’t like to spend my system resources on useless things. I need them for work.

Second, every piece of software which is running on a machine is a potential risk. You never know if and when software can be exploited. So useless software which is risky is dangerous software. And you should never run dangerous software.

And if you don’t trust other people in your network you also don’t need any firewall. Don’t share files with them. You need good rights management in that case and not a personal firewall. If you need a high-security part of your network, split it in two and put the firewall between them. If you need to expose servers to the internet, put them in a DMZ. Every security problem has its own solution. The notebook needs a personal firewall. Most of the others don’t.

HTH

Greetings

Erik

I saw reference a while ago to some manner in which you can scan all of the open ports you have. Does anybody know how to do this easily?

This is all nice information, but there are a few things missing.
First, the firewall is always running in Linux… it’s just a question
of which rules are implemented. By default SUSE blocks everything
coming in except established connections (going from memory) and
whatever else you allow. If you “stop” or “disable” the firewall you’re
just changing these rules to accept all traffic
incoming/outgoing/forwarding. Your point about all software having
holes and things is semi-valid for this… first, it applies in that who
knows when a build of randomSoftwareX is going to open a port by
accident needlessly and suddenly people can poke inside it. Second, it
doesn’t apply to the firewall for reasons mentioned above…NetFilter is
always there as it’s a default part of the kernel. So, on to your examples.

  1. There is no reason to NOT have it on. You’re not sharing things,
    the firewall won’t cause problems, and it will prevent random software
    from accepting connections when you don’t realize it. Anybody run
    VMware Server on their desktop because it’s free? It opens up ports by
    default (902, 8222, 8333) all of which scream VMware. If you only use
    VMware Server locally the firewall would protect you in a default setup,
    but if you disable it just because you don’t want it on now you’re blocking.

  2. The firewall protects services besides those being offered. The
    examples above of rogue software or software you didn’t expect to open
    things up still applies. Also what about attacks that target network
    things and not just applications? Certain types of attacks where
    malformed packets are sent can be easily blocked by NetFilter while
    letting everything else through. Even normal things like SYN packets
    can be limited (as they are by default on SLED in its firewall
    configuration when you open a port) so you don’t get a SYN flood causing
    your box to burn up memory needlessly. This isn’t a mindless firewall
    in windows… this is a semi-decent default configuration.

  3. An exploited box is gone with the wind, but if they only have
    user-level privileges a firewall can be a pain for them. Tunneling
    aside it still generates logs, can prevent them from opening ports and
    being able to connect inbound (they must login again to do something
    like get data to the box, which means you could set up more logging for
    an interactive session and catch the stinker), etc.

And a final reason… you can get logging of failed connection attempts
by default if you have the firewall on. Evidence is good.

Good luck.

Scanning your own ports is silly… just ask netstat what you have open:

netstat -anp | grep 'LISTEN '

Notice the space after LISTEN as it is important.

Good luck.

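The same information netstat shows comes from the kernel’s /proc/net/tcp and /proc/net/tcp6 tables. As an added example (not from any poster in this thread), the following parses those tables directly and reports listening sockets, first on a constructed sample table and then on the live host. The sample rows and inode numbers are constructed; the byte-order handling assumes a little-endian host, which is what the kernel writes on x86.

```python
"""List listening TCP sockets straight from the kernel's /proc/net/tcp{,6} tables."""
import socket
import struct
from pathlib import Path

LISTEN_STATE = "0A"  # TCP state code the kernel uses for LISTEN in these tables
PROC_TABLES = {"tcp": ("/proc/net/tcp", socket.AF_INET),
               "tcp6": ("/proc/net/tcp6", socket.AF_INET6)}

# Constructed sample of /proc/net/tcp (not a capture from a real host): CUPS on loopback,
# sshd on all addresses, and one established outbound connection that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18221 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 19005 1 0000000000000000 100 0 0 10 0
   2: 0A00020F:B3C2 5DB8D822:01BB 01 00000000:00000000 02:00000A3F 00000000  1000        0 24112 2 0000000000000000 20 4 30 10 -1
"""

# Constructed sample of /proc/net/tcp6: the same CUPS listener bound to ::1.
SAMPLE_PROC_NET_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:0277 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18300 1 0000000000000000 100 0 0 10 0
"""


def _decode_addr(hex_addr: str, family: int) -> str:
    """Turn the kernel's hex address into dotted/colon notation.

    The kernel prints each 32-bit word in host byte order, so this assumes a
    little-endian host (x86 and most others).
    """
    raw = bytes.fromhex(hex_addr)
    if family == socket.AF_INET:
        return socket.inet_ntop(family, raw[::-1])
    words = struct.unpack("<4I", raw)                              # four little-endian words...
    return socket.inet_ntop(family, struct.pack(">4I", *words))   # ...re-emitted in network order


def parse_proc_net_tcp(text: str, proto: str = "tcp") -> list:
    """Return (address, port, inode) for every LISTEN row of a /proc/net/tcp{,6} table."""
    family = PROC_TABLES[proto][1]
    listening = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN_STATE:
            continue                            # established, time-wait, etc. are not listeners
        addr_hex, port_hex = fields[1].split(":")
        # fields[9] is the socket inode, which is what maps a socket to its process via /proc/<pid>/fd
        listening.append((_decode_addr(addr_hex, family), int(port_hex, 16), int(fields[9])))
    return listening


def listening_sockets() -> list:
    """Read the live kernel tables (Linux only; returns an empty list elsewhere)."""
    found = []
    for proto, (path, _family) in PROC_TABLES.items():
        table = Path(path)
        if table.exists():
            found.extend((proto,) + entry for entry in parse_proc_net_tcp(table.read_text(), proto))
    return found


if __name__ == "__main__":
    for proto, addr, port, inode in listening_sockets():
        print(f"{proto:5} {addr}:{port}  inode={inode}")
```

Running it as root and cross-checking the inodes against /proc/<pid>/fd gives the same process attribution netstat -p prints.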
All these posts about exposing ports…

Are so “yesterday” and not applicable to many of today’s threats.

First, it should be understood that port assignments different than default have only marginal effectiveness (generally against automated attacks). Today, it’s trivial for an attacker to identify services behind non-default ports so it’s likely more trouble than it’s worth and naive to change default port assignments believing your machine is more secure.

Multiple firewalls (this thread’s subject line) is one important way to combat threats by deploying security layers, but to be most effective each layer should be designed to be dissimilar (eg different OS) and maybe even to proxy connections (act on behalf of another, not just filter).

Also, the days are <very> long ago since you could trust the efficacy of perimeter firewalls, there are too many ways exploits can be planted behind firewalls (eg VPNs, unscanned uploaded files, mail attachments), so Host-based (not just perimeter) firewalls become necessary.

Probably the most effective measure to take today is to harden your machines, which for most non-IT folk means to automate your patching system and periodically verify it’s working. If you’re in IT, you should take more active measures to minimize attack surface and build additional protective layers plus periodically read the logs.

So, are two firewalls better than one? Yes, but without much thought the benefit might be marginal.

Changing the port of, say, ssh should never be relied on as the primary protection. A configuration should be made to be secure even if the port is known. This means turning off root logins, restricting the hosts allowed to connect, cutting down the list of users with AllowUsers, requiring strong passwords and if at all possible the use of keys instead of passwords. However changing the port is good for removing the numerous messages in logs about attempts.

Much is made about port changing being useless because of port scanning. The reality is that port scanning is hardly ever done by casual crackers. I have never seen one logged in intrusion logs on the numerous machines and servers I maintain. Possibly because it’s very obvious and sets off alarm bells, and possibly because crackers prefer to go for low-hanging fruit.

If you have multiple firewalls but you punch the same set of port forwards through them what’s the point? Anybody who runs a public webserver will see lots of attempts to guess the path of phpmyadmin and other PHP apps, which historically have lots of holes. Also don’t forget the obvious, you may allow autoregistration or comment submission, so webbots will try to inject spam into those. If possible you should run webservers and other public services like mailservers in a DMZ.

Don’t also forget egress filtering. You may filter the incoming connection heavily but allow any connection outwards which is the default for all home routers. If your Windows machines get infected, they can start making connections outwards and receiving commands from bot masters. A really strict site will require clients to go through proxies, where at least they can be monitored for signs of infection. But this makes more hassles for users so it would have to be a policy decision.
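Two points made above, that a host firewall gives you logs of failed connection attempts (“evidence is good”) and that a port scan stands out in those logs, as an added example that is not from any poster in this thread: it parses NetFilter LOG lines (the KEY=VALUE format the kernel’s LOG target writes to syslog), separates dropped inbound from dropped outbound traffic, and flags sources that touched many distinct ports. The log prefix HOST-FW-DROP and every sample line are constructed for this example.

```python
"""Summarise NetFilter LOG lines: the evidence a host firewall leaves behind."""
import re
from collections import defaultdict

LOG_PREFIX = "HOST-FW-DROP"               # assumed --log-prefix of the host firewall's LOG rule
_TOKEN = re.compile(r"\b([A-Z]+)=(\S*)")  # the kernel LOG target writes KEY=VALUE tokens
_INT_FIELDS = {"SPT", "DPT", "LEN", "TTL", "ID"}

# Constructed sample syslog lines (documentation address ranges, not a real capture):
# one source walking eight ports, one source retrying sshd, one unrelated kernel line,
# and one *outbound* drop, the kind an egress rule would record if an infected box phoned home.
SAMPLE_LOG = """\
Dec 23 21:14:02 box kernel: HOST-FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=51 ID=1234 DF PROTO=TCP SPT=44312 DPT=21 SYN URGP=0
Dec 23 21:14:02 box kernel: HOST-FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=51 ID=1235 DF PROTO=TCP SPT=44312 DPT=22 SYN URGP=0
Dec 23 21:14:03 box kernel: HOST-FW-DROP IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TTL=49 ID=9001 DF PROTO=TCP SPT=51200 DPT=22 SYN URGP=0
Dec 23 21:14:03 box kernel: HOST-FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=51 ID=1236 DF PROTO=TCP SPT=44312 DPT=23 SYN URGP=0
Dec 23 21:14:03 box kernel: HOST-FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=51 ID=1237 DF PROTO=TCP SPT=44312 DPT=80 SYN URGP=0
Dec 23 21:14:04 box kernel: usb 1-1: new high-speed USB device number 3 using ehci_hcd
Dec 23 21:14:04 box kernel: HOST-FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=51 ID=1238 DF PROTO=TCP SPT=44312 DPT=443 SYN URGP=0
Dec 23 21:14:05 box kernel: HOST-FW-DROP IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TTL=49 ID=9002 DF PROTO=TCP SPT=51201 DPT=22 SYN URGP=0
Dec 23 21:14:05 box kernel: HOST-FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=51 ID=1239 DF PROTO=TCP SPT=44312 DPT=445 SYN URGP=0
Dec 23 21:14:05 box kernel: HOST-FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=51 ID=1240 DF PROTO=TCP SPT=44312 DPT=3389 SYN URGP=0
Dec 23 21:14:06 box kernel: HOST-FW-DROP IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.99 LEN=60 TTL=64 ID=777 DF PROTO=TCP SPT=50112 DPT=6667 SYN URGP=0
Dec 23 21:14:06 box kernel: HOST-FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=51 ID=1241 DF PROTO=TCP SPT=44312 DPT=8080 SYN URGP=0
Dec 23 21:14:08 box kernel: HOST-FW-DROP IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TTL=49 ID=9003 DF PROTO=TCP SPT=51202 DPT=22 SYN URGP=0
"""


def parse_log_line(line: str):
    """Return the KEY=VALUE fields of one firewall LOG line, or None for any other line."""
    if LOG_PREFIX not in line:
        return None
    fields = {}
    for key, value in _TOKEN.findall(line.split(LOG_PREFIX, 1)[1]):
        fields[key] = int(value) if key in _INT_FIELDS and value.isdigit() else value
    return fields


def split_by_direction(lines):
    """Separate dropped inbound packets (IN set) from dropped outbound ones (OUT set)."""
    inbound, outbound = [], []
    for line in lines:
        fields = parse_log_line(line)
        if fields is not None:
            (inbound if fields.get("IN") else outbound).append(fields)
    return inbound, outbound


def count_by_source_port(events):
    """Count attempts per (SRC, DPT): who knocked, on which door, how often."""
    counts = defaultdict(int)
    for fields in events:
        counts[(fields.get("SRC"), fields.get("DPT"))] += 1
    return dict(counts)


def find_scanners(events, min_ports: int = 5):
    """Flag sources that touched at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for fields in events:
        if "SRC" in fields and "DPT" in fields:
            ports[fields["SRC"]].add(fields["DPT"])
    return {src: sorted(seen) for src, seen in ports.items() if len(seen) >= min_ports}


if __name__ == "__main__":
    inbound, outbound = split_by_direction(SAMPLE_LOG.splitlines())
    for (src, dpt), n in sorted(count_by_source_port(inbound).items()):
        print(f"inbound  {src:>15} -> port {dpt:<5} x{n}")
    for fields in outbound:
        print(f"outbound {fields['SRC']} -> {fields['DST']}:{fields['DPT']} (blocked egress)")
    print("likely scanners:", find_scanners(inbound))
```

The same functions work on a real journal or /var/log/messages extract once LOG_PREFIX is set to the prefix your own LOG rule uses.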

ken yap schrieb:
> As I’ve already mentioned there’s no such thing as a “hardware
> firewall”, they are all software firewalls. You will not find gates and
> flip-flops in embedded firewalls handling the filtering rules. :slight_smile: The
> main difference is where the software is loaded from. On an embedded
> router, it’s loaded from flash memory, which makes it diskless. But it’s
> still running an OS with network filtering, and often that OS is Linux.

The main difference is elsewhere: it’s whether the firewall software
is running directly on the very computer it tries to protect, or on a
separate piece of hardware that sits between that computer and the
Bad World Outside.

Originally only the latter qualified as a real firewall. But then the
marketroids wanted to advertise packet filtering software that ran on
the target machine itself as “just as good as a real firewall” without
saying so in so many words (which would have gotten them sued for
false advertising), so they invented the term “Personal Firewall” or
“Software Firewall”. Consequently, “real” firewalls (i.e. physically
separate devices controlling the traffic between networks) are now
being called “Hardware Firewalls” to distinguish them from the
locally installed substitutes.

I guess that development is irreversible, and we’ll have to live with
the new nomenclature even though it is technically incorrect. The
image is further blurred by the advent of virtualization and the new
firewalling arrangements it makes possible, such as running a real
(“hardware”) firewall in a virtual machine.

HTH
T.

So, is a safe summary:

  • Ports only need to be opened for RECEIVING signals for services (like if you are running a web server you want Port:80 open, but to just surf the internet you don’t need that port opened)
  • Hardware firewalls aren’t (hardware), but are still pretty good for the average person
  • Your crunchy outer shell should be a firewall with no ports open to the internet for safety (unless you need them, i.e. running an externally accessible web server, or want to connect via VPN)
  • The crunchy outer shell should also be firewalled internally so outbound traffic is also closed (i.e. Virus on an internal machine using port 1000 to call the mother ship or something)
  • Systems inside don’t need firewalls so much and would be redundant (except in the case of the crunchy outer wall being compromised) and if you choose to use a firewall then you should close all unnecessary ports in both directions
  • Laptops and systems that routinely go outside your castle walls should have a firewall up with no open ports (unless needed)

Is this a fair summary? If so then the questions I have to beg are:

  1. How to make sure the firewall of the crunchy outer shell or laptop is as closed as possible?
  2. How to close the firewall for internal traffic going outbound (i.e. Virus using Port 1000 example)
  3. Which ports will people usually want (if any… I think it won’t need anything if the client establishes the connection) open for such things as surfing, IM, streaming video, IMAP, etc.?

1 is fairly easy, by default embedded and hosted firewalls don’t forward any ports. Don’t turn on things like UPnP, which is a Windows thingy which allows apps to ask the firewall to open ports. Imagine malware taking advantage of that. Consider with care any ports you want to forward. If you can, limit the scope as much as possible. E.g. if you forward ssh (and hopefully not on the standard 22), try to limit the allowed peers to a small set of addresses.

2 is quite hard because you’ll have to keep going back to the firewall controls to open ports for yet another protocol you at first didn’t think you used. But you can get very strict firewalls like that, e.g. guarddog. Enterprise sites have to do this sort of thing and make users go through proxies, mail forwarders, etc, so that any misbehaviour of the clients can be noticed.

3 is essentially the same question as 2 viewed from the other side.

I assume you mean by “crunchy layer” to be a local host-based firewalling layer on the machine…

If you are a non-IT home User, you should understand the basic principle that in most cases even if a port is open, if a Service (function) isn’t configured to respond on that port it’s a “no harm/no foul” situation… That’s why I strongly suggest turning your main attention to Patching which hardens your machine against known exploits, and then also generally uninstalling anything you’re not using. This wouldn’t be the optimal solution but should address needs at a level most non-technical folk can handle. Depending on your patching system, Yast Online Update (or something similar) might be all you need (which is why I generally recommend installing from OS repos when possible) but apps from other sources may require manual attention.

Proper firewall configuration and full attack surface configuration requires more advanced IT skills.

Small followup and opinion to Ken’s post immediately before this one,

  • Although uPNP is generally distrusted, I haven’t seen anything specifically exploitable although as a general rule anything that’s automated to ease the Home User experience is dangerous.

  • Generally speaking, restricting access by IP address is next to useless (typically effective only maybe against automated attacks). Without encryption (which itself generally requires some other authentication method restricting access), it’s trivial to identify permitted IP addresses and impersonate.

I’m not suggesting IP address restriction as a primary security mechanism. It’s like your previous misunderstanding about changing the port for ssh. After you have done the correct primary security configuration, then you do some extra config that reduces noise in the logs due to attempts.