# Firewall usefullness in pure *nix network



## segfault (Apr 11, 2013)

I am more than a little ignorant on the subject of firewalls, and the only time I deal with them is to curse and whine about them as I fumble around trying to get them to allow our identity management traffic to reach the various servers in organizations that run nothing but Microsoft. Why are these wretched things needed in the first place I keep wondering.

Now I can see a firewall helping secure Windows since it seems to have so many "magic" ports always listening for heaven's knows what (WMI, builtin-SQLExpress instance, etc.) but what does a firewall do for FreeBSD machines? The FreeBSD kernel doesn't listen on any ports, and if a program isn't listening on a port then why would we need a firewall blocking that port?
I must be missing something because it seems to me that the whole firewall concept is a clumsy stopgap to secure poor OS design at best, and at worst nothing more than a job security, fear-mongering tactic by self-important Windows "IT security" types.

I've asked a few guys and they never give a straight answer leading me to believe they don't really know.

So I'm asking here: Are there indeed some ports that Windows is always listening on that cannot be easily controlled? If I was running a network of all *nix machines, would I even need a single firewall?

Thanks for your patience and knowledge.


----------



## Anonymous (Apr 11, 2013)

segfault said:
			
		

> ...So I'm asking here: Are there indeed some ports that Windows is always listening on that cannot be easily controlled? If I was running a network of all *nix machines, would I even need a single firewall



It pretty much depends on the usage scenario.

For example I am running  a FreeBSD Server/Gateway into the internet for Mac OS X and Windows client machines at home. The FreeBSD Gateway is sitting at the boundary to the internet and it protects my local network using a very restrictive stateful firewall + NAT setup. The firewalls of all the local clients (also the Windows ones) are deactivated.

On my Mac OS X notebook I defined different named sets of network adjustments for different usage cases (Locations). The set "Travel" got the firewall activated, and I would do the same on other *nix notebooks and on Windows notebooks too.

In any case you want to enable the firewall, if you connect into the internet directly from your client machine, for example with PPPoE via DSL or with DHCP via a cable modem. Giving the client a public IP address without any firewall in place opens it to all sorts of attacks, regardless of what OS it is running.

It is always better to put a cheap SOHO router in the middle, so your clients are sitting in a LAN behind NAT. This would pretty much protect the clients from all sorts of direct attacks from the outside, even if the firewall on the router is inactive.

However, the story is totally different, if you cannot trust your LAN - like in big companies with hundreds/thousands of users. In there, I would switch-on the firewall (if the admins would let me - regardless of the OS).

At the bottom-line:
You need a firewall and/or NAT at the frontier of a trusted to an untrusted network zone, for most of us this is usually the LAN/WAN boundary, and you need it exactly there regardless of what OS is in charge at that point. Firewall adjustment on clients within *trusted* networks is not necessary, even not for Windows clients. If admins are leaving firewalls activated on clients in their own trusted LANs, then this shows only that they aren't completely trusting their own act.


----------



## SirDice (Apr 11, 2013)

segfault said:
			
		

> I've asked a few guys and they never give a straight answer leading me to believe they don't really know.
> 
> So I'm asking here: Are there indeed some ports that Windows is always listening on that cannot be easily controlled?


No, it just takes some effort and knowledge of the system. Especially that last seems to be missing with a lot of Windows admins.



> If I was running a network of all *nix machines, would I even need a single firewall?


If only to protect somebody from accidentally opening the backdoor. And keep in mind, even though you're running a unix you can still fall victim to malware. That's not exclusively the domain of Windows. It's an urban myth that unix (or unix-like) systems are better protected. People that say that don't know shit about either systems.

But, as you say, a firewall isn't much use if there are no services listening. If all ports are closed there isn't much use for it. But a firewall is mainly used to add just another layer of protection, the more layers you have the more difficult it will be for hackers to get in.


----------



## kpa (Apr 11, 2013)

Protecting listening ports is one matter that is easily controlled by a firewall. However if filtering of outgoing connections (initiated by LAN hosts) is desired the picture gets much complicated. Simple filtering by destination port numbers is not going to be enough because viruses and malware may hide their identity by using common port numbers for "phoning home". That's where so called "layer 7" filtering is needed. For example a transparent proxy server that accepts only HTTP(S) connections is basically a layer 7 filter if all connections are forced trough it.


----------



## ondra_knezour (Apr 11, 2013)

You don't need firewall as long as you know, that your network is secure and will stay secure for given time. As is yours network getting bigger, things get complicated. 

You start with perfectly secure network without any rogue activity there. Then somebody get email or open web page or try some new cool program, get infected. Infections are calling home and trying to spread into neighborhood. Even if all others computers in network are secure, your network can be inflicted by new, unwanted traffic and you are DoSed. Additionally, users bring their own devices, notebooks, tablets, phones, each of them having its own set of bugs packed for free. No mentions about their own WiFi access points with poor security settings if any at all.

And you don't have only end users devices there, there are printers, switches, routers, each of them competing on bugs market with their own bugset. Even network adapters can be theoretically attacked.

Finally, you can encounter rogue employee, quick googling says about 60-80 % of network security incidents start internally.

Given that, I would prefer to have some control about packets on wires under my supervision


----------



## tingo (Apr 11, 2013)

Also note that most firewalls keep logs; if you put a firewall between the internet and your (local) network, you have a a centralized point where you can notice (or look for) signs of network traffic that isn't normal. Ignoring all the script kiddie attempts, you can find both real attack attempts, and malfunctioning devices on your own network.


----------



## throAU (Apr 15, 2013)

segfault said:
			
		

> So I'm asking here: Are there indeed some ports that Windows is always listening on that cannot be easily controlled? If I was running a network of all *nix machines, would I even need a single firewall?
> 
> Thanks for your patience and knowledge.



Windows uses some ports for active directory and other services, these are documented on Microsoft's site.

As to needing a firewall with purely 'nix machines, it depends on how paranoid you are.

I think paranoia is justified.  If something doesn't NEED to be open, close it.

I have Cisco IOS based ACLs in front of all of my edge FreeBSD machines, blocking everything except for the ports required (e.g., 53 UDP/TCP for my DNS server, along with ICMP packet too big and unreachables).  SSH in from outside is blocked (require IPSEC VPN to internal network first).

I have Cisco ASA based rules between my edge machines and my inside networks.

I have host based firewalls on my internal machines (mostly Windows).


Why?  Because:


root kits for Unix machines do exist
compromise often as not comes from inside your perimeter
thinking you're safe because "you run a secure OS" is just false security
just because you have no known holes in your machine, doesn't mean there aren't holes


----------



## ShelLuser (Apr 20, 2013)

Ok, late response but I'm a bit late to this party as you know, and although threads like these intrigue me like no other I figured I'd better get my stuff together before commenting.



			
				segfault said:
			
		

> I am more than a little ignorant on the subject of firewalls, and the only time I deal with them is to curse and whine about them as I fumble around trying to get them to allow our identity management traffic to reach the various servers in organizations that run nothing but Microsoft. Why are these wretched things needed in the first place I keep wondering.


Although I may now repeat things which have already been said I'm going to go ahead anyway to make sure the story as I want to lay it out is as complete as possible. Because I get the feeling that one part of your problem is that you're often hit with plain jargon when dealing with firewalls. And the problem with jargon is often that at first it appears as a bit of "abracadabra" which often will start to make sense when you get a better understanding.

Obvious problem: to get a better understanding you more than often need to get through a lot more jargon which doesn't make things easy.

...having that out of the way.

Firewalls are required to provide an extra and controlled security layer to your system. Because generally speaking (trying to briefly address Windows here as well) these services do not provide means of differentiating between visitors. They don't really provide a means to determine who does and who doesn't get access.

Of course this differs when we're dealing with services such as identity management, mail services and the likes. But even here it can be very helpful to keep one in place.

For example; on Unix environments a very common way to gain remote access to your system is SSH (Secure SHell). However, SSH isn't the perfect super-safe solution, even this program can have issues like all software has, you can get a nice overview when you're checking the CERT database for SSH vulnerabilities.

While this doesn't have to provide a problem perse, it is something to keep in mind. For us FreeBSD users (or so I assume most are) we have tools like freebsd-update and of course portsnap to help us keep our systems up to date.

But here's the thing: why risk it if you know for sure that only yourself and a few others of your (admin?) team will require access to said server?

Then it makes sense to block the whole thing out and only allow specific access. What you gain by this is that "bad guys" who are trying to exploit a software issue in SSH will now have to cope with 2 layers: first they need to penetrate your firewall, _then_ they can get their hands on SSH.

Not only does this make things a lot harder on them, it also provides you with all the means to get alerted to their scheme before it even starts, thanks to monitoring and logging services. Which are basically not really part of a firewall, but that's a bit nitpicking though on my end ;-)



			
				segfault said:
			
		

> Now I can see a firewall helping secure Windows since it seems to have so many "magic" ports always listening for heaven's knows what (WMI, builtin-SQLExpress instance, etc.) but what does a firewall do for FreeBSD machines? The FreeBSD kernel doesn't listen on any ports, and if a program isn't listening on a port then why would we need a firewall blocking that port?


Careful there though. Windows has many ports which it uses to listen on, that is true, but the essence is really no different than the "basics of firewalling" (to give this a name).

And those magic ports you speak of really aren't as obscure as you make them out to be, even Windows has options to carefully monitor what is going on, for example: [CMD="PS>"]netstat -a | more[/CMD] (where PS is obviously used to address PowerShell).

However, the main difference here is that Windows has a "pre-TCP/IP" based history where it used other protocols as well. But that time has been long past, though it never hurts to check up them because the list can sometimes be a little vague too, for example by using: [CMD="PS>"]Get-WmiObject Win32_Networkprotocol | Format-List name,description,status[/CMD].

But back on topic again; you're right. On a pure Unix ( -like) network there wouldn't be a need for a firewall perse since the services which it listens to are limited.

However, then we need to keep another thing in mind. Although ports below 1024 are considered to be privileged (so only a root user can open them) everything above that is free game. When looking at my new FreeBSD server I can tell you one thing; the last I'd want to happen is some customer going to play with his shell environment and setup all sorts of nastiness. I don't know; maybe an IRC server of some sorts (though not nasty by definition, I maintain one myself, they're often used for nastiness).

That's where a firewall can come in handy too. He/she may have all the means to setup an IRC server of his own, getting his buddies to actually access the critter becomes a completely different story.



			
				segfault said:
			
		

> I must be missing something because it seems to me that the whole firewall concept is a clumsy stopgap to secure poor OS design at best, and at worst nothing more than a job security, fear-mongering tactic by self-important Windows "IT security" types.


I think you're partly right here, because on Windows environments there are _many_ companies out there which try to sell you firewall-based solutions in order to enhance your safety. While the fact of the matter is that it's a lot of bollocks.

The Windows firewall in its current state (Window 7 and up) maybe a bit vague from a certain perspective (it certainly is "special", I'll give you that) but it can easily cope with, for example, netfilter which we have available on FreeBSD.

Which is the key aspect here; a lot of things on Windows aren't as ideally setup as they could have been, but that's a completely different (offtopic) story.



			
				segfault said:
			
		

> I've asked a few guys and they never give a straight answer leading me to believe they don't really know.
> 
> So I'm asking here: Are there indeed some ports that Windows is always listening on that cannot be easily controlled? If I was running a network of all *nix machines, would I even need a single firewall?


The problems isn't so much Windows, it's the idiots who think they should apply changes to it when in fact it isn't even necessary. Windows access can easily be regulated by your firewall, the main problem is that in order to do that you need to setup some sane firewall rules, and that's where disaster often strikes.

At one time, but obviously I'm not going to go in full detail here, I've seen a "free" version of one of Microsoft's core components, SharePoint Foundation, actually add insecure changes to the firewall which effectively would allow just about anyone to gain access to its WMI services. Or in plain English; provided them with the means to try brute-force logon attempts.

That's not an example of Windows being insecure, its an example of an idiot allowing obscure changes to find their way into a software installer.


But as illustrated above; even if you were only using a Unix environment it would still make sense to keep a firewall in place. Though the priority of setting one up may be a little lower than it is on Windows-based environments (generally speaking).

Right, even though I do repeat some of the things already mentioned by others I do hope this can help as well.


----------



## throAU (Apr 22, 2013)

One other thing I'll add with firewalls:

You should also be filtering *outgoing *traffic from your LAN as appropriate.

e.g., you should block outgoing SMTP from non-SMTP servers on your LAN in case an internal machine gets hacked to use as a spam origin/relay.  This will prevent an internal machine compromise from getting your entire netblock added to various anti-spam block-lists.

In practice, if your firewall is a modern stateful firewall you can usually get away with:


block known bogus sources incoming from the internet (private IPs ranges, etc.)
allow incoming traffic for specific ports you want to host
block all other incoming traffic
allow what you want to get out, with "keep state" option (with whatever option your firewall of choice specifies to handle state).  "Keep state" means to keep track of the connection, and allow return traffic associated with that connection even if it is not explicitly allowed by other rules.
block all other outgoing traffic


Yes, you may need to run tcpdump  (or a Google search) a few times if something doesn't work to determine what traffic it attempts to send or receive, but having a firewall which is "closed by default" really helps prevent you shooting yourself in the foot, or any potentially infected machine on your LAN becoming an active botnet participant.

In short, if you're using a seperate firewall machine - assume that your internal machines are vulnerable to incoming attack.  Also assume that when filtering outgoing traffic that they are potentially compromised.


If you don't block incoming/outgoing traffic that shouldn't be happening, all it takes is a rogue user with root (either granted, or obtained via a local exploit), or compromise via a web exploit, etc. and your network becomes a launchpad for attacks to other networks


----------



## Crivens (Apr 22, 2013)

What bugs me in thus thread is this: most users think that they are in their private network and thus "safe". Really?

You are behind your modem/router/whatever and you are not safe from the evil out there, but that depends on the router not being hacked/open/... Many of those allow updates from the ISP. Some have default passwords, known bugs, whatever - to consider them a safety feature is IMHO not correct. You have not had a chance to audit the source, to check the build, to mess with the settings. You have no control over that equipment.

I have firewalls in place on all of my machines in the network, they allow connections from selected machines, and none of them is the router. A set of rules who-can-do-what is in place to keep anyone who might get in bussy for some time. That time I have a chance to get him, to see him. Without a firewall and rules in place, I may be compromised and not even know it. 

So yes, I consider a firewall a benefit. Using it may not make my systems bullet proof, but it certainly makes it a harder target. And as with running away from a bear, you do not have to outrun the bear but the slower parts of your team. Be the harder target.


----------



## kpa (Apr 22, 2013)

Most people I know don't bother to change the password on their router/modem but leave it to admin/admin or whatever the default is. Guess how easy it is to turn that router and the connected network to a bot net...


----------



## Crivens (Apr 22, 2013)

My guess would be ... simple?
Yes? Do I win 6 month of McAffee? Sorry, just kidding.


----------

