Are firewalls a waste of time? No. Here’s why.

Everyone knows the term firewall, but few people know why they would ever need one. Go on the Internet and read around, and you’ll find that there are not only many different ideas of what a firewall is supposed to do, but there are also many different technical concepts that fall under the term.

The basic idea of a firewall is a “wall-layer” that protects against attacks from the “other” side. This may seem simple enough, but then many people go on to wonder: Where should that wall be placed? And what, actually, are “attacks”?

To begin, let’s start out with an overview of the places where a firewall can reside.

Hardware firewalls

For high-end users, large networks or servers, a hardware firewall is usually a standalone device. For home users or small businesses, it is typically a component built into a router/modem. When a hardware firewall is used, all network traffic is routed through it before the data reaches individual computers.

As traffic passes through, the hardware firewall examines each packet, at minimum its source and destination addresses and ports, and decides what is let through and what is not. Some firewalls just follow plain rules that the administrator has defined.

For example: Don’t let anyone on the Internet initiate a connection to any local computer behind the firewall; only allow connections that were initiated from the inside, together with the replies that belong to them.

Other firewalls adopt more advanced, protocol-based rules. For example: Let users connect to the Internet, but only to port 80 (the HTTP web server port), and forward incoming traffic on port 80 to a single web server behind the firewall, so that it never reaches the individual workstations. Still other firewalls are more sophisticated and inspect each packet deeply at the application layer. Here a rule might be: Allow incoming traffic on port 80, unless the request contains a sequence that may be used to attack the web server behind the firewall, such as a SQL injection aimed at the database the web server works with or a cross-site scripting payload.

The advantage of hardware firewalls is that they are very literally separate from the computers they protect. All traffic must go through the dedicated firewall or it will not reach the target computer at all, and malware that gets onto one of the protected computers cannot simply switch the firewall off, as it can with a software firewall running on the same machine. The firewall is still a device running software, so its own firmware and management interface need to be kept patched and away from the Internet, but as far as the filtering goes a packet either matches an allow rule or it is dropped. A square peg cannot fit through a round hole.

The disadvantage of hardware firewalls is the flip side of that separation: the firewall doesn’t know what is happening on the computers behind it. It only sees the traffic those computers generate, not which applications generate it, so a browser fetching a web page and a piece of malware talking to its operator over port 80 look alike to it.

Therefore, if a user tells a legitimate application to connect to the Internet and that application connects in a way the hardware firewall is configured to block, the connection simply fails. Wrong decisions stemming from too strictly configured rule sets that block legitimate services are an inherent problem of hardware firewalls, and they typically result in unhappy users.

Network Address Translation (NAT) Routers

A special form of hardware firewall is a Network Address Translation, or NAT, router. Most DSL routers in use today use NAT; in technical terms they are not firewalls, but they have a similar effect.

The idea behind NAT is simple. Many households have more than one Internet-connected computer, but the Internet account has only one public IP address. That IP address is like your Internet phone number: it can be reached from anywhere in the world. With NAT, the public IP address is assigned to the router, and every incoming packet must pass through the router before it reaches the computer it is meant for.

Behind the router, each computer uses a private IP address from the ranges reserved for local networks (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, which is why local addresses usually start with 10. or 192.168.). These addresses are not routed on the Internet, so they can’t be reached from the outside directly, and the same ranges are reused by millions of local networks around the world.

As an example, consider a local computer requesting a website from a public web server. The NAT router replaces the packet’s local source IP (and usually its source port) with the account’s public IP and a port of its own choosing, and records that mapping in a translation table. Nothing is “wrapped” inside the packet; the router simply remembers which local address and port each public port currently stands for. When the web server responds, it sends the data back to the public IP and that port; the router looks the port up in its table, rewrites the destination back to the local computer’s address and port, and forwards the packet.

NAT routers give us a huge advantage: Computers behind a NAT can reach everything on the outside, but nothing on the outside can directly connect to a computer behind a NAT, because there is no table entry for a connection that nobody inside started. The exceptions are ports the NAT router has been specifically configured to forward to a single machine, and forwards that a device on the local network opens for itself through UPnP if that is enabled on the router. In this way, NAT has a very powerful “firewalling” effect, despite the fact that NAT is not usually called a “firewall.”
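Here is the translation-table mechanism just described, together with the stateful rule from the hardware firewall section (only inside-initiated connections and their replies get through), as a small Python simulation. This is an added example, not code from the original post or from any router vendor; the addresses, ports and the single port forward are constructed for the demo.

```python
"""Toy NAT router with connection tracking (added example, not code from the post).

Models two things the text describes: the translation table a NAT router keeps
for outbound flows, and the resulting stateful rule "only connections initiated
from the inside, plus their replies, get through".  All addresses and ports are
constructed for the demo.
"""
from dataclasses import dataclass, replace
import itertools

PUBLIC_IP = "203.0.113.7"          # the router's single public address (constructed)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class NatRouter:
    def __init__(self, public_ip=PUBLIC_IP, first_port=40000, forwards=None):
        self.public_ip = public_ip
        self.free_ports = itertools.count(first_port)
        # Translation table, both directions.  Nothing is "wrapped" in the packet;
        # the router simply remembers which local endpoint each public port stands for.
        self.out_map = {}   # (local_ip, local_port, remote_ip, remote_port) -> public_port
        self.in_map = {}    # public_port -> (local_ip, local_port, remote_ip, remote_port)
        # Explicitly configured port forwards: public_port -> (local_ip, local_port)
        self.forwards = dict(forwards or {})

    def from_lan(self, pkt):
        """Outbound: rewrite the source to the public IP and a public port."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self.out_map.get(flow)
        if public_port is None:              # first packet of this flow: create the mapping
            public_port = next(self.free_ports)
            self.out_map[flow] = public_port
            self.in_map[public_port] = flow
        return replace(pkt, src_ip=self.public_ip, src_port=public_port)

    def from_internet(self, pkt):
        """Inbound: deliver replies to tracked flows or explicit forwards; drop the rest."""
        if pkt.dst_ip != self.public_ip:
            return None
        flow = self.in_map.get(pkt.dst_port)
        if flow is not None:
            local_ip, local_port, remote_ip, remote_port = flow
            # Only the peer the local host actually contacted may use this mapping.
            if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
                return None
            return replace(pkt, dst_ip=local_ip, dst_port=local_port)
        if pkt.dst_port in self.forwards:    # e.g. a web server the admin chose to expose
            local_ip, local_port = self.forwards[pkt.dst_port]
            return replace(pkt, dst_ip=local_ip, dst_port=local_port)
        return None                          # unsolicited: the "firewalling" effect


def demo():
    """Walk through a web request, its reply, and two unsolicited probes."""
    router = NatRouter(forwards={80: ("192.168.1.50", 80)})
    request = Packet("192.168.1.10", 51000, "198.51.100.20", 80, "GET / HTTP/1.1")
    on_the_wire = router.from_lan(request)
    reply = router.from_internet(
        Packet("198.51.100.20", 80, PUBLIC_IP, on_the_wire.src_port, "200 OK"))
    probe_rdp = router.from_internet(Packet("192.0.2.99", 4444, PUBLIC_IP, 3389, "hello?"))
    probe_web = router.from_internet(Packet("192.0.2.99", 4444, PUBLIC_IP, 80, "GET /"))
    return on_the_wire, reply, probe_rdp, probe_web


if __name__ == "__main__":
    for label, pkt in zip(("outbound", "reply", "RDP probe", "web probe"), demo()):
        print(f"{label:10s}: {'dropped' if pkt is None else pkt}")
```

Running it prints the rewritten outbound packet, the reply delivered back to 192.168.1.10, the dropped probe against port 3389, and the probe against port 80 that reaches the forwarded web server. Real NAT implementations also expire table entries after a timeout, and they differ in whether they check the remote address on inbound packets (the endpoint check in from_internet); the toy keeps both decisions simple.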

Software firewalls

A software firewall runs on the local computer itself, but basically does the same job as a hardware firewall: it inspects network packets and decides, based on rules, which to block and which to allow.

One of the biggest things software firewalls have going for them is that they are usually not as expensive as standalone hardware firewalls. Another major advantage is that in addition to analyzing network traffic, a software firewall can link each packet with the program that generated it, which is exactly what hardware firewalls can’t do. Seeing traffic and program behavior together lets it make decisions with much more precision than a hardware firewall ever could.

For example: If a connection genuinely originates from a program made by a trusted software vendor, there is no need to ask each time whether to allow it, even if it would violate some pre-configured port rule. A software firewall can recognize that origin and grant an exception. The word genuinely matters: the check has to rest on the program’s code signature or the hash of its executable, not on its file name or path, because malware is perfectly happy to call itself browser.exe.
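The per-program decision described above, as an added Python example (not code from the post and not Emsisoft’s implementation). It ties each connection attempt to the program that opened it and keys trust on a hash of the executable rather than on its name; the programs, paths, ports and policy table are all constructed, and a real product would verify the vendor’s code signature instead of a hash allowlist.

```python
"""Toy application-aware firewall (added example, not code from the post or Emsisoft).

Shows what a host firewall can do that a network firewall cannot: tie a connection
to the program that opened it and apply a per-program rule.  "Trusted vendor" is
modelled as an allowlist of SHA-256 hashes of the executable; a real product would
verify the vendor's code signature instead.  All programs, paths and connections
below are constructed for the demo.
"""
import hashlib
from dataclasses import dataclass

ALLOW, DENY, ASK = "ALLOW", "DENY", "ASK"


@dataclass(frozen=True)
class Connection:
    exe_path: str      # what the process claims to be
    exe_bytes: bytes   # what is actually on disk (a real firewall would hash the file)
    direction: str     # "in" or "out"
    remote_port: int


def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed executables.  MALWARE_BIN stands for "malware renamed to browser.exe".
BROWSER_BIN = b"MZ\x90\x00 fake browser image"
MALWARE_BIN = b"MZ\x90\x00 fake dropper image"

# Trust is keyed on the hash, never on the path or file name.
TRUSTED = {fingerprint(BROWSER_BIN): "browser"}

# Per-program policy: which remote ports each trusted program may use, per direction.
APP_RULES = {
    "browser": {"out": {80, 443}, "in": set()},
}


def decide(conn: Connection) -> str:
    """Return ALLOW, DENY or ASK for one connection attempt."""
    identity = TRUSTED.get(fingerprint(conn.exe_bytes))
    if conn.direction == "in" and identity is None:
        return DENY                     # unknown listener: silently hide it, no popup
    if identity is None:
        return ASK                      # unknown program phoning out: worth a question
    allowed = APP_RULES.get(identity, {}).get(conn.direction, set())
    if conn.remote_port in allowed:
        return ALLOW                    # trusted program doing what it normally does
    return DENY if conn.direction == "in" else ASK


def demo():
    browser = r"C:\Program Files\Browser\browser.exe"
    return {
        "browser https":    decide(Connection(browser, BROWSER_BIN, "out", 443)),
        "browser smtp":     decide(Connection(browser, BROWSER_BIN, "out", 25)),
        "impostor https":   decide(Connection(browser, MALWARE_BIN, "out", 443)),
        "unknown listener": decide(Connection(r"C:\Users\me\tmp\svc.exe", MALWARE_BIN, "in", 4444)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:17s} -> {verdict}")
```

Note the asymmetry in decide: an unknown program listening for inbound connections is simply hidden, with no prompt at all, while only an unknown program making an outbound connection, or a trusted program doing something it normally doesn’t, produces a question for the user. The impostor case is the reason the lookup is by hash: the same path as the real browser gets no exception.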

A good software firewall is one that shows almost no warning messages, unless it is certain that there is a real attack and that some malicious program is attempting to gain access to your computer. An overabundance of warnings is not a good thing because it desensitizes the user to alerts.

Too many warnings can be like the boy who cried wolf, or in firewall terms “the security software that shows multiple alerts every single day.” Who has not dealt with a product like that? You see so many warning messages that you eventually just click “Allow,” no matter what the warning says. These types of software firewalls are in reality just a waste of computing resources, because even when they detect real threats, their users unknowingly (and understandably) allow those threats to get through.

A good software firewall is also one that doesn’t block needed applications. This is after all what most users get so annoyed about with hardware firewalls (maybe you’ve experienced this at work ;). Granting permission to a certain legitimate application on a hardware firewall can be quite laborious. First, you have to open the admin interface; then, you have to find the right configuration tab and set up a complicated rule – provided of course you can understand the rule set.

Software firewalls are better here as well, because they are always locally at hand, and a good one can recognize harmless actions on its own, eliminating the need to configure new rules yourself.

When do you need a software firewall, then?

The truth is, if you exclusively connect to the Internet via a home DSL or cable account that works with NAT, you should save the money you’d spend on a software firewall and get your best mates a cup of coffee instead. A reliable antivirus with a great detection rate and a powerful behavior blocker is all you will need. If, however, you use a computer that frequently connects to the Internet via third-party networks, a software firewall is worth the investment.

Think of public WLANs, like at the coffee shop you took your friends to, or plugging in a network cable at some foreign hotel. Once you are connected, every other user on that network can try to connect to your machine, and the NAT router that protects you at home is no help here, because the attacker is on the inside of whatever router the network has. And why would they want to do that? To find a vulnerable service listening on an open port that can be exploited to take control of your computer for financial gain, or to steal private data (also for financial gain). A software firewall that drops unsolicited inbound connections to every listening service effectively reduces the attack surface and the success rate of such attacks.

Frequent misconceptions about software firewalls

Misconception 1: Firewalls detect malware

The main purpose of a software firewall is to eliminate potential entry points attackers could use to get onto your computer from the outside. Software firewalls are not made to detect active malware that is already on your PC and communicating with some stranger halfway across the world.

Why not? In short: Once there is active malware on your PC, it is too late. Blocking its outgoing connections is a weak control, because malware that has managed to run with administrative rights has probably also managed to disable your firewall, rewrite its rules and manipulate all sorts of other system settings. Outbound filtering keeps some value as an extra layer, since it can cut less privileged malware off from its operator, but it must not be the control you rely on. This is not because firewalls are incompetent; it is simply because they are not designed to block malware. Blocking malware is the work of anti-malware. A firewall instead “hides you” from the outside, by denying communication with other programs through certain “channels” or ports.

Misconception 2: Firewalls are always HIPS (host-based intrusion prevention systems)

Not so long ago, all software firewall products available did exactly what users expected them to do: filter network traffic. Today, that is still the classic definition of the term “firewall.” But once firewall technology had been developed to death (no room left for innovation, so all vendors offer a similar level of quality), vendors started to add new and somewhat overkill features to their firewall products: monitoring of all sorts of operating system changes, detection of all sorts of non-standard code execution by programs, and thousands of other ‘suspect’ things that tend to fall under the term HIPS today.

The major problem with these technologies is that for all their monitoring and detection capability they are relatively dumb. They tend to raise an alert for each and every action that could possibly lead to an attack, but the truth is that about 99.9% of all such alerted actions are not malicious. As mentioned before, such alerts are annoying and even dangerous because they can train users to click “Allow,” day in, day out.

HIPS are therefore recommended for experts only, who can fully understand the large amount of alerts they produce and take advantage of the extra protection layer this can provide. This doesn’t make HIPS irrelevant to everyday users, though. In fact, the technology behind HIPS is what eventually evolved into behavior blocking, an essential component of modern anti-malware.

Thanks to what behavior blocking borrows from HIPS, false alarms from antivirus software using the technology are now extremely rare. Behavior blocking isn’t HIPS though, and neither term is freely interchangeable with “firewall.”

Firewalls and Emsisoft

Emsisoft has gathered knowledge on firewall, HIPS and behavior blocking technology for almost a decade now. The Emsisoft Online Armor product is a HIPS combined with a solid software firewall component, but it is mostly a product made for geeks. The brand new Emsisoft Internet Security, on the other hand, is made for everyone.

Emsisoft Internet Security adds a software firewall component to the proven technology of Emsisoft Anti-Malware, which means it can protect you from malware AND keep you invisible to network intruders. This makes it a perfect fit for home users and small businesses, who frequently travel beyond their home network and who want something simple-yet-intelligent that will keep their information secure, no matter where they go.

Have a great (firewalled) day!

  • BZ Softnick

    Still not clear to me:
    Is the firewall component of EIS just the same firewall as the geeky Online Armor, or is it somehow a simplified version for everyone?
    Does it contain HIPS?

    • Christian

      Emsisoft Internet Security uses an enhanced version of Online Armor’s firewall core (added IPv6 support, etc.). It does not include the HIPS of Online Armor, though. The Behavior Blocker is based on the same technology but gives far fewer alerts, and therefore represents a technological evolution.

      • Мик

        Don’t make me laugh. See simplified firewall is not responding.

      • Mark Cohen

        Hope all this talk of Emsisoft Internet Security being a technological evolution, etc, doesn’t mean you are looking to abandon development of Online Armor!

  • Ami Kranci

    Excellent article! Well written in layman’s terms. I have been using firewalls and malware for 15 years or more, and I now understand some of the finer details. Good to see Emsisoft is keeping their core audience and users in mind.

    Here’s my question:
    I understand from what you said that a software firewall used in conjunction with a NAT router is overkill because the NAT will ‘hide’ me from the Internet therefore making the software firewall somewhat redundant.

    However, is it not true that the software firewall could serve to ‘hide’ my own laptop from other devices inside my home network? Assume, for example, some device inside my network has been compromised. Would the software firewall on my laptop provide any protection from a virus or a backdoor from within my own network?

    • Steve

      Hi Ami,
      Great question. Yes, Emsisoft Internet Security can offer such protection. By default, the software allows all traffic from your internal network because blocking it can cause problems, but this can be modified in the settings. If you need help with this, please feel free to send an email to support@emsisoft.com. If on the other hand you’d like to start tweaking things yourself, just be sure to make a backup of the original configuration first, using the “Export Settings” button in the General section of Emsisoft Internet Security’s settings. That way you always have those original settings to fall back on.

  • Мик

    Emsisoft Anti-Malware + Emsisoft Online Armor = BEST. Everything else is nonsense….

  • Мик

    Emsisoft Internet Security 9 = Weak anti-virus with confusing settings

  • Thanks for your feedback. We would appreciate it if you could share your experience in an email to support@emsisoft.com or in a post at support.emsisoft.com. We would love to help you with any issues you have and to improve your overall experience with the software.

      • Мик

        Hello. 1 – The icon in the tray is something strange and perverted. 2 – Firewall configuration is minimal and confusing. 3 – During the upgrade, the computer freezes. CHANGE the sign in the tray!!!

  • Emsisoft Internet Security 9 = Superb Protection for All.

    • Dontrell M’BuluBulu

      Agreed. By far the best. Thanks Emsisoft!

  • Donald Laurie Thunder

    I paid 3000 for my computer, and I still get hacked. Even though I have Microsoft Essentials and all the B.S., it sucks.

    • Trond Larsen

      High-end BMWs and Land Rovers with the latest in automotive security, for example, get stolen every day, and their owners paid a heck of a lot more than 3000 bucks. Security is not set and forget. :-) Ask the NSA.

  • Eagereagle

    Hi Philip. Interesting reply. In your last sentence you meant “peace of mind” for sure and not “piece of mind” unless you meant of course to say that you were giving us a “piece of your mind” i.e., your version of the working of a firewall in this case…Enjoy the day and thanks again for your contribution. John aka Eagereagle

    • Philip

      Let us stick to formal: definition of give piece of your mind from U.K. English Cambridge advanced dictionary open source of course. P.S. my Japanese is perfect also. In the U.S. they say “love to have a piece of mind” but I agree with you English is best and is the correct use of the word. “Peace of mind ›a feeling of calm or not being worried: For my peace of mind, please check that the door is locked.” And now what do we do with a U.S. stroller because it is no longer a person who strolls, it’s a pushchair. And so on and so on and so on. ( ? ).

  • Andrew Bell

    The concept of a firewall is to keep nasties out.

  • Andrew Bell

    Also, HIPS has a load of problems; when running, it can slow the machine. (My other name is techienumber1.)

  • Cat Tilley

    I agree with the firewall being overkill. Recently, when installing MS Office 2010 Pro Plus, Online Armor alerted me no fewer than 40 times, likely more, over just 3 or 4 legit processes within. I have used this same optical disc it’s on dozens of times to install the suite w/out issues & now OA warns me? Of course the number of times the alert shows varies by computer; the above was the last & worst time.

    It’s the job of installed security to detect installing malware-loaded software, or that w/out a digital signature (Windows may also warn of the latter). I agree with the author on this, since many times we already have the software in hand, be it downloaded or purchased in-store.

    One can take charge of their own NAT-based firewall built into most of today’s routers. The first step of course is to disable remote administration; the second is to disable UPnP unless needed for a specific reason (I’ve got by w/out it fine for years). Finally, change the obvious name of the network, normally the make & model of the router, which is easily looked up to find weaknesses, to something that doesn’t let the neighbors & drive-by attackers know & exploit it. Plus, change all of the default passwords to strong ones that are still easy for the user to remember, adding a couple of the symbol keys (!@#$%^&*()) to prevent a brute-force attack. This includes the wireless passphrase.

    Turn OFF the guest network option if not used, as one highly popular brand doesn’t allow the creation of a complex password to prevent brute-force attacks.

    Finally, change passwords every few weeks to months, depending on need, & if guest access is needed, enable this option & disable it once finished. Be sure that the Windows Firewall is active when running any security software, even Emsisoft Anti-Malware. However, if an Internet Security pack is used, such as Emsisoft Internet Security, the Windows one should be disabled. Note that some brands that say ‘Internet Security’ on the package don’t include a firewall. Seems misleading, yet technically it’s not. It’s up to the consumer or business to ensure a firewall, if desired, is included.

    Taking charge of one’s networking goes a long way toward their firewall protection, at no cost except taking a little time when setting up the router, rather than just plugging in & going.

  • Sam0077

    Gee whiz, I’m a geek then – well, thanks Emsisoft – and there I thought I was an average user. I’ve used OA since day one, before you bought it. Still going to stay with it, as it is stand-alone and doesn’t need to do much more than it does: alert me to who on my computer is calling home so I can decide to allow or block. I’ve been using computers since well before Windows launched in the late 90’s.
    As you say, we don’t need your package unless lazy, as our routers these days do a good job too, so together with OA I’m good ’til 2020 running Windows 7.
    So a firewall really doesn’t need input, stands alone, and with our routers now today also standing between the OA firewall and the internet, we’re all safer than ever before too, so why change? So you don’t make the case at all – in fact the opposite.
    I’m sticking with OA, the best firewall ever IMHO. Some say Comodo is, but it is much more complicated than OA, which is the best and always has been. Shame on you – missing a business opportunity by not carrying on licensing it.
    Could you at least let me know if you consider selling