Author Topic: Ditching the software firewall?  (Read 2472 times)

Offline Spatula

Ditching the software firewall?
« on: April 16, 2008, 10:41:38 PM »
I've been running Comodo Firewall Pro for a while now, but recently it's become a bit more bloaty with some extra stuff, and it takes ages to boot up, and I can't turn the damned thing off by FSAutostart anymore. So, with the other thread running about network wireless routers etc., I thought I might ask some Qs. I run a Linksys WAG200 ADSL 2 wireless router at home, and I'm wired into it via cable (the missus is on the wireless). I also run Firefox with NoScript (never use IE), Thunderbird, Avira AntiVir, and Windoze Defender, and regularly update PC, defs, yadeyadeyadee...
I was wondering if I could do without the Comodo Firewall Pro, since I got a hardware firewall on the router.

http://www-nz.linksys.com/servlet/Satellite?c=L_Product_C2&childpagename=NZ%2FLayout&cid=1172712873708&pagename=Linksys%2FCommon%2FVisitorWrapper&lid=7370869952B02

Opinions??
Airborne Kitchen Utensil Assault Group

Offline wabbit

Re: Ditching the software firewall?
« Reply #1 on: April 16, 2008, 11:26:23 PM »
Your hardware firewall doesn't protect you against outgoing connects, which Comodo will. If you get infected in some way, and your anti-malware software doesn't catch it, then your last line of defense is Comodo (software firewall), alerting you when the malware tries to call home.

If you feel comfortable that your anti-malware software and hardware firewall can protect you, then you can take the risk, but either way, it's a risk.

I use Comodo, and yeah it's usually the last startup program to load, however I disable the 'Defense' portion as it's too annoying and I'm comfortable that my anti-malware software can protect me just as well. I only run the firewall portion to give me alerts when something tries to connect.



Wabbit
Wabbit:
             The Official Rolling Thunder Target Drone...

Offline BaldEagl

Re: Ditching the software firewall?
« Reply #2 on: April 16, 2008, 11:36:18 PM »
Ditto.  I run a SW firewall for the same reasons Wabbit stated. 

I've got an older version of McAfee firewall that I run because it allows me to set permissions from full access to filtered to deny access for programs individually.  Very few applications on my systems have even filtered access much less full.

While I often turn off anti-virus, etc. to reduce background programs, my SW firewall is never turned off.
« Last Edit: April 16, 2008, 11:38:14 PM by BaldEagl »
I edit a lot of my posts.  Get used to it.

Offline MrRiplEy[H]

Re: Ditching the software firewall?
« Reply #3 on: April 17, 2008, 01:19:57 AM »
Use Sandboxie for all your web browsing and e-mail and Comodo is unnecessary for all goods and purposes. But you need to be 100% sure never to browse or read email without it - otherwise you might get infected and spread crap around the world for years never knowing it. Like reportedly 30% of the whole world's computers are doing right now as we speak.
Definiteness of purpose is the starting point of all achievement. –W. Clement Stone

Offline Vulcan

Re: Ditching the software firewall?
« Reply #4 on: April 17, 2008, 07:55:49 AM »
> Your hardware firewall doesn't protect you against outgoing connects, which Comodo will. If you get infected in some way, and your anti-malware software doesn't catch it, then your last line of defense is Comodo (software firewall), alerting you when the malware tries to call home.

That's the theory. The reality is personal firewalls only really do well at locking down legit apps. Comodo is by far the best choice - but if you're behind an NAT/SPI box I'd ditch it.

BaldEagl, turning your AV off and leaving your SW FW on is, well, just... dumb (sorry, see comment above).

The reality is a good AV setup is going to stop it before the SW FW gets a chance to act, and most modern malware targets SW FW's and bypasses them (or tries to) anyway.
 
I've not used a SW FW for about 3, maybe 4 years now.

Offline MrRiplEy[H]

Re: Ditching the software firewall?
« Reply #5 on: April 17, 2008, 08:07:31 AM »
> That's the theory. The reality is personal firewalls only really do well at locking down legit apps. Comodo is by far the best choice - but if you're behind an NAT/SPI box I'd ditch it.
>
> BaldEagl, turning your AV off and leaving your SW FW on is, well, just... dumb (sorry, see comment above).
>
> The reality is a good AV setup is going to stop it before the SW FW gets a chance to act, and most modern malware targets SW FW's and bypasses them (or tries to) anyway.
>
> I've not used a SW FW for about 3, maybe 4 years now.

And you might be another bot of the few million. Have you checked your outgoing traffic flow lately?
Definiteness of purpose is the starting point of all achievement. –W. Clement Stone

Offline BaldEagl

Re: Ditching the software firewall?
« Reply #6 on: April 17, 2008, 09:12:29 AM »
I once picked up some adware/spyware.  The only reason I ever knew it was there was my SW firewall caught it communicating outbound.  As soon as it did, I ran virus and spyware scans and sure enough.

I do know exactly where and when I picked it up.  It's the one and only time I've ever been infected.
I edit a lot of my posts.  Get used to it.

Offline wabbit

Re: Ditching the software firewall?
« Reply #7 on: April 17, 2008, 11:01:57 AM »
I disagree with Vulcan's reality. Software firewalls do an excellent job of alerting a user that their system is infected in some way. They work well with not just legit programs, but the non-legit ones also.

I've seen many a client whose only alert to a malware infection was his software firewall letting him know when the malware tried to call home.  As a result of this experience I advise my clients to be aware of this and report it when they see such an alert.


Wabbit
Wabbit:
             The Official Rolling Thunder Target Drone...

Offline llama

Re: Ditching the software firewall?
« Reply #8 on: April 17, 2008, 12:59:21 PM »
Frankly, running an outbound software firewall is like closing the barn door after the horse got out.

It's like having an alarm on your house that only goes off AFTER a burglar has taken your stuff and closes the front door on his way out.

Sure, it tells you you're running a bot, but then what? You're still owned and the firewall didn't prevent it from happening.

In that sense, it makes a good diagnostic tool that's handy to check on the status of a system, but the overhead of running it constantly is hardly worth it, not to speak of the constant annoyance of a firewall always asking you if you want your legitimate apps talking to the Internet. Sometimes when cleaning out a screwed up system (and trust me, there's BIG MONEY in doing it), I'll install Comodo just to see if it blocks anything, and then uninstall it after it doesn't see anything.

Generally, you SHOULD have been running good AV (and not halfassed AV) all the time and probably good antispyware monitoring typical hidey-holes, browsing with an alternative browser, and been getting Windows Updates automatically to keep this problem from happening in the first place.

In other words, I agree with Vulcan here.

-Llama


Interesting server at 69.12.181.171

Offline MrRiplEy[H]

Re: Ditching the software firewall?
« Reply #9 on: April 17, 2008, 03:21:16 PM »
> Frankly, running an outbound software firewall is like closing the barn door after the horse got out.
>
> It's like having an alarm on your house that only goes off AFTER a burglar has taken your stuff and closes the front door on his way out.
>
> Sure, it tells you you're running a bot, but then what? You're still owned and the firewall didn't prevent it from happening.
>
> In that sense, it makes a good diagnostic tool that's handy to check on the status of a system, but the overhead of running it constantly is hardly worth it, not to speak of the constant annoyance of a firewall always asking you if you want your legitimate apps talking to the Internet. Sometimes when cleaning out a screwed up system (and trust me, there's BIG MONEY in doing it), I'll install Comodo just to see if it blocks anything, and then uninstall it after it doesn't see anything.
>
> Generally, you SHOULD have been running good AV (and not halfassed AV) all the time and probably good antispyware monitoring typical hidey-holes, browsing with an alternative browser, and been getting Windows Updates automatically to keep this problem from happening in the first place.
>
> In other words, I agree with Vulcan here.
>
> -Llama

The point is that most of the times Comodo is needed is when the AV slipped through adware or a zero-day exploit. In that case without a software wall you are TRULY pwned - at least with it you can contain the situation and disconnect from the net + reformat if necessary.
Definiteness of purpose is the starting point of all achievement. –W. Clement Stone

Offline Spatula

Re: Ditching the software firewall?
« Reply #10 on: April 17, 2008, 03:51:15 PM »
The router I have claims to have SPI on it. Does this 'inspect' packets both in and out? Surely if I screw down the outbound ports to the bare minimum any malware etc. will not be able to get out - or do they tunnel over say port 80 to avoid detection?

I'm in two minds about SW firewalls. Just thought that if my particular device did a good enough job, it may make my SW firewall redundant. That being said, are there any hardware firewalls which I can run alongside my router, or ADSL router & firewall in place of my router?

Are there any lightweight lean and mean SW firewalls worth a damn anymore?

And is Windows Defender all that good? I know AntiVir scores pretty well for a freebie, but how much better is the non-free NOD32?
Airborne Kitchen Utensil Assault Group

Offline Vulcan

Re: Ditching the software firewall?
« Reply #11 on: April 17, 2008, 04:11:11 PM »
> I disagree with Vulcan's reality. Software firewalls do an excellent job of alerting a user that their system is infected in some way. They work well with not just legit programs, but the non-legit ones also.
>
> I've seen many a client whose only alert to a malware infection was his software firewall letting him know when the malware tried to call home.  As a result of this experience I advise my clients to be aware of this and report it when they see such an alert.
>
> Wabbit

Google "firewall leak tests". If you're giving advice on a professional basis I suggest you do some more research of SW FW's.  If your clients are getting malware in the first place you're doing something wrong.

mrripley, my hardware firewall would alert me to any outbound malware activity, and no I've never had any problems (and yes it has full historical logging).

Spatula, yes most malware will attempt to tunnel, only an L7 device is going to have a decent chance at spotting it. Oh and just buy Nod32 mate, it is worth it.

Offline Spatula

Re: Ditching the software firewall?
« Reply #12 on: April 17, 2008, 09:54:10 PM »
Vulc, couple more Qs, mate. The NOD32 AV, it says it covers all internet threats like viruses, trojans, malware etc. Does this mean I can ditch Windows Defender and just run NOD32?? And, do you have any thoughts on the ESET SmartSecurity SOHO product??

Might do some trialling.

Airborne Kitchen Utensil Assault Group

Offline MrRiplEy[H]

Re: Ditching the software firewall?
« Reply #13 on: April 18, 2008, 09:31:43 AM »
> Google "firewall leak tests". If you're giving advice on a professional basis I suggest you do some more research of SW FW's.  If your clients are getting malware in the first place you're doing something wrong.
>
> mrripley, my hardware firewall would alert me to any outbound malware activity, and no I've never had any problems (and yes it has full historical logging).
>
> Spatula, yes most malware will attempt to tunnel, only an L7 device is going to have a decent chance at spotting it. Oh and just buy Nod32 mate, it is worth it.

Umm.. wrong. Your hardware firewall will only detect known malware which has been coded in the firmware. Every other packet goes freely out of your box since your hardware firewall has no way of knowing who/what initiated the connection. With a good soft fw every connection attempt has to be approved by you and approved again if a dll version or md5 changes. That's an astronomically higher level of detection than a hardware wall can ever give - simply because you the user will verify the legitimacy of the traffic.

And if something so bad gets on the machine that it can actually pass Comodo detection AND slip through your antivirus of choice .. then you're pwned. At least until you manually sniff your packets and analyze them.
Definiteness of purpose is the starting point of all achievement. –W. Clement Stone
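
The per-program approval described in Reply #13, set beside a router that filters on ports only (the question raised in Reply #10), as an added example that is not part of any post in this thread. The paths, file contents and port list are constructed for illustration, and SHA-256 stands in for the MD5 check the post mentions.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Attempt:
    exe_path: str     # program opening the socket; only the host can see this
    exe_bytes: bytes  # stand-in for the file's contents, hashed on every attempt
    dst_port: int

def digest(data: bytes) -> str:
    # SHA-256 stands in for the MD5 check mentioned in the post.
    return hashlib.sha256(data).hexdigest()

def router_verdict(attempt: Attempt, open_ports) -> str:
    """Egress filter on a NAT/SPI router: decides on the port alone."""
    return "allow" if attempt.dst_port in open_ports else "drop"

class HostFirewall:
    """Per-program rules, each pinned to the hash seen when the user approved it."""
    def __init__(self):
        self.rules = {}  # exe_path -> approved hash

    def approve(self, attempt: Attempt) -> None:
        self.rules[attempt.exe_path] = digest(attempt.exe_bytes)

    def verdict(self, attempt: Attempt) -> str:
        approved = self.rules.get(attempt.exe_path)
        if approved is None:
            return "prompt: unknown program"
        if digest(attempt.exe_bytes) != approved:
            return "prompt: binary changed since approval"
        return "allow"

# Constructed sample data: paths, contents and ports are illustrative only.
BROWSER = r"C:\Program Files\Mozilla Firefox\firefox.exe"
UNKNOWN = r"C:\Users\user\AppData\Local\Temp\tmp1234.exe"
ATTEMPTS = [
    Attempt(BROWSER, b"browser build 1", 80),   # approved program
    Attempt(UNKNOWN, b"unrecognised", 80),      # unapproved program, same port
    Attempt(UNKNOWN, b"unrecognised", 6667),    # unapproved program, closed port
    Attempt(BROWSER, b"browser build 2", 443),  # approved path, file replaced
]

def compare(attempts=ATTEMPTS, open_ports=frozenset({53, 80, 443})):
    fw = HostFirewall()
    fw.approve(attempts[0])  # the user approved the browser once
    return [(router_verdict(a, open_ports), fw.verdict(a)) for a in attempts]

if __name__ == "__main__":
    for a, (router, host) in zip(ATTEMPTS, compare()):
        print(f"{a.exe_path} -> :{a.dst_port}  router={router}  host={host}")
```

The second row is the case the thread argues over: locking down outbound ports on the router still passes an unapproved program on port 80, while the host rule raises a prompt for it.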

Offline humble

Re: Ditching the software firewall?
« Reply #14 on: April 18, 2008, 09:53:26 AM »
> Vulc, couple more Qs, mate. The NOD32 AV, it says it covers all internet threats like viruses, trojans, malware etc. Does this mean I can ditch Windows Defender and just run NOD32?? And, do you have any thoughts on the ESET SmartSecurity SOHO product??
>
> Might do some trialling.

NOD32 is easily the best IMO...but none of them are bulletproof. I run NOD32 with ThreatFire on my business machine and AVG with ThreatFire and Defender on my gaming rig (which has a separate OS install for AH with nothing else on it). Going back to your original question, a SW firewall is mostly redundant. As either Vulcan or llama pointed out above, its biggest value is confirming you've got a problem after the fact by detecting outbound traffic.

The actual difference between NOD32 and AVG is actually pretty minimal statistically; more problems come from not having security updates or things like iframe attacks where a user bypasses/circumvents his own system warnings etc. NOD does a very good job on the zero-day threats and broader malware (which AVG {free or otherwise} doesn't handle well). ThreatFire is a surprisingly good product and fills this gap pretty nicely so you're dealing with a "percentage of protection" issue of maybe 98.8% for the "freebie suite" and 99.5% for NOD or something similar....but nobody's going to get you to 100% coverage...

"The beauty of the second amendment is that it will not be needed until they try to take it."-Pres. Thomas Jefferson