#1
Unless you are sitting on a public IP address (you shouldn't be!), why would anyone bother installing another firewall on their PC? Unless they are worried about malicious outbound traffic (don't get me started on that one, why are you generating nasty outbound traffic hmmm?). Any modern router (Linksys, Cisco, Netgear etc.) has a built-in, turned-on-by-default firewall protecting you with NAT as well as general firewall capabilities. They usually won't inspect outbound traffic, but again, any traffic emanating from your internal network should be safe. If your internal network is generating malicious traffic (i.e. your systems are already infected), you should install BluePoint, clean up those systems generating that nasty traffic and let BluePoint lock them down correctly!
Check out this illustration as an example. Thoughts?
Last edited by BluePointSecurity; 04-29-2010 at 08:04 PM.
#2
OKAY, so what you're getting at is no need for a third party firewall, if you're using a desktop or laptop in your home, the Windows firewall, whether it be XP, Vista, whatever. With your broadband provider providing static ISPS. Also, by using a router with WEP encryption, BluePoint should easily take care of the rest. Most third party firewalls, even some that use very little RAM, still use RAM.
__________________
Innovation through Technology can only be limited by One's Imagination
#3
I have to say, I completely disagree with this. The purpose of a firewall is not simply to prevent 'malicious' traffic from leaving one's network; they also serve the purpose of controlling which applications and processes have the right to make outbound connections.
Most consumer grade routers have simplistic firewalls that, for the most part, have no ability to control outbound traffic. Unless one upgrades the firmware to something like DD-WRT or OpenWrt that employ a full iptables based firewall and thus do provide outbound control, or unless one uses a Cisco or Juniper box, a software firewall is an essential component. In essence, if you don't care about the traffic leaving your network, adopt the aforementioned approach. If you desire any kind of control over which applications may connect and moreover, where they connect to, then get a firewall.
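The per-application, per-destination outbound control described in this post, sketched as a default-deny policy check over connection attempts. This is an added example, not part of the original thread; the executable paths, host names and events are constructed placeholders.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Conn:
    exe: str   # full path of the process opening the connection
    host: str  # destination host name
    port: int  # destination TCP port

# Constructed policy: executable path -> allowed (host pattern, port) pairs.
# Paths and host names are placeholders. Unlisted programs get no outbound access.
_RULES = {
    r"C:\Program Files\Browser\browser.exe": [("*", 80), ("*", 443)],
    r"C:\Program Files\Mail\mail.exe": [("mail.example.com", 993)],
    r"C:\Program Files\Updater\updater.exe": [("updates.example.com", 443)],
}
# Windows paths are case-insensitive, so compare them lower-cased.
POLICY = {path.lower(): rules for path, rules in _RULES.items()}

def decide(conn, policy=POLICY):
    """Return (verdict, reason) for one outbound connection attempt."""
    rules = policy.get(conn.exe.lower())
    if rules is None:
        return ("deny", "application has no outbound rule")
    for pattern, port in rules:
        if port == conn.port and fnmatchcase(conn.host.lower(), pattern):
            return ("allow", f"matched {pattern}:{port}")
    return ("deny", "destination not permitted for this application")

# Constructed connection attempts, as a host firewall might log them.
EVENTS = [
    Conn(r"C:\Program Files\Browser\browser.exe", "news.example.org", 443),
    Conn(r"C:\Program Files\Updater\updater.exe", "updates.example.com", 443),
    Conn(r"C:\Program Files\Updater\updater.exe", "files.example.net", 443),
    Conn(r"C:\Users\alice\Downloads\tool.exe", "web.example.net", 80),
]

def audit(events, policy=POLICY):
    """Evaluate every event and return (event, verdict, reason) tuples."""
    return [(e, *decide(e, policy)) for e in events]

if __name__ == "__main__":
    for event, verdict, reason in audit(EVENTS):
        print(f"{verdict:5} {event.exe} -> {event.host}:{event.port} ({reason})")
```

The last two events are the cases a router doing only NAT cannot distinguish: a known program contacting an unexpected host, and a program with no rule at all.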
#4
Dapper,
Welcome to the forums! Referring to personal firewalls that operate at the network layer rather than application layer. BluePoint could technically be considered a firewall, albeit at the application layer. If you have a need to control network traffic on a per application basis, then by all means a personal firewall would be necessary. This is generally not something an average user would need IMHO. If all of the applications on a machine are trusted, can you provide an example of needing to control which applications are connecting outbound?
Last edited by BluePointSecurity; 07-09-2010 at 09:40 PM.
#5
Excellent point. With BPS nothing except programs that you know to be good are allowed to run.
#6
Another part of my thinking on this one is that I've yet to see a personal firewall properly stop outbound traffic when it really counts. If the firewall stopped all outbound traffic, then it would be quite secure, although your PC would be quite useless. With that in mind, you can already guess that some things will be allowed through, good and bad.
Here's an example that will bypass most if not all outbound inspecting firewalls: A simple executable that posts information to a receiving PHP script on a web server via a simple HTTP "POST". I've confirmed a working example of this with CIS 4.1.x (default settings), from within the sandbox no less. The example successfully sends IP info, currently logged in user, other system information. It would be tough for them or any solution to stop something like this; trouble is, many legit apps use this same functionality. Now you see why I don't believe in inspecting outbound traffic on an average user's machine. Not worth the popups, and they are easy as pie to bypass. Only allowing trusted code to execute makes the aforementioned example impossible, as my example executable would have been blocked from running anything in the first place. Bypassing a system like that is a challenge indeed.
#7
Question is... what can they really do with that info (IP add... system info)?
#8
That was just an example. What if they decided to grab your my docs folder and send those out (which could be done easily)? Most, if not all, sandboxes allow read access to the disk, which opens you up to data/information theft.
Allowing malware to run, even in a sandbox, is dangerous. That's one reason why we're not huge believers in sandboxing. Or personal firewalls.
Last edited by BluePointSecurity; 07-19-2010 at 03:59 PM.