Do I really need a firewall?

Techknowledge

Member
Jul 15, 2013
I know that a firewall is a piece of software (like Windows Firewall) or hardware (like your router) that blocks incoming and/or outgoing traffic from your computer/network to outside the network or internally. However, is installing it necessary if I don't have any ports open in the first place? Here are my questions:

1) I only use my computer to browse websites (port 80), send emails (port 25) and receive emails (port 110). Are all other ports in my computer opened by default if no software or application is behind them, or if I don't have a firewall?

2) How can a remote computer access my system (if ports are not open by default) and there is no firewall either? Can a remote computer/user open a port in my system?

3) Let's say I have open ports in my system, but no applications running on the ports in question; how can an attacker misuse or do anything if they get access to a port without an application running on it?

4) I know a firewall allows you to open and close ports, but is that the job of a firewall, and is there no other way to open or close a port on a local computer?

5) Let's say I don't have a firewall installed, and also I don't have any application running with a port open; the question is how can someone access my computer without an open port, OR with an open port but no application/service behind it?

6) If none of my applications is opening a port internally, how can an outside application access my computer (through what port)?

Do I really need a firewall in that case?

Please share example(s) of how, when a firewall is not enabled, outsiders can get access to my machine (if my ports are not opened in the first place): can they open them, and if so how, and what kind of things can they do? Please illustrate. For example, port 123 is open, but port 123 doesn't have an application listening, and an attacker can connect to host + port 123 and do damage.

Thanks
 
blankslate

Diamond Member
Jun 16, 2008
If all OSes shipped without any vulnerabilities then I suppose you wouldn't need a firewall.

However, if a remote person looking for computers to compromise can see your computer who knows if they have an exploit to take advantage of an unpatched zero-day vulnerability on the OS installed on your computer?


Better to have a good router that is set to not respond to any port scans (many routers refer to this as "stealth mode") so that if anyone is looking for computers to try to attack they're less likely to see your computer.
If your computer isn't obvious and responding to any and all port scans then it's harder to attack your computer.

http://whatismyipaddress.com/port-scan




 

Mushkins

Golden Member
Feb 11, 2013
Windows Firewall is built into the OS and defaults to being turned on for a reason.

Asking "do I really need a firewall?" is kind of like asking "should I lock my front door at night?" Any computer connected to the internet that is not protected by at least some sort of basic firewall is as easy to compromise as walking in that unlocked front door.

Simply put, yes, you need a firewall.
 

Techknowledge

Member
Jul 15, 2013
Thank you Blankslate and Mushkins. Does this mean a firewall's job is only to open and block ports on a computer whose traffic it is monitoring? Secondly, if a service that is listening on a designated port is not buggy, then even if you don't have a firewall, an attacker cannot do anything, i.e. expose an open port that doesn't have a service/application running in the first place? I need to understand the logic behind open ports vs. listening ports, and actual hacking happening due to open/listening ports vs. a buggy service running over an open/listening port.
 

MrColin

Platinum Member
May 21, 2003
An open port generally suggests that a potentially vulnerable service is running (often specific to certain port numbers).

Firewalls can do more than just block in/out traffic on certain ports but that's the main thing.
 

blankslate

Diamond Member
Jun 16, 2008
Thank you Blankslate and Mushkins. Does this mean a firewall's job is only to open and block ports on a computer whose traffic it is monitoring? Secondly, if a service that is listening on a designated port is not buggy, then even if you don't have a firewall, an attacker cannot do anything, i.e. expose an open port that doesn't have a service/application running in the first place? I need to understand the logic behind open ports vs. listening ports, and actual hacking happening due to open/listening ports vs. a buggy service running over an open/listening port.

The best thing I can tell you is to look up articles on port sniffers and the uses for them.

I am not an expert in networking. I can't go into depth on how open ports impact your system vs. listening ports.

I can tell you that the articles I've read about computer security, in regard to the benefits of using a firewall even on a fully patched computer, have convinced me that the costs (slightly increased system resource usage) vs. the benefits (lessening the likelihood of a compromised computer) of a firewall favor having one between your computer and the wide open internet.
 

Tuffrabbit

Member
Mar 11, 2005
What is the proper method to see which port(s) are open or closed at any given time when using a computer online? (Windows and/or Mac)
Thanks
 

Mushkins

Golden Member
Feb 11, 2013
Thank you Blankslate and Mushkins. Does this mean a firewall's job is only to open and block ports on a computer whose traffic it is monitoring? Secondly, if a service that is listening on a designated port is not buggy, then even if you don't have a firewall, an attacker cannot do anything, i.e. expose an open port that doesn't have a service/application running in the first place? I need to understand the logic behind open ports vs. listening ports, and actual hacking happening due to open/listening ports vs. a buggy service running over an open/listening port.

A firewall's job is essentially to stand between your PC and the wild wild west of the internet. It's the gatekeeper. It blocks ports, it allows ports, it notifies you when something potentially unusual (or *anything* if you want that level of protection) attempts to connect in or out or even programs that try to run without your consent.

As for your question about open ports, it entirely depends on the port and the attack vector. A good example is Windows Remote Desktop Protocol. For all intents and purposes, there's no bug or exploit here: if you have RDP enabled on your PCs and you don't have a firewall blocking RDP connections from the outside world, anyone can open up the built-in RDP client, type in your IP address, and now they're staring at *your login screen*. From there they can focus on attacking your password to gain total control of your PC. RDP doesn't care if that connection request is coming from you sitting at your other PC in the bedroom or from some guy in Taiwan; it's performing as designed. A firewall is what lets you say "I can connect from the PC in my bedroom, but deny that guy from Taiwan."
 

PrincessFrosty

Platinum Member
Feb 13, 2008
www.frostyhacks.blogspot.com
Thank you Blankslate and Mushkins. Does this mean a firewall's job is only to open and block ports on a computer whose traffic it is monitoring? Secondly, if a service that is listening on a designated port is not buggy, then even if you don't have a firewall, an attacker cannot do anything, i.e. expose an open port that doesn't have a service/application running in the first place? I need to understand the logic behind open ports vs. listening ports, and actual hacking happening due to open/listening ports vs. a buggy service running over an open/listening port.

Computers without a firewall would simply have every port open, and any application listening on one of those ports would be capable of receiving data, and if it was exploitable somehow then it would be vulnerable.

Firewalls, generally speaking, block all ports until you explicitly allow one open; that could be via a static rule you set, or via a rule that meets certain criteria. That really depends on the firewall and how configurable it is.

The introduction of home routers, which put all home and small business computers onto a LAN behind the router, meant that you kind of got a firewall for free, because packets aimed at the router would simply stop there; you had to specifically enable NAT and port forwarding through the router so it understood how to route packets from the internet back to the many computers on the LAN. Modern routers also have firewalls (usually bad ones).

Everyone ideally needs a firewall; the default stance in security is to block absolutely everything and minimize access between any devices/agents unless you have a very specific reason to allow otherwise, and a firewall is key in implementing that.
 

unokitty

Diamond Member
Jan 5, 2012
I know that a firewall is a piece of software (like Windows Firewall) or hardware (like your router) that blocks incoming and/or outgoing traffic from your computer/network to outside the network or internally. However, is installing it necessary if I don't have any ports open in the first place? Here are my questions:

1) I only use my computer to browse websites (port 80), send emails (port 25) and receive emails (port 110). Are all other ports in my computer opened by default if no software or application is behind them, or if I don't have a firewall?

2) How can a remote computer access my system (if ports are not open by default) and there is no firewall either? Can a remote computer/user open a port in my system?

3) Let's say I have open ports in my system, but no applications running on the ports in question; how can an attacker misuse or do anything if they get access to a port without an application running on it?

4) I know a firewall allows you to open and close ports, but is that the job of a firewall, and is there no other way to open or close a port on a local computer?

5) Let's say I don't have a firewall installed, and also I don't have any application running with a port open; the question is how can someone access my computer without an open port, OR with an open port but no application/service behind it?

6) If none of my applications is opening a port internally, how can an outside application access my computer (through what port)?

Do I really need a firewall in that case?

Please share example(s) of how, when a firewall is not enabled, outsiders can get access to my machine (if my ports are not opened in the first place): can they open them, and if so how, and what kind of things can they do? Please illustrate. For example, port 123 is open, but port 123 doesn't have an application listening, and an attacker can connect to host + port 123 and do damage.

Thanks


Since I don't know what you are trying to protect or who you are trying to protect it from, I can't respond to the question 'do you need a firewall.'

But I will respond to your other questions:

1. By default, different operating systems and different distributions leave different ports open. For example, if you have a public IP address, I can scan your system from any other system anywhere on the Internet and discover what O/S you are running and what ports that you have open. Google 'Nmap.'

2. Ports are used for communication. If you have open ports on a machine with a public IP address, then any remote machine anywhere on the Internet can connect to it. Google 'Banner Grabbing.'

3. An open port indicates that you have a service that is using that port. Whether you have an application that is using that port or not isn't relevant. Again see 'Banner grabbing.'

4. Firewalls are communication devices. They are configured by a human. The firewall configuration, not the firewall, determines what ports are open. Google 'iptables.'

5. Ports are considered open when you have a service running on it. Again Google 'Banner grabbing.'

6. Your applications are irrelevant. Your O/S and its services determine what ports are open. Anyone can access your computer through any open port.

If you have a default O/S install, you have open ports. If you are accessing the Internet, you have open ports.

If you want examples, you can find plenty of them at Mitre's Common Vulnerabilities and Exposures database.

Best of luck,
Uno
 

SecurityTheatre

Senior member
Aug 14, 2011
It's a bit important to recognize this distinction:

Ways you can refer to a TCP port:
Open - The port is "open" if a service is actively listening behind it and is responding to requests for new sessions
Closed - The port is "closed" if it is accessible to the network and not blocked by a firewall, but has no running service on it. This port will respond with a RST packet when a connection is attempted. This RST packet can be used to fingerprint the OS of the system, but generally does not enable attacks.
Filtered - The port is often said to be "filtered" or "blocked" if there is a firewall hardware/software that is blocking traffic. A connection request to this port will be met with silence.


That said, the primary risk of not having a firewall are the services you don't know about. When you fire up a Windows system, no less than 9 ports are opened by various components of Windows. You will see NetBIOS, WINS, SMB and RPC. In some cases you will see RDP (terminal services), DNS, Kerberos, LDAP and others. This machine may still be sitting at the login screen, having never been used, but exposes these things anyway.

These services present various risks. You can brute-force local passwords against SMB ports, you can probe for extraneous services using RPCmapper, you can attempt to capture credentials by spoofing local WINS responses (need to be on the LAN segment). You can target weak services in the OS. If guest browsing or null mapping of shares is enabled (default in many pre-Windows 8 systems), you might be able to read some unprotected files.

So, the Windows default is now to enable the firewall.

Also, almost every cable modem/router/wifi bridge today acts as a firewall. Most of these devices provide destination NAT (network address translation) services, and being a firewall is REQUIRED in order to provide a typical many-to-one destination NAT. This type of service doesn't make sense otherwise because it translates ports to multiple IPs. It must, inherently, block unused ports, which, by definition, makes it a firewall.

So, if you have an "internal" IP address (in the 192.168.x.x or 10.x.x.x or 172.16-25.x.x range), then you almost certainly have a firewall between you and the Internet.

If you have a default installation of Windows, you also have a software firewall.

Neat!
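The three port states listed above (and the original poster's "port 123 with nothing listening" case) can be observed on your own machine. This is an added example, not code from anyone in the thread: it probes one TCP port on loopback (127.0.0.1, assumed reachable), shows the same port number as open while a throwaway listener exists and as closed (RST, reported as ECONNREFUSED) once that listener is gone; the filtered state only appears when a firewall actually drops the packet, so it cannot be shown on plain loopback.

```python
import socket

# The three states SecurityTheatre describes: a listener accepts the
# connection (open), the OS answers with RST because nothing is listening
# (closed, surfaced by the kernel as ECONNREFUSED), or a firewall drops
# the packet and the attempt simply times out (filtered).
OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def classify_port(host, port, timeout=2.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port on host."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return OPEN
    except ConnectionRefusedError:
        # RST came back: the port is reachable but has no service behind it,
        # which is exactly the "open port, no application" case from the OP.
        return CLOSED
    except OSError:
        # Timeout (socket.timeout is an OSError) or unreachable network:
        # no answer at all, which is what a blocking firewall looks like.
        return FILTERED
    finally:
        sock.close()


def listen_on_ephemeral_port():
    """Start a throwaway listener on loopback; return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0 lets the OS pick a free port
    srv.listen(1)
    return srv, srv.getsockname()[1]


def demo():
    """Classify the same port with a listener present, then after it is gone."""
    srv, port = listen_on_ephemeral_port()
    while_listening = classify_port("127.0.0.1", port)
    srv.close()  # no service behind the port any more: the OS now sends RST
    after_close = classify_port("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    before, after = demo()
    print("with a listener:", before)  # open
    print("listener gone:  ", after)   # closed
```

Running the same probe against a host that sits behind a router or host firewall, from outside it, is where the third state shows up: the connect call just times out.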
 

Savatar

Senior member
Apr 21, 2009
Computers without a firewall would simply have every port open, and any application listening on one of those ports would be capable of receiving data, and if it was exploitable somehow then it would be vulnerable......

While this statement may help people conceptually think about a firewall, it's not true in practice. Most systems don't have anything near every port open... only a select few. If an application is not listening on the port, then it is considered closed, not open. However, you are correct that those ports that are open would all be 'reachable' without a firewall (assuming you're not using a router which requires port forwarding in order for external systems to hit your internal system's ports). In fact, because most people use wireless routers nowadays, most people don't have to worry too much about incoming traffic at all... they mostly just have to worry about outgoing traffic since most malicious software developers know that most users have routers for their internet connection... for example, a dropper executable connecting outside and downloading malicious software, and then this software would subsequently make outbound connections as well. Since most droppers just make outbound connections to common ports (FTP, HTTP or HTTPS), even good firewalls may not block this nowadays because they would allow HTTP and HTTPS outbound by default for web browsing.

Is a firewall still useful? Yes, it has some value, but it's not nearly as important as it was back when most people connected directly to the internet. It is still important for web servers or other systems directly reachable from the internet. If you have a wifi router which uses internal subnetting (usually 192.168.*), even if that router doesn't have firewall functionality, you're still pretty safe from incoming traffic because your system would first need to make an outbound connection (again, unless you use port forwarding for select ports/services).

That said, most firewall software nowadays (Comodo, Emsisoft, etc) bundles a lot of other features that are outside of the scope of what a firewall would normally be thought of as doing, and some of this is incredibly useful - like identifying some malicious web requests before your system connects to the site (this would block the case above, in some situations), some system hijacking protection (protection from keyloggers and so on), limited IDS functionality, some malware scanning, and so on. Nowadays, that functionality may be considered as more important than the firewall functionality itself.
 

PrincessFrosty

Platinum Member
Feb 13, 2008
www.frostyhacks.blogspot.com
This is true; it's a slightly simplified take on the situation. When I say it has every port open, I do not mean to say that every port has a service/app listening for connections, rather that the port is simply reachable; of course, with no app to respond and abuse, it doesn't really get you anywhere.

SecurityTheatre has a good explanation of the states ports can be in, so to speak.

While I agree with what you say about routers to some extent (my prior post reflects this), it's worth noting that MOST modern routers have UPnP enabled by default, and so applications are able to tunnel out and enable what is essentially temporary port forwarding on arbitrary ports.

There are some attacks like NAT pinning which abuse UPnP to allow remote users to craft malicious webpages to do this; I'm sure there are other ways of achieving the same thing on most residential routers.

In these cases having firewalls enabled helps stop the attack; obviously the firewall needs to be explicitly blocking the target ports. It's worth noting that (especially with Windows Firewall) some internet-based applications will punch a hole through the firewall; sometimes they'll prompt you and other times they won't. Any application with admin access on your PC can modify the firewall, so it's worth reviewing firewall rules from time to time to see what is being allowed through.
 

Savatar

Senior member
Apr 21, 2009
This is true; it's a slightly simplified take on the situation. When I say it has every port open, I do not mean to say that every port has a service/app listening for connections, rather that the port is simply reachable; of course, with no app to respond and abuse, it doesn't really get you anywhere.

SecurityTheatre has a good explanation of the states ports can be in, so to speak.

While I agree with what you say about routers to some extent (my prior post reflects this), it's worth noting that MOST modern routers have UPnP enabled by default, and so applications are able to tunnel out and enable what is essentially temporary port forwarding on arbitrary ports.

There are some attacks like NAT pinning which abuse UPnP to allow remote users to craft malicious webpages to do this; I'm sure there are other ways of achieving the same thing on most residential routers.

In these cases having firewalls enabled helps stop the attack; obviously the firewall needs to be explicitly blocking the target ports. It's worth noting that (especially with Windows Firewall) some internet-based applications will punch a hole through the firewall; sometimes they'll prompt you and other times they won't. Any application with admin access on your PC can modify the firewall, so it's worth reviewing firewall rules from time to time to see what is being allowed through.

I didn't know that about UPnP being enabled by default on a lot of routers, thanks! I checked my router just to make sure, and verified it was disabled.
 

JBT

Lifer
Nov 28, 2001
Filtering source addresses is always a good idea if you can. Say for example you are running a web site on port 80; if it's open to the world, different servers will respond in a certain way when they are accessed. A Windows server running IIS 7.5 will present different error messages than a Windows machine running Apache 2.2. And again, a Linux machine running Apache will be different than the Windows system running it. This helps narrow down for the attacker what type of device they are connecting to. This in turn helps them identify what types of exploits are available.

Even the different versions of Apache or IIS will return different results from patch to patch. If you find one old piece of software, it's very likely that there are more vulnerable apps, and it opens that system up to many more attack attempts.
 

WelshBloke

Lifer
Jan 12, 2005
OP, leave your network open with no firewall, install PeerBlock, install an IP list for China into PeerBlock, and watch how many alerts you get from random Chinese IP addresses trying to connect to your PC. Reconsider options.
 

John Connor

Lifer
Nov 30, 2012
LOL! I have precisely that (PeerBlock) on a thin client hosting a torrent and a TeamSpeak server, and you wouldn't believe all the blocks from China. I block around 17 countries; most of them are Arab countries, China and Taiwan, and most blocks come from China. Saudi Arabia comes in third, with Taiwan coming in second.