Convince Me I Should Use a Firewall and AV Software
- Vicsun
- Posts: 4547
- Joined: Mon Dec 25, 2000 12:00 pm
- Location: liberally sprinkled in the film's opening scene
- Contact:
Here's the deal: I never ran a firewall, and still don't - I couldn't really be bothered setting Windows Firewall up so it doesn't break Azureus, so I disabled it, and I don't have any anti-virus software installed. When I feel paranoid (read: for some reason Windows isn't running as I think it should) I run an online virus scan, but I have yet to find an infection (read: Windows wasn't behaving as it should for what can be considered no reason at all). I have Norton Anti-virus somewhere but it's such a goddamn resource hog I refuse to use it on anything other than an 'on-demand' basis.
Am I doing something wrong? All self-proclaimed computer gurus I've talked to keep advising me to get some protection but they have all failed to give me reasons other than personal anecdotes which count for absolutely nothing. And this is why I lay the question to the wisest wisefolk at gamebanshee. Do I really need AV software and a Firewall, considering I keep Windows updated and don't open attachments from unknown senders called I.SWEAR.THIS.ISN'T.A.VIRUS.OKAY.MAYBE.IT.IS.EXE?
Vicsun, I certainly agree with your assertion that you are an unpleasant person. ~Chanak
- Ned Flanders
- Posts: 4867
- Joined: Mon May 28, 2001 10:00 pm
- Location: Springfield
- Contact:
- Vicsun
- Posts: 4547
- Joined: Mon Dec 25, 2000 12:00 pm
- Location: liberally sprinkled in the film's opening scene
- Contact:
[QUOTE=Ned Flanders]What kind of an Inet connex do you have and do you keep your machine running 24/7.[/QUOTE]
256/256 ADSL, running about 8 hours/day unless I'm downloading something large in which case it is running 24/7. It's not connected directly to the internet, but through the living-room computer which has also always run without any AV software or a firewall. It is online most of the time (it's shut down overnight for maybe 3 nights of the week), and, again, I've had very few problems with it that were related to viruses, or other malicious software.
While my computer is a decent Athlon2100+ with 512MB RAM, the computer directly connected to the internet is a Pentium 3 600MHz with 256MB of RAM (I think...) and I am somewhat reluctant to constantly run any AV software or Firewall (especially heavyweights like Norton's products) as I think it'll likely abuse the hell out of the machine.
edit: while you're at it, care to recommend a good firewall and anti-virus? You know, just in case... I've heard good things for both Avast!, Nod32, and BitDefender, but I've done very little research myself.
Vicsun, I certainly agree with your assertion that you are an unpleasant person. ~Chanak
- Ned Flanders
- Posts: 4867
- Joined: Mon May 28, 2001 10:00 pm
- Location: Springfield
- Contact:
The best firewall you can make for the price (which is also very high in quality) is to convert the machine you have connected to the Internet into a multihomed Red Hat firewall. It will be 100X better than any of the cheap retail firewall/routers one can purchase.
Now, the machine you have connected to the Internet, what exactly is it? Is it a multihomed machine or is it a Windows box running ICS?
Crush enemies, see them driven before you, and hear the lamentations of the women.
- Vicsun
- Posts: 4547
- Joined: Mon Dec 25, 2000 12:00 pm
- Location: liberally sprinkled in the film's opening scene
- Contact:
[QUOTE=Ned Flanders]The best firewall you can make for the price (which is also very high in quality) is to convert the machine you have connected to the Internet into a multihomed Red Hat firewall. It will be 100X better than any of the cheap retail firewall/routers one can purchase.
Now, the machine you have connected to the Internet, what exactly is it? Is it a multihomed machine or is it a Windows box running ICS?[/QUOTE]
While I'd love to install Red-Hat to play around with, the machine connected to the internet is actively being used as a multimedia machine (along with a TV-Tuner which I might or might not be able to get to run under Linux...) and internet terminal by people other than myself, so installing a different OS is out of the question.
And yes, it's a Windows box running ICS.
Vicsun, I certainly agree with your assertion that you are an unpleasant person. ~Chanak
Well, Red Hat is no longer in development as a home use OS, that's been spun off as the Fedora Project. It's basically the same thing as Red Hat, but not under that name. And Red Hat/Fedora is one of the larger, more bloated Linux distros out there, but any good distro you're comfortable with and that does what you need it to will do. Anyway... for the entire time I was using Windows I almost never had a virus problem and I rarely had virus software installed, and never set up Windows Firewall. As long as you don't neglect your computer you should be fine. Keep your disks clean of junk, if you get spy/adware hunt it down and get rid of it (I've managed to do it rather successfully without the aid of software, but there are a few good free ones out there), defrag often (weekly), and reformat 1-2 times a year to keep it running really clean. And the newer Linux distros have support for a ridiculous amount of hardware, just check out their home pages. http://www.distrowatch.com
You would be surprised how easy it is for someone who's never seen Linux before to run an OS like Red Hat/Fedora. If you use KDE it's set up to make the Windows translation painless, and with Red Hat/Fedora they have great package management and easy to install applications so you don't have to worry about doing things the old fashioned way.
"I'll take the stupid one who decided to threaten us, instead of shoot us when he had the chance" - Bao-Dur
Problem is that with 24/7 connections your computer is open to portscans unless you have a firewall blocking these.
This means that you open yourself up for trojan horse attacks, basically opening your computer up to the attacker and possibly making your computer into a "zombie" (used for DOS attacks on websites).
And trojan attacks can come easily without being a mail attachment, but directly directed at open ports on your computer.
A firewall will also help you to avoid programs accessing the Internet without your express desire, because you can block them when they request access until you are sure that you want them to.
I would recommend you getting a firewall at the least.
Personally - I'd never run on a broadband Internet connection without a firewall, because of the activity I can see my firewall is notifying me about.
Dial up is not as big an issue unless you spend many hours on the Internet which is more rare with dial-up.
As for antivirus software, then that is much more subjective. Viruses often come in e-mails, and with 2-3 simple precautions one can avoid most any virus.
1) Never open e-mails (preview window counts as opening) from people you don't know.
2) Never open or run attachments you haven't asked for, from people you don't trust 100% to run a secure/clean machine - friends can be infected as well, so be careful with them as well.
3) Never follow links in e-mails from people you don't trust.
Follow these and you'll likely never get a virus from an e-mail.
So personally - I would say one could easily live without Antivirus software.... however, personally - I run it anyway, just to be on the safe side.
As for Norton being resource heavy, then it is true (to a degree), and my liking of Norton has dropped seriously with the 2005 version (crap crap crap - but I loved the 2003 version) - however, in this day and age of fast and cheap hardware being resource "heavy" is less of an issue than it was 2-3-4 years ago.
Insert signature here.
- Vicsun
- Posts: 4547
- Joined: Mon Dec 25, 2000 12:00 pm
- Location: liberally sprinkled in the film's opening scene
- Contact:
[QUOTE=Skuld]Well redhat is no longer in development as a home use OS, that's been spun off as the Fedora Project. It's basically the same thing as redhat, but not under that name. And redhat/fedora is one of the larger more bloated linux distros out there, but any good distro your comfortable with and does what you need it to will do. Anyway... for the entire time I was using windows I almost never had a virus problem and I rarely had a virus software installed, and never setup windows firewall. As long as you don't neglect your computer you should be fine. Keep your disks clean of junk, if you get spy/adware hunt it down and get rid of it(I've managed to do it rather successfully without the aid of software, but there are a few good free ones out there), defrag often(weekly), and reformat 1-2 times a year to keep it running really clean. And the newer linux distros have support for a ridiculous amount of hardware, just check out their home pages. http://www.distrowatch.com .
You would be surprised how easy it is for someone who's never seen linux before to run an OS like redhat/fedora. If you use KDE it's setup to make the windows translation painless, and with redhat/fedora they have great package management and easy to install applications so you don't have to worry about doing things the old fashioned way.[/QUOTE]
As I said, the main reason I won't be changing the OS is the fact that I'm not the only one using the computer, and seeing as one of the users is a C# developer (amongst other things), the change to a non-MS OS won't go over well.
[QUOTE=Xandax]This means that you open yourself up for trojan horses attacks[/QUOTE]
I was under the impression Trojan Horses, like viruses, are at their core applications - to get my computer remotely controlled (and f.ex. used in a DDoS attack) I'd have to manually open a file which actually executes code on my machine. And it won't really take me a long time to notice the massive amounts of outbound traffic a DDoS attack from my computer would generate.
[QUOTE=Xandax]And trojan attacks can come easily withouth being a mail attachment, but directly directed at open ports on your computer.[/QUOTE]
Can you be a bit more technical on how? I'm certain an open port number, by itself, is not enough for an attacker to run code on my machine...
[QUOTE=Xandax]A firewall will also help you to avoid programs accessing the Internet without your express desire, because you can block them when they request access until you are sure that you want them to.[/QUOTE]
While an outbound traffic filter is a relatively interesting feature to have, it's not particularly useful; I rather rely on not acquiring any software that needs to be blocked before it accesses the internet, rather than having blocking it once it's on my computer.
[QUOTE=Xandax]As for antivirus software, then that is much more subjective. Virus often comes in e-mails, and with 2-3 simple precautions one can avoid most any virus.
1) Never open e-mails (preview window counts as opening) from people you dont' know.
2) Never open or run attachments you haven't asked for, from people you don't trust 100% to run a secure/clean machine - friends can be infected as well, so be carefull with them as well.
3) Never follow links in e-mails from people you don't trust.
Following these and you'll likely never get a virus from an e-mail.
So personally - I would say one could easily live withouth Antivirus software.... however, personally - I run it anyway, just to be on the safe side.[/QUOTE]
I'd argue you're being overly paranoid, but that would have little relevance to the discussion - I've yet to be infected by an e-mail spread virus and get no spam on my main email account so I'm probably doing something right.
[QUOTE=Xandax]As for Norton being ressources heavy, then it is true (to a degree), and my likeing Norton has dropped seirously with the 2005 version (crap crap crap - but I loved the 2003 version) - however, in this day and age of fast and cheap hardware being ressources "heavy" is less of an issue, then it was 2-3-4 years ago.[/QUOTE]
The minimalist in me disagrees - that extra second it takes for Windows to load is not only noticeable, it is annoying. The extra RAM can always be better spent on something else; more power is no excuse for sloppiness. That and I'll likely also be running AV on my other 600MHz/256MB RAM machine.
Vicsun, I certainly agree with your assertion that you are an unpleasant person. ~Chanak
- Ned Flanders
- Posts: 4867
- Joined: Mon May 28, 2001 10:00 pm
- Location: Springfield
- Contact:
Thanks Xan, most of your post is where I was headed.
Yes Vicsun, an open port number is not enough for an attacker to run code on your machine. However, the IP address and an open port number is enough for an attacker to run code. So yes, without any protection at all on a broadband connection, it is pretty easily facilitated.
Now, a wrench is thrown into this with ICS. I don't know the inner workings of ICS but I'd say I don't think your particular machine is at risk unless of course you visit a malicious site and make the requests necessary to execute code. The computer with the direct connection to the Internet (the multimedia player you mentioned) is at risk.
The bottom line is if you've got no problems and you're happy, don't change a thing. My own two cents: I wouldn't want to have my machines on an unprotected network and I'm amazed given the lack of security on your network you haven't had problems before. But if that's the way it is, that's the way it is.
Crush enemies, see them driven before you, and hear the lamentations of the women.
[QUOTE=Vicsun]<snip>
I was under the impression Trojan Horses, like viruses, are at their core applications - to get my computer remotely controlled (and f.ex. used in a DDoS attack) I'd have to manually open a file which actually executes code on my machine. And it won't really take me a long time to notice the massive amounts of outbound traffic a DDoS attack from my computer would generate
Can you be a bit more technical on how? I'm certain an open port number, by itself, is not enough for an attacker to run code on my machine...
<snip>
[/quote]
Well - I'm by no means a security wizard, so I'm not sure how technical I actually can become. I'm more of an experienced user who has some technical knowledge, and read a lot (it is somewhat related to work).
However - Trojan horses are in effect named for a reason. They act/tell the computer they are something but in fact they have the nasty server application payload which if infected will allow the client software direct access to your computer.
A trojan horse communicates with your computer via the IP address and port number, and if your port isn't closed for incoming traffic the trojan can infect your computer, and I'm pretty sure they can do so without you having to do anything, because the computer thinks it is a legit packet coming to the port - so why should it ask you to run it? It isn't like the old days when you received an .exe file via mail, and had to execute it - many things run automatically these days.
Firewalls help here firstly by "closing" all unused ports, so a portscan will not show that the port is active. Furthermore it will scan incoming traffic for signatures which will reveal if the packet is in fact a trojan horse.
Also - software has holes, so while you update Windows regularly, it will still have security holes that will allow somebody to take control of your computer and execute code. This is why many people "complain" about the security in Internet Explorer because it is riddled with holes allowing for code to be run via it - often these are buffer overflow holes (basically meaning that a long string of information is sent to the program which it can't contain fully, so the "left over" string can be interpreted as code, and executed.... I think)
It is similar, that nowadays "they" can hide code in jpeg images, which if unprotected (software not "up to date") can run even as you view the image itself. Again - it isn't like it was 5 years ago, when such things were much more manual and much rarer.
In the old days you almost only had viruses spread via discs that people lent to each other with games or something similar. Nowadays viruses and trojan horses are very complex business.
As for detecting the traffic if one's computer is used for a DoS attack, then I don't think it will be that noticeable as you seem to indicate. Remember that thousands of computer-zombies are involved in such attacks and try pinging a website/domain and notice how little traffic that generates. It isn't much - however - it isn't really the main argument for a firewall.
One of the arguments is that if you do get infected by a trojan, then the trojan will access the Internet - and here the outgoing traffic monitor would kick in and warn you that some service is trying to access the Internet.
Thus the 2 main reasons - in my view - for getting a firewall are closing all ports to a port scan, and containing the problem if you do get infected.
[QUOTE=Vicsun]<snip>
While an outbound traffic filter is a relatively interesting feature to have, it's not particularly useful; I rather rely on not acquiring any software that needs to be blocked before it accesses the internet, rather than having blocking it once it's on my computer
<snip>
[/quote]
As with the trojan example just above, a control of outgoing connections/traffic can help contain the issue if you get infected.
However - many other things happen "behind the screen" which one might not know of.
When I just recently reinstalled Windows, then the first thing it tried to do was the Windows printer spooler wanted to access the Internet, some weird IP located some place obscure. Now I've no doubt that it was a legit request after all I'd only just installed Windows - but I saw no reason whatsoever to allow that to access the Internet. I didn't even (and still don't) have a printer driver installed and my printer wasn't turned on, so what on earth did it want to go online for?
So while you might think that you have no software which requires access to the Internet, and thus is "safe" it is very possible that a large number of your software actually is communicating with the Internet without you knowing it.
This is also a privacy issue, I see no reason for letting software vendors know when I use their programs by allowing them to access the Internet and searching for god knows what.
It might be paranoia, but all it takes is one bad seed, and a computer can be infected in a very short time.
Basically - to me - a Firewall is like insurance. While you don't have need of it, it feels like a waste, but the moment something pops up - it sure felt good that my computer was (somewhat) protected.
[QUOTE=Vicsun]<snip>
I'd argue you're being overly paranoid, but that would have little relevance to the discussion - I've yet to be infected by an e-mail spread virus and get no spam on my main email account so I'm probably doing something right
<snip>
[/quote]
I've had a minor infection once, and have received multiple e-mails with viruses. I've also received multiple hits on my firewall from Trojan Horses and portscans.
But I might be somewhat paranoid, but I attribute that to actually knowing something of what is going on in some of the greyer areas of the Internet.
I don't think it is necessary to have an antivirus. But a firewall in my view is a very good thing although maybe not necessary. I'd think it is perfectly possible to run without ever having anything happen - however it is also perfectly possible to get infected after 10 minutes of connecting to the Internet. It is all about luck without protection.
And it might seem unnecessary, but I'd much rather be safe than sorry. Suppose a keylogging trojan infected your computer without you knowing ... could be quite expensive, in case of for instance homebanking.
If you have no problems, then fine - you don't need it, just like you don't need insurance against theft and similar - I'm not trying to convince you. I'm just giving an alternative perspective. I'm no security freak, I just do that little something which makes it harder to get infected, and doing so for such a small price.
I'd much rather pose the question - what do you lose by running a firewall which makes it unwanted? A few percentage of your RAM and CPU speed is about all.
Hmmm - long rambling, and I've likely said something multiple times, and some of the things might also be wrong, I can't keep up anymore with what I wrote.
Edit: or is it "worms" which spread on their own ..... hmm - can't remember, and too lazy to look it up atm
Insert signature here.
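An added example, not part of the post above: one way to pick the portscan "hits" Xandax mentions out of a firewall log. It assumes the Windows Firewall text log layout (pfirewall.log) with a `#Fields:` header; the sample lines, the function names and the thresholds (5 distinct ports within 60 seconds) are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the pfirewall.log layout; addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-07-02 10:15:01 DROP TCP 203.0.113.7 192.0.2.10 40001 21 48 S 100 0 65535 - - - RECEIVE
2005-07-02 10:15:01 DROP TCP 203.0.113.7 192.0.2.10 40002 23 48 S 101 0 65535 - - - RECEIVE
2005-07-02 10:15:02 DROP TCP 203.0.113.7 192.0.2.10 40003 80 48 S 102 0 65535 - - - RECEIVE
2005-07-02 10:15:02 DROP TCP 203.0.113.7 192.0.2.10 40004 135 48 S 103 0 65535 - - - RECEIVE
2005-07-02 10:15:03 DROP TCP 203.0.113.7 192.0.2.10 40005 139 48 S 104 0 65535 - - - RECEIVE
2005-07-02 10:15:03 DROP TCP 203.0.113.7 192.0.2.10 40006 445 48 S 105 0 65535 - - - RECEIVE
2005-07-02 10:20:10 DROP TCP 198.51.100.20 192.0.2.10 3312 445 48 S 200 0 65535 - - - RECEIVE
2005-07-02 10:20:13 DROP TCP 198.51.100.20 192.0.2.10 3312 445 48 S 200 0 65535 - - - RECEIVE
2005-07-02 10:21:00 DROP ICMP 198.51.100.20 192.0.2.10 - - 60 - - - - 8 0 - RECEIVE
2005-07-02 10:22:00 ALLOW TCP 192.0.2.10 198.51.100.80 1055 80 0 - 0 0 0 - - - SEND
"""

def parse(log_text):
    """Yield one dict per record, keyed by the names on the #Fields line."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
            yield rec

def find_port_scans(log_text, min_ports=5, window=timedelta(seconds=60)):
    """Map each source IP whose dropped packets touched at least min_ports
    distinct destination ports inside one sliding window to every port it
    probed. Repeated knocks on a single port are not counted as a scan."""
    hits = defaultdict(list)
    for rec in parse(log_text):
        if rec["action"] == "DROP" and rec["dst-port"].isdigit():
            hits[rec["src-ip"]].append((rec["ts"], int(rec["dst-port"])))
    scans = {}
    for src, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= min_ports:
                scans[src] = sorted({p for _, p in events})
                break
    return scans
```

In the sample, the first source sweeps six ports in three seconds and is reported; the second only retries port 445 and sends one ICMP echo, so it is not.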
- Vicsun
- Posts: 4547
- Joined: Mon Dec 25, 2000 12:00 pm
- Location: liberally sprinkled in the film's opening scene
- Contact:
Xandax wrote: ...As for detecting the traffic if ones computer is used for a DoS attack, then I don't think it will be that noticeble as you seem to indicate. Remember that thousands of computer-zombies are involved in such attacks and try pinging a website/domain and notice how little traffic that generates. It isn't much - however - it isn't really the main argument for a firewall...
This is relatively minor, but: AFAIK, a DoS attack will utilize all of my upload as it obviously doesn't just ping the website once. Since the purpose of a DoS is to flood a site with packets, the attacker will use as much bandwidth as possible to deliver as many packets as possible. That's the reason a zombied machine on a T3 line would be a lot more valuable than a zombied machine on a 56K.
Xandax wrote: ...I'm not trying to convice you. I'm just giving an alternative perspective.
And that's exactly what I was hoping for when I posted the thread. Thanks for the eye-opener.
On a related note, I ran several online port-scanning tests on the machine directed directly to the internet and they all point out all my ports are stealthed except http and ftp (80 and 21). After some reading, I am now convinced my router is acting as a hardware firewall.
Vicsun, I certainly agree with your assertion that you are an unpleasant person. ~Chanak
- Ned Flanders
- Posts: 4867
- Joined: Mon May 28, 2001 10:00 pm
- Location: Springfield
- Contact:
[QUOTE=Vicsun]This is relatively minor, but: AFAIK, a DoS attack will utilize all of my upload as it obviously doesn't just ping the website once. Since the purpose of a DoS is to flood a site with packets, the attacker will use as much bandwidth as possible to deliver as many packets as possible. That's the reason a zombied machine on a T3 line would be a lot more valuable than a zombied machine on a 56K[/QUOTE]
Not true. Sending ICMP packets will be of little consequence to your own computer but when thousands bombard a web server simultaneously, the DoS attack can shut it down. DoS attacks are meant to bring a web server to its knees, not cripple the clients. If the clients are crippled, then they can be as efficient in bringing down the web server.
regarding your router/firewall: You ought to be able to login to it and see the firewalling capabilities it has.
Crush enemies, see them driven before you, and hear the lamentations of the women.
- Vicsun
- Posts: 4547
- Joined: Mon Dec 25, 2000 12:00 pm
- Location: liberally sprinkled in the film's opening scene
- Contact:
Ned Flanders wrote: Not true. Sending ICMP packets will be of little consequence to your own computer but when thousands bombard a web server simultaneously, the DoS attack can shut it down. DoS attacks are meant to bring a web server to it's knees, not cripple the clients. If the clients are crippled, then they can be as efficient in bringing down the web server.
For some reason I just saw this post now, and it still doesn't quite make sense to me.
If a server can serve, say, 15 megabytes worth of data per second, and a hacker managed to zombie 15 machines with a 1 MB/s connection, wouldn't that hacker utilize all the bandwidth of those 15 machines in order to flood the server? Yes, the hacker's goal isn't the crippling of the clients, but wouldn't that be a side-effect regardless?
Or are you saying that hackers are able to zombify such copious amounts of machines that they only need a fraction of the bandwidth they have at their disposal to bring a server down, and thus the clients won't notice?
Ned Flanders wrote: regarding your router/firewall: You ought to be able to login to it and see the firewalling capabilities it has.
After getting a router for direct internet access (I'm no longer connected to the net through another machine) and having a few programs which like open ports cease functioning optimally, I did login, and, as expected, it had blocked most open ports.
edit: ^ o my what a fractured and hard-to-read sentence I managed to spew out ... how absolutely and atrociously abominable ^
Vicsun, I certainly agree with your assertion that you are an unpleasant person. ~Chanak
[QUOTE=Vicsun]For some reason I just saw this post now, and it still doesn't quite make sense to me.
If a server can serve, say, 15 megabytes worth of data per second, and a hacker managed to zombie 15 machines with a 1 MB/s connection, wouldn't that hacker utilize all the bandwidth of those 15 machines in order to flood the server? Yes, the hacker's goal isn't the crippling of the clients, but wouldn't that be a side-effect regardless?
Or are you saying that hackers are able to zombify such copious amounts of machines that they only need a fraction of the bandwidth they have at their disposal to bring a server down, and thus the clients won't notice?
<snip>[/QUOTE]
There are literally thousands of zombies involved in a DoS attack.
Also - the attack doesn't really require sending much data to and from the zombies, because that would make DoS more easily traceable and detectable.
DoS is requesting data from the server or sending fake packets over and over and over again.
The packets required in a DoS (or any request) are rather marginal in size.
What takes bandwidth on a network is the sending of graphics and similar information, and that isn't involved in a DoS.
Although I have no figures or that much in-depth knowledge of this, I wouldn't be worried that an active computer is being utilized in a DoS. It is more those countless servers hooked to the Internet 24/7 with holes in their security that one needs to worry about.
Insert signature here.
- Raa
- Posts: 79
- Joined: Fri Jul 01, 2005 8:27 am
- Location: A dark corner of Europe where vampires still roam
- Contact:
BTW.
[QUOTE=Xandax]
1) Never open e-mails (preview window counts as opening) from people you don't know.
[/QUOTE]
Actually, this can easily be remedied... simply do not use Outlook of any kind and you can open whatever email you wish.
Outlooks are full of holes, and their fancy flashy multimedia features bring risk of activating anything contained in the email even when just previewing.
For example, Eudora, which I'm using, opens nothing by itself, not even embedded images, until I request it.
Just my 2 cents
ROMERO: If you should see any zombies in that time, you need to put them down. Just don't let them bite you.
PC: Why? Do you turn into a zombie if they bite you?
ROMERO: Naw, it just hurts like a bitch.
Mry Ymen-Raa, neb n'swt ta'wy
[QUOTE=Vicsun]Or are you saying that hackers are able to zombify such copious amounts of machines that they only need a fraction of the bandwidth they have at their disposal to bring a server down, and thus the clients won't notice?[/QUOTE]
Two things about DOS attacks, the second of which I'm surprised wasn't mentioned before.
First, yes, hackers use such copious amounts of machines etc., etc. Thousands at once, which have in common (other than having the zombie code) always-on high-speed connections, and they're all unsecured.
Second, it's essential to DOS attacks that infected client machines show no performance problem - otherwise the users would know something was wrong and either deal with their local problem (unlikely) or else blame their ISP (who btw could easily prevent the attacking traffic from reaching the internet, but have no reason to if their customers aren't complaining).
Check this out, and the links, to see more about DOS.
http://www.grc.com/dos/grcdos.htm
"Winston, if you were my husband I would poison your coffee." Lady Nancy Astor
"If you were my wife, Madam, I would surely drink it." Sir Winston Churchill