Is an outbound firewall needed?

Read the article that everyone's commenting on.
Subscribe to the RSS Feed for comments on this article.

novice, any packet, whether the program is connected to the internet or not, will be checked by the software firewall (even though it might not be going out).. The port # is located in the header of every packet. The file MUST be scanned in order to find out which program it relates to (something a software firewall must do).
Depending on if it's set to check both incoming and outgoing packets or just 1 or the other, is the only situation where you may see a difference--Windows Firewall only checks incoming connections for example.

Leo's way is the best/most practical way to do it. If you have a NAT router (which makes sure all unused ports are closed) & if you keep your system clean from the get-go (ie have decent virus protection -- i recommend NOD32), then you never have to worry about "bad things, trying to get out", because "bad things" will never get on. In cases like this, an outbound firewall is totally redundant..

Several popular commercial software programs are (at least arguably) spyware - some versions of a very common media player have been mentioned for example. There was no option to tell it not to send a list of the files you played back to them. An outbound firewall can protect you from this. Many antivirus or antispyware programs will not detect popular commercial software (for fear of legal liability).

Regarding "it's too late".
Suppose keylogger or trojan already infected computer. It's no good, i agree. But outbound firewall *prevented* this bad thing from sending out electronic payment system details, hence made keylogger or trojan useless as it never succeeds in completing its objective - sending data to its master.

|| But lets assume that you did get infected by a truly malicious key logger - one that was attempting to hide, and send all your keystrokes to some overseas hacker. Well, at the risk of repeating myself too many times: it's too late. Your machine has been compromised, and you can no longer trust it; and that includes trusting your firewall. Yes, your outbound firewall might block the transmission - or it might not. The malware could, in fact, include additional code to actually reconfigure your firewall to let the malware's communication through. It's been done. ||

You are reffering in this example to unknown vulnerable firewall software, but applying conclusions to outbound firewall in general. Is that slyness or fortuity?
Why haven't you told anything about outbound firewall software which is guarded by Host Intrusion Prevention System (HIPS), which *prevents* malware from:
- including any code to firewall;
- reconfiguring it ;
- modifying operating system in other way in order to send data bypassing outbound firewall.
Comodo Internet Security (CIS) is example of such firewall software. Maybe there are some other firewall products out there which can do same? Pls, inform me.

|| You have said that when an outbound firewall stops something it is already too late. But don't you think outbound firewall might stop a key logger from at least sending logs to an email or remote computer? Or would it not? ||

You substituted "outbound firewall" for unknown leaky outbound firewall software. Why?
There are real world outbound firewalls that don't leak (i know one - CIS).

|| It's intrusive. Outbound firewalls are only practically available as components of software firewalls that you install on your machine. As such, these firewalls take up additional resources to do their job. Rather than do that, a router will give you the inbound protection you need without taking up additional resources on your machine. ||

"Additional resources" is subjective term. For example, what is better: spend system's additional resources (how many? :) ) OR save resources, but risk to be infected with trojan (zero day virus - anti-virus won't detect it) that will leak electronic payment system login & password.

|| It's frequently wrong. ...With too many errors, indecipherable messages or false positives, people tend to ignore the warnings after a while, rendering the outbound firewall ineffective. ||

In some cases *people* "tend to ignore the warnings...". But what's wrong with outbound firewall? Lack of clarity etc. is subjective not to say more. And differs from user to user, from one firewall software to another.

|| Is there a case for an outgoing firewall at all? Many experts will disagree with me and say absolutely, that they add a lot of value and that the issues I've raised are simply off target or over-stated. But I remain of the opinion that if an outgoing firewall is, in fact, adding value it's because your incoming protection is inadequate. ||

Many ordinary users may have their pc infected even with adequate incoming protection. Friend's infected flash drive, executable from trusted source which in fact is malware, social engineering, malicious e-mail attachments.
What to do with those examples when people's computers (those behind NAT or those part of closed enterprise networks) got infected from "inside"?
Anti-Virus-Spyware and other signature-based detection software will NOT detect malicious executables (trojans, keyloggers) if they are zero day viruses/malware (those viruses/malware, for which specific antivirus software signatures are not yet available).

as a long time member on wilders security and some one who is always testing security products with live malware I am going to make Comment.

Regarding the "it's too late".comment. It is not an outbound firewalls job to prevent infection from happening in the first place. An out bound firewall is designed to do just that Police all out going traffic, not prevent the installation of malware.

Yes it is possible for malware to bypass out bound firewalls. But I wouldn't go as far as to say an outbound firewall is not needed. Going by that logic one could also argue that zero day malware can also disable and bypass Anti virus Programs so therefore it is a waste of time using an anti virus program as well.

While Router with Nat is good to have, a Router with Nat alone will not save you from getting keyloggers neither will it prevent the keylogger from making outgoing connections.

That said a lot of software outbound firewalls are improving in strength they have now added in "Host Intrusion Prevention" components to prevent the infection/installation of malware.

To sum this up it is better to have a layered security approach ie Nat Router, software firewall, AV, and a backed up Image of your OS. Rather than just using A Nat Router.

To post a comment on "Is an outbound firewall needed?", please return to that article's main page.