Is an outbound firewall needed?

I have to agree that by the time an out going firewall alerts you of a problem , you already have one.
But in some cases, that is the first ,and possibly, the only indication that you have the problem. As well they are very handy at stopping malware downloaders.

Keep in mind that a software (in/outbound) firewall has to go thru the header of EVERY SINGLE packet being sent AND received. This means it will require a variable amount of resources, depending on how you use your connection.

If you download/upload a lot of information (even if you unblocked the program), your software firewall must still spend CPU resources to read all those packet headers.
If you're playing a game, downloading a movie, or even using your instant messenger, it will have to read EVERY SINGLE packet, going both in and out. You can expect at least 15-20% of your CPU to be used AT ALL TIMES for a heavy user.

Not to mention the fact that a user behind a NAT router (which provides inbound protection already), also running a software firewall, (which provides inbound protection again, but this time using your computer's resources), simply makes no sense.

A NAT router alone though, takes care of the problem at it's source, does it only 1 time, and saves you all the resources you so very need from being wasted.

Leo's philosophy is true: If it's already on your computer, it should be assumed that it should be, and should be left just as that.

An alternative to this, if you are somewhere with an unmanaged network, or if you are connecting to a place you don't trust, Windows Firewall (which also only does inbound protection) will do, pretty much the same job as your NAT Router, on the road. And, since it's inbound only, it will use less than 1/2 of the resources, your in/outbound firewall would require (5% CPU).

does it read every packet or just only every program connecting internet?

One Exception! At the time this occurred I was 70 years old with no interest in pirating DVD's. I had purchased and installed DVD X Copy because in the advertising it sounded as if it could be used to make multiple copies of MY HOME RECORDED videos for family members. I was given a prercorded DVD for Christmas and made the mistake of watching it on that computer. A program included on that DVD that was ostensibly a DVD player asked for permission to go out to the web. Innocently I gave it that permission. It returned immediately with a trojan That deactivated X Copy which I intended for a perfectly lawful purpose. Further it destroyed all of my personal photo files on that computer. Without the out going firewall the damage would have been done and the cause would have been a complete mystery. Obviously considering these vigilante tactics I now have no sympathy for the DVD industry and there supposed problem with piracy. D.D.

I'm with Fred on this one.
Snip: "In some cases, that is the first, and possibly the only indication, that you have a problem."

Too right mate. If something does happen to get past your defences, what Leo is suggesting would let it do what ever the hell it likes without you ever knowing. Well, at lest till the day you find that you've taken out a $250k loan in another country and some debt collectors want you to pay it back!

Leo:
SNIP: "Frequently, they'll simply report a connection attempt to or from an IP address with little or no additional information."

Google is your friend. (-: They usually tell you the process/program name, and which folder it's in. A legitimate process name in the wrong folder is a virus. IP lookup/whois can also give you some good clues as to the status of any outgoing connection request. It pays to be vigilant.

But there's an even better solution to this whole problem. Use Linux! (-: No need for FWs or AVs. End of story.

Thanks for all the great newsletters and articles Leo.

Well, an advanced user may find the software firewall helpful. Suppose you have set up your PC to be accessed via VNC through the Internet via your Home NAT Router by opening specific ports. The software firewall detects numerous connection attempts per minute on those open ports giving you an oppurtunity to block them. Had it not been there & you would not have supplied a good password to VNC, you can imagine the consequences.

It becomes necessary in such cases but for the average user, yes being behind a NAT router with good browsing habits is sufficient.

Ravi.

novice, any packet, whether the program is connected to the internet or not, will be checked by the software firewall (even though it might not be going out).. The port # is located in the header of every packet. The file MUST be scanned in order to find out which program it relates to (something a software firewall must do).
Depending on if it's set to check both incoming and outgoing packets or just 1 or the other, is the only situation where you may see a difference--Windows Firewall only checks incoming connections for example.

Leo's way is the best/most practical way to do it. If you have a NAT router (which makes sure all unused ports are closed) & if you keep your system clean from the get-go (ie have decent virus protection -- i recommend NOD32), then you never have to worry about "bad things, trying to get out", because "bad things" will never get on. In cases like this, an outbound firewall is totally redundant..

Several popular commercial software programs are (at least arguably) spyware - some versions of a very common media player have been mentioned for example. There was no option to tell it not to send a list of the files you played back to them. An outbound firewall can protect you from this. Many antivirus or antispyware programs will not detect popular commercial software (for fear of legal liability).

Regarding "it's too late".
Suppose keylogger or trojan already infected computer. It's no good, i agree. But outbound firewall *prevented* this bad thing from sending out electronic payment system details, hence made keylogger or trojan useless as it never succeeds in completing its objective - sending data to its master.

|| But lets assume that you did get infected by a truly malicious key logger - one that was attempting to hide, and send all your keystrokes to some overseas hacker. Well, at the risk of repeating myself too many times: it's too late. Your machine has been compromised, and you can no longer trust it; and that includes trusting your firewall. Yes, your outbound firewall might block the transmission - or it might not. The malware could, in fact, include additional code to actually reconfigure your firewall to let the malware's communication through. It's been done. ||

You are reffering in this example to unknown vulnerable firewall software, but applying conclusions to outbound firewall in general. Is that slyness or fortuity?
Why haven't you told anything about outbound firewall software which is guarded by Host Intrusion Prevention System (HIPS), which *prevents* malware from:
- including any code to firewall;
- reconfiguring it ;
- modifying operating system in other way in order to send data bypassing outbound firewall.
Comodo Internet Security (CIS) is example of such firewall software. Maybe there are some other firewall products out there which can do same? Pls, inform me.

|| You have said that when an outbound firewall stops something it is already too late. But don't you think outbound firewall might stop a key logger from at least sending logs to an email or remote computer? Or would it not? ||

You substituted "outbound firewall" for unknown leaky outbound firewall software. Why?
There are real world outbound firewalls that don't leak (i know one - CIS).

|| It's intrusive. Outbound firewalls are only practically available as components of software firewalls that you install on your machine. As such, these firewalls take up additional resources to do their job. Rather than do that, a router will give you the inbound protection you need without taking up additional resources on your machine. ||

"Additional resources" is subjective term. For example, what is better: spend system's additional resources (how many? :) ) OR save resources, but risk to be infected with trojan (zero day virus - anti-virus won't detect it) that will leak electronic payment system login & password.

|| It's frequently wrong. ...With too many errors, indecipherable messages or false positives, people tend to ignore the warnings after a while, rendering the outbound firewall ineffective. ||

In some cases *people* "tend to ignore the warnings...". But what's wrong with outbound firewall? Lack of clarity etc. is subjective not to say more. And differs from user to user, from one firewall software to another.

|| Is there a case for an outgoing firewall at all? Many experts will disagree with me and say absolutely, that they add a lot of value and that the issues I've raised are simply off target or over-stated. But I remain of the opinion that if an outgoing firewall is, in fact, adding value it's because your incoming protection is inadequate. ||

Many ordinary users may have their pc infected even with adequate incoming protection. Friend's infected flash drive, executable from trusted source which in fact is malware, social engineering, malicious e-mail attachments.
What to do with those examples when people's computers (those behind NAT or those part of closed enterprise networks) got infected from "inside"?
Anti-Virus-Spyware and other signature-based detection software will NOT detect malicious executables (trojans, keyloggers) if they are zero day viruses/malware (those viruses/malware, for which specific antivirus software signatures are not yet available).

as a long time member on wilders security and some one who is always testing security products with live malware I am going to make Comment.

Regarding the "it's too late".comment. It is not an outbound firewalls job to prevent infection from happening in the first place. An out bound firewall is designed to do just that Police all out going traffic, not prevent the installation of malware.

Yes it is possible for malware to bypass out bound firewalls. But I wouldn't go as far as to say an outbound firewall is not needed. Going by that logic one could also argue that zero day malware can also disable and bypass Anti virus Programs so therefore it is a waste of time using an anti virus program as well.

While Router with Nat is good to have, a Router with Nat alone will not save you from getting keyloggers neither will it prevent the keylogger from making outgoing connections.

That said a lot of software outbound firewalls are improving in strength they have now added in "Host Intrusion Prevention" components to prevent the infection/installation of malware.

To sum this up it is better to have a layered security approach ie Nat Router, software firewall, AV, and a backed up Image of your OS. Rather than just using A Nat Router.