Many software firewalls will alert you on suspicious outbound connections. The biggest problem is that if the alert is correct, by then it's too late.
Isn't an outbound firewall really important in many situations? I deliberately installed a free version of a key logger on my system and ran thorough scans through my anti-virus and anti-spyware programs. But the running key logger wasn't detected, even though the key logger icon was right there in the system tray.
You have said that when an outbound firewall stops something it is already too late. But don't you think outbound firewall might stop a key logger from at least sending logs to an email or remote computer? Or would it not?
A firewall with outbound detection can have a place, I suppose, but you've captured my thoughts already: if it finds something to detect, then it's too late.
Let's review what it means to be an outbound firewall, why I don't value them all that much, and perhaps why your key logger wasn't detected.
Firewalls protect you from certain classes of bad things out on the internet.
Note that's "protect you from them". That implies that the primary function of a firewall is to prevent bad stuff "out there" from reaching or affecting your computer.
My preference is to use a hardware device such as a router with NAT (Network Address Translation) enabled. This does an incredibly effective job of hiding your computer from outside access. You can connect out, but outside computers cannot initiate a connection to you unless you have explicitly configured your router (port forwarding) to allow it.
Using a router also takes the burden of that work off of your computer. In fact, a single router can act as a single effective inbound firewall for all the computers that are connected behind it.
An "outbound" firewall looks for threats originating on your computer attempting to connect out to the internet. In a sense, it's "protecting them from you". While that may be very generous of you to protect everyone else from your computer, the real difference is that it will presumably block and more importantly tell you when something suspicious is happening so that you can take corrective action.
Outbound firewalls have several shortcomings, both technical and conceptual:
It's too late. As you pointed out, if an outbound firewall detects something that is, in fact, malicious in nature it's because your machine is already infected. Something in your inbound defense failed and your machine has acquired some form of malware. Yes, I suppose it'd be nice to know, but in fact those very inbound defenses - firewall and anti-malware scanners - should have already either prevented or detected the problem. With adequate inbound protection, an outbound firewall is redundant.
It's intrusive. Outbound firewalls are only practically available as components of software firewalls that you install on your machine. As such, these firewalls take up additional resources to do their job. Rather than do that, a router will give you the inbound protection you need without taking up additional resources on your machine.
It's frequently wrong. One of the very common complaints about outbound firewalls is warning messages that are either incomprehensible, overly frequent, or don't give the average user enough information to make an informed decision. Frequently, they'll simply report a connection attempt to or from an IP address with little or no additional information. I also commonly see people asking about warnings that arise from totally legitimate processes on their machine accessing the internet for things like software updates or the current time and date. With too many errors, indecipherable messages or false positives, people tend to ignore the warnings after a while, rendering the outbound firewall ineffective.
Now, don't get me wrong: software firewalls do have their place. In particular, when traveling and using open WiFi hotspots I'll absolutely turn on the built-in Windows firewall. Software firewalls are also a good choice if you have no router, or if you cannot trust the other computers that share your router. But in either case that's for the firewall's incoming protection against external threats, not the outgoing.
Is there a case for an outgoing firewall at all? Many experts will disagree with me and say absolutely, that they add a lot of value and that the issues I've raised are simply off target or over-stated. But I remain of the opinion that if an outgoing firewall is, in fact, adding value it's because your incoming protection is inadequate. If you're going to focus additional energy and resources at becoming more secure, I'd much rather have you focus on preventative solutions rather than solutions which will only kick in after it's too late.
Now, about your key logger.
My first reaction is that if it's showing up in the system tray I'm not sure I'd classify it as malware. It's open about what it's doing, and easily visible. A key logger isn't in and of itself necessarily malware - there are many legitimate uses for the technology. So part of my reaction is that I'm not really surprised that it wasn't detected as malware, because it's not behaving like malware.
But let's assume that you did get infected by a truly malicious key logger - one that was attempting to hide, and send all your keystrokes to some overseas hacker. Well, at the risk of repeating myself too many times: it's too late. Your machine has been compromised, and you can no longer trust it; and that includes trusting your firewall. Yes, your outbound firewall might block the transmission - or it might not. The malware could, in fact, include additional code to actually reconfigure your firewall to let the malware's communication through. It's been done.
This is almost worse than having no outbound protection at all. With the outbound firewall you might think you're protected, but in fact you're not. Without an outbound firewall, you know, and you know to focus your efforts on inbound protection to avoid the problem in the first place.
Like I said, I know that others will disagree with me, and I'm sure there'll be some compelling cases made in the comments.
But I'm not convinced, and outbound firewalls are not something I use or advise.
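For readers who want to see what "an outbound firewall" concretely means on the platform the article keeps referring to, here is an added example (not Leo's code, and not taken from any product) that turns the built-in Windows firewall into a default-deny outbound firewall using the NetSecurity PowerShell module (Windows 8 / Server 2012 or later, run from an elevated prompt). It shows the weak default posture beside the corrected one, adds explicit allow rules for trusted programs before flipping the default, and switches on logging of dropped packets. The browser path and rule names are assumptions for illustration.

```powershell
# Added example: default-deny outbound with the built-in Windows firewall.
# Requires an elevated PowerShell on Windows 8 / Server 2012 or newer.
# Program paths and rule names below are assumptions for illustration.

# The weak (default) posture: any program may connect out unless a rule blocks it.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

function Enable-DefaultDenyOutbound {
    param(
        # Full paths of programs allowed to initiate connections.
        [string[]] $AllowedPrograms,
        [string]   $RulePrefix = 'Allowlist-Out'
    )

    # 1. Record every dropped packet; blocked outbound attempts show up in the
    #    log with SEND in the "path" column, so there is evidence to review.
    Set-NetFirewallProfile -Profile Domain,Private,Public `
        -LogBlocked True `
        -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
        -LogMaxSizeKilobytes 16384

    # 2. Explicit allow rules BEFORE flipping the default, or you cut yourself off.
    #    The built-in "Core Networking" outbound rules (DNS, DHCP, ...) already
    #    exist as allow rules and keep working under a block-by-default policy.
    foreach ($exe in $AllowedPrograms) {
        $name = "$RulePrefix $(Split-Path -Leaf $exe)"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Outbound `
                -Program $exe -Action Allow -Profile Any | Out-Null
        }
    }

    # Services run inside svchost.exe; allow a specific service rather than
    # the whole host process. wuauserv is Windows Update.
    if (-not (Get-NetFirewallRule -DisplayName "$RulePrefix Windows Update" -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName "$RulePrefix Windows Update" -Direction Outbound `
            -Program '%SystemRoot%\System32\svchost.exe' -Service wuauserv `
            -Action Allow -Profile Any | Out-Null
    }

    # 3. Flip the default: anything without an allow rule is now dropped.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
}

Enable-DefaultDenyOutbound -AllowedPrograms @(
    'C:\Program Files\Mozilla Firefox\firefox.exe'    # assumed path; substitute your own
)

# The corrected posture: outbound is blocked unless explicitly allowed, and
# blocked traffic is logged.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction, LogBlocked, LogFileName
```

Two practical notes. First, this produces no prompt; an unknown program simply fails to connect, and the pfirewall.log entry tells you it happened, which is the "detect, but noisily" behaviour the article describes without the pop-ups. Second, the article's central caveat applies exactly here: anything running with administrative rights can run `Set-NetFirewallProfile -DefaultOutboundAction Allow` or add its own allow rule, so this raises the bar only for code running as a standard user, which cannot change firewall rules.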
Article C3484 - August 29, 2008
March 16, 2009 5:16 PM
Regarding "it's too late".
Suppose a keylogger or trojan has already infected the computer. It's no good, I agree. But an outbound firewall *prevented* this bad thing from sending out electronic payment system details, hence made the keylogger or trojan useless, as it never succeeds in completing its objective: sending data to its master.
|| But let's assume that you did get infected by a truly malicious key logger - one that was attempting to hide, and send all your keystrokes to some overseas hacker. Well, at the risk of repeating myself too many times: it's too late. Your machine has been compromised, and you can no longer trust it; and that includes trusting your firewall. Yes, your outbound firewall might block the transmission - or it might not. The malware could, in fact, include additional code to actually reconfigure your firewall to let the malware's communication through. It's been done. ||
You are referring in this example to unknown vulnerable firewall software, but applying the conclusions to outbound firewalls in general. Is that slyness or fortuity?
Why haven't you said anything about outbound firewall software which is guarded by a Host Intrusion Prevention System (HIPS), which *prevents* malware from:
- adding any code to the firewall;
- reconfiguring it;
- modifying the operating system in other ways in order to send data bypassing the outbound firewall.
Comodo Internet Security (CIS) is an example of such firewall software. Maybe there are some other firewall products out there which can do the same? Please inform me.
|| You have said that when an outbound firewall stops something it is already too late. But don't you think outbound firewall might stop a key logger from at least sending logs to an email or remote computer? Or would it not? ||
You substituted "outbound firewall" with unknown leaky outbound firewall software. Why?
There are real-world outbound firewalls that don't leak (I know one: CIS).
|| It's intrusive. Outbound firewalls are only practically available as components of software firewalls that you install on your machine. As such, these firewalls take up additional resources to do their job. Rather than do that, a router will give you the inbound protection you need without taking up additional resources on your machine. ||
"Additional resources" is a subjective term. For example, what is better: spending the system's additional resources (how many? :) ) OR saving resources, but risking infection with a trojan (a zero-day virus, which anti-virus won't detect) that will leak an electronic payment system login and password?
|| It's frequently wrong. ...With too many errors, indecipherable messages or false positives, people tend to ignore the warnings after a while, rendering the outbound firewall ineffective. ||
In some cases *people* "tend to ignore the warnings...". But what's wrong with the outbound firewall? Lack of clarity etc. is subjective, not to say more. And it differs from user to user, and from one firewall software to another.
|| Is there a case for an outgoing firewall at all? Many experts will disagree with me and say absolutely, that they add a lot of value and that the issues I've raised are simply off target or over-stated. But I remain of the opinion that if an outgoing firewall is, in fact, adding value it's because your incoming protection is inadequate. ||
Many ordinary users may have their PC infected even with adequate incoming protection: a friend's infected flash drive, an executable from a trusted source which in fact is malware, social engineering, malicious e-mail attachments.
What to do about those cases where people's computers (those behind NAT, or those that are part of closed enterprise networks) got infected from "inside"?
Anti-virus, anti-spyware and other signature-based detection software will NOT detect malicious executables (trojans, keyloggers) if they are zero-day viruses/malware (viruses/malware for which specific antivirus signatures are not yet available).
June 26, 2009 5:03 PM
As a long-time member of Wilders Security and someone who is always testing security products with live malware, I am going to comment.
Regarding the "it's too late" comment: it is not an outbound firewall's job to prevent infection from happening in the first place. An outbound firewall is designed to do just that: police all outgoing traffic, not prevent the installation of malware.
Yes, it is possible for malware to bypass outbound firewalls. But I wouldn't go as far as to say an outbound firewall is not needed. Going by that logic, one could also argue that zero-day malware can also disable and bypass anti-virus programs, so therefore it is a waste of time using an anti-virus program as well.
While a router with NAT is good to have, a router with NAT alone will not save you from getting keyloggers, nor will it prevent the keylogger from making outgoing connections.
That said, a lot of software outbound firewalls are improving in strength; they have now added "Host Intrusion Prevention" components to prevent the infection/installation of malware.
To sum this up, it is better to have a layered security approach, i.e. NAT router, software firewall, AV, and a backed-up image of your OS, rather than just using a NAT router.
November 9, 2010 6:55 PM
As a network consultant, my experience is that software firewalls cause much more trouble than they prevent. If a PC can't connect to the network, can't share resources, or has mysterious trouble connecting for some (but not all) purposes, quite often a software firewall is the culprit. It's probably because a non-expert user has said "no" to the firewall's prompt that something (legitimate) is trying to go in or out. Sorry, but it's not the average user's responsibility to be technical enough to manage a firewall.
April 19, 2011 10:32 AM
Your major point, "it's too late," is flawed in at least one respect. While listening on an Incoming port generally requires Administrator access, Outgoing connections may generally be initiated by clients with User level access. If a non-administrative user were to run hostile code on the machine, it would have access to everything to which the user has access - including the ability to initiate outgoing connections; thus a backdoor with User-level access could be loaded on the infected machine and could connect back to a host machine and wait for commands. This serves as the sharp point of the wedge which can then be metaphorically driven into the infected machine through privilege escalation vulnerabilities. See this link:
http://www.plenz.com/reverseshell
September 6, 2011 7:42 PM
I get your point, and agree with your logic, as I agree with the Catholic Church's logic that condoms put people at risk of getting AIDS, (feel too safe and you may take risks you shouldn't be taking).
I'm not convinced with your "It's too late" argument. By the same standard, an AIDS test is not worthwhile, because once you've got AIDS, you're dead. If you were infected, wouldn't you want to know early on? If your password was stolen, wouldn't you want to know about it so you can change it? And take corrective measures?
Even when I know that it's not 100% secure, the outbound firewall makes me less paranoid, so I don't have to be running TCPView and checking Windows Firewall's advanced settings periodically.
I now use MSE and I'm mostly happy with it. However, I miss my old F-Prot’s outbound firewall because it let me know when a "legitimate" program was trying to connect without my knowledge for the first time (yes I'm a control freak when it comes to my PC). I once had MS Media Player change the cover & tags of all my mp3s, and spent more than a month fixing them, just because I forgot to set MSMP's options right after an upgrade. I also had other programs do nasty stuff like that, or just connect and take my bandwidth without my knowledge.
Summarizing:
- I agree that an outbound firewall may be inconvenient or dangerous for the average user (similar to giving teenagers condoms and telling them to f**k at will).
- But they certainly have a use under certain circumstances and for certain users.
- I once read something about PC security being about securing several critical points. (http://ask-leo.com/internet_safety_how_do_i_keep_my_computer_safe_on_the_internet.html) Why is another security layer a bad idea?
PS: Is there a way to make Windows Firewall behave like these firewalls, asking for permission for unknown programs trying to connect to the internet? I know you can manually block applications going in or out, but how about an "ask for permission"?
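The built-in Windows firewall has no outbound "ask for permission" prompt: it only prompts when a program starts listening for inbound connections. The nearest substitute is to block unknown outbound traffic by default and then review what was blocked, which is what the following added example (editor's code, not from the page or any product) does. Windows Filtering Platform audit event 5157 records every blocked connection with the program path, direction and destination; the function below enables that audit, pulls the outbound entries, and summarises them per program and destination so you can decide, after the fact, what the prompt would have asked you. The `-Hours` window and the commented allow rule path are assumptions for illustration; run it elevated.

```powershell
# Added example: review blocked outbound connections from the Security log
# instead of answering pop-ups. Requires an elevated prompt.

# One-time: audit failed connections in the Windows Filtering Platform.
# Event 5157 ("the WFP has blocked a connection") is then written for each drop.
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null

function Get-BlockedOutboundConnections {
    param([int] $Hours = 24)   # look-back window; an assumed default

    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157; StartTime = $since } `
                           -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read fields by name from the event XML rather than by position.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Direction is a resource string: %%14592 = Inbound, %%14593 = Outbound.
        if ($data['Direction'] -ne '%%14593') { continue }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            # Logged in NT device form, e.g. \device\harddiskvolume2\program files\...
            Application = $data['Application']
            Destination = "$($data['DestAddress']):$($data['DestPort'])"
            Protocol    = $data['Protocol']   # 6 = TCP, 17 = UDP
        }
    }
}

# Which programs tried to connect where, and how often, in the last day.
Get-BlockedOutboundConnections -Hours 24 |
    Group-Object Application, Destination |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Once you have vetted a program, an explicit allow rule stands in for the
# "yes" you would have clicked. The path is an assumption for illustration.
# New-NetFirewallRule -DisplayName 'Allowlist-Out myapp.exe' -Direction Outbound `
#     -Program 'C:\Program Files\MyApp\myapp.exe' -Action Allow
```

Reviewing this summary is also the practical answer to the "it's too late" debate above: a program you do not recognise attempting to reach an address you do not recognise is the signal that the machine needs investigating, whether or not the block itself held.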