Helping people with computers... one answer at a time.

Many software firewalls will alert you on suspicious outbound connections. The biggest problem is that if correct, by then it's too late.

Isn't an outbound firewall really important in many situations? I deliberately installed a free version of a key logger on my system and ran thorough scans through my anti virus and anti spyware programs. But the running key logger wasn't detected even though the key logger icon was right there in the system tray.

You have said that when an outbound firewall stops something it is already too late. But don't you think outbound firewall might stop a key logger from at least sending logs to an email or remote computer? Or would it not?

A firewall with outbound detection can have a place, I suppose, but you've captured my thoughts already: if it finds something to detect, then it's too late.

Let's review what it means to be an outbound firewall, why I don't value them all that much, and perhaps why your key logger wasn't detected.

Firewalls protect you from the certain classes of bad things out on the internet.

Note that's "protect you from them". That implies that the primary function of a firewall is to prevent bad stuff "out there" from reaching or affecting your computer.

My preference is to use a hardware device such as a router with NAT (Network Address Translation) enabled. This does an incredibly effective job of hiding your computer from outside access. You can connect out, but outside computers cannot initiate a connection without your having explicitly configured your router to allow it.

Using a router also takes the burden of that work off of your computer. In fact, a single router can act as a single effective inbound firewall for all the computers that are connected behind it.

An "outbound" firewall looks for threats originating on your computer attempting to connect out to the internet. In a sense, it's "protecting them from you". While that may be very generous of you to protect everyone else from your computer, the real difference is that it will presumably block and more importantly tell you when something suspicious is happening so that you can take corrective action.

"My preference is to use a hardware device such as a router with NAT ..."

Outbound firewalls have several shortcomings, both technical and conceptual:

  • It's too late. As you pointed out, if an outbound firewall detects something that is, in fact, malicious in nature it's because your machine is already infected. Something in your inbound defense failed and your machine has acquired some form of malware. Yes, I suppose it'd be nice to know, but in fact those very inbound defenses - firewall and anti-malware scanners - should have already either prevented or detected the problem. With adequate inbound protection, an outbound firewall is redundant.

  • It's intrusive. Outbound firewalls are only practically available as components of software firewalls that you install on your machine. As such, these firewalls take up additional resources to do their job. Rather than do that, a router will give you the inbound protection you need without taking up additional resources on your machine.

  • It's frequently wrong. One of the very common complaints about outbound firewalls are warning messages that are either incomprehensible, overly frequent, or don't give the average user enough information to make an informed decision. Frequently, they'll simply report a connection attempt to or from an IP address with little or no additional information. I also commonly see people asking about warnings that arise from totally legitimate processes on their machine accessing the internet for things like software updates or the current time and date. With too many errors, indecipherable messages or false positives, people tend to ignore the warnings after a while, rendering the outbound firewall ineffective.

Now, don't get me wrong: software firewalls do have their place. In particular, when traveling and using open WiFi hotspots I'll absolutely turn on the built-in Windows firewall. Software firewalls are also a good choice if you have no router, or if you cannot trust the other computers that share your router. But in either case that's for the firewall's incoming protection against external threats, not the outgoing.

Is there a case for an outgoing firewall at all? Many experts will disagree with me and say absolutely, that they add a lot of value and that the issues I've raised are simply off target or over-stated. But I remain of the opinion that if an outgoing firewall is, in fact, adding value it's because your incoming protection is inadequate. If you're going to focus additional energy and resources at becoming more secure, I'd much rather have you focus on preventative solutions rather than solutions which will only kick in after it's too late.

Now, about your key logger.

My first reaction is that if it's showing up in the system tray I'm not sure I'd classify it as malware. It's open about what it's doing, and easily visible. A key logger isn't in and of itself necessarily malware - there are many legitimate uses for the technology. So part of my reaction is that I'm not really surprised that it wasn't detected as malware, because it's not behaving like malware.

But lets assume that you did get infected by a truly malicious key logger - one that was attempting to hide, and send all your keystrokes to some overseas hacker. Well, at the risk of repeating myself too many times: it's too late. Your machine has been compromised, and you can no longer trust it; and that includes trusting your firewall. Yes, your outbound firewall might block the transmission - or it might not. The malware could, in fact, include additional code to actually reconfigure your firewall to let the malware's communication through. It's been done.

This is almost worse than having no outbound protection at all. With the outbound firewall you might think you're protected, but in fact you're not. Without an outbound firewall, you know, and you know to focus your efforts on inbound protection to avoid the problem in the first place.

Like I said, I know that others will disagree with me, and I'm sure there'll be some compelling cases made in the comments.

But I'm not convinced, and outbound firewalls are not something I use or advise.

Article C3484 - August 29, 2008 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

17 Comments
Leon Muhlick
August 29, 2008 7:40 PM

Where I have found the outbound firewall helpful is with "bloatware". Several useful applications came on my system from the manufacturer. The problem is, of course, that they want me to sign up and pay for upgrades that I don't need or want. About every third time I bring them up they want to go to the internet and give me a pitch on how I really need more than what was provided with my system. By blocking them with my internal firewall I don't have the hassle.

novice
August 29, 2008 9:54 PM

Wow that was quick. I see your point: if computer is infected you can't trust it and that includes firewall on it. Focus on prevention instead.

Btw, I installed the keylogger just to check what would happen if someone else did it on my machine. Paid version of the keylogger does have the option to hide it. Free version hides it temporarily. Name of keylogger was in the mail. I suppose some keyloggers are legitimate commercial software and are specifically left out, because another keylogger with similar functionality my anti virus didn't even let me install.

Tony
August 30, 2008 12:39 PM

I believe that a software firewall is necessary layered security is a must in this day in age a hardware firewall is not enough. search for a blog called Melih and read his article on this point of view.

Kido Lee
August 31, 2008 10:49 PM

I have McAfee Desktop Firewall Enterprise edition. Everytime a program in my computer tries to call his mother ship via port 6660 to 6669, McAfee Desktop Firewall will prompt if to allow or deny outbound connection. The McAfee Antivirus Enterprise edition didn't block IRC both ways, I think outbound firewall is essential if you're concerned about privacy.

I got infected with Virtualmonde or Trojan Vundo before. The McAfee antivirus couldn't even totally get rid of this trojan. The McAfee Desktop Firewall came in handyuntil I got Malwarebytes Anti-Spyware that totally got rid of all sort of parasites in my destop.

Fred Love
September 1, 2008 12:09 PM

I have to agree that by the time an out going firewall alerts you of a problem , you already have one.
But in some cases, that is the first ,and possibly, the only indication that you have the problem. As well they are very handy at stopping malware downloaders.

Chris
September 1, 2008 12:37 PM

Keep in mind that a software (in/outbound) firewall has to go thru the header of EVERY SINGLE packet being sent AND received. This means it will require a variable amount of resources, depending on how you use your connection.

If you download/upload a lot of information (even if you unblocked the program), your software firewall must still spend CPU resources to read all those packet headers.
If you're playing a game, downloading a movie, or even using your instant messenger, it will have to read EVERY SINGLE packet, going both in and out. You can expect at least 15-20% of your CPU to be used AT ALL TIMES for a heavy user.

Not to mention the fact that a user behind a NAT router (which provides inbound protection already), also running a software firewall, (which provides inbound protection again, but this time using your computer's resources), simply makes no sense.

A NAT router alone though, takes care of the problem at it's source, does it only 1 time, and saves you all the resources you so very need from being wasted.

Leo's philosophy is true: If it's already on your computer, it should be assumed that it should be, and should be left just as that.

An alternative to this, if you are somewhere with an unmanaged network, or if you are connecting to a place you don't trust, Windows Firewall (which also only does inbound protection) will do, pretty much the same job as your NAT Router, on the road. And, since it's inbound only, it will use less than 1/2 of the resources, your in/outbound firewall would require (5% CPU).

novice
September 1, 2008 5:20 PM

does it read every packet or just only every program connecting internet?

Depends on the specific firewall being used, and perhaps its settings. But it certainly could.

-Leo

Don Davis
September 2, 2008 8:49 AM

One Exception! At the time this occurred I was 70 years old with no interest in pirating DVD's. I had purchased and installed DVD X Copy because in the advertising it sounded as if it could be used to make multiple copies of MY HOME RECORDED videos for family members. I was given a prercorded DVD for Christmas and made the mistake of watching it on that computer. A program included on that DVD that was ostensibly a DVD player asked for permission to go out to the web. Innocently I gave it that permission. It returned immediately with a trojan That deactivated X Copy which I intended for a perfectly lawful purpose. Further it destroyed all of my personal photo files on that computer. Without the out going firewall the damage would have been done and the cause would have been a complete mystery. Obviously considering these vigilante tactics I now have no sympathy for the DVD industry and there supposed problem with piracy. D.D.

Adrian
September 2, 2008 5:19 PM

I'm with Fred on this one.
Snip: "In some cases, that is the first, and possibly the only indication, that you have a problem."

Too right mate. If something does happen to get past your defences, what Leo is suggesting would let it do what ever the hell it likes without you ever knowing. Well, at lest till the day you find that you've taken out a $250k loan in another country and some debt collectors want you to pay it back!

Leo:
SNIP: "Frequently, they'll simply report a connection attempt to or from an IP address with little or no additional information."

Google is your friend. (-: They usually tell you the process/program name, and which folder it's in. A legitimate process name in the wrong folder is a virus. IP lookup/whois can also give you some good clues as to the status of any outgoing connection request. It pays to be vigilant.

But there's an even better solution to this whole problem. Use Linux! (-: No need for FWs or AVs. End of story.

Thanks for all the great newsletters and articles Leo.

Ravi Agrawal
September 2, 2008 11:37 PM

Well, an advanced user may find the software firewall helpful. Suppose you have set up your PC to be accessed via VNC through the Internet via your Home NAT Router by opening specific ports. The software firewall detects numerous connection attempts per minute on those open ports giving you an oppurtunity to block them. Had it not been there & you would not have supplied a good password to VNC, you can imagine the consequences.

It becomes necessary in such cases but for the average user, yes being behind a NAT router with good browsing habits is sufficient.

Ravi.

Chris
September 3, 2008 6:48 PM

novice, any packet, whether the program is connected to the internet or not, will be checked by the software firewall (even though it might not be going out).. The port # is located in the header of every packet. The file MUST be scanned in order to find out which program it relates to (something a software firewall must do).
Depending on if it's set to check both incoming and outgoing packets or just 1 or the other, is the only situation where you may see a difference--Windows Firewall only checks incoming connections for example.

Leo's way is the best/most practical way to do it. If you have a NAT router (which makes sure all unused ports are closed) & if you keep your system clean from the get-go (ie have decent virus protection -- i recommend NOD32), then you never have to worry about "bad things, trying to get out", because "bad things" will never get on. In cases like this, an outbound firewall is totally redundant..

Koreem
December 25, 2008 6:55 PM

Several popular commercial software programs are (at least arguably) spyware - some versions of a very common media player have been mentioned for example. There was no option to tell it not to send a list of the files you played back to them. An outbound firewall can protect you from this. Many antivirus or antispyware programs will not detect popular commercial software (for fear of legal liability).

black jack
March 16, 2009 5:16 PM

Regarding "it's too late".
Suppose keylogger or trojan already infected computer. It's no good, i agree. But outbound firewall *prevented* this bad thing from sending out electronic payment system details, hence made keylogger or trojan useless as it never succeeds in completing its objective - sending data to its master.


|| But lets assume that you did get infected by a truly malicious key logger - one that was attempting to hide, and send all your keystrokes to some overseas hacker. Well, at the risk of repeating myself too many times: it's too late. Your machine has been compromised, and you can no longer trust it; and that includes trusting your firewall. Yes, your outbound firewall might block the transmission - or it might not. The malware could, in fact, include additional code to actually reconfigure your firewall to let the malware's communication through. It's been done. ||

You are reffering in this example to unknown vulnerable firewall software, but applying conclusions to outbound firewall in general. Is that slyness or fortuity?
Why haven't you told anything about outbound firewall software which is guarded by Host Intrusion Prevention System (HIPS), which *prevents* malware from:
- including any code to firewall;
- reconfiguring it ;
- modifying operating system in other way in order to send data bypassing outbound firewall.
Comodo Internet Security (CIS) is example of such firewall software. Maybe there are some other firewall products out there which can do same? Pls, inform me.


|| You have said that when an outbound firewall stops something it is already too late. But don't you think outbound firewall might stop a key logger from at least sending logs to an email or remote computer? Or would it not? ||

You substituted "outbound firewall" for unknown leaky outbound firewall software. Why?
There are real world outbound firewalls that don't leak (i know one - CIS).


|| It's intrusive. Outbound firewalls are only practically available as components of software firewalls that you install on your machine. As such, these firewalls take up additional resources to do their job. Rather than do that, a router will give you the inbound protection you need without taking up additional resources on your machine. ||

"Additional resources" is subjective term. For example, what is better: spend system's additional resources (how many? :) ) OR save resources, but risk to be infected with trojan (zero day virus - anti-virus won't detect it) that will leak electronic payment system login & password.


|| It's frequently wrong. ...With too many errors, indecipherable messages or false positives, people tend to ignore the warnings after a while, rendering the outbound firewall ineffective. ||

In some cases *people* "tend to ignore the warnings...". But what's wrong with outbound firewall? Lack of clarity etc. is subjective not to say more. And differs from user to user, from one firewall software to another.


|| Is there a case for an outgoing firewall at all? Many experts will disagree with me and say absolutely, that they add a lot of value and that the issues I've raised are simply off target or over-stated. But I remain of the opinion that if an outgoing firewall is, in fact, adding value it's because your incoming protection is inadequate. ||

Many ordinary users may have their pc infected even with adequate incoming protection. Friend's infected flash drive, executable from trusted source which in fact is malware, social engineering, malicious e-mail attachments.
What to do with those examples when people's computers (those behind NAT or those part of closed enterprise networks) got infected from "inside"?
Anti-Virus-Spyware and other signature-based detection software will NOT detect malicious executables (trojans, keyloggers) if they are zero day viruses/malware (those viruses/malware, for which specific antivirus software signatures are not yet available).

Dave
June 26, 2009 5:03 PM

as a long time member on wilders security and some one who is always testing security products with live malware I am going to make Comment.

Regarding the "it's too late".comment. It is not an outbound firewalls job to prevent infection from happening in the first place. An out bound firewall is designed to do just that Police all out going traffic, not prevent the installation of malware.

Yes it is possible for malware to bypass out bound firewalls. But I wouldn't go as far as to say an outbound firewall is not needed. Going by that logic one could also argue that zero day malware can also disable and bypass Anti virus Programs so therefore it is a waste of time using an anti virus program as well.

While Router with Nat is good to have, a Router with Nat alone will not save you from getting keyloggers neither will it prevent the keylogger from making outgoing connections.

That said a lot of software outbound firewalls are improving in strength they have now added in "Host Intrusion Prevention" components to prevent the infection/installation of malware.

To sum this up it is better to have a layered security approach ie Nat Router, software firewall, AV, and a backed up Image of your OS. Rather than just using A Nat Router.

Bob
November 9, 2010 6:55 PM

As a network consultant, my experience is that software firewalls cause much more trouble than they prevent. If a PC can't connect to the network, can't share resources, or has mysterious trouble connecting for some (but not all) purposes, quite often a software firewall is the culprit. It's probably because a non-expert user has said "no" to the firewall's prompt that something (legitimate) is trying to go in or out. Sorry, but it's not the average user's responsibility to be technical enough to manage a firewall.

James
April 19, 2011 10:32 AM

Your major point, "it's too late," is flawed in at least one respect. While listening on an Incoming port generally requires Administrator access, Outgoing connections may generally be initiated by clients with User level access. If a non-administrative user were to run hostile code on the machine, it would have access to everything to which the user has access - including the ability to initiate outgoing connections; thus a backdoor with User-level access could be loaded on the infected machine and could connect back to a host machine and wait for commands. This serves as the sharp point of the wedge which can then be metaphorically driven into the infected machine through privilege escalation vulnerabilities. See this link:

http://www.plenz.com/reverseshell

Barcillo Barsiniestro
September 6, 2011 7:42 PM

I get your point, and agree with your logic, as I agree with the Catholic Church's logic that condoms put people at risk of getting AIDS, (feel too safe and you may take risks you shouldn't be taking).

I’m not convinced with your “It's too late” argument. By the same standard, an AIDS test is not worth; because once you got AIDS, you’re dead. If you were infected, wouldn’t you want to know early on? If your password was stolen, wouldn't you want to know about it so you can change it? And take corrective measures?

Even when I know that it's not 100% secure, the outbound firewall makes me less paranoid, so I don’t have to be running tcpview and checking windows firewall’s advanced settings periodically

I now use MSE and I'm mostly happy with it. However, I miss my old F-Prot’s outbound firewall because it let me know when a "legitimate" program was trying to connect without my knowledge for the first time (yes I'm a control freak when it comes to my PC). I once had MS Media Player change the cover & tags of all my mp3s, and spent more than a month fixing them, just because I forgot to set MSMP's options right after an upgrade. I also had other programs do nasty stuff like that, or just connect and take my bandwidth without my knowledge.

Summarizing:
-I agree that an outbound firewall may be inconvenient or dangerous for the average user (similar to giving teenagers condoms and telling them to f**k at will).
-But, they certainly have a use under certain circumstances and for certain users
- I once read something about PC security being about securing several critical points. (http://ask-leo.com/internet_safety_how_do_i_keep_my_computer_safe_on_the_internet.html) Why is another security layer a bad idea?
PS: Is there a way to make Windows Firewall behave like these firewalls asking for permission for unknown programs trying to connect to the internet? I know you can manually block applications going in or out, but how about an “ask for permission”?

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.