Remember that outbound firewall?

Yesterday Lysa Myers, a former senior security analyst at Intego and currently a security researcher at ESET, posted an article to Intego’s blog; Why You Need an Outbound Firewall. The article starts with the following phrase “Outbound firewall protection is arguably the more important component of two-way firewall software, at least from an anti-malware perspective.” This is something I absolutely agree with and I have mentioned this before (“An outbound firewall is just as important as an inbound one.“). Naturally Lysa’s article eventually links to one of Intego’s products (NetBarrier) that provide outbound firewall functionality but do not mistake the article for just a sales pitch. The information is good and worth the read so whether you use Intego software or not, go check it out.

As Lysa’s article mentions, not everyone agrees on the importance of outbound firewalls, pointing out that Chris Hoffman stated some of the following reasons they are not useful:

• Outbound firewalls just prevent applications on your computer from connecting to the Internet. If you see that a piece of malware is trying to connect to the Internet, you’ve already lost because it’s running on your computer. The malware can do a lot of damage without Internet access.
• If a malicious program were running on your computer and had access to your system, it could likely open its own holes in your firewall software. Again, once the malicious software is running on your system, you’ve already lost.
• Outbound firewalls aren’t an effective defense against malware.

I do not agree with any of these statements. “If you see that a piece of malware is trying to connect to the internet, you have not already lost.” In detecting and preventing malware from connecting back to it’s control servers and/or uploading stolen information you have not won the battle yet but you are most definitely ahead of the game. All it takes after blocking the connection attempt is finding and removing the malware which can be done by a number of capable applications.

“…it could likely open its own holes in your firewall software. Again, once the malicious software is running on your system, you’ve already lost.” Theoretically, sophisticated malware can disable or exploit a vulnerability in firewall software though to date none of the available Mac malware has done this. As Lysa points out, Flashback was able to detect the presence of a firewall and disable itself to avoid detection but no malware has actually disabled the OS X firewall, Little Snitch or any of the AV firewall solutions I am aware of. This is not to say it will never happen and this is where layered protection comes in, “security works best in layers“. Relying on just one solution for total protection is not a good strategy. Having a firewall enabled in your OS is nice but if you do not properly configure and patch your modem/router/OS/etc. you may still be exposing your information through a number of vulnerabilities.

“Outbound firewalls aren’t an effective defense against malware.” Outbound firewalls are not designed to defend against malware, antivirus is. This is like stating a BMW makes for a crappy airplane. To defend against malware you need a few things; common sense, patched software, limited access to your network and hardware, an antivirus solution, just to name a few. An outbound firewall is great for detecting malware.

At the end of the day those that agree will agree and those that don’t won’t. Regardless of your stance on the subject, do some research and educate yourself before joining another group’s opinion. You won’t sound like an idiot if the subject ever comes up amongst other people that know the subject matter and you will gain useful knowledge in the process.

Don’t forget to check out Lysa Myers article here.
More information on my outbound firewall of choice, Little Snitch, here.
And more information about hardware firewalls here.