Ah security, one of the most widely discussed computer related topics across the planet. Start a new thread on any forum and label it something like “What is your security setup?” and you’re almost certainly guaranteed a lively response – everyone, it seems, likes to share details of their security arrangements. Trouble is, all that imparted information is of very little use to anyone else. Why? Because the best security always starts between the ears, and levels of security requirements are largely dictated by user habits and the scope of their online activities.
Throw in the massive diversity of software configurations, plus divergences in available hardware resources, which can alter dramatically from machine to machine, and a ‘one shoe fits all’ solution becomes the impossible dream. I’ve seen lists of installed security software which defy belief, they have included so many products I often wonder how these people ever managed to avoid conflicts and retain enough leftover resources to continue their normal day to day computering (spell checker informs me that “computering” is not a proper word – well it should be :)).
These user submitted lists often include an outbound firewall, and I have no problem with that. I’m sure an outbound firewall can be beneficial in certain situations. But, given normal circumstances, where a home user is utilizing sufficient inbound protection including connecting to the internet through a quality router, I can’t help wondering if the negatives don’t often outweigh any positives.
Have I ever utilized 3rd party firewalls with outbound monitoring… yes. Did they deliver any real benefits… no. I’ve installed a fair selection of free firewalls over the years, most haven’t lasted very long but I did stick with one in particular for almost 2 years. That firewall was Online Armor and I persevered with that one mainly because it was slightly less intrusive than all the others. Then, one day, it dawned on me… in all that time Online Armor had not flagged one malicious process nor indeed any activity which was in the least suspect.
Not that Online Amor didn’t issue warnings, there were plenty of them, it’s just that they were always for known/safe processes – so much for the ‘learning’ process. I lost count of how many times I informed Online Armor that Avast was a ‘trusted’ application – it made not a scrap of difference, every time Avast attempted to connect and download updates up popped Online Armor’s security warning.
This is one of my main concerns with these firewalls – they are not designed to distinguish between legitimate and malicious processes, so the vast majority of ‘warnings’ emanate from benign sources and any decision making is then largely down to the end user. That may be fine for most savvy users, but what about the legions of novice and less experienced users out there who don’t have the necessary acumen to identify and assess flagged activity, especially based on the often meager details provided by the firewall. Because of frequent false positives, the general lack of definitive information, plus related difficulties involved with identification and evaluation, many users just end up ignoring the warnings altogether… which, of course, then renders the outbound firewall completely ineffective. And please don’t tell that activating a firewall’s HIPS component will afford extra protection. In my experience, that merely creates a massive increase in the numbers of disruptions and only serves to exacerbate the situation.
Ask anyone who has been fixing errant machines over a long period of time, whether it be professional or on a part time basis for family or friends – third party firewalls will often present more problems than they prevent. One of the most common issues I have had to deal with is when the less experienced user has answered a firewall’s prompt incorrectly, denying a perfectly legitimate/safe process access.
I’m a great believer in prevention over remediation. In my opinion, if an outbound firewall does in fact detect something malicious then it is indicative of a weakness in the inbound defenses. Admittedly, an outbound firewall will generally prevent some types of malware from phoning home and possibly intensifying any damage but isn’t it better to prevent the initial infection in the first place rather than have to deal with it after the fact?
I realize a lot of people will disagree with this assessment, as is their prerogative. I am certainly no expert and have never professed to be – I can only tell it the way I see it. Rather than relying on something which only delivers after a machine has already been infected, I would prefer to see users focus their attention on strengthening preventative measures – in my opinion, with sufficient inbound protection, including a cautious attitude and quality router, an outbound firewall is redundant.
What do you think?
23 thoughts on “Do outbound firewalls really offer any substantial benefits?”
Totally with you on this. It’s something I’ve been saying for years, literally. ( http://ask-leo.com/is_an_outbound_firewall_needed.html ) – I do suspect you’ll get some pushback as I know many who are just as convinced they’re necessary.
One scenario where they can make sense, however, is when the operator of the computer can’t really be trusted. In cases like that not only do you want additional protection on all other computers behind the router with it (i.e their software firewalls turned on), but an outbound firewall on that computer can help prevent the spread of malware that inadvertently makes it in. Of course there are other techniques to perhaps secure that scenario a little better, but that’s a case where , at least in my opinion, an outbound firewall could have a role.
Hi Leo – Thanks for dropping by mate.
I’m a long time ‘Ask Leo’ reader and fan. I read through your article some time back, I concurred at the time and obviously still do – and openly admit your article was in fact part of my source of inspiration.
You make a valid point re shared connections – if someone in my household could not be “trusted” they would not be allowed to connect in the first place, problem solved! 🙂 I can see where you’re coming from mate, particularly where a child or errant teenager might be involved.
As I said in my preamble:
I’m a bit confused by what you call “outbound firewalls”. I can only hope this recent encounter falls within this topic and can shed some positive feedback. I d/l tv shows for viewing via torrents. I also use Kaspersky Internet Suite for protection. The torrents I d/l are typically avi or recently mp4 formats. Sometimes the torrents are bundled with added files like for another language or text information. They never contain an exe file. But just last month, I received a very informative screen warning from my Kaspersky package informing me it had blocked a torrent because it detected something suspicious. Boy was I relieved to see that. Oddly enough, the sites I use to d/l my tv torrents do verify what they supply, but this time something slipped by, and my software detected and blocked the file.
Would this detection be firewall orientated, or a/v, or a/m, Mindblower!
Hey MB – First up, that warning would be connected to “incoming” rather than “outbound”. And I suspect the warning was most likely from the AV component of the Kaspersky suite – not from the Firewall.
Incoming = anything which attempts to connect to your computer via the internet from an external source.
Outgoing (or outbound) is the opposite = anything which attempts to connect FROM your computer via the internet TO an external destination; e.g. when installed software ‘phones home’ to check for updates.
Third party Firewalls generally monitor connection attempts in two directions, incoming and outgoing. Windows native Firewall includes both but only incoming is pre-configured and enabled by default.
What do you mean by “3rd party” firewall? Do you mean any software firewall that’s not part of the OS, or do you mean only outbound software firewalls?
Hi David – Yes, a 3rd party firewall is one which is installed separate from the OS. As far as I am aware all popular 3rd party firewalls include both incoming and outbound monitoring enabled. My article is aimed specifically at the outbound component of third party firewalls.
Hope that clarifies,
Well Jim, you might be right about outbound firewall protection. Once a program is given permission, this then grants for incoming and outgoing connections. It’s much easier to block outgoing calls/connections in the Startup Manager. Been doing this for years.
A silly question, if the o/s firewall is the 1st, why are others refereed to as 3rd? Whose 2nd? Brings fond memories of whose on first, what’s on second, and I don’t know on third, Mindblower!
LOL. A great sketch MB.
Yes, it’s easier to block some outgoing calls via a Startup Manager but that is entirely dependent on you knowing about them in the first place.
Wikipedia says this about 3rd party software:
So I guess the OS is primary (number one), the user is number two and any software from any other source becomes number three.
Hey Jim. Probably many, including yours truly, get caught up I the logic: If a baddy is on your machine, it can call home for its own kind of support. The problem with that logic, as Microsoft points out, is that the best defense is to not let any nefarious program or such onto your machine to start with and then you won’t have to worry about outbound issues. The problem I have with two-way firewalls is that they spend so many resources watching — or trying to watch — every last move that one’s computer slows to a crawl.
Absolutely Chuck. You’ve hit the nail squarely on the head.
This is very educational content and written well for a change. It’s nice to see that some people still understand how to write a quality post!
Hi Jim. I tutor seniors in PC use and security is big subject. I try to convince them to have routers between them and their internet connection. Most ISPs these days supply one. I also point out that firewalls were originally designed to prevent attacks on computer systems from external entities – Internet or other incoming connections. A router provides this in a more secure and safer manner. There is some incoming control in modern routers but are for special purposes generally. I emphasise that incoming protection is much more important and necessary and outgoing control is not really necessary.
If they want to know if programs/apps are trying to access the internet without their knowledge then I suggest they run Winpatrol on their PC this monitors program/app installation and warns user and gives them the option to enable or disable. Winpatrol also provides feedback on changes to windows registry during installation and also allows user more/easier control over what is running on their PC including Startup Manager.
Hey Gazza – Yes, all modern routers (that I know of) come with NAT (Network Address Translation) enabled. With NAT enabled, external sources cannot initiate a connection without the user specifically configuring the router to permit it. I cannot stress enough…EVERYONE should be connected through a quality router.
Good point about WinPatrol too. I also highly recommend WinPatrol: http://www.davescomputertips.com/2012/01/winpatrol-the-ideal-way-to-augment-your-security/
I’d imagine tutoring your seniors would be great fun, if maybe occasionally somewhat frustrating. Thanks for your input.
kind of like if you don’t get sick, you can’t pass it on so keep infections out and don’t get excited about outbound traffic. I have used both types of FW and currently am using CIS 5.10 but generally want any protection to handle all incoming. With CIS, one also does not require WinPatrol. for those interested, check this link re CIS 5.10 http://www.youtube.com/watch?v=ao3s_yjNKNU
It’s a lose/lose situation recommending CIS, but I’m glad you’re satisfied with this company, Mindblower!
I think there’s probably a lot of sense in what you and Leo say. However, I have an outbound firewall enabled, simply because that’s the way it comes from the supplier, andI suspect a lot of others are in the same boat. I use Zone Alarm’s Extreme Security suite, largely because many years ago my late wife’s IT manager recommended ZA as his preferred choice for anti-malware protection, and I’ve just grown up with it. At that time, a commercial suite seemed to me to be the best protection; Microsoft had nothing (I’m talking twelve years back…) and the free systems were… shall we say less than competent? …on average.
I’ve never been disappointed with ZA; it’s easy to set up (though it does most of it automatically) and after a short learnng period, the alerts are few and far between. Once in a while it tells me that a program is trying to make an outbouond connection, and I can decide whether or not to allow it.
Is it necessary? Probably not, at least not for me. I have six or seven computers running at one time (distributed computing, in case you’re wondering, and most were acquired for next to nothing) and I am, for the most part the only user, so I don’t have errant users to worry about, but the firewall is there, it’s not intrusive, so I live with it.
Hey TNH – My article was primarily directed at the freeware offerings which are generally installed as ‘extra’ protection, note the category… “Freeware”.
That was exactly my point. Although I was referring to stand-alone freeware firewalls not the firewalls integrated into commercial suites. Not that that necessarily makes them any more useful, more unavoidable perhaps.
It’s almost a year after your article but I have alternative views:
The: “if it detects a malicious outbound transfer it’s already too late” argument::
Wrong: if a key logger got past the inbound defences – which even keeping up to date can and does happen then having a popup appear when logging onto say online banking is NOT too late, it was just in time. (The smarter versions of these infections programs will stay quiet until something juicy comes along, i.e. detecting masked input fields.)
The ‘having outbound protection one must then not think they are safe’ argument.
Firstly: **** that very same statement is 100% applicable to inbound protection too. ****
—- so to use it as a reason against outbound traffic is simply wrong.
But here’s the main rub: just because they let you into the museun to see the Mona Lisa would they let you walk out with it because you were flagged as safe when you walked in??? Because once it’s outside it’ll never bee seen again – just like the money in your bank.
— which also speaks to the: “it doesn’t give you anything else your inbound protection already gave you.” argument.
On a completely separate tack; the “it’s simply not useful anyway” argument:
Some countries, (for instance even the supposedly very advanced Australia – still suffering effects of an uncompetitive monopoly that with the blessing of it’s government gets away with ripping people off) suffer [hugely overpriced] volume based internet charging (not because it matters, just because they can) – and so anything to cut useless traffic **in either direction** is a bonus. (Sorry about the rant but internet pricing in Australia sucks.)
For instance every time you eject a USB device some windows process (can’t remember which coz blocked a long time ago) sends a message to some host in Redmond. (Why????) Stuffed if I know why, but for 100% sure it’s something absolutely not needed when on the road paying through the nose for internet traffic.
(There is a huge amount of traffic from windows which is absolutely never needed, – even at home it’s just contributing to internet traffic bloat – which is also why even with outbound firewalls such as ZA it’s even important to review their “standard [considered safe] default rules’.)
So yes, there *** are valid reasons *** for the outbound protection unless:
1. You kid yourself into thinking your inbound protection is perfect (like the old Sears home delivery department you don’t mind your delivery trucks rolling off the yard with extra unpaid-for fridges and washing machines)
2. You think catching something in the act of sending your sensitive data is “too late” – (or in other words you would prefer to wait for your bank statement to find out you’ve just been cleaned out.)
3. you don’t live in (or visit) countries with the overhang of monopolistic organisations gouging you for internet access.
Yes, the outbound protection doesn’t make your system perfect, but it does make it better.
Hey Rob – Appreciate your input here. It’s always great to hear both sides of the story, you’ve presented your arguments well and make some valid points.
The article is largely directed at the massive contingent of your ‘average’ home users out there and on balance I still tend to believe that 3rd party firewalls (including outgoing) are more trouble then they are worth. We shall have to agree to disagree mate. 🙂
But I do agree100% with your assessment of the ISP industry in Aus., even ranted here on DCT about it: http://www.davescomputertips.com/2013/01/rant-for-the-week-isps-and-pay-tv-providers/
ok here’s a stupid question
how do i tell if i have an outgoing firewall?
i use comodo firewall but that’s incoming
Hey Voxpop – Not a stupid question at all. Comodo Firewall includes both, incoming and outgoing. Which means it is monitoring connections coming in and those going out. Most all third party firewalls (those which you download and install yourself) include both.
Even Windows Firewall includes both, but the outgoing side in Windows Firewall is not enabled and there is no built-in easy way to configure it.
Actually on the “average home user” I will agree: as you mention whenever they get a popup they do one of two things – maybe phone somebody like you or I to ask what to do, but mostly choose “yes” because they believe with the all the security software (antivirus included) their machine is impervious.
Look on the bright side: Aus internet may be bad but spare a thought for our neighbours in NZ: their mobile internet is more than twice the price for less than half the data. BTW: loved the foxtel rant ( – also agree: only sports worthwhile- rest is all rubbish).
Comments are closed.