Outbound Firewall For Extra Security?
A curious AskBob reader says: “I understand why I need a firewall to protect my computer from inbound threats. But a friend is telling me that I need another type of firewall software, which blocks outbound traffic as well. If I have anti-virus software, do I really need this outbound firewall?” Good question, here’s my take on outbound firewalls... |
What Kind of Firewall Do You Need?
Most people think of firewalls as barriers between their computers and bad things “out there” on the Internet. Inbound firewall protection blocks attempts by external entities (hackers or malware) to connect to your computer. See my related article Do I Really Need a Firewall? for my advice on INBOUND firewall protection. (Yes, you do need it, but you probably already have one.)
But remember, the Internet is a two-way highway. Outbound firewall protection is just the opposite of inbound. It blocks attempts by software that resides on your computer to access the Internet. So if your computer is infected with a keylogger or some other data-stealing malware, an outbound firewall should prevent that rogue from transmitting your passwords and other sensitive information to its evil masters. If another type of malware is using your computer to send spam to millions of innocent parties, an outbound firewall should prevent that as well, in theory.
In practice, though, outbound firewalls provide little useful protection, consume computer resources, may interfere with legitimate programs, and are generally more trouble than they are worth. They can also give you a false sense of security.
By default, the firewall in Windows 7, 8 and 10 provides only inbound protection. You can enable outbound protection as well, but then no program on your machine will be allowed to connect to the Internet! That means no browsing, no Windows Update, no email, no other updater programs, etc. You have to manually configure permission for every single program or process that you want to have access to the Internet, and update that configuration regularly. I don’t know about you, but that doesn’t sound like my idea of fun on a Thursday afternoon.
Other Reasons to Stick With Inbound Firewall Protection
Outbound firewalls tend to spew many false positives. That is, they warn you about programs that really are not a problem. After seeing many false positives and ignoring them, it’s all too easy to ignore a legitimate warning of malware. Imagine a security system in a retail store that flagged every customer leaving the store as a potential shoplifter.
There are legitimate reasons why some software on your computer may need to make an outbound connection. Some programs poll a remote server to see if there are any fixes or updates available, and install them automatically. Others send anonymous statistical data, or use collaborative feedback mechanisms. A weather or stock market widget on your desktop will need to poll for the latest data periodically. And then there are all the cloud-based apps that let you store and edit files online.
It can be very hard for the average user to figure out whether a given program should be allowed to access the Internet. Most outbound firewalls give only cryptic descriptions of what is trying to access the Net, so only the most technically savvy users can decide what to do about it. The chances are pretty good that you’ll block a program you do need, and later wonder why something isn’t working.
Outbound firewalls don’t do anything to prevent your computer from becoming infected, which is the most effective line of defense. If an outbound firewall warns you that malware is trying to access the Net, it’s already too late; your inbound defenses have been compromised somehow.
See my article PC Matic 4.0 – My Review if you need to beef up your malware protection. PC Matic has been my antivirus solution since 2018, and I happily recommend it. The whitelisting technology it uses is unique and works really well!
A router configured to use NAT (Network Address Translation) is my preferred alternative to software firewalls, inbound or outbound. Such a router effectively hides your computer from everyone “out there” so malware can’t even find it. It protects an entire network from a single point, instead of having to install firewall software on every device on the network. The router also does the heavy lifting, freeing resources on your local machine. The good news is that you probably already have a NAT router. See Do I Really Need a Firewall? for more information about routers and inbound firewall security.
Expert users may have to resort to outbound firewalls occasionally. If you know every legitimate program that should be allowed access to the Net, an outbound firewall may alert you to hidden malware. Large enterprises may employ outbound firewalls to make sure sensitive or confidential data isn’t leaking out. But some malware is clever enough to disable your anti-virus or firewall protection, or fool the outbound firewall into letting it slip past.
The bottom line: Outbound firewall protection is of very marginal benefit and can be an enormous irritation. See my advice and links above concerning INBOUND firewalls and malware protection, and you’ll be better off.
Your thoughts on this topic are welcome! Post your comment or question below…
This article was posted by Bob Rankin on 16 Sep 2021
| For Fun: Buy Bob a Snickers. |
 |
Prev Article: Geekly Update - 15 September 2021 |
The Top Twenty |
Next Article: Was Your Email Account Just Hijacked? |
 |
Post your Comments, Questions or Suggestions
|
Free Tech Support -- Ask Bob Rankin Subscribe to AskBobRankin Updates: Free Newsletter Copyright © 2005 - Bob Rankin - All Rights Reserved Privacy Policy RSS/XML |
Article information: AskBobRankin -- Outbound Firewall For Extra Security? (Posted: 16 Sep 2021)
Source: https://askbobrankin.com/outbound_firewall_for_extra_security.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "Outbound Firewall For Extra Security?"
Posted by:
Bob K
16 Sep 2021
My experiences in the far past ( think with ZoneAlarm then) were far too bothersome. With that program, every outbound address was presented to you to either allow, or deny. It remembered your desire, and you never got to consider that connection again.
But today, so many programs are using some for-hire server or VPN to handle their traffic, you don't know where a particular connection might be going to.
A better approach is to use your HOSTS file to block known bad destinations. You can add a domain to your HOSTS file easily -- blocking DoubleClick.Net would be maybe worthwhile. On the web you can find plenty of HOSTS files that have many bad sites preconfigured for you.
Posted by:
Renaud Olgiati
16 Sep 2021
Using a HOSTS file to block known baddies is good if you only have one machine hooked to your router, but is a pain to maintain over several boxes on a LAN, also it does not protect your WiFi.
Is such a case, using a Raspberry-Pi configured as a primary DNS server, and which has the list of nasty URLs, improves your security, as well as browsing experience, no end.
Pi6Hole (https://www.raspberrypi.org/blog/pi-hole-raspberry-pi/) is easy to install, come with a mountain of known baddies sorted by type (Pub, Betting, P*rn, Violence etc.) and is admined from your desktop/laptop through a web interface.
Highly recommended, and runs on any raspberry from Zero up..
Posted by:
RandiO
16 Sep 2021
Partially true: "You can enable outbound protection as well, but then no program on your machine will be allowed to connect to the Internet!"???
I maybe the odd-man-out but I happened to like and depend on my outbound firewall. I don't see that much of a (resource, memory or cpu) loading, using such a useful provision. Although, setting it up to work w/o such described annoyances is not a 'chore' but must be realized as part of doing business.
Surely, if you are the kind to own a gun for security purposes; I don't think becoming intimate with the proper usage of the gun is to be considered a 'chore' but truly 'essential'. Ditto for security of the software kind.
I don’t like advertising for PAYware but Glasswire has been my cohort and my ‘software gun’ for additional security, in the last decade.
Posted by:
JP
16 Sep 2021
While not a firewall, Malwarebytes Anti-Malware will block your web browser from attempting to connect to a malicious web site.
Posted by:
Jim1
17 Sep 2021
AS Bob often says: Back up, back up, back up. Keep it simple. Use the scheduler to back up at the close of each day.
Posted by:
gene
17 Sep 2021
I use Malwarebytes Pro, have a lifetime license from back when they offered that, it will interpose anytime you're about to go to site that isn't safe. It also acts as a software firewall, as do MANY browsers now. I've also got a hardware firewall in my router so definitely don't need more than that. Have NEVER had a bit of malware or virus get to my machine in nearly 30 years of having a Windows desktop, laptop and other Apple devices.
Posted by:
buddie risner
17 Sep 2021
I at one time had a program that blocked words and numbers from going out. I used this for bank accounts ssan and things of that nature. It really worked.
Anytime one of my protected numbers or passwords also, was sent out the program would alert me and ask "do you approve this?" I have to search for that program again. It worked.
Posted by:
Myron
19 Sep 2021
Using the hosts file is the most effective outbound blocking. Spybot S&D (free version works) inoculates the hosts file with known bad sites. So basically acts as an outbound filter.
Posted by:
thenudehamster
20 Sep 2021
I'm with Bob on this.
I used ZA for some time, disabling the outbound after a while as a bit of a nuisance, but changed to PC-Matic about the same time as Bob. It can occasionally delay things for a second or two while you confirm a new program, but, overall, adds no appreciable delay to my system. AFAIK it's the only anti-malware that blocks EVERYTHING that's not specifically permitted. Regular scans show nothing out of the ordinary, so I guess it must be working... and it covers up to five - everything I have, and more - machines. (usual disclaimer applies, of course)