Outbound firewall protection is arguably the more important component of two-way firewall software, at least from an anti-malware perspective. So you can imagine my surprise when Chris Hoffman over at How-To Geek boldly asserted that you don't need an outbound firewall on your machine. Someone is wrong on the Internet!
Okay, so maybe someone writing an article including advice I disagree with is not particularly a big deal. But it seems that Chris is not alone in this opinion, as major companies (including Apple) also seem to think people only need inbound firewall protection. The How-To Geek article is simply the tip of an iceberg that is symptomatic of a misunderstanding of the current threat landscape.
Here's why you need an outbound firewall.
Inbound Firewalls vs. Outbound Firewalls
Inbound firewalls only protect against certain kinds of attacks, and with the increasing frequency of new malware and targeted attacks, the best defense is implementing multiple layers of protection. Outbound firewalls are remarkably good at alerting us about unknown things trying to connect out of our machines, which is nice to have. The firewall may alert you about an undetected bit of malware, or it could be alerting you about a piece of software that you know full well that you downloaded, but didn't think would be connecting to the Internet. I'd say that's good information to have.
There are a lot of legitimate processes on your machine that do need to connect out (such as to get email, surf the web, get or update settings, and so forth), but if malware found its way on your computer, you want to be able to prevent it from connecting out to send data or to alert its controller. Two-way firewalls offer real protection because they combat inbound threats and can prevent malicious programs on your machine from calling out to the Internet.
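The outbound check described above can be sketched as an allowlist audit over a socket listing. This is an added example, not code from the article or from any firewall product: the `lsof -i -n -P` sample is constructed, and the allowlist and the process name `updhelper` are hypothetical.

```python
# Constructed sample of `lsof -i -n -P` output; remote hosts use documentation ranges.
SAMPLE_LSOF = """\
COMMAND   PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
Mail      412 alice 23u IPv4 0xa1 0t0 TCP 192.168.1.20:51514->203.0.113.10:993 (ESTABLISHED)
Safari    530 alice 31u IPv4 0xa2 0t0 TCP 192.168.1.20:51620->198.51.100.7:443 (ESTABLISHED)
sshd       88 root   4u IPv4 0xa3 0t0 TCP *:22 (LISTEN)
sshd      901 root   5u IPv4 0xa4 0t0 TCP 192.168.1.20:22->192.168.1.5:50022 (ESTABLISHED)
updhelper 977 alice  9u IPv4 0xa5 0t0 TCP 192.168.1.20:51701->192.0.2.55:8080 (ESTABLISHED)
updhelper 977 alice 10u IPv4 0xa6 0t0 TCP 192.168.1.20:51702->192.0.2.77:8080 (SYN_SENT)
"""

ALLOWED = {"Mail", "Safari"}  # hypothetical allowlist of programs expected to connect out


def parse_sockets(lsof_text):
    """Return (command, pid, name) for each TCP row; name is lsof's NAME column."""
    rows = []
    for line in lsof_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 9 and fields[7] == "TCP":
            rows.append((fields[0], int(fields[1]), fields[8]))
    return rows


def port_of(endpoint):
    """Port part of 'host:port'; rsplit also copes with bracketed IPv6 hosts."""
    return endpoint.rsplit(":", 1)[1]


def unexpected_outbound(lsof_text, allowed):
    """Map (command, pid) -> sorted remote endpoints for non-allowlisted outbound TCP."""
    rows = parse_sockets(lsof_text)
    # Ports this host listens on: a connection using one as its local port
    # was accepted from a peer (inbound), not initiated by the local process.
    listening = {port_of(name) for _, _, name in rows if "->" not in name}
    findings = {}
    for command, pid, name in rows:
        if "->" not in name:
            continue  # listening or unconnected socket, no remote peer
        local, remote = name.split("->", 1)
        if port_of(local) in listening or command in allowed:
            continue
        findings.setdefault((command, pid), set()).add(remote)
    return {key: sorted(remotes) for key, remotes in findings.items()}


if __name__ == "__main__":
    for (command, pid), remotes in unexpected_outbound(SAMPLE_LSOF, ALLOWED).items():
        print(f"ALERT {command} (pid {pid}) -> {', '.join(remotes)}")
```

This audit only observes connections, while an outbound firewall can also block them; and because it matches on process name, it cannot see traffic that rides inside an allowlisted program.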
Outbound Firewalls Help Combat Malware
It sounds a bit like the author of the How-To Geek article may have been using a firewall that required a lot of hand-holding, and making some assumptions about what malware does. For instance, he provided the following reasons to claim that outbound firewalls aren't an effective defense against malware:
- Outbound firewalls just prevent applications on your computer from connecting to the Internet. If you see that a piece of malware is trying to connect to the Internet, you’ve already lost because it’s running on your computer. The malware can do a lot of damage without Internet access.
- If a malicious program were running on your computer and had access to your system, it could likely open its own holes in your firewall software. Again, once the malicious software is running on your system, you’ve already lost.
- Malware could piggyback on other programs to communicate over the Internet. For example, a piece of malware could open a special web address in your browser to ping a server, capture the page that the server sends back, and use the data. It’s difficult to completely isolate an application from the Internet.
Generally speaking, firewalls are getting better at not bugging you about every little thing. And while malware may try to disable firewalls, it may also just stop running because it sees you have a firewall (Flashback.S behaved this way), or your firewall may simply work and alert you about suspicious activity. A good example of this comes from a variant of the Tibet malware; once a Mac was infected, it showed no indication that the computer was compromised, unless the user was running firewall software that detects outgoing network connections, as available in Intego's NetBarrier anti-spyware module.
If there is unknown malware on your machine, you want to be able to prevent it from connecting to the Internet—only firewalls with outbound protection offer this security.
I'd rather err on the side of caution, since my many years working with security software have shown me that it frequently does work just like you'd expect. This is especially true on Macs where having a separate piece of firewall software is less common, so malware authors are less on-guard, and most of the time the firewall will alert you to new malware.
Layered Defense Offers the Best Protection
All this highlights the fact that multi-pronged security, which includes inbound and outbound firewalls, is the best way to protect you from those who try to steal information from your machine.
Two-way firewalls are a great way to filter the traffic coming into and out of your machine and to help protect you against the unknown. Combined with other security tools, like Mac antivirus software to help protect you against suspicious and known malicious behavior, you can greatly decrease the possibility of cyber criminals getting access to your machine and the information on it. This is why we strongly encourage Mac users to run inbound and outbound firewalls: it makes Macs more secure.