Ok, late response but I'm a bit late to this party as you know, and although threads like these intrigue me like no other I figured I'd better get my stuff together before commenting.
segfault said:
I am more than a little ignorant on the subject of firewalls, and the only time I deal with them is to curse and whine about them as I fumble around trying to get them to allow our identity management traffic to reach the various servers in organizations that run nothing but Microsoft. Why are these wretched things needed in the first place I keep wondering.
Although I may now repeat things which have already been said I'm going to go ahead anyway to make sure the story as I want to lay it out is as complete as possible. Because I get the feeling that one part of your problem is that you're often hit with plain jargon when dealing with firewalls. And the problem with jargon is often that at first it appears as a bit of "abracadabra" which often will start to make sense when you get a better understanding.
Obvious problem: to get a better understanding you more than often need to get through a lot more jargon which doesn't make things easy.
...having that out of the way.
Firewalls are required to provide an extra and controlled security layer to your system. Because generally speaking (trying to briefly address Windows here as well) these services do not provide means of differentiating between visitors. They don't really provide a means to determine who does and who doesn't get access.
Of course this differs when we're dealing with services such as identity management, mail services and the likes. But even here it can be very helpful to keep one in place.
For example; on Unix environments a very common way to gain remote access to your system is SSH (Secure SHell). However, SSH isn't the perfect super-safe solution, even this program can have issues like all software has, you can get a nice overview when you're checking the CERT database for SSH vulnerabilities.
While this doesn't have to provide a problem per se, it is something to keep in mind. For us FreeBSD users (or so I assume most are) we have tools like freebsd-update and of course portsnap to help us keep our systems up to date.
But here's the thing: why risk it if you know for sure that only yourself and a few others of your (admin?) team will require access to said server?
Then it makes sense to block the whole thing out and only allow specific access. What you gain by this is that "bad guys" who are trying to exploit a software issue in SSH will now have to cope with 2 layers: first they need to penetrate your firewall, then they can get their hands on SSH.
Not only does this make things a lot harder on them, it also provides you with all the means to get alerted to their scheme before it even starts, thanks to monitoring and logging services. Which are basically not really part of a firewall, but that's a bit nitpicking though on my end ;-)
segfault said:
Now I can see a firewall helping secure Windows since it seems to have so many "magic" ports always listening for heaven knows what (WMI, builtin-SQLExpress instance, etc.) but what does a firewall do for FreeBSD machines? The FreeBSD kernel doesn't listen on any ports, and if a program isn't listening on a port then why would we need a firewall blocking that port?
Careful there though. Windows has many ports which it uses to listen on, that is true, but the essence is really no different than the "basics of firewalling" (to give this a name).
And those magic ports you speak of really aren't as obscure as you make them out to be, even Windows has options to carefully monitor what is going on, for example: PS> netstat -a | more (where PS is obviously used to address PowerShell).
However, the main difference here is that Windows has a "pre-TCP/IP" based history where it used other protocols as well. But that time has been long past, though it never hurts to check up on them because the list can sometimes be a little vague too, for example by using: PS> Get-WmiObject Win32_Networkprotocol | Format-List name,description,status
But back on topic again; you're right. On a pure Unix (-like) network there wouldn't be a need for a firewall per se since the services which it listens to are limited.
However, then we need to keep another thing in mind. Although ports below 1024 are considered to be privileged (so only a root user can open them) everything above that is free game. When looking at my new FreeBSD server I can tell you one thing; the last I'd want to happen is some customer going to play with his shell environment and set up all sorts of nastiness. I don't know; maybe an IRC server of some sorts (though not nasty by definition, I maintain one myself, they're often used for nastiness).
That's where a firewall can come in handy too. He/she may have all the means to set up an IRC server of his own, getting his buddies to actually access the critter becomes a completely different story.
segfault said:
I must be missing something because it seems to me that the whole firewall concept is a clumsy stopgap to secure poor OS design at best, and at worst nothing more than a job security, fear-mongering tactic by self-important Windows "IT security" types.
I think you're partly right here, because on Windows environments there are many companies out there which try to sell you firewall-based solutions in order to enhance your safety. While the fact of the matter is that it's a lot of bollocks.
The Windows firewall in its current state (Windows 7 and up) may be a bit vague from a certain perspective (it certainly is "special", I'll give you that) but it can easily cope with, for example, netfilter which we have available on FreeBSD.
Which is the key aspect here; a lot of things on Windows aren't as ideally set up as they could have been, but that's a completely different (off-topic) story.
segfault said:
I've asked a few guys and they never give a straight answer leading me to believe they don't really know.
So I'm asking here: Are there indeed some ports that Windows is always listening on that cannot be easily controlled? If I was running a network of all *nix machines, would I even need a single firewall?
The problem isn't so much Windows, it's the idiots who think they should apply changes to it when in fact it isn't even necessary. Windows access can easily be regulated by your firewall, the main problem is that in order to do that you need to set up some sane firewall rules, and that's where disaster often strikes.
At one time, but obviously I'm not going to go in full detail here, I've seen a "free" version of one of Microsoft's core components, SharePoint Foundation, actually add insecure changes to the firewall which effectively would allow just about anyone to gain access to its WMI services. Or in plain English; provided them with the means to try brute-force logon attempts.
That's not an example of Windows being insecure, it's an example of an idiot allowing obscure changes to find their way into a software installer.
But as illustrated above; even if you were only using a Unix environment it would still make sense to keep a firewall in place. Though the priority of setting one up may be a little lower than it is on Windows-based environments (generally speaking).
Right, even though I do repeat some of the things already mentioned by others I do hope this can help as well.
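As an added illustration (not part of the post above, and written for pf, one of the firewalls shipped with FreeBSD), here is a minimal pf.conf that does what the post describes: default-deny inbound with logging, SSH reachable only from a short admin list, and nothing a local user binds on a high port reachable from outside. It assumes the external interface is em0 and that 192.0.2.10 and 192.0.2.11 are the admin hosts (constructed documentation addresses).

```pf
# Added example, not from the post: minimal /etc/pf.conf for a FreeBSD host.
# Assumptions: external interface em0; admin hosts 192.0.2.10 and 192.0.2.11
# (constructed addresses from the documentation range).

ext_if     = "em0"
admin_hosts = "{ 192.0.2.10, 192.0.2.11 }"
# Services this host is deliberately offering to everyone.
public_tcp = "{ http, https }"

set skip on lo0

# Default deny for anything coming in; "log" sends a copy of each dropped
# packet to pflog0 so monitoring can pick it up before an attack gets far.
block in log all

# The host itself may start outbound connections; replies come back via state.
pass out keep state

# SSH is the "block the whole thing out and only allow specific access" case:
# only the admin hosts can even reach sshd, everyone else hits the block above.
pass in on $ext_if proto tcp from $admin_hosts to ($ext_if) port ssh keep state

# Public services stay reachable as intended.
pass in on $ext_if proto tcp to ($ext_if) port $public_tcp keep state

# Nothing passes high ports, so a user-started daemon on e.g. 6667 (IRC)
# is bound locally but unreachable from outside, and each attempt is logged.
```

Check the syntax without loading it with pfctl -nf /etc/pf.conf, and watch the logged drops live with tcpdump -n -e -ttt -i pflog0.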