Personal Firewalls Mostly Useless, Says Mail & Guardian
hweimer writes "More and more security researchers come to the conclusion that personal firewalls are ineffective in controlling outbound traffic. An article in the Mail & Guardian online mentions a test that 'showed that the software often causes more problems than it solves. Not one of the six firewall programs the magazine tested, regardless of whether commercial or freeware, could prevent all attempts from the test programs at establishing outgoing connections between the PC and the internet.' Simple PoCs are available, too."
Well, that's what happens when you try to introduce a complex topic like network security into the consumer market, and subsequently fail at that task. They (the software manufacturers) fail not only in raising a suitable amount of awareness (if every single computer on the planet was behind a firewall, how many worms/malware would this stop?), but they also fail to do the job properly (not blocking outbound traffic) for those who do install their software.
There is nothing interesting going on at my blog
Personal firewalls do not block outbound connections because it is a pain in the ass to decide what can pass or not. I mean, did you ever try some Windows firewall that allows that? You get hundreds of warnings from obscure services trying to send unknown data to somewhere you do not want to know. Users are clueless about it; they will just check the box that says "shut up and hack my box" if it prevents further messages from appearing.
Stupidity is the root of all evil.
I'm just curious, since the article doesn't mention it, but which firewalls were tested? I've looked at the website for the magazine that did the testing, but my German is rather rusty and I can't seem to find the original article. The only one mentioned in the article is the Windows XP firewall.
I stole this sig from a more creative user.
So if I have a hardware firewall in my router, is a software firewall useful as a last-ditch defense? Or is it nothing more than an annoyance and resource hog?
Download my free songs!
FTFA: Users who still prefer a firewall should first check whether they are using a router with firewall functionality. If so, then no firewall is needed, including the one built into Windows XP, reports PC Professionell. As far as I'm concerned, the main purpose of using personal firewalls is to prevent unwanted outbound connections, for example from Microsoft products. Hardware routers only block incoming traffic, and can't do it on a per-program basis. The article is too quick to dismiss personal firewalls for not being every man's savior.
I still remember the lone time I got virused, as it also was the lone time when I put a non-firewalled machine on the internet.
Basically the story is that I had managed to fry my home machine, didn't have a second computer at the time, but hey, looks like I got enough older parts for one (or a couple of them.) Stupidly enough, the firewall program (Sygate was my favourite at the time) was among the few things I had never backed up, but otherwise I could have a computer to play with in an hour or so.
Now I could have, of course, gone and bought some security program, or could have downloaded it at work and burned it on a CD, or whatever. I chose to just do a sacrificial install instead. As in, you know, install Windows, go online unprotected long enough to download a firewall, reformat, reinstall Windows. I fully expected the first install to get virused, but that's ok, since it would get reformatted a few minutes later.
It also was Windows 2000, not XP, so no activation hassle.
Well... let's just say that what I didn't expect was how fast the thing got virused. I expected it to get virused eventually, yes, but it got owned within a couple of minutes. Scary.
A polar bear is a cartesian bear after a coordinate transform.
I think the problem here is Software vs. Hardware firewalls.
Compare a Cisco PIX 501 to Norton's latest and greatest software firewall.
Software firewall basically starts off blocking what it thinks are potential viruses or threats to your computer.
A hardware firewall such as a PIX 501 just blocks everything until you tell it otherwise.
A software firewall basically is a nuisance with all its little security warnings: "CAUTION: You're getting on the internet."
Hardware firewall just stays out of the way and does only what it's told to do.
The biggest difference between the two is the fact that software is so much easier to bypass than a hardware firewall. Software only blocks what comes into your computer, whereas the hardware is there right when traffic passes your modem.
Also, you get what you pay for... a PIX 501 runs around 400-500, whereas Norton with Anti-Virus is what... 50 bucks? You basically get what you pay for and can't expect much more.
The greatest revenge in life is massive success.
If slashdot, digg and friends were to link to printable versions, how long would it take for those sites either to remove the print version or to put their ads there?
Instant Karma's gonna get you, Gonna knock you right on the head (John Lennon, 1970)
I used to work tech support for Verizon DSL (ick) and we saw problems with this all the time. People would have McAfee installed and it would spontaneously decide to deny IE outbound access. (Now, customers using IE is a whole separate can of worms, but I don't feel like writing a novel so I won't go into that here... I "fixed" many computers by removing the IE shortcut from the desktop and installing Firefox.) The McAfee issue happened frequently enough that I doubt it was something that the user misconfigured; some of the people didn't even know they had McAfee (it came with the computer). The symptoms would be: you could ping anything you wanted, but any attempt at websurfing would time out, even to other devices on the LAN (like the cheap routers we supplied). I even saw times where McAfee would deny access to the 192.168.x.x LAN address but allow general internet access. We didn't support firewalls when I worked there, so the customer was instructed to disable the firewall and then access came back. Trying to use a firewall to block *outbound* traffic is kind of dumb. If there's malicious software on your computer, it's already too late for more software to solve the problem.
Now, I didn't RTFA, but it seems the whole point it is trying to make is that software firewalls AREN'T doing just that.
There are ways around personal firewalls, therefore personal firewalls are useless.
So says an article linked by an article linked by an article that I can't really read. Pardon me if I am not convinced.
I'm quite content with the personal firewall I have. It stops lots of outbound connections from applications that like to phone home. If there is an app on my system that searches for IE windows and uses them to surreptitiously send data out -- I'm already f*d. Fortunately, my firewall blocks IE so I'm not vulnerable to that one. (It could use Firefox though.)
Okay, we are talking about Windows users: they will simply click 'Yes' to anything that pops up on the screen.
And if you don't want to use a firewall or anti virus, please come to my college and connect to the network. Wait 10 minutes while your computer gets owned.
Within 1 hour of moving into my apartment on campus, ZoneAlarm has logged almost 1,000 inbound access attempts... now that's scary.
I always get a kick out of people who set their firewall to prompt on every attempt to access the net, especially when they're running as admin on their boxes.
Even without the user running as admin, it's fairly easy to create a program to bypass outgoing firewalls. Basically the trick is to piggyback your communications over an existing application that's trusted.
Nearly everybody is going to trust IE (or Firefox, or whatever browser) to access the network. All you have to do is figure out a way to use that program to do your communications for you.
I once wrote a proof of concept app (in VB no less!) that used IE to do exactly this. I set up a simple piece of server software that accepted requests via HTTP GETs and returned the response as base64 encoded text in an HTML body. When my app needed to access remote data I just used IE to request that data from the server and then base64 decoded it. I could have also done something like have the server software act as a proxy so I could request any remote data I wanted, even if it wasn't hosted by my server. It was trivial.
The best part was that *every* major outgoing firewall failed to detect this attempt, despite the fact they claim to be able to tell when one application is using another to piggyback communications. Perhaps it was the way the COM interface worked, I'm not sure... but it never failed and never prompted me to allow it to happen.
Why?
Yeah, it'd be nice to stop the stupid user stuff with outbound attacks and such... but most of that threat is better mitigated through the use of malcode-analyzing proxies and other filtering systems (we quarantine email attachments, haven't had a 0-day in years, use centralized ad and malcode blocking for web browsers, etc).
The REAL threat that we could actually get benefit from using PFW software on was for inbound traffic (i.e. worms). We tested many PFW applications in our labs, and many of them were horrible (they didn't even begin blocking until the user logged in, they opened listening ports for their own management, etc). We found that the firewall bundled with XP SP2, however, is actually a very good product. It is up on boot, DROPS rather than rejects packets, is controllable via scripting, and has good logging. The problem, as always, is in allowing our staff to administer windoze clients remotely. This requires certain ports be opened.
The easiest tradeoff (and we remain worm-free) was to simply block all inbound ports unless the client is connected to a trusted corporate network (in which case we open them all up again). This is done through some Active Directory probing during initialization scripting and also on interface up/down changes. It works very well.
It's not perfect, nor is it the most uber-super secure solution (a user could theoretically bypass our default wireless configuration to bridge while connected to a trusted wired network since our windows AD guy doesn't know a way to dynamically block with the firewall per interface -- it's a risk covered by our security policies which we don't mind). But it does what we need it to do, provides adequate security, and does not disrupt business.
Here are the requirements that we had going into our testing, and the XP SP2 firewall did a very good job at addressing them:
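The policy the poster describes (all inbound blocked unless the machine is on the trusted corporate network, management ports opened only there, DROP rather than REJECT for what is refused), modelled as an added example. This is not the poster's script and not the XP SP2 firewall's own interface; the probe fields, the corporate DNS suffix and the management port list are assumptions chosen for illustration. The connection table is what lets "block all inbound" coexist with ordinary browsing: replies to connections the host itself opened are matched and let through.

```python
"""Host firewall with a network-location profile (added example, not the
poster's configuration). Probe fields, domain and ports are assumptions."""
from dataclasses import dataclass
from enum import Enum

CORP_DNS_SUFFIX = "corp.example"          # assumed AD DNS domain
MANAGEMENT_PORTS = {135, 139, 445, 3389}  # assumed: RPC, NetBIOS, SMB, RDP


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    outbound: bool = False


class Verdict(Enum):
    ACCEPT = "accept"
    DROP = "drop"      # silently discard: the sender only sees a timeout
    REJECT = "reject"  # discard and answer RST/ICMP: confirms a host is there


def trusted_network(probe: dict) -> bool:
    """Trust only when the DHCP-supplied DNS suffix is the corporate domain AND
    a domain controller actually answered. The suffix alone is not evidence:
    any DHCP server on a hotel network can hand it out."""
    return (probe.get("dns_suffix", "").lower() == CORP_DNS_SUFFIX
            and bool(probe.get("dc_answered", False)))


class HostFirewall:
    """Stateful inbound filter: outbound always allowed and recorded; inbound
    accepted only as a reply to a recorded flow, or to a management port while
    on the trusted profile; everything else is dropped (or rejected)."""
    def __init__(self, trusted: bool, reject_refused: bool = False):
        self.trusted = trusted
        self.reject_refused = reject_refused
        self._flows = set()  # (proto, local_ip, local_port, remote_ip, remote_port)

    def on_network_change(self, probe: dict) -> None:
        """Re-evaluate the profile on interface up/down, as the post describes."""
        self.trusted = trusted_network(probe)

    def filter(self, pkt: Packet) -> Verdict:
        if pkt.outbound:
            self._flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return Verdict.ACCEPT
        # inbound: a reply to something this host initiated?
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self._flows:
            return Verdict.ACCEPT
        if self.trusted and pkt.proto == "tcp" and pkt.dport in MANAGEMENT_PORTS:
            return Verdict.ACCEPT
        return Verdict.REJECT if self.reject_refused else Verdict.DROP


def demo():
    """Same RDP probe against the laptop at home and then on the corporate LAN."""
    rdp = Packet("tcp", "203.0.113.9", 40000, "192.168.1.20", 3389)
    fw = HostFirewall(trusted=False)
    at_home = fw.filter(rdp)
    fw.on_network_change({"dns_suffix": "corp.example", "dc_answered": True})
    at_work = fw.filter(rdp)
    return at_home, at_work


if __name__ == "__main__":
    print(demo())
```

Two things the model makes explicit. First, DROP is preferred over REJECT for the same reason the poster lists it as a plus: a worm or scanner that gets no answer cannot distinguish a filtered host from an empty address, whereas a RST or ICMP unreachable confirms there is something to come back to. Second, the trust decision is only as good as the probe; a DNS suffix copied from DHCP is trivially forged, so requiring an actual answer from a domain controller is the minimum, and even that does not cover the bridging case the poster already flags as an accepted risk.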
Of course, they aren't perfect. But I've got a friend who was having recurring problems with various malware. I set her up with ZoneAlarm, Anti-Vir, Ad-Aware and advised her to download Firefox to browse with rather than using IE. Without ZoneAlarm to block the malware traffic while Anti-Vir downloaded updates to its signature files, her internet connection was saturated with so much malware traffic that she couldn't connect to anything else. Further, she gets to see what programs try to access the internet.
I love how, whenever I go to my grandparents to fix their computer (after they've dealt with their ISP's tech support) the ethernet cable is always running straight to the PC and bypassing the router. It's hard enough to get average Joe to understand the usefulness of a hardware routing/firewall device, but when the ISP is actively having them bypass it I can see a software firewall being somewhat useful at times.
openSuSE 10.1 actually makes it sickeningly easy to configure a firewall, subnet masquerading, DNS merging, and port forwarding. It took less than two hours to get it all working (including dial-up and DHCP network alteration of the DNS forwarding). IIRC it took almost two days to get it working with RedHat 5.2.
I realize it's not a fair comparison, as there is over 5 years of dev work in between the two, but the point is you don't need much knowledge, just a spare dual-nic box that'll run one of the more recent distros.
A friend of mine is a bit annoyed. It was faster and easier to set up SuSE's firewall and have it working reliably than his WinXP dial-up node. :P
I do not fail; I succeed at finding out what does not work.
It also makes dynamic loading and unloading of device drivers impossible, which is why it doesn't make any sense for desktop systems. Security can only be achieved through properly granting permission, not through outright avoiding granting permission. A scheme that is too restrictive will simply get turned off or worked around by the end users, and thus is not particularly useful, and indeed may actually be harmful to security because of developers making security assumptions that are no longer valid in such a situation.
Want to really improve security? Create multiple separate privilege sets in the kernel instead of a single "root". Make different executables setuid to a user with privilege sets that allow certain operations. Your kernel extension loader has sufficient privileges to load a kernel extension, but still can't write directly to kernel memory or listen on low numbered ports or access raw devices or bypass filesystem permissions. Your software that requires the ability to listen on low numbered ports doesn't get permission to bypass filesystem permissions or load kernel extensions. And so on.
Don't get me wrong, it's perfectly okay to have a "root" user, but no executable should ever be setuid root in such a scheme, and that root user should only be used for very limited administrative tasks.
Check out my sci-fi/humor trilogy at PatriotsBooks.