Slashdot Mirror


Personal Firewalls Mostly Useless, Says Mail & Guardian

hweimer writes "More and more security researchers come to the conclusion that personal firewalls are ineffective in controlling outbound traffic. An article in the Mail & Guardian online mentions a test that 'showed that the software often causes more problems than it solves. Not one of the six firewall programs the magazine tested, regardless of whether commercial or freeware, could prevent all attempts from the test programs at establishing outgoing connections between the PC and the internet.' Simple PoCs are available, too."

25 of 303 comments

  1. misleading headline by macadamia_harold · · Score: 5, Informative

    More and more security researchers come to the conclusion that personal firewalls are ineffective in controlling outbound traffic.

    The article's about personal software firewalls, not personal hardware firewalls. Furthermore, the fact that personal software firewalls are useless and buggy is not really a new discovery.

    1. Re:misleading headline by iMaple · · Score: 5, Insightful

      Yes, I agree. The title should say "Personal (software) Firewalls Mostly Useless (for outbound traffic)". And that is unpreventable if the user is always logged in as an admin and runs malicious executables (or programs with known security issues, like older versions of browsers). This would be an issue, if a non-admin user could disable the firewall (which I guess is not easy, since the article does not mention that). So there is no real problem with the personal firewall software.

      The firewalls are still very useful in preventing attacks due to OS vulnerabilities (like the Windows RPC issues). Anyway that is the main aim of personal firewalls, and the article does not have anything about the effectiveness of the firewall for inbound traffic.

      If you want a secure outbound firewall the best bet is to use a dedicated gateway machine with the firewall (I use my very old laptop with BSD on it as a gateway).

    2. Re:misleading headline by marrandy · · Score: 5, Insightful

      Talk about stating the obvious...this is the most useless article I have read in a long time.

      1) Web browser and javascript bugs - nothing to do with hardware or software firewalls.

      2) email issues, people going to bad sites etc. - nothing to do with hardware or software firewalls.

      3) People should not run as administrator (or root) - wow, really.

      4) People should stay up-to-date on patches - wow, totally amazingly obvious.

      As you can't control people, they will always do these things. Good software firewalls show up issues after they have made these mistakes, when rogue software tries to get out.

      They also failed (or I missed it) to mention that software firewalls are good when you have multiple computers behind a hardware firewall - basically an infected computer will be blocked from infecting other computers, e.g. via netbios etc.

      Good computer security is a layered concept. From incoming hardware firewalls, IDS, software firewalls on individual computers, user training, security audits etc. I wish people and organizations writing articles would finally learn this. There is no 'magic' one solution.

    3. Re:misleading headline by bytesex · · Score: 4, Insightful

      Software firewalls on the machine itself can do something hardware firewalls can't; they can check to see that the outbound traffic is coming from a trusted application running as an actually logged on user. Without this option, a firewall must assume that all traffic with a destination port 80 or 443 (or 25 or whatever) will be legit, allowing all sorts of malware to pretend to browse while doing their actual nasty stuff. On Windows, a firewall could even check whether the app in question has a window open, which creates an extra check (this visible application is making network connections).

      --
      Religion is what happens when nature strikes and groupthink goes wrong.

    4. Re:misleading headline by Just Some Guy · · Score: 5, Insightful

      Yes, I agree. The title should say "Personal (software) Firewalls Mostly Useless (for outbound traffic)".

      Actually, you forgot to end with ", On Windows". As you probably already know, you can set a BSD system's "securelevel" such that firewall rules, both in kernel and on disk, can't be altered without a reboot. You could hypothetically write a program that patches a BSD machine's boot sequence with one that unprotects the firewall configuration, alters it, changes the backup file so that the user won't get an email notification later on that details the differences, then resumes normal operation - all while hoping that the user or administrator doesn't notice the spontaneous reboot - but there aren't too many of those running around today.

      --
      Dewey, what part of this looks like authorities should be involved?

    5. Re:misleading headline by Pieroxy · · Score: 4, Informative

      I use my very old laptop with BSD on it as a gateway
      For a few bucks, you could buy a small Linksys dedicated box. That box - in addition to doing the job fine - pumps up less power than a laptop will ever do even in their lowest consumption settings. In a few months, the cost of the Linksys box will be recouped on the electric bill. And it is smaller and heats up less.

      My view on the problem at least.

    6. Re:misleading headline by dgatwood · · Score: 4, Interesting

      It also makes dynamic loading and unloading of device drivers impossible, which is why it doesn't make any sense for desktop systems. Security can only be achieved through properly granting permission, not through outright avoiding granting permission. A scheme that is too restrictive will simply get turned off or worked around by the end users, and thus is not particularly useful, and indeed may actually be harmful to security because of developers making security assumptions that are no longer valid in such a situation.

      Want to really improve security? Create multiple separate privilege sets in the kernel instead of a single "root". Make different executables setuid to a user with privilege sets that allow certain operations. Your kernel extension loader has sufficient privileges to load a kernel extension, but still can't write directly to kernel memory or listen on low numbered ports or access raw devices or bypass filesystem permissions. Your software that requires the ability to listen on low numbered ports doesn't get permission to bypass filesystem permissions or load kernel extensions. And so on.

      Don't get me wrong, it's perfectly okay to have a "root" user, but no executable should ever be setuid root in such a scheme, and that root user should only be used for very limited administrative tasks.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  2. Told you so by growse · · Score: 4, Interesting

    Well, that's what happens when you try and introduce a complex topic like network security into the consumer market, and subsequently fail at that task. They (the software manufacturers) fail not only in raising a suitable amount of awareness (if every single computer on the planet was behind a firewall, how many worms/malware would this stop?), but they also fail to do the job properly (not blocking outbound traffic) for those who do install their software.

    --
    There is nothing interesting going on at my blog

  3. "Why home firewall software is a leaky dyke" by Anonymous Coward · · Score: 4, Funny

    As a lesbian, I must protest to this offensive and disparaging comment.

  4. Outbound Traffic? by parasonic · · Score: 5, Insightful

    Yes, they may be ineffective in controlling outbound traffic. However, that's not the real point of a personal firewall.

    Without a personal firewall, users have a huge issue with inbound traffic when it comes to security, especially in the Windows "territories." I'll never forget the day that I left open an unpatched WinXP box after a fresh install. I watched all of the script kiddies and automated worms go at it from my passive OpenBSD monitoring box. That machine was hacked in under ten minutes just because I left it there, open to the Internet. So, useless? No.

  5. If it's in, it's already too late by El Cubano · · Score: 4, Insightful

    Not one of the six firewall programs the magazine tested, regardless of whether commercial or freeware, could prevent all attempts from the test programs at establishing outgoing connections between the PC and the internet.

    First, nothing is perfect. Second, if some nasty program/spyware/adware got in, then it's too late already. The best thing is to prevent them getting in to begin with. Besides, most people don't know the difference between what should and should not be allowed to have access. I do some tech support for friends and family and it really gets annoying after the fifteenth call, "Should I let FooBar21.exe access the Internet?" I finally went with the policy of disabling any sort of outbound filtering in whatever firewall I set up for people I will be "supporting."

  6. Annoyance by damaki · · Score: 4, Interesting

    Personal firewalls do not block outbound connections because it is a pain in the ass to decide what can pass or not. I mean, did you ever try some Windows firewall that allows that? You get hundreds of warnings from obscure services trying to send unknown data to somewhere you do not want to know. Users are clueless about it; they will just check the box that says "shut up and hack my box" if it prevents further messages from appearing.

    --
    Stupidity is the root of all evil.

  7. Simple by The Cisco Kid · · Score: 4, Insightful

    A firewall is a *device* between a device that needs 'protection' (usually a Windows PC), and an Internet connection. Keyword *device*, as in a separate physical piece of equipment. A piece of software running *on* a Windows PC is as vulnerable as the underlying system it runs on. E.g., completely useless. 'Software Firewall' is an oxymoron.

    Not running Windows, but instead running either a proprietary platform or (preferred) something unix-based. The simplest is a simple one-way NAT (outbound connections allowed, inbound connections impossible without a specific, intentional mapping). These of course only protect against active outside attacks, and not against trojan/virus emails or websites visited from the PC. The most effective method of avoiding those is to avoid use of and remove (to the extent possible) all Microsoft email clients and web browsers from the PC.

  8. ZoneAlarm? by CyberZCat · · Score: 5, Informative

    Did they test ZoneAlarm? Because even with my best efforts to circumvent it (for testing), it's still able to block everything. Even as an Admin user, it's not possible to stop the service unless you "officially" exit the program. I've been using it for years, and I haven't once ever had a program that it didn't block (if I chose to block it). Even test software which was specifically meant to try to find holes in personal firewalls. The new version does other handy things too, like keeping an eye on software which tries to monitor your keyboard/mouse (such as keyloggers) and giving you the option to block them from doing that. Very handy.

  9. Purpose of a personal firewall by Anonymous Coward · · Score: 5, Insightful

    The personal or desktop firewall is not supposed to be your first line of defense, it's supposed to be your last line of defense.

    I recommend that people use both a hardware and software firewall, the hardware firewall protects you from the Internet in general. The software firewall protects you from the other computers on your local network.

    But when it comes down to it, a firewall is as strong as its weakest link, which is almost always the end user. Running as admin while browsing, downloading software from untrusted sources - don't blame the firewall for user stupidity.

  10. They just didn't have enough firewall. by Colin Smith · · Score: 4, Funny

    Most of the "secured" computers I've seen have 3, 4 or more firewalls installed and "working". If one firewall isn't stopping outbound connections, go install another one, you'll be twice as secure then.

    --
    Deleted

  11. Re:Question by legoburner · · Score: 4, Informative

    Although they do not provide much benefit, it can sometimes be worth it, especially if you have a wireless network behind your firewall. One rogue worm-ridden computer on your wireless network and bad things can happen to all your machines. Having a software firewall will consume resources and might annoy you from time to time, but will reduce the chance of infection from common worms. You should never presume your internal network is secure unless you can completely verify every last bit that comes in to it.

  12. ZoneAlarm + broadband router = happiness by WidescreenFreak · · Score: 5, Insightful

    Even though I'm behind a firewall, I use ZoneAlarm on all of my PCs so that I can catch what's communicating with the Internet and what's not. So far, it's done superbly well as far as I can tell.

    For example, every time I play a media file in Windows Media Player, it tries to connect to the Internet not once but twice - once when Media Player fires up and once again after it's finished! Excuse me? Exactly what is Media Player trying to figure out? Well, whatever it is, it's none of their damned business. Check "Remember this setting", click "Deny", and done.

    Every time a process tries to act like a server, ZA also notifies me of that as well. It's a bit of a pain when I fire up a game server for the first time and the pop-up balloon interferes with the screen (whoops), but again it just shows that it's at least doing what it's supposed to do.

    ZoneAlarm has its share of issues, but it clearly goes with the attitude of "better safe than sorry". There have been some rare times where the program itself doesn't start, for whatever reason, but its service gets started. On those rare occasions I've noticed that the service, if it can't communicate with the control daemon, or whatever you want to call it, it just blocks all network access. It could have just allowed everything instead and there'd be no way of knowing if it's working or not. Personally, I'd rather have it block all access. Not only does that let me know that there's a problem, but it's certainly keeping the PC's network connection secure.

    Using a hardware firewall for inbound and ZA for outbound connections makes perfect sense as far as I'm concerned. It's not trouble-free, but they've been getting better at its stability over the past several revisions from what I can tell.

    --
    The Overrated mod is for reversing inappropriate, positive mods, not for voicing disagreement with a post.

  13. Re:Which software? by Lambticc · · Score: 5, Informative

    - G Data InternetSecurity 2006
    - F-Secure Internet Security 2006
    - Kaspersky Internet Security 6
    - Trend Micro PC-Cillin 14 Internet Security
    - Symantec Norton Internet Security 2006
    - Zonelabs Zonealarm Internet Security 2006
    - McAfee Internet Security Suite 2006
    - Computer Associates eTrust Internet Security Suite r2
    - Panda Platinum Internet Security 2006
    - Softwin Bitdefender 9 Internet Security

    This is all I could find from the German site PC Professionell ..my German is not so good.

  14. [OT] Re:Link to "printable" version of stories! by Ma�djeurtam · · Score: 4, Interesting

    If slashdot, digg and friends were to link to printable versions, how long would it take for those sites either to remove the print version or to put their ads there?

    --
    Instant Karma's gonna get you, Gonna knock you right on the head (John Lennon, 1970)

  15. A firewall is a *device* by Curmudgeonlyoldbloke · · Score: 4, Insightful

    And where do you insert this "device" between your PC and the wireless router in the coffee shop or hotel room in which you're sitting? Wave it around in mid-air or something?

    Besides that, the most useful purpose of these things isn't against trojans that someone's running because they're an idiot, it's software such as media players insisting on phoning home (for example, the "Microsoft Windows Media Configuration Utility" connection attempt that occurs when WM9 tries to update itself).

  16. Re:Question by SCHecklerX · · Score: 5, Interesting

    Software firewalls 'solve' the same problem as antivirus software. They attempt to disallow stupid users from doing stupid things. For the most part, if people don't install unknown/untrusted software on their PCs, and use safer alternatives for online stuff (gaim, firefox, sylpheed vs. aol's own messenger, MSIE, Outlook) along with practicing safe online computing in general, personal firewalls add the same value as antivirus software. None.

    For a skilled user (which these aren't marketed to anyway), there is value in analyzing what your software is trying to open outbound connections to, if you tell your PFW to alert you. In the hands of a skilled user, this is good information and the PFW is a good tool to analyze what software you may want to ditch or restrict. Again, this isn't the demographic most PFW vendors market to. You can't use a tool like this without a basic knowledge of how TCP/IP works. Then again, maybe that should be required knowledge for any user who connects their computer to the Internet. We need licenses to show we are competent enough to drive cars, and this is the "Information Superhighway" after all.

  17. Better than nothing by embracethenerdwithin · · Score: 4, Insightful

    I never assumed my software firewall was some amazing thing that kept me 100% safe. But I would still never want to surf without one. I don't care if it only protects against some attacks, it's definitely better than none. I would rather be protected from a little than nothing.

    My view has always been that using a combination of things that help is the best idea. Using a router that has a hardware firewall + a software firewall + antivirus + a secure browser (Firefox) is a decent way to keep safe. This won't stop everything, but it's better than surfing around with no protection. Also add not doing stupid things to that equation for maximum protection.

  18. Re:IP Tables by mpapet · · Score: 4, Informative

    Linux has IP Tables which is very good for the job. Is it as good as BSD? I would argue less time consuming if you already run Linux, but it's not the same.

    Notes: I believe for stateful packet inspection, the kernel needs ip_conntrack and a few other things in it. Most distro kernels have this but it's worth double checking. From there, it's learning the IP tables syntax which isn't hard after going through one of the many examples out there. Once you get logging going, check out intrusion prevention systems!

    http://www.google.com/search?hs=3PG&hl=en&lr=&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q=iptables&btnG=Search

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html

  19. BSD firewall tutorial (was Re:misleading headline) by badger.foo · · Score: 5, Informative

    The manuscript at http://www.bgnett.no/~peter/pf/ is for a half day tutorial in setting up OpenBSD's PF firewall (also available on FreeBSD, NetBSD and DragonFlyBSD).

    The response I get (yes, I'm the guy who wrote the tutorial) is that people find it quite useful.

    The fact that it includes a few tips on how to give spammers a hard time helps too I guess.

    --
    -- That grumpy BSD guy - http://bsdly.blogspot.com/
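
As an added example (not code from the tutorial linked above or from badger.foo), here is a minimal pf.conf for the dedicated one-way-NAT gateway that several posts in this thread recommend: LAN hosts may open outbound connections, unsolicited inbound traffic is logged and dropped, and exactly one inbound service is mapped in on purpose. It uses OpenBSD 4.7-and-later syntax (match/nat-to/rdr-to; the 2006-era syntax used separate nat and rdr rules), and the interface names, LAN prefix and forwarded host are assumptions for illustration.

```pf
# Added example, not from the linked tutorial: one-way NAT gateway ruleset.
# Interface names and addresses below are assumed/constructed values.
ext_if  = "em0"               # assumed: interface facing the Internet
int_if  = "em1"               # assumed: interface facing the LAN
lan_net = "192.168.1.0/24"    # constructed private LAN range
ssh_host = "192.168.1.10"     # constructed: the one host reachable from outside

set skip on lo
set block-policy drop         # silently drop rather than send RST/ICMP

# Drop packets whose source address could not legitimately arrive on that interface.
antispoof quick for { $ext_if $int_if }

# Outbound NAT: LAN sources leave with the gateway's external address.
match out on $ext_if from $lan_net to any nat-to ($ext_if)

# Default deny for everything arriving unsolicited; "log" sends it to pflog0,
# so worm and script-kiddie probing shows up in the gateway's logs, not on the PC.
block in log all

# The single intentional inbound mapping: external port 22 to one LAN host.
pass in on $ext_if proto tcp to ($ext_if) port 22 rdr-to $ssh_host

# LAN hosts may initiate anything; replies are matched by the state table,
# so no separate "allow established" rule is needed.
pass in on $int_if from $lan_net to any keep state
pass out on $ext_if keep state
pass out on $int_if keep state   # forwarded/redirected packets toward the LAN
```

Load with `pfctl -f /etc/pf.conf` and watch the dropped probes with `tcpdump -n -e -ttt -i pflog0`; because pf is last-match, the `block in log all` line must stay above the `pass` rules that punch holes in it.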