Are personal firewalls snake oil?



Nowhere
27th September 2006, 17:50
Since finally I'll be back to having my own computer always connected, I'm researching how the field of software which I didn't need for the past 2 years changed. That means also personal firewalls.
And...I've found some criticism.
For example on Wikipedia article (http://en.wikipedia.org/wiki/Personal_firewall) and links from it:
http://www.samspade.org/d/firewalls.html
http://www.securityfocus.com/infocus/1840

Also:
http://www.fefe.de/pffaq/
http://www.iks-jena.de/mitarb/lutz/usenet/Firewall.en.html

All this seems...pretty reasonable to me. Enough that I'm coming to the conclusion that using anything other than the firewall that's built into recent Windows versions (rather light and "non-bloated" software) seems much more pointless to me than it did up to this point (not that I didn't prefer Windows firewall already...just assumed that there is, perhaps, some good 3rd party one which I haven't tried)

PS. That said, this one (http://en.wikipedia.org/wiki/Core_force) sounds interesting...seems it's built on good foundations, light, not very bloated, and apparently with no direct commercial success in mind...

Nicram
27th September 2006, 18:27
Using Core Force here on w2k without problem.
But it is bloated, eats a lot of memory & can slow down slow computers :/

Dr Mordrid
28th September 2006, 01:33
Our Linksys has SPI which seems to take care of things, with help from antivirus & malware tools. All but the laptops are wired and the wireless only gets used an hour or two a day. Even then we threw the whole shebang into securing it, right down to turning off the wireless feature once everyone reports they're done with it.

az
28th September 2006, 01:51
I wouldn't say they are snake oil, but they're definitely not perfectly safe.

BTW: I'm only running the WinXP Firewall and scan for viruses every few months or so. The only problem I've had with this machine yet was with the Sasser worm, and that was back when I didn't update regularly (I now autoupdate). Having a secure browser and mail client and knowing what you're doing (which implies being a little careful) is actually the best protection you can have.

Greebe
28th September 2006, 05:58
Anyone can say personal firewalls are snake oil, that is until they get hacked or do something that is on the fringe like run P2P software. What can be said is that regardless of whether you get messed up, a personal firewall is a really good idea, if not to block outgoing packets then to limit the damage caused.

I have an Actiontec MI 424wr router w/enterprise level firewall built in and still run a software firewall. Outpost 3.51 (4.0 was just released this morning) and NOD32 AV along with Ewido 4.0, Spysweeper, Adaware and Spybot SD.

Ask Dilitante what happened to his system the other day when a site he needed drivers from was compromised. It's like sex, you don't want to be unprotected, your partner may have had a checkup 3 months ago, but forgot about that one night...

Dilitante1
28th September 2006, 06:54
DeluxeCommunication and PSGuard, and after 10+ "specialized" utils and many scans, I STILL have registry entries that cannot be removed..... :mad:

Gurm
28th September 2006, 07:54
"Software firewalls" are worse than useless.

They:

1. Confuse the end user.
2. Lull the end user into a false sense of security.
3. Suck up obscene amounts of system resources.
4. Impede actual work.
5. Are poorly written. (No exceptions - not even MS's!)
6. Don't provide any tangible benefit that couldn't be gained some other way - cheaper and more efficiently.

Let's address these in turn.

Confusing:
I lump confusing and annoying together here. I don't WANT you to ask me 100 times if a program that I'm legitimately running should be allowed. I don't even want you to ask me ONCE. And neither does anyone else. There's a VERY small segment of computer users that are savvy enough to know the answers to the endless prompts and yet novice enough to not be annoyed by them. Everyone else gets pissed off and confused. Worse, it's often unclear how to CHANGE your mind! Some examples:

"IEXPLORE.EXE is trying to access the Internet. This could be a security risk! Are you sure you want to let IEXPLORE.EXE send data to the Internet?"

Now you or I know this is Internet Explorer, and of COURSE we want it to go through. My mom freaks out and clicks "no". Then calls me and asks why she can't get web pages, and when I figure it out, she asks how to undo it. Which is NOT EASY depending on whose "firewall" you're using.

It's a proven fact that most people ignore pop-up windows, or just automatically click either "yes" or "no" without really reading them. So the fact that these so-called "firewalls" perpetually ask the end-user to decide what to allow is frustrating at best and harmful at worst.

False sense of security:
Every piece of "protection" software that doesn't DO anything useful... is actually harmful because it gives end-users an extra feeling of protection... that doesn't exist! I've seen plenty of end-users that are SHOCKED that their system is completely overrun with viruses and spyware. "We have a corporate firewall! With spyware and virus protection! How did this stuff get through?!?" Maybe it was when you surfed those online gambling and porn sites... but that's just a hunch!

Resources:
The more "protection" a firewall offers, the more of your machine's CPU time it needs. Even just blocking ports from inbound communication will suck up a couple % of the CPU and add some lag to your network numbers. Any additional functionality comes at a heavy cost. Traffic analysis, "Internet virus monitoring", etc... a few CPU % apiece. That crap adds up after a while. Antivirus software is heading this way, too. I love NOD32, but you HAVE to turn off "internet monitor (IMON)", or it'll suck the life out of your machine every time you surf the web.

Impediment:
I can't COUNT the number of times I've had to forcibly excise a "personal firewall" from someone's machine in order to get some piece of software working. The latest bane to my existence is personal firewalls that screw with VPN. We rely heavily on VPN to monitor customer sites, and virtually ALL personal firewalls - even MS's - don't let VPN traffic through without a big argument. Firewalls need to be updated CONSTANTLY in order to keep on top of the latest network software, but sadly they are not. Even when they are, there's so bloody much software out there that it's impossible to keep on top of all of it.

Poorly Written:
They're all poorly written. Every last one. Don't get me started on Norton and McAfee. But even the "best in class" personal firewall software is bad. You're essentially writing an intermediary stack to overlay the TCP/IP stack. It had better be BULLETPROOF, with code so tight that no bugs will ever be found. But... it's not. It's average software. Period. And "average software" has no business monkeying with your TCP/IP.

No Tangible Benefit:
You can still be hacked. The popular software firewalls have their vulnerabilities posted on hacking websites daily. Because they're on your machine, they're vulnerable. They're NOT a real firewall, and nobody should think they are.

And they cost money! You pay $25, $50, or more for these useless pieces of trash.

Want to keep your system "safe"? Get a cable router with NAT. You'll never get hacked from external sources.

Of course now someone will argue that your cable router doesn't protect you from malicious code sending packets OUTBOUND. But you know what? If you're so hopelessly out of touch that you don't know what's installed on your machine sending packets outbound... maybe you ought to be operating in XP limited user mode, hmm? No let instally programs for you! Stop surfing porn and pirate websites, use Firefox instead of IE6, and you're FINE.

And before you say that NAT isn't safe... I have challenged average users REPEATEDLY to find some vulnerability to NAT, and nobody can. Once you tell me a REAL, PUBLISHED, FEASIBLE vulnerability to NAT (bet you can't), you'll then need to demonstrate that Zone Alarm stops it... which it won't.

Uninstall that garbage. Your machine will be happier.

Gurm
28th September 2006, 08:00
Anyone can say personal firewalls are snake oil,


that is until they get hacked

Can't get hacked if you're behind NAT.


or do something that is on the fringe like run P2P software.

I'm trying to figure out what "running P2P software" has to do with getting damaging stuff onto your computer. Unless you mean Kazaa, and unless you're the kind of person that just double-clicks those downloaded .exe's blindly.


What can be said is that regardless of whether you get messed up, a personal firewall is a really good idea, if not to block outgoing packets then to limit the damage caused.

Bzzt! Thanks for playing, but you're way off base! I have yet to see anyone actually be PROTECTED by a "personal firewall". Seen lots of them screw up, but never seen anyone successfully mitigate a serious attack. When Blaster came out, the software firewalls didn't help now DID they?


I have an Actiontec MI 424wr router w/enterprise level firewall built in and still run a software firewall.

Then you're wasting your CPU time. Hey, it's your money.


Outpost 3.51 (4.0 was just released this morning) and NOD32 AV along with Ewido 4.0, Spysweeper, Adaware and Spybot SD.

God, I hope you don't leave those all running in the background? I can't even leave Spy Sweeper running in the background anymore, it's just too intrusive. Lags the machine up. NOD32 I tolerate, but even that I can feel the lag a little. *sigh*


Ask Dilitante what happened to his system the other day when a site he needed drivers from was compromised. It's like sex, you don't want to be unprotected, your partner may have had a checkup 3 months ago, but forgot about that one night...

Really? Was he using IE, I'm guessing?

az
28th September 2006, 09:17
There is one thing a personal firewall should be good for: Blocking IEXPLORE.EXE. But since a PF runs on your system anyway, it can get disabled by malicious software like any other piece of software can.

Use a router, use a secure browser and mailer and don't be stupid - the last part is really hard for most people, not because they're stupid but because they don't know enough about computers. But all of us here at MURC should really be able to do it.

The PIT
28th September 2006, 09:42
My own view is that they're fairly useless and just eat up resources.

As for being hacked behind NAT, I'm sure you can if you're careless enough.

Most users using P2P do download stuff blindly; even "so called experts" get tempted at times. If you don't believe me, sit in our University Workshops cleaning student machines and you'll see how dumb most of them are.

I run Nod32 and Windows firewall behind a DrayTek router.

Spysweeper and Spyware Doctor are my main Anti Spyware programs which I run manually.

It's very very rare that something sneaks through.

The best way is to practise safe hex.

Byock
28th September 2006, 09:49
NAT is good, but not foolproof by any means. I much prefer a router/gateway firewall to a personal firewall. I run an OpenBSD box as my firewall behind the default Linksys one on the DSL router. This way I don't have it slowing down my machine.

:)

Greebe
28th September 2006, 10:21
Now, now, children. Let's play nicely. Greebe, consider yourself warned. No more personal attacks on the public forum. If someone offends you please contact an admin and we will deal with it. -Jammrock

The PIT
28th September 2006, 10:41
NAT is good, but not foolproof by any means. I much prefer a router/gateway firewall to a personal firewall. I run an OpenBSD box as my firewall behind the default Linksys one on the DSL router. This way I don't have it slowing down my machine.

:)

Dunno if the Linksys has got a firewall, but if it does, out of interest how much slips through???

ND66
28th September 2006, 10:41
....and unless you're the kind of person that just double-clicks those downloaded .exe's blindly.



For an average user it's easier than you think.

By default (I think), the "hide known file extensions" option in Windows is ON. All you have to do is see a file with a name: "anything.jpg.exe"
And by default the .exe is not visible... figure out the rest.



Taz
28th September 2006, 13:02
Can't get hacked if you're behind NAT.

NAT offers some protection but only some; port forwarding and sticking a PC in the DMZ circumvent it. It also doesn't protect you from connections initiated from your LAN, i.e. if your PC has a trojan or similar. Most routers and Windows XP's own firewall also make the assumption that all traffic initiated from the LAN is safe. At least with a software firewall you'd know if something was trying to get out. It's not foolproof but it does add another layer of protection :)
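The trade-off described in this post, as an added example that is not part of the thread: a toy stateful NAT model in Python with optional port-forward and DMZ rules, placed next to a per-application outbound rule of the kind a host firewall applies. All addresses, ports and program names are constructed sample values, and the classes are a simplification, not any router's real code.

```python
from dataclasses import dataclass, field
from typing import Optional
@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class NatRouter:
    """Toy stateful NAT like the consumer routers in the thread (model, not real code)."""
    wan_ip: str
    port_forwards: dict = field(default_factory=dict)  # wan_port -> (lan_ip, lan_port)
    dmz_host: Optional[str] = None
    _table: dict = field(default_factory=dict)         # wan_port -> (lan_ip, lan_port, remote_ip)
    _next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        # Every LAN-initiated packet gets a mapping; NAT never asks which program sent it.
        wan_port, self._next_port = self._next_port, self._next_port + 1
        self._table[wan_port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip)
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: the translated packet, or None when the router drops it."""
        entry = self._table.get(pkt.dst_port)
        if entry and entry[2] == pkt.src_ip:       # reply to a flow the LAN opened
            return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])
        if pkt.dst_port in self.port_forwards:      # port forward: a deliberate hole
            lan_ip, lan_port = self.port_forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        if self.dmz_host:                           # DMZ host receives everything unsolicited
            return Packet(pkt.src_ip, pkt.src_port, self.dmz_host, pkt.dst_port)
        return None                                 # unsolicited, no rule: dropped

def host_outbound_allowed(app: str, allowed_apps: set) -> bool:
    """Per-application outbound rule, the one job the thread credits a personal firewall with."""
    return app in allowed_apps
def demo() -> dict:
    """Constructed scenario: LAN PC 192.168.1.10, router WAN 198.51.100.7, outsider 203.0.113.5."""
    wan, pc, outsider = "198.51.100.7", "192.168.1.10", "203.0.113.5"
    probe = Packet(outsider, 5555, wan, 445)                  # unsolicited SMB probe
    plain = NatRouter(wan_ip=wan)
    r = {"unsolicited_probe": plain.inbound(probe) is not None}
    out = plain.outbound(Packet(pc, 50000, "198.51.100.20", 80))   # PC browses a web site
    r["reply_to_own_flow"] = plain.inbound(Packet("198.51.100.20", 80, wan, out.src_port)) is not None
    r["probe_with_port_forward"] = NatRouter(wan, port_forwards={445: (pc, 445)}).inbound(probe) is not None
    r["probe_with_dmz"] = NatRouter(wan, dmz_host=pc).inbound(probe) is not None
    # A trojan phoning home is just another LAN-initiated flow to the NAT...
    r["trojan_passes_nat"] = plain.outbound(Packet(pc, 50001, outsider, 6667)) is not None
    # ...but a per-application outbound rule on the host can refuse it.
    r["trojan_passes_host_rule"] = host_outbound_allowed("trojan.exe", {"firefox.exe", "thunderbird.exe"})
    return r
```

Each key in the dict returned by demo() is True when the packet gets through, so the plain NAT drops the unsolicited probe but passes it once a port forward or DMZ host exists, and passes the phone-home flow that only the host rule refuses.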

Gurm
28th September 2006, 18:18
NAT is good, but not foolproof by any means. I much prefer a router/gateway firewall to a personal firewall. I run an OpenBSD box as my firewall behind the default Linksys one on the DSL router. This way I don't have it slowing down my machine.

:)
Better yet - NAT and a hardware firewall TOGETHER!

(Says me, while running a Symantec firewall until such time as I can scrounge up a Sonicwall...)

Gurm
28th September 2006, 18:20
NAT offers some protection but only some; port forwarding and sticking a PC in the DMZ circumvent it. It also doesn't protect you from connections initiated from your LAN, i.e. if your PC has a trojan or similar. Most routers and Windows XP's own firewall also make the assumption that all traffic initiated from the LAN is safe. At least with a software firewall you'd know if something was trying to get out. It's not foolproof but it does add another layer of protection :)
Sure, but at what cost? You're duplicating work. You have an anti-virus program to make sure you don't get a Trojan... so why inconvenience yourself and burden your CPU further?

Define "only some" protection? Only open the ports you're using. *shrug*

Gurm
28th September 2006, 18:21
Now, now, children. Let's play nicely. Gurm, consider yourself warned. No more personal attacks on the public forum. If someone offends you please contact an admin and we will deal with it. -Jammrock

Gurm
28th September 2006, 18:23
My own view is that they're fairly useless and just eat up resources.

Thank you.


As for being hacked behind NAT, I'm sure you can if you're careless enough.

Absolutely. Most people behind NAT just open port after port after port. People pick on UPnP, but honestly I love having a firewall that goes "oh yes Mr. Bitcomet, I can open that listening port for you no problem" and "oh, you're closing? Ok, I'll close that port now thanks!"


Most users using P2P do download stuff blindly; even "so called experts" get tempted at times. If you don't believe me, sit in our University Workshops cleaning student machines and you'll see how dumb most of them are.

No doubt. But we're talking about MURC caliber people here, right? For MURCers there's no point to running something that sucks that much life out of your system in order to protect you from yourself...

Wombat
29th September 2006, 00:37
Software firewalls are pretty useless. IMO, they're only good for one thing: Telling you when something is trying to phone home (like WGA, or Sony's crap, or whatever). Otherwise, they're not going to help you. Shut down unnecessary services, don't use IE (using IE is like sharing needles. Eventually, you're going to catch something), don't use Outlook unless it's very controlled, and use a real firewall to block any vulnerable ports. NAT helps, AV software helps, software firewalls don't.

az
29th September 2006, 02:37
If using IE is like sharing needles, is using a secure browser being addicted to heroin, but having clean equipment?

Gurm
29th September 2006, 10:03
If using IE is like sharing needles, is using a secure browser being addicted to heroin, but having clean equipment?
Methadone.

az
29th September 2006, 11:21
No, that'd be using the 'net with a porn filter.

Taz
29th September 2006, 11:37
No doubt. But we're talking about MURC caliber people here, right? For MURCers there's no point to running something that sucks that much life out of your system in order to protect you from yourself...

In which case none of us here need to use anti-virus programs either as we're not going to open attachments on strange emails, download dubious programs or visit dodgy websites :p

az
29th September 2006, 12:46
That's actually correct. If you stick your stick in somebody else's port though, you should use virus protection. You never know where they surf or if their last virus scan is still accurate.

Helevitia
29th September 2006, 13:44
Folks, nobody is truly secure. You can minimize problems by keeping everything up to date but there will always be a new way to circumvent a PC/network/router/switch/whatever...

There are new features out on the router/switch side (enterprise, ISP level) that will allow you to stop almost anything including zero day attacks. NBAR (Network Based Application Recognition) and FPM (Flexible Packet Matching) are two features that will help stop these kinds of problems at the ISP level and prevent the nastiest of problems coming to your PC. These features will help keep things to a minimum. I'm not sure these features will ever reach an end-user switch/router but I'm sure a simpler version may come into play.

FPM: http://www.cisco.com/en/US/products/ps6723/products_ios_protocol_group_home.html

NBAR: http://www.cisco.com/en/US/products/ps6616/products_ios_protocol_group_home.html

Nowhere
21st April 2007, 14:05
Small follow-up/how it went:
For half a year I've been online, behind NAT in a huge Uni network. Initially I used the firewall integrated with Windows. However, during a short experiment I noticed BT was faster without it, so I decided to try...for a few months I haven't had any firewall. And Windows is completely clean (yes, nevermind that it doesn't act suspiciously, I check it from time to time). So probably NAT is enough... (anyway, in this network of perhaps a few hundred machines, quite a lot are infected/unpatched) ...at least when it comes to fully patched Windows 2003.