Page 1 of 2 1 2 LastLast
Results 1 to 15 of 27

Thread: Are personal firewalls snake oil?

  1. #1
    Super MURCer Nowhere's Avatar
    Join Date
    Jun 2002
    Location
    At the edge
    Posts
    5,161

    Default Are personal firewalls snake oil?

    Since finally I'll be back to having my own computer always connected, I'm researching how the field of software which I didn't need for the past 2 years changed. That means also personal firewalls.
    And...I've found some criticism.
    For example on Wikipedia article and links from it:
    http://www.samspade.org/d/firewalls.html
    http://www.securityfocus.com/infocus/1840

    Also:
    http://www.fefe.de/pffaq/
    http://www.iks-jena.de/mitarb/lutz/u...rewall.en.html

    All this seems...pretty reasonable to me. Enough that I'm coming into conclusion that using anything other than firewall that's built in recent Windows versions (rather light and "non-bloated" software) seems much more pointless to me than it did up to this point (not that I didn't prefer Windows firewall already...just assumed that there is, perhaps, some 3rd party good one which I haven't tried)

    PS. That said, this one sounds interesting...seems it's built on good foundations, light, not very bloated, and apparently with no direct commercial succes in mind...

  2. #2

    Default

    Using Core Force here on w2k without problem.
    But it is bloated, eat many memory & can slow down slow computers :/
    A CRAY is the only computer that runs an endless loop in just 4 hours...

  3. #3
    Moderator Dr Mordrid's Avatar
    Join Date
    Apr 2001
    Location
    Westland, MI
    Posts
    25,610

    Default

    Our Linksys has SPI which seems to take care of things, with help from antivirus & malware tools. All but the laptops are wired and the wireless only gets used an hour or two a day. Even then we threw the whole shebang into securing it, right down to turning off the wireless feature once everyone reports they're done with it.
    Dr. Mordrid
    ----------------------------
    An elephant is a mouse built to government specifications.

    I carry a gun because I can't throw a rock 1,250 fps

  4. #4
    Moderator az's Avatar
    Join Date
    Feb 2001
    Location
    Berlin, Germany
    Posts
    10,122

    Default

    I wouldn't say they are snake oil, but they're definitely not perfectly safe.

    BTW: I'm only running the WinXP Firewall and scan for viruses every few months or so. The only problem I've had with this machine yet was with the Sasser worm, and that was back when I didn't update regularly (I now autoupdate). Having a secure browser and mail client and knowing what you're doing (which implies being a little careful) is actually the best protection you can have.

  5. #5
    Super MURCer Greebe's Avatar
    Join Date
    Aug 1999
    Location
    Bradenton, Florida
    Posts
    8,650

    Default

    Anyone can say personal firewalls are snakeoil, that is until they get hacked or do something that is on the fringe like run P2P software. What can be said is that regardless or not if you get messed up a personal firewall is a really good idea if not to block outgoing packets sent but to limit damage caused.

    I have an Actiontec MI 424wr router w/enterprise level firewall built in and still run a software firewall. Outpost 3.51 (4.0 was just released this morning) and NOD32 AV along with Ewido 4.0, Spysweeper, Adaware and Spybot SD.

    Ask Dilitante what happened to his system the otherday when connecting to a site he needed drivers from was compromised. It's like sex, you don't want to be unprotected, you're partner may have had a checkup 3 months ago, but forgot about that one night...

  6. #6
    Administrator Dilitante1's Avatar
    Join Date
    Aug 1999
    Location
    nh,usa
    Posts
    1,917

    Default

    DeluxeCommunication and PSGuard, and after 10+ "specialized" utils and many scans, i STILL have registry entries that cannot be removed.....

  7. #7
    MS Fanboy Gurm's Avatar
    Join Date
    Aug 1999
    Location
    Where can you see lions?
    Posts
    11,713

    Default

    "Software firewalls" are worse than useless.

    They:

    1. Confuse the end user.
    2. Lull the end user into a false sense of security.
    3. Suck up obscene amounts of system resources.
    4. Impede actual work.
    5. Are poorly written. (No exceptions - not even MS's!)
    6. Don't provide any tangible benefit that couldn't be gained some other way - cheaper and more efficiently.

    Let's address these in turn.

    Confusing:
    I lump confusing and annoying together here. I don't WANT you to ask me 100 times if a program that I'm legitimately running should be allowed. I don't even want you to ask me ONCE. And neither does anyone else. There's a VERY small segment of computer users that are savvy enough to know the answers to the endless prompts and yet novice enough to not be annoyed by them. Everyone else gets pissed off and confused. Worse, it's often unclear how to CHANGE your mind! Some examples:

    "IEXPLORE.EXE is trying to access the Internet. This could be a security risk! Are you sure you want to let IEXPLORE.EXE send data to the Internet?"

    Now you or I know this is Internet Explorer, and of COURSE we want it to go through. My mom freaks out and clicks "no". Then calls me and asks why she can't get web pages, and when I figure it out, she asks how to undo it. Which is NOT EASY depending on whose "firewall" you're using.

    It's a proven fact that most people ignore pop-up windows, or just automatically click either "yes" or "no" without really reading them. So the fact that these so-called "firewalls" perpetually ask the end-user to decide what to allow is frustrating at best and harmful at worst.

    False sense of security:
    Every piece of "protection" software that doesn't DO anything useful... is actually harmful because it gives end-users an extra feeling of protection... that doesn't exist! I've seen plenty of end-users that are SHOCKED that their system is completely overrun with viruses and spyware. "We have a corporate firewall! With spyware and virus protection! How did this stuff get through?!?" Maybe it was when you surfed those onling gambling and porn sites... but that's just a hunch!

    Resources:
    The more "protection" a firewall offers, the more of your machines CPU time it needs. Even just blocking ports from inbound communication will suck up a couple % of the CPU and add some lag to your network numbers. Any additional functionality comes at a heavy cost. Traffic analysis, "Internet virus monitoring", etc... a few cpu % apiece. That crap adds up after a while. Antivirus software is heading this way, too. I love NOD32, but you HAVE to turn off "internet monitor (IMON)", or it'll suck the life out of your machine every time you surf the web.

    Impediment:
    I can't COUNT the number of times I've had to forcibly excise a "personal firewall" from someone's machine in order to get some piece of software working. The latest bane to my existence is personal firewalls that screw with VPN. We rely heavily on VPN to monitor customer sites, and virtually ALL personal firewalls - even MS's - don't let VPN traffic through without a big argument. Firewalls need to be updated CONSTANTLY in order to keep on top of the latest network software, but sadly they are not. Even when they are, there's so bloody much software out there that it's impossible to keep on top of all of it.

    Poorly Written:
    They're all poorly written. Every last one. Don't get me started on Norton and McAfee. But even the "best in class" personal firewall software is bad. You're essentially writing an intermediary stack to overlay the TCP/IP stack. It had better be BULLETPROOF, with code so tight that no bugs will ever be found. But... it's not. It's average software. Period. And "average software" has no business monkeying with your TCP/IP.

    No Tangible Benefit:[
    You can still be hacked. The popular software firewalls have their vulnerabilities posted on hacking websites daily. Because they're on your machine, they're vulnerable. They're NOT a real firewall, and nobody should think they are.

    And they cost money! You pay $25, $50, or more for these useless pieces of trash.

    Want to keep your system "safe"? Get a cable router with NAT. You'll never get hacked from external sources.

    Of course now someone will argue that your cable router doesn't protect you from malicious code sending packets OUTBOUND. But you know what? If you're so hopelessly out of touch that you don't know what's installed on your machine sending packets outbound... maybe you ought to be operating in XP limited user mode, hmm? No let instally programs for you! Stop surfing porn and pirate websites, use FireFox instead of IE6, and you're FINE.

    And before you say that NAT isn't safe... I have challenged average users REPEATEDLY to find some vulnerability to NAT, and nobody can. Once you tell me a REAL, PUBLISHED, FEASIBLE vulnerability to NAT (bet you can't), you'll then need to demonstrate that Zone Alarm stops it... which it won't.

    Uninstall that garbage. Your machine will be happier.
    The Internet - where men are men, women are men, and teenage girls are FBI agents!

    I'm the least you could do
    If only life were as easy as you
    I'm the least you could do, oh yeah
    If only life were as easy as you
    I would still get screwed

  8. #8
    MS Fanboy Gurm's Avatar
    Join Date
    Aug 1999
    Location
    Where can you see lions?
    Posts
    11,713

    Default

    Quote Originally Posted by Greebe
    Anyone can say personal firewalls are snakeoil,
    that is until they get hacked
    Can't get hacked if you're behind NAT.

    or do something that is on the fringe like run P2P software.
    I'm trying to figure out what "running P2P software" has to do with getting damaging stuff onto your computer. Unless you mean Kazaa, and unless you're the kind of person that just double-clicks those downloaded .exe's blindly.

    What can be said is that regardless or not if you get messed up a personal firewall is a really good idea if not to block outgoing packets sent but to limit damage caused.
    Bzzt! Thanks for playing, but you're way off base! I have yet to see anyone actually be PROTECTED by a "personal firewall". Seen lots of them screw up, but never seen anyone successfully mitigate a serious attack. When Blaster came out, the software firewalls didn't help now DID they?

    I have an Actiontec MI 424wr router w/enterprise level firewall built in and still run a software firewall.
    Then you're wasting your CPU time. Hey, it's your money.

    Outpost 3.51 (4.0 was just released this morning) and NOD32 AV along with Ewido 4.0, Spysweeper, Adaware and Spybot SD.
    God, I hope you don't leave those all running in the background? I can't even leave Spy Sweeper running in the background anymore, it's just too intrusive. Lags the machine up. NOD32 I tolerate, but even that I can feel the lag a little. *sigh*

    Ask Dilitante what happened to his system the otherday when connecting to a site he needed drivers from was compromised. It's like sex, you don't want to be unprotected, you're partner may have had a checkup 3 months ago, but forgot about that one night...
    Really? Was he using IE, I'm guessing?
    Last edited by Gurm; 29th September 2006 at 09:03.
    The Internet - where men are men, women are men, and teenage girls are FBI agents!

    I'm the least you could do
    If only life were as easy as you
    I'm the least you could do, oh yeah
    If only life were as easy as you
    I would still get screwed

  9. #9
    Moderator az's Avatar
    Join Date
    Feb 2001
    Location
    Berlin, Germany
    Posts
    10,122

    Default

    There is one thing a personal firewall should be good for: Blocking IEXPLORE.EXE. But since a PF runs on your system anyway, it can get disabled by malicious software like any other piece of software can.

    Use a router, use a secure browser and mailer and don't be stupid - the last part is really hard for most people, not because they're stupid but because they don't know enough about computers. But all of us here at MURC should really be able to do it.

  10. #10

    Default

    My own view is that they're fairly useless and just eat up resources.

    As for been hacked behind NAT I'm sure you can if you're careless enougth.

    Most users using P2P do download stuff blindley even "so called experts" get tempted at times. If you don't believe me sit in our University Workshops cleaning Student machines you'll see how dumb most of them are.

    I run Nod32 and Windows firewall being a Dreytek router.

    Spysweeper and Spyware Doctor are my main Anti Spyware programs which I run manually.

    It's very very rare that something sneaks through.

    The best way is too practise safe hex.
    Chief Lemon Buyer no more Linux sucks but not as much
    Weather nut and sad git.

    My Weather Page

  11. #11
    Super MURCer Byock's Avatar
    Join Date
    Jul 2000
    Location
    No idea....
    Posts
    2,741

    Default

    Nat is good, but not fool proof by any means. I much prefer router/gateway firewall to a personal firewall. I run an OpenBSD box as my firewall behind the default linksys one on the DSL router. This way I don't have it slowing down my machine.

    "I dream of a better world where chickens can cross the road without having their motives questioned."

  12. #12
    Super MURCer Greebe's Avatar
    Join Date
    Aug 1999
    Location
    Bradenton, Florida
    Posts
    8,650

    Default

    Now, now, children. Let's play nicely. Greebe, consider yourself warned. No more personal attacks on the public forum. If somone offends you please contact an admin and we will deal with it. -Jammrock
    Last edited by Jammrock; 29th September 2006 at 07:26.
    "Be who you are and say what you feel, because those who mind don't matter, and those who matter don't mind." -- Dr. Seuss

    "Always do good. It will gratify some and astonish the rest." ~Mark Twain

  13. #13

    Default

    Quote Originally Posted by Byock
    Nat is good, but not fool proof by any means. I much prefer router/gateway firewall to a personal firewall. I run an OpenBSD box as my firewall behind the default linksys one on the DSL router. This way I don't have it slowing down my machine.

    Dunno if the linksys has got a firewall but if it does out of interest how much slips through???
    Chief Lemon Buyer no more Linux sucks but not as much
    Weather nut and sad git.

    My Weather Page

  14. #14
    Super MURCer
    Join Date
    Jan 2006
    Location
    Windy City
    Posts
    2,168

    Default

    Quote Originally Posted by Gurm
    ....and unless you're the kind of person that just double-clicks those downloaded .exe's blindly.
    For an average user it's easer then you think.

    By default (I think), the “hide known file extensions” option in Windows is ON. All you have to do is see a file with a name: “anything.jpg.exe”
    And by default the .exe is not visible….. figure out the rest.


    .
    Last edited by ND66; 28th September 2006 at 09:45.
    Diplomacy, it's a way of saying “nice doggie”, until you find a rock!

  15. #15
    Super MURCer Taz's Avatar
    Join Date
    Nov 1999
    Location
    East Malling, Kent, UK
    Posts
    1,417

    Default

    Quote Originally Posted by Gurm
    Can't get hacked if you're behind NAT.
    NAT offers some protection but only some, port forwarding and sticking a PC in the DMZ circumvents it. It also doesn't protect your from connections initiated from your LAN i.e. if your PC has a trojan or similar. Most routers and Windows XP's own firewall also make the assumption that all traffic initiated from the LAN is safe. At least with a software firewall you'd know if something was trying to get out. It's not full proof but it does add another layer of protection
    When you own your own business you only have to work half a day. You can do anything you want with the other twelve hours.

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. Snake oil and Autism
    By TransformX in forum The Lounge
    Replies: 6
    Last Post: 15th July 2010, 13:39
  2. Real deal or Snake Oil?
    By Helevitia in forum The Lounge
    Replies: 8
    Last Post: 12th May 2006, 22:33
  3. Firewalls, firewalls...which ones to use?
    By oceaneer in forum General Hardware/Software
    Replies: 15
    Last Post: 30th November 2004, 08:32
  4. Napster and firewalls, why can't we just get along?
    By uberlad in forum General Hardware/Software
    Replies: 3
    Last Post: 10th December 2000, 16:30
  5. Personnel Firewalls
    By The PIT in forum The Soap Box
    Replies: 12
    Last Post: 3rd May 2000, 13:19

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •