Are personal firewalls snake oil?

[Nowhere]

Since finally I'll be back to having my own computer always connected, I'm researching how the field of software which I didn't need for the past 2 years changed. That means also personal firewalls.
And...I've found some criticism.
For example on Wikipedia article and links from it:
http://www.samspade.org/d/firewalls.html
http://www.securityfocus.com/infocus/1840

Also:
http://www.fefe.de/pffaq/
http://www.iks-jena.de/mitarb/lutz/u...rewall.en.html

All this seems...pretty reasonable to me. Enough that I'm coming into conclusion that using anything other than firewall that's built in recent Windows versions (rather light and "non-bloated" software) seems much more pointless to me than it did up to this point (not that I didn't prefer Windows firewall already...just assumed that there is, perhaps, some 3rd party good one which I haven't tried)

PS. That said, this one sounds interesting...seems it's built on good foundations, light, not very bloated, and apparently with no direct commercial succes in mind...

[Nicram]

Using Core Force here on w2k without problem.
But it is bloated, eat many memory & can slow down slow computers :/

[Dr Mordrid]

Our Linksys has SPI which seems to take care of things, with help from antivirus & malware tools. All but the laptops are wired and the wireless only gets used an hour or two a day. Even then we threw the whole shebang into securing it, right down to turning off the wireless feature once everyone reports they're done with it.

[az]

I wouldn't say they are snake oil, but they're definitely not perfectly safe.

BTW: I'm only running the WinXP Firewall and scan for viruses every few months or so. The only problem I've had with this machine yet was with the Sasser worm, and that was back when I didn't update regularly (I now autoupdate). Having a secure browser and mail client and knowing what you're doing (which implies being a little careful) is actually the best protection you can have.

[Greebe]

Anyone can say personal firewalls are snakeoil, that is until they get hacked or do something that is on the fringe like run P2P software. What can be said is that regardless or not if you get messed up a personal firewall is a really good idea if not to block outgoing packets sent but to limit damage caused.

I have an Actiontec MI 424wr router w/enterprise level firewall built in and still run a software firewall. Outpost 3.51 (4.0 was just released this morning) and NOD32 AV along with Ewido 4.0, Spysweeper, Adaware and Spybot SD.

Ask Dilitante what happened to his system the otherday when connecting to a site he needed drivers from was compromised. It's like sex, you don't want to be unprotected, you're partner may have had a checkup 3 months ago, but forgot about that one night...

[Dilitante1]

DeluxeCommunication and PSGuard, and after 10+ "specialized" utils and many scans, i STILL have registry entries that cannot be removed.....

[Gurm]

"Software firewalls" are worse than useless.

They:

1. Confuse the end user.
2. Lull the end user into a false sense of security.
3. Suck up obscene amounts of system resources.
4. Impede actual work.
5. Are poorly written. (No exceptions - not even MS's!)
6. Don't provide any tangible benefit that couldn't be gained some other way - cheaper and more efficiently.

Let's address these in turn.

Confusing:
I lump confusing and annoying together here. I don't WANT you to ask me 100 times if a program that I'm legitimately running should be allowed. I don't even want you to ask me ONCE. And neither does anyone else. There's a VERY small segment of computer users that are savvy enough to know the answers to the endless prompts and yet novice enough to not be annoyed by them. Everyone else gets pissed off and confused. Worse, it's often unclear how to CHANGE your mind! Some examples:

"IEXPLORE.EXE is trying to access the Internet. This could be a security risk! Are you sure you want to let IEXPLORE.EXE send data to the Internet?"

Now you or I know this is Internet Explorer, and of COURSE we want it to go through. My mom freaks out and clicks "no". Then calls me and asks why she can't get web pages, and when I figure it out, she asks how to undo it. Which is NOT EASY depending on whose "firewall" you're using.

It's a proven fact that most people ignore pop-up windows, or just automatically click either "yes" or "no" without really reading them. So the fact that these so-called "firewalls" perpetually ask the end-user to decide what to allow is frustrating at best and harmful at worst.

False sense of security:
Every piece of "protection" software that doesn't DO anything useful... is actually harmful because it gives end-users an extra feeling of protection... that doesn't exist! I've seen plenty of end-users that are SHOCKED that their system is completely overrun with viruses and spyware. "We have a corporate firewall! With spyware and virus protection! How did this stuff get through?!?" Maybe it was when you surfed those onling gambling and porn sites... but that's just a hunch!

Resources:
The more "protection" a firewall offers, the more of your machines CPU time it needs. Even just blocking ports from inbound communication will suck up a couple % of the CPU and add some lag to your network numbers. Any additional functionality comes at a heavy cost. Traffic analysis, "Internet virus monitoring", etc... a few cpu % apiece. That crap adds up after a while. Antivirus software is heading this way, too. I love NOD32, but you HAVE to turn off "internet monitor (IMON)", or it'll suck the life out of your machine every time you surf the web.

Impediment:
I can't COUNT the number of times I've had to forcibly excise a "personal firewall" from someone's machine in order to get some piece of software working. The latest bane to my existence is personal firewalls that screw with VPN. We rely heavily on VPN to monitor customer sites, and virtually ALL personal firewalls - even MS's - don't let VPN traffic through without a big argument. Firewalls need to be updated CONSTANTLY in order to keep on top of the latest network software, but sadly they are not. Even when they are, there's so bloody much software out there that it's impossible to keep on top of all of it.

Poorly Written:
They're all poorly written. Every last one. Don't get me started on Norton and McAfee. But even the "best in class" personal firewall software is bad. You're essentially writing an intermediary stack to overlay the TCP/IP stack. It had better be BULLETPROOF, with code so tight that no bugs will ever be found. But... it's not. It's average software. Period. And "average software" has no business monkeying with your TCP/IP.

No Tangible Benefit:[
You can still be hacked. The popular software firewalls have their vulnerabilities posted on hacking websites daily. Because they're on your machine, they're vulnerable. They're NOT a real firewall, and nobody should think they are.

And they cost money! You pay $25, $50, or more for these useless pieces of trash.

Want to keep your system "safe"? Get a cable router with NAT. You'll never get hacked from external sources.

Of course now someone will argue that your cable router doesn't protect you from malicious code sending packets OUTBOUND. But you know what? If you're so hopelessly out of touch that you don't know what's installed on your machine sending packets outbound... maybe you ought to be operating in XP limited user mode, hmm? No let instally programs for you! Stop surfing porn and pirate websites, use FireFox instead of IE6, and you're FINE.

And before you say that NAT isn't safe... I have challenged average users REPEATEDLY to find some vulnerability to NAT, and nobody can. Once you tell me a REAL, PUBLISHED, FEASIBLE vulnerability to NAT (bet you can't), you'll then need to demonstrate that Zone Alarm stops it... which it won't.

Uninstall that garbage. Your machine will be happier.

[Gurm]

Anyone can say personal firewalls are snakeoil,

that is until they get hacked

Can't get hacked if you're behind NAT.

or do something that is on the fringe like run P2P software.

I'm trying to figure out what "running P2P software" has to do with getting damaging stuff onto your computer. Unless you mean Kazaa, and unless you're the kind of person that just double-clicks those downloaded .exe's blindly.

What can be said is that regardless or not if you get messed up a personal firewall is a really good idea if not to block outgoing packets sent but to limit damage caused.

Bzzt! Thanks for playing, but you're way off base! I have yet to see anyone actually be PROTECTED by a "personal firewall". Seen lots of them screw up, but never seen anyone successfully mitigate a serious attack. When Blaster came out, the software firewalls didn't help now DID they?

I have an Actiontec MI 424wr router w/enterprise level firewall built in and still run a software firewall.

Then you're wasting your CPU time. Hey, it's your money.

Outpost 3.51 (4.0 was just released this morning) and NOD32 AV along with Ewido 4.0, Spysweeper, Adaware and Spybot SD.

God, I hope you don't leave those all running in the background? I can't even leave Spy Sweeper running in the background anymore, it's just too intrusive. Lags the machine up. NOD32 I tolerate, but even that I can feel the lag a little. *sigh*

Ask Dilitante what happened to his system the otherday when connecting to a site he needed drivers from was compromised. It's like sex, you don't want to be unprotected, you're partner may have had a checkup 3 months ago, but forgot about that one night...

Really? Was he using IE, I'm guessing?

[az]

There is one thing a personal firewall should be good for: Blocking IEXPLORE.EXE. But since a PF runs on your system anyway, it can get disabled by malicious software like any other piece of software can.

Use a router, use a secure browser and mailer and don't be stupid - the last part is really hard for most people, not because they're stupid but because they don't know enough about computers. But all of us here at MURC should really be able to do it.

[The PIT]

My own view is that they're fairly useless and just eat up resources.

As for been hacked behind NAT I'm sure you can if you're careless enougth.

Most users using P2P do download stuff blindley even "so called experts" get tempted at times. If you don't believe me sit in our University Workshops cleaning Student machines you'll see how dumb most of them are.

I run Nod32 and Windows firewall being a Dreytek router.

Spysweeper and Spyware Doctor are my main Anti Spyware programs which I run manually.

It's very very rare that something sneaks through.

The best way is too practise safe hex.

[Byock]

Nat is good, but not fool proof by any means. I much prefer router/gateway firewall to a personal firewall. I run an OpenBSD box as my firewall behind the default linksys one on the DSL router. This way I don't have it slowing down my machine.

[Greebe]

Now, now, children. Let's play nicely. Greebe, consider yourself warned. No more personal attacks on the public forum. If somone offends you please contact an admin and we will deal with it. -Jammrock

[The PIT]

Nat is good, but not fool proof by any means. I much prefer router/gateway firewall to a personal firewall. I run an OpenBSD box as my firewall behind the default linksys one on the DSL router. This way I don't have it slowing down my machine.

Dunno if the linksys has got a firewall but if it does out of interest how much slips through???

[ND66]

....and unless you're the kind of person that just double-clicks those downloaded .exe's blindly.

For an average user it's easer then you think.

By default (I think), the “hide known file extensions” option in Windows is ON. All you have to do is see a file with a name: “anything.jpg.exe”
And by default the .exe is not visible….. figure out the rest.


.

[Taz]

Can't get hacked if you're behind NAT.

NAT offers some protection but only some, port forwarding and sticking a PC in the DMZ circumvents it. It also doesn't protect your from connections initiated from your LAN i.e. if your PC has a trojan or similar. Most routers and Windows XP's own firewall also make the assumption that all traffic initiated from the LAN is safe. At least with a software firewall you'd know if something was trying to get out. It's not full proof but it does add another layer of protection