Personal Firewalls "are snakeoil"

dod · 11-08-2003 4:02pm #1

Interesting Article

http://www.samspade.org/d/firewalls.html

Any thoughts on the point the author is making? Personally I don't know enough about the detail of these things

Sleipnir · 11-08-2003 4:18pm

well it's better to have a dedicated box like one of the Sofaware boxes. It's not usually a great idea to run run your apps etc etc from the same box your firewall is on. If you're natted behind a dedicated firewall, you're pretty safe.

corkie · 11-08-2003 4:55pm

The articale is not very informative, the short curlies of it is.

That 'Software Firewalls' are not as good as 'Hardware Firewalls'.

For general home internet use, a good software firewall like the free zonealarm version, should meet most peoples requirements.

In saying that, this 'software firewall' is only as good as the users understanding of what it actually does. See this link for more info
on securing your home pc: https://grc.com/x/ne.dll?bh0bkyd2

From that link their is intensive and funny FAQ on securing your home PC.

Regards,
J.

drjolt · 12-08-2003 12:59pm

Originally posted by dod
Any thoughts on the point the author is making? Personally I don't know enough about the detail of these things

It's plain wrong in some parts, wildly innacurate in others, and hopelessly confused in the remainder.

jrrt · 13-08-2003 2:37pm

Originally posted by drjolt
It's plain wrong in some parts, wildly innacurate in others, and hopelessly confused in the remainder.

Where?

It makes some good points, Personal Firewalls gained popularity mainly because of the fact they stopped trojans phoning home, by only allowing certain applications to access the 'net, and asking you when a new app tried to access the net. This has been defeated a long time ago and I'd be surprised if Trojans that are released now dont all slip past the firewall. So now all they do is alert you to incoming traffic, if you have no services enabled then incoming traffic shouldnt bother you. Having said that. they ARE good simply for the fact that end users install them and find that a lot easier than disabling the various Windows Services. (But should people pay money for this???)

I dont use one anyway.

drjolt · 13-08-2003 2:44pm

Originally posted by jrrt
Where?

In the article. Sorry if that bit wasn't clear.

This has been defeated a long time ago

No it hasn't. Some personal firewalls have had bugs. All software does, and firewall software is no different. There hasn't been a magic bullet which has defeated firewalls in general, as you seem to suggest.

and I'd be surprised if Trojans that are released now dont all slip past the firewall.

"The" firewall? Is there just one? You seem even more confused than the author of the article in question.

Lemming · 13-08-2003 2:58pm

"You're just a unix bigot ... "

That quote summed up that entire article concisely. I read the opening paragraph and had the guy written off as a total f*cknut prat.

That said, I like *NIX too, but not everyone is an OpenBSD user with 20 boxes and umpteen powerpoints and network connections in their bedroom .....
(not that I'm saying *BSD users have 20 boxes etc,. in their bedrooms but you get the point)

He makes a couple of points, but the rest of the article is just total "I'm on my soap box" crap. His attitude is one of total self-servance. "Don't bother me with your complaints". Crap. If you're an admin, then it's your job to deal with administrating the system. User complaints come part and parcel and if you don't want that, then get out of the f*cking kitchen .....

jrrt · 13-08-2003 3:01pm

There is a VERY EASY GENERIC way to get past any Personal Firewall that only allows certain process's to access the 'net. Obviosuly this is not a magic bullet that defeats all firewalls, thats not what I was suggesting, It does however defeat a large part of all the Personal Firewalls on the market today.

VirtualAllocEx/CreateRemoteThread are your friend ya know.

See http://www.avet.com.pl/pipermail/bugdev/2003-February/002319.html for an example.

Its commong knowledge anyway, plus the fact that if theres malicious code on your machine trying to get on the net it WILL be able to, either by disabling your firewall or by a more elegant solution.

dahamsta · 13-08-2003 4:06pm

Originally posted by drjolt
In the article. Sorry if that bit wasn't clear.

I think what the poster was trying to say was: Are you going to support your assertion, or just assume that we're all going to agree with you on spec?

Originally posted by Lemming
That said, I like *NIX too, but not everyone is an OpenBSD user with 20 boxes and umpteen powerpoints and network connections in their bedroom .....

One box (cheap or free), one powerpoint, one network connection (crossover cable will do).

I don't know enough about personal firewalls to decide whether they're effective or not, but I do know that I tried a couple and they didn't last very long, which is usually a pretty good sign that I think the software is crap, intrusive or hogging my valuable resources.

On the other hand I have an eight year old Dell here that would ordinarily be tossed on a skip or holding a door open, but instead it's sitting there blocking the tossers and drones from getting near my systems and not a peep out of it. I don't even think about it any more, which is usually a pretty good sign that it's working well for me...

adam

Lemming · 13-08-2003 4:19pm

Originally posted by dahamsta

One box (cheap or free), one powerpoint, one network connection (crossover cable will do).

You know what I was pointing at Dahamsta

Not everyone has the luxury of additional machines, cheap or no. And certainly not your average family with a PC and a broadband connection. Should they be denied because some muppet who thinks he's gods gift to computing says "don't bother me with your 'frivilous' complaints"? Also not many people know any other O/S other than windows and yet he's expecting them to suddenly master *NIX and respective firewall tools?

I don't know enough about personal firewalls to decide whether they're effective or not, but I do know that I tried a couple and they didn't last very long, which is usually a pretty good sign that I think the software is crap, intrusive or hogging my valuable resources.

I've not used them either, but the impression I seem to get is either use hardware or don't use a firewall at all. TBH, that's a rather narrow view. He's right in that users need to understand the software they're running, to prevent a false sense of security though. Your average user getting a NAT box still has to learn how to configure it. SO what he's ranting on about is a bit of a red-herring since it all comes down to a single point. Does the end user understand what they're doing? Software or hardware, it wont matter a flying pigs a*se if they don't.

On the other hand I have an eight year old Dell here that would ordinarily be tossed on a skip or holding a door open, but instead it's sitting there blocking the tossers and drones from getting near my systems and not a peep out of it. I don't even think about it any more, which is usually a pretty good sign that it's working well for me...

I have an ancient (p200mx) doing my firewall duties.

dahamsta · 13-08-2003 5:16pm

Originally posted by Lemming
Not everyone has the luxury of additional machines, cheap or no.

Well, I'd say that if it's cheap, or again even free, it's not a luxury. I picked up the Gateway (sorry, it's a Gateway, the Dell is my server) for €200 but it's a relatively new machine (450MHZ/256MB RAM/20GB HDD). I imagine that if someone posted on the Wanted forum looking for something as old as your yoke they'd pick one up for the same or less than BlackICE or similar.

I take your point about setting it up though, it's not trivial -- I got someone to set mine up for me in fact, because I don't know much about OpenBSD and pf. But we all know someone that could do that, right? If not, they're hanging around with the wrong people.

adam

drjolt · 14-08-2003 10:25am

Originally posted by dahamsta
I think what the poster was trying to say was: Are you going to support your assertion, or just assume that we're all going to agree with you on spec?

You're going to have to do your own homework.

dahamsta · 14-08-2003 11:08am

Originally posted by drjolt
You're going to have to do your own homework.

Nah, I'll just file your comment under "unsupported" and ignore it.

Sleipnir · 14-08-2003 11:16am

many of the personal firewalls had this problem;
HTTP traffic, regardless of what is in the data itself, it allowed back through the firewall as long as a request for it has been made by the client.
In the data is a virus, often a trojan. Trojan executes on the client and attempts to shut down the firewall BEFORE trying to go out on whatever port. When the FW is shutdown, the trojan can then do whatever the hell it wants.
You don't get this with a hardware appliance.
Also, with people buying a cheap system and then loading a personal firewall appliance, you still have to install SP's, patches etc. If you have Win2k on that machine, and win2k on your client behind it, it still suffers from all the security holes of that OS!
If you have a hardware box that does not run a windows OS, there are none of these holes to worry about.
Plus, sombody mentioned 200 euro to buy an additional machine, why not just buy a small hardware firewall for the same price?

Lemming · 14-08-2003 11:41am

Originally posted by Kananga

You don't get this with a hardware appliance.

And this hardware appliance comes magically configured to YOUR needs?

Moot point. The whole arguement the guy in the article makes is a red-herring. At the end of the day a user still needs to know how to configure their software/hardware to do exactly what they want.

_Most_ people (and that's not you or me or anyone who has a notion about networking) will be more comfortable dealing with "their" machine rather than fumbling around with extra bits n'pieces and cables n'stuff and then screaming when they can't get anything working.

And besides, which sounds better? A half-way configured software firewall or a 200 euro default-install hardware firewall (which is part of a network hub or a DSL-router)?

dahamsta · 14-08-2003 12:13pm

Looks like we've found a market Lemming. You organise the boxes and I'll talk to my OpenBSD guy.

adam

Sleipnir · 15-08-2003 9:36am

that may be so but I install these things pretty regularly and they are a piece of cake to set up; stupid-proof web-based interface with a wizard. Up and running in less than 5.
The cabling is easier than a stereo's. One cable from DSL router to external interface on box, one cable to to each computer on the internal side. Set up the External IP (which can be DHCP), internal is DHCP. That's it.
Most people I meet don't want to have to do anything with their firewall and with these you really don't need to. With something like ZoneAlarm or one of those, you have all the
"an application is trying to get out on the net....." crap, plus (if you were on a small corporate network) users can just shut them down, or uninstall them!
Better to have a firewall at the gateway rather than at each node, dunno how NAT would work for a firewall on the same node either (do zonealarm type firewalls NAT?)
A "halfway configured" firewall might as not be there.

dahamsta · 16-08-2003 5:11pm

I'm guessing you're talking about an appliance Kananga, which is obviously easy to configure because they're built precisely for that task. However they're gonna cost you a couple/few hundred euros, whereas the Linux or BSD on an old x86 box route should cost €0-100 max. The problem is the expertise required to set up the x86 box. That being said, I think a reasonably clueful user could set up an OpenBSD box in a half-hour with a decent HOWTO. Dunno if there's one out there though.

adam

Sleipnir · 18-08-2003 10:16am

you're dead right Dahmasta, and that would probably be a better firewall for people who have an idea of what they're doing.
I'm just saying that, for most clueless people, who just use their computer for email, games and word processing, a box they can just plug into & forget about would be better for them, you can get them for about €200.
If I was an installer who set this up for offices around Dublin say, I would much rather get my 300 euro to install this box for the e.g. home user and forget about it, rather than get €200 and spend half a day setting up a linux box, and then have them ringing me constantly when they screw it up.
It would be interesting to see one setup on BSD though, I would like to see that.

Personal Firewalls "are snakeoil"

Comments