Personal Firewalls Mostly Useless, Says Mail & Guardian
hweimer writes "More and more security researchers come to the conclusion that personal firewalls are ineffective in controlling outbound traffic. An article in the Mail & Guardian online mentions a test that 'showed that the software often causes more problems than it solves. Not one of the six firewall programs the magazine tested, regardless of whether commercial or freeware, could prevent all attempts from the test programs at establishing outgoing connections between the PC and the internet.' Simple PoCs are available, too."
misleading headline (Score:5, Informative)
The article's about personal software firewalls, not personal hardware firewalls. Furthermore, the fact that personal software firewalls are useless and buggy is not really a new discovery. [google.com]
Re:Outbound Traffic? (Score:2, Informative)
You could have put that OpenBSD box inline as a firewall (pf is cool) and still done monitoring. Then your XP box would have been safe.
ZoneAlarm? (Score:5, Informative)
Little Snitch (Score:2, Informative)
But I would swear by a nifty little app (for mac), Little Snitch [obdev.at] which does seem to block both outgoing and incoming traffic perfectly.
Re:Blocking outbound connections silly (Score:2, Informative)
Blocking outbound traffic has been very useful for spanking people who think running Kazaa/eMule/BitTorrent/etc. at work is a good idea. Or for blocking access to outgoing SMTP so users have to use the corporate mail box, etc.
Little Snitch for Mac OS X (Score:4, Informative)
Bad article, no donut (Score:4, Informative)
The article expounds on the dangers of Javascript, but fails to mention ActiveX. I suspect the author had heard about "scripting" being a security hole and assumed incorrectly that the other person was talking about Javascript. JS is inconsequential compared to ActiveX when it comes to actual risk.
Additionally, when it claims that AV software essentially supersedes any firewall in terms of protection, it fails to consider the security nightmares in Windows. Specifically, through the trust relationships, you can modify registry settings and execute code on computers without your viral code ever touching the disk on the machine by doing it remotely from another computer. Because memory scanning is essentially ineffective, modern AV programs cannot effectively protect against this, which is why most security companies suggest combining AV with a Firewall. Plus, there are regular buffer overflow exploits that have the same effect: Code running without touching the disk. Where do they come from? Over the wire. Code Red and Nimda are good examples of attacks that were stopped by even the most basic firewalls. Safe browsing had no effect whatsoever on whether a user was infected.
Finally, the article fails to take into consideration the thought that goes into the automatic rule creation most firewalls come with now. Developers understand that users demand convenience and security, and work to find a good match of both. To this effect, most modern desktop firewalls will use signature based rules (so that a malicious program has to do more than just be named after a trusted program) to create a basic rule that allows that program outbound access. The ports are not being just "left open" willy nilly, they are connected to known programs and watched. Some firewall programs even watch for threadjacking malware that would inject itself directly into trusted programs, which gives even more protection.
The author of the article should reevaluate his or her knowledge of internet security. It is likely that the increasing ease of use has been interpreted as a drop in protection, but this is not the case. A secure system is one that uses a heterogeneous mix of disk and network protection.
Which Six? (Score:4, Informative)
Re:If it's in it's already too late (Score:4, Informative)
Sure it takes more time, but the only real reason I even use a firewall is to keep winamp and media player from phoning home.
No kidding... I've found them useless in practice (Score:4, Informative)
The problem is that this trains users to ignore the prompts and habitually click "allow" or "deny" (usually because they find out the hard way that stuff breaks when they click "deny"). The result is far worse than if there were no attempts to control outbound access, because most of these firewalls (Zonealarm in particular) use similar techniques for *inbound* traffic too... they will prompt the user when a program opens a listening port, and if they hit "allow" will enable global inbound traffic to that port, creating a hole that otherwise wouldn't have been there.
This happens regularly in practice; I've seen it over and over again with my small business consulting clients. Although technically an outbound software firewall with program control could be a good last-ditch effort to block malware that has managed to get installed and running, on a practical basis they cause more problems than they solve.
-R
Re:Question (Score:5, Informative)
Virtual firewalls on virtual machines (Score:2, Informative)
Software Tested & Results???? (Score:1, Informative)
Now I was one of the original beta testers for Zone Alarm and while it isn't perfect by any means, it's still about the only useful one I've seen, and I continue using it today and recommending it as being fairly effective at what it does. It's at least better than the joke MS includes called Windows Firewall, which doesn't even have any outbound control unlike ZoneAlarm, which is what I mainly use it for. And no, I'm not a Windows user, as I'm currently running KDE-3.5.2 on Gentoo with 2.6.17 vanilla-series kernel (default tree); instead it's to ease the load I have in supporting the other computers in the household that still run Windows as yet.
Re:Which software? (Score:5, Informative)
_Kaspersky Internet Security 6
_Trend Micro PC-Cillin 14 Internet Security
_Symantec Norton Internet Security 2006
_Zonelabs Zonealarm Internet Security 2006
_McAfee Internet Security Suite 2006
_Computer Associates eTrust Internet Security Suite r2
_Panda Platinum Internet Security 2006
_Softwin Bitdefender 9 Internet Security
This is all I could find from the German site PC Progressionell.
Winpooch (Score:4, Informative)
It's not gonna save me from a worm itself, but it will tell me when I have a worm or rootkit making outbound connections.
And it allows me to use ClamWin to do on access scanning, tells me whenever an application tries to change the registry or system files, and provides a simple method to determine most of the potentially damaging processes running on my machine.
Best of all it's opensource.
Re:misleading headline (Score:5, Informative)
For a few bucks, you could buy a small Linksys dedicated box. That box - in addition to doing the job fine - pumps up less power than a laptop will ever do even in its lowest consumption settings. In a few months, the cost of the Linksys box will be recouped on the electric bill. And it is smaller and heats up less.
My view on the problem at least.
Re:misleading headline (Score:2, Informative)
Re:IP Tables (Score:4, Informative)
Notes: I believe for stateful packet inspection, the kernel needs ip_conntrack and a few other things in it. Most distro kernels have this but it's worth double checking. From there, it's learning the IP tables syntax which isn't hard after going through one of the many examples out there. Once you get logging going, check out intrusion prevention systems!
http://www.google.com/search?hs=3PG&hl=en&lr=&cli
BSD firewall tutorial (was Re:misleading headline) (Score:5, Informative)
The response I get (yes, I'm the guy who wrote the tutorial) is that people find it quite useful.
The fact that it includes a few tips on how to give spammers a hard time helps too I guess.
Re:Little Snitch (Score:2, Informative)
Re:misleading headline (Score:4, Informative)
I'll offer a suggestion. Install FreeBSD on any old computer with two NICs. You'll find the installation as easy as any Linux system, the routine maintenance probably easier, and the documentation [freebsd.org] far superior.
Sit down to read the pf FAQ [openbsd.org] on OpenBSD's site. It's well written and comprehensive so read from the first page to the last page. Make some coffee and then read it again.
# cd
# echo 'pf_enable="YES"' >>
# echo 'pf_rules="/etc/pf.conf"' >> etc/rc.conf
Edit
You'll find pf far less verbose than iptables, ipfw, etc., and easier to learn and to use for that reason among others. There's also lots of additional tools available for pf that will help as well.
$ cd
Google for all the rest.
A final comment. Using this approach gives you a secure firewall with all the unixy goodness you'd expect, not to mention logging, SSH, NTP synchronisation, etc. that you may want to use as well. And earning the right to sneer at everyone using those plastic Linksys NAT boxes doesn't hurt.
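As an added illustration of the two-NIC FreeBSD gateway described in the post above (this is example configuration written for this page, not the poster's tutorial or anything from the FreeBSD or OpenBSD projects), here is a minimal /etc/pf.conf that does on the gateway what the thread says host firewalls fail at: it NATs the LAN out, drops and logs everything by default, and only passes a named set of outbound services statefully. The interface names em0/em1, the LAN prefix 192.168.1.0/24 and the allowed service list are assumptions; change them to match your hardware and policy.

```pf
# /etc/pf.conf - constructed example for a two-NIC FreeBSD gateway (not from the original post)
# Assumed: em0 faces the ISP, em1 faces the LAN, LAN prefix 192.168.1.0/24.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"

# Outbound services the LAN may use directly. Anything else from the LAN
# (peer-to-peer clients, direct-to-MX SMTP, "phone home" traffic on odd ports)
# falls through to the default block rule and shows up in the pflog.
allowed_tcp = "{ ssh, http, https, imaps, submission }"
allowed_udp = "{ domain, ntp }"

# Options: leave loopback alone, drop silently rather than RST, count on the WAN side
set skip on lo0
set block-policy drop
set loginterface $ext_if

# Normalise fragments before state tracking sees them
scrub in all

# Translation: masquerade LAN sources behind the current address of the WAN interface
nat on $ext_if from $lan_net to any -> ($ext_if)

# Filter section. Default deny in both directions, logged to pflog0.
block log all

# Drop packets whose source address could not legitimately arrive on that interface
antispoof quick for { lo0 $int_if $ext_if }

# From the LAN: only the allowed services, with state so replies are matched automatically
pass in on $int_if inet proto tcp  from $lan_net to any port $allowed_tcp keep state
pass in on $int_if inet proto udp  from $lan_net to any port $allowed_udp keep state
pass in on $int_if inet proto icmp from $lan_net to any icmp-type echoreq keep state

# Let forwarded (already matched above) and the gateway's own traffic leave;
# nothing unsolicited is passed in on $ext_if, so the WAN side stays closed.
pass out on $ext_if keep state
pass out on $int_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` for a while afterwards: every LAN program that tries an outbound connection outside the allowed set appears there as a logged block, which is exactly the visibility the Windows host firewalls in the article were supposed to give.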