
Personal Firewalls Mostly Useless, Says Mail & Guardian

hweimer writes "More and more security researchers come to the conclusion that personal firewalls are ineffective in controlling outbound traffic. An article in the Mail & Guardian online mentions a test that 'showed that the software often causes more problems than it solves. Not one of the six firewall programs the magazine tested, regardless of whether commercial or freeware, could prevent all attempts from the test programs at establishing outgoing connections between the PC and the internet.' Simple PoCs are available, too."
  • misleading headline (Score:5, Informative)

    by macadamia_harold ( 947445 ) on Thursday August 24, 2006 @09:56AM (#15969287) Homepage
    More and more security researchers come to the conclusion that personal firewalls are ineffective in controlling outbound traffic.

    The article's about personal software firewalls, not personal hardware firewalls. Furthermore, the fact that personal software firewalls are useless and buggy is not really a new discovery. [google.com]
  • Re:Outbound Traffic? (Score:2, Informative)

    by grub ( 11606 ) <slashdot@grub.net> on Thursday August 24, 2006 @10:03AM (#15969342) Homepage Journal

    You could have put that OpenBSD box inline as a firewall (pf is cool) and still done monitoring. Then your XP box would have been safe.

  • ZoneAlarm? (Score:5, Informative)

    by CyberZCat ( 821635 ) on Thursday August 24, 2006 @10:04AM (#15969349)
    Did they test zonealarm? Because even with my best efforts to circumvent it (for testing), it's still able to block everything. Even as an Admin user, it's not possible to stop the service unless you "officially" exit the program. I've been using it for years, and I haven't once had a program that it didn't block (if I chose to block it). Even test software which was specifically meant to try to find holes in personal firewalls. The new version does other handy things too, like keeping an eye on software which tries to monitor your keyboard/mouse (such as keyloggers) and giving you the option to block them from doing that. Very handy.
  • Little Snitch (Score:2, Informative)

    by GeffDE ( 712146 ) on Thursday August 24, 2006 @10:08AM (#15969387)
    The article (to my view) didn't mention any of the names of the programs, and I don't speak or read German, so I don't know how to find the names.

    But I would swear by a nifty little app (for mac), Little Snitch [obdev.at] which does seem to block both outgoing and incoming traffic perfectly.
  • by grub ( 11606 ) <slashdot@grub.net> on Thursday August 24, 2006 @10:09AM (#15969402) Homepage Journal

    Blocking outbound traffic has been very useful for spanking people who think running Kazaa/eMule/BitTorrent/etc. at work is a good idea. Or for blocking access to outgoing SMTP so users have to use the corporate mail box, etc.

  • by toupsie ( 88295 ) on Thursday August 24, 2006 @10:10AM (#15969404) Homepage
    Mac users, don't think you are safe because you aren't running Windows. It's amazing the number of apps that "phone home". A great tool for Mac OS X egress filtering is Little Snitch [versiontracker.com]. It's cheap and easy to use.
  • by Chairboy ( 88841 ) on Thursday August 24, 2006 @10:10AM (#15969411) Homepage
    The article makes a number of critical errors that impact its credibility.

    The article expounds on the dangers of Javascript, but fails to mention ActiveX. I suspect the author had heard about "scripting" being a security hole and assumed incorrectly that the other person was talking about Javascript. JS is inconsequential compared to ActiveX when it comes to actual risk.

    Additionally, when it claims that AV software essentially supersedes any firewall in terms of protection, it fails to consider the security nightmares in Windows. Specifically, through the trust relationships, you can modify registry settings and execute code on computers without your viral code ever touching the disk on the machine by doing it remotely from another computer. Because memory scanning is essentially ineffective, modern AV programs cannot effectively protect against this, which is why most security companies suggest combining AV with a Firewall. Plus, there are regular buffer overflow exploits that have the same effect: Code running without touching the disk. Where do they come from? Over the wire. Code Red and Nimda are good examples of attacks that were stopped by even the most basic firewalls. Safe browsing had no effect whatsoever on whether a user was infected.

    Finally, the article fails to take into consideration the thought that goes into the automatic rule creation most firewalls come with now. Developers understand that users demand convenience and security, and work to find a good match of both. To this effect, most modern desktop firewalls will use signature based rules (so that a malicious program has to do more than just be named after a trusted program) to create a basic rule that allows that program outbound access. The ports are not being just "left open" willy nilly, they are connected to known programs and watched. Some firewall programs even watch for threadjacking malware that would inject itself directly into trusted programs, which gives even more protection.

    The author of the article should reevaluate his or her knowledge of internet security. It is likely that the increasing ease of use has been interpreted as a drop in protection, but this is not the case. A secure system is one that uses a heterogeneous mix of disk and network protection.
  • Which Six? (Score:4, Informative)

    by 140Mandak262Jamuna ( 970587 ) on Thursday August 24, 2006 @10:11AM (#15969422) Journal
    Could not find the list of the six software packages tested. Don't know if Zone Alarm was tested and found to be defective too. But I would be surprised. Every time I update Firefox, Zone Alarm knows that the exe file has changed and alerts me to renew permission for it to connect to the internet.
  • by voice_of_all_reason ( 926702 ) on Thursday August 24, 2006 @10:11AM (#15969424)
    You could also advise them to simply google the .exe file. Every time I've tried this, the first 10 results have always been a group of sites that detail exactly what it's from and a recommendation to allow it or not. Give a man a fish/teach a man to fish and all.

    Sure it takes more time, but the only real reason I even use a firewall is to keep winamp and media player from phoning home.
  • by RebornData ( 25811 ) on Thursday August 24, 2006 @10:13AM (#15969436)
    The issue with most desktop software firewalls that attempt to control outbound connections is that they have no idea in advance what constitutes a valid program and what doesn't. So they ask the user, who in most cases is unable to answer the question. The only information typically provided is the executable name, and in many cases it's a generic one (like svchost.exe) that leaves even an experienced user without the ability to make an informed decision.

    The problem is that this trains users to ignore the prompts and habitually click "allow" or "deny" (usually because they find out the hard way that stuff breaks when they click "deny"). The result is far worse than if there were no attempts to control outbound access, because most of these firewalls (Zonealarm in particular) use similar techniques for *inbound* traffic too... they will prompt the user when a program opens a listening port, and if they hit "allow" will enable global inbound traffic to that port, creating a hole that otherwise wouldn't have been there.

    This happens regularly in practice; I've seen it over and over again with my small business consulting clients. Although technically an outbound software firewall with program control could be a good last-ditch effort to block malware that has managed to get installed and running, on a practical basis they cause more problems than they solve.

    -R
  • Re:Question (Score:5, Informative)

    by legoburner ( 702695 ) on Thursday August 24, 2006 @10:16AM (#15969461) Homepage Journal
    Although they do not provide much benefit, it can sometimes be worth it, especially if you have a wireless network behind your firewall. One rogue worm-ridden computer on your wireless network and bad things can happen to all your machines. Having a software firewall will consume resources and might annoy you from time to time, but will reduce the chance of infection from common worms. You should never presume your internal network is secure unless you can completely verify every last bit that comes in to it.
  • by plankrwf ( 929870 ) on Thursday August 24, 2006 @10:24AM (#15969504)
    Some of the problems with 'virtual firewalls' can be solved through real firewalls on ... virtual machines (i.e. Sieve at http://sievefirewall.sourceforge.net/ [sourceforge.net] or at http://www.vmware.com/vmtn/appliances/directory/245 [vmware.com])
  • by Anonymous Coward on Thursday August 24, 2006 @10:25AM (#15969510)
    Sorry to say that this article was about as useful as a RubberBand Band. Now if they'd identified the tested apps along with version of Windows, I'd be more willing to even consider the article to be informative but no, they make so many claims about personal software firewalls not being effective in some cases. What Cases and what worms/trojans/malware was able to bypass them or what firewalls were able to be bypassed?

    Now I was one of the original beta testers for Zone Alarm and while it isn't perfect by any means, it's still about the only useful one I've seen and I continue using it today and recommending it as being fairly effective at what it does. It's at least better than the joke MS includes called Windows Firewall, which doesn't even have any outbound control unlike ZoneAlarm, which is what I mainly use it for and no I'm not a Windows user as I'm currently running KDE-3.5.2 on Gentoo with 2.6.17 vanilla-series kernel (default tree), instead it's to ease the load I have in supporting the other computers in the household that still run Windows as yet.
  • Re:Which software? (Score:5, Informative)

    by Lambticc ( 563530 ) on Thursday August 24, 2006 @10:27AM (#15969528)
    - G Data InternetSecurity 2006
    - F-Secure Internet Security 2006
    - Kaspersky Internet Security 6
    - Trend Micro PC-Cillin 14 Internet Security
    - Symantec Norton Internet Security 2006
    - Zonelabs Zonealarm Internet Security 2006
    - McAfee Internet Security Suite 2006
    - Computer Associates eTrust Internet Security Suite r2
    - Panda Platinum Internet Security 2006
    - Softwin Bitdefender 9 Internet Security

    This is all I could find from the German site PC Professionell ... my German is not so good.
  • Winpooch (Score:4, Informative)

    by jhfry ( 829244 ) on Thursday August 24, 2006 @10:31AM (#15969556)
    This is why I run winpooch http://winpooch.free.fr/ [winpooch.free.fr]. It's not a firewall, but it does allow me to monitor my outgoing connections, and apply rules to them. For example, I can have it prompt me for every outbound, just announce when an outbound connection is established, or allow all outbound. Same thing with inbound. More complex rule sets are allowed as well.

    It's not gonna save me from a worm itself, but it will tell me when I have a worm or rootkit making outbound connections.

    And it allows me to use ClamWin to do on access scanning, tells me whenever an application tries to change the registry or system files, and provides a simple method to determine most of the potentially damaging processes running on my machine.

    Best of all it's opensource.
  • by Pieroxy ( 222434 ) on Thursday August 24, 2006 @10:53AM (#15969742) Homepage
    I use my very old laptop with BSD on it as a gateway
    For a few bucks, you could buy a small Linksys dedicated box. That box - in addition to doing the job fine - pumps up less power than a laptop will ever do even in its lowest consumption settings. In a few months, the cost of the Linksys box will be recouped on the electric bill. And it is smaller and heats up less.

    My view on the problem at least.
  • by sleep-doc ( 905583 ) on Thursday August 24, 2006 @11:07AM (#15969851)
    An old laptop running linux can be a terrific gateway, set up by someone with the appropriate knowledge base and experience. Set up by someone without those skills, it's a zombie-in-waiting.
  • Re:IP Tables (Score:4, Informative)

    by mpapet ( 761907 ) on Thursday August 24, 2006 @11:24AM (#15970004) Homepage
    Linux has IP Tables which is very good for the job. Is it as good as BSD? I would argue less time consuming if you already run Linux, but it's not the same.

    Notes: I believe for stateful packet inspection, the kernel needs ip_conntrack and a few other things in it. Most distro kernels have this but it's worth double checking. From there, it's learning the IP tables syntax which isn't hard after going through one of the many examples out there. Once you get logging going, check out intrusion prevention systems!

    http://www.google.com/search?hs=3PG&hl=en&lr=&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q=iptables&btnG=Search [google.com]

  • by badger.foo ( 447981 ) <peter@bsdly.net> on Thursday August 24, 2006 @11:25AM (#15970010) Homepage
    The manuscript at http://www.bgnett.no/~peter/pf/ [bgnett.no] is for a half day tutorial in setting up OpenBSD's PF firewall (also available on FreeBSD, NetBSD and DragonFlyBSD).

    The response I get (yes, I'm the guy who wrote the tutorial) is that people find it quite useful.

    The fact that it includes a few tips on how to give spammers a hard time helps too I guess.

  • Re:Little Snitch (Score:2, Informative)

    by Steve Ballmer's Fat ( 641246 ) on Thursday August 24, 2006 @12:01PM (#15970363)
    I would second the notion that Little Snitch is fantastic! However, it should be pointed out that Snitch does NOT block incoming traffic, and it is not intended to.
  • by value_added ( 719364 ) on Thursday August 24, 2006 @12:22PM (#15970598)
    Can you help someone out by pointing me towards a link to a good site that shows how to set something like that up? I've got a bit of experience with Linux and Solaris, but mostly use Windows. I don't have any experience using BSD ...

    I'll offer a suggestion. Install FreeBSD on any old computer with two NICs. You'll find the installation as easy as any Linux system, the routine maintenance probably easier, and the documentation [freebsd.org] far superior.

    Sit down to read the pf FAQ [openbsd.org] on OpenBSD's site. It's well written and comprehensive so read from the first page to the last page. Make some coffee and then read it again.

    # cd /usr/ports/shells/bash && make install
    # echo 'pf_enable="YES"' >> /etc/rc.conf
    # echo 'pf_rules="/etc/pf.conf"' >> /etc/rc.conf

    Edit /etc/pf.conf using the home user scenario provided at the end of the 'pf FAQ'. Reboot and you're good to go.

    You'll find pf far less verbose than iptables, ipfw, etc., and easier to learn and to use for that reason among others. There's also lots of additional tools available for pf that will help as well.

    $ cd /usr/ports && make search name=pf | less

    Google for all the rest.

    A final comment. Using this approach gives you a secure firewall with all the unixy goodness you'd expect, not to mention logging, SSH, NTP synchronisation, etc. that you may want to use as well. And earning the right to sneer at everyone using those plastic Linksys NAT boxes doesn't hurt.
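As an added example (not part of value_added's post or the pf FAQ), here is a constructed /etc/pf.conf for the two-NIC FreeBSD gateway the steps above describe: default deny with logging, NAT for the LAN, and egress limited to a handful of services, so a program "phoning home" on an unexpected port is dropped and logged at the gateway instead of being negotiated through a desktop prompt. The interface names, LAN range and service lists are assumptions; the state is deliberately created on the external interface after NAT, which is the pattern the pre-4.7 pf FAQ uses for translated traffic.

```pf
# Constructed example: two-NIC FreeBSD gateway with egress filtering.
# Interface names, LAN range and allowed ports are assumptions; adjust to your setup.
ext_if  = "fxp0"                   # NIC facing the ISP
int_if  = "fxp1"                   # NIC facing the home LAN
lan_net = "192.168.1.0/24"
tcp_out = "{ 22, 53, 80, 443 }"    # the only TCP ports LAN hosts may reach outside
udp_out = "{ 53, 123 }"            # DNS and NTP

set skip on lo0
scrub in all

# Translate LAN addresses to the external address (separate nat rule:
# the pre-OpenBSD-4.7 syntax, which is what FreeBSD's pf accepts)
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny in both directions; "log" copies dropped packets to pflog0
block log all

# Drop packets arriving on $int_if whose source address does not belong there
antispoof quick for $int_if

# Everything on the LAN side is accepted statelessly here. The egress decision
# is made on $ext_if below, after NAT, so the state tracks the translated
# connection and replies are matched to it on the way back in.
pass quick on $int_if from $lan_net to any
pass quick on $int_if from any to $lan_net

# Egress: only the listed services, stateful, for both NATed LAN traffic
# and the gateway's own traffic (both leave with the $ext_if address).
# Caveat: a drop here is logged after translation, so pflog0 shows the
# gateway's address; to attribute a blocked attempt to a LAN host, put a
# matching "block in log" rule on $int_if instead.
pass out on $ext_if inet proto tcp  from ($ext_if) to any port $tcp_out flags S/SA keep state
pass out on $ext_if inet proto udp  from ($ext_if) to any port $udp_out keep state
pass out on $ext_if inet proto icmp from ($ext_if) to any icmp-type echoreq keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and watch the dropped egress attempts with `tcpdump -n -e -ttt -i pflog0`.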
