
Personal Firewalls Mostly Useless, Says Mail & Guardian (303 comments)

hweimer writes "More and more security researchers come to the conclusion that personal firewalls are ineffective in controlling outbound traffic. An article in the Mail & Guardian online mentions a test that 'showed that the software often causes more problems than it solves. Not one of the six firewall programs the magazine tested, regardless of whether commercial or freeware, could prevent all attempts from the test programs at establishing outgoing connections between the PC and the internet.' Simple PoCs are available, too."


  • Outbound Traffic? (Score:5, Insightful)

    by parasonic ( 699907 ) on Thursday August 24, 2006 @09:57AM (#15969306)
    Yes, they may be ineffective in controlling outbound traffic. However, that's not the real point of a personal firewall.

    Without a personal firewall, users have a huge issue with inbound traffic when it comes to security, especially in the Windows "territories." I'll never forget the day that I left open an unpatched WinXP box after a fresh install. I watched all of the script kiddies and automated worms go at it from my passive OpenBSD monitoring box. That machine was hacked in under ten minutes just because I left it there, open to the Internet. So, useless? No.
  • by El Cubano ( 631386 ) on Thursday August 24, 2006 @09:59AM (#15969318)

    Not one of the six firewall programs the magazine tested, regardless of whether commercial or freeware, could prevent all attempts from the test programs at establishing outgoing connections between the PC and the internet.

    First, nothing is perfect. Second, if some nasty program/spyware/adware got in, then it's too late already. The best thing is to prevent them getting in to begin with. Besides, most people don't know the difference between what should and should not be allowed to have access. I do some tech support for friends and family and it really gets annoying after the fifteenth call, "Should I let FooBar21.exe access to the Internet?" I finally went with the policy of disabling any sort of outbound filtering in whatever firewall I setup for people I will be "supporting."

  • Simple (Score:5, Insightful)

    by The Cisco Kid ( 31490 ) * on Thursday August 24, 2006 @10:01AM (#15969331)
    A firewall is a *device* between a device that needs 'protection' (usually a Windows PC), and an Internet connection. Keyword *device*, as in a separate physical piece of equipment. A piece of software running *on* a Windows PC is as vulnerable as the underlying system it runs on. E.g., completely useless. 'Software Firewall' is an oxymoron.

    Not running Windows, but instead running either a proprietary platform or (preferred) something unix-based. The simplest is a simple one-way NAT (outbound connections allowed, inbound connections impossible without a specific, intentional mapping). These of course only protect against active outside attacks, and not against trojan/virus emails or websites visited from the PC. The most effective method of avoiding those is to avoid use of and remove (to the extent possible) all Microsoft email clients and web browsers from the PC.
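The one-way NAT gateway the post recommends (outbound flows pass, inbound packets are dropped unless they answer an existing flow or hit a deliberate mapping), modelled as an added example. This is not code from the post or from any firewall product; the addresses come from the RFC 5737 documentation ranges, and the port-forward table, port numbers and host names are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed addresses from the RFC 5737 documentation ranges.
WAN_IP = "203.0.113.10"
LAN_PREFIX = "192.168.1."


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class OneWayNat:
    """Model of a one-way NAT gateway: LAN-originated flows pass and create
    state; Internet-originated packets pass only if they answer that state
    or match an explicitly configured port forward."""

    def __init__(self, wan_ip: str, lan_prefix: str,
                 forwards: Optional[Dict[int, Tuple[str, int]]] = None):
        self.wan_ip = wan_ip
        self.lan_prefix = lan_prefix
        self.forwards = dict(forwards or {})        # wan_port -> (lan_ip, lan_port)
        # wan_port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.state: Dict[int, Tuple[str, int, str, int]] = {}
        self.dropped: List[Packet] = []
        self._next_port = 40000

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> Internet: allocate a WAN port, remember the flow, rewrite the source."""
        if not pkt.src_ip.startswith(self.lan_prefix):
            self.dropped.append(pkt)                 # not from our LAN: never forwarded
            return None
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        wan_port = next((p for p, f in self.state.items() if f == flow), None)
        if wan_port is None:
            wan_port = self._next_port
            self._next_port += 1
            self.state[wan_port] = flow
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: only tracked replies or intentional mappings get through."""
        if pkt.dst_ip != self.wan_ip:
            self.dropped.append(pkt)
            return None
        flow = self.state.get(pkt.dst_port)
        if flow and (flow[2], flow[3]) == (pkt.src_ip, pkt.src_port):
            return Packet(pkt.src_ip, pkt.src_port, flow[0], flow[1])
        if pkt.dst_port in self.forwards:
            lan_ip, lan_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        self.dropped.append(pkt)                     # unsolicited: no state, no mapping
        return None


def demo() -> dict:
    """Walk through the cases the post describes; results are returned for inspection."""
    nat = OneWayNat(WAN_IP, LAN_PREFIX, forwards={2222: ("192.168.1.5", 22)})
    # 1. A LAN host opens a web connection; the gateway rewrites the source.
    out = nat.outbound(Packet("192.168.1.20", 51000, "198.51.100.7", 80))
    # 2. The web server's reply matches the tracked flow and is translated back.
    reply = nat.inbound(Packet("198.51.100.7", 80, WAN_IP, out.src_port))
    # 3. A stray probe at the WAN address (what an exposed box sees all day) has no state.
    probe = nat.inbound(Packet("198.51.100.9", 4444, WAN_IP, 445))
    # 4. A different host aiming at the mapped port is not the flow's peer either.
    spoof = nat.inbound(Packet("198.51.100.9", 80, WAN_IP, out.src_port))
    # 5. Only the deliberate mapping lets an Internet host reach a LAN service.
    forwarded = nat.inbound(Packet("198.51.100.9", 4444, WAN_IP, 2222))
    return {"out": out, "reply": reply, "probe": probe, "spoof": spoof,
            "forwarded": forwarded, "dropped": len(nat.dropped)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>9}: {value}")
```

The model is deliberately minimal (no timeouts, no UDP/TCP distinction), but it captures the property the post relies on: an unpatched host behind the gateway is unreachable from the Internet unless someone adds a mapping for it, while its own outbound traffic is untouched, which is exactly why such a box does nothing about malware already on the PC.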
  • Re:Told you so (Score:4, Insightful)

    by lightyear4 ( 852813 ) on Thursday August 24, 2006 @10:05AM (#15969362)
    Unfortunately, they also create a false sense of security. In my opinion, that is far, far worse.
  • by iMaple ( 769378 ) * on Thursday August 24, 2006 @10:06AM (#15969372)
    Yes, I agree. The title should say "Personal (software) Firewalls Mostly Useless (for outbound traffic)". And that is unpreventable if the user is always logged in as an admin and runs malicious executables (or programs with known security issues, like older versions of browsers). This would be an issue if a non-admin user could disable the firewall (which I guess is not easy, since the article does not mention that). So there is no real problem with the personal firewall software.

    The firewalls are still very useful in preventing attacks due to OS vulnerabilities (like the Windows RPC issues). Anyway that is the main aim of personal firewalls, and the article does not have anything about the effectiveness of the firewall for inbound traffic.

    If you want a secure outbound firewall the best bet is to use a dedicated gateway machine with the firewall (I use my very old laptop with BSD on it as a gateway).
  • by Anonymous Coward on Thursday August 24, 2006 @10:06AM (#15969374)
    The personal or desktop firewall is not supposed to be your first line of defense, it's supposed to be your last line of defense.

    I recommend that people use both a hardware and software firewall, the hardware firewall protects you from the Internet in general. The software firewall protects you from the other computers on your local network.

    But when it comes down to it, a firewall is as strong as its weakest link, which is almost always the end user. Running as admin while browsing, downloading software from untrusted sources, don't blame the firewall for user stupidity.
  • by JBHarris ( 890771 ) <bharris@i s f .com> on Thursday August 24, 2006 @10:10AM (#15969412)
    A fundamental concept in computing nowadays is that software designers attempt to do as much thinking for the end user as possible. This is a generally good thing, as the easier/more-intuitive software is to use, the more people will use it. That point aside, this can be a negative thing as it keeps users from needing to understand what they are actually doing. Using computers NEEDS at least a basic understanding of what's going on.

    I don't mean everyone should study the TCP/IP stack and fully grasp ports and such, but seriously... you can't just show someone what a car does & explain the controls and then expect them to be able to drive properly & safely. It takes training & study.

    The same is true with computers. I'm not suggesting an 'internet license' or anything, but I would recommend that high school core classes at least provide the basics of the underlying fundamentals of computing. Until someone understands what those firewalls are for, they will never reach a truly useful state.

    Brad
  • by lightyear4 ( 852813 ) on Thursday August 24, 2006 @10:11AM (#15969419)
    Or for preventing a compromised box from DOSing the rest of the world.
  • by marrandy ( 713229 ) on Thursday August 24, 2006 @10:15AM (#15969452)
    Talk about stating the obvious...this is the most useless article I have read in a long time.

    1) Web browser and javascript bugs - nothing to do with hardware or software firewalls.

    2) email issues, people going to bad sites etc. - nothing to do with hardware or software firewalls.

    3) People should not run as administrator (or root) - wow, really.

    4) People should stay up-to-date on patches - wow, totally amazingly obvious.

    As you can't control people, they will always do these things. Good software firewalls show up issues after they have made these mistakes, when rogue software tries to get out.

    They also failed (or I missed it) to mention that software firewalls are good when you have multiple computers behind a hardware firewall - basically an infected computer will be blocked from infecting other computers e.g. netbios etc.

    Good computer security is a layered concept. From incoming hardware firewalls, IDS, software firewalls on individual computers, user training, security audits etc. I wish people and organizations writing articles would finally learn this. There is no 'magic' one solution.

  • by brunokummel ( 664267 ) on Thursday August 24, 2006 @10:16AM (#15969455) Journal
    I haven't found it in TFA, but then again I read it in a rush because my boss was in the room, but I guess they performed the test the way most regular users use a personal firewall.
    This means press install, press next, next, next, next, OK and done, I have my own personal protection!
    If you take the time to tune the software firewall, I'm pretty sure you would have much better results.
  • by grub ( 11606 ) <slashdot@grub.net> on Thursday August 24, 2006 @10:18AM (#15969469) Homepage Journal
    Oh bah... Colour me "stupid" today. :)
  • by bytesex ( 112972 ) on Thursday August 24, 2006 @10:20AM (#15969480) Homepage
    Software firewalls on the machine itself can do something hardware firewalls can't; they can check to see that the outbound traffic is coming from a trusted application running as an actually logged on user. Without this option, a firewall must assume that all traffic with a destination port 80 or 443 (or 25 or whatever) will be legit, allowing all sorts of malware to pretend to browse while doing their actual nasty stuff. On Windows, a firewall could even check whether the app in question has a window open, which creates an extra check (this visible application is making network connections).
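The per-application, per-user check the post describes, contrasted with the port-only view a separate box gets, as an added example. It is not the commenter's code and not any product's implementation; the rule set, executable paths, account names and port lists are constructed for the demonstration, and a real host firewall would obtain the process, session and window attributes from the OS rather than from a dataclass.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


# A connection attempt as a host-based firewall sees it: the process, its user
# context and window state, not just the destination port. (Constructed model.)
@dataclass(frozen=True)
class Attempt:
    exe: str           # executable path of the process opening the socket
    user: str          # account the process runs under
    interactive: bool  # that account has a logged-on desktop session
    has_window: bool   # the process owns a visible top-level window
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Attempt], bool]
    verdict: str       # "allow" or "deny"


def perimeter_verdict(a: Attempt) -> str:
    """What a separate firewall box can decide on: the destination port alone."""
    return "allow" if a.dst_port in (80, 443, 25) else "deny"


# Constructed rule set; the executable paths are hypothetical.
HOST_RULES: List[Rule] = [
    Rule("browser",
         lambda a: a.exe.lower().endswith(r"\firefox\firefox.exe")
         and a.interactive and a.has_window and a.dst_port in (80, 443),
         "allow"),
    Rule("mail-client",
         lambda a: a.exe.lower().endswith(r"\thunderbird\thunderbird.exe")
         and a.interactive and a.dst_port in (25, 110, 143, 993, 995),
         "allow"),
    # Nobody is at the keyboard to vouch for a non-interactive process.
    Rule("no-interactive-session", lambda a: not a.interactive, "deny"),
    # "Browsing" from a process with no window is the pattern the post wants caught.
    Rule("invisible-web-client",
         lambda a: a.dst_port in (80, 443) and not a.has_window, "deny"),
]


def host_verdict(a: Attempt, rules: List[Rule] = HOST_RULES) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in rules:
        if rule.match(a):
            return rule.verdict, rule.name
    return "deny", "default-deny"


def compare(attempts: List[Attempt]) -> List[Dict[str, str]]:
    """Side-by-side verdicts, so the cases where port-only filtering falls short stand out."""
    rows = []
    for a in attempts:
        host, reason = host_verdict(a)
        rows.append({"exe": a.exe, "port": str(a.dst_port),
                     "perimeter": perimeter_verdict(a), "host": host, "rule": reason})
    return rows


# Constructed sample attempts (paths, names and the "unknown" programs are hypothetical).
SAMPLE: List[Attempt] = [
    Attempt(r"C:\Program Files\Firefox\firefox.exe", "alice", True, True, 443),
    Attempt(r"C:\Program Files\Thunderbird\thunderbird.exe", "alice", True, True, 993),
    Attempt(r"C:\Users\alice\AppData\Local\Temp\update_helper.exe", "alice", True, False, 443),
    Attempt(r"C:\Windows\Temp\unknown_service.exe", "SYSTEM", False, False, 80),
    Attempt(r"C:\Program Files\Firefox\firefox.exe", "alice", True, True, 6667),
]

if __name__ == "__main__":
    for row in compare(SAMPLE):
        print(row)
```

Two things the table makes visible: the perimeter view waves through the windowless program on 443 and the non-interactive one on 80 because both look like web traffic, while the host policy denies them on context; and the perimeter view also blocks the legitimate mail client on 993, a reminder that port-only filtering is coarse in both directions. The default-deny fallback is what turns an unknown executable into a prompt rather than a silent allow.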
  • by WidescreenFreak ( 830043 ) on Thursday August 24, 2006 @10:22AM (#15969495) Homepage Journal
    Even though I'm behind a firewall, I use ZoneAlarm on all of my PCs so that I can catch what's communicating with the Internet and what's not. So far, it's done superbly well as far as I can tell.

    For example, every time I play a media file in Windows Media Player, it tries to connect to the Internet not once but twice - once when Media Player fires up and once again after it's finished! Excuse me? Exactly what is Media Player trying to figure out? Well, whatever it is, it's none of their damned business. Check "Remember this setting", click "Deny", and done.

    Every time a process tries to act like a server, ZA also notifies me of that as well. It's a bit of a pain when I fire up a game server for the first time and the pop-up balloon interferes with the screen (whoops), but again it just shows that it's at least doing what it's supposed to do.

    ZoneAlarm has its share of issues, but it clearly goes with the attitude of "better safe than sorry". There have been some rare times where the program itself doesn't start, for whatever reason, but its service gets started. On those rare occasions I've noticed that the service, if it can't communicate with the control daemon, or whatever you want to call it, it just blocks all network access. It could have just allowed everything instead and there'd be no way of knowing if it's working or not. Personally, I'd rather have it block all access. Not only does that let me know that there's a problem, but it's certainly keeping the PC's network connection secure.

    Using a hardware firewall for inbound and ZA for outbound connections makes perfect sense as far as I'm concerned. It's not trouble-free, but they've been getting better at its stability over the past several revisions from what I can tell.
  • by Curmudgeonlyoldbloke ( 850482 ) on Thursday August 24, 2006 @10:35AM (#15969583)
    And where do you insert this "device" between your PC and the wireless router in the coffee shop or hotel room in which you're sitting? Wave it around in mid-air or something?

    Besides that, the most useful purpose of these things isn't against trojans that someone's running because they're an idiot, it's software such as media players insisting on phoning home (for example, the "Microsoft Windows Media Configuration Utility" connection attempt that occurs when WM9 tries to update itself).

  • by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Thursday August 24, 2006 @10:39AM (#15969611) Homepage Journal
    Yes, I agree. The title should say " Personal (software) Firewalls Mostly Useless (for out bound traffic)".

    Actually, you forgot to end with ", On Windows". As you probably already know, you can set a BSD system's "securelevel" such that firewall rules, both in kernel and on disk, can't be altered without a reboot. You could hypothetically write a program that patches a BSD machine's boot sequence with one that unprotects the firewall configuration, alters it, changes the backup file so that the user won't get an email notification later on that details the differences, then resumes normal operation - all while hoping that the user or administrator doesn't notice the spontaneous reboot - but there aren't too many of those running around today.

  • by embracethenerdwithin ( 989333 ) on Thursday August 24, 2006 @10:56AM (#15969774)
    I never assumed my software firewall was some amazing thing that kept me 100% safe. But I would still never want to surf without one. I don't care if it only protects against some attacks, it's definitely better than none. I would rather be protected from a little than nothing.


    My view has always been using a combination of things that help is the best idea. Using a router that has a hardware firewall + a software firewall + antivirus + a secure browser (Firefox) is a decent way to keep safe. This won't stop everything, but it's better than surfing around with no protection. Also add not doing stupid things to that equation for maximum protection.

  • by $1uck ( 710826 ) on Thursday August 24, 2006 @11:03AM (#15969819)
    Can you help someone out by pointing me towards a link to a good site that shows how to set something like that up? I've got a bit of experience with linux and solaris, but mostly use windows. I don't have any experience using BSD (though I'd like to look at it). The more complicated my home network gets, the more I want to put something between the modem and the router. I would love to be able to monitor inbound/outbound traffic, block certain sites etc. I can do some of that with the router, or firewalls on individual machines. I'm sure I can find several sites on google, but if you've had a good experience with a particular tutorial please share it with me.
  • by morgan_greywolf ( 835522 ) on Thursday August 24, 2006 @11:16AM (#15969934) Homepage Journal
    Right. But they aren't effective in that measure. Joe Sixpack gets a dialog box that says "Application IEXPLORE.exe is attempting to access the Internet" a few thousand times and he just checks "Allow" or, worse "Always Allow" enough times, he doesn't notice when the box says "Application I_pwn_j00.exe is attempting to access the Internet" so, again, he clicks "Always Allow" just like he's always done. Or, he doesn't know what I_pwn_j00.exe is, but that's what he needs to click in order to continue, so that's what he does.

    Plus, as the article states, most of these software firewalls allow stuff to get through without popping anything up, and some malware can even bypass the software firewall, as shown in the PoC.

    IOW, personal firewalls are not only bad because stuff can get through, either through ignorance, buggy firewall software, or through crafty malware that gets past it, but they're also dangerous in that they create a false sense of security.

    The best ways to truly avoid malware are to not download untrusted/unknown software, to use alternatives that are more secure (Firefox vs. IE, gaim vs AIM, Thunderbird vs. Outlook, etc.), to disable macros in Microsoft Office, and to run good antivirus and anti-malware applications. Alternatively, one could use a platform that is less susceptible to malware, such as Mac OS X, Linux, or *BSD.
  • Re:Question (Score:3, Insightful)

    by SCHecklerX ( 229973 ) <greg@gksnetworks.com> on Thursday August 24, 2006 @11:17AM (#15969941) Homepage
    The concepts involved (port/protocol/subnet/hostname/client/server, etc) have not changed since I have been playing starting around 1994. Yes, it will change when IPv6 is adopted, but we ALL have some learning to do when that occurs.
  • Re:Question (Score:4, Insightful)

    by 99BottlesOfBeerInMyF ( 813746 ) on Thursday August 24, 2006 @11:35AM (#15970097)

    Software firewalls 'solve' the same problem as antivirus software. They attempt to disallow stupid users from doing stupid things.

    I disagree. Software firewalls on Windows attempt (and usually fail) to add granularity of control for end users.

    For the most part, if people don't install unknown/untrusted software on their PCs, and use safer alternatives for online stuff (gaim, firefox, sylpheed vs. aol's own messenger, MSIE, Outlook) along with practicing safe online computing in general, personal firewalls add the same value as antivirus software. None.

    This depends a whole lot upon your definition of "trusted." In any case, this is just another example of tools being designed without taking users into account. For most users the point of a computer is to run software they want. They don't know what software is secure and I'd argue no one does as everyone has to trust others. I don't know if Firefox has a backdoor that will be enabled next week. I haven't audited all the code. I doubt you have either. Whether it is Firefox, some shareware, an executable some friend sent via IM, or just something the user thought was data but the extension was hidden on, users who don't run untrusted data are missing a huge portion of the functionality they want from their computer. More important yet, they expect that functionality. It is not that they are stupid, they just have reasonable expectations that are not being met.

    For example, most users never want any programs except their e-mail client to be able to read their e-mail address book. I mean what kind of stupid machine would let "nekkid_pics.jpg(.exe)" read my friends' e-mail addresses and send a whole bunch of e-mail to them without asking me first? Who wants their computer to do that? And yet, almost all modern OS's just let any old program or program disguised as data do absolutely anything they want without asking the user or even informing them. That is what is stupid.

    Then again, maybe that should be required knowledge for any user who connects their computer to the Internet. We need licenses to show we are competent enough to drive cars, and this is the "Information Superhighway" after all.

    If I drive poorly, a bunch of kids could get run down and killed by a ton of metal. If I run random executables someone might get spam e-mail. Perhaps you see how the negative consequences of the former warrant licensing while the latter almost certainly does not?

    The real problems are twofold. One, computers are very poorly designed and don't behave as users expect. Two, when computers don't meet people's fairly reasonable expectations and instead are hijacked by spammers, people like you blame the users instead of the crappy OS's. Fix the software first, then if the problem persists you can blame the users.

  • by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Thursday August 24, 2006 @12:22PM (#15970599) Homepage Journal
    For a few bucks, you could buy a small linksys dedicated box.

    The one major problem is that he'd no longer be running BSD. It's not trivial to migrate a working firewall config from one OS to the other, as I painfully re-learned when I replaced my FreeBSD host with a WRT54G. It's more or less equivalent featurewise, but the setup is completely different. I particularly missed the PF (BSD firewall) configuration, which is as close as such things can get to being considered beautiful.

  • by Beryllium Sphere(tm) ( 193358 ) on Thursday August 24, 2006 @12:27PM (#15970668) Journal
    An incomplete defense is useless in a chess game because your opponent will attack via the hole you left and you'll lose. If you're defending against ego-driven attackers or attackers who target you personally then it's appropriate to try for a security posture with no holes in it.

    Mass-produced malware is usually not built for pride of workmanship. It is commercial software built to make money and is not a fraction better than it needs to be.

    The right question to ask about effectiveness is what fraction of the spyware in circulation will be controlled by Zone Alarm and its kin. We accept a detection rate of 50-80% from antispyware programs. The threshold for a program like Zone Alarm should be higher because it has to be worth the hassles it causes, of course.

    Those hassles are probably inevitable. If you try to control outgoing traffic you are trying to add a feature that should have been in the OS, namely a new permissions system. Turf wars with the OS and destabilization due to hooking deep APIs are certain to happen. Historically if you attempted to touch the Windows network stack (PGPNet, for example, and the Freedom software forced me into a wipe and reinstall) you broke it.

    Outbound traffic controls are harder to subvert but less effective if you do them outside the client machine. How can a separate firewall box know whether a port is being opened by BitTorrent or by CoolWebSearch?
  • by Dan Farina ( 711066 ) on Thursday August 24, 2006 @12:58PM (#15971024)
    Except that the Linksys (Broadcom based, really) NAT boxes consume less power and can perform all of the above in similar. Keep in mind that these devices have a 200 MHz ARM processor and 16 MB of RAM, and so are better than many computers that at one time ran BSD, consume less power, and have smaller footprint.

    If you insist on having more storage to install programs, one can always use a network mount.

    In any case, there's nothing to sneer at about these little devices.
  • by syousef ( 465911 ) on Thursday August 24, 2006 @05:55PM (#15973888) Journal
    This article basically says personal firewalls are useless because there are things they can't prevent. Recently I've seen someone argue antivirus software is useless because they aren't 100% accurate and won't catch all your virii. Okay well I have some screwdrivers at home. I want to put together a cupboard this evening. I'll only need the phillips head. Should I throw out the flathead since it won't do all my work for me? Moronic.

    Yes, software firewalls have their problems. Yes, they do require some knowledge to use correctly (as does almost all software!)

    Personally I use a hardware firewall for incoming, a software firewall for inbound, I do run as admin because Windows just isn't designed to be run well from an unprivileged account. I use antivirus too though I do switch it off if my computer's going to be doing something CPU or disk intensive AND I'm not doing anything I consider risky.

    Furthermore you can't test 6 bits of firewall software and extrapolate that they're all garbage from the sample.
