Personal Firewalls Mostly Useless, Says Mail & Guardian 303
hweimer writes "More and more security researchers come to the conclusion that personal firewalls are ineffective in controlling outbound traffic. An article in the Mail & Guardian online mentions a test that 'showed that the software often causes more problems than it solves. Not one of the six firewall programs the magazine tested, regardless of whether commercial or freeware, could prevent all attempts from the test programs at establishing outgoing connections between the PC and the internet.' Simple PoCs are available, too."
Outbound Traffic? (Score:5, Insightful)
Without a personal firewall, users have a huge issue with inbound traffic when it comes to security, especially in the Windows "territories." I'll never forget the day that I left open an unpatched WinXP box after a fresh install. I watched all of the script kiddies and automated worms go at it from my passive OpenBSD monitoring box. That machine was hacked in under ten minutes just because I left it there, open to the Internet. So, useless? No.
If it's in, it's already too late (Score:5, Insightful)
Not one of the six firewall programs the magazine tested, regardless of whether commercial or freeware, could prevent all attempts from the test programs at establishing outgoing connections between the PC and the internet.
First, nothing is perfect. Second, if some nasty program/spyware/adware got in, then it's too late already. The best thing is to prevent them getting in to begin with. Besides, most people don't know the difference between what should and should not be allowed to have access. I do some tech support for friends and family and it really gets annoying after the fifteenth call, "Should I let FooBar21.exe access the Internet?" I finally went with the policy of disabling any sort of outbound filtering in whatever firewall I set up for people I will be "supporting."
Simple (Score:5, Insightful)
Not running Windows, but instead running either a proprietary platform or (preferred) something unix-based. The simplest is a simple one-way NAT (outbound connections allowed, inbound connections impossible without a specific, intentional mapping). These of course only protect against active outside attacks, and not against trojan/virus emails or websites visited from the PC. The most effective method of avoiding those is to avoid use of and remove (to the extent possible) all Microsoft email clients and web browsers from the PC.
Re:Told you so (Score:4, Insightful)
Re:misleading headline (Score:5, Insightful)
The firewalls are still very useful in preventing attacks due to OS vulnerabilities (like the Windows RPC issues). Anyway that is the main aim of personal firewalls, and the article does not have anything about the effectiveness of the firewall for inbound traffic.
If you want a secure outbound firewall the best bet is to use a dedicated gateway machine with the firewall (I use my very old laptop with BSD on it as a gateway)
Purpose of a personal firewall (Score:5, Insightful)
I recommend that people use both a hardware and software firewall: the hardware firewall protects you from the Internet in general, and the software firewall protects you from the other computers on your local network.
But when it comes down to it, a firewall is as strong as its weakest link, which is almost always the end user. Running as admin while browsing, downloading software from untrusted sources... don't blame the firewall for user stupidity.
Result of Fundamental Flaw (Score:3, Insightful)
I don't mean everyone should study the TCP/IP stack and fully grasp ports and such, but seriously... you can't just show someone what a car does & explain the controls and then expect them to be able to drive properly & safely. It takes training & study.
The same is true with computers. I'm not suggesting an 'internet license' or anything, but I would recommend that high school core classes at least provide the basics of the underlying fundamentals of computing. Until someone understands what those firewalls are for, they will never reach a truly useful state.
Brad
Re:Blocking outbound connections silly (Score:3, Insightful)
Re:misleading headline (Score:5, Insightful)
1) Web browser and javascript bugs - nothing to do with hardware or software firewalls.
2) email issues, people going to bad sites etc. - nothing to do with hardware or software firewalls.
3) People should not run as administrator (or root) - wow, really.
4) People should stay up-to-date on patches - wow, totally amazingly obvious.
As you can't control people, they will always do these things. Good software firewalls show-up issues after they have made these mistakes, when rogue software tries to get out.
They also failed (or I missed it) to mention that software firewalls are good when you have multiple computers behind a hardware firewall - basically, an infected computer will be blocked from infecting other computers, e.g. via netbios etc.
Good computer security is a layered concept. From incoming hardware firewalls, IDS, software firewalls on individual computers, user training, security audits etc. I wish people and organizations writing articles would finally learn this. There is no 'magic' one solution.
How about configuring the software first? (Score:3, Insightful)
This means press install, press next, next, next, next, OK and done: I have my own personal protection!
If you take the time to tune the software firewall, I'm pretty sure you would have much better results.
Re:Outbound Traffic? (Score:2, Insightful)
Re:misleading headline (Score:5, Insightful)
ZoneAlarm + broadband router = happiness (Score:5, Insightful)
For example, every time I play a media file in Windows Media Player, it tries to connect to the Internet not once but twice - once when Media Player fires up and once again after it's finished! Excuse me? Exactly what is Media Player trying to figure out? Well, whatever it is, it's none of their damned business. Check "Remember this setting", click "Deny", and done.
Every time a process tries to act like a server, ZA also notifies me of that as well. It's a bit of a pain when I fire up a game server for the first time and the pop-up balloon interferes with the screen (whoops), but again it just shows that it's at least doing what it's supposed to do.
ZoneAlarm has its share of issues, but it clearly goes with the attitude of "better safe than sorry". There have been some rare times where the program itself doesn't start, for whatever reason, but its service gets started. On those rare occasions I've noticed that the service, if it can't communicate with the control daemon (or whatever you want to call it), just blocks all network access. It could have just allowed everything instead and there'd be no way of knowing if it's working or not. Personally, I'd rather have it block all access. Not only does that let me know that there's a problem, but it's certainly keeping the PC's network connection secure.
Using a hardware firewall for inbound and ZA for outbound connections makes perfect sense as far as I'm concerned. It's not trouble-free, but they've been getting better at its stability over the past several revisions from what I can tell.
A firewall is a *device* (Score:5, Insightful)
Besides that, the most useful purpose of these things isn't against trojans that someone's running because they're an idiot, it's software such as media players insisting on phoning home (for example, the "Microsoft Windows Media Configuration Utility" connection attempt that occurs when WM9 tries to update itself).
Re:misleading headline (Score:5, Insightful)
Actually, you forgot to end with ", On Windows". As you probably already know, you can set a BSD system's "securelevel" such that firewall rules, both in kernel and on disk, can't be altered without a reboot. You could hypothetically write a program that patches a BSD machine's boot sequence with one that unprotects the firewall configuration, alters it, changes the backup file so that the user won't get an email notification later on that details the differences, then resumes normal operation - all while hoping that the user or administrator doesn't notice the spontaneous reboot - but there aren't too many of those running around today.
Better than nothing (Score:4, Insightful)
My view has always been that using a combination of things that help is the best idea. Using a router that has a hardware firewall + a software firewall + antivirus + a secure browser (Firefox) is a decent way to keep safe. This won't stop everything, but it's better than surfing around with no protection. Also add not doing stupid things to that equation for maximum protection.
Re:misleading headline (Score:3, Insightful)
Re:misleading headline (Score:3, Insightful)
Plus, as the article states, most of these software firewalls allow stuff to get through without popping anything up, and some malware can even bypass the software firewall, as shown in the PoC.
IOW, personal firewalls are not only bad because stuff can get through, either through ignorance, buggy firewall software, or through crafty malware that gets past it, but they're also dangerous in that they create a false sense of security.
The best ways to truly avoid malware are to not download untrusted/unknown software, to use alternatives that are more secure (Firefox vs. IE, gaim vs. AIM, Thunderbird vs. Outlook, etc.), to disable macros in Microsoft Office, and to run good antivirus and anti-malware applications. Alternatively, one could use a platform that is less susceptible to malware, such as Mac OS X, Linux, or *BSD.
Re:Question (Score:3, Insightful)
Re:Question (Score:4, Insightful)
Software firewalls 'solve' the same problem as antivirus software. They attempt to disallow stupid users from doing stupid things.
I disagree. Software firewalls on Windows attempt (and usually fail) to add granularity of control for end users.
For the most part, if people don't install unknown/untrusted software on their PCs, and use safer alternatives for online stuff (gaim, firefox, sylpheed vs. aol's own messenger, MSIE, Outlook) along with practicing safe online computing in general, personal firewalls add the same value as antivirus software. None.
This depends a whole lot upon your definition of "trusted." In any case, this is just another example of tools being designed without taking users into account. For most users the point of a computer is to run software they want. They don't know what software is secure and I'd argue no one does, as everyone has to trust others. I don't know if Firefox has a backdoor that will be enabled next week. I haven't audited all the code. I doubt you have either. Whether it is Firefox, some shareware, an executable some friend sent via IM, or just something the user thought was data but the extension was hidden on, users who don't run untrusted data are missing a huge portion of the functionality they want from their computer. More important yet, they expect that functionality. It is not that they are stupid, they just have reasonable expectations that are not being met.
For example, most users never want any programs except their e-mail client to be able to read their e-mail address book. I mean, what kind of stupid machine would let "nekkid_pics.jpg(.exe)" read my friends' e-mail addresses and send a whole bunch of e-mail to them without asking me first? Who wants their computer to do that? And yet, almost all modern OS's just let any old program, or program disguised as data, do absolutely anything they want without asking the user or even informing them. That is what is stupid.
Then again, maybe that should be required knowledge for any user who connects their computer to the Internet. We need licenses to show we are competent enough to drive cars, and this is the "Information Superhighway" after all.
If I drive poorly, a bunch of kids could get run down and killed by a ton of metal. If I run random executables someone might get spam e-mail. Perhaps you see how the negative consequences of the former warrant licensing while the latter almost certainly does not?
The real problems are twofold. One, computers are very poorly designed and don't behave as users expect. Two, when computers don't meet people's fairly reasonable expectations and instead are hijacked by spammers, people like you blame the users instead of the crappy OS's. Fix the software first, then if the problem persists you can blame the users.
Re:misleading headline (Score:3, Insightful)
The one major problem is that he'd no longer be running BSD. It's not trivial to migrate a working firewall config from one OS to the other, as I painfully re-learned when I replaced my FreeBSD host with a WRT54G. It's more or less equivalent featurewise, but the setup is completely different. I particularly missed the PF (BSD firewall) configuration, which is as close as such things can get to being considered beautiful.
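The PF ruleset praised above, as an added example of the one-way NAT gateway several posters describe (LAN hosts may initiate outbound connections, inbound is blocked except for one explicit, intentional mapping). This is not any commenter's own configuration; the interface names, the LAN subnet, the forwarded port and the game server address are assumptions, and it uses the match/nat-to/rdr-to syntax of OpenBSD 4.7 and later rather than the older nat/rdr rules.

```pf
# /etc/pf.conf for a small BSD gateway (constructed example; interface
# names, addresses and the forwarded port below are assumptions)
ext_if  = "em0"               # uplink towards the ISP
int_if  = "em1"               # LAN side
lan_net = "192.168.1.0/24"
game_srv = "192.168.1.50"     # the one host that intentionally accepts inbound

set skip on lo
set block-policy drop         # drop silently: no RST/ICMP hints for scanners

# Normalize fragments and randomize IP IDs before any filtering decision
match in all scrub (no-df random-id)

# Rewrite LAN sources to the gateway's external address on the way out
match out on $ext_if from $lan_net to any nat-to ($ext_if)

# Default deny on every interface in both directions; everything after
# this line is an explicit exception
block all

# Refuse packets that claim a LAN source but arrive on the wrong interface
antispoof quick for $int_if

# LAN hosts may start any connection; replies come back via the state table
pass in  on $int_if from $lan_net to any
pass out on $ext_if

# The only intentional inbound mapping: TCP/27015 to the game server
pass in on $ext_if proto tcp from any to ($ext_if) port 27015 rdr-to $game_srv
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. The securelevel point raised earlier in the thread applies to this ruleset: on OpenBSD, running at kern.securelevel 2 stops the loaded pf rules from being altered, and `chflags schg /etc/pf.conf` keeps the on-disk copy immutable at securelevel 1 or higher, so changing either requires a reboot into a lower securelevel.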
Incomplete is not always "useless" (Score:3, Insightful)
Mass-produced malware is usually not built for pride of workmanship. It is commercial software built to make money and is not a fraction better than it needs to be.
The right question to ask about effectiveness is what fraction of the spyware in circulation will be controlled by Zone Alarm and its kin. We accept a detection rate of 50-80% from antispyware programs. The threshold for a program like Zone Alarm should be higher because it has to be worth the hassles it causes, of course.
Those hassles are probably inevitable. If you try to control outgoing traffic you are trying to add a feature that should have been in the OS, namely a new permissions system. Turf wars with the OS and destabilization due to hooking deep APIs are certain to happen. Historically if you attempted to touch the Windows network stack (PGPNet, for example, and the Freedom software forced me into a wipe and reinstall) you broke it.
Outbound traffic controls are harder to subvert but less effective if you do them outside the client machine. How can a separate firewall box know whether a port is being opened by BitTorrent or by CoolWebSearch?
Re:misleading headline (Score:3, Insightful)
If you insist on having more storage to install programs, one can always use a network mount.
In any case, there's nothing to sneer at about these little devices.
Idiotic article. Blame your tools. (Score:3, Insightful)
Yes, software firewalls have their problems. Yes, they do require some knowledge to use correctly (as does almost all software!)
Personally I use a hardware firewall for incoming, a software firewall for inbound, and I do run as admin because Windows just isn't designed to be run well from an unprivileged account. I use antivirus too, though I do switch it off if my computer's going to be doing something CPU or disk intensive AND I'm not doing anything I consider risky.
Furthermore you can't test 6 bits of firewall software and extrapolate that they're all garbage from the sample.