Personal Firewalls Mostly Useless, Says Mail & Guardian

hweimer writes "More and more security researchs come to the conclusion that personal firewalls are ineffective in controlling outbound traffic. An article in the Mail & Guardian online mentions a test that 'showed that the software often causes more problems than it solves. Not one of the six firewall programs the magazine tested, regardless of whether commercial or freeware, could prevent all attempts from the test programs at establishing outgoing connections between the PC and the internet.' Simple PoCs are available, too."

misleading headline

[macadamia_harold]

More and more security researchs come to the conclusion that personal firewalls are ineffective in controlling outbound traffic.

The article's about personal software firewalls, not personal hardware firewalls. Furthermore, the fact that personal software firewalls are useless and buggy is not really a new discovery. [google.com]

Re:misleading headline

[iMaple]

Yes, I agree. The title should say " Personal (software) Firewalls Mostly Useless (for out bound traffic)". And that is unpreventable if the user is always logged in as an admin and runs malicious executables (or programs with known security issues, like older versions of browsers). This would be an issue, if a non-admin user could disable the firewall (which I guess is not easy, since the article does not mention that). So there is no real problem with the personal firewall software.

The firewalls are still very useful in preventing attacks due to OS vulnerabilities (like the Windows RPC issues). Anyway that is the main aim of personal firewalls, and the article does not have anything about the effectiveness of the firewall for inbound traffic.

If you want a secure outbound firewall the best bet is to use a dedicated gateway machine with the firewall (I use my very old laptop with BSD on it as a gateway)

Re:misleading headline

[Just Some Guy]

Yes, I agree. The title should say " Personal (software) Firewalls Mostly Useless (for out bound traffic)".

Actually, you to end with forgot ", On Windows". As you probably already know, you can set a BSD system's "securelevel" such that firewall rules, both in kernel and on disk, can't be altered without a reboot. You could hypothetically write a program that patches a BSD machine's boot sequence with one that unprotects the firewall configuration, alters it, changes the backup file so that the user won't get an email notification later on that details the differences, then resumes normal operation - all while hoping that the user or administrator doesn't notice the spontaneous reboot - but there aren't too many of those running around today.

Re:misleading headline

[Pieroxy]

I use my very old laptop with BSD on it as a gateway
For a few bucks, you could buy a small linksys dedicated box. That box - in addition of doing the job fine - pumps up less power than a laptop will ever do even in their lowest consumption settings. In a few month, the cost of the Linksys box will be recouped on the electric bill. And it is smaller and heats up less.

My view on the problem at least.

Re:

[Just Some Guy]

For a few bucks, you could buy a small linksys dedicated box.

The one major problem is that he'd no longer be running BSD. It's not trivial to migrate a working firewall config from one OS to the other, as I painfully re-learned when I replaced my FreeBSD host with a WRT54G. It's more or less equivalent featurewise, but the setup is completely different. I particularly missed the PF (BSD firewall) configuration, which is as close as such things can get to being considered beautiful.

Re:

[$1uck]

Can you help someone out by pointing me towards a link to a good site that show's how to set something like that up? I've got a bit of experience with linux and solaris, but mostly use windows. I don't have any experience using BSD (though I'd like to look at it). The more complicated my home network gets, the more I want to put something between the modem and the router. I would love to be able to monitor inbound/outbound traffic block certain sites etc. I can do some of that with the router, or firewall

Re:IP Tables

[mpapet]

Linux has IP Tables which is very good for the job. Is it as good as BSD? I would argue less time consuming if you already run Linux, but it's not the same.

Notes: I believe for stateful packet inspection, the kernel needs ip_conntrack and a few other things in it. Most distro kernels have this but it's worth double checking. From there, it's learning the IP tables syntax which isn't hard after going through one of the many examples out there. Once you get logging going, check out intrusion prevention systems!

http://www.google.com/search?hs=3PG&hl=en&lr=&clie nt=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q= iptables&btnG=Search [google.com]

Re:

[msobkow]

openSuSE 10.1 actually makes it sickeningly easy to configure a firewall, subnet masquerading, DNS merging, and port forwarding. It took less than an two hours to get it all working (including dial-up and DHCP network alteration of the DNS forwarding.) IIRC it took almost two days to get it working with RedHat 5.2.

I realize it's not a fair comparison, as there is over 5 years of dev work in between the two, but the point is you don't need much knowledge, just a spare dual-nic box that'll run one of the

BSD firewall tutorial (was Re:misleading headline)

[badger.foo]

The manuscript at http://www.bgnett.no/~peter/pf/ [bgnett.no] is for a half day tutorial in setting up OpenBSD's PF firewall (also available on FreeBSD, NetBSD and DragonFlyBSD).

The response I get (yes, I'm the guy who wrote the tutorial) is that people find it quite useful.

The fact that it includes a few tips on how to give spammers a hard time helps too I guess.

Re:misleading headline

[value_added]

Can you help someone out by pointing me towards a link to a good site that show's how to set something like that up? I've got a bit of experience with linux and solaris, but mostly use windows. I don't have any experience using BSD ...

I'll offer a suggestion. Install FreeBSD on any old computer with two NICs. You'll find the installation as easy as any Linux system, the routine maintenance probably easier, and the documentation [freebsd.org] far superiour.

Sit down to read the pf FAQ [openbsd.org] on OpenBSD's site. It's well written and comprehensive so read from the first page to the last page. Make some coffee and then read it again.

# cd /usr/ports/shells/bash && make install
# echo 'pf_enable="YES"' >> /etc/rc.conf
# echo 'pf_rules="/etc/pf.conf"' >> etc/rc.conf

Edit /etc/pf.conf using the home user scenario provided at the end of the 'pf FAQ'. Reboot and you're good to go.

You'll find pf far less verbose than iptables, ipfw, etc., and easier to learn and to use for that reason among others. There's also lots of additional tools available for pf that will help as well.

$ cd /usr/ports && make search name=pf | less

Google for all the rest.

A final comment. Using this approach gives you a secure firewall with all the unixy goodness you'd expect, not to mention logging, SSH, NTP synchronisation, etc that you may want to use as well. And earning the right to sneer at everyone using those plastic Linksys NAT boxes doesn't hurt.

Re:

[Dan Farina]

Except that the Linksys (Broadcom based, really) NAT boxes consume less power and can perform all of the above in similar. Keep in mind that these devices have a 200mhz ARM processor and 16 MB of RAM, and so are better than many computers that at one time ran BSD, consume less power, and have smaller footprint.

If you insist on having more storage to install programs, one can always use a network mount.

In any case, there's nothing to sneer at about these little devices.

Re:

[sleep-doc]

An old laptop running linux can be a terrific gateway, set up by someone with the appropriate knowledge base and experience. Set up by someone without those skills, it's a zombie-in-waiting.

Question

[geeber]

So if I have a hardware firewall in my router is a software firewall useful as a last ditch defense? Or is it nothing more than an annoyance and resource hog?

Re:Question

[legoburner]

Although they do not provide much benefit, it can sometimes be worth it, especially if you have a wireless network behind your firewall. One rogue worm-ridden computer on your wireless network and bad things can happen to all your machines. Having a software firewall will be consume resources and might annoy you from time to time, but will reduce the chance of infection from common worms. You should never presume your internal network is secure unless you can completely verify every last bit that comes in to it.

Re:Question

[SCHecklerX]

Software firewalls 'solve' the same problem as antivirus software. They attempt to disallow stupid users from doing stupid things. For the most part, if people don't install unknown/untrusted software on their PCs, and use safer alternatives for online stuff (gaim, firefox, sylpheed vs. aol's own messenger, MSIE, Outlook) along with practicing safe online computing in general, personal firewalls add the same value as antivirus software. None.

For a skilled user (which these aren't marketed to anyway), there is value in anlyzing what your software is trying to open outbound connections to, if you tell your PFW to alert you. In the hands of a skilled user, this is good information and the PFW is a good tool to analyze what software you may want to ditch or restrict. Again, this isn't the demographic most PFW vendors market to. You can't use a tool like this without a basic knowledge of how TCP/IP works. Then again, maybe that should be required knowledge for any user who connects their computer to the Internet. We need licenses to show we are competent enough to drive cars, and this is the "Information Superhighway" after all.

Re:Question

[99BottlesOfBeerInMyF]

Software firewalls 'solve' the same problem as antivirus software. They attempt to disallow stupid users from doing stupid things.

I disagree. Software firewalls on Windows attempt (and usually fail) to add granularity of control for end users.

For the most part, if people don't install unknown/untrusted software on their PCs, and use safer alternatives for online stuff (gaim, firefox, sylpheed vs. aol's own messenger, MSIE, Outlook) along with practicing safe online computing in general, personal firewalls add the same value as antivirus software. None.

This depends a whole lot upon your definition of "trusted." In any case, this is just another example of tools being designed without taking users into account. For most users the point of a computer is to run software they want. They don't know what software is secure and I'd argue no one does as everyone has to trust others. I don't know if Firefox has a backdoor that will be enabled next week. I haven't audited all the code. I doubt you have either. Whether it is Firefox, some shareware, an executable some friend sent via IM, of just something the user thought was data but the extension was hidden on, users who don't run untrusted data are missing a huge portion of the functionality they want from their computer. More important yet, they expect that functionality. It is not that they are stupid, they just have reasonable expectations that are not being met.

For example, most users never want any programs except their e-mail client to be able to read their e-mail address book. I mean what kind of stupid machine would let "nekkid_pics.jpg(.exe)" read my friends e-mail addresses and send a whole bunch of e-mail to them without asking me first? Who wants their computer to do that? And yet, almost all modern OS's just let any old program or program disguised as data to absolutely anything they want without asking the user or even informing them. That is what is stupid.

Then again, maybe that should be required knowledge for any user who connects their computer to the Internet. We need licenses to show we are competent enough to drive cars, and this is the "Information Superhighway" after all.

If I drive poorly, a bunch of kids could get run down and killed by a ton of metal. If I run random executables someone might get spam e-mail. Perhaps you see how the negative consequences of the former warrant licensing while the latter almost certainly does not?

The real problems are twofold. One, computers are very poorly designed and don't behave as users expect. Two, when computers don't meet people's fairly reasonable expectations and instead are hijacked by spammers, people like you blame the users instead of the crappy OS's. Fix the software first, then if the problem persists you can blame the users.

Re:

[SCHecklerX]

The concepts involved (port/protocol/subnet/hostname/client/server, etc) have not changed since I have been playing starting around 1994. Yes, it will change when IPV6 is adopted, but we ALL have some learning to do when that occurs.

Re:misleading headline

[marrandy]

Talk about stating the obvious...this is the most useless article I have read in a long time.

1) Web browser and javascript bugs - nothing to do with hardware or software firewalls.

2) email issues, people going to bad sites etc. - nothing to do with hardware or software firewalls.

3) People should not run as administrator (or root) - wow, really.

4) People should stay up-to-date on patches - wow, totally amazingly obvious.

As you can't control people, they will always do these things. Good software firewalls show-up issues after they have made these mistakes, when rogue software tries to get out.

They also failed (or I missed it) to mention that software firewalls are good when you have multiple computers behind a hardware firewall - basically and infected computer will be blocked infecting other computers e.g. netbios etc.

Good computer security is a layered concept. From incoming hardware firewalls, IDS, software firewalls on individual computers, user training, security audits etc. I wish people and organizations writing articles would finally learn this. There is no 'magic' one solution.

Re:misleading headline

[bytesex]

Software firewalls on the machine itself can do something hardware firewalls can't; it can check to see that the outbound traffic is coming from a trusted application running as an actually logged on user. Without this option, a firewall must assume that all traffic with a destination port 80 or 443 (or 25 or whatever) will be legit, allowing all sorts of malware to pretend to browse while doing their actual nasty stuff. On windows, a firewall could even check whether the app in question has a window open, which creates an extra check (this visible application is making network connections).

Re:

[creepynut]

Now, I didn't RTFA, but it seems the whole point it is trying to make is that software firewalls AREN'T doing just that.

From the summary:
Not one of the six firewall programs the magazine tested, regardless of whether commercial or freeware, could prevent all attempts from the test programs at establishing outgoing connections between the PC and the internet.'

.

Re:

[morgan_greywolf]

Right. But they aren't effective in that measure. Joe Sixpack gets a dialog box that says "Application IEXPLORE.exe is attempting to access the Internet" a few thousand times and he just checks "Allow" or, worse "Always Allow" enough times, he doesn't notice when the box says "Application I_pwn_j00.exe is attempting to access the Internet" so, again, he clicks "Always Allow" just like he's always done. Or, he doesn't know what I_pwn_j00.exe is, but that's what he needs to click in order to continue, so th

[OT] Re:Link to "printable" version of stories!

[Maïdjeurtam]

If slashdot, digg and friends were to link to printable versions, how long would it take for those sites either to remove the print version or to put their ads there?

Told you so

[growse]

Well, that's what happens when you try and introduce a complex topic like network security into the consumer market, and subsequently fail at that task. They (the software manufacturers) fail not only in raising a suitable amount of awareness (if every single computer on the planet was behind a firewall, how many worms/malware would this stop?), but they also fail to do the job properly (not blocking outbound traffic) for those who do install their software.

Re:Told you so

[lightyear4]

Unfortunately, they also create a false sense of security. In my opinion, that is far, far worse.

Blocking outbound connections silly

[EsbenMoseHansen]

Blocking outbound connection from a computer is pretty silly initiative in any case. Firewalls are for blocking inbound connections and for enforcing policies between networks (e.g, between the home network and the internet). Only in the latter case does blocking outbound traffic matter, and only as a last ditch "woops, I forgot to restrict this service so now I'm broadcasting sensitive information to the world!" sort of thing. It certainly doesn't hinder worms and their ilk much. And don't get me started o

Re:

[grub]

Blocking outbound traffic has been very useful for spanking people who think running Kazaa/eMule/BitTorrent/etc. at work is a good idea. Or for blocking access to outgoing SMTP so users have to use the corporate mail box, etc..

Re:

[lightyear4]

Or for preventing a compromised box from DOSing the rest of the world.

Re:

[EsbenMoseHansen]

Or for preventing a compromised box from DOSing the rest of the world.

For stopping, sure. But for the initial wave, wouldn't a DDOS just use a commmon, open port like 80 or 443? Here I am assuming a external firewall, as a software firewall on the rooted (!) box itself is presumably disabled.

Re:

[EsbenMoseHansen]

Blocking outbound traffic has been very useful for spanking people who think running Kazaa/eMule/BitTorrent/etc. at work is a good idea. Or for blocking access to outgoing SMTP so users have to use the corporate mail box, etc..

Firstly, that is negotiating traffic between networks (here, the office LAN and it's internet connection. I'd be a bit surprised if it works, but maybe it takes out some of the more stupid employees. For my money, just saying "please don't do that" seems to be a better idea in this

Re:

[EsbenMoseHansen]

Besides the good old network-2-network firewalls, there are the "Personal" firewalls regulate which application are allowed to connect. Those are what the article are talking about. If you do not agree with the terminology, I can understand, but I think that rabbit is rather out of the box.

And using proxies is just about the only way if you want to only have one type of traffic, provided that the inside people have no conspirators (including themselves) outside the firewall. If they do, you have lost whate

Re:

[arminw]

.... It certainly doesn't hinder worms and their ilk much. And don't get me started on that silly checksumming of applications....

Mac OSX has an interesting feature that should at least alert a user that something fishy is happening. Any executable trying to run the very first time, triggers a dialog that asks the user if that should be allowed. It adds the warning that the program could be malicious. Then the smart users may cancel the starting of that program.

Re:

[budgenator]

Blocking outbound connection from a computer is pretty silly initiative in any case
What's trying to get out is usualy more important to me than what's trying to get in because it gives clues as to what has gotten in and what's not programs aren't behaving like they work for me instead of somebody else.

"Why home firewall software is a leaky dyke"

[Anonymous Coward]

As a lesbian, I must protest to this offensive and disparaging comment.

Re:

[ArsenneLupin]

You forgot to add closeted, anonymous cowardess, you! ;-)

Re:

[voice_of_all_reason]

Cowardess? Sounds like a new D&D class.

can she cast magic missile?

Re:

[ArsenneLupin]

Yet the fact that she has boobies makes nerds in basements around the world drop their swords and wet their pants. To summarize, she's invincible.

Not really. That's where the gay nerd comes into play, hehe ;-)

Outbound Traffic?

[parasonic]

Yes, they may be ineffective in controlling outbound traffic. However, that's not the real point of a personal firewall.

Without a personal firewall, users have a huge issue with inbound traffic when it comes to security, especially in the Windows "territories." I'll never forget the day that I left open an unpatched WinXP box after a fresh install. I watched all of the script kiddies and automated worms go at it from my passive OpenBSD monitoring box. That machine was hacked in under ten minutes just because I left it there, open to the Internet. So, useless? No.

Re:

[grub]

You could have put that OpenBSD box inline as a firewall (pf is cool) and still done monitoring. Then your XP box would have been safe.

Re:

[A beautiful mind]

I think he was trying to perform an experiment.

Re:

[grub]

Oh bah... Colour me "stupid" today. :)

Re:

[hweimer]

Without a personal firewall, users have a huge issue with inbound traffic when it comes to security, especially in the Windows "territories."

Inbound traffic can be filtered using the OS-supplied firewall (yes, even under Windows). No need to buy questionable TCP/IP stack replacements.

Re:

[idontgno]

Inbound traffic can be filtered using the OS-supplied firewall (yes, even under Windows).

Most personal firewall products predate the awe-inspiring wonderfullness which is the Windows Firewall. And architecturally, 3rd party software firewalls are comparable to the "integrated" Windows one. (What, you think maybe Microsoft is giving their own firewall developers better hooks into the OS than 3rd-party developers have? While MS has that history, I think they're being too closely watched after numerous high-

Re:

[klingens]

Yes, those 3rd party firewall programs are useless since even Windows can now closes ports by default (with their so called "firewall") since XP SP2 2 years ago. Older Windows versions don't have this feature but aren't sold anymore to consumers either. And it's quite rare that consumers buy utility software like this for older PCs anyways. Even if they buy it, the fact that the firewall giving the protection and the firewalled system receiving it are one and the same is not exactly secure. Running under th

It lasted a whole 10 minutes?

[Moraelin]

I still remember the lone time I got virused, as it also was the lone time when I put a non-firewalled machine on the internet.

Basically the story is that I had managed to fry my home machine, didn't have a second computer at the time, but hey, looks like I got enough older parts for one (or a couple of them.) Stupidly enough, the firewall program (Sygate was my favourite at the time) was among the few things I had never backed up, but otherwise I could have a computer to play with in an hour or so.

Now I co

Re:

[InsaneGeek]

So your experiment expect people to not apply any Windows patches, but at the same time expect people to install a 3rd party personal firewall??? Is it just me in thinking that there is a very remote probability of this situation actually occuring?

Re:

[CastrTroy]

But you don't need a firewall for that. Simply putting it behind a router with no ports forwarded will pretty much ensure that the script kiddies and worms can't get in.

Re:

[TheGreek]

Simply putting it behind a router with no ports forwarded will pretty much ensure that the script kiddies and worms can't get in.

Until you download MAGIC PORN DIALER 2006.

Re:

[SCHecklerX]

This is why, when we were looking for PFW solutions, we settled on using the one built into XP SP2 and above.

Why?

Yeah, it'd be nice to stop the stupid user stuff with outbound attacks and such... but most of that threat is better mitigated through the use of malcode-analyzing proxies and other filtering systems (we quarantine email attachments, haven't had a 0-day in years, use centralized ad and malcode blocking for web browsers, etc).

The REAL threat that we could actually get benefit from using PFW softwa

If it's in it's already too late

[El Cubano]

Not one of the six firewall programs the magazine tested, regardless of whether commercial or freeware, could prevent all attempts from the test programs at establishing outgoing connections between the PC and the internet.

First, nothing is perfect. Second, if some nasty program/spyware/adware got in, then it's too late already. The best thing is to prevent them getting in to begin with. Besides, most people don't know the difference between what should and should not be allowed to have access. I do some tech support for friends and family and it really gets annoying after the fifteenth call, "Should I let FooBar21.exe access to the Internet?" I finally went with the policy of disabling any sort of outbound filtering in whatever firewall I setup for people I will be "supporting."

Re:If it's in it's already too late

[voice_of_all_reason]

You could also advise them to simply google the .exe file. Every time I've tried this, the first 10 results have always been a group of sites that detail exactly what it's from and a recommendation to allow it or not. Give a man a fish/teach a man to fish and all.

Sure it takes more time, but the only real reason I even use a firewall is to keep winamp and media player from phoning home.

Re:

[RockModeNick]

I did the same thing with my aunt who was always forwarding stupid warnings - I told her if she was REALLY genuinely concerned, she'd take the time to go to www.google.com and input the subject of the email, and see what came up, rather than just blindly forward anything that said to. I used to get 2 terrably dire warnings(tm) from her per month, now down to zero for the past 8 months.

Annoyance

[damaki]

Personal firewalls do not block outbound connection because it is a pain in the ass to decide what can pass or not. I mean, did you ever try some windows firewall that allows that? You get hundred of warnings from obscure services trying to send unknown data to somewhere you do not want to know. Users are clueless about it, they will just check the box that say "shut up and hack by box" if it prevents further messages from appearing.

Re:

[eggoeater]

This is true for most lusers out there, but for geeks like us it's very handy.
I find it very interesting when I install some software and
my ZoneAlarm pops a window showing me it's trying to phone home.
(Adobe is the worst when it comes to this.)

Windows should be have a built-in white-list for outgoing network connections,
including a help link to a web page (or a wiki) showing what propram is sending what to where and why!

Re:

[robogun]

Zonealarm does it. Deny everything unless you KNOW it has to connect. Mail & browser for most people. It will only ask once per app. What's so hard about that?

Re:

[Tim C]

Personal firewalls do not block outbound connection because it is a pain in the ass to decide what can pass or not. I mean, did you ever try some windows firewall that allows that?

Yes, and I took the time to train/configure the firewall. Now it will warn me about a new app trying to make connections for the first time, but that's a rare enough occurence that it's no problem at all (and is of course entirely expected).

Users are clueless about it

Yes, most users are - but they generally don't care about outbou

Simple

[The Cisco Kid]

A firewall is a *device* between a device that needs 'protection' (usually a Windows PC), and an Internet connection. Keyword *device*, as in a seperate physical piece of equipment. A piece of software running *on* a Windows PC is as vulnerable as the underlying system it runs on. Eg, completely useless. 'Software Firewall' is an oxymoron.

Not running Windows, but instead running either a proprietary platform or (preferred) something unix-based. The simplest is a simple one-way NAT (outbound connections allowed, inbound connections impossible without a specific, intentional mapping). These of course only protect against active outside attacks, and not against trojan/virus emails or websites visited from the PC. The most effective method of avoiding those is to avoid use of and remove (to the extent possible) all Microsoft email clients and web browsers from the PC.

Re:

[The Cisco Kid]

Correction - the most effective method, *if* one assumes the constraint that the PC must be running Windows. The *most* effective would be to simply not use Windows, but the driveling masses accept happily whatever crap the consumer OEM's spoonfeed them (via the consumer retail and online outlets), and it will be a long time before enough of them will be able to escape Microsoft's clutches.

Re:

[_Swank]

because it's completely impossible that someone might CHOOSE to use windows over linux. completely, undeniably, impossible.

*BZZZZZZT* wrong.

i CHOOSE to use windows. 90% of what i do on a daily basis could be done in either. with a decent amount of extra effort, i could probably get that last 10% working under linux. but in my opinion, linux just isn't there yet. xp, warts and all, allows me to be more productive. yes, i have a linux partition on my laptop (that doesn't get much use). and i have linu

Re:

[RockModeNick]

I have to agree on a certain level, I just keep up with my microsoft updates, and I've never had a virus I didn't put there on purpose to figure out how to remove it from a friend's machine before a fix was released. If you are intelligent enough to run *ix(have briefly) you are intelligent enough to never get a virus or any really nasty malware on a windows PC.

Re:

[Tim C]

The *most* effective would be to simply not use Windows, but the driveling masses accept happily whatever crap the consumer OEM's spoonfeed them

The funny thing is that just this last weekend, a friend of mine discovered that his home Linux server had been hacked. Someone managed to break in remotely and get root.

So while using something other than Windows makes you safer, it most definitely does not make you invulnerable.

Oh, and less of the "drivelling masses", thanks - some of us choose to use Windows for

A firewall is a *device*

[Curmudgeonlyoldbloke]

And where do you insert this "device" between your PC and the wireless router in the coffee shop or hotel romm in which you're sitting? Wave it around in mid-air or something?

Besides that, the most useful purpose of these things isn't against trojans that someone's running because they're an idiot, it's software such as media players insisting on phoning home (for example, the "Microsoft Windows Media Configuration Utility" connection attempt that occurs when WM9 tries to update itself).

Re:

[jimicus]

Amazing.

"Software Firewall" is an oxymoron......Not running Windows, but instead running either a proprietary platform or (preferred) something unix-based

What do you think a unix-based (or for that matter proprietary) firewall is based on - software.

If you mean "Running a firewall on the system you're supposed to be protecting" is a bad idea, I'd generally agree. But if you're most concerned about blocking incoming connections, that's less of an issue.

Ideally you'd never get any malicious (sp?) software on

ZoneAlarm?

[CyberZCat]

Did they test zonealarm? Because even with my best efforts to circumvent it (for testing), it's still able to block everything. Even as an Admin user, it's not possible to stop the service unless you "officially" exit the program. I've been using it for years, and I haven't once ever had a program that it didn't block (if I chose to block it). Even test software which was spesifically meant to try to find holes in personal firewalls. The new version does other handy things too, like keeping an eye on software which tries to monitor your keyboard/mouse (such as keyloggers) and giving you the option to block them from doing that. Very handy.

Re:

[voice_of_all_reason]

I'd certainly be interested in a way to shut it down manually as admin, if you know a way. If it ever bugs up and goes into "turtle mode", you're basically forced to do a reboot because it locks the internet and won't allow you to close it through task manager.

ZoneAlarm + broadband router = happiness

[WidescreenFreak]

Even though I'm behind a firewall, I use ZoneAlarm on all of my PCs so that I can catch what's communicating with the Internet and what's not. So far, it's done superbly well as far as I can tell.

For example, every time I play a media file in Windows Media Player, it tries to connect to the Internet not once but twice - once when Media Player fires up and once again after it's fnished! Excuse me? Exactly what is Media Player trying to figure out? Well, whatever it is, it's none of their damned business. Check "Remember this setting", click "Deny", and done.

Every time a process tries to act like a server, ZA also notifies me of that as well. It's a bit of a pain when I fire up a game server for the first time and the pop-up balloon interferes with the screen (whoops), but again it just shows that it's at least doing what it's supposed to do.

ZoneAlarm has its share of issues, but it clearly goes with the attitude of "better safe than sorry". There have been some rare times where the program itself doesn't start, for whatever reason, but its service gets started. On those rare occasions I've noticed that the service, if it can't communicate with the control daemon, or whatever you want to call it, it just blocks all network access. It could have just allowed everything instead and there'd be no way of knowing if it's working or not. Personally, I'd rather have it block all access. Not only does that let me know that there's a problem, but it's certainly keeping the PC's network connection secure.

Using a hardware firewall for inbound and ZA for outbound connections makes perfect sense as far as I'm concerned. It's not trouble-free, but they've been getting better at its stability over the past several revisions from what I can tell.

Re:

[squoozer]

Media player is probably either doing some sort of licence check or an ID3 tag look up (or both).

Re:

[Tim C]

For example, every time I play a media file in Windows Media Player, it tries to connect to the Internet not once but twice - once when Media Player fires up and once again after it's fnished! Excuse me? Exactly what is Media Player trying to figure out?

Depending on your settings, it's probably opening a connection to the server to retrieve media info from (on startup) and reporting anonymous* usage data (on shut down). Both of these things can be switched off in the options settings. I don't guarantee that

Re:

[Jeff DeMaagd]

I had an occasional problem where the ZoneAlarm controller would not accept any clicks. I see a dialog box but eventually it does not allow me to click accept, deny or the check box to learn my setting. I end up killing it, uninstalling it and running Kerio Personal Firewall instead and that generally doesn't cause me any problems like that. It does block internet ads or site counter systems by default so some sites just don't work, but that's the extent of my issues with KPF.

Re:

[Jeff DeMaagd]

I forgot to mention that turning off ad blocking in KPF fixed the site blocking issue, there's a setting in the control panel.

Re:

[faloi]

Chances are, based on the text of the article, ZoneAlarm would've failed too. The title and description are a bit misleading. One of their tests, as an example, was to hack a way out through the browser. Since the browser already (typically) has rights to get on the wire, ZoneAlarm probably wouldn't flag it.

Personally, I think their tests are sort of flawed for showing holes in the firewall itself. I've used ZoneAlarm for a while and think it does a great job.

Which software?

[jtroutman]

I'm just curious, since the article doesn't mention it, but which firewalls were tested? I've look at the website for the magazine that did the testing, but my German is rather rusty and I can't seem to find the original article. The only one mentioned in the article is the Windows XP firewall.

Re:Which software?

[Lambticc]

_G Data InternetSecurity 2006 _F-Secure Internet Security 2006
_Kaspersky Internet Security 6
_Trend Micro PC-Cillin 14 Internet Security
_Symantec Norton Internet Security 2006
_Zonelabs Zonealarm Internet Security 2006
_McAfee Internet Security Suite 2006
_Computer Associates eTrust Internet Security Suite r2
_Panda Platinum Internet Security 2006
_Softwin Bitdefender 9 Internet Security

This is all I could find from the german site PC Progressionell ..meine Deutshe ist nicht so gut.

Purpose of a personal firewall

[Anonymous Coward]

The personal or desktop firewall is not supposed to be your first line of defense, it's supposed to be your last line of defense.

I recommend that people use both a hardware and software firewall, the hardware firewall protects you from the Internet in general. The software firewall protects you from the other computers on your local network.

But when it comes down to it, a firewall is as strong as it's weakest link, which is almost always the enduser. Running as admin while browsing, downloading software from untrusted sources, don't blame the firewall for user stupidity.

So sorry

[voice_of_all_reason]

Not one of the six firewall programs the magazine tested, regardless of whether commercial or freeware, could prevent all attempts from the test programs at establishing outgoing connections between the PC and the internet

Yeah, what a drag that their software is not completely immaculate. Let us know when you code the world's first perfect application, sparky.

And how exactly does "not perfect" translate to "useless" again?

They just didn't have enough firewall.

[Colin Smith]

Most of the "secured" computers I've seen have 3, 4 or more firewalls installed and "working". If one firewall isn't stopping outbound connections, go install another one, you'll be twice as secure then.
 

Re:

[rcw-work]

I hereby vow to refer to personal software firewalls as "cowbell".

Little Snitch

[GeffDE]

The article (to my view) didn't mention any of the names of the programs, and I don't speak or read German, so I don't know how to find the names.

But I would swear by a nifty little app (for mac), Little Snitch [obdev.at] which does seem to block both outgoing and incoming traffic perfectly.

Little Snitch for Mac OS X

[toupsie]

Mac users don't think you are safe because you aren't running windows. It's amazing the number of Apps that "phone home". A great tool for Mac OS X egress filtering is Little Snitch [versiontracker.com]. It's cheap and easy to use.

Bad article, no donut

[Chairboy]

The article makes a number of critical errors that impact its credibility.

The article expounds on the dangers of Javascript, but fails to mention ActiveX. I suspect the author had heard about "scripting" being a security hole and assumed incorrectly that the other person was talking about Javascript. JS is inconsequential compared to ActiveX when it comes to actual risk.

Additionally, when it claims that AV software essentially supersedes any firewall in terms of protection, it fails to consider the security nightmares in Windows. Specifically, through the trust relationships, you can modify registry settings and execute code on computers without your viral code ever touching the disk on the machine by doing it remotely from another computer. Because memory scanning is essentially ineffective, modern AV programs cannot effectively protect against this, which is why most security companies suggest combining AV with a Firewall. Plus, there are regular buffer overflow exploits that have the same effect: Code running without touching the disk. Where do they come from? Over the wire. Code Red and Nimda are good examples of attacks that were stopped by even the most basic firewalls. Safe browsing had no effect whatsoever on whether a user was infected.

Finally, the article fails to take into consideration the thought that goes into the automatic rule creation most firewalls come with now. Developers understand that users demand convenience and security, and work to find a good match of both. To this effect, most modern desktop firewalls will use signature based rules (so that a malicious program has to do more than just be named after a trusted program) to create a basic rule that allows that program outbound access. The ports are not being just "left open" willy nilly, they are connected to known programs and watched. Some firewall programs even watch for threadjacking malware that would inject itself directly into trusted programs, that gives even more protection.

The author of the article should reevaluate his or her knowledge of internet security. It is likely that the increasing ease of use has been interpreted as a drop in protection, but this is not the case. A secure system is one that uses a heterogeneous mix of disk and network protection.

Result of Fundamental Flaw

[JBHarris]

A fundamental concept in computing now-a-days is that software designers attempt to do as much thinking for the end user as possible. This is a generally good thing, as the easier/more-intuitive software is to use, the more people will use it. That point aside, this can be a negative thing as it keeps users from needing to understand what they are actually doing. Using computers NEEDS at least a basic understanding of what's going on.

I don't mean everyone should study the TCP/IP stack and fully grasp ports and such, but seriously....you can't just show someone what a car does & explain the controls and then expect them to be able to drive properly & safely. It takes training & study.

The same is true with computers. I'm not suggesting an 'internet license' or anything, but I would recommend that high school core classes at least provide the basics of the underlying fundamentals of computing. Until someone understands what those firewalls are for, they will never reach a truly useful state.

Brad

Which Six?

[140Mandak262Jamuna]

Could not find the list of the six software tested. Dont know if Zone Alarm was tested and found to be defective too. But I would be surprised. Everytime I update FireFox, Zone Alarm knows that the exe file has changed and alerts me to renew permission for it to connect to the internet.

No kidding... I've found them useless in practice

[RebornData]

The issue with most desktop software firewalls that attempt to control outbound connections is that they have no idea in advance what constitutes a valid program and what doesn't. So they ask the user, who in most cases is unable to answer the question. The only information typically provided is the executable name, and in many cases it's a generic one (like svchost.exe) that leaves even an experienced user without the ability to make an informed decision.

The problem is that this trains users to ignore the prompts and habitually click "allow" or "deny" (usually because they find out the hard way that stuff breaks when they click "deny"). The result is far worse than if there were no attempts to control outbound access, because most of these firewalls (Zonealarm in particular) use similar techniques for *inbound* traffic too... they will prompt the user when a program opens a listening port, and if they hit "allow" will enable global inbound traffic to that port, creating a hole that otherwise wouldn't have been there.

This happens regularly in practice- I've seen it over and over again with my small business consulting clients. Although technically an outbound software firewall with program control could be a good last-ditch effort to block malware that has managed to get installed and running, on a practical basis they cause more problems than they solve.

-R

Duh

[The MAZZTer]

Once malware is running on your PC you should assume it can do ANYTHING it wants, including disabing firewalls/antivirus, etc.

Heck, Windows Firewall has an API to allow programs to add themselves as exceptions (probably because if it didn't programmers would just use 100 different non-forward compatible methods to do it).

How about configuring the software first?

[brunokummel]

I haven't found on TFA , but then again i read it on a rush because my boss was in the room, but i guess they performed the test the way most regular users use a personal firewall.
This means press install, press next, next, next,next, OK and done I have my own personal protection!
If you take the time to tune the software firewall, i'm pretty sure you would have much better results.

And spam filters are not 100% effective...

[jbarr]

...and anti-virus scanners are not 100% effective. Given the continual cat-and-mouse game played by the white hats and the black hats, short of removing a PC completely from a network, there's little to completely, 100% guarantee security.

That said, many of the software personal firewalls ARE actually quite good. The people using them just need to understand the potential ramifications. Education of basic Internet security combined with good Web browsing and file handling practices can go a whole lot farthe

Virtual firewalls on virtual machines

[plankrwf]

Some of the problems with 'virtual firewalls' can be solved through real firewalls on ... virtual machines (i.e. Sieve at http://sievefirewall.sourceforge.net/ [sourceforge.net] or at http://www.vmware.com/vmtn/appliances/directory/24 5 [vmware.com])

If I want to block all outbound traffic

[Perl-Pusher]

I could always disconnect! That is the #1 problem with personal firewalls. If your computers is making connections you don't want, your problem is not the ability to make a connection. It's the program that is making those connections. If you have a problem with spyware / malware, do us all a favor and disconnect. A firewall is meant to be between your PC and the Internet, not on your PC. Personal firewalls aren't really firewalls, they are more like patches in a pool or tank, an attempt to fix something br

Winpooch

[jhfry]

This is why I run winpooch http://winpooch.free.fr/ [winpooch.free.fr]. It's not a firewall, but it does allow me to monitor my outgoing connections, and apply rules to them. For example, I can have it prompt me for every outbound, just announce when an outbound connection is established, or allow all outbound. Same thing with inbound. More complex rule sets are allowed as well.

It's not gonna save me from a worm itself, but it will tell me when I have a worm or rootkit making outbound connections.

And it allows me to use ClamWin to do on access scanning, tells me whenever an application tries to change the registry or system files, and provides a simple method to determine most of the potentially damaging processes running on my machine.

Best of all it's opensource.

Marketing

[Dachannien]

The problem isn't that personal firewalls are useless. Rather, they are being marketed for a purpose they are not equipped to perform properly.

I use a personal software firewall on all my Windows machines for two reasons: one, to prevent worms and such from getting a foothold on my machine, and two, to prevent phoning home of "non-malicious" software that has no real reason to be connecting out. I've run a bunch of programs over the years that attempt to connect to some remote machine for some unknown pu

Personal firewalls quite useful

[MobyDisk]

There are ways around personal firewalls, therefore personal firewalls are useless.

So says an article linked by an article linked by an article that I can't really read. Pardon me if I am not convinced.

I'm quite content with the personal firewall I have. It stops lots of outbound connections from applications that like to phone home. If there is an app on my system that searches for IE windows and uses them to surrepticiously send data out -- I'm already f*d. Fortunately, my firewall blocks IE so I'm not vulnerable to that one. (It could use Firefox though).

All of them?

[Penguinisto]

...guess they didn't test iptables or ipfilter (shrug).

/P

Biggest problem with personal firewalls

[totallygeek]

Okay, we are talking about Windows users: they will simply click 'Yes' to anything that pops up on the screen.

Better than nothing

[embracethenerdwithin]

I never assumed my software firewall was some amazing thing that kept me 100% safe. But I would still never want to surf without one. I don't care if it only protects against some attacks, it's definately better than none. I would rather be protected from a little than nothing.

My view has always been using a combination of things that help is th ebest idea. Using a router that has a hardware firewall + a software firewall + antivirue + a secure browser(firefox) is a decent way to keep safe. This won't stop everything, but it's better than surfing around with no protection. Also add not doing stupid things to that equation for maximum protection.

Trivial to Bypass

[ThinkFr33ly]

I always get a kick out of people who set their firewall to prompt on every attempt to access the net, especially when they're running as admin on their boxes.

Even without the user running as admin, it's fairly easy to create a program to bypass outgoing firewalls. Basically the trick is it piggypack your communications over an existing application that's trusted.

Nearly everybody is going to trust IE (or Firefox, or whatever browser) to access the network. All you have to do is figure out a way to use that program to do your communications for you.

I once wrote a proof of concept app (in VB no less!) that used IE to do exactly this. I setup a simple piece of server software that accepted requests via HTTP GETs and returned the response as base64 encoded text in an HTML body. When my app needed to access remote data I just used IE to request that data from the server and then base64 decoded it. I could have also done something like have the server software act as a proxy so I could request any remote data I wanted, even if it wasn't hosted by my server. It was trivial.

The best part was that *every* major outgoing firewall failed to detect this attempt, despite that fact they claim to be able to tell when one application is using another to piggyback communications. Perhaps it was the way the COM interface worked, I'm not sure... but it never failed and never prompted me to allow it to happen.

ISP's hate firewalls

[phorm]

I love how, whenever I go to my grandparents to fix their computer (after they've dealt with their ISP's tech support) the ethernet cable is always running straight to the PC and bypassing the router. It's hard enough to get average Joe to understand the usefulness of a hardware routing/firewall device, but when the ISP is actively having them bypass it I can see a software firewall being somewhat useful at times.

Incomplete is not always "useless"

[Beryllium Sphere(tm)]

An incomplete defense is useless in a chess game because your opponent will attack via the hole you left and you'll lose. If you're defending against ego-driven attackers or attackers who target you personally then it's appropriate to try for a security posture with no holes in it.

Mass-produced malware is usually not built for pride of workmanship. It is commercial software built to make money and is not a fraction better than it needs to be.

The right question to ask about effectiveness is what fraction of the spyware in circulation will be controlled by Zone Alarm and its kin. We accept a detection rate of 50-80% from antispyware programs. The threshold for a program like Zone Alarm should be higher because it has to be worth the hassles it causes, of course.

Those hassles are probably inevitable. If you try to control outgoing traffic you are trying to add a feature that should have been in the OS, namely a new permissions system. Turf wars with the OS and destabilization due to hooking deep APIs are certain to happen. Historically if you attempted to touch the Windows network stack (PGPNet, for example, and the Freedom software forced me into a wipe and reinstall) you broke it.

Outbound traffic controls are harder to subvert but less effective if you do them outside the client machine. How can a separate firewall box know whether a port is being opened by BitTorrent or by CoolWebSearch?

Idiotic article. Blame your tools.

[syousef]

This article basically says personal firewalls are useless because there are things they can't prevent. Recently I've seen someone argue antivirus software is useless because they aren't 100% accurate and won't catch all your virii. Okay well I have some screwdrivers at home. I want to put together a cupboard this evening. I'll only need the phillips head. Should I throw out the flathead since it won't do all my work for me? Moronic.

Yes, software firewalls have their problems. Yes, they do require some knowledge to use correctly (as does almost all software!)

Personally I use a hardware firewall for incoming, a software firewall for inbound, I do run as admin because Windows just isn't designed to be run well from an unprivlleged account. I use antivirus too though I do switch it off if my computer's going to be doing something CPU or disk intensive AND I'm not doing anything I consider risky.

Furthermore you can't test 6 bits of firewall software and extrapolate that they're all garbage from the sample.

Re:

[Akaihiryuu]

I used to work tech support for Verizon DSL (ick) and we saw problems with this all the time. People would have Mcafee installed and it would spontaneously decide to deny IE outbound access. (Now, customers using IE is a whole separate can of worms, but I don't feel like writing a novel so I won't go into that here...I "fixed" many computers by removing the IE shortcut from the desktop and installing Firefox.) The Mcafee issue happened frequently enough that I doubt it was something that the user misconf

Re:

[Penguinisto]

"Defeat that, muthafugga!"

Sure - just run this little, umm, 'booster' script:

--
!#/bin/sh
cat /dev/null > /etc/ipf.conf
ipf -Fa -f /etc/ipf.conf
wall "pwn3d!"
--

(...point is, if something bad is already in there, and it has the right perms, no firewall is going to save you. None.)

/P

Re:misleading headline

[dgatwood]

It also makes dynamic loading and unloading of device drivers impossible, which is why it doesn't make any sense for desktop system. Security can only be achieved through properly granting permission, not through outright avoiding granting permission. A scheme that is too restrictive will simply get turned off or worked around by the end users, and thus is not particularly useful, and indeed may actually be harmful to security because of developers making security assumptions that are no longer valid in such a situation.

Want to really improve security? Create multiple separate privilege sets in the kernel instead of a single "root". Make different executables setuid to a user with privilege sets that allow certain operations. Your kernel extension loader has sufficient privileges to load a kernel extension, but still can't write directly to kernel memory or listen on low numbered ports or access raw devices or bypass filesystem permissions. Your software that requires the ability to listen on low numbered ports doesn't get permission to bypass filesystem permissions or load kernel extensions. And so on.

Don't get me wrong, it's perfectly okay to have a "root" user, but no executable should ever be setuid root in such a scheme, and that root user should only be used for very limited administrative tasks.