[Dshield] it totally figures

Johannes Ullrich jullrich at euclidian.com
Mon Aug 26 02:08:01 GMT 2002

> "Some of the messages are just too cryptic."
> 4) For clarification:
>      a) Would you, please be kind enough to give, e.g. five examples of
> messages that are challenging to comprehend for the average user?

dont have a windows box in front of me right now (at 30k ft somewhere
between Boston and Dallas). But I remember messages like:
'The program krnl386.exe attempts to contact Should this
be allowed' .
 1 - What is 'krnl386.exe' ?
 2 - what is it trying to send / receive?

> "A common result is that after a while, people just get use to click 
> 'permit' ..."
>      a) What statistically reliable source does this information come
> from?

mostly observing relatives and friends. Also based on my own use of 
personal firewalls. 'all open' refers mostly to outbound connections,
which are in particular tricky to filter.

>      b) Or is it merely an opinion? 
not a statistically valid sample.

> "... and end up with an open box after all."
>      a) "Open box" in what sense?

see above. Of course, one important note is that they are usually not worse
off then without firewall. 

>      c) In my experience the fundamentals of a good firewall [be it
> software or hardware implemented] is the following:
>           i. It blocks by default all traffic.
>           ii. Only explicitly allowed traffic [or traffic type] is let
> thru.

The challenge is to explain to the user if traffic (inbound or outbound)
is 'harmless' or 'harmfull'. Very hard problem. You could almost say that
if the firewall could figure out what category a given packet falls into,
it would not require any user interaction but could make the 'block'
decision by itself.

One issue about 'deny by default': It is sometimes not desirable to do this
as it may interfere with critical business functions. Good security has to
support 'business rules' and in some cases accept reasonable risks... But
this is more of a philosophical issue. 'deny by default' is for sure the
safe and easy default setting, as the manufacturer of a mass market
product can not predict local business rules.

jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org

More information about the list mailing list