[Dshield] "Personal Firewalls" are mostly snake-oil

Stephane Grobety security at admin.fulgan.com
Mon Jul 22 05:17:09 GMT 2002

JS> The biggest issue is simply that "home users" are most often running
JS> Window$, often running services that they are utterly unaware of (the
JS> home Win 2K user running IIS without knowing it; viz: the ongoing
JS> Code Red and Nimda epidemic continues almost unabated, one *year*
JS> later..), and most "personal firewalls" follow the Window$ model of
JS> hiding unpleasant details that require reading and thinking and
JS> decision-making from the hapless consumer.

Now, you're being completely unfair here. First, you can't expect the
Joe Average to learn about IP services and the like. Home users are
NOT specialists and, while most of them have enough sense to read and
follow simple manuals, there is simply too much to know before you can
configure a firewall properly.

The Windows programs do a good enough job in that respect: they close
every listening port and also stop outgoing connections except for a
few critical services (DNS mostly). Now, this might not be good
enough, perhaps the best would have been simply to close incoming
ports, but it is enough to protect home users from the likes of Code
Red, which is all you can expect from such software.

JS> The biggest problem is that, just as with the Window$ model itself,
JS> "personal firewalls" lock you into the same upgrade nose-ring that the
JS> anti-virus companies are inflicting upon users: unless you keep up
JS> with a relentless cycle of updates and latest-version purchases,
JS> you're soon going to be SOL as new exploits come out.

OK, tell me: what is "the Window$ model" you seem so critical about?

JS> BTW: my "personal firewall"?

JS> A home-built, single purpose firewall/router: an ASUS P55TP4N mobo
JS> running a Pentium 150mhz, 96Mb RAM; running Linux 2.2.14-5.0; ipchains
JS> 1.3.9; snort 1.8.7 build 128; p0f 1.8.2; and Psionic's PortSentry and
JS> LogCheck.

Costing many times more than software, requiring knowledge of an OS
that no home user will ever touch or upgrade. You are exactly like the
mechanic who changes the brakes on his car for bigger ones while
looking down on the "mundane" who can't do the same, accusing them of "not
being aware of the basics of security".

If the problem was that simple, there wouldn't BE a problem: buggy and
unpatched software is a problem. Bad configuration (and that often
comes from a system that is much too complex to configure and maintain) is even
worse. Are "personal" firewalls good enough to keep a planned attack at
bay? Probably not.

But the point is that it's not because a solution is not "the best" or
a perfect one that it's "snake oil". Personal FWs DO have an effect.
They DO keep the random scans down and, more often than not, they do
succeed in protecting the user from some of his/her mistakes (like
not knowing that IIS is running on his/her machine, or turning on file
sharing and giving "guest" full access to a share).

Good luck,

Best regards,
 Stephane                            mailto:security at admin.fulgan.com
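As an added example, not part of the original post nor of any product it discusses, the following Python model contrasts the two host-firewall policies the post describes: closing every incoming port only, versus also blocking new outgoing connections except a few services (DNS). The packet fields, the allowed-service set and the sample traffic are constructed assumptions; real products track connection state in far more detail than this toy.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet as a host firewall sees it (constructed, simplified)."""
    direction: str        # "in" = arriving from the network, "out" = leaving the host
    proto: str            # "tcp" or "udp"
    dport: int            # destination port
    new_connection: bool  # True for a TCP SYN or first UDP datagram; False for reply traffic


# Outgoing services the restrictive model still permits: DNS, as the post says.
# Assumption for this example; real products maintain their own lists.
ALLOWED_OUTBOUND = {("udp", 53), ("tcp", 53)}


def inbound_only_policy(pkt: Packet) -> str:
    """Model 1: close every incoming port, let anything outbound through.
    Reply traffic to connections the host itself opened is accepted."""
    if pkt.direction == "in" and pkt.new_connection:
        return "DROP"
    return "ACCEPT"


def restrictive_policy(pkt: Packet) -> str:
    """Model 2: close incoming ports AND block new outgoing connections
    except the few services listed in ALLOWED_OUTBOUND."""
    if pkt.direction == "in" and pkt.new_connection:
        return "DROP"
    if (pkt.direction == "out" and pkt.new_connection
            and (pkt.proto, pkt.dport) not in ALLOWED_OUTBOUND):
        return "DROP"
    return "ACCEPT"


# Constructed sample traffic, labelled by what it represents.
SAMPLE_TRAFFIC = [
    ("worm probe to a web server the user never knew was running", Packet("in", "tcp", 80, True)),
    ("internet host trying the guest file share",                   Packet("in", "tcp", 139, True)),
    ("reply to a page the user's browser requested",                 Packet("in", "tcp", 49152, False)),
    ("DNS lookup by the resolver",                                   Packet("out", "udp", 53, True)),
    ("browser opening a web page",                                   Packet("out", "tcp", 80, True)),
]


def evaluate(policy, traffic=SAMPLE_TRAFFIC) -> dict:
    """Run every sample packet through a policy; returns {label: verdict}."""
    return {label: policy(pkt) for label, pkt in traffic}


if __name__ == "__main__":
    for name, policy in (("inbound-only", inbound_only_policy),
                         ("restrictive", restrictive_policy)):
        print(f"== {name} ==")
        for label, verdict in evaluate(policy).items():
            print(f"  {verdict:<6} {label}")
```

Both policies drop the unsolicited probe to the forgotten web server and the attempt on the file share, which is the protection the post credits personal firewalls with. The difference shows up on the last sample: the restrictive model also drops the user's own outgoing web request, which is why the post suggests that closing incoming ports alone might have been the better default.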
