[Dshield] "Personal Firewalls" are mostly snake-oil

John Sage jsage at finchhaven.com
Mon Jul 22 15:54:32 GMT 2002

Stephane, et al:

On Mon, Jul 22, 2002 at 07:17:09AM +0200, Stephane Grobety wrote:
> JS> The biggest issue is simply that "home users" are most often running
> JS> Window$, often running services that they are utterly unaware of (the
> JS> home Win 2K user running IIS without knowing it; viz: the ongoing
> JS> Code Red and Nimda epidemic continues almost unabated, one *year*
> JS> later..), and most "personal firewalls" follow the Window$ model of
> JS> hiding unpleasant details that require reading and thinking and
> JS> decision-making from the hapless consumer.
> Now, you're being completely unfair here. First, you can't expect the
> Joe Average to learn about IP services and the like. Home users are
> NOT specialists and, while most of them have enough sense to read and
> follow simple manuals, there is simply too much to know before you can
> configure a firewall properly.

Again, the pandemic infestation of Code Red, Nimda, and Klez.* clearly
shows that the Internet is a far more subtle and vulnerable medium than
many (most?) are aware of.

That, combined with the proliferation of always-on/relatively high
speed Internet connections for home users pretty much proves that all
of us are exposed to potential threats far beyond those which existed,
say, five years ago.

My point is not that I demand that "home users" learn how to
hand-configure a firewall properly, but simply that we must
acknowledge that commercial, mass-market "firewalls" give more of an
illusion of security than a reality.

This is particularly true the more time that passes after a home user
first installs a "personal firewall".

Face it: securing an always-on, high speed Internet connection takes
some actual study and labor, beyond just going down to CompUSA or
Fry's (sorry: inappropriately Americanized focus, but there you have
it..) and purchasing what just got a hot review in PC Magazine.

And face it: there probably should be a higher level of responsibility
demanded of people who connect an always-on/high speed computer to the

Not that that will ever happen..

> The windows programs do a good enough job in that respect: they close
> every listening port and also stop outgoing connections except for a
> few critical services (DNS mostly). Now, this might not be good
> enough, perhaps the best would have been simply to close incoming
> ports, but it is enough to protect home users from the likes of Code
> Red, which is all you can expect from such software.
> JS> The biggest problem is that, just as with the Window$ model itself,
> JS> "personal firewalls" lock you into the same upgrade nose-ring that the
> JS> anti-virus companies are inflicting upon users: unless you keep up
> JS> with a relentless cycle of updates and latest-version purchases,
> JS> you're soon going to be SOL as new exploits come out.
> Ok tell me: what is "the window$ model" you seem so critical about?

The "Window$ model" (or more correctly the Micro$oft model) is a
neverending cycle of upgrades and patches and service packs that are
necessary to keep a security system up-to-date.

All this becomes so much work that I suspect the casual user stops
performing the upgrades, or never bothers in the first place.

Then we get such nightmares as "remote upgrades" and the like: your
computer is being altered without your knowledge, as an unconscious act
of faith on your part that someone somewhere knows what you need on
your computer and will go ahead and put it there, without your

(The EULA for one of these recent gems, from Micro$oft itself (no
surprise there..) actually states that it may disable other software
on your computer, legitimately purchased and installed or not, that
the upgrade feels is contradictory to its own benefit.  See:


"You agree that in order to protect the integrity of content and
software protected by digital rights management ('Secure Content'),
Microsoft may provide security related updates to the OS Components
that will be automatically downloaded onto your computer. These
security related updates may disable your ability to copy and/or play
Secure Content and use other software on your computer. If we provide
such a security update, we will use reasonable efforts to post notices
on a web site explaining the update." )

This was packed into security updates for Window$ Media Player...

> JS> BTW: my "personal firewall"?
> JS> A home-built, single purpose firewall/router: an ASUS P55TP4N mobo
> JS> running a Pentium 150mhz, 96Mb RAM; running Linux 2.2.14-5.0; ipchains
> JS> 1.3.9; snort 1.8.7 build 128; p0f 1.8.2; and Psionic's PortSentry and
> JS> LogCheck.
> Costing many times more than a software, requiring knowledge of an OS
> that no home user will ever touch or upgrade. You are exactly like the
> mechanic that changes the brakes on his car for bigger ones while
> looking down on "mundane" who can't do the same, taxing them of "not
> being aware of the basic of security".

I don't really "look down" on home users so much as I become even more
uneasy, considering how little even *I* know :-/

As for "costing many times more than.." all five of the computers I
built and maintain probably cost little more all together than the
hardware and software that one typical home user spends his/her
hard-earned income on for one system.

> If the problem was that simple, there wouldn't BE a problem: Buggy and
> unpatched software is a problem. Bad configuration (and that often
> comes from much too complex to configure and maintain system) is even
> worse. Are "personal" firewalls good enough to keep a planned attack at
> bay? Probably not.
> But the point is that it's not because a solution is not "the best" or
> a perfect one that it's "snake oil". Personal FW DO have an effect.
> They DO keep the random scan down and more often than not, they do
> succeed in protecting the user from some of his/her mistakes (like
> not knowing that IIS is running on his/her machine or turning on file
> sharing and giving "guest" full access to a share).
> Good luck,
> Stephane

/* sigh */

I guess it's just mildly disturbing to think that the best approach to
Internet security is just to wall one's self off from all the
thousands who don't...

- John
"Obviously, we do not want to leave zombies around."

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 
