[Dshield] "Personal Firewalls" are mostly snake-oil

Johannes Ullrich jullrich at sans.org
Mon Jul 22 16:31:06 GMT 2002

Let me dive into the (shark) pool here ;-)

I think personal firewalls are useful and necessary for home
users. They do provide a decent extra layer of security.
However, they are not a magic bullet. 

Personal firewalls are most effective if safe computing
rules are applied as well. In my opinion, these rules are:

- don't install software from untrusted software.
- don't enable any services, and if you know how to, disable
  any unneeded services.
- use a virus scanner.
- keep your software up to date.
- don't click on e-mail attachments.

I think these rules (and a personal firewall) will enable a
home user to stay secure and provide sufficient depth to allow
for the failure of one of the components. They should also be
easy enough to obey.

For a home user, it is most important to keep it simple.
A badly configured enterprise class firewall is worse than
a personal firewall in default configuration. Sure, a personal
firewall is not necessary if you obey the other rules, but
it is required to provide the necessary depth as it is all too
easy for one of the other components to fail.

Sure, I would like nothing more than every home user taking
plenty of SANS courses and getting GIAC certified. But I have
no illusions that this will not happen. I also believe strongly
that the only way to convince users to follow basic security
practices is to make them understand that security enables them
to use the Internet securely. It does not prevent them from
getting work done efficiently.

jullrich at sans.org             Collaborative Intrusion Detection
                                    join http://www.dshield.org