[Dshield] "Personal Firewalls" are mostly snake-oil

fkamp at attbi.com
Mon Jul 22 16:29:42 GMT 2002

This post is a priceless example of those in support of firewalls
squaring off against those who have doubts about firewalls (among other
things).  That is why I quoted it in its entirety.

Both positions seem to be based on the premise that firewalls prevent
fires.  Not so.  Good firewalls only contain fires.  That is true with
software firewalls as well as the brick and mortar type.

Users who need a GUI and autoinstall software to be computer 'literate'
will always suffer the largest security risks regardless of the software
or operating systems being used. Often the largest risk to security is
monitoring software purposely installed by the vendor's autoinstall, which
usually occurs without the user's knowledge.

Users would do well to heed the premise that in order to use a device
(software) without risking security, one has to be smarter than the
device (software) one is trying to use.

The majority of the software out there prevents users from attaining
that degree of smartness.  Why, even the people who develop that software
are not smarter than the stuff they are selling.  Look at all the
patches and revisions that are silently made available to users who
finally discover that something is not right.

The fact that most users are not capable of achieving the degree of
sophistication required to become 'smarter' than the software will
never justify current levels of non-disclosure by software vendors.

This appears to be true regardless of operating system or vendor. Heated
comparisons of Linux and Windows conducted by cult members of their
respective groups are not merely the pot calling the kettle black.  It
is more a case of the pot calling the pot black.

If a computer is being used for purposes that demand the highest
possible degree of security, don't connect that machine to the network
or the internet. You might also try refusing to 'accept candy' from

Frank Kamp

Stephane Grobety wrote:
> JS> The biggest issue is simply that "home users" are most often running
> JS> Window$, often running services that they are utterly unaware of (the
> JS> home Win 2K user running IIS without knowing it; viz: the ongoing
> JS> Code Red and Nimda epidemic continues almost unabated, one *year*
> JS> later..), and most "personal firewalls" follow the Window$ model of
> JS> hiding unpleasant details that require reading and thinking and
> JS> decision-making from the hapless consumer.
> Now, you're being completely unfair here. First, you can't expect the
> Joe Average to learn about IP services and the like. Home users are
> NOT specialists and, while most of them have enough sense to read and
> follow simple manuals, there is simply too much to know before you can
> configure a firewall properly.
> The Windows programs do a good enough job in that respect: they close
> every listening port and also stop outgoing connections except for a
> few critical services (DNS mostly). Now, this might not be good
> enough; perhaps the best would have been simply to close incoming
> ports, but it is enough to protect home users from the likes of Code
> Red, which is all you can expect from such software.
> JS> The biggest problem is that, just as with the Window$ model itself,
> JS> "personal firewalls" lock you into the same upgrade nose-ring that the
> JS> anti-virus companies are inflicting upon users: unless you keep up
> JS> with a relentless cycle of updates and latest-version purchases,
> JS> you're soon going to be SOL as new exploits come out.
> OK, tell me: what is "the Window$ model" you seem so critical about?
> JS> BTW: my "personal firewall"?
> JS> A home-built, single purpose firewall/router: an ASUS P55TP4N mobo
> JS> running a Pentium 150 MHz, 96 MB RAM; running Linux 2.2.14-5.0; ipchains
> JS> 1.3.9; snort 1.8.7 build 128; p0f 1.8.2; and Psionic's PortSentry and
> JS> LogCheck.
> Costing many times more than software, requiring knowledge of an OS
> that no home user will ever touch or upgrade. You are exactly like the
> mechanic who changes the brakes on his car for bigger ones while
> looking down on the "mundane" who can't do the same, accusing them of
> "not being aware of the basics of security".
> If the problem was that simple, there wouldn't BE a problem: buggy and
> unpatched software is a problem. Bad configuration (and that often
> comes from a system that is much too complex to configure and maintain)
> is even worse. Are "personal" firewalls good enough to keep a planned
> attack at bay? Probably not.
> But the point is that it's not because a solution is not "the best" or
> a perfect one that it's "snake oil". Personal FWs DO have an effect.
> They DO keep the random scans down and more often than not, they do
> succeed in protecting the user from some of his/her mistakes (like
> not knowing that IIS is running on his/her machine or turning on file
> sharing and giving "guest" full access to a share).
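An added illustration, not code from the thread or from any firewall product: a toy stateful host firewall implementing the policy Stephane describes (every listening port closed, outbound allowed only for DNS, replies accepted only for flows the host itself opened), run over a constructed packet trace. The addresses and the `Packet`/`PersonalFirewall` names are assumptions made for the example; the last packet shows the caveat he raises, that such a strict outbound policy also blocks the user's own web traffic.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the protected home PC
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

class PersonalFirewall:
    """Toy model of the policy the reply describes: unsolicited inbound is
    dropped (every listening port "closed"), outbound is dropped except a
    short allow-list (DNS), replies accepted only for flows this host opened."""

    def __init__(self, allow_out=frozenset({("udp", 53), ("tcp", 53)})):
        self.allow_out = allow_out
        self.flows = set()  # (proto, peer_ip, peer_port, local_port)

    def decide(self, p):
        if p.direction == "out":
            key = (p.proto, p.dst, p.dport, p.sport)
            if key in self.flows or (p.proto, p.dport) in self.allow_out:
                self.flows.add(key)  # remember it so the reply can come back
                return "ALLOW"
            return "DROP"
        # inbound: accepted only if it answers a flow this host opened
        return "ALLOW" if (p.proto, p.src, p.sport, p.dport) in self.flows else "DROP"

# Constructed trace (RFC 5737 documentation addresses, not real hosts): a
# Code Red-style probe to an IIS the user does not know is running; SMB to a
# share left open to "guest"; the user's DNS query and its reply; the user's
# browser opening a web site.
HOME, ATTACKER, RESOLVER, WEBSITE = "192.0.2.10", "198.51.100.7", "192.0.2.53", "203.0.113.80"
TRACE = [
    Packet("in", "tcp", ATTACKER, 31337, HOME, 80),
    Packet("in", "tcp", ATTACKER, 31338, HOME, 139),
    Packet("out", "udp", HOME, 4444, RESOLVER, 53),
    Packet("in", "udp", RESOLVER, 53, HOME, 4444),
    Packet("out", "tcp", HOME, 4445, WEBSITE, 80),
]

def run_trace(trace=TRACE):
    fw = PersonalFirewall()
    return [fw.decide(p) for p in trace]

if __name__ == "__main__":
    for p, verdict in zip(TRACE, run_trace()):
        print(f"{p.direction:>3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} {verdict}")
```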
