[Dshield] "Personal Firewalls" are mostly snake-oil

Russell Washington russ.washington at vaultsentry.com
Mon Jul 22 18:14:11 GMT 2002

On that note, whether Linux, M$, CheckPoint, NetScreen, Cisco, or some other
firewall-ish-thing, I have yet to see one that doesn't have to evolve and
change in order to deal with security threats (usually more often than any
actual patches or upgrades are released).  The only real difference I see is
that when the product is "user-friendly" you are usually boxed into a
vulnerability until a patch is released, as opposed to being able to get
into the danged thing and do something about it yourself.  That issue,
however, is a separate discussion.

From that same standpoint, since we're talking about firewalls rather than
OSes, the M$ vs Linux vs CP/M stuff is tangential to the convo, methinks...
even if worthy of discussion elsewhere (heh).  Within the FW discussion, I
think that the described arrogance and self-delusion (in this case, of the
average end user with respect to security products and concerns) are the
real issues that sit in the middle of what the experienced/learned security
crew has to say about products like Zone Alarm when in the hands of those
who it's actually marketed to.

Something about the inevitability of failure when trying to solve "people
problems" via technological solutions is dancing in my head. :)

To answer the original poster (Kevin G?) who inadvertently kicked up this
dust storm, no, Zone Alarm isn't a waste of your time per se, but it
probably isn't what most have been led to believe it is either.  Take a
gander at http://grc.com/dos/grcdos.htm towards the end, where the author
discusses behavior of a pair of personal firewalls with regard to a SubSeven
trojan.  One FW detects connection attempts and asks the user if it's ok to
accept the connection.  Better than nothing, but once you hit OK like
Joe-no-know user, the bad guy is in.  The other FW let it through carte
blanche.  The URL is kind of old and may be out of date, but you'll get the
implicit point:  the only perspective that matters on a firewall product is
one that is well-thought-out and well-informed.

-----Original Message-----
From: Young, David [mailto:dyoung at intecs.com] 
Sent: Monday, July 22, 2002 10:20 AM
To: list at dshield.org
Subject: Re: [Dshield] "Personal Firewalls" are mostly snake-oil

>> JS> The biggest problem is that, just as with the Window$ model 
>> JS> itself, "personal firewalls" lock you into the same upgrade 
>> JS> nose-ring that
>> JS> anti-virus companies are inflicting upon users: unless you keep 
>> JS> up with a relentless cycle of updates and latest-version 
>> JS> purchases, you're soon going to be SOL as new exploits come out.
>> Ok tell me: what is "the window$ model" you seem so critical about?

>The "Window$ model" (or more correctly the Micro$oft model) is a 
>neverending cycle of upgrades and patches and service packs that are 
>necessary to keep a security system up-to-date.

As opposed to that clean, straightforward, uncomplicated model used by the
Baskin-Robbins 33 flavors of Linux?  From my chair, this is a MUCH larger
issue than what O/S is running. Life is hard. Maintaining security on ANY
system that's connected to the net, open source or otherwise, is tedious,
time-consuming and RISKY. I anticipate some will argue that running certain
O/S's requires by nature a greater level of expertise. I would ask those
individuals to examine how they GOT that expertise. It's not like there's a
background process running that pops up after the nth iteration of IPChains
config and tells the user "You're now smart enough to connect to the
Internet". My point: Arrogance and self-delusion are not strictly limited to
Micro$oft users. The scope is significantly larger. I submit it's time for
the camps to declare the "mine's better" argument resolved.  


Dshield mailing list
Dshield at dshield.org