[Dshield] "Personal Firewalls" are mostly snake-oil?

Peter Stendahl-Juvonen peter.stendahl-juvonen at welho.com
Tue Jul 23 20:26:11 GMT 2002

Keith, Jens, John S., Richard, Stephane, Russell, Johannes, Frank, John
H., David, “Mrcorp”, Michael, Erik, “ddrass”, Gene, Francesco, Mark, et
Thank you for the interesting opinions served “on and off the subject”
via this forum.
In this e-mail I will
1) comment on some opinions and ask questions in the hope of getting
constructive answers
2) present my solution for consideration
3) provide excerpts of independent research by a third party
4) list an alternative hardware solution for consideration
5) try to respond to the original issue raised by Keith (the answer being
also all over this e-mail)
To Keith: Thank you for initiating an interesting series of e-mailings
and interesting opinions. Please find my response to you at the very end
of this message.
To Johannes: [“Sure, I would like nothing more than every home user
taking plenty of SANS courses and getting GIAC certified. But I have no
illusions that this will not happen.”]
I suppose the word “not” is excessive in your last sentence. Perhaps
your subconscious took control when writing that down expressing your
sincere, inner wish.
You make excellent recommendations contributing to safe computing. I
could not agree more. Please consider adding “malicious code detection
and removal tool” to the list of requirements. In today’s reality it
should be business as usual. By “malicious code detection and removal
tool” I mean a tool that not only detects and removes malicious code
residing on disk files but also stops malicious code from execution.
To Frank: [The majority of the software out there prevents users from
attaining that degree of smartness.  Why even the people who develop
that software are not smarter than the stuff they are selling.  Look at
all the patches and revisions that are silently made available to users
who finally discover that something is not right.] I find this a
rough generalization. It’s a false claim in all respects regarding my
To Jens: I agree on all but one thing, i.e. [But: Firewalls do NOT
protect from remotely exploitable bugs in your software. So, if you have
(for example) a vulnerable IIS, a remote attacker can still gain access
to your system, and possibly compromise it despite your firewall.]
On workstations a software firewall will
1) Prevent remotely exploitable bugs from entering your system - unless
you allow them to do so
2) Stop remotely exploitable bugs from “calling home”.
As for IIS, please consider other alternatives, i.e. safer products.
Also bear in mind “Defense in Depth”. You need several layers of defense
protecting you from different threats but the several layers should
preferably overlap.
To John H.: [...unfortunately these are largely the same users who have
been conditioned to click [OK] to get the damned distracting dialog box
off the screen without reading and thinking about what it's asking. This
may greatly hamper the effectiveness of personal firewalls on the
Windows platform - they detect unsafe traffic, but the user tells them
to permit the traffic just to get them to shut up.]
What would your recommendation be instead?
To Russell: [To answer the original poster (Kevin G?) who inadvertently
kicked up this dust storm, no, Zone Alarm isn't a waste of your time per
se, but it probably isn't what most have been led to believe it is
either.  Take a gander at http://grc.com/dos/grcdos.htm towards the end,
where the author discusses behavior of a pair of personal firewalls with
regard to a SubSeven trojan.  One FW detects connection attempts and
asks the user if it's ok to accept the connection.  Better than nothing,
but once you hit OK like
Joe-no-know user, the bad guy is in.  The other FW let it through carte
blanche.  The URL is kind of old and may be out of date, but you'll get
the implicit point:  the only perspective that matters on a firewall
product is one that is well-thought-out and well-informed.]
1) This is an interesting interpretation of Steve Gibson’s research and
2) Do not let malicious code in. If malicious code gets in, detect and
destroy it.
To: “ddrass” – Another add-on product to consider: VisualZone from
Visualize Software. It’s Freeware but recommendable.
[If you're looking for better protection, look for a hardware solution
that offers "stateful packet inspection". A cheap but decent product is
SonicWall. I use the XPRS2. Cheap but good.]
To whom are you recommending this box, which costs 1,795 $ and has been
replaced by the current product “Sonic WALL PRO 100”?
To Gene: [Now here's where _I_ beg to differ.  I'm currently running a
486 DX2/80 system with 32 megs of RAM and a 2.4 Gig HDD as my
firewall/NAT machine.  The OS is Red Hat 6.2 which cost me nothing but
the time to d/l it and burn it to CD.  The cost of the machine was
exactly nothing since it was given to me.  Total cost thus far: 40 cents
for the CD's.  I don't know about you but I sure can't purchase Norton's
Personal Firewall for 40 cents.  Nor can I purchase Zone Alarm Pro for
that price.  Nor any other piece of commercial firewall software.]
You can get the best “free” software firewall, i.e. ZoneAlarm(r)
[standard, non-Pro version] for 40 cents less. You also save on your
electricity bill this way, in addition to which it is greener.
To Mark: [Well I did a practical test .......  I installed Tiny Personal
Firewall on my girlfriend's win2k machine, explained what the options
meant and why you should use em. Now she aint dumb, but after a couple
of days of listening to occasionally outraged howls I checked the
configuration.....  essentially it was "allow all from any to any". When
I asked her why, she said "it was just too annoying having to decide
from which machine to which and sometimes you had to allow any and
sometimes not so it was just easier......."
Until the default installs and actual practices of these products get
smarter they will remain at best, of limited use. 
p.s this aint a windows issue..... I have seen the same phenomenon on
unix based firewalls as well.]
It would be interesting to read why you chose Tiny Personal Firewall
instead of, e.g. ZoneAlarm(r)?
Please see what Steve Gibson has to say about the subject (also in wider
context further below):
“If you consider yourself more "technically oriented" that you would
enjoy messing around with firewall rules, ports, protocols, etc. (as I
do), TPFW might be the best choice for you. But if you just want
top-grade protection without making a career of it, and if you're
running a single-processor machine, ZoneAlarm's rule-free system is
probably the better choice for you.”
To Francesco: [The debate besides the P.F. should also cover another
aspect I haven't -yet- seen here:
who is willing to include in his laptop's carrying bag the smallest
Cisco/Checkpoint/anyone else's firewall?
Assuming that such PCs  may also need to be protected in order to avoid
intrusion and whatever else when they are on the road or at home (but
not behind a FW) what is suggested here to use? Is nothing better than a
P.F.? is any other hardware device available better than a P.F. for a
mobile user? Who's willing to let tens of millions of users let alone
without a P.F. but possibly connecting back to a corporate (or
university) network sometimes?]
Excellent point.
For the time being I would suggest relying on a software firewall, e.g.
ZoneAlarm(r) or ZoneAlarm(r) Pro from Zone Labs, Inc. I anticipate that
in the future we will see integrated [optional] hardware firewalls for
both laptops and desktops/mini towers.
I have not personally had the opportunity to do thorough testing on
Hardware Firewall solutions vs. Personal Software Firewalls. However,
thorough testing of Personal SW Firewalls has been conducted by at least
one competent and independent third party, i.e. by Steve Gibson, Gibson
Research Corporation. I made my personal choice of solution some nine
months ago based on the research performed by the meritorious Steve
Since the challenge that I faced at that time was to protect a
standalone personal computer only, I came to the conclusion that a
personal software firewall is the most applicable solution for the
evident points brought up by Steve Gibson’s research on the subject.
So I started with the flagship of free software firewalls, downloaded
and installed Zone Labs, Inc.’s ZoneAlarm(r) – the free of charge
version of the product for internal use, home computing. Everyone
involved was pleased with the solution. The price performance ratio of
the solution was excellent.
However, the product was only used for about one month for the following
reasons. I wanted to strengthen the protection as well as increase
control and was prepared to pay for it. Knowing that version three was
about to be announced, and that it would most likely have an impact on
the price of the non-free version of the product, I decided to make my
move in December, 2001 for the 29.95 $ price - two bundled products
offer (ZoneAlarm(r) Pro and another product). Now I use the current
version 3.0.133, and have another 162 days left of product support
service included in original price as well as including possible new
releases. ZAPro 3.0 costs today some 50 $, but can be acquired for less.
I am happy with this solution. Naturally I do not rely on this software
firewall flagship product solely but follow what was originally
documented as a “Defense in Depth” method (in the Art of War by Niccolò
Machiavelli, 1494-1527) I would suppose. For evident reasons I won’t go
into the details of my all [other] defenses - not even quantifying the
number of them. What can be said though: At the moment I rely on two
other flagship products as well for viral and other malicious code
detection and removal.
In ZAPro I value the ease-of-use interface, robust three engine design,
stealth mode operation (for both the Internet and the so called Trusted
Network), and component level access control for outgoing traffic (on
*.acm, *.cnv, *.cpl, *.dll, *.drv, *.ftl, *.ocx, *.qtx level). In my
experience configurability and setup match and even exceed individual
needs and all requirements. (With the exception of dual processor
support that ZAPro lacks.)
Having glanced an eye over the following again I would still go for the
same solution. When I want to have more than one computer connected to
the Internet I will most likely invest additionally in products like,
e.g. D-Link Express EtherNetwork 4-port Ethernet Broadband Router
[DI-604] or equivalent at that time.
Acknowledging the fact that we seldom if ever change our opinions,
please find below citations from “Internet Connection Security for
Windows Users” by Steve Gibson, Gibson Research Corporation
[http://grc.com/lt/scoreboard.htm], and other quotations from documents /
Web pages referred to by him.
Personal Firewall Scoreboard
The following information has been gathered by the combined effort of
many terrific contributors to the grc.leaktest newsgroup. If you have
experience with other personal software firewalls we hope you will share
your experiences, or if your findings are different from those shown
below, please come over to the grc.leaktest newsgroup and add your
Security is a constantly moving target and a never ending challenge.
Therefore, the following results are expected to be accurate only for
the first version 1.0 of LeakTest. In other words, the following
firewalls are "Leak-Proof" ONLY relative to their behavior with version
1.0 of LeakTest. When version 2.0 is created it is likely that these
results will change.
Firewall                    Considerations, versions, etc.
McAfee Firewall             v 2.15+  — Update to get version 2.15 or later
Sygate Personal FW (FREE)   v 4.0+   — FREE for personal use!
Symantec / Norton           v 2.55+  — LiveUpdate to get version 2.55
Tiny Personal FW (FREE)     v 2.0.7+ — FREE for personal use!
ZoneAlarm (FREE)            Never Leaked
ZoneAlarm Pro               Never Leaked
Tiny Personal Firewall — A terrific FREE Firewall: For some reason I was
unable to get TPFW to work on my main dual-processor Windows 2000
workstation. I wanted to use it since it is fully multi-processor
compatible and ZoneAlarm is not. It operated correctly under Windows
98SE on a test machine, but it didn't like something about my main
dual-processor, dual-NIC, multi-IP, multi-display system. <<grin>>
If Tiny's firewall works on your system, and if you so consider yourself
more "technically oriented" that you would enjoy messing around with
firewall rules, ports, protocols, etc. (as I do), TPFW might be the best
choice for you. But if you just want top-grade protection without making
a career of it, and if you're running a single-processor machine,
ZoneAlarm's rule-free system is probably the better choice for you.
You can grab a copy of TPFW from CNET's Downloads site here:
www.downloads.com, where Tiny Software suggests you go to grab your free
copy. If you read the comments being left by people it is clear that
TPFW2 is working very well for the majority of sane posters. It is a
nice and secure firewall.
Firewall                    Considerations, versions, etc.
PC-Viper                    v 3.1.6+ — Doesn't Leak, but seems "unfinished" (see below).
 PC-Viper v 3.1.6 — In a class by itself: PC Viper has the distinction
of being the first "fixed" firewall which initially failed the version
1.0 LeakTest. Just so we're clear: PC Viper version 3.1.6 passes all
aspects of the v1.0 LeakTests. Although Source Velocity's current
solution undeniably works, the current implementation has a few quirks
and odd behaviors which bear noting:  All application connection
attempts are initially immediately denied rather than being "suspended"
pending the receipt of the user's permission. As with the original
Sygate solution, this may force the user to restart or re-initiate
whatever work the denied connection was attempting to perform. Other
personal firewalls are able to "pend" the application's access request
while the user decides how to reply. 
 The version 3.1.6 user-interface apparently needs some updating, since
there is no visible provision (that I could find) for viewing the
current set of "Internet enabled" applications. All other
application-blocking firewalls allow the user to see and edit which
applications have been granted and/or denied access. 
 And speaking of being denied access, the current version apparently
does not record and store the user's application denial responses at
all. This means that every time an application, that you want to deny
Internet access, attempts to access the Internet, you'll be forced to
reply "no" again and again. 
As a result of these implementation quirks, while I certainly want to
acknowledge PC Viper's quick response to the application masquerading
vulnerability, I hope that they intend to flesh out this "patch" into a
full-function solution sporting a complete user-interface.
At the moment, PC-Viper falls short and I could not bring myself to
group it in with the much more correctly working and "finished feeling"
firewalls above. 
Firewall              Trivial EXPLOITS   Masquerade VULNERABLE
AtGuard               None Known         YES (in same directory)
BlackICE Defender     Doesn't block unknown Trojans, Viruses, or Spyware
Conseal Desktop       None Known         YES (in any directory)
Conseal PC FW         No Provision to block Trojans, Viruses, or Spyware
eSafe Desktop         YES (stealth)      YES (in any directory)
PrivateFirewall 2.0   None Known         YES (in same directory)
Lockdown 2000         No Provision to block Trojans, Viruses, or Spyware
 WRQ has asked me to point out that AtGuard was discontinued in 1999. I
included it here for reference and comparison because so many people are
continuing to use this otherwise excellent firewall. 
 Aladdin's eSafe Desktop has an extremely worrisome characteristic: A
simple variation in any application's Internet communications approach
renders the firewall completely transparent and allows any malicious
software to pass though this firewall and gain unrestricted access to
the Internet. This can be easily demonstrated by activating LeakTest's
"Stealth" mode.
Also, when an application is "denied access" there is no provision for
remembering that access should be blocked for that application. The user
will therefore be asked every time the application attempts to use the
Masquerade Vulnerability:
Please see the previous page for a discussion and explanation of the
executable file masquerading vulnerability suffered by many current
Accuracy of these Findings:
The information contained in the table and text above is believed to be
accurate and representative of the current release version of all
products discussed. We will entertain any and all factual rebuttals and
will work to maintain this page so that it continues to accurately
reflect the current state of the personal firewall marketplace.
Hardware Firewalls/NAT Routers [http://grc.com/lt/hardware.htm]

External firewall and NAT router appliances (like our favorite Linksys
<http://www.linksys.com/products/product.asp?prid=20&grid=5> Broadband
EtherFast Cable/DSL Router) provide excellent "natural protection" from
external intrusion hacking. For systems where a NAT router makes sense
(i.e. multiple machines sharing a single Internet connection) we highly
recommend the use of a good NAT router. We prefer the Linksys due to its
stability, ease of use, and rapidly expanding feature-set in response to
marketplace demands.
However, no hardware of any sort, running outside of a computer, can
possibly provide comprehensive protection against the very real dangers
from the internal extrusion of your personal and private information. 
The access rights of INDIVIDUAL applications can ONLY be managed and
controlled through the action of some form of "agent" able to watch from
INSIDE the computer.
The HOT setup . . .
My specific recommendations are, of course, subject to moment-to-moment
change and reconsideration in this highly dynamic Internet security
market. However, today — as for the past six months — there is no better
and more secure solution than running a single, external,
<http://www.linksys.com/products/product.asp?prid=20&grid=5> Linksys NAT
router — providing redundant external intrusion protection — coupled
with copies of the FREE ZoneAlarm firewall — providing the PC industry's
most comprehensive internal extrusion management.

(Note: The money you save by running the free ZoneAlarm firewall
on multiple computers more than pays for a Linksys router!)

We note that this solution does not offer the additional features of
parental control, advertising, and cookie blocking offered by, for
example, Symantec's NIS product line, but Symantec's solutions are not
free, and they all currently fail to provide comprehensive internal
extrusion protection.
D-Link Express EtherNetwork 4-port Ethernet Broadband Router
 Author: Joseph Moran
 Review Date: 7/17/2002
The D-Link DI-604 packs a lot of features into its diminutive chassis.
It would have a lot going for it even at twice its price, but at less
than $50, it's practically a no-brainer. I doubt you could find a more
complete residential broadband router even if you were willing to spend
more, but really, why should you? 
Unless you need major integrated features that the DI-604 lacks, (like a
print server, modem backup, or wireless LAN) you won't need to look much
further than this D-Link router.
Recommended by Smitty on 7/21/2002
BOTTOM LINE: A lot of features for the price.
REALITY vs. EXPECTATIONS: much better than I expected.
DETAILS: I have been using WinRoute as my router for 2 years now. I
decided to start looking for a full featured router that wasn't too
expensive. I picked this di-604 up at Best Buy for 19.99, unbelievable.
This router has a lot more features than it should for the price. My only
complaint is the switch is a little slow compared to my Linksys. Had to
turn off the VPN, it was lowering my RWIN to 8192 which was causing very
slow internet access. GREAT PRODUCT!  
Finally To Keith: Congratulations for acquiring the flagship product of
all software firewalls on the market. It gives you significant means to
strengthen the protection of your system.
However, to improve your overall safety I would recommend at least
another two flagship products. Please consider Symantec’s “Norton
AntiVirus(tm) 2002” and “PestPatrol” from PestPatrol, Inc for the
protection against viral and other types of malicious code.
These three solutions together meet minimum requirements according to my
As for O/S and file system my recommendation would be: Microsoft(r)
Windows(r) 2000 Professional and NTFS assuming them to be suitable for
your platform.
This way you have a reliable, stable, robust operating system and a safe
file system empowering powerful features plus the minimum of defense
Best Wishes,
Peter Stendahl-Juvonen
The best defense is attack! Attack people with your peace, with your
love, with your silence, with your joy - that's the best defense, and
that is a great service to the humanity too. -Osho Rajneesh
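The scoreboard's "Masquerade" column and Gibson's point that per-application access rights can only be enforced by an "agent" inside the computer both come down to one question: how does that agent decide which program is asking to go out? The Python model below is added here as an illustration; it is not code from this thread, from Gibson Research, or from any of the firewall vendors named above. It contrasts a policy that trusts the executable's file name alone (which a renamed binary satisfies) with one that binds the name to a SHA-256 digest of the image and remembers the user's answer, allow or deny, so the same program is not asked about again (the behaviour the PC-Viper notes above say was missing). The executable images, paths and the always-deny user callback are constructed sample data.

```python
import hashlib
import ntpath
from typing import Callable, Dict, Tuple

# Constructed sample "executable images" (placeholders, not real binaries).
GENUINE_BROWSER = b"MZ\x90\x00 constructed browser image, build 1"
IMPOSTOR_IMAGE = b"MZ\x90\x00 constructed unknown program"


def image_digest(image: bytes) -> str:
    """SHA-256 of the executable bytes: the program's identity for the agent."""
    return hashlib.sha256(image).hexdigest()


def exe_name(path: str) -> str:
    """Case-folded base name of a Windows path (ntpath, so it works on any OS)."""
    return ntpath.basename(path).lower()


class NameOnlyPolicy:
    """Naive egress policy: a program is identified by its file name alone."""

    def __init__(self, allowed_names):
        self.allowed_names = {n.lower() for n in allowed_names}

    def permits(self, path: str, image: bytes) -> bool:
        # The image bytes are never examined, so any file carrying a trusted
        # name is let out; this is the masquerade the scoreboard flags.
        return exe_name(path) in self.allowed_names


class HashBoundPolicy:
    """Egress policy keyed on (file name, image hash) that remembers answers."""

    def __init__(self):
        self.decisions: Dict[Tuple[str, str], bool] = {}  # key -> allowed?
        self.prompts = 0  # how many times the user had to be asked

    def preapprove(self, path: str, image: bytes) -> None:
        self.decisions[(exe_name(path), image_digest(image))] = True

    def permits(self, path: str, image: bytes, ask: Callable[[str], bool]) -> bool:
        key = (exe_name(path), image_digest(image))
        if key in self.decisions:
            return self.decisions[key]
        # Unknown (name, hash) pair: a renamed or modified program lands here
        # even when its name matches a trusted entry, so the user is consulted
        # once, and the answer (deny included) is stored for next time.
        self.prompts += 1
        answer = ask(key[0])
        self.decisions[key] = answer
        return answer


def run_demo() -> Dict[str, object]:
    """Exercise both policies on the genuine browser and a renamed impostor."""
    browser_path = r"C:\Program Files\Browser\browser.exe"  # constructed path
    impostor_path = r"C:\Temp\browser.exe"  # same name, different bytes

    naive = NameOnlyPolicy(["browser.exe"])
    bound = HashBoundPolicy()
    bound.preapprove(browser_path, GENUINE_BROWSER)

    def user_says_no(name: str) -> bool:  # simulated user clicking "deny"
        return False

    return {
        "naive_genuine": naive.permits(browser_path, GENUINE_BROWSER),
        "naive_impostor": naive.permits(impostor_path, IMPOSTOR_IMAGE),
        "bound_genuine": bound.permits(browser_path, GENUINE_BROWSER, user_says_no),
        "bound_impostor_first": bound.permits(impostor_path, IMPOSTOR_IMAGE, user_says_no),
        "bound_impostor_again": bound.permits(impostor_path, IMPOSTOR_IMAGE, user_says_no),
        "prompts_needed": bound.prompts,
    }


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

Running it shows the name-only policy letting the impostor out while the hash-bound policy stops it, asks the user exactly once, and answers from its stored decision the second time. A real agent would also have to cover the component level the ZAPro discussion mentions (DLLs loaded into a trusted process), which this model deliberately leaves out.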
