[Dshield] "Personal Firewalls" are mostly snake-oil?

John Hardin johnh at aproposretail.com
Tue Jul 23 21:57:09 GMT 2002

On Tue, 2002-07-23 at 13:26, Peter Stendahl-Juvonen wrote:
> On workstations a software firewall will
> 1) Prevent remotely exploitable bugs from entering your system - unless
> you allow them to do so

erm, no. A firewall is solely a network access control device. "Is this
communication permitted?" based on port & protocol, and (in the Windows
world) what program is on the local end of the communication. In the
traditional model, and in all of the PFW tools, it does nothing about
the *content* of that communication.

The desire to characterize a given communication as "hostile" or
"malicious" vs. "benign" is where the true difficulty lies. A firewall
lets you make broad decisions in this vein (e.g. "any traffic destined
to port 31337 is hostile") but discerning between normal HTTP traffic
and an HTTP-based attack (especially where you aren't signature-based
and are attempting to detect never-before-seen attacks) is tough.

If you can create a tool that will do that analysis and reliably
characterize the communications, you'll be stinkin' rich. A/V and IDS
software are our current attempts to do this, with varying degrees of
success. I think Finjan (?) provides a tool that tries to do this just
for IIS and HTTP requests.

> To John H.: [...unfortunately these are largely the same users who have
> been conditioned to click [OK] to get the damned distracting dialog box
> off the screen without reading and thinking about what it's asking. This
> may greatly hamper the effectiveness of personal firewalls on the
> Windows platform - they detect unsafe traffic, but the user tells them
> to permit the traffic just to get them to shut up.]
> What would your recommendation be instead?

As long as the computer itself cannot distinguish reliably between
malicious and benign communications it *must* appeal to the user for
direction, either up front (in the form of a configuration file) or
interactively (a "do you want to let this program communicate?" dialog).

I don't know if there is a good alternative. If you're not asking at the
time the traffic occurs, you're asking later. In either case, for a PFW,
you're probably asking complex questions of someone who does not want to
be bothered by them (viz the example posted earlier).

It's possible that this could be handled by a "configuration
subscription" service, where valid "benign" programs are registered and
are permitted to communicate. This would probably allow you to cover 90%
of the cases without bothering the user, but requires the user trust the
service. There could also be configuration "sets" - some people might
want to trust spyware, others not.

Centralized reference material would be useful. If the application pops
up a "do you want to allow in traffic to port X?" or "do you want to let
program Y communicate with the Internet?" there should be a way to hit a
button and get a detailed explanation of what the traffic/program is
about so that they can make an informed decision - but then, this won't
help with users who want their security to be invisible and don't want
to be bothered about the details.

> [One FW detects connection attempts and
> asks the user if it's ok to accept the connection.  Better than nothing,
> but once you hit OK like Joe-no-know user, the bad guy is in. ]

See the above discussion. The problem is with users who don't want to
(or can't) learn about the details.

And computers are damned near infinitely complex...

> 2) Do not let malicious code in. If malicious code gets in, detect and
> destroy it.

The $64M question: how?

> You can get the best “free” software firewall, i.e. ZoneAlarm(r)
> [standard, non-Pro version] for 40 cents less. You also save in your
> electricity bill this way in addition that it is hence greener.

But ZA is hugely less configurable (if you know what you're doing) than
a Linux or BSD firewall.

> To Mark: [Well I did a practical test .......  I installed Tiny Personal
> Firewall on my girlfriend's win2k machine, explained what the options
> meant and why you should use em. Now she aint dumb, but after a couple
> of days of listening to occasionally outraged howls I checked the
> configuration.....  essentially it was "allow all from any to any". When
> I asked her why, she said "it was just too annoying having to decide
> from which machine to which and sometimes you had to allow any and
> sometimes not so it was just easier......."
> Until the default installs and actual practices of these products get
> smarter they will remain at best, of limited use. 
> p.s this aint a windows issue..... I have seen the same phenomena on
> unix based firewalls as well.] 
> It would be interesting to read why you chose Tiny Personal Firewall
> instead of, e.g. ZoneAlarm(r)?

And it would be interesting to do a comparison as to which lasted longer
before being completely disabled... :) THAT's the metric that Gibson

> If you consider yourself more "technically oriented" that you would
> enjoy messing around with firewall rules, ports, protocols, etc. (as I
> do), TPFW might be the best choice for you. But if you just want
> top-grade protection without making a career of it, and if you're
> running a single-processor machine, ZoneAlarm's rule-free system is
> probably the better choice for you.”

It still asks questions, though, so it's still possible for the user to
shoot themselves in the foot.

> To Francesco: [The debate besides the P.F. should also cover another
> aspect I haven't -yet- seen here:
> who is willing to include in his laptop's carrying bag the smallest
> Cisco/Checkpoint/anyone else's firewall?
> For the time being I would suggest relying on a software firewall, e.g.
> ZoneAlarm(r) or ZoneAlarm(r) Pro from Zone Labs, Inc. I anticipate that
> in the future we will see integrated [optional] hardware firewalls for
> both laptops and desktops/mini towers.

There is currently shipping a fully-configurable Linux-on-a-PCI-card
firewall/NIC. I don't think anybody has done anything similar as a
PCMCIA network card or modem.

Sheesh. Is this getting out of hand yet?

John Hardin                                   <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
 "To disable the Internet to save EMI and Disney is the moral
  equivalent of burning down the library of Alexandria to ensure the
  livelihood of monastic scribes."
                                    -- John Ippolito of the Guggenheim
 304 days until The Matrix Reloaded
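
The "configuration subscription" idea from the message above, sketched as an added example that is not part of the original post or of any product it names. The feed format, the category names and the `decide` function are hypothetical, and the binaries are constructed stand-ins. The decision uses only port, protocol and the identity of the local program, never the content of the traffic.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample data: stand-ins for the contents of program binaries.
BROWSER = b"constructed browser binary"
ADWARE = b"constructed ad-supported binary"
UNKNOWN = b"constructed unregistered binary"

def digest(binary: bytes) -> str:
    """Identify a program by the SHA-256 of its binary, not by its name."""
    return hashlib.sha256(binary).hexdigest()

# Hypothetical subscription feed: hash -> (category, permitted (proto, port) pairs)
FEED = {
    digest(BROWSER): ("benign", {("tcp", 80), ("tcp", 443)}),
    digest(ADWARE): ("spyware", {("tcp", 80)}),
}

# Broad port rule of the kind the post mentions for port 31337.
BLOCKED_PORTS = {("tcp", 31337)}

@dataclass(frozen=True)
class Conn:
    program: bytes  # contents of the local program's binary
    proto: str
    port: int       # remote destination port

def decide(conn, trusted_sets, feed=FEED):
    """Return 'allow', 'deny' or 'ask' for one outbound connection."""
    if (conn.proto, conn.port) in BLOCKED_PORTS:
        return "deny"
    entry = feed.get(digest(conn.program))
    if entry is None:
        return "ask"    # unregistered program: the user still has to decide
    category, endpoints = entry
    if category not in trusted_sets:
        return "deny"   # registered, but in a set this user does not trust
    if (conn.proto, conn.port) not in endpoints:
        return "ask"    # known program talking on an unexpected port
    return "allow"

if __name__ == "__main__":
    for binary in (BROWSER, ADWARE, UNKNOWN):
        print(decide(Conn(binary, "tcp", 80), {"benign"}))
```

Only the `ask` results reach the user, so the prompt volume depends on how much of the installed software the feed covers.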
