[Dshield] "Personal Firewalls" are mostly snake-oil?

Gene Bradford geneb at columbus.rr.com
Tue Jul 23 17:55:50 GMT 2002

Peter, while i can't agree with everything you say, i respect your opinion and 
your right to express it.  

i happen to believe, however, that Zone Alarm is inherently flawed for just 
the reason you mention...rule free.  i like to know what's in my FW and what 
it's attempting to do.  thus the rule sets can be very precise and 
individually tailored to suit the environment and not just a generic "cure 
all" as ZA attempts to be.  

of course i'm using other tools in addition to ipchains.  the point here being 
that just a FW by itself won't stop the black hats.  i also use custom 
designed vulnerability assessment, intrusion detection and logging tools as 
well as the latest security updates that have thus far stopped the bad guys 
in their tracks.  but i'm not going to fool myself into believing they'll 
work forever.  someone with enough patience will ultimately succeed.  they 
always do.  this is my _hobby_ but to the script kiddies, it's their _life_ 
so a lot of wasted time is devoted towards these efforts.

unfortunately Steve Gibson has come under quite a few attacks from the very 
beginning of his "public" career.  while this isn't the place nor the forum 
to discuss those attacks nor the reasons behind them, i'd suggest you do a 
search on "steve gibson" and go to some of the listed sites.  while some are 
the typically rabid "he's no good" rants, some are quite informative and well 
worth the read.  (as borne out by a gentleman who was Steve's supervisor on an 
early job.)

ok, i've wasted enough bandwidth for today.  thanks for listening.

take care....gene

On Tuesday 23 July 2002 08:26 pm, Peter Stendahl-Juvonen wrote:
> Keith, Jens, John S., Richard, Stephane, Russell, Johannes, Frank, John
> H., David, “Mrcorp”, Michael, Erik, “ddrass”, Gene, Francesco, Mark, et
> al.
> Thank you for the interesting opinions served “on and off the subject”
> via this forum.
> In this e-mail I will
> 1)      comment some opinions and ask questions in the hope of getting
> constructive answers
> 2)      present my solution for consideration
> 3)      provide excerpt of independent research by a third party
> 4)      list an alternative hardware solution for consideration
> 5)      try to respond to the original issue by Keith (the answer being
> also all over this email)
> To Keith: Thank you for initiating an interesting series of e-mailings
> and interesting opinions. Please find my response to you at the very end
> of this message.
> To Johannes: [“Sure, I would like nothing more than every home user
> taking plenty of SANS courses and getting GIAC certified. But I have no
> illusions that this will not happen.”]
> I suppose the word “not” is excessive in your last sentence. Perhaps
> your subconscious took control when writing that down expressing your
> sincere, inner wish.
> You make excellent recommendations contributing to safe computing. I
> could not agree more. Please consider adding “malicious code detection
> and removal tool” to the list of requirements. In today’s reality it
> should be business as usual. By “malicious code detection and removal
> tool” I mean a tool that not only detects and removes malicious code
> residing on disk files but also stops malicious code from execution.
> To Frank: [The majority of the software out there prevents users from
> attaining that degree of smartness.  Why even the people who develop
> that software are not smarter than the stuff they are selling.  Look at
> all the patches and revisions that are silently made available to users
> who finally discover that something is not right.] I find this as a
> rough generalization. It’s a false claim in all respects regarding my
> case.
> To Jens: I agree on all but one thing, i.e. [But: Firewalls do NOT
> protect from remotely exploitable bugs in your software. So, if you have
> (for example) a vulnerable IIS, a remote attacker can still gain access
> to your system, and possibly compromise it despite your firewall.]
> On workstations a software firewall will
> 1) Prevent remotely exploitable bugs from entering your system - unless
> you allow them to do so
> 2) Stop remotely exploitable bugs from “calling home”.
> As for IIS, please consider other alternatives, i.e. safer products.
> Also bear in mind “Defense in Depth”. You need several layers of defense
> protecting you from different threats but the several layers should
> preferably overlap.
> To John H.: [...unfortunately these are largely the same users who have
> been conditioned to click [OK] to get the damned distracting dialog box
> off the screen without reading and thinking about what it's asking. This
> may greatly hamper the effectiveness of personal firewalls on the
> Windows platform - they detect unsafe traffic, but the user tells them
> to permit the traffic just to get them to shut up.]
> What would your recommendation be instead?
> To Russell: [To answer the original poster (Kevin G?) who inadvertently
> kicked up this dust storm, no, Zone Alarm isn't a waste of your time per
> se, but it probably isn't what most have been led to believe it is
> either.  Take a gander at http://grc.com/dos/grcdos.htm towards the end,
> where the author discusses behavior of a pair of personal firewalls with
> regard to a SubSeven trojan.  One FW detects connection attempts and
> asks the user if it's ok to accept the connection.  Better than nothing,
> but once you hit OK like
> Joe-no-know user, the bad guy is in.  The other FW let it through carte
> blanche.  The URL is kind of old and may be out of date, but you'll get
> the implicit point:  the only perspective that matters on a firewall
> product is one that is well-thought-out and well-informed.]
> 1) This is an interesting interpretation of Steve Gibson’s research and
> testimonial.
> 2) Do not let malicious code in. If malicious code gets in, detect and
> destroy it.
> To: “ddrass” – Another add-on product to consider: VisualZone from
> Visualize Software. It’s Freeware but recommendable.
> [If you're looking for better protection, look for a hardware solution
> that offers "stateful packet inspection". A cheap but decent product is
> SonicWall. I use the XPRS2. Cheap but good.]
> Whom are you recommending this box that costs 1,795 $ and is replaced by
> the current product “Sonic WALL PRO 100”?
> To Gene: [Now here's where _I_ beg to differ.  I'm currently running a
> 486 DX2/80 system with 32 megs of RAM and a 2.4 Gig HDD as my
> firewall/NAT machine.  The OS is Red Hat 6.2 which cost me nothing but
> the time to d/l it and burn it to CD.  The cost of the machine was
> exactly nothing since it was given to me.  Total cost thus far: 40 cents
> for the CD's.  I don't know about you but I sure can't purchase Norton's
> Personal Firewall for 40 cents.  Nor can I purchase Zone Alarm Pro for
> that price.  Nor any other piece of commercial firewall software.]
> You can get the best “free” software firewall, i.e. ZoneAlarm(r)
> [standard, non-Pro version] for 40 cents less. You also save in your
> electricity bill this way in addition that it is hence greener.
> To Mark: [Well I did a practical test .......  I installed Tiny Personal
> Firewall on my girlfriends win2k machine, explained what the options
> meant and why you should use em. Now she aint dumb, but after a couple
> of days of listening to occasionally outraged howls I checked the
> configuration.....  essentially it was "allow all from any to any". When
> I asked her why, she said "it was just too annoying having to decide
> from which machine to which and sometimes you had to allow any and
> sometimes not so it was just easier......."
> Until the default installs and actual practices of these products get
> smarter they will remain at best, of limited use.
> p.s this aint a windows issue..... I have seen the same phenomena on
> unix based firewalls as well.]
> It would be interesting to read why you chose Tiny Personal Firewall
> instead of, e.g. ZoneAlarm(r)?
> Please see what Steve Gibson has to say about the subject (also in wider
> context further below):
> “If you consider yourself more "technically oriented" that you would
> enjoy messing around with firewall rules, ports, protocols, etc. (as I
> do), TPFW might be the best choice for you. But if you just want
> top-grade protection without making a career of it, and if you're
> running a single-processor machine, ZoneAlarm's rule-free system is
> probably the better choice for you.”
> To Francesco: [The debate besides the P.F. should also cover another
> aspect I haven't -yet- seen here:
> who is willing to include in his laptop's carrying bag the smallest
> Cisco/Checkpoint/anyone else's firewall?
> Assuming that such PCs  may also need to be protected in order to avoid
> intrusion and whatever else when they are on the road or at home (but
> not behind a FW) what is suggested here to use? Is nothing better than a
> P.F.? is any other hardware device available better than a P.F. for a
> mobile user? Who's willing to let tens of millions of users let alone
> without a P.F. but possibly connecting back to a corporate (or
> university) network sometimes?]
> Excellent point.
> For the time being I would suggest relying on a software firewall, e.g.
> ZoneAlarm(r) or ZoneAlarm(r) Pro from Zone Labs, Inc. I anticipate that
> in the future we will see integrated [optional] hardware firewalls for
> both laptops and desktops/mini towers.
> I have not personally had the opportunity to do thorough testing on
> Hardware Firewall solutions vs. Personal Software Firewalls. However,
> thorough testing of Personal SW Firewalls has been conducted by at least
> one competent and independent third party, i.e. by Steve Gibson, Gibson
> Research Corporation. I made my personal choice of solution some nine
> months ago based on the research performed by the meritorious Steve
> Gibson.
> Since the challenge that I faced at that time was to protect a
> standalone personal computer only, I came to the conclusion that a
> personal software firewall is the most applicable solution for the
> evident points brought up by Steve Gibson’s research on the subject.
> So I started with the flagship of free software firewalls, downloaded
> and installed Zone Labs, Inc.’s ZoneAlarm(r) – the free of charge
> version of the product for internal use, home computing. Everyone
> involved was pleased with the solution. The price performance ratio of
> the solution was excellent.
> However, the product was only used for about one month for the following
> reasons. I wanted to strengthen the protection as well as increase
> control and was prepared to pay for it. Knowing that version three was
> about to be announced, and that it would most likely have an impact on
> the price of the non-free version of the product, I decided to make my
> move in December, 2001 for the 29.95 $ price - two bundled products
> offer (ZoneAlarm(r) Pro and another product). Now I use the current
> version 3.0.133, and have another 162 days left of product support
> service included in original price as well as including possible new
> releases. ZAPro 3.0 costs today some 50 $, but can be acquired for less.
> I am happy with this solution. Naturally I do not rely on this software
> firewall flagship product solely but follow what was originally
> documented as a “Defense in Depth” method (in the Art of War by Niccolò
> Machiavelli, 1494-1527) I would suppose. For evident reasons I won’t go
> into the details of my all [other] defenses - not even quantifying the
> number of them. What can be said though: At the moment I rely on two
> other flagship products as well for viral and other malicious code
> detection and removal.
> In ZAPro I value the ease-of-use interface, robust three engine design,
> stealth mode operation (for both the Internet and the so called Trusted
> Network), and component level access control for outgoing traffic (on
> *.acm, *.cnv, *.cpl, *.dll, *.drv, *.ftl, *.ocx, *.qtx,
> level). In my
> experience configurability and setup match and even exceed individual
> needs and all requirements. (With the exception of dual processor
> support that ZAPro lacks.)
> Having glanced an eye over the following again I would still go for the
> same solution. When I want to have more than one computer connected to
> the Internet I will most likely invest additionally in products like,
> e.g. D-Link Express EtherNetwork 4-port Ethernet Broadband Router
> [DI-604] or equivalent at that time.
> Acknowledging the fact that we seldom if ever change our opinions,
> please find below citations on
> “Internet Connection Security for Windows Users” by Steve Gibson, Gibson
> Research Corporation
> [http://grc.com/lt/scoreboard.htm], and other quotations of documents /
> Web pages referred by him.
> Personal Firewall Scoreboard
> The following information has been gathered by the combined effort of
> many terrific contributors to the grc.leaktest newsgroup. If you have
> experience with other personal software firewalls we hope you will share
> your experiences, or if your findings are different from those shown
> below, please come over to the grc.leaktest newsgroup and add your
> voice!
> Security is a constantly moving target and a never ending challenge.
> Therefore, the following results are expected to be accurate only for
> the first version 1.0 of LeakTest. In other words, the following
> firewalls are "Leak-Proof" ONLY relative to their behavior with version
> 1.0 of LeakTest. When version 2.0 is created it is likely that these
> results will change.
> Firewall                  | Considerations, versions, etc.
> McAfee Firewall           | v 2.15+ — Update to get version 2.15 or later
> Sygate Personal FW (FREE) | v 4.0+ — FREE for personal use!
> Symantec / Norton         | v 2.55+ — LiveUpdate to get version 2.55
> Tiny Personal FW (FREE)   | v 2.0.7+ — FREE for personal use!
> ZoneAlarm (FREE)          | Never Leaked
> ZoneAlarm Pro             | Never Leaked
> Tiny Personal Firewall — A terrific FREE Firewall: For some reason I was
> unable to get TPFW to work on my main dual-processor Windows 2000
> workstation. I wanted to use it since it is fully multi-processor
> compatible and ZoneAlarm is not. It operated correctly under Windows
> 98SE on a test machine, but it didn't like something about my main
> dual-processor, dual-NIC, multi-IP, multi-display system. <<grin>>
> If Tiny's firewall works on your system, and if you so consider yourself
> more "technically oriented" that you would enjoy messing around with
> firewall rules, ports, protocols, etc. (as I do), TPFW might be the best
> choice for you. But if you just want top-grade protection without making
> a career of it, and if you're running a single-processor machine,
> ZoneAlarm's rule-free system is probably the better choice for you.
> You can grab a copy of TPFW from CNET's Downloads site here:
> www.downloads.com, where Tiny Software suggests you go to grab your free
> copy. If you read the comments being left by people it is clear that
> TPFW2 is working very well for the majority of sane posters. It is a
> nice and secure firewall.
> Firewall Considerations, versions, etc.
> PC-Viper v 3.1.6+ — Doesn't Leak, but seems "unfinished" (see below).
>  PC-Viper v 3.1.6 — In a class by itself: PC Viper has the distinction
> of being the first "fixed" firewall which initially failed the version
> 1.0 LeakTest. Just so we're clear: PC Viper version 3.1.6 passes all
> aspects of the v1.0 LeakTests. Although Source Velocity's current
> solution undeniably works, the current implementation has a few quirks
> and odd behaviors which bear noting:  All application connection
> attempts are initially immediately denied rather than being "suspended"
> pending the receipt of the user's permission. As with the original
> Sygate solution, this may force the user to restart or re-initiate
> whatever work the denied connection was attempting to perform. Other
> personal firewalls are able to "pend" the application's access request
> while the user decides how to reply.
>  The version 3.1.6 user-interface apparently needs some updating, since
> there is no visible provision (that I could find) for viewing the
> current set of "Internet enabled" applications. All other
> application-blocking firewalls allow the user to see and edit which
> applications have been granted and/or denied access.
>  And speaking of being denied access, the current version apparently
> does not record and store the user's application denial responses at
> all. This means that every time an application, that you want to deny
> Internet access, attempts to access the Internet, you'll be forced to
> reply "no" again and again.
> As a result of these implementation quirks, while I certainly want to
> acknowledge PC Viper's quick response to the application masquerading
> vulnerability, I hope that they intend to flesh out this "patch" into a
> full-function solution sporting a complete user-interface.
> At the moment, PC-Viper falls short and I could not bring myself to
> group it in with the much more correctly working and "finished feeling"
> firewalls above.
> Firewall            | Trivial EXPLOITS | Masquerade VULNERABLE
> AtGuard             | None Known       | YES (in same directory)
> BlackICE Defender   | Doesn't block unknown Trojans, Viruses, or Spyware
> Conseal Desktop     | None Known       | YES (in any directory)
> Conseal PC FW       | No Provision to block Trojans, Viruses, or Spyware
> eSafe Desktop       | YES (stealth)    | YES (in any directory)
> PrivateFirewall 2.0 | None Known       | YES (in same directory)
> Lockdown 2000       | No Provision to block Trojans, Viruses, or Spyware
>  WRQ has asked me to point out that AtGuard was discontinued in 1999. I
> included it here for reference and comparison because so many people are
> continuing to use this otherwise excellent firewall.
>  Aladdin's eSafe Desktop has an extremely worrisome characteristic: A
> simple variation in any application's Internet communications approach
> renders the firewall completely transparent and allows any malicious
> software to pass through this firewall and gain unrestricted access to
> the Internet. This can be easily demonstrated by activating LeakTest's
> "Stealth" mode.
> Also, when an application is "denied access" there is no provision for
> remembering that access should be blocked for that application. The user
> will therefore be asked every time the application attempts to use the
> Internet.
>  Masquerade Vulnerability:
> Please see the previous page for a discussion and explanation of the
> executable file masquerading vulnerability suffered by many current
> firewalls.
>  Accuracy of these Findings:
> The information contained in the table and text above is believed to be
> accurate and representative of the current release version of all
> products discussed. We will entertain any and all factual rebuttals and
> will work to maintain this page so that it continues to accurately
> reflect the current state of the personal firewall marketplace.
> Hardware Firewalls/NAT Routers [http://grc.com/lt/hardware.htm]
> External firewall and NAT router appliances (like our favorite Linksys
> <http://www.linksys.com/products/product.asp?prid=20&grid=5> Broadband
> EtherFast Cable/DSL Router) provide excellent "natural protection" from
> external intrusion hacking. For systems where a NAT router makes sense
> (i.e. multiple machines sharing a single Internet connection) we highly
> recommend the use of a good NAT router. We prefer the Linksys due to its
> stability, ease of use, and rapidly expanding feature-set in response to
> marketplace demands.
> However, no hardware of any sort, running outside of a computer, can
> possibly provide comprehensive protection against the very real dangers
> from the internal extrusion of your personal and private information.
> The access rights of INDIVIDUAL applications can ONLY
> be managed and controlled through the action of some
> form of "agent" able to watch from INSIDE the computer.
> The HOT setup . . .
> My specific recommendations are, of course, subject to moment-to-moment
> change and reconsideration in this highly dynamic Internet security
> market. However, today — as for the past six months — there is no better
> and more secure solution than running a single, external,
> <http://www.linksys.com/products/product.asp?prid=20&grid=5> Linksys NAT
> router — providing redundant external intrusion protection — coupled
> with copies of the FREE ZoneAlarm firewall — providing the PC industry's
> most comprehensive internal extrusion management.
> (Note: The money you save by running the free ZoneAlarm firewall
> on multiple computers more than pays for a Linksys router!)
> We note that this solution does not offer the additional features of
> parental control, advertising, and cookie blocking offered by, for
> example, Symantec's NIS product line, but Symantec's solutions are not
> free, and they all currently fail to provide comprehensive internal
> extrusion protection.
> D-Link Express EtherNetwork 4-port Ethernet Broadband Router
>  Author: Joseph Moran
>  Review Date: 7/17/2002
> [http://www.practicallynetworked.com/review.asp?pid=470]
> Summary
> The D-Link DI-604 packs a lot of features into its diminutive chassis.
> It would have a lot going for it even at twice its price, but at less
> than $50, it's practically a no-brainer. I doubt you could find a more
> complete residential broadband router even if you were willing to spend
> more, but really, why should you?
> Unless you need major integrated features that the DI-604 lacks, (like a
> print server, modem backup, or wireless LAN) you won't need to look much
> further than this D-Link router.
> Recommended by Smitty
> [http://www.practicallynetworked.com/opinions/index.asp?pid=470]
> on 7/21/2002
> BOTTOM LINE: A lot of features for the price.
> REALITY vs. EXPECTATIONS: much better than I expected.
> DETAILS: I have been using WinRoute as my router for 2 years now. i
> decided to start looking for a full featured router that wasn't too
> expensive. I picked this di-604 up at Best Buy for 19.99, unbelievable.
> This router has a lot more feature than it should for the price. My only
> complaint is the switch is a little slow compared to my Linksys. Had to
> turn off the VPN, it was lowering my RWIN to 8192 which was causing very
> slow internet access. GREAT PRODUCT!
> Finally To Keith: Congratulations for acquiring the flagship product of
> all software firewalls on the market. It gives you significant means to
> strengthen the protection of your system.
> However, to improve your overall safety I would recommend at least
> another two flagship products. Please consider Symantec’s “Norton
> AntiVirus(tm) 2002” and “PestPatrol” from PestPatrol, Inc for the
> protection against viral and other types of malicious code.
> These three solutions together meet minimum requirements according to my
> standard.
> As for O/S and file system my recommendation would be: Microsoft(r)
> Windows(r) 2000 Professional and NTFS assuming them to be suitable for
> your platform.
> This way you have a reliable, stable, robust operating system and a safe
> file system empowering powerful features plus the minimum of defense
> systems.
> Best Wishes,
> Peter Stendahl-Juvonen
> The best defense is attack! Attack people with your peace, with your
> love, with your silence, with your joy - that's the best defense, and
> that is a great service to the humanity too. -Osho Rajneesh
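The "executable file masquerading vulnerability" that the quoted scoreboard keeps returning to, and the "component level access control" Peter values in ZAPro, both come down to one design question: what does the inside-the-computer "agent" use to recognise an application before it applies the application's outbound rule? The toy model below is an added illustration written for this archive page; it is not code from the thread, from Zone Labs or from Gibson Research. It contrasts a policy keyed only on the program's file name or path with one keyed on a cryptographic digest of the file's bytes, using constructed sample paths and payloads. The names (`Executable`, `NameKeyedPolicy`, `HashKeyedPolicy`) are the example's own.

```python
"""Toy model of two ways a personal firewall can identify an application
before applying its outbound ("extrusion") rule.  Added example; not taken
from the DShield thread, Zone Labs or Gibson Research.  All paths and file
contents below are constructed stand-ins, not real binaries."""

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Executable:
    """A program as the firewall sees it: where it lives and what it contains."""
    path: str       # constructed sample path
    content: bytes  # constructed sample file bytes


def fingerprint(exe: Executable) -> str:
    """SHA-256 of the file contents; changes whenever the bytes change."""
    return hashlib.sha256(exe.content).hexdigest()


class NameKeyedPolicy:
    """Weak design: a permission is attached to a file name/path only.
    Any program occupying that path inherits the permission."""

    def __init__(self) -> None:
        self.allowed_paths: set[str] = set()

    def trust(self, exe: Executable) -> None:
        self.allowed_paths.add(exe.path)

    def permits(self, exe: Executable) -> bool:
        return exe.path in self.allowed_paths


class HashKeyedPolicy:
    """Stronger design: the permission is bound to the digest of the bytes
    that were present when the user granted it.  A different file at the
    same path (or a changed file) no longer matches and must be re-approved."""

    def __init__(self) -> None:
        self.allowed: dict[str, str] = {}

    def trust(self, exe: Executable) -> None:
        self.allowed[exe.path] = fingerprint(exe)

    def permits(self, exe: Executable) -> bool:
        return self.allowed.get(exe.path) == fingerprint(exe)


def masquerade_demo() -> dict[str, bool]:
    """Grant a trusted program outbound access under both policies, then
    present (a) an unrelated program occupying the same path and (b) a
    legitimately updated build of the trusted program."""
    browser_path = "C:/Program Files/Browser/browser.exe"          # constructed
    browser = Executable(browser_path, b"constructed browser build 1.0")
    impostor = Executable(browser_path, b"constructed unrelated program")
    updated = Executable(browser_path, b"constructed browser build 1.1")

    by_name = NameKeyedPolicy()
    by_hash = HashKeyedPolicy()
    by_name.trust(browser)
    by_hash.trust(browser)

    return {
        # Name-keyed: the impostor inherits the browser's permission.
        "name_keyed_permits_impostor": by_name.permits(impostor),
        # Hash-keyed: the impostor's digest does not match; it is denied.
        "hash_keyed_permits_impostor": by_hash.permits(impostor),
        # Hash-keyed: the original trusted build is still permitted.
        "hash_keyed_permits_original": by_hash.permits(browser),
        # Hash-keyed: an updated build also fails the match, so the user is
        # asked again (the usual "program has changed" prompt).
        "hash_keyed_permits_updated_build": by_hash.permits(updated),
    }


if __name__ == "__main__":
    for check, outcome in masquerade_demo().items():
        print(f"{check}: {outcome}")
```

The last result is the trade-off behind the thread's complaints about prompt fatigue: binding permissions to file contents closes the masquerade hole, but every legitimate update re-triggers a prompt, and a user trained to click OK will approve the impostor just as readily as the update. Extending the same digest check to the libraries a program loads is what "component level" control adds on top of the per-executable rule.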
