[Dshield] "Personal Firewalls" are mostly snake-oil?

Peter Stendahl-Juvonen peter.stendahl-juvonen at welho.com
Wed Jul 24 00:21:13 GMT 2002

John, et al.

Please find my comment embedded next to your comment (below).
Best Wishes,

-----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org] On Behalf
Of John Hardin
Sent: Wednesday, July 24, 2002 12:57 AM
To: DShield mailing list
Subject: Re: [Dshield] "Personal Firewalls" are mostly snake-oil?

On Tue, 2002-07-23 at 13:26, Peter Stendahl-Juvonen wrote:
> On workstations a software firewall will
> 1) Prevent remotely exploitable bugs from entering your system -
> you allow them to do so

erm, no. A firewall is solely a network access control device. "Is this
communication permitted?" based on port & protocol, and (in the Windows
world) what program is on the local end of the communication. In the
traditional model, and in all of the PFW tools, it does nothing about
the *content* of that communication.

*** Semantically we have an agreement on what you say (above). However,
do you think it is wrong to view the issue from this point? If you
intercept all traffic to and from all ports of the computer, does that
not keep the malicious code outside the computer (i.e., excluding
infection originated by other media, e.g. diskettes, CD-ROM, etc.)? All
inbound and outbound traffic is stopped by default by ZA and ZAPro with
the exception of the browser. Is it not usually the user who decides
where to connect and where not to? The same applies to email client sw,
e.g. Outlook. As for email, ZAPro intercepts and quarantines by default
46 different [executable] email attachment types. You can add [or
delete] attachment types to be quarantined according to your own
preferences. Can this be more easily or more effectively achieved by a
PFW? ***

The desire to characterize a given communication as "hostile" or
"malicious" vs. "benign" is where the true difficulty lies. A firewall
lets you make broad decisions in this vein (e.g. "any traffic destined
to port 31337 is hostile") but discerning between normal HTTP traffic
and an HTTP-based attack (especially where you aren't signature-based
and are attempting to detect never-before-seen attacks) is tough.

If you can create a tool that will do that analysis and reliably
characterize the communications, you'll be stinkin' rich. A/V and IDS
software are our current attempts to do this, with varying degrees of
success. I think Finjan (?) provides a tool that tries to do this just
for IIS and HTTP requests.

*** Isn't, e.g., Demarc Software's PureSecure(tm) aimed to do this as
well? They also have a PureSecure(tm) Personal Edition that is free for
personal and non-profit use. These alternatives are from my viewpoint
interesting enough for evaluation. ***

> To John H.: [...unfortunately these are largely the same users who
> been conditioned to click [OK] to get the damned distracting dialog
> off the screen without reading and thinking about what it's asking.
> may greatly hamper the effectiveness of personal firewalls on the
> Windows platform - they detect unsafe traffic, but the user tells them
> to permit the traffic just to get them to shut up.]
> What would your recommendation be instead?

As long as the computer itself cannot distinguish reliably between
malicious and benign communications it *must* appeal to the user for
direction, either up front (in the form of a configuration file) or
interactively (a "do you want to let this program communicate?" dialog).
*** That's what ZA and ZAPro do. ***

I don't know if there is a good alternative. If you're not asking at the
time the traffic occurs, you're asking later. In either case, for a PFW,
you're probably asking complex questions of someone who does not want to
be bothered by them (viz the example posted earlier).

It's possible that this could be handled by a "configuration
subscription" service, where valid "benign" programs are registered and
are permitted to communicate. This would probably allow you to cover 90%
of the cases without bothering the user, but requires the user trust the
service. There could also be configuration "sets" - some people might
want to trust spyware, others not.

Centralized reference material would be useful. If the application pops
up a "do you want to allow in traffic to port X?" or "do you want to let
program Y communicate with the Internet?" there should be a way to hit a
button and get a detailed explanation of what the traffic/program is
about so that they can make an informed decision *** This is what ZA and
ZAPro do. They also guide you to gain the information needed for
decision making. *** - but then, this won't
help with users who want their security to be invisible and don't want
to be bothered about the details.

*** Isn't, e.g., Demarc Software's PureSecure(tm) aimed to do this as
well? They also have a PureSecure(tm) Personal Edition that is free for
personal and non-profit use. These alternatives are from my viewpoint
interesting enough for evaluation. ***

> [One FW detects connection attempts and
> asks the user if it's ok to accept the connection.  Better than
> but once you hit OK like Joe-no-know user, the bad guy is in. ]

See the above discussion. The problem is with users who don't want to
(or can't) learn about the details.

*** Users can be educated gradually if the solution is innovative
enough. According to my experience ZA and ZAPro are innovative products
with innovative GUIs. ***

And computers are damned near infinitely complex...

> 2) Do not let malicious code in. If malicious code gets in, detect and
> destroy it.

The $64M question: how?

*** If "how" refers to "Do not let malicious code in," I still suggest
ZAPro gives fairly good protection here. If "how" refers to "If
malicious code gets in, detect and destroy it," I still suggest that
Norton AntiVirus 2002 and PestPatrol deal with most cases of malicious
code. Remember I am talking about workstation(s) here. ***

> You can get the best "free" software firewall, i.e. ZoneAlarm(r)
> [standard, non-Pro version] for 40 cents less. You also save on your
> electricity bill this way, in addition to which it is hence greener.

But ZA is hugely less configurable (if you know what you're doing) than
a Linux or BSD firewall.

*** I agree. Therefore I chose ZAPro. Do you think there is a big
difference in configurability and/or usability between ZAPro vs. a Linux
or BSD firewall? What would the main difference(s) be? ***

> To Mark: [Well I did a practical test .......  I installed Tiny
> Firewall on my girlfriend's win2k machine, explained what the options
> meant and why you should use em. Now she aint dumb, but after a couple
> of days of listening to occasionally outraged howls I checked the
> configuration.....  essentially it was "allow all from any to any".
> I asked her why, she said "it was just too annoying having to decide
> from which machine to which and sometimes you had to allow any and
> sometimes not so it was just easier......."
> Until the default installs and actual practices of these products get
> smarter they will remain at best, of limited use.
> p.s this aint a windows issue..... I have seen the same phenomenon on
> unix based firewalls as well.]
> It would be interesting to read why you chose Tiny Personal Firewall
> instead of, e.g. ZoneAlarm(r)?

And it would be interesting to do a comparison as to which lasted longer
before being completely disabled... :) THAT's the metric that Gibson

*** Do you know of some thorough testing that would be of interest? Or
is this only allusion? What was meant with my question was this: Did you
regard the person "testing" the software firewall as technically
oriented or not? Contingent upon the answer to this question you made a
proper choice or not. ***

> ". If you consider yourself more "technically oriented" that you would
> enjoy messing around with firewall rules, ports, protocols, etc. (as I
> do), TPFW might be the best choice for you. But if you just want
> top-grade protection without making a career of it, and if you're
> running a single-processor machine, ZoneAlarm's rule-free system is
> probably the better choice for you."

It still asks questions, though, so it's still possible for the user to
shoot themselves in the foot.

*** Questions can be formulated in several ways. So can guidance to the
right answer be given as well! As I see it Zone Labs, Inc. has hit the
sweet spot with both ZA and ZAPro. The products are easy to use but also
powerful at the same time. It is not just marketing strategy, which is
admirable as well. ***

> To Francesco: [The debate besides the P.F. should also cover another
> aspect I haven't -yet- seen here:
> who is willing to include in his laptop's carrying bag the smallest
> Cisco/Checkpoint/anyone else's firewall?
> For the time being I would suggest relying on a software firewall,
> ZoneAlarm(r) or ZoneAlarm(r) Pro from Zone Labs, Inc. I anticipate
> in the future we will see integrated [optional] hardware firewalls for
> both laptops and desktops/mini towers.

There is currently shipping a fully-configurable Linux-on-a-PCI-card
firewall/NIC. I don't think anybody has done anything similar as a
PCMCIA network card or modem.

*** We will witness significant development here. ***

Sheesh. Is this getting out of hand yet?

John Hardin                                   <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
 "To disable the Internet to save EMI and Disney is the moral
  equivalent of burning down the library of Alexandria to ensure the
  livelihood of monastic scribes."
                                    -- John Ippolito of the Guggenheim
 304 days until The Matrix Reloaded
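The thread above argues three things about a personal firewall: it is a network access control device that decides on port, protocol and local program but never on content; unmatched traffic has to be referred to the user, which is where the "allow all from any to any" failure comes from; and a "configuration subscription" of vouched-for programs could settle most of those questions without a prompt. The toy policy engine below, added here as an illustration and not code from ZoneAlarm, Tiny Personal Firewall or anyone on the list, models all three. Program names, the trusted set and the sample flows are constructed for the example.

```python
"""Toy model of a program-aware personal firewall policy (added example).
Verdicts depend only on program, direction, protocol and port; the payload is
carried along purely to show that the policy never reads it."""

from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    program: str            # local executable on the end of the connection (constructed name)
    direction: str          # "in" or "out"
    proto: str              # "tcp" or "udp"
    port: int               # remote port for "out", local port for "in"
    payload: bytes = b""    # never consulted by the policy


@dataclass(frozen=True)
class Rule:
    program: Optional[str]      # None matches any program
    direction: Optional[str]
    proto: Optional[str]
    port: Optional[int]
    verdict: str                # "allow", "deny" or "ask"

    def matches(self, f: Flow) -> bool:
        return all(want is None or want == got for want, got in (
            (self.program, f.program), (self.direction, f.direction),
            (self.proto, f.proto), (self.port, f.port)))


# A sane default rule set: the broad "port 31337 is hostile" decision from the
# thread, explicit outbound web access for the browser, and unsolicited inbound
# traffic denied. Anything else falls through to "ask".
RULES = [
    Rule(None, "in", "tcp", 31337, "deny"),
    Rule("browser.exe", "out", "tcp", 80, "allow"),
    Rule("browser.exe", "out", "tcp", 443, "allow"),
    Rule(None, "in", None, None, "deny"),
]

# What the "too annoying" user in the thread ended up with.
ALLOW_ANY_ANY = [Rule(None, None, None, None, "allow")]

# Hypothetical "configuration subscription": programs a trusted service vouches for.
SUBSCRIBED_BENIGN = frozenset({"browser.exe", "mailclient.exe"})

# Constructed sample flows; the second carries an overlong, suspicious-looking
# request purely to show the policy treats it exactly like the first.
SAMPLE_FLOWS = [
    Flow("browser.exe", "out", "tcp", 80, b"GET / HTTP/1.0\r\n"),
    Flow("browser.exe", "out", "tcp", 80, b"GET /" + b"A" * 600 + b" HTTP/1.0\r\n"),
    Flow("mailclient.exe", "out", "tcp", 25),
    Flow("unknown.exe", "out", "udp", 53),
    Flow("unknown.exe", "in", "tcp", 31337),
]


def policy_verdict(flow: Flow, rules) -> str:
    """Apply rules top-down; first match wins. No match means 'ask'."""
    for rule in rules:
        if rule.matches(flow):
            return rule.verdict
    return "ask"


def resolve(flow: Flow, rules, subscribed=frozenset(), answers=None) -> Tuple[str, bool]:
    """Return (verdict, prompted). An 'ask' verdict is settled by the subscription
    list first, then by a recorded user answer; an unanswered prompt is denied."""
    verdict = policy_verdict(flow, rules)
    if verdict != "ask":
        return verdict, False
    if flow.program in subscribed:
        return "allow", False
    answer = (answers or {}).get(flow.program)
    return ("allow" if answer else "deny"), True


def prompts_needed(flows, rules, subscribed=frozenset()) -> int:
    """How many of these flows would interrupt the user with a dialog."""
    return sum(1 for f in flows if resolve(f, rules, subscribed)[1])


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.program, f.direction, f.proto, f.port, "->", resolve(f, RULES, SUBSCRIBED_BENIGN))
    print("prompts without subscription:", prompts_needed(SAMPLE_FLOWS, RULES))
    print("prompts with subscription:   ", prompts_needed(SAMPLE_FLOWS, RULES, SUBSCRIBED_BENIGN))
    print("collapsed policy, inbound 31337:", resolve(SAMPLE_FLOWS[4], ALLOW_ANY_ANY))
```

Two things are worth noticing when running it: the benign and the oversized HTTP requests get the identical verdict, because nothing in `Rule.matches` ever touches `payload`, which is exactly the "content is somebody else's job" point made above; and the subscription set halves the number of prompts on this sample while the collapsed "allow any to any" rule set lets the inbound port 31337 connection through without ever asking.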
