[Dshield] "Personal Firewalls" are mostly snake-oil?

John Hardin johnh at aproposretail.com
Wed Jul 24 00:50:04 GMT 2002


On Tue, 2002-07-23 at 17:21, Peter Stendahl-Juvonen wrote:
> All
> inward and outbound traffic is stopped by default by ZA and ZAPro with
> the exception of the Browser.

So an attack on your browser wouldn't be stopped by the firewall.

> Is it not usually the user who decides
> where to connect and where not to?

Not necessarily, given that browsers are scriptable.

> Same applies to email client sw, e.g.
> Outlook. As for email, ZAPro intercepts and quarantines by default 46
> different [executable] email attachment types. You can add [or delete]
> attachment types to be quarantined by your own preferences. Can this be
> more easily or more effectively achieved by a PFW? ***

Here the line is blurring. I would not characterize mail attachment
filtering as the province of a firewall, so that aspect of ZA was not
considered. ZA (to me) sounds like firewall + mail filter. Norton is
realtime AV + mailfilter.

That's just my internalized definition of the term "firewall".
 
> *** Isn't, e.g., Demarc Software's PureSecure(tm) aimed to do this as
> well? They also have a PureSecure(tm) Personal Edition that is free for
> personal and non-profit use. These alternatives are from my viewpoint
> interesting enough for evaluation. ***

Maybe. I haven't heard of this. Can you give a URL so that we can take a
look?

> As long as the computer itself cannot distinguish reliably between
> malicious and benign communications it *must* appeal to the user for
> direction, either up front (in the form of a configuration file) or
> interactively (a "do you want to let this program communicate?" dialog).
> *** That's what ZA and ZAPro do. ***

And that's where the problem is. Asking the user a question is where the
weakness is, and if the PFW bombards the user with questions, it will
eventually be turned off.
 
> The $64M question: how?
> 
> *** If "how" refers to "Do not let malicious code in." I still suggest
> ZAPro gives fairly good protection here. If "how" refers to "If
> malicious code gets in, detect and destroy it." I still suggest that
> Norton AntiVirus 2002 and PestPatrol deal with most cases of malicious
> code. Remember I am talking about workstation(s) here. ***

Actually I was thinking of how to detect malicious code without
depending on a signature.

The layered, multitool model is currently the best we can do: firewall
to control network access, mail filter to control attachments and
scripting attacks on the mail client, antivirus to control programs.
   
> *** I agree. Therefore I chose ZAPro. Do you think there is a big
> difference in configurability and/or usability between ZAPro vs. a Linux
> or BSD firewall? What would the main difference(s) be? ***

I gotta admit I've never seen ZAPro. I have messed about with ZAfree and
do recommend ZA* to anybody who asks, but most of my time is spent with
Linux.

> *** Do you know of some thorough testing that would be of interest? Or
> is this only allusion? What was meant by my question was this: Did you
> regard the person "testing" the software firewall as technically
> oriented or not? Contingent upon the answer to this question, you made a
> proper choice or not. ***

I was mostly being humorous. One metric would be "how annoying is the
software in use?"  The lower the score, the better.
 
> It still asks questions, though, so it's still possible for the user to
> shoot themselves in the foot.
> 
> *** Questions can be formulated in several ways. So can guidance to the
> right answer be given as well! As I see it, Zone Labs, Inc. has hit the
> sweet spot with both ZA and ZAPro. The products are easy to use but also
> powerful at the same time. It is not just marketing strategy, which is
> admirable as well. ***

And in the mass consumer market, this is critical.

G'night all.

-- 
John Hardin                                   <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
 "To disable the Internet to save EMI and Disney is the moral
  equivalent of burning down the library of Alexandria to ensure the
  livelihood of monastic scribes."
                                    -- John Ippolito of the Guggenheim
-----------------------------------------------------------------------
 304 days until The Matrix Reloaded