[Dshield] "Personal Firewalls" are mostly snake-oil?

John Sage jsage at finchhaven.com
Wed Jul 24 16:58:28 GMT 2002


Russell et al:

Taking some responsibility for launching this interesting discussion:

> From: John Sage <jsage at finchhaven.com>
> Date: Sat, 20 Jul 2002 20:49:10 -070
<snip>
> In that context, yes, IMHO, "personal firewalls" are snake oil.
<snip>

let me return to the fray..

On Wed, Jul 24, 2002 at 07:58:12AM -0700, Russell Washington wrote:
> <snip snip snip snip snip>
>  
> I responded to Peter in private, since I felt like this thing was veering
> back into the realm of distraction.
>  
> But I have to point something out and ask a question.  Twice now this debate
> has been inflamed by someone who walked in and started pushing the virtues
> of ZA and its contemporaries as viable options, with the usual stance being
> that its good points somehow outweighed every single one of the concerns
> raised about the product.  This "outweighing" has not necessarily been
> explicitly stated, but it has been implicit in the "well what else would you
> use?" arguments that attempt to squelch the discussion by killing off the
> validity of any criticism.

Well, at ZDNet, Zone Alarm and Zone Alarm Pro show "user ratings" of
95% and 92%, respectively.

"Just because everybody does it, doesn't make it right"

..or the best. So Zone Labs has a good PR department, and a subset of
ZDNet readers buy into it, and/or in some undefined sense, a greater
number of people "voted" for these two products.

As far as this thread bringing out the Zone Alarm crowd, so what? As
any carny will tell you, you've got to expect that there'll be some
shills in the audience.

People need to believe in the choices they make...


> So my question is as follows:  What is the real debate about here?  Is it
> about:
>  
> - whether personal firewalls are useful in any form at all?

I would say that this was the real initial topic.

That topic was immediately poisoned by the pejorative "snake oil", and
the lack of any consistent definition of "personal" and "firewall"
both, but there you have it.

From there, the debate touched upon several subtopics:

1) can a (purchased or free as in cost) consumer-oriented firewall do
any good if it hides complexity from the user, and demands nothing
from the consumer in terms of learning and thinking?

2) can a consumer-oriented firewall be truly useful if it operates as
a black box: the user knows nothing of its operation, and in fact
cannot learn anything of its operation as it is a closed-source
product (closed-source not only in terms of the source code for the
application itself, but also for any rules files and/or definition
files..)

3) can a consumer-oriented firewall be truly useful if it makes
unknown assumptions about what are "threats", and if it requires
active participation from the consumer to keep rules files updated?

4) can a consumer-oriented firewall be truly useful if it operates by
pop-ups that suddenly appear in front of what the consumer was
*really* doing at any given moment, to ask the consumer to respond to
cryptic questions; see: point 1

My answer to all of these remains pretty much what it would have been
if someone had listed these points, initially:

No, no, no, and no

Because:

> The biggest issue is simply that "home users" are most often running
> Window$, often running services that they are utterly unaware of (the
> home Win 2K user running IIS without knowing it; viz: the ongoing
> Code Red and Nimda epidemic continues almost unabated, one *year*
> later..), and most "personal firewalls" follow the Window$ model of
> hiding unpleasant details that require reading and thinking and
> decision-making from the hapless consumer.

(Please excuse my use of the pejorative "Window$" :-/ )

> - whether personal firewalls are comparable to more traditional firewalls
> ("real" firewalls, according to some, myself included)?

Despite the popular bromide, you really can compare apples and oranges,
if you want.

But the comparison would show "personal firewalls" to be less
effective in almost any sense, see: points 1, 2, 3, 4, and my
"Because", above.


> - the inability to really lock down much of anything, with any product, in
> the context of an end-user whose priority of convenience destroys security
> whenever that user has the power to do so?

This too is a critical point IMHO.

If one was to create a definition of "personal firewall" that
definition would have to start out with the statement that "personal
firewalls" are consumer-oriented products, which, by implicit
definition, demand little to no understanding or thought to use.

"Personal firewalls" are consumer products.

Consume them.

Buy one, put it on, don't worry about a thing. After all, ZDNet said
it was the best.

(No: ZDNet didn't. It just received the greatest number of "votes")


> I say we pick a topic.  Or maybe we pick all of the topics and start some
> new threads.  At the rate this thing is going it's looking twistier than the
> roads on some auto ads I've seen recently.  But more to the point, every
> time this seems to start to die down someone kicks it back up and the
> meaningfulness of the thread is getting lost.
>  
> My two bits.

Big endian, or little endian?


- John
-- 
"Cowardly refusing to create an empty archive."

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 



