[Dshield] "Personal Firewalls" are mostly snake-oil?

Peter Stendahl-Juvonen peter.stendahl-juvonen at welho.com
Wed Jul 24 17:15:53 GMT 2002

Gene, et al.

I apologize that I did not express myself clearly enough, if I raised a
question whether ZAPro is rule free or not.

In my experience I do not regard ZAPro as "rule free". Would you like to
expand on what "rule free" would mean in regard to ZAPro? What kind of
rules cannot be set, to your knowledge or experience?

I am a novice when it comes to Internet protocols. Therefore I value the
following in ZAPro. The product (GUI + on-line help providing several
links to helpful and useful sources of information) helps the user in
what most of us seem to consider the most challenging: in promoting USER
EDUCATION/AWARENESS. The innovative product interface educates the user
gradually (but sometimes by big steps) by guiding the user in everyday
usage of the product and providing him/her with the information needed
to tailor the software firewall to meet the user's evolving requirements
for safe (i.e., less hazardous) connecting to the Internet.

It would appear - even though we no doubt fall into two different
categories: you as an expert and myself as an amateur - that we strive
to focus on things that promote same basics:

1) We both set (custom) rules for what we do not want to take place or
want to allow regarding traffic to and from the Internet to and from our
2) We both use vulnerability analysis. My approach is modest: I use
Microsoft Baseline Security Analyzer by Shavlik Technologies on a
regular basis (plus additionally explicitly check for latest security
updates and Hotfixes using among other things Windows 2000 Professional
and Office XP Professional Product Update Web page applications + latest
security issues, vulnerability and patch information lists). I have
tried to use Microsoft Network Security Hotfix Checker (Hfnetchk.exe)
Tool also, but my understanding is that the current version does not
support the nationalized versions of W2K Pro. Besides, to my
understanding, the product is at least partially integrated into MBSA. I
log all but two things in system, application and security logs and of
course analyze that information.

3) As for [N]IDS - I plan to evaluate the product(s) that I have so far
found the most interesting from my viewpoint:

a) "PureSecure(tm)" and/or
b) "PureSecure(tm) Personal Edition for Unix and Windows" both from
Demarc Software at http://www.demarc.com/
c) WinPcap driver 2.3 (prerequisite to the above)
d) Snort Network IDS Engine 

Downloads: "PureSecure Personal Edition for Unix and Windows" and
"PureSecure Professional Evaluation for Unix and Windows" at

[Related] Other Software Downloads (Snort Network IDS Engine + Snort
Network IDS Engine DB Patch, etc.) at

4) I try to educate myself by glancing an eye over useful Web pages
(e.g. searchSecurity, TechRepublic, SANS Institute, The Center for
Internet Security (CIS), Wilders.org security advisors, Stratvantage
Consulting, Gibson Research Corporation, Sam Spade.org, National Cyber
Secure Alliance, TechNet and Microsoft's other relevant Web pages).

5) We would also seem to share the same view that keeping up with
security is an ongoing process. What is done is unfortunately almost
always reactive from the collective viewpoint. Often a breach of
security is discovered by exploitation by malicious activity and only
then patched. From the individuals' viewpoint patching one's own system
before something has happened at the individual users installations it
can be interpreted as active (as it should be).

Everyone, of course, judges from one's own perspective. I do not consider
any of the input to this issue as wasting bandwidth. It would not leave
scale (left) for some real waste of bandwidth if such a thing exists.
However, I admire those blessed with the talent of pruning and an
excellent sense of humour.

-----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org] On Behalf
Of Gene Bradford
Sent: Tuesday, July 23, 2002 8:56 PM
To: list at dshield.org
Subject: Re: [Dshield] "Personal Firewalls" are mostly snake-oil?

Peter, while i can't agree with everything you say, i respect your
opinion and your right to express it.

i happen to believe, however, that Zone Alarm is inherently flawed for
the reason you mention...rule free.  i like to know what's in my FW and
it's attempting to do.  thus the rule sets can be very precise and
individually tailored to suit the environment and not just a generic
all" as ZA attempts to be.

of course i'm using other tools in addition to ipchains.  the point here
that just a FW by itself won't stop the black hats.  i also use custom 
designed vulnerability assessment, intrusion detection and logging tools
well as the latest security updates that have thus far stopped the bad
in their tracks.  but i'm not going to fool myself into believing
work forever.  someone with enough patience will ultimately succeed.
always do.  this is my _hobby_ but to the script kiddies, it's their
so a lot of wasted time is devoted towards these efforts.

unfortunately Steve Gibson has come under quite a few attacks from the
beginning of his "public" career.  while this isn't the place nor the
to discuss those attacks nor the reasons behind them, i'd suggest you do
search on "steve gibson" and go to some of the listed sites.  while some
the typically rabid "he's no good" rants, some are quite informative and
worth the read.  (as borne out by a gentleman who was Steve's supervisor
on an early job.)

ok, i've wasted enough bandwidth for today.  thanks for listening.

take care....gene

On Tuesday 23 July 2002 08:26 pm, Peter Stendahl-Juvonen wrote:
> Keith, Jens, John S., Richard, Stephane, Russell, Johannes, Frank,
> H., David, “Mrcorp”, Michael, Erik, “ddrass”, Gene, Francesco, Mark,
> al.
> Thank you for the interesting opinions served “on and off the subject”
> via this forum.
> In this e-mail I will
> 1)      comment some opinions and ask questions in the hope of getting
> constructive answers
> 2)      present my solution for consideration
> 3)      provide excerpt of independent research by a third party
> 4)      list an alternative hardware solution for consideration
> 5)      try to respond to the original issue by Keith (the answer being
> also all over this email)
> To Keith: Thank you for initiating an interesting series of e-mailings
> and interesting opinions. Please find my response to you at the very
> of this message.
> To Johannes: [“Sure, I would like nothing more than every home user
> taking plenty of SANS courses and getting GIAC certified. But I have
> illusions that this will not happen.”]
> I suppose the word “not” is excessive in your last sentence. Perhaps
> your subconscious took control when writing that down expressing your
> sincere, inner wish.
> You make excellent recommendations contributing to safe computing. I
> could not agree more. Please consider adding “malicious code detection
> and removal tool” to the list of requirements. In today’s reality it
> should be business as usual. By “malicious code detection and removal
> tool” I mean a tool that not only detects and removes malicious code
> residing on disk files but also stops malicious code from execution.
> To Frank: [The majority of the software out there prevents users from
> attaining that degree of smartness.  Why even the people who develop
> that software are not smarter than the stuff they are selling.  Look
> all the patches and revisions that are silently made available to
> who finally discover that something is not right.] I find this as a
> rough generalization. It’s a false claim in all respects regarding my
> case.
> To Jens: I agree on all but one thing, i.e. [But: Firewalls do NOT
> protect from remotely exploitable bugs in your software. So, if you
> (for example) a vulnerable IIS, a remote attacker can still gain
> to your system, and possibly compromise it despite your firewall.]
> On workstations a software firewall will
> 1) Prevent remotely exploitable bugs from entering your system -
> you allow them to do so
> 2) Stops remotely exploitable bugs from “calling home”.
> As for IIS, please consider other alternatives, i.e. safer products.
> Also bear in mind “Defense in Depth”. You need several layers of
> protecting you from different threats but the several layers should
> preferably overlap.
> To John H.: [...unfortunately these are largely the same users who
> been conditioned to click [OK] to get the damned distracting dialog
> off the screen without reading and thinking about what it's asking.
> may greatly hamper the effectiveness of personal firewalls on the
> Windows platform - they detect unsafe traffic, but the user tells them
> to permit the traffic just to get them to shut up.]
> What would your recommendation be instead?
> To Russell: [To answer the original poster (Kevin G?) who
> kicked up this dust storm, no, Zone Alarm isn't a waste of your time
> se, but it probably isn't what most have been led to believe it is
> either.  Take a gander at http://grc.com/dos/grcdos.htm towards the
> where the author discusses behavior of a pair of personal firewalls
> regard to a SubSeven trojan.  One FW detects connection attempts and
> asks the user if it's ok to accept the connection.  Better than
> but once you hit OK like
> Joe-no-know user, the bad guy is in.  The other FW let it through
> blanche.  The URL is kind of old and may be out of date, but you'll
> the implicit point:  the only perspective that matters on a firewall
> product is one that is well-thought-out and well-informed.]
> 1) This is an interesting interpretation of Steve Gibson’s research
> testimonial.
> 2) Do not let malicious code in. If malicious code gets in, detect and
> destroy it.
> To: “ddrass” – Another add-on product to consider: VisualZone from
> Visualize Software. It’s Freeware but recommendable.
> [If you're looking for better protection, look for a hardware solution
> that offers "stateful packet inspection". A cheap but decent product
> SonicWall. I use the XPRS2. Cheap but good.]
> Whom are you recommending this box that costs 1,795 $ and is replaced
> the current product “Sonic WALL PRO 100”?
> To Gene: [Now here's where _I_ beg to differ.  I'm currently running a
> 486 DX2/80 system with 32 megs of RAM and a 2.4 Gig HDD as my
> firewall/NAT machine.  The OS is Red Hat 6.2 which cost me nothing but
> the time to d/l it and burn it to CD.  The cost of the machine was
> exactly nothing since it was given to me.  Total cost thus far: 40
> for the CD's.  I don't know about you but I sure can't purchase
> Personal Firewall for 40 cents.  Nor can I purchase Zone Alarm Pro for
> that price.  Nor any other piece of commercial firewall software.]
> You can get the best “free” software firewall, i.e. ZoneAlarm(r)
> [standard, non-Pro version] for 40 cents less. You also save in your
> electricity bill this way in addition that it is hence greener.
> To Mark: [Well I did a practical test .......  I installed Tiny
> Firewall on my girlfriends win2k machine, explained what the options
> meant and why you should use em. Now she aint dumb, but after a couple
> of days of listening to occasionally outraged howls I checked the
> configuration.....  essentially it was "allow all from any to any".
> I asked her why, she said "it was just too annoying having to decide
> from which machine to which and sometimes you had to allow any and
> sometimes not so it was just easier......."
> Until the default installs and actual practices of these products get
> smarter they will remain at best, of limited use.
> p.s this aint a windows issue..... I have seen the same phenomenon on
> unix based firewalls as well.]
> It would be interesting to read why you chose Tiny Personal Firewall
> instead of, e.g. ZoneAlarm(r)?
> Please see what Steve Gibson has to say about the subject (also in
> context further below):
> If you consider yourself more "technically oriented" that you would
> enjoy messing around with firewall rules, ports, protocols, etc. (as I
> do), TPFW might be the best choice for you. But if you just want
> top-grade protection without making a career of it, and if you're
> running a single-processor machine, ZoneAlarm's rule-free system is
> probably the better choice for you.”
> To Francesco: [The debate besides the P.F. should also cover another
> aspect I haven't -yet- seen here:
> who is willing to include in his laptop's carrying bag the smallest
> Cisco/Checkpoint/anyone else's firewall?
> Assuming that such PCs  may also need to be protected in order to
> intrusion and whatever else when they are on the road or at home (but
> not behind a FW) what is suggested here to use? Is nothing better than
> P.F.? is any other hardware device available better than a P.F. for a
> mobile user? Who's willing to let tens of millions of users let alone
> without a P.F. but possibly connecting back to a corporate (or
> university) network sometimes?]
> Excellent point.
> For the time being I would suggest relying on a software firewall,
> ZoneAlarm(r) or ZoneAlarm(r) Pro from Zone Labs, Inc. I anticipate
> in the future we will see integrated [optional] hardware firewalls for
> both laptops and desktops/mini towers.
> I have not personally had the opportunity to do thorough testing on
> Hardware Firewall solutions vs. Personal Software Firewalls. However,
> thorough testing of Personal SW Firewalls has been conducted by at
> one competent and independent third party, i.e. by Steve Gibson,
> Research Corporation. I made my personal choice of solution some nine
> months ago based on the research performed by the meritorious Steve
> Gibson.
> Since the challenge that I faced at that time was to protect a
> standalone personal computer only, I came to the conclusion that a
> personal software firewall is the most applicable solution for the
> evident points brought up by Steve Gibson’s research on the subject.
> So I started with the flagship of free software firewalls, downloaded
> and installed Zone Labs, Inc.’s ZoneAlarm(r) – the free of charge
> version of the product for internal use, home computing. Everyone
> involved was pleased with the solution. The price performance ratio of
> the solution was excellent.
> However, the product was only used for about one month for the
> reasons. I wanted to strengthen the protection as well as increase
> control and was prepared to pay for it. Knowing that version three was
> about to be announced, and that it would most likely have an impact on
> the price of the non-free version of the product, I decided to make my
> move in December, 2001 for the 29.95 $ price - two bundled products
> offer (ZoneAlarm(r) Pro and another product). Now I use the current
> version 3.0.133, and have another 162 days left of product support
> service included in original price as well as including possible new
> releases. ZAPro 3.0 costs today some 50 $, but can be acquired for
> I am happy with this solution. Naturally I do not rely on this
> firewall flagship product solely but follow what was originally
> documented as a “Defense in Depth” method (in the Art of War by
> Machiavelli, 1494-1527) I would suppose. For evident reasons I won’t
> into the details of my all [other] defenses - not even quantifying the
> number of them. What can be said though: At the moment I rely on two
> other flagship products as well for viral and other malicious code
> detection and removal.
> In ZAPro I value the ease-of-use interface, robust three engine
> stealth mode operation (for both the Internet and the so called
> Network), and component level access control for outgoing traffic (on
> *.acm, *.cnv, *.cpl, *.dll, *.drv, *.ftl, *.ocx, *.qtx,
> level). In
> experience configurability and setup match and even exceed individual
> needs and all requirements. (With the exception of dual processor
> support that ZAPro lacks.)
> Having glanced an eye over the following again I would still go for
> same solution. When I want to have more than one computer connected to
> the Internet I will most likely invest additionally in products like,
> e.g. D-Link Express EtherNetwork 4-port Ethernet Broadband Router
> [DI-604] or equivalent at that time.
> Acknowledging the fact that we seldom if ever change our opinions,
> please find below citations on
> “Internet Connection Security for Windows Users” by Steve Gibson,
> Research Corporation
> [http://grc.com/lt/scoreboard.htm], and other quotations of documents
> Web pages referred by him.
> Personal Firewall Scoreboard
> The following information has been gathered by the combined effort of
> many terrific contributors to the grc.leaktest newsgroup. If you have
> experience with other personal software firewalls we hope you will
> your experiences, or if your findings are different from those shown
> below, please come over to the grc.leaktest newsgroup and add your
> voice!
> Security is a constantly moving target and a never ending challenge.
> Therefore, the following results are expected to be accurate only for
> the first version 1.0 of LeakTest. In other words, the following
> firewalls are "Leak-Proof" ONLY relative to their behavior with
> 1.0 of LeakTest. When version 2.0 is created it is likely that these
> results will change.
> Firewall Considerations, versions, etc.
> McAfee Firewall v 2.15+ — Update to get version 2.15 or later
> Sygate Personal FW (FREE) v 4.0+ — FREE for personal use!
> Symantec / Norton  v 2.55+ — LiveUpdate to get version 2.55
> Tiny Personal FW (FREE) v 2.0.7+ — FREE for personal use!
> ZoneAlarm (FREE) Never Leaked
> ZoneAlarm Pro Never Leaked
> Tiny Personal Firewall — A terrific FREE Firewall: For some reason I
> unable to get TPFW to work on my main dual-processor Windows 2000
> workstation. I wanted to use it since it is fully multi-processor
> compatible and ZoneAlarm is not. It operated correctly under Windows
> 98SE on a test machine, but it didn't like something about my main
> dual-processor, dual-NIC, multi-IP, multi-display system. <<grin>>
> If Tiny's firewall works on your system, and if you so consider
> more "technically oriented" that you would enjoy messing around with
> firewall rules, ports, protocols, etc. (as I do), TPFW might be the
> choice for you. But if you just want top-grade protection without
> a career of it, and if you're running a single-processor machine,
> ZoneAlarm's rule-free system is probably the better choice for you.
> You can grab a copy of TPFW from CNET's Downloads site here:
> www.downloads.com, where Tiny Software suggests you go to grab your
> copy. If you read the comments being left by people it is clear that
> TPFW2 is working very well for the majority of sane posters. It is a
> nice and secure firewall.
> Firewall Considerations, versions, etc.
> PC-Viper v 3.1.6+ — Doesn't Leak, but seems "unfinished" (see below).
>  PC-Viper v 3.1.6 — In a class by itself: PC Viper has the distinction
> of being the first "fixed" firewall which initially failed the version
> 1.0 LeakTest. Just so we're clear: PC Viper version 3.1.6 passes all
> aspects of the v1.0 LeakTests. Although Source Velocity's current
> solution undeniably works, the current implementation has a few quirks
> and odd behaviors which bear noting:  All application connection
> attempts are initially immediately denied rather than being
> pending the receipt of the user's permission. As with the original
> Sygate solution, this may force the user to restart or re-initiate
> whatever work the denied connection was attempting to perform. Other
> personal firewalls are able to "pend" the application's access request
> while the user decides how to reply.
>  The version 3.1.6 user-interface apparently needs some updating,
> there is no visible provision (that I could find) for viewing the
> current set of "Internet enabled" applications. All other
> application-blocking firewalls allow the user to see and edit which
> applications have been granted and/or denied access.
>  And speaking of being denied access, the current version apparently
> does not record and store the user's application denial responses at
> all. This means that every time an application, that you want to deny
> Internet access, attempts to access the Internet, you'll be forced to
> reply "no" again and again.
> As a result of these implementation quirks, while I certainly want to
> acknowledge PC Viper's quick response to the application masquerading
> vulnerability, I hope that they intend to flesh out this "patch" into
> full-function solution sporting a complete user-interface.
> At the moment, PC-Viper falls short and I could not bring myself to
> group it in with the much more correctly working and "finished
> firewalls above.
> Firewall            | Trivial EXPLOITS | Masquerade VULNERABLE
> AtGuard             | None Known       | YES (in same directory)
> BlackICE Defender   | Doesn't block unknown Trojans, Viruses, or Spyware
> Conseal Desktop     | None Known       | YES (in any directory)
> Conseal PC FW       | No Provision to block Trojans, Viruses, or Spyware
> eSafe Desktop       | YES (stealth)    | YES (in any directory)
> PrivateFirewall 2.0 | None Known       | YES (in same directory)
> Lockdown 2000       | No Provision to block Trojans, Viruses, or Spyware
>  WRQ has asked me to point out that AtGuard was discontinued in 1999.
> included it here for reference and comparison because so many people
> continuing to use this otherwise excellent firewall.
>  Aladdin's eSafe Desktop has an extremely worrisome characteristic: A
> simple variation in any application's Internet communications approach
> renders the firewall completely transparent and allows any malicious
> software to pass through this firewall and gain unrestricted access to
> the Internet. This can be easily demonstrated by activating LeakTest's
> "Stealth" mode.
> Also, when an application is "denied access" there is no provision for
> remembering that access should be blocked for that application. The
> will therefore be asked every time the application attempts to use the
> Internet.
>  Masquerade Vulnerability:
> Please see the previous page for a discussion and explanation of the
> executable file masquerading vulnerability suffered by many current
> firewalls.
>  Accuracy of these Findings:
> The information contained in the table and text above is believed to
> accurate and representative of the current release version of all
> products discussed. We will entertain any and all factual rebuttals
> will work to maintain this page so that it continues to accurately
> reflect the current state of the personal firewall marketplace.
> Hardware Firewalls/NAT Routers [http://grc.com/lt/hardware.htm]
> External firewall and NAT router appliances (like our favorite Linksys
> <http://www.linksys.com/products/product.asp?prid=20&grid=5> Broadband
> EtherFast Cable/DSL Router) provide excellent "natural protection"
> external intrusion hacking. For systems where a NAT router makes sense
> (i.e. multiple machines sharing a single Internet connection) we
> recommend the use of a good NAT router. We prefer the Linksys due to
> stability, ease of use, and rapidly expanding feature-set in response
> marketplace demands.
> However, no hardware of any sort, running outside of a computer, can
> possibly provide comprehensive protection against the very real
> from the internal extrusion of your personal and private information.
> The access rights of INDIVIDUAL applications can ONLY
> be managed and controlled through the action of some
> form of "agent" able to watch from INSIDE the computer.
> The HOT setup . . .
> My specific recommendations are, of course, subject to
> change and reconsideration in this highly dynamic Internet security
> market. However, today — as for the past six months — there is no
> and more secure solution than running a single, external,
> <http://www.linksys.com/products/product.asp?prid=20&grid=5> Linksys
> router — providing redundant external intrusion protection — coupled
> with copies of the FREE ZoneAlarm firewall — providing the PC
> most comprehensive internal extrusion management.
> (Note: The money you save by running the free ZoneAlarm firewall
> on multiple computers more than pays for a Linksys router!)
> We note that this solution does not offer the additional features of
> parental control, advertising, and cookie blocking offered by, for
> example, Symantec's NIS product line, but Symantec's solutions are not
> free, and they all currently fail to provide comprehensive internal
> extrusion protection.
> D-Link Express EtherNetwork 4-port Ethernet Broadband Router
>  Author: Joseph Moran
>  Review Date: 7/17/2002
> [http://www.practicallynetworked.com/review.asp?pid=470]
> Summary
> The D-Link DI-604 packs a lot of features into its diminutive chassis.
> It would have a lot going for it even at twice its price, but at less
> than $50, it's practically a no-brainer. I doubt you could find a more
> complete residential broadband router even if you were willing to
> more, but really, why should you?
> Unless you need major integrated features that the DI-604 lacks, (like
> print server, modem backup, or wireless LAN) you won't need to look
> further than this D-Link router.
> Recommended by Smitty
> [http://www.practicallynetworked.com/opinions/index.asp?pid=470]
> on 7/21/2002
> BOTTOM LINE: A lot of features for the price.
> REALITY vs. EXPECTATIONS: much better than I expected.
> DETAILS: I have been using WinRoute as my router for 2 years now. i
> decided to start looking for a full featured router that wasn't too
> expensive. I picked this di-604 up at Best Buy for 19.99,
> This router has a lot more feature than it should for the price. My
> complaint is the switch is a little slow compared to my Linksys. Had
> turn off the VPN, it was lowering my RWIN to 8192 which was causing
> slow internet access. GREAT PRODUCT!
> Finally To Keith: Congratulations for acquiring the flagship product
> all software firewalls on the market. It gives you significant means
> strengthen the protection of your system.
> However, to improve your overall safety I would recommend at least
> another two flagship products. Please consider Symantec’s “Norton
> AntiVirus(tm) 2002” and “PestPatrol” from PestPatrol, Inc for the
> protection against viral and other types of malicious code.
> These three solutions together meet minimum requirements according to
> standard.
> As for O/S and file system my recommendation would be: Microsoft(r)
> Windows(r) 2000 Professional and NTFS assuming them to be suitable for
> your platform.
> This way you have a reliable, stable, robust operating system and a
> file system empowering powerful features plus the minimum of defense
> systems.
> Best Wishes,
> Peter Stendahl-Juvonen
> The best defense is attack! Attack people with your peace, with your
> love, with your silence, with your joy - that's the best defense, and
> that is a great service to the humanity too. -Osho Rajneesh
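The "masquerade vulnerability" in Gibson's scoreboard above (LeakTest renamed to the file name of an already-trusted program) comes down to how a per-application firewall identifies the program asking for network access. The following is an added illustration, not code from the thread or from any of the products discussed: three simplified trust policies (by file name, by full path, by SHA-256 digest) are run against a constructed impostor placed first in another directory and then over the trusted program's own location, mirroring the scoreboard's "in any directory" versus "in same directory" distinction. File names and contents are made up for the demonstration.

```python
"""Added example: why per-application firewall rules should key on the
executable's content, not its name or path. Policies are toy models."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class NameOnlyPolicy:
    """Trusts any file whose base name was approved: the scoreboard's
    'YES (in any directory)' case."""
    def __init__(self):
        self.names = set()

    def approve(self, path):
        self.names.add(os.path.basename(path).lower())

    def allows(self, path):
        return os.path.basename(path).lower() in self.names


class FullPathPolicy:
    """Trusts the exact approved path: 'YES (in same directory)', because
    an impostor written over the trusted location still matches."""
    def __init__(self):
        self.paths = set()

    def approve(self, path):
        self.paths.add(os.path.normcase(os.path.abspath(path)))

    def allows(self, path):
        return os.path.normcase(os.path.abspath(path)) in self.paths


class DigestPolicy:
    """Trusts the approved file's digest; a renamed impostor does not match."""
    def __init__(self):
        self.digests = {}

    def approve(self, path):
        self.digests[os.path.basename(path).lower()] = sha256_of(path)

    def allows(self, path):
        expected = self.digests.get(os.path.basename(path).lower())
        return expected is not None and sha256_of(path) == expected


def masquerade_demo():
    """Constructed scenario. Returns {policy: (allowed_from_other_dir,
    allowed_after_overwrite_in_same_dir)}."""
    genuine = b"constructed: bytes of the genuine browser.exe"
    impostor = b"constructed: bytes of a LeakTest-style impostor"
    with tempfile.TemporaryDirectory() as root:
        trusted_dir = os.path.join(root, "Program Files", "Browser")
        other_dir = os.path.join(root, "Temp")
        os.makedirs(trusted_dir)
        os.makedirs(other_dir)
        trusted = os.path.join(trusted_dir, "browser.exe")
        with open(trusted, "wb") as f:
            f.write(genuine)
        policies = {"name": NameOnlyPolicy(),
                    "path": FullPathPolicy(),
                    "digest": DigestPolicy()}
        for policy in policies.values():
            policy.approve(trusted)            # user clicks "allow" once
        # Case 1: same file name dropped in another directory.
        elsewhere = os.path.join(other_dir, "browser.exe")
        with open(elsewhere, "wb") as f:
            f.write(impostor)
        other_dir_results = {k: p.allows(elsewhere) for k, p in policies.items()}
        # Case 2: impostor overwrites the trusted program in place.
        with open(trusted, "wb") as f:
            f.write(impostor)
        return {k: (other_dir_results[k], p.allows(trusted))
                for k, p in policies.items()}


if __name__ == "__main__":
    for policy, (any_dir, same_dir) in masquerade_demo().items():
        print(f"{policy:6s} other dir: {any_dir}  same dir: {same_dir}")
```

A digest check covers only the executable image itself; the component-level (DLL) control the post credits ZAPro with extends the same idea to libraries loaded into an already-trusted process.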
