R: [Dshield] "Personal Firewalls" are mostly snake-oil?

Johannes Ullrich jullrich at sans.org
Wed Jul 24 17:14:16 GMT 2002

Ok. To inject the original question:

"Are Personal Firewalls mostly snake-oil" ?

My quick answer:

No. Personal Firewalls are a perfectly good method for a
home user to add an extra layer of protection to a stand-alone
system.

While there are better firewalls, they are harder to administer
or more expensive. No firewall provides protection against the
administrator of the firewall. And any firewall should be seen
as just one layer in the overall 'defense concept' (do I have
to say "defense in depth"...)

Which personal firewall is best? I don't know. But I recommend
that you just try one of the free ones and see how well it works
for you. Don't expect too much in terms of outbound protection.
There have been countless posts to about as many mailing lists
about how to trick a firewall into allowing outbound connections.
In particular for a desktop system, outbound control is more of
an illusion than reality. But all personal firewalls I checked
lately do a reasonable job with that and defeat 90% of the trojans.

There are 'concept trojans' that use covert channels via email or
by attaching themselves to Internet Explorer to request certain
URLs. But I have yet to see any of this in wide circulation. Most
of the malware I see just opens a straight connection to some
random IRC server.

jullrich at sans.org             Collaborative Intrusion Detection
                                    join http://www.dshield.org
