[Dshield] "Personal Firewalls" are mostly snake-oil"

Stephane Grobety security at admin.fulgan.com
Fri Jul 26 07:12:19 GMT 2002

>> Costing many times more than a software, requiring knowledge of an OS
>> that no home user will ever touch or upgrade. You are exactly like the
>> mechanic that changes the brakes on his car for bigger ones while
>> looking down on "mundane" who can't do the same, taxing them of "not
>> being aware of the basics of security".

GB> Now here's where _I_ beg to differ.  I'm currently running a 486 DX2/80 system 
GB> with 32 megs of RAM and a 2.4 Gig HDD as my firewall/NAT machine.  The OS is 
GB> Red Hat 6.2 which cost me nothing but the time to d/l it and burn it to CD.  
GB> The cost of the machine was exactly nothing since it was given to me.  Total 
GB> cost thus far: 40 cents for the CD's.  I don't know about you but I sure 
GB> can't purchase Norton's Personal Firewall for 40 cents.  Nor can I purchase 
GB> Zone Alarm Pro for that price.  Nor any other piece of commercial firewall 
GB> software.

I still don't agree: 1/ You already HAD that machine around. You might
have special recycling channels, but I really doubt any home user can
get that old stuff without spending a lot of time. 2/ You don't count
your ability here. Hardware/software cost is not the only issue:
setup and maintenance is the most time-consuming and error-prone task,
and no home user could properly maintain such a machine.

GB> As for "...an OS that no home user will ever touch or upgrade..." obviously 
GB> you've either never used Linux or believe the M$ propaganda.

Oh please, get real. How long has it been since you actually met a
real home user? Most can't even plug their machine in properly... And
even the relatively good can't cope with the complexity of Linux.
Sure, if someone sets their box up for them (or even, with luck and
some good distro, some will have the system running) but that's still
a long shot from having a useful machine. And when you start with
firewalling, it's simply MUCH too complex. And I'm not even starting
on the "patch that machine" issue...

GB>  Either way, 
GB> you're missing out on a lot of fun.  And I'm a typical home user who *does* 
GB> apply the needed patches and upgrades.  (With a _real_ OS you don't need to 
GB> spend half your life applying patches.)  >:)

Come back when you have more than a couple of servers to manage and
maybe you'll have a different opinion on how fun it is to
patch/maintain OSes and applications.

GB> In closing, I'd also like to add that I've not been breached in the 
GB> approximately three years I've used my "home brew" firewall.  Not bad if you 
GB> ask me.

And you think yourself a typical home user? Think again. Home users
don't find it fun to patch their OS. Home users don't find it fun to
have to follow half a dozen mailing lists and about the same number
of web sites only to have a good chance not to miss a critical patch.
They don't want to have to know the inner workings of TCP/IP and config

They want (and, IMNSHO, have a right to) systems that work with as
little hassle as possible and don't require three years of
experience to get working in a relatively secure manner. And in that
respect, personal firewalls, while not being the "best possible tool",
are often good enough for the task.

As for the "not bad", I'll tell you another story: I have a server
that has been exposed directly to the net in a hosting center for 7
years now (actually, it has been two different machines). Since it
was a single machine, not part of a network, its only protection was a
"personal firewall" product. In all that time, there were only TWO
issues with this machine, both due to configuration errors (one
world-writable FTP folder that became filled with folders and a breach
of an unused user forum). Not bad, I'd say...

