What do folks think of this ????

Discussion in 'other firewalls' started by Kalkriese, Jul 4, 2005.

Thread Status:
Not open for further replies.
  1. Kalkriese

    Kalkriese Registered Member

    Joined:
    Feb 23, 2005
    Posts:
    25
    I found this on the Sam Spade site, I thought I'd post it to see what others think about it. Personally I think it's kind of spurious, in spite of whatever "qualifications" the writer alludes to in his piece.
    What do you think o_O

    Check it out:

    "Personal Firewalls" are mostly snake-oil

    A 'personal firewall' isn't a firewall. A firewall is a dedicated box with (usually) two or three ethernet ports running no services other than a firewall. My preferred configuration is an x86 box with a couple of tulip cards running FreeBSD or OpenBSD and ipf, though you can do OK with Linux and iptables too. You can run either on a $100 obsolete PC. (*BSD is better, but Linux is easier for a new user to configure).

    Even the little hardware NAT boxes that you can get for sharing a DSL connection or cable modem are way better than any 'software firewall' (The NetGear RT311 and RT314 are extremely sophisticated and flexible NATs and start at less than $100 - they do full NATing, allow port forwarding and filtering to a protected network (NetGear Firewalls and NATs).

    So... what does a 'personal firewall' actually do? Well, effectively it listens on all the ports on your system. This provides no real additional security over turning off the services that you don't use.

    I'll repeat that - it provides no real additional security over turning off the services that you don't use. (Maybe it'll block trojans from phoning home, but A) if you've run a trojan your system is completely compromised and B) http://cyberpunks.org/display/356/article/).

    What it does do is break standard network applications (such as traceroute) and, more importantly, if badly written it will claim normal background network traffic is some sort of attack, alarming the user for no good reason. I've never heard of a 'personal firewall' that isn't badly written in this way. That doesn't mean one doesn't exist.

    Why do the authors do this? Two reasons, as far as I've been able to gather.

    The first is that most of the people writing these applications know next to nothing about IP networking. They may be pretty good windows developers, but they have no idea what normal network traffic looks like. That should make you nervous about their ability to block any real malicious intent.

    The second is more insidious... Why is an end user going to buy / register / upgrade their 'personal firewall'? They're not going to do so if they don't perceive any benefit from it. If it were a properly written application that just sat there, doing its job quietly in the background, users would forget it was there. But if it pops up warnings about 'attacks' all the time then it's clearly Doing Something. Most of those warnings are entirely frivolous - normal network traffic. And the remaining few... well... if the 'personal firewall' has protected your system from the supposed 'attack'... why do you care about it? You're safe from that supposed 'attack', right? So why pop up warnings and alerts? To make you feel you're getting a service from this program and so you'll pay for updates or 'Pro' versions.

    The bottom line is this... If you care about your home network security a lot, and you're interested in it, spend the time to learn about networking and build yourself a standalone firewall.

    If you don't want to spend that amount of energy on it, buy a standalone dedicated NAT or NAT+firewall box. I like the NetGear RT-311 and its siblings, but there're a bunch of others out there too. It'll sit there, do its job and never bother you again.

    If you want to play with a piece of windows software that makes you click all over the place, there's always minesweeper.

    If you'll feel safer sleeping at night knowing there's a 'personal firewall' running on your system, then install one. As long as you pay no attention to the "hack attacks" it reports it's better than nothing. A free one, ideally, as few of them are worth paying for. Turn off all the alerts and logging - you'll just waste your time (and, more importantly to me, my time and the time of other network administrators your complaints go to) increase your blood pressure and provide no benefit to you. If you really want to leave them turned on and see where traffic is coming from, feel free, but remember that most of the traffic you see is harmless, and that even if it isn't harmless it can't affect your system (if it could, it wouldn't be logged). Oh, and try not to waste admins time with frivolous complaints.

    "But, but, but reporting these alerts to network administrators will help them catch crackers!"

    Uhm, no. I know a whole bunch of network security and abuse staff. The response to any complaint with ZoneAlarm, BlackIce etc logfiles in it is to close the ticket, usually with an annotation like 'GWF' (Goober with Firewall). 99% of those reports are frivolous, about normal network traffic. In the remainder of cases there's nowhere near enough data in the logfiles to provide any idea of why the end user is upset. If you send frivolous complaints that just wastes the time of the staff receiving them and prevents them from handling real security issues. How do you tell if a complaint is frivolous? If the sender doesn't understand basic networking, it's almost certainly frivolous. If the sender is complaining based on 'personal firewall' logs, it's definitely frivolous.

    The abuse desk staff I talk with hate users of 'personal firewalls' more than they hate spammers. That should tell you something about how useful your complaints will be.

    "You're just a unix bigot and don't like Windows applications!"

    I don't like Windows applications for networking, no, as Windows isn't very good at it in general (with a few exceptions - some of the kernel level networking code in NT4 and NT5 is extremely sophisticated). As for being a unix bigot... I'm a Microsoft Independent Software Vendor, subscribe to Microsoft Developers Network and in my spare time produce Windows Network Applications.
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Last edited: Jul 4, 2005
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Most people who have taken the time to research firewalls have probably read this and similar articles, and the links that CrazyM posts. The topic has been and probably will continue to be discussed ad infinitum et ad nauseum. My favorite offshoot is the "router vs firewall." Those who tout the power of the mighty router probably are still trying to figure out how a lowly firewall blocked a UDP datagram sent to port 1026 that the router let pass:

    Unsolicited UDP gets by NAT?

    Like all security products, users will weigh the advantages of having or not having a firewall. For example, the article states:

    Many home users I knew in the Win9x days never used a firewall (including myself). It was pretty basic to shut off ports within Windows. But with Win2K, the problem became magnified; and while there may be valid reasons for disabling certain Services, with a firewall set up to give permission for certain ports and block everything else, connecting out to the internet doesn’t have to be the sole reason for turning off a Service.

    Another related topic was mentioned in one of the threads CrazyM posted:

    ----------------
    Many of the PSFs are now becoming security suites; and IDS is one of the new functionalities that are now being picked up. We could even talk about that: Should firewalls (whatever flavor) incorporate IDS, anti-Trojan software, anti-virus software, 'sandboxing', registry monitoring, file authentication? Or should these functionalities rely in separate utilities (possibly from different vendors inasmuch as they rely on different technical skills in many instnces).
    ----------------

    For example, my firewall was supposed to flunk a majority of a set of so-called firewall leaktests, yet I passed all but two - not because of the firewall, but because of other security measures in place.

    For those like myself who favor letting the firewall be a firewall, ie, packet filtering, great interest remains in the future of such projects as the "Kerio 2x-like open source project." But that’s for another discussion.

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  4. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,101
    Hi Rich,

    Would you care to elaborate on what other security measures you have in place? I'd like to know - I'm always looking to increase my security in cost effective ways - and also were the firewall leaktests the ones from http://www.firewallleaktester.com ?

    Tx,

    -- Tom
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Mine (not recommended for everyone) is pretty cost effective :cool:

    1) Awareness and alertness [free]

    2) Various tweaks to the system [free]

    3) Kerio 2.1.5 firewall [home edition is free]

    4) Anti-Executable [licensed user - $24.95]

    5) Deep Freeze [licensed user - $24.95]


    Yes.

    I ran those tests several times under different conditions to test several things.

    1. First time, I passed all of the tests :cool: because downloading the programs was blocked as unauthorized executables. My point here was that these tests (they are just trojans) in order to run must download with my permission.

    2. Then, I permitted them to download so I could run them to test other security measures. Most tests would have passed just because IE is blocked on my system. So, to be fair, I permitted IE to run. I failed the DNS test and I think two others - I can’t remember - the ones with several parts. The others passed because Anti-Executable blocked the unpacking/loading of a dll. These are the so-called dll injection tests which many firewalls (including Kerio 2) fail. I demonstrated this in another thread, where I showed how products like Anti-Executable and Process Guard (which prevents the specific hook from loading) take care of these exploits before they reach the firewall.

    My point is that the firewall is being called upon to do things it was not designed to do. The quote in my earlier post here from one of the articles CrazyM listed about firewalls becoming security suites, highlights the dilemma in the firewall industry. Many companies will feel left in the lurch by the competition if they don’t offer an all-in-one product.

    If users 1) really evaluate their computing habits, and 2) think through carefully what’s involved for a trojan or worm to execute, then you plan your security measures accordingly around your perceived threat.

    I submit that the firewall can be left to do it's original job, and various other security measures will take care of the other stuff.

    That’s it.

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  6. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    yes Rich, this can be achieved like this. and at the end you got something to do :) talking about therapy in some cases :D
     
  7. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Hi Rich,

    Very astute observations. Plus the fact that not everyone has the latest and greatest hardware to run 5 to 10 security related programs or the knowledge to use them and still do some work on their computer. After all, this is what computers are for. Yes, you do need security programs, but at what cost.

    Regards,

    Jaws
     
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Rich, you sound like a prime candidate for CHX-I. Have you tried it?
     
  9. Arup

    Arup Guest

    And CHX-I is free too........works on its own or with other firewalls pretty nicely too.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Kerodo,

    No, but I read with interest your thread on Kerio 2 and CHX from a few months ago. The issue that stood out was fragmented packets. One result of that was ICMP type 3 to random addresses.

    I notice that BZ was not able to replicate the ICMP 3 issue. I follow BZ's suggestion to block outbound ICMP 3 in Kerio, so I would never be worried about it.

    As for the fragmented packet issue itself - well, there are two sides to this, and I’m with those who don’t perceive it as much of a threat.

    Not being one to needlessly tinker with programs unless absolutely necessary, I wasn’t persuaded to try CHX.

    Regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
    Last edited: Jul 8, 2005
  11. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Rich - The fragmented packet problem is truly real, even though BZ and some others were not able to detect it themselves. Others found it to be true. I believe the only reason I ran into it was because the Messenger spammers were fragmenting packets to port 1026/1027 for almost a year, and they were hitting me with these regularly. This has since stopped though (recently), so if I were running Kerio 2 now, I'd never know there was any problem.

    I have to agree with BZ and others though, that it's not much of a threat. On my system, the worse thing that happened was a few UDP packets got thru to closed ports. That will never hurt anything. I see no great reason not to use Kerio 2.

    CHX-I is truly a great piece of work though. If you like Kerio, you would also like CHX-I I think. It lacks the typical outbound app control that Kerio has, but if you have other programs watching executables like you mention, then that may be all that's needed with CHX.

    Sometime when you get the urge to try something new, definitely give it a try. :)
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks, will do :cool:

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  13. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Hi Arup - Yep, CHX-I works fine with almost any other firewall. And the amazing thing is, as you say, it's free. Couldn't be better... :)
     
Loading...
Thread Status:
Not open for further replies.