BBC-TV Computer Security Video For Non-Techies

This BBC-TV video, in 6 minutes, shows very plainly how dangerous the internet is today.

It won't show anybody here anything new, but if you have friends or family that don't read here regularly, it's worth sharing with them. And with anyone who questions the necessity of having a firewall, as in "I only have a dialup connection..." etc.

It omits only 1 detail - which relates specifically to the example shown - but other than that, IMHO, it is relevant, current, and very brief.

Reply to
Chuck

A perimeter defense is a necessity. But protecting yourself within your LAN is a good idea too. Protecting yourself with just a perimeter firewall is a security policy from 5 years ago. Times have changed, and the bad guys have found new exploits. Layered security is a must.

Lots of software has programming design mistakes, that can be exploited by the bad guys. You should protect yourself, even with software that you trust.

Every operating system, if improperly configured, will have security holes. Not just Windows.

Layered security, properly applied, includes updating the CKI (Chair To Keyboard Interface).

And it includes not posting your email address openly, which will get you more unwanted email, than wanted email. Learn to munge your email address properly, to keep yourself a bit safer when posting to open forums. Protect yourself and the rest of the internet - read this article.

Reply to
Chuck

Well any application improperly installed, configured, or maintained, is going to be a problem. But not having a security component, just because you fear you might not know how to use it, is like not having a car because you fear getting into an accident. How many folks don't have a car solely because they fear getting into an accident?

The term CKI is imaginary. The need for a properly educated computer user is not.

Reply to
Chuck

Not really. It shows how dangerous unpatched Windows is.

I wouldn't let them see it. If I did then they'd insist on installing unnecessary personal firewall software that they wouldn't be able to use and would be calling me every other day about whether or not somewindowsapp.exe should be allowed to connect.

I'd have already set them up with an external box or modem with built in NAT and configured them as a user not an administrator. And a few other things.

Jason

Reply to
Jason Edwards

Unnecessary? I think this is not correct. Everyone should use a personal firewall. It's defense at the application level which in my view is critical! Much progress has been made in firewalls which will help the user to make the correct decision as to whether they should leave an application access to external networks. If your client/friend is that important then you will take 5 mins to explain how they can figure out what they should and shouldn't allow access.

Regards, Ian Kenefick

Reply to
Ian Kenefick

In article , Chuck wrote:
:A perimeter defense is a necessity. But protecting yourself within your LAN is
:a good idea too. Protecting yourself with just a perimeter firewall is a
:security policy from 5 years ago. Times have changed, and the bad guys have
:found new exploits. Layered security is a must.

Protecting yourself with a "personal firewall" can be worse than not doing so. My experiences with application level firewalls have been fairly discouraging -- if even I can't figure out how to get them configured the way I want, then my users haven't a hope. But the user that puts in a "personal firewall" and then thinks themselves safe is going to relax their precautions, and often is going to get a very "rude awakening" (except they'll just think the virus/trojan exploited something new, when the truth is their firewall let through something very old.)

Also, I don't seem to have come across any application-level firewalls for Unix systems. When the resolver lib detects that the name I requested is not in cache, I'm unclear on how some software that -I- am running is going to interface with the name server daemon to determine whether it is allowed to contact certain IP addresses on my behalf...

20 years ago, the Apollo unix-like operating system ("Domain"??) allowed a Unique ID for each executable, and ACLs for each file could specify which programs were allowed to access them in various modes (e.g., this *one* program is allowed to write to the accounting database). That doesn't seem to have caught on. [On the other hand, considering that Internet Explorer is "part of the operating system", there wouldn't be a separate UUID for it anyhow...]

Reply to
Walter Roberson

This is not a solution. But a good step forward :)

I don't know. Ask those infected with viruses? See your last point :-D

I disagree. Lots of successful worms don't exploit known win32 vulnerabilities.

ha ha. I do agree with you here :-D

Regards, Ian Kenefick

Reply to
Ian Kenefick

But no-one (except the people who read this group) knows how to configure one. And even if they do you can't have software (personal firewall) defending against software (malware) on the same computer, especially not if it all runs at the same privilege level. That will just result in a competition which will be won by the malware. The cleverest coder will win.

If I thought I'd need to defend myself against the behaviour of an application then I wouldn't allow it to be installed or run to begin with.

No, I wouldn't bother in a home user situation. It would go in one ear and out the other. As for a business situation, well, just think about it. Mr collegeleaver with his qualification in English Literature has just joined the poetry department. During his first week he gets one day of training in how to use the personal firewall on his PC. Or maybe he doesn't. If he doesn't then why didn't he need it?

Jason

Reply to
Jason Edwards

Why not a simple resolution without adding more unstable and exploitable code to your system?

Just stop offering (unnecessary) network services to the internet.

If you don't trust a software, why did you install it?

If the Windows standard installations wouldn't offer half a dozen (for home installations) unnecessary network services, we would have a lot less spam and virus/worm-mailings.

And people shouldn't click on every colorful icon, which happens to be longer than half a microsecond under their cursor...

Reply to
Andreas Rauer

[snip]

You are misunderstanding the purpose of a personal firewall. It's not the letting stuff through - they do a pretty good job stopping that with little or no configuration. It's the stopping stuff getting out which is good. It gives the user control over network connections.

[snip]

You cannot compare UNIX and Windows - this rant is completely off topic.

Regards, Ian Kenefick

Reply to
Ian Kenefick

:>themselves safe is going to relax their precautions, and often is
:>going to get a very "rude awakening" (except they'll just think the
:>virus/trojan exploited something new, when the truth is their firewall
:>let through something very old.)

:You are misunderstanding the purpose of a personal firewall. It's not
:the letting stuff through - they do a pretty good job stopping that
:with little or no configuration. It's the stopping stuff getting out
:which is good. It gives the user control over network connections.

No, you are misunderstanding what I'm saying. I'm saying that the "personal firewalls" I have seen are largely a bunch kizlode at stopping anything, incoming or outgoing. How do I know that my Windows system isn't busy sending mass email? I don't -- because the personal firewall doesn't even notice. How do I know that my Windows system isn't letting in packets without my knowing it? I don't -- because I can prove that it's letting them in despite my having told it to reject EVERYTHING.

Fails to block incoming, fails to block outgoing: that adds up to a completely false sense of security.

:>Also, I don't seem to have come across any application-level firewalls for
:>Unix systems.

:You cannot compare UNIX and Windows - this rant is completely off
:topic.

The poster I was responding to did not qualify by operating system in stating the necessity for a personal firewall.

Reply to
Walter Roberson

No need to delete my email address, Chuck: with over 20,000 copies of it on the 'net, only the most incompetent of spammers would miss harvesting it even if it were never posted again.

:>Protecting yourself with a "personal firewall" can be worse than
:>not doing so. My experiences with application level firewalls have
:>been fairly discouraging -- if even I can't figure out how to get
:>them configured the way I want, then my users haven't a hope.

:Well any application improperly installed, configured, or maintained, is going
:to be a problem.

There was nothing "improper" about the way I installed, configured, or maintained the personal firewalls I tried: the ones I have tried plain didn't work, even when told to reject -everything-. Remove all the default rules, put in one that says deny all, and very little got stopped.

:But not having a security component, just because you fear you
:might not know how to use it, is like not having a car because you fear getting
:into an accident. How many folks don't have a car solely because they fear
:getting into an accident?

There was a good article in roughly December 2004 in one of the magazines I read (probably Harper's), in which the author visited a professional testing track and tried out three or four kinds of vehicles -- including an economy car, an SUV, and a high-performance sports car. The most responsive of the vehicles was the sports car -- but after driving the sports car, the author found that he was taking turns and allowing distances according to the capabilities of the sports car. The SUV was big and heavy -- people feel *safe* in the SUV, because there is so much metal around to protect them. And which car had the lowest accident rate? Answer: the economy car -- because people driving an economy -know- they don't have sharp handling or big steel around them, so the people in the economy cars drive most carefully. The accident rate in SUVs is *way* higher than in economy cars. The user, having installed a system they feel safe with, fails to take reasonable precautions, whereas the user who feels insecure is more cautious and so has many fewer incidents.

Have you not heard the saying, "The only thing worse than not installing a firewall is installing one -- and then not monitoring it."?

It happens over and over again: firewalls get installed, people feel safe, people get lax about security, people don't even notice they've been broken into... after all, "The firewall stops attacks, so it isn't worth checking for them." I fear that the majority of "personal firewall" users are likely to fall into this trap.

Reply to
Walter Roberson

Way wrong.

What's the user group most users are members of right out of the standard installation cause nothing works right when running windows as a standard user? Right, Administrator...

So, what chance does a "personal firewall" have, when my sweet bugging worm is getting executed with (the same) administrators privilege?

Right: Zip. If myself kills it via task manager, the worm via process id or name, or just clicks the "allow"-button faster than my eye, it gets out. And that's the script kiddie way.

Tunneling via an already privileged application is much sneakier ... IE as an example. Or it does funny DNS tunneling....

The CCC (Chaos Computer Club) had made a good presentation just about this topic: pity it is in German.

Conclusion: Personal Firewalls suck. They mostly can't stop anything from getting in, and stopping something getting out is impossible.

Even a good host based packet filter (HBPF) [like the windows firewall or the old tiny and kerio personal firewalls] can't stop something sneaky tunneling via something else.

Reply to
Andreas Rauer

You're right: they exploit PEBKAC. But the /others/ exploit old known stuff in RPC, DCOM, IE, LSASS,....

User education is (or should be) one of the first things in security concepts... pity, most users seem not able to remember for more than two weeks how to shut down their PC .... (ok, most calls often concern stuff like "how do i change the paper tray in my printer driver?", but again, they call on a regular basis...*sigh*)

Sometimes I'm really proud of myself, for hammering my mother and she remembering it: "if it's in $unknown_language and/or has an unwanted/unexpected mail attachment: either ask me or delete it anyway"

Andreas

Reply to
Andreas Rauer

I delete the email address, when replying to any article where the poster openly exposes it to the internet. If not for you, for the clueless newbies who don't know that exposing an email address to the internet is not a good idea.

The clueless newbies are the ones who will be vulnerable to the worm of the month that arrives in their Inbox shortly afterwards, and to the CKI exploit that's involved, and will soon provide yet another owned computer in the latest botnet. And help raise the spam level yet another notch.

I'm sure that you install, configure, and maintain everything properly, Walter. You're claiming that other folks shouldn't have personal firewalls because they might not install, configure, or maintain everything properly.

It's called layered security, and it's part of risk management. You layer your security to minimise the overall risk that you take. One component of layered security is awareness, and you're right in that it's an essential component.

You have to promote awareness in a positive way. If you're going to tell folks not to put a personal firewall on their computer, because they might not use it properly, you should probably go to Walmart, and tell Walmart not to sell computers because their customers might not use them properly.

I'd bet we would both like to see a mandatory training and certification process for new computer users. But that won't happen. So do your part, and educate everybody you can in your own way. And fix their systems when they fsck them up.

Reply to
Chuck

And contrary to your OP, Andreas, firewalls block traffic attempting to exploit vulnerabilities which exist in these, with the exception of IE.

Regards, Ian Kenefick

Reply to
Ian Kenefick

Unsolicited sending of SMTP traffic usually causes an alert on a 'Good' personal firewall.

Sygate, Zone Alarm, Kerio, Norton, McAfee, F-Secure out of the box will stop this before asking your permission.

Ok, if you say so. When I tell my firewall to block everything it does. I also can prove this.

I agree. This is your PC without a personal firewall.

Win9x/ME, 2K/XP :-)

Regards, Ian Kenefick

Reply to
Ian Kenefick

That's completely untrue.

Depends on the malware and the firewall. No fact here at all.

You don't need to. What about an automatic network worm attempting to download a payload?

Subjective. Depends on who is interested in their security. Most of the people I deal with *are* interested and do take an interest.

Like with any aspect of the job if it is a priority as security should be then you should be able to communicate it - security policies and instruction on the use of a personal firewall to staff.

Regards, Ian Kenefick

Reply to
Ian Kenefick

This is my experience with most home users and non-technical office travelers too. Malware can control any Personal Firewall Application running on a computer/laptop, they are almost not worth using as they give a user a false sense of protection.

Reply to
Leythos

Let me put it another way then. Most people who install personal firewall software do so because other people (including BBC web sites) tell them to. They don't do it because they have any clue what the software they are installing actually does. They don't do it because they want to control what the computer connects to. They don't even know what a connection is in the TCP/IP sense.

You've never come across a user who had a personal firewall shut down by malware then? I have. And the user didn't even know it had happened. Perhaps you've never compiled and tested any of the example code out there which shows how easy it is to make an outbound connection without a personal firewall noticing anything. It's difficult to get more factual than that.

Is this the worm described on that BBC web site? Why didn't they advise using an external box to reject inbound connection requests? A suitable box costs very little. Why didn't they mention the version of Windows XP used? Why didn't they mention Windows Update? Why didn't they mention whether they were logged in as an administrator or a user? Why do they endlessly repeat the same old "install a personal firewall and anti-virus software"? Anti-virus software is almost as useless as personal firewall software. The last virus I came across was due to a 12 year old with an XP administrator level account using MSN Messenger. AVG noticed it TWO DAYS AFTER the computer had been started in safe mode and HijackThis used to cut it out of the hosts file and the registry.

Most of the people I deal with don't even know that taking an interest would be a good idea. They expected the computer and broadband modem setup to work properly out of the box. No-one told them they needed an engineering qualification to have any chance of keeping their bank details private.

Expecting staff in an organisation of any size to be able to use and configure personal firewall software on their PCs is a laughable idea in my opinion.

Jason

Reply to
Jason Edwards
