It seems every firewall is slagged as snake oil. So how should it be done?

From reading this newsgroup, there seem to be an incredible number of postings that basically say that no personal firewall should be used on a PC as they are all basically snake oil and don't really do much.

I am not sure if these responses are just from trolls that like to slag off everything, or whether there is truth behind it all.

This therefore leads to the following question.

If the personal firewalls like Kerio, Comodo, Zone Alarm, Online Armor etc are no good, then what should be used? Or are these guys saying that we should just stick with a normal router and the Windows Firewall? Or are we talking about a major investment in hardware?

This is a genuine question, not a 'light blue touch paper and stand back' goad.

TIA

Martin.

Reply to
Martin C

It is going to depend on your OS and your home setup.

If you have no services which respond to inbound connections then the firewall is not needed. If running Micro$oft, we know there are a few open services. :) Therefore you need a firewall.

We know malware either disables the firewall or pokes holes in the OS firewall. Therefore, it is better to have a router or dedicated hardware firewall as the first line of defense.

If you have two or more M$ systems on the same network, then each system needs a firewall for protection from the other M$ system. :( Latest example, Conficker malware is now on version 3. It is even crawling into embedded OS devices. :(

Except for dialup users, most people wind up with a home router from their ISP. If it does Network Address Translation, then you have your hardware firewall, assuming you have closed any pass-through ports in the router.

Since the above became the norm, and/or everyone was putting in software firewalls, the crackers moved to getting access from inside the system. They do that by finding exploits in the software that plays/reads files from the Internet (flash, pdf, gif, MP3, WMA, WMV, MP2,...).

Last time I looked there was a new piece of malware created about every 20 seconds. Some of that malware calls home. To help throttle that problem, software firewalls started blocking outbound connections. Windows Firewall does not block outbound connections.

When you get a firewall popup about some application wanting to get out you can start worrying/wondering if you have an infection or was it an official Windows update. Even then you have no protection there if malware attaches itself to an application you have already authorized for outbound access. :(

General stats seem to indicate the Anti-Virus vendors will get you an update to find it about 6 weeks later. :-(

Check out what is currently running around


Reply to
Bit Twister

Not quite, they serve a purpose as long as you understand their limitations and their failings.

As an example, if you remove all Exceptions from the Windows Firewall on an XP computer, you can reasonably safely connect to a Wireless network at a public hot spot, same for a hotel. If you don't check your exceptions then you're most likely exposing something you were unaware of.

When I travel I take a small NAT router with me, using the connection in a hotel or at customers' sites, to block inbound to my laptop. When I need wireless, I use the Win XP firewall, have no exceptions, and ensure that my computer is not offering any services I don't know about.

The problem is that most people don't have a clue and most people don't know about all of the exceptions enabled in the XP firewall or other firewalls if used.

So, if you're where you can use one, use a NAT router, at least, and if you're out and about, check your Win firewall exceptions FIRST and EACH TIME, then connect to the wireless.

Reply to
Leythos
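The pre-connection check Leythos describes (what is listening, what the exceptions open, then lock the profile down), together with the inbound/outbound default Bit Twister mentions, as an added PowerShell example that is not part of anyone's post. It assumes Windows 8/Server 2012 or later, where the NetSecurity and NetTCPIP modules exist; the XP-era equivalent of step 3 is `netsh firewall set opmode mode=ENABLE exceptions=DISABLE`. Run it from an elevated prompt.

```powershell
# Added example (not from the thread): audit what this machine exposes before
# joining an untrusted network, then harden the Public profile so inbound
# connections are blocked regardless of per-application exceptions.
# Assumes Windows 8 / Server 2012 or later (NetSecurity, NetTCPIP modules).

# 1. Every socket that would answer an inbound connection, with the owning process.
#    Anything bound to 0.0.0.0 or :: is reachable from the hotel LAN, not just loopback.
$listeners = @()
$listeners += Get-NetTCPConnection -State Listen |
    Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
$listeners += Get-NetUDPEndpoint |
    Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess

$listeners |
    Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') } |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Proto   = $_.Proto
            Address = $_.LocalAddress
            Port    = $_.LocalPort
            PID     = $_.OwningProcess
            Process = if ($p) { $p.ProcessName } else { '?' }
        }
    } | Sort-Object Proto, Port | Format-Table -AutoSize

# 2. The firewall "exceptions": every enabled rule that allows inbound traffic,
#    with the ports it opens. This is the list to review before connecting.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name     = $_.DisplayName
            Profile  = $_.Profile
            Protocol = $pf.Protocol
            Ports    = ($pf.LocalPort -join ',')
        }
    } | Sort-Object Profile, Name | Format-Table -AutoSize

# 3. Harden the Public profile: block inbound by default AND ignore the allow rules
#    listed above, so a forgotten exception cannot expose a service on the hotspot.
#    Outbound stays allowed here; switch -DefaultOutboundAction to Block only if you
#    are prepared to write an allow rule for every program that legitimately needs
#    the network (otherwise the popups will train you to click "allow").
Set-NetFirewallProfile -Profile Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -AllowInboundRules False `
    -NotifyOnListen True

# 4. Make sure the adapter you are about to use is actually classified as Public;
#    otherwise the Private/Domain profile, with its exceptions, is what applies.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
# Set-NetConnectionProfile -InterfaceAlias 'Wi-Fi' -NetworkCategory Public
```

Step 1 is the check that matters most: a firewall exception only hurts when a service is actually listening behind it, and a service listening on 0.0.0.0 with no rule in step 2 is still exposed once the profile allows inbound rules. The adapter name in the commented `Set-NetConnectionProfile` line is an assumption; substitute the alias printed in step 4.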

Definitely use a NAT router. But in addition to that, ALL of the firewalls you mention are very good. Anyone claiming they are snakeoil is just ignorant. Some work better than others, depending upon your situation. At times, they can cause conflicts with other software. So try one for a couple weeks. If you don't have any new, unexplainable problems with your system, then stick with it.

Try this. Go to grc.com and run the ShieldsUp! service and download/run the leaktest. Note the results. Then install a software firewall and do the same. I'm sure you will find a significant difference.

Reply to
Geoff Smith

Make sure you disable UPnP on it, though, or malware on a user's computer will still be able to poke holes in it. Also this doesn't affect tunneling stuff through other protocols.

HAHAHAHAHAHAHAHAHAHAHAHAHAHA!

- A system that doesn't have any open ports, because it doesn't have any services listening on the external interface, doesn't need a personal firewall to protect the system from direct inbound attacks.

- A system that is properly patched isn't vulnerable to attacks targeting the already patched bugs.

- Personal firewalls cannot protect services that are supposed to be accessible to begin with.

- When the user is working with admin privileges, personal firewalls can be disabled from the inside, even if they employ rootkit techniques.

- Malware should be prevented from being run in the first place, not from communicating outbound after it's already running. There are various measures helping to achieve the former, including, but not limited to: disabling autostart on removable media, using Software Restriction Policies, setting appropriate "execute" permissions, or running (up-to-date) AV software.

- The popups of personal firewalls are more confusing than anything else, because in order to understand these messages, the user would have to have a good understanding of both networking and Windows internals. Which is quite uncommon with the target group of personal firewalls.

- The logging of personal firewalls usually is laughable, since vital information is omitted.

On top of that, more often than not personal firewalls introduce additional vulnerabilities on the system they're supposed to protect:

- Automatic network shunning (default with various personal firewalls) can be abused by an attacker for a DoS attack.

- Some personal firewalls run interactive services with elevated privileges, making them susceptible to shatter attacks.

- Exploitable bugs in personal firewalls can be used to compromise the system. This has already happened ITW (W32/Witty.worm).

And you dare call the critics of personal firewalls ignorant?

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

Anyone who claims they are snakeoil (i.e. They offer no added protection whatsoever) is ignorant. Of course there are valid criticisms. Are they perfect? No. Are they helpful as an additional layer of protection? For most people, yes.

Is it possible that they can include bugs that compromise a system? Yes. But you could say that about ANY piece of software. It's a red herring. If a person wanted to be totally locked down against any possible security vulnerabilities from bugs in software, he/she would have to remove every single piece of software from the computer, including the OS.

Reply to
Geoff Smith

Laughable, there are no fully valid points in your post.

A system is always vulnerable to ICMP DoS unless the firewall is instructed to ignore ICMP packets.

There are always zero-day vulnerabilities. Having a firewall can help to prevent these vulnerabilities, since most vulnerabilities assume a vanilla system.

Personal firewalls should not be used for web server in the first place.

That is true even for a hardware firewall, and it is true for any kind of protection. Even moderately security-conscious people would not be so foolish as to run as Administrator nowadays.

HAHAHAHAHAHAHAHAHAHA!!

What a laugh... I'm sure in your unfirewalled system there is a worm that is currently contacting home, and you are CLUELESS about its existence because your firewall didn't tell you (OOOOPSS I forgot you don't have firewall).

Fully updated antivirus? Do you think a "fully updated antivirus" stands a chance against a zero-day vulnerability? A firewall has a much better chance against zero-days since it does not rely on signatures.

I doubt that. If there is a program named autorun.exe trying to get access to Internet, I'm sure anyone moderately computer literate will be suspicious.

How is no logging compared to some logging?

Which is better than a compromised system. Anyway, most personal firewalls can selectively block the attacker's IP address without blocking the whole network.

Better than an unfirewalled system, which can be easily turned to a zombie without any effort to do shattering.

A worm can only target a very small and specific set of firewalls. In the case of the Witty worm, it can only break through the ISS firewall; it won't be able to break my Comodo firewall or my Kerio firewall. By adding diversity, it makes it harder for a worm to have widespread impact. By having a uniform configuration (i.e. all no firewall) it is only a matter of time before the worm makes the next hop.

And you dare claim you know anything about security?

Reply to
Lie Ryan

You could get an old machine and use some linux distribution as a firewall, but you will need to know what you are doing.

The best firewall is the one you build yourself and on its own dedicated box.

IPCop is a great Linux Firewall if you have a spare computer to install it. And your main computer can still run Windows or anything else you like.


Reply to
Frank Merlott

I think this sums it up rather well for Windows firewalls:

"Instead of reducing the number of network-aware services, a personal firewall is an additional service that consumes system resources and can also be the target of an attack as exemplified by the Witty worm.

If the system has been compromised by malware, spyware or similar software these programs can also manipulate the firewall because both are running on the same system. It may be possible to bypass or even completely shut down software firewalls in such a manner.

The high number of alerts generated by such applications can possibly desensitize users to alerts by warning the user of actions that may not be malicious (e.g. ICMP requests).

Software firewalls that interface with the operating system at the kernel mode level may potentially cause instability and/or introduce security flaws and other software bugs."


Reply to
Gary

Only for the ignorant. Ignorance is not a defensible position.

I agree entirely, a lot of people would be far safer with a sheet of paper and a pencil, providing the pencil wasn't too sharp.

Reply to
Kayman

The Witty worm only targets a specific firewall from a specific vendor, not something to be bothered about.

Yeah, it is possible, but for such a thing to happen the malware has to bring a payload to disable it. That means the malware writer must write code to bypass all firewalls in existence. That means the malware writer must be a real genius to know how to bypass all firewalls.

That is actually fine. Each system would have different security flaws, which means there is no single malware that could disable them all.

Reply to
Lie Ryan

Following your logic, instead of securing the systems we use, fill them with vulnerable software of various flavors in order to confuse malware writers.....

You don't know what you're talking about. Bypassing all firewalls has been done already by normally skilled programmers with the necessary understanding of Windows.

How exactly do you think today's malware writers who write malware for money are spending their time?

Reply to
Root Kit

Or the better option: shut them down. Why have potentially vulnerable network services running if you don't need them?

You either need or don't need to provide network services to others in the same network. A firewall is not the most obvious solution to that.

The main security related issue here is that you actually expect to get a pop-up.

Another issue is that the vast majority of warnings you get are false positives which lowers your awareness.

Which is why your main focus should be to prevent unauthorized code from running.

Reply to
Root Kit

Correction: They are competent enough to realize and honest enough to admit that their system does not provide the base for reliable outbound filtering.

Reply to
Root Kit

All the links you point to are from Microsoft itself. I'm not comfortable putting 100% faith in what they have to say. The holes and flaws in their OS are what have allowed the security issues to become so significant today. And the arguments I read are always filled with "might", "could", "possibly" and things like that.

If you don't want to use a software firewall, fine. Many people find them useful. To call them "snakeoil" is to imply that they do absolutely nothing. And that just isn't true.

Reply to
G

You sound just like a marketing guy being hit by technical facts.

Reply to
Root Kit

Maybe to you. Or maybe I just understand that it is just as important to understand the limitations of the user. It's ridiculous to expect that a typical Windows user (or Mac, for that matter) will even attempt to set up a VPN, edit the registry, disable services, etc.

Reply to
G

That's understandable. I see no reason why software firewall vendors should be more trustworthy, though.

Windows is exactly as secure as what makes sense from a business perspective. If you can't deal with that, feel free to use something else.

BTW, flaws don't disappear by adding stuff to them. They only disappear by getting fixed.

"Find" is the key word.

Wrong. Snake oil implies that the product provides value that isn't real. PFWs *do* provide value - otherwise people wouldn't buy them. The question is whether the value is based on technical reasons or on more emotional stuff.

Reply to
Root Kit

If you don't trust Microsoft (particularly their technical department) this far, you should stop running their operating system. Period. Ken Thompson explains in "Reflections on Trusting Trust" [1] why that is.

Actually the Windows Firewall has had fewer bugs (or "holes and flaws", as you put it) than any personal firewall on the market.

It's an exaggeration, meant to open the eyes of those who still blindly trust in personal firewalls to protect them from all evil.

[1] Ken Thompson, "Reflections on Trusting Trust"
cu 59cobalt
Reply to
Ansgar -59cobalt- Wiechers

IBTD. I didn't write

| - The popups of personal firewalls are more confusing than anything
| else, because in order to understand these messages, the user would
| have to have a good understanding of both networking and Windows
| internals. Which is quite uncommon with the target group of personal
| firewalls.

for no reason.

Normal users do not understand what the popups (or logs) of personal firewalls tell them. And things are even worse when it comes to IPC between program windows. And yet they're expected to make a decision based on information that is a) insufficient and b) not understood in the first place. How sensible is that?

Registry changes can be placed in .reg files, which anyone can inspect. And for services there are [1,2], both open source, so anyone can inspect the source or ask a trusted person to do so.

cu 59cobalt
Reply to
Ansgar -59cobalt- Wiechers
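The "prevent it from running in the first place" measures from the earlier list (disabling autostart on removable media, shutting down services nobody needs) done the way the last post suggests, as an inspectable .reg file, in an added PowerShell example that is not part of the thread. The registry values are the documented Windows ones; the file name, the two service names picked for illustration, and the use of `reg.exe import` are this example's own choices. Software Restriction Policies are left to the Group Policy editor rather than hand-written registry keys.

```powershell
# Added example (not from the thread): write the autorun hardening as a plain-text
# .reg file so it can be read before it is applied, import it, then disable
# services that should not be reachable from other machines at all.
# Run from an elevated prompt (HKLM keys and service changes need it).

$regFile = Join-Path $env:TEMP 'disable-autorun.reg'   # file name is an assumption

@'
Windows Registry Editor Version 5.00

; Disable AutoRun/AutoPlay for every drive type (0xFF = all drive-type bits set).
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
; Make Windows honour NoDriveTypeAutoRun (needed after the KB967715 update).
"HonorAutoRunSetting"=dword:00000001

; Same policy per user, so a user-level setting cannot re-enable it.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

; Belt and braces: map every autorun.inf lookup to a registry key that does not
; exist, so the file is never parsed, whatever the drive type.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
'@ | Set-Content -Path $regFile -Encoding Unicode   # reg.exe expects UTF-16LE or ANSI

# Review the exact change, then import it.
Get-Content $regFile
reg.exe import $regFile

# Verify the machine-wide value took effect (255 = 0xFF).
(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer').NoDriveTypeAutoRun

# A service nobody else on the network should talk to is better stopped than
# firewalled. Which ones is a per-machine decision; the SSDP/UPnP discovery pair
# is used here purely as an illustration.
foreach ($svc in 'SSDPSRV', 'upnphost') {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc -StartupType Disabled
    }
}
Get-Service SSDPSRV, upnphost -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
```

The point of going through a file rather than `Set-ItemProperty` calls is the one made above: the .reg text is the complete, human-readable record of what changes, and it can be handed to someone else to check. The `IniFileMapping` entry is the older trick that works even on systems where the policy value alone was ignored; the policy values are what current Windows actually consults.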
