Recurrent question

Might be 1% as well. Like you said: you don't know. That's why personal firewalls can't enforce *security* the way they propose.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

In 100% of the cases where an outbound connection is harmless, the "Personal Firewall" will prevent it, because it can control applications that don't prevent being controlled.

In exactly 0% of the cases where data is being transmitted by dangerous malware, whose programmer does want to do harmful things and is not an idiot and knows that there are "Personal Firewalls" in the wild now, can the "Personal Firewall" prevent this communication.

There are some cases left in between, where the programmers are dumb (and therefore mostly harmless) or where the malware is from times when no "Personal Firewalls" were known.

Yours, VB.

Reply to
Volker Birk

This is a very dangerous wrong assumption, you're telling us here.

You should not only have a look onto those ridiculous "mail worms", which your virus scanner is reporting, but onto malware, too, which is really dangerous, and is not widespread but represents a serious attack.

BTW: the Witty-Worm is an example for a widespread malware, which even uses "Personal Firewalls" to spread.

Yours, VB.

Reply to
Volker Birk

Funny, I've seen a PFW stop a virus with its own SMTP engine as the virus was not permitted outbound access. Guess that proves you wrong again. I would not call a virus with its own SMTP engine harmless.

And there are some cases where the person posting is also dumb, but not harmless, like you, VB.

Reply to
Leythos

The particular malware was not sufficiently evil enough.

No.

The particular malware was not evil enough to try to attack or circumvent the PFW. Some malware does this (sometimes successfully, sometimes not), some does not; Bugbear was quite successful in attacking or shutting down Personal Firewalls.

Wolfgang

Reply to
Wolfgang Kueter

Then we agree - it's a "Maybe" type situation. Some PFW software DOES work against most everything, some doesn't, and some depends strongly on the user to know what they are doing when they set it up and create rules.

I've not seen a properly configured PFW solution, on a properly configured machine, with a user who has had the rules explained, be compromised inbound or outbound yet - but I can sure say that I've seen many a Windows XP Firewall user compromised, as well as many people that don't run PFW products.

Reply to
Leythos

I guess we read different authors. My quote was a direct pilferage of Terry Pratchett. Cheers, E.

Reply to
E.

I believe your example falls into the "programmers are dumb" category. Or, more likely, just lazy. They know that they will still get by most firewalls, because the users have already configured them to let smtp through so that they can send/receive mail. The ones that didn't, they just don't care.

Just because you can find an example where the PFW works doesn't mean there are lots of times when it won't. Counting on the PFW because it works sometimes leaves you in a very precarious position.

-Russ.

Reply to
Somebody.

There are many examples in both cases, got through, didn't get through. I disagree with the blanket statement that PFW do not stop outbound. If the statement had been conditioned with "some outbound", or with "improperly configured system", etc., then I would not have taken exception to it.

I personally never trust a single source solution, and never trust a Microsoft solution for security.

Reply to
Leythos

This is how I feel also. The stance that Volker and friends take is one that is much too black and white. They are saying that since 1 evil malware can get through a personal firewall, then we should dump ALL personal firewalls and that they are completely useless. This is obviously silly and not true. Not to mention irresponsible.

Reply to
Kerodo

Your breakout application is something that makes use of an OPEN Internet Explorer handle (the last time I looked) and is not a proof of concept for anything serious. As a matter of fact, it didn't work on my Windows XP system with the firewalls disabled even.

Reply to
Leythos

Silly and irresponsible is to tell the opposite.

I heard for months and years on d.c.s.* (the German sister groups of this newsgroup) that "Personal Firewalls" prevent "outbound connections" and "phoning home".

Of course, I told people that this cannot be true. It cannot be true because of the existence of tunnelling as a concept. It cannot be true because of the architecture of Windows. Choose one of the two.

I never saw a "Personal Firewall" in action before. But this was obvious; it is obvious to every person who understands security concepts in networking and/or knows how Windows works.

And I heard: "if you never saw a Personal Firewall, you just don't have a clue of this topic - there is no proof that they're useless!!!1!!!111"

So I took a few minutes of my time and hacked

This code just ignores any "Personal Firewall".

I publicized it. And: exactly _NONE_ of the "Personal Firewalls" on the market at that point in time managed to prevent this communication.

I _never_ _saw_ a "Personal Firewall" in action before, I didn't own one or have one for writing this code or even for testing it, and it took me a _few_ _minutes_ to take _every_ "Personal Firewall" for a ride with 27 lines of code?!

WTF do you think a security system has to achieve? WTF do you think a security system _is_?

Perhaps you should think about it.

Yours, VB.

Reply to
Volker Birk

The thing is, every time you use a PFW product, you *are* in fact trusting a Microsoft solution for security. Such products can do *nothing* without riding on top of Microsoft code. Break the MS code (easy, frequent), and you have broken the PFW. You should really look at running linux instead if this is how you feel.

PFWs can stop *some* outbound activity in my opinion. So, even granting that's true, you simply must understand that when you're using them, you can *easily* be victimized by code that does unauthorized outbound connections, even if it does stop some of them.

Simply locking your car doors in Harlem might keep some of the thieves out if you leave your car there for a week. It really might. It stopped a guy from opening my car doors last week in a parking lot.

-Russ.

Reply to
Somebody.

By this reasoning an anti-virus program would be completely useless because it can't stop all viral infections.

I can see your point though. There is a lot of code out there for defeating personal firewalls. But I think people use them for what they can do rather than what they can't do, because most of the time they do the job in hand. They are useful on laptops for example.

I think one of the best uses for a rules-based personal firewall is to interactively teach users what is happening on their computers, and tell them when it is happening. If you delete all the default rules and start from scratch, you soon build up a picture of the ports in use on your system, and the processes that use them. I know this information can be gathered in other ways, but personal firewalls bring it all together and allow detailed logging.

Personal firewalls are popular. I think people will continue to use them no matter how insecure they are, or how many insecurities they add to the system, purely because they like them. Kerio 2.1.5 is a good example of that. It's easily bypassed using fragrouter, but some people don't seem to mind because it's unlikely to happen to them.

Ric

WARNING: Prolonged use of personal firewalls can lead to use of harder tools like Ethereal.

Reply to
Ric

Yep, just because something isn't perfect 100% of the time doesn't mean it's useless. And true, personal firewalls are used by millions, and I doubt that will ever change.

Reply to
Kerodo

Consider the source. I plonked that guy a long time ago. So have a lot of others.

Reply to
Quaestor

Yeah, he's about worthless - right after I said his "proof of concept" didn't work on properly configured computers, he kill-filed me - funny he couldn't address his failures.

Reply to
Leythos

No. An Anti-Virus program is useful exactly the same way a SPAM filter is.

An Anti-Virus program DOES NOT PROTECT FROM EVERY VIRUS infection. But it does help to filter out the annoying trials of so many malwares which are in the wild.

Protection against viruses is only achieved by wise behaviour of PEBKAC (and not using Windows, but OSes which have much fewer problems in this field).

So Anti-Virus programs can _help_ to prevent malware from running on your PC. So can firewalls.

But it's completely useless to try to prevent malware which already is running from doing what it wants to do, with the exception of concepts like capability based systems (which are designed to do this) and virtualization techniques (which are designed to do this) or at least techniques like BSD's jail or Linux' seccomp (which are designed to do this).

The latter techniques (or something like that) are impossible with Windows, because of the fact that Windows messages are a pushing IPC without any security system, and that all Windows applications rely upon this.

Yes. And it's trivial to write it.

The opposite is true.

It is completely useless to teach somebody about technical aspects of what's going on, who is not able to understand even the basics.

A security system for end users has to do its job _invisibly_ to the user, it has to _secure_ the user whatever he does, and the worst mistake is to depend on the user's decisions.

Everything I can (or must) read on c.s.* and d.c.s.* documents this: users don't even understand that a "port" is not a "door" or a "harbour", but just a maintenance number. They don't understand what a process is - of course they don't, because how should they? Without hearing about operating systems and the concepts of userland and kernelspace, and why protection is implemented, and what is meant by "protection" here, how should they at all?

Without knowing about the TCP/IP protocol family, and knowledge about the BSD sockets API, how should anybody understand what's going on here?

Teaching users by alerting "The process svchost.exe tries to open port 53, do you want to allow this?" - IBTD.

Even an IT professional cannot answer this question correctly, and %USERNAME% cannot understand what's going on here at all.

Yes. This is the problem Microsoft brought to us by being so stupid as to open sockets and even offer DCE RPC to the Internet with every home user's Windows box _before_ Windows XP SP2.

And since then, there is the Windows Firewall. It is only the second best concept, because it's ridiculous and dumb of Microsoft not just to stop offering TCP servers and RPC to the whole world, but at least they filter this away afterwards.

So now "Personal Firewalls" are completely useless, even if one does not stop those TCP servers and DCE RPC manually.

And: they often are dangerous, too, because many of them open additional security leaks you don't have with just stopping TCP servers and RPC or by using the Windows Firewall.

I fear, you're right here.

Yours, VB.

Reply to
Volker Birk

"Personal Firewalls" aren't "not 100% perfect". They're completely useless because of being superseded by the Windows Firewall, but many of them are dangerous because of their security breaches, especially Symantec Norton, Outpost and Sygate. And they're very dangerous, because their "security" relies on the user's decisions, which is a b0rken concept and a security breach itself, as with Zone Alarm, for example.

Yours, VB.

Reply to
Volker Birk

Hm... Again, Questor is soliloquizing.

VB.

Reply to
Volker Birk
