The Coalition against Personal Firewalls

I just want to second the vote for Cryptainer - an excellent program

Louise

Reply to
louise

Go to

formatting link
You will find a small program that you can use to "lock down" your computer. Yes, this site is the brainchild of Volker Birk. I think he has done an excellent service here.

You see, I don't disagree with the /message/ of the anti-PFW crowd. I'm just sick of the attitude.

I think what PFWs /attempt/ to do or /purport/ to do sounds good, but the basic premise has a fatal flaw. The idea behind the outgoing filtering and application control is that if a virus gets on your system, then at least you can stop it from transmitting personal data or infecting other machines on your network.

The problem is that PFWs are themselves programs and by their very nature they have to insinuate themselves pretty deeply into the guts of your machine. Since they're just programs written by human beings they inevitably have flaws. So what happens is that the PFW itself becomes a big target for hackers and writers of malware. If they can compromise the PFW -- and this has definitely happened -- then due to the intimate "hooks" that the PFW has into the operating system they are actually able to cause much more damage than if the PFW wasn't there at all.

Reply to
Rod Engelsman

First of all, I have not been reading this group for long, so I am not too familiar with the language of the "bad guys". But of course, there is no reason *not* to keep a decent language.

That said, the problem is that the bad guys *do* have some valid points about personal firewalls.

I would not go so far as to say that they are useless, but unless You actually know what it does and how it works it will, by the average user, just be considered an obstacle. Why? Let's consider this: X wants to run this program; X's firewall wants X to consider whether it should be allowed to access the internet. X chooses no for safety reasons, and X's program does not work. What does X do? Stop using the program, or change X's setting to "allow"?

And furthermore it *does* give You a false sense of security. The average user will believe: I have installed something called a firewall and some other security stuff, so I should be safe. Now let's go surfing the web, and let's try some of the funny games from the CD my son got me for free.

Security is about lowering the number of vulnerable vectors. Adding a PFW may lower some but will also add to it.

Security is about education. Any tool is just as good as the one who uses it, and the computer is the most powerful and versatile tool ever invented. It is quite safe to own a car. But before You start driving You had better learn the basics. Owning a PC and starting to "drive" on the internet is even more complex.

Read my further comments to Rod Engelsman's post "between the lines" and have a nice day :-)

/B. Nice

Very true.

Because it is the easiest approach. Don't expect all these companies and organisations to launch international security awareness programs unless they get paid well :-)

Not necessarily. But the writer's awareness is a very positive thing.

True again.

Yup!

/B. Nice

Reply to
B. Nice

Yes. Don't *open* them in the first place...

IF there is no program running that 'listens' to incoming requests THEN that port is called 'closed'. And you do not need any 'gatekeeper' to 'close' that port.

Very simple, isn't it?

greetings, Holger

PS:

formatting link
will help you!

Reply to
Holger Petersen

It seems to be a very small vocal group causing such discord. This group wasn't always this way. It seems that they all have the same typing style, expressions, mannerisms, and demeanor. This means they probably are at least all from the same country. They may even know each other In Real Life ("Hey, come over to this group and back me up!"). Conspiracy theorists may even suggest that a couple of these nyms may just be one unhappy person having conversations with himself.

Personal firewalls are tools & the secret to getting good use out of a tool is how you use it. They have their place in a layered defense, but don't put all your eggs in the personal firewall basket.

Lastly, these guys in this coalition are more often than not spouting the line "Hey, PFWs are crap & if you can't see why I'm right you're a moron." They rarely offer in-depth explanations for their fanatical beliefs & never offer alternatives of what you should be doing instead.

Check Google Groups. Talk of personal firewalls was present & happily discussed in this newsgroup before someone sent in the clowns.

Bottom line is don't let them get you down.

Reply to
gray.wizard

Microsoft's firewall will only block incoming traffic. Third-party products are capable of blocking both incoming and outgoing traffic. This point alone shows that Microsoft's product is far inferior to third-party solutions as it's only doing half the job.

Not to mention that Microsoft's firewall will happily open any ports and allow in all traffic on any port that any program on your PC wants provided the program uses the UPnP protocol.

UPnP scares me more than any flaw/bug in any third-party personal firewall because UPnP was designed from the ground up to allow traffic behind the user's back without their knowledge. Microsoft doesn't even show any dialog boxes or balloon tips when UPnP does its thing.

Reply to
gray.wizard

Agreed...but the third-party apps are good for blocking some outbound connections, especially the ones where privacy is a concern rather than hacking/security.

Reply to
gray.wizard

Just throwing a NAT box between the cable modem & the PCs will be enough for the "Joe Averages" of the world who don't want to deal with the internet minutia.

Some even come with CDs that will change every setting needed on the PCs as well. Find a good sale with rebates & your NAT router may very well cost you less than what some of the personal firewall software costs.

Reply to
gray.wizard

There's some people in this newsgroup who are long on yap and short on substance.

These people need to learn that "Coz I said so." is not a valid counter-argument.

But, hey...maybe the Intarweb works differently in Germany.

Reply to
gray.wizard

Blocking outgoing traffic simply cannot be done reliably as long as at least one program is allowed to communicate outbound (which has been demonstrated several times [1]) and is therefore not a security feature.

UPnP can (and should) be disabled. It's not needed in virtually any case anyway.

[1]
formatting link
cu 59cobalt
Reply to
Ansgar -59cobalt- Wiechers

I'm not Sebastian. Take an actual look at my comments before judging them.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

It can be, though it has gotten better over the last years. Regmon [1] and Filemon [2] from Sysinternals greatly help making stuff work without admin privileges and without having to resort to runas. I put together a small HOWTO [3] in case someone is unfamiliar with the use of these tools.

That's the best you can do. However, working with reduced privileges helps greatly here.

There's always the option to set the proxy for IE to 127.0.0.1:9 and allow the sites you need IE for as exceptions. If you configure these settings statically and don't work as administrator, malware won't be able to change it back, even if it gets executed somehow.

Yes. The problem is not the share itself, but the services needed for accessing it. NetBIOS and DirectSMB both depend on RPC, which is the service that was attacked by the Blaster worm.

[1]
formatting link
[2]
formatting link
[3]
formatting link
cu 59cobalt
Reply to
Ansgar -59cobalt- Wiechers

Blocking incoming is at least a great step forward. By claiming Microsoft does only half the job You seem to have the answer to what the full job is :-) My point is this: Security level is a balance between security and convenience. How do You think average users would react if they started using their new computer and before they even got access to the internet they would have to answer a lot of more or less technical questions about allowing or denying programs access to the internet?

In my opinion MS has provided a firewall solution that makes sense in terms of the balance I mentioned before. And by the way, blocking incoming and allowing outgoing traffic is the standard ruleset for most router/firewall devices out there. If You want a higher level of security feel free to add further security stuff.

Rule: Don't run programs You don't trust.

Most programs do something behind their users' backs.

And most people actually demand something that "just works". And the IT industry is just trying to find a decent way to bridge the gap between that demand and a reasonable level of security.

Of course not, because that would be annoying to the majority of users.

And one last thing: If You are concerned about security in the first place You should not even be running a firewall on the machine You use for other things.

/B. Nice

Reply to
B. Nice

Thank you Rod. This is the most outstanding post that I have read in this newsgroup in years. Casey

Reply to
Casey

ZZY, in the "privacy community" there is a security concern about copies of the encrypted/decrypted message files being written to the hard drive. Effectiveness of wiping is questionable. Most email clients save these files.

JBMail v3.2 (free) used along with pgp/gpg Current Window saves no POP or SMTP files to disk. You might want to try it.

formatting link

Reply to
Casey

I also agree that some defense is better than none, as long as one understands what the "some" consists of, and takes measures against the rest.

-Russ.

Reply to
Somebody.

I'm not sure what "coalition" we're talking about.

But in any case, I defy ANY of them to hack my machine with the protection I've got.

Come on guys, you can see the headers on this post! Hack away!!

Kyle


Reply to
Kyle Stedman

Thanks. But I'm not concerned with email privacy, only a few sensitive files on my machine. And my only concern there is if the machine were to be stolen. It's of course a very real danger with a laptop, but it could happen even with the home machine. The chances are very good that a thief wouldn't have the technical prowess to dig the information from an old disk cache or the like, especially if he didn't have any reason to believe anything interesting was there. But the more sensitive the information, the stronger the security that's called for. It's hard to find out how well the various security applications clean up after themselves. I suppose I could do a decryption/encryption, then search the entire drive with a hex editor for a string in the decrypted file. That at least would tell me if an application consistently leaves sensitive stuff behind. (Once when I did that for a PDA encryption application I found that it simply deleted the original file -- the entire original unencrypted file was completely intact on the SD card!)

When you decrypt a file with something like PGP, it creates a real file on the drive, which you've got to remember to wipe when finished viewing it. I don't know if Cryptainer actually makes an unencrypted file on the disk, but if it does, at least it automatically wipes it when you close the program. But it looks like XP can put copies of any file elsewhere on the drive, which aren't necessarily wiped when the original is. It's of course possible to make an application that opens a decrypted file only in memory, but that could end up on the drive in the virtual memory cache. So I don't yet know what's the most secure. For now I'll have to hope that a thief is in the dark at least as much as I am, which is probably a pretty good bet.

Sorry, this is off the topic of firewalls. Is there a newsgroup or forum where this sort of thing is discussed? Discussed, that is, at this level rather than by experts who inflate their egos by posting responses obviously incomprehensible to the unwashed masses -- of which I'm a member.

Reply to
zzy
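The hex-editor check zzy describes above (decrypt, re-encrypt, then search the whole drive for a string that only occurs in the plaintext) can be scripted so it works on a full raw disk image rather than in a hex editor window. The following is an added example for this thread, not code posted by anyone in it: `find_marker` scans a file or image in chunks, carrying a few bytes across each chunk boundary so a hit that straddles two reads is still reported, and `build_sample_image` constructs a small fake image (random filler standing in for ciphertext and file-system noise, plus two stray copies of the plaintext) so the whole thing runs offline. The marker string and the image layout are constructed for the demo.

```python
"""Check whether an 'encrypted' volume or disk image still carries the
plaintext of a file that was supposedly removed.  Added example for this
thread, not code from anyone in it; the image is constructed on the fly."""
import os
import random
import tempfile

# Constructed canary: a string that exists only in the sensitive plaintext.
SAMPLE_MARKER = b"ACCOUNT-NUMBER-0000-CONSTRUCTED"
CHUNK = 1 << 20  # read the image 1 MiB at a time


def find_marker(path, marker, chunk_size=CHUNK):
    """Return the byte offsets of every occurrence of `marker` in the file
    at `path`.  Reads in chunks and carries len(marker)-1 bytes over to the
    next read so a hit straddling a chunk boundary is still found."""
    if not marker:
        raise ValueError("marker must be non-empty")
    hits = []
    carry = len(marker) - 1
    tail = b""
    base = 0  # absolute file offset of tail[0] (i.e. of data[0] below)
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            data = tail + block
            idx = data.find(marker)
            while idx >= 0:
                hits.append(base + idx)
                idx = data.find(marker, idx + 1)
            # Keep only the last `carry` bytes.  A whole marker cannot fit
            # inside them, so no occurrence is reported twice.
            tail = data[len(data) - carry:] if carry else b""
            base += len(data) - len(tail)
    return hits


def build_sample_image(path, marker=SAMPLE_MARKER):
    """Write a constructed image: deterministic random filler standing in
    for ciphertext and file-system noise, with two stray copies of the
    plaintext marker (a 'deleted' original whose clusters were never
    overwritten).  Returns the offsets where the marker was placed."""
    rng = random.Random(20060101)
    parts = [rng.randbytes(2995), marker,
             rng.randbytes(4711), marker,
             rng.randbytes(1337)]
    with open(path, "wb") as fh:
        for part in parts:
            fh.write(part)
    first = 2995
    return [first, first + len(marker) + 4711]


def run_demo():
    """Build the image in a temp dir, scan it with the default and with a
    deliberately tiny chunk size (so the first marker straddles a boundary),
    and also scan for a marker that was never written."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "volume.img")
        expected = build_sample_image(image)
        return {
            "expected": expected,
            "found": find_marker(image, SAMPLE_MARKER),
            "found_small_chunks": find_marker(image, SAMPLE_MARKER, chunk_size=1000),
            "absent": find_marker(image, b"never-written-to-this-image"),
        }


if __name__ == "__main__":
    r = run_demo()
    print("expected at:", r["expected"])
    print("found at:   ", r["found"])
    if r["found"]:
        print("plaintext remnants present: the tool did not wipe the original")
```

Against a real machine, point `find_marker` at a raw image taken of the whole drive (a `dd` copy of the device, not just the files the file system still lists), since the interesting copies live in unallocated clusters, the page file and application caches. A marker only matches the byte encoding it was written in, so a text that an application stored as UTF-16 needs the marker encoded the same way, and compressed or re-encoded copies will not be caught at all; a clean scan therefore rules out the obvious leak the post describes (the intact original left in place), not every possible one.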

Ansgar -59cobalt- Wiechers wrote in

Is Remote Procedure Call (RPC) necessary for 'net access?

Reply to
blah

This is not entirely true. You can still have a process on a computer that is bound to a port and that port still be in the fictional state of "CLOSED". However, that does not mean that a remote entity may access this port. i.e. local network processes, UNIX domain sockets, etc...

Also, it is normally advisable to still secure "CLOSED" ports. A "CLOSED" port can still be queried to elicit a response. For instance, the IP stack for your operating system may release particular information that could be utilized to determine your stack version, and possibly your operating system type and version. From RFC 793:

If the connection does not exist (CLOSED) then a reset is sent in response to any incoming segment except another reset. In particular, SYNs addressed to a non-existent connection are rejected by this means.

But for the most part your explanation applies globally without fault. Just thought I would clear that up. ;)

Reply to
Secure Buddha
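Holger's rule (no listening program means the port is closed, with no gatekeeper needed) and Secure Buddha's refinement (a process can own a port and the port is still "closed" to the network, and a closed port still answers with a reset) can both be watched happening against 127.0.0.1. The block below is an added example, not code from either poster: `probe` attempts a TCP handshake and classifies the outcome, and `demo` runs it against a port nobody owns, a port a process has bound but never called `listen()` on, and finally a real listener. The "filtered" outcome (the SYN is dropped and nothing comes back, which is what a packet filter produces) cannot be reproduced on loopback and is only described here.

```python
"""Observe what a TCP port looks like from the outside in three situations.
Added example for this thread, not code posted by anyone in it.  Everything
runs against 127.0.0.1, so it works offline and touches no other host."""
import socket


def probe(port, host="127.0.0.1", timeout=1.0):
    """Attempt a TCP handshake with host:port and classify the result.

    'open'     - handshake completed: a process is listening there.
    'closed'   - the stack answered with RST (ConnectionRefusedError); this
                 is the RFC 793 behaviour quoted above, and it happens
                 whether or not any process has the port bound.
    'filtered' - nothing came back before the timeout: a packet filter
                 dropped the SYN (not reproducible on loopback).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    finally:
        sock.close()


def demo():
    """Return the probe result for: no process at all, a process that has
    bind()ed the port but never called listen(), and a real listener."""
    results = {}

    # 1. Ask the kernel for a free port, release it, then probe it with
    #    nothing bound: the stack itself answers with RST -> 'closed'.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    results["no_process"] = probe(port)

    # 2. A process owns the port (bind) but is not accepting connections
    #    (no listen): from the network the port is still 'closed'.
    bound = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    bound.bind(("127.0.0.1", 0))
    results["bound_not_listening"] = probe(bound.getsockname()[1])

    # 3. listen() turns the very same socket into a listener -> 'open'.
    #    Nothing but the listening process itself changed.
    bound.listen(1)
    results["listening"] = probe(bound.getsockname()[1])
    bound.close()
    return results


if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case:22s} {state}")
```

The third case is the only one a personal firewall could add anything to: the first two are "closed" by virtue of nothing accepting connections, exactly as Holger says. Binding the listener to 127.0.0.1 instead of 0.0.0.0 is the other half of Secure Buddha's point: the same listener would then be "open" from the local machine and unreachable from the network without any filtering at all.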
