The Coalition against Personal Firewalls

The fact that someone cannot hack your machine (whether that is true or not) today does not mean that one of the products you're using will have an exploit developed or discovered tomorrow, if your defenses are not sufficiently layered and/or appropriately concieved.

-Russ.

Excellent post Rod. I've been using a Kerio PF for years and have never had any problem.

Critic n. A pers> Is there a newsgroup or other forum where a non-expert can get useful

The list is moderated and trolling is not tolerated. That's why we keep Usenet around; for entertainment of the O'Reilly Factor or Jerry Springer variety. The signal to noise ratio on fw-wiz is much improved over this group (and most of Usenet). But you don't even have to subscribe. You can read through the past nine years of archives if you're so inclined.

-Gary

Rod Engelsman wrote: ["Personal Firewalls"]

Because there never was one single person who was able to give a _technical_ argument, why this should be wrong. Beside the usual "I'm an expert and it is!!1!!1", "I'm using it for years now without any problem!!1!!11", "It is secure, because all say, that it is secure!!11!!1"

Against this stands for example a simple PoC code of mine, which simply ignored every "Personal Firewall" on the market and phoned home.

You can download the source code and think yourself.

I'm trying to do so.

Yours, VB.

You don't need to fear port scans. They're not intrusions.

This is the way your "Personal Firewall" fools you - it's showing "attacks" where no attacks are.

This is not the problem. The threat is, that They[tm] want to have your PC in their botnet as a zombie. ;-) Really, people are building up botnets to do the real bad things, capturing PCs of Windows users.

If you don't want your PC being part of this, just stop offering services to the net. You can do this by using Torsten's gread script, or you can do this buy using a packet filter, for example the Windows-Firewall.

Is this constructive enough? If you're asking concrete questions, maybe I can help in a more concrete way.

Yours, VB.

Yes. Stop offering services, and you don't need to filter communication to them. Or just use the Windows-Firewall.

Clearer. Easier. Lightweight. Without the drawbacks and extra security problems the "Personal Firewalls" bring with them.

Did you already notice, that there is documentation about Microsoft's products, which you can use to learn what those products are doing and how to configure?

Why aren't you configuring the non-malware application then not to do so, if you don't want this?

To the Internet? Yes.

Yours, VB.

Every tested "Personal Firewall" failed to do so reliably.

This is wrong then.

Please prove that. It's wrong AFAICS.

Yours, VB.

Hm... something's going wrong ;-)

Yours, VB.

Yes. Yes. If you're not offering services or just using the Windows-Firewall.

Try it. BTW: Port scans are no attacks.

Yours, VB.

Unfortunately this is only something like a fairy tale.

Yours, VB.

Thank you! But it's a little bit outdated now - for Windows XP, SP2 and the Windows-Firewall is enough. For older versions of Windows one can use it, though. But: the real good work is Torsten's. I just made a simple "point and click tool" out of his script.

Yours, VB.

Maybe this will be a surprise for you, but most of the people here understand the concept of a PoC, and many of them tried out and confirmed. The press wrote about my PoC, tested it and found out that it works, and

added it to their testing suite:

Only "Leythos" and you seem to try to ignore that.

Yours, VB.

Hm... nice try ;-)

No, sorry, you're wrong. AFAIK Sebastian is a student at the TU Dresden:

Unfortunately, I don't know him more closely. Unfortunately, because beside his sometimes rude manners here in the net he seems to be a clever guy.

Ansgar Wiechers is an IT engineer (and an excellent one, I must say), working here in Bad Waldsee.

Well, Ansgar has a very direct, straight way, some people think to be too rude, also in real life ;-) But if you know Ansgar a little bit closer, you learn to know that he can be a great friend.

Usually, we don't talk about security things, but about our daily work, though.

I hope, that sometimes you will be right. My aversion to these tools comes from the fact, that not only every provider seems to do advertizing with provisions they cannot fulfill, but the "Personal Firewalls" I saw here in the tests where so flawed and poorly designed, that I really don't understand why someone wants to use them. This is the list we tested:

• Kerio Personal Firewall 4.1.2 * Norman Personal Firewall 1.42 * Agnitum Outpost Firewall Pro 2.5 * Sygate Personal Firewall Pro 5.5 * Tiny Firewall 6.0 * Zone Labs ZoneAlarm Pro 5.5 * Symantec Norton Personal Firewall 2005

Only Kerio was just useless if you have the Windows-Firewall or are not offering services, all others added extra security holes to the PC they should protect :-/

This is just not true, at least for what I'm writing.

Yours, VB.

And you've ignored people that stated your POC failed on their computers with PFW installed.

Port scans are systems looking for machines with exposed services - they are a good way to see where things are starting from. In general, our firewalls are setup to block any IP that "port scans" our networks, then, when we review the logs, we generally enter the IP or network into our permanent block lists.

Port scans are a warning sign and are not ethical traffic.

It's not surprise, it's just that you fail to understand that it didn't work at all on 6 machines I tested. How can you prove that something proves a PFW doesn't work when your POC is flawed?

Where can I get this? I'd like to try it.

Joe

What does it mean? Volker's PoC failed on some computers, it successed on others, so it's still possible to circumvent these PFWs. This will be true until the PoC failes on *all* computers it would be tested.

Wolfgang

Volker, one thing you need not apologize for is your contributions to challenging conventional wisdom about Internet security. These types of debates have had their day in the Anti-virus news groups, as well. There are still those who believe that AV utilities are a solution, rather than a tool. Real security is the responsibility of the human being, not some software utility.