White Paper I did on Computer Security and what you should do to protect yourself:
My recommendation as a computer security analyst and consultant is to look at the 3 main security concerns that face the average home computer user:
Viruses, Spyware, Hackers
I work with many computer users with a varying degree of security knowledge and skill. The first thing I always check for when helping someone troubleshoot is whether they have secured themselves from the 3 basic threats listed above.
If you are interested, you can see some of the solutions I have used, but generally I use a combination of tools to ensure multiple layers of protection - and better yet, some are free!
(The importance of Securing Your Home Computer White Paper here:
A 'personal firewall' isn't a firewall. A firewall is a dedicated box with (usually) two or three ethernet ports running no services other than a firewall. My preferred configuration is an x86 box with a couple of tulip cards running FreeBSD or OpenBSD and ipf, though you can do OK with Linux and iptables too. You can run either on a $100 obsolete PC. (*BSD is better, but Linux is easier for a new user to configure).
Even the little hardware NAT boxes that you can get for sharing a DSL connection or cable modem are way better than any 'software firewall'. (The NetGear RT311 and RT314 are extremely sophisticated and flexible NATs and start at less than $100 - they do full NATing, allow port forwarding and filtering to a protected network. See NetGear Firewalls and NATs.)
So... what does a 'personal firewall' actually do? Well, effectively it listens on all the ports on your system. This provides no real additional security over turning off the services that you don't use.
I'll repeat that - it provides no real additional security over turning off the services that you don't use. (Maybe it'll block trojans from phoning home, but A) if you've run a trojan your system is completely compromised and B)
What it does do is break standard network applications (such as traceroute) and, more importantly, if badly written it will claim normal background network traffic is some sort of attack, alarming the user for no good reason. I've never heard of a 'personal firewall' that isn't badly written in this way. That doesn't mean one doesn't exist.
Why do the authors do this? Two reasons, as far as I've been able to gather.
The first is that most of the people writing these applications know next to nothing about IP networking. They may be pretty good Windows developers, but they have no idea what normal network traffic looks like. That should make you nervous about their ability to block any real malicious intent.
The second is more insidious... Why is an end user going to buy / register / upgrade their 'personal firewall'? They're not going to do so if they don't perceive any benefit from it. If it were a properly written application that just sat there, doing its job quietly in the background, users would forget it was there. But if it pops up warnings about 'attacks' all the time then it's clearly Doing Something. Most of those warnings are entirely frivolous - normal network traffic. And the remaining few... well... if the 'personal firewall' has protected your system from the supposed 'attack'... why do you care about it? You're safe from that supposed 'attack', right? So why pop up warnings and alerts? To make you feel you're getting a service from this program and so you'll pay for updates or 'Pro' versions.
The bottom line is this... If you care about your home network security a lot, and you're interested in it, spend the time to learn about networking and build yourself a standalone firewall.
If you don't want to spend that amount of energy on it, buy a standalone dedicated NAT or NAT+firewall box. I like the NetGear RT-311 and its siblings, but there're a bunch of others out there too. It'll sit there, do its job and never bother you again.
If you want to play with a piece of windows software that makes you click all over the place, there's always minesweeper.
If you'll feel safer sleeping at night knowing there's a 'personal firewall' running on your system, then install one. As long as you pay no attention to the "hack attacks" it reports, it's better than nothing. A free one, ideally, as few of them are worth paying for. Turn off all the alerts and logging - you'll just waste your time (and, more importantly to me, my time and the time of other network administrators your complaints go to), increase your blood pressure and provide no benefit to you. If you really want to leave them turned on and see where traffic is coming from, feel free, but remember that most of the traffic you see is harmless, and that even if it isn't harmless it can't affect your system (if it could, it wouldn't be logged). Oh, and try not to waste admins' time with frivolous complaints.
"But, but, but reporting these alerts to network administrators will help them catch crackers!"
Uhm, no. I know a whole bunch of network security and abuse staff. The response to any complaint with ZoneAlarm, BlackIce, etc. logfiles in it is to close the ticket, usually with an annotation like 'GWF' (Goober with Firewall). 99% of those reports are frivolous, about normal network traffic. In the remainder of cases there's nowhere near enough data in the logfiles to provide any idea of why the end user is upset. If you send frivolous complaints, that just wastes the time of the staff receiving them and prevents them from handling real security issues. How do you tell if a complaint is frivolous? If the sender doesn't understand basic networking, it's almost certainly frivolous. If the sender is complaining based on 'personal firewall' logs, it's definitely frivolous.
The abuse desk staff I talk with hate users of 'personal firewalls' more than they hate spammers. That should tell you something about how useful your complaints will be.
"You're just a unix bigot and don't like Windows applications!"
I don't like Windows applications for networking, no, as Windows isn't very good at it in general (with a few exceptions - some of the kernel level networking code in NT4 and NT5 is extremely sophisticated). As for being a unix bigot... I'm a Microsoft Independent Software Vendor, subscribe to Microsoft Developers Network and in my spare time produce Windows Network Applications.
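The standalone gateway the post above describes, written out as an added example that is not part of the original post: a stateful NAT and forwarding ruleset for a two-NIC Linux box, emitted in iptables-restore format (the poster's preferred ipf on *BSD is not shown). Interface names (eth0 on the WAN side, eth1 on the LAN side), the LAN subnet 192.168.1.0/24 and the optional port-forward parameters are assumptions chosen for illustration. The point the post makes, and the ruleset enforces, is that unrelated inbound traffic from the WAN is simply dropped by the chain policy; only replies to connections the LAN opened, plus any explicitly forwarded port, get through.

```shell
#!/bin/sh
# Added example (not from the original post): generate a minimal stateful
# NAT gateway ruleset for a two-NIC Linux box in iptables-restore format.
#
# Usage:  gen_gateway_rules WAN_IF LAN_IF LAN_NET [FWD_PORT FWD_HOST]
#   e.g.  gen_gateway_rules eth0 eth1 192.168.1.0/24 | sudo iptables-restore
#         gen_gateway_rules eth0 eth1 192.168.1.0/24 22 192.168.1.10
# The box must also have forwarding enabled:
#         sysctl -w net.ipv4.ip_forward=1
# Interface names, subnet and forwarded host are assumptions for the example.
gen_gateway_rules() {
    wan="$1"; lan="$2"; lan_net="$3"
    fwd_port="${4:-}"; fwd_host="${5:-}"

    # Optional single TCP port forward to an inside host (e.g. a game or SSH
    # server). Without it, nothing new from the WAN reaches the LAN at all.
    if [ -n "$fwd_port" ] && [ -n "$fwd_host" ]; then
        dnat="-A PREROUTING -i ${wan} -p tcp --dport ${fwd_port} -j DNAT --to-destination ${fwd_host}:${fwd_port}"
        fwd="-A FORWARD -i ${wan} -o ${lan} -p tcp -d ${fwd_host} --dport ${fwd_port} -m conntrack --ctstate NEW -j ACCEPT"
    else
        dnat="# no port forward requested"
        fwd="# no port forward requested"
    fi

    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
${dnat}
# Hide the whole LAN behind the gateway's WAN address
-A POSTROUTING -o ${wan} -s ${lan_net} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The gateway itself: loopback and management from the LAN side only
-A INPUT -i lo -j ACCEPT
-A INPUT -i ${lan} -s ${lan_net} -j ACCEPT
# Replies to connections the gateway itself opened
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: a packet on the WAN claiming a LAN source is never forwarded
-A FORWARD -i ${wan} -s ${lan_net} -j DROP
# Replies (and related flows such as FTP data) for connections the LAN opened
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may open new connections outward
-A FORWARD -i ${lan} -o ${wan} -s ${lan_net} -m conntrack --ctstate NEW -j ACCEPT
${fwd}
# Anything else arriving on the WAN (NEW or INVALID) hits the DROP policy
COMMIT
EOF
}
```

The ruleset is deliberately short: every ACCEPT is either tied to connection state or to a specific interface, so a missing rule fails closed rather than open. To verify on the box after loading, `iptables -S FORWARD` should show no ACCEPT that matches `-i eth0` with state NEW other than the one forwarded port.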
I appreciate everyone's feedback but clearly I haven't been asked any qualifying questions about the kinds of people I'm dealing with, other business services I offer, nor are you recognizing the fact that there are a lot of people who just aren't computer security experts.
Of course there are loads and loads of ways to be uber secure and prevent all but a nuclear bomb from going off in your box but some of the feedback sounds a bit like a flame to me. It makes me wonder what happens to someone that comes in here that isn't a security expert and asks questions for help, not for gain in personal ego.
I copied the Feature section from ZA's site as to save time in trying to write up what they've already done.
There are a lot of people out there who are completely open to the most basic security breaches. This is a first place to start.
The simple fact that pop-up queues exist is because the application cannot distinguish between legitimate traffic and illegitimate traffic. The application (Zone Alarm in this case) asks users on the fly whether to allow inbound and outbound traffic. I agree the descriptions and aid to a user could be improved here since half the time they don't know which button to click, "allow / deny." ZoneAlarm Internet Security Suite does a good job because it handles spyware, viruses, and software firewall as a single solution. To get someone up and running and a first line of defense, this is what I recommend. Again, it works well for many of my customers' needs.
The problem is there is not a straight forward setup for most users to get as secure as many of you people trolling the security forums are privy to.
This simple explanation is to get people started. What I have outlined does the job for someone on a budget and not knowing all the ins and outs of hardware firewalls and other security means.
If you've got constructive feedback on additional security measures one can employ, then by all means list them.
Please keep in mind the following when coming up with ideas:
Many of my clients are just getting familiar with the internet for the first time, and might even be using a new computer online for the first time.
Many of my clients do not want to spend a lot of money.
Maintenance of systems usually gets outsourced to a computer consultant - not a cheap endeavour - more hardware can equate to more maintenance.
Time. How long does it take to setup a relatively secure home network? How long does it take an amateur? You'd be foolish to assume everyone has, or even wants, to spend any time at all on setting up a strong network at home, save the fact that if they don't, they'll probably get hosed, which is why I'm often consulting in the first place.
Think of people who don't spend a lot of time thinking about computers at all, much less security.
Again, I would appreciate any feedback that is constructive about ways to improve the process, additional steps, or effort for helping people be more secure all around.
Sebastian, between the swearing and the oversimplified tidbits of security steps, is it safe to assume that you are a technical guy, and not a business guy?
It works great here on these forums for security people, but if any of my clients read what you listed, they'd ask you to articulate your thoughts more clearly.
The very fact that ZA DOES alert you to inbound traffic and a user can choose to deny access, does the job at the outset. The problem is not necessarily the software, but the education of end users on what is safe and what isn't safe.
I'm done with this post as any further replies will probably invoke further flames.
And also, I think the focus just on the firewall part and not mentioning the anti-spyware and antivirus in ZAISS '06 is also misleading - to say that it's all crap isn't a correct assessment, since both of those functions are also beneficial to the average user.
I'll do some more research on this topic around Personal Software firewalls and will push for some of the more robust hardware solutions as well as education.
I just think that we can discuss these things without getting so overboard.
We have 30-some home users that we support because their businesses are also clients of ours - we don't normally support home users.
Most of those "home" users had compromised machines before we got involved. We installed ZAP on every one of them, without a NAT router (they didn't want to purchase one in most cases), and they've run for more than 1 to 3 years without any compromise.
The thing that all the PFW haters seem to forget, and I'm not a fan of PFW solutions either, is that they can and do work in many cases. While I can claim that one line of Ford Trucks will explode due to flawed gas tank design, the fact is that many Ford Truck drivers with that flawed design will never have a problem - the same is true for PFW products. While they are not perfect, while they don't protect the terminally stupid, for a user that has a little sense, they do a great service, and a better job than Windows SP2 Firewall.
Why only then? Any serious firewall concept involves host security. Your security should never fail just because the firewall went down.
Besides that, most NAT boxes don't do a proper job denying unrelated inbound traffic.
This won't help against IE, OE, WMP, MS Office, certain IM messengers, mIRC, Skype, ... - better also make sure not to use such defective software as well.
I don't recommend this one either, as the bundled Symantec garbage will mess up your computer. What about DriveImage or TrueImage? Or what about dd | diff | gzip for the very simple (and therefore pretty reliable) way? What about file-based incremental backups?
Huh? It should find some irrelevant changed settings and some irrelevant misc. stuff as well. ;-D
What about host-based intrusion detection? Just that for competent users the effect will be pretty negligible.
[search for BEFSR41 prices] Results will vary by area, but the NAT box is cheaper here. OK, there's a free version of ZA, but it doesn't seem to be well advertised on their site for some reason.
I've yet to come across a home user who could give a correct explanation of what the configuration settings in ZA do. This doesn't mean the user is stupid. It looks like we agree that personal firewalls are not perfect, so they won't protect the user every time. In my view this makes them dangerous because I find many home users seem to feel that they are safe when they've got a personal firewall installed, even if they have no idea what it does or how to use it. I prefer to give home users a security checklist which they will be able to cope with instead of one which requires knowledge of what an outbound connection is and how to tell which outbound connection should be stopped and which should be permitted. Malware infestation usually shows itself in other ways and a check with
is likely to reveal far more than a personal firewall can.
And do cost more than disabling unnecessary services and limiting connectivity. What a hassle. Sorry, but do you think fuzzing around with port forwarding to get some things working is quite useful for clueless people? Soon they'll stumble across someone telling them to put their host into the DMZ, effectively negating any security benefit from the box.
I find that clueless people think the Internet consists of browsing and email, so there is no need for port forwarding.
I also find that most home users are incapable of disabling unnecessary services, even if it's possible to get a download which does it for them. Most home users don't know what a service is; never mind how to disable one or why it should be disabled.