to PFW or not to PFW

Greetings

As a non-techie I am confused. Whilst lurking in this and related groups I see a debate that goes on as to whether there is any point in using PFWs, in particular to monitor outgoing traffic. Some say it's essential (as do most magazines, and of course all companies marketing such products) and others say that they are so easily circumvented that it's a waste of time - and if I understand correctly, some even say that they actually open up further vulnerabilities.

So, what may be a naive question - is there any point in using a PFW to at least stop badly written nasties from kiddy vandals who haven't learned yet how to do it properly?

Byee

JIP

I hope I understood your post right, here is my best answer.

You can never have a 100% effective firewall/filter, you can only do risk mitigation. The more risk mitigation the safer you are. If that means putting layers of security between you and the rest of the world, that's fine. One of those layers might as well be a PFW/Packet filter.

Of course there is always a risk with *any* in-line device that it could be exploited by sending a particular packet through it. This has happened in the past. I remember it happened with Snort, and something similar happened to the BSD PFW (IPFW).

formatting link
Hope my reply counts for something.

Nicholas DePetrillo

Another way of mitigation is offering less that actually can be attacked.

If there's no service listening and the port just says "closed" in tests, nobody can exploit it unless the whole IP stack is broken. IF the IP stack is broken, however, no personal firewall on top of the IP stack can protect you.

The best protection is a) to use a router with NAT and port filtering, and b) to disable all unnecessary services on your machine.

Juergen Nieveler

Juergen Nieveler

That is a very good point.

A layered security approach is always preferred. Disabling those unnecessary services is key in some Linux distributions (I think Debian comes default with a lot of the inet.d stuff turned on, I use Gentoo myself) and especially in Windows.

However, these days in Windows putting yourself behind a router with NAT just won't cut it. A lot of the most recent attacks on Windows have been client side not remote (WMF). I think you will see a lot more of that happening as Windows cleans up its act and secures itself as much as it can on the network side, people will try to exploit the local applications more.

Nicholas DePetrillo

Get yourself a FW packet filtering router that meets the specs below in the link.

formatting link
And you can get something like WallWatcher (free) and review the logs.

I use a personal FW on the laptop while on the road and it's supplemented by IPsec. I have a PFW that doesn't have the snake-oil crap in it and turn off the one snake-oil crap that it does have in it -- Application Control.

For the laptop on the road, I go where I am supposed to go and that's to the O/S and close holes and shut down services I don't need.

While at home and the machines are sitting behind the FW appliance, I don't use any PFW(s) on the machines, which would be the same if I was using a packet filtering FW router that could stop inbound and outbound.

formatting link
The key to me is using common sense and not clicking on unknown links at websites or in emails, don't accept unknown emails, don't let them reach the machine, secure the O/S as much as possible, go look for yourself as to what's running or happening on the machine by using tools like Process Explorer, Active Ports, and review router or FW appliance logs for dubious connections to remote WAN IP(s).

If the NAT router couldn't stop outbound, then I would use a PFW to supplement it. The rest of the snake-oil crap in PFW(s) is basically worthless IMHO and can be defeated so don't lean on it like a crutch.

Duane :)

Duane Arnold

There are clear proofs for such vulnerabilities. There are clear proofs how to circumvent easily.

Yes, "Personal Firewalls" can stop software from communicating outside, which lets itself be controlled, or which is just written dumbly. This is possible.

But this has nothing to do with security at all.

A security feature has to lead into a situation, where a system is safe from the event, that a specific attack vector can be used. Then, and only then you can say, the security feature leads into the situation, that you're secure against this attack vector.

It is not possible to be safe from everything wrong which could happen, though. But it is possible to close single attack vectors. And it should be done.

Why it is so important to think in this context about computer systems, and not to think about things like camouflage, which help but don't guarantee for protection, I tried to explain in

And this has nothing to do with "there is a security hole, but everything has exploits". Beside there is proven software, which can be 100% correct compared to a given specification, there is a big difference between design flaws and holes or exploits.

There is a big difference, if something works in theory, and the implementation has a bug or an exploit which has to be fixed, or if something cannot work already in theory or has a design flaw.

The design of Microsoft Windows includes a security system. But for this security system, the Desktop is the borderline. Microsoft themselves document that one had better not try to ignore this fact. So one can control applications only, when no application can communicate outside, which is on the Desktop - that means, no application, which opens a window.

As a result of this, this means, that you may not use a web-browser, if you want to prevent a second application from communicating outside.

This is what I showed in my proof-of-concept code here:

formatting link
I'm just using Windows messages to let the web-browser do, what the application, which should be controlled, may not do directly. At the time, when I publicized these few lines, there was no single "Personal Firewall", which could prevent this. They all failed. And this was no surprise.

Now Zone Labs made a huge effort to implement a security system for Windows messages. They invented a technology to add to Windows what is missing, so they can control Windows messages with Zone Alarm Pro.

But this is a useless effort. It is completely useless, because simulating an attacker, I just had no look onto their work, but completely ignored it, because Windows messages are just one of many ways to communicate between applications, and most of them have no security system at all in Windows.

As the next step, I chose COM. With this technology, you can communicate without any problems, and I wrote this one:

formatting link
I just asked Explorer by communicating using COM with ActiveDesktop to do the work for me. And just like with the Windows messages example, it works with the actual Zone Alarm Pro without any problems.

So as a matter of fact, no single "Personal Firewall" can prevent from applications which want to communicate to the outside world, if there is a single application, which may, like your web-browser or Explorer. This just is not possible on Microsoft Windows.

Of course, it is not a security hole at all, if you cannot do this. It is much more sensible to prevent malware from being installed and running on your machine, than to try to control malware in a way, what the security system of the operating system does not allow.

And, it is even counterproductive, what the "Personal Firewalls" are doing here, because a "Personal Firewall" should not ask a normal user if she/he wants to allow "ACROREAD.EXE" to access a website - they should open no popups at all here, because it is a very good idea for the common user to have automatic updates in Acrobat, so the exploits there and in many other programs can be fixed quickly from time to time.

So popups are counterproductive, because they're requesting the user to take responsibility for decisions of protection. But the user should not protect, she/he should be protected.

Yours, VB.

Volker Birk

I think the best you can hope for in using a 'personal firewall' is that it may or may not alert you to something going on or trying to dial out. If that is useful to you, then fine, otherwise most of them are just buggy problematic wastes of time. I have tried them all and believe me, they all have problems. Right now I just use a cheap NAT router with an AV and that's it.

Kerodo

Depends on a few factors:

  1. Operating System and patch level: if you're running XP, make sure it's SP2 and fully patched; turning on AutoUpdate is the easiest way to keep it current. Use the built-in Windows Firewall. If you're concerned, turn on the logging and look at the c:\windows\pfirewall.log.
  2. Numbers of users and their level. Do you have kids? Do they log on as a user or as an administrator? Users can't install too many programs or modify the OS too much. Kids tend to click on anything that says "install this to play this game" online, keep them as users.
  3. Run an antispyware program. Microsoft's AntiSpyWare is free and it works very well.
  4. Run an antivirus application, a good free one is AVG
    formatting link

Finally, read the articles below

formatting link
formatting link
Wayne McGlinn Brisbane, Oz

Wayne
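
Added example, not part of any post in this thread: item 1 above suggests turning on logging and reading c:\windows\pfirewall.log, and an earlier reply suggests reviewing logs for dubious connections to remote IPs. This Python sketch tallies dropped packets and opened connections to non-local addresses; the sample lines are constructed, the function names are illustrative, and it assumes a space-separated log whose `#Fields:` header names the columns.

```python
import ipaddress
from collections import Counter

# Constructed sample (documentation/private addresses, not real observations).
SAMPLE_LOG = """\
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2006-01-14 10:02:11 DROP TCP 203.0.113.7 192.168.1.10 4312 445 48 S 1830912 0 64240 - - -
2006-01-14 10:02:14 DROP TCP 203.0.113.7 192.168.1.10 4312 445 48 S 1830912 0 64240 - - -
2006-01-14 10:02:20 DROP TCP 203.0.113.7 192.168.1.10 4313 135 48 S 1830999 0 64240 - - -
2006-01-14 10:05:40 OPEN TCP 192.168.1.10 198.51.100.25 1045 80 - - - - - - - -
2006-01-14 10:07:03 OPEN UDP 192.168.1.10 192.168.1.1 1046 53 - - - - - - - -
2006-01-14 10:09:31 DROP UDP 198.51.100.99 192.168.1.10 1026 1434 404 - - - - - - -
2006-01-14 10:09:40 DROP TCP 203.0.113.7
"""

# Destinations treated as local (RFC 1918, loopback, link-local) and not reported.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def parse(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line.strip() and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def is_local(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS)
    except ValueError:  # "-" or garbage in the address column
        return False

def summarize(text):
    """Return (dropped, opened) Counters keyed by (remote ip, protocol, dst port)."""
    dropped, opened = Counter(), Counter()
    for e in parse(text):
        if e["action"] == "DROP":
            dropped[(e["src-ip"], e["protocol"], e["dst-port"])] += 1
        elif e["action"] == "OPEN" and not is_local(e["dst-ip"]):
            opened[(e["dst-ip"], e["protocol"], e["dst-port"])] += 1
    return dropped, opened

if __name__ == "__main__":
    print(*summarize(SAMPLE_LOG), sep="\n")
```

Repeated drops from one source across several ports, or an opened connection to a remote address nobody on the machine recognises, are the entries worth a closer look.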

Another post in this list had a link to some suggestions:

formatting link
In it there is a list of services recommended to disable. Are there other guidelines on disabling services? Is there a "best" site for learning what all those services are? It's tough to know whether a service is "necessary" if you don't even know what the hell it is. The problem I have had is trying to find a site that gives good information without trying so hard to sell me something that I can't use the info. (Makes me suspect the quality of the info too.)

Thanks

JH

John Hyde

Black Viper's site used to be pretty interesting, but it's down or under construction at the moment. Here is a link however to most of the info that used to be there. This might be helpful to you:

formatting link

Kerodo

formatting link
HTH, VB.

Volker Birk

Principle of Hope by Ernst Bloch? Very Interesting.

But I think, it's not very hope^Whelpful for him.

The old Kerio (Version 2.1.5) was a good monitoring tool with a good packet filtering rule set.

Wolfgang

Wolfgang Ewert
[MS windows, networking and having sex]

The only useful tool out of the "PFW class" to collect experience in networking is IMO the old Kerio Version 2.1.5. Much better tools are those from sysinternals and sniffers like ethereal. There is a top 75s list of tools at insecure.org.

Greetings Wolfgang

Wolfgang Ewert
