It seems every firewall is slagged as snake oil. So how should it be done?

Martin C
Mar 13, 2009, 4:38:53 AM
From reading this newsgroup, there seem to be an incredible number of
postings that basically say that no personal firewall should be used on a PC
as they are all basically snake oil and don't really do much.

I am not sure if these responses are just from trolls that like to slag off
everything, or whether there is truth behind it all.

This therefore leads to the following question.

If the personal firewalls like Kerio, Comodo, Zone Alarm, Online Armor etc
are no good, then what should be used? Or are these guys saying that we
should just stick with a normal router and the Windows Firewall? Or are we
talking about a major investment in hardware?

This is a genuine question, not a 'light blue touch paper and stand back'
goad.

TIA

Martin.


Bit Twister
Mar 13, 2009, 6:24:31 AM
On Fri, 13 Mar 2009 08:38:53 -0000, Martin C wrote:
> From reading this newsgroup, there seem to be an incredible number of
> postings that basically say that no personal firewall should be used on a PC
> as they are all basically snake oil and don't really do much.
>
> This therefore leads to the following question.
>
> If the personal firewalls like Kerio, Comodo, Zone Alarm, Online Armor etc
> are no good, then what should be used? Or are these guys saying that we
> should just stick with a normal router and the Windows Firewall? Or are we
> talking about a major investment in hardware?

It is going to depend on your OS and your home setup.

If you have no services which respond to inbound connections then the
firewall is not needed. If running Micro$oft, we know there are a few
open services. :)
Therefore you need a firewall.

We know malware either disables the firewall or pokes holes in the OS firewall.
Therefore, it is better to have a router or dedicated hardware
firewall as first line of defense.

If you have two or more M$ systems on the same network, then each system
needs a firewall for protection from the other M$ system. :(
Latest example, Conficker malware is now on version 3.
It is even crawling into embedded OS devices. :(
http://isc.sans.org/diary.html?storyid=5752

Except for dialup users, most people wind up with a home router from their ISP.
If it does Network Address Translation, then you have your hardware
firewall, assuming you have closed any pass-through ports in the router.

Since the above became the norm, and/or everyone was putting in
software firewalls, the crackers moved to getting access from inside
the system. They do that by finding exploits in the software that
plays/reads files from the Internet (flash, pdf, gif, MP3, WMA, WMV, MP2,...).

Last time I looked there was a new piece of malware created about
every 20 seconds. Some of that malware calls home.
To help throttle that problem, software firewalls started blocking
outbound connections. Windows Firewall does not block outbound connections.

When you get a firewall popup about some application wanting to get
out you can start worrying/wondering if you have an infection or was
it an official Windows update. Even then you have no protection there
if malware attaches itself to an application you have already
authorized outbound access. :(

General stats seem to indicate the Anti-Virus vendors will get you an
update to find it about 6 weeks later. :-(

Check out what is currently running around
http://www.commtouch.com/Site/ResearchLab/VirusLab/recent_activity.asp

Rick
Mar 13, 2009, 6:57:02 AM
"Martin C" <mar...@invalid.com> wrote in
news:49ba16d9$1...@glkas0286.greenlnk.net:
>
> From reading this newsgroup, there seem to be an incredible number of
> postings that basically say that no personal firewall should be used
> on a PC as they are all basically snake oil and don't really do much.


Personal firewalls are one of those things that people love to argue back
and forth. Both sides have some validity to their views so the argument
goes on ad infinitum. Sort of like asking "which auto brand is better,
Ford, Chevy or Chrysler?"


> This therefore leads to the following question.
>
> If the personal firewalls like Kerio, Comodo, Zone Alarm, Online Armor
> etc are no good, then what should be used? Or are these guys saying
> that we should just stick with a normal router and the Windows
> Firewall? Or are we talking about a major investment in hardware?


IMHO - Security cannot be guaranteed by any single thing or even any
combination of things, whether they be hardware, software or both. That's
what makes it difficult for many people. They come in here or other
newsgroups/forums and ask whether "this product" or "that software" will
keep them safe. More often than not, someone will jump in and give you
their recommendation and someone else will jump in and tell you that
recommendation isn't effective.

For what little it is worth, here are my recommendations for home users
with moderate needs for security:

#1) use a NAT router. While these are NOT the same as a real firewall,
they do tend to block a number of avenues of attack. Make sure you change
any default passwords that the router uses to control access to its
configuration menus and turn off UPnP unless you really need it (the vast
majority of home users will not need it).

#2) make sure you have all available Windows security updates installed,
including IE7 if you use Internet Explorer as a browser (you might want to
consider using a different browser such as Firefox).

#3) make sure you have the latest updates for Java, Acrobat Reader, Firefox
(if you use it) and Flash since they are popular avenues of attack. Be
aware that when Java updates are installed, the older versions are not
removed. Unless you have a real need for the older versions, it is usually
best to remove them and only run the latest version.

#4) run a decent quality antivirus program with background scanning. For
home users on a tight budget and with modest security needs, the free AV
software from Antivir (has an annoying nag screen), Avast (the one I
usually recommend for home users) or AVG are available. For a reasonable
(IMHO) cost, Antivir, NOD32, or Kaspersky are good choices for an AV
program (the latest version of Norton may move into that category but I
haven't seen any good reviews of its effectiveness yet). For what it's
worth, I'm not fond of "Internet Security Suites" regardless of the
manufacturer. I find them to mostly be bloated hogs that really drag down
system performance without adding much in the way of real security. Use the
built-in Windows firewall instead.

#5) use a dedicated antimalware program as a "second opinion" security
scanner just in case. Since no single AV scanner is 100% effective, it is a
good idea to run one of these on occasion. I tend to recommend the free
version of either SuperAntispyware or Malwarebytes' Anti-Malware for home
users on a tight budget. They have to be run manually but that should be
sufficient. The for-pay versions of those programs offer real-time scanning
for those who don't want to deal with remembering to run the manual scans.

#6) if you use Outlook Express, Outlook or one of their derivatives (such
as Incredimail) for your email, I recommend turning off the preview pane.

#7) consider additional software/configuration changes such as:

- running services
http://www.blackviper.com/WinXP/servicecfg.htm

- autoplay/autorun
http://antivirus.about.com/od/securitytips/ht/autorun.htm

- codecs
http://community.winsupersite.com/blogs/paul/archive/2007/10/15/finding-a-good-and-safe-codec-package.aspx


Of course, nothing can guarantee security. Regardless of how well the
system is set up an imaginative idiot can always find a way to circumvent
things. Using the above guidelines and keeping in mind the maxim of "if it
sounds too good to be true it probably is" will go a long way towards
keeping you trouble-free. Avoiding risky behavior also goes without saying.
Those who cruise a lot of porn sites and/or those who do a lot of file
sharing without knowing exactly what they are doing tend to be the ones who
get into trouble the most.

Just my 2 cents worth.....


--
Rick Simon rsi...@cris.com

Include "spam(trap)key" somewhere in the
body of any email to avoid spam filters.

Leythos
Mar 13, 2009, 7:30:37 AM
In article <49ba16d9$1...@glkas0286.greenlnk.net>, mar...@invalid.com
says...

> From reading this newsgroup, there seem to be an incredible number of
> postings that basically say that no personal firewall should be used on a PC
> as they are all basically snake oil and don't really do much.
>

Not quite, they serve a purpose as long as you understand their
limitations and their failings.

As an example, if you remove all Exceptions from the Windows Firewall on
an XP computer, you can reasonably safely connect to a Wireless network
at a public hot spot, same for a hotel. If you don't check your
exceptions then you're most likely exposing something you were unaware
of.

When I travel I take a small NAT router with me, using the connection in
a hotel or at customers' sites, to block inbound to my laptop. When I
need wireless, I use the Win XP firewall, have no exceptions, and ensure
that my computer is not offering any services I don't know about.

The problem is that most people don't have a clue and most people don't
know about all of the exceptions enabled in the XP firewall or other
firewalls if used.

So, if you're where you can use one, use a NAT router, at least, and if
you're out and about, check your Win firewall exceptions FIRST and EACH
TIME, then connect to the wireless.

--
- Therefore, let him who desires peace prepare for war.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam9...@rrohio.com (remove 999 for proper email address)
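
Leythos's routine of checking the firewall exceptions and the services the laptop offers before joining a hotel or hotspot network can be made into a repeatable check. The PowerShell script below is an added example, not code from the thread or from any vendor mentioned in it. It assumes Windows 8 / Server 2012 or later (the NetTCPIP and NetSecurity modules) rather than the XP-era `netsh firewall show config` interface the post refers to; the function names are mine, and the script only reads state, it changes nothing.

```powershell
# Added example (not from the thread): audit what this host exposes before
# joining an untrusted network. Run from an elevated PowerShell prompt on
# Windows 8 / Server 2012 or later. Function names are this example's own.

function Get-ExposedListeners {
    # TCP listeners bound to something other than loopback are reachable
    # from the network; report each with the process that owns it.
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                ProcessId    = $_.OwningProcess
                ProcessName  = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            }
        } | Sort-Object LocalPort
}

function Get-InboundAllowRules {
    # Enabled inbound "allow" rules are the "exceptions" the thread talks
    # about: each one is a hole in the host firewall for the profiles listed.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Name      = $_.DisplayName
                Profile   = $_.Profile
                Protocol  = $port.Protocol
                LocalPort = $port.LocalPort
            }
        } | Sort-Object Profile, Name
}

function Test-PublicProfileIsDefaultDeny {
    # The Public profile should be enabled and block any inbound traffic
    # that no rule explicitly allows; returns $true when that is the case.
    $p = Get-NetFirewallProfile -Name Public
    return ($p.Enabled -eq 'True' -and $p.DefaultInboundAction -eq 'Block')
}

Write-Host '== Listening TCP sockets reachable from the network =='
Get-ExposedListeners | Format-Table -AutoSize

Write-Host "== Enabled inbound allow rules (the 'exceptions') =="
Get-InboundAllowRules | Format-Table -AutoSize

if (-not (Test-PublicProfileIsDefaultDeny)) {
    Write-Warning 'Public profile is not enabled with a default inbound action of Block.'
}
```

Anything that shows up in the first table and is not explained by a service you knowingly run is the "something you were unaware of" the post describes; the second table is the exception list to review each time, and the rules marked for the Public profile are the ones that matter on a hotspot.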

Geoff Smith
Mar 13, 2009, 7:47:52 AM
In article <49ba16d9$1...@glkas0286.greenlnk.net>, mar...@invalid.com
says...
>

Definitely use a NAT router. But in addition to that, ALL of the
firewalls you mention are very good. Anyone claiming they are snakeoil
is just ignorant. Some work better than others, depending upon your
situation. At times, they can cause conflicts with other software. So
try one for a couple weeks. If you don't have any new, unexplainable
problems with your system, then stick with it.

Try this. Go to grc.com and run the ShieldsUp! service and download/run
the leaktest. Note the results. Then install a software firewall and do
the same. I'm sure you will find a significant difference.

Ansgar -59cobalt- Wiechers
Mar 13, 2009, 8:21:03 AM
Geoff Smith <geof...@yahoo.com> wrote:
> Definitely use a NAT router.

Make sure you disable UPnP on it, though, or malware on a user's
computer will still be able to poke holes in it. Also this doesn't
affect tunneling stuff through other protocols.

> But in addition to that, ALL of the firewalls you mention are very
> good. Anyone claiming they are snakeoil is just ignorant.

HAHAHAHAHAHAHAHAHAHAHAHAHAHA!

- A system that doesn't have any open ports, because it doesn't have any
services listening on the external interface, doesn't need a personal
firewall to protect the system from direct inbound attacks.
- A system that is properly patched isn't vulnerable to attacks
targeting the already patched bugs.
- Personal firewalls cannot protect services that are supposed to be
accessible to begin with.
- When the user is working with admin privileges, personal firewalls can
be disabled from the inside, even if they employ rootkit techniques.
- Malware should be prevented from being run in the first place, not
from communicating outbound after it's already running. There are
various measures helping to achieve the former, including, but not
limited to: disabling autostart on removable media, using Software
Restriction Policies, setting appropriate "execute" permissions, or
running (up-to-date) AV software.
- The popups of personal firewalls are more confusing than anything
else, because in order to understand these messages, the user would
have to have a good understanding of both networking and Windows
internals. Which is quite uncommon with the target group of personal
firewalls.
- The logging of personal firewalls usually is laughable, since vital
information is omitted.

On top of that, more often than not personal firewalls introduce
additional vulnerabilities on the system they're supposed to protect:

- Automatic network shunning (default with various personal firewalls)
can be abused by an attacker for a DoS attack.
- Some personal firewalls run interactive services with elevated
privileges, making them susceptible to shatter attacks.
- Exploitable bugs in personal firewalls can be used to compromise the
system. This has already happened ITW (W32/Witty.worm).

And you dare call the critics of personal firewalls ignorant?

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
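
The prevention measures listed in the post above (no autostart on removable media, Software Restriction Policies, not working with admin privileges) can be audited without changing anything. The PowerShell script below is an added example, not code from the post or from Microsoft; the registry keys are the documented policy locations for these settings, the function names are mine, and it assumes PowerShell 3 or later on Windows.

```powershell
# Added example (not from the thread): read-only audit of the "prevent it
# from running in the first place" measures. Reports only; changes nothing.
# Function names are this example's own.

function Get-AutorunPolicy {
    # NoDriveTypeAutoRun is a bitmask of drive types on which AutoRun is
    # disabled: 0x04 = removable, 0x20 = CD-ROM, 0xFF = every drive type.
    # The machine-wide policy key takes precedence over the per-user one.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -ne $v) {
            return [pscustomobject]@{
                Source            = $p
                Value             = ('0x{0:X2}' -f $v)
                RemovableDisabled = (($v -band 0x04) -ne 0)
                CdRomDisabled     = (($v -band 0x20) -ne 0)
                AllDisabled       = (($v -band 0xFF) -eq 0xFF)
            }
        }
    }
    return [pscustomobject]@{ Source = '<not set>'; Value = $null;
        RemovableDisabled = $false; CdRomDisabled = $false; AllDisabled = $false }
}

function Get-SrpDefaultLevel {
    # Software Restriction Policies keep their default security level here:
    # 0 = Disallowed (default-deny), 0x20000 = Basic User, 0x40000 = Unrestricted.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $lvl = (Get-ItemProperty -Path $key -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
    if ($null -eq $lvl) { return 'NotConfigured' }
    switch ($lvl) {
        0       { return 'Disallowed' }
        0x20000 { return 'BasicUser' }
        0x40000 { return 'Unrestricted' }
        default { return "Unknown($lvl)" }
    }
}

function Test-RunningAsAdmin {
    # True when the current token holds the Administrators role; under UAC
    # that is only the case in an elevated session. Running everyday work
    # this way is what lets anything that executes undo host protections.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $pr = New-Object Security.Principal.WindowsPrincipal($id)
    return $pr.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$autorun = Get-AutorunPolicy
$srp     = Get-SrpDefaultLevel
$admin   = Test-RunningAsAdmin

[pscustomobject]@{
    AutorunSource            = $autorun.Source
    AutorunValue             = $autorun.Value
    AutorunRemovableDisabled = $autorun.RemovableDisabled
    SrpDefaultLevel          = $srp
    RunningAsAdmin           = $admin
} | Format-List

if (-not $autorun.RemovableDisabled) { Write-Warning 'AutoRun is still enabled for removable drives.' }
if ($srp -ne 'Disallowed')           { Write-Warning "SRP default level is '$srp', not default-deny." }
if ($admin)                          { Write-Warning 'This session runs with administrative privileges.' }
```

A clean result is AutoRun disabled for at least removable drives, an SRP default level of Disallowed (with path rules for the Windows and Program Files directories, which this script does not enumerate), and a session that is not running as an administrator; each warning maps to one of the measures in the list.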

Geoff Smith
Mar 13, 2009, 9:52:40 AM
In article <gpdj3f...@news.in-ulm.de>, usene...@planetcobalt.net
says...

Anyone who claims they are snakeoil (i.e. They offer no added protection
whatsoever) is ignorant. Of course there are valid criticisms. Are they
perfect? No. Are they helpful as an additional layer of protection? For
most people, yes.

Is it possible that they can include bugs that compromise a system? Yes.
But you could say that about ANY piece of software. It's a red herring.
If a person wanted to be totally locked down against any possible
security vulnerabilities from bugs in software, he/she would have to
remove every single piece of software from the computer, including the
OS.

Lie Ryan
Mar 13, 2009, 11:38:12 AM
Rick wrote:
> #2) make sure you have all available Windows security updates installed,
> including IE7 if you use Internet Explorer as a browser (you might want to
> consider using a different browser such as Firefox).

I'd rather change that to:

#2) make sure you have all available Windows security updates installed,
including IE7, even though you don't use Internet Explorer as a
browser. It is not recommended to use IE as your daily browser. As long
as IE doesn't close one of its most outstanding bugs: "Remove ActiveX
support" I would not consider it for any purpose.

Lie Ryan
Mar 13, 2009, 12:05:08 PM
Ansgar -59cobalt- Wiechers wrote:
> Geoff Smith <geof...@yahoo.com> wrote:
>> Definitely use a NAT router.
>
> Make sure you disable UPnP on it, though, or malware on a user's
> computer will still be able to poke holes in it. Also this doesn't
> affect tunneling stuff through other protocols.
>
>> But in addition to that, ALL of the firewalls you mention are very
>> good. Anyone claiming they are snakeoil is just ignorant.
>
> HAHAHAHAHAHAHAHAHAHAHAHAHAHA!

Laughable, there are no fully valid points in your post.

>
> - A system that doesn't have any open ports, because it doesn't have any
> services listening on the external interface, doesn't need a personal
> firewall to protect the system from direct inbound attacks.

A system is always vulnerable to ICMP DOS unless the firewall is
instructed to ignore ICMP packets.

> - A system that is properly patched isn't vulnerable to attacks
> targeting the already patched bugs.

There are always zero-day vulnerabilities. Having a firewall can help to
prevent these vulnerabilities, since most vulnerabilities assume a vanilla
system.

> - Personal firewalls cannot protect services that are supposed to be
> accessible to begin with.

Personal firewalls should not be used for a web server in the first place.

> - When the user is working with admin privileges, personal firewalls can
> be disabled from the inside, even if they employ rootkit techniques.

That is true even for a hardware firewall, and it is true for any kind of
protection. Even moderately security-conscious people would not be so
foolish as to run as Administrator nowadays.

> - Malware should be prevented from being run in the first place, not
> from communicating outbound after it's already running. There are
> various measures helping to achieve the former, including, but not
> limited to: disabling autostart on removable media, using Software
> Restriction Policies, setting appropriate "execute" permissions, or
> running (up-to-date) AV software.

HAHAHAHAHAHAHAHAHAHA!!

What a laugh... I'm sure in your unfirewalled system there is a worm
that is currently contacting home, and you are CLUELESS about its
existence because your firewall didn't tell you (OOOOPSS I forgot you
don't have firewall).

Fully updated antivirus? Do you think a "fully updated antivirus" stands
a chance against a zero-day vulnerability? A firewall has a much better chance
against zero days since it does not rely on signatures.

> - The popups of personal firewalls are more confusing than anything
> else, because in order to understand these messages, the user would
> have to have a good understanding of both networking and Windows
> internals. Which is quite uncommon with the target group of personal
> firewalls.

I doubt that. If there is a program named autorun.exe trying to get
access to Internet, I'm sure anyone moderately computer literate will be
suspicious.

> - The logging of personal firewalls usually is laughable, since vital
> information is omitted.

How does no logging compare to some logging?

> On top of that, more often than not personal firewalls introduce
> additional vulnerabilities on the system they're supposed to protect:
>
> - Automatic network shunning (default with various personal firewalls)
> can be abused by an attacker for a DoS attack.

Which is better than a compromised system. Anyway, most personal firewalls
can selectively block the attacker's IP address without blocking the
whole network.

> - Some personal firewalls run interactive services with elevated
> privileges, making them susceptible to shatter attacks.

Better than an unfirewalled system, which can be easily turned into a
zombie without any effort to do shattering.

> - Exploitable bugs in personal firewalls can be used to compromise the
> system. This has already happened ITW (W32/Witty.worm).

A worm can only target a very small and specific set of firewalls. In the
case of the Witty worm, it can only break through the ISS firewall, it won't be
able to break my Comodo firewall or my Kerio firewall. By adding
diversity, it makes it harder for a worm to have widespread impact. By
having a uniform configuration (i.e. all no firewall) it is only a matter
of time before the worm makes the next hops.

> And you dare calling the critics of personal firewalls ignorant?

And you dare call yourself someone who knows anything about security?

Frank Merlott
Mar 13, 2009, 2:28:56 PM
After serious thinking, Martin C wrote:

You could get an old machine and use some linux distribution as a
firewall, but you will need to know what you are doing.

The best firewall is the one you build yourself and on its own
dedicated box.

IPCop is a great Linux Firewall if you have a spare computer to install
it. And your main computer can still run Windows or anything else you
like.

http://www.ipcop.org/

--
Privacylover: http://www.privacylover.com


Gary
Mar 13, 2009, 6:26:21 PM
I think this sums it up rather well for Windows firewalls:

"Instead of reducing the number of network-aware services, a personal
firewall is an additional service that consumes system resources and can
also be the target of an attack as exemplified by the Witty worm.

If the system has been compromised by malware, spyware or similar
software these programs can also manipulate the firewall because both
are running on the same system. It may be possible to bypass or even
completely shut down software firewalls in such a manner.

The high number of alerts generated by such applications can possibly
desensitize users to alerts by warning the user of actions that may not be
malicious (e.g. ICMP requests).

Software firewalls that interface with the operating system at the kernel
mode level may potentially cause instability and/or introduce security
flaws and other software bugs."

http://en.wikipedia.org/wiki/Personal_firewall#Criticisms

Kayman
Mar 13, 2009, 9:27:19 PM

Deconstructing Common Security Myths.
http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMyths/default.aspx
Scroll down to:
"Myth: Host-Based Firewalls Must Filter Outbound Traffic to be Safe."

Exploring the Windows Firewall.
http://www.microsoft.com/technet/technetmag/issues/2007/06/VistaFirewall/default.aspx
"Outbound protection is security theater—it’s a gimmick that only gives the
impression of improving your security without doing anything that actually
does improve your security."

Managing the Windows Vista Firewall
http://technet.microsoft.com/en-us/magazine/cc510323.aspx
*(read twice!)*

Kayman
Mar 13, 2009, 9:38:11 PM

Only for the ignorant. Ignorance is not a defensible position.



> Is it possible that they can include bugs that compromise a system? Yes.
> But you could say that about ANY piece of software. It's a red herring.
> If a person wanted to be totally locked down against any possible
> security vulnerabilities from bugs in software, he/she would have to
> remove every single piece of software from the computer, including the
> OS.

I agree entirely, a lot of people would be far safer with a sheet of paper
and a pencil, providing the pencil wasn't too sharp.

Lie Ryan
Mar 14, 2009, 12:26:48 AM

Of course it must be THE TRUTH, it is written by a Firewall vendor that
is not competent enough to provide two-way filtering.

Lie Ryan
Mar 14, 2009, 12:33:43 AM
Gary wrote:
> I think this sums it up rather well for Windows firewalls:
>
> "Instead of reducing the number of network-aware services, a personal
> firewall is an additional service that consumes system resources and can
> also be the target of an attack as exemplified by the Witty worm.

The Witty worm only targets a specific firewall from a specific vendor, not
something to be bothered about.

> If the system has been compromised by malware, spyware or similar
> software these programs can also manipulate the firewall because both
> are running on the same system. It may be possible to bypass or even
> completely shut down software firewalls in such a manner.

Yeah, it is possible but for such a thing to happen the malware has to
bring a payload to disable it. That means the malware writer must write
code to bypass all firewalls in existence. That means the malware writer
must be a real genius to know how to bypass all firewalls.

> The high number of alerts generated by such applications can possibly
> desensitize users to alerts by warning the user of actions that may not be
> malicious (e.g. ICMP requests).
>
> Software firewalls that interface with the operating system at the kernel
> mode level may potentially cause instability and/or introduce security
> flaws and other software bugs."

That is actually fine. Each system would have different security flaws,
which means there is no single malware that could disable them all.

Root Kit
Mar 14, 2009, 3:56:17 AM
On Sat, 14 Mar 2009 04:33:43 GMT, Lie Ryan <lie....@gmail.com> wrote:

>Gary wrote:
>> I think this sums it up rather well for Windows firewalls:
>>
>> "Instead of reducing the number of network-aware services, a personal
>> firewall is an additional service that consumes system resources and can
>> also be the target of an attack as exemplified by the Witty worm.
>
>Witty worms only targets specific firewall from specific vendor, not
>something to be bothered.

Following your logic, instead of securing the systems we use, fill
them with vulnerable software of various flavors in order to confuse
malware writers.....

>> If the system has been compromised by malware, spyware or similar
>> software these programs can also manipulate the firewall because both
>> are running on the same system. It may be possible to bypass or even
>> completely shut down software firewalls in such a manner.
>
>Yeah, it is possible but for such thing to happen the malware has to
>bring a payload to disable it. That means the malware writer must write
>codes to bypass all firewall in existence. That means the malware writer
>must be a real genius to know how to bypass all firewall.

You don't know what you're talking about. Bypassing all firewalls has
been done already by normally skilled programmers with the necessary
understanding of Windows.

>> The high number of alerts generated by such applications can possibly
>> desensitize users to alerts by warning the user of actions that may not be
>> malicious (e.g. ICMP requests).
>>
>> Software firewalls that interface with the operating system at the kernel
>> mode level may potentially cause instability and/or introduce security
>> flaws and other software bugs."
>
>That is actually fine. Each system would have different security flaws,
>which means there is no single malware that could disable them all.

How exactly do you think today's malware writers who write malware for
money are spending their time?

Root Kit
Mar 14, 2009, 4:16:14 AM
On Fri, 13 Mar 2009 10:24:31 +0000 (UTC), Bit Twister
<BitTw...@mouse-potato.com> wrote:

>If you have no services which respond to inbound connections then the
>firewall is not needed. If running Micro$oft, we know there are a few
>open services. :)

>Therefore you need a firewall.

Or the better option: shut them down. Why have potentially vulnerable
network services running if you don't need them?

>We know malware either disables the firewall or poke holes in the OS firewall.
>Therefore, it is better to have a router or dedicated hardware
>firewall as first line of defense.
>
>If you have two or more M$ systems on the same network, then each system
>needs a firewall for protection from the other M$ system. :(
>Latest example, Conficker malware is now on version 3.

You either need or don't need to provide network services to others in
the same network. A firewall is not the most obvious solution to that.

>When you get a firewall popup about some application wanting to get
>out you can start worrying/wondering if you have an infection or was
>it an official windows update.

The main security related issue here is that you actually expect to
get a pop-up.

Another issue is that the vast majority of warnings you get are false
positives which lowers your awareness.

>Even then you have no protection there
>if malware attaches it's self to an application you have already
>authorized outbound access. :(
>
>General stats seem to indicate the Anti-Virus vendors will get you an
>update to find it about 6 weeks later. :-(

Which is why your main focus should be to prevent unauthorized code from
running.

Root Kit
Mar 14, 2009, 4:18:36 AM
On Sat, 14 Mar 2009 04:26:48 GMT, Lie Ryan <lie....@gmail.com> wrote:

>Of course it must be THE TRUTH, it is written by a Firewall vendor that
>are not competent enough to provide two-way filtering.

Correction: They are competent enough to realize and honest enough to
admit that their system does not provide the base for reliable
outbound filtering.

G
Mar 14, 2009, 4:23:57 AM
In article <1nsu8drso2vu7$.1qew4l4obuwn2$.d...@40tude.net>, kayhkay-
nos...@operamail.com says...

All the links you point to are from Microsoft itself. I'm not
comfortable putting 100% faith in what they have to say. The holes and
flaws in their OS are what have allowed the security issues to become so
significant today. And the arguments I read are always filled with
"might", "could", "possibly" and things like that.

If you don't want to use a software firewall, fine. Many people find
them useful. To call them "snakeoil" is to imply that they do absolutely
nothing. And that just isn't true.

Root Kit
Mar 14, 2009, 4:28:07 AM
On Fri, 13 Mar 2009 15:52:40 +0200, Geoff Smith <geof...@yahoo.com>
wrote:

>Anyone who claims they are snakeoil (i.e. They offer no added protection
>whatsoever) is ignorant. Of course there are valid criticisms. Are they
>perfect? No. Are they helpful as an additional layer of protection? For
>most people, yes.

You sound just like a marketing guy being hit by technical facts.

G
Mar 14, 2009, 4:41:30 AM
In article <9bqmr4d6dluc0ir39...@4ax.com>,
b__...@hotmail.com says...

Maybe to you. Or maybe I just understand that it is just as important to
understand the limitations of the user. It's ridiculous to expect that a
typical Windows user (or Mac, for that matter) will even attempt to set
up a VPN, edit the registry, disable services, etc.

Root Kit
Mar 14, 2009, 4:52:41 AM
On Sat, 14 Mar 2009 10:23:57 +0200, G <geof...@yahoo.com> wrote:

>All the links you point to are from Microsoft itself. I'm not
>comfortable putting 100% faith in what they have to say.

That's understandable. I see no reason why software firewall vendors
should be more trustworthy, though.

>flaws in their OS are what have allowed the security issues to become so
>significant today.

Windows is exactly as secure as what makes sense from a business
perspective. If you can't deal with that, feel free to use something
else.

BTW, flaws don't disappear by adding stuff to them. They only
disappear by getting fixed.

>If you don't want to use a software firewall, fine. Many people find
>them useful.

"Find" is the key word.

> To call them "snakeoil" is to imply that they do absolutely
>nothing.

Wrong. Snake oil implies that the product provides value that isn't
real. PFWs *do* provide value - otherwise people wouldn't buy them.
The question is whether the value is based on technical reasons or on
more emotional stuff.

Ansgar -59cobalt- Wiechers
Mar 14, 2009, 6:44:21 AM
G <geof...@yahoo.com> wrote:
> All the links you point to are from Microsoft itself. I'm not
> comfortable putting 100% faith in what they have to say.

If you don't trust Microsoft (particularly their technical department)
this far, you should stop running their operating system. Period. Ken
Thompson explains in "Reflections on Trusting Trust" [1] why that is.

> The holes and flaws in their OS are what have allowed the security
> issues to become so significant today. And the arguments I read are
> always filled with "might", "could", "possibly" and things like that.

Actually the Windows Firewall has had fewer bugs (or "holes and flaws",
as you put it) than any personal firewall on the market.

> If you don't want to use a software firewall, fine. Many people find
> them useful. To call them "snakeoil" is to imply that they do
> absolutely nothing. And that just isn't true.

It's an exaggeration, meant to open the eyes of those who still blindly
trust in personal firewalls to protect them from all evil.

[1] http://cm.bell-labs.com/who/ken/trust.html

Ansgar -59cobalt- Wiechers
Mar 14, 2009, 6:56:14 AM
G <geof...@yahoo.com> wrote:
> b__...@hotmail.com says...
>> On Fri, 13 Mar 2009 15:52:40 +0200, Geoff Smith <geof...@yahoo.com> wrote:
>>> Anyone who claims they are snakeoil (i.e. They offer no added
>>> protection whatsoever) is ignorant. Of course there are valid
>>> criticisms. Are they perfect? No. Are they helpful as an additional
>>> layer of protection? For most people, yes.
>>
>> You sound just like a marketing guy being hit by technical facts.
>
> Maybe to you. Or maybe I just understand that it is just as important
> to understand the limitations of the user.

IBTD. I didn't write

| - The popups of personal firewalls are more confusing than anything
| else, because in order to understand these messages, the user would
| have to have a good understanding of both networking and Windows
| internals. Which is quite uncommon with the target group of personal
| firewalls.

for no reason.

Normal users do not understand what the popups (or logs) of personal
firewalls tell them. And things are even worse when it comes to IPC
between program windows. And yet they're expected to make a decision
based on information that is a) insufficient and b) not understood in
the first place. How sensible is that?

> It's ridiculous to expect that a typical Windows user (or Mac, for
> that matter) will even attempt to set up a VPN, edit the registry,
> disable services, etc.

Registry changes can be placed in .reg files, which anyone can inspect.
And for services there are [1,2], both open source, so anyone can
inspect the source or ask a trusted person to do so.

[1] http://www.ntsvcfg.de/ntsvcfg_eng.html
[2] http://www.dingens.org/index.html.en

Volker Birk

Mar 14, 2009, 9:05:40 AM
Martin C <mar...@invalid.com> wrote:
> If the personal firewalls like Kerio, Comodo, Zone Alarm, Online Armor etc
> are no good, then what should be used?

http://www.ntsvcfg.de/ntsvcfg_eng.html

If there is enough request, I will update http://www.dingens.org (as a
matter of fact, it's outdated now, don't use it with modern Windows XP
or Windows Vista boxes).

Yours,
VB.
--
Please also note the reverse side of this letter!

Volker Birk

Mar 14, 2009, 9:07:20 AM
Bit Twister <BitTw...@mouse-potato.com> wrote:
> If you have no services which respond to inbound connections then the
> firewall is not needed. If running Micro$oft, we know there are a few
> open services. :)
> Therefore you need a firewall.

Or better shut down these network services, and you don't.

> We know malware either disables the firewall or poke holes in the OS firewall.
> Therefore, it is better to have a router or dedicated hardware
> firewall as first line of defense.

Many attacks are just ignoring all your firewalls if you don't know how
FTP helpers work, for example.

Volker Birk

Mar 14, 2009, 9:08:29 AM
Rick <rsi...@cris.com> wrote:
> Personal firewalls are one of those things that people love to argue back
> and forth. Both sides have some validity to their views so the argument
> goes on ad infinitum. Sort of like asking "which auto brand is better,
> Ford, Chevy or Chrysler?"

You just don't understand.

> Just my 2 cents worth.....

After hyperinflation ;-)

Volker Birk

Mar 14, 2009, 9:08:58 AM

Good advice.

Volker Birk

Mar 14, 2009, 9:10:30 AM
Lie Ryan <lie....@gmail.com> wrote:
>> Exploring the Windows Firewall.
>> http://www.microsoft.com/technet/technetmag/issues/2007/06/VistaFirewall/default.aspx
>> "Outbound protection is security theater—it’s a gimmick that only gives the
>> impression of improving your security without doing anything that actually
>> does improve your security."
>> Managing the Windows Vista Firewall
>> http://technet.microsoft.com/en-us/magazine/cc510323.aspx
>> *(read twice!)*
> Of course it must be THE TRUTH, it is written by a Firewall vendor that
> are not competent enough to provide two-way filtering.

If you're not trusting Microsoft, better don't use their systems.

Volker Birk

Mar 14, 2009, 9:13:02 AM
G <geof...@yahoo.com> wrote:
> All the links you point to are from Microsoft itself. I'm not
> comfortable putting 100% faith in what they have to say.

But you're trusting in GRC. How freaky ;-) If you don't trust Microsoft,
better don't use their systems. No "patch" or "tool" will be able to fix
the design flaws of a system.

> If you don't want to use a software firewall, fine. Many people find
> them useful. To call them "snakeoil" is to imply that they do absolutely
> nothing. And that just isn't true.

I agree. They're endangering your PC seriously, so they're far from
doing nothing.

Volker Birk

Mar 14, 2009, 9:13:40 AM
Root Kit <b__...@hotmail.com> wrote:
> Windows is exactly as secure as what makes sense from a business
> perspective.

I don't think so, unfortunately.

Volker Birk

Mar 14, 2009, 9:18:15 AM
Geoff Smith <geof...@yahoo.com> wrote:
> Are they helpful as an additional layer of protection? For
> most people, yes.

You're misunderstanding the military strategy of defense in depth. To
make a line of defense does not mean "taking measures which are commonly
useless against the enemy, but offer additional attack vectors for
them".

"Multi layer security" is advertising nonsense of people who want you to
misunderstand that, because they want you to buy their products, which
most commonly are useless up to dangerous.

> Is it possible that they can include bugs that compromise a system? Yes.
> But you could say that about ANY piece of software.

And that is the reason why you should REMOVE software and SWITCH OFF
software instead of adding even more to make your system more secure.

Volker Birk

Mar 14, 2009, 9:35:52 AM
Lie Ryan <lie....@gmail.com> wrote:
>> Exploring the Windows Firewall.
>> http://www.microsoft.com/technet/technetmag/issues/2007/06/VistaFirewall/default.aspx
>> "Outbound protection is security theater—it’s a gimmick that only gives the
>> impression of improving your security without doing anything that actually
>> does improve your security."
>> Managing the Windows Vista Firewall
>> http://technet.microsoft.com/en-us/magazine/cc510323.aspx
>> *(read twice!)*
> Of course it must be THE TRUTH, it is written by a Firewall vendor that
> are not competent enough to provide two-way filtering.

If you're not trusting Microsoft, better don't use their systems.

Volker Birk

Mar 14, 2009, 9:47:34 AM
Lie Ryan <lie....@gmail.com> wrote:
>> Exploring the Windows Firewall.
>> http://www.microsoft.com/technet/technetmag/issues/2007/06/VistaFirewall/default.aspx
>> "Outbound protection is security theater—it’s a gimmick that only gives the
>> impression of improving your security without doing anything that actually
>> does improve your security."
>> Managing the Windows Vista Firewall
>> http://technet.microsoft.com/en-us/magazine/cc510323.aspx
>> *(read twice!)*
> Of course it must be THE TRUTH, it is written by a Firewall vendor that
> are not competent enough to provide two-way filtering.

If you're not trusting in Microsoft, better don't use their systems.

Ansgar -59cobalt- Wiechers

Mar 14, 2009, 9:57:43 AM
Volker Birk <bum...@dingens.org> wrote:
> Geoff Smith <geof...@yahoo.com> wrote:
>> Are they helpful as an additional layer of protection? For most
>> people, yes.
>
> You're misunderstanding the military strategy of defense in depth. To
> make a line of defense does not mean "taking measures which are
> commonly useless against the enemy, but offer additional attack
> vectors for them".
>
> "Multi layer security" is advertising nonsense of people who want you
> to misunderstand that, because they want you to buy their products,
> which most commonly are useless up to dangerous.

Actually, no (or at least: not necessarily). It can be quite useful to
have more than one line of defense. However, you need to be aware of the
fact that it will increase the complexity of your system. You need
knowledge and experience to be able to handle it, otherwise you might
create openings by mistake.

In addition to that your layers must be independent from each other. For
instance, running two virus scanners on the same system is still just a
single layer of defense. It may also create additional problems (e.g.
the scanners interfering with each other, increased chance of an
exploitable vulnerability in at least one of them, etc.).

However, in general it's better to have less complexity (makes it easier
to handle the system and avoid mistakes), even if that means having just
a single layer of defense for any given attack scenario.

Rick

Mar 14, 2009, 10:11:16 AM
Volker Birk <bum...@dingens.org> wrote in
news:gpga8d...@news.in-ulm.de:

> Rick <rsi...@cris.com> wrote:
>> Personal firewalls are one of those things that people love to argue
>> back and forth. Both sides have some validity to their views so the
>> argument goes on ad infinitum. Sort of like asking "which auto brand
>> is better, Ford, Chevy or Chrysler?"
>
> You just don't understand.


Incorrect. I simply don't agree with you and your friends on the "extreme
anti-s/w firewall" side, nor the "GRC-ites" on the "extreme pro-s/w
firewall" side. There are pros and cons to running s/w based "firewalls".
IMHO - whether the overall result falls on the pro side or the con side
depends on a number of factors, including the knowledge/abilities of the
end user.

To maintain that every system should be hardened properly and should not
run a s/w based firewall is to ignore the fact that doing so is beyond
the abilities of a great many users. While it's very true in an "ivory
tower" sense, it is also the equivalent of tilting at windmills when it
comes to addressing the problems of the real world. Continuing to insist
that these novices have to learn how to do it "your way" smacks of
arrogance and disdain for those who are less knowledgeable than you.
While that may not be your intent, that IS the way you tend to come
across.

Likewise, to think that a software based firewall provides any large
amount of security is foolish. It is simply too easy to get around and
completely ignores the fact that such software can introduce other
problems of their own. Continuing to insist that such firewalls are a
crucial component of computer security shows a lack of in-depth knowledge
of the inherent problems of computer network security. They have their
uses, but those uses are far more limited and less effective than many
end users realize. A great many people have bought into a lot of the
marketing hype surrounding these "firewalls".

Now... I'll take my 2 cents back and bow out of your "discussion". I
wouldn't want to interfere with your endless argument...

--
Rick Simon rsi...@cris.com

Include "spam(trap)key" somewhere in the
body of any email to avoid spam filters.

Volker Birk

Mar 14, 2009, 11:48:42 AM
Rick <rsi...@cris.com> wrote:
> There are pros and cons to running s/w based "firewalls".

Just tell me one single sensible pro argument. I'm waiting for that for
years now in this "discussion".

All I'm reading is incompetent nonsense. And for all I can see, this is
one of the main reasons for the security disaster of Microsoft Windows
PCs we all are facing today.

> IMHO - whether the overall result falls on the pro side or the con side
> depends on a number of factors, including the knowledge/abilities of the
> end user.

For the end user, the most stupid concept I ever heard of is that of
popup windows where /he/ has to make the decisions which are relevant for
his own security.

The person who should be protected, is imposed to take over the
responsibility for all technical decisions of protection.

This is the concept of /every/ "Personal Firewall" I ever saw, any of
them seem to implement this totally ridiculous b0rken concept together
with the absurd "outbound filtering" idea.

To be clear: absurd is the idea to let malware run on your computer, and
then try to filter away its communication.

> To maintain that every system should be hardened properly and should not
> run a s/w based firewall is to ignore the fact that doing so is beyond
> the abilities of a great many users.

This is why I'm saying, that Microsoft should deliver hardened systems,
of course. The catastrophic spread of botnets is their fault.

This really is layered security.

> While that may not be your intent, that IS the way you tend to come
> across.

I really don't care.

Usually, people don't want to hear the facts. Of course, it's much
easier for them /not/ to switch systems, and of course, they /want/ to
hear, that security can be bought in boxes. It would make their life
much easier as it is, if this would be true, so they want to believe
that.

And we all have to filter away all that Spam from millions of zombies,
because of this. And all of the many companies who are blackmailed by
DDoS racketeers have to pay and to hush up their vulnerability.

Or what do /you/ think, why are millions of Windows PCs zombies and part
of botnets?

Volker Birk

Mar 14, 2009, 12:09:55 PM
Ansgar -59cobalt- Wiechers <usene...@planetcobalt.net> wrote:
> Volker Birk <bum...@dingens.org> wrote:
>> Geoff Smith <geof...@yahoo.com> wrote:
>>> Are they helpful as an additional layer of protection? For most
>>> people, yes.
>> You're misunderstanding the military strategy of defense in depth. To
>> make a line of defense does not mean "taking measures which are
>> commonly useless against the enemy, but offer additional attack
>> vectors for them".
>> "Multi layer security" is advertising nonsense of people who want you
>> to misunderstand that, because they want you to buy their products,
>> which most commonly are useless up to dangerous.
> Actually, no (or at least: not necessarily). It can be quite useful to
> have more than one line of defense.

I already tried to demarcate "multi layer security" from "defense in
depth". The former is advertising bosh, commonly used by people who want
other people to buy their useless (or even dangerous) products; the
latter is a military strategy.

I never met people who were trying to sell me "multi layer security"
who knew what they were talking about.

Commonly, it is an excuse to "your system is insecure": "Yes, but this
is only one layer, and there are many of them".

CJ

Mar 14, 2009, 2:56:54 PM
: If you don't want to use a software firewall, fine. Many people find
: them useful. To call them "snakeoil" is to imply that they do absolutely
: nothing. And that just isn't true.

Many have found them useful. Some years ago malware/virus was released on
the internet. It was the software firewalls that stopped the malware/virus
from spreading. It was not the anti-virus software, or anti-adware, or even
the anti-spyware software that protected these boxes. It was only the
software firewalls that caught, and stopped the malware/virus. It was also
just a few of your firewalls that did the protecting.


CJ

Mar 14, 2009, 3:20:17 PM
: > IMHO - whether the overall result falls on the pro side or the con side
: > depends on a number of factors, including the knowledge/abilities of the
: > end user.

Yes and 100% of them were not born with a silver mouse in hand. But they
are supposed to know how to harden their boxes.

(shrugs)

:
: For the end user, the most stupid concept I ever heard of is that of
: popup windows where /he/ has to make the decisions which are relevant for
: his own security.
:
: The person who should be protected, is imposed to take over the
: responsibility for all technical decisions of protection.

And you better know what you are doing because if you don't you could have
several back doors open. Plus, the first time a new user logs on to the
net, they are supposed to already know which of the security websites are
legit, and have valuable information, and which are bogus. Thus they are
still supposed to have been born with that silver mouse in hand.

:
: This is why I'm saying, that Microsoft should deliver hardened systems,
: of course. The catastrophic spread of botnets is their fault.

Didn't Microsoft want to harden down Vista and the anti software vendors,
and firewall vendors cried foul?

: Usually, people don't want to hear the facts. Of course, it's much
: easier for them /not/ to switch systems, and of course, they /want/ to
: hear, that security can be bought in boxes. It would make their life
: much easier as it is, if this would be true, so they want to believe
: that.

But this is not the user's fault. As it stands, buying a computer and
setting up the computer for use in a secure environment takes many hours
instead of minutes. Deciding on the right way to secure and protect a box
is getting more frustrating. There is far more to consider when securing
today than there was even five years ago.

CJ

Mar 14, 2009, 3:26:09 PM
:
: Maybe to you. Or maybe I just understand that it is just as important to
: understand the limitations of the user. It's ridiculous to expect that a
: typical Windows user (or Mac, for that matter) will even attempt to set
: up a VPN, edit the registry, disable services, etc.

But ...but they were born with that silver mouse in hand! I mean everyone
knows this stuff from day one of logging onto the Internet!

/sarcasm


Volker Birk

Mar 14, 2009, 3:23:02 PM
CJ <another...@home.just.net> wrote:
> Many have found them useful. Some years ago malware/virus was released on
> the internet. It was the software firewalls that stopped the malware/virus
> from spreading. It was not the anti-virus software, or anti-adware, or even
> the anti-spyware software that protected these boxes. It was only the
> software firewalls that caught, and stopped the malware/virus. It was also
> just a few of your firewalls that did the protecting.

Nice fairy tale.

DevilsPGD

Mar 14, 2009, 4:33:32 PM
In message <slrngrkd2v.7...@wm81.home.test> Bit Twister
<BitTw...@mouse-potato.com> was claimed to have wrote:

>If you have no services which respond to inbound connections then the
>firewall is not needed. If running Micro$oft, we know there are a few
>open services. :)
>Therefore you need a firewall.

Luckily, if you've installed a Windows OS or service pack released in
the last four and a half years, you've got a firewall turned on by
default that blocks all listening services.
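A way to check that claim on a given host before relying on either the firewall or the service-hardening advice given elsewhere in the thread: the script below is an added example, not code from any poster, and parses `netstat -ano` output (a constructed sample, not a capture from a real machine) to separate loopback-only listeners from sockets reachable from the network. The port labels are assumptions made for the example.

```python
"""Which services on a Windows host are reachable from the network?

Added example, not from the thread: parse `netstat -ano` output and split
listening sockets into loopback-only and externally reachable ones.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5357         0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49721     93.184.216.34:443      ESTABLISHED     2468
  TCP    [::]:135               [::]:0                 LISTENING       880
  TCP    [::1]:49664            [::]:0                 LISTENING       1256
  UDP    0.0.0.0:1900           *:*                                    3012
  UDP    127.0.0.1:1900         *:*                                    3012
  UDP    [fe80::1%12]:1900      *:*                                    3012
"""

# Labels for the ports the thread talks about (an assumed mapping used only
# to annotate the report; netstat itself does not name services).
KNOWN_PORTS = {
    ("TCP", 135): "MS RPC endpoint mapper (the Blaster vector, MS03-026)",
    ("TCP", 139): "NetBIOS session service",
    ("TCP", 445): "SMB",
    ("UDP", 1900): "SSDP / UPnP discovery",
}

# Local Address column is "1.2.3.4:port" or "[v6addr]:port".
_LOCAL_RE = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[^:]+)):(?P<port>\d+)$")


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int
    pid: int

    @property
    def external(self) -> bool:
        """True if another host can reach the socket: wildcard binds and any
        non-loopback address (link-local v6 is reachable on the LAN)."""
        ip = ipaddress.ip_address(self.address)
        return ip.is_unspecified or not ip.is_loopback

    def describe(self) -> str:
        where = "EXTERNAL" if self.external else "loopback"
        label = KNOWN_PORTS.get((self.proto, self.port), "")
        return (f"{where:8} {self.proto} {self.address}:{self.port} "
                f"pid={self.pid} {label}").rstrip()


def parse_netstat(text: str) -> list[Listener]:
    """Listening sockets only: TCP rows in state LISTENING, every UDP row."""
    listeners: list[Listener] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        if fields[0] == "TCP":
            if len(fields) != 5 or fields[3] != "LISTENING":
                continue
            local, pid = fields[1], fields[4]
        else:  # UDP rows have no State column
            if len(fields) != 4:
                continue
            local, pid = fields[1], fields[3]
        m = _LOCAL_RE.match(local)
        if m is None:
            continue
        # Drop an IPv6 scope id ("%12") so ipaddress accepts it on all versions.
        addr = (m.group("v6") or m.group("v4")).split("%")[0]
        listeners.append(Listener(fields[0], addr, int(m.group("port")), int(pid)))
    return listeners


def external_listeners(text: str) -> list[Listener]:
    """The subset a remote host could connect to: the real inbound surface."""
    return [s for s in parse_netstat(text) if s.external]


def report(text: str) -> str:
    return "\n".join(s.describe() for s in parse_netstat(text))


if __name__ == "__main__":
    print(report(SAMPLE_NETSTAT))
    print(f"\n{len(external_listeners(SAMPLE_NETSTAT))} externally reachable listener(s)")
```

Run against a real `netstat -ano` capture, an empty EXTERNAL list is the "no open ports" state the thread keeps coming back to; anything that does appear is a service to patch, bind to loopback or switch off rather than merely filter.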

Volker Birk

Mar 14, 2009, 4:59:18 PM
DevilsPGD <Death...@crazyhat.net> wrote:
> Luckily, if you've installed a Windows OS or service pack released in
> the last four and a half years, you've got a firewall turned on by
> default that blocks all listening services.

And like most firewalls, also this one (the Windows firewall) can be
fooled easily i.e. with simulated FTP code.

Volker Birk

Mar 14, 2009, 5:06:08 PM
Geoff Smith <geof...@yahoo.com> wrote:
> Are they helpful as an additional layer of protection? For
> most people, yes.

You're misunderstanding the military strategy of defense in depth. To
make a line of defense does not mean "taking measures which are commonly
useless against the enemy, but offer additional attack vectors for
them".

"Multi layer security" is advertising nonsense of people who want you to
misunderstand that, because they want you to buy their products, which
most commonly are useless up to dangerous.

> Is it possible that they can include bugs that compromise a system? Yes.
> But you could say that about ANY piece of software.

And that is the reason why you should REMOVE software and SWITCH OFF
software instead of adding even more to make your system more secure.

Yours,

G

Mar 14, 2009, 5:41:18 PM
In article <gph680...@news.in-ulm.de>, bum...@dingens.org says...

Goodbye all. Enjoy arguing among yourselves. Good luck with your
crusade.

Ansgar -59cobalt- Wiechers

Mar 14, 2009, 8:56:30 PM

Pray tell, what mysterious malware/virus might that have been?

DevilsPGD

Mar 15, 2009, 1:27:43 AM
In message <gph5r6...@news.in-ulm.de> Volker Birk
<bum...@dingens.org> was claimed to have wrote:

>DevilsPGD <Death...@crazyhat.net> wrote:
>> Luckily, if you've installed a Windows OS or service pack released in
>> the last four and a half years, you've got a firewall turned on by
>> default that blocks all listening services.
>
>And like most firewalls, also this one (the Windows firewall) can be
>fooled easily i.e. with simulated FTP code.

Fooled by an application running locally? Sure. Or the local
application could just do whatever malicious thing it wants anyway.

Root Kit

Mar 15, 2009, 2:32:39 AM
On Sat, 14 Mar 2009 18:56:54 GMT, "CJ" <another...@home.just.net>
wrote:

>Many have found them useful. Some years ago malware/virus was released on
>the internet. It was the software firewalls that stopped the malware/virus
>from spreading. It was not the anti-virus software, or anti-adware, or even
>the anti-spyware software that protected these boxes. It was only the
>software firewalls that caught, and stopped the malware/virus. It was also
>just a few of your firewalls that did the protecting.

Got any reliable sources to back that up?

Volker Birk

Mar 15, 2009, 2:32:43 AM
DevilsPGD <Death...@crazyhat.net> wrote:
> In message <gph5r6...@news.in-ulm.de> Volker Birk
> <bum...@dingens.org> was claimed to have wrote:
>>DevilsPGD <Death...@crazyhat.net> wrote:
>>> Luckily, if you've installed a Windows OS or service pack released in
>>> the last four and a half years, you've got a firewall turned on by
>>> default that blocks all listening services.
>>And like most firewalls, also this one (the Windows firewall) can be
>>fooled easily i.e. with simulated FTP code.
> Fooled by an application running locally? Sure.

"Local" applications like Flash content on a website.

> Or the local
> application could just do whatever malicious thing it wants anyway.

No.

Root Kit

Mar 15, 2009, 2:48:16 AM
On Sat, 14 Mar 2009 19:26:09 GMT, "CJ" <another...@home.just.net>
wrote:

Another sales man just jumped in to support his colleague.

Volker Birk

Mar 15, 2009, 2:48:03 AM
G <geof...@yahoo.com> wrote:
>> > Is it possible that they can include bugs that compromise a system? Yes.
>> > But you could say that about ANY piece of software.
>> And that is the reason, why you should REMOVE software and SWITCH OFF
>> software instead of adding even more to make your system more secure.
> Goodbye all. Enjoy arguing among yourselves. Good luck with your
> crusade.

"I'm running out of factual arguments, so I'm switching to ad hominem
arguments now. To prevent me from being argued any more (perhaps someone
notices the trick with ad hominem) I'm announcing that I will ignore the
response."

Root Kit

Mar 15, 2009, 2:57:03 AM
On Sat, 14 Mar 2009 10:41:30 +0200, G <geof...@yahoo.com> wrote:

>Maybe to you. Or maybe I just understand that it is just as important to
>understand the limitations of the user. It's ridiculous to expect that a
>typical Windows user (or Mac, for that matter) will even attempt to set
>up a VPN, edit the registry, disable services, etc.

It's equally ridiculous to expect a so called typical windows user to
be able to correctly deal with a PFW (if that was even possible).

Mr. Average shouldn't have to deal with technical stuff at that level.
If he doesn't understand how to properly configure his machine, he
should get help from someone who understands. I know how to drive my
car. But I don't know much about what goes on under the hood - which
is why I take it to the local garage now and then.

Windows firewall requires zero configuration (which is about the
maximum you can expect from Mr. Average) in order to get started.

Root Kit

Mar 15, 2009, 3:07:11 AM
On Sat, 14 Mar 2009 23:41:18 +0200, G <geof...@yahoo.com> wrote:

>Goodbye all. Enjoy arguing among yourselves. Good luck with your
>crusade.

Nice way of letting us know that you've run out of arguments.

CJ

Mar 15, 2009, 4:08:20 AM

"Root Kit" <b__...@hotmail.com> wrote in message
news:n28pr491hj9l8stqi...@4ax.com...
: On Sat, 14 Mar 2009 18:56:54 GMT, "CJ" :
: Got any reliable sources to back that up?


It used to be on the ZA forum. I tried to find it, and could not find it.
There is a chance I am slightly off a tad. It could have been a vulnerability
with the Windows OS, and the firewalls blocked it from the time it was
discovered. Maybe I should have looked further before stating that. Sorry
folks. I will continue to look for it though. But so far I have not found
it.


Ansgar -59cobalt- Wiechers

Mar 15, 2009, 7:08:58 AM
CJ <another...@home.just.net> wrote:

> "Root Kit" <b__...@hotmail.com> wrote:
>> Got any reliable sources to back that up?
>
> It used to be on the ZA forum. I tried to find it, and could not find
> it. There is a chance I am slightly off a tad. It could have been a
> vulnerability with the Windows OS, and the firewalls blocked it from
> the time it was discovered.

You're probably talking about W32/Blaster [1], which is a worm, not a
virus. It exploited a vulnerability in Windows' RPC service. However,
aside from filtering access to the service with a firewall, the attack
would have been thwarted as well by:

- installing the patch to actually fix the vulnerability, which was
released a month before [2,3].
- configuring the system to not run the service on the external
interface in the first place [4].

> Maybe I should have looked further before stating that.

Yes, you should.

[1] http://en.wikipedia.org/wiki/Blaster_(computer_worm)
[2] http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
[3] http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx
[4] http://www.ntsvcfg.de/ntsvcfg_eng.html

Ansgar -59cobalt- Wiechers

Mar 15, 2009, 7:11:23 AM
Root Kit <b__...@hotmail.com> wrote:
> Windows firewall requires zero configuration (which is about the
> maximum you can expect from Mr. Average) in order to get started.

Unfortunately it still could use some fine tuning here and there,
though. Like, disallowing UPnP (IIRC that's allowed by default), and
allowing some ICMP types.

goarilla

Mar 15, 2009, 4:36:40 PM

wow your folklore is really technical, our urban myths usually include some
very odd usages of mammal cadavers.

Moe Trin

Mar 15, 2009, 5:01:07 PM
On Sat, 14 Mar 2009, in the Usenet newsgroup comp.security.firewalls, in article
<RrTul.620$cW....@newsreading01.news.tds.net>, CJ wrote:

>And you better know what you are doing because if you don't you could
>have several back doors open. Plus, the first time a new user logs on
>to the net, they are suppose to already know which of the security
>websites are legit, and have valuable information, and which are bogus.

Have the initial O/S install set the firewall to only allow connections
to the "legitimate" website until the computer has been completely
brought up-to-date, and then let that website alter the firewall to
permit "normal" use.

Require that the company/individual who _delivers_ the computer to the
end-user update it completely when the system is delivered, not after.

>Thus they are still suppose to have been born with that silver mouse
>in hand.

You know - you are making a good case for not allowing the clueless to
have access to a computer until they learn how to use one safely.
Unfortunately, you'd lose because it would make things harder for
those who think they have a natural legal _right_ to be st00pid.

>: This is why I'm saying, that Microsoft should deliver hardened
>: systems, of course. The catastrophic spread of botnets is their
>: fault.
>
>Didn't Microsoft want to harden down Vista and the anti software
>vendors, and firewall vendors cried foul?

Please cite _ANY_ credible source for that fairy-tale statement.

Old guy

Root Kit

Mar 16, 2009, 1:53:22 PM
On Sun, 15 Mar 2009 12:11:23 +0100 (CET), Ansgar -59cobalt- Wiechers
<usene...@planetcobalt.net> wrote:

>Root Kit <b__...@hotmail.com> wrote:
>> Windows firewall requires zero configuration (which is about the
>> maximum you can expect from Mr. Average) in order to get started.
>
>Unfortunately it still could use some fine tuning here and there,
>though. Like, disallowing UPnP (IIRC that's allowed by default), and
>allowing some ICMP types.

Sure. But that's a little beyond the point.

John

Mar 17, 2009, 2:30:50 PM

"Rick" <rsi...@cris.com> wrote in message
news:Xns9BCD46B3D4...@74.209.136.99...
> "Martin C" <mar...@invalid.com> wrote in
> news:49ba16d9$1...@glkas0286.greenlnk.net:
>> From reading this newsgroup, there seem to be an incredible number of
>> postings that basically say that no personal firewall should be used
>> on a PC as they are all basically snake oil and don't really do much.
>
> Personal firewalls are one of those things that people love to argue back
> and forth. Both sides have some validity to their views so the argument
> goes on ad infinitum. Sort of like asking "which auto brand is better,
> Ford, Chevy or Chrysler?"

Lexus

Ansgar -59cobalt- Wiechers

Mar 28, 2009, 7:30:22 PM
Lie Ryan <lie....@gmail.com> wrote:
> Ansgar -59cobalt- Wiechers wrote:
>> - A system that doesn't have any open ports, because it doesn't have
>> any services listening on the external interface, doesn't need a
>> personal firewall to protect the system from direct inbound
>> attacks.
>
> A system is always vulnerable to ICMP DoS unless the firewall is
> instructed to ignore ICMP packets.

DoS by ICMP usually is an ICMP flood, which means that the attacker is
sending so many ICMP packets that they consume the entire bandwidth of
your uplink. Dropping ICMP packets on the receiving side doesn't change
anything at all about that.

>> - A system that is properly patched isn't vulnerable to attacks
>> targeting the already patched bugs.
>
> There are always zero-day vulnerabilities. Having a firewall can help
> to prevent these vulnerabilities, since most vulnerabilities assume a
> vanilla system.

Nonsense. If you need the service to be accessible, the firewall cannot
protect it, because blocking access would obviously make the service
inaccessible. And if you don't need the service to be accessible: why
are you running it in the first place? A service that isn't running
cannot be exploited, no matter how many zero-day vulnerabilities it
might have.

>> - Personal firewalls cannot protect services that are supposed to be
>> accessible to begin with.
>
> Personal firewalls should not be used for web server in the first
> place.

Ummm... outside of your private reality there are a lot more services
than just HTTP. Which people may or may not need to access depending on
their current situation.

>> - When the user is working with admin privileges, personal firewalls
>> can be disabled from the inside, even if they employ rootkit
>> techniques.
>
> That is true even for a hardware firewall, and it is true for any kind
> of protection. Even moderately security-conscious people would not
> be so foolish as to run as Administrator nowadays.

Pray tell how you think you can disable a firewall running on a separate
device (provided it's configured properly, i.e. UPnP disabled, no
default password, firmware up-to-date, etc.).

>> - Malware should be prevented from being run in the first place, not
>> from communicating outbound after it's already running. There are
>> various measures helping to achieve the former, including, but not
>> limited to: disabling autostart on removable media, using Software
>> Restriction Policies, setting appropriate "execute" permissions, or
>> running (up-to-date) AV software.
>
> HAHAHAHAHAHAHAHAHAHA!!
>
> What a laugh... I'm sure in your unfirewalled system there is a worm
> that is currently contacting home, and you are CLUELESS about its
> existence because your firewall didn't tell you (OOOOPSS I forgot you
> don't have firewall).

a) Just because I'm not using a personal firewall doesn't mean I'm not
using a firewall.
b) Since I'm normally logged in with a normal user account, and I also
know how to use Process Explorer, netstat, TCPView, Port Reporter,
Wireshark and a variety of other tools, I'm pretty certain that my
system is not currently infected.

> Fully updated antivirus? Do you think a "fully updated antivirus"
> stand a chance to zero day vulnerability? A firewall has a much better
> chance against zero days since it does not rely on signatures.

No, it doesn't. Because in the case of a service that doesn't need to be
accessible, you're better off shutting it down than just trying to block
access with a packet filter. And in any other case the system is already
hosed when the firewall detects the compromise.

>> - The popups of personal firewalls are more confusing than anything
>> else, because in order to understand these messages, the user would
>> have to have a good understanding of both networking and Windows
>> internals. Which is quite uncommon with the target group of
>> personal firewalls.
>
> I doubt that.

You can doubt that as much as you like. It doesn't change anything about
the fact.

> If there is a program named autorun.exe trying to get access to
> Internet, I'm sure anyone moderately computer literate will be
> suspicious.

Do you believe he'll get suspicious when a program named iexplorer.exe
or iexp1ore.exe or ssvchost.exe is trying to access the Internet?
Really?

>> - The logging of personal firewalls usually is laughable, since vital
>> information is omitted.
>
> How is no logging compared to some logging?

It's neither worse nor better. Insufficient logging is just the same as
no logging at all: it doesn't help, because you still lack vital
information.

>> On top of that, more often than not personal firewalls introduce
>> additional vulnerabilities on the system they're supposed to protect:
>>
>> - Automatic network shunning (default with various personal
>> firewalls) can be abused by an attacker for a DoS attack.
>
> Which is better than compromised system. Anyway, most personal
> firewall can selectively block the attacker's IP address without
> blocking the whole network.

Yeah. Especially when the attacker spoofs the IP addresses of your ISP's
name servers (or those of the root name servers). Right. Did you even
understand what I'm talking about?

>> - Some personal firewalls run interactive services with elevated
>> privileges, making them susceptible to shatter attacks.
>
> Better than an unfirewalled system, which can be easily turned to a
> zombie without any effort to do shattering.

I call bullshit. How do you plan to turn a system into a zombie, when it
doesn't have any publicly accessible services, and the users are working
with normal user accounts?

>> - Exploitable bugs in personal firewalls can be used to compromise
>> the system. This has already happened ITW (W32/Witty.worm).
>
> A worm can only target a very small and specific set of firewall. In
> the case of Witty worm, it can only break through ISS firewall, it
> won't be able to break my Comodo's firewall or my Kerio's firewall. By
> adding diversity, it makes it harder for worm to have widespread
> impact. By having uniform configuration (i.e. all no firewall) it is
> only a matter of time before the worm makes the next hops.

*sigh*

You didn't understand the problem at all, did you? Those systems were
infected *because* they were running a personal firewall. Had they not
been running a personal firewall but instead had their unneeded services
disabled, they would not have been affected by this attack (more
precisely: not only this attack, but any attack of this kind) at all.

>> And you dare calling the critics of personal firewalls ignorant?
>
> And you dare calling yourself know anything about security?

A great deal more than you, obviously. Plus, I have at least some
understanding of networking concepts.
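Ansgar's position above rests on two checks a user can make without a personal firewall: that nothing is listening on the external interface, and that any process talking to the network is what its name claims. As an added example (this is not code from the thread or from any of the tools named in it), the Python script below runs both checks over a constructed, netstat -ano style listing and a constructed PID-to-image table; every address, port, PID and image name in the sample is invented for illustration, and the list of "trusted" binary names is an assumption.

```python
"""Added example, not from the thread: parse a netstat -ano style listing,
report services reachable from the network, and flag processes whose names
imitate trusted Windows binaries. All sample data below is constructed."""
import re
from collections import namedtuple

# Constructed sample modelled on `netstat -ano` output (addresses/PIDs invented).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1732
  TCP    192.168.1.10:49201     93.184.216.34:80       ESTABLISHED     2200
  TCP    192.168.1.10:49333     203.0.113.7:6667       ESTABLISHED     3104
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed PID -> image name table (what tasklist / Process Explorer shows).
SAMPLE_PROCESSES = {4: "System", 884: "svchost.exe", 1732: "mDNSResponder.exe",
                    2200: "iexplore.exe", 3104: "ssvchost.exe"}

# Assumed list of Windows binaries that malware habitually imitates by name.
TRUSTED_NAMES = {"svchost.exe", "iexplore.exe", "explorer.exe", "lsass.exe",
                 "csrss.exe", "winlogon.exe"}
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "|": "l"})
LOOPBACK = ("127.", "::1", "[::1]")

Conn = namedtuple("Conn", "proto laddr lport raddr rport state pid")
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)"
                     r"\s+(?:(\w+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return one Conn per socket line; the header and unparseable lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, la, lp, ra, rp, state, pid = m.groups()
            conns.append(Conn(proto, la, lp, ra, rp, state or "", int(pid)))
    return conns


def external_listeners(conns):
    """Sockets that accept traffic from the network: TCP in LISTENING state or
    UDP bound to anything but loopback. Inbound filtering only matters for
    these; the cleaner fix is to stop the service that owns them."""
    out = []
    for c in conns:
        listening = (c.proto == "TCP" and c.state == "LISTENING") or \
                    (c.proto == "UDP" and c.raddr == "*")
        if listening and not c.laddr.startswith(LOOPBACK):
            out.append(c)
    return out


def levenshtein(a, b):
    """Edit distance; one insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name):
    """Return the trusted binary `name` imitates (iexp1ore.exe, ssvchost.exe,
    iexplorer.exe ...), or None if it is the real name or unrelated. Matching
    is by name only; confirm with the image path and signature in Process
    Explorer before acting on it."""
    n = name.lower()
    if n in TRUSTED_NAMES:
        return None
    for trusted in sorted(TRUSTED_NAMES):
        if n.translate(CONFUSABLES) == trusted or levenshtein(n, trusted) <= 1:
            return trusted
    return None


def suspicious_connections(conns, processes):
    """Established connections owned by a process with a lookalike name."""
    return [c for c in conns
            if c.state == "ESTABLISHED" and lookalike(processes.get(c.pid, ""))]


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for c in external_listeners(conns):
        print(f"listening on network: {c.proto} {c.laddr}:{c.lport} pid={c.pid} "
              f"({SAMPLE_PROCESSES.get(c.pid, '?')})")
    for c in suspicious_connections(conns, SAMPLE_PROCESSES):
        name = SAMPLE_PROCESSES[c.pid]
        print(f"suspicious: {name} (pid {c.pid}) -> {c.raddr}:{c.rport}, "
              f"imitates {lookalike(name)}")
```

On a real machine, feed it the output of `netstat -ano` and a PID-to-name map taken from `tasklist` (both exist on the Windows versions discussed in the thread). The name check is deliberately crude: a single-character edit or a digit-for-letter swap is enough to flag a process, which catches the examples Ansgar gives but will also produce false positives that need a look at the image path and signature.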

DevilsPGD

unread,
Mar 30, 2009, 4:12:01 AM3/30/09
to
In message <gqmbue...@news.in-ulm.de> Ansgar -59cobalt- Wiechers
<usene...@planetcobalt.net> was claimed to have written:

>Lie Ryan <lie....@gmail.com> wrote:
>> Ansgar -59cobalt- Wiechers wrote:
>>> - A system that doesn't have any open ports, because it doesn't have
>>> any services listening on the external interface, doesn't need a
>>> personal firewall to protect the system from direct inbound
>>> attacks.
>>
>> A system is always vulnerable to ICMP DOS unless the firewall is
>> instructed to ignore and ignore ICMP packets.
>
>DoS by ICMP usually is an ICMP flood, which means that the attacker is
>sending so many ICMP packets that they consume the entire bandwidth of
>your uplink. Dropping ICMP packets on the receiving side doesn't change
>anything at all about that.

There is one large exception: A target with asymmetric bandwidth.

If you're attacking a user on a typical consumer grade connection,
they'll probably have far more downstream than upstream.

If a user is on a 10Mb/1Mb connection, all you need to do is throw a
little over 1Mb/s in ICMP echo requests their way to make their
connection annoyingly slow, and any more than 4Mb/s or so will probably
cause a decent percentage of their outbound ACKs to get dropped due to
their bandwidth being used processing ICMP echo replies.

Now if the target is smart, they'll hopefully rate limit or otherwise
deprioritize ICMP echo handling, and it's honestly been a long time
since I screwed around with this technique, but having been the
recipient of this type of attack, it can be effective in at least some
cases.

DevilsPGD

unread,
Mar 30, 2009, 4:12:01 AM3/30/09
to
In message <Uuvul.28396$cu.1...@news-server.bigpond.net.au> Lie Ryan
<lie....@gmail.com> was claimed to have written:

>Ansgar -59cobalt- Wiechers wrote:
>> - A system that doesn't have any open ports, because it doesn't have any
>> services listening on the external interface, doesn't need a personal
>> firewall to protect the system from direct inbound attacks.
>
>A system is always vulnerable to ICMP DOS unless the firewall is
>instructed to ignore and ignore ICMP packets.

You do know that ICMP does a heck of a lot more than echo
request/responses, much of which you probably want, at least if you
enjoy reliable connectivity.

Volker Birk

unread,
Mar 30, 2009, 4:30:56 AM3/30/09
to

I don't have the impression that he understands.

Ansgar -59cobalt- Wiechers

unread,
Mar 30, 2009, 6:01:13 AM3/30/09
to
DevilsPGD <Death...@crazyhat.net> wrote:

Although true, this isn't that much of an exception, IMHO. As you said
yourself, decent firewalls can handle ping-floods from few sources by
rate-limiting the responses, and a distributed ping-flood usually can
exhaust 10 Mb/s just as easily as a 1 Mb/s.

DevilsPGD

unread,
Mar 30, 2009, 3:58:01 PM3/30/09
to
In message <gqq598...@news.in-ulm.de> Ansgar -59cobalt- Wiechers

A DDoS attack is quite different from a DoS attack though, and really is a
different ballpark, both technologically and in terms of the
sophistication needed to launch an attack. In other words, an echo
request attack is script kiddie 101, a true flood takes a bit more
effort (unless I missed a botnet firesale online)

My 10/1 cable modem can easily use this type of attack to take down a
user on a 2Mb/256Kb level of service with a pure DoS -- In other words,
this type of attack means all I need is for my upstream to exceed the
victim's upstream, rather than a traditional flood which would require
my upstream to exceed the victim's downstream.

If I don't care about spoofing my IP, I could do it from the Windows
command prompt by launching the right number of ping.exe sessions with
some carefully tuned packet sizes.

"Decent firewalls" != "The cheapest NAT box at Best Buy" (in other
words, I don't believe most people have a "decent firewall")

Let me also say that I personally believe anyone advocating disabling
ICMP is flat out ignorant and unqualified to dispense advice, and anyone
advocating discarding echo requests in the name of security probably has
a similar misunderstanding.

As someone with more than a passing interest in both security and
DoS/DDoS prevention/survival, I consider it important to understand the
risks.
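To put numbers on the asymmetric-bandwidth point made in the two DevilsPGD posts above, and on Ansgar's rate-limiting counter, here is an added Python model that is not part of the thread. It first computes how much of a victim's downstream and upstream an unmitigated echo flood consumes for a given down/up ratio, then runs a constructed packet stream through a toy inbound ICMP policy that rate-limits echo replies with a token bucket but always delivers destination-unreachable and time-exceeded messages, the ICMP traffic DevilsPGD says you want to keep. The link speeds, packet sizes, bucket settings and the packet stream are assumptions chosen for illustration, not measurements.

```python
"""Added example, not from the thread: model an ICMP echo flood against a
victim on an asymmetric link, then show what rate-limiting echo replies
(rather than dropping all ICMP) does to the victim's upstream while still
delivering the ICMP error messages connectivity depends on. Link speeds,
packet sizes and rate-limit settings are constructed for illustration."""
from dataclasses import dataclass

ECHO_REQUEST, DEST_UNREACH, TIME_EXCEEDED = 8, 3, 11
FRAG_NEEDED = 4  # code under DEST_UNREACH; carries the next-hop MTU for PMTUD


def echo_flood_load(attack_bps, down_bps, up_bps):
    """Fractions of the victim's downstream and upstream consumed by an
    unmitigated echo flood. Every request that gets through the downstream
    link is answered with a reply of the same size, so the reply rate is
    bounded by the (large) downstream link, not by the (small) upstream.
    A value above 1.0 means that direction is saturated."""
    arriving_bps = min(attack_bps, down_bps)
    return attack_bps / down_bps, arriving_bps / up_bps


@dataclass(frozen=True)
class Icmp:
    t: float      # arrival time, seconds
    type: int
    code: int
    size: int     # bytes on the wire, IPv4 header included


class TokenBucket:
    """Classic token bucket: `rate` replies per second, bursts up to `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def policy(pkt, bucket):
    """Toy inbound ICMP policy. Returns 'reply' (accept and answer), 'deliver'
    (accept, nothing to send) or 'drop'. Error messages are never dropped:
    without them the host loses path-MTU discovery and traceroute replies.
    A real filter would additionally match errors against connection state."""
    if pkt.type == ECHO_REQUEST:
        return "reply" if bucket.allow(pkt.t) else "drop"
    return "deliver"


def make_flood(pps, size, duration):
    """Constructed attack stream: `pps` echo requests per second of `size` bytes."""
    return [Icmp(i / pps, ECHO_REQUEST, 0, size) for i in range(int(pps * duration))]


def simulate(pkts, bucket, duration, up_bps):
    """Run the stream through the policy and report what the victim sent back."""
    replies = essential = dropped = reply_bytes = 0
    for pkt in sorted(pkts, key=lambda p: p.t):
        action = policy(pkt, bucket)
        if action == "reply":
            replies += 1
            reply_bytes += pkt.size        # an echo reply mirrors the request size
        elif action == "drop":
            dropped += 1
        elif pkt.type in (DEST_UNREACH, TIME_EXCEEDED):
            essential += 1
    return {"replies": replies, "dropped": dropped,
            "essential_delivered": essential,
            "upstream_fraction": reply_bytes * 8 / duration / up_bps}


# Assumed scenario: victim on a 2 Mb/s down, 256 kb/s up line; the attacker
# pushes 1 Mb/s of 1000-byte echo requests, one cable modem's worth of upstream.
VICTIM_DOWN, VICTIM_UP = 2_000_000, 256_000
ATTACK = make_flood(pps=125, size=1000, duration=1.0)          # 1 Mb/s
ESSENTIAL = [Icmp(0.5, DEST_UNREACH, FRAG_NEEDED, 56),
             Icmp(0.7, TIME_EXCEEDED, 0, 56)]

if __name__ == "__main__":
    down, up = echo_flood_load(1_000_000, VICTIM_DOWN, VICTIM_UP)
    print(f"unmitigated: downstream {down:.0%} used, upstream {up:.0%} used")
    result = simulate(ATTACK + ESSENTIAL, TokenBucket(rate=10, burst=5), 1.0, VICTIM_UP)
    print("with reply rate limit:", result)
```

The first function reproduces the thread's arithmetic: with a 2 Mb/256 kb victim, 1 Mb/s of requests fills half the downstream but asks for almost four times the upstream, so the attacker's upstream only has to exceed the victim's upstream. The simulation shows the mitigation DevilsPGD and Ansgar both allude to: capping echo replies at a handful per second leaves the upstream mostly free while the fragmentation-needed and time-exceeded messages still arrive, which is the difference between rate-limiting echo and "disabling ICMP".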

DevilsPGD

unread,
Mar 30, 2009, 3:58:01 PM3/30/09
to
In message <gqq000...@news.in-ulm.de> Volker Birk
<bum...@dingens.org> was claimed to have written:

>DevilsPGD <Death...@crazyhat.net> wrote:
>> In message <Uuvul.28396$cu.1...@news-server.bigpond.net.au> Lie Ryan
>> <lie....@gmail.com> was claimed to have wrote:
>>>A system is always vulnerable to ICMP DOS unless the firewall is
>>>instructed to ignore and ignore ICMP packets.
>> You do know that ICMP does a heck of a lot more then echo
>> request/responses, much of which you probably want, at least if you
>> enjoy reliable connectivity.
>
>I don't have the impression that he understands.

Me neither, which is why I asked. If I thought he did understand and
proceeded to dispense such poor advice anyway, I'd be assuming he has
malicious intent, attempting to mislead other ignorant users rather than
just being ignorant himself.

There is no crime or shame in ignorance, only in wilfully remaining
ignorant.
