Skip to comments."Personal Firewalls" are mostly snake-oil
Posted on 09/19/2001 7:22:26 AM PDT by Sir Gawain
A 'personal firewall' isn't a firewall. A firewall is a dedicated box with (usually) two or three ethernet ports running no services other than a firewall. My preferred configuration is an x86 box with a couple of tulip cards running FreeBSD or OpenBSD and ipf, though you can do OK with Linux and iptables too. You can run either on a $100 obsolete PC. (*BSD is better, but Linux is easier for a new user to configure).
Even the little hardware NAT boxes that you can get for sharing a DSL connection or cable modem are way better than any 'software firewall' (The NetGear RT311 and RT314 are extremely sophisticated and flexible NATs and start at less than $100 - they do full NATing, allow port forwarding and filtering to a protected network (NetGear Firewalls and NATs).
So... what does a 'personal firewall' actually do? Well, effectively it listens on all the ports on your system. This provides no real additional security over turning off the services that you don't use.
I'll repeat that - it provides no real additional security over turning off the services that you don't use. (Maybe it'll block trojans from phoning home, but A) if you've run a trojan your system is completely compromised and B) http://cyberpunks.org/display/356/article/).
What it does do is break standard network applications (such as traceroute) and, more importantly, if badly written it will claim normal background network traffic is some sort of attack, alarming the user for no good reason. I've never heard of a 'personal firewall' that isn't badly written in this way. That doesn't mean one doesn't exist.
Why do the authors do this? Two reasons, as far as I've been able to gather.
The first is that most of the people writing these applications know next to nothing about IP networking. They may be pretty good windows developers, but they have no idea what normal network traffic looks like. That should make you nervous about their ability to block any real malicious intent.
The second is more insidious... Why is an end user going to buy / register / upgrade their 'personal firewall'? They're not going to do so if they don't perceive any benefit from it. If it were a properly written application that just sat there, doing its job quietly in the background, users would forget it was there. But if it pops up warnings about 'attacks' all the time then it's clearly Doing Something. Most of those warnings are entirely frivolous - normal network traffic. And the remaining few... well... if the 'personal firewall' has protected your system from the supposed 'attack'... why do you care about it? You're safe from that supposed 'attack', right? So why pop up warnings and alerts? To make you feel you're getting a service from this program and so you'll pay for updates or 'Pro' versions.
The bottom line is this... If you care about your home network security a lot, and you're interested in it, spend the time to learn about networking and build yourself a standalone firewall.
If you don't want to spend that amount of energy on it, buy a standalone dedicated NAT or NAT+firewall box. I like the NetGear RT-311 and its siblings, but there're a bunch of others out there too. It'll sit there, do its job and never bother you again.
If you want to play with a piece of windows software that makes you click all over the place, there's always minesweeper.
If you'll feel safer sleeping at night knowing there's a 'personal firewall' running on your system, then install one. As long as you pay no attention to the "hack attacks" it reports it's better than nothing. A free one, ideally, as few of them are worth paying for. Turn off all the alerts and logging - you'll just waste your time (and, more importantly to me, my time and the time of other network administrators your complaints go to) increase your blood pressure and provide no benefit to you. If you really want to leave them turned on and see where traffic is coming from, feel free, but remember that most of the traffic you see is harmless, and that even if it isn't harmless it can't affect your system (if it could, it wouldn't be logged). Oh, and try not to waste admins time with frivolous complaints.
"But, but, but reporting these alerts to network administrators will help them catch crackers!"
Uhm, no. I know a whole bunch of network security and abuse staff. The response to any complaint with ZoneAlarm, BlackIce etc logfiles in it is to close the ticket, usually with an annotation like 'GWF' (Goober with Firewall). 99% of those reports are frivolous, about normal network traffic. In the remainder of cases there's nowhere near enough data in the logfiles to provide any idea of why the end user is upset. If you send frivolous complaints that just wastes the time of the staff receiving them and prevents them from handling real security issues. How do you tell if a complaint is frivolous? If the sender doesn't understand basic networking, it's almost certainly frivolous. If the sender is complaining based on 'personal firewall' logs, it's definitely frivolous.
The abuse desk staff I talk with hate users of 'personal firewalls' more than they hate spammers. That should tell you something about how useful your complaints will be.
"You're just a unix bigot and don't like Windows applications!"
I don't like Windows applications for networking, no, as Windows isn't very good at it in general (with a few exceptions - some of the kernel level networking code in NT4 and NT5 is extremely sophisticated). As for being a unix bigot... I'm a Microsoft Independent Software Vendor, subscribe to Microsoft Developers Network and in my spare time produce Windows Network Applications.
My dear brother and sister FReepers,
At this, of all times in my lifetime, I would like nothing more than to be able to read these threads and reply to them. I have much I would like to say.
BUT, I cannot!
Because I am trying hard to raise the finances needed to keep FreeRepublic up and running so that we can continue to share valuable information and respond to it.
I beg you, if you have not yet donated to FreeRepublic this quarter, do so now!
If you have already donated, THANK YOU VERY MUCH AND GOD BLESS YOU, please ping your friends, and FReep on...!
I realize you are giving to lots of Relief efforts and I encourage you to do so. But we need to help FR too. Where would we be right now without it?
If you have no money, please come and bump the Fundraiser Thread.
I would really like to reach our goal quickly so that I and the rest of the dedicated FReepers who are working the Fundraiser Threads can participate in what is undeniably the most important time in FreeRepublic's history.
Just because YOU say something, doesn't make it so.
Granted that a firewall appliance that stands alone between your computer and the network cable can be made less intrusive and possibly even more protective, ZoneAlarm appears to do a reasonable job, and so far it hasn't destabilized any of my systems at all.
Freedom, Wealth, and Peace,
Francis W. Porretto
Visit the Palace Of Reason: http://palaceofreason.com
ZA needs to put this disclaimer on the site before you DL. I get so many emails from friends that are freeking out after they install ZA because of all the IP blocks they are getting. I'm tired of explaining to each one.
Also Zone Alarm is good with NT but only if you use it 100% of the time. I got to where I turned it off every now and then, and it would shut down my internet connection. And I was told the same from many on NT newsgroups.
Yes, I di too because it looks at outgoing trafic as well as incoming. Coupled with my Netgear router, it works well.
If the people would click the link zonealarm provides, it is a very thorough and simple explanantion of what the port scans are. Personally, I don't worry about them, because if ZA logged it, then that means the attempt was un-successful. I have had two that piqued my interest as I stated above. The one from the "Investigaciones de y Internacionale" (I'm doing this from memory, so the exact name is probably a little diffrent from this) listed in Mexico city actually sent a little paranoid tremor through me. I can't figure out why a place like that was trying to scan me. Anyway, there's probably nothing to it, and this is probably just a fancy name for a data mining firm, bug I still wonder about it.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.