Archived from groups: comp.security.firewalls
In article <DEKpc.262962$e17.237907@twister.nyroc.rr.com>,
vogt@spamcop.net says...
> Leythos schrieb:
> >>>Yes, outgoing firewall protection is not a cure all, but is a helpful extra
> >>>layer of protection. Layered protection is wise. I provide other helpful
> >>>(certainly the "paranoids" among us would like even more) recommendations at
> >>>http://www.mccune.cc/WindowsXP.htm
> >>
> >>Well, all commercial firewalls with that outgoing function are very
> >>complex, not easy to configure, have bugs, vulnerabilities and exploits
> >>themselves, with little added value that is not really necessary and can be
> >>circumvented. What is the "extra layer of protection" to the "extra
> >>layer of insecurity"? (That's one of the important lessons learned in
> >>security service design and security evaluations: simple effective
> >>measures are always better than highly complex stuff that nobody really
> >>understands and that only add more problems...)
> >
> >
> > Spoken like someone that doesn't understand security or networks.
>
> That is exactly what I could say about you. ;-) I know security and
> networks for many years, from theory and practice.
>
> > Commercial firewall devices are no more complex than any other
> > programmable device, and in some cases are less complex than personal
> > firewall software. In most cases, a properly configured firewall can
> > stop the spread of many of todays worms, even from infected machines
> > protected behind the firewall. If you don't have outbound protection you
> > only have a small part of the security that most people should have.
>
> I never talked about commercial firewall devices! Most end-user
> firewalls aren't that complex either and already do a terrific job for
> inbound protection. I also never claimed that a properly configured
> firewall does not protect you from incoming worms.
>
> But if you rely on a personal firewall running on an infected computer to
> protect you from a worm, then the results are as arbitrary as they could
> be: you don't know what happens. Any worm running on your computer can
> easily reconfigure the firewall the same way you can, and there are
> many ways to circumvent a personal firewall for the outgoing traffic.
> And even worse: most users don't know what to do with all the outgoing
> warnings and basically allow any traffic for any program that pops up a
> message (one reason for example why after a while most Internet
> Explorers run with "Allow all" instead of the standard auto config:
> there was a website the user wanted to see on port 7828 and the annoying
> messages just kept popping up until the "allow all" (which normal user
> takes the time to configure a rule through an 8(?) step dialog like
> NIS does??))
>
> Relying on a security mechanism to work on a compromised system is an
> extremely insecure thing to do. Hackers know that. Script kiddies have
> toolkits that help them do it. It's not hard. The moment you have a
> compromised machine you have to fix it and it is no good saying: it is
> not a problem because I have this firewall with outgoing protection...
>
> And the complexity of the software introduces new bugs and exploits as
> we have seen this month with Symantec NIS. And all these configuration
> options that users can easily play around with and all these pop-ups
> that require user interaction make it hard to configure it properly...
>
> The thing you have to fight is the infection, not suppress the
> symptoms of a disease...
I don't like personal firewall applications myself, I'm for an appliance
for everyone. Even a simple NAT router (not a firewall device in my
book) is a start.

For most users there are two ways they are going to get infected:

1) Worm finds a hole in the OS/Application and installs something
2) Email message with attachment that contains a worm/virus

In the first example, a NAT router would prevent a worm from reaching
their machines.

In the second example, AV software, while still reactive, would
eliminate most of those - so would a properly patched MS Office system.

The third one, a malicious web site, can be fixed by running in HIGH
SECURITY mode with IE and disabling all scripting. This method breaks
normal web sites, but if you set the TRUSTED Zone to MEDIUM and add your
trusted sites to it, you can easily train IE to work for your daily
needs while still having a secure experience.

As for personal firewall appliances, there are many SOHO units in the
$300~$500 price range, but most people won't purchase one in that cost
range. Even a simple router with NAT, at $40, is too much for most. The
personal firewalls, free ones, don't really offer that much protection
since the users never take the time to learn what they are "allow"ing
when they click allow - kind of makes the point of having a firewall
moot.

The simplest method would be to enable XP Firewall and sit behind a
simple router with NAT.
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
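The posts above argue two things about host firewalls: the inbound default must be Block, and a personal firewall's outbound protection is only as good as the pile of "Allow" exceptions users accumulate by clicking through pop-ups. The script below is an added example, not code from either poster, that audits both points on a current Windows build. It assumes the NetSecurity module (Windows 8 / Server 2012 or later, so not the XP Firewall named in the post) and an elevated prompt; the cmdlet names and parameters are the standard ones, everything else (variable names, the report layout) is illustrative.

```powershell
# Added example, not from the thread. Assumes Windows 8 / Server 2012 or later
# with the NetSecurity module; run from an elevated PowerShell prompt.

# 1. Per-profile state: is the firewall on, and what are the default actions?
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# 2. Flag any profile where the firewall is off or inbound does not default to Block.
Get-NetFirewallProfile |
    Where-Object { -not $_.Enabled -or $_.DefaultInboundAction -ne 'Block' } |
    ForEach-Object {
        Write-Warning ("Profile {0}: Enabled={1}, inbound default={2}" -f
            $_.Name, $_.Enabled, $_.DefaultInboundAction)
    }

# 3. The "click Allow until it stops nagging" problem: list every enabled
#    outbound Allow rule tied to a specific program, with its path, so the
#    accumulated exceptions can actually be reviewed rather than forgotten.
$outboundAllow = Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True

$report = foreach ($rule in $outboundAllow) {
    # The application filter carries the program path; 'Any' means not per-program.
    $app = $rule | Get-NetFirewallApplicationFilter
    if ($app -and $app.Program -and $app.Program -ne 'Any') {
        # Rule paths often use %SystemRoot% / %ProgramFiles%; expand before testing.
        $path = [Environment]::ExpandEnvironmentVariables($app.Program)
        [pscustomobject]@{
            Name    = $rule.DisplayName
            Profile = $rule.Profile
            Program = $path
            # A rule whose program no longer exists is a stale exception worth removing.
            Exists  = Test-Path -LiteralPath $path
        }
    }
}

$report | Sort-Object Program | Format-Table -AutoSize
```

Rows with `Exists` equal to False are exceptions left behind by uninstalled software and are the easiest cleanup; the rest are the list a user should be able to justify, which is the review step the thread complains nobody performs.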