Firewall Wizards mailing list archives

Re: Home firewall/NAT appliances - summary


From: Christopher Hicks <chicks () chicks net>
Date: Sun, 20 Jul 2003 05:37:10 -0400 (EDT)

On Thu, 17 Jul 2003, Dave Piscitello wrote:
> I won't start a thread about this, I'm sure we've endured
> enough "security vs. ease of installation" discussions.

Tastes great.  Less filling.

> If you want to take this up with me, do so offline and save
> maillist electrons.

Oh, sorry.

> Some folks responded with experience from personal firewall software.
> Several of these do indeed block all outbound applications by default
> and some interact with the user on a per application basis to customize
> a policy. I'm not convinced every home user responds knowledgeably to
> "notarookit.exe wants to connect to the internet, is this OK?", but at
> least it's not wide open.

I've installed virus/personal firewall software from a couple of different 
vendors and here's what I found:

- it wasn't worth doing except on the machines of the PEBCAK issue 
generators.  Those people /definitely/ have no idea what should be 
installed, allowed to connect to the internet, or how to find their way 
out of a small paper bag....but anyway, the corollary is also true: the
power users found it a pain and superfluous because they "knew how to not
click on the wrong &*^*& thing in the first place."

- the amount of information provided to decide whether to allow a
connection or not is rather limited and you will often be confronted with
this shortage.  Every piece of wintray garbage these days seems to want to
connect to the Internet.  If you've never seen how much your box talks to
the net "on your behalf" hook one of these things up and let it annoy you
for a full day.  (But not a Monday.)

- the majority of software we found when we looked (about a year ago) was
configured in this really annoying fashion.  While I'm sure software could
be configured to quietly "prevent what we know is bad and otherwise stay
out of the way", that's a lot of work and if it doesn't come that way out 
of the box, or more easily doable than hand-configuring a firewall, it's
not going to be useful for most IT folks.

- other solutions seem to have solved most of the problems the personal
firewall software was aimed at preventing.  Personal firewall hardware has 
become quite cheap (~$100) and painless.  This takes care of half of the 
problem because things can't get in that aren't brought in.  (You know 
what I mean.)  Virus scanning on the mail server and e-mail proggies that 
don't suck down web images (at least as an option) have wiped out the big 
wins that the personal firewall software people had to start with.

Disclaimer: I don't have any financial or other interest in seeing these 
guys fail.

So, I'm wondering what I'm missing.  Is there some point to this stuff
this year?  Has personal firewall software gotten any better?  Really,
does anyone have any glowing stories of these products making their lives
more pleasant?

-- 
</chris>

The death of democracy is not likely to be an assassination from ambush. It
will be a slow extinction from apathy, indifference, and undernourishment.
-Robert Maynard Hutchins, educator (1899-1977)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

