Full Disclosure mailing list archives

Re: UTTER HORSESHIT: [was January 15 is Personal Firewall Day, help the cause]


From: "Mary Landesman" <mlande () bellsouth net>
Date: Thu, 15 Jan 2004 11:51:15 -0500

Interpretation is subjective, but I have always interpreted the Sam Spade
rant to be directed at the alerting many of these PFWs do, vs. the actual
effectiveness. In fact, his point seems to be to get a hardware-based
firewall. This isn't an option for the "Annie's" of this world. Properly
used, a PFW provides excellent adjunct protection and, I believe, is a
must-have. In fact, even when hardware-based firewalls are available, a
properly configured PFW can prevent the scenario played out over and over
again with Blaster - laptops piggybacking the infection past the perimeter
defenses (i.e., hand-carried in through the front door) and then wreaking
havoc once inside. Had these enterprises also employed PFWs, that would not
have occurred. (Of course, there are many reasons a PFW in the enterprise
could be problematic and I do recognize that - but this isn't the focus of
the discussion).

NO solution is immune from user-error. Thus, folks who want to help out
their friends and neighbors (and the Internet as a whole), should not just
recommend a PFW, but take the time to show the person how to use it
properly. And, yes, part of that should involve disabling alerting where
prudent and taking a few moments to configure the appropriate trusted apps.
Doing this will ensure the best chance (though never 100%) of a PFW working
properly and effectively on "Annie's" computer.

I use a NAT+firewall for my home network. But I also use a PFW. Why? It's
great policy management. If I turn on a system my son also uses, I can keep
his chat and other superfluous apps from connecting while I do whatever it
is I need.

In the Sam Spade article, it is clear he is frustrated with user inquiries
into why something is alerting or what something in the log means. And his
frustration is completely understandable. However, I think it is a disservice
to somehow interpret his frustration as an argument that PFWs are bad ideas.
For many, they provide the best means of protection accessible to a
particular breed of user. And, as such, their use should be encouraged. With
proper training, of course.

And yes, some malware can disable it. This is a fairly common tactic with
some email worms. But that simply underscores the need to educate users
about email - it is not, IMO, an indictment of PFWs nor is it a reason to
not use one. Using your house analogy, that would be like telling someone
not to bother locking their front door, because an intruder could come in
through the back and unlock the front one... Better to learn to lock both
doors, use the peephole, etc.

Regards,
Mary Landesman
Antivirus About.com Guide
http://antivirus.about.com

----- Original Message ----- 
From: "Erik van Straten" <emvs.fd.3FB4D11C () cpo tn tudelft nl>
To: <full-disclosure () lists netsys com>
Sent: Thursday, January 15, 2004 7:55 AM
Subject: Re: [Full-disclosure] UTTER HORSESHIT: [was January 15 is Personal
Firewall Day, help the cause]


"http-equiv () excite com" <1 () malware com>:
We hereby reject this utter horseshit unreservedly.

Agreed - when it's intended to "protect" aunt Annie's Xmas present.

It just makes NO SENSE to have PCs listening on lots of ports, by
default on any interface, and then add a PFW to prevent anyone from
accessing them.

(much like building a wall in front of your house because your doors
and Windows(TM) have broken locks).

In particular because most Annie's have no clue what IP is, and
undesired egress traffic easily bypasses PFWs (if the malware hasn't
shut down the darn thing right away).

Classic PFW = Snake Oil: http://www.samspade.org/d/firewalls.html

If Annie's weren't members of Administrators, and members of
Administrators would not have access to apps like IE and OE, and
WindowsUpdate would not require admin privs to download, and there
wouldn't be so many privesc sploitz, and the FS and registry would
have much tighter perms by default, PFWs *would* make sense - for
blocking undesired egress traffic.

That is, provided that the PFW reliably starts before net I/O is
possible, runs in "Safe Mode With Networking", and is not crowded
with bugs itself.

Cheers,
Erik
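The conditions Erik lists (the PFW starts before network I/O, survives "Safe Mode With Networking", is not silently disabled) and the trusted-app review Mary recommends can be checked rather than assumed. The script below is an added, read-only posture check for the built-in Windows Defender Firewall, written for this archive page and not taken from either poster; it assumes Windows 8 / Server 2012 or later (the NetSecurity cmdlets, the MpsSvc service name and the SafeBoot\Network registry key are Windows' own, the function name is mine).

```powershell
# Added example (not part of the thread): read-only health check of the
# Windows Defender Firewall against the conditions discussed above.
function Test-PersonalFirewallPosture {
    $findings = @()

    # 1. Firewall service running and set to start with the OS, so that it is
    #    up before network I/O is possible (Erik's "reliably starts" point).
    $svc = Get-Service -Name MpsSvc -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        $findings += 'Firewall service (MpsSvc) is not running'
    }
    if ($svc -and $svc.StartType -ne 'Automatic') {
        $findings += "MpsSvc start type is $($svc.StartType), expected Automatic"
    }

    # 2. Windows only starts services listed under SafeBoot\Network when booted
    #    into "Safe Mode with Networking"; an absent key means no firewall there.
    $safeBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MpsSvc'
    if (-not (Test-Path $safeBootKey)) {
        $findings += 'MpsSvc is not listed for Safe Mode with Networking'
    }

    # 3. Every profile enabled, inbound blocked by default, and blocked packets
    #    logged so that a weakened or disabled profile is visible afterwards.
    foreach ($p in Get-NetFirewallProfile) {
        if ($p.Enabled -ne 'True') { $findings += "Profile $($p.Name) is disabled" }
        if ($p.DefaultInboundAction -ne 'Block') {
            $findings += "Profile $($p.Name) does not block inbound by default"
        }
        if ($p.LogBlocked -ne 'True') {
            $findings += "Profile $($p.Name) does not log blocked traffic"
        }
    }

    # 4. The "trusted apps" Mary mentions: every enabled inbound allow rule bound
    #    to a program is a deliberate listening hole and should be reviewed.
    $allowed = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Get-NetFirewallApplicationFilter |
        Where-Object { $_.Program -and $_.Program -ne 'Any' } |
        Select-Object -ExpandProperty Program -Unique

    # 5. Erik's first condition: is the logged-on user an Administrator?
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if ($isAdmin) { $findings += 'Current user is a member of Administrators' }

    [pscustomobject]@{ Findings = $findings; InboundAllowedPrograms = $allowed }
}

Test-PersonalFirewallPosture | Format-List
```

An empty Findings list with a short, recognisable InboundAllowedPrograms list is the state both posters would accept; anything else is a concrete item to fix or explain to the user.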


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
