Thursday, August 24

Article Review: Why home firewall software is a leaky dike

A while back, an interesting article on home software firewalls was posted, and it was also featured elsewhere. A couple of points in it just didn't add up to me, so I wanted to blog about them. The point of the article was to warn readers that software-based firewalls are not safe, going so far as to say that if you are using a router with "firewall functionality", no software firewall is needed.

The article continues:
The configuration of a personal firewall is usually more than most users can handle anyway. To understand the system's warning, the user must understand the meaning of IP addresses, host and client names as well as ports, the BSI reports.
Huh? So configuring a software firewall is too much for the user, but managing an undefined hardware router / firewall is suitable for most "lay" users (a term used later in the article)? And what about the idea of defense in depth?
Users who still prefer a firewall should first check whether they are using a router with firewall functionality. If so, then no firewall is needed, including the one built into Windows XP.
So what kind of firewall functionality are we talking about here? Any example? How should we configure this firewall / router? We already identified that our reader is a lay person, so hardware is the way to go? Having a router is a plus, but all it can decide on is addresses and ports: a consumer router (NAT plus a stateful filter) drops unsolicited inbound connections and lets anything initiated from inside pass. It has no idea which program on the PC opened a connection, so even a packet-filtering or stateful-inspection device provides no protection beyond that, and that is IF it has been configured properly.

Software firewalls are called "extraneous" as long as the user abides by the basic rules of web surfing. A couple of points here: first, no list of "rules" was provided, and second, what about other hacking-related activities, such as scanning and enumeration with nmap? A software firewall wouldn't help with that? I know first hand it will. A quick look at nmap versus the Windows firewall will tell you that: with the firewall dropping unsolicited probes, nmap reports the ports as filtered rather than open or closed. While on the topic of the Windows firewall (or any other, for that matter), it will not block outbound traffic unless told to do so; the Windows XP firewall filters inbound traffic only. The same goes for most of the magic "firewall routers" discussed in the article. The thinking seems to be "if it originates from within, it must be OK", which is obviously not the case. This entire theme is skillfully discussed in the book Extrusion Detection, by Richard Bejtlich (pronounced Bate-lik*).
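To make the distinction concrete, here is an added toy model of the two postures just described; it is not code from the original post or from any firewall product. One policy behaves like a stateful perimeter router that knows only addresses and ports, the other like a host firewall that additionally knows which program owns each connection and applies an egress rule per application. The addresses, port numbers and process names are constructed for the illustration, and nothing touches a real network.

```python
"""Toy stateful packet filter: router-style policy versus host firewall
with application-aware egress rules.

Constructed example; addresses, ports and process names are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set, Tuple

Flow = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool           # True for a new-connection attempt
    direction: str      # "in" = from the Internet, "out" = from the protected PC
    process: str = ""   # owning program; only a host firewall can know this


@dataclass
class StatefulFilter:
    """Drop unsolicited inbound traffic; pass replies to connections opened
    from inside. If allowed_apps is set, also enforce a per-application
    egress rule, which a router (never seeing the process) cannot do."""
    allowed_apps: Optional[FrozenSet[str]] = None
    table: Set[Flow] = field(default_factory=set)

    def decide(self, pkt: Packet) -> str:
        flow: Flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.direction == "out":
            if pkt.syn and self.allowed_apps is not None and pkt.process not in self.allowed_apps:
                return "DROP"        # egress rule: unknown program may not call out
            self.table.add(flow)     # remember the connection so replies get back in
            return "ACCEPT"
        # Inbound: allowed only if it is a reply to a connection we opened.
        reverse: Flow = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.table:
            return "ACCEPT"
        return "DROP"                # silently dropped; nmap shows the port as "filtered"


def run_scenarios(fw: StatefulFilter) -> Dict[str, str]:
    """Four packets a home PC might see, evaluated against one policy."""
    pc, scanner, web, c2 = "192.168.1.10", "203.0.113.9", "198.51.100.7", "203.0.113.50"
    out: Dict[str, str] = {}
    # 1. An nmap SYN probe from the Internet against 445/tcp on the PC.
    out["scan_probe"] = fw.decide(Packet(scanner, 40000, pc, 445, True, "in"))
    # 2. The browser opens an HTTP connection; the server's reply comes back.
    fw.decide(Packet(pc, 51000, web, 80, True, "out", "iexplore.exe"))
    out["http_reply"] = fw.decide(Packet(web, 80, pc, 51000, False, "in"))
    # 3. An unknown program on the PC calls out to an IRC port.
    out["malware_callout"] = fw.decide(Packet(pc, 52000, c2, 6667, True, "out", "svch0st.exe"))
    # 4. The remote side answers; this passes only if step 3 created state.
    out["malware_reply"] = fw.decide(Packet(c2, 6667, pc, 52000, False, "in"))
    return out


def router_policy() -> Dict[str, str]:
    """Consumer router: stateful, but with no idea which program is talking."""
    return run_scenarios(StatefulFilter())


def host_policy() -> Dict[str, str]:
    """Host firewall told which programs may initiate outbound connections."""
    return run_scenarios(StatefulFilter(allowed_apps=frozenset({"iexplore.exe", "outlook.exe"})))


if __name__ == "__main__":
    for name, fn in (("router", router_policy), ("host", host_policy)):
        print(name, fn())
```

Both policies drop the scan probe (which is why nmap reports "filtered") and both pass the browser's reply, but only the host firewall with an egress rule stops the unknown program's call-out, and because that connection never enters the state table its reply is dropped too. Note that the Windows XP firewall has no outbound filtering at all, so out of the box it behaves like the router half of this model.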

Here we get into usability versus security. Many software vendors will not ship software that is not usable, even at the expense of security. An exception to this: just today, a colleague told me about a new laptop that shipped with the McAfee security suite. Security was enabled and set to "paranoid" by default. The only problem was that the machine could not reach the default gateway and the NIC would not come online. How many people would have disabled the entire suite to get online?

The author does get points for discussing the dangers of using administrator account(s) for anything other than installing software (or running fport!), scanning attachments, and proper patch management. Furthermore, end-user awareness and surfing habits are covered, which is nice to see.

Pats on the back are over. The author says JavaScript should be disabled, but fails to mention ActiveX ... hmm. Backups? Covered, but nothing is said about offsite storage.
Backups are the safe way to go, Wolf recommends. "All important data should be regularly burned to CD or stored on a USB stick," Wolf says.
My problem with this article was its incomplete answers and misleading information. I did not mean to criticize, but to discuss a noteworthy article.

Should you choose, you may read the full article here.

*update: The author of Extrusion Detection, Richard Bejtlich, was kind enough to correct my error. His last name is pronounced "Bate-lik", not "bay-lic" as previously noted. Even podcasts could not save me! Thank you Mr. Bejtlich.


Richard Bejtlich said...

Hi Stephen,

I'm glad you liked Extrusion Detection.

For what it's worth, my last name is pronounced "Bate-lik".

Thank you!

Stephen R. Moore said...

Mr. Bejtlich,
My apologies. I have corrected my post.

While I have your ear, do you have any new publications in the works? Maybe a print version of your TCP/IP Weapons School course material?