Interesting thread on slashdot

Personal Firewalls Mostly Useless, Says Mail & Guardian

Discuss… :slight_smile:

A quote for you all to read…

Why home firewall software is a leaky ■■■■

Dirk Averesch | Hoexter, Germany

25 June 2006 09:00

A chain is only as strong as its weakest link. That’s doubly true when it comes to protecting computers that are connected to the internet. Anyone who thinks that a virtual firewall is enough to protect a PC from the dangers of the internet – such as hacker attacks and unwanted contact with damaging programs – is making a mistake.

That level of safety requires a combination of several protective measures. Firewall software for home use is not much more than a leaky ■■■■.

“It’s dangerous to view a firewall as some sort of PC airbag,” warns Professor Stefan Wolf, who teaches applied computer sciences at the Polytechnic University of Lippe and Hoexter, Germany.

The so-called personal firewall programs commonly used with home PCs are not comparable to the powerful firewalls used in companies or public organisations.

Those organisations can afford special computers assigned exclusively to guarding the PCs in the network. A home computer must attempt to maintain its own firewall while performing its normal functions.

A recent test in the Munich-based computer magazine PC Professionell showed that the software often causes more problems than it solves. Not one of the six firewall programs the magazine tested, regardless of whether commercial or freeware, could prevent all attempts from the test programs at establishing outgoing connections between the PC and the internet.

Many firewalls were even quickly switched off within the simulation. In the most serious cases, damaging software was able to circumvent the firewall in sending sensitive data, from personal surfing histories to passwords and credit-card numbers, to the hacker.

Browsers are particularly susceptible, since they are inherently allowed to make a connection with the internet.

“If the attacker takes advantage of errors in the browser, then the best firewall won’t help at all,” says Wolf. Getting proper protection from personal firewall programs requires that programmers know the ins and outs of all ports between the operating system and browser and be able to work absolutely error-free.

Surfers are better advised to take more achievable steps, such as keeping their operating system, browser and other programs constantly up to date. This is because software makers, like hackers, are usually spurred to action only in reaction to published security gaps, Wolf says. This is why anti-virus software armed with the most current virus signatures is the crucial last-gap defence on any computer.

“Desktop firewalls, as they are also called, are practically extraneous, presuming that you adhere to the basic rules of safe surfing,” is the word at the German Federal Agency for Security in Information Technology (BSI) in Bonn.

IT security cannot be achieved through individual pieces of software, but rather must be constructed through the interplay of various factors.

This means first and foremost preventing viruses and damaging software from getting on the computer in the first place. “Surfing habits are hence important for security,” says Wolf. Most dangers emerge through surfing and downloads from questionable websites.

“The primary gateway into the browser is JavaScript,” Wolf explains. Users should deactivate the program language in their browser, or use browser extensions to define which web sites are to be trusted to execute JavaScript.

“It’s not convenient, but it is much safer,” he says.

Proper e-mail handling is another important preventative measure beyond the reach of firewalls. “Attached files should be scanned by a virus program prior to opening, and you should think twice before clicking unfamiliar links,” Wolf warns.

For reasons of convenience, many users simply use the default administrator account for daily PC use. Yet this can allow a virus to gain full control of the computer, magnifying the potential for major damages by a successful attack.

“John Q Public doesn’t need administrator rights and should log in as such only when installing software,” says Wolf.

The worst thing that can happen to a computer user is the loss of personal data. This is because tainted systems can be reinstalled at any time, but deleted data is usually gone forever.

Backups are the safe way to go, Wolf recommends. “All important data should be regularly burned to CD or stored on a USB stick,” Wolf says.

Users who still prefer a firewall should first check whether they are using a router with firewall functionality. If so, then no firewall is needed, including the one built into Windows XP, reports PC Professionell.

The configuration of a personal firewall is usually more than most users can handle anyway. To understand the system’s warning, the user must understand the meaning of IP addresses, host and client names as well as ports, the BSI reports.

Most lay users instead use the comfortable auto configuration settings offered by personal firewalls. This lets the software follow its own ideas about which data packets can pass through the virtual wall and which are to be filtered out.

According to the BSI, this can quickly lead to “security critical misconfigurations”. Filter rules should be hand set to allow only absolutely necessary access from the computer to the internet.

The rules should also be regularly inspected and non-necessary ports locked down. – Sapa-dpa

They should try CPF…

It is partially true. Most firewalls can’t prevent leaks. But CPF blocks them all. (:WIN)

ps. The professor doesn’t take into consideration that users need to control their programs too. How can they do it with no Personal Firewall? They should configure manually every single program. A novice user can’t do it by himself ::slight_smile:

As others always say, layered security is the solution, is actually what is sort of suggested there.

Up-to-date OS
Maybe Disable un-needed services.
Run as restricted user
Use firewall software(Up-to-date)
Use antivirus software(Up-to-date)
Check and re-research firewalls regularly (I used to do this very often)

Overall, the guy has a point, even CPF on its own without the others I mentioned will leak like a sieve.

Cheers, rotty

There simply is no single silver bullet!

One interesting thing is: where the hell does this professor get his stats from? To my knowledge people think they are safe by simply downloading AV, not a firewall. But hey…

There are two issues here:

  1. need for layered security
  2. calling firewalls useless.

I agree with 1, totally disagree with 2.

The reason why I disagree with 2 is: There simply is no 100% security! Their point is wholly based on firewalls that leak. Obviously they haven’t tried CPF (:NRD)

Will there be new techniques to bypass firewalls? Of course there will be! Security is a game of cat and mouse. It’s about reacting fastest, building the most proactive defenses etc., but at the end of the day there simply is no 100% security!!

This prof. must have a door in his house, right? Why does he have it? We all know it can be broken, so what’s the use? If he is using a door to protect his home and writing this article claiming firewalls are useless, then I would say he is a hypocrite!

Melih

Yes, you are right Melih. I would be surprised if he didn’t have a door (firewall)… and he probably locks it (block) too… when it smells bad at home, he will probably open (allow) a window (port) to let the fart (program) out. He must then remember (rule) to close (block) the window, so nobody gets in (firewall)… ???
If the smell stays in the cloth of the sofa, he has to use his cloth-cleaning-machine (Antivirus-program)… :o

The best bet to protect you from everything, is getting a watchdog (SCOMODO™), they attack intruders and eat sh*t… (Scomodo™…?) ;D

Great analogy! (:CLP) (:CLP) (:CLP)

Dirk Averesch | Hoexter, Germany

25 June 2006 09:00

<------------------------------------------------------------------------------------------------------------------------->

A chain is only as strong as its weakest link. That’s doubly true when it comes to protecting computers that are connected to the internet. Anyone who thinks that a virtual firewall is enough to protect a PC from the dangers of the internet – such as hacker attacks and unwanted contact with damaging programs – is making a mistake.

<<<No, the mistake is thinking most hackers would go through the trouble of hacking a typical user’s computer to begin with… unless they go through all the work to get a free copy of Comodo.exe ??? They don’t have a hill of beans interest in most typical user computers. >>>>

That level of safety requires a combination of several protective measures. Firewall software for home use is not much more than a leaky ■■■■.

<<<<Obviously you haven’t shut off your firewall for a week and then seen what ■■■■ is on your computer… Dolt. >>>>>

“It’s dangerous to view a firewall as some sort of PC airbag,” warns Professor Stefan Wolf, who teaches applied computer sciences at the Polytechnic University of Lippe and Hoexter, Germany.

<<<>>>

The so-called personal firewall programs commonly used with home PCs are not comparable to the powerful firewalls used in companies or public organisations.

<<<<And why the hell should they be??? I don’t keep Corporate information on my wife’s HP!! >>>>

Those organisations can afford special computers assigned exclusively to guarding the PCs in the network. A home computer must attempt to maintain its own firewall while performing its normal functions.

<<< So??? >>>>

A recent test in the Munich-based computer magazine PC Professionell showed that the software often causes more problems than it solves. Not one of the six firewall programs the magazine tested, regardless of whether commercial or freeware, could prevent all attempts from the test programs at establishing outgoing connections between the PC and the internet.

<<<How else will you establish a connection for your browsers etc…??? What attempts specifically??? Every test I used concluded Comodo did!!>>>

Many firewalls were even quickly switched off within the simulation. In the most serious cases, damaging software was able to circumvent the firewall in sending sensitive data, from personal surfing histories to passwords and credit-card numbers, to the hacker.

<<<What hacker?? where?? What was the security level on the firewall?? Was the person using passwords etc…while on the internet already???>>>

Browsers are particularly susceptible, since they are inherently allowed to make a connection with the internet.

<<<I’m sorry but that is a dumbass statement if I ever heard one! What is the purpose of a browser?? To connect !! >>>

“If the attacker takes advantage of errors in the browser, then the best firewall won’t help at all,” says Wolf. Getting proper protection from personal firewall programs requires that programmers know the ins and outs of all ports between the operating system and browser and be able to work absolutely error-free.

<<<UMMM how about pegging responsibility to the BROWSER creators!!! See Melih, Comodo needs to create a SAFE browser, lololllll :smiley: :smiley: :smiley: :smiley: :smiley: <----kidding>>>

Surfers are better advised to take more achievable steps, such as keeping their operating system, browser and other programs constantly up to date. This is because software makers, like hackers, are usually spurred to action only in reaction to published security gaps, Wolf says. This is why anti-virus software armed with the most current virus signatures is the crucial last-gap defence on any computer.

<<<Oh really?? Then how do so many get through still?? Why not say Anti virus isn’t up to the task either and causes the same issues as it does, specifically with NORTON.>>>

“Desktop firewalls, as they are also called, are practically extraneous, presuming that you adhere to the basic rules of safe surfing,” is the word at the German Federal Agency for Security in Information Technology (BSI) in Bonn.

<<<There is no such thing as SAFE SURFING!! SAFER maybe. Basic rules??? For a billion people??? >>>

IT security cannot be achieved through individual pieces of software, but rather must be constructed through the interplay of various factors.

<<<No Sh*t sherlock! >>>

This means first and foremost preventing viruses and damaging software from getting on the computer in the first place. “Surfing habits are hence important for security,” says Wolf. Most dangers emerge through surfing and downloads from questionable websites.

<<<I am getting sleeeepppppyyy here ! He must live in the state of the obvious.>>>

“The primary gateway into the browser is JavaScript,” Wolf explains. Users should deactivate the program language in their browser, or use browser extensions to define which web sites are to be trusted to execute JavaScript.

<<>>

“It’s not convenient, but it is much safer,” he says.

<<>>>

Proper e-mail handling is another important preventative measure beyond the reach of firewalls. “Attached files should be scanned by a virus program prior to opening, and you should think twice before clicking unfamiliar links,” Wolf warns.

For reasons of convenience, many users simply use the default administrator account for daily PC use. Yet this can allow a virus to gain full control of the computer, magnifying the potential for major damages by a successful attack.

“John Q Public doesn’t need administrator rights and should log in as such only when installing software,” says Wolf.

The worst thing that can happen to a computer user is the loss of personal data. This is because tainted systems can be reinstalled at any time, but deleted data is usually gone forever.

Backups are the safe way to go, Wolf recommends. “All important data should be regularly burned to CD or stored on a USB stick,” Wolf says.

<<<Let me just sum up the last few sentences, why is this a firewall issue?? What about other apps taking responsibility for their part in security huh??? (:AGY)>>>>

Users who still prefer a firewall should first check whether they are using a router with firewall functionality. If so, then no firewall is needed, including the one built into Windows XP, reports PC Professionell.

<<<<Yes well, I have a router and it couldn’t pass gas, it failed many tests and Comodo firewall made up for that, so chew on that little bit>>>

The configuration of a personal firewall is usually more than most users can handle anyway. To understand the system’s warning, the user must understand the meaning of IP addresses, host and client names as well as ports, the BSI reports.

<<<<My goodness!! Terrible should anyone gain knowledge about such things which takes an average user about an hour to understand the basics! Let’s just do everything for everyone so no one has to learn!>>>>

Most lay users instead use the comfortable auto configuration settings offered by personal firewalls. This lets the software follow its own ideas about which data packets can pass through the virtual wall and which are to be filtered out.

<<<so??>>>

According to the BSI, this can quickly lead to “security critical misconfigurations”. Filter rules should be hand set to allow only absolutely necessary access from the computer to the internet.

<<>

The rules should also be regularly inspected and non-necessary ports locked down. – Sapa-dpa

<<>>

I am sorry, but this truly p*sses me off! Taking basic common sense, other security problems with other applications, etc… and trying to apply it all to firewall issues… Anyone that knows anything about firewalls, securities, etc… should be able to see that 3/4 of this is a load of bulls##t, and truly has 97% of garbage that cannot be blamed on a firewall anyway!! All that was done here was this… and I will break this down…

<< Used Firewall as topic, brought up all sorts of security issues , mostly which don’t pertain directly to a firewall, and frosted the whole scenario to make a firewall look bad.>>

Is this crackpot getting paid? I wish I could for stating OBVIOUS issues and swirling them to blame one subject. If you don’t believe me, take out the first couple of lines, make it Browsers instead, then the article applies nicely, or AV as well. Oh man, this ticks me off!! That’s right, (:AGY)

I am even ready to make amends with Scomodo to handle the situation!! :wink:

Cheers,

Paul (:AGY)

I have been modifying this as I go, if a bit too straightforward I will have no objections to deletion, but it is complete BULL.

HAAAAA you killed SCOMODO!!! :smiley: :smiley: :smiley: :smiley: :smiley: :smiley: (:CLP) (:CLP) (:CLP) (:CLP)

Cheers,

Paul

???

Ok, you fixed it. It was scattered, dismantled. Darn. Anyway, boy did that guy’s statements tick me off. I never saw such a bunch of hooey. What he suggests is totally ridiculous and in fact if we had to do all of it manually for what, 65 thousand ports, wow what fun that would be. While one fact remains, you can’t block everything, a firewall does its job for what it’s supposed to do, at least Comodo’s does.

Cheers,

Paul

Yeh, i put him back together… ;D
I agree with you. People are already complaining about a few popups… Setting all ports manually… geee…
That guy just hasn’t tried CPF… :wink:

He was saying that SCOMODO can protect you, that he will be your guard and eat all of the intruders (:CLP)

Yes! That’s right.
I edited the post so he might understand… ;D ;D ;D

Statement 1: Personal Firewalls are useless : Use Windows firewall or the corporate firewall

Statement 2: All of the personal firewalls tested failed SOME of the test programs: Rely on windows firewall or corporate firewall (which are guaranteed to fail ALL of the test programs. They are even unaware of them).

Statement 3: Harden OS + Stay up to date : Don’t use a personal firewall while doing so, you don’t need one (The test programs used against those personal firewalls will fail with these good security practises?).

If you do take this article seriously and read it to the end, I am sure you can find more ■■■■■■ statements.

Good point. Unfortunately I worry about others who don’t know better taking this seriously more so than me. As much as I would like to think that any current pre certified customers I acquired would take my word, when something is published they may in fact think twice about my hounding them on security. This worries me more than anything. What’s this world coming to egemen? How can something like this even get put out there? It should have been sent to the recycle bin upon writing.
My mother in law is behind this, I know it!

Cheers,

Paul

LOL! Those guys are in usenet forums as well. Busy with making everyone crazy.

I hope they come to Comodo forum… (:AGY)

Guys, you are missing the point!

The interesting part about slashdot articles are the discussions!
Ignore the article and see what the people there have to say about the subject.

I have the vaunted hardware firewall built into my router. It will do nothing to stop outgoing traffic initiated by malware that I accidentally introduce into my computer via email or downloads. If I install a keylogger or one of the Banker viruses, all my personal data - financial, vital statistics, identity etc are at risk. If, somehow, a zero-day virus is not picked up by my antivirus software, I am hoping that the firewall will prevent an unidentified program from sending information out! Naturally, a purely malicious and destructive virus can destroy my system, but stopping that is not the job of the firewall. Ignoring the threat of unauthorized outgoing connections is just stupid.
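
An added illustration, not part of the thread: the outbound-filtering point in the post above, together with the BSI advice quoted in the article (hand-set rules that allow only necessary access), modelled as per-program rules with default deny. All paths, hosts and rules are constructed assumptions and describe no real firewall product.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    program: str            # executable the rule applies to
    host: Optional[str]     # None means any remote host
    port: Optional[int]     # None means any remote port
    action: str             # "allow" or "block"

@dataclass(frozen=True)
class Conn:
    program: str
    host: str
    port: int

def decide(rules, conn):
    """First matching rule wins; an unmatched connection is blocked (default deny)."""
    for r in rules:
        if (r.program == conn.program and r.host in (None, conn.host)
                and r.port in (None, conn.port)):
            return r.action
    return "block"

def audit(rules):
    """List allow rules broader than 'this program, this port' for manual review."""
    findings = []
    for r in rules:
        if r.action == "allow" and r.port is None:
            scope = "any host, any port" if r.host is None else "any port"
            findings.append((r.program, scope))
    return findings

# Constructed sample data (hypothetical paths, documentation-range addresses).
BROWSER = r"C:\Program Files\Browser\browser.exe"
MAIL = r"C:\Program Files\Mail\mail.exe"
UNKNOWN = r"C:\Users\me\AppData\Local\Temp\unknown.exe"

AUTO_RULES = [            # what a permissive auto-configuration might produce
    Rule(BROWSER, None, None, "allow"),
    Rule(MAIL, None, None, "allow"),
]
HAND_RULES = [            # hand-set: only the access each program needs
    Rule(BROWSER, None, 80, "allow"),
    Rule(BROWSER, None, 443, "allow"),
    Rule(MAIL, "mail.example.com", 993, "allow"),
]
EVENTS = [
    Conn(BROWSER, "www.example.org", 443),
    Conn(BROWSER, "203.0.113.10", 6667),
    Conn(MAIL, "203.0.113.10", 25),
    Conn(UNKNOWN, "203.0.113.10", 8080),
]

def compare(events=EVENTS):
    """Return (program name, port, auto verdict, hand-set verdict) per event."""
    return [(c.program.rsplit("\\", 1)[-1], c.port,
             decide(AUTO_RULES, c), decide(HAND_RULES, c)) for c in events]

if __name__ == "__main__":
    for row in compare():
        print(row)
    print(audit(AUTO_RULES))
```

The first event shows the limit the article raises about browsers: traffic from an allowed program on an allowed port passes under both rule sets, so tighter rules narrow the exposure but do not replace patching and the other layers discussed in the thread.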