Re: It seems every firewall is slagged as snake oil. So how should it be done?

Ansgar -59cobalt- Wiechers wrote:
> Geoff Smith <geoff915@xxxxxxxxx> wrote:
>> Definitely use a NAT router.
>>
>> Make sure you disable UPnP on it, though, or malware on a user's
>> computer will still be able to poke holes in it. Also this doesn't
>> affect tunneling stuff through other protocols.
>>
>> But in addition to that, ALL of the firewalls you mention are very
>> good. Anyone claiming they are snakeoil is just ignorant.

Laughable, there are no fully valid points in your post.

> - A system that doesn't have any open ports, because it doesn't have any
> services listening on the external interface, doesn't need a personal
> firewall to protect the system from direct inbound attacks.

A system is always vulnerable to ICMP DoS unless the firewall is instructed to ignore ICMP packets.

> - A system that is properly patched isn't vulnerable to attacks
> targeting the already patched bugs.

There are always zero-day vulnerabilities. Having a firewall can help to protect against these vulnerabilities, since most of them assume a vanilla system.

> - Personal firewalls cannot protect services that are supposed to be
> accessible to begin with.

Personal firewalls should not be used for a web server in the first place.

> - When the user is working with admin privileges, personal firewalls can
> be disabled from the inside, even if they employ rootkit techniques.

That is true even for hardware firewalls, and it is true for any kind of protection. Even moderately security-conscious people would not be so foolish as to run as Administrator nowadays.

> - Malware should be prevented from being run in the first place, not
> from communicating outbound after it's already running. There are
> various measures helping to achieve the former, including, but not
> limited to: disabling autostart on removable media, using Software
> Restriction Policies, setting appropriate "execute" permissions, or
> running (up-to-date) AV software.

What a laugh... I'm sure in your unfirewalled system there is a worm that is currently contacting home, and you are CLUELESS about its existence because your firewall didn't tell you (OOOOPSS I forgot you don't have a firewall).

Fully updated antivirus? Do you think a "fully updated antivirus" stands a chance against a zero-day vulnerability? A firewall has a much better chance against zero days since it does not rely on signatures.

> - The popups of personal firewalls are more confusing than anything
> else, because in order to understand these messages, the user would
> have to have a good understanding of both networking and Windows
> internals. Which is quite uncommon with the target group of personal

I doubt that. If there is a program named autorun.exe trying to get access to the Internet, I'm sure anyone moderately computer literate will be suspicious.

> - The logging of personal firewalls usually is laughable, since vital
> information is omitted.

How does no logging compare to some logging?

> On top of that, more often than not personal firewalls introduce
> additional vulnerabilities on the system they're supposed to protect:
>
> - Automatic network shunning (default with various personal firewalls)
> can be abused by an attacker for a DoS attack.

Which is better than a compromised system. Anyway, most personal firewalls can selectively block the attacker's IP address without blocking the whole network.

> - Some personal firewalls run interactive services with elevated
> privileges, making them susceptible to shatter attacks.

Better than an unfirewalled system, which can easily be turned into a zombie without any effort at shattering.

> - Exploitable bugs in personal firewalls can be used to compromise the
> system. This has already happened ITW (W32/Witty.worm).

A worm can only target a very small and specific set of firewalls. In the case of the Witty worm, it could only break through the ISS firewall; it won't be able to break my Comodo firewall or my Kerio firewall. Adding diversity makes it harder for a worm to have widespread impact. With a uniform configuration (i.e. all with no firewall) it is only a matter of time before the worm makes the next hop.

> And you dare calling the critics of personal firewalls ignorant?

And you dare claim to know anything about security?
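Both sides of the thread argue about what personal firewall logs are worth: one says vital information is omitted, the other asks how no logging compares to some logging. The following added example (not code from either poster) makes the point concrete by parsing a log in the W3C-style text format that Windows Firewall writes to pfirewall.log and summarising allowed outbound connections. The `#Fields` header is the real one for that format; the data rows, the destination addresses and the port allowlist are constructed for the demonstration.

```python
"""Summarise allowed outbound connections from a Windows Firewall text log.

Added example, not code from the thread. It assumes the W3C-style format that
Windows Firewall writes to pfirewall.log (the #Fields header below is the real
one); the data rows are constructed for this demonstration.
"""
from collections import Counter

# Constructed sample: header lines as Windows Firewall writes them, rows invented.
# Note the "path" column holds the direction (SEND/RECEIVE), not a program path:
# the format records no process identity at all.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-03-01 10:00:01 ALLOW TCP 192.168.1.10 203.0.113.5 49152 80 0 - 0 0 0 - - - SEND
2009-03-01 10:00:02 ALLOW TCP 192.168.1.10 203.0.113.5 49153 80 0 - 0 0 0 - - - SEND
2009-03-01 10:00:05 ALLOW TCP 192.168.1.10 198.51.100.7 49154 6667 0 - 0 0 0 - - - SEND
2009-03-01 10:00:06 DROP TCP 192.0.2.99 192.168.1.10 4444 135 0 - 0 0 0 - - - RECEIVE
2009-03-01 10:00:07 ALLOW UDP 192.168.1.10 192.168.1.1 49155 53 0 - - - - - - - SEND
"""

# Ports a workstation is expected to talk to outbound; constructed allowlist.
EXPECTED_PORTS = {"53", "80", "443"}


def parse_firewall_log(text):
    """Return one dict per data row, keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        # Skip rows that do not match the header instead of guessing at columns.
        if fields is None or len(values) != len(fields):
            continue
        records.append(dict(zip(fields, values)))
    return records


def outbound_summary(records):
    """Count ALLOWed outbound (SEND) connections per (dst-ip, dst-port, protocol)."""
    counts = Counter()
    for r in records:
        if r["action"] == "ALLOW" and r["path"] == "SEND":
            counts[(r["dst-ip"], r["dst-port"], r["protocol"])] += 1
    return counts


def unexpected_outbound(records, expected_ports=EXPECTED_PORTS):
    """List allowed outbound destinations on ports outside the allowlist.

    This is the most a defender can get from this log: the destination and port
    stand out, but which program opened the connection is not recorded.
    """
    flagged = []
    for key in outbound_summary(records):
        dst_ip, dst_port, proto = key
        if dst_port not in expected_ports:
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    for key, n in sorted(outbound_summary(recs).items()):
        print(f"{key[0]}:{key[1]}/{key[2]} allowed {n} time(s)")
    print("unexpected:", unexpected_outbound(recs))
```

Run against the constructed rows, the script flags the connection to port 6667 as outside the allowlist, which is the kind of "something is contacting home" signal one poster values. What it cannot do is name the program that opened it, which is the other poster's complaint: the log's last column is the direction, and no process field exists, so the analyst still has to correlate by time against other host evidence.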