Re: Opinions on the following articles?
From: James Grant (nospam_at_nospam.com)
Date: 06/27/03
Date: Fri, 27 Jun 2003 17:42:10 GMT

Back in 1997, ConSeal PC Firewall was the first true personal firewall
because it was the first to intercept all traffic at the NDIS layer.
Others like Nuke Nabber and McAfee Firewall were user-mode and even
AtGuard started as a filter for TCP and UDP only. BlackICE, SyGate
and ZoneAlarm came later.

Back then, a personal firewall was clearly of use because there were
DoS attacks that exploited weaknesses in Windows 95 and NT, such as
"nestea" - a fragment attack that crashed your computer, "LAND" - it
made your system try to connect to itself and it hung, and there
were ICMP nukes that got people kicked out of their IRC chat group.
Patches have fixed the bugs and personal firewall vendors made the
mistake of thinking their products were suited to protecting users
from internal threats as well as external ones. I say it was a
mistake because LeakTest caught most with their pants down and it
was just a prototype, showing what could be done. Personal firewall
vendors took weeks or months to address the growing list of
prototype trojans that could circumvent personal firewalls. Now
they proudly boast how they defend people against these things.
I don't buy it.

The key reason why personal firewalls are unsuited to protecting
users from trojans (internal threats in general) is the slow
response of vendors to these threats. (This is where I agree with
the Sam Spade website.) Look at how long it takes anti-virus
vendors to put out an update when a new virus comes out. It is
measured in minutes or hours. Compare that to how long it has
taken personal firewall vendors to put out updates that address
new trojans (or trojan prototypes): days, weeks, months.

Back when I was working on ConSeal PC Firewall for Signal 9, I
used to pooh-pooh BlackICE, saying its security value steadily
declined without updates (which is fair) but true personal
firewalls maintained their value. History proved me wrong.

The update model for BlackICE was its strength. Look at this
from a comparison of BlackICE and ZoneAlarm:
http://cws.internet.com/reviews/lannet-zonealarm5.html
"BlackICE allows you to download an update file that you can
run as a patch for the main executable, whereas ZoneAlarm
requires you to download the complete application and reinstall
over the existing setup."

While the reviewer minimizes the impact of the re-install, it clearly
means you've got downtime.

Getting back to Sam Spade and the cyberpunks article, the point they
make about trojans is fair. There are what I call "dumb" trojans that
don't try to circumvent personal firewalls etc., and you can block
them fine. It's the "smart" trojans that attack the firewall,
corrupting the settings, setting them so they don't run. These are
the ones that require immediate updates, just like with A/V, or your
personal firewall is a sitting duck. Without A/V or "anti-trojan"
software, you get a "smart" trojan and you will be "completely
compromised".

James Grant