  antdude A Ninja Ant Premium,VIP join:2001-03-25
1 edit | Are Consumer-Grade Firewalls Really Secure?
FYI. I am somehow bothered by this article. »www.ecommercetimes.com/perl/story/32578.html
Consumers shouldn't trust entry-level firewall hardware and software, Paul Henry, vice president at CyberGuard, told TechNewsWorld. Both, he said, are incomplete security solutions. |
|
  StraitShoot Who Loves Ya Baby? - Theo Kojak Premium join:2003-02-08 Clinton, MA | My router kept the Blaster worm away from me... ZAPro kept the blaster worm away from my laptop in the office network. -- I'm Mad With Power! |
|
  jvmorris I Am The Man Who Was Not There. Premium,MVM join:2001-04-03 Reston, VA
| Digression
After we rip this one to shreds, can we go back and do »www.ecommercetimes.com/perl/story/32466.html ?
(This is a digression, so I'd appreciate it if others tagged to antdude's original posting, just to keep the two issues separate.) -- Regards, Joseph V. Morris |
|
  robtoo R.J.T. Premium join:2003-10-13 United Kingd
| reply to antdude Re: Are Consumer-Grade Firewalls Really Secure?
quote: "... NAT boxes show closed ports, but they don't prevent outbound connections through ports 80 or 25." A real firewall, he suggested, should deny all outbound access unless explicitly allowed.
Anyone seriously proposing restricting outbound port 80 on a general-purpose home-firewall for end-users is very clearly grasping at straws to support his case.
aside: I used to manage a bunch of CyberGuard firewalls -- quite how their "locked down" build still had Tetris on it is something I never got a good answer to. |
|
  reaver221
join:2003-05-08 Cincinnati, OH | reply to antdude So ... this guy is saying that SOHO NAT boxes should be built on an explicit allow (deny all by default) model?
That just won't work. Your average Joe simply won't be able to get his Internet connection to work. |
|
  flw Security Is Like An Onion, It Has Layers Premium join:2004-01-04
·Verizon Online DSL
| said by reaver221 : That just won't work. Your average Joe simply won't be able to get his Internet connection to work.
So your assertion is to set the default values to the lowest common denominator as a solution? |
|
  gt7697c Premium join:2001-02-16 The Hive | No, I am suggesting to set them to the lowest Secure value. That way it will protect someone right out of the box.
HTH.:) -- Just my 2 bits. |
|
  reaver221
join:2003-05-08 Cincinnati, OH
| reply to flw said by flw : said by reaver221 : That just won't work. Your average Joe simply won't be able to get his Internet connection to work.
So your assertion is to set the default values to the lowest common denominator as a solution?
Yes. Like I said, the average home user doesn't want anything to do with configuring outbound traffic rules - in fact, they most likely don't even know anything about 'ports.'
For the most part, home users don't need outbound packet filtering. It can be useful in a highly secure corporate environment, or coupled with application layer filtering on each client machine (software firewall), but I just don't see how the average user is going to benefit from such a feature at the gateway.
If someone needs a real firewall appliance (SPI, fully editable rules, explicit allow), there are plenty of appliances out there that do just that. A huge portion of the broadband gateway/router/NAT box market wants simplicity. |
|
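To make the difference between the two policies under discussion concrete (robtoo's quoted "deny all outbound unless explicitly allowed" versus reaver221's point that home users neither want nor understand outbound rules), here is a small added illustration in Python. It is not code from the article, from CyberGuard or from any poster in this thread; the two policy functions, the outbound allowlist and the sample traffic are all constructed for the example.

```python
"""Toy model of the two gateway policies debated above (constructed example).

nat_box()              - plain consumer NAT router: outbound is implicitly allowed,
                         inbound only when it matches an existing connection.
default_deny_firewall() - "real firewall" model: outbound must also match an explicit
                         allowlist; everything else is dropped.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str     # "out" (LAN -> Internet) or "in" (Internet -> LAN)
    proto: str         # "tcp" or "udp"
    dport: int         # destination port
    established: bool  # True if the packet belongs to a connection already in the state table


# Assumed outbound allowlist for the default-deny model: web, TLS and DNS only.
# This is an illustrative policy, not one taken from the article.
EXPLICIT_ALLOW_OUTBOUND = {("tcp", 80), ("tcp", 443), ("udp", 53)}


def nat_box(pkt: Packet) -> str:
    """Consumer NAT router: every outbound packet is allowed (and would create state);
    inbound packets pass only if they belong to an existing connection."""
    if pkt.direction == "out":
        return "ALLOW"
    return "ALLOW" if pkt.established else "DROP"


def default_deny_firewall(pkt: Packet, allowed=EXPLICIT_ALLOW_OUTBOUND) -> str:
    """Default-deny in both directions: replies to known connections pass,
    new outbound connections pass only if (proto, dport) is on the allowlist,
    and nothing else gets through."""
    if pkt.established:
        return "ALLOW"
    if pkt.direction == "out" and (pkt.proto, pkt.dport) in allowed:
        return "ALLOW"
    return "DROP"


# Constructed sample traffic from a home LAN. The last two entries are the kind of
# outbound connections the article's quote (ports 80 or 25) is worried about.
SAMPLE_TRAFFIC = [
    ("browser fetching a web page",             Packet("out", "tcp", 80, False)),
    ("DNS lookup",                              Packet("out", "udp", 53, False)),
    ("reply to the web request",                Packet("in", "tcp", 49152, True)),   # dport is the ephemeral client port
    ("unsolicited RPC probe from the Internet", Packet("in", "tcp", 135, False)),
    ("infected PC sending mail directly on 25", Packet("out", "tcp", 25, False)),
    ("unknown program dialling out on 6667",    Packet("out", "tcp", 6667, False)),
]


def compare(traffic=SAMPLE_TRAFFIC):
    """Return (label, nat_box verdict, default_deny verdict) for each sample packet."""
    return [(label, nat_box(p), default_deny_firewall(p)) for label, p in traffic]


if __name__ == "__main__":
    for label, nat, fw in compare():
        print(f"{label:42s} NAT: {nat:5s}  default-deny: {fw}")
```

Running it shows both models dropping the unsolicited inbound probe, which is the protection posters in this thread credit their NAT boxes with against Blaster. They differ only on the last two rows: the NAT box lets any new outbound connection through, while the default-deny model blocks them. That is exactly the trade-off being argued: the allowlist stops a compromised machine from mailing or phoning home on an unexpected port, but every legitimate program that needs a port outside the list (games, IM clients, VoIP) also stops working until someone adds a rule, which is the "average Joe can't get his Internet connection to work" problem.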
  jvmorris I Am The Man Who Was Not There. Premium,MVM join:2001-04-03 Reston, VA
| reply to antdude Antdude,
I find this an excellent article for discussion. And, before I start tearing it apart, I'd like to make some preliminary comments about my initial reactions.
First, I'm not sure whether I'm offended more by the characterizations of the author of the article, Jack M. Germain, or those of his sources, and specifically Paul Henry, vice president at CyberGuard, as indicated in the leader to the article.
At any rate, I'm reading this article on the same day that I just received CERT Advisory CA-2004-01 "Multiple H.323 Message Vulnerabilities". The first thought that comes to my mind is that journalists for (or authors of) commercial security solutions should NOT be throwing bricks at end-user consumers as long as they themselves live in glass houses. Who's going to eat the big one with these multiple H.323 vulnerabilities? Simple, the commercial security product vendors and the corporations and government entities that rely on them for a variety of services (very few end-users do).
There's an even more pertinent quote (with relevance to the article in particular) in a Dashiell Hammett story, but I'm unable to lay my hands on it at the moment.
That said, I shall start working through the article in some detail in subsequent posts. -- Regards, Joseph V. Morris |
|
  antdude A Ninja Ant Premium,VIP join:2001-03-25 | jvmorris: Thanks. That is why I posted in here to share after I read that. -- -- Ant @ The Ant Farm: »antfarm.ma.cx |
|
  dp Go Steelers Premium,MVM join:2000-12-08 Greensburg, PA
·Verizon Online DSL
| reply to antdude quote: the general consensus among network security experts is that consumers are not protected if they rely solely on router hardware devices and software firewalls. Is this really the general consensus? I'm quite happy with the performance of my 'barely adequate' router and firewall. -- Write your questions down on the back of a $20 dollar bill and send them to me |
|
  jvmorris I Am The Man Who Was Not There. Premium,MVM join:2001-04-03 Reston, VA
| reply to antdude Antdude,
Natch.
Well, I found the Hammett quotation: quote: I was reading a sign high on the wall behind the bar: ONLY GENUINE PRE-WAR AMERICAN AND BRITISH WHISKEYS SERVED HERE I was trying to count how many lies could be found in those nine words, and had reached four, with promise of more, when ...
(That's in his story "The Golden Horseshoe", for those who may be wondering.)
And that pretty aptly sums up the way I would characterize this article. Moving on . . . -- Regards, Joseph V. Morris |
|
  jvmorris I Am The Man Who Was Not There. Premium,MVM join:2001-04-03 Reston, VA
| Okay, let's start at the beginning and proceed until we come to the end. . . .
quote: . . . the general consensus among network security experts is that consumers are not protected if they rely solely on router hardware devices and software firewalls . . .
And this is news to . . . who? We say this here (repeatedly); indeed, it's in the FAQs for the Security Forum. I know that Symantec talks about layered defenses (it's almost become boilerplate) in response to every identified threat; and Symantec is hardly alone.
Oh, wait, . . . I think I've figured it out! Germain is talking about the marketing hype on the websites that one will find for every consumer-oriented vendor. I have one question: Did Germain bother to compare the marketing hype there with the marketing hype on the commercially-oriented vendors? I don't think so. It's all much of a muchness. You either fall for this crap (in either situation) or you don't. (And don't for a minute think that IT specialists working for corporations/ISPs/OEMs are any less gullible than the poor clueless end-user.) I also note that Germain fails to identify any vendor-independent site that specifically says to consumers that all their problems will be solved if they use either a NAT router and/or software firewalls. Did I miss something? I don't think so.
Next quotation: quote: Consumer-grade network-address translation boxes are barely adequate for home users, according to Sigmund Fidyke, product and program manager for WatchGuard's SOHO line. These devices, he said, are geared more toward the home user with low traffic and limited online exposure.
This is where the Hammett quotation starts to come into play.
What would Fidyke expect them to be geared toward other than what he's just said? Does it make any difference? (Where's jdong when I need him?) Does Fidyke really have no conception of just how quickly an unprotected Win XP Home box exposed to the Internet is likely to be compromised? Does it matter then, whether one is online for five minutes, five hours, or five days? Once you've been OWNed, you've been OWNed! What about this does Fidyke not understand? This is an authoritative statement of . . . what?
Umm, second, are commercial-grade NAT routers any better? I don't think so. A basic NAT router is a basic NAT router, end of discussion. As for the Watchguard vulnerability to the newly announced H.323 multiple vulnerabilities from CERT, what do we find?
quote: WatchGuard
No statement is currently available from the vendor regarding this vulnerability.
This is supposed to be reassuring? Are they or are they not vulnerable? This guy is telling me as a consumer end-user how to secure my Internet connection? -- Regards, Joseph V. Morris |
|
 qrkx Premium join:2003-04-26 Montreal, QC
| reply to antdude Pish-posh...this might as well be an investigative report on quantum physics written by Martha Stewart: "The general consensus among quantum physicists is that Newton was a retard".
A classical attempt at FUD with one exception - the "industry consensus" fails to recommend a viable alternative and I'll be damned if I see any point to that article...Ohhh...wait a minute...this statement holds true: "People just don't have a clue". Pretty evident conclusion - if you ask me - but I'm not sure if this refers to the article's author+participants or the "consumer-grade" people.
rgds |
|
  jvmorris I Am The Man Who Was Not There. Premium,MVM join:2001-04-03 Reston, VA
| Ya know, it's people like you that take all the fun out of my structured deconstructions of crap like this! 
I'm sitting here writing a book and you make the same point in six lines!
I was beginning to look for the recommendation and I'll be damned if I can see anything that goes even as far as what one could routinely receive here. Maybe we should call up Germain and ask if he'd like to talk to some people who really know what they're talking about? -- Regards, Joseph V. Morris |
|
  BurntCricket Gotta Do What Ya Gotta Do Premium join:2000-09-02 Here clubs: | reply to antdude Without reading the article, it sounds to me like more of the "Doesn't matter what you use, unless you use our stuff you are not secure >> order online now" -- Everything is relative and subjective. |
|
 qrkx Premium join:2003-04-26 Montreal, QC
| reply to jvmorris said by jvmorris : Maybe we should call up Germain and ask if he'd like to talk to some people who really know what they're talking about?
Negative. It would go against the principles of media: sensationalism at any price.
I re-read the article and I have decided on the message it tries to pass on:
"Throughout the security industry, vendors dupe customers"
The dude making the remark is a vendor ain't he? 
Man...this article is a keeper by all means! Priceless!
rgds. |
|
  TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA
| Never had a worry, a plain old NAT router kept blaster and sobig away, never even a peep from my software firewall with an always on broadband connection. However, I will be upgrading to a true hardware firewall soon, as I'm not paranoid and they are out to get me.  -- TheJoker |
|
  bewale Killemall Premium join:2000-08-08 Royal Oak, MI clubs:
4 edits | reply to antdude The author needs to get a dose of reality... and balance cost/effort vs. true risk.
1) The average PC owner/user can barely figure out how to plug a keyboard and mouse in, power the PC on and use IE. The author expects that these same people now know how to implement a commercial firewall correctly? How to write dynamic rules, let alone 'simple' static packet filtering rules? Come on, get real.
2) Cost. Yea, I can hear it now. "Sorry Mrs. Jones. You need to buy a $5,000 Checkpoint NG on Nokia firewall appliance and then hire a Security/Firewall Admin to come configure your network.".... all so she can play Euchre online? so she can access her p0rn w/o getting hacked?
Sorry for the sarcasm. The author has a point in that people, even home users, need to have layered security defences. AV, personal Firewalls, packet filters, NAT, etc. all provide those layers.
Oh, I also get a chuckle on the reference to 'software firewalls'. Can anyone name a true, hardware-only firewall? Sorry, they don't exist. Sure, there are firmware appliances, but that is still software.
There's also a lot to be said of simplicity when looking for security. You give the best firewall to the average PC user, and you're going to have a disaster. Way, way too complex. I'd feel much safer w/ my parents having a copy of Zone Alarm, and AV software and BB router w/ NAT... than I would handing them a $10k unconfigured Checkpoint box. There's no way they'd be able to configure it correctly.
Lastly, I love the references on how he likes the 'deny all by default' personal firewalls. Take a guess what the average PC user does when they get those popups asking to permit/deny. Answer: The same thing they do to the "I Accept" button on Software License Agreements, the same thing they do on Web popups. They almost always, by human nature, trust the connection and allow it... w/o even giving it a second's thought. People are 95% of the security problem... then there is M$.
End of Rant. $0.02 |
|
  reaver221
join:2003-05-08 Cincinnati, OH
| said by bewale : Can anyone name a true, hardware-only firewall?
»contacteast.com/product/group.as···_id=4311 |
|