
Thread: Firewalls = Double-Edged Sword?

  1. #11
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Originally posted here by nihil
    I don't quite agree,

    The way I see it, a simple firewall set to "high" security with known trusted programs identified, will keep out a lot of subnet scanning scripts and the like. These are massively more numerous than firewall vulnerability exploits. A lot of them will warn you if there is an update, so that should not be a real issue.

    An AV, on the other hand, MUST be kept up to date, or it pretty soon becomes virtually useless. There are not that many "old" viruses left in the wild, and they tend to be relatively short lived compared to years ago when people used a lot of floppies. Once again, most of them will automatically update.

    My main problem with out of date AV is it can start to give false positives if you are not keeping it up to date, but are updating and adding other software. As the actual item is not a virus, it cannot be cleaned, and the default setting is usually to delete the file...........not good

    Cheers
    I still have my AV scan for virii that are two years old, doesn't yours, if not, then I know what to attack you with. Old viruses still exist in the wild. My only analogy would be tuberculosis. Not that scary but if you aren't willing to diagnose it, it can be deadly.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  2. #12
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Originally posted here by slick8790
    However, a condom used incorrectly also gives a false sense of security, so without you knowing your partner might get "rooted". An example would be ZoneAlarm. IIRC, you can configure it to let everything in. Also, the exploits are a good point. Not that I agree with that idea. Personally, I run a small home network, with a firmware firewall in my router. I haven't had an attack so far (notice "attack", not "attack attempt")


    slick
    Split hairs all you like my point is still valid. Some protection is better than no protection at all. I'm sorry but you can't argue against that.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  3. #13
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    A condom incorrectly used is better than no condom at all.
    Not if you stretch it over your piano rather than your organ....

    Which is one of the problems.... (Catch... SIT!!!!!). Nothing out there in the commercial/home user realm is unbreakable, (just like when you get married she's going to try to change you..... It's a fact of Wife.....).

    Exploits, other than zero day, only work for the following reasons:-

    1. Unpatched systems
    2. Incorrectly configured systems or services
    3. Lazy, overworked or incompetent admins, (professional or home)
    4. Simple mistakes
    5. Pure dumb luck

    So is a firewall a "double edged sword".... Well, looking at the above it's clear that it depends how it's used..... Just like the user that tells you that their 3 year old computer came with NAV so they are protected..... and you ask when did you update the virus definitions and they say "You have to do that?????" Same applies to the firewall.... If you don't look to see if there are updates _regularly_, then there is a high probability that you will end up vulnerable.

    I don't see this stuff as too difficult..... people check their doors are locked before they go to bed.... I, frankly, don't really see the difference except for the "understanding the risk" factor.... If you don't understand that there are sleazy bastiges out there in the dark of night looking to take your stereo you will probably be dumb enough to leave your doors open.... when you either learn by experience or are educated by the experience of others then you might start checking to see if the most insidious way people can "get into your house" undetected is really locked before you go to bed.....

    It's an education thing... as usual..... and, unfortunately, there are many that are uneducable... or simply don't care... It'll never happen to them.....

    A firewall - or any security device - including guns etc. - when used and maintained properly work correctly.... If they are abused or ignored they may fail you when they are needed most....

    Double edged sword..... No.... The edge is _very_ single.... if it is used and maintained.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #14
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    I still have my AV scan for virii that are two years old, doesn't yours, if not, then I know what to attack you with. Old viruses still exist in the wild. My only analogy would be tuberculosis. Not that scary but if you aren't willing to diagnose it, it can be deadly.
    Yes, that's OK...........by definition an AV will contain the signatures for viruses from the year dot. But they won't catch the most common ones which are relatively new, unless you regularly update. The other point is that you are not only updating the signatures, you also update the scanning engine and heuristics. This should help to reduce false positives and certainly give you far better protection.

    It is interesting that you mention tuberculosis, another name for this was "consumption". I have actually had to fix a machine where a very out of date AV product was actually consuming the system from within. Its default settings were to background scan if idle for 60 minutes and delete uncleanable files.

    Then along came the year 2000.........................it saw the strange dates on files, but was not, itself Y2K compliant..............so it thought that they were infected and tried to clean them...........but it couldn't............so it deleted them. Not a good idea

    My point, therefore is that by their very nature, AVs are designed and intended to be updated. Firewalls on the other hand do not rely on signature or pattern files, and whilst it is a good idea to keep them up to date it is not so critical.

    As for virus detection, it's a bit like automobiles they lose their value very rapidly and then level off with a small residual value? But that is very small compared to the value of a new one, and there is an increasing risk of breakdown?

    Cheers

  5. #15
    Senior Member
    Join Date
    Aug 2001
    Posts
    485
    Well, it all depends on who is using a firewall.

    For your average home user, it is likely to do far more good than harm, even if it is a free software firewall. Sure, free products like Kerio have massive holes, as was reported months ago, but even so, they are better than nothing, and will improve the security of your average PC regardless.

    Any free software firewall will at least control which programs you allow to access the net, and block the obvious open ports for incoming port scans.

    A hardware firewall is obviously better, but does cost extra $$$

  6. #16
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Short answer: ANY software used by any user has the potential to do more harm than good. I could point out the NUMEROUS vulnerabilities in a default Win2K, WinME, or WinXP install, various linuxes, BSDs, etc.. If the user using the software doesn't keep it up to date, and thus is vulnerable, that falls on the user -- regardless of whether it's Win2K/XP, Linux, or a software firewall. All software left un-updated represents a security risk. The other issue is that patches in the past have been known to undo other patches.

    The vulnerabilities in Kerio are a good example of a con of personal firewalls, however, I believe in general the firewalls are an improvement in terms of security over not having one. Consider that as long as you keep a firewall up to date it can protect your other services, so from a user perspective, I can see it being effective as keeping ONE piece of software patched is less work than keeping potentially dozens of pieces of software patched. Do I think that's an ideal solution? Of course not. You have to consider the tradeoffs though, users are lazy, I'd rather they have one piece of up to date software capable of defending other pieces of software, than no up to date software at all.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  7. #17
    Senior Member
    Join Date
    Dec 2001
    Posts
    291
    he he.... and here we have a nifty argument (I want in)

    1st of all... NAT/PAT is NOT a firewall, it is simply well... address translation, if traffic isn't forwarded it isn't forwarded... this doesn't necessarily protect.

    On the other note, whether it's a vendor solution (prebuilt hardware or software firewall) or a homebrew solution (IPtables, whatever) if it ain't updated constantly, and proactively maintained it does in fact become a vulnerability. On the other note, most people sadly open up everything with the idea that they might need it, or rather than nail down specifics (which takes effort) they generalize rules... this is probably the worst problem.

    If I had a dollar for every firewall with SQL, SSH, or telnet ports open to the world I'd be rich, if the network admins were to lock those rules down to only the IPs that needed access, they probably wouldn't have to spend Sunday nights rebuilding compromised machines as well.

    In essence, it's not the firewall or antivirus, or solution that causes the problem, it's the lack of user training and administrator experience that causes the problem. When was the last time you tested your backups???
    ~THEJRC~
    I'll preach my pessimism right out loud to anyone that listens!
    I'm not afraid to be alive.... I'm afraid to be alone.
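
Added example (not part of the post above or of the original thread): one way to audit an `iptables-save` dump for the problem described, SSH, telnet or SQL ports accepted from any source instead of only the IPs that need access. The port list, the sample ruleset and the function names are assumptions; the check covers only IPv4 TCP rules on the INPUT chain that name a destination port.

```python
import ipaddress
import shlex

# Assumed port list for the services the post names (SSH, telnet, SQL servers).
SENSITIVE = {22: "ssh", 23: "telnet", 1433: "mssql", 3306: "mysql", 5432: "postgresql"}

# Constructed iptables-save excerpt, not taken from any real host.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp -m multiport --dports 23,1433 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5000:6000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

def ports_in(spec):
    """Expand '22', '23,1433' or '5000:6000' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def world_open(rules_text):
    """Return (port, service, rule) for sensitive ports accepted from any source."""
    findings = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "INPUT"]:
            continue
        # Map each option to the token that follows it (-s, -p, --dport, -j ...).
        opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        spec = opts.get("--dport") or opts.get("--dports")
        if opts.get("-j") != "ACCEPT" or opts.get("-p") != "tcp" or not spec:
            continue
        net = ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"), strict=False)
        # A negated match ('!') is treated as unrestricted; review those by hand.
        if net.prefixlen > 0 and "!" not in tok:
            continue  # rule is limited to specific source addresses
        for port in sorted(SENSITIVE.keys() & ports_in(spec)):
            findings.append((port, SENSITIVE[port], line))
    return findings

if __name__ == "__main__":
    for port, service, rule in world_open(SAMPLE_RULES):
        print(f"{service} ({port}/tcp) open to any source: {rule}")
```

The `5000:6000` range rule is flagged because it silently includes 5432, which is the kind of generalized rule the post warns about.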

  8. #18
    Junior Member
    Join Date
    May 2003
    Posts
    1
    Some protection is always better than none. But many users do not update with patches or definitions and do indeed suffer from the false sense of security just having the original, unpatched or updated, product installed. If you stay with the condom analogy it is like you buy a fresh new condom, carry it in your wallet for a year, then ask "duh... How could she be pregnant?, I used a condom" when the condom you used failed. Quick tip (many of you probably already know about) to check your firewalls go to Shields Up at http://www.grc.com/ for a free test. Many other useful downloads for computer security on the site as well.

  9. #19
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Originally posted here by VExDX0JlZXI=
    Quick tip (many of you probably already know about) to check your firewalls go to Shields Up at http://www.grc.com/ for a free test. Many other useful downloads for computer security on the site as well.
    I'm sorry, but I used to hang out on the GRC newsgroups, and to be quite frank, anyone who believes that security through obscurity will work in the long run is deluding themselves. The ShieldsUP test at GRC offers nothing more than a haphazard sense of false security.
    Here's a report on my firewall's security:
    Solicited TCP Packets: RECEIVED (FAILED) — As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection. It is generally possible to increase your system's security by hiding it from the probes of potentially hostile hackers. Please see the details presented by the specific port links below, as well as the various resources on this site, and in our extremely helpful and active user community.
    It reported all ports as closed, except for 25, 135-139, and 445, which my ISP filters out. Even if they were "stealthed", there are some rather trivial ways of determining if a system is there and online.

    Unsolicited Packets: PASSED — No Internet packets of any sort were received from your system as a side-effect of our attempts to elicit some response from any of the ports listed above. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system remained wisely silent. (Except for the fact that not all of its ports are completely stealthed as shown below.)
    Again with security through obscurity.

    Ping Echo: PASSED — Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests) from our server.
    So it's a good thing that my system ignored ICMP. Not quite sure how this is a security issue, but okay.

    The failings of this test:
    - It ONLY tests ICMP Type 8
    - It does not properly test UDP ports, there are numerous trojans that use UDP ports exclusively. During the scan I noted UDP scans only on common UDP services, even though I had opted to scan the first 1056 ports.
    - It overhypes 'stealthiness' as a security feature and protective measure
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  10. #20
    Senior Member
    Join Date
    Aug 2001
    Posts
    485
    Originally posted here by THEJRC

    In essence, it's not the firewall or antivirus, or solution that causes the problem, it's the lack of user training and administrator experience that causes the problem. When was the last time you tested your backups???
    Yes, agree with you completely, but what are you supposed to do for the average home/small business user, who isn't interested ???

    I deal with a few of these on both a professional and a personal basis, and just put something in place, on the grounds that set up correctly it is far better than nothing.

    As it happens, I tested the backups at the site I worked at today
