Mike's general stuff ~ Random

Recent article subjects: [Linux] [Hardware] [Browsers]

Software firewalls, providing a false sense of security

I personally believe that software firewalls (ie. firewall software that runs on a user's PC) are a bad idea, compounded by extremely poor implementations and lack of user education.  I also believe that for the average user, these factors combined make software firewalls a liability rather than an addition to home computer security.

Why are they a bad idea?

The function of a firewall is to block Inter/network traffic based on certain rules.  Those rules have to be decided by someone, and that someone cannot be the designer of the software, because of the hugely varying requirements of the average user.  Therefore the responsibility falls to the user.  The average user does not know how TCP/IP works at even a very basic level (I would regard "a very basic level" as something like "an Internet connection is made up of numbered ports, and specific port numbers are opened for Internet services to talk over"), and because firewall security is nothing like anti-virus security, where the AV software can be pretty much trusted to be correct when it says it has detected something nasty, whereas firewall security is all about suspicions, and that it is generally legitimate software which causes security issues, and far more subtle issues than the average rampaging virus, the user is fighting a battle when they don't even know the rules of the game.

Another problem is because of the constant "tug of war" between usability and security.  Firewalls that have been set up to be secure are restrictive, they don't allow any old and new piece of software to send and receive what it wants, and because software firewalls have to be user-configurable, they also have to make it reasonably easy to relax or restrict Internet security, at which point, the average user, not wishing to make their lives difficult are going to relax security to the point that the firewall is doing little or nothing.

Bad implementation?

Here are some examples.  ZoneAlarm kicks in if an application tries to talk to localhost (jargon busting for the average user: 'localhost' is the equivalent of talking on a house's internal intercomms system, as opposed to the external telephone line, the only way that it could ever be a security issue is if there was a huge security issue with the operating system's TCP/IP stack, in which case, chances are, the firewall software is screwed already).

Another example is McAfee Security Centre, which succeeds in making the host machine as unstable as if it had a virus on.   I have had two customers, one with an old machine with Windows 98 on it, the other with a brand new machine (Dell, bought that day), Windows XP box with McAfee Security Centre preinstalled with this problem, seemingly regardless of the software's configuration.

Another example is purely through how most software firewalls on Windows work - they pop up a message saying that a specific application is trying to talk on the Internet.  Considering that the average user just wants "stuff to work", and the executable is named something other than "Really Harmful Virus.exe", which do you think the user is going to click on, Yes or No?

Windows firewalls tend to try and do too much, for example, incorporating browser pop-up blockers, general program blockers (to stop programs from running at all, let alone talking on the Internet), intrusion detection systems.  Most experienced computer users know that programs which try to act as 'swiss army knives' end up performing lots of functions not as well as applications designed for a specific purpose.  Also, the more complicated a program is, the greater the risk that it contains bugs that are security issues.

One thing that many users don't understand is that the firewall software could have security issues in, which the host machine wouldn't have been vulnerable to unless the firewall software was running on it.

Lack of user education?

I have already described the average user's knowledge of how Internet communication works.  Firewalls are not pieces of software that can just be left to their own devices to help keep the host machine secure, and anti-virus software has only very recently become that way after being around for probably a decade or more.  The role of anti-virus software is very specific:   To look for specific portions of code to match its internal database of known viruses.  The role of a firewall is possibly either very restrictive or judgement-based, or a clever combination of both, because it is dealing with suspicions rather than clear examples of what is normal behaviour and what is not.

Lack of user education has been the achille's heel of computer security since computers started to go mainstream.  What is not needed know is for the picture to be made more complicated, and for users to start learning that they are responsible for their machine, and in order for that to be practically possible, they need to be taught some decent basic lessons about computer security.  Through my business I am attempting to achieve the latter, and I feel that I am succeeding due to the fact that, for example, none of my customers' machines have had a virus infection since my first appointment with them (so far at least :-)).  How on earth is the average user supposed to know how to use a firewall if they don't know what a firewall actually does?

Children learn about how to avoid potentially nasty situations through basic guidelines taught by their parents:  "Look both ways before crossing the street", "Don't talk to strangers", etc.  None of these guidelines definitely keep them from danger, and could sometimes potentially be overly restrictive.  Through similar guidelines for average users (I do not intend to be condescending to 'average users', I am only using this analogy in the sense that average users do not know the technical issues behind the computer equivalents to these situations, similar to how children do not understand that there are some people 'out there' who aren't nice people, in ways that we would rather not educate our children about), most security issues plaguing user's machines and the Internet today would fall dramatically. For example, what is the harm in not running an attachment (you're not sure about?  Or just all attachments?) until you have confirmed with the sender that they actually sent it?  What would be the harm in asking someone technically competent whether they consider a particular application is safe/decent to use?  Otherwise, some basic 'housekeeping' jobs, such as running Windows Update once a fortnight, and making sure the virus scanner is running and up-to-date once a fortnight?  After a user adheres to these guidlines, just how much use is a software firewall?

Bad concept of security?

There are practically two bad things a firewall can prevent:  Viruses and trojans on the host machine from wreaking havoc on the Internet, and vice versa.  Consider the former for a moment: If a virus/trojan has already been allowed to run successfully on the host machine, then surely (as far as the average user is concerned), the firewall is just "shutting the stable door after the horse has bolted"?  Considering the latter now, which is essentially an advantage, though if users are educated to keep their machines patched properly, and don't do stupid things like running every attachment that they get sent, or installing every application on the planet, this advantage becomes more and more insignificant.

mikeymike.org.uk