[Techtalk] Personal firewalls: helpful?

R. Daneel Olivaw linuxchix at r-daneel.com
Mon Jun 6 21:34:35 EST 2005


Hi there,

After reading Kathryn's answer, I see there is some confusion around, so
I wanted to get a bit more precision.

> I've heard of Windows users running personal firewalls (i.e.,
> implemented in software).

As already pointed out, a firewall is a function.
If implemented as circuitry in a hardware device, it may not be
considered 'software'. However, nowadays, firewalls enclosed in a
hardware device (cisco/zyxel/d-link/whateverbrand-router) are just
software components for specific hardware (they call it firmware).
This just means that a 'personal' firewall is basically just the same
thing as an 'ordinary' firewall, but not totally.

> I don't have to worry about that because I don't run Windows,

This assertion is false. ANY computer connected to a public network (i.e.
the internet) has to get protection from illegal access. It mainly
prevents attackers from entering your system using flaws in server software
you may run unconsciously. For instance, if you're running the (Very
Very bad) wu-ftp server daemon, you may expose your system to
intrusions, even if you didn't want to run an ftp server. As well, if you
one day activated the ssh server daemon, but never want to connect to
your machine from outside, you may expose your machine to a
vulnerability in this software. The same applies to http (i.e. Apache)
servers etc. Flaws always exist; it's just a matter of time before you are
exposed. Agreed, Linux (especially when up-to-date) doesn't open
too many unneeded services to your internet connection.
So: YES, not running Windows prevents a huge number of attacks from happening
(ever read the Apache logs, finding people trying to run ..\..\..\cmd ?)
but: NO, running Linux does not totally insulate your computer from
people trying to misuse others' computers.

> but I do wonder whether these personal firewalls do any good.
> Obviously they're not as good as a dedicated machine, but I assume
> they still provide some protection.

Again, do not mix them up:
there are 'personal' firewalls, and there are 'ordinary' firewalls.

A firewall does just what Kathryn said: opening, closing, rejecting or
silently dropping incoming connections. Even if you happen to run Apache
on port 80 for personal use (and it opens itself automatically to the
whole wild world of the internet) your firewall should be denying connections
on port 80 (and 143 for https, but that's a detail). The firewall will
also detect malformed packets, denying connection to a normally open
port but coming with a wrong packet setup. I will restrict myself to
firewalling, and not step into IDS (Intrusion Detection System) because
it is too big an extension to the firewalling principles.
Now, to the 'personal' firewall.
A firewall does not only prevent people from connecting in to your
machine, it also may prevent a malicious program from connecting from your
computer to somewhere else. Windows users know that a lot: some viruses
try to send themselves by e-mail to remote addresses harvested on the
machine itself. Therefore, so as not to alert the user and not get caught
by the ISP's SMTP (mail) gateway, they try to send out mail directly to
remote servers (on port 25, which happens to be the SMTP port). So you may
want to block outgoing mail to any machine on port 25. But!!! you need
to permit your real e-mail program to do it, or at least, to get in
touch with the ISP's SMTP gateway. For that purpose, 'personal'
firewalls can determine which program is allowed to connect to/from what
host.
Now, what's the difference at home, on my Linux box?
Linux provides software for firewall setup, namely iptables.
This is an 'ordinary' firewall. It has no ability to know which program
is trying to listen for incoming connections, nor which one is trying to
connect out. (If I remember well, some kernel tweaking permits such
joyful things, but it's not standard).
If you have a firewall device, or connect through a firewalled gateway
computer, you may have firewalling, but as the firewalling is done
remotely, there is no way to know what program is trying to connect out.
Personal firewalls, instead, can do such a fine-tuned job. I find it
interesting, yet ... a bit useless. It just permits you to monitor your
computer, to allow programs individually to access the network.
Practically, users get nagged, and allow close to anything trying to
connect out and in, and check the 'remember that rule' button so they
will never be warned again about it. It looks smart, as there is a good
'learning' curve for the personal firewall, but ... again, I'm unsure
about the real efficiency of it, unless someone really aware of things
creates the appropriate rules.

> Does anyone know what kind of attacks personal firewalls protect
> against (and what kind of attacks they don't)?

Well, as mentioned above, what they do 'more' than 'ordinary'
firewalls is monitoring network access program by program.
They do not and cannot prevent more attacks than an ordinary firewall
would. They may warn a user about some program trying to listen on port
12345 (rings a bell for anyone?) for incoming connections from
its creator to take over the machine. But as far as an 'attack' is
concerned, they do nothing more, nothing less than an 'ordinary'
firewall, be it a local or remote one.
And as I said, 'intelligent' attack detection and protection is done
with an IDS (Intrusion Detection System), which is an extension to the
firewall (even a stateful one).

I hope I wasn't too far in the explanation, as computer network security
is a vast subject ...

Bye,

R. Daneel Olivaw,
The Human Robot Inside.
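What the post calls an 'ordinary' firewall, as an added example that is not part of the original message: a minimal iptables policy for a single Linux host that closes port 80 and 22 to the internet (while Apache stays reachable from the home LAN), drops malformed TCP packets, and lets mail out only to the ISP's relay so a self-mailing worm cannot deliver directly on port 25. `WAN_IF`, `LAN_NET` and `ISP_SMTP` are constructed placeholder values; the function only prints the rules so they can be reviewed before being loaded.

```shell
#!/bin/sh
# Added example, not from the original post: an 'ordinary' host firewall
# expressed as iptables rules. gen_rules PRINTS the rules; to load them,
# review the output and then run:  gen_rules | sudo sh
# WAN_IF, LAN_NET and ISP_SMTP are constructed placeholders.

WAN_IF="${WAN_IF:-eth0}"               # interface facing the internet (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # home network allowed to reach Apache (assumed)
ISP_SMTP="${ISP_SMTP:-192.0.2.25}"     # the ISP's SMTP relay (documentation address as placeholder)

gen_rules() {
  cat <<EOF
# Start from a clean slate and default to dropping what is not explicitly allowed.
iptables -F INPUT
iptables -F OUTPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback, and replies to connections this host opened itself.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Malformed traffic: packets the connection tracker cannot classify, and
# TCP packets that claim to start a new connection without a SYN flag.
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# Apache for personal use: reachable from the LAN side only. Anything from
# the WAN falls through to the DROP policy, so port 80 is closed to the internet.
iptables -A INPUT ! -i $WAN_IF -p tcp --dport 80 -s $LAN_NET -j ACCEPT
# sshd may be running, but nobody from outside gets to talk to it.
iptables -A INPUT -i $WAN_IF -p tcp --dport 22 -j DROP
# Outbound mail: only the ISP's relay on port 25. Any other direct delivery
# (the worm-mailing-itself case) gets a clean TCP reset. Order matters: the
# ACCEPT for the relay must come before the catch-all REJECT.
iptables -A OUTPUT -o $WAN_IF -p tcp --dport 25 -d $ISP_SMTP -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -p tcp --dport 25 -j REJECT --reject-with tcp-reset
EOF
}

# Self-checks that need no root: how many rules are appended, and whether the
# SMTP allow rule really precedes the SMTP reject rule.
rule_count() { gen_rules | grep -c '^iptables -A'; }
smtp_order_ok() { gen_rules | grep 'dport 25' | head -n 1 | grep -q -- '-j ACCEPT'; }

# Stand-alone use: print the rule set and run the two checks.
gen_rules
echo "rules appended: $(rule_count)"
smtp_order_ok && echo "smtp rule order: ok"
```

This is exactly the limitation the post describes: every rule matches on addresses, ports, interfaces and connection state, never on which program opened the socket. The closest iptables itself gets to per-program control is the `owner` match in the OUTPUT chain (`-m owner --uid-owner`), which restricts by the user a process runs as, not by the executable; a worm running as the logged-in user is indistinguishable from that user's real mail client.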

