Re: [ISN] Re: Personal Firewalls Spring Security Leaks - Update

From: InfoSec News (isnat_private)
Date: Tue Dec 04 2001 - 00:33:12 PST

  • Next message: InfoSec News: "[ISN] College student refutes charges he is high-level hacker"

    Forwarded from: Mike Fratto <mfrattoat_private>
    
    > > Techniques for defeating the outbound data filters in popular personal
    > > firewalls such as Zone Alarm and Norton Personal Firewall have been
    > > independently posted on the Web by several researchers.
    >
    >This, however, is complete and utter bullshit.
    >
    >You can _never_ restrict outgoing traffic in a meaningful way, i.e.
    >you can never lock a box down in a way so that an evil attacker could
    >not leak supposedly secret information out, except if you don't allow
    >any data to flow out at all.
    
    Define "meaningful".  :)
    
    You can raise the difficulty of getting a trojan to work properly on
    desktop with a firewall by specifying path constraints, but once your
    desktop is compromised then it's game over.
    
    More to the point, no system is totally secure nor can any system be
    made to be totally secure. The best you can hope for is to make the
    attack so difficult that the cost of success is higher than the value
    of the goods sought.
    
    >Instead of explaining to the illiterate users of this snake oil
    >software the risks they are exposing themselves to, this article dumbs
    >them down even more.  It is very sad that this drivel is published at
    >all, and then forwarded to a respected mailing list as this, but it is
    >even sadder that apparently noone except me considers this
    >nauseatingly stupid, bordering on criminal.
    
    Please, let's not insult people more. The firewall vendors are selling
    these personal firewalls as security devices and part of the
    marketing, the differentiators, is that personal firewalls provide
    access control to network connections are more secure than firewalls
    that simply filter traffic. The public is being sold a half truth and
    shouldn't they be made aware of it? No system is totally secure, but
    knowing both the features and limitations of a security product lets
    you implement the proper controls while making you aware of the
    limitations of the products you are using. A personal firewall that
    restricts network connections to applications is more difficult to
    defeat than one that doesn't. Apply a desktop virus scanner and keep
    the signatures updated it gets harder still. Install applications as
    administrator but run them at "User" level and it gets more difficult
    to defeat. Yes, there are ways to defeat the security controls, but
    the cost (difficulty) is higher.
    
    Show me any useful system that can not be defeated and I will eat my hat.
    
    mike
    
    
    
    ___________________
    
    Mike Fratto
    Senior Technology Editor
    Network Computing
    001 Machinery Hall
    Syracuse University
    Syracuse, NY  13244
    ___________________
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Tue Dec 04 2001 - 06:22:46 PST