Forwarded from: Mike Fratto <mfrattoat_private>

> > Techniques for defeating the outbound data filters in popular personal
> > firewalls such as Zone Alarm and Norton Personal Firewall have been
> > independently posted on the Web by several researchers.
>
>This, however, is complete and utter bullshit.
>
>You can _never_ restrict outgoing traffic in a meaningful way, i.e.
>you can never lock a box down in a way so that an evil attacker could
>not leak supposedly secret information out, except if you don't allow
>any data to flow out at all.

Define "meaningful". :) You can raise the difficulty of getting a trojan to work properly on a desktop with a firewall by specifying path constraints, but once your desktop is compromised then it's game over. More to the point, no system is totally secure nor can any system be made to be totally secure. The best you can hope for is to make the attack so difficult that the cost of success is higher than the value of the goods sought.

>Instead of explaining to the illiterate users of this snake oil
>software the risks they are exposing themselves to, this article dumbs
>them down even more. It is very sad that this drivel is published at
>all, and then forwarded to a respected mailing list as this, but it is
>even sadder that apparently no one except me considers this
>nauseatingly stupid, bordering on criminal.

Please, let's not insult people more. The firewall vendors are selling these personal firewalls as security devices and part of the marketing, the differentiators, is that personal firewalls that provide access control to network connections are more secure than firewalls that simply filter traffic. The public is being sold a half truth and shouldn't they be made aware of it? No system is totally secure, but knowing both the features and limitations of a security product lets you implement the proper controls while making you aware of the limitations of the products you are using.

A personal firewall that restricts network connections to applications is more difficult to defeat than one that doesn't. Apply a desktop virus scanner and keep the signatures updated, and it gets harder still. Install applications as administrator but run them at "User" level and it gets more difficult to defeat. Yes, there are ways to defeat the security controls, but the cost (difficulty) is higher. Show me any useful system that cannot be defeated and I will eat my hat.

mike

___________________
Mike Fratto
Senior Technology Editor
Network Computing
001 Machinery Hall
Syracuse University
Syracuse, NY 13244
___________________

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
of the mail.

This archive was generated by hypermail 2b30 : Tue Dec 04 2001 - 06:22:46 PST