Long-term readers of this blog will know that I am keen on personal security from the computer perspective and also that I am keen on Windows users installing personal firewalls. My friends will tell you how often my eyes roll when they ask me to fix their unprotected machines.
First, I guess, a definition of personal is required here. By this I simply mean it is a software-based firewall that sits on the same machine it is intending to protect. So I’m not talking standalone stuff like Smoothwall or Firestarter (both *nix based and free) and neither am I talking about the big boys of Corporate security such as Checkpoint, Cisco PIXes, Cyberguards, well the list does go on.
I hear often and long about all you need is a router and an anti-virus application (maybe an anti-malware scanner) but you should never need more than Windows provides and certainly you shouldn’t need a firewall beyond stealthing your open internet ports. Well I disagree and I will continue to do so whilst Windows maintains its inherently buggy approach to security. Beyond this I hear the so-called experts say that so long as we are careful never to install or click on anything untoward then we don’t need a personal firewall.
Bull.
So long as we all remain human, then we all remain susceptible to malware or buggy software. Take me for example – in >25 years in IT I have never so much as had a virus or any other form of malware attack my PC until recently and I am very careful about what I do and don’t do.
However, I can’t legislate for my children (or my wife) who will click on ill-chosen adverts by web masters – and so recently I ended up with Vundo on my system. Whilst I can’t (well I can but won’t) control my children’s clicking behaviour to the nth degree, what I have drilled into them is that if a popup appears they come and get me or stop what they are doing and wait for me or phone me [parenting 101 tip: I always have time for my children]. So whilst my system got this trojan I wasn’t susceptible to the spying activities of it because my personal firewall detected the outbound activity and threw up the alert. It then took me best part of a day on and off to remove the horrible thing, but at least it didn’t leak anything.
So, to the point then. I’m pleased to see that a favourite of mine (and one I recommend), the Comodo software firewall, is still getting good comments from Scott Finnie over on his blog along with Online Armor <sic> from TallEmu.
The other point here is that my firewall prevented outbound activity from Vundo until I had responded (or advised the family) to the firewall popups. A nice feature of every personal firewall I’ve used is that it effectively blocks all communications to a site until the popup is answered.
What’s your take?
Do you use personal firewalls on your Windows PC and if so which one?






Personal firewalls are too confusing for non-technical people, in my experience. It's the whole pop-up thing, I think. I don't recommend them.
I recommend:
- OpenDNS set up on a DD-WRT router (for categorically blocking sites)
- Firefox as the primary browser and the Adblock Plus add-on (you can't click on an evil ad if it isn't there)
- NOD32 Anti-virus (running the Symantec complete uninstaller is one of my favorite things)
- Automatic Windows Updates turned on
OK – so I like your thinking.
But let's face it, which is more technical: getting folks to install, use and understand DD-WRT and change their DNS settings (along with understanding why ads, etc. have disappeared) or teaching them how to respond intelligently to a firewall popup?
For my time it's going to be a personal firewall and time to educate them. Even with your setup the nasties are still going to get in and one of the big strengths of a PF is that they help to stop the ubiquitous outbound scattergun talk that every PC does.
Finally, I've never been an advocate of having WindowsUpdate turned on and set to do its thing – I've seen too many problems to be fixed afterwards because of it. But in essence yes it should be used.
The key here, I think, in your approach and mine is education. I just think mine's easier.
I'm certainly not advocating walking someone through setting up DD-WRT and OpenDNS, that's for sure. I would do that part up front.
Yeah, I don't know about your way being easier. Don't you feel like the firewall pop-ups become annoying after a while — you know — familiarity breeds contempt? Like the Vista User Access Control? Most people that I help would be calling me with every firewall alert they get.
Thanks but I'll take the more passive-aggressive approach and catch some of that stuff upstream.
It's a lot like spam filtering isn't it? Wouldn't you rather have an appliance scan and classify and file your spam before you get it, rather than marking each email as good or spam, one by one?
Maybe that's an oversimplification on my part.
I do take your point – but when I can assist someone over the phone then that is always a plus.
As to popups – I totally agree. They were the death of PF's. I used to like Jetico until one of my friends nick-named it "Jetico Fearwall" because he never knew quite when a popup would appear. :)
But then I have a PC running Bitdefender 2010 Internet Firewall and it hardly ever gives me a popup that I need to respond to. PF's have moved on from where they were.
Maybe I'll address these issues in another post sometime.