Throw in the massive diversity of software configurations, plus divergences in available hardware resources, which can alter dramatically from machine to machine, and a ‘one shoe fits all’ solution becomes the impossible dream. I’ve seen lists of installed security software which defy belief; they have included so many products that I often wonder how these people ever managed to avoid conflicts and retain enough leftover resources to continue their normal day to day computering (spell checker informs me that “computering” is not a proper word – well it should be :)).
These user-submitted lists often include an outbound firewall, and I have no problem with that. I’m sure an outbound firewall can be beneficial in certain situations. But, given normal circumstances, where a home user is utilizing sufficient inbound protection, including connecting to the internet through a quality router, I can’t help wondering if the negatives don’t often outweigh any positives.
Not that Online Armor didn’t issue warnings, there were plenty of them, it’s just that they were always for known/safe processes – so much for the ‘learning’ process. I lost count of how many times I informed Online Armor that Avast was a ‘trusted’ application – it made not a scrap of difference, every time Avast attempted to connect and download updates up popped Online Armor’s security warning.
This is one of my main concerns with these firewalls – they are not designed to distinguish between legitimate and malicious processes, so the vast majority of ‘warnings’ emanate from benign sources and any decision making is then largely down to the end user. That may be fine for most savvy users, but what about the legions of novice and less experienced users out there who don’t have the necessary acumen to identify and assess flagged activity, especially based on the often meager details provided by the firewall? Because of frequent false positives, the general lack of definitive information, plus the related difficulties involved with identification and evaluation, many users just end up ignoring the warnings altogether… which, of course, then renders the outbound firewall completely ineffective. And please don’t tell me that activating a firewall’s HIPS component will afford extra protection. In my experience, that merely creates a massive increase in the number of disruptions and only serves to exacerbate the situation.
Ask anyone who has been fixing errant machines over a long period of time, whether professionally or on a part-time basis for family or friends – third-party firewalls will often present more problems than they prevent. One of the most common issues I have had to deal with is when the less experienced user has answered a firewall’s prompt incorrectly, denying a perfectly legitimate/safe process access.
I’m a great believer in prevention over remediation. In my opinion, if an outbound firewall does in fact detect something malicious then it is indicative of a weakness in the inbound defenses. Admittedly, an outbound firewall will generally prevent some types of malware from phoning home and possibly intensifying any damage but isn’t it better to prevent the initial infection in the first place rather than have to deal with it after the fact?
I realize a lot of people will disagree with this assessment, as is their prerogative. I am certainly no expert and have never professed to be – I can only tell it the way I see it. Rather than relying on something which only delivers after a machine has already been infected, I would prefer to see users focus their attention on strengthening preventative measures – in my opinion, with sufficient inbound protection, including a cautious attitude and quality router, an outbound firewall is redundant.
What do you think?