How Personal Firewalls Annoy Help Desk Technicians

Members of the ISP-Tech list discuss what happens when you give customers a personal firewall. How do you deal with someone whose firewall's alarms go off every time they download software?

[January 16, 2001]

On the ISP-Tech list in January, VB complained,

"Anyone out there besides me feel like the most dangerous thing you can hand your users is a personal firewall? I've had my third hysterical complaint this week demanding action against 'hackers' because these ding-dongs firewall well-known services' ports and then scream 'hacker' whenever someone touches them. What policy is everyone taking regarding this?"

A number of respondents agreed that personal firewalls are more trouble than they're worth:

[PJ recalled] "I had a guy last year have a fit about a thing that scanned my network and alerted me if there was a problem. He called wanting to know who was hacking him. I explained what it was, and he still did not get it. He thought I was trying to get into his computer. He quit and I am just fine with that. Let him drive someone else nuts. I hate the firewall things. They just make life more complicated."

[DE agree] "It's amusing the first time someone complains they were getting 'port-scanned' when they were trying to download software, but then it gets a little tedious. Perhaps these personal firewall packages should come with a sachet of clue, to be taken with morning coffee."

[JR added] "About every month I get an entire ream of printouts from a customer's firewall logs. I take them, smile, and file them in good ol' 'File 13.'"

Others shared their ideas regarding policy:

[BK proposed] "What about putting a 'blurb' on your site about personal firewalls, on what they can and cannot do, on 'false alarms,' on what is 'normal' activity, and on the importance of setting them up correctly?"

[JB explained] "You have to treat it on a case-by-case basis. The difficult part is determining intent. When I have a user that is intentionally port scanning, I hear from several people about it within a short time period. The originator receives one warning, and on the second occurrence the account is cut.

Users who complain of hacks must show the following: Date, Time, Time Zone, IP Address Origination, IP Address Destination, Ports Scanned, Start and Stop Duration, Log Files of Attempt."

[RL advised] "We're working on a security policy for our Acceptable Use Policy (AUP). One of the things we are trying to include is a statement about the Internet not being secure and how the customer takes their chances, so to speak. This is something she felt we needed to do some time ago. We had one [customer] generate a complaint with the State Attorney General's office over a port scan that was done to help a client with a connection problem. It just happened to run afoul of the personal firewall on this guy's computer and he told the AG's office we were trying to break into his 'highly sophisticated system.' The Internet is becoming a dangerous place for service providers."

—End