Personal firewall

In contrast to a classic network firewall , a personal firewall is not an independent network unit that filters the traffic between two networks. It only filters between the computer on which it is running and the network.

A disadvantage of this principle is that the firewall software itself can be attacked. The exploitation or circumvention of these can mean full access to the system to be protected. The vulnerability of the computer is shifted from its network operating system to its firewall where the firewall is active. Additional security against attacks arises from the fact that a firewall is less complex than an entire operating system - and therefore statistically contains fewer errors.

Another advantage of a personal firewall, in contrast to an external firewall, is to determine exactly which applications are involved in incoming and outgoing communication. In this way, application-specific filters are possible so that some programs can be allowed to transfer data and others not.

Firewall principle; unwanted data is filtered out (red), desired data (blue) arrives

Purpose and functionality

A personal firewall is installed on a computer connected to a network, a host , in order to protect it from attacks from the network.

The network can be the Internet or a local network of a company or a private household. The personal firewall is intended to control access to the computer from outside and can prevent this selectively in order to protect it from attacks by worms or crackers .

Another task is to detect and prevent the establishment of a connection to backdoors or communication from spyware . Such a "breakout" is, however, inherently difficult to prevent and not every firewall software works. In particular, techniques exist to open ports through firewalls, which are also used by instant messenger programs such as Skype .

Basic functions

Creating a packet filter rule with a graphical front end (Firestarter)

The main part of a personal firewall is a packet filter . This packet filter makes it possible to block incoming or outgoing data packets according to predefined rules . Filter criteria can be source and destination address, protocol , as well as source and destination port.

In contrast to external firewalls , a personal firewall has an application filter (application control) that can specifically exclude individual application programs from network communication. In addition, the application can flow into the rules for the aforementioned packet filter so that it can filter on an application-based basis. In this way, individual applications can be allowed a certain communication that is forbidden to others.

The personal firewall provides the user or administrator with a graphical front end for the configuration of packet and application filters.

More functions

Personal firewalls differ in terms of functionality through additional components.

Interactive dialogue from Fireflier

Most personal firewalls have a learning mode. The rules for packet filters and application filters are determined through interaction with the user. If the personal firewall registers data traffic for which no rule yet exists, this is reported to the user in a dialog box . He can then decide whether this connection should be allowed or blocked. The firewall can use the response to formulate a new rule that will be used in the future.

With a content filter, some personal firewalls can check the content of data packets and, for example, filter out ActiveX components, JavaScript or advertising banners from requested HTML pages. Content filters that specialize in web applications are known as "Web Shield" or " Web Application Firewall ". Filters for e-mail attachments are also often offered.

Some firewalls have an intrusion detection and defense system. In technical jargon, this is called the “ Intrusion Detection System ” (IDS) or “ Intrusion Prevention System ” (IPS). A distinction is made between network-based (NIDS) and host-based intrusion detection systems (HIDS). A NIDS examines the network traffic for known attack patterns and reports their occurrence. Malware often tries to bypass the filtering by the firewall. This could happen because the malware terminates the service of the personal firewall. One possible trick to bypass the personal firewall is to start a trustworthy program (for example the browser ) and use it to establish the connection. Attempts can also be made to change a trustworthy program or a library it uses, or to infiltrate such a program as an extension. A host- based intrusion detection system (HIDS) tries to detect such tricks and warns the user.

Another possible function is "sandboxing". A program running in a sandbox is denied access to certain system resources. This is to prevent a compromised application from causing damage to the operating system .

Stateful inspection: the properties of outgoing data packets are saved in a status table. Incoming data packets are compared with this

A computer that communicates on the Internet has usually established several connections at the same time. For example, when a website is called up on the Internet by the browser, the name service is always also consulted beforehand to resolve the IP address . The same applies to sending or retrieving emails. Such a connection in turn consists of several individual data packets that are exchanged bidirectionally. A packet filter that masters stateful inspection (state-controlled or dynamic packet filtering) can let a data packet through according to the criterion whether this is part of an already existing connection - that is, the response to a previously permitted data packet. It is said that the filtering is controlled by the state (existing or non-existing) of the connection. This is where the term "state-controlled packet filtering" comes from. One of several ways to implement this function is that the packet filter, if it allows an outgoing data packet to pass according to the rule specified by the user, generates a new rule that also allows a packet that has the properties of an expected response . Since this rule is not rigidly specified, but is generated dynamically by the packet filter, it is also referred to as "dynamic packet filtering".

Log shown by Firestarter : The computer with the IP address 10.0.0.140 tried to access port 80. These connection attempts were blocked by the packet filter and answered with an error message.

An important function is the logging of the procedure of the packet filter in a " log file " (short: log). This makes it possible to detect errors in the network configuration.

Some personal firewalls offer a stealth mode (from stealth "stealth"). In this mode, requests to unused ports are rejected without an answer. In such a case, an answer would normally be given that the computer can be reached but the port is not in use. The lack of a response is intended to make it more difficult for the attacker to gather information about the system. This practice is known as " security through obscurity ".

Many personal firewalls independently check whether the manufacturer has made a more up-to-date version of the firewall software available on the network, and download and install it if necessary. This automatic system ensures that the firewall software is updated promptly if it is affected by security gaps.

A remote maintenance access can for the administration of a personal firewall on a terminal in the network by the network administrator serve.

Differentiation from the firewall

A general distinction is made between two types of firewalls based on their topology :

The generic term "firewall" refers to both, strictly speaking, even without additional (network or personnel), especially in the professional environment mostly former type is meant.

However, there is no general terminology on the subject beyond that . Terms are used inconsistently and sometimes inconsistently.

Hardware firewall, gateway firewall, firewall gateway or firewall for short : It is located between different computer networks and restricts access between these networks

In the second edition of a classic on the subject firewall "Personal Firewall" is entitled to protection of an individual computer using the packet filter ipchains described ( Ref : Cheswick 2004, p 266). This personal firewall is separated there from the gateway firewall. The latter is located as an interface between two computer networks and is called “firewall” in the rest of the book. A personal firewall, on the other hand, is installed on the host to be protected .

Manufacturers often give their packet filter software or their configuration tools the name "Firewall". Examples are the Windows firewall , the SuSE firewall or the IPFirewall (ipfw) from FreeBSD . In manuals for personal firewalls and computer magazines , the terms firewall and personal firewall are often used synonymously. The terms hardware firewall and software firewall have become commonplace for home users. Hardware firewall refers to an external device, software firewall is a synonym for personal firewall.

Many network administrators reject this designation: software also runs on an external router . Instead of a hardware and software firewall, a distinction should be made between routers with a packet filter function and host-based packet filters (HBPF). In the opinion of many network administrators, none of the above products would do justice to the name firewall. A firewall is a carefully planned and constantly maintained system for separating network areas. “A firewall is a concept” , they say, “and not software that you can simply install” . The implementation of such a firewall concept - the (physical) firewall - is site-specific and rarely consists of a single component.

Personal firewall as a protective measure

Personal firewalls often form part of the protection of private PCs with Internet access. Their use is recommended by Microsoft and many specialist magazines , among others . Since the beginning of 2006, Microsoft's TechNet Magazine and the c't have also pointed out that a PFW as protection against attacks from the inside only helps against pests that make no effort to hide.

The Federal Office for Information Security (BSI) recommends private individuals to use a personal firewall. According to the IT-Grundschutz catalogs , personal firewalls could be useful as a supplement to a central firewall in the corporate or government network . However, the office warns against relying on a PFW as the sole protective measure. More important are, according to the BSI virus and spyware scanners regular data backup (Backup), soon Update (Engl. Update ) the software used by public knowledge of a security breach , the safest possible configuration of the web browser , email client and operating system and generally a more cautious approach with the Internet.

The use of personal firewalls met with criticism from the start in the de.comp.security newsgroup (today de.comp.security.firewall). Security gaps are caused by untrustworthy or faulty software or by improper configuration. It is the wrong way to address this security problem by adding additional software that can also be buggy or misconfigured. Personal firewalls would increase the complexity of the overall system and thus its attack surface.

The critical FAQ of the newsgroup de.comp.security.firewall allows personal firewalls that you can use their logs to learn more about the network traffic initiated by your own computer. A precise understanding of the processes requires knowledge of the Internet protocol family .

Protection against external attacks

External attacks are usually directed against programs that offer network services. In the home user sector, file and print services , RPC services, and messaging services are very common. Programs whose job it is to offer the service are called servers or peers . A server or peer requests a socket from the operating system in order to wait for requests from unknown computers in the network.

With some operating systems, such as Solaris or Windows NT , 2000 and XP, network services are already offered in the standard configuration on all network interfaces . As a result, computers with unpatched Windows 2000 and Windows XP up to SP1 operating systems fall victim to attacks on average just a few minutes after they have been connected to the Internet without being protected by a firewall. The computer is usually compromised before the security updates needed to prevent the attack can be downloaded. As of Windows XP SP2, such attacks are fended off by the integrated and standard active Windows firewall .

The packet filter of a personal firewall protects against the attacks described here by discarding all data packets from the Internet that are directed to the port on which the server is listening. Although the server is running and listening on a port, it cannot be reached from the Internet. The server cannot be attacked by other computers, but it cannot be used either.

Many attacks can be prevented without a firewall if the service that has a security gap is patched in good time. In the case of a zero-day attack , however, this is not possible. Another protection option is to fend off attacks through a restrictive network configuration by shutting down unused servers or tying them to a network interface that cannot be accessed from the Internet. A personal firewall can filter unwanted access to servers that the user cannot or do not want to terminate, or that he did not even notice that they were running.

Attacks against the TCP / IP software of the operating system itself are of much less importance. The ping of death is an example of such an attack. An external firewall that runs on its own operating system, which is independent of that of the computer to be protected, is advantageous for such attacks. Under certain circumstances, a host-based packet filter can also ward off attacks against the IP stack, namely when it already discards packets before they pass through the faulty part of the IP stack.

Personal firewalls are made up of software that can be buggy. Sometimes vulnerabilities in personal firewalls become known, which make it possible to attack systems to be protected via the network. In March 2004, versions of BlackICE and RealSecure that were not updated in time were victims of the Witty worm .

A disadvantage of the personal firewall compared to the gateway firewall (also called firewall for short ) and the use of bastion hosts is that the attacker already has full access to the system to be protected after a successful attack by the personal firewall software.

Protection against attacks from within

Malware often gets onto the computer via a buffer overflow in an application or as a Trojan horse . This is the user who has no idea of the harmfulness of the program executed . It is not one of the tasks of a personal firewall to protect against a Trojan horse from running. But it is supposed to expose or prevent the later communication of malicious software ("malware") that has reached the computer in this way.

Especially if the malware is executed with restricted user rights, a PFW can often prevent the malware from setting up a backdoor on the system. Experienced users can recognize an attempt to set up a backdoor from the log messages of the personal firewall. In most cases, however, it cannot be said with certainty whether the action thwarted by the personal firewall is the only function of the malware or whether further unnoticed manipulations were carried out on the operating system. In this case the system is considered to have been compromised . This can no longer be secured by a personal firewall.

Personal firewalls that control outbound connections, could in the past certain e-mail worms , have their own SMTP - client brought, prevent them from spreading. As a result, some e-mail worms try to shut down the personal firewall. Whether this succeeds depends heavily on the firewall software used.

A technical problem is that there are numerous possibilities to bypass the filtering of outgoing connections: The packet filtering can be bypassed in the same way as with external packet filters via tunneled connections. Application control can be bypassed by using a program classified as trustworthy by the PFW to establish the connection. For example, the Chaos Computer Club Ulm demonstrated in a lecture on personal firewalls a method of calling up the browser and sending information to the outside that could not be recognized or prevented by any of the PFWs tested (see web links ).

Stealth mode

The IRC client Irssi has been waiting almost a minute for confirmation of its registration in the IRCnet . Possible reason: The IRC server is waiting for its identification request to be answered. However, this was rejected by a firewall.

The use of the stealth mode offered by some firewall products (see other functions ) is viewed critically. Contrary to the recommendations of the RFCs , the packet filter in stealth mode drops all requests without comment (DROP) instead of responding with ICMP control messages. Administrators have observed that computers that do not respond to pings are scanned comparatively less often and attacked less often. From a technical perspective the stealth mode, neither an attack can prevent a scanning TCP ports even if the router of the provider does not respond to pings with "Destination unreachable" says an attacker that the computer exists. A port scanner , the problem is that it (Engl. For questions referring to a timeout Timeout ) comes deal: He sends the requests in parallel and collects all the answers. If there is no response, the status of the corresponding port is displayed as "filtered". The port scan is slowed down, but not prevented.

Regular programs can be hampered by using stealth mode. This applies, for example, to Internet applications that use the authentication service (also called “auth-service” or “ident”). Some servers establish a connection to TCP port 113, the auth service of the client computer, as part of the login process . One speaks of an Ident request. This is used by administrators of multi-user systems to determine which user has used the service. Home users do not need the authentication service. However, if the Ident request is not reset, but instead, caused by the firewall, the request times out, this can lead to problems when logging into servers.

Ident request
The server's identification request is rejected by the PFW. The server waits for the timeout before continuing to establish the connection.	In a different computer configuration, the Ident request is answered by the firewall with TCP-RST. This avoids the problems

Some personal firewalls filter all incoming messages of the " Internet Control Message Protocol " (ICMP) in stealth mode . However, message type 3 “Destination Unreachable” in particular transports important error and control messages for intended Internet connections. This includes, for example, determining the maximum packet size (MTU for Maximum Transmission Unit) that can be transmitted over a network. If ICMP is filtered, it can lead to unexpected network problems. For example, if websites from Google Groups or eBay cannot be accessed while other websites are working fine, this indicates MTU problems.

In contrast to the first log file , the inquiries are discarded here unanswered . The client does not stop retrying the request.

Interestingly, the strategy of not answering incoming requests can lead to higher traffic . Many applications make the request again if they do not receive a response or an error message.

configuration

The protective effect that can be achieved with the help of a personal firewall depends to a large extent on its correct configuration.

The basic settings are often not suitable for the intended use. For example, remote maintenance access, as offered by Kerio 2 in the standard configuration, only represents an unnecessary risk when using the personal firewall on a single-user computer with Internet access.

Most, but by no means all, products block external access to the network services offered by the computer in the basic settings. With the Tiny Personal Firewall , this packet filter function does not have to be activated by the user until it is required.

The protective effect of a desktop firewall can be increased with the help of the separation of rights of the operating system. If a restricted user account is used to surf the Internet , malicious software that is run unintentionally also only runs with restricted rights and cannot manipulate the configuration of the personal firewall.

Firestarter was configured for outgoing data traffic according to a restrictive attitude.

When configuring a personal firewall, you can proceed according to various basic principles: "Anything that is not expressly prohibited is permitted " and "Anything that is not expressly permitted is prohibited" . The latter basic attitude is considered more secure, but is more difficult to configure.

For inexperienced users, it is often confusing to ask for a rule for unknown processes . Some of these processes are part of the operating system and are necessary for Internet connections. When defining the rules according to the last-mentioned basic attitude, as few processes as possible are initially released. If the software then no longer works as expected, the log can be searched for blocked connections in order to release the process belonging to the disabled software. In the case of unknown processes, it is advisable to research further information in order to clarify what this process belongs to.

Examples of personal firewall software

Windows

In contrast to Windows 98 , Windows NT-based systems from NT 4.0 onwards have on-board options for packet filtering. On the one hand, IPsec is a possibility for rule-based packet filtering, on the other hand, filters for incoming connections to certain ports can be defined in the properties of the network connection.

The Internet Connection Firewall (ICF) is supplied with Windows XP up to and including Service Pack 1 . It can be activated for individual network interfaces and checks incoming data packets to see whether they have been requested beforehand. In the standard configuration, the ICF is not activated for all network interfaces. As a result, many Windows XP computers that were not patched in time fell victim to the Blaster and Sasser worms.

With Service Pack 2 for Windows XP, the functionality of the firewall has been expanded and it has been renamed Windows Firewall . It is automatically activated when installing Service Pack 2 or when installing Windows from a data carrier with integrated ( slipstreamed ) Service Pack 2. The Windows firewall does not control connections directed outwards under Windows XP.

As of Windows Vista , the function of the firewall has been expanded again: It can filter outgoing connections. In addition, the IPsec guidelines, which were previously independent of the Windows firewall, have been integrated and it has remote maintenance access.

Alternative personal firewalls for Windows

• Agnitum Outpost Firewall
• Ashampoo Firewall
• Bitdefender Security Firewall
• CA Host Based Intrusion Prevention System (formerly " Tiny Personal Firewall ")
• Comodo Firewall Pro ( Freeware )
• F-Secure Internet Security
• GhostWall ( Freeware )
• Glasswire ( Freeware )
• Jetico Personal Firewall
• Kaspersky Internet Security
• Norman Personal Firewall
• Norton Personal Firewall
• Sophos Client Firewall
• Sunbelt Personal Firewall (formerly "Kerio Personal Firewall")
• ZoneAlarm

Open source software for Windows

While the software for Linux discussed here is open-source and mostly free software, Windows closed-source programs from commercial providers dominate. However, some open source projects for Windows have also emerged:

The iSafer Winsock Firewall , a Winsock -based personal firewall, is under the GNU General Public License (GPL). PeerGuardian is also licensed under the GPL. PeerGuardian was developed with the aim of blocking spyware in peer-to-peer programs. Version 1 was programmed in Visual Basic - unusual for firewall software. PeerGuardian 2 is written in C and C ++ and has also been ported to Unix-like operating systems . The packet filter-based personal firewall NetDefender is also open source .

The usual UNIX approach of assembling a personal firewall from individual components is also possible under Windows. Pure packet filter software also exists for Windows: WIPFW is a port of the FreeBSD IPFW for Windows. PktFilter , a product of the French IT security company "Hervé Schauer Consultants", is available under the BSD license and uses a syntax that is similar to IPFilter.

Linux and other Unixoid operating systems

A computer on which Unix or a Unix derivative is used as the operating system can also be protected by a host-based packet filter. Many functions typical of personal firewalls can be achieved with software available for UNIX.

The Systrace program can control system calls .

The graphical rule generator Firewall Builder (Fwbuilder) runs on several operating systems and supports various packet filters. Although Firewall Builder is primarily intended for professional use, instructions ( Howtos ) exist for setting up a personal firewall using this program. Syslog is usually used for logging under Unix-like operating systems . Most syslog implementations can communicate via Unix domain sockets if they create local log files. A popular intrusion detection system is Snort . Applications susceptible to compromise can be locked in a sandbox using chroot or jails . Application control is possible using Mandatory Access Control (MAC). Implementations are, for example, SELinux , Trusted Solaris and Systrace . Systrace is part of NetBSD , OpenBSD and OpenDarwin . It has been ported to Linux and Mac OS X. The web cache proxy Squid in conjunction with SquidGuard or DansGuardian can be used as a content filter .

Linux

Linux includes the packet filter Netfilter . The console-based standard front end for this is called iptables . Programs such as KMyFirewall and Guarddog for KDE and Firestarter for the Gnome desktop are available as a graphical front end for iptables . Firestarter is clear and easy to use, but still allows extensive setting options, such as filtering certain ICMP types or rejecting packets with an error message. Users can write modules themselves to expand the program. Many Linux distributions bring their own tools for setting up the packet filter: The SuSE firewall, for example, is a collection of scripts for iptables . It can be set up with the graphical installation and configuration tool YaST (Yet another Setup Tool).

Application-based filtering was possible with iptables using the Owner Match module . The command

 /sbin/iptables -A OUTPUT -m owner -cmd-owner ssh -j ACCEPT

only allows external connection with the ssh program . The module became part of the official Linux kernel from kernel version 2.4.20 . In the kernel version 2.6.14 it was removed from the kernel due to problems on symmetrical multiprocessor systems . An alternative to Owner Match is NuFW .

The MAC implementations RSBAC , SELinux , AppArmor and grsecurity offer more extensive application control .

The TuxGuardian personal firewall is based on the Linux Security Modules (LSM) of the Linux kernel 2.6. TuxGuardian allows application control and can interact with the user via dialog windows.

Fireflier is also a personal firewall that can be configured interactively in detail and also allows application control combined with IP addresses and ports. It provides a client program for both KDE and GNOME. With the interface, individual iptables rules can be set, including stateful inspection .

A personal firewall with a graphical user interface is also included in the commercial and largely proprietary Linux security software DesktopSecure from Panda Security .

FreeBSD

A configuration script for the FreeBSD IPFirewall is edited with the text editor Vim .

With the rc.firewall script, FreeBSD provides a ready-made rule set for the IPFirewall (ipfw) packet filter . To protect a single-user computer with Internet access, the rc.firewall script can be called with the "client" option. The operating system user manual contains sample configurations for the host-based use of the packet filter alternatives IPFilter (ipf) and pf . Users who prefer configuration tools with a graphical user interface will find a few programs in the ports : The Qt firewall (qtfw) is a front end for the IP firewall .

The TrustedBSD project deals with the implementation of MAC under FreeBSD .

Mac OS X

Mac OS X also includes the IPFirewall (ipfw) packet filter. Well-known graphical front ends for this packet filter under OS X are the shareware programs Firewalk from Pliris LLC, Flying Buttress from Brian Hill, which was available under the name BrickHouse before version 1.4 , and the open source program WaterRoof . The operating system versions 10.2 (Jaguar) to 10.4 (Tiger) contain a graphic front end for ipfw in the operating system.

Mac OS X 10.5 (Leopard), which was released on October 26, 2007, introduced the Application Firewall . As the name suggests, it filters application-based, whereby the applications are recognized using digital signatures . The main task of the application firewall is to control incoming connections to the computer on which it is running. According to Apple , application-based filtering is intended to make configuration easier for the user, since it does not require any knowledge of the ports and protocols used by the application. The application firewall has a graphical user interface; on the other hand, since version 10.5 of the operating system, the ipfw can only be configured via the command line or with the help of graphical frontends from other manufacturers.

In articles from October 29th and November 8th 2007, Heise-Online criticized the fact that the application firewall is not active in the basic settings of the operating system and that in Mac OS X 10.5 there are exceptions for programs in the setting "Block all incoming connections" that run with root privileges. For example, the Samba server (nmbd), mdnsresponder and the time server ( ntpd ) could be reached from outside despite an active application firewall.

In response to the criticism, in the update to 10.5.1 published on November 15, 2007, the setting “Block all incoming connections” was renamed to “Only allow essential services”. In addition, the number of exceptions has been reduced. For example, after the update, access to Samba is blocked by the application firewall if it is active. The update also eliminated problems with the Internet telephony software Skype and the computer game World of Warcraft . Under Mac OS X 10.5, both programs could no longer be started if they had been signed by the Application Firewall beforehand.

The commercial program Little Snitch specializes in the application-based filtering of outgoing connections - the function that ipfw does not offer. Little Snitch can be configured interactively via dialog windows. These windows appear and inform the user when an application establishes a connection (e.g. to the Internet). (see learning mode )

literature

• William R. Cheswick, Steve M. Bellovin, Aviel D. Rubin: Firewalls and Internet Security . Addison-Wesley, Munich 2004, ISBN 3-8273-2117-4
• Lisa Yeo: Personal Firewalls for Administrators and Remote Users . Prentice Hall PTR, New Jersey 2003, ISBN 0-13-046222-5
• Zwicky, Cooper, Chapman: Setting up Internet Firewalls . O'Reilly, Cologne 2001, ISBN 3-89721-169-6

Web links

• BSI via personal firewalls
• Vulnerabilities in personal firewalls
• Personal Firewall Ruleset Instructions
• de.comp.security.firewall FAQ
• Leak tests and reviews of personal firewalls (English)
• Lecture by CCC Ulm on personal firewalls (video and audio recording, slides, source code, documentation)

Individual evidence

1. ↑ Dirk Knop: Surfing without regrets? in c't Magazin , 2, 2006, p. 166
2. ↑ heise.de
3. ↑ Jesper Johansson, Steve Riley: Deconstructing Common Security Myths In: TechNet Magazine May / June 2006
4. ↑ Jürgen Schmidt: ZoneAlarm im Kreuzfeuer on Heise online , January 24, 2006
5. ↑ Jürgen Schmidt: The spy who came from within. Why personal firewalls fail as a detective . In: c't , 2006, issue 17 ( Memento of October 16, 2007 in the Internet Archive ), pp. 108-110, August 7, 2006
6. ^ Daniel Bachfeld: Protection against viruses under Windows Answers to the most frequently asked questions ( Memento of October 16, 2007 in the Internet Archive ) . In: c't , 2006, issue 18, p. 196
7. ↑ BSI for citizens : BSI - Firewall (embedded video). Federal Office for Information Security , archived from the original on October 15, 2014 ; Retrieved December 19, 2014 . 
8. ↑ ^{a b} M 5.91 Use of personal firewalls for Internet PCs. In: IT-Grundschutz Catalogs . Federal Office for Information Security , archived from the original on November 10, 2012 ; accessed on December 2, 2010 (status 11th supplementary delivery). 
9. ↑ Personal Firewall. How much security does a personal firewall offer me? Federal Office for Information Security , accessed on December 2, 2010 . 
10. ↑ BSI for citizens : Technical protective measures. (No longer available online.) Federal Office for Information Security , formerly the original ; Retrieved December 2, 2010 .  ( Page no longer available , search in web archives )  Info: The link was automatically marked as defective. Please check the link according to the instructions and then remove this notice.@1@ 2Template: Toter Link / www.bsi-fuer-buerger.de    
11. ↑ Felix von Leitner: Personal Firewall Security FAQ (accessed August 4, 2009)
12. ↑ Lutz Donnerhacke: de.comp.security.firewall FAQ ; Question: How can I see what is happening on my interface / network?
13. ↑ Jürgen Schmidt: The five-minute rumor on www.heise.de on August 17, 2008 (visited December 29, 2008)
14. ↑ Information on the program firewall. Mac OS X 10.5, 10.6. In: support.apple.com . Apple , June 29, 2010, accessed December 2, 2010 . 
15. ↑ Jürgen Schmidt: Holes in the firewall of Mac OS X Leopard In: heise online October 29, 2007
16. ↑ Jürgen Schmidt: Apple documents the function and gaps in the Leopard firewall In: heise online November 8, 2007

This version was added to the list of articles worth reading on August 1, 2006 .