10-01-2005, 07:58 AM
Volker Birk
Re: Why do I need a software firewall?

Todd H. <comphelp@toddh.net> wrote:
> When I wrote "relatively non-complex" that was intended to imply
> "versus a general purpose computer." This is hardly a contentious
> statement.

May I recite the context again, in which you wrote that? This is from
your posting to the OP:

| > It was my understanding that a router gave a hardware firewall which
| > was a million times better than a software one and gave you more
| > protection.
| From external, network-based attacks this is true.

This is just NOT true. If a PC is not offering any servers to the
Internet (and we're talking about home users here), and the IP stack has
no bugs in implementing Layers 2-4, then it is secure against any
network-based attacks. It's not possible for a "hardware firewall" to
make it more secure than secure against network-based attacks.

Usually, it is very easy to stop any servers on your Windows box - just
use Torsten's script on ntsvcfg.de or use www.dingens.org.

Or use Windows XP SP2 with current patches in the default configuration;
it is NOT vulnerable to any network-based attack because the Windows
Firewall is switched on by default. A hardware device will not make it
more secure than secure against network-based attacks.

| > In that case, why have a hardware firewall?
| Because if your software firewall goes down (which it can), then
| you're unprotected.

Yes, and if you switch off the "hardware firewall" and plug your PC
into the net directly (which you can), then you're unprotected.

This is just nonsense. Why should one do that? Why should the user make
the "software firewall" "go down"?

| Hardware devices are relatively non-complex and
| are easier to secure, unlike a multipurpose computer.

This is not true in this context, as I stated above.

> If you feel that is nonsense, Volker, do you really feel a full Linux
> distro or a Windows box running a general purpose microprocessor is
> equally simple for a user to secure versus something like an embedded
> or ASIC based box like a Linksys BEFSR41 or SMC Barricade, both of
> which by default have no WAN-side ports listening save for perhaps
> ident?

For a user, it is only possible to secure a device if he can click
on a button, and the device then is secure against a specific attack
vector. What is behind this button, and how complex it is, does not
matter at all.

This is all a usual home user can do, because she/he has no knowledge
at all about what's going on technically.

So securing a simple Windows box against network attacks is as simple as
clicking on "Single Computer" and pressing "OK" on www.dingens.org.

It is as simple as buying a Macintosh and not having such problems at all.

It is as simple as having Windows XP SP2 on the computer in the default
configuration.

BTW: because I develop embedded systems myself professionally, I can
tell you that many of those devices are not non-complex at all. But this
has nothing to do with the users' view, of course.

And:

Quite contrary to what you're saying, the usual SOHO router device is
difficult to secure for a home user. This is because NAT is not designed
as a security technology. To make such a router secure, you have to
configure it for filtering, too. Especially, you have to filter out any
packet which seems to come from inside, but arrives on the outside
network interface. And even more, many stateful inspection
implementations, e.g. for FTP, are very insecure.

Of course, I'm not talking about securing the filtering device itself
here, but the devices which it should protect. I'm doing this because
we're discussing in that context.

Yours,
VB.
--
MAC filtering protects against "hackers" about as well as newsprint
protects against an atomic bomb.
- Christian Forler in de.comp.security.misc
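The two filtering points made in the post above (a host or router that refuses unsolicited inbound connections because it offers no servers to the Internet, and a SOHO router that must drop WAN-side packets carrying an internal source address because NAT alone is not a security mechanism) as an added example; this is not code from the post or from any product mentioned in it. The script models the verdict a Linux-based home router's packet filter would reach for a packet and prints the equivalent nftables ruleset. The interface names wan0 and lan0 and the LAN range 192.168.1.0/24 are assumed values chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the post): policy model for a Linux home router's
# packet filter. Interface names and the LAN range are assumed values.
WAN_IF="wan0"
LAN_IF="lan0"
LAN_NET="192.168.1.0/24"

# ip2int ADDR: dotted-quad IPv4 -> 32-bit integer
ip2int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net ADDR CIDR: succeed (exit 0) if ADDR lies inside CIDR
in_net() {
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# decide IFACE SRC STATE: print the verdict the filter takes for a packet
# arriving on IFACE with source address SRC. STATE is the conntrack view:
# "new" for an unsolicited packet, "established" for a reply to a flow
# that an inside host opened.
decide() {
    iface=$1
    src=$2
    state=$3
    if [ "$iface" = "$WAN_IF" ] && in_net "$src" "$LAN_NET"; then
        # anti-spoofing: an internal source address on the outside interface
        echo "drop spoofed-internal-source"
    elif [ "$iface" = "$WAN_IF" ] && [ "$state" = "new" ]; then
        # no servers are offered to the Internet: unsolicited inbound is refused
        echo "drop unsolicited-inbound"
    else
        echo "accept"
    fi
}

# print_ruleset: the same policy expressed as an nftables ruleset
# (input chain protects the router itself, forward chain the LAN hosts)
print_ruleset() {
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "$WAN_IF" ip saddr $LAN_NET drop
        iifname "lo" accept
        iifname "$LAN_IF" accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "$WAN_IF" ip saddr $LAN_NET drop
        iifname "$LAN_IF" oifname "$WAN_IF" accept
    }
}
EOF
}

# Constructed sample packets: interface, source address, conntrack state
for pkt in "$WAN_IF 192.168.1.10 new" \
           "$WAN_IF 203.0.113.5 new" \
           "$WAN_IF 203.0.113.5 established" \
           "$LAN_IF 192.168.1.10 new"; do
    echo "$pkt -> $(decide $pkt)"
done
print_ruleset
```

The weak configuration the post warns about is the same ruleset with `policy accept` and without the `ct state` and `ip saddr` rules: the router then relies on the NAT table happening to have no mapping for an unsolicited packet, and a packet arriving on the WAN side with a LAN source address is routed inward like any other. The `input` chain with `policy drop` and the `established,related` rule is also the shape of what a host-side default-deny firewall, such as the one the post says Windows XP SP2 enables by default, does for the host itself.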
