Old 10-02-2005, 08:12 AM
Volker Birk
Re: Why do I need a software firewall?

Todd H. <comphelp@toddh.net> wrote:
> So, I agree that spending time with host based configuration on every
> device in the home can achieve the same security posture at a given
> instant, but what your arguments are ignoring is the value of defense
> in depth.


-v plz

> But...the difference is in terms of the likelihood of "what if the
> software firewall crashes, is diabled by nefarious software run on the
> machine, or (the most likely case) is disabled by the user at the
> direction of every tom dick and harry level 1 support technician that
> wants to fire a shotgun in the dark trying to debug some mysterious
> problem?


If the software firewall that I'm recommending crashes, then you have a
kernel panic, which is called a "blue screen" on Windows, because the
Windows Firewall just configures the filtering software in Windows' kernel.

If malware is already running on the system, no protection is needed
any more, because then this machine has to be flattened and rebuilt anyway.
A hardware firewall cannot protect this machine any more either.

If your support technician calls you to fool around, and you're doing
it, you're losing in any case. If users are fooling around, then nonsense
will happen, regardless of what you're trying to secure. This has nothing
to do with firewalls.

> > Usually, it is very easy to stop any servers on your Windows box - just
> > use Torsten's script on ntsvcfg.de or use www.dingens.org.

> You vastly overestimate the average user's patience for this sort of
> configuration. This requires user intervention and is simply something
> folks won't do, and can manage to screw up.


Hundreds of thousands of people are doing it already with these tools,
maybe millions.

> > Or use Windows XP SP2 with actual patches in the default
> > configuration; it is NOT vulnerable to any network based attack
> > because the Windows- Firewall is switched on by default. A hardware
> > device will not make it more secure than secure against
> > network-based attacks.

> True... but... what percentage of general users are using Windows XP
> SP2?


This is a problem, yes. And Microsoft is not solving it by making, for
example, a service pack for Windows 2000 which does the same for this OS.

Microsoft is causing the security disaster, and afterwards they want
money from their customers to solve it again.

> > This is just nonsense. Why should one do that? Why should the user
> > make the "software firewall" "go down"?

> Nonsense? Ever observed a typical user on the phone with a tech
> support agent for even the simplest networking problem?


Yes. In spite of shit happening, it remains shit.

> One of the
> first things the support technician has them do is disable any
> software firewalls to eliminate the possibility that they're
> interfering.


I believe you that many idiots are working as support technicians - why not?
Many idiots are working as programmers, as admins, as politicians and
as clerks, so why not as support technicians? :-/

But where will this discussion lead? Securing the user against
himself/herself and against the dumb support technician will fail anyway.

> The world is well aware that NAT doesn't provide security in and of
> itself... but here's the newsflash: most of the devices if not all
> also include SPI firewalls enabled by default in addition to the
> obscuring of NAT. And nearly all require no configuration at all.
> You plug the thing in and every machine behind it becomes a lot less
> vulnerable to network based attacks. For a whopping $60.


The devices I saw all required extra filtering configuration to
filter out packets from outside with spoofed source addresses. And many
of the stateful inspection implementations for FTP are so bad that
those boxes often leave what's behind them vulnerable.

What you're claiming here gives me new hope - perhaps the manufacturers
will learn at last.

Did you check conscientiously what you're telling us here?

> > To make such a router secure, you have to configure it for
> > filtering, too. Especially, you have to filter out any packet
> > which seems to come from inside but arrives on the outside network
> > interface. And even more, many stateful inspection implementations,
> > e.g. for FTP, are very insecure.

> How many of the general users I'm talking about here are running ftp
> servers at home?


This is not the problem. I'm talking about the possibility to use FTP
clients, not servers.

Yours,
VB.
--
MAC filtering protects against "hackers" about as well as newsprint
protects against an atom bomb.
- Christian Forler in de.comp.security.misc
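The two router weaknesses named in the post above (no anti-spoofing filter on the outside interface, and a careless stateful FTP inspection) are easy to see in a small model. What follows is an added example, not code from the post's author or from any router product: a simulated edge filter in Python with a "naive" and a "hardened" mode, run against constructed packets. The LAN range 192.168.1.0/24, the FTP server address 203.0.113.9, the host and port numbers and the PORT lines are all assumptions made for the demo.

```python
"""Simulated home-router packet filter (added example, not the post's code).

Models two weaknesses discussed in the thread:
  1. No anti-spoofing rule: a packet arriving on the WAN side with an
     inside source address is trusted as if it came from the LAN.
  2. A naive FTP ALG that opens an inbound pinhole to whatever host and
     port the client's PORT command names, so a coerced client can expose
     another LAN host's privileged port to the FTP server.
All addresses, packets and FTP lines below are constructed for the demo.
"""
from dataclasses import dataclass, field
import ipaddress
import re

LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed inside network
# Source ranges that must never arrive on the outside interface
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]
# Active-mode FTP: "PORT h1,h2,h3,h4,p1,p2" names where the server should connect
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


@dataclass(frozen=True)
class Packet:
    iface: str      # "wan" or "lan": interface the packet arrived on
    src: str
    dst: str
    dport: int


@dataclass
class Router:
    hardened: bool
    # inbound pinholes the ALG opened: (server, lan_host, lan_port)
    pinholes: set = field(default_factory=set)

    def spoofed(self, pkt: Packet) -> bool:
        """Anti-spoofing check: an inside or bogon source on the WAN is a forgery."""
        if pkt.iface != "wan":
            return False
        src = ipaddress.ip_address(pkt.src)
        return src in LAN_NET or any(src in n for n in BOGONS)

    def ftp_port_command(self, client: str, server: str, line: str):
        """ALG saw `line` on the control channel client -> server.
        Returns the pinhole it opens (server may connect to host:port) or None."""
        m = PORT_RE.match(line)
        if m is None:
            return None
        host = ".".join(m.group(1, 2, 3, 4))
        port = int(m.group(5)) * 256 + int(m.group(6))
        if self.hardened:
            # Only the client itself, and only an unprivileged port
            if host != client or port <= 1023:
                return None
        hole = (server, host, port)
        self.pinholes.add(hole)
        return hole

    def inbound_allowed(self, pkt: Packet) -> bool:
        """Decide whether an unsolicited packet from the WAN reaches the LAN host."""
        if self.hardened and self.spoofed(pkt):
            return False
        # Naive boxes trusted an inside address regardless of the interface
        if not self.hardened and ipaddress.ip_address(pkt.src) in LAN_NET:
            return True
        return (pkt.src, pkt.dst, pkt.dport) in self.pinholes


def demo() -> dict:
    """Run both router modes against the same constructed traffic."""
    results = {}
    # Forged packet: arrives on the WAN claiming the router's own LAN address
    spoof = Packet("wan", "192.168.1.1", "192.168.1.5", 139)
    for name, r in (("naive", Router(False)), ("hardened", Router(True))):
        results[f"{name}_spoof"] = r.inbound_allowed(spoof)
        # FTP client 192.168.1.7 talks to server 203.0.113.9 and is coerced into
        # naming a different LAN host and the NetBIOS port in its PORT command
        results[f"{name}_bounce"] = r.ftp_port_command(
            "192.168.1.7", "203.0.113.9", "PORT 192,168,1,5,0,139\r\n")
        results[f"{name}_bounce_pkt"] = r.inbound_allowed(
            Packet("wan", "203.0.113.9", "192.168.1.5", 139))
        # Legitimate active-mode transfer: client names itself on a high port
        results[f"{name}_legit"] = r.ftp_port_command(
            "192.168.1.7", "203.0.113.9", "PORT 192,168,1,7,200,10\r\n")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22s} {v}")
```

In hardened mode the forged packet is dropped on the interface check before any address-based rule runs, and the ALG only ever opens the data connection the client is entitled to (its own address, port above 1023), which is exactly the extra filtering configuration the post says these boxes needed.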
