comp.security.misc

#1
09-29-2005, 11:44 PM
om.newsgroup@gmail.com
Why do I need a software firewall?

It was my understanding that a router gave a hardware firewall which
was a million times better than a software one and gave you more
protection.

I have a Belkin router, which like most other low end routers claims to
have two hardware firewalls, SPI and NAT I think.

So... why do I need a software firewall??

I have the free version of Kerio running.
From running it, I realise that I definitely need it.

Otherwise, I will get loads and loads of incoming and outgoing traffic,
most from and to sources I've never heard of!

In that case, why have a hardware firewall?

I can kind of see why both are necessary in my own head... but I'd like
to hear what the experts have to say about it.

Thanks.


OM


#2
09-30-2005, 12:42 AM
Todd H.
Re: Why do I need a software firewall?

om.newsgroup@gmail.com writes:

> It was my understanding that a router gave a hardware firewall which
> was a million times better than a software one and gave you more
> protection.


From external, network-based attacks this is true.

> I have a Belkin router, which like most other low end routers claims to
> have two hardware firewalls, SPI and NAT I think.
>
> So... why do I need a software firewall??


A software firewall can add something your network level firewall
cannot. It can interactively prompt you when new unknown programs on
your PC try to make outbound connections.

This can be helpful in tipping you off to drive-by installs of
software that shouldn't be on your machine, or alert you to software
that is phoning home that shouldn't be.

> In that case, why have a hardware firewall?


Because if your software firewall goes down (which it can), then
you're unprotected. Hardware devices are relatively non-complex and
are easier to secure, unlike a multipurpose computer.

> I can kind of see why both are necessary in my own head... but I'd like
> to hear what the experts have to say about it.


Best Regards,
--
Todd H.
http://www.toddh.net/

#3
09-30-2005, 12:48 AM
xpyttl
Re: Why do I need a software firewall?

<om.newsgroup@gmail.com> wrote in message
news:1128037485.538651.316920@f14g2000cwb.googlegroups.com...

> I can kind of see why both are necessary in my own head... but I'd like
> to hear what the experts have to say about it.


The nickel answer is that the hardware firewall does a nice job against
inbound connects, the software firewall makes it easier to manage outbound
connects. Kind of oversimplifies it, but there you have it.

...



#4
09-30-2005, 06:56 AM
Volker Birk
Re: Why do I need a software firewall?

om.newsgroup@gmail.com wrote:
> It was my understanding that a router gave a hardware firewall which
> was a million times better than a software one and gave you more
> protection.


Why should a ready made device, sold including a filtering software,
be better than a filtering software driven on your own box?

It can be better, if the included filtering software is better and better
configured. Or it can be worse, vice versa.

> I have a Belkin router, which like most other low end routers claims to
> have two hardware firewalls, SPI and NAT I think.
> So... why do I need a software firewall??


Do you need one?

> I can kind of see why both are necessary in my own head... but I'd like
> to hear what the experts have to say about it.


To what? To "Personal Firewall" software? ;-)

Yours,
VB.
--
MAC-Filtering bringt so viel Schutz vor "Hackern" wie Zeitungspapier vor
einer Atombome. (MAC filtering is protecting against "hackers" like newsprint
is protecting against a nuclear bomb)
- Christian Forler in de.comp.security.misc

#5
09-30-2005, 06:59 AM
Volker Birk
Re: Why do I need a software firewall?

Todd H. <comphelp@toddh.net> wrote:
> om.newsgroup@gmail.com writes:
> > It was my understanding that a router gave a hardware firewall which
> > was a million times better than a software one and gave you more
> > protection.

> From external, network-based attacks this is true.


No.

> A software firewall can add something your network level firewall
> cannot. It can interactively prompt you when new unknown programs on
> your PC try to make outbound connections.


This is counterproductive.

> This can be helpful in tipping you off to drive-by installs of
> software that shouldn't be on your machine, or alert you to software
> that is phoning home that shouldn't be.


Only seldomly this will be helpful.

> > In that case, why have a hardware firewall?

> Because if your software firewall goes down (which it can), then
> you're unprotected.


No. The OP asked comparing with his filtering router.

> Hardware devices are relatively non-complex and
> are easier to secure, unlike a multipurpose computer.


This is just nonsense.

Yours,
VB.
--
MAC-Filtering bringt so viel Schutz vor "Hackern" wie Zeitungspapier vor
einer Atombome. (MAC filtering is protecting against "hackers" like newsprint
is protecting against a nuclear bomb)
- Christian Forler in de.comp.security.misc

#6
09-30-2005, 07:03 AM
Volker Birk
Re: Why do I need a software firewall?

xpyttl <xpyttl_NOSPAM@earthling.net> wrote:
> > I can kind of see why both are necessary in my own head... but I'd like
> > to hear what the experts have to say about it.

> The nickel answer is that the hardware firewall does a nice job against
> inbound connects, the software firewall makes it easier to manage outbound
> connects. Kind of oversimplifies it, but there you have it.


*sigh* - the "nickel answer" is totally wrong. Outgoing TCP sockets can be
filtered by every of the filtering solutions (if they're implementing this
feature), and also a "Personal Firewall" cannot guarantee that the software
running on the "protected" PC is not "phoning home". As a matter of fact,
they only guarantee that for software, which wants to be controlled.

The implementations of "Personal Firewalls" I saw are even very bad -
usually, they're an untrustworthy piece of crap rather than a reliable
filtering software.

Yours,
VB.
--
MAC-Filtering bringt so viel Schutz vor "Hackern" wie Zeitungspapier vor
einer Atombome. (MAC filtering is protecting against "hackers" like newsprint
is protecting against a nuclear bomb)
- Christian Forler in de.comp.security.misc

#7
09-30-2005, 12:47 PM
xpyttl
Re: Why do I need a software firewall?

"Volker Birk" <bumens@dingens.org> wrote in message
news:433ce341@news.uni-ulm.de...

> *sigh* - the "nickel answer" is totally wrong. Outgoing TCP sockets can be
> filtered by every of the filtering solutions (if they're implementing this


What the software firewall brings to the table is the ability to limit
outgoing connects to specific PROGRAMS. This is not something the hardware
firewall can provide. Realistically, the hardware firewall only forces me
to open some ports, unless I'm never going to connect to the net. Most
worms take advantage of this and really like to use port 80. What the
software firewall allows me to do is close port 80 except for Firefox, for
example. Sure, I could block outgoing port 80 at the hardware firewall, but
then I'd have to give up browsing the web.

I did not mean to imply that the software firewall should be used instead of
a hardware firewall. The hardware firewall is a LOT more important than the
software firewall. But the software firewall adds some granularity to the
control the hardware firewall provides.

Sadly, probably 99% of the Internet connected PCs that have any protection
at all only have software protection, which as you point out, is totally
inadequate.

...
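
The distinction drawn in the post above, as an added example that is not part of the original thread: a port-only egress policy (what a router can express) next to a per-program policy (what a host firewall can express), evaluated over constructed connection records. The program paths, rule sets and addresses are assumptions made up for the illustration, and the host verdict is only as reliable as the program identity the host reports, which is the point disputed elsewhere in the thread.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    program: str      # image path of the process owning the socket (known only on the host)
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# Router-style egress policy: the device sees packets, not processes,
# so a rule can only name protocol and destination port.
ROUTER_ALLOWED = {("tcp", 80), ("tcp", 443), ("udp", 53)}

# Host-firewall policy: a rule names the program as well as protocol and port.
# Paths are hypothetical examples, not taken from the thread.
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
HOST_ALLOWED = {
    (FIREFOX.lower(), "tcp", 80),
    (FIREFOX.lower(), "tcp", 443),
    (SVCHOST.lower(), "udp", 53),
}


def router_verdict(c: Conn) -> str:
    """Decision available to a device that only sees protocol and port."""
    return "allow" if (c.proto, c.dst_port) in ROUTER_ALLOWED else "block"


def host_verdict(c: Conn) -> str:
    """Decision available on the host: default-deny unless this program is listed."""
    key = (c.program.lower(), c.proto, c.dst_port)
    return "allow" if key in HOST_ALLOWED else "block"


def only_host_blocks(conns):
    """Connections the port-only policy passes but the per-program policy denies."""
    return [c for c in conns
            if router_verdict(c) == "allow" and host_verdict(c) == "block"]


def verdict_table(conns):
    """One row per connection: (program name, proto, port, router verdict, host verdict)."""
    return [(c.program.rsplit("\\", 1)[-1], c.proto, c.dst_port,
             router_verdict(c), host_verdict(c)) for c in conns]


# Constructed sample traffic (documentation address ranges, made-up programs).
SAMPLE = [
    Conn(FIREFOX, "192.0.2.10", 80),
    Conn(FIREFOX, "192.0.2.10", 443),
    Conn(SVCHOST, "192.0.2.53", 53, "udp"),
    Conn(r"C:\Temp\updater.exe", "198.51.100.7", 80),    # unlisted program, web port
    Conn(r"C:\Temp\updater.exe", "198.51.100.7", 6667),  # unlisted program, unlisted port
]

if __name__ == "__main__":
    for row in verdict_table(SAMPLE):
        print("%-12s %s/%-5d router=%-5s host=%s" % row)
```

The only row where the two policies disagree is the unlisted program on port 80: the port-only policy cannot tell it apart from the browser.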



#8
09-30-2005, 01:33 PM
Todd H.
Re: Why do I need a software firewall?

Leythos <void@nowhere.lan> writes:
>
> You are off base again VB.


VB appears to be a troll. Or someone holding an extremely minority
view in security.

--
Todd H.
http://www.toddh.net/

#9
09-30-2005, 05:05 PM
Volker Birk
Re: Why do I need a software firewall?

Todd H. <comphelp@toddh.net> wrote:
> Leythos <void@nowhere.lan> writes:
> > You are off base again VB.

> VB appears to be a troll. Or someone holding an extremely minority
> view in security.


Or an unusual view, but which is based on fact.

So I'm waiting for your arguments. Because you're assuming, that I'm maybe
a troll, I'm assuming, you have very good arguments why I should be wrong.

I'm waiting on your point of view. Let's start a discussion!

Yours,
VB.
--
MAC-Filtering bringt so viel Schutz vor "Hackern" wie Zeitungspapier vor
einer Atombome. (MAC filtering is protecting against "hackers" like newsprint
is protecting against a nuclear bomb)
- Christian Forler in de.comp.security.misc

#10
09-30-2005, 05:07 PM
Volker Birk
Re: Why do I need a software firewall?

xpyttl <xpyttl_NOSPAM@earthling.net> wrote:
> What the software firewall brings to the table is the ability to limit
> outgoing connects to specific PROGRAMS.


But this does not help at all.

> This is not something the hardware
> firewall can provide.


Yes.

> I did not mean to imply that the software firewall should be used instead of
> a hardware firewall. The hardware firewall is a LOT more important than the
> software firewall.


I cannot see that, too. Why do you think, this should be true?

Yours,
VB.
--
MAC-Filtering bringt so viel Schutz vor "Hackern" wie Zeitungspapier vor
einer Atombome. (MAC filtering is protecting against "hackers" like newsprint
is protecting against a nuclear bomb)
- Christian Forler in de.comp.security.misc

#11
09-30-2005, 06:42 PM
Todd H.
Re: Why do I need a software firewall?

Volker Birk <bumens@dingens.org> writes:

> Todd H. <comphelp@toddh.net> wrote:
> > Leythos <void@nowhere.lan> writes:
> > > You are off base again VB.

> > VB appears to be a troll. Or someone holding an extremely minority
> > view in security.

>
> Or an unusual view, but which is based on fact.
>
> So I'm waiting for your arguments. Because you're assuming, that I'm maybe
> a troll, I'm assuming, you have very good arguments why I should be wrong.


You're assuming that such a discussion trips my cost/benefit
threshold and might actually be productive.

> I'm waiting on your point of view.


Enjoy!

--
Todd H.
http://www.toddh.net/

#12
09-30-2005, 07:14 PM
Volker Birk
Re: Why do I need a software firewall?

Todd H. <comphelp@toddh.net> wrote:
> > So I'm waiting for your arguments. Because you're assuming, that I'm maybe
> > a troll, I'm assuming, you have very good arguments why I should be wrong.

> You're assuming that such a discussion trips my cost/benefit
> threshold and might actually be productive.


If you don't offer arguments, then I'm assuming, that maybe you don't
have any.

> > I'm waiting on your point of view.

> Enjoy!


I do, thank you!

Yours,
VB.
--
MAC-Filtering bringt so viel Schutz vor "Hackern" wie Zeitungspapier vor
einer Atombome. (MAC filtering is protecting against "hackers" like newsprint
is protecting against a nuclear bomb)
- Christian Forler in de.comp.security.misc

#13
09-30-2005, 07:47 PM
Volker Birk
Re: Why do I need a software firewall?

Leythos <void@nowhere.lan> wrote:
> > > VB appears to be a troll. Or someone holding an extremely minority
> > > view in security.

> > Or an unusual view, but which is based on fact.

> VB, your statements in this thread are mostly wrong. When considering a
> PFW there are reasons to have them


OK, "Leythos", I will move you out of my killfile again. New game.

> When considering a PFW there are reasons to have them


Please explain, what reasons you mean exactly.

> and in the right hands/solution they
> are very effective.


We both know, that the target of "Personal Firewalls" are home users,
which usually know nothing about computer technology. Do we agree here?

If you don't want to talk about this group of people, please explain,
whom do you mean with "in the right hands/solution".

> At the same time, everyone should have a barrier
> device which protects their network resources even when not employing a
> PFW.


Yes. Here we agree. Everybody, who is offering servers in the network,
should stop that or filter them i.e. with the Windows-Firewall.

Yours,
VB.
--
MAC-Filtering bringt so viel Schutz vor "Hackern" wie Zeitungspapier vor
einer Atombome. (MAC filtering is protecting against "hackers" like newsprint
is protecting against a nuclear bomb)
- Christian Forler in de.comp.security.misc

#14
09-30-2005, 07:49 PM
Todd H.
Re: Why do I need a software firewall?

Volker Birk <bumens@dingens.org> writes:

> Todd H. <comphelp@toddh.net> wrote:
> > > So I'm waiting for your arguments. Because you're assuming, that I'm maybe
> > > a troll, I'm assuming, you have very good arguments why I should be wrong.

> > You're assuming that such a discussion trips my cost/benefit
> > threshold and might actually be productive.

>
> If you don't offer arguments, then I'm assuming, that maybe you don't
> have any.


I'm convinced...you really ARE a troll. LOL.

If anyone needs convincing on how software based and hardware based
firewalls complement each other to provide better protection than
either one tool alone, I'm not sure I can help them.

--
Todd H.
http://www.toddh.net/

#15
09-30-2005, 07:52 PM
Volker Birk
Re: Why do I need a software firewall?

Todd H. <comphelp@toddh.net> wrote:
> Volker Birk <bumens@dingens.org> writes:
> > Todd H. <comphelp@toddh.net> wrote:
> > > > So I'm waiting for your arguments. Because you're assuming, that I'm maybe
> > > > a troll, I'm assuming, you have very good arguments why I should be wrong.
> > > You're assuming that such a discussion trips my cost/benefit
> > > threshold and might actually be productive.

> > If you don't offer arguments, then I'm assuming, that maybe you don't
> > have any.

> I'm convinced...you really ARE a troll. LOL.


Who is offending people without any arguments, is losing the discussion.

> If anyone needs convincing on how software based and hardware based
> firewalls complement each other to provide better protection than
> either one tool alone, I'm not sure I can help them.


I'm sure, you cannot help, too.

Yours,
VB.
--
MAC-Filtering bringt so viel Schutz vor "Hackern" wie Zeitungspapier vor
einer Atombome. (MAC filtering is protecting against "hackers" like newsprint
is protecting against a nuclear bomb)
- Christian Forler in de.comp.security.misc

#16
09-30-2005, 08:02 PM
Volker Birk
Re: Why do I need a software firewall?

Leythos <void@nowhere.lan> wrote:
> In article <433ce24d@news.uni-ulm.de>, bumens@dingens.org says...
> > Todd H. <comphelp@toddh.net> wrote:
> > > om.newsgroup@gmail.com writes:
> > > > It was my understanding that a router gave a hardware firewall which
> > > > was a million times better than a software one and gave you more
> > > > protection.
> > > From external, network-based attacks this is true.

> > No.

> VB, most times I don't respect your opinions, and this is another one of
> them. A barrier appliance is always a better option than a personal
> firewall application running on a PC that is also used by the person
> seeking protection when they are also able to manage that personal
> firewall solution.


If you want to, I can explain, why I'm right, until any technical detail
you want to.

Can you explain your position in a technical way, too? I'm waiting for
your arguments, I'm really looking forward to them.

> If you look at the overwhelming majority of PFW solution users, they are
> mostly the ignorant masses or the ones that don't want to spend $50 to
> protect their network/system. They are also the ones that don't fully
> understand their network, security, or the alerts that pop-up from the
> PFW - and they are also the ones running as a local admin.


Yes, this is true.

> > > A software firewall can add something your network level firewall
> > > cannot. It can interactively prompt you when new unknown programs on
> > > your PC try to make outbound connections.

> > This is counterproductive.

> No, it's not counter productive, it's much like IDS for outbound.


It's counterproductive because your paragraph before last is true.

If a "Personal Firewall" is used as an IDS from people who know what
to do with it, usually they're only useless, because many of them are
so badly implemented. I learned here in this discussion, for example,
that i.e. Sygate can be used as Port Monitor very well. Of course,
this has nothing to do with security, and Sybase is even counterproductive
as a security tool compared with the Windows-Firewall, but it seems
to be a good Port Monitor, hearing what people say here.

Maybe, an host-based IDS could work, why not? But most people already
have some, which work very well: Virus Scanners. They don't need any
"Personal Firewall" for that case.

> > > Hardware devices are relatively non-complex and
> > > are easier to secure, unlike a multipurpose computer.

> > This is just nonsense.

> It's nonsense to think that a PFW will protect a user that is not fully
> aware of how to use/operate it, aware of security threats and the OS in
> general, and it's nonsense to think that a simple NAT device - which
> requires no configuration for Cable connections is not simple to install
> and gain protection from. Even if you have to set one up for DSL, it's
> still designed to be installed by a kid and be up and running in
> minutes.


Yes, and your point being? I claimed that hardware devices in general are
_not_ non-complex.

Yours,
VB.
--
MAC-Filtering bringt so viel Schutz vor "Hackern" wie Zeitungspapier vor
einer Atombome. (MAC filtering is protecting against "hackers" like newsprint
is protecting against a nuclear bomb)
- Christian Forler in de.comp.security.misc

#17
09-30-2005, 08:07 PM
Volker Birk
Re: Why do I need a software firewall?

Leythos <void@nowhere.lan> wrote:
> In article <433d70bc@news.uni-ulm.de>, bumens@dingens.org says...
> > > I did not mean to imply that the software firewall should be used instead of
> > > a hardware firewall. The hardware firewall is a LOT more important than the
> > > software firewall.

> > I cannot see that, too. Why do you think, this should be true?

> The appliance blocks in/out when your PFW fails or is improperly
> configured, it's easy to maintain, which is not true of most PFW's.


Please explain, why an appliance for an home user is more important
than the Windows-Firewall. The Windows-Firewall is a software firewall
without any doubt, isn't it? And to configure it, the user has to do
_nothing_.

And it does not allow to attack the user out of the network with
network worms or by manual attacks against servers, right? So no
appliance is needed for any home user, who is using a single PC.

I agree with you, as you know already, that an appliance is a very
good idea for users with LANs.

I don't claim, that "Personal Firewalls" are making sense at all,
as you know.

Yours,
VB.
--
MAC-Filtering bringt so viel Schutz vor "Hackern" wie Zeitungspapier vor
einer Atombome. (MAC filtering is protecting against "hackers" like newsprint
is protecting against a nuclear bomb)
- Christian Forler in de.comp.security.misc

#18
09-30-2005, 08:40 PM
Volker Birk
Re: Why do I need a software firewall?

Todd H. <comphelp@toddh.net> wrote:
> Volker Birk <bumens@dingens.org> writes:
> > Todd H. <comphelp@toddh.net> wrote:
> > > > So I'm waiting for your arguments. Because you're assuming, that I'm maybe
> > > > a troll, I'm assuming, you have very good arguments why I should be wrong.
> > > You're assuming that such a discussion trips my cost/benefit
> > > threshold and might actually be productive.

> > If you don't offer arguments, then I'm assuming, that maybe you don't
> > have any.

> I'm convinced...you really ARE a troll. LOL.


Who is offending people without any arguments, is losing the discussion.

> If anyone needs convincing on how software based and hardware based
> firewalls complement each other to provide better protection than
> either one tool alone, I'm not sure I can help them.


I'm sure, you cannot help, too.

Yours,
VB.
--
MAC-Filtering bringt so viel Schutz vor "Hackern" wie Zeitungspapier vor
einer Atombome. (MAC filtering is protecting against "hackers" like newsprint
is protecting against a nuclear bomb)
- Christian Forler in de.comp.security.misc

#19
09-30-2005, 08:47 PM
Volker Birk
Re: Why do I need a software firewall?

Leythos <void@nowhere.lan> wrote:
> > > When considering a PFW there are reasons to have them

> > Please explain, what reasons you mean exactly.

> Consider, outside of your limited scope/experience that you are using a
> laptop and go to a friends/clients and connect to their network - at
> that time you need to have a PFW running on your laptop in order to
> protect you from anything malicious on their networks - same is true
> when you visit a hot-spot or a hotel connection when away from the
> office/home.


Why not using Windows-Firewall or ICF or even www.dingens.org then?
Why not them, but a "Personal Firewall"?

> There are also times when you want to have a PFW telling you about
> actions of applications on your machine, not just ones it wants to
> block, but you might also want to know what applications are servicing
> connections - as I do when I'm testing systems.


Yes. For non-security reasons, we agree. Of course, you could use
TCPView or TDIMon also, but you could use i.e. Sygate, too, as I stated
already.

> Then there is the typical home user, they have a PC, internet access,
> but no router/NAT and have been compromised in the past - so the
> computer shop installed ZA on their system and they've been running
> clean for many moons now (I have personal experience in this area where
> ZA saved many residential users that were on dial-up and also using DSL
> or Cable connections).


Why not using Windows-Firewall or ICF or even www.dingens.org then?
Why not them, but a "Personal Firewall"?

> > If you don't want to talk about this group of people, please explain,
> > whom do you mean with "in the right hands/solution".

> I have been talking about the typical home users - they DO benefit from
> a PFW, but they don't benefit from ALL PFW products, some of them are
> just too complicated for home users and they misconfigure them.


What advantages has a "Personal Firewall" for a home user compared with
the Windows-Firewall in your opinion?

> > Yes. Here we agree. Everybody, who is offering servers in the network,
> > should stop that or filter them i.e. with the Windows-Firewall.

> NO, everyone that is offering servers in the network does NOT need to
> stop offering them.


Sorry, I was too imprecise - everyone, who is offering servers but doesn't
want to do that (or even does not know, that she/he is doing that).

> If they want them to be private (LAN only) they only
> need to implement the barrier device and the public can't reach them,
> which makes maintenance a lot easier.


Yes, for LANs we agree, too, as I stated already. A filtering device
before the gateway into the Internet is a very good idea.

> Windows PFW is a joke, it's a PITA and not worth the code it was written
> with.


Please explain, why you're thinking so. The Windows-Firewall is just
a configuration tool for the packet filtering implementation of the
Windows kernel. Why do you think, this is a bad idea?

> We disable it in every instance (at the service) on every machine
> we come across.


Why?

Yours,
VB.
--
MAC-Filtering bringt so viel Schutz vor "Hackern" wie Zeitungspapier vor
einer Atombome. (MAC filtering is protecting against "hackers" like newsprint
is protecting against a nuclear bomb)
- Christian Forler in de.comp.security.misc

#20
09-30-2005, 08:48 PM
Volker Birk
Re: Why do I need a software firewall?

Leythos <void@nowhere.lan> wrote:
> In article <433d99cd@news.uni-ulm.de>, bumens@dingens.org says...
> > > > > Hardware devices are relatively non-complex and
> > > > > are easier to secure, unlike a multipurpose computer.
> > > > This is just nonsense.
> > > It's nonsense to think that a PFW will protect a user that is not fully
> > > aware of how to use/operate it, aware of security threats and the OS in
> > > general, and it's nonsense to think that a simple NAT device - which
> > > requires no configuration for Cable connections is not simple to install
> > > and gain protection from. Even if you have to set one up for DSL, it's
> > > still designed to be installed by a kid and be up and running in
> > > minutes.

> > Yes, and your point being? I claimed that hardware devices in general are
> > _not_ non-complex.

> No, you said it was nonsense.


Yes, I said, that "Hardware devices are relatively non-complex and
are easier to secure, unlike a multipurpose computer" is nonsense,
because I know that in general hardware devices are _not_ non-complex.

Please read the above text again. I changed nothing.

Yours,
VB.
--
MAC-Filtering bringt so viel Schutz vor "Hackern" wie Zeitungspapier vor
einer Atombome. (MAC filtering is protecting against "hackers" like newsprint
is protecting against a nuclear bomb)
- Christian Forler in de.comp.security.misc

#21
09-30-2005, 08:56 PM
Volker Birk
Re: Why do I need a software firewall?

Leythos <void@nowhere.lan> wrote:
> > Please explain, why an appliance for an home user is more important

^^^^^^^^^
> > than the Windows-Firewall. The Windows-Firewall is a software firewall
> > without any doubt, isn't it? And to configure it, the user has to do
> > _nothing_.

> The Windows firewall does not protect the Network, it only protects a
> single computer, only blocking inbound for the ports it was set to
> block, if properly setup.


We're talking about a home user here. Usually, the typical home user
has no LAN. If she/he has one, we both agree, that she/he should use
an appliance.

The Windows-Firewall is properly configured in Windows XP SP2 as default.

> Since the user is almost always running as an
> administrator there is a serious exposure there to compromise the
> firewall.


Good point. Of course, no user should work as administrator. It's
catastrophic, that Microsoft determines so many users to work as
administrator because of the disastrous misconfiguration, which is
default for many Windows products.

> The Windows firewall has not been certified, it's only a port
> blocker.


It works without problems. Just test it out.

> > And it does not allow to attack the user out of the network with
> > network worms or by manual attacks against servers, right? So no
> > appliance is needed for any home user, who is using a single PC.

> Wrong, the appliance is most important if the user has a single node or
> multiple nodes - it's blocking the connections BEFORE they reach the
> node. That means when the user misconfigured their PFW they don't have
> near the exposure since the NAT box is blocking most of what is coming
> at them.


And why not using the Windows-Firewall, if one has Windows XP?
It's properly configured by default.

If malware is already running on a box, then it's too late. Also an
appliance will not secure this box any more.

> You claim the Windows SP2 firewall is all that's needed - which is a
> sign that you don't have experience in the wild with users/compromised
> machines.


I'm claiming that for single hosts only. Beside that, you're wrong. I have
23 years of experience now with computers, 21 years of them with users.

And many, many incidents of compromised machines. Usually, before I come
the very first time ;-)

Yours,
VB.
--
MAC-Filtering bringt so viel Schutz vor "Hackern" wie Zeitungspapier vor
einer Atombome. (MAC filtering is protecting against "hackers" like newsprint
is protecting against a nuclear bomb)
- Christian Forler in de.comp.security.misc

#22
09-30-2005, 09:09 PM
Todd H.
Re: Why do I need a software firewall?

Volker Birk <bumens@dingens.org> writes:
> Leythos <void@nowhere.lan> wrote:
> > In article <433d99cd@news.uni-ulm.de>, bumens@dingens.org says...
> > > > > > Hardware devices are relatively non-complex and
> > > > > > are easier to secure, unlike a multipurpose computer.
> > > > > This is just nonsense.
> > > > It's nonsense to think that a PFW will protect a user that is not fully
> > > > aware of how to use/operate it, aware of security threats and the OS in
> > > > general, and it's nonsense to think that a simple NAT device - which
> > > > requires no configuration for Cable connections is not simple to install
> > > > and gain protection from. Even if you have to set one up for DSL, it's
> > > > still designed to be installed by a kid and be up and running in
> > > > minutes.
> > > Yes, and your point being? I claimed that hardware devices in general are
> > > _not_ non-complex.

> > No, you said it was nonsense.

>
> Yes, I said, that "Hardware devices are relatively non-complex and
> are easier to secure, unlike a multipurpose computer" is nonsense,
> because I know that in general hardware devices are _not_ non-complex.
>
> Please read the above text again. I changed nothing.


Someone needs to figure out how to attribute quotes. Those are my
words the Great Volker has declared nonsense.

When I wrote "relatively non-complex" that was intended to imply
"versus a general purpose computer." This is hardly a contentious
statement.

If you feel that is nonsense, Volker, do you really feel a full Linux
distro or a Windows box running a general purpose microprocessor is
equally simple for a user to secure versus something like an embedded
or ASIC based box like a Linksys BEFSR41 or SMC Barricade, both of
which by default have no WAN-side ports listening save for perhaps
ident?

Or are you trying to make a debate out of the relatively obvious point
that "even though hardware appliances are less complex than a general
purpose computer (with its general purpose OS, peripherals and myriad
of listening services, hard disk), those little hardware firewalls are
still complex and intricate....versus something like my toaster."


--
Todd H.
http://www.toddh.net/

#23
09-30-2005, 09:26 PM
Ari Silversteinn
Re: Why do I need a software firewall?

On 29 Sep 2005 16:44:45 -0700, om.newsgroup@gmail.com wrote:

> I have the free version of Kerio running.


What version, so do I.
--
Drop the alphabet for email

#24
09-30-2005, 10:02 PM
E.
Re: Why do I need a software firewall?

Volker Birk wrote:

> Maybe, an host-based IDS could work, why not? But most people already
> have some, which work very well: Virus Scanners. They don't need any
> "Personal Firewall" for that case.


PFW's are basically crap for end users. In order to configure one
properly you need to know what communications, on what port, from what
application and to where should be allowed. End users do not have this
knowledge. End users see something popup on screen, so they click to get
rid of it. "Allow sirc32.exe (the sircam virus) access to the internet
Y/N?"

The purpose of PFW's is this....

- to scare the user with meaningless alerts and make them paranoid
enough to buy the next version.
- to hog most of the system resources and make their machines run like crap.
- to give them yet more popup ?'s to ignore
- to break applications whenever the software is updated
- to give a false sense of security
- to provide a visible notification that it's all gone pear-shaped as
the PFW crashes and exits due to an infection which targets PFW's.
- to interfere with printer daemons (such as Canon or lexmark) and keep
them pesky haxors out of your print spooler by stopping the printer from
working <s******>
- to stop your local network from working
- to make sure you pay regular bills to support technicians who have to
come and fix the mess the PFW made, then come back again to re-fix it
after you ran an update, which stopped everything working. Again.
- to secure your machine by making it so slow and unusable that you
don't bother actually using it.
- to prove there's a sucker born every minute

Tho it's not all bad. In some instances, such as dialup, direct DSL
connections a small, lightweight filter such as XP's FW or ZA is
mandatory to stop inbound worms.


> Yes, and your point being? I claimed that hardware devices in general are
> _not_ non-complex.
>
> Yours,
> VB.


From an end user perspective, hardware devices are non-complex. They
plug them in, make sure the lights come on, stick in the CD and run the
setup wizard. An end user can configure a nat router correctly, but has
basically no chance with PFW's.

Light and tight PFW's such as Outpost, XP's one and ZA are useful *if
you have a clue* what you really want it to do. NIS, McAfee and Trend
are bloated crap. I do not know anyone with a clue that would allow one
of the latter products on their machines.

And none of them (personal security suites) do bugger-all in terms of
malware protection, despite claiming to.
E

  #25 (permalink)  
Old 10-01-2005, 07:58 AM
Volker Birk
Guest
 
Posts: n/a
Default Re: Why do I need a software firewall?

Todd H. <comphelp@toddh.net> wrote:
> When I wrote "relatively non-complex" that was intended to imply
> "versus a general purpose computer." This is hardly a contentious
> statement.


May I recite the context again, in which you wrote that? This is from
your posting to the OP:

| > It was my understanding that a router gave a hardware firewall which
| > was a million times better than a software one and gave you more
| > protection.
| From external, network-based attacks this is true.

This is just NOT true. If a PC is not offering any servers to the
Internet (and we're talking about home users here), and the IP-Stack has
no bugs in implementing Layer 2-4, then it is secure against any network-
based attacks. It's not possible for a "hardware firewall" to make it
more secure than secure against network-based attacks.

Usually, it is very easy to stop any servers on your Windows box - just
use Torsten's script on ntsvcfg.de or use www.dingens.org.

Or use Windows XP SP2 with actual patches in the default configuration;
it is NOT vulnerable to any network based attack because the Windows-
Firewall is switched on by default. A hardware device will not make it
more secure than secure against network-based attacks.

| > In that case, why have a hardware firewall?
| Because if your software firewall goes down (which it can), then
| you're unprotected.

Yes, and if you switch off the "hardware firewall" and plug in your PC
into the net directly (which you can), then you're unprotected.

This is just nonsense. Why should one do that? Why should the user make
the "software firewall" "go down"?

| Hardware devices are relatively non-complex and
| are easier to secure, unlike a multipurpose computer.

This is not true in this context, as I stated above.

> If you feel that is nonsense, Volker, do you really feel a full Linux
> distro or a Windows box running a general purpose microprocessor is
> equally simple for a user to secure versus something like an embedded
> or ASIC based box like a Linksys BEFSR41 or SMC Barricade, both of
> which by default have no WAN-side ports listening save for perhaps
> ident?


For a user, it is only possible to secure a device, if he can click
onto a button, and the device then is secure against a specific attack
vector. What is behind this button, how complex it is, does not matter
at all.

This is all, a usual home user can do, because she/he has no knowledge
at all about what's goin'on technically.

So securing a simple Windows box against network attacks is as simple as
clicking on "Single Computer" and pressing "OK" on www.dingens.org.

It is as simple as buying a Macintosh and not having such problems at all.

It is as simple as having Windows XP SP2 on the computer in the default
configuration.

BTW: because I'm developing embedded systems myself occupationally, I can
tell you, that many of those devices are not non-complex at all. But this
has nothing to do with users' view, of course.

And:

Quite contrary to what you're saying, the usual SOHO router device is
difficult to secure for a home user. This is, because NAT is not designed
as a security technology. To make such a router secure, you have to
configure it for filtering, too. Especially, you have to filter out any
packet, which seems to come from inside, but arrives at the outside network
interface. And even more, many stateful inspection implementations i.e.
for FTP are very unsecure.

Of course, I'm not talking about securing the filtering device itself,
but the devices, which it should protect here. I'm doing this, because
we're discussing in that context.

Yours,
VB.
--
MAC-Filtering bringt so viel Schutz vor "Hackern" wie Zeitungspapier vor
einer Atombome. (MAC filtering is protecting against "hackers" like newsprint
is protecting against a nuclear bomb)
- Christian Forler in de.comp.security.misc
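
The filtering rule described in the post above (discard any packet that claims an inside source but arrives on the outside interface), sketched as an added example that is not part of the original thread. The LAN prefix, WAN address and sample packets are constructed assumptions, and the extra invalid-source checks go slightly beyond the single case named in the post.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values for illustration (assumptions, not from the thread).
LAN_NET = ipaddress.ip_network("192.168.2.0/24")   # inside prefix
WAN_ADDR = ipaddress.ip_address("203.0.113.10")    # router's outside address

@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrived on: "wan" or "lan"
    src: str
    dst: str

def ingress_verdict(pkt):
    """Return (action, reason) for the source-address sanity check only.

    "continue" means the packet goes on to the stateful rules; it is not
    an accept by itself. A real filter would also exempt DHCP requests
    sent from 0.0.0.0 on the inside interface.
    """
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "wan":
        if src in LAN_NET:
            return ("drop", "inside source on outside interface")
        if src == WAN_ADDR:
            return ("drop", "router's own address as source")
        if src.is_loopback or src.is_unspecified or src.is_multicast:
            return ("drop", "source can never be valid on the wire")
        return ("continue", "plausible outside source")
    if pkt.iface == "lan":
        if src not in LAN_NET:
            return ("drop", "non-LAN source on inside interface")
        return ("continue", "plausible inside source")
    return ("drop", "unknown interface")

# Constructed sample traffic.
SAMPLE = [
    Packet("wan", "198.51.100.7", "203.0.113.10"),
    Packet("wan", "192.168.2.50", "203.0.113.10"),
    Packet("wan", "127.0.0.1", "203.0.113.10"),
    Packet("lan", "192.168.2.50", "198.51.100.7"),
    Packet("lan", "10.9.9.9", "198.51.100.7"),
]

def dropped(packets):
    """Return the packets the ingress check would discard, with reasons."""
    out = []
    for p in packets:
        action, reason = ingress_verdict(p)
        if action == "drop":
            out.append((p, reason))
    return out

if __name__ == "__main__":
    for p, reason in dropped(SAMPLE):
        print(f"{p.iface:3} {p.src:15} -> {p.dst:15} drop: {reason}")
```
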

  #26 (permalink)  
Old 10-01-2005, 09:14 AM
Volker Birk
Guest
 
Posts: n/a
Default Re: Why do I need a software firewall?

E. <bellyup@the.bar> wrote:
> An end user can configure a nat router correctly


Unfortunately, you're not right in this point for most routers I saw.

They're needing extra filtering configuration, and most of them don't
support this in the default configuration, so the user has to configure
and to know, what she/he is doing. :-/

Yours,
VB.
--
MAC-Filtering bringt so viel Schutz vor "Hackern" wie Zeitungspapier vor
einer Atombome. (MAC filtering is protecting against "hackers" like newsprint
is protecting against a nuclear bomb)
- Christian Forler in de.comp.security.misc

  #27 (permalink)  
Old 10-01-2005, 09:20 AM
Volker Birk
Guest
 
Posts: n/a
Default Re: Why do I need a software firewall?

Leythos <void@nowhere.lan> wrote:
> And I have been paid for computer expertise since the mid 70's, and have
> NO compromised computers/nodes in our history.


If you're telling the truth from your point of view, I'm sure, that you
just didn't realize, what was going on.

I don't believe, that a person, who is working in our industry, can avoid
to face one single compromised system. Even if you're doing everything
perfect all the time (and I don't believe, that persons may exist, who are
doing no mistakes or errors at all), then you'll see compromised systems
as a result of PEBKAC and social engineering.

Yours,
VB.
--
MAC-Filtering bringt so viel Schutz vor "Hackern" wie Zeitungspapier vor
einer Atombome. (MAC filtering is protecting against "hackers" like newsprint
is protecting against a nuclear bomb)
- Christian Forler in de.comp.security.misc

  #28 (permalink)  
Old 10-01-2005, 09:21 AM
Volker Birk
Guest
 
Posts: n/a
Default Re: Why do I need a software firewall?

Leythos <void@nowhere.lan> wrote:
> So, I'll stick with what
> I'm sure of, and I'm sure that SP2 firewall is not something I will
> trust.


May I ask you to offer _one_ _single_ technical argument for this point
of view now at last?

Yours,
VB.
--
MAC-Filtering bringt so viel Schutz vor "Hackern" wie Zeitungspapier vor
einer Atombome. (MAC filtering is protecting against "hackers" like newsprint
is protecting against a nuclear bomb)
- Christian Forler in de.comp.security.misc

  #29 (permalink)  
Old 10-01-2005, 01:10 PM
Todd H.
Guest
 
Posts: n/a
Default Re: Why do I need a software firewall?

Volker Birk <bumens@dingens.org> writes:
> Todd H. <comphelp@toddh.net> wrote:
> > When I wrote "relatively non-complex" that was intended to imply
> > "versus a general purpose computer." This is hardly a contentious
> > statement.

>
> May I recite the context again, in which you wrote that? This is from
> your posting to the OP:
>
> | > It was my understanding that a router gave a hardware firewall which
> | > was a million times better than a software one and gave you more
> | > protection.
> | From external, network-based attacks this is true.
>
> This is just NOT true. If a PC is not offering any servers to the
> Internet (and we're talking about home users here), and the IP-Stack has
> no bugs in implementing Layer 2-4, then it is secure against any network-
> based attacks. It's not possible for a "hardware firewall" to make it
> more secure than secure against network-based attacks.


Okay, I see the nit you're picking. I'll agree that if nothing is
responding at a given instance it doesn't matter whether it's a
hardware device or software firewall swallowing up the packets, so one
is no better than the other.... at that instant.

So, I agree that spending time with host based configuration on every
device in the home can achieve the same security posture at a given
instant, but what your arguments are ignoring is the value of defense
in depth.

But...the difference is in terms of the likelihood of "what if the
software firewall crashes, is disabled by nefarious software run on the
machine, or (the most likely case) is disabled by the user at the
direction of every tom dick and harry level 1 support technician that
wants to fire a shotgun in the dark trying to debug some mysterious
problem?"

> Usually, it is very easy to stop any servers on your Windows box - just
> use Torsten's script on ntsvcfg.de or use www.dingens.org.


You vastly overestimate the average user's patience for this sort of
configuration. This requires user intervention and is simply something
folks won't do, and can manage to screw up.

Just because it's possible to implement host based security doesn't
mean it's the best general recommendation because a vast majority of
the computer using population is not interested enough in actually
performing configuration beyond plugging it in.

> Or use Windows XP SP2 with actual patches in the default
> configuration; it is NOT vulnerable to any network based attack
> because the Windows- Firewall is switched on by default. A hardware
> device will not make it more secure than secure against
> network-based attacks.


True... but... what percentage of general users are using Windows XP
SP2? Not all--still lots of prior stuff running around out there.
Second, it will only be true until that support technician at the
cable modem company is trying to help the user with a connection
problem and then very early in the process has them turn off windows
firewall.

> | > In that case, why have a hardware firewall?
> | Because if your software firewall goes down (which it can), then
> | you're unprotected.
>
> Yes, and if you switch off the "hardware firewall" and plug in your
> PC into the net directly (which you can), then you're unprotected.


I think you might agree that it's a lot easier/more likely for a user
to make 2 clicks to disable windows firewall (at the direction of a
tech support monkey), or for malware to disable it than it is for a
user to get back behind their PC and recable things.

> This is just nonsense. Why should one do that? Why should the user
> make the "software firewall" "go down"?


Nonsense? Ever observed a typical user on the phone with a tech
support agent for even the simplest networking problem? One of the
first things the support technician has them do is disable any
software firewalls to eliminate the possibility that they're
interfering.

> It is as simple as buying a Macintosh and not having such problems
> at all.


I agree with this as well.

> It is as simple as having Windows XP SP2 on the computer in the default
> configuration.


If they have it. And only until they call for tech support or
tomorrow's Windows exploit turns off the firewall as one of its first
steps.

> Quite contrary to what you're saying, the usual SOHO router device is
> difficult to secure for a home user. This is, because NAT is not designed
> as a security technology.


The world is well aware that NAT doesn't provide security in and of
itself... but here's the newsflash: most of the devices if not all
also include SPI firewalls enabled by default in addition to the
obscuring of NAT. And nearly all require no configuration at all.
You plug the thing in and every machine behind it becomes a lot less
vulnerable to network based attacks. For a whopping $60.



> To make such a router secure, you have to configure it for
> filtering, too. Especially, you have to filter out any packet,
> which seems to come from inside, but arrives at the outside network
> interface. And even more, many stateful inspection implementations
> i.e. for FTP are very unsecure.


How many of the general users I'm talking about here are running ftp
servers at home?


--
Todd H.
http://www.toddh.net/

  #30 (permalink)  
Old 10-01-2005, 07:04 PM
E.
Guest
 
Posts: n/a
Default Re: Why do I need a software firewall?

Todd H. wrote:


> How many of the general users I'm talking about here are running ftp
> servers at home?


Just the ones that have been /usr/bin/t@gged
E.
