Gigabyte or Abit or Asus

[Jay T. Blocksom]

Jay T. Blocksom wrote: [snip]

The so-called "software firewall" program itself, for starters -- and
therefore, all of the user space available to that program (which, in the
case of many if not most WinBoxen, is the whole machine).

I'd rather trust a software firewall designed with security in mind,
than the collection of MS services running on my machine.

[snip]

Where did I imply that you should "trust" MS-ware? That is in fact the polar
opposite of my long-standing position. And what does it have to do with the
advisability of a proper outboard ("hardware") firewall or bastion host?

The servers I run are not from MS at all.

[snip]

Good for you. But that's irrelevant to the point under discussion.

So, in addition to the vulnerabilities inherent in that "software
firewall" (cf.: [snip]
etc.), you basically expose ALL of Windows, with its chronic legion of
slowly- or never-patched vulnerabilities (cf. [snip]
DIRECTLY to the 'net.

Too many links, you put me off reading any.

[snip]

Well then, you're denying yourself a lot of useful (perhaps "important")
information. But that's hardly a refutation of my point.

The first were over a year old.

[snip]

This is not a new problem; nor were proper security procedures and principles
invented yesterday.

OK, so things have problems, it's hardly suprising. One of the
links pointed out that users don;t change the password on routers, so
the attacker could do what they like. This is exactly the problem -
many users don't know how to configure things like hardware firewalls
(or indeed software ones). You're not gonna fix that.

[snip]

Yes, in all likelihood, there will always be the "Clueless And Proud Of It"
brigade. And there will therefore always be a swarm of carpetbagger-class
vendors pandering to them (MS being on one hand just the largest and most
visible offender, and on the other hand far more culpable than the rest
because they did so much to create and expand that CAPOI brigade). But that
does not in any way validate the carpetbaggers' claims for their snake oil, or
the decision of the rubes to buy into it.

Understood, but a software fiewall is better than nothing.

[snip]

I never said it wasn't -- tho' I'm strongly tempted to, due in part to the
false sense of security so many users derive from them.

Good enough for most people.

[snip]

"'Better' is the enemy of 'good enough'."

I don't know who first said that, but it applies here to a "T".

First, given all the purely technical problems with "software firewalls", I
disagree that they can *ever* be "good enough". But beyond that, now that
proper ouboard/hardware firewalls are so economically feasible (which was not
the case just a couple of years ago), there's simply no good reason to settle
for "(not really) good enough".

If an attacker gains access to the letter somebody
wrote to their mum, or a school report it's not the end of the world.

[snip]

Oh, puh-leeze! Not that Old Wive's Tale again!

By FAR the biggest "target" is not the user's letters to Mom, school reports,
Brownie recipes, or even their bank records and credit card info (as juicy as
those last two might seem, especially to clueless ad-copy writers cum
"journalists" -- but I digress). *THE* asset overwhelmingly most sought after
(and successfully stolen) by the crackers and malware propagators is the home-
or SOHO- user's PC itself -- or rather, the *use* of that PC along with it's
(usually "consumer broadband") internet connection. This is *why* most of the
worms, viruses, trojans, browser hijackers, etc., spawned over the past two
years or so even exist in the first place: They are specifically designed to
surreptitiously plant software on the target system which will subsequently
allow the abusers to control that system for their own nefarious purposes
(typically spamming, DDoS attacks, and the further propagation of the
malware). We have on our hands *today* a "Zombie Army" of *millions* of
trojaned PCs hung off "cable modem" and DSL lines, spewing spam and other crap
24/7, for *precisely* this reason.

Of course I would not recommend running only a software firewall on a
machine that houses all the accounts systems for a bank.

[snip]

Well, Duh. That sort of system/network isn't even under discussion here; so
your comparison to it is at best a disingenuous straw man argument. (And as a
side note, the security measures routinely taken by any competently
designed/administered banking network make ALL of the things we're discussing
here look like the feeble child's play efforts they are, in the grander scheme
of things. Such networks are designed _from_the_ground_up_ to be secure; and
for the most part they do not even connect to the general internet. In
effect, it's a whole different world from the one we're discussing.)

They don't need to open a socket on a given port?

[snip]

Not directly to the outside world, they don't (think NAT/PAT).

SPI is only the preserve of hardware firewalls?

[snip]

No, but that misses the point. I was simply trying to illustrate that the
"firewall" does not need intimate knowledge of what applications you are
running on your local workstation in order to do its job. (In fact, in at
least some ways it's better off without that "knowledge".)

I want to run a webserver, 2 in fact. So I need ports 80 and 82 to be
accessable to the outside world.

[snip]

Which is not the case for the typical user, who does NOT need to run
public servers.

Think P2P, IM file transfers etc.

[snip]

I'd rather not. <~>

Those apps are *inherently* insecure, often in a very big way.

One of the fundamental precepts of maintaining a secure system is *not* doing
anything unnecessary which foreseeably might compromise security. You do not
*need* P2P or IM to transfer files; hence, they should not be used (at least
not for that purpose).

I thought the idea of a DMZ was to not restrict it?

[snip]

Then, apparently, you thought wrong.

The basic point of a DMZ is to allow *some* services to be provided to the
outside world more-or-less "on demand", while simultaneously not allowing
outside egress to your "protected" network. But the DMZ itself is still
protected to the degree possible, by blocking ALL other access (from the
outside world) to the machine(s) in the DMZ except for that which is
specifically needed for the service(s) being offered. Somewhat greater access
to the DMZ network is permitted from the "protected" network (a.k.a. "green
interface") for administrative purposes. Ideally (tho' not really
necessarily), you would have a separate DMZ (or "orange interface") for each
service provided, with a dedicated server in each of those DMZs to provide
ONLY that one service. So, for example, if you want to provide a web server,
your DMZ interface would allow traffic on port 80, and ONLY port 80, to be
forwarded to the server (which would presumably be at a completely different
IP address via NAT/PAT). Similarly, for a mail server, ONLY ports 25 and 110
(and/or maybe 143) would be let through. In typical practice (at least in
smaller installations), only one DMZ interface is used, and selective
port-forwarding is used to "steer" traffic to the correct server. In all
cases, the protected network is effectively isolated from the DMZ network,
except for the specific "pinholes" established to permit maintenance (and any
connections through these "pinholes" would all need to be initiated from the
protected interface anyway). This is because, while the DMZ network is still
"firewalled" to some (actually, quite a large) degree, it cannot be *as*
isolated as the truly protected private network, and still offer public
services.

If I sit behind a software firewall,

[snip]

But that's just it: You're NOT "behind" that so-called firewall; you're
on it, in it, in front of it, and all around it -- all at the same time.

Whatever.

[snip]

NO!!! *Not* "whatever"! That is the fundamental point that the "software
firewall" advocates keep missing/ignoring.

Of course. And so are you - you seem to think hardware firewalls are
invulnerable.

[snip]

I never said or implied that.

When properly implemented they are by virtue of their nature inherently *less*
vulnerable than so-called "software firewalls" can ever hope to be. But like
all man-made things, they are also by definition imperfect.

Obviously they are not, and neither is software, and
physical isolation is better.

[snip]

I'm glad you see that. But it's not just "physical" isolation. It is
*functional* isolation as well, which is really the larger point.

But for the average user, is it necessary? No.

[snip]

See above regarding Old Wive's Tales. The "average user" is precisely who
most desperately needs all the protection they can get.

The problem is not (so much) what happens when everything works as
intended. The larger problem is what happens when UNintended things
happen. And in the "software firewall" model, virtually any breach is by
definition a catastrophic disaster, simply because so much "other stuff"
instantly becomes available to the attacker.

My machine is exposed to the world, on those 2 ports...

[snip]

Your machine is exposed to the world, period. The limitation to "on
those 2 ports" is only valid in a very limited context.

Such as when the firewall is working? Well the same can be said for a
hardware firewall.

[snip]

No.

For starters, the "hardware" firewall is not running under Windows, as is (at
least typically) the case for a "software" firewall. That alone is a HUGE
difference, and not just because we're talking about Windows specifically
(tho' that certainly *should* be enough to send chills up your spine right
there).

The fact that a "software" firewall is by definition running under a
general-purpose OS, on a host that is also being used for all sorts of other
"stuff", means there are all sorts of other processes and services running
_on_the_firewall_device_. This is just plain BAD NEWS. Before the traffic
can even get to the "firewall", it has to go through multiple layers of that
general-purpose OS, with all those services loaded and running, and with only
the thinnest of tissue-paper shields between ALL of that and the potentially
dangerous traffic. This not only makes for a "bigger" potential disaster; it
also makes that disaster more likely to happen: It only takes one "minor"
vulnerability in that overly complex mess to permit an attacker to "bootstrap"
his way to more and more tools, each in turn making it easier to him to gain
still more access to the machine.

You can't argue that software firewalls are a problem if they break.
Any firewall is a problem if it breaks.

[snip]

Of course I can argue that, as I've just shown above. And I've also shown
that they're a problem because they're *easier* to break -- perhaps even when
no one is trying to break them.

The point is that a software firewall will, under most situations,
provide adequate security with minimal effort for a home user.

Ben

No, not even close to "adequate".

--

Jay T. Blocksom
--------------------------------
Appropriate Technology, Inc.
usenet02[at]appropriate-tech.net

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Unsolicited advertising sent to this domain is expressly prohibited under
47 USC S227 and State Law. Violators are subject to prosecution.