Re: [fw-wiz] Firewalls Compared
From: Paul D. Robertson (paul_at_compuwar.net)
Date: 06/22/04
- Previous message: Ryan M. Ferris: "Re: [fw-wiz] Firewalls Compared"
- In reply to: Ryan M. Ferris: "Re: [fw-wiz] Firewalls Compared"
- Next in thread: Devdas Bhagat: "Re: [fw-wiz] Firewalls Compared"
- Reply: Devdas Bhagat: "Re: [fw-wiz] Firewalls Compared"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Ryan M. Ferris" <rferris@rmfdevelopment.com> Date: Tue, 22 Jun 2004 12:28:03 -0400 (EDT)
On Tue, 22 Jun 2004, Ryan M. Ferris wrote:
> Good comments on reviewing firewalls...However, at this point I am
> convinced that personal and home network firewalls and desktop anti-viral
> software for Windows are the most critical components of national if not corporate security.
I don't know that they're the "most critical," but they are critical,
hence www.personalfirewallday.org </plug>
> All of the most devastating attacks (worms, viruses, DOS, e-mail
> attachments, terrorist attacks) of the last 2 - 4 years leverage the mass
> of unguarded PCs. Traditional concepts of firewalling networks ultimately
> seemed useless and incomplete to guard against these type of attacks.
While the incidence of worms and DDoS attacks are high, the event costs
often pale in comparison to an insider abuse or critical intrusion.
Frequency of attack with a lower cost will surpass infrequent attacks with
a higher cost in many cases. Still, longer-term, and strategically,
intrusions and infrastructure compromise are much more worrisome than
local desktop disruption. DDoS can be taken care of with end-to-end QoS,
an evil we may eventually have to bite the bullet on, just like voice
networks had to bite the out-of-band signaling bullet.
> I don't know where I would find statistics on how many home or corporate
> broadband networks have hardware firewalls or personal firewalls. If I had to
> guess for home users...I would say less than 10% have hardware firewalls
> and less than 20% employ personal firewalls. Fewer would employ both
> together Most users I know just ride bareback against a cable modem or
Educate those users. Change their behavior. This is a time-local
problem, and with Comcast's recent moves and some prodding, we can make
the time period shrink significantly.
> DSL which is relatively amazing considering that GIAC trained
> professionals now are recommending that home users consider both hardware
> and software firewalls simultaneously. (See something like
> http://www.giac.org/practical/GSEC/Barbara_Kupiec_GSEC.pdf). Considering
> the number of intrusions that I see break throught my hardware firewall
> and get stopped by my personal firewall...I would say this is excellent if
> not underwhelming advice.
Hmm, I don't see anything "break through my hardware firewall," maybe the
issue is security policy? ;)
Here's the rub- in corporations, way less than half of firewalls are
configured to block the attacks that corporate firewalls are perfectly
capable of blocking. Now, let's say that means that ~75% of the people on
this list have their "protect the company, it's your job" stuff
misconfigured, poorly configured, or behind a policy that's way too
lenient- how exactly do we expect those folks' home networks to look?
> Amazingly, even as a professional I find all the application protection
> options of Zone Alarm Plus worth some serious study. I can't imagine most
> home users working their way through the when and how of granting (or not
> granting) generic host process access to an "open process".
> Other personal firewalls I have worked with approach the problem with
> greatly varying interfaces and functionality. Some are really quite
> disastrous to install or work with or just plain uninformative for the
> desk top.
>
> There are a few sites around that offer personal firewall reviews and
> comparisons...but they are cursory in nature. In truth, the personal
> firewall industry is unstandardized and rapidly evolving - a fascinating
> state given the probability that home firewalls with soon eclipse
> corporate firewalls as the most significant component of national computer
> security.
A handful of providers can solve the bulk of the home user attack
"problem" with relative ease, or we can make the users do it machine by
machine- but long-term they're not as much of an issue as corporate
networks are, IMO.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
- Previous message: Ryan M. Ferris: "Re: [fw-wiz] Firewalls Compared"
- In reply to: Ryan M. Ferris: "Re: [fw-wiz] Firewalls Compared"
- Next in thread: Devdas Bhagat: "Re: [fw-wiz] Firewalls Compared"
- Reply: Devdas Bhagat: "Re: [fw-wiz] Firewalls Compared"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
