Re: Potential Outpost Conflicts?

From: James Taylor (james_n_taylor@yahoo.com)
Date: 01/17/03

    Date: Thu, 16 Jan 2003 16:15:19 -0800 (PST)
    From: James Taylor <james_n_taylor@yahoo.com>
    To: security-basics@securityfocus.com

    Hello Colin,

    Forgive me, but I'm not too sure why you want to run either
    2 firewalls or 2 anti-virus engines on the same machine for
    that matter. I think that there may be too much of a focus
    on the technology/paranoia and less on the cost/time of
    administration, doubling the number of possible application
    vulnerabilities and causing undue processing. Having double
    the precautions does not give you double the protection.
    I'm fairly sure that, although viruses are in the
    frontline, most computer problems still come from genuine
    bugs in code. Do you patch as often as you download
    updates?

    2 A/V's - OK - on separate machines in a network, i.e. the
    SMTP mail based AV from one company, and the client &
    server based A/V from another - if your budget can stretch
    to that. Each has a chance to examine the files - so one
    vendor may pick up 99% of all viruses and another 99.3% (in
    tests according to blah blah PC mag), and they both release
    updates regularly, or as soon as a major virus/worm is
    released. But on the same machine, no, surely this would
    create undue overhead whilst each engine examines the
    files/attachments, but, yes, there is less chance of a
    problem as they are examining files as a single entity, and
    a slightly higher chance of one finding a virus that the
    other will miss. I would use one, from a leading vendor,
    and update regularly (home machine no more than once a
    week, in a business env, once a day).

    2 Firewalls - this is different because you are dealing
    with a stream of TCP/IP packets that must be handled in a
    stream, it cannot be split and passed onto the application
    twice. The firewall is taking the packets off the wire from
    x.x.x.x location on the Internet, checking what
    service/application protocol they are (e.g.
    HTTP/FTP/SMTP/POP/TELNET), if it matches the filter/policy,
    will then pass that onto the respective 'allowed'
    application. On outgoing requests, the TCP port and
    application will have to be permitted, so the firewall will
    keep state, manage the communication from your machine,
    through it, to the external destination, and manage the
    return packets, ensuring they are delivered back to the
    same application. The firewall will most likely be acting
    as an application 'inspecting' proxy firewall, masking your
    internal network/machine/application/services, and possibly
    NAT'ing in a network environment - i.e. masking the real IP
    address, and setting up a proxy on separate IP and, for
    want of a better word, 'service' ports i.e. Above 1024.
    Normally these service ports are assigned randomly, so with
    2 firewalls on the same machine, one stream would come in,
    be split (if it actually worked), assigned a random source
    port and passed to the 'allowed' application. Would the
    application receive 2 streams, or how would it handle it? I
    have no idea, but I'm sure it would not be expecting it,
    and that would most likely cause trouble. Let's say one
    firewall allows HTTP, and the other does not. What will
    happen when a HTTP TCP packet arrives at your machine? Will
    one allow and one reject? Which one will decide first?

    IMHO, take the time to install one, make sure you only run
    the applications/services you want/know about, and the
    corresponding ports/services, then shut down the rest.
    Learn the firewall inside out – know your policy, and
    google for vulnerabilities for that
    firewall/OS/Applications you run, and make sure your
    machine is patched to the latest release (after testing in
    a non-production environment of course....). I have not
    gone into specific application protocol vulnerabilities
    i.e. HTTP, or TCP/IP Denial of Service/packet issues
    (unlikely that a personal firewall would handle these), but
    that's another story.

    Take Care Out There, and good luck.

    James Taylor not quite a CISSP, MIEE, CNE, ASE.

    --- Colin Rous <crous@sympatico.ca> wrote:
    > G'day, all,
    >
    > I currently run two firewalls (Sygate and Tiny). I wanted to replace one
    > with Outpost to see if Outpost is as good as people tell me it is. Agnitum
    > warns you not to run more than one firewall, so I disconnected from the
    > 'net, shut down both my firewalls and started the Outpost install. The
    > install process noticed the existence of the other non-running firewalls on
    > the system and gave me the following message:
    >
    > "You will most likely have the following problems if you decide to run more
    > than one firewall on your computer:
    >
    > - Blue screen fatal errors, system freezing or sudden system reboots.
    > - All access will be allowed for every application. Nothing will be blocked.
    > - Every application will be blocked and you will be unable to connect to
    >   any web site.
    > - Your computer system will be unable to boot up.
    > - Every other error imaginable!"
    >
    > First, these claimed potential problems strike me as being somewhat
    > over-the-top. Second, I run two AV programs (security in depth, and all
    > that), one of which warns of dire consequences from running more than one
    > AV program. In fact, I have no problems whatsoever; they don't even trip
    > over each other's signature files. Neither do I get any conflicts between
    > my current two firewalls or problems from running two. (I pass all GRC,
    > Sygate and other tests with either or both.)
    >
    > So my question is: Has anyone experimented with running Outpost with
    > another firewall? If so, what was your experience? If not, can anyone think
    > of anything to justify Agnitum's claims? Is this just a problem of
    > Outpost's? (No other firewall I know of issues such a warning.) Or is this
    > just a marketing claim to encourage usage of Outpost and only Outpost? (My
    > OS, BTW, is 98.)
    >
    > Cheers,
    > Colin
    >
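James's reply describes two things a personal firewall does: it keeps state for connections your machine opens so that only the matching return packets are let back in, and it applies an allow/deny policy per port. His closing question (one firewall allows HTTP, the other does not; which one decides first?) is the part worth seeing concretely. The Python below is an added illustration written for this archive page, not code from the list post and not a model of how Sygate, Tiny or Outpost actually hook the Windows stack. It assumes a deliberately simple serial chain (the second filter only sees what the first lets through), a default-deny policy, and constructed addresses; everything named in it (`StatefulFirewall`, `run_single`, `run_stacked`) is hypothetical.

```python
"""Toy stateful packet filter and a two-filter chain (added illustration)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

LOCAL_IP = "192.168.1.10"    # constructed address of the protected machine
WEB_SERVER = "203.0.113.5"   # constructed remote address (TEST-NET-3 range)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# A rule is (direction, destination port or None for "any port", action).
Rule = Tuple[str, Optional[int], str]


class StatefulFirewall:
    """Minimal model: per-port policy plus a table of connections opened from inside."""

    def __init__(self, name: str, rules: List[Rule]) -> None:
        self.name = name
        self.rules = rules
        # Tracked outbound connections as (local port, remote ip, remote port).
        self.state: Set[Tuple[int, str, int]] = set()

    def policy(self, direction: str, dport: int) -> str:
        """First matching rule wins; nothing matching means deny."""
        for rule_dir, rule_port, action in self.rules:
            if rule_dir == direction and rule_port in (None, dport):
                return action
        return "deny"

    def handle(self, pkt: Packet) -> str:
        if pkt.src == LOCAL_IP:                    # outbound packet
            decision = self.policy("out", pkt.dport)
            if decision == "allow":
                # Remember the connection so the reply can come back.
                self.state.add((pkt.sport, pkt.dst, pkt.dport))
            return decision
        # Inbound: a reply to a tracked connection passes without a rule lookup.
        if (pkt.dport, pkt.src, pkt.sport) in self.state:
            return "allow"
        return self.policy("in", pkt.dport)


def run_single() -> List[str]:
    """One firewall: outbound HTTP, its reply, an unsolicited inbound packet, outbound telnet."""
    fw = StatefulFirewall("fw-a", [("out", 80, "allow"), ("out", 443, "allow")])
    out_http = Packet(LOCAL_IP, 49152, WEB_SERVER, 80)
    reply = Packet(WEB_SERVER, 80, LOCAL_IP, 49152)        # matches tracked state
    unsolicited = Packet(WEB_SERVER, 80, LOCAL_IP, 49153)  # no state, no inbound rule
    out_telnet = Packet(LOCAL_IP, 49154, WEB_SERVER, 23)   # no outbound rule for 23
    return [fw.handle(p) for p in (out_http, reply, unsolicited, out_telnet)]


def run_stacked(permissive_first: bool) -> Tuple[str, int, int]:
    """Two filters in series, one allowing HTTP and one not.

    Returns (net decision, state entries in the permissive filter,
    state entries in the strict filter) for a single outbound HTTP packet.
    """
    permissive = StatefulFirewall("permissive", [("out", 80, "allow")])
    strict = StatefulFirewall("strict", [("out", 443, "allow")])
    chain = [permissive, strict] if permissive_first else [strict, permissive]
    pkt = Packet(LOCAL_IP, 49152, WEB_SERVER, 80)
    net = "allow"
    for fw in chain:
        if fw.handle(pkt) == "deny":
            net = "deny"
            break  # assumption: a dropped packet never reaches the next filter
    return net, len(permissive.state), len(strict.state)


if __name__ == "__main__":
    print("single firewall:", run_single())
    print("permissive first:", run_stacked(True))
    print("strict first:   ", run_stacked(False))
```

In the single-firewall run the reply to the tracked connection is allowed while an inbound packet on the same port with no matching state is not, which is the "manage the return packets" behaviour James describes. In the stacked runs the packet is dropped either way, but only when the permissive filter runs first does it record a connection that was never actually established; its state table now disagrees with what left the machine. Under this simple serial assumption the ordering changes the bookkeeping rather than the verdict, which is exactly the kind of unpredictability that makes a single, well-understood policy the easier thing to audit.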
