Re: A firewall won't stop this one
From: Colonel Flagg (colonel_flagg_at_NOSOUPFORJ00internetwarzone.org)
Date: 11/03/03
- Next message: -=Be4U=-: "Re: It is not the *IN* thing to do."
- Previous message: Me: "Re: It is not the *IN* thing to do."
- In reply to: Volker Birk: "Re: A firewall won't stop this one"
- Next in thread: Volker Birk: "Re: A firewall won't stop this one"
- Reply: Volker Birk: "Re: A firewall won't stop this one"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 3 Nov 2003 11:21:46 -0500
In article <bo5d28$933$00$1@news.t-online.com>, bumens@dingens.org
says...
> dkg_ctc <dontknowguilt@hotmail.com> wrote:
> > Without going into the details of how flawed the reasoning of the
> > author of that page is, that page refers specifically to
> > software firewalls...are you suggesting that hardware firewalls
> > prevent you from connecting to localhost?
>
> That is a misunderstanding.
>
> The problem is the so-called "Personal Firewalls".
>
> A firewall is the concept to define all traffic between two
> security zones on one single point of communication.
>
> To implement a firewall you can use just hard wired hardware,
> or a computing system like an implementation of von Neumann's machine
> as you find it i.e. in a PC.
>
> But to have a firewall, you need a security concept which contains
> a zone plan.
>
> What you're talking about is filtering software.
>
> "Personal Firewalls" often try to implement host based packet filters
> and some kind of "sandboxing". Both things they're implementing bad.
>
> Most of the products which are sold as "Personal Firewalls" are
> implementing packet filtering in user space by modifying the DLL
> which contains the WinSock implementation. Also the sandboxing is
> very bad, because for sandboxing processes you need virtual
> machines, and no "Personal Firewall" I know implements virtual
> machines.
>
> Even the "Personal Firewalls", which are using the kernel functions
> of Windows for packet filtering, are doing that very bad - they're
> offering user interface for unprivileged users on a windowing
> system where IPC is offered by pushing and without any authentication
> at all.
>
> But even if "Personal Firewalls" were implemented better, they
> would not work for the jobs they're offered for by only implementing
> packet filtering as a filter function, because communication can
> proceed easily also in other network layers than 3/4.
>
> Of course no filtering system at all can be perfect in theory.
>
> VB.
>
I disagree. Security comes in layers and is built by those that know how
to build it. Security cannot come "in a box" from some software vendor
and be implemented "on the fly" by a clueless end-user. *If* a proper
software firewall is used in conjunction with hardware solutions, IDS
systems and properly configured routers, the software firewall will
effectively block malicious code. On the other hand, the misleading
marketing tactics of various "zoned" software firewalls and IDS packages
leave the end-user open to various exploits.
--
Colonel Flagg
http://www.internetwarzone.org/
Privacy at a click: http://www.cotse.net
Q: How many Bill Gates does it take to change a lightbulb?
A: None, he just defines Darkness? as the new industry standard..."
"...I see stupid people."