Re: Clueless newbie to firewalls (sygate) seeks info

From: DevilsPGD (ihatespam_at_crazyhat.net)
Date: 04/28/05


Date: Thu, 28 Apr 2005 15:15:53 -0600

In message <WKudnT8F-vEtguzfRVnyrA@pipex.net> Mike
<honey@michaelmoyse.co.uk> wrote:

>DevilsPGD wrote:
>> In message <cu6ce.13066$dh.9573@tornado.ohiordc.rr.com> Leythos
>> <void@nowhere.lan> wrote:
>>
>>
>>>On Thu, 28 Apr 2005 06:08:25 -0600, DevilsPGD wrote:
>>>
>>>>In message <uvednfQfKLSHW-3fRVnyhQ@pipex.net> Mike
>>>><honey@michaelmoyse.co.uk> wrote:
>>>>
>>>>
>>>>>FYIS.org/estore wrote:
>>>>>
>>>>>>Seeking reference material (URL) that might help to explain incoming
>>>>>>hits like the one below.
>>>>>>What is all this stuff being sent to me?
>>>>>
>>>>>Another prime example of why software firewalls are useless
>>>>
>>>>How would a hardware firewall have done any better?
>>>
>>>Because a hardware firewall would block it before it even reaches the
>>>internal network, which eliminates any configuration errors that a user
>>>might make in their Personal Firewall Application - this would apply for
>>>those NAT Routers too (which are NOT firewalls).
>>
>>
>> Yes, and doing so still wouldn't allow the DHCP renew (if that is what
>> is being blocked) to complete successfully.
>>
>> While I agree about hardware vs software firewalls, this is not a prime
>> example. At most this is an example of how poorly written most software
>
>How would you explain such deeply technical information to a completly
>clueless and disinterested user?
>
>> firewalls are, and how difficult to use most hardware firewalls are
>> (meaning that an end user doesn't interact with them directly, or when
>> they do, the end user doesn't try to understand)
>>
>>
>
>Bottom line is userland is the wrong place for a firewall.
>
>
>Generally speaking a hardware firewall would either (a) be installed by
>someone who has a clue or (b) have a default configuration that makes
>some sort of sense.
>
>This is what a software firewall looks like to average Joe user:-
>
>WARNING! A doodle flanger has grapoppled!
>
>Do you want me to jangerfap the doodle flanger, discombooble the
>grapoppler or nurdle the keekwop?
>
>Of course if the user makes one choice, something will stop working, if
>they make another, they may expose their machine.
>
>A hardware firewall on the other hand does this:-

Sure, but that's a design implementation not a hardware vs software
issue. It wouldn't be challenging to make a software firewall that
shuts the hell up about doodle flangers.

While it would be slightly more difficult in terms of implementation,
you could easily make a hardware firewall that notifies the user (either
via software on the PC, or by email)

That isn't the primary reason to avoid a software firewall, at least not
in my books. Rather, the reason is that many of them are poorly
implemented, either not fully stateful (as evidenced the by the number
of users reporting their firewall is blocking traffic which turns out to
not only be legitimate, but sessions that weren't interrupted in any
way), or simply that it's too late -- If there is a bug either in the
firewall itself, or in the OS' IP stack, the system can still be
compromised.

If my firewall gets compromised, that's all the attacker has gained --
Access to my firewall. They have not gained privileged access to my
machines yet, and may well not be able to do so from the firewall.

-- 
UNIX Sex
{look;find;talk;grep;touch;finger;find;flex;unzip;mount;workbone;
fsck;yes;gasp;fsck;yes;eject;umount;makeclean;zip;split;done;exit}