Re: three solutions for one Linux box



john toynbee <john.toynbee@xxxxxxxxx> wrote:
In your opinion, for one client Linux box with always-on ADSL (dynamic
address), which is safer:

1) only software firewall

2) software firewall + hardware firewall integrated in an ADSL router
(Netgear, etc, etc.) with never updated firmware

3) software firewall + a firewall Linux distro (IPCop, Devil-Linux, etc.
etc), always updated, in an old computer

Define "safe". From which threats should your solution protect you?

Assuming you want protection from attacks against open ports:

- Solution 1 is safe, as long as its ruleset isn't b0rken and the
software firewall doesn't have known vulnerabilities (i.e. keep it
up-to-date).
- Solution 2 is safe, as long as its ruleset isn't b0rken and the
software firewall doesn't have known vulnerabilities (i.e. keep it
up-to-date). The router might be an additional line of defense, but
outdated firmware effectively prevents that, because it's likely to
contain exploitable bugs.
- Solution 3 is safe, as long as its ruleset isn't b0rken and the
software firewall doesn't have known vulnerabilities (i.e. keep it
up-to-date). The router is an additional line of defense as long as
its ruleset isn't b0rken and it doesn't have any known vulnerabilities
(i.e. keep it up-to-date).

Besides, there's no such thing as a "hardware firewall". That kind of
firewall is also implemented in software, only it runs on a dedicated
operating system (which hopefully has fewer lines of code and thus fewer
bugs than a general purpose operating system) on dedicated hardware
(which is likely to consume less power than "normal" PC hardware).

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich