Re: Almost no user really needs a firewall (was: [OT] Updates of Firefox and Mozilla)
From: Michael Pelletier (mjpelletier_at_mjpelletier.com)
Date: 03/29/05
- Next message: timnmd_at_hotmail.com: "pop up problems"
- Previous message: Michael Pelletier: "Re: More apparent M$ spyware"
- In reply to: Andreas Kohlbach: "Almost no user really needs a firewall (was: [OT] Updates of Firefox and Mozilla)"
Date: Mon, 28 Mar 2005 23:55:32 -0800
Andreas Kohlbach wrote:
> Ian Rawlings wrote on 28. March 2005:
>>
>> On 2005-03-27, Andreas Kohlbach <ankman@email.com> wrote:
>>
>>> A desktop firewall does not really work. It gives you the feeling of
>>> fake security. And might do things you don't want (block stuff you
>>> don't want), expands the code basis and so provides a bigger surface
>>> for attacks.
I disagree with that. True, any type of REAL firewall requires configuration.
However, good security is not just one thing but many things put together.
Host based firewalls are just another piece.
>> A desktop firewall offers you far more control than stopping services
>> as I said in a previous post (e.g. allowing some addresses but not
>> others), while stopping services reduces your patching requirements it
>> also limits what you can do. One of the services that you have little
>> control over are the RPC services, if you stop those, important parts
>> of the Windows OS will no longer function, however it's important to
>> stop access to the RPC services. ISTR that you can use the dcom
>> configuration tool to help out with this, my memory fails me at this
>> point.
...another piece of the "puzzle". Always disable anything you do not need.
This is tricky because you may need it in the future...
>> Stopping services as a means of securing a system is fine in
>> restricted environments as I said in previous posts, but for a
>> computer where rich functionality is a requirement, e.g. a desktop,
>> it's not a practical option, especially for the majority of people who
>> have better things to be doing with their time.
"Better things to do with your time"??? Then, don't bitch when you get
infected...even better don't post and bitch...you were warned...
> The script I mentioned does stop unnecessary services that no ports are
> listening, and you still have a full functioning computer.
Wait. If a service is running then the service IS LISTENING (they have to,
to accept incoming connections!). That is what services do...
>>> IMO you're better off without a desktop firewall. Shut down services
>>> and be up to date, don't use dangerous software like the Internet
>>> Explorer and Outlook Express, and you should be fine.
Again, all of these make up a good strategy. Shutdown things you do not
need, keep up to date on patches, run antivirus, run a host based firewall
or at least be behind one...Or switch to a UNIX and not deal with soooo many
problems that infest Winblows (just had to add that :-) )
>> For most users it's not an option
>
> Because they can't handle it. A firewall is additional code and so a
> potential security risk. If you are able to close all services you don't
> need you are more secure without a firewall. As long as the TCP stack
> itself is not vulnerable (seems it is with XP SP2).
This is a circular argument. Then, by your arguments anti-spyware, anti virus
and security patches are "extra" code???? Maybe you are right but, I would
say NECESSARY "extra" code....
Secondly, let's face it. You can not shutdown everything. Microsoft insists
on using RPC/DOM in their code and you can not fully shut it down. This is
where a host-based firewall comes into play.
> X'post + F'up comp.security.misc (don't wanna annoy MAME users here :-).
Michael
-- "Microsoft isn't evil, they just make really crappy operating systems." - Linus Torvalds
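
Added example, not part of the original post or thread: a small audit of `netstat -ano` style output that separates loopback-only listeners from remotely reachable ones and marks which of the latter must be filtered by a host firewall because the service cannot be stopped (the RPC case argued above). The sample output, the function names and the `cannot_stop` port set are constructed assumptions.

```python
import ipaddress

# Constructed sample in the layout of Windows `netstat -ano`; not from the thread.
SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       1480
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:3012      198.51.100.7:80        ESTABLISHED     2204
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:1900           *:*                                    1100
"""

def parse_listeners(text):
    """Return (proto, host, port, pid) for TCP LISTENING and bound UDP sockets."""
    found = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue                      # header, blank or unrelated line
        if f[0] == "TCP" and f[3] != "LISTENING":
            continue                      # outbound or established connection
        host, _, port = f[1].rpartition(":")
        host = host.strip("[]").split("%")[0]   # drop IPv6 brackets and zone id
        found.append((f[0], host, int(port), int(f[-1])))
    return found

def classify(listeners, cannot_stop=frozenset()):
    """Map each listener to an action. `cannot_stop` is a hypothetical set of
    ports whose service the OS needs (e.g. 135 for RPC), so the only option
    left is to filter them with a host-based firewall."""
    report = []
    for proto, host, port, pid in listeners:
        if ipaddress.ip_address(host).is_loopback:
            verdict = "local-only"        # not reachable from the network
        elif port in cannot_stop:
            verdict = "firewall"          # service must run: filter inbound
        else:
            verdict = "stop-or-firewall"  # disable if unneeded, else filter
        report.append((proto, host, port, pid, verdict))
    return report

if __name__ == "__main__":
    for row in classify(parse_listeners(SAMPLE), cannot_stop={135}):
        print("%-3s %-15s %-5d pid=%-5d %s" % row)
```
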