Re: Why do I need a software firewall?
From: Todd H. (comphelp_at_toddh.net)
Date: 01 Oct 2005 08:10:03 -0500
Volker Birk <email@example.com> writes:
> Todd H. <firstname.lastname@example.org> wrote:
> > When I wrote "relatively non-complex" that was intended to imply
> > "versus a general purpose computer." This is hardly a contentious
> > statement.
> May I recite the context again, in which you wrote that? This is from
> your posting to the OP:
> | > It was my understanding that a router gave a hardware firewall which
> | > was a million times better than a software one and gave you more
> | > protection.
> | From external, network-based attacks this is true.
> This is just NOT true. If a PC is not offering any servers to the
> Internet (and we're talking about home users here), and the IP-Stack has
> no bugs in implementing Layer 2-4, then it secure against any network-
> based attacks. It's not possible for a "hardware firewall" to make it
> more secure than secure against network-based attacks.
Okay, I see the nit you're picking. I'll agree that if nothing is
responding at a given instance it doesn't matter whether it's a
hardare device or software firewall swallowing up the packets, so one
is no better than the other.... at that instant.
So, I agree that spending time with host based configuration on every
device in the home can achieve the same security posture at a given
instant, but what your arguments are ignoring is the value of defense
But...the difference is in terms of the likelihood of "what if the
software firewall crashes, is diabled by nefarious software run on the
machine, or (the most likely case) is disabled by the user at the
direction of every tom dick and harry level 1 support technician that
wants to fire a shotgun in the dark trying to debug some mysterious
> Usually, it is very easy to stop any servers on your Windows box - just
> use Torsten's script on ntsvcfg.de or use www.dingens.org.
You vasty overestimate the average user's patience for this sort of
configuration. This requires user intervention and is simply something
folks won't do, and can manage to screw up.
Just because it's possible to implement host based security doesn't
mean it's the best general recommendation because a vast majority of
the computer using population is not interested enough in actually
performing configuration beyond plugging it in.
> Or use Windows XP SP2 with actual patches in the default
> configuration; it is NOT vulnerable to any network based attack
> because the Windows- Firewall is switched on by default. A hardware
> device will not make it more secure than secure against
> network-based attacks.
True... but... what percentage of general users are using Windows XP
SP2? Not all--still lots of prior stuff running around out there.
Second, it will only be true until that support techniciant at the
cable modem company is trying to help the user with a connection
problem and then very early in the process has them turn off windows
> | > In that case, why have a hardware firewall?
> | Because if your software firewall goes down (which it can), then
> | you're unprotected.
> Yes, and if you switch off the "hardware firewall" and plug in your
> PC into the net directly (which you can), then you're unprotected.
I think you might agree that it's a lot easier/more likely for a user
to make 2 clicks to disable windows firewall (at the direction of a
tech support monkey), or for malware to disable it than it is for a
user to get back behind their PC and recable things.
> This is just nonsense. Why should one do that? Why should the user
> make the "software firewall" "go down"?
Nonsense? Ever observed a typical user on the phone with a tech
support agent for even the simplest networking problem? One of the
first things the support technician has them do is disable any
software firewalls to eliminate the possibility that they're
> It is as simple as buying a Macintosh and not having such problems
> at all.
I agree with this as well.
> It is as simple as having Windows XP SP2 on the computer in the default
If they have it. And only until they call for tech support of
tomorrows windows exploit turns off the firewall as one of its first
> Quite contrary to what you're saying, the usual SOHO router device is
> difficult to secure for a home user. This is, because NAT is not designed
> as a security techology.
The world is well aware that NAT doesn't provide security in and of
itself... but here's the newsflash: most of the devices if not all
also include SPI firewalls enabled by default in addition to the
obscuring of NAT. And nearly all require no configuration at all.
You plug the thing in and every machine behind it becomes a lot less
vulnerable to network based attacks. For a whopping $60.
> To make such a router secure, you have to configure it for
> filtering, too. Esspecially, you have to filter out any packet,
> which seems to come from inside, but arrives the outside network
> interface. And even more, many stateful inspection implementations
> i.e. for FTP are very unsecure.
How many of the general users I'm talking about here are running ftp
servers at home?
-- Todd H. http://www.toddh.net/