Re: Why do I need a software firewall?

From: Todd H. (
Date: 10/01/05

    Date: 01 Oct 2005 08:10:03 -0500

    Volker Birk <> writes:
    > Todd H. <> wrote:
    > > When I wrote "relatively non-complex" that was intended to imply
    > > "versus a general purpose computer." This is hardly a contentious
    > > statement.
    > May I recite the context again, in which you wrote that? This is from
    > your posting to the OP:
    > | > It was my understanding that a router gave a hardware firewall which
    > | > was a million times better than a software one and gave you more
    > | > protection.
    > | From external, network-based attacks this is true.
    > This is just NOT true. If a PC is not offering any servers to the
    > Internet (and we're talking about home users here), and the IP-Stack has
    > no bugs in implementing Layer 2-4, then it is secure against any network-
    > based attacks. It's not possible for a "hardware firewall" to make it
    > more secure than secure against network-based attacks.

    Okay, I see the nit you're picking. I'll agree that if nothing is
    responding at a given instance it doesn't matter whether it's a
    hardware device or software firewall swallowing up the packets, so one
    is no better than the other... at that instant.

    So, I agree that spending time with host based configuration on every
    device in the home can achieve the same security posture at a given
    instant, but what your arguments are ignoring is the value of defense
    in depth.

    But...the difference is in terms of the likelihood of "what if the
    software firewall crashes, is disabled by nefarious software run on the
    machine, or (the most likely case) is disabled by the user at the
    direction of every tom dick and harry level 1 support technician that
    wants to fire a shotgun in the dark trying to debug some mysterious

    > Usually, it is very easy to stop any servers on your Windows box - just
    > use Torsten's script on or use

    You vastly overestimate the average user's patience for this sort of
    configuration. This requires user intervention and is simply something
    folks won't do, and can manage to screw up.

    Just because it's possible to implement host based security doesn't
    mean it's the best general recommendation because a vast majority of
    the computer using population is not interested enough in actually
    performing configuration beyond plugging it in.

    > Or use Windows XP SP2 with actual patches in the default
    > configuration; it is NOT vulnerable to any network based attack
    > because the Windows Firewall is switched on by default. A hardware
    > device will not make it more secure than secure against
    > network-based attacks.

    True... but... what percentage of general users are using Windows XP
    SP2? Not all--still lots of prior stuff running around out there.
    Second, it will only be true until that support technician at the
    cable modem company is trying to help the user with a connection
    problem and then very early in the process has them turn off windows

    > | > In that case, why have a hardware firewall?
    > | Because if your software firewall goes down (which it can), then
    > | you're unprotected.
    > Yes, and if you switch off the "hardware firewall" and plug in your
    > PC into the net directly (which you can), then you're unprotected.

    I think you might agree that it's a lot easier/more likely for a user
    to make 2 clicks to disable windows firewall (at the direction of a
    tech support monkey), or for malware to disable it than it is for a
    user to get back behind their PC and recable things.

    > This is just nonsense. Why should one do that? Why should the user
    > make the "software firewall" "go down"?

    Nonsense? Ever observed a typical user on the phone with a tech
    support agent for even the simplest networking problem? One of the
    first things the support technician has them do is disable any
    software firewalls to eliminate the possibility that they're

    > It is as simple as buying a Macintosh and not having such problems
    > at all.

    I agree with this as well.

    > It is as simple as having Windows XP SP2 on the computer in the default
    > configuration.

    If they have it. And only until they call for tech support of
    tomorrow's Windows exploit turns off the firewall as one of its first

    > Quite contrary to what you're saying, the usual SOHO router device is
    > difficult to secure for a home user. This is, because NAT is not designed
    > as a security technology.

    The world is well aware that NAT doesn't provide security in and of
    itself... but here's the newsflash: most of the devices if not all
    also include SPI firewalls enabled by default in addition to the
    obscuring of NAT. And nearly all require no configuration at all.
    You plug the thing in and every machine behind it becomes a lot less
    vulnerable to network based attacks. For a whopping $60.

    > To make such a router secure, you have to configure it for
    > filtering, too. Especially, you have to filter out any packet,
    > which seems to come from inside, but arrives the outside network
    > interface. And even more, many stateful inspection implementations
    > i.e. for FTP are very insecure.

    How many of the general users I'm talking about here are running ftp
    servers at home?

    Todd H.
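The two filtering behaviours argued over in this thread, stateful inspection that only admits replies to connections opened from inside, and the anti-spoofing rule that drops packets arriving on the outside interface with an inside source address, as a small simulation. This is an added illustration, not code from either poster or from any router firmware; the LAN prefix and the sample packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed home LAN behind the router (constructed for this example).
INSIDE = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on: "lan" or "wan"
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Minimal SPI model: track outbound flows, admit only their replies."""

    def __init__(self):
        # (inside_ip, inside_port, remote_ip, remote_port) of flows opened from LAN
        self.flows = set()

    def decide(self, pkt: Packet) -> str:
        src = ip_address(pkt.src)
        if pkt.iface == "wan" and src in INSIDE:
            # Anti-spoofing: an inside address can never legitimately arrive from outside.
            return "DROP spoofed"
        if pkt.iface == "lan":
            if src not in INSIDE:
                # Egress filtering: do not forward packets that forge a foreign source.
                return "DROP spoofed"
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # Inbound from WAN: accept only if it answers a flow we saw leave.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ACCEPT"
        # Unsolicited inbound: the "nothing is responding" case from the thread.
        return "DROP unsolicited"


def run_sample() -> list:
    """Run constructed packets through the filter and return the verdicts."""
    fw = StatefulFilter()
    packets = [
        Packet("wan", "203.0.113.9", 40000, "192.168.1.10", 445),  # unsolicited SMB probe
        Packet("lan", "192.168.1.10", 51000, "198.51.100.5", 80),  # outbound web request
        Packet("wan", "198.51.100.5", 80, "192.168.1.10", 51000),  # matching reply
        Packet("wan", "192.168.1.10", 51000, "192.168.1.20", 139), # inside address from outside
    ]
    return [fw.decide(p) for p in packets]
```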
