Re: Why do I need a software firewall?
From: Volker Birk (bumens_at_dingens.org)
Date: 4 Oct 2005 22:59:36 +0200
E. <firstname.lastname@example.org> wrote:
> > This will not work, if one does not understand how to make it impossible
> > for things to happen, because one is understanding exactly how things work,
> > but only how to buy products and believe in advertising.
> Layering, or defense in depth has been standard mantra for quite some time.
Yes, a mantra. This hits the point.
> > Then you can have "layers and layers and layers" of such "security",
> > and everything will be as insecure as ever.
> What is your understanding of the concept of layers? A daisy-chain of
No. And I'd prefer the term of Zones, as I stated already.
> Take a simple email borne virus as the threat vector. What could stop it
> penetrating? Anti virus software, policy removing certain attachment
> types, banned encoding types and generic spam blocking techniques.
> 4 layers of security just for email viruses. Even a brand new,
> undetectable, compressed virus would be stopped in its tracks.
And sometimes not. Unfortunately.
> I know what he means by 'real' firewall, and his definition is correct.
So perhaps you may explain what this should be?
> The term 'firewall' has been used by manufacturers to flog NAT devices
> and this definition has become the meaning for most people.
A firewall is a single point for controlling any traffic between two
zones in a zone plan.
An alternative definition you'll find in RFC 2979.
Please explain what a "real firewall" is.
There are no "true" or "wrong" definitions BTW - there is the freedom
> Realistically, for a
> personal firewall to be effective, allow/disallow of anything should be
> controlled by a central policy under the eye of an experienced admin,
> and the user should have no control at all.
Yes. I'd agree with that. I'd say "host based packet filter" and not
"Personal Firewall", but I think we both mean the same here.
> Also if the firewall
> component is compromised it should shut down communications as it exits.
> I am yet to see a PF that does this.
Usually such a behaviour can be easily abused for DoS attacks.
-- 
If class libraries are compared to animals, MFC is the slime-warts toad.
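The definition given above, a firewall as the single point controlling traffic between two zones of a zone plan with the allow/deny policy kept central, is illustrated below with a small zone-based packet filter. This is an added example written for this page, not code from the thread or from any of its participants; the zone names, address ranges (taken from the documentation ranges), ports and rules are constructed for illustration, and the whole policy engine (first matching rule wins, anything unmatched or outside the zone plan is denied) is an assumption of the example rather than a description of any particular product.

```python
# Added example: a toy zone-based packet filter acting as the single control
# point between zones. Zones, CIDRs, ports and rules are constructed here.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"

    def matches(self, src_zone: str, dst_zone: str, pkt: Packet) -> bool:
        return (self.src_zone == src_zone
                and self.dst_zone == dst_zone
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


class ZonePlan:
    """Maps an address to a named zone by longest-prefix match."""

    def __init__(self) -> None:
        self._zones: Dict[str, List[ipaddress.IPv4Network]] = {}

    def add_zone(self, name: str, *cidrs: str) -> None:
        self._zones[name] = [ipaddress.ip_network(c) for c in cidrs]

    def zone_of(self, ip: str) -> Optional[str]:
        addr = ipaddress.ip_address(ip)
        best: Optional[Tuple[int, str]] = None
        for name, nets in self._zones.items():
            for net in nets:
                if addr in net and (best is None or net.prefixlen > best[0]):
                    best = (net.prefixlen, name)
        return None if best is None else best[1]


class Firewall:
    """Every packet crossing zones is decided here and nowhere else:
    first matching rule wins; no match means deny."""

    def __init__(self, plan: ZonePlan, rules: List[Rule]) -> None:
        self.plan = plan
        self.rules = rules

    def decide(self, pkt: Packet) -> str:
        src_zone = self.plan.zone_of(pkt.src)
        dst_zone = self.plan.zone_of(pkt.dst)
        if src_zone is None or dst_zone is None:
            return "deny"  # address outside the zone plan is never trusted
        for rule in self.rules:
            if rule.matches(src_zone, dst_zone, pkt):
                return rule.action
        return "deny"  # default deny: the policy must name every allowed flow


def build_example_firewall() -> Firewall:
    """Constructed zone plan and policy for the example."""
    plan = ZonePlan()
    plan.add_zone("internet", "0.0.0.0/0")   # catch-all, loses every longest-prefix match
    plan.add_zone("dmz", "192.0.2.0/24")     # constructed, documentation range
    plan.add_zone("lan", "10.0.0.0/8")
    rules = [
        Rule("internet", "dmz", "tcp", 443, "allow"),  # public web service only
        Rule("lan", "dmz", "tcp", 443, "allow"),
        Rule("lan", "internet", "tcp", 443, "allow"),
        # stated explicitly so the intent is visible in the policy, not only implied
        Rule("dmz", "lan", "any", None, "deny"),
    ]
    return Firewall(plan, rules)


if __name__ == "__main__":
    fw = build_example_firewall()
    for pkt in (Packet("198.51.100.7", "192.0.2.10", "tcp", 443),
                Packet("198.51.100.7", "10.1.2.3", "tcp", 443),
                Packet("192.0.2.10", "10.1.2.3", "tcp", 22)):
        print(pkt, "->", fw.decide(pkt))
```

The policy lives in one list owned by whoever administers the firewall; the hosts behind it do not get a vote, which is the "central policy, user has no control" arrangement described in the post. Making the default deny rather than allow is what turns the rule list into a statement of everything that is permitted, so an unstated flow cannot slip through between zones.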