Re: Why do I need a software firewall?

From: Volker Birk (
Date: 10/04/05

Date: 4 Oct 2005 22:59:36 +0200

E. <> wrote:
> > This will not work, if one does not understand how to make it impossible
> > for things to happen, because one is understanding exactly how things work,
> > but only how to buy products and believe in advertising.
> Layering, or defense in depth has been standard mantra for quite some time.

Yes, a mantra. This hits the point.

> > Then you can have "layers and layers and layers" of such "security",
> > and everything will be as insecure as ever.
> What is your understanding of the concept of layers? A daisy-chain of
> routers?

No. And I'd prefer the term of Zones, as I stated already.

> Take a simple email borne virus as the threat vector. What could stop it
> penetrating? Anti-virus software, policy removing certain attachment
> types, banned encoding types and generic spam blocking techniques.
> 4 layers of security just for email viruses. Even a brand new,
> undetectable, compressed virus would be stopped in its tracks.

And sometimes not. Unfortunately.

> I know what he means by 'real' firewall, and his definition is correct.

So perhaps you may explain what this should be?

> The term 'firewall' has been used by manufacturers to flog NAT devices
> and this definition has become the meaning for most people.

A firewall is a single point for controlling any traffic between two
zones in a zone plan.

An alternative definition you'll find in RFC 2979.

Please explain what a "real firewall" is.

There are no "true" or "wrong" definitions BTW - there is the freedom
of definition.

> Realistically, for a
> personal firewall to be effective, allow/disallow of anything should be
> controlled by a central policy under the eye of an experienced admin,
> and the user should have no control at all.

Yes. I'd agree with that. I'd say "host based packet filter" and not
"Personal Firewall", but I think we both mean the same here.

> Also if the firewall
> component is compromised it should shut down communications as it exits.
> I am yet to see a PF that does this.

Usually such a behaviour can be easily abused for DoS attacks.


If class libraries are compared to animals, MFC is the slime-warts toad.