Re: Why do I need a software firewall?

From: Volker Birk (
Date: 10/04/05

Date: 4 Oct 2005 22:59:36 +0200

E. <> wrote:
> > This will not work, if one does not understand how to make it impossible
> > for things to happen, because one is understanding exactly how things work,
> > but only how to buy products and believe in advertising.
> Layering, or defense in depth has been standard mantra for quite some time.

Yes, a mantra. This hits the point.

> > Then you can have "layers and layers and layers" of such "security",
> > and everything will be as insecure as ever.
> What is your understanding of the concept of layers? A daisy-chain of
> routers?

No. And I'd prefer the term Zones, as I stated already.

> Take a simple email borne virus as the threat vector. What could stop it
> penetrating? Anti virus software, policy removing certain attachment
> types, banned encoding types and generic spam blocking techniques.
> 4 layers of security just for email viruses. Even a brand new,
> undetectable, compressed virus would be stopped in its tracks.

And sometimes not. Unfortunately.

> I know what he means by 'real' firewall, and his definition is correct.

So perhaps you may explain what this should be?

> The term 'firewall' has been used by manufacturers to flog NAT devices
> and this definition has become the meaning for most people.

A firewall is a single point for controlling any traffic between two
zones in a zone plan.

An alternative definition you'll find in RFC 2979.

Please explain what a "real firewall" is.

There are no "true" or "wrong" definitions BTW - there is the freedom
of definition.

> Realistically, for a
> personal firewall to be effective, allow/disallow of anything should be
> controlled by a central policy under the eye of an experienced admin,
> and the user should have no control at all.

Yes. I'd agree with that. I'd say "host based packet filter" and not
"Personal Firewall", but I think we both mean the same here.

> Also if the firewall
> component is compromised it should shut down communications as it exits.
> I am yet to see a PF that does this.

Usually such a behaviour can be easily abused for DoS attacks.


If class libraries are compared to animals, MFC is the slime-warts toad.
