Re: Firewalls and Wireless Routers
From: JW (JustPostYourReply_at_ToThisNewsgroup.pls)
Date: 01/01/05
- Next message: R. McCarty: "Re: Firewalls and Wireless Routers"
- Previous message: Alex Nichol: "Re: DELETING FILES - DEL COMMAND"
- In reply to:(deleted message) Leythos: "Re: Firewalls and Wireless Routers"
- Next in thread: Leythos: "Re: Firewalls and Wireless Routers"
- Reply:(deleted message) Leythos: "Re: Firewalls and Wireless Routers"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 01 Jan 2005 14:26:36 GMT
p.s.
I really appreciate the detail with which you responded, because I learned
some stuff I didn't know before. I don't know if any personal firewall has
"ever saved anyone that was already using a NAT box", but I know it
certainly is conceivable, as stated by AV-Test experts in the following
excerpt:
"Consider the Bagle worm, which hides its identity by injecting itself into
the Windows Explorer application. When AV-Test infected a system with this
worm, the McAfee, Norton, Sygate, and ZoneAlarm firewalls asked "Do you want
to allow Windows Explorer to access the Internet?" Attentive users might
wonder why the app was spontaneously trying to access the Internet, but
others might simply click the OK button without considering the
implications."
"To avoid such problems, you might opt for a port-filtering firewall of the
type included in the Windows XP operating system or a port- and
packet-filtering firewall like the one in Trend Micro's PC-cillin Internet
Security 2004 suite. Packet-filtering firewalls monitor data passing to and
from the computer and look for known vulnerabilities or suspicious behavior.
For example, they can block attempts to access backdoor ports that e-mail
worms may have opened to receive instructions from remote hackers."
Now, if this happened with a program that already had permission from the
Hardware firewall to access the internet (e.g. an Email program, browser,
music player, IM/chat program, etc.), then the Hardware firewall would not
question this breach of security, and would allow outbound communication
privileges for the infected program. This would still be true regardless of
whether or not the buyer of the new router decided he wanted to learn all
the port requirements of all the programs that need internet access, and
learn how to write rules for access permissions, which most often does not
happen.
I think we both agree that software and hardware firewalls have both similar
and different strengths and weaknesses, which makes them both essential
elements of a Multi-layered protection plan for home PCs. Together, they
make a stronger defense; separately, they are more vulnerable. For other
readers, this discussion is only about average home PC users, and does not
apply to industrial strength network security for corporations. The excerpt
was taken from a PC World article found at
http://www.pcworld.com/reviews/article/0,aid,115939,pg,2,00.asp
"Leythos" <void@nowhere.lan> wrote in message
news:MPG.1c3ff7b9f0a0cd9c989dbe@news-server.columbus.rr.com...
In article <P8mBd.53003$uM5.11644@bgtnsc05-news.ops.worldnet.att.net>,
JustPostYourReply@ToThisNewsgroup.pls says...
> My point is that the added benefit of a superb Software firewall (despite
> the obvious possibility of misuse) is that it does something that the
> hardware firewall does Not do. Specifically, the Software firewall has the
> capability to stop and ask you, "Is this right?" but the Hardware firewall
> does not have this capability.
Without additional resources a firewall appliance has no clue what
applications are running on your computer. The way you work around that
issue is by understanding what the internal computers actually need
externally in order to work. As an example, I have an email server in my
home; this means that only the email server needs external SMTP access,
the internal computers don't need it - so I have a firewall rule that
permits only the mail server to use SMTP outbound (and Inbound). This
keeps rogue SMTP apps from sending mail directly from the workstations
to the public.
The same is true for many services when using a REAL firewall appliance,
you understand what systems need what level of access and provide them
only that level. As an example, in my home, we have a BUNCH of computers
and with the exception of two of them, all run through a HTTP rule that
does not permit ActiveX or scripting content to reach the internal
computers. The same with web content filtering - those same machines
have 13 of 14 categories blocked. There are two HTTP rules in my
firewall, one for the group systems (and all unknowns) and one for two
development systems and authenticated users in the approved list.
With some IDS systems, they monitor the PC and can communicate with the
firewall in real time - if the IDS detects a rogue app it will shut down
the PC and also enter a block in the firewall for it.
So, while firewall appliances in general don't have a clue about the
apps on your PC, they do know what ports your PC wants to use, and a
proper security method would be to set up a network where rogue apps
can't get out past the firewall.
Now, your typical home user router (with NAT) can also protect your
network, although nowhere near as well as a Firewall appliance. A NAT
box can often be set up to block outbound traffic to "destination" ports
so that things like PORTS 135~139,445,1433,1434 never make it past the
router. If you had an internal mail server, just a relay, you might be
able to block outbound SMTP traffic from all but that relay server (but
most users don't buy a router of that quality).
I have never seen a personal firewall save anyone that was already using
a NAT box.
-- -- spamfree999@rrohio.com (Remove 999 to reply to me)
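The egress policy Leythos describes (only the mail relay may send SMTP outbound; outbound traffic to ports 135-139, 445, 1433 and 1434 is dropped for every internal host; everything else passes) can be modelled as a small first-match packet filter. The block below is an added example written for this thread, not code posted by either participant, and the 192.168.1.0/24 network, the 192.168.1.10 relay address and the eth0 interface name are constructed placeholders. It evaluates a few constructed flows against the policy and also renders the same rules as iptables FORWARD-chain commands. Running it also makes JW's point concrete: a rogue program on a workstation that uses port 80, which the network rules permit, is accepted by this layer exactly as the browser would be, which is the gap a per-application software firewall is meant to cover.

```python
"""Egress-policy model: a first-match packet filter for outbound LAN traffic.

Added example, not code from the newsgroup thread. All addresses, hostnames
and the interface name are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional

LAN = ip_network("192.168.1.0/24")        # assumed internal network
MAIL_SERVER = "192.168.1.10"              # assumed mail relay (placeholder)


@dataclass(frozen=True)
class Flow:
    """One outbound TCP connection attempt, as the firewall sees it."""
    src: str      # internal source address
    dst: str      # external destination address
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str                                  # "accept" or "drop"
    src: Optional[str] = None                    # host or CIDR; None = any
    dports: FrozenSet[int] = frozenset()         # empty = any port
    comment: str = ""

    def matches(self, flow: Flow) -> bool:
        if self.src is not None and ip_address(flow.src) not in ip_network(self.src):
            return False
        if self.dports and flow.dport not in self.dports:
            return False
        return True


# Rules are evaluated top to bottom; the first match decides.
EGRESS_POLICY: List[Rule] = [
    Rule("accept", src=MAIL_SERVER, dports=frozenset({25}),
         comment="mail relay may send SMTP"),
    Rule("drop", dports=frozenset({25}),
         comment="no other internal host may send SMTP directly"),
    Rule("drop", dports=frozenset({135, 136, 137, 138, 139, 445, 1433, 1434}),
         comment="Windows RPC/NetBIOS/SMB and SQL Server ports never leave the LAN"),
    Rule("accept", comment="everything else is permitted outbound"),
]


def evaluate(flow: Flow, policy: List[Rule] = EGRESS_POLICY) -> str:
    """Return 'accept' or 'drop' for an outbound flow from the LAN."""
    if ip_address(flow.src) not in LAN:
        return "drop"              # not a LAN host: not an egress flow we forward
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return "drop"                  # default deny if nothing matched


def to_iptables(policy: List[Rule], iface_out: str = "eth0") -> List[str]:
    """Render the policy as iptables FORWARD-chain commands (TCP only)."""
    lines = []
    for r in policy:
        parts = ["iptables", "-A", "FORWARD", "-o", iface_out]
        if r.src:
            parts += ["-s", r.src]
        if r.dports:
            ports = ",".join(str(p) for p in sorted(r.dports))
            parts += ["-p", "tcp", "-m", "multiport", "--dports", ports]
        parts += ["-j", "ACCEPT" if r.action == "accept" else "DROP"]
        parts += ["-m", "comment", "--comment", f'"{r.comment}"']
        lines.append(" ".join(parts))
    return lines


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.5 is a documentation address.
    samples = [
        Flow(MAIL_SERVER, "203.0.113.5", 25),      # relay sending mail
        Flow("192.168.1.20", "203.0.113.5", 25),   # workstation sending mail directly
        Flow("192.168.1.20", "203.0.113.5", 445),  # SMB out to the internet
        Flow("192.168.1.20", "203.0.113.5", 80),   # any program on an allowed port
    ]
    for f in samples:
        print(f"{f.src} -> {f.dst}:{f.dport}  {evaluate(f)}")
    print()
    print("\n".join(to_iptables(EGRESS_POLICY)))
```

The last sample flow is the one that matters for the thread: the network filter accepts it because port 80 is allowed for every LAN host, whether the process behind it is the browser or something injected into it.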