Re: firewall opinions
From: JW (JustPostYourReply_at_ToThisNewsGroup.pls)
Date: 02/21/05
- Next message: Thomas Lutz: "Re: problems with serial port..."
- Previous message: Colin Barnhorst: "Re: Nominations still being accepted for the MSMVPHOS!"
- In reply to:(deleted message) Leythos: "Re: firewall opinions"
- Next in thread: Van: "Re: firewall opinions"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 21 Feb 2005 20:14:20 GMT
thanks again for your contribution. the experiences you convey here are
very valuable. with No disrespect, i must disagree with a couple of
your points.
it is Not really the router that protects the 40+ residents after 6
months of use. it is Not a gun on the wall that protects a home owner.
it is the experience and preparation and training of the gun owner.
in this case, it is years of Leythos' experience planted into the
device, and your ongoing monitoring that protects the 40+ residents.
the fact remains that 99.99% of average PC users in the world will never
attain (and have no desire to attain) that zenith of knowledge about the
ideal router configuration.
you also might be confusing LeakTest with some other tool like
ShieldsUp. the purpose of LeakTest is Not to test various ports (e.g.
80,25,110, etc.) for outbound capability. and although the results are
scary, it is not a tactic by a snake-oil salesman (per another posting).
the Real purpose of LeakTest is to test whether or not a firewall
would Stop to ask a user for approval, whenever a legitimate program
(e.g. IExplore.exe) attempts access through a legitimate port (e.g. 80).
if not, then any Trojan (or script easily written by a kid) that
renames an evil program to masquerade as the legitimate program, has
easily provided the evil program with unfettered access to a world full
of infections. this remains a weakness that hardware routers are
inherently clueless to prevent.
on the other hand, if a PC user did not launch program ABC, and out of
the blue, suddenly ZoneAlarm asks "Do you want to allow program ABC to
access the internet ?", then the user will probably say "Where did this
come from ? I did not initiate this ?" now, if the user blindly
approves this nonsense, it is the user's fault, not ZoneAlarm. but at
least the user had a chance to stop it, which a hardware router would
Never have provided, because hardware routers do Not even stop to ask
about Approved programs going through Approved ports.
finally, there will always be instances where we cannot protect users
from their own ignorance when using Hardware routers, not just software
routers. the fact is that users of ZoneAlarm do not need to spend hours
reading or posting questions here in order to learn all the ports and
tweaks needed to properly configure it for use with Messenger. they
simply check Ask on the line labeled Messenger, and ZoneAlarm takes care
of knowing all the ports and tweaks.
on the other hand, i see angry users every day coming to the Messenger
newsgroup, asking what are all the ports used by Messenger, so they can
open ALL of those ports on their router, because they are so angry that
they cannot get Messenger to work with their new router. considering
the fact that the number of people who come asking for help are
outnumbered by the people who Never come asking, that reduces a huge
number of hardware routers to useless piles of metal. this is clearly a
case where ZoneAlarm would help 99.99% of average PC users in the world.
does this remove the benefit of having a hardware device ? of course
not. i have never and will never say that. i have always said that for
99.99% of average PC users in the world, multiple layers of defense are
better than one device very good at one specialty. software and
hardware firewalls have many features in common, but clearly each can do
some things that the other cannot. because a hardware router cannot be
turned off by a Trojan, a hardware router is an important addition to a
total multi-layer defense strategy.
always a pleasure conversing with you. i do believe you realize i am
only talking about 99.99% of average PC users in the world, not that
fraction of 1% -- the expert users in the world who have attained the
zenith of knowledge about ideal router configurations.
Leythos wrote:
> On Mon, 21 Feb 2005 04:18:34 +0000, JW wrote:
>
>>thanks again Leythos. always good to hear from you, since you are
>>always a valuable contributor. no dispute or disagreement with anything
>>you said. what is unfortunate is that 99.99% of the average PC users in
>>the world will never read anything that you or i write here.
>
>
> Yea, it's really too bad that not only will they never read it, but they
> will never understand that there are serious security problems with their
> default configured machines. Even worse, once they do get compromised the
> first time, they won't learn anything from it, and their repaired machine
> will still not be secured.
>
>
>>99.99% of the average PC users in the world will acquire something for
>>PC security (whether it is hardware or software), and do little more
>>than plug it in and walk away, like a microwave oven. they have no
>>desire to spend hours reading instructions about how to tweak and
>>configure the firewall (hardware or software) to stop every conceivable
>> intruder/intrusion. that's why the best hardware firewall in the
>>world will always be less than adequate in the hands of 99.99% of
>>average PC users in the world. this is exactly why 99.99% of average
>>users in the world need Both a software and a hardware firewall.
>
>
> Let me give you an example of a Sorority that we manage. When the
> residents started this year, only one was a returning resident, all the
> others were new residents. The ones that came from the Dorms at the Univ
> to the house were the most infected of all of them. The next worst were
> the ones that had been living in apartments with other students - with one
> exception, two of them had been sharing an internet connection in a house
> where they had a simple Linksys router - they had spyware but not serious
> problems.
>
> As part of our overall solution we installed a Linksys BEFSX41 router (NAT
> box) between the ISP's DSL modem and their 48 port switch for the house.
> We also installed a Windows 2000 Server running IIS (to allow remote
> access to the router logs) and WallWatcher, and VNC on a non-default port
> and with a nasty password.
>
> With this configuration, and with the residents using email from the Univ,
> they have all managed to remain virus free, spyware free, and safe without
> using any personal firewalls. How do I know, I can see it in the router
> logs. It was funny, I noticed the traffic go from 8mb per day to around
> 30mb once and tracked it back to a resident that had installed Kazza,
> which is a violation of the AUP, and it took a simple BLOCK of her IP in
> the router to stop it, and then a call to get her to remove it, and it was
> all resolved again.
>
> Oh, we installed AVG and FireFox for all systems, and AVG has been updated
> to AVG7. Any machine that was running McCrappy (McCaffy) had it replaced
> with AVG or Norton AV (if they could afford NAV).
>
> Now, one other thing, I block outbound 135,136,137,138,139,445, 1433/1434,
> 1026,1027 to those destination ports. The only inbound is the IIS (and
> it's locked down and requires a user/password) and the VNC on non-default
> port.
>
> So, with almost 6 months of running time and 40+ residents, I would hazard
> a guess that the router is able to do about 99% of the protection they
> need.
>
>
>>as if the above were not convincing enough, hardware firewalls are
>>inherently clueless to stop the vulnerability described by Gibson
>>Research Corp in their LeakTest documentation at www.grc.com. This
>>leaves over 99% of average PC users in the world vulnerable, who go
>>surfing the "wild wild web" logged in with Administrator privileges.
>
>
> Actually, LeakTest is a scare tactic, a good one, but a scare tactic - much
> like vendors calling routers with NAT firewalls (which they are not). A
> real firewall should be configured to block most of what leaktest will
> attempt - about the only outbound traffic that should be exposed is 25,
> 80, 110, 443, 53 for people that use external mail servers and SOHO
> devices or cheap routers.
>
> It should also be noted that a personal firewall application running on
> your typical users computer won't protect them either as most of them will
> permit an application to access the internet without even knowing what
> that application is or is doing.
>
>
>>Does the fault lie with the uneducated user? Of course. this is
>>precisely why over 99% of average PC users in the world need Both a
>>hardware and a software firewall.
>
>
> Sure, it lies with the User, but, like sheep, there are simple things
> that ISP's can do to protect them. Almost every ISP's cable/dsl modem has
> the ability to provide NAT and block unsolicited inbound traffic - if they
> would just install them in this mode as default it would eliminate a lot
> of issues with users' computers. Allowing a user, without question, to
> request that NAT be disabled would be necessary too.
>
> I guess what we have to figure out is how a user that can't be protected
> by a hardware appliance is going to be protected from their own ignorance
> when running a PFW - since they are more likely to get compromised by
> misconfiguring the PFW I don't know where to begin with them.
>
>
>>farewell for now. as always, it has been a benefit and pleasure to
>>cross paths with you again. i always see something new or different,
>>when i hear back from you. have a nice weekend.
>
>
> It's been great chatting with you too - look forward to your reply. Have a
> great week.
>
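The two posters above disagree about what LeakTest measures: a port-only egress filter on a NAT router (Leythos's list of blocked outbound ports) versus a per-application prompt on the PC (JW's ZoneAlarm example, where a program renamed to look like the browser slips through). The following Python is an added illustration written for this page, not code from either poster or from GRC; the port list is the one quoted in Leythos's message, while the process names, the byte strings standing in for executables, and the rule tables are constructed. It runs the same four outbound attempts through three policies: a router that only sees the destination port, a personal firewall that matches on file name, and one that matches on the executable's SHA-256 hash, which is the check that closes the renaming gap JW describes.

```python
import hashlib
from dataclasses import dataclass

# Destination ports Leythos's post says the router blocks outbound (taken from the post).
ROUTER_BLOCKED_DST_PORTS = {135, 136, 137, 138, 139, 445, 1433, 1434, 1026, 1027}

# Constructed stand-ins for executable file contents. A real personal firewall would hash
# the program image on disk; here distinct byte strings represent distinct binaries.
TRUSTED_BROWSER_IMAGE = b"constructed: bytes of the genuine iexplore.exe"
MASQUERADE_IMAGE = b"constructed: bytes of some other program renamed to iexplore.exe"
UNKNOWN_IMAGE = b"constructed: bytes of a program nobody approved"


def image_hash(image: bytes) -> str:
    """Identity of a program by content rather than by file name."""
    return hashlib.sha256(image).hexdigest()


# The one rule the user approved: "the browser may use ports 80 and 443".
# Stored two ways so the two matching strategies can be compared side by side.
APP_RULES_BY_NAME = {("iexplore.exe", 80), ("iexplore.exe", 443)}
APP_RULES_BY_HASH = {(image_hash(TRUSTED_BROWSER_IMAGE), 80),
                     (image_hash(TRUSTED_BROWSER_IMAGE), 443)}


@dataclass(frozen=True)
class Attempt:
    """One outbound connection attempt as seen on the PC (constructed)."""
    process_name: str
    image: bytes
    dst_port: int


def router_decision(attempt: Attempt) -> str:
    """Port-only egress filter, like the NAT router in the post.
    It never learns which program produced the packet."""
    return "block" if attempt.dst_port in ROUTER_BLOCKED_DST_PORTS else "allow"


def pfw_decision_by_name(attempt: Attempt) -> str:
    """Application filter that trusts the file name; 'ask' means the user is prompted."""
    key = (attempt.process_name.lower(), attempt.dst_port)
    return "allow" if key in APP_RULES_BY_NAME else "ask"


def pfw_decision_by_hash(attempt: Attempt) -> str:
    """Application filter keyed on the program's hash; a renamed binary no longer matches."""
    key = (image_hash(attempt.image), attempt.dst_port)
    return "allow" if key in APP_RULES_BY_HASH else "ask"


def evaluate(attempts):
    """Run every attempt through all three policies; one result dict per attempt."""
    return [
        {
            "process": a.process_name,
            "dst_port": a.dst_port,
            "router": router_decision(a),
            "pfw_by_name": pfw_decision_by_name(a),
            "pfw_by_hash": pfw_decision_by_hash(a),
        }
        for a in attempts
    ]


# Constructed sample attempts covering the cases the thread argues about.
SAMPLE_ATTEMPTS = [
    Attempt("iexplore.exe", TRUSTED_BROWSER_IMAGE, 80),  # genuine browser on an approved port
    Attempt("iexplore.exe", MASQUERADE_IMAGE, 80),       # LeakTest case: other program, same name
    Attempt("abc.exe", UNKNOWN_IMAGE, 80),               # program the user never launched
    Attempt("svchost.exe", UNKNOWN_IMAGE, 445),          # SMB headed out to the internet
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_ATTEMPTS):
        print(row)
```

Reading the rows: the router allows the first three attempts because port 80 is not on its block list, and it is the only policy that stops the SMB attempt, which a personal firewall would merely ask about. The name-keyed personal firewall allows the renamed program exactly as LeakTest demonstrates, while the hash-keyed version drops back to a prompt for it, which is the behaviour JW expects from "Ask" and the reason a defender wants application rules bound to the binary rather than its name.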