Re: Do I need a firewall?





"Leythos" <void@xxxxxxxxxxx> wrote in message
news:CAg5e.421$8J5.297@xxxxxxxxxxxxxxxxxxxxxx
> On Thu, 07 Apr 2005 14:58:09 -0400, Al wrote:
>>
>> You missed the point. I did not say that a PSF (or any software) is
>> preferable. A hardware is better, but, by itself can be bypassed, and
>> the fault with thinking it is OK by itself is that, if something does
>> get past it, which is very possible, there is no alert, and the damage
>> is being done. At least with the addition of software, you can be
>> warned. In today's world, it isn't as simple as you say to simply say
>> hardware only is just fine..
>
> The problem is that people are confused with what a firewall appliance
> really is and what the SOHO/Home user marketing types are calling a
> firewall.
>
> If you have a decent firewall appliance you can prevent almost everything
> except permitted traffic - that means I can block MSN Messenger and Yahoo
> messenger while still allowing other HTTP traffic, or strip Active-X out
> of HTTP Sessions, force users to only visit sites with content
> definitions, block all outbound SMTP access, block all outbound DNS,
> etc... I can lock down the network, still provide real business use for
> it, and prevent compromised computers from doing external damage - at the
> same time I can detect those types of actions without any chance that the
> detection method will be disabled by the attack.
>
> With a PFW you don't really gain anything except a false sense of security
> - it's not hard for a user running as Root or Administrator to compromise
> their own computer and any services running on it, including their PFW,
> and they would be just as ignorant about it as they were when deciding to
> run as Root or Administrator.
>
> At least with an appliance you have the ability to protect the
> network/resources in a manner that a compromised machine can't disable.
>
> A good example of this is my home - I have a WatchGuard Firebox II with 4
> subnets behind it. My family network allows users to access filtered HTTP,
> filtered FTP, no email external to the home (we have our own email
> server) and that's about it. They can't bring anything inbound and nothing
> gets outbound that isn't also filtered, including email from the house
> server.
>
> In the case of a user and a simple NAT device like the Linksys/D-Link/NG,
> there is no filtering of transport methods, just inbound blocking or not.
>
> With a PFW you still don't have any real control, unless you don't use the
> computer that the PFW is running on - acting as a gateway. The first time
> you use the computer with the PFW, you can compromise it and render the
> PFW useless, leaving your network/systems fully exposed.
>
> --
> spam999free@xxxxxxxxxx
> remove 999 in order to email me
>

Let's disagree totally about your assertion that PSWs really serve no
purpose. Trust me, the setup you describe in its detail can be bypassed,
with no bells to tell you that a compromise has happened. In the meantime,
you're relying on your "wit" of the moment to kick in, to check for an
incident; it then may be too late. Regardless of what you say, getting an
alert at the first hint is added security. DOS attacks happen a great deal
through systems set up just the way you describe. If what you say (as you
imply) is 100% secure, then why would there be a need for any of the PSWs,
and there never will be (or would have been recently) attacks on networks,
servers, etc.

By the way, my PSW lets me control every aspect of programs, not only
sending and receiving, but actually having any ability to run as it makes a
connection, as it won't run on my system if not allowed. This way, I know
what I am trying to accomplish. Added security is never a shortfall.

