Bruce Chambers wrote:
Traditionally, in my opinion, firewalls are "things" (either hardware or
software) that do stateful packet inspection and filtering. NO
inspection above L3.
Greetings --
WinXP's built-in ICF is _not_ designed to act as a complement to
3rd party firewalls, and Microsoft actually recommends disabling it if
you use another software firewall, although a great many people have
reported no problems using ICF in conjunction with other products. My
position is that running two or more software firewalls simultaneously
is generally unnecessary and can _sometimes_ cause conflicts, possibly
negating the protection of both. In any event, having two firewalls
running simultaneously is most certainly an unnecessary drain on
system resources.
Now, if you use a so-called hardware firewall, which is most
likely just a router with NAT, it's still a good idea to use a 3rd
party software firewall.
This brings up a revelation I have, from 10 years' experience in "the
field".
Generally, most people are incapable of "properly" configuring any
software firewall. I acknowledge that on a purely technical basis,
software "firewalling" might be just as good as hardware/router/NATing..
if you know what your machine is supposed to be (not) doing..
Know what the problem is? Most end-users are entirely incapable of
installing, configuring and maintaining a software firewall.. for their
"own" computing device.
So, I have to speak up and say that I think for most people that don't
know what they're doing, a "hardware" firewall is *MUCH* more likely to
provide reliable, adequate security than any "software" solution that
I've seen to date. (note the quotes, eh?)
Hardware devices will not flood their screens with "do you want to allow
this?" prompts ..
Like WinXP's firewall, NAT-capable routers
do nothing to protect the user from him/herself. Again -- and I
_cannot_ emphasize this enough -- almost all spyware and many Trojans
and worms are downloaded and installed deliberately (albeit
unknowingly) by the user. So a software firewall, such as Sygate or
ZoneAlarm, that can detect and warn the user of unauthorized out-going
traffic is an important element of protecting one's privacy and
security. Most antivirus applications do not scan for or protect you
from adware/spyware, because, after all, you've installed them
yourself, so you must want them there, right?
Agreed, you've got a valid point here -- knowing what outbound "stuff"
is valid is great. Unfortunately, if most users see a prompt asking
"is outbound email to system a.b.c.d okay..?" they're going to
tell their software firewall it *IS* okay.. and then the problem is
far from fixed...
Accurately defining what is "VALID" inbound or outbound traffic is what
*99%* of "net" users are incapable of doing.
So, blocking inbound ('nat' as ya call it -- stateful inspection as most
call it..) and using software that scans for "crap" is a more practical
solution, in my opinion.
I use both a router with NAT and Sygate Personal Firewall, even
though I generally know better than to install scumware. When it
comes to computer security and protecting my privacy, I prefer the old
"belt and suspenders" approach.
Bruce Chambers
Dear All: I think Bruce is describing the "security in depth" concept
here. What we (if I may be so bold to assume we agree) mean is: More
than one defense is better than any one.
At my clients I demand a NATing $60 (at least) 'hardware' "firewall",
such as a Linksys BEFSR-41, then a strong regimen of Windows Patching,
anti-virus software, "spywareblaster" and occasional cleanup via SpyBot
and/or Ad-Aware.
You can't do just "firewalling" and expect to be safe.
Yes, I used to support an 800+ seat network. Yes, with that kind of
budget and exposure, we spent more than $3000 for firewall and/or
"intelligent" inspection gear.
The future is "intelligence" - which Bruce kind of skims around describing.
In short, get a $60 BEFSR-41 (available anywhere), teach yourself what
"stateful packet inspection" is and then re-consider software
firewalls.. and other tools.
best of wishes!
-- Scott.
--
====================================================
Scott Davis, 45 Dunfield Av, Unit 2117
Self-Employed Toronto, ON, Canada, M4S 2H4
Tech Consultant (416) 432-4334
====================================================
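To make the distinction the thread argues over concrete, here is an added toy model (not code from the thread or from any router or firewall product) of the two filtering styles: router-style stateful inspection, which passes any outbound packet and admits inbound packets only when they match a recorded flow, beside a software-firewall egress policy that would raise a prompt for an unapproved program's outbound connection. All addresses, ports and program names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # "ip:port" of the sender
    dst: str     # "ip:port" of the receiver

Flow = Tuple[str, str, str]  # (proto, inside endpoint, outside endpoint)

class StatefulFilter:
    """Router/NAT-style stateful inspection: an outbound packet records a flow,
    and an inbound packet is accepted only if it is the reply to a recorded flow."""
    def __init__(self) -> None:
        self.flows: Set[Flow] = set()

    def outbound(self, pkt: Packet) -> bool:
        self.flows.add((pkt.proto, pkt.src, pkt.dst))
        return True  # every outbound packet passes, whichever program sent it

    def inbound(self, pkt: Packet) -> bool:
        # a reply has inside/outside swapped relative to the stored flow
        return (pkt.proto, pkt.dst, pkt.src) in self.flows

class EgressPolicy:
    """Software-firewall style: outbound is allowed only for (program, port)
    pairs the user already approved; anything else would trigger a prompt."""
    def __init__(self, approved: Set[Tuple[str, int]]) -> None:
        self.approved = approved

    def outbound(self, program: str, pkt: Packet) -> str:
        port = int(pkt.dst.rsplit(":", 1)[1])
        return "allow" if (program, port) in self.approved else "prompt"

def simulate() -> Dict[str, object]:
    """Constructed traffic: a browser session, an unsolicited inbound probe,
    and an unexpected outbound mail connection from a user-installed program."""
    spi = StatefulFilter()
    egress = EgressPolicy(approved={("browser.exe", 80), ("browser.exe", 443)})
    inside, web, outsider = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    browse = Packet("tcp", f"{inside}:40000", f"{web}:80")
    reply = Packet("tcp", f"{web}:80", f"{inside}:40000")
    probe = Packet("tcp", f"{outsider}:4444", f"{inside}:445")
    mail = Packet("tcp", f"{inside}:40001", f"{outsider}:25")
    return {
        "browse_out": spi.outbound(browse),      # True: outbound creates state
        "reply_in": spi.inbound(reply),          # True: matches the flow
        "probe_in": spi.inbound(probe),          # False: unsolicited inbound
        "mail_out_spi": spi.outbound(mail),      # True: SPI/NAT never asks
        "mail_out_egress": egress.outbound("updater.exe", mail),  # "prompt"
    }
```

The last two results are the crux of the disagreement: the stateful filter silently passes the outbound mail connection, while the egress policy catches it, but only if the user answers the prompt sensibly.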