[Dshield] "Personal Firewalls" are mostly snake-oil

Micheal Patterson micheal at cancercare.net
Mon Jul 22 18:25:23 GMT 2002

----- Original Message -----
From: "Young, David" <dyoung at intecs.com>
To: <list at dshield.org>
Sent: Monday, July 22, 2002 12:19 PM
Subject: Re: [Dshield] "Personal Firewalls" are mostly snake-oil

> >> JS> The biggest problem is that, just as with the Window$ model itself,
> >> JS> "personal firewalls" lock you into the same upgrade nose-ring that the
> >> JS> anti-virus companies are inflicting upon users: unless you keep up
> >> JS> with a relentless cycle of updates and latest-version purchases,
> >> JS> you're soon going to be SOL as new exploits come out.
> >>
> >> Ok tell me: what is "the window$ model" you seem so critical about?
> >The "Window$ model" (or more correctly the Micro$oft model) is a
> >neverending cycle of upgrades and patches and service packs that are
> >necessary to keep a security system up-to-date.
> As opposed to that clean, straightforward, uncomplicated model used by the
> Baskin-Robbins 33 flavors of Linux?  From my chair, this is a MUCH larger
> issue than what O/S is running. Life is hard. Maintaining security on ANY
> system that's connected to the net, open source or otherwise, is tedious,
> time-consuming and RISKY. I anticipate some will argue that running
> O/S's requires by nature a greater level of expertise. I would ask those
> individuals to examine how they GOT that expertise. It's not like there's a
> background process running that pops up after the nth iteration of
> config and tells the user "You're now smart enough to connect to the
> Internet". My point: Arrogance and self-delusion are not strictly limited to
> Micro$oft users. The scope is significantly larger. I submit it's time for
> the camps to declare the "mine's better" argument resolved.
> Regards,
> David

David, that and the fact that some people don't need the power of a
Checkpoint, PIX, *Nix (ipfilter, ipfw, etc.) but simply want a small, easy to
run package that doesn't have to be stateful just to keep the general public
out of most of their sockets. What I'm seeing here is that there is a vast
difference in what people consider to actually be a firewall software
package. Basic terms, it's a buffer zone between the internal system/LAN to
the external WAN. Nothing more, nothing less. The depth and strength of that
buffer depends on what the end user/admin wants it to be.


Micheal Patterson
Network Administration
Cancer Care Network
