[Dshield] Firewalls, real and make-believe

Evans, TJ tjevans at kpmg.com
Wed Sep 4 16:11:23 GMT 2002

This may not be on topic; but that has never stopped me before - 
	As soon as you think you are secure you have already lost the game.

Now, a little on topic ... 
(in fact, a topic that has been covered many times on many different lists:)
	There is a very key distinction that must be made when talking about
different types of firewalls, and what you define a type of firewall as
being/doing.  Just by saying a "software firewall" does not require that it
be a "personal firewall", and "personal firewall" typically includes other
functionality that is beyond the scope of just firewalling.

	Some (most?) hardware firewalls are for inbound traffic filtering
only; but also typically provide NAT/NAT Overload (PAT) functionality,
possibly serve as VPN termination points, etc.

	Most people, when saying software firewalls, really mean personal
firewalls; i.e. - reside on the machine they are protecting and ideally
perform things like application executable integrity checking, inbound +
outbound filtering, local logging, possibly email filtering, etc.
(Although some have corporate versions that centralize the management /
logging as well.)

	However - some software firewalls are just that - software that
performs many of the same functions as a "traditional" firewall; typically
these add more features such as application-level proxies, bi-directional
filtering to the normal FW functions and prettier configuration
menus/reports.  Usually with tradeoffs, of course - they reside on an OS and
are therefore dependent on it, they run on non-special-purpose hardware
(which is actually both a benefit and a drawback :)), their throughput is
limited by those two factors, etc.

Did I list every possible feature - no.
	There are more than a few vendors whose websites will be happy to
provide this for you :)

Is this meant to imply that I prefer HW over SW over Personal - no.
	Each has its place, and the current ideal (IMHO) is to have all 3,
as well as an up-to-date AntiVirus package on a machine that has also been
hardened and follows good 'secure computing policies' and is also used only
by trusted, security-aware users ... hey, I can dream can't I?

((the "Real Ideal" would be to not need any of these defenses ... but we
will just not think about that for now))

... as always, my thoughts are representative of my thoughts and my thoughts
alone, and reflect nothing but my thoughts.

-----Original Message-----
From: Raven [mailto:raven at earthlights.net] 
Sent: Tuesday, September 03, 2002 10:14 PM
To: list at dshield.org
Subject: Re[2]: [Dshield] Firewalls, real and make-believe

Hello Roger,

Wednesday, September 04, 2002, 2:22:30 AM, you wrote:

R> Bruce wrote:
R> "Yes, exactly. So no software-only product can be a true firewall."

R> This may be one of many ways of demonstrating software-only firewalls:

R> http://keir.net/firehole.html

Well, I downloaded firewall.exe, ran it and, although it was vaguely
ingenious in trying to use various Internet programs such as BFTP
Server, mIRC, Internet Explorer, Dialer200, etc., in trying to make
its connection, I am well and truly pleased to say that ZoneAlarm Pro
alerted me to *every* attempt. And that was even with my secondary
firewall disabled.


raven at earthlights.net
on Wednesday, 4 September 2002 at 14:11