Is Firwall necessay? - Firewalls


Thread: Is Firwall necessay?

  1. Is Firwall necessay?

    Is a software firewall such as Zone Alarm essential for added
    protection if I am already using the XP firewall, AVG antivirus (free)
    and have a wired router (D-link-524)? Will it offer me any additional
    protection? If so, is there a better free firewall than Zone alarm?

    Thanks.

  2. Re: Is Firwall necessay?

    In article <3c78r2hh7f4cksa4qpjnuugldbf36lm3v4@4ax.com>, ferrante276-ng@yahoo.com says...
    > Is a software firewall such as Zone Alarm essential for added
    > protection if I am already using the XP firewall, AVG antivirus (free)
    > and have a wired router (D-link-524)? Will it offer me any additional
    > protection? If so, is there a better free firewall than Zone alarm?


    Your primary means of protection from external sources would be the NAT
    Router, then properly secured computer/updates/security patches, then
    proper/quality Antivirus software. The Windows firewall provides NO
    protection in your setting as long as you have the NAT Router, and it
    doesn't provide much protection when you run as an Administrator as most
    malware and most good applications can create exceptions in the rules
    that you never know about.

    ZA, as long as you understand it, and run as a limited user, then you
    could use it and feel reasonably secure. I use Tiny or ZAP on my laptops
    when we enter an unknown area, and we use them specifically for being
    able to see what is attempting to access our system as well as block
    what attempts to access them - but, we could configure them so that we
    didn't need a firewall, but that also imposed some limitations on the
    way we can use our systems.

    --

    spam999free@rrohio.com
    remove 999 in order to email me

  3. Re: Is Firwall necessay?


    "Dickie Peters" wrote in message
    news:3c78r2hh7f4cksa4qpjnuugldbf36lm3v4@4ax.com...
    > Is a software firewall such as Zone Alarm essential for added
    > protection if I am already using the XP firewall, AVG antivirus (free)
    > and have a wired router (D-link-524)? Will it offer me any additional
    > protection? If so, is there a better free firewall than Zone alarm?
    >
    > Thanks.



    Your router, AVG free and Mozilla Firefox are all you need.
    Zone Alarm and all other 'personal firewalls' are not firewalls at all,
    they are all garbage!
    Visualize these two scenarios:

    -1
    You install ZA or some other similar crap, then you start your browser. Your
    'firewall' pops up a message asking you if you wish to allow the browser to
    access the internet and tells you a whole story about how dangerous that can
    be. You want to be safe and tell ZA to keep blocking it, but decide to keep
    your browser anyway because it has a cute icon.
    Then, you start your email client and you get another message asking you if
    you wish to allow it to access the net. You want to stay safe and tell ZA to
    keep blocking it, then you go to the nearest bookstore and buy all the books
    on telepathy, since you can't use electronic mail any more.
    You pop an audio cd in your drive and Windows Media Player tries to retrieve
    info on that cd to display it for you. But, ZA stops it. Then, you try to
    play an online game and ZA tells you it's not safe and you allow it to block
    the game.
    At the end of the day, after you allowed ZA to control your life, you ask
    yourself:
    Why the **** am I paying for internet access?

    -2
    You install ZA or some other similar crap, but this time you allow
    everything to access the internet, because you need to browse and
    communicate, etc...
    At the end of the day, you ask yourself:
    Why the **** did I install Zone Alarm?



  4. Re: Is Firwall necessay?

    Jack wrote:

    [why ZoneAlarm is crap]

    -3 It's broken, totally broken, just like any other PFW. Most recent case:
    Computer A had ZoneAlarm running. A could ping B, but B could not ping A.
    ZoneAlarm got deactivated, still didn't work. ZoneAlarm got uninstalled,
    everything worked fine.

  5. Re: Is Firwall necessay?


    "Sebastian Gottschalk" wrote in message
    news:51lrggF1kkmecU1@mid.dfncis.de...
    > Jack wrote:
    >
    > [why ZoneAlarm is crap]
    >
    > -3 It's broken, totally broken, just like any other PFW. Most recent case:
    > Computer A had ZoneAlarm running. A could ping B, but B could not ping A.
    > ZoneAlarm got deactivated, still didn't work. ZoneAlarm got uninstalled,
    > everything worked fine.


    That wasn't so bad, I have recently tested close to 100 different pfw's,
    looking for one that blocks outside intruders, not me. Some of them screwed
    up my settings and left them screwed up even after uninstall. Luckily, I
    wouldn't test any crappy software without a fresh Ghost image.
    The only software firewall that does what it should do, detect an attack and
    give you the option to block the offending IP, was Black Ice. It's a shame
    it crashed my email server every five minutes.
    I got a better router in the meantime and I'm happy.



  6. Re: Is Firwall necessay?

    Jack wrote:

    > The only software firewall that does what it should do, detect an attack and
    > give you the option to block the offending IP,


    Blocking the offending is a wonderful idea to shoot yourself in the foot.

    > was Black Ice.


    Bad memories coming up... wasn't this the software where ISS demonstrated
    how RegExps should not be used?

    > I got a better router in the meantime and I'm happy.


    What about some serious HPBF implementation for Windows like Wipfw, InJoy
    Firewall or the Windows Firewall? Or what about not using any packet filter
    at all?

  7. Re: Is Firwall necessay?

    "Sebastian Gottschalk" wrote in message
    news:51or4eF1lc5h4U1@mid.dfncis.de...
    > What about some serious HPBF implementation for Windows like Wipfw, InJoy
    > Firewall or the Windows Firewall? Or what about not using any packet filter
    > at all?


    As cheap firewalls go, I'm fond of the Kerio Enterprise firewall, which
    seems to give you a Checkpoint style rule interface and about 40% of the
    capability of Checkpoint, but at about 1/8th the price. Around $350 /
    computer, wish it were less.

    Agreed that the ZoneAlarms of the world are so anxious to be cute, and so
    targeted at not stopping the truly stupid user, that they are nearly
    completely worthless to anyone who understands networking.

    --
    Will




  8. Re: Is Firwall necessay?

    Will wrote:
    > "Sebastian Gottschalk" wrote in message
    > news:51or4eF1lc5h4U1@mid.dfncis.de...
    >> What about some serious HPBF implementation for Windows like Wipfw, InJoy
    >> Firewall or the Windows Firewall? Or what about not using any packet filter
    >> at all?

    >
    > As cheap firewalls go, I'm fond of the Kerio Enterprise firewall, which
    > seems to give you a Checkpoint style rule interface and about 40% of the
    > capability of Checkpoint, but at about 1/8th the price. Around $350 /
    > computer, wish it were less.
    >
    > Agreed that the ZoneAlarms of the world are so anxious to be cute, and so
    > targeted at not stopping the truly stupid user, that they are nearly
    > completely worthless to anyone who understands networking.


    If you had been following the ramblings of Sebastian, you'd know that,
    in his eyes, there are *NO* effective software firewalls.

    LQTM

    --
    Notan

  9. Re: Is Firwall necessay?

    Will wrote:

    > "Sebastian Gottschalk" wrote in message
    > news:51or4eF1lc5h4U1@mid.dfncis.de...
    >> What about some serious HPBF implementation for Windows like Wipfw, InJoy
    >> Firewall or the Windows Firewall? Or what about not using any packet filter
    >> at all?

    >
    > As cheap firewalls go, I'm fond of the Kerio Enterprise firewall,


    Yeah, that thing even got an ICSA evaluation. Eh... did you ever read the
    evaluation report they're so proud of? Seems like this thing is horribly
    insecure and very vulnerable to DoS, thus after many bugfixes hardly
    passed the evaluation at all.

    > which seems to give you a Checkpoint style rule interface


    and a horrible ruleset expressiveness.

    > and about 40% of the capability of Checkpoint, but at about 1/8th the
    > price. Around $350 / computer, wish it were less.


    And Wipfw is for free. Now, what's your point? If you're not going to
    build a routing firewall but merely want a host-based packet filter, I'd
    say that Kerio Enterprise is total overkill.

    > Agreed that the ZoneAlarms of the world are so anxious to be cute, and so
    > targeted at not stopping the truly stupid user, that they are nearly
    > completely worthless to anyone who understands networking.


    Full ACK. Just the lack to refer to TCP flags or the captures TCP session
    states should make that obvious. One must be really totally clueless to
    get along without such prerequisites.

  10. Re: Is Firwall necessay?

    "Sebastian Gottschalk" wrote in message
    news:520r9pF1lj97qU1@mid.dfncis.de...
    > > which seems to give you a Checkpoint style rule interface

    >
    > and a horrible ruleset expressiveness.


    Which routing firewalls do you like that have a GUI configuration interface
    and cost under $900?


    > > and about 40% of the capability of Checkpoint, but at about 1/8th the
    > > price. Around $350 / computer, wish it were less.

    >
    > And Wipfw is for free. Now, what's your point? If you're not going to
    > build a routing firewall but merely want a host-based packet filter, I'd
    > say that Kerio Enterprise is total overkill.


    I would always want a firewall to have some level of stateful inspection.
    Packet filters that don't even attempt to see who started the connection are
    pretty easy to defeat.

    For my own use, I prefer routing firewalls since I tend to use virtual
    machines a lot and those get put on separate subnets behind my computer.

    I'm certainly not bragging that Kerio Enterprise is the best routing
    firewall. It's just good value for the buck, for protecting workstations
    or low end applications behind a main firewall. I certainly do see a lot
    of room for improvement, and I'm certainly open to suggestions about what is
    better, without spending Checkpoint or ISA prices.

    --
    Will



  11. Re: Is Firwall necessay?

    Will wrote:

    > "Sebastian Gottschalk" wrote in message
    > news:520r9pF1lj97qU1@mid.dfncis.de...
    >>> which seems to give you a Checkpoint style rule interface

    >>
    >> and a horrible ruleset expressiveness.

    >
    > Which routing firewalls do you like that have a GUI configuration interface
    > and cost under $900?


    I would not build any firewall upon Windows. Anyway, judging from your
    description you wanted a host-based packet filter.

    >>> and about 40% of the capability of Checkpoint, but at about 1/8th the
    >>> price. Around $350 / computer, wish it were less.

    >>
    >> And Wipfw is for free. Now, what's your point? If you're not going to
    >> build a routing firewall but merely want a host-based packet filter, I'd
    >> say that Kerio Enterprise is total overkill.

    >
    > I would always want a firewall to have some level of stateful inspection.


    As Wipfw has.

    > Packet filters that don't even attempt to see who started the connection are
    > pretty easy to defeat.


    Nonsense. What difference should it make, except adding more potentially
    vulnerable code?

    > For my own use, I prefer routing firewalls since I tend to use virtual
    > machines a lot and those get put on separate subnets behind my computer.


    This sounds even more nonsensical, since this both wouldn't provide any
    protection and can't even work.

  12. Re: Is Firwall necessay?

    In article , westes-usc@noemail.nospam says...
    > "Sebastian Gottschalk" wrote in message
    > news:520r9pF1lj97qU1@mid.dfncis.de...
    > > > which seems to give you a Checkpoint style rule interface

    > >
    > > and a horrible ruleset expressiveness.

    >
    > Which routing firewalls do you like that have a GUI configuration interface
    > and cost under $900?


    I see that SG didn't answer your question when he replied, he is really
    good at ignoring questions and Side-Stepping them.

    In the under $400 market, I would pick a DFL-700 device.

    In the under $900 market, I would pick a WatchGuard X55e (about $920)
    and then a X20e for a small shop (20 users, about $600).


    --

    spam999free@rrohio.com
    remove 999 in order to email me

  13. Re: Is Firwall necessay?

    On Sat, 27 Jan 2007 22:15:49 -0800, "Will" wrote:

    >"Sebastian Gottschalk" wrote in message
    >news:520r9pF1lj97qU1@mid.dfncis.de...
    >> > which seems to give you a Checkpoint style rule interface

    >>
    >> and a horrible ruleset expressiveness.

    >
    >Which routing firewalls do you like that have a GUI configuration interface
    >and cost under $900?


    www.pfsense.com


    greg

    --
    "He's raising an unholy army of singing dinosaurs!"

  14. Re: Is Firwall necessay?

    On Sun, 28 Jan 2007 12:47:22 +0100, Sebastian Gottschalk wrote:


    >> Which routing firewalls do you like that have a GUI configuration interface
    >> and cost under $900?

    >
    >I would not build any firewall upon Windows.


    That's your problem.

    Security is a process, not a product,

    Those of us who work in the real world have deployed and supported FW1 on
    NT for the better part of a decade. (Not my 1st choice as a checkpoint
    platform, but that's a client decision, some sites do not tolerate Unix in
    any shape or form).

    Those of us who work in the real world have evaluated ISA 2k4/2k6 and found
    a lot in there to like.

    It usually takes MS about 3 attempts to get something approaching right &
    in the case of ISA 2k4/2k6 it's a very capable enterprise grade firewall
    solution.

    If MS did the right thing and made EMC an offer for rainwall/rainconnect
    they couldn't refuse , it would IMHO be a viable option for a multitier
    solution in any enterprise sized MS shop.





    greg

    --
    "He's raising an unholy army of singing dinosaurs!"

  15. Re: Is Firwall necessay?

    "Sebastian Gottschalk" wrote in message
    news:523gq8F1ml9pmU1@mid.dfncis.de...
    > > Packet filters that don't even attempt to see who started the connection
    > > are pretty easy to defeat.
    >
    > Nonsense. What difference should it make, except adding more potentially
    > vulnerable code?


    Let's say you want to create a firewall rule that allows the host behind the
    firewall to make DNS queries going to the Internet.

    A firewall that tracks who initiated the request and looks for the response
    to come within a certain time period would allow a rule that specifies the
    source host or network behind your firewall and the destination as the
    outside network, using DNS UDP 53. The firewall would reject UDP 53
    queries coming from the outside in unless the firewall's state table could
    match those packets to an appropriate outstanding request.

    To contrast, a stupid packet filter defines simple rules for DNS queries
    that allow destination port 53/UDP out and source port 53/UDP in. If
    there is no internal state table that keeps track of queries that originate
    from your internal network, any intruder can bypass your firewall simply by
    using a source port of 53 and sending the data as a UDP packet. There are
    lots of routers and simple packet filtering firewalls that implement designs
    not much more sophisticated than that.


    > > For my own use, I prefer routing firewalls since I tend to use virtual
    > > machines a lot and those get put on separate subnets behind my computer.

    >
    > This sounds even more nonsensical, since this both wouldn't provide any
    > protection and can't even work.


    Do you always have the habit of making assertions without submitting any
    form of evidence or reasoning? At very least try. You may not be able to
    control the fact that you are disagreeable to every idea, but you could at
    least try to make yourself effective in the process. Otherwise your posts
    all come across as just grumpy emotional displays, no factual information
    provided.

    It works just fine. You define virtual adapters that are private networks
    between the firewall host and the virtual computer. Routing is turned off
    on the box, and all traffic must pass through the routing firewall. The
    routing firewall sees the virtual adapter as it would any physical adapter,
    and you can construct host and network based rules, NAT rules, whatever,
    that use those virtual adapters. I've tested such firewalls with packet
    constructors like HPing3 and while they are not great they are a whole level
    beyond what host based packet filters like ZoneAlarm can do.

    It also works more securely than a host based packet filter. There are
    lots of published mechanisms for circumventing software based firewalls that
    run on the same OS as the application you are trying to constrain. You can
    circumvent a firewall that runs on the same host OS as your application by
    playing games with how the OS APIs are called, installing rootkits, etc, on
    the OS. If the software you are trying to constrain or publish out runs on
    a different OS on a virtual computer, and your firewall sees that traffic on
    the wire as it would a separate physical computer with a separate ethernet
    network, there is a lot less the application can do to bypass the firewall
    rules. If it is a virus it can malform packets, but most commercial
    applications don't do that. So there are just fewer tricks that can be
    used to circumvent the firewall.

    --
    Will
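The DNS rule contrast above can be made concrete with a small simulation. The code below is an added example and is not from any poster in this thread or from any of the products named; it models a stateless filter with the two static rules Will describes (dport 53/udp out, sport 53/udp in) beside a stateful filter that records each outbound query and admits only a matching reply within a timeout. All addresses, ports and timings are constructed sample values; the 5-second timeout and the one-reply-per-query policy are assumptions of the model, not the behaviour of any particular firewall.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str   # "out": LAN -> Internet, "in": Internet -> LAN
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"

def stateless_dns_filter(pkt: Packet, now: float) -> str:
    """Two static rules: allow UDP to dport 53 outbound, allow UDP from sport 53 inbound.
    'now' is ignored because this filter keeps no state."""
    if pkt.proto != "udp":
        return "drop"
    if pkt.direction == "out" and pkt.dst_port == 53:
        return "allow"
    if pkt.direction == "in" and pkt.src_port == 53:
        return "allow"
    return "drop"

class StatefulDnsFilter:
    """Records outbound queries in a state table and only admits inbound UDP
    that answers a still-pending query (reversed 4-tuple, within the timeout)."""

    def __init__(self, timeout: float = 5.0) -> None:
        self.timeout = timeout
        # (client_ip, client_port, server_ip, server_port) -> expiry time
        self.pending: Dict[Tuple[str, int, str, int], float] = {}

    def __call__(self, pkt: Packet, now: float) -> str:
        # Drop expired entries first so a late reply is not matched.
        self.pending = {k: t for k, t in self.pending.items() if t > now}
        if pkt.proto != "udp":
            return "drop"
        if pkt.direction == "out" and pkt.dst_port == 53:
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.pending[key] = now + self.timeout
            return "allow"
        if pkt.direction == "in":
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            if key in self.pending:
                del self.pending[key]   # one reply per query (assumption of the model)
                return "allow"
        return "drop"

# Constructed traffic: documentation-range addresses, not real hosts.
CLIENT = "192.168.0.10"
RESOLVER = "203.0.113.53"
TRAFFIC: List[Tuple[float, Packet]] = [
    (0.0, Packet("out", CLIENT, 40000, RESOLVER, 53)),    # legitimate query
    (0.1, Packet("in", RESOLVER, 53, CLIENT, 40000)),     # its reply
    (1.0, Packet("in", "198.51.100.7", 53, CLIENT, 445)), # unsolicited, sport 53 only
    (2.0, Packet("out", CLIENT, 40001, RESOLVER, 53)),    # second query
    (9.0, Packet("in", RESOLVER, 53, CLIENT, 40001)),     # reply after the 5 s timeout
]

def stateless_verdicts() -> List[str]:
    return [stateless_dns_filter(p, t) for t, p in TRAFFIC]

def stateful_verdicts() -> List[str]:
    f = StatefulDnsFilter(timeout=5.0)
    return [f(p, t) for t, p in TRAFFIC]

if __name__ == "__main__":
    for (t, p), a, b in zip(TRAFFIC, stateless_verdicts(), stateful_verdicts()):
        print(f"t={t:4.1f} {p.direction:3} {p.src_ip}:{p.src_port} -> "
              f"{p.dst_ip}:{p.dst_port}  stateless={a:5}  stateful={b}")
```

The stateless filter admits every packet in the list, including the unsolicited one aimed at port 445 and the reply that arrives long after its query; the stateful filter admits only the two replies that match a pending query. Note what the state table does not do: it matches on addresses, ports and timing only, so a reply that is well-formed at that level is passed through regardless of what it carries, which is the point Sebastian raises next about tunnelling over DNS.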



  16. Re: Is Firwall necessay?

    Greg Hennessy wrote:

    >>> Which routing firewalls do you like that have a GUI configuration interface
    >>> and cost under $900?

    >>
    >>I would not build any firewall upon Windows.

    >
    > That's your problem.
    >
    > Security is a process, not a product,
    >
    > Those of us who work in the real world have deployed and supported FW1 on
    > NT for the better part of a decade. (Not my 1st choice as a checkpoint
    > platform, but that's a client decision, some sites do not tolerate Unix in
    > any shape or form).


    And if you had real experience, you could build any type of firewall on any
    OS. And then, if no such stupid "no Unix" constraints are given,
    BSD+ipfw/pf or Linux+netfilter would be the best choice, for obvious
    reasons.

    And, depending on your company's policy, you should really consider not
    working for clients which demand firewalls on Windows, since it's not worth
    the risk.

    > Those of us who work in the real world have evaluated ISA 2k4/2k6 and found
    > a lot in there to like.
    >
    > It usually takes MS about 3 attempts to get something approaching right &
    > in the case of ISA 2k4/2k6 it's a very capable enterprise grade firewall
    > solution.


    ISA is pretty much based on the integration to proprietary Windows
    protocols that can't be easily handled by other firewall products or would
    require separate hosts (even if virtual).

  17. Re: Is Firwall necessay?

    Will wrote:

    > "Sebastian Gottschalk" wrote in message
    > news:523gq8F1ml9pmU1@mid.dfncis.de...
    >>> Packet filters that don't even attempt to see who started the connection
        ~~~ ~~~
    >>> are pretty easy to defeat.
    >>
    >> Nonsense. What difference should it make, except adding more potentially
    >> vulnerable code?

    >
    > Let's say you want to create a firewall rule that allows the host behind the
    > firewall to make DNS queries going to the Internet.
    >
    > A firewall that tracks who initiated the request and looks for the response
    > to come within a certain time period would allow a rule that specifies the
    > source host or network behind your firewall and the destination as the
    > outside network, using DNS UDP 53. The firewall would reject UDP 53
    > queries coming from the outside in unless the firewall's state table could
    > match those packets to an appropriate outstanding request.
    >
    > To contrast, a stupid packet filter defines simple rules for for DNS queries
    > that allow destination port 53/UDP out and source port 53/UDP in.


    I just underlined where you got it wrong. Stateful filtering has nothing to
    do with identifying processes.

    > If there is no internal state table that keeps track of queries that originate
    > from your internal network, any intruder can bypass your firewall simply by
    > using a source port of 53 and sending the data as a UDP packet.


    And if there is, he can tunnel through DNS. Your point being?

    >>> For my own use, I prefer routing firewalls since I tend to use virtual
    >>> machines a lot and those get put on separate subnets behind my computer.

    >>
    >> This sounds even more nonsensical, since this both wouldn't provide any
    >> protection and can't even work.

    >
    > Do you always have the habit of making assertions without submitting any
    > form of evidence or reasoning? At very least try.


    Fine:
    1. Virtual machines share the same physical interface.
    2. If you're using bridging, you're hosed.
    3a. If you're providing NAT through the VM monitor, the firewall can't
    work since it doesn't know about the NAT states, or can't provide any
    security because you have to emulate that behaviour in an obviously
    insecure manner.
    3b. If you're providing NAT through the firewall, then the VMs won't get
    any connection.
    3c. If you're providing NAT through both mechanisms, you still have the
    problem of the two mechanisms not knowing the states of each other, so
    you'll either get it insecure or non-working.

    I thought that this should be obvious to someone who claims to run a
    firewall and knows about NAT and virtual machines implementation.

    > It works just fine. You define virtual adapters that are private networks
    > between the firewall host and the virtual computer. Routing is turned off
    > on the box, and all traffic must pass through the routing firewall. The
    > routing firewall sees the virtual adapter as it would any physical adapter,
    > and you can construct host and network based rules, NAT rules, whatever,
    > that use those virtual adapters. I've tested such firewalls with packet
    > constructors like HPing3


    What about creating trivial scenarios which disprove your idea?

    Just like this:

    Virtual Machine A opens a TCP connection with src.ip=192.168.1.1
    src.port=3000 to dst.ip=12.34.56.78 dst.port=80. The NAT mechanism of the
    VM translates it to src.ip=192.168.100.1 src.port=1040. Then it gets passed
    through the routing firewall, which translates it to src.ip=78.56.34.21
    src.port=1040.

    The connection times out, VM A drops the connection and the VM NAT
    mechanism deassociates the NAT state.

    Now the physical host opens a connection with src.port=1040 and creates a
    connection to 12.34.56.78:80 as well.

    Now an answer to 78.56.34.21:1040 is received.

    Question: What should the routing firewall do?
    a) forward to the virtual interface of VM A
    b) forward to the program running on the physical host
    c) drop the packet

    Hint: Neither is right. From a security perspective, one would choose C,
    but then you'd have ****ed up the network. If you don't choose C, you're
    trivially getting insecure.

    I guess you'd be able to construct a similar scenario for the case of port
    forwarding being utilized.

    > and while they are not great they are a whole level
    > beyond what host based packet filters like ZoneAlarm can do.


    Anything is better than ZoneAlarm. Doesn't make your stupid application or
    serious software any more serious.

    > It also works more securely than a host based packet filter. There are
    > lots of published mechanisms for circumventing software based firewalls that
    > run on the same OS as the application you are trying to constrain. You can
    > circumvent a firewall that runs on the same host OS as your application by
    > playing games with how the OS APIs are called, installing rootkits, etc, on
    > the OS. If the software you are trying to constrain or publish out runs on
    > a different OS on a virtual computer, and your firewall sees that traffic on
    > the wire as it would a separate physical computer with a separate ethernet
    > network, there is a lot less the application can do to bypass the firewall
    > rules.


    They share one physical interface, and the host is supposed to be secured as
    well. That's why this often heard idea fails so blatantly.

    > If it is a virus it can malform packets, but most commercial
    > applications don't do that.


    Legitimate applications don't require any such control. That's exactly why
    they're legitimate.

    > So there are just fewer tricks that can be used to circumvent the firewall.


    Let's see... you're adding a VM, complex configuration and a non-working or
    trivially insecure setup... for the sake of... achieving nothing?

  18. Re: Is Firwall necessay?

    On Mon, 29 Jan 2007 12:25:38 +0100, Sebastian Gottschalk wrote:


    >> Security is a process, not a product,
    >>
    >> Those of us who work in the real world have deployed and supported FW1 on
    >> NT for the better part of a decade. (Not my 1st choice as a checkpoint
    >> platform, but that's a client decision, some sites do not tolerate Unix in
    >> any shape or form).

    >
    >And if you had real experience, you could build any type of firewall on any
    >OS. And then, if no such stupid "no Unix" constraints are given,


    Only someone who has no clue regarding operational risk could make such a
    ridiculous statement.


    >BSD+ipfw/pf or Linux+netfilter would be the best choice, for obvious
    >reasons.


    Don't teach your grandmother how to suck eggs.

    Show me a 'free' solution which can dynamically filter soap/xml/rpc *and*
    doesn't require command line hackery to manage.

    Show me the netfilter/pf solution that can dynamically fixup and sanitise a
    huge range of application protocols other than basic FTP.

    Again you have demonstrated a lack of real world experience, client
    requirements extend far beyond mere L3 packet filtering.


    >And, depending on your company's policy, you should really consider not
    >working for clients which demand firewalls on Windows, since it's not worth
    >the risk.


    Considering that you have singularly failed to quantify that 'risk' in
    anything resembling terms other than emoting hearsay, I'll treat your
    advice with the due consideration it deserves.


    >> Those of us who work in the real world have evaluated ISA 2k4/2k6 and found
    >> a lot in there to like.
    >>
    >> It usually takes MS about 3 attempts to get something approaching right &
    >> in the case of ISA 2k4/2k6 it's a very capable enterprise grade firewall
    >> solution.

    >
    >ISA is pretty much based on the integration to proprietary Windows
    >protocols that can't be easily handled by other firewall products or would
    >require separate hosts (even if virtual).



    Oh puhleeze. Enough with the bull**** already, you clearly do *not* know
    about the commercial products under discussion.



    greg




    --
    "He's raising an unholy army of singing dinosaurs!"

  19. Re: Is Firwall necessay?

    Greg Hennessy wrote:

    >>And if you had real experience, you could build any type of firewall on any
    >>OS. And then, if no such stupid "no Unix" constraints are given,

    >
    > Only someone who has no clue regarding operational risk could make such a
    > ridiculous statement.


    What are you referring to? Calling the constraint stupid? Well, it
    certainly is. And has nothing to do with operational risk, for obvious
    reasons.

    >>BSD+ipfw/pf or Linux+netfilter would be the best choice, for obvious
    >>reasons.

    >
    > Don't teach your grandmother how to suck eggs.
    >
    > Show me a 'free' solution which can dynamically filter soap/xml/rpc *and*
    > doesn't require command line hackery to manage.


    This "command line hackery" as you call it is exactly why you can utilize a
    wide variety of management tools, including graphical ones. Just show me
    one "non-free" solution that could compare to the management of large
    networks with ShoreWall.

    > Show me the netfilter/pf solution that can dynamically fixup and sanitise a
    > huge range of application protocols other than basic FTP.


    Well, netfilter. I just looked at the list... weeh, more than 900 helper
    modules for netfilter. Including one for such nasty stuff like H.323 which
    you can find no-where else.

    > Again you have demonstrated a lack of real world experience, client
    > requirements extend far beyond mere L3 packet filtering.


    I never claimed anything in this way. But well, as you may understand, most
    L7 protocol filtering is done using proxy firewalls.

    >>And, depending on your company's policy, you should really consider not
    >>working for clients which demand firewalls on Windows, since it's not worth
    >>the risk.

    >
    > Considering that you have singularly failed to quantify that 'risk' in
    > anything resembling terms other than emoting hearsay, I'll treat your
    > advice with the due consideration it deserves.


    sizeof(Windows_installation_stripped_down) = 300 MB+
    sizeof(Linux_from_a_scratch+netfilter) = 1 MB

    I rest my case. You really don't understand how much overkill and
    complexity a Windows installation provides, and how hard it is to properly
    secure it just on its own.

    >>> Those of us who work in the real world have evaluated ISA 2k4/2k6 and found
    >>> a lot in there to like.
    >>>
    >>> It usually takes MS about 3 attempts to get something approaching right &
    >>> in the case of ISA 2k4/2k6 it's a very capable enterprise grade firewall
    >>> solution.

    >>
    >>ISA is pretty much based on the integration to proprietary Windows
    >>protocols that can't be easily handled by other firewall products or would
    >>require separate hosts (even if virtual).

    >
    > Oh puhleeze. Enough with the bull**** already, you clearly do *not* know
    > about the commercial products under discussion.


    I do. If you really need something like ISA, then ISA is great. But better
    don't create such an unnecessary need.

  20. Re: Is Firwall necessay?

    On Mon, 29 Jan 2007 18:44:51 +0100, Sebastian Gottschalk wrote:

    >Greg Hennessy wrote:
    >
    >>>And if you had real experience, you could build any type of firewall on any
    >>>OS. And then, if no such stupid "no Unix" constraints are given,

    >>
    >> Only someone who has no clue regarding operational risk could make such a
    >> ridiculous statement.

    >
    >What are you referring to? Calling the constraint stupid? Well, it
    >certainly is.


    Oh puhleeze, peddle the old time religion somewhere else.

    >And has nothing to do with operational risk, for obvious
    >reasons.


    With respect, you don't know what the term means. From an operational risk
    perspective it is far preferable for an organisation to manage something it
    knows how to do properly than to attempt to manage something it knows
    little or nothing about. The potential risk of loss is a lot smaller.

    >
    >>>BSD+ipfw/pf or Linux+netfilter would be the best choice, for obvious
    >>>reasons.

    >>
    >> Don't teach your grandmother how to suck eggs.
    >>
    >> Show me a 'free' solution which can dynamically filter soap/xml/rpc *and*
    >> doesn't require command line hackery to manage.

    >
    >This "command line hackery" as you call it is exactly why you can utilize a
    >wide variety of management tools, including graphical ones.


    You haven't answered the question.

    Show me the free out of the box pf/ipfw/netfilter solution which can filter
    soap, xml & rpc. Pointing to an unsupportable netfilter hack someone has
    posted on sourceforge doesn't cut the mustard in an enterprise environment.

    > Just show me
    >one "non-free" solution that could compare to the management of large
    >networks with ShoreWall.


    BWAHAHAHA! Oh Jesus wept... Shorewall .... Look, do yourself a favour, I'll
    give you some hints: Cisco Security Manager, Checkpoint Provider-1,
    Netscreen Security Manager, just to name 3. Your lack of knowledge on the
    topic is just too embarrassing for words.

    >> Show me the netfilter/pf solution that can dynamically fixup and sanitise a
    >> huge range of application protocols other than basic FTP.

    >
    >Well, netfilter. I just looked at the list... weeh, more than 900 helper
    >modules for netfilter.


    You don't comprehend the change management constraints which enterprises
    operate under.

    The notion that risk management in any large organisation would even
    contemplate permitting the roll out of netfilter 'helper' modules across a
    global network to selectively filter SOAP & RPC is hilarious.

    Never mind rolling out hacks which run application layer filtering in
    kernel space.

    > Including one for such nasty stuff like H.323 which
    >you can find no-where else.


    Oh gawd. Open your eyes puhleeze. Crisco, Checkpoint and Netscreen can and
    do fixup 323 and other voip protocols.

    >> Again you have demonstrated a lack of real world experience, client
    >> requirements extend far beyond mere L3 packet filtering.

    >
    >I never claimed anything in this way.


    Of course you did, you insisted

    "BSD+ipfw/pf or Linux+netfilter would be the best choice, for obvious
    reasons."

    without having any idea of what the client requirements were.

    >But well, as you may understand, most
    >L7 protocol filtering is done using proxy firewalls.


    Again you make authoritative claims without having a clue of the real
    world capabilities of the products in the market place. In the real world,
    there are 3 main players, Crisco, Juniper and Checkpoint. They all
    provide L7 filtering in various forms.

    The notion that

    "*most* L7 protocol filtering is done using proxy firewalls"

    is arrant nonsense.

    >
    >>>And, depending on your company's policy, you should really consider not
    >>>working for clients which demand firewalls on Windows, since it's not worth
    >>>the risk.

    >>
    >> Considering that you have singularly failed to quantify that 'risk' in
    >> anything resembling terms other than emoting hearsay, I'll treat your
    >> advice with the due consideration it deserves.

    >
    >sizeof(Windows_installation_stripped_down) = 300 MB+
    >sizeof(Linux_from_a_scratch+netfilter) = 1 MB
    >
    >I rest my case.


    Ridiculously irrelevant. Show me a 1 meg LFS floppy disk with support for
    say OSPF, BGP, sparse PIM which can dynamically route several hundred
    market data feeds delivered through trunks running into a Cat 6509.

    > You really don't understand how much overkill and
    >complexity a Windows installation provides, and how hard it is to properly
    >secure it just on its own.


    By that reasoning the same fallacious 'point' would apply to Splat Pro or
    Solaris.

    Windows Server is *not* hard to secure. Whether you choose to believe that
    is not my problem.

    >>>> Those of us who work in the real world have evaluated ISA 2k4/2k6 and found
    >>>> a lot in there to like.
    >>>>
    >>>> It usually takes MS about 3 attempts to get something approaching right &
    >>>> in the case of ISA 2k4/2k6 it's a very capable enterprise grade firewall
    >>>> solution.
    >>>
    >>>ISA is pretty much based on the integration to proprietary Windows
    >>>protocols that can't be easily handled by other firewall products or would
    >>>require separate hosts (even if virtual).

    >>
    >> Oh puhleeze. Enough with the bull**** already, you clearly do *not* know
    >> about the commercial products under discussion.

    >
    >I do.


    You don't, it's painfully obvious that your exposure to anything other than
    soho solutions to security infrastructure delivery is extremely limited.


    greg


    --
    "He's raising an unholy army of singing dinosaurs!"
