A computer components & hardware forum. HardwareBanter

Gigabyte or Abit or Asus
#51
March 25th 05, 05:35 AM
spodosaurus

Ed Light wrote:
"David Maynard" wrote

What I'm trying to figure out is if it really 'leaked' a port or if it's
simply that one was properly enabled and you just didn't realize it.



The online test said the port was visible, or something.

It was shields up or something like that.



That's a crap tester. There's no point in running two software firewalls
except to cause problems for the user. Buy a router with SPI and use
that as a hardware firewall if you really think you need the protection.

Ari

--
spammage trappage: replace fishies_ with yahoo

I'm going to die rather sooner than I'd like. I tried to protect my
neighbours from crime, and became the victim of it. Complications in
hospital following this resulted in a serious illness. I now need a bone
marrow transplant. Many people around the world are waiting for a marrow
transplant, too. Please volunteer to be a marrow donor:
http://www.abmdr.org.au/
http://www.marrow.org/
#52
March 27th 05, 08:55 AM
Jay T. Blocksom

[f'ups set to alt.comp.periphs.mainboard.asus, exclusively]

On Tue, 22 Mar 2005 13:52:40 +0000 (UTC), in
alt.comp.periphs.mainboard.asus, "Scott"
wrote:

[snip]

"Nero" wrote in message
...
What the kinhell you runnin two firewalls for?
Why run SP2 firewall AND Norton??
Think you will be better protected?
That's like wearin a belt and suspenders


I'm running two firewalls for extra protection.

[snip]

You're kidding yourself.

First, these so-called "software firewalls" are ALL inherently flawed, by
simple virtue of the fact that they are running on the same system they
attempt to protect -- that is a functional oxymoron. A truism:

You can't block a port with software that runs on the same machine where
the attacks are aimed. That's like trying to stop bullets by shoving
Kevlar up your backside. By the time the bullet hits the Kevlar, the
damage has been done.
-- Morely 'Spam is theft' Dotes in NANAE, 13-AUG-2003

But beyond that, running TWO of them is just plain silly. If either
pseudo-firewall is intelligently designed and properly configured, then it
will by itself provide ALL the "protection" that any such pseudo-firewall is
capable of. And if it is *not* intelligently designed and properly
configured, then adding yet another grossly broken "firewall" isn't going to
buy you anything (except headaches, of course).

I like to be careful just in case someone cracks through one of them; at
least I'm protected that little bit more.

[snip]

No, you're not.

--

Jay T. Blocksom
--------------------------------
Appropriate Technology, Inc.
usenet02[at]appropriate-tech.net

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Unsolicited advertising sent to this domain is expressly prohibited under
47 USC S227 and State Law. Violators are subject to prosecution.
#53
March 27th 05, 12:07 PM
Ben Pope

Jay T. Blocksom wrote:
[f'ups set to alt.comp.periphs.mainboard.asus, exclusively]

On Tue, 22 Mar 2005 13:52:40 +0000 (UTC), in
alt.comp.periphs.mainboard.asus, "Scott"
wrote:

[snip]

"Nero" wrote in message
...
What the kinhell you runnin two firewalls for?
Why run SP2 firewall AND Norton??
Think you will be better protected?
That's like wearin a belt and suspenders


I'm running two firewalls for extra protection.

[snip]

You're kidding yourself.


Agreed. Never run 2 firewalls on one machine.

First, these so-called "software firewalls" are ALL inherently flawed, by
simple virtue of the fact that they are running on the same system they
attempt to protect -- that is a functional oxymoron. A truism:

You can't block a port with software that runs on the same machine where
the attacks are aimed. That's like trying to stop bullets by shoving
Kevlar up your backside. By the time the bullet hits the Kevlar, the
damage has been done.
-- Morely 'Spam is theft' Dotes in NANAE, 13-AUG-2003


I disagree. A software firewall is useful to block ports and hide
servers (services) on your machine from the outside world. If these
servers have a security flaw, then they could be exploited from outside,
and the software firewall will be able to protect you. It's also good
for blocking access to the internet from rogue software on your machine.

They can also hide you from people who port scan (poorly, but quickly),
by turning off ping etc. (Not that I think turning off ping is an
effective security measure).

Of course, they can't defend your machine from a DoS style attack, but
then a hardware firewall isn't going to help much more for the home user.

Ben
--
A7N8X FAQ: www.ben.pope.name/a7n8x_faq.html
Questions by email will likely be ignored, please use the newsgroups.
I'm not just a number. To many, I'm known as a String...
#54
March 29th 05, 09:29 AM
Jay T. Blocksom

On Sun, 27 Mar 2005 12:07:53 +0100, in alt.comp.periphs.mainboard.asus, Ben
Pope wrote:

Jay T. Blocksom wrote:

[snip]

First, these so-called "software firewalls" are ALL inherently flawed, by
simple virtue of the fact that they are running on the same system they
attempt to protect -- that is a functional oxymoron. A truism:

You can't block a port with software that runs on the same machine
where the attacks are aimed. That's like trying to stop bullets by
shoving Kevlar up your backside. By the time the bullet hits the
Kevlar, the damage has been done.
-- Morely 'Spam is theft' Dotes in NANAE, 13-AUG-2003


I disagree. A software firewall is useful to block ports and hide
servers (services) on your machine from the outside world.

[snip]

No, it can't, for precisely the reasons already cited.

If your system is poorly configured and/or you do not exercise good control
over what software is permitted to be installed/run/etc., then it *might* be
useful as sort of a "nagging nanny" to ride herd on the (clearly incompetent)
user. But if the user is dumb enough to need that, why presume that he/she is
smart enough to benefit from it? And besides, this is also the epitome of the
"treat the symptom" approach, as opposed to excising the disease.

If these
servers have a security flaw, then they could be exploited from outside,
and the software firewall will be able to protect you.

[snip]

Wrong. For any "firewall" to be effective, it MUST stand *between* the threat
and the system being protected. So-called "software firewalls"
_by_definition_ expose at least part (usually, a large part) of the
"protected" system to the world.

It's also good
for blocking access to the internet from rogue software on your machine.

[snip]

See above cf. "nagging nanny".

Of course, they can't defend your machine from a DoS style attack, but
then a hardware firewall isn't going to help much more for the home user.

[snip]

You haven't seen my firewall's syslog output, have you?

#55
March 29th 05, 10:59 PM
Ben Pope

Jay T. Blocksom wrote:
On Sun, 27 Mar 2005 12:07:53 +0100, in alt.comp.periphs.mainboard.asus, Ben
Pope wrote:

I disagree. A software firewall is useful to block ports and hide
servers (services) on your machine from the outside world.

[snip]

No, it can't, for precisely the reasons already cited.

If your system is poorly configured and/or you do not exercise good control
over what software is permitted to be installed/run/etc., then it *might* be
useful as sort of a "nagging nanny" to ride herd on the (clearly incompetent)
user. But if the user is dumb enough to need that, why presume that he/she is
smart enough to benefit from it? And besides, this is also the epitome of the
"treat the symptom" approach, as opposed to excising the disease.


You misunderstand what I wrote. To rephrase:

A software firewall can prevent the outside world from seeing the
services running on your machine.

If these
servers have a security flaw, then they could be exploited from outside,
and the software firewall will be able to protect you.

[snip]

Wrong. For any "firewall" to be effective, it MUST stand *between* the threat
and the system being protected. So-called "software firewalls"
_by_definition_ expose at least part (usually, a large part) of the
"protected" system to the world.


Such as? Obviously there is some contact with the outside world... but
you HAVE to do that in order to effectively do many of the things a user
wants to do. Unless you are saying that a forwarded port from a
hardware router offers more protection somehow...

I want to run a webserver, 2 in fact. So I need ports 80 and 82 to be
accessible to the outside world. If I sit behind a software firewall,
that only allows packets through on those two ports, then what is the
difference between that and forwarding those two ports from a hardware
router? My machine is exposed to the world, on those 2 ports... any
software vulnerability in my firewall (be it hardware or software
firewall) could pose a threat. As could any vulnerability in Apache or
Jetty.

It's also good
for blocking access to the internet from rogue software on your machine.

[snip]

See above cf. "nagging nanny".


Indeed. But spyware etc. gets on the machine from time to time and
having my firewall ask me if I want the new process to access the
internet is pretty useful in determining that it exists, or that the
software I thought I was installing might be a bit dubious.

Of course, they can't defend your machine from a DoS style attack, but
then a hardware firewall isn't going to help much more for the home user.

[snip]

You haven't seen my firewall's syslog output, have you?


No, and you haven't told me why I would want to. Assuming that your
hardware firewall protects you from a DoS attack, how is that useful for
the average user who just wants to browse the internet? The connection
is down either way.

Ben
#56
March 31st 05, 04:17 PM
Jay T. Blocksom

On Tue, 29 Mar 2005 22:59:27 +0100, in alt.comp.periphs.mainboard.asus, Ben
Pope wrote:

Jay T. Blocksom wrote:

[snip]

If your system is poorly configured and/or you do not exercise good
control over what software is permitted to be installed/run/etc., then it
*might* be useful as sort of a "nagging nanny" to ride herd on the
(clearly incompetent) user. But if the user is dumb enough to need that,
why presume that he/she is smart enough to benefit from it? And besides,
this is also the epitome of the "treat the symptom" approach, as opposed
to excising the disease.


You misunderstand what I wrote. To rephrase:

A software firewall can prevent the outside world from seeing the
services running on your machine.

[snip]

Not in the scenario you later described. Read on...

If these
servers have a security flaw, then they could be exploited from
outside, and the software firewall will be able to protect you.

[snip]

Wrong. For any "firewall" to be effective, it MUST stand *between* the
threat and the system being protected. So-called "software firewalls"
_by_definition_ expose at least part (usually, a large part) of the
"protected" system to the world.


Such as?

[snip]

The so-called "software firewall" program itself, for starters -- and
therefore, all of the user space available to that program (which, in the case
of many if not most WinBoxen, is the whole machine).

So, in addition to the vulnerabilities inherent in that "software firewall"
(cf.: http://cert.uni-stuttgart.de/archive/bugtraq/2003/08/msg00056.html,
http://groups.google.co.uk/groups?selm=xp8Ab.31103%249O5.22721@fed1read06,
http://www.kb.cert.org/vuls/id/634414,
http://www.kb.cert.org/vuls/id/682110,
http://www.kb.cert.org/vuls/id/637318,
http://samspade.org/d/persfire.html, http://samspade.org/d/firewalls.html,
etc.), you basically expose ALL of Windows, with its chronic legion of slowly-
or never-patched vulnerabilities (cf.
http://secunia.com/advisories/14512/print/,
http://secunia.com/advisories/12670/print/,
http://secunia.com/advisories/11482/print/,
http://www.techweb.com/article/printableArticle.jhtml;jsessionid=Q2AODUYJJKUOIQSNDBGCKH0CJUMEKJVN?articleID=59200229&site_section=700028,
http://www.internetweek.com/shared/printableArticle.jhtml?articleID=19205530,
http://secunia.com/advisories/10589/print/,
http://www.elixir.com.au/news/default.cfm?nav_id=2&id=40, etc.) DIRECTLY to
the 'net.

Hence, this is pretty much the definition of "defeating the purpose".

Or, if it will make it any clearer to you, look at it from the other way
around: With any so-called "software firewall", you are in effect running
your general-purpose OS (typically Windows -- eeek!) *and* all of your
application programs *on* your firewall machine, which is directly
antithetical to proper security procedures: Rule #1 is to NEVER enable any
unnecessary processes or services, *especially* on a device which faces the
outside world.

Obviously there is some contact with the outside world... but
you HAVE to do that in order to effectively do many of the things a user
wants to do.

[snip]

Not true, at least not as stated. Your web-server scenario below is an
atypical exception; but even that need not engender the degree of exposure you
presume.

Unless you are saying that a forwarded port from a
hardware router offers more protection somehow...

[snip]

Of course -- at least presuming that "hardware router" is properly configured.
I'm not saying that it necessarily provides complete isolation (again, see
your "web server" scenario below); but it's definitely both another step
further removed from "the wild" *and* offers an opportunity to be selective
(think SPI) about what gets forwarded back and forth.

I want to run a webserver, 2 in fact. So I need ports 80 and 82 to be
accessible to the outside world.

[snip]

Which is not the case for the typical user, who does NOT need to run public
servers. But even assuming that scenario, those public servers should be on a
separate interface (sometimes called a "DMZ" or "Orange interface"), where
they are both isolated from your "protected" network (sometimes called the
"Green interface"), and where ONLY the traffic necessary for that service is
permitted through.

If I sit behind a software firewall,

[snip]

But that's just it: You're NOT "behind" that so-called firewall; you're on
it, in it, in front of it, and all around it -- all at the same time.

that only allows packets through on those two ports, then what is the
difference between that and forwarding those two ports from a hardware
router?

[snip]

You're assuming a perfect world.

The problem is not (so much) what happens when everything works as intended.
The larger problem is what happens when UNintended things happen. And in the
"software firewall" model, virtually any breach is by definition a
catastrophic disaster, simply because so much "other stuff" instantly becomes
available to the attacker.

My machine is exposed to the world, on those 2 ports...

[snip]

Your machine is exposed to the world, period. The limitation to "on those 2
ports" is only valid in a very limited context.

any
software vulnerability in my firewall (be it hardware or software
firewall) could pose a threat. As could any vulnerability in Apache or
Jetty.

[snip]

That is correct. There is no such thing as a perfectly secure computer
system.

But the bigger problem is that, in the "software firewall" model, any
vulnerability in ANY software running on that box can (and will) *also* pose a
threat to the integrity of the firewall itself. In short, the whole thing is
a house of cards.

#57
April 1st 05, 09:06 PM
Ben Pope

Jay T. Blocksom wrote:
On Tue, 29 Mar 2005 22:59:27 +0100, in alt.comp.periphs.mainboard.asus, Ben
Pope wrote:

A software firewall can prevent the outside world from seeing the
services running on your machine.

[snip]

Not in the scenario you later described. Read on...

Such as?

[snip]

The so-called "software firewall" program itself, for starters -- and
therefore, all of the user space available to that program (which, in the case
of many if not most WinBoxen, is the whole machine).


I'd rather trust a software firewall designed with security in mind,
than the collection of MS services running on my machine. The servers I
run are not from MS at all.

So, in addition to the vulnerabilities inherent in that "software firewall"
(cf.: http://cert.uni-stuttgart.de/archive/bugtraq/2003/08/msg00056.html,
http://groups.google.co.uk/groups?selm=xp8Ab.31103%249O5.22721@fed1read06,
http://www.kb.cert.org/vuls/id/634414,
http://www.kb.cert.org/vuls/id/682110,
http://www.kb.cert.org/vuls/id/637318,
http://samspade.org/d/persfire.html, http://samspade.org/d/firewalls.html,
etc.), you basically expose ALL of Windows, with its chronic legion of slowly-
or never-patched vulnerabilities (cf.
http://secunia.com/advisories/14512/print/,
http://secunia.com/advisories/12670/print/,
http://secunia.com/advisories/11482/print/,
http://www.techweb.com/article/printableArticle.jhtml;jsessionid=Q2AODUYJJKUOIQSNDBGCKH0CJUMEKJVN?articleID=59200229&site_section=700028,
http://www.internetweek.com/shared/printableArticle.jhtml?articleID=19205530,
http://secunia.com/advisories/10589/print/,
http://www.elixir.com.au/news/default.cfm?nav_id=2&id=40, etc.) DIRECTLY to
the 'net.


Too many links, you put me off reading any. The first were over a year
old. OK, so things have problems, it's hardly surprising. One of the
links pointed out that users don't change the password on routers, so
the attacker could do what they like. This is exactly the problem -
many users don't know how to configure things like hardware firewalls
(or indeed software ones). You're not gonna fix that.

Hence, this is pretty much the definition of "defeating the purpose".

Or, if it will make it any clearer to you, look at it from the other way
around: With any so-called "software firewall", you are in effect running
your general-purpose OS (typically Windows -- eeek!) *and* all of your
application programs *on* your firewall machine, which is directly
antithetical to proper security procedures: Rule #1 is to NEVER enable any
unnecessary processes or services, *especially* on a device which faces the
outside world.


Understood, but a software firewall is better than nothing. Good enough
for most people. If an attacker gains access to the letter somebody
wrote to their mum, or a school report it's not the end of the world.
Of course I would not recommend running only a software firewall on a
machine that houses all the accounts systems for a bank.

Obviously there is some contact with the outside world... but
you HAVE to do that in order to effectively do many of the things a user
wants to do.

[snip]

Not true, at least not as stated. Your web-server scenario below is an
atypical exception; but even that need not engender the degree of exposure you
presume.


They don't need to open a socket on a given port?

Unless you are saying that a forwarded port from a
hardware router offers more protection somehow...

[snip]

Of course -- at least presuming that "hardware router" is properly configured.
I'm not saying that it necessarily provides complete isolation (again, see
your "web server" scenario below); but it's definitely both another step
further removed from "the wild" *and* offers an opportunity to be selective
(think SPI) about what gets forwarded back and forth.


SPI is only the preserve of hardware firewalls?

I want to run a webserver, 2 in fact. So I need ports 80 and 82 to be
accessible to the outside world.

[snip]

Which is not the case for the typical user, who does NOT need to run public
servers.


Think P2P, IM file transfers etc.

But even assuming that scenario, those public servers should be on a
separate interface (sometimes called a "DMZ" or "Orange interface"), where
they are both isolated from your "protected" network (sometimes called the
"Green interface"), and where ONLY the traffic necessary for that service is
permitted through.


I thought the idea of a DMZ was to not restrict it?

If I sit behind a software firewall,

[snip]

But that's just it: You're NOT "behind" that so-called firewall; you're on
it, in it, in front of it, and all around it -- all at the same time.


Whatever.

that only allows packets through on those two ports, then what is the
difference between that and forwarding those two ports from a hardware
router?

[snip]

You're assuming a perfect world.


Of course. And so are you - you seem to think hardware firewalls are
invulnerable. Obviously they are not, and neither is software, and
physical isolation is better. But for the average user, is it
necessary? No.

The problem is not (so much) what happens when everything works as intended.
The larger problem is what happens when UNintended things happen. And in the
"software firewall" model, virtually any breach is by definition a
catastrophic disaster, simply because so much "other stuff" instantly becomes
available to the attacker.

My machine is exposed to the world, on those 2 ports...

[snip]

Your machine is exposed to the world, period. The limitation to "on those 2
ports" is only valid in a very limited context.


Such as when the firewall is working? Well the same can be said for a
hardware firewall.

any
software vulnerability in my firewall (be it hardware or software
firewall) could pose a threat. As could any vulnerability in Apache or
Jetty.

[snip]

That is correct. There is no such thing as a perfectly secure computer
system.

But the bigger problem is that, in the "software firewall" model, any
vulnerability in ANY software running on that box can (and will) *also* pose a
threat to the integrity of the firewall itself. In short, the whole thing is
a house of cards.


You can't argue that software firewalls are a problem if they break.
Any firewall is a problem if it breaks.

I'm not saying that hardware firewalls are not better than software
ones. Most of the reasons you've given are "if the software firewall
doesn't work properly..." which is hardly a compelling argument.
Hardware firewalls are not perfect either.

The point is that a software firewall will, under most situations,
provide adequate security with minimal effort for a home user.

Ben
#58
April 3rd 05, 08:54 AM
Jay T. Blocksom

On Fri, 01 Apr 2005 21:06:04 +0100, in alt.comp.periphs.mainboard.asus, Ben
Pope wrote:

Jay T. Blocksom wrote:

[snip]

The so-called "software firewall" program itself, for starters -- and
therefore, all of the user space available to that program (which, in the
case of many if not most WinBoxen, is the whole machine).


I'd rather trust a software firewall designed with security in mind,
than the collection of MS services running on my machine.

[snip]

Where did I imply that you should "trust" MS-ware? That is in fact the polar
opposite of my long-standing position. And what does it have to do with the
advisability of a proper outboard ("hardware") firewall or bastion host?

The servers I run are not from MS at all.

[snip]

Good for you. But that's irrelevant to the point under discussion.

So, in addition to the vulnerabilities inherent in that "software
firewall" (cf.:

[snip]
etc.), you basically expose ALL of Windows, with its chronic legion of
slowly- or never-patched vulnerabilities (cf.

[snip]
DIRECTLY to the 'net.


Too many links, you put me off reading any.

[snip]

Well then, you're denying yourself a lot of useful (perhaps "important")
information. But that's hardly a refutation of my point.

The first were over a year old.

[snip]

This is not a new problem; nor were proper security procedures and principles
invented yesterday.

OK, so things have problems, it's hardly surprising. One of the
links pointed out that users don't change the password on routers, so
the attacker could do what they like. This is exactly the problem -
many users don't know how to configure things like hardware firewalls
(or indeed software ones). You're not gonna fix that.

[snip]

Yes, in all likelihood, there will always be the "Clueless And Proud Of It"
brigade. And there will therefore always be a swarm of carpetbagger-class
vendors pandering to them (MS being on one hand just the largest and most
visible offender, and on the other hand far more culpable than the rest
because they did so much to create and expand that CAPOI brigade). But that
does not in any way validate the carpetbaggers' claims for their snake oil, or
the decision of the rubes to buy into it.

Or, if it will make it any clearer to you, look at it from the other way
around: With any so-called "software firewall", you are in effect
running your general-purpose OS (typically Windows -- eeek!) *and* all of
your application programs *on* your firewall machine, which is directly
antithetical to proper security procedures: Rule #1 is to NEVER enable
any unnecessary processes or services, *especially* on a device which
faces the outside world.


Understood, but a software firewall is better than nothing.

[snip]

I never said it wasn't -- tho' I'm strongly tempted to, due in part to the
false sense of security so many users derive from them.

Good enough for most people.

[snip]

"'Better' is the enemy of 'good enough'."

I don't know who first said that, but it applies here to a "T".

First, given all the purely technical problems with "software firewalls", I
disagree that they can *ever* be "good enough". But beyond that, now that
proper outboard/hardware firewalls are so economically feasible (which was not
the case just a couple of years ago), there's simply no good reason to settle
for "(not really) good enough".

If an attacker gains access to the letter somebody
wrote to their mum, or a school report it's not the end of the world.

[snip]

Oh, puh-leeze! Not that Old Wives' Tale again!

By FAR the biggest "target" is not the user's letters to Mom, school reports,
Brownie recipes, or even their bank records and credit card info (as juicy as
those last two might seem, especially to clueless ad-copy writers cum
"journalists" -- but I digress). *THE* asset overwhelmingly most sought after
(and successfully stolen) by the crackers and malware propagators is the home-
or SOHO- user's PC itself -- or rather, the *use* of that PC along with its
(usually "consumer broadband") internet connection. This is *why* most of the
worms, viruses, trojans, browser hijackers, etc., spawned over the past two
years or so even exist in the first place: They are specifically designed to
surreptitiously plant software on the target system which will subsequently
allow the abusers to control that system for their own nefarious purposes
(typically spamming, DDoS attacks, and the further propagation of the
malware). We have on our hands *today* a "Zombie Army" of *millions* of
trojaned PCs hung off "cable modem" and DSL lines, spewing spam and other crap
24/7, for *precisely* this reason.

Of course I would not recommend running only a software firewall on a
machine that houses all the accounts systems for a bank.

[snip]

Well, Duh. That sort of system/network isn't even under discussion here; so
your comparison to it is at best a disingenuous straw man argument. (And as a
side note, the security measures routinely taken by any competently
designed/administered banking network make ALL of the things we're discussing
here look like the feeble child's play efforts they are, in the grander scheme
of things. Such networks are designed _from_the_ground_up_ to be secure; and
for the most part they do not even connect to the general internet. In
effect, it's a whole different world from the one we're discussing.)

Not true, at least not as stated. Your web-server scenario below is an
atypical exception; but even that need not engender the degree of
exposure you presume.


They don't need to open a socket on a given port?

[snip]

Not directly to the outside world, they don't (think NAT/PAT).

SPI is only the preserve of hardware firewalls?

[snip]

No, but that misses the point. I was simply trying to illustrate that the
"firewall" does not need intimate knowledge of what applications you are
running on your local workstation in order to do its job. (In fact, in at
least some ways it's better off without that "knowledge".)

I want to run a webserver, 2 in fact. So I need ports 80 and 82 to be
accessible to the outside world.

[snip]

Which is not the case for the typical user, who does NOT need to run
public servers.


Think P2P, IM file transfers etc.

[snip]

I'd rather not. ~

Those apps are *inherently* insecure, often in a very big way.

One of the fundamental precepts of maintaining a secure system is *not* doing
anything unnecessary which foreseeably might compromise security. You do not
*need* P2P or IM to transfer files; hence, they should not be used (at least
not for that purpose).

But even assuming that scenario, those public servers should be on a
separate interface (sometimes called a "DMZ" or "Orange interface"),
where they are both isolated from your "protected" network (sometimes
called the "Green interface"), and where ONLY the traffic necessary for
that service is permitted through.


I thought the idea of a DMZ was to not restrict it?

[snip]

Then, apparently, you thought wrong.

The basic point of a DMZ is to allow *some* services to be provided to the
outside world more-or-less "on demand", while simultaneously not allowing
outside egress to your "protected" network. But the DMZ itself is still
protected to the degree possible, by blocking ALL other access (from the
outside world) to the machine(s) in the DMZ except for that which is
specifically needed for the service(s) being offered. Somewhat greater access
to the DMZ network is permitted from the "protected" network (a.k.a. "green
interface") for administrative purposes. Ideally (tho' not really
necessarily), you would have a separate DMZ (or "orange interface") for each
service provided, with a dedicated server in each of those DMZs to provide
ONLY that one service. So, for example, if you want to provide a web server,
your DMZ interface would allow traffic on port 80, and ONLY port 80, to be
forwarded to the server (which would presumably be at a completely different
IP address via NAT/PAT). Similarly, for a mail server, ONLY ports 25 and 110
(and/or maybe 143) would be let through. In typical practice (at least in
smaller installations), only one DMZ interface is used, and selective
port-forwarding is used to "steer" traffic to the correct server. In all
cases, the protected network is effectively isolated from the DMZ network,
except for the specific "pinholes" established to permit maintenance (and any
connections through these "pinholes" would all need to be initiated from the
protected interface anyway). This is because, while the DMZ network is still
"firewalled" to some (actually, quite a large) degree, it cannot be *as*
isolated as the truly protected private network, and still offer public
services.

If I sit behind a software firewall,

[snip]

But that's just it: You're NOT "behind" that so-called firewall; you're
on it, in it, in front of it, and all around it -- all at the same time.


Whatever.

[snip]

NO!!! *Not* "whatever"! That is the fundamental point that the "software
firewall" advocates keep missing/ignoring.

You're assuming a perfect world.


Of course. And so are you - you seem to think hardware firewalls are
invulnerable.

[snip]

I never said or implied that.

When properly implemented they are by virtue of their nature inherently *less*
vulnerable than so-called "software firewalls" can ever hope to be. But like
all man-made things, they are also by definition imperfect.

Obviously they are not, and neither is software, and
physical isolation is better.

[snip]

I'm glad you see that. But it's not just "physical" isolation. It is
*functional* isolation as well, which is really the larger point.

But for the average user, is it necessary? No.

[snip]

See above regarding Old Wives' Tales. The "average user" is precisely who
most desperately needs all the protection they can get.

The problem is not (so much) what happens when everything works as
intended. The larger problem is what happens when UNintended things
happen. And in the "software firewall" model, virtually any breach is by
definition a catastrophic disaster, simply because so much "other stuff"
instantly becomes available to the attacker.

My machine is exposed to the world, on those 2 ports...

[snip]

Your machine is exposed to the world, period. The limitation to "on
those 2 ports" is only valid in a very limited context.


Such as when the firewall is working? Well the same can be said for a
hardware firewall.

[snip]

No.

For starters, the "hardware" firewall is not running under Windows, as is (at
least typically) the case for a "software" firewall. That alone is a HUGE
difference, and not just because we're talking about Windows specifically
(tho' that certainly *should* be enough to send chills up your spine right
there).

The fact that a "software" firewall is by definition running under a
general-purpose OS, on a host that is also being used for all sorts of other
"stuff", means there are all sorts of other processes and services running
_on_the_firewall_device_. This is just plain BAD NEWS. Before the traffic
can even get to the "firewall", it has to go through multiple layers of that
general-purpose OS, with all those services loaded and running, and with only
the thinnest of tissue-paper shields between ALL of that and the potentially
dangerous traffic. This not only makes for a "bigger" potential disaster; it
also makes that disaster more likely to happen: It only takes one "minor"
vulnerability in that overly complex mess to permit an attacker to "bootstrap"
his way to more and more tools, each in turn making it easier for him to gain
still more access to the machine.

You can't argue that software firewalls are a problem if they break.
Any firewall is a problem if it breaks.

[snip]

Of course I can argue that, as I've just shown above. And I've also shown
that they're a problem because they're *easier* to break -- perhaps even when
no one is trying to break them.

The point is that a software firewall will, under most situations,
provide adequate security with minimal effort for a home user.

Ben


No, not even close to "adequate".

--

Jay T. Blocksom
--------------------------------
Appropriate Technology, Inc.
usenet02[at]appropriate-tech.net

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Unsolicited advertising sent to this domain is expressly prohibited under
47 USC S227 and State Law. Violators are subject to prosecution.
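The three-interface layout argued for in the post above (public web server in an "orange" DMZ, workstations on the "green" network, only port 80 steered to the server via NAT/PAT, and maintenance "pinholes" that must be initiated from the green side) can be made concrete with a small stateful policy model. The following is an added example written for this thread, not code from any poster or from any firewall product: it is a Python simulation of zone-based filtering with a connection table, and the addresses, port numbers and host names in it are constructed sample values chosen for the illustration.

```python
"""Zone-based stateful firewall policy model (added example for this thread).

Three zones as described in the post: an untrusted outside ("red"), a DMZ
("orange") holding a public web server, and the protected LAN ("green").
All addresses below are constructed sample values (RFC 5737 / RFC 1918).
"""
from dataclasses import dataclass, field

WAN, DMZ, GREEN = "red", "orange", "green"

PUBLIC_IP = "203.0.113.10"     # firewall's outside address (constructed)
WEB_SERVER = "192.168.2.80"    # web server inside the DMZ (constructed)
ADMIN_HOST = "192.168.1.5"     # admin workstation on the green network (constructed)

# Pinholes: (ingress zone, egress zone) -> allowed (proto, dport) set.
# None means "any new connection"; an absent pair means "nothing".
# Note there is deliberately NO (DMZ, GREEN) entry: a compromised DMZ host
# cannot open anything towards the protected network.
PINHOLES = {
    (WAN, DMZ): {("tcp", 80)},     # the one public service
    (GREEN, DMZ): {("tcp", 22)},   # maintenance, initiated from green only
    (GREEN, WAN): None,            # green may initiate anything outbound
}
# Destination NAT: the public address on port 80 is steered to the DMZ host.
DNAT = {(PUBLIC_IP, "tcp", 80): WEB_SERVER}


def zone_of(ip):
    """Routing decision after NAT: which interface a destination lives behind."""
    if ip.startswith("192.168.1."):
        return GREEN
    if ip.startswith("192.168.2."):
        return DMZ
    return WAN


@dataclass(frozen=True)
class Packet:
    zone_in: str      # interface the packet arrived on
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True  # True = new-connection attempt, False = reply/continuation


@dataclass
class Firewall:
    # connection table keyed by the 5-tuple of the *initiating* direction
    conntrack: set = field(default_factory=set)

    def filter(self, pkt):
        # 1. DNAT first, so the public address maps onto the DMZ server.
        dst = DNAT.get((pkt.dst, pkt.proto, pkt.dport), pkt.dst)
        if dst == PUBLIC_IP:
            return "DROP"          # no published service on that port
        fwd = (pkt.proto, pkt.src, pkt.sport, dst, pkt.dport)
        rev = (pkt.proto, dst, pkt.dport, pkt.src, pkt.sport)
        # 2. Stateful inspection: only traffic belonging to a tracked
        #    connection passes without a pinhole, in either direction.
        if fwd in self.conntrack or rev in self.conntrack:
            return "ACCEPT"
        # 3. A bare non-SYN packet with no state is a fake "reply": drop it.
        if not pkt.syn:
            return "DROP"
        # 4. New connections must match an explicit zone-to-zone pinhole.
        allowed = PINHOLES.get((pkt.zone_in, zone_of(dst)), set())
        if allowed is None or (pkt.proto, pkt.dport) in allowed:
            self.conntrack.add(fwd)
            return "ACCEPT"
        return "DROP"


def demo():
    """Run the scenarios from the discussion and return label -> verdict."""
    fw = Firewall()
    client = "198.51.100.7"   # constructed outside client address
    cases = [
        ("wan->web:80", Packet(WAN, "tcp", client, 40001, PUBLIC_IP, 80)),
        ("web->wan reply", Packet(DMZ, "tcp", WEB_SERVER, 80, client, 40001, syn=False)),
        ("wan->public:22", Packet(WAN, "tcp", client, 40002, PUBLIC_IP, 22)),
        ("wan->green:445", Packet(WAN, "tcp", client, 40003, ADMIN_HOST, 445)),
        ("dmz->green:22", Packet(DMZ, "tcp", WEB_SERVER, 40004, ADMIN_HOST, 22)),
        ("green->dmz:22", Packet(GREEN, "tcp", ADMIN_HOST, 50000, WEB_SERVER, 22)),
        ("dmz->green reply", Packet(DMZ, "tcp", WEB_SERVER, 22, ADMIN_HOST, 50000, syn=False)),
        ("dmz->green fake reply", Packet(DMZ, "tcp", WEB_SERVER, 22, ADMIN_HOST, 50001, syn=False)),
        ("green->wan:443", Packet(GREEN, "tcp", ADMIN_HOST, 50002, client, 443)),
    ]
    return {label: fw.filter(p) for label, p in cases}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:24s} {verdict}")
```

The model shows the two properties the post relies on: the outside world can only ever open one thing (port 80, and only towards the DMZ host behind the NAT mapping), and a host in the DMZ, even if fully compromised, cannot initiate anything towards the green network, because the admin pinhole exists only in the green-to-orange direction and replies are accepted solely when they match a connection the green side started.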