Archived from groups: comp.security.firewalls
Leythos said in
news:MPG.1b40efbb96542ae398a67b@news-server.columbus.rr.com:
> In article <H-ydne5BMd9LiErd4p2dnA@comcast.com>, reply2newsgroup@see-
> sig4email.invalid says...
>> Leythos said in
>> news:MPG.1b40da6a4fe624c298a67a@news-server.columbus.rr.com:
>>> In article <J4mdnZ9qBojllkrd4p2dnA@comcast.com>,
>>> reply-to-newsgroup@to- email.use-Reply.obey-signature.invalid
>>> says...
>>>>
>>>> Well, firewalls won't protect you from viruses in communications
>>>> that YOU establish. Obviously if you can browse the Internet then
>>>> you have an outbound hole punched in your firewalls to permit that
>>>> connection. That means you can also do downloads. Same for
>>>> e-mails. Do you have anti-virus software (and does it auto-update
>>>> several times per week and maybe once, or more, per day)? Do you
>>>> periodically scan for spyware (which is not detected by anti-virus
>>>> products)?
>>>
>>> You've got your definition of Firewall and NAT devices mixed up.
>>> Firewalls can protect you while you are making a connection to a
>>> site <snip>
>>
>> When did *I* ever mention NAT (network address translation)? I don't
>
> You indicated that the outbound would be unfiltered - this only
> happens in the NAT router type devices, not firewalls. (at least I
> think that you typed something like that).
I can filter outbound connections using URL filtering using something
like a proxy, say PC Magazine's CookieCop, which is obviously not a
firewall and also obviously nothing to do with NAT. Not having any
firewall software or hardware and no router, and just connecting the NIC
directly to the cable modem, also would not filter outbound traffic and
obviously NAT isn't even used in this scenario. Filtering
outbound/inbound traffic, or the lack of it, has nothing to do with NAT.
Network Address Translation has to do with wrapping another envelope
around your traffic from one host when it connects to the Internet so
the target host's response can be unwrapped and then sent to the correct
internal host on your network. To your ISP and to the target host, only
one host is generating outbound traffic (your NAT device) and that is
the host to which any response traffic gets sent (and then it gets
unwrapped to redirect to the correct internal host). NAT by itself does
no filtering. It hides the structure of your intranetwork. As such, it
provides some protection against hacking attempts. It does nothing to
control the content of your traffic - in or out. See
http://snipurl.com/78us. Actually you and I may be in vehement
agreement that NAT does no filtering but have simply stated it
differently.
Lacking the detection of unauthorized outbound connections is not just a
property of NAT routers. Windows XP's firewall doesn't check nor
restrict outbound connections, even from spyware, but is still
considered a firewall. Neither does BlackIce block outbound
connections. Not restricting outbound connections (which are not
initiated by permitted inbound connections) does not disqualify a
product as a firewall. I'm pretty sure every firewall product could be
configured to permit fully unrestricted and unfiltered outbound traffic.
A firewall in a router won't know what application generated that
traffic. The advantage of using a software firewall on a host is that
it can track which applications are authorized to have Internet access
and which do not. With a local firewall program, you can define rules
for your applications. On the router, you can't, so the rules on the
router will not be based on applications but rather on what types of
traffic is permitted and from where. The DI-604 does permit you to
define rules based on host (MAC or IP), traffic type (protocol), and
destination (LAN and/or WAN). While these same rules can be defined in
your software firewall (and usually are), they are the only types you
can define on the separate router host (because the applications aren't
running there). So not having application rules (for Internet access)
does not disqualify a firewall built into a router as a firewall.
The other fallacy (for software firewalls) is that checking that the program
wanting outbound connections is authorized (by the user via prompt or
using automatic rules for known applications) will really provide much
security. This is not as protective as many would think. Once a user
permits, say, IE to have outbound connections then other programs can
use IE's libraries to also make those outbound connections. They hide
behind IE and since you authorized IE to have outbound connections then
you also authorize any program that can use IE to have outbound
connections. Norton's firewall has a couple of added features under its
Firewall tab options that let you know what initiated IE, or any
authorized program, to make a connection:
- Check access settings for external modules that programs use to
connect to the Internet.
- When one program launches another, check Internet access settings for
each program.
I only use the second option. Enabling both options can make using your
computer rather tedious with all the prompts and having to investigate
each module that is trying to get a connection (and which may be getting
that connection through another module). Without these options, if you
have previously authorized IE to make connections then you won't get
another prompt for it when something other than IE is really initiating
the connection. However, with these options, if another program runs
IE, like the Help and Support feature, then you will get prompted that
an unauthorized program A is trying to use authorized program B to make
an Internet connection. Go to http://tooleaky.zensoft.com/ and run the
test program to show you that authorizing IE will also authorize any
program that uses IE to make a connection (after the test, I found that
I had to kill the tooleaky process since it didn't unload by itself).
While Norton has these options, I doubt many of its users actually
employ them, and I suspect some other firewall products do not have these
features. Again, these additional features enhance a firewall's
function, but the lack of them does not disqualify a product as a firewall.
<snip>
>> By the way, the DI-604 mentioned does have a built-in firewall
>> besides the NAT function. It doesn't replace using anti-virus and
>> anti-spyware products on your desktop hosts or on a gateway host and
>> the number of firewall rules and URL filters is limited but it is
>> still very useful (and more so than the Windows XP included
>> firewall). A discussion of the DI-604 and many other NAT routers
>> does include both NAT and firewall topics because many provide both
>> functions.
>
> The DI-604 does not have a "built-in firewall" it has a couple
> features found in most firewall systems. NAT, MAC filtering, IP
> Filtering, URL Filtering, Domain Blocking do not make it a firewall,
> they make it a very nice NAT router with some good features.
> Reference:
> http://www.dlink.com/products/resource.asp?pid=62&rid=303
The lack of stateful packet inspection (SPI) provides additional
protection for the firewall that incorporates this feature. The lack of
this feature does not disqualify a product from being a firewall
program. Note that "intrusion detection" is a behavioral analysis check
usually based on algorithms to detect methods for known hack attempts.
IP spoofing is eliminated by SPI while port scans are eliminated by
intrusion detection.
> This one is a lot closer to a firewall than the DI-604:
> http://www.dlink.com/products/?pid=66
> Spec's at:
> http://www.dlink.com/products/resource.asp?pid=66&rid=316
>
> The DI-604 is just a router that provides NAT and some additional
> features found in any firewall, but it is not a firewall. This is
> about the same as any other router on the market, mostly marketing
> hype.
So then YOU provide what is the minimal definition of a firewall. What
features the top-notch, multi-hundreds of dollars firewall products
possess do not define a firewall because then only the most fantastic
and all-encompassing product produced later could then be called a
firewall and every product that used to be called a firewall can no
longer be called a firewall. An 8086 chip is still a CPU although we're
using P4's today.
Fact is, the definition of what is a firewall is very loose. BlackIce's
web page says it is a firewall, but in their defensive correspondence they
claim it isn't exactly a firewall but more a behavioral analysis program
(i.e., an intrusion detector); see http://grc.com/lt/bidresponse.htm.
Windows XP's firewall has SPI. Is the lack of SPI enough to disqualify
a firewall from being a firewall? I see articles like
http://www.fact-index.com/s/st/stateful_firewall.html where it says SPI
is a feature of more advanced firewalls, but that means less advanced
firewalls without SPI were still deemed firewalls (see
http://www.fact-index.com/s/st/stateless_firewall.html for a definition
of stateless *firewalls*). If you read the link for the definition of a
firewall, all it mentions is that it is a means of enforcing policy in
regards to traffic, and rules are used. The DI-604 has rules. I think
you are adding way too many of the features of newer firewalls used to
enhance and extend security beyond what qualifies as a basic firewall.
Yes, the DFL-300 has a better firewall than does the DI-604, but this
does NOT mean the DI-604 has no firewall. Just because 200-pound
watermelons exist does not mean all the 20-pound watermelons are no
longer watermelons.
> Now you know why I brought up the difference between NAT devices and
> Firewalls.
I wonder how long ago we lost Roy, the OP. ;->
--
____________________________________________________________
*** Post replies to newsgroup. Share with others.
*** Email domain = ".com" *AND* append "=NEWS=" to Subject.
____________________________________________________________
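The poster's description of NAT ("wrapping another envelope" around each internal host's traffic, unwrapping the reply, and doing no filtering of content) can be made concrete with a small model. The following is an added example, not code from the original thread or from D-Link; all addresses, ports and payloads are constructed, and the `NatRouter` class and `demo()` function are this example's own names. It shows the translation table that a NAT device keeps, that two LAN hosts leave the router sharing one public IP and are told apart only by the rewritten port, that payloads pass through untouched, and that an unsolicited inbound packet has no mapping and therefore nowhere to go, which is the "hides the structure of your intranetwork" effect rather than a policy decision.

```python
# Added example (not from the original post): a minimal model of source NAT.
# It only rewrites addresses and keeps a mapping table; it never inspects or
# filters payload content. All addresses and ports are constructed.
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


class NatRouter:
    """Source NAT: internal (ip, port) <-> public port, with no policy of its own."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        # public port -> (internal ip, internal port, remote ip, remote port)
        self.table: Dict[int, Tuple[str, int, str, int]] = {}
        self._reverse: Dict[Tuple[str, int, str, int], int] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Wrap the internal host's packet in the router's public address."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._reverse.get(key)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self.table[port] = key
            self._reverse[key] = port
        # The payload is carried through untouched: NAT does not look at content.
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Unwrap a reply; None means no mapping exists, so it cannot be delivered."""
        entry = self.table.get(pkt.dst_port)
        if entry is None or pkt.dst_ip != self.public_ip:
            return None
        int_ip, int_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # belongs to some other conversation
        return replace(pkt, dst_ip=int_ip, dst_port=int_port)


def demo():
    nat = NatRouter("203.0.113.10")
    # Constructed: two LAN hosts using the same local port to reach one web server.
    a = Packet("192.168.1.2", 5000, "198.51.100.7", 80, b"GET /a HTTP/1.0\r\n")
    b = Packet("192.168.1.3", 5000, "198.51.100.7", 80, b"GET /b HTTP/1.0\r\n")
    out_a = nat.outbound(a)
    out_b = nat.outbound(b)
    # Both leave with the same source IP; only the translated port tells them apart.
    reply_to_a = Packet("198.51.100.7", 80, out_a.src_ip, out_a.src_port, b"<html>A</html>")
    reply_to_b = Packet("198.51.100.7", 80, out_b.src_ip, out_b.src_port, b"<html>B</html>")
    back_a = nat.inbound(reply_to_a)
    back_b = nat.inbound(reply_to_b)
    # Constructed: an unsolicited packet to a port with no mapping has nowhere to go.
    stray = Packet("198.51.100.99", 4444, "203.0.113.10", 23, b"hello")
    return out_a, out_b, back_a, back_b, nat.inbound(stray)


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The second packet from host A reuses its existing mapping, which is why a long-lived conversation keeps the same public port; nothing in `NatRouter` ever examines `payload`, so a hostile download or e-mail attachment rides through exactly as a legitimate page would, which is the poster's point that NAT is not a substitute for filtering.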
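The thread's back-and-forth over stateful packet inspection (the DI-604 discussion, the stateless vs. stateful firewall links, and the remark that SPI addresses spoofed inbound traffic) turns on one difference: whether the filter remembers which connections the inside opened. The following added example, not code from the original thread or from any product named in it, puts a stateless header-only rule beside a stateful connection-tracking rule and runs the same four constructed packets through both. The `StatelessFilter`, `StatefulFilter` and `compare()` names, the addresses and the TCP flag sets are all this example's own assumptions.

```python
# Added example (not from the original post): a stateless packet filter beside
# a stateful one, showing what connection tracking adds. Rules, addresses and
# packets are constructed for the demo.
from dataclasses import dataclass
from typing import List, Set, Tuple, FrozenSet


@dataclass(frozen=True)
class Pkt:
    direction: str          # "out" (LAN -> WAN) or "in" (WAN -> LAN)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: FrozenSet[str]   # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


FlowKey = Tuple[str, int, str, int]


class StatelessFilter:
    """Decides each packet from its headers alone, with no memory of earlier packets."""

    def allow(self, p: Pkt) -> bool:
        if p.direction == "out":
            return True  # unrestricted outbound, as the post describes
        # Classic stateless rule: admit inbound packets that do not start a new
        # connection (i.e. anything except a bare SYN). The filter cannot tell a
        # real reply from a packet merely dressed up as one.
        return not ("SYN" in p.flags and "ACK" not in p.flags)


class StatefulFilter:
    """Admits inbound traffic only when it answers a connection this side opened."""

    def __init__(self) -> None:
        self.established: Set[FlowKey] = set()

    def allow(self, p: Pkt) -> bool:
        if p.direction == "out":
            if "SYN" in p.flags:
                self.established.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return True
        # Inbound must match a tracked flow with the 4-tuple reversed.
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.established


def run(filter_obj, traffic: List[Pkt]) -> List[bool]:
    """Apply one filter to a packet sequence, returning the allow/deny verdicts in order."""
    return [filter_obj.allow(p) for p in traffic]


LAN, WEB, STRANGER = "192.168.1.2", "198.51.100.7", "198.51.100.99"

# Constructed traffic: one genuine conversation plus two packets from a host
# the LAN never contacted.
TRAFFIC = [
    Pkt("out", LAN, 5000, WEB, 80, frozenset({"SYN"})),         # LAN opens a connection
    Pkt("in", WEB, 80, LAN, 5000, frozenset({"SYN", "ACK"})),   # genuine reply
    Pkt("in", STRANGER, 80, LAN, 6000, frozenset({"ACK"})),     # looks like a reply, but no such flow
    Pkt("in", STRANGER, 4444, LAN, 23, frozenset({"SYN"})),     # new inbound connection attempt
]


def compare() -> Tuple[List[bool], List[bool]]:
    return run(StatelessFilter(), TRAFFIC), run(StatefulFilter(), TRAFFIC)


if __name__ == "__main__":
    stateless, stateful = compare()
    for p, a, b in zip(TRAFFIC, stateless, stateful):
        print(f"{p.direction:3} {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port} "
              f"{sorted(p.flags)}  stateless={a}  stateful={b}")
```

Both filters block the bare inbound SYN, so both qualify as a firewall in the poster's sense of enforcing a traffic policy with rules. The third packet is where they part: the stateless rule admits it because its flags look like part of an existing connection, while the stateful filter rejects it because no outbound flow from LAN:6000 was ever recorded. That is the protection the post attributes to SPI, and it comes entirely from the `established` table, not from any extra header rule.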