Archived from groups: alt.comp.periphs.mainboard.asus (More info?)
Jay T. Blocksom wrote:
> On Tue, 29 Mar 2005 22:59:27 +0100, in <alt.comp.periphs.mainboard.asus>, Ben
> Pope <benpope81@_REMOVE_gmail.com> wrote:
> >
> > A software firewall can prevent the outside world from seeing the
> > services running on your machine.
> >
> [snip]
>
> Not in the scenario you later described. Read on...
>
> > Such as?
> [snip]
>
> The so-called "software firewall" program itself, for starters -- and
> therefore, all of the user space available to that program (which, in the case
> of many if not most WinBoxen, is the whole machine).
I'd rather trust a software firewall designed with security in mind,
than the collection of MS services running on my machine. The servers I
run are not from MS at all.
> So, in addition to the vulnerabilities inherent in that "software firewall"
> (cf.: <http://cert.uni-stuttgart.de/archive/bugtraq/2003/08/msg00056.html>,
> <http://groups.google.co.uk/groups?selm=8d76ec03.0312071745.29f02d01@posting.google.com>,
> <http://groups.google.co.uk/groups?selm=xp8Ab.31103%249O5.22721@fed1read06>,
> <http://groups.google.co.uk/groups?selm=Jumsb.3342%24Tc2.25745@newsfep4-glfd.server.ntli.net>,
> <http://groups.google.co.uk/groups?selm=630e418f.0312061738.716afa6d@posting.google.com>,
> <http://www.kb.cert.org/vuls/id/634414>,
> <http://www.kb.cert.org/vuls/id/682110>,
> <http://www.kb.cert.org/vuls/id/637318>,
> <http://samspade.org/d/persfire.html>, <http://samspade.org/d/firewalls.html>,
> etc.), you basically expose ALL of Windows, with its chronic legion of slowly-
> or never-patched vulnerabilities (cf.
> <http://secunia.com/advisories/14512/print/>,
> <http://secunia.com/advisories/12670/print/>,
> <http://secunia.com/advisories/11482/print/>,
> <http://www.techweb.com/article/printableArticle.jhtml;jsessionid=Q2AODUYJJKUOIQSNDBGCKH0CJUMEKJVN?articleID=59200229&site_section=700028>,
> <http://www.internetweek.com/shared/printableArticle.jhtml?articleID=19205530>,
> <http://secunia.com/advisories/10589/print/>,
> <http://www.elixir.com.au/news/default.cfm?nav_id=2&id=40>, etc.) DIRECTLY to
> the 'net.
Too many links, you put me off reading any. The first were over a year
old. OK, so things have problems, it's hardly surprising. One of the
links pointed out that users don't change the password on routers, so
the attacker could do what they like. This is exactly the problem -
many users don't know how to configure things like hardware firewalls
(or indeed software ones). You're not gonna fix that.
> Hence, this is pretty much the definition of "defeating the purpose".
>
> Or, if it will make it any clearer to you, look at it from the other way
> around: With any so-called "software firewall", you are in effect running
> your general-purpose OS (typically Windows -- eeek!) *and* all of your
> application programs *on* your firewall machine, which is directly
> antithetical to proper security procedures: Rule #1 is to NEVER enable any
> unnecessary processes or services, *especially* on a device which faces the
> outside world.
Understood, but a software firewall is better than nothing. Good enough
for most people. If an attacker gains access to the letter somebody
wrote to their mum, or a school report it's not the end of the world.
Of course I would not recommend running only a software firewall on a
machine that houses all the accounts systems for a bank.
> > Obviously there is some contact with the outside world... but
> > you HAVE to do that in order to effectively do many of the things a user
> > wants to do.
> [snip]
>
> Not true, at least not as stated. Your web-server scenario below is an
> atypical exception; but even that need not engender the degree of exposure you
> presume.
They don't need to open a socket on a given port?
> > Unless you are saying that a forwarded port from a
> > hardware router offers more protection somehow...
> >
> [snip]
>
> Of course -- at least presuming that "hardware router" is properly configured.
> I'm not saying that it necessarily provides complete isolation (again, see
> your "web server" scenario below); but it's definitely both another step
> further removed from "the wild" *and* offers an opportunity to be selective
> (think SPI) about what gets forwarded back and forth.
SPI is only the preserve of hardware firewalls?
> > I want to run a webserver, 2 in fact. So I need ports 80 and 82 to be
> > accessible to the outside world.
> [snip]
>
> Which is not the case for the typical user, who does NOT need to run public
> servers.
Think P2P, IM file transfers etc.
> But even assuming that scenario, those public servers should be on a
> separate interface (sometimes called a "DMZ" or "Orange interface"), where
> they are both isolated from your "protected" network (sometimes called the
> "Green interface"), and where ONLY the traffic necessary for that service is
> permitted through.
I thought the idea of a DMZ was to not restrict it?
> > If I sit behind a software firewall,
> [snip]
>
> But that's just it: You're NOT "behind" that so-called firewall; you're on
> it, in it, in front of it, and all around it -- all at the same time.
Whatever.
> > that only allows packets through on those two ports, then what is the
> > difference between that and forwarding those two ports from a hardware
> > router?
> [snip]
>
> You're assuming a perfect world.
Of course. And so are you - you seem to think hardware firewalls are
invulnerable. Obviously they are not, and neither is software, and
physical isolation is better. But for the average user, is it
necessary? No.
> The problem is not (so much) what happens when everything works as intended.
> The larger problem is what happens when UNintended things happen. And in the
> "software firewall" model, virtually any breach is by definition a
> catastrophic disaster, simply because so much "other stuff" instantly becomes
> available to the attacker.
>
> > My machine is exposed to the world, on those 2 ports...
> [snip]
>
> Your machine is exposed to the world, period. The limitation to "on those 2
> ports" is only valid in a very limited context.
Such as when the firewall is working? Well the same can be said for a
hardware firewall.
> > any
> > software vulnerability in my firewall (be it hardware or software
> > firewall) could pose a threat. As could any vulnerability in Apache or
> > Jetty.
> >
> [snip]
>
> That is correct. There is no such thing as a perfectly secure computer
> system.
>
> But the bigger problem is that, in the "software firewall" model, any
> vulnerability in ANY software running on that box can (and will) *also* pose a
> threat to the integrity of the firewall itself. In short, the whole thing is
> a house of cards.
You can't argue that software firewalls are a problem if they break.
Any firewall is a problem if it breaks.
I'm not saying that hardware firewalls are not better than software
ones. Most of the reasons you've given are "if the software firewall
doesn't work properly..." which is hardly a compelling argument.
Hardware firewalls are not perfect either.
The point is that a software firewall will, under most situations,
provide adequate security with minimal effort for a home user.
Ben
--
A7N8X FAQ: www.ben.pope.name/a7n8x_faq.html
Questions by email will likely be ignored, please use the newsgroups.
I'm not just a number. To many, I'm known as a String...
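The thread argues past itself on two points: whether stateful packet inspection (SPI) is something only a dedicated box can do, and what a "DMZ" is meant to restrict. The following is an added example, not code from either poster, that models the three-zone layout Jay describes (WAN, an "orange" DMZ holding the two web servers on ports 80 and 82, and a "green" protected network) as a toy stateful filter. SPI here is just a matching discipline: a packet is forwarded if it belongs to a connection the policy already admitted, otherwise it must be a new connection that the policy explicitly permits. That discipline can run on a router or on the host itself; Jay's objection is about where the policy lives, not about whether the host can evaluate it. The example also separates the two meanings of "DMZ" behind Ben's question: the consumer-router "DMZ host" setting forwards all unsolicited inbound traffic to one machine, whereas the network-design DMZ Jay means is a separate segment that admits only the published services and is itself barred from reaching the protected network. All addresses, interface names and the published-port set are assumptions chosen for illustration.

```python
"""Toy stateful filter for a WAN / DMZ / green layout (added example; the
topology, addresses and ports are assumptions, not taken from the thread)."""
import ipaddress
from dataclasses import dataclass

WAN, DMZ, GREEN = "wan", "dmz", "green"
DMZ_NET = ipaddress.ip_network("10.0.1.0/24")      # assumed "orange" segment
GREEN_NET = ipaddress.ip_network("10.0.2.0/24")    # assumed "green" segment
DMZ_SERVER = "10.0.1.10"                           # assumed host running both web servers
PUBLISHED_PORTS = {80, 82}                         # the two ports named in the thread


@dataclass(frozen=True)
class Packet:
    iface_in: str   # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True only for the first packet of a TCP connection


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    if addr in DMZ_NET:
        return DMZ
    if addr in GREEN_NET:
        return GREEN
    return WAN


class StatefulFilter:
    def __init__(self):
        # Connections the policy has admitted, keyed by the initiator's 4-tuple.
        self.state = set()

    def _established(self, p):
        forward = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        return forward in self.state or reverse in self.state

    def _policy(self, p):
        """Rules for NEW connections only; replies are handled by state."""
        src_zone, dst_zone = zone_of(p.src), zone_of(p.dst)
        if src_zone == WAN and dst_zone == DMZ:
            # Only the published services, only on the host that provides them.
            return p.dst == DMZ_SERVER and p.dport in PUBLISHED_PORTS
        if src_zone == WAN and dst_zone == GREEN:
            return False          # nothing from the internet reaches green directly
        if src_zone == DMZ and dst_zone == GREEN:
            return False          # a compromised web server must not pivot inward
        if src_zone == DMZ and dst_zone == WAN:
            return True           # DMZ hosts may fetch updates etc.
        if src_zone == GREEN:
            return True           # protected hosts may initiate anything outbound
        return False

    def filter(self, p):
        """Return True if the packet is forwarded, False if dropped."""
        if zone_of(p.src) != p.iface_in:
            return False          # anti-spoofing: source must match the arrival interface
        if self._established(p):
            return True           # part of a connection already admitted
        if not p.syn:
            return False          # mid-stream packet with no state (e.g. ACK scan)
        if self._policy(p):
            self.state.add((p.src, p.sport, p.dst, p.dport))
            return True
        return False


def demo():
    """Run constructed sample traffic through the filter; returns name -> forwarded."""
    fw = StatefulFilter()
    client, site, pc = "203.0.113.5", "198.51.100.7", "10.0.2.20"   # constructed addresses
    return {
        "wan_to_web":   fw.filter(Packet(WAN, client, 40000, DMZ_SERVER, 80, syn=True)),
        "web_reply":    fw.filter(Packet(DMZ, DMZ_SERVER, 80, client, 40000)),
        "wan_to_smb":   fw.filter(Packet(WAN, client, 40001, DMZ_SERVER, 445, syn=True)),
        "ack_scan":     fw.filter(Packet(WAN, client, 40002, DMZ_SERVER, 80)),
        "dmz_to_green": fw.filter(Packet(DMZ, DMZ_SERVER, 50000, pc, 445, syn=True)),
        "green_out":    fw.filter(Packet(GREEN, pc, 51000, site, 443, syn=True)),
        "green_reply":  fw.filter(Packet(WAN, site, 443, pc, 51000)),
        "spoofed_src":  fw.filter(Packet(WAN, pc, 52000, "10.0.2.21", 445, syn=True)),
    }


if __name__ == "__main__":
    for name, forwarded in demo().items():
        print(f"{name:13s} {'FORWARD' if forwarded else 'DROP'}")
```

The point the simulation makes for the thread: the same two forwarded ports look identical from the outside whether the rules run on a router or on the web server itself, but only the separate-segment layout keeps a compromise of the web server (the `dmz_to_green` case) from landing the attacker on the machines holding everything else. Put the filter on the same host as Apache and a bug in Apache sits in the same trust domain as the filter, which is Jay's "house of cards" objection stated in code.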