Which Firewall?

Archived from groups: comp.security.firewalls

Graham wrote:
> Wolfgang is quite correct. Place a DOS 6.2 machine on the net
> with no services running and guess what ... no problems

What about the situation where there is a vulnerability in the OS itself?
In the TCP stack, or the kernel. It does happen, buffer overruns or
jumping into a stack loaded w/ opcodes (shell coding). Then there are
various DoS attacks that don't even attempt to gain entry, just to
render your system/network useless.

Then there are man-in-the-middle attacks on open, outgoing connections.
A firewall may or may not help in this situation tho.

Clearly there does not have to be a service open/active to be
vulnerable, and a firewall (one or more) can help to mitigate many of
the effects of these attacks.

bk
 

In article <10bsac28cmoo83@corp.supernews.com>, sean@snerts-r-us.org
says...
> -Sean Weintz

Usenet standard for sigs is 4 lines - your sig is WAY longer than 4
lines. Please trim it.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 

In article <pan.2004.06.02.08.15.32.766527@removethis.thebayleys.com>,
graham@removethis.thebayleys.com says...
> Wolfgang is quite correct. Place a DOS 6.2 machine on the net
> with no services running and guess what ... no problems

And therein lies the flaw - any OS that connects to the internet and
provides users with any ability to do anything on the internet is going
to be open to flaws and security issues. There isn't a single installed
OS, with applications, that is completely free of security issues.

Now, with that being said, for your typical home users, a $40 router to
protect their investment and resources is about as cheap and fool-proof
as it gets.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 

On 2 Jun 2004 03:49:32 -0700, Neil Mort wrote:

>I am interested to know which type of firewall is adequate for a home
>PC, I have been recommended to use either Norton Personal Firewall
>2004 or McAfee Personal Firewall, are these appropriate or can anybody
>recommend suitable alternatives.

I use ZoneAlarm Pro Ver 4.5.594.000 there is also a free version.
ZA Ver 5 has just been released and has received a mixed reception.
http://download.zonelabs.com/bin/free/information/znalm/zaReleaseHistory.html
--

Chris Bee
 

Bumblebee wrote:
^^^^^^^^^

Who?

> I use ZoneAlarm Pro [...]

I don't. And you don't need either. But besides obtaining a real name you
need to read: http://www.ntsvcfg.de/ntsvcfg_eng.html

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind
Peter Gabriel, Not one of us, 1980
 

"Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
news:c9kfbh$3o9$2@news.shlink.de...
> Bumblebee wrote:
> ^^^^^^^^^
>
> Who?
>
> > I use ZoneAlarm Pro [...]
>
> I don't. And you don't need either. But besides obtaining a real name you

Why do you think there is a problem with him using that name? It's not
unusual or wrong.
Anyone who posts to newsgroups with a real email address in their headers
gets all the spam they deserve.
 

On Wed, 02 Jun 2004 15:24:49 -0400, "T. Sean Weintz"
<sean@snerts-r-us.org> wrote:
>
>Can't go wrong with either SonicWall, WatchGuard or Cisco PIX series.
>

Or, let me add, a ZyXEL ZyWALL, which is both Firewall and IPsec
ICSA-certified.

http://shopping.nowthor.com/0760559110178.html
 

On Wed, 02 Jun 2004 19:15:41 -0700, Purl Gurl <purlgurl@purlgurl.net> wrote:

>Chuck wrote:
<SNIP>

>> Windows is insecure
>
>Unix is insecure.
>Linux is insecure.
>BSD is insecure.
>MAC is insecure.

They're all insecure, because the internet infrastructure designed years ago is
insecure. Nobody then imagined how innovative the bad guys would be in using
the internet, and computers in general, to their advantage. So they can make
money from us.

And as soon as *nix et al gain market share, so will the spyware, viruses, and
other attacks on those systems.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
 

In article <40BE89CD.479A37AD@purlgurl.net>, purlgurl@purlgurl.net
says...
> You only enjoy that security you create and maintain. Even
> then, all bets are off, thanks to Murphy.

And the entire point in this thread is that Users = Murphy.

Another story from my recent past: While I was out of state installing a
network, my mother-in-law got a Dell (Good for her). I asked her to leave
it in the box until I got back (1 week). Her son (Mac user, 40+,
somewhat technical) installed the system directly on her Road Runner
cable connection.

In the one week's time I was gone her machine was infected with 380+
different spyware apps, and more than 40 viruses/trojans. Needless to
say, they didn't do anything other than turn it on, get through the
basic startup config, and start using it. This is your classic user,
your classic level of users on home systems.

Had they installed the Linksys router they would have been a LOT better
off and I would not have had to wipe/reinstall from scratch. I installed
XP Prof, NAV 2004, Spybot Search & Destroy, set the "Internet" zone to
"HIGH" and the Trusted Zone to medium, then showed her how to add
trusted sites to the trusted zone. I also installed her Office XP and
Outlook XP. She's been running for a couple months now and not one
problem.



--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 

Leythos wrote:

> Purl Gurl wrote:

(snipped)

> > You only enjoy that security you create and maintain. Even
> > then, all bets are off, thanks to Murphy.

> And the entire point in this thread is that Users = Murphy.

"Little pink houses for you and me."


> In the one week's time I was gone her machine was infected with 380+
> different spyware apps, and more than 40 viruses/trojans.

That's all? She was lucky.


> Had they installed the Linksys router

Isn't it amazing how much security is added by a router?

We use a programmable Linksys for our servers and are
very pleased, exceptionally pleased. Nothing like
forwarding jerks to La La Land.

Yes, the real problem is us, the Murphy people. Most of
our problems are not based in ignorance nor in being naive.

Most of our problems, here and out there, are based upon
our good nature, based upon our trusting nature. Almost
all of us are decent respectful people who treat others
well, and inherently view others as decent moral people.

In walks the internet and the world wide web, just a short
couple of decades back. Our internet is safe haven for those
who would do all of us harm. No need to exemplify this, we
all know of the extreme dangers presented by the net.

Our "Murphy" is being good and decent people, perhaps even
endearingly innocent. This prides almost all of us.


Purl Gurl
 

Purl Gurl wrote:

> Leythos wrote:
> > Purl Gurl wrote:

(snipped)

> > In the one week's time I was gone her machine was infected with 380+
> > different spyware apps, and more than 40 viruses/trojans.

> That's all? She was lucky.

For those readers interested in statistical graphs, you may
visit our family server here,

http://www.purlgurl.net/attacks.html/

On that page you will discover nice graphical charts of actual
attacks on our server, all serious and currently averaging
forty to fifty per day. This is not quite an accurate picture,
for two reasons. The first is obvious; our graphs group and
display only the top percentage attacks. Results for May 25
well displays another reason for our graphs not being accurate.

If you look at our last graph, you will note on May 25 the
number of attacks spiked to over two-hundred per day, which
is realistic. As a test of our firmware firewall, on May 25
I set our external firewall to not firewall at all, set it
to be a simple transparent gateway, then noted how many "hacks"
were passed through without our firmware firewall. This afforded
a good test and affirms our firewall works well.

Our logging system only logs those hacks which pass through
our external firewall, so our graphical charts are truly
well below what is really happening.

Keep in mind, these are only those hack attempts coming
in on our static ip address. For a true picture, consider
how many "internet connections" are out there, at any
given moment. All connections suffer hack attempts, all.

For June 1, yesterday, you will note a slight increase in
problems. This is a result of a group of sociopathic types
over in the comp.lang.perl.misc newsgroup, being frustrated
by our sudden rotation and randomizing our security measures.
A select few of those people are very well known personae
within the Perl Community and a couple from Apache Dot Org,
one even runs a dot gov site offering services to a certain
state government, secure services. Here he is trying to
harass our family, in a very childish manner.

I should take down his dot gov site, except local mapping
for his dot gov site includes the Department of Justice,
who are people to fear; you do NOT mess with Uncle Sam.

So, for the "newbies" out there reading this article, never
dismiss a need for security. You are in danger.

If you cannot access our site, do not take this personally.
You may, however, blame this on some of the hateful people
over in comp.lang.perl.misc newsgroup. I have relaxed our
security features for tonight so most can access and view.

Yes, I clearly hold a grudge and am clearly grinding an axe,
as you will should you suffer the same, as did Leythos'
wife's mother, another innocent victim of the net.


Purl Gurl
 

Purl Gurl wrote:

> Purl Gurl wrote:
> > Leythos wrote:
> > > Purl Gurl wrote:

(snipped)

> For those readers interested in statistical graphs, you may
> visit our family server here,

> http://www.purlgurl.net/attacks.html/

> On that page you will discover nice graphical charts of actual
> attacks on our server,

To add some offbeat interest for this newsgroup, previously
in another article, I write of randomizing security methods
to prevent profiling of security systems.

For our last chart, bottom chart, you can "see" results of
a program which randomizes responses to selected events.

Look directly above the dates May 28, May 29 on through to
May 31 date, literally directly above those dates on
the graph. You are actually looking at effects of our
security rotation. Then comes June 1 which reflects a
serious increase in attempts, by cooperative actions
by many. This increase is a graph of their frustration
and of attempting new methods; they are trying to figure
out what the Hades is going on.

This is nice. Randomizing manipulates them into trying
different techniques, which are logged and reviewed;
they afford me an ability to collect data, on them.

I write "they" and do claim a cooperative effort.

A short partial snippet of data collected,

ShowLetter?MsgId=6432_6633_3451_1052_65_0_17113_-1_0&YY=26695&inc=25

A mistake made there, a big mistake. Those involved in a cooperative
effort to harass our family, provided me with just the data I needed
to black hat an email account and extract evidence of just such; an
overt cooperative effort by a select group I know well.

Now they know with their routinely monitoring newsgroups for
my postings. Will they make this type of mistake again? Yes.

Perhaps, in time, I will submit my data to law enforcement,
as I have done in the past to some of them. Most embarrassing
for some to have a detective knock upon their front door or
to phone you and ask questions which heighten anxiety.

Previously I wrote of Murphy. He does not always work against
those of us, almost all of us, who are good and decent people.
Quite the opposite, Murphy more often works against those who
are less than good and decent; Bad Karma.

Again, security is that which you create and maintain. Security
is not purely software based; it is more often based upon your
personal ability to think like a fox.


Purl Gurl
 

On Wed, 02 Jun 2004 13:57:37 +0200, Wolfgang Kueter wrote:

>Bumblebee wrote:
>^^^^^^^^^
>
>Who?

Bumblebee <chris_bee@privacy.invalid>

>> I use ZoneAlarm Pro [...]
>
>I don't. And you don't need either. But besides obtaining a real name you
>need to read: http://www.ntsvcfg.de/ntsvcfg_eng.html

I don't need to read the above link and you're welcome to disagree
with me. I gave what I believed to be good advice to another person
who was asking about firewalls. Using a firewall certainly won't cause
any damage whereas being without a firewall *could* result in damage.

Advising someone *not* to use a firewall borders on being malicious
advice IMHO. Not that it's any of your business Wolfgang but I did use
my real name, Chris Bee. I acquired the nickname "Bumblebee" over 50
years ago, virtually on the first day I started going to Kindergarten
prior to attending Primary School.
--

Chris Bee
 

"Jens Hoffmann" <jh@bofh.de> wrote in message
news:slrncbs5ik.e38.jh@churrasco.bofh.de...
> Hi,
>
> Leythos <void@nowhere.com> wrote:
> >> non-affected system (i.e. Knoppix or Unix/Linux):
> > It clearly states not to connect the computer to the internet until
> > "Downloading" the patch - how are home users going to do that?
>
> Knoppix is an excellent piece of software, directly running from a cd.
> Have a look at it.

You are missing the point. How many home users will have Knoppix lying
about? And if they didn't, how would they download a copy without connecting
their only pc to the internet? And then, how many confronted with a non
Microsoft interface would know what to do to download the patch etc. etc.
etc.

The alternate is a NAT router and a quick trip to Windows update. Easy and
foolproof(ish)
 

On Wed, 2 Jun 2004 15:51:27 +0100, Mike wrote:

[snip]

> I'm not sure what you are trying to say...
>
> Is it "Organization: SHLINK Internet Service" and I should be impressed
> because you are from an ISP? If you are from an ISP you should know better.

I have a feeling you are deliberately misunderstanding what Wolfgang is
trying to communicate.

> Or is it "NNTP-Posting-Host: fw0.shlink.de" because you have hidden your ip
> address? Which resolves to :
>
> ;; ANSWER SECTION:
> fw0.shlink.de. 3600 IN A 212.60.1.4

Nothing hidden about that address? Or do you mean it is hidden
because it resolves to a DNS name? If so, I have successfully
hidden all my IP addresses :)

> telnet 212.60.1.4 25
> Trying 212.60.1.4...
> Connected to fw0.shlink.de (212.60.1.4).
> Escape character is '^]'.
> 220 fw0.shlink.de (RBL/SPF) ESMTP
>
> But wait! fw0? Could that be a firewall?? Firewall 0?? Nah! You couldn't
> possibly be advocating users not to use a firewall while using one
> yourself??
>
> If you don't advocate firewalls, what are you doing in this group?

This group is for discussion, not advocating. Try reading Wolfgangs
posts again.

The point he is trying to make is that while adding a NAT device might
cure the symptom of a vulnerable system (by adding more code,
statistically introducing more bugs, to solve the problem caused by
too much code in the first place), it does not solve the real problem
which is insecure systems. Securing those systems will be a much
better solution, and what we all should be advocating unless we have
another agenda than to make the Internet a more secure place. At
least that is how I interpret it.

Firewall vendors/resellers will not necessarily tell you this, because
their agenda is making money.

I really dislike the 'add a NAT device' "solution", but with a) today's
wide-spread use of insecure operating systems and default settings,
even if the new versions are much better than previous ones the old
ones are still widely used in production environments and homes, b)
the complexity of operating systems with which even computer science
graduates struggle, and c) most people's belief that computers are easy
to use and maintain compared to other technical equipment (you probably
wouldn't service your brand new car yourself, or even your TV unless
you have a special interest or knowledge), I can see the need for an
immediate way of treating those symptoms. But the long term goal
should still be securing the _systems_. If you disagree, I really
hope you don't work in this industry.

> Your methods may well be correct and acceptable to you, but in the context
> of the original poster who started by asking whether he needed a firewall and
> was by inference a newbie, telling him to dig into the guts of his operating
> system without even finding out what OS he had is; bad, wrong, stupid,
> irresponsible and unhelpful.

IIRC the URL to the hints on how to configure Windows securely was
mentioned, but I must admit I did not follow entire thread. However,
that does not invalidate my comments to the above.

When people are interested enough to ask if they really do need a
firewall, the correct answer in my not so humble opinion is "it
depends", followed by a more in-depth explanation preferably contained
in a FAQ. The 'newbie' is free to stop reading, or ask more
questions if it is too much/little information.

(and I don't expect anyone to be impressed by the "university of .."
in my headers - it has nothing to do with my opinions here, I'm just
an ex-employee)


- Eirik
--
New and exciting signature!
 

Leythos wrote:

> In the one week's time I was gone her machine was infected with 380+
> different spyware apps, and more than 40 viruses/trojans.

'It was infected' sounds like that this didn't require end user interaction.
I doubt that.

> Needless to
> say, they didn't do anything other than turn it on, get through the
> basic startup config, and start using it.

Does 'using a system' include 'installation of malware'?

> This is your classic user,
> your classic level of users on home systems.

Most filtering devices placed in front of a box do not prevent installing
malware by the user himself.

> Had they installed the Linksys router they would have been a LOT better
> off and I would not have had to wipe/reinstall from scratch.

You would since the router does not prevent the installation of malware.

> I installed XP Prof, NAV 2004, Spybot Search & Destroy, set the "Internet"
> zone to "HIGH" and the Trusted Zone to medium, then showed her how to add
> trusted sites to the trusted zone. I also installed her Office XP and
> Outlook XP. She's been running for a couple months now and not one
> problem.

Well, some time ago I reinstalled an infected win2000 workstation of a quite
unskilled user. I patched the installation, switched off all services, set
user and access rights strict using good passwords, configured IE properly,
told the user that he must not log in as administrator unless for
maintenance tasks. No problems with the machine.

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind
Peter Gabriel, Not one of us, 1980
 

Bob Kryger wrote:

> What about the situation where there is a vulnerability in the OS itself?
> In the TCP stack, or the kernel.

OK, that is a valid argument but it refers to any filtering device as well.

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind
Peter Gabriel, Not one of us, 1980
 

Wolfgang Kueter wrote:
> Bob Kryger wrote:
>
>
>>What about the situation where there is a vulnerability in the OS itself?
>>In the TCP stack, or the kernel.
>
>
> OK, that is a valid argument but it refers to any filtering device as well.

Exactly, and that led to the security concept of 'defense-in-depth'

[from another post]
The principle for doing so is sound and ancient, defense-in-depth. If
you were to have only a single line of defense then once it is
compromised so are your assets. Two or more levels of defense,
preferably of different technologies will provide additional levels of
protection. On my home systems I run a hardware firewall AND different
software firewalls on different systems.

Basically one line of defense is not enough. Your assertion of a well run
system, may be considered, one good line of defense. It is, but it's not
sufficient, in today's Internet, especially for newbies. Like it or not,
we sometimes have to be pragmatic.

bk
 

"Eirik Seim" <eirik@mi.uib.no> wrote in message
news:slrncbtp53.1hu.eirik@kain.mi.uib.no...
> On Wed, 2 Jun 2004 15:51:27 +0100, Mike wrote:
>
> [snip]
>
> > I'm not sure what you are trying to say...
> >
> > Is it "Organization: SHLINK Internet Service" and I should be impressed
> > because you are from an ISP? If you are from an ISP you should know
> > better.
>
> I have a feeling you are deliberately misunderstanding what Wolfgang is
> trying to communicate.

Enlighten me because it has passed right over my head without even parting
my hair.

> > Or is it "NNTP-Posting-Host: fw0.shlink.de" because you have hidden your ip
> > address? Which resolves to :
> >
> > ;; ANSWER SECTION:
> > fw0.shlink.de. 3600 IN A 212.60.1.4
>
> Nothing hidden about that address? Or do you mean it is hidden
> because it resolves to a DNS name? If so, I have successfully
> hidden all my IP addresses :)

>
> > telnet 212.60.1.4 25
> > Trying 212.60.1.4...
> > Connected to fw0.shlink.de (212.60.1.4).
> > Escape character is '^]'.
> > 220 fw0.shlink.de (RBL/SPF) ESMTP
> >
> > But wait! fw0? Could that be a firewall?? Firewall 0?? Nah! You couldn't
> > possibly be advocating users not to use a firewall while using one
> > yourself??
> >
> > If you don't advocate firewalls, what are you doing in this group?
>
> This group is for discussion, not advocating. Try reading Wolfgangs
> posts again.

I have and they are still full of dangerous, unhelpful and unusable advice
for the newbie asking the original question.
 

In article <c9mm69$ek0$1@news.shlink.de>, wolfgang@shconnect.de says...
> Well, some time ago I reinstalled an infected win2000 workstation of a quite
> unskilled user. I patched the installation, switched off all services, set
> user and access rights strict using good passwords, configured IE properly,
> told the user that he must not log in as administrator unless for
> maintenance tasks. No problems with the machine.

WG, don't get me wrong, I know how to secure a Windows 2000/XP machine
and what services to allow, but, for most home users it's not going to
help.

By the time a home user gets fully booted up for the first time, they
already have the ethernet connection connected to the PC. Since they
don't have the instructions on how to secure it, they browse around the
internet looking for instructions - provided they even know they need to
secure it - and find various answers. About 10 minutes later their
system, if Windows XP tells them they have updates to install and they
do (after about 4 reboots from service pack installs), they have a
machine that is reasonably patched - total estimated time online before
being patched 1 hour. Now, they remembered that they didn't secure their
machine, so they start searching again, find a couple malicious sites,
get nice things installed since they look like links to the information
they wanted (but were really scripts). Since they didn't update their
Anti-Virus software it doesn't detect the web scripts and the trojans
make it in. After about an hour they find enough information to stop
some services - total time online 2 hours now.....

During their 2 hours, provided they even know that they need to secure
their machine, they've been subjected to any number of hacks/exploits
and have a compromised box.

Now, do the same thing with them sitting behind a NAT router. Sure, the
malicious sites are not prevented, but the inbound traffic during the
first hour that they are doing updates is. Who knows, they may find the
answers without hitting a malicious site and during that second hour the
NAT router will still be protecting them. Also, after reading enough,
they call Dell and ask about AV products, they learn that they have to
register McCrappy before it will update, they do and get the updates -
still not hacked and now all updates are in place.

Now, lets take the typical user - gets PC, connects to internet
directly, doesn't do anything to secure machine. We know this type, it's
their machine that keeps probing our machines to "reach out and touch
us".

Now take the typical user - get a PC, connects to the router, doesn't do
anything, plays around, oops - sees the Windows Update ICON flashing
ignores it. At least this machine is protected from being attacked by
unknown systems/users. Sure, the PC can be compromised by the user, but
it's more likely to be compromised if the user is connected directly.

If ISP's would just enable NAT by default on their cable/dsl modems most
users would have a fighting chance while they get updates/patched.

You stick with your services method, I'll stick with my NAT / AV (as
well as other) methods and we'll see if you can say that you've never
had a machine under your control that's been compromised in 20+ years.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
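
The two positions argued in this thread can be compared in a toy model. This is an added example, not part of any post: it treats a NAT router as a translation table that only gets entries from inside-initiated connections, and a host as a set of listening ports. The addresses (documentation ranges), the port numbers and the port-restricted NAT behaviour are assumptions chosen for illustration.

```python
# Added example (not from the thread): toy model of inbound reachability.
# Addresses are documentation ranges; ports and names are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: tuple          # (ip, port)
    dst: tuple          # (ip, port)
    syn: bool = False   # True = new connection attempt, False = reply traffic


class Host:
    def __init__(self, ip, listening=()):
        self.ip = ip
        self.listening = set(listening)   # ports with a service bound
        self.client_ports = set()         # source ports of user-opened connections

    def connect(self, remote, sport):
        """The user opens an outbound connection (browser, updater, ...)."""
        self.client_ports.add(sport)
        return Packet((self.ip, sport), remote, syn=True)

    def receive(self, pkt):
        port = pkt.dst[1]
        if pkt.syn:
            return "accepted-by-service" if port in self.listening else "refused"
        return "delivered-to-client" if port in self.client_ports else "refused"


class NatRouter:
    """Port translation: a mapping exists only after an inside host sends first."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.table = {}        # public port -> (inside endpoint, remote endpoint)
        self.next_port = 40000

    def outbound(self, pkt):
        public_port = self.next_port
        self.next_port += 1
        self.table[public_port] = (pkt.src, pkt.dst)
        return Packet((self.public_ip, public_port), pkt.dst, pkt.syn)

    def inbound(self, pkt):
        entry = self.table.get(pkt.dst[1])
        # Assumption: port-restricted NAT, so only the contacted remote may reply.
        if entry is None or entry[1] != pkt.src:
            return None
        return Packet(pkt.src, entry[0], pkt.syn)


def deliver(pkt, host, nat=None):
    """Pass a packet from the internet to the host, through NAT if present."""
    if nat is not None:
        pkt = nat.inbound(pkt)
        if pkt is None:
            return "dropped-at-nat"
    return host.receive(pkt)


def run_scenarios():
    scanner = ("198.51.100.66", 51000)   # unsolicited prober
    web = ("198.51.100.80", 80)          # site the user chose to visit
    public_ip = "203.0.113.10"

    def probe():
        return Packet(scanner, (public_ip, 445), syn=True)

    results = {}
    # Unpatched default install wired straight to the modem.
    results["direct_default"] = deliver(probe(), Host(public_ip, [135, 445]))
    # Same connection, but every service switched off.
    results["direct_hardened"] = deliver(probe(), Host(public_ip))
    # Default install behind a NAT router.
    nat = NatRouter(public_ip)
    pc = Host("192.168.1.10", [135, 445])
    results["nat_default"] = deliver(probe(), pc, nat)
    # The user fetches something: the reply passes, whatever its content.
    out = nat.outbound(pc.connect(web, 50000))
    results["nat_user_download"] = deliver(Packet(web, out.src), pc, nat)
    # A third party aiming at the freshly mapped public port.
    results["nat_stranger_on_mapped_port"] = deliver(
        Packet(scanner, out.src, syn=True), pc, nat)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:30} {outcome}")
```

Both a service-free host and a NAT router stop the unsolicited probe, while traffic the user asked for is delivered in every configuration.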
 

"Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
news:c9mm69$ek0$1@news.shlink.de...
> Leythos wrote:
>
> > In the one week's time I was gone her machine was infected with 380+
> > different spyware apps, and more than 40 viruses/trojans.
>
> 'It was infected' sounds like that this didn't require end user interaction.
> I doubt that.
>
> > Needless to
> > say, they didn't do anything other than turn it on, get through the
> > basic startup config, and start using it.
>
> Does 'using a system' include 'installation of malware'?
>
> > This is your classic user,
> > your classic level of users on home systems.
>
> Most filtering devices placed in front of a box do not prevent installing
> malware by the user himself.
>
> > Had they installed the Linksys router they would have been a LOT better
> > off and I would not have had to wipe/reinstall from scratch.
>
> You would since the router does not prevent the installation of malware.
>
> > I installed XP Prof, NAV 2004, Spybot Search & Destroy, set the "Internet"
> > zone to "HIGH" and the Trusted Zone to medium, then showed her how to add
> > trusted sites to the trusted zone. I also installed her Office XP and
> > Outlook XP. She's been running for a couple months now and not one
> > problem.
>
> Well, some time ago I reinstalled an infected win2000 workstation of a quite
> unskilled user. I patched the installation, switched off all services, set
> user and access rights strict using good passwords, configured IE properly,
> told the user that he must not log in as administrator unless for
> maintenance tasks. No problems with the machine.

Yet......... It's just a matter of time.
 

In article <slrncbtp53.1hu.eirik@kain.mi.uib.no>, eirik@mi.uib.no
says...
> The point he is trying to make is that while adding a NAT device might
> cure the symptom of a vulnerable system (by adding more code,
> statistically introducing more bugs, to solve the problem caused by
> too much code in the first place), it does not solve the real problem
> which is insecure systems. Securing those systems will be a much
> better solution, and what we all should be advocating unless we have
> another agenda than to make the Internet a more secure place. At
> least that is how I interpret it.

That's the point we're all trying to make - securing the systems is the
best method. Problem is that the systems are NOT secured BEFORE they
connect to the internet in most users worlds. NAT is the first part of
the solution, it gives the users a chance to run updates/patches BEFORE
they get hacked and while they (if they even know about it) learn to
secure their machines (which most will never learn about).

NAT devices don't introduce any "bugs" into the system - sure, they play
heck with IRC DCC's and some peer-to-peer apps, but most people don't
need to move files that way anyway. Most home users don't know about IRC
or P2P apps, and by the time they do, they are compromised anyway.

What you have to consider is the ORDER in which things happen - New PC,
connect to net, infected, too late, reinstall, infected, too late....
Buys router/NAT, reinstall, updates, av's, doing good now, searches on
how to secure IE and Outlook, runs well for a while, searches on how to
secure PC, does some things... Runs well for long time.... New Virus,
opens email attachment (av software and Outlook won't let them open it),
still running good....


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 

Mike wrote:

> Yet......... It's just a matter of time.

Hardly any difference to the time that Leythos needed. And I needed far less
code.

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind
Peter Gabriel, Not one of us, 1980
 

Mike wrote:

> I have and they are still full of dangerous, unhelpful and unusable advice
> for the newbie asking the original question.

Well, the times when I got angry about trolls like you that believe their
claims to be a proof have long gone. So may I kindly ask you to give
technical reasons for your claims?

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind
Peter Gabriel, Not one of us, 1980
 

In article <c9mtuv$fk2$2@news.shlink.de>, wolfgang@shconnect.de says...
> Mike wrote:
>
> > I have and they are still full of dangerous, unhelpful and unusable advice
> > for the newbie asking the original question.
>
> Well, the times when I got angry about trolls like you that believe their
> claims to be a proof have long gone. So may I kindly ask you to give
> technical reasons for your claims?

WG, I know you didn't ask me, but, the problem with your advice is that
it was in response to a question to what appears to be a slightly above
average typical home users and did not include specifics related to his
OS.

Without providing specifics to secure a users OS/apps, your advice
leaves their machine fully open to compromise since there is no clear
way for the machine to be secured. At least with NAT and AV software
they have hope that it will be more secure than leaving some services
exposed or even worse, finding some previously unknown hole in the OS
that lets someone take over their system.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)