Which Firewall?

Archived from groups: comp.security.firewalls

"Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
news:c9mtuv$fk2$2@news.shlink.de...
> Mike wrote:
>
> > I have and they are still full of dangerous, unhelpful and unusable
> > advice for the newbie asking the original question.
>
> Well, the times when I got angry about trolls like you that believe their
> claims to be a proof have long gone. So may I kindly ask you to give
> technical reasons for your claims?

<sigh> OK

Original question:
"I am interested to know which type of firewall is adequate for a home
PC, I have been recommended to use either Norton Personal Firewall
2004 or McAfee Personal Firewall, are these appropriate or can anybody
recommend suitable alternatives."

It is obvious to even the most simple minded person that the OP is not
worldly wise in the ways of computers but at least has the good sense to
recognise that he may need to protect himself from the Internet.

Your responses:
"Simply configure your system properly and you don't need any suspicious
third party so called 'firewall' software."

This reply is condescending and rude. The OP could not possibly even achieve
the basics required to achieve the protection that something like Zone Alarm
could offer. If your advice is followed it is unhelpful as they remain open
to the world.

FACT: Zone alarm is good. Good enough for one of the planet's leading
Firewall vendors to supply it with their VPN client software. I'm talking
about Watchguard here. You know, the people who fund development of
IPTABLES?


"Unnecessary, as long as the system does not offer any services."
You are assuming they are running an NT based system. Your advice is
dangerous because the user needs to know what services to shut down. FACT:
Stopping the wrong services could stop them from ever starting up their
computer again. Your advice is dangerous in the hands of a novice.

"One thing prevents them all: a secure configuration of the OS and a skilled
user."

I couldn't agree more. Fortunately I live in the real world and not the
fantasy land you live in so I know that this will never happen. Example: if
everybody learnt to drive a car to the same degree of skill as a Police
driver, there would be fewer accidents. But we know that isn't going to
happen just the same as every user is not going to become an expert on
configuring their systems securely. FACT.


I am not a troll and it should be patently obvious from all the other
messages posted by other readers that your advice is at the very least
suspect.


One day when you are all growed up and have been at the customer facing end
of support for 20 years you might understand what others are trying to tell
you.
 

"Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
news:c9mtn5$fk2$1@news.shlink.de...
> Mike wrote:
>
> > Yet......... Its just a matter of time.
>
> Hardly any difference to the time that Leythos needed. And I needed far
> less code.

Apologies but you missed my point. What I was trying to say was that it is
only a matter of time before the user or a helpful "friend" comes along and
restarts a service. The system is then compromised - instantly. Bang goes
your 'secure' system.

Despite what you do and what you tell them, they _will_ log in as
Administrator to do everyday tasks.

If you leave the security in the hands of the user, the system _will_ be
compromised. Every day I visit client sites. On all but the most secure, I
could walk up to any person at random and ask them their network password
and they would tell me.
 

In article <c9ndnu$n28$1@thorium.cix.co.uk>, nospam@notherematey.com
says...
> Every day I visit client sites. On all but the most secure, I
> could walk up to any person at random and ask them their network password
> and they would tell me.

You know, it's funny that you mention that - when I auto-gen passwords
for clients (10 characters, letters/numbers, upper/lower case) they get
a really annoyed look until I tell them that they can change them when
they want. I've set the rules on the networks for 8 characters,
upper/lower, number/letter, and remember the last 3 passwords - change
every 60 days... They still don't like that. What's even funnier is
that they get annoyed when I tell them I don't know their new password
and that I try not to know anyone's password.

We have an email server in the DMZ at one client's location - not part of
any domain/network. It's isolated so that the trusted network users must
always enter user/password to get email using Outlook (Exchange 2000). I
don't let them change their passwords on that system - auto-gen, changed
by me every 90 days. Since that server also acts as a small static web
server I don't take any chances with it. It's not funny to have to
explain to a user that you have one user name and a password to log in
to the network and the same user name and a different password to get
email, but they've never had a system compromised and have a LOT of
users across the company.



--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
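The password rules Leythos describes above (10-character auto-generated passwords; an 8-character minimum with upper, lower and a digit; the last 3 passwords remembered; change every 60 days), written out as an added example that is not from the thread. The constant names, the function names and the choice to keep the history as salted PBKDF2 hashes instead of plaintext are my own assumptions, not anything a real domain policy engine exposes.

```python
import hashlib
import secrets
import string
from datetime import datetime, timedelta

# Policy values as the post describes them (names are assumptions):
# generated passwords are 10 letters/digits; user-chosen passwords need
# at least 8 characters with upper, lower and digit, may not repeat any
# of the last 3, and expire after 60 days.
GENERATED_LENGTH = 10
MIN_LENGTH = 8
HISTORY_DEPTH = 3
MAX_AGE_DAYS = 60
ALPHABET = string.ascii_letters + string.digits
PBKDF2_ROUNDS = 50_000


def meets_complexity(pw):
    """Minimum length plus at least one upper, one lower and one digit."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw))


def generate_password(length=GENERATED_LENGTH):
    """Auto-generate a letters/digits password from a CSPRNG, retrying
    until it satisfies the complexity rule (almost always first try)."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_complexity(candidate):
            return candidate


def hash_password(pw, salt=None):
    """Salted PBKDF2-SHA256 so the history never stores plaintext."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(pw, history):
    """True if pw matches any of the HISTORY_DEPTH most recent entries
    (history is most-recent-first, as returned by hash_password)."""
    for salt, digest in history[:HISTORY_DEPTH]:
        if secrets.compare_digest(hash_password(pw, salt)[1], digest):
            return True
    return False


def check_change(new_pw, history):
    """Return the list of policy violations for a proposed password;
    an empty list means the change is acceptable."""
    problems = []
    if len(new_pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isupper() for c in new_pw) and any(c.islower() for c in new_pw)):
        problems.append("needs both upper- and lower-case letters")
    if not any(c.isdigit() for c in new_pw):
        problems.append("needs a digit")
    if in_history(new_pw, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


def needs_rotation(last_changed_iso, now_iso):
    """True once the password is older than MAX_AGE_DAYS (ISO dates)."""
    last_changed = datetime.fromisoformat(last_changed_iso)
    now = datetime.fromisoformat(now_iso)
    return now - last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    pw = generate_password()
    history = [hash_password(pw)]  # constructed: the user's current password
    print("generated:", pw, "re-use attempt:", check_change(pw, history))
```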
 

On Thu, 03 Jun 2004 11:15:12 GMT, Leythos wrote:
> In article <slrncbtp53.1hu.eirik@kain.mi.uib.no>, eirik@mi.uib.no
> says...
> > The point he is trying to make is that while adding a NAT device might
> > cure the symptom of a vulnerable system (by adding more code,
> > statistically introducing more bugs, to solve the problem caused by
> > too much code in the first place), it does not solve the real problem
> > which is insecure systems. Securing those systems will be a much
> > better solution, and what we all should be advocating unless we have
> > another agenda than to make the Internet a more secure place. At
> > least that is how I interpret it.
>
> That's the point we're all trying to make - securing the systems is the
> best method. Problem is that the systems are NOT secured BEFORE the
> connect to the internet in most users worlds. NAT is the first part of
> the solution, it gives the users a chance to run updates/patches BEFORE
> they get hacked and while they (if they even know about it) learn to
> secure their machines (which most will never learn about).
>
> NAT devices don't introduce any "bugs" into the system

They just might do. How can you be so sure that they can't?
These devices commonly run services like a small web server,
dhcp and maybe even some proxy services. Lots of things that
potentially could have remote vulnerabilities even if they are
not _supposed_ to be available to the internet. How many home
users would be alert enough to install firmware updates? How
many vendors are actually releasing firmware updates? I'm sure
there are some, but nevertheless introducing additional devices
_could_ introduce new vulnerabilities.

Do you think there are less bugs in the web servers used in
these appliances than in Apache? Maybe they share the same
codebase? If the vendor writes their own server, how many
consultants audit the code? Would unlikely bugs surface as
fast as in open source projects? And how long from discovery
until patch?

I'm being a bit elaborate on this because I think it is
important to consider whether the security precautions we implement
might actually introduce new vulnerabilities (and how to avoid
them).


- Eirik
--
New and exciting signature!
 

In article <slrncbuk11.set.eirik@kain.mi.uib.no>, eirik@mi.uib.no
says...
> On Thu, 03 Jun 2004 11:15:12 GMT, Leythos wrote:
> > In article <slrncbtp53.1hu.eirik@kain.mi.uib.no>, eirik@mi.uib.no
> > says...
> > > The point he is trying to make is that while adding a NAT device might
> > > cure the symptom of a vulnerable system (by adding more code,
> > > statistically introducing more bugs, to solve the problem caused by
> > > too much code in the first place), it does not solve the real problem
> > > which is insecure systems. Securing those systems will be a much
> > > better solution, and what we all should be advocating unless we have
> > > another agenda than to make the Internet a more secure place. At
> > > least that is how I interpret it.
> >
> > That's the point we're all trying to make - securing the systems is the
> > best method. Problem is that the systems are NOT secured BEFORE the
> > connect to the internet in most users worlds. NAT is the first part of
> > the solution, it gives the users a chance to run updates/patches BEFORE
> > they get hacked and while they (if they even know about it) learn to
> > secure their machines (which most will never learn about).
> >
> > NAT devices don't introduce any "bugs" into the system
>
> They just might do. How can you be so sure that they can't?

A second device, a NAT router, can not introduce ANYTHING in to my
computer that affects its operation. Meaning that installing a router
is not going to cause MS Office, XP Professional, etc.. to be impacted.

> These devices commonly run services like a small web server,
> dhcp and maybe even some proxy services. Lots of things that
> potentially could have remote vulnerabilities even if they are
> not _supposed_ to be available to the internet. How many home

These devices, if there were any holes, would be uncovered as quickly as
security updates and patches put in place. Most of these devices undergo
testing against it before they ever hit the market. You also need to
understand that these units are only running a subset of what is
available to servers and are less likely to have holes because of it.

> users would be alert enough to install firmware updates? How
> many vendors are actually releasing firmware updates? I'm sure
> there are some, but nevertheless introducing additional devices
> _could_ introduce new vulnerabilities.

I've owned a BEFSR41 NAT/Router since they came on to the market, there
have been at least 30 updates since that time. Each update improved some
feature or added features. I can't think of any of the updates that were
needed in order to block inbound intrusions.

> Do you think there are less bugs in the web servers used in
> these appliances than in Apache? Maybe they share the same
> codebase? If the vendor writes their own server, how many

I think there are many times less holes in the micro interfaces as they
are not true servers, they are applications that respond to HTTP
requests.

> consultants audit the code? Would unlikely bugs surface as
> fast as in open source projects? And how long from discovery
> until patch?

A hole is patched within days of discovery - even quicker than in the OS
community as the vendor has a lot riding on it. There are very few
updates related to security, most of them are to fix problems with
features, to add features, etc...

> I'm beeing a bit elaborate on this because I think it is
> important to consider whether the security precautions we implement
> might actually introduce new vulnerabilities (and how to avoid
> hem).

If you want to consider "NEW" then consider that any personal firewall,
operating system (even open source), etc... that you INSTALL on a PC is
open to MANY configuration, exploit, etc.. issues that you are not aware
of. There are any number of things that a user can do wrong when setting
up a PC, personal firewall, etc.... There is almost nothing that they
can do wrong when installing a NAT router.

I would stack my WatchGuard Firebox II or III up against any Open Source
solution any day, or even a Check Point FW1 solution against an Open
Source solution. In fact, I would stack an appliance up against a PC
running software in almost every case.

For home users, the idea of a plug/forget device is an important step,
there is little impact and little that can go wrong. If they purchase a
D-Link or Linksys it's painless and works perfectly for the design. This
simple appliance, combined with "quality" anti-virus software would
prevent more problems than any other solution you can come up with.


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 

Well Leythos, we all know how much you trust dedicated devices. Besides the
recent Cisco messes (undocumented factory-fixed back-door password) and the
Linksys problem (active remote management despite its being disabled) I
wonder how many more such incidents do you need before you reconsider?

An appliance is nothing but a computer with limited functionality. This may
make it faster (like the Cisco fast packet pass) or possibly more secure
(less code to audit), but there are no guarantees. Blind trust in the
manufacturer's quality control is not the way to go if you want security.

References:

Cisco back-door:
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,92015,00.html

Cisco bug:
http://www.alcrypto.co.uk/cisco/

Linksys problem:
http://seclists.org/lists/bugtraq/2004/May/0329.html
http://www.internetnews.com/infra/article.php/3362321

For your information: I have developed such appliances myself.
--
Mailman
 

In article <40bfb7c5_5@127.0.0.1>, mailman@anonymous.org says...
> Well Leythos, we all know how much you trust dedicated devices. Besides the
> recent Cisco messes (undocumented factory-fixed back-door password) and the
> Linksys problem (active remote management despite its being disabled) I
> wonder how many more such incidents do you need before you reconsider?

Well, you pointed to CISCO and a Linksys Wireless device - I don't use
CISCO products and neither would most home users. As for the Linksys
device, this is not something we've talked about - I DO NOT SUGGEST
WIRELESS as something that can be dropped in and secure, in fact, it's
not secure in the default config.

> An appliance is nothing but a computer with limited functionality. This may

Actually, it's a device running a minimal (in some cases) OS or
application in a non-OS base, that has a specific function - not at all
like a limited function PC. Not even close to a secure PC.

> make it faster (like the Cisco fast packet pass) or possibly more secure
> (less code to audit), but there are no guarantees. Blind trust in the
> manufacturer's quality control is not the way to go if you want security.

Blind trust is always a bad thing, and I never advocate it. I test every
unit that we recommend, even have most of them on hand in our testing
lab for times like this.

> References:
>
> Cisco back-door:
> http://www.computerworld.com/securitytopics/security/holes/story/0,10801,92015,00.html
>
> Cisco bug:
> http://www.alcrypto.co.uk/cisco/

Both widely documented, but I never install CISCO units in anything - too
hard for a non-cisco person to manage. Not cheap, features cost extra,
etc...

> Linksys problem:
> http://seclists.org/lists/bugtraq/2004/May/0329.html
> http://www.internetnews.com/infra/article.php/3362321

Only impacts the wireless units and not the standard NAT wired units.

> For your information: I have developed such appliances myself.

I'm glad, then you should clearly understand how easy it is to install
them for non-technical users, that wireless is NOT something that home
users should be comfortable with, and that this is just the FIRST layer
in protection - the first layer is where it starts.

You should also understand that non-technical types (your typical home
user) are not going to update their machine, not going to stop services
that are not needed, not going to update their AV software, not going to
do anything that requires them to edit/configure the computer. They will
install a device, that requires no setup, that can prevent their machine
from being accessed directly from the net once they learn about such
devices.


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 

On Thu, 03 Jun 2004 23:56:53 GMT, Leythos <void@nowhere.com> wrote:

>In article <40bfb7c5_5@127.0.0.1>, mailman@anonymous.org says...
>> Well Leythos, we all know how much you trust dedicated devices. Besides the
>> recent Cisco messes (undocumented factory-fixed back-door password) and the
>> Linksys problem (active remote management despite its being disabled) I
>> wonder how many more such incidents do you need before you reconsider?
>
>Well, you pointed to CISCO and a Linksys Wireless device - I don't use
>CISCO products and neither would most home users. As for the Linksys
>device, this is not something we've talked about - I DO NOT SUGGEST
>WIRELESS as something that can be dropped in and secure, in fact, it's
>not secure in the default config.

This particular vulnerability is present in the Linksys BEF series
(wired) routers as well:

http://secunia.com/advisories/11754/

Jim
jaZzzbeatty@jimZzzbeatty.us
(Wake me up)
 

In article <iajvb0d1tbv0mnusphvpl2qc8955gs599n@4ax.com>,
spammenot@spam.org says...
> On Thu, 03 Jun 2004 23:56:53 GMT, Leythos <void@nowhere.com> wrote:
>
> >In article <40bfb7c5_5@127.0.0.1>, mailman@anonymous.org says...
> >> Well Leythos, we all know how much you trust dedicated devices. Besides the
> >> recent Cisco messes (undocumented factory-fixed back-door password) and the
> >> Linksys problem (active remote management despite its being disabled) I
> >> wonder how many more such incidents do you need before you reconsider?
> >
> >Well, you pointed to CISCO and a Linksys Wireless device - I don't use
> >CISCO products and neither would most home users. As for the Linksys
> >device, this is not something we've talked about - I DO NOT SUGGEST
> >WIRELESS as something that can be dropped in and secure, in fact, it's
> >not secure in the default config.
>
> This particular vulnerability is present in the Linksys BEF series
> (wired) routers as well:
>
> http://secunia.com/advisories/11754/

The issue has been reported in the following products:
* Linksys WRT54G (firmware release 2.02.7)
* Linksys BEFSR41 ver.3

Looks like only a very small part of the units - BEFSR41 are impacted.
The version 3 units are problematic and I don't use them anyway.


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 

Bob Kryger wrote:


> Basically one line of defense is not enough. Your assertion of a well run
> system may be considered one good line of defense. It is, but it's not
> sufficient, in today's Internet, especially for newbies. Like it or not,
> we sometimes have to be pragmatic.

I have no problem with several lines of defense, far from it. But a _proper_
setup of several lines of defense is not a single NAT device. A proper
setup of defense in depth is usually a combination of one or more packet
filters and at least one Application-Level-Gateway. Everything well
maintained by skilled staff, logs scanned regularly etc.

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind
Peter Gabriel, Not one of us, 1980
 

"Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
news:c9pkgm$tna$1@news.shlink.de...

> filters and at least one Application-Level-Gateway. Everything well
> maintained by skilled staff, logs scanned regularly etc.

Which rules out most of the home user market which is where we came in🙂
 

Mike wrote:

>
> "Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
> news:c9pkgm$tna$1@news.shlink.de...
>
>> filters and at least one Application-Level-Gateway. Everything well
>> maintained by skilled staff, logs scanned regularly etc.
>
> Which rules out most of the home user market which is where we came in🙂

I know. Therefore it is IMNSHO more or less useless to tell home users about
defense-in-depth. The only effect that has is that they get confused.
Therefore I said: If complexity is the problem, making a setup more
complex is not the solution. It only confuses unskilled people.

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind.
from 'Not one of us', (c) 1980 Peter Gabriel
 

On Fri, 04 Jun 2004 21:51:42 +0200, Wolfgang Kueter
<wolfgang@shconnect.de> wrote:
>
>I know. Therefore it is IMNSHO more or less useless to tell home users about
>defense-in-depth. The only effect that has is that they get confused.
>Therefore I said: If complexity is the problem, making a setup more
>complex is not the solution. It only confuses unskilled people.
>

Since when is connecting a few cables a more complex solution?
 

On Fri, 04 Jun 2004 20:26:01 GMT, shopping.nowthor.com spoketh

>On Fri, 04 Jun 2004 21:51:42 +0200, Wolfgang Kueter
><wolfgang@shconnect.de> wrote:
>>
>>I know. Therefore it is IMNSHO more or less useless to tell home users about
>>defense-in-depth. The only effect that has is that they get confused.
>>Therefore I said: If complexity is the problem, making a setup more
>>complex is not the solution. It only confuses unskilled people.
>>
>
>Since when is connecting a few cables a more complex solution?

There's more to "defense in depth" than just putting something in front
of your computer.

I understand where Wolfgang is coming from, but I think he
underestimates the computer-illiteracy of the common computer user. In a
best case scenario, the user would know enough about the computer OS to
know how to secure it properly. Unfortunately, the vast majority of
computer users are morons (with respect to computers), and the best way
to have them secure their computer is to throw some software on it
and/or put a router/firewall in front of it. It's not an ideal solution,
but considering the average computer skills of the average computer
user, that's as good as it's going to get.



Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
 

In article <3u72c0p5t8rihht3bddkle5jqg1v4hf9ho@4ax.com>,
badnews@hansenonline.net says...
> Unfortunately, the vast majority of
> computer users are morons (with respect to computers), and the best way
> to have them secure their computer is to throw some software on it
> and/or put a router/firewall in front of it. It's not an ideal solution,
> but considering the average computer skills of the average computer
> user, that's as good as it's going to get.

I think that's what we've been trying to tell him all along.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 

"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b2afbe1e615a9c298a5eb@news-server.columbus.rr.com...
> In article <3u72c0p5t8rihht3bddkle5jqg1v4hf9ho@4ax.com>,
> badnews@hansenonline.net says...
> > Unfortunately, the vast majority of
> > computer users are morons (with respect to computers), and the best way
> > to have them secure their computer is to throw some software on it
> > and/or put a router/firewall in front of it. It's not an ideal solution,
> > but considering the average computer skills of the average computer
> > user, that's as good as it's going to get.
>
> I think that's what we've been trying to tell him all along.

he likes to quote:-
A foreign body and a foreign mind
never welcome in the land of the blind.
from 'Not one of us', (c) 1980 Peter Gabriel

But I think he should change it to:

"There is none so blind as those who will not see"