On 7 Sep 2003 21:33:45 -0700, in <alt.privacy.spyware>, yosponge@yahoo.com
(sponge) wrote:
>
[snip]
>
> I have not tried the Vigor, but it is not a firewall; it is a router.
[snip]
Actually, it's both, sort of. While, from what I've seen, its firewall
features are somewhat weak as compared to some of the "better" HW firewalls,
they aren't exactly nonexistent either.
> Big difference. All NAT routers do is translate your public IP address
> to some other one for your internal network. The oversimplified theory
> is, it's more difficult to hack the hosts behind the firewall since
> they are at different IP addresses than the router proper.
[snip]
That's true, as far as it goes; but it describes (as you put it) "NAT
routers", *not* firewalls. A firewall *is* a router, pretty much by
definition; but a router is not (necessarily) a firewall.
> Even if you got a router with a built-in firewall, I CAN tell you
> that, unless you are planning on laying down several thousand dollars,
> the "consumer grade" so-called firewalls will give so-so protection,
> at best.
[snip]
That would depend near-completely on your definition of "so-so". Would I
trust a $200 firewall as the sole means of defending my network from the
full resources of the Black Helicopter crowd, were I dumb enough to do
something to get them *that* interested in me? Of course not. But it would
still do a FAR better job of this than ANY so-called "software firewall",
especially if the latter is running under ANY flavor of Windows.
> As far as inbound protection against scans, netBIOS hacks,
> and so on, they do a good job. Some even offer VPN.
[snip]
Correct -- at least when they are properly configured.
> As far as
> protecting you against threats already on your own system (which is
> extremely common, and the subject of this group), hardware firewalls
> like Netgear, Linksys, and so on are next to useless.
[snip]
But then, so are "software firewalls" -- and to the extent that any of the
popular packages offer ancillary features which *do* do anything about these
"internal threats", they are acting as something else besides a "firewall".
> However, because a hardware firewall cannot tell what applications are
> connecting to the net, nor validate any subcomponents, it has no way
> of controlling malicious programs from contacting the net.
[snip]
This is simply not true. The means *is* there, but it needs to be applied
intelligently. For example, if you don't want your users connecting to
"website X", you can very easily block all access (on ALL ports, if desired)
to that website's IP address(es).
But more to the point, you are misstating what a firewall's function in life
is supposed to be -- a firewall is NOT a "net nanny", second-guessing the
user as if they were a child. If (you think) you need that function, then
go get software or hardware that will provide it; but don't make the mistake
of thinking that what you're buying is a "firewall" -- it's not. Better
yet, stop doing stupid/risky things with your computer.
> At least, a
> software firewall has some, even though it is possible to kill or
> bypass the firewall.
[snip]
BINGO!
You've just (finally) stumbled upon *the* reason that the term "software
firewall" (at least in the context of your typical stand-alone WinBox) is an
oxymoron.
It is axiomatic that for a firewall to be effective, it MUST stand *between*
the perceived threat and the system/network it is attempting to protect.
A "software firewall" running on the same box it is trying to "protect"
*cannot* meet that fundamental criterion.
> Of course, then you need to use other protections.
[snip]
Like, for example, a *real* (i.e., "hardware") firewall. <~>
> Never trust one tool. Use several tools and techniques.
>
[snip]
Can't argue with *that* fundamental truth. ;-)
--
Jay T. Blocksom
--------------------------------
Appropriate Technology, Inc.
usenet01[at]appropriate-tech.net
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: E-Mail address in "From:" line is INVALID! Remove +SPAMBLOCK to mail.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Unsolicited advertising sent to this E-Mail address is expressly prohibited
under USC Title 47, Section 227. Violators are subject to charge of up to
$1,500 per incident or treble actual costs, whichever is greater.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
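The post above makes two concrete points about what a network ("hardware") firewall can and cannot do: it can block every port to a given destination address, and it can drop inbound NetBIOS/SMB probes, but it decides purely on packet headers and so has no notion of which application on the protected host generated a packet. The following is an added example, not code from the thread or from any of the products it names: a minimal packet-filter model in Python. The addresses (TEST-NET ranges), the rule set, and the rule syntax are constructed for illustration.

```python
"""Minimal model of a header-based (network) packet filter.

Added example, not code from the Usenet thread. It models the points made in
the post: a network firewall decides on direction, protocol, addresses and
ports only, so it can block all ports to a destination address and drop
inbound NetBIOS/SMB, but it never sees which application sent a packet.
All addresses, ports and rules below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (from the Internet) or "out" (to the Internet)
    proto: str              # "tcp" or "udp"
    src: str                # source IPv4 address
    dst: str                # destination IPv4 address
    dport: int              # destination port
    app: str = "unknown"    # hypothetical: NOT on the wire, never consulted by a rule


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    direction: str                  # "in" or "out"
    proto: Optional[str] = None     # None matches any protocol
    dst: Optional[str] = None       # CIDR string; None matches any address
    dports: Optional[range] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        """True if every non-None field of the rule matches the packet header."""
        if self.direction != p.direction:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        return True


LAN = "192.0.2.0/24"              # constructed: the protected network (TEST-NET-1)
BLOCKED_SITE = "203.0.113.10/32"  # constructed: "website X" (TEST-NET-3)

# First matching rule wins. Policy: inbound is denied unless a rule allows it,
# outbound is allowed unless a rule denies it (typical consumer-router defaults).
RULES = [
    Rule("deny", "in", "tcp", LAN, range(137, 140)),   # NetBIOS name/datagram/session
    Rule("deny", "in", "udp", LAN, range(137, 140)),
    Rule("deny", "in", "tcp", LAN, range(445, 446)),   # SMB directly over TCP
    Rule("deny", "out", None, BLOCKED_SITE, None),     # every port, every protocol
]


def decide(p: Packet) -> str:
    """Return the verdict ("allow"/"deny") for a packet under RULES and defaults."""
    for r in RULES:
        if r.matches(p):
            return r.action
    return "allow" if p.direction == "out" else "deny"


def application_is_invisible(p: Packet) -> bool:
    """The post's point: two packets identical on the wire but from different
    applications get the same verdict, because the filter cannot see `app`."""
    twin = Packet(p.direction, p.proto, p.src, p.dst, p.dport, app="some-other-program")
    return decide(p) == decide(twin)


if __name__ == "__main__":
    samples = [
        Packet("out", "tcp", "192.0.2.5", "203.0.113.10", 443, app="browser"),
        Packet("out", "tcp", "192.0.2.5", "203.0.113.10", 8080, app="trojan"),
        Packet("out", "tcp", "192.0.2.5", "198.51.100.7", 443, app="browser"),
        Packet("in", "tcp", "198.51.100.7", "192.0.2.5", 139),
        Packet("in", "tcp", "198.51.100.7", "192.0.2.5", 80),
    ]
    for s in samples:
        print(f"{s.direction:3} {s.proto} {s.src} -> {s.dst}:{s.dport:<5} "
              f"app={s.app:<18} => {decide(s)}")
```

Run it and note that the two outbound packets to the blocked address are denied whichever port (or application) they use, while the inbound probes are dropped by the NetBIOS rules or the default inbound deny. Nothing in `Rule.matches` reads `Packet.app`; that is exactly why the post argues that controlling which programs may talk to the net is a job for something other than a network firewall.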