i've been reading something about a hardware firewall on this group. doesn't
norton or mcafee firewall cover it?
is a vigor 2200 router a proper 'hardware firewall'?
--
Floris
"floris" <nospam@no.spam> wrote in
news:bj43ku$p1f$1@news-reader4.wanadoo.fr:
> i've been reading something about a hardware firewall on this group.
> doesn't norton or mcafee firewall cover it?
> is a vigor 2200 router a proper 'hardware firewall'?
>
This totally depends on what you want to use it for. Something for home use
might not be appropriate if you want it for a small office, etc.
If you are asking for home use, then maybe people were referring to
consumer router-NATing firewalls like LinkSys, DLink, Netgear, etc.
data64
On Wed, 3 Sep 2003 09:02:08 +0200, in <alt.privacy.spyware>, "floris"
<nospam@no.spam> wrote:
>
> i've been reading something about a hardware firewall on this group.
> doesn't norton or mcafee firewall cover it?
[snip]
No. Fundamentally IMPOSSIBLE, especially in the context of Windows (which
is inherently insecure).
To paraphrase someone else, "Relying on a so-called 'software firewall' to
protect your system from the various threats it WILL be exposed to as soon
as you connect it to the Internet is like trying to protect your body from
gunfire by shoving Kevlar up your backside -- by the time the bullet hits
the Kevlar, the damage is already done."
For a wordier and more detailed explanation of essentially this same
concept, see:
<http://runet2000i.rutgers.edu/docs/lanfirewalls-main.html>
> is a vigor 2200 router a proper 'hardware firewall'?
Well, drop out the word "proper", and I won't argue too vehemently with
calling it a "firewall", even tho' it's only minimally so, really. It
offers NAT, which helps; but that is *not* the end-all and be-all of
firewall functionality, despite some folks' misconceptions to that effect.
I take it you're asking because this is the piece of gear you've got? If
so, that's OK -- it may not be "The Best" firewall extant; but far more
important than that is you learning to use it properly.
OTOH, if you're *shopping* for a firewall, then be sure to take a look at
these, before making a decision:
<http://www.cisco.com/univercd/cc/td/doc/pcat/iofwfts1.htm>
<http://www.dlink.com/products/?pid=141>
<http://www.netgear.com/products/prod_details.asp?prodID=157&view=>
HTH.
--
Jay T. Blocksom
--------------------------------
Appropriate Technology, Inc.
usenet01[at]appropriate-tech.net
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: E-Mail address in "From:" line is INVALID! Remove +SPAMBLOCK to mail.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Unsolicited advertising sent to this E-Mail address is expressly prohibited
under USC Title 47, Section 227. Violators are subject to charge of up to
$1,500 per incident or treble actual costs, whichever is greater.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
On Wed, 3 Sep 2003 09:02:08 +0200, "floris" <nospam@no.spam> wrote:
>i've been reading something about a hardware firewall on this group. doesn't
>norton or mcafee firewall cover it?
>is a vigor 2200 router a proper 'hardware firewall'?
>
>--
>Floris
I have not tried the Vigor, but it is not a firewall; it is a router.
Big difference. All NAT routers do is translate your public IP address
to some other one for your internal network. The oversimplified theory
is, it's more difficult to hack the hosts behind the firewall since
they are at different IP addresses than the router proper.
Even if you got a router with a built-in firewall, I CAN tell you
that, unless you are planning on laying down several thousand dollars,
the "consumer grade" so-called firewalls will give so-so protection,
at best. As far as inbound protection against scans, netBIOS hacks,
and so on, they do a good job. Some even offer VPN. As far as
protecting you against threats already on your own system (which is
extremely common, and the subject of this group), hardware firewalls
like Netgear, Linksys, and so on are next to useless. A software 'wall
will give much better protection (and external IP filter, which those
don't), although they do take a bit of tweaking. Software 'walls will
also protect you better against DNS hijacking.
If you have a spare machine and don't mind a little tinkering, you can
build up a decent hardware firewall using IPcop or Smoothwall.
However, because a hardware firewall cannot tell what applications are
connecting to the net, nor validate any subcomponents, it has no way
of controlling malicious programs from contacting the net. At least, a
software firewall has some, even though it is possible to kill or
bypass the firewall. Of course, then you need to use other
protections.
Bottom line is, a hardware firewall is good at some things, not good
at others. It can help enhance security, but it isn't a replacement
for a software firewall and other techniques. Never trust one tool.
Use several tools and techniques.
Sponge
Sponge's Anti-Spyware Source
www.geocities.com/yosponge
On 7 Sep 2003 21:33:45 -0700, in <alt.privacy.spyware>, yosponge@yahoo.com
(sponge) wrote:
>
[snip]
>
> I have not tried the Vigor, but it is not a firewall; it is a router.
[snip]
Actually, it's both, sort of. While, from what I've seen, its firewall
features are somewhat weak as compared to some of the "better" HW firewalls,
they aren't exactly nonexistent either.
> Big difference. All NAT routers do is translate your public IP address
> to some other one for your internal network. The oversimplified theory
> is, it's more difficult to hack the hosts behind the firewall since
> they are at different IP addresses than the router proper.
[snip]
That's true, as far as it goes; but it describes (as you put it) "NAT
routers", *not* firewalls. A firewall *is* a router, pretty much by
definition; but a router is not (necessarily) a firewall.
> Even if you got a router with a built-in firewall, I CAN tell you
> that, unless you are planning on laying down several thousand dollars,
> the "consumer grade" so-called firewalls will give so-so protection,
> at best.
[snip]
That would depend near-completely on your definition of "so-so". Would I
trust a $200 firewall as the sole means of defending my network from the
full resources of the Black Helicopter crowd, were I dumb enough to do
something to get them *that* interested in me? Of course not. But it would
still do a FAR better job of this than ANY so-called "software firewall",
especially if the latter is running under ANY flavor of Windows.
> As far as inbound protection against scans, netBIOS hacks,
> and so on, they do a good job. Some even offer VPN.
[snip]
Correct -- at least when they are properly configured.
> As far as
> protecting you against threats already on your own system (which is
> extremely common, and the subject of this group), hardware firewalls
> like Netgear, Linksys, and so on are next to useless.
[snip]
But then, so are "software firewalls" -- and to the extent that any of the
popular packages offer ancillary features which *do* do anything about these
"internal threats", they are acting as something else besides a "firewall".
> However, because a hardware firewall cannot tell what applications are
> connecting to the net, nor validate any subcomponents, it has no way
> of controlling malicious programs from contacting the net.
[snip]
This is simply not true. The means *is* there, but it needs to be applied
intelligently. For example, if you don't want your users connecting to
"website X", you can very easily block all access (on ALL ports, if desired)
to that website's IP address(es).
But more to the point, you are misstating what a firewall's function in life
is supposed to be -- a firewall is NOT a "net nanny", second-guessing the
user as if they were a child. If (you think) you need that function, then
go get software or hardware that will provide it; but don't make the mistake
of thinking that what you're buying is a "firewall" -- it's not. Better
yet, stop doing stupid/risky things with your computer.
> At least, a
> software firewall has some, even though it is possible to kill or
> bypass the firewall.
[snip]
BINGO!
You've just (finally) stumbled upon *the* reason that the term "software
firewall" (at least in the context of your typical stand-alone WinBox) is an
oxymoron.
It is axiomatic that for a firewall to be effective, it MUST stand *between*
the perceived threat and the system/network it is attempting to protect.
A "software firewall" running on the same box it is trying to "protect"
*cannot* meet that fundamental criterion.
> Of course, then you need to use other protections.
[snip]
Like, for example, a *real* (i.e., "hardware") firewall. <~>
> Never trust one tool. Use several tools and techniques.
>
[snip]
Can't argue with *that* fundamental truth. ;-)
--
Jay T. Blocksom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
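Added example (not written by any poster in this thread): a small Python model of the two positions argued above, in which a perimeter filter that sees only packet headers can block "website X" on all ports but cannot tell which program opened a connection, while a host-based filter can. All names, rules and addresses are constructed; the IP addresses come from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    process: str  # known only on the originating host, never on the wire

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    dst_net: str                 # CIDR the destination must fall in
    dport: Optional[int] = None  # None matches every port
    proto: Optional[str] = None  # None matches every protocol

def perimeter_verdict(rules, flow, default="deny"):
    """First-match evaluation on header fields only; flow.process is ignored."""
    dst = ipaddress.ip_address(flow.dst)
    for r in rules:
        if dst not in ipaddress.ip_network(r.dst_net):
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        if r.proto is not None and r.proto != flow.proto:
            continue
        return r.action
    return default  # default-deny for anything no rule matched

def host_verdict(allowed_processes, rules, flow):
    """Host-based filter: a per-process allow list on top of the header rules."""
    if flow.process not in allowed_processes:
        return "deny"
    return perimeter_verdict(rules, flow)

# Constructed policy: "website X" lives in 203.0.113.0/24.
RULES = [
    Rule("deny", "203.0.113.0/24"),         # block website X on ALL ports
    Rule("allow", "0.0.0.0/0", 80, "tcp"),  # outbound web traffic
    Rule("allow", "0.0.0.0/0", 443, "tcp"),
]
ALLOWED = {"browser.exe"}

def demo():
    flows = (
        Flow("192.168.1.10", "203.0.113.5", 8080, "tcp", "browser.exe"),
        Flow("192.168.1.10", "198.51.100.7", 80, "tcp", "browser.exe"),
        Flow("192.168.1.10", "198.51.100.7", 80, "tcp", "spyware.exe"),
    )
    return {"perimeter": [perimeter_verdict(RULES, f) for f in flows],
            "host": [host_verdict(ALLOWED, RULES, f) for f in flows]}
```

The perimeter list gives the browser and the spyware flow the same verdict because their header fields are identical; the host check separates them only while it is still running on that machine, which is the weakness both posters mention.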