ExamNotes.net  -  IT certification portal


General discussions > Public newsgroups > alt.certification.network-plus > Firewalls

Howard Phillips
Firewalls

I am curious about how everyone feels about firewalls. I am hoping that
there isn't anyone who thinks they are not needed, but to what extent and
what kind is certain to cause much debate. I realize this is not a security
forum, but inasmuch as anyone working in networking could reasonably be
asked about firewalls in general I don't think it's too far off topic.

My feeling is that internal firewalls, that is firewalls which operate on
the machine they are attempting to protect, are less than adequate in almost
any situation. There are too many attacks which rely on specific weaknesses
of the OS which would allow access to a computer before the firewall
software ever had a chance to intercept a single byte. Should an internal
firewall fail/be disabled by the user, the attacker has achieved their full
objective, they are in your primary information repository and more than
likely have full control.

External hardware firewalls are a far better next step in protection, they
are generally simple to set up, require little or no maintenance and if they
fail any would-be hacker is still isolated from your network by at least one
more segment. On the downside most are not upgradable should
vulnerabilities be discovered. Very few offer DMZ support for webservers or
other devices, and filtering options which allow control over things like
pop-ups or unwelcome sites are extremely limited. As a matter of fact, some
of these firewalls offer little more than DHCP and NAT as protection.

As you might expect my favorite solution is the external software firewall.
Obviously software can't operate without the hardware, this category applies
to hardware and software solutions that are updateable and upgradeable, like
the Cisco PIX firewall. These firewalls commonly offer full feature sets
including DHCP, NAT, VPN, DMZ support, IP-based filtering on both sides of
the firewall, SNMP reporting, and logging of attacks, ports in use, and
more. If you don't have a bunch of money to throw down for one of these
firewalls you can try IPCOP.org, a free Linux-based firewall which runs on
almost any x86 machine. It formats and installs itself easily and shouldn't
be a problem for anyone with A+ & Network+ certifications.


Old Post 12-15-02 05:24 PM
sLIVER
Re: Firewalls

I'm not a big fan of software firewalls, as they tend to get 'buggy' and
mess up people's connections one way or another. Hardware firewalls are the
way to go...but I'm not too sure how you figure that few routers offer
features like DMZ or other filtering options. I think most home/small
office routers (i.e. Linksys, D-Link...etc.) offer many of these features at
a fraction of the price of high-end network routers. It all depends on what
you need, or how important the data/connection is. In someone's home, a
little router is the way to go - an office with 100+ clients, well, maybe
something a little beefier....The average home user isn't aware of ports or
application security, and most likely never will be. You have to build to
suit.

"Howard Phillips" <Howard.Phillips@removethis.cosmic.com> wrote in message
news:_03L9.27816$VA5.2935071@news1.news.adelphia.net...
> I am curious about how everyone feels about firewalls. I am hoping that
> there isn't anyone who thinks they are not needed, but to what extent and
> what kind is certain to cause much debate. I realize this is not a security
> forum, but inasmuch as anyone working in networking could reasonably be
> asked about firewalls in general I don't think it's too far off topic.
>
> My feeling is that internal firewalls, that is firewalls which operate on
> the machine they are attempting to protect, are less than adequate in almost
> any situation. There are too many attacks which rely on specific weaknesses
> of the OS which would allow access to a computer before the firewall
> software ever had a chance to intercept a single byte. Should an internal
> firewall fail/be disabled by the user, the attacker has achieved their full
> objective, they are in your primary information repository and more than
> likely have full control.
>
> External hardware firewalls are a far better next step in protection, they
> are generally simple to set up, require little or no maintenance and if they
> fail any would-be hacker is still isolated from your network by at least one
> more segment. On the downside most are not upgradable should
> vulnerabilities be discovered. Very few offer DMZ support for webservers or
> other devices, and filtering options which allow control over things like
> pop-ups or unwelcome sites are extremely limited. As a matter of fact, some
> of these firewalls offer little more than DHCP and NAT as protection.
>
> As you might expect my favorite solution is the external software firewall.
> Obviously software can't operate without the hardware, this category applies
> to hardware and software solutions that are updateable and upgradeable, like
> the Cisco PIX firewall. These firewalls commonly offer full feature sets
> including DHCP, NAT, VPN, DMZ support, IP-based filtering on both sides of
> the firewall, SNMP reporting, and logging of attacks, ports in use, and
> more. If you don't have a bunch of money to throw down for one of these
> firewalls you can try IPCOP.org, a free Linux-based firewall which runs on
> almost any x86 machine. It formats and installs itself easily and shouldn't
> be a problem for anyone with A+ & Network+ certifications.

Old Post 12-15-02 05:24 PM
All times are GMT.