
Thread: Physical firewall???

  1. #1
    Junior Member
    Join Date
    May 2003
    Posts
    26

    Physical firewall???

    I know that this has probably been asked many times before, but i'm still going to ask it again...
    My friend heard something about, the only way to "really" protect your computer is to have a physical firewall. now i know they exist, but what i don't know is if they really do cost 4 grand and if they really are the only "real" way to protect your computer. so, is it better to have a software firewall or a physical firewall? i guess that is the real question. I guess there is still a lil doubt in me that there really are physical firewalls, so if you could confirm that too, that would be great!

    thanks for your help all!
    Once to every man and nation, Comes the moment to decide, In the strife of Truth with Falsehood, For the good or evil side. Then it is the brave man chooses
    While the coward stands aside. James Russell Lowell


  2. #2
    Banned
    Join Date
    May 2003
    Posts
    1,004
    "Physical Firewall", like "Hardware Firewall", is incorrect terminology; the proper term is "Dedicated Firewall", that is, a system that does nothing but act as a firewall. Frequently these run on minimalistic systems with operating systems not seen beyond this niche, if not specifically created for it.

    Basically all firewalls are software. (with the possible exception of some very targeted/research projects)

    A firewall is not the only "real" way to protect a system, in fact a good number of high security systems run no firewall at all. Heck all my systems run without firewalls.

    catch

  3. #3
    Junior Member
    Join Date
    May 2003
    Posts
    26
    So what do you suggest is the best way of protecting your system if you're not going to use a firewall? thx for your help


  4. #4
    Member
    Join Date
    Jun 2003
    Posts
    57
    Ways to protect your box vary with OS.

    Assuming that you have Win XP, there are a number of services that you can disable, such as printer and file sharing, that can increase your level of security. A thorough list of these services, and different guidelines for those that you can safely disable, can be found on BlackViper's services page.

    In my case, when I'm running XP, I have minimal services running, with NetBIOS, UPNP, file/print sharing all disabled. I have a dedicated hardware firewall with my router, and am running ZoneAlarm Pro as a software firewall, which helps protect others from junk that might come out of my PC if it's infected by a trojan or the like.

    Additional security measures include creating strong passwords (a combination of letters, numbers, and unique symbols), Anti-Virus software, and running programs like AdAware, or Spybot S&D to remove ad and spyware.

    If I come across any other resources for locking down an XP box, I'll post them here. I know that I have .docs on my box that address the issue, but I have to find them.

    Corn
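
An added example, not part of the post above: one way to confirm that the services it names (NetBIOS, UPnP, file/print sharing) are really off is to check `netstat -an` output for their listeners. The port table reflects the well-known assignments for those services; the sample output and the function name `exposed_services` are constructed for illustration.

```python
# Ports behind the services named in the post (well-known assignments).
WATCHED = {
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
    ("TCP", 139): "NetBIOS session (file/print sharing)",
    ("TCP", 445): "SMB file/print sharing",
    ("UDP", 1900): "UPnP discovery (SSDP)",
    ("TCP", 5000): "UPnP device host (Windows XP)",
}

# Constructed sample of `netstat -an` output from an unhardened XP box.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:1900           *:*
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
  UDP    127.0.0.1:1900         *:*
"""

def exposed_services(netstat_text):
    """Return sorted (proto, port, address, service) for watched listeners."""
    findings = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue                      # header or blank line
        proto, local = fields[0], fields[1]
        state = fields[3] if len(fields) > 3 else ""
        if proto == "TCP" and state != "LISTENING":
            continue                      # outbound or established connection
        addr, _, port = local.rpartition(":")
        if not port.isdigit() or addr.startswith("127."):
            continue                      # unparsable, or loopback-only listener
        key = (proto, int(port))
        if key in WATCHED:
            findings.add((proto, int(port), addr, WATCHED[key]))
    return sorted(findings)

if __name__ == "__main__":
    for proto, port, addr, name in exposed_services(SAMPLE):
        print(f"{proto} {port:<5} on {addr:<15} {name}")
```

An empty result after disabling the services means nothing from the table is listening on a network-facing address; other listeners, such as TCP 135 in the sample, are outside this check.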

  5. #5
    Senior Member
    Join Date
    Mar 2002
    Posts
    442
    physical firewall = master lock pad lock on server room door

  6. #6
    Junior Member
    Join Date
    May 2003
    Posts
    26
    posted Today 05:17 PM
    (post #5)

    physical firewall = master lock pad lock on server room door

    -what does that mean? i'm new at all this, that is why i'm trying to learn as much as i can...i really appreciate all your help!


  7. #7
    Member
    Join Date
    Jun 2003
    Posts
    57
    physical firewall = master lock pad lock on server room door

    -what does that mean? i'm new at all this, that is why i'm trying to learn as much as i can...i really appreciate all your help!
    What he means is that a "physical firewall" would be simply placing a large lock on the door where your server is hosted, keeping people from walking into the room.

  8. #8
    Junior Member
    Join Date
    Mar 2003
    Posts
    6
    I'm going to go a bit out on a limb and say that what your friend was talking about is what is being sold as a hardware firewall, of a sort that is built into many routers. Netgear and Syslink are 2 that I know of offhand and they are configurable to some extent to help block garbage from your computer. There is some added security advantage to using one in that a router will "buffer" your computer by chaining 2 IP addresses (1 for the comp and 1 for the router). I realize that I'm putting this a bit simplistically but this is the way I understand it. Needless to say, you should take anything you're told and double check it by doing a bit of research. That's why I've given you the 2 manufacturers names above. ABSOLUTELY, DON'T RELY TOTALLY ON WHAT SOMEONE TELLS YOU! Check things out for yourself. Good luck.
    L

  9. #9
    Junior Member
    Join Date
    May 2003
    Posts
    26
    thanks for your help all! you have done a great job, and i knew you would. that is why i came to yall!

    thx again!


  10. #10
    Senior Member
    Join Date
    Jul 2003
    Posts
    114
    A dedicated firewall is neither necessary to achieve good security, nor is its mere presence sufficient to achieve good security. However, having a dedicated firewall can help you improve the security of a network.

    A dedicated firewall gives you an opportunity to improve your security in several ways:

    Central audit/control point
    This is the most popular reason that people use dedicated firewalls. It's much easier to keep all your security and access controls in one place. If you have a large network, it's inevitable that someone is going to have a highly unsecured machine. Having a dedicated firewall between that machine and the "bad guys" means that machine might not be immediately compromised. Unfortunately, this kind of thinking gets people in trouble. First of all, you probably want to let some traffic in. Having a super-cool firewall means little if your web server allows perfectly innocuous-looking requests to take control of the machine. Secondly, people tend to assume that the bad guys are all on the outside of the firewall. This ignores trojans, disgruntled employees, modems inside the firewall, virus infected floppy disks, etc. Lastly, this approach has limited applicability if your firewall is not secure. In response to IT managers' over-reliance on firewalls, many security experts tend to downplay their utility. This is just as foolish as treating them as magic bullets, for the reasons below.

    Defense in depth
    If you're running a network of Linux and Windows machines, for example, you can increase your security by putting them behind an OpenBSD-based firewall. This can mean that, in some cases, an attacker will have to break into 2 systems in order to compromise a system that you are trying to protect. Let's say that your Linux boxes have a built-in firewall, and you're using it. Now say that there's a vulnerability in that firewall that allows an attacker to bypass it. If that vulnerability does not exist in the dedicated firewall, then the attacker cannot exploit the Linux vulnerability.

    Dedicated firewall can be more secure than other machines
    One advantage of having a dedicated firewall is just that: it is a dedicated firewall. It doesn't need to have a web server, or allow ssh, or anything of the sort. It can just sit there in a locked room with a keyboard and monitor. Some firewalls don't even need an IP address. This makes them much more resistant to attack than other servers, which have this pesky habit of interacting with remote users. Many firewalls allow remote administration. This makes them more convenient, but less secure.

    So, if all the machines on your network are perfectly secure, there's no reason to have a firewall. Alternately, if your firewall is perfectly secure, and your machines are perfectly protected against back channels and subversive users, there's no reason to have them be secure. However, out here in the non-theoretical world, you really should have both.
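
The layering argument in the post above, worked through as an added example that is not part of the original post: a small model of a dedicated firewall in front of hosts that each run their own filter. The hosts, ports and rule sets are constructed, and a "flaw" is modelled as a filter that passes everything.

```python
# Constructed network: the services each host listens on.
LISTENING = {"web": {80, 22}, "desktop": {139, 445}}

def make_filter(allowed):
    """Default-deny packet filter: pass only (host, port) pairs in `allowed`."""
    return lambda host, port: (host, port) in allowed

def bypassed(host, port):
    """Models a filter with a flaw that lets every packet through."""
    return True

def reachable(src_zone, perimeter, host_filters):
    """Set of (host, port) services a sender in `src_zone` can connect to."""
    out = set()
    for host, ports in LISTENING.items():
        for port in ports:
            # Only traffic from outside crosses the dedicated firewall.
            if src_zone == "internet" and not perimeter(host, port):
                continue
            if host_filters[host](host, port):
                out.add((host, port))
    return out

PERIMETER = make_filter({("web", 80)})                  # let web traffic in
HOST_FW = {
    "web": make_filter({("web", 80), ("web", 22)}),     # ssh for LAN admins
    "desktop": make_filter(set()),
}

def scenarios():
    desktop_flaw = dict(HOST_FW, desktop=bypassed)
    return {
        "both layers intact": reachable("internet", PERIMETER, HOST_FW),
        "host firewall flaw": reachable("internet", PERIMETER, desktop_flaw),
        "perimeter flaw": reachable("internet", bypassed, HOST_FW),
        "both flawed": reachable("internet", bypassed, desktop_flaw),
        "insider, host flaw": reachable("lan", PERIMETER, desktop_flaw),
    }

if __name__ == "__main__":
    for name, services in scenarios().items():
        print(f"{name:20} {sorted(services)}")
```

The web server's port 80 is reachable in every scenario, so its own security still matters, and the insider row shows that the perimeter does nothing for traffic that starts inside it.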
