the necessity of a firewall? - Page 3

Thread: the necessity of a firewall?

  1. #21
    I'm sorry but if you depend on Microsoft to keep IE secure with their rate of patches to discovered exploits you are suffering from "ostrich syndrome"
    I trust them yes. Development cycles is not the God of security, nor is their current list of exploits. This was a very anti MS comment towards IE, and it almost disheartens me, especially with a direct insult. I trust IE and MS enough that I support their products, beta test their software, and have never once in my entire use of Windows been cracked. IE's security patches are protecting the users that are not already securing it by hand via the settings. I would rather you not reply to this, as this is my own opinion I just stated, and would rather this not turn into an opinion flame war over MS. You stated yours, I stated mine, please let it die here.

  2. #22
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Zonealarm, port sentry, etc etc... tried it, been there.. done that.. lost a lot of processing time and bandwidth. Of course, once again this comes down to personal opinion and how good an admin is with their system. If you know any way I can not sacrifice so much bandwidth, then I will more than happily take on your point of "it can't hurt". And thanks for adding so much to this conversation, as it has made me recheck my own policies of using the computer as well as become enlightened to a few things I never thought of.
    Actually, it comes down to how you set up your network. You are basing your judgements solely on host based firewalls (and free ones at that). You might want to look at having another computer offer firewall services (an old, cheap Pentium to offer iptables or the BSD firewall -- whose name escapes me) or invest in a simple hardware router/firewall. You'll see almost no degradation in speed.

    Remember that a host based firewall becomes another application on your system so it shouldn't be surprising that it slows down (I won't get into my personal issues with MS and how they run their systems). The same can be found when you run AV software and it slows down at boot.

    In this case, the reality is you get what you pay for. Free firewalls are ok for the masses I suppose but if you need to get fancy and effective, you will pay a little more (e.g., hardware firewall).
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head

  3. #23
    Member
    Join Date
    May 2002
    Posts
    68
    I trust them yes. Development cycles is not the God of security, nor is their current list of exploits. This was a very anti MS comment towards IE
    You misunderstand me. I am not a MS basher, I have no loyalty to any OS, I use Windows on some of my computers, I do not imply that Windows is necessarily secure/insecure, that is debatable, I'm simply referring to the fact that IE is the most targeted and publicized browser on the market.


    You stated yours, I stated mine, please let it die here.
    Agreed.

  4. #24
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Pooh:

    You have fallen into the trap that many of us here do. You find this stuff all rather easy and understandable yet you pitched the original question against home users. Home users are not capable of comprehending what it is you are talking about. You said yourself that your Granny would slap your wrist for mentioning disabled ports. The reason she would slap your wrist is that she has no clue whatsoever what a port is.

    If you think about it, you and I and many others here know an awful lot about a very complicated subject. Joe Public and his wife Josephine know nothing of this. They know even less about the way things can be exploited. So off they go to Best Buy with their annual Xmas bonus check and buy themselves the latest, greatest box on the shelf. The instructions are all pretty clear - color coded plugs for color coded sockets and power that baby up. Bingo, they are on the Internet..... "Isn't this sooooo kewl Joe......"

    Little do they know they have their "front door" wide open. The problem really is not that they are unaware that their front door is open but that they even have a front door at all. So Pooh comes wandering by and tells them they should probably stop all their services to close their ports..... What kind of reaction do you think you are going to get? I'll tell you - because I get the same look from any ten of my 650 users on any day - It's kind of a glassy eyed, tearful, glazed over kind of look that is clearly telling you that while they nod sagely so as not to appear to be a complete idiot they have not one clue about what you are talking about.....

    ..... That's why home users should have firewalls..... period.

    I think what you would be better off arguing is "should competent network administrators save themselves the cost of a firewall by properly closing their ports on their home machines"?

    My answer to that is: I am a network admin. I have 4 computers at home and I want them networked. If I close all the ports then I can't network them the way I want to. So, to allow me to network my systems the way I want to I use a firewall to keep the unwashed masses away from my network.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #25
    Flash M0nkey
    Join Date
    Sep 2001
    Posts
    3,447
    One comment I would like to make is that a lot of viruses are not discovered until they are wild and infecting computers - this is very much the same for exploits. You could have all ports locked down, have your browser and any other client secured with the most recent patches but someone may discover a new way round these things and you may fall victim before it is widely known to exist.

    Some exploits are discovered before going wild but not all - you state that a firewall could be seen as a crutch for admins but then again so could security updates!

    A firewall is not 100% secure - then again neither is locking everything down by hand so why not combine both? I use Outpost Personal Firewall on an ADSL connection and have never noticed a reduction in speed. So to me this is not an issue.

    Basically what I am trying to say is that there may be an undocumented exploit for IE which at the time of going wild has no fix leaving you vulnerable.....but if you have a firewall it may stop you from becoming vulnerable.

    On the opposite side of the coin there may be an exploit for your firewall but as you have your computer locked down as well you are not vulnerable.

    By using both the wannabe attacker would need to exploit both making it twice as difficult for them.
    Do you get what I mean??

    v_Ln

  6. #26
    Junior Member
    Join Date
    Dec 2003
    Posts
    12
    In my dealings with home users - most of them savvy enough to know what a computer is and what it does, however, they do not understand, or want to understand the concept of security; other than they want it in order to use their computer on the Internet and not get taken advantage of, or minimize the chances of that happening.

    To that end, a tiered approach to security, like what MsM explained earlier is essential. One of those tiers includes firewalls. My overall methodology for home users would go with the most secure, yet easy to use and allows them the freedom to actually enjoy the computer.

    My mother-in-law put it to me this way when I was explaining the concept of security. She stopped me in mid-sentence and said "...that's great, but I just want to be able to push the big lit up button and go, the rest of this is a pain to even hear about." And after talking to a few other people along those same lines, they had the same opinion - they wanted to just go.

    In short - for the everyday user - firewalls are essential. Hardware and/or software.

    Great topic.

  7. #27
    I still find myself shaking my head and disagreeing with a lot of what people are saying here. Not that I don't respect their separate opinions, but that in my entire history of Windows I've dodged everything that came my way on both Unix based and Windows based distros. Not just from actual updates, but because as a home admin I keep my eye on everything all the time. I research, I double check, triple check, and still stand firm. In the process (started all the way back in Win 95) I have learned invaluable amounts of how security exists on an OS level, and am well aware that some exploits just exist, period. However, I must be doing something undocumented because despite myself being targeted many times for hacking attempts, I've yet to have them penetrate me, or come close.

    An admin with an iron grip on his OS and actual experience with the inner workings of its security is able to overcome all of those viruses, attacks, holes, and never see them trouble him.

    But yes, I do agree that a typical user needs one. We can't expect everyone to devote their life to computers, and thus a home firewall is perfect. For experienced and progressive admins, a home firewall ... I just don't see as something needed. Proof is in the pudding I mean, I could always just post my IP and tell you all to go at it, and do your best to prove me wrong by having authorized permission to crack my system.

    And yes, an excellent topic.

    edit: I just reread this and realised how egotistical it may sound. I really don't mean it to come off that way if it does, more so meant as a "we need proof of it working, so here it is" sort of thing.

  8. #28
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    I glanced through this thread briefly so forgive me if these points have already been covered. I think it's important to note you seem to be referring to host-based firewalls in particular. From what I understand you're saying instead of blocking access to open ports via the firewall why don't I just turn them off. I think 99% of the time shutting down unnecessary services will do the trick, but this is the case only when we are talking about one host (a home user) and not a network (which is a whole nother can of worms). I say 99% because there are advantages to having the extra layer of security. There are cases where a service simply cannot be disabled because it is needed by the OS. In these instances where services must be running, there is a chance of exploitation regardless of administration. For example the recent RPCSS exploit contained a buffer overflow in the DCOM code, and although DCOM can be disabled RPCSS cannot (at least in WinNT/2000/XP where the kernel space and user space communicate via RPC). Had the overflow been in a more critical section of the code you would have found that your machine would be vulnerable to remote exploit no matter how tight a grip you have on your OS. This is not a problem with administration, rather a weakness present in the operating system at a kernel level. These are the kinds of threats a firewall could help mitigate by blocking any remote access to system services. Of course you could just configure your machine not to accept incoming RPC packets, but then you really just have a host based firewall don't you?


    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  9. #29
    I would accept your point, if...

    Had the overflow been in a more critical section of the code you would have found that your machine would be vulnerable to remote exploit no matter how tight a grip you have on your OS.

    That exploitable code runs off of port 139, NetBIOS, which is configurable to be turned off, especially if not being used. So, it falls back again, to simply securing the OS for another bug that Thus, during that entire phase of the worm, I was completely protected from it. It falls back again, as it always does, to securing the OS, and knowing it enough to secure it. Any system services that operate and are a problem to security I disable, none of which are crucial components

    And yes, you are correct, as the original post states, this is about a home, singular computer scenario. The table turns completely if this was a business.

  10. #30
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    Ahh, do not confuse NetBIOS with RPC my friend, which is in fact port 135 (although I believe you CAN use the NetBIOS ports as well). Although it is possible to disable DCOM, this can cripple or disable some applications, so if you'd rather cripple your OS than firewall it, so be it.


    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
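
The check that posts #28 to #30 argue over, as an added example that is not part of any poster's message: list the sockets a Windows host still exposes after hardening, and separate the ones the thread says can be switched off (NetBIOS) from the one it says cannot (RPC on port 135), which is where a packet filter is the only remaining control. The `netstat -an` text is constructed sample input, and the advice table is an assumption that simply encodes the posters' claims plus the standard NetBIOS name-service port 137.

```python
import ipaddress

# Constructed sample of Windows `netstat -an` output (not captured from a real host).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    [::]:135               [::]:0                 LISTENING
  TCP    192.168.1.10:1045      203.0.113.7:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Advice per port as argued in the thread: RPC (135) cannot be turned off,
# NetBIOS (137/139) can. Anything else is left for manual review.
ADVICE = {135: "filter: RPC must keep running",
          137: "disable NetBIOS if unused",
          139: "disable NetBIOS if unused"}

def parse_listeners(text):
    """Return (proto, ip, port) for every TCP listener and bound UDP socket."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        if fields[0] == "TCP" and fields[-1] != "LISTENING":
            continue  # outbound or established connection, not a listener
        host, _, port = fields[1].rpartition(":")  # split on the last colon for IPv6
        found.append((fields[0], ipaddress.ip_address(host.strip("[]")), int(port)))
    return found

def exposure_report(text):
    """Map (proto, port) -> advice for sockets reachable from other machines."""
    report = {}
    for proto, ip, port in parse_listeners(text):
        if ip.is_loopback:
            continue  # only local processes can connect
        report[(proto, port)] = ADVICE.get(port, "review: unknown service")
    return report

if __name__ == "__main__":
    for (proto, port), advice in sorted(exposure_report(SAMPLE).items()):
        print(f"{proto}/{port}: {advice}")
```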
