Hey There,
Interesting analysis... But perhaps these comments can give you a
different perspective on it:
You seem to be comparing a desktop firewall solution (a firewall
installed on a laptop/desktop/server) to a gateway firewall solution.
The key to security is really defence-in-depth, so in an ideal world
where corporate budgets may not be restrained, then both solutions
together would be great. Most organisations would really only have
perimeter protection (a gateway firewall) between the Internet and their
internal network. This is a standard method of keeping most nasties from
coming in (from the Internet) and does a so-so job of keeping bad
traffic from going out (depending on how strict the security policy is).
One thing a gateway firewall solution doesn't do is protect your
internal hosts from each other. Take for example a laptop user who,
after allowing their kids ample time to download all sorts of
"interesting" stuff over the weekend plugs their laptop back into the
corporate network. The difference this time is that they're laptop is
infected with a virus/worm and begins propagating to all other machines
on the internal network. The gateway firewall won't be able to do much
for you in this instance.
Though it is true that desktop firewalls can sometimes be at the mercy
of vulnerabilities in the Operating System (and even cause
vulnerabilities in some instances), it can't be denied that they assist
in mitigating _most_ of the vulnerabilities of an Operating System using
various methods. This includes blocking of typically vulnerable ports
that are unnecessary and blocking unauthorised outbound connections
(such as instances where the machine may be infected). More advanced
desktop firewalls are also capable of providing hooks into procedure
calls to protect the Operating System from being buffer overflowed (as
an example). Most importantly though, in a centralised policy
environment, an administrator can enforce a security policy on all
machines, restricting the type of connections allowed to and from as
well as the applications that can be executed.
One other major benefit of a desktop firewall is that they can protect
laptop users when they are at home and away from the gateway firewall
protection provided by being in the office.
So at the end of the day, there isn't exactly a direct comparison and
the use of both security solutions (if it can be afforded) is
recommended. The general benefits of having a desktop (what you were
referring to as a software firewall) outweigh the rare vulnerabilities
that they may cause.
Regards,
Jason Ha [CISSP, CCSE, JNCIS-FWV]
Senior Security Engineer,
Security Operations Centre
VeriSign Asia Pacific
-----Original Message-----
From: netnut6@comcast.net [mailto:netnut6@comcast.net]
Sent: Sunday, May 08, 2005 5:31 AM
To: firewalls@securityfocus.com
Subject: Software vs hardware firewalls ...
Hello,
I was wondering how a software based firewall(mcafee, Norton etc) can
help protect your machine if the operating system(Windows XP) is
vulnerable?
Also how is a software based firewall any better then hardware. The way
I see it if you have a software based firewall and the operating system
has security issues I doubt very much a software firewall will protect
that machine.whereas if it's a hardware based firewall and the operating
system has vulnerabilities the chances of it being attacked are slim
since they would have to first find some vulnerability with the hardware
firewall then go after the operating system(firewall default settings
with all ports closed). Obviously if a port is open and that
application has a vulnerability then it would get attacked. Please let
me know if I'm on the right track here.
Thank you..
