Network Security Firewalls

Re: Software vs hardware firewalls ...

Subject: Re: Software vs hardware firewalls ...
Date: Sun, 8 May 2005 11:21:40 -0500
Hi,

I'll offer my opinions, for whatever they're worth.
----- Original Message ----- 
From: <netnut6@comcast.net>
To: <firewalls@securityfocus.com>
Sent: Saturday, May 07, 2005 2:31 PM
Subject: Software vs hardware firewalls ...

Hello,

I was wondering how a software based firewall (McAfee, Norton etc) can help
protect your machine if the operating system (Windows XP) is vulnerable?
Also how is a software based firewall any better than hardware. The way I
see it, if you have a software based firewall and the operating system has
security issues I doubt very much a software firewall will protect that
machine, whereas if it's a hardware based firewall and the operating system
has vulnerabilities the chances of it being attacked are slim since they
would have to first find some vulnerability with the hardware firewall then
go after the operating system (firewall default settings with all ports
closed). Obviously if a port is open and that application has a
vulnerability then it would get attacked. Please let me know if I'm on the
right track here.

Products like ZoneAlarm are meant for consumer-grade protection and as such
are quite excellent for what they do.
But these consumer firewalls ARE running on consumer-grade exploitable
Windows, and do not have many of the capabilities of many other hardware and
software based enterprise or hobbyist firewalls.
Products like ZoneAlarm are intended to run on unhardened Windows PCs which
retain most of their out of the box set of vulnerabilities, run unsecured
third party applications, and allow myriad protocols to connect to it on the
non-Internet side.
"Real" software firewalls never run on desktop workstations and exist in a
controlled, hardened environment where it is impossible to
add applications or users without the "permission" of the firewall software.
I think that the way that consumer-grade software firewalls are designed
for Windows has a large impact on the security of that "secured" zone since
they do not run on a hardened, stripped down, enhanced Windows install for
reasons of economy.
So, regardless of any possible basic problems with Windows, the very way
Windows is used for the firewall solutions you mention renders the solution
relatively insecure.

If one looks at consumer grade *hardware*-based firewalls such as those
available for retail in local electronics stores, one purchases a possibly
shoe-horned afterthought firmware-based firewall along with a router and
often wireless capabilities for a "you get what you pay for" price. Still,
not bad for a home user and probably more secure than a software firewall
running on a desktop, depending on the hardware implementation. I have two
home routers; one allows remote management of the firewall over the
Internet using cleartext and has no SSL support whatsoever!

Commercial grade firewalls come both as software and hardware, such as
Checkpoint's Firewall-1, Secure Computing's Sidewinder, and Cisco's
hardware-based offerings. Their software/firmware is far more extensive in
capability, robustness, update currency, and support.

Other good alternatives which bridge these low and high cost solutions would
be the Linux/BSD software firewalls which run on a dedicated PC with
multiple NICs, such as Smoothwall, IPcop, M0n0wall, Astaro, and
ClarkConnect among others.

A hardened software-based firewall is considered to be as secure as a
hardware firewall, and much easier to update.
In fact, professional-grade Secure Computing uses the BSD OS, and
Checkpoint Firewall-1 runs on Solaris and Linux.
Of course they operate on dedicated machines, inaccessible to normal users
and other applications. As you know, virtually any OS is exploitable under
the right circumstances; these $$$ solutions simply deny these "right"
circumstances.
As far as I know there are no enterprise-grade firewalls using any form of
Windows.

Perhaps it is sufficient to do a review of home and enterprise-grade
firewalls and observe which operating system is used in which application;
there are reasons why the major firewall vendors generally use a
stripped-down form of UNIX for software based firewalls.

The April 28 issue of Network Computing has an excellent, extensive review
of firewall choices.

Thanks,
Jeffrey Weiss
Thank you..
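The reply above argues for a dedicated Linux/BSD box with multiple NICs whose default posture is "all ports closed" and whose management interface is never reachable from the Internet side. The script below is an added illustration of that posture, not code from the thread or from any of the distributions named in it: it generates a minimal default-deny nftables ruleset for a two-NIC Linux firewall (nftables being the current successor to the iptables rules such distributions generated). The interface names eth0/eth1 and the 192.168.1.0/24 LAN prefix are assumptions; adjust them to the box in question.

```shell
#!/bin/sh
# Added example, not part of the mailing-list post: a default-deny nftables
# ruleset for a dedicated two-NIC Linux firewall sitting between a LAN and
# the Internet. Interface names and the LAN prefix are assumptions.
#
# Points from the thread that the ruleset makes concrete:
#  * "all ports closed" by default: the input and forward chains drop
#    anything not explicitly allowed
#  * the management plane (SSH) answers only on the LAN interface, so the
#    "remote management over the Internet in cleartext" problem cannot occur
#  * the box forwards only connections originated from the LAN, plus replies

build_ruleset() {
    wan_if="$1"   # interface facing the ISP, e.g. eth0
    lan_if="$2"   # interface facing the internal network, e.g. eth1
    lan_net="$3"  # internal prefix, e.g. 192.168.1.0/24

    cat <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # traffic addressed to the firewall itself
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # ICMP is kept for path MTU discovery and basic diagnostics
        meta l4proto { icmp, icmpv6 } accept
        # management plane: SSH from the LAN prefix only; nothing on the WAN
        iifname "$lan_if" ip saddr $lan_net tcp dport 22 accept
        # DNS/DHCP for LAN clients (assumes the firewall provides them)
        iifname "$lan_if" udp dport { 53, 67 } accept
        iifname "$lan_if" tcp dport 53 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        # only LAN hosts may originate connections towards the Internet
        iifname "$lan_if" oifname "$wan_if" ip saddr $lan_net accept
    }

    chain output {
        # the firewall's own outbound traffic (updates, DNS) is allowed
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # hide the LAN behind the firewall's WAN address
        oifname "$wan_if" ip saddr $lan_net masquerade
    }
}
EOF
}

# Usage: ./fw.sh --show   prints the ruleset for review
#        ./fw.sh --apply  loads it (run as root; requires the nft binary)
case "$1" in
    --show)  build_ruleset "${WAN_IF:-eth0}" "${LAN_IF:-eth1}" "${LAN_NET:-192.168.1.0/24}" ;;
    --apply) build_ruleset "${WAN_IF:-eth0}" "${LAN_IF:-eth1}" "${LAN_NET:-192.168.1.0/24}" | nft -f - ;;
esac
```

Review the output with `--show` before applying it from the LAN console, since a mistake in the input chain locks you out of SSH by design; the only accept rules on the WAN side are for replies to connections the firewall or the LAN initiated.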
