I just noticed VisionIT's sig with 4 firewalls in it.
How many is too many though?
I'd think that was maybe overkill. One firewall should do the same job as any other, it's really just configuration that could cause problems.
Here, I have one net-facing firewall (OpenBSD's pf), and on the internal Windows machines, ZoneAlarm for outgoing protection.
I've never liked ZoneAlarm...
I use Sygate.
Any more than 1 good software firewall is just stupid. It makes packets have to go through each firewall, each 1 has to check it.... it's just stupid, can slow things down and even corrupt incoming/outgoing packets.
I'll try to find the article I had before, but there are a lot of problems that can and will occur if you use more than 1 software firewall on 1 PC.
Having a nice hardware firewall into a router using NAT and then to each computer with a software firewall is ideal.
I used to have Conseal PC Firewall by signal9.
It was like a hardware firewall in many aspects, except more feature rich.
It was wholly based on protocols and ports, rather than what seems to have become today's standard of application management. I think a mixture of the two would be ideal.
I was running my firewall (Sygate) on XP and still got blasted.
Ironically... my firewall caught the TFTP trying to spread it, but didn't capture it incoming. Which didn't make much sense as my messenger and RPC services were off.
Software firewalls like ZoneAlarm are in the good position, being vaguely OS-integrated (services/device drivers/etc.), of being able to know which application has opened which socket, or performed some operation.
Hardware firewalls are denied this information, so they just have raw rules to work on, which is great for incoming stuff, not so great for egress filtering (you can do the normal stuff like anti-spoofing, but not much else).
What hardware firewalls have you used? They all can do advanced filters and all sorts of good stuff, especially anti-spoofing.
Quote:
Originally posted by parksie
Hardware firewalls are denied this information, so they just have raw rules to work on, which is great for incoming stuff, not so great for egress filtering (you can do the normal stuff like anti-spoofing, but not much else).
That's why hardware firewalls are so damn expensive! Cheapest I've ever seen a semi-good hardware firewall go for was about $200 on eBay.
Don't confuse NAT with a firewall, because it isn't 1.
Trust me, I'm not.
But your hardware firewall isn't to know that a connection to a site on port 80 isn't your web browser, but instead some spyware. A software firewall actually on the machine *will*. That's the general point I was trying to make.
Oh, and anyone wanting to say that you can't do per-program rules on Unix, you *can*. Look up systrace :)
Edit: My hardware firewall is an OpenBSD 3.3 box :)
Hi All.
Quote:
Originally posted by kasracer
it's just stupid, can slow things down and even corrupt incoming/outgoing packets.
I agree it can slow things down, but only by a few ms, nothing stupid about that... and the corruption B$, that's completely wrong.
Providing each firewall runs properly in its own right, it shouldn't interfere with/corrupt ANY packets, regardless of where they were sent from.
Just a quick note though... I don't use all the firewall software on one box... they are spread between several systems, some running one, others running two or more. I had an instance of someone breaking through a Norton install (which isn't hard anyway!) and then trying to hack through Sygate... which was fun to watch! :lol:
I don't think you can take security lightly, and any software is better than nothing. I lost around 4GB of important work when a CodeRedII attack broke through the firewall, and wasted one of the systems!!! Since then, I don't take ANY chances.
Kasracer... don't try to tell Parksie his job... it's like teaching ma' to suck eggs! :lol: :bigyello: NAT can be configured as a basic firewall, but it would need constant modifications in order to be any use.
Anyone wondering what this post's about, check out my sig...
:wave:
To be honest, I don't see a problem with NAT. For anyone who actually knows what's going on, if inbound packets not coming 'through' an already established outbound connection are just ignored, then there's no way for them to get through.
So a single hardware firewall is what I've installed in our own sites, and all of our customer sites. (all permanent connections to the web with a static IP, and port 25 mapping through to exchange for ETRN and SMTP email setups)
Hmm... I'd agree with that, to a point! :p
Quote:
Originally posted by plenderj
To be honest, I don't see a problem with NAT. For anyone who actually knows what's going on, if inbound packets not coming 'through' an already established outbound connection are just ignored, then there's no way for them to get through.
Only problem with that theory would be any existing exploits of the packages which are already connected... such as RHN's openssl fix a few days ago... NAT wouldn't stop that, but a firewall may...
I like NAT, I think it's pretty damn easy to use, and simple to reconfigure, but it's only helpful when you can ensure all packages which are granted access don't have their own problems (which is almost never!)
Firewall-1 rules though! :D
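To make plenderj's point about NAT dropping unsolicited inbound packets concrete, and VisionIT's caveat that a reply on an already established connection sails through untouched, here is a small stateful-filter simulation. This is an added example, not code from any poster's setup; the addresses, ports and the "exploit" payload are constructed.

```python
# Simulation of the stateful/NAT behaviour discussed above (constructed example).
# Outbound flows from the LAN are remembered; inbound packets pass only if they
# match a remembered flow. The filter never looks at the payload, so an exploit
# riding a connection the inside host opened itself is not stopped.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "out" = LAN -> Internet, "in" = Internet -> LAN
    payload: bytes = b""

class StatefulFilter:
    def __init__(self):
        self.state = set()   # (lan_ip, lan_port, remote_ip, remote_port)
        self.log = []        # human-readable record of dropped packets

    def handle(self, pkt):
        if pkt.direction == "out":
            # anything the LAN initiates is allowed and creates state
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "pass"
        # inbound: reverse the tuple and look for matching state
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state:
            return "pass"    # reply on an established flow, payload not inspected
        self.log.append(f"drop {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return "drop"

def run_scenario():
    """Return the verdict for each of the four situations the thread describes."""
    fw = StatefulFilter()
    lan, web, scanner = "192.168.1.10", "203.0.113.5", "198.51.100.77"   # constructed
    verdicts = {}
    verdicts["outbound_http"] = fw.handle(Packet(lan, 40000, web, 80, "out"))
    verdicts["http_reply"] = fw.handle(Packet(web, 80, lan, 40000, "in", b"HTTP/1.1 200 OK"))
    # the "hammering on port 135" parksie complains about: no state, so dropped
    verdicts["unsolicited_135"] = fw.handle(Packet(scanner, 3333, lan, 135, "in"))
    # VisionIT's caveat: a hostile reply on the established flow still passes
    verdicts["hostile_reply"] = fw.handle(Packet(web, 80, lan, 40000, "in", b"EXPLOIT-PAYLOAD"))
    verdicts["dropped_count"] = len(fw.log)
    return verdicts
```

The hostile reply is accepted purely on the basis of the state entry, which is exactly why patching the client software still matters behind NAT.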
RHN? Red Hat? O.o
Either way, yeah. I still patched my openssl and more importantly things like sendmail/openssh which have appeared in the last couple of weeks or so.
BUT PLEASE FOR THE LOVE OF ALL THAT IS DARK AND MANKY WOULD PEOPLE *PLEASE* STOP HAMMERING MY ROUTER ON PORT 135 THERE IS NOTHING FOR YOU THERE! :mad:
*twitch twitch convulse*
*falls over*
RHN? Red Hat? O.o (eh?)
Quote:
Originally posted by parksie
RHN? Red Hat? O.o
Either way, yeah. I still patched my openssl and more importantly things like sendmail/openssh which have appeared in the last couple of weeks or so.
BUT PLEASE FOR THE LOVE OF ALL THAT IS DARK AND MANKY WOULD PEOPLE *PLEASE* STOP HAMMERING MY ROUTER ON PORT 135 THERE IS NOTHING FOR YOU THERE! :mad:
*twitch twitch convulse*
*falls over*
Sounds to me like someone's infected with Sobig.X!!!! I had thousands of hits on 135 (location service) a few weeks ago from someone infected with that damn virus. The logs make for a good read though! :D
Parksie, you need to get that twitch sorted... you're blurring when you type! :lol:
"RHN's openssl fix" :confused:
https://rhn.redhat.com/network/errat...s.pxt?eid=1854
Quote:
Originally posted by parksie
"RHN's openssl fix" :confused:
It's quite a nasty one too :p
It fixes that ASN.1 parsing problem, which everyone should know about by now! ;)
No I knew what the vulnerability was because I was patched before I got most of the mailings about it :P
Was just asking who RHN was...so it *was* Red Hat like I guessed :)
Yep, Red Hat Network
Anywayz, I'm cream crackered and I'm going back2bed! :D:D:D