Sep 26th, 2003, 11:31 AM
#1
Thread Starter
So Unbanned
How many firewalls are too many?
I just noticed VisionIT's sig with 4 firewalls in it.
How many is too many though?
-
Sep 26th, 2003, 11:45 AM
#2
Monday Morning Lunatic
I'd think that was maybe overkill. One firewall should do the same job as any other, it's really just configuration that could cause problems.
Here, I have one net-facing firewall (OpenBSD's pf), and on the internal Windows machines, ZoneAlarm for outgoing protection.
I refuse to tie my hands behind my back and hear somebody say "Bend Over, Boy, Because You Have It Coming To You".
-- Linus Torvalds
-
Sep 27th, 2003, 03:55 PM
#3
Thread Starter
So Unbanned
I've never liked Zonealarm....
I use Sygate.
-
Sep 27th, 2003, 04:20 PM
#4
Any more than one good software firewall is just stupid. It makes packets have to go through each firewall, each one has to check them... it's just stupid, can slow things down and even corrupt incoming/outgoing packets.
I'll try to find the article I had before, but there are a lot of problems that can and will occur if you use more than one software firewall on one PC.
Having a nice hardware firewall in front of a router using NAT, and then a software firewall on each computer, is ideal.
-
Sep 27th, 2003, 06:03 PM
#5
Thread Starter
So Unbanned
I used to have Conseal PC Firewall by signal9.
It was like a hardware firewall in many aspects, except more feature rich.
It was wholly based on protocols and ports, rather than what seems to have become today's standard of application management. I think a mixture of the two would be ideal.
I was running my firewall (Sygate) on XP and still got blasted.
Ironically... my firewall caught the TFTP trying to spread it, but didn't capture it incoming. Which didn't make much sense as my messenger and RPC services were off.
-
Sep 27th, 2003, 06:49 PM
#6
Monday Morning Lunatic
Software firewalls like ZoneAlarm are in the good position, being vaguely OS-integrated (services/device drivers/etc.), of being able to know which application has opened which socket, or performed some operation.
Hardware firewalls are denied this information, so they just have raw rules to work on, which is great for incoming stuff, not so great for egress filtering (you can do the normal stuff like anti-spoofing, but not much else).
-
Sep 27th, 2003, 07:26 PM
#7
Originally posted by parksie
Hardware firewalls are denied this information, so they just have raw rules to work on, which is great for incoming stuff, not so great for egress filtering (you can do the normal stuff like anti-spoofing, but not much else).
What hardware firewalls have you used? They all can do advanced filters and all sorts of good stuff, especially anti-spoofing.
That's why hardware firewalls are so damn expensive! Cheapest I've ever seen a semi-good hardware firewall go for was about $200 on eBay.
Don't confuse NAT with a firewall, because it isn't one.
-
Sep 27th, 2003, 07:46 PM
#8
Monday Morning Lunatic
Trust me, I'm not.
But your hardware firewall isn't to know that a connection to a site on port 80 isn't your web browser, but instead some spyware. A software firewall actually on the machine *will*. That's the general point I was trying to make.
Oh, and anyone wanting to say that you can't do per-program rules on Unix, you *can*. Look up systrace 
Edit: My hardware firewall is an OpenBSD 3.3 box
-
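The point parksie makes in posts #6 and #8 (a network firewall sees only addresses, ports and protocol, while a host firewall can also see which program owns the socket) can be shown with a few lines of code. This is an added example, not code from the thread or from any of the products named in it. The /proc/net/tcp text, the inode-to-process table, the executable paths and both policies are constructed for illustration; on a real Linux box the connection table comes from /proc/net/tcp and the owner table from walking /proc/<pid>/fd.

```python
"""Per-application egress filtering vs. address/port filtering.

On the wire both connections in the sample are just 10.0.0.7 -> some host:80/tcp,
so a router or hardware firewall must treat them identically. Only the OS knows
which process opened each socket. Added example; all data below is constructed."""

from dataclasses import dataclass

# Constructed stand-in for /proc/net/tcp (IPv4 addresses are little-endian hex).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0700000A:9C40 096433C6:0050 01 00000000:00000000 00:00000000 00000000  1000        0 30001 1 0000000000000000 20 4 30 10 -1
   1: 0700000A:9C41 057100CB:0050 01 00000000:00000000 00:00000000 00000000  1000        0 30002 1 0000000000000000 20 4 30 10 -1
   2: 00000000:0087 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 30003 1 0000000000000000 100 0 0 10 0
"""

# Constructed: socket inode -> (pid, executable), as a scan of /proc/*/fd would yield.
INODE_OWNER = {30001: (2201, "/usr/bin/firefox"),
               30002: (2377, "/tmp/.x/spyware"),
               30003: (640, "/usr/sbin/rpcbind")}

# Constructed host-firewall policy: which executables may talk to which remote ports.
APP_POLICY = {80: {"/usr/bin/firefox"}, 443: {"/usr/bin/firefox"}}
# Constructed network-firewall policy: remote ports any inside host may reach.
NET_POLICY = {80, 443}

ESTABLISHED = "01"   # TCP state code used by /proc/net/tcp


@dataclass(frozen=True)
class Conn:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    inode: int


def decode_addr(addr):
    """'0700000A:9C40' -> ('10.0.0.7', 40000): bytes reversed, port big-endian."""
    hexip, hexport = addr.split(":")
    ip = ".".join(str(int(hexip[i:i + 2], 16)) for i in (6, 4, 2, 0))
    return ip, int(hexport, 16)


def parse_proc_net_tcp(text):
    conns = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        lip, lport = decode_addr(f[1])
        rip, rport = decode_addr(f[2])
        conns.append(Conn(lip, lport, rip, rport, f[3], int(f[9])))
    return conns


def network_verdict(conn):
    """What a router/hardware firewall can decide: address, port, protocol only."""
    return "allow" if conn.remote_port in NET_POLICY else "deny"


def host_verdict(conn, owners=INODE_OWNER, policy=APP_POLICY):
    """What a host firewall can decide: the same tuple plus the owning program."""
    _pid, exe = owners.get(conn.inode, (None, "<unknown>"))
    allowed = policy.get(conn.remote_port, set())
    return ("allow" if exe in allowed else "deny"), exe


def audit(text=SAMPLE_PROC_NET_TCP):
    """Compare both verdicts for every established (outbound) connection."""
    report = []
    for c in parse_proc_net_tcp(text):
        if c.state != ESTABLISHED:
            continue          # listening sockets are an inbound question, not egress
        hv, exe = host_verdict(c)
        report.append({"remote": f"{c.remote_ip}:{c.remote_port}", "exe": exe,
                       "network_firewall": network_verdict(c), "host_firewall": hv})
    return report


if __name__ == "__main__":
    for row in audit():
        print(row)
```

Both rows come out "allow" from the network-only rule, while the host rule lets the browser through and denies the unknown binary in /tmp. That difference is exactly the information the network device never gets, which is the argument for keeping the host-based layer even behind a good perimeter box.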
Oct 1st, 2003, 04:41 AM
#9
Fanatic Member
Originally posted by kasracer
it's just stupid, can slow things down and even corrupt incoming/outgoing packets.
Hi All.
I agree it can slow things down, but only by a few ms, nothing stupid about that... and the corruption B$, that's completely wrong.
Providing each firewall runs properly in its own right, it shouldn't interfere with or corrupt ANY packets, regardless of where they were sent from.
Just a quick note though... I don't use all the firewall software on one box... they are spread between several systems, some running one, others running two or more. I had an instance of someone breaking through a Norton install (which isn't hard anyway!) and then trying to hack through Sygate... which was fun to watch!
I don't think you can take security lightly, and any software is better than nothing. I lost around 4 GB of important work when a CodeRedII attack broke through the firewall, and wasted one of the systems!!! Since then, I don't take ANY chances.
Kasracer... don't try to tell Parksie his job... it's like teaching ma' to suck eggs! NAT can be configured as a basic firewall, but it would need constant modifications in order to be any use.
Anyone wondering what this posts about, check out my sig...
-
Oct 1st, 2003, 06:14 PM
#10
Retired VBF Adm1nistrator
To be honest, I don't see a problem with NAT. For anyone who actually knows what's going on, if inbound packets not coming 'through' an already established outbound connection are just ignored, then there's no way for them to get through.
So a single hardware firewall is what I've installed in our own sites, and all of our customer sites. (all permanent connections to the web with a static IP, and port 25 mapping through to exchange for ETRN and SMTP email setups)
Microsoft MVP : Visual Developer - Visual Basic [2004-2005]
-
Oct 2nd, 2003, 04:41 AM
#11
Fanatic Member
Originally posted by plenderj
To be honest, I don't see a problem with NAT. For anyone who actually knows what's going on, if inbound packets not coming 'through' an already established outbound connection are just ignored, then there's no way for them to get through.
Hmm... I'd agree with that, to a point!
Only problem with that theory would be any existing exploits of the packages which are already connected... such as RHN's openssl fix a few days ago... NAT wouldn't stop that, but a firewall may...
I like NAT, I think it's pretty damn easy to use, and simple to reconfigure, but it's only helpful when you can ensure all packages which are granted access don't have their own problems (which is almost never!)
Firewall-1 rules though!
-
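Posts #10 and #11 together describe what a stateful NAT/firewall does and does not buy you: unsolicited inbound packets are dropped because no state matches them, a statically mapped port (the port 25 mapping to the mail server in #10) is the one deliberate hole, and a hostile reply riding on a connection the inside host opened itself is passed straight through because the filter matched state and never looked at the payload. The toy filter below walks through each of those cases. It is an added example, not code from the thread or from pf, Firewall-1 or any other product; the addresses, ports, packets and the mail-server mapping are constructed.

```python
"""Toy stateful filter illustrating the NAT/state-table argument.

Outbound connections create state; inbound packets pass only if they match
existing state or a static port forward. A reply with a hostile payload on an
established connection still passes (post #11's caveat). Added example; all
addresses, ports and packets are constructed."""

from dataclasses import dataclass, field

INSIDE_NET = "10.0.0."          # constructed internal prefix
MAIL_SERVER = "10.0.0.25"       # constructed; stands in for the mail server in post #10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: str = ""             # TCP flags as letters: "S" SYN, "SA" SYN/ACK, "A" ACK
    payload: bytes = b""


@dataclass
class StatefulFilter:
    # static inbound exceptions: (proto, dport) -> inside host that receives it
    forwards: dict = field(default_factory=dict)
    # state table keyed by the 5-tuple as seen from the inside host
    states: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def outbound(self, pkt):
        if not pkt.src.startswith(INSIDE_NET):
            return self._drop(pkt, "out", "spoofed source")   # basic anti-spoofing
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if pkt.proto == "udp" or pkt.flags == "S":
            self.states.add(key)                              # new connection creates state
        if key not in self.states:
            return self._drop(pkt, "out", "no state")
        return True

    def inbound(self, pkt):
        # a reply to an inside-initiated connection: reverse the tuple and look it up
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.states:
            return True                     # passed; the payload is never inspected
        fwd = self.forwards.get((pkt.proto, pkt.dport))
        if fwd is not None and pkt.dst == fwd:
            if pkt.flags == "S":
                self.states.add(key)        # track the forwarded connection as well
            return True
        return self._drop(pkt, "in", "unsolicited")

    def _drop(self, pkt, direction, why):
        self.log.append(f"drop {direction} {pkt.proto} {pkt.src}:{pkt.sport} -> "
                        f"{pkt.dst}:{pkt.dport} ({why})")
        return False


def run_scenarios():
    """Exercise the filter with constructed traffic; returns (verdicts, drop log)."""
    fw = StatefulFilter(forwards={("tcp", 25): MAIL_SERVER})
    r = {}
    # 1. an inside host browses the web: SYN out, SYN/ACK back
    r["web_syn_out"] = fw.outbound(Packet("10.0.0.7", 40000, "198.51.100.9", 80, flags="S"))
    r["web_synack_in"] = fw.inbound(Packet("198.51.100.9", 80, "10.0.0.7", 40000, flags="SA"))
    # 2. the server's reply carries a hostile payload (post #11): still passed, state matched
    evil = Packet("198.51.100.9", 80, "10.0.0.7", 40000, flags="A",
                  payload=b"HTTP/1.0 200 OK\r\n\r\n" + b"A" * 4096)
    r["hostile_reply_in"] = fw.inbound(evil)
    # 3. unsolicited probe of port 135 (post #12): no state, no forward, dropped
    r["scan_135_in"] = fw.inbound(Packet("203.0.113.5", 12345, "10.0.0.7", 135, flags="S"))
    # 4. an outbound packet with a non-inside source address: anti-spoofing drops it
    r["spoofed_out"] = fw.outbound(Packet("172.16.9.9", 1111, "198.51.100.9", 80, flags="S"))
    # 5. SMTP to the forwarded mail server: the one deliberate hole, and its reply
    r["smtp_in"] = fw.inbound(Packet("203.0.113.5", 5555, MAIL_SERVER, 25, flags="S"))
    r["smtp_reply_out"] = fw.outbound(Packet(MAIL_SERVER, 25, "203.0.113.5", 5555, flags="SA"))
    # 6. same attacker aims port 25 at a host that is not forwarded: dropped
    r["smtp_wrong_host_in"] = fw.inbound(Packet("203.0.113.5", 5556, "10.0.0.7", 25, flags="S"))
    return r, fw.log


if __name__ == "__main__":
    verdicts, drops = run_scenarios()
    for name, passed in verdicts.items():
        print(f"{name:20s} {'pass' if passed else 'DROP'}")
    print("\n".join(drops))
```

Case 2 is the whole of #11's objection: the filter does its job perfectly and the exploit still reaches the client, because the client asked for that connection. Case 5 is the other exposure in #10's setup: whatever listens behind the mapped port is reachable by anyone, so its patch level, not the firewall, decides what happens.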
Oct 2nd, 2003, 04:50 AM
#12
Monday Morning Lunatic
RHN? Red Hat? O.o
Either way, yeah. I still patched my openssl and more importantly things like sendmail/openssh which have appeared in the last couple of weeks or so.
BUT PLEASE FOR THE LOVE OF ALL THAT IS DARK AND MANKY WOULD PEOPLE *PLEASE* STOP HAMMERING MY ROUTER ON PORT 135 THERE IS NOTHING FOR YOU THERE! 
*twitch twitch convulse*
*falls over*
-
Oct 2nd, 2003, 05:00 AM
#13
Fanatic Member
-
Oct 2nd, 2003, 05:21 AM
#14
Monday Morning Lunatic
"RHN's openssl fix"
-
Oct 2nd, 2003, 05:27 AM
#15
Fanatic Member
-
Oct 2nd, 2003, 05:29 AM
#16
Monday Morning Lunatic
No I knew what the vulnerability was because I was patched before I got most of the mailings about it :P
Was just asking who RHN was...so it *was* Red Hat like I guessed
-
Oct 2nd, 2003, 05:35 AM
#17
Fanatic Member