Clueless newbie to firewalls (sygate) seeks info

Seeking reference material (URL) that might help to explain incoming hits like the one below. What is all this stuff being sent to me?

Am using Sygate Personal Firewall (Win98SE) for the first time as a broadband cable subscriber, and am getting numerous hits from incoming addresses with & without packet data, among them one example identified as follows:

OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US
NetRange: 10.0.0.0 - 10.255.255.255
CIDR: 10.0.0.0/8
NetName: RESERVED-10
NetHandle: NET-10-0-0-0-1
Parent:
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: This block is reserved for special purposes.
Comment: Please see RFC 1918 for additional information.
Comment:
RegDate:
Updated: 2002-09-12

File Version : 4.10.0.2222
File Description : Win32 Kernel core component (kernel32.dll)
File Path : C:\WINDOWS\SYSTEM\kernel32.dll
Process ID : 0xFFCFD0F5 (Heximal) 4291809525 (Decimal)

Connection origin : remote initiated
Protocol : UDP
Local Address : 255.255.255.255
Local Port : 68 (BOOTPC - Dynamic Host Configuration Protocol [DHCP] Client)
Remote Name :
Remote Address : 10.222.64.1
Remote Port : 67

Ethernet packet details:
Ethernet II (Packet Length: 384)
Destination: ff-ff-ff-ff-ff-ff
Source: 00-0b-fc-40-28-54
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags: .0.. = Don't fragment: Not set
       ..0. = More fragments: Not set
Fragment offset: 0
Time to live: 255
Protocol: 0x11 (UDP - User Datagram Protocol)
Header checksum: 0x1bb2 (Correct)
Source: 10.222.64.1
Destination: 255.255.255.255
User Datagram Protocol
Source port: 67
Destination port: 68
Length: 8
Checksum: 0x3542 (Correct)
Bootstrap Protocol
Boot Reply
Option 53: DHCP Message Type = DHCP Offer
Option 54: Server Identifier = 68.87.71.0
Option 51: IP Address Lease Time = 6 days, 16 hours
Option 1: Subnet Mask = 255.255.248.0
Option 66: Unknown Option (11 Bytes)
Option 3: Router = 10.222.64.0
Option 2: Unknown Option (4 Bytes)
Option 4: Unknown Option (4 Bytes)
Option 7: Unknown Option (4 Bytes)
Option 128: Unknown Option (4 Bytes)
Option 67: Unknown Option (19 Bytes)

Binary dump of the packet:

0000: FF FF FF FF FF FF 00 0B : FC 40 28 54 08 00 45 00 | .........@(T..E.
0010: 01 72 BD 80 00 00 FF 11 : B2 1B 0A DE 40 01 FF FF | .r..........@...
0020: FF FF 00 43 00 44 01 5E : 42 35 02 01 06 00 00 0E | ...C.D.^B5......
0030: 54 F2 00 00 80 00 00 00 : 00 00 0A DE 45 C3 44 57 | T...........E.DW
0040: 47 0D 0A DE 40 01 00 11 : 1A 59 1C 4C 00 00 00 00 | G...@....Y.L....
0050: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0060: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0070: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0080: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0090: 00 00 00 00 00 00 64 31 : 31 5F 77 61 6C 6C 65 64 | ......d11_walled
00A0: 67 61 72 64 65 6E 2E 63 : 6D 00 00 00 00 00 00 00 | garden.cm.......
00B0: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
00C0: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
00D0: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
00E0: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
00F0: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0100: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0110: 00 00 00 00 00 00 63 82 : 53 63 35 01 02 36 04 44 | ......c.Sc5..6.D
0120: 57 47 0B 33 04 00 08 CE : DD 01 04 FF FF F8 00 42 | WG.3...........B
0130: 0B 36 38 2E 38 37 2E 37 : 31 2E 31 33 03 04 0A DE | .68.87.71.13....
0140: 40 01 02 04 FF FF C7 C0 : 04 04 44 57 47 0D 07 04 | @.........DWG...
0150: 00 00 00 00 80 04 00 00 : 00 00 43 13 64 31 31 5F | ..........C.d11_
0160: 77 61 6C 6C 65 64 67 61 : 72 64 65 6E 2E 63 6D 00 | walledgarden.cm.
0170: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 FF | ................

TIA, DanlK, FYI Services Collectibles


Reply to
FYIS.org/estore
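To see what the logged packet actually is, here is an added example (my own code, not part of the original post and not Sygate's) that rebuilds the frame from the hex dump above and decodes it layer by layer: Ethernet II, IPv4, UDP, then the BOOTP header and the DHCP option list. The only input is the dump copied from the post; the function names and the plain-English assessment are mine. The decode shows a DHCP Offer relayed from the RFC 1918 address 10.222.64.1 to the broadcast address, which is why the whois lookup landed on IANA's reserved 10/8 entry and why the "remote initiated" hit is normal lease traffic rather than a probe.

```python
# Added example, not code from the thread or from Sygate: a decoder for the packet
# dump in the first post. Only the hex lines below are copied from that post.
import struct
import ipaddress

SYGATE_DUMP = """\
0000: FF FF FF FF FF FF 00 0B : FC 40 28 54 08 00 45 00 | .........@(T..E.
0010: 01 72 BD 80 00 00 FF 11 : B2 1B 0A DE 40 01 FF FF | .r..........@...
0020: FF FF 00 43 00 44 01 5E : 42 35 02 01 06 00 00 0E | ...C.D.^B5......
0030: 54 F2 00 00 80 00 00 00 : 00 00 0A DE 45 C3 44 57 | T...........E.DW
0040: 47 0D 0A DE 40 01 00 11 : 1A 59 1C 4C 00 00 00 00 | G...@....Y.L....
0050: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0060: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0070: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0080: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0090: 00 00 00 00 00 00 64 31 : 31 5F 77 61 6C 6C 65 64 | ......d11_walled
00A0: 67 61 72 64 65 6E 2E 63 : 6D 00 00 00 00 00 00 00 | garden.cm.......
00B0: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
00C0: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
00D0: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
00E0: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
00F0: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0100: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0110: 00 00 00 00 00 00 63 82 : 53 63 35 01 02 36 04 44 | ......c.Sc5..6.D
0120: 57 47 0B 33 04 00 08 CE : DD 01 04 FF FF F8 00 42 | WG.3...........B
0130: 0B 36 38 2E 38 37 2E 37 : 31 2E 31 33 03 04 0A DE | .68.87.71.13....
0140: 40 01 02 04 FF FF C7 C0 : 04 04 44 57 47 0D 07 04 | @.........DWG...
0150: 00 00 00 00 80 04 00 00 : 00 00 43 13 64 31 31 5F | ..........C.d11_
0160: 77 61 6C 6C 65 64 67 61 : 72 64 65 6E 2E 63 6D 00 | walledgarden.cm.
0170: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 FF | ................
"""

MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
ip4 = lambda b: str(ipaddress.IPv4Address(bytes(b[:4])))
mac = lambda b: ":".join("%02x" % x for x in b)

def parse_sygate_dump(dump):
    """Rebuild the frame bytes from Sygate's 'OFFS: xx .. : xx .. | ascii' lines."""
    raw = bytearray()
    for line in dump.splitlines():
        body = line.split("|", 1)[0].split(":", 1)[1]   # drop the ASCII and offset columns
        raw.extend(int(h, 16) for h in body.replace(":", " ").split())
    return bytes(raw)

def parse_options(blob):
    """DHCP option TLVs: code 0 is a one-byte pad, code 255 ends the list."""
    opts, i = {}, 0
    while i < len(blob) and blob[i] != 255:
        code = blob[i]
        if code == 0:
            i += 1
            continue
        length, data = blob[i + 1], blob[i + 2:i + 2 + blob[i + 1]]
        i += 2 + length
        if code in (1, 3, 4, 7, 54):              # mask, router, time/log server, server id
            opts[code] = ip4(data)
        elif code == 53:
            opts[code] = MSG_TYPES.get(data[0], data[0])
        elif code in (2, 51):                     # UTC offset (signed) / lease time (unsigned)
            opts[code] = struct.unpack("!i" if code == 2 else "!I", data)[0]
        elif code in (66, 67):                    # TFTP server name / bootfile name
            opts[code] = data.decode("ascii")
        else:
            opts[code] = data.hex()               # anything else (option 128 here) left raw
    return opts

def decode_frame(pkt):
    """Ethernet II -> IPv4 -> UDP -> BOOTP/DHCP; returns the fields a log reviewer needs."""
    if struct.unpack("!H", pkt[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = pkt[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 17:
        raise ValueError("not UDP")
    bp = ip[ihl + 8:total_len]                    # BOOTP payload after the 8-byte UDP header
    if bp[236:240] != b"\x63\x82\x53\x63":
        raise ValueError("no DHCP magic cookie")
    return {
        "eth_src": mac(pkt[6:12]), "ip_src": ip4(ip[12:16]), "ip_dst": ip4(ip[16:20]),
        "udp": struct.unpack("!HH", ip[ihl:ihl + 4]),   # (source port, destination port)
        "op": bp[0], "xid": struct.unpack("!I", bp[4:8])[0],   # op 2 = BOOTREPLY
        "broadcast": bool(bp[10] & 0x80),          # server asked for a broadcast reply
        "yiaddr": ip4(bp[16:20]),                 # address being offered
        "siaddr": ip4(bp[20:24]), "giaddr": ip4(bp[24:28]),   # next server / relay agent
        "chaddr": mac(bp[28:28 + bp[2]]),         # client MAC the reply is addressed to
        "options": parse_options(bp[240:]),
    }

def assess(info):
    """What the frame means to the person reading the firewall log."""
    notes = []
    if info["op"] == 2 and info["udp"] == (67, 68):
        notes.append("DHCP %s for %s: ordinary lease traffic; dropping it breaks renewal"
                     % (info["options"].get(53), info["yiaddr"]))
    if ipaddress.IPv4Address(info["ip_src"]).is_private:
        notes.append("sender %s is RFC 1918 space, hence the IANA whois entry" % info["ip_src"])
    if info["broadcast"]:
        notes.append("broadcast reply for client MAC %s: compare with this PC's NIC" % info["chaddr"])
    return notes
```

Run it with `assess(decode_frame(parse_sygate_dump(SYGATE_DUMP)))`. Two details worth noticing when reading Sygate logs of this vintage: the byte-level decode gives 68.87.71.11 for the server identifier (option 54) and 10.222.64.1 for the router (option 3), whereas Sygate's summary above prints the last octet of both as .0, so the raw dump is the thing to trust; and the client hardware address inside the offer (00:11:1a:59:1c:4c) is not the Ethernet source (00:0b:fc:40:28:54, the relay), because the offer was broadcast on a shared segment and only the host whose NIC matches chaddr will act on it.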

How would a hardware firewall have done any better?

Reply to
DevilsPGD

Yes, and doing so still wouldn't allow the DHCP renew (if that is what is being blocked) to complete successfully.

While I agree about hardware vs software firewalls, this is not a prime example. At most this is an example of how poorly written most software firewalls are, and how difficult to use most hardware firewalls are (meaning that an end user doesn't interact with them directly, or when they do, the end user doesn't try to understand).

Reply to
DevilsPGD

If you block DHCP with a firewall then your IP lease won't renew automatically. However you may not notice this since your lease time is 6 days and Windows 98 can't stay up for half that long.

I'd get a better firewall if I were you, preferably an external box, but there is little reason to install a firewall on Windows 98 provided that file and print sharing is turned off and no untrusted software is on the system. To determine whether or not any untrusted software is on the system you might start with

formatting link

Jason

Reply to
Jason Edwards

Jason wrote on Thu, 28 Apr 2005 11:19:57 +0100:

I assume that was an attempt at humour.

I've got Win95 machines and Win98 machines here that stay up for weeks on end. Win95 has a 47 day issue with its screensaver timer, but Win98 does not have that problem.

Dan

Reply to
Spack

Another prime example of why software firewalls are useless

Reply to
Mike

I agree, Windows 98 will stay up for far longer than any other operating system. It's only when you start to use it for any productivity that it starts to fall over.

Reply to
Mike

It does depend on what the machine is doing and what it is used for, and how much RAM it has, and how many operating system files have been overwritten by application installs and in what order, and other things. If the machine has to do any serious work then I would not expect more than a few days before a restart is required.

No doubt different people will have different experiences with this because it is rare to find two Windows 98 machines with exactly the same set of operating system file versions. If you reinstall it or restore an image every month then it may stay up longer.

Jason

Reply to
Jason Edwards

Because a hardware firewall would block it before it even reaches the internal network, which eliminates any configuration errors that a user might make in their Personal Firewall Application - this would apply for those NAT Routers too (which are NOT firewalls).

Reply to
Leythos

I have Windows XP Prof and 2000 Server and 2003 server that are used daily with more than 4 months uptime on them, servers with over a year uptime - only rebooted for service packs.

Reply to
Leythos

Sure, but that's a design implementation, not a hardware vs software issue. It wouldn't be challenging to make a software firewall that shuts the hell up about doodle flangers.

While it would be slightly more difficult in terms of implementation, you could easily make a hardware firewall that notifies the user (either via software on the PC, or by email).

That isn't the primary reason to avoid a software firewall, at least not in my books. Rather, the reason is that many of them are poorly implemented, either not fully stateful (as evidenced by the number of users reporting their firewall is blocking traffic which turns out to not only be legitimate, but sessions that weren't interrupted in any way), or simply that it's too late -- If there is a bug either in the firewall itself, or in the OS' IP stack, the system can still be compromised.

If my firewall gets compromised, that's all the attacker has gained -- Access to my firewall. They have not gained privileged access to my machines yet, and may well not be able to do so from the firewall.

Reply to
DevilsPGD

Irony really does get lost on the other side of the pond ;-)

Reply to
Mike

How would you explain such deeply technical information to a completely clueless and disinterested user?

Bottom line is userland is the wrong place for a firewall.

Generally speaking a hardware firewall would either (a) be installed by someone who has a clue or (b) have a default configuration that makes some sort of sense.

This is what a software firewall looks like to average Joe user:-

WARNING! A doodle flanger has grapoppled!

Do you want me to jangerfap the doodle flanger, discombooble the grapoppler or nurdle the keekwop?

Of course if the user makes one choice, something will stop working, if they make another, they may expose their machine.

A hardware firewall on the other hand does this:-

Reply to
Mike

Well, I have a time-lag as the mental images/impressions pass over the ocean to my location from yours :)

Reply to
Leythos

I think you've missed how these devices work - The WAN interface on most of the cheap NAT devices is fully capable of getting its IP via DHCP from the ISP's equipment over DSL or any other connection supported by the device.

The LAN side can have a DHCP service setup on the Router to provide leases to the LAN side devices.

The only possible complication is when an ISP changes their DHCP assignments that are pushed (or not) via the DHCP service on the WAN.

Many routers/nat boxes issue a lease for 24 hours, that means that there "could" be a problem between the ISP changing their DNS information and the router's WAN connection renewing its IP and then passing that information to the router's internal DHCP service to provide to the internal systems on the LAN. A simple power-cycle on the router and reboot of the computers/devices takes care of that.

There is a large difference between PERSONAL firewall applications and Firewall Applications designed to protect networks. The big flaw is in the User based firewall system - as many users have no clue, will never have a clue, and don't really want to do more than USE their computers, there will always be a path to compromise a PERSONAL firewall application. The simple NAT Router provides a means for users to rebuild their systems without being hacked in the process, install a personal firewall before being hacked, block their machines (without the PFW) from connections all the time, and to limit exposure of services that may have unseen exploits (not to mention the known exploits).

With most NAT boxes you get a good inbound protection method that beats the heck out of any soft solution you could provide to any typical home user base.

Reply to
Leythos

Jason wrote on Thu, 28 Apr 2005 12:20:34 +0100:

I guess I can agree with most of that.

However, there are always exceptions to the norm. One particular machine I have sitting here next to me at work runs Win95, and throughout the week runs a VB6 app to pull data via the Amazon ECS webservice using the MSXML object dumping the results into an Access 2000 database using Jet 4.0 (so straight away has had IE4 and IE5 installed, plus MDAC and the VB6 SP5 runtimes and components). This machine was last restarted 24 days ago when we switched our internet connection at work and I found that I'd set up the DNS servers statically instead of using DHCP, requiring a reboot due to changing the TCP/IP properties (bit of an annoyance). It's got a whacking great big 128MB of SDRAM (:P) on a Pentium II 266, and has had loads of software installed on it over the years (it used to also be our CD-RW machine - and occasionally is still seconded for that - and used for scanning, and prior to that was a machine used off-site by one of our sales team, and it never did get wiped prior to its current use). Being only a small business we tend to re-use old equipment for little automated tasks that are not yet mission critical.

Dan

Reply to
Spack

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.