Best way to go?

Duane Arnold

No, but software placed on ROM, diskette or CD does not change into hardware.

You should not. For example, please read this:

On Sun, 11 Jun 2006 11:35:26 +0200, B. Nice spoketh

This is true. A "hardware firewall" uses software to actually do something. Without it, it would just be a plastic box with some wiring inside...

However, the term has been adopted as an acceptable term for "firewall appliance", which is probably closer to the dedicated device that you mention. However, a dedicated device won't differentiate between an appliance and a regular PC acting as a firewall. Whether the distinction is necessary or not, I don't know...

Software firewall is also an ambiguous term, since as you pointed out, all firewalls are really software. However, if we take the appliance firewalls out of the equation, you're still stuck with two remaining firewalls: Network firewalls installed on PC (windows/unix/linux based) and the "desktop firewalls".

Because of this, a distinction between network firewalls and host based firewalls makes more sense that identifying the type of device.

$0.02

Lars M. Hansen

That's just another opinion. And they are a dime a dozen.

Since I don't know what I am talking about, please don't repeat my statements.

No, those are the facts take it or leave it. And anyone with any kind of expertise about FW(s) knows this. The host based FW is only as secure as the platform/O/S has been made to be secure.

If the O/S has not been harden to attack, then nothing running with the O/S is secure. And host a based FW can and does get attacked just like the O/S can be attack, since it's a program running with the O/S.

Those are the facts.

Again, you don't know what you're talking about.

Duane :)

Beside "desktop firewalls", there're also some serious host-based packet filters.

Host based packet filters are no firewalls. Firewalls are a concept of separating networks and achieve much more serious security standards than a HBPF. (And no, I'm not willing to accept wrong terminology because some idiots are marketing lousy HBPFs as "personal firewalls".)

What you are willing to accept or not it totally irrelevant to everyone but you. The fact of the matter is that the term has been accepted in the marketplace, whether you find it correct or not. Rather than arguing about terminology, perhaps you should focus your energy on contributing in a more positive way such as educating the end users about the danger they may face and how to protect themselves. You are fighting the wrong battle, my friend.

Lars M. Hansen snipped-for-privacy@hansenonline.net

You may accept that marketing talk is not approciate when discussing about real security terms. You may call them firewalls as you want, they'll remain being host-based packet filters, a much less effective security measure than real firewalls.

Exactly. Tell them that their firewalls are no real firewalls, don't offer the security of such ones and that they got their concept wrong (if they actually have one).

Guess what? Most users are actually willing to understand, especially since the permanent "Yes, allow this." or "No, trace it to its source and report it to the ISP. WTF, why does he complain?" is an unnecessary PITA.

Duane Arnold