hardware firewall

Yep, got your post in the other one, and I agree with you, but I'm going to keep blocking those Destination ports because it saves more than it hurts - the logs do not indicate any connections TO port 1433/1434 from any of the networks we have set up like this.

Reply to
Leythos

says... [cut]

So what. A firewall runs software, a PC runs software. So they are alike in that sense. I did not say that it was the same software. You could expand my statement into two statements like this: All firewalls have a processor running software. All PCs have a processor running software.

It depends on how you interpret it but I think that what I wanted to say should now be clear to everyone. Thank you for helping to clarify it.

That is true. I see no further reason to argue.

[cut]

Yes I already corrected that with another post. I apologise for misreading you.

Jason

[rest cut]
Reply to
Jason Edwards

This was/is the crux of the problem today - While it's technically correct, the implication was that "his computer's OS" was the same level as that of a firewall's OS.

If I were to reason your way, I could say:

Since all PCs have a processor running software, they are also firewalls, since all firewalls have a processor running software.

Try thinking of the difference between a Boeing 747 and a jet-fighter - they are both designed to transport people, one is designed for a very limited and specific task with special design considerations, the other is designed for general transport and varied use. One can not be used for the other, and one is more likely to have problems than the other.

The above is the only real problem I have with today's group of people that can't separate the difference between a firewall, a router with NAT, and everything else.

Many people call NAT appliances firewalls, they are not, they offer "firewall like" features without being a firewall - it's only marketing hype that enables them to be called Firewalls.

Personal firewalls are another problem - in the real world, not the home user world, a firewall is a dedicated system, usually a server, running only the bare essentials to boot up and the firewall application. The system is not used by anyone, it is not accessed by anyone for programs or data (other than firewall logs/management) and has no typical user accounts. These "personal" firewalls, running on the user's system, are very easy to compromise, very prone to misconfiguration, and are susceptible to viruses and OS exploits that would not impact an appliance or dedicated firewall server system.

Don't get me wrong, PFW are necessary, I have them installed on my laptops and use them inside clients' protected networks, but I buy the higher end PFW apps, not the free ones, and the bigger difference is that I know what I'm doing when I allow/deny something and when I install it - most users of PFWs don't have a clue about them.

Reply to
Leythos

That doesn't look like my reasoning to me but no matter.

I wouldn't let it worry you if I were you. It's not going to change.

Marketing would call them firesplogulators if it increased sales.

Yup.

Yup and most users aren't going to change any time soon.

Jason

Reply to
Jason Edwards

There is a lot of heady info here in this whole RE: hardware firewall thread.

I think of hardware firewall (HF) as a device straddling two networks or subnets. The HF software is placed in the network stack and implements rules. The HF itself performs NAT and routing. HF can also provide proxy services to enforce the RFC of whichever protocol.

I think of software firewall (SF) as a stripped-down version of HF. There is only one network available to the host, so this occupies the network stack and creates networks within the 127.0.0.x system. The SF has to make use of spare localhost addresses and intercepts the packets there to apply whatever rules are in force. The SF host does not provide proxy usually.

There is naturally no passage between separate networks in the HF, so the HF must provide that access. The SF firewall is already compromised, so to speak, and just shuffles the packets on the host network stack.

How hard the rules or the actual software is in either case is subjective. The best defense is layers, and so if a HF were implemented in say Linux for a Windoze or heterogeneous network, I would think that would be very good.

Reply to
Gregory W Zill

devices, they block inbound as part of the normal NAT function. These devices typically default to allowing ALL OUTBOUND traffic and no inbound traffic that wasn't requested by something inside the network.

2) Firewalls (like WatchGuard, CISCO, etc...) are actually firewalls and do not have to implement NAT. They default to NO INBOUND TRAFFIC AT ALL, and also block all outbound traffic completely. Some of these units default to allowing some outbound traffic like DNS and Web browsing, but many block everything in both directions and require the user to configure exactly what they want in/out.

Leythos:

To expand upon your comments: IMO, it is easier to know how a firewall device works, then label it, rather than just discuss (mktg?) labels.

In general, a useful overview of different firewalls techniques:

Most firewalls use two or more of the following techniques:

.. Packet filters: A packet filter looks at each packet that enters or leaves the network and accepts or rejects the packet based on user-defined rules. Packet filtering is fairly effective and transparent, but it is difficult to configure. In addition, it is susceptible to IP spoofing.

.. Application gateway: An application gateway applies security mechanisms to specific programs such as FTP and Telnet. This technique is very effective, but can cause performance degradation.

.. Circuit-layer gateway: This technique applies security mechanisms when a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) connection is established. After the connection has been established, packets can flow between the hosts without further checking.

.. Proxy server: A proxy server intercepts all messages [for specific protocols] that enter and leave the network. The proxy server effectively hides the true network addresses.

.. Application proxies: Application proxies have access to the whole range of information in the network stack. This permits the proxies to make decisions based on basic authorization (the source, the destination, and the protocol), and also to filter offensive or disallowed commands in the data stream. Application proxies are "stateful," meaning that they keep the "state" of connections inherently. The Internet Connection Firewall feature that is included in Windows XP is a "stateful" firewall, as well as Windows Firewall. Windows Firewall is included in Windows XP Service Pack 2 (SP2).

Note that NAT is not included in the above (nor is ID), and the reference does not distinguish between host based firewalls and appliance firewalls.

Using the above, IMO, Sygate PF free is a host based packet filtering f/w, and MS's ISA uses all of the above techniques (plus NAT). Per previous post, you and I would have difficulty calling ISA a f/w appliance as it runs on top of a full computer op system, whereas we would consider a f/w appliance to have a very limited op system.

Reply to
CZ
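To make the first and third techniques in the list above concrete, here is an added example (my own code, not from the thread or any vendor) contrasting a stateless packet filter with a circuit-layer (connection-tracking) gateway. All addresses, ports, packets and rules are constructed for the demonstration; only TCP flags and a 4-tuple are modelled, no real traffic is touched.

```python
"""Stateless packet filter vs. circuit-layer (stateful) gateway.

Added example; everything below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

INSIDE = "192.168.1.10"   # constructed: a host on the protected LAN
WEB = "203.0.113.5"       # constructed: a web server on the Internet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # TCP SYN flag
    ack: bool = False     # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    action: str           # "accept" or "reject"
    src: str = "*"        # exact address, or "*" for any
    dst: str = "*"
    sport: int = 0        # 0 means any port
    dport: int = 0

    def matches(self, p: Packet) -> bool:
        return (self.src in ("*", p.src) and self.dst in ("*", p.dst)
                and self.sport in (0, p.sport) and self.dport in (0, p.dport))


def packet_filter(rules: List[Rule], p: Packet) -> str:
    """Stateless filter: each packet is judged by the rule list alone.
    First match wins; default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "reject"


# Stateless rule set: to let web replies back in, the filter has to trust
# anything arriving from source port 80, because it cannot remember which
# connections the inside host actually opened. That hole is exactly what
# the reference means by "susceptible to IP spoofing".
STATELESS_RULES = [
    Rule("accept", src=INSIDE, dport=80),
    Rule("accept", dst=INSIDE, sport=80),
]
# The stateful gateway needs only the outbound rule.
STATEFUL_RULES = [Rule("accept", src=INSIDE, dport=80)]


class CircuitGateway:
    """Rules are consulted only when a connection is established (SYN);
    afterwards packets of that connection, in either direction, flow
    without further checking, and unknown mid-stream packets are dropped."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.table: Set[Tuple[str, int, str, int]] = set()

    def filter(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table or rev in self.table:
            return "accept"              # established connection
        if p.syn and not p.ack:          # new connection attempt
            verdict = packet_filter(self.rules, p)
            if verdict == "accept":
                self.table.add(fwd)
            return verdict
        return "reject"                  # mid-stream packet, no known connection


OUTBOUND_SYN = Packet(INSIDE, 40000, WEB, 80, syn=True)
REPLY_SYNACK = Packet(WEB, 80, INSIDE, 40000, syn=True, ack=True)
# A packet that looks like a reply but belongs to no connection the inside
# host ever opened (what a spoofed or scanning sender would produce).
UNSOLICITED = Packet(WEB, 80, INSIDE, 40001, ack=True)


def run_demo() -> dict:
    """Return the verdicts of both filters for the three constructed packets."""
    gw = CircuitGateway(STATEFUL_RULES)
    pkts = (OUTBOUND_SYN, REPLY_SYNACK, UNSOLICITED)
    return {
        "stateless": [packet_filter(STATELESS_RULES, p) for p in pkts],
        "stateful": [gw.filter(p) for p in pkts],
    }


if __name__ == "__main__":
    print(run_demo())
```

The stateless filter accepts all three packets, including the unsolicited one, because its only way to admit replies is a blanket "source port 80" rule; the circuit-layer gateway accepts the real reply from its connection table and rejects the packet that belongs to no tracked connection, with a shorter rule set.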

OK. How many 'hardware/real' firewalls are based upon BSD 4.4 and its derivatives? Cisco and Juniper are. I'll be willing to bet that most commercial firewalls are based upon this flavor of UNIX. Perhaps this is not a common choice for a desktop, but it does seem to be reasonable to describe this as running software just like your PC does.

Certainly, the 'hardware firewall' doesn't run DirectX and other software that is not needed for its role. I can strip down any of the open source BSD distributions and end up with a kernel that has only the functionality needed by a firewall. I will concede that I cannot rigorously test this like a commercial vendor would do.

In fact, in light of Cisco's announcement that they HARDCODED a password in their (leaked) source code, I find it hard to state that Cisco's products are intrinsically more secure than something like OpenBSD. In fact, it seems to me that Cisco's SSH has more security flaws than does OpenSSH, especially if you consider the OpenSSH that ships with OpenBSD (OpenSSH is available on other platforms, such as OS/X, Windows and Linux).

The other finding that shocked me about open source was the publishing of the original 'fuzz test' papers. They found that the GNU tools were more robust than commercial UNIX. People with the guts to show their code make better code than people hired to write code. While this is strange to many, the empirical evidence was rather clear.

So, in light of this evidence, I think that it is quite possible to run a secure firewall using an open source BSD on a COTS computer (preferably with a killer NIC). I can also run the same OS (perhaps with different kernel options) as a desktop PC.

Reply to
Robert Folkerts

Now that's a bad assumption right there. There's at least two (127/8 and whatever the primary outgoing interface is), and often more.

No, it doesn't, and just because one software firewall you've seen does things this way doesn't mean that they all do.

Again, this must be based on your experience with *very* few products. I'd say that most software firewalls *do* proxy. AtGuard (now known as Norton Internet Security and Norton Personal Firewall), for example, provides transparent proxy for both HTTP and SMTP.

Regards,

Reply to
Arthur Hagen

Even if they were to run Windows as their OS it would not be "running software just like your PC does", it would be a very limited subset of the Windows OS. Since you've never looked at what OS modules are included in a firewall, since you appear to not understand that a firewall OS (in an appliance) is completely stripped of anything except the essential components necessary to run the firmware, I don't think you are going to accept that Firewalls DO NOT RUN THE SAME SOFTWARE JUST LIKE YOUR PC DOES.

Reply to
Leythos

Clearly there are some circumstances where a firewall appliance may be running _some_ software components that are the same as or similar to _some_ software components found in a desktop PC (I don't mean a Windows PC). But no-one is suggesting that the software in a firewall appliance would be exactly the same software that the average user's desktop PC uses.

One reason why I pointed out that all firewalls have processors running software is because I have found a few people with the misconception that a 'hardware firewall' does not have a processor running software but has something else. This can lead to the misconception that a hardware firewall is better because it has no software.

I wouldn't worry about it if I were you Leythos. A lot of it comes down to what is meant by various words and I don't think it is worth getting worked up about it.

Jason

Reply to
Jason Edwards

If you were to state that firewall appliances are specialized computers running limited versions of common OSs that only permit the firewall software to run, then I would agree. Again, the problem is lumping in the firewall appliances with "PCs" and "Software" in general - this gives the impression that any PC running a firewall application is the same as a firewall appliance, which, to those of us that design secure solutions, know that it's not anything close to the same.

I'm not worked up, but I'm a BIG advocate for getting the facts correct and not spreading misinformation, especially when it comes to security and firewalls. When I see people suggesting things like the above I always call it out for what it is - a misconception, a fundamental flaw, and a serious lapse in understanding the difference between an embedded system and a program running on a PC.

Reply to
Leythos

None of these products offer this capability, I think you're misunderstanding my point here. These products you mention are (more or less transparent) application layer proxies, analyzing the traffic with a knowledge of application layer protocols, which can be a very good thing of course.

But they cannot see if your communication with [link] at port 80, sending (POST) and receiving (GET), comes from your regular web browser, is some malware replicating (unless it knows its signature or other patterns), or is some spyware sending your request for daily spam.

The only way it could would be if it had a trusted process running on each host behind it, and even then it would create a potentially huge overhead and still be vulnerable if some malware actually does manage to take control (and in time, this will happen).

Reply to
Eirik Seim

I do agree with that.

Yup a desktop PC with firewall software installed is not anything close to the same as a firewall appliance. I agree with that too.

I am too.

Jason

Reply to
Jason Edwards

Juniper (Netscreen) firewalls are NOT based upon BSD, nor any other OS.

They run on their own ASIC hardware platform, with their own proprietary OS.

Reply to
Mark S

Well, explain this then from my 5GT log: 2004-11-30 17:09:47 info HTTP:TUNNEL:CHAT-MSN-IM has been detected from 192.168.10.2/14473 to 65.54.213.62/80 through policy 15 1 times.

Perhaps you need to do a little bit more research on these products before putting your foot in your mouth.

Reply to
Mark S

Just disable MSN messenger via group policy. E.

Reply to
E.

You said explicitly "But it cannot see if the connection is originating from a worm like Slammer or a database client application. Or MSN (on port 80) versus your favorite web browser."

The po> >

compromised.

Reply to
Mark S

Errr that wasn't my point. Plus that wouldn't work.

Reply to
Mark S

Yes, this is a typical signature, as there's something with that connection that's typical for MSN connections over http (a signature). It could be as easy as your vendor knows which IP addresses at Microsoft that are used for this kind of connections, or as advanced as recognizing the actual http traffic as MSN traffic.

Your computer has processes, and it does not announce any details about those processes to any other systems. Your computer has outgoing connections that are related to one of those processes. The only way to know which process "owns" which connection is by looking at the processes and the connections _from within the computer system where the connection originates_.

There is _no way_ an independent networking device can know if a certain connection is from application A (which is the nice, wanted application you run, say Internet Explorer) or from application B (which is the bad, unwanted application, say a worm), _unless_ the application has some sort of known characteristics (a signature, either obvious like most web browsers User-Agent field, or less obvious like protocol errors due to bad programming or the occurrence of a certain bit-string like most anti-virus software relies on) that makes it possible to identify it merely from looking at the network traffic it generates.

Now, "personal firewalls", as much as I don't like them in general, actually do run on the same system as the connections which they are filtering originate from, thus they have the unique (compared to our traditional network firewalls) capability of being able to see which process the connection belongs to and take appropriate action with this added knowledge.

As for my foot, it is firmly placed on the ground, thank you.

Reply to
Eirik Seim
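The two positions in this exchange (the 5GT log line quoted earlier, and the point that only something on the host can tell which process owns a connection) can be shown side by side. The following is an added example, my own code and not from the thread or from Juniper: it parses alerts in the format of the quoted log line into their 4-tuple and signature name, then joins them against a constructed host-side socket table of the kind a personal firewall or host agent on 192.168.10.2 would have (local port, remote endpoint, PID, executable). The field names, the second and third log lines, and every entry in the socket table are constructed assumptions; the first log line is the one quoted in the thread.

```python
"""Parse NetScreen-style signature alerts and attribute them to host processes.

Added example. The alert format follows the one log line quoted in the
thread; all other data here is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Format of the quoted 5GT line; the group names are my own.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>\w+) "
    r"(?P<sig>[A-Z0-9:_-]+) has been detected from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"through policy (?P<policy>\d+) (?P<count>\d+) times?\.$"
)


def parse_alert(line: str) -> Optional[Dict]:
    """Return the alert's fields, or None if the line is not an alert.
    This is all a network device knows: endpoints, a signature name, a policy."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "policy", "count"):
        d[k] = int(d[k])
    return d


# Constructed host socket table, keyed by host address, as a host-based agent
# would collect it (think netstat with owning-process output). The network
# firewall has no access to this; that is the thread's point.
HOST_SOCKETS: Dict[str, List[Dict]] = {
    "192.168.10.2": [
        {"lport": 14473, "raddr": "65.54.213.62", "rport": 80,
         "pid": 1840, "exe": "msnmsgr.exe"},     # constructed
        {"lport": 14480, "raddr": "65.54.213.62", "rport": 80,
         "pid": 2216, "exe": "iexplore.exe"},    # constructed
    ]
}


def attribute(alert: Dict, sockets: Dict[str, List[Dict]]) -> Optional[str]:
    """Join the alert's 4-tuple to the host socket table and return the
    owning executable, or None when no host data exists for it."""
    for s in sockets.get(alert["src"], []):
        if (s["lport"] == alert["sport"] and s["raddr"] == alert["dst"]
                and s["rport"] == alert["dport"]):
            return s["exe"]
    return None


SAMPLE_LOG = [
    # the line quoted in the thread
    "2004-11-30 17:09:47 info HTTP:TUNNEL:CHAT-MSN-IM has been detected from "
    "192.168.10.2/14473 to 65.54.213.62/80 through policy 15 1 times.",
    # constructed: same signature fired on a browser talking to the same endpoint
    "2004-11-30 17:10:02 info HTTP:TUNNEL:CHAT-MSN-IM has been detected from "
    "192.168.10.2/14480 to 65.54.213.62/80 through policy 15 3 times.",
    # constructed: a line that is not a signature alert at all
    "2004-11-30 17:10:05 info system clock synchronised.",
]


def run_demo(lines: List[str] = SAMPLE_LOG,
             sockets: Dict[str, List[Dict]] = HOST_SOCKETS) -> List[Tuple[str, int, Optional[str]]]:
    """For each alert: (signature, source port, owning process or None)."""
    out = []
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        out.append((a["sig"], a["sport"], attribute(a, sockets)))
    return out


if __name__ == "__main__":
    for sig, sport, exe in run_demo():
        print(f"{sig} from local port {sport}: network view = signature only, "
              f"host view = {exe or 'unknown'}")
```

Both alerts look identical from the appliance's side (same signature, same destination, same policy); only the host-side join separates the messenger client from the browser. Run with an empty socket table and every alert attributes to None, which is the situation the thread describes for a network-only firewall.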

Sorry, I should have written "MSN-application (using port 80) versus your favorite web browser application". I was referring to the client computer's application, and the ability to relate a certain network packet with it. If it's still unclear, think of it as two identical MSN-applications running on the same host, and you only want one of them to be filtered. There's no way to do that without some knowledge about the processes on the client computer.

Yes, I know.

Reply to
Eirik Seim
