software/hardware Firewall tradeoff

If I paint my ceiling blue that doesn't make it the sky. If I call something a firewall it doesn't make it a firewall.

Sort of, I've been doing a lot of work and didn't feel like trying to explain it AGAIN to someone that already had their mind made up. q_q is already decided and I just didn't feel like getting into another drawn out argument about BS and hype.

None of those devices listed is/was/will be a firewall.

What he suspects and what most of us in the security world know are contradictory - I can only hope that he learns the difference from you or me.

Yep, we've said this for years. I wonder if he saw the first BEFSR41 units that, for a year, were called Cable Modem Routers, and then later, without ANY changes to the firmware, they started calling them Firewalls, again without any changes to the firmware.

I agree.

Maybe he'll learn, Duane.

Reply to
Leythos

Maybe, one day you'll learn the difference.

Duane :)

Reply to
Duane Arnold

[snip...]

After reading his reply to me, I doubt it.

Duane :)

Reply to
Duane Arnold

There are people that give criteria to show that a NAT router, with whatever additional firewall functionality, is not a firewall. The criterion they give is that it must Only act as a firewall.

There are those that say that a host based firewall is not a firewall (be it running iptables, WIPFW or a "personal firewall") *unless it's multihomed*.

And there are those that say it has to be Dedicated.

You, however, say nothing. In fact, you may get by without argument in this newsgroup, but that is only because you take the party line. Some posts by others (in other newsgroups in fact! and not by yourself) were very useful when I was looking for information on what people say is or is not a firewall. I mentioned some of the criteria above.

You, however, never provided any of those arguments, which I found elsewhere googling.

There was a thread with many people that thought NAT functionality Does Not Exclude Firewall functionality. You even participated in that thread, but to say you were unconvincing is an understatement and a compliment. And information posted by others in that thread contained very interesting arguments.

The thread was called "56k dial up on laptop 802.11G ?" in alt.internet.wireless

Reply to
q_q_anonymous

Duane Arnold wrote: [quoted text au masse]

Duane,

could you please learn to quote now? I'm very interested in your postings, but in such a form I cannot read them, I'm just not finding your relevant opinion in them ;-)

Thanx!

VB.

Reply to
Volker Birk

q_q snipped-for-privacy@yahoo.co.uk wrote: [even more massive quoting]

*PLEAZE*

Thanx! ;-)

VB.

Reply to
Volker Birk

That's their opinion. Everyone has got one, including you.

My opinion of that is that the host based FW solution must be using two NICs. One NIC facing the Internet and the other NIC facing the LAN with filtering of traffic between them. If the host based solution is not doing that, then it's not a network FW solution as far as I am concerned and is just a packet filter.

Those other people are not FW experts, I am not a FW expert and you are not a FW expert. However, I am going to go by what the FW experts in this NG have taught me over the years I have been coming to this NG.

That also includes articles I have read about FW and IDS solutions over the years and real FW solutions I have tried/used software or hardware wise.

Let's get something straight right now: I am not here to provide anything for you. I am not here to cater to you or hold your hand.

I gave my opinion and I will stick with it: NAT is mapping technology and is not FW technology.

Again, those people who make the argument are NOT FW experts I would suspect. So, whatever they were saying holds no standing with me.

I have encountered such people in AV and wireless NG(s) saying the same thing. Their arguments didn't change my mind otherwise about a NAT router. They don't know any more than you do is the bottom line. They didn't mean anything to me and you don't either.

Wireless, the people in the wireless NG know wireless and that's about it as far as I am concerned. The people in the AV NG know AV's.

BTW, in Outlook Express, you have been killfiled and OE does this across NG(s). Thunderbird doesn't do this. If I have killfiled you at some point in time, then there is something wrong.

I have some suspicions about you and your purpose. That's for sure.

You can post again, but you will not get a reply back from me and your post will be unread.

Duane

Reply to
Duane Arnold

I'll take a look at the link. If this is about the post I made to the other person in this thread that needed to run off about the mouth, I really had nothing to say, except for what was at the bottom of the post.

Duane :)

Reply to
Duane Arnold

Well, I can't comment on his "home router". But a "Home Router" that I had, the DLink DSL 504, had NAT and a packet filter which let me specify (ip, port, TCP/UDP, incoming/outgoing, allow/deny), and it let me specify whether to "Allow All except" or "Deny All Except".

Is that a firewall function in there?

What about a NAT Router with iptables on it, is that a firewall function in there?

Reply to
q_q_anonymous

This person needs to go hang himself on some CAT5 cable and put himself out of his misery.

The person is turning into some kind of a *clown* with this. I really do think there is something in the UK water over there. I have to say that every lunatic I have encountered on the Internet is out of the UK.

Duane :)

Reply to
Duane Arnold

I'm not calling it a "network firewall". I could, but I'm not. And I'm not using commercial phrases like "FW Solution".

I'm just saying "firewall" for the moment.

Your criteria are inconsistent. They don't exclude a NAT router with firewall functionality.

A criterion I'd propose for the case that a NAT router cannot be a firewall is that NAT obscures the firewall functionality, causing it to not be a proper firewall. This is if we define firewall as a packet filter that, at a minimum, lets one block by IP, port, incoming/outgoing, TCP/UDP, and specify a blacklist/whitelist.

If your situation had NAT, would you still call it a firewall, or as you call it, a "network firewall" ?

Do not misrepresent me. I never claimed that it was.

My claim was as a poster (Floyd?) in that thread said: that if something has NAT, that does not exclude OTHER firewall functionality.

The criteria I could propose that counters that, is that NAT obscures firewall functionality, and the firewall ceases to be a firewall - perhaps because, it doesn't receive all packets.

I haven't seen any consistent criteria from you. That was precisely your logic problem in that other fantastic thread.

I do not care if you do not reply. This is not a private discussion. In fact, in that other thread, you stated that you can't be bothered to type, you only copy and paste, and you don't care what arguments people there have, since you go by the "top guns" of this newsgroup. And therefore you spent that whole thread hurling insults at everybody.

Reply to
q_q_anonymous

I am through with you. Stop posting, you *clown*.

Reply to
Duane Arnold

If a device that you would consider a stand-alone firewall has been configured to not stop any outbound traffic, is it still a firewall?

It has been my experience that many SOHO Router / "Firewall" combinations that do packet level filtering, thus firewalling, have been configured by default to not filter outbound traffic. However, this is a manufacturer's choice based on many influencing factors, including that most SOHO users have no clue how to configure the devices. Thus, to avoid unnecessary support calls, the devices are configured to trust the internal network implicitly while protecting the trusted network from the Internet at large. Should these devices be configured to block outbound traffic? Most definitely. However, the lack of config does not make the device any less of a firewall. I personally configure the systems that I install to block TCP/UDP for ports 135, 137-139, and 445 outbound. I have not had any need to go any more restrictive as of yet. However, if the occasion presents itself I will.

Grant. . . .

Reply to
Taylor, Grant
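The rule form q_q lists for the DSL 504 (ip, port, TCP/UDP, incoming/outgoing, allow/deny, with an "Allow All except" or "Deny All except" default) and the SOHO outbound policy Grant describes above can both be modelled in a few dozen lines. The following is an added example written for this page, not code from any poster and not the firmware of any device named in the thread; the addresses and packets are constructed sample values, and the `PacketFilter`, `Rule` and `Packet` names are my own.

```python
"""Toy stateless packet filter in the shape discussed in the thread:
a first-match rule list over (direction, protocol, port, remote address)
with a per-direction default policy.  Added example, not any poster's code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    direction: str  # "in" = arriving from the Internet, "out" = leaving the LAN

    def remote(self) -> str:
        # The Internet-side address of the packet, whichever direction it travels.
        return self.src if self.direction == "in" else self.dst


@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "deny"
    direction: Optional[str] = None          # None matches both directions
    proto: Optional[str] = None              # None matches tcp and udp
    ports: Optional[Tuple[int, int]] = None  # inclusive (lo, hi); None matches any port
    remote: Optional[str] = None             # CIDR the Internet-side address must fall in

    def matches(self, pkt: Packet) -> bool:
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.ports is not None and not (self.ports[0] <= pkt.dport <= self.ports[1]):
            return False
        if self.remote is not None and ip_address(pkt.remote()) not in ip_network(self.remote):
            return False
        return True


class PacketFilter:
    """First-match rule list.  A default of "allow" for a direction models the
    DSL 504's "Allow All except" mode; "deny" models "Deny All except"."""

    def __init__(self, default_in: str, default_out: str, rules: List[Rule]):
        self.defaults = {"in": default_in, "out": default_out}
        self.rules = rules

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.defaults[pkt.direction]


def soho_default_filter() -> PacketFilter:
    """The shipping SOHO posture Grant describes (inbound denied unless a rule
    allows it, outbound trusted implicitly) plus his outbound block of
    TCP/UDP 135, 137-139 and 445."""
    blocked = [(135, 135), (137, 139), (445, 445)]
    rules = [Rule("deny", direction="out", proto=p, ports=r)
             for p in ("tcp", "udp") for r in blocked]
    return PacketFilter(default_in="deny", default_out="allow", rules=rules)


def filter_decisions(pf: PacketFilter, packets: List[Packet]) -> List[str]:
    """Verdict per packet, in input order."""
    return [pf.decide(p) for p in packets]


# Constructed sample traffic: RFC 1918 LAN host, documentation-range Internet hosts.
SAMPLE_PACKETS = [
    Packet("192.168.1.10", "198.51.100.7", "tcp", 80, "out"),   # ordinary web request
    Packet("192.168.1.10", "198.51.100.7", "tcp", 445, "out"),  # SMB leaving the LAN
    Packet("192.168.1.10", "198.51.100.7", "udp", 138, "out"),  # NetBIOS datagram service
    Packet("203.0.113.5", "192.168.1.10", "tcp", 80, "in"),     # unsolicited inbound connection
]

if __name__ == "__main__":
    pf = soho_default_filter()
    for pkt, verdict in zip(SAMPLE_PACKETS, filter_decisions(pf, SAMPLE_PACKETS)):
        print(f"{pkt.direction:3} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}  {verdict}")
```

Run as a script it prints allow, deny, deny, deny for the four sample packets. Nothing in the class depends on whether the box also rewrites addresses: a NAT stage would sit before or after `decide()` without changing the rule logic, which is the separation of concerns RFC 2979 (raised later in the thread) describes when it says a device may carry both functions.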

This all depends on definition. Why argue that? Or may I ask the two of you for a discussion of a sensible definition of this term first? ;-)

Yours, VB.

Reply to
Volker Birk

Drop it man, I am tired of this whole thread.

Duane :)

Reply to
Duane Arnold

Indeed you may. A reasonable request always deserves a reasonable answer.

I consider a firewall, depending on the context of the conversation and how versed the party to whom I'm speaking is, to be anything from a device that does some form of firewalling all the way up to specialized equipment that may or may not be detectable as a filter short of some traffic passing through, or even on up into an application layer gateway that does content filtering. In fact you could argue that a spam filter is a form of firewall, however most would disagree. Usually a firewalling device is a device that does some sort of filtering based on the contents of layer 2 - layer 4 traffic on layers 2 or 3. You could make a fairly good argument that a firewall is not a device that routes or that can otherwise be accessed in band along with the traffic that it is firewalling. I.e. a PIX 501 would probably be considered a firewall by just about all parties involved. However, a software based firewall on a web server may not be considered a firewall by nearly as many.

Duane, you may be tired of this thread, but Volker asked a reasonable question and should be provided a reasonable answer. However, seeing as how you have no interest in pursuing this conversation, I'll not continue with you.

Grant. . . .

Reply to
Taylor, Grant

I suspect Volker already knows this and just wants to start up a conversation I am no longer interested in discussing.

The thread is dead as far as I am concerned.

Duane :)

Reply to
Duane Arnold

This seems to be more a description than a sharp definition.

What's with RFC 2979?

Yours, VB.

Reply to
Volker Birk

Unfortunately. Would be nice to have a common definition of "firewall", at least common to the regulars of this group.

Yours, VB.

Reply to
Volker Birk

I notice that the RFC also says a device may have NAT functionality and firewall functionality. Which really confirms what I've said, and Duane and perhaps Leythos don't like.

RFCs are only guidelines, they aren't set in stone. Many people hate them because they are often quite imprecise; they are more a description than a prescription. I've found them notoriously bad at defining things. I've seen the use of a term change in the middle of an RFC (I think it was the term datagram in RFC 791). And I've seen the same term "network number" (as in classful addresses) used in different RFCs and given a different definition (one RFC defines it including the class id bits, another defines it excluding them).

To those that think it's such a shame that Duane considers this thread dead and won't provide any argument: they have not read the thread where Duane writes his "argument". I included reference details of that thread in this thread and again in this post, and it's easily accessible via google. His argument was that he relies on what has been said by the "top guns" of ***this*** newsgroup. He didn't name his authorities, but perhaps Leythos is one, since it appears he holds the same position as Duane in this thread. And he certainly knows a lot more. And, on googling the archive, I don't see any posts on the subject that are with Duane so strongly, so if there is an authority to Duane, it is "he whose posts disappear". And Leythos is knowledgeable - certainly enough that I can believe Duane trusts him as an authority.

So if you do hope for Duane's arguments, you won't find them from Duane. You will find them from whoever his authorities are, and they are in this newsgroup - somewhere!

Perhaps he will be kind enough to bother naming them.

But if you want to see Duane post about 30 posts in response to your question for him to make his position clear, I suggest you read [link] which is [link], which as I've said, is this thread here: "56k dial up on laptop 802.11G ?"

If anybody had actually looked at that thread and got the point, then they would not be asking Duane to establish his position beyond who his authorities are.

Volker and Grant may establish their positions, and then people can choose: do they go with one of those that do include their arguments, or those that don't?

Reply to
q_q_anonymous
