firewall questions

1. What's the best home PC software firewall out there?
I used to use AtGuard by WRQ, and the fuckers sold it to McAfee, who in turn totally fucked it up.

2. What makes a hardware firewall so good? I know something about firewalls. Bottom line is you have to configure the box to only allow certain ports (sockets) to have traffic, and you can restrict access to and from certain sites, and you can restrict access by/from certain programs. ALL software driven. So why a hardware firewall?

Thanks in advance.

1. Probably Kerio... and it's free.

2. Because it's dedicated to just doing that task, and presumably hardened to remove vulnerabilities.

Would you turn a stock, no-service-pack Windows 2000 machine into a firewall? HELL NO.... it's got vulnerabilities out the yin-yang.

Why? Because it has a whole ton of non-required shit turned on. Stuff that can be compromised....

A hardware firewall should have minimal services running, and steps should be taken to harden the machine against compromise...

If it does, it is significantly harder to compromise than before... and therefore, it is harder to get past the firewall by breaking into the firewall....

OK, thanks.

But....

If I had software that allowed me to only allow traffic over certain sockets, and only allowed traffic from certain programs (like shutting off those MS programs that send your machine info with it), the software-only solution would work, correct?

Yes.

BUT-

Your software-based firewall is not as protected from crashes as a hardware firewall is, and is more likely to go down than a hardware firewall would be.

If someone finds a DoS (Denial of Service) attack that shuts down your firewall, you are just as open as you were before.

The best thing to do is shut off non-required services, and then put a firewall up there as insurance...

Security is about layers of countermeasures, not one perfect countermeasure... because there is no perfect countermeasure.

There is a lot of ambiguity in regards to hardware/software firewalls. It is usually given that a hardware firewall should be hardened as the OS is embedded, but it's not always the case. Cisco PIX, NetScreen, WatchGuard, etc. all had OS-related vulnerabilities in the past, and they are all hardware appliances.

The marketing 'theory' behind the appliance is that it is solid state; it is less prone to failure as there are no hard disks. The truth is, these hardware firewalls are usually only stateful packet filters, and only protect at layers 3/4. Layer 7 still requires an additional proxy. So you end up with a box on your network that has a hard disk anyways. The truth is, those hardware boxes fail just as often as any computer. One of my partners is a WatchGuard vendor, and he has to send a shitload of the boxes back to get claimed. Inside those hardware firewalls are sometimes stock desktop parts, but when something goes wrong, the vendor charges you a heavy premium to get it fixed.

Another marketing strategy by hardware vendors is speed. A lot of these hardware vendors have pissing contests as to who has the best throughput. You see the addition of ASIC chips inside the hardware box that push the speeds into the gigabit+ range. I can see the need for speed within a large enterprise that needs to transfer large data between one subnet and another which is segmented by a firewall. What doesn't make sense to me is when a customer wants a gigabit firewall and has only one internal LAN, but thinks the firewall will be a bottleneck for their ADSL connection, for example.

The security of the organization is built upon policy, and firewalls, proxies, IDS, anti-virus gateways, VPNs, ad nauseam are only tools to enforce the policy. I would suggest an end-to-end security solution that is easy to administer instead of buying into the vendor hype. A Linux firewall box does the job as well as any hardware appliance, and you can even slap gigabit network cards into them. THE granddaddy of all firewalls (at least in marketing), Checkpoint, is a software firewall. One of my favorite firewalls, Astaro, is built from a hardened Linux kernel, and is marketed as a software appliance (it is all-in-one too: firewall, proxy, antivirus, content filter, IDS, etc.).

I've dealt with all of the major firewalls in the market, and I'm telling you that the multi-billion dollar firewall industry is built upon a lot of FUD. It's how they charge you a premium for their parts. Great if you're a large corporation who can afford it, but mom-and-pop shops can have equal levels of security for a fraction of the cost.
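The two pieces of advice above, the earlier "shut off non-required services, then put a firewall up as insurance" and the point that a Linux box with a stateful layer-3/4 packet filter does the job as well as an appliance, as an added example that is not code from anyone in this thread: a POSIX shell script that generates a default-deny stateful nftables ruleset for the ports the policy allows, and then audits a constructed `ss -ltnH` socket listing for services exposed outside that allowlist. The allowed ports (22 and 443), the sample socket listing, and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): generate a default-deny stateful
# nftables ruleset for a Linux firewall box, then audit the box's own
# listening services against the same allowlist.

# Inbound TCP ports the policy allows (assumed for the example: SSH and HTTPS).
ALLOWED_TCP_PORTS="22 443"

# Constructed sample of `ss -ltnH` output: sshd and httpd on all interfaces,
# CUPS bound to loopback only, and an SMB listener nobody asked for.
SAMPLE_SS_OUTPUT='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
LISTEN 0 50 0.0.0.0:139 0.0.0.0:*'

# Print a stateful layer-3/4 ruleset: everything inbound is dropped unless it
# belongs to an established flow, arrives on loopback, is ICMP, or is a new
# connection to an allowed port. Dropped packets are logged so a DoS attempt
# or a probe shows up in the kernel log. Apply on a real box with:
#   gen_ruleset "$ALLOWED_TCP_PORTS" | sudo nft -f -
gen_ruleset() {
    ports=$(printf '%s' "$1" | sed 's/ /, /g')
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        meta l4proto { icmp, ipv6-icmp } accept
        tcp dport { $ports } ct state new accept
        log prefix "fw-drop: " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Read `ss -ltnH` lines on stdin and print the port of every listener that is
# reachable from outside (not bound to loopback) but is not on the allowlist.
# These are the "non-required services" that should be shut off outright,
# not merely hidden behind the filter: if the filter ever goes down they are
# exposed again.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)
            host = $4; sub(/:[0-9]+$/, "", host)
            if (host ~ /^(127\.|\[::1\])/) next
            if (!(port in ok)) print port
        }'
}

# Stand-alone demo: show the ruleset, then list exposed services to review.
gen_ruleset "$ALLOWED_TCP_PORTS"
echo "--- listeners outside the policy ---"
printf '%s\n' "$SAMPLE_SS_OUTPUT" | unexpected_listeners "$ALLOWED_TCP_PORTS"
```

On the constructed listing only port 139 is reported: 22 and 443 are on the allowlist, and the CUPS listener on 127.0.0.1 is not reachable from the network. On a real box, pipe `ss -ltnH` into `unexpected_listeners` instead of the sample and disable whatever it reports before loading the ruleset.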


Thanks.

Warez is correct.

That's why I said "presumably"....