Message-ID: <3EDEBF90.9060702@brvenik.com>
From: security at brvenik.com (Jason)
Subject: YABBT [1] - Re: Zone Alarm
Inline.
Michael Osten wrote:
> On Wed, 2003-06-04 at 21:15, Jason wrote:
>
>>Are you implying that
>>
>>1) You know of a hardware only solution that can do per application
>>network blocking when dealing with like protocols.
>
>
> No idea, but that is not what he said. I quote
>
> "There is one big benefit, which no hardware router can bring you. Zone
> alarm
> and other Windows based Software Firewalls can block network access for
> programs. A HW firewall can only block a whole machine but can't denied
> access for one software and allow access for another software on the
> same machine."
>
> Bonus points: Who can spot the inaccuracies.
>
I suppose I am suffering from reading the intent not the literal. I will
have to work on that.
"There is one big benefit, which no hardware router can bring you. Zone
alarm and other Windows based Software Firewalls can block network
access for programs."
Which is absolutely correct at the core.
"A HW firewall can only block a whole machine but can't denied access
for one software and allow access for another software on the same machine."
Which is not properly constructed and slightly inaccurate. Let's fill it in.
'A HW firewall can only block at the protocol level for an entire
machine but can not reliably deny access for one program and allow
access for another program when they are using like protocols from the
same machine.'
Of course there are cases where a host based FW cannot differentiate the
program either; however, the risk factors are greatly reduced.
> The fact is that there probably is not (not that I know of) a true
> "hardware firewall" available. It all has some sort of software unless
> someone has written a RFC to control transmission packets via resistors.
I know it has been done in HW only, not at layer 7, I cannot remember
the company and google fails me. I recall a thesis [0] on the topic.
This still does not imply that it would not be vulnerable to attack or
exploitable if found to be vulnerable.
>
> For layer 7 filtering, lots will. The Cisco Pix for example.
This is very limited and easily circumvented in many cases, especially
when dealing with like protocols and talkback capabilities.
>
>>2) The statement is incorrect.
>
>
> See question 1.
>
I hope a sufficiently reworded statement will both resolve the problem
and not offend the orig author.
"There is one big benefit, which no hardware router can bring you. Zone
alarm and other similar host based software firewalls can block network
access for specific programs. A HW firewall can only block at the
protocol level for an entire machine but can not reliably deny access
for one program and allow access for another program when they are using
like protocols from the same machine."
>
>>3) The conversation should be turned into yet another worthless personal
>>attack thread that serves no meaningful purpose.
>
>
> Bad advice needs to be beat like a red-headed stepchild. You won't see
> me post often for the following reason:
>
> 1. If I don't know what the hell I'm talking about, I keep my mouth
> shut, or in this case, I stop myself from typing.
>
> 2. I do not post to foreign language mailing lists. It is hard enough
> to get a point across in my native language.
Both are good reasons, might I suggest one more.
3. When I notice an error, omission, or bad advice I question or correct
it, not attack the provider of the information. Failing that, I reference #1.
IMHO the initial reply failed to further anything and served no purpose.
Please, if you are going to beat the red-headed stepchild tell them why.
-J
[0] - http://www.it.lth.se/it/msprojects/ita/past/firewall/report.pdf
[1] - YABBT: Yet another bit bucket thread.
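The distinction argued above (a perimeter filter sees only addresses, ports and protocol; a host based firewall also sees the originating program) as an added, constructed example that is not part of the original thread. All flows, program names and rule values are made up for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    program: str   # only a host-based filter can see this
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int

def network_filter_decision(flow, blocked_hosts, allowed_services):
    """Perimeter ('HW') firewall: decides per host or per protocol/port only."""
    if flow.src_ip in blocked_hosts:
        return "deny"
    return "allow" if (flow.proto, flow.dst_port) in allowed_services else "deny"

def host_filter_decision(flow, program_policy):
    """Host-based firewall: decides per program, default deny.
    Its verdict is only as good as its identification of the process."""
    return program_policy.get(flow.program, "deny")

def compare(flows, blocked_hosts, allowed_services, program_policy):
    """Return {program: (perimeter verdict, host verdict)} for each flow."""
    return {
        f.program: (
            network_filter_decision(f, blocked_hosts, allowed_services),
            host_filter_decision(f, program_policy),
        )
        for f in flows
    }

# Constructed sample: two programs on the same host using the *like* protocol
# (TCP/443), plus one using a distinct protocol the perimeter can single out.
SAMPLE_FLOWS = [
    Flow("browser.exe", "10.0.0.5", "203.0.113.10", "tcp", 443),
    Flow("unknown.exe", "10.0.0.5", "203.0.113.20", "tcp", 443),
    Flow("ircclient.exe", "10.0.0.5", "203.0.113.30", "tcp", 6667),
]
ALLOWED_SERVICES = {("tcp", 80), ("tcp", 443)}
PROGRAM_POLICY = {"browser.exe": "allow"}

if __name__ == "__main__":
    for prog, (net, host) in compare(SAMPLE_FLOWS, set(), ALLOWED_SERVICES, PROGRAM_POLICY).items():
        print(f"{prog:15} perimeter={net:5} host={host}")
    # Blocking the whole machine at the perimeter stops every program alike.
    print(compare(SAMPLE_FLOWS, {"10.0.0.5"}, ALLOWED_SERVICES, PROGRAM_POLICY))
```

The two TCP/443 flows are indistinguishable to the perimeter rule set, while the host policy separates them; the perimeter can still cut off the IRC flow, or the entire host, at the protocol level.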