Message-ID: <Pine.GSO.4.43.0401151648300.4503-100000@tundra.winternet.com>
From: dufresne at winternet.com (Ron DuFresne)
Subject: UTTER HORSESHIT: [was January 15 is Personal Firewall Day, help the cause]
On Thu, 15 Jan 2004, Mary Landesman wrote:
> Interpretation is subjective, but I have always interpreted the Sam Spade
> rant to be directed at the alerting many of these PFWs do, vs. the actual
> effectiveness. In fact, his point seems to be to get a hardware-based
> firewall. This isn't an option for the "Annie's" of this world. Properly
> used, a PFW provides excellent adjunct protection and, I believe, is a
> must-have. In fact, even when hardware-based firewalls are available, a
> properly configured PFW can prevent the scenario played out over and over
> again with Blaster - laptops piggybacking the infection past the perimeter
> defenses (i.e., hand-carried in through the front door) and then wreaking
> havoc once inside. Had these enterprises also employed PFWs, that would not
And that is what is meant by one of the fundamental principles of security:
layering! Good point!
> have occurred. (Of course, there are many reasons a PFW in the enterprise
> could be problematic and I do recognize that - but this isn't the focus of
> the discussion).
>
> NO solution is immune from user-error. Thus, folks who want to help out
> their friends and neighbors (and the Internet as a whole), should not just
> recommend a PFW, but take the time to show the person how to use it
> properly. And, yes, part of that should involve disabling alerting where
> prudent and taking a few moments to configure the appropriate trusted apps.
> Doing this will ensure the best chance (though never 100%) of a PFW working
> properly and effectively on "Annie's" computer.
>
> I use a NAT+firewall for my home network. But I also use a PFW. Why? It's
> great policy management. If I turn on a system my son also uses, I can keep
> his chat and other superfluous apps from connecting while I do whatever it
> is I need.
>
Additionally, the PFW in this case can be a warning of a problem in the HW
FW: it either not functioning, malfunctioning, or someone actually finding
a way to circumvent it. The PFW in this case being a config/activity
check of the HWFW. Silence is golden, even with a PFW setup to be
chatting in this case <smile>.
> In the Sam Spade article, it is clear he is frustrated with user inquiries
> into why something is alerting or what something in the log means. And his
> frustration is completely understandable. However, I think it is disservice
> to somehow interpret his frustration as an argument that PFWs are bad ideas.
> For many, they provide the best means of protection accessible to a
> particular breed of user. And, as such, their use should be encouraged. With
> proper training, of course.
>
> And yes, some malware can disable it. This is a fairly common tactic with
> some email worms. But that simply underscores the need to educate users
> about email - it is not, IMO, an indictment of PFWs nor is it a reason to
> not use one. Using your house analogy, that would be like telling someone
> not to bother locking their front door, because an intruder could come in
> through the back and unlock the front one... Better to learn to lock both
> doors, use the peephole, etc.
>
Good points! Thanks,
Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
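The two ideas argued in the message above (a personal firewall as a check on the hardware firewall in front of it, and as per-host egress policy management) can be turned into a small log audit. The following is an added example and is not code from Ron, Mary, or the list; it assumes a constructed PFW log format, a home LAN of 192.168.1.0/24 behind a NAT router that is expected to drop all unsolicited inbound traffic, and a deny list of applications that should not be allowed out. Any inbound attempt from a public source address that reaches a host's PFW is reported as a perimeter leak; inbound attempts from other LAN hosts are reported separately, since the perimeter was never in that path (the hand-carried laptop case).

```python
"""Audit personal-firewall (PFW) log lines as a health check of the perimeter.

Assumptions (constructed for this example, not taken from any product):
  - one line per PFW decision, in the format matched by LOG_RE below
  - the LAN sits behind a NAT/hardware firewall that should drop all
    unsolicited inbound traffic, so a public-source inbound event at a host
    means the perimeter is misconfigured, failing, or bypassed
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed format:
# "<date> <time> <ALLOW|BLOCK> <IN|OUT> <TCP|UDP> <src>:<sport> -> <dst>:<dport> app=<name>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<action>ALLOW|BLOCK) (?P<direction>IN|OUT) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"app=(?P<app>\S+)$"
)

# RFC 1918 space listed explicitly: ipaddress.is_private also covers the
# documentation ranges (203.0.113.0/24 etc.) used as "public" addresses below.
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Event:
    ts: str
    action: str
    direction: str
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    app: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; malformed lines return None and are counted, not fatal."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        return Event(
            ts=m["ts"], action=m["action"], direction=m["direction"], proto=m["proto"],
            src=ipaddress.IPv4Address(m["src"]), sport=int(m["sport"]),
            dst=ipaddress.IPv4Address(m["dst"]), dport=int(m["dport"]), app=m["app"],
        )
    except ValueError:  # e.g. an octet above 255
        return None


def classify_inbound(ev: Event, lan: ipaddress.IPv4Network) -> Optional[str]:
    """'perimeter' if an inbound event came from a public address (the HWFW should
    have dropped it), 'internal' if it came from inside, None if not inbound."""
    if ev.direction != "IN":
        return None
    inside = ev.src in lan or any(ev.src in n for n in RFC1918)
    if inside or ev.src.is_loopback or ev.src.is_link_local:
        return "internal"
    return "perimeter"


def audit(log_text: str, lan_cidr: str, blocked_apps: frozenset) -> dict:
    """Summarise a PFW log as evidence about the perimeter and the egress policy."""
    lan = ipaddress.IPv4Network(lan_cidr)
    perimeter, internal, egress = [], [], []
    parsed = unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        parsed += 1
        label = classify_inbound(ev, lan)
        if label == "perimeter":
            perimeter.append(ev)
        elif label == "internal":
            internal.append(ev)
        # Policy management: a deny-listed app that was ALLOWed out means the
        # per-host policy drifted (or the app was added to the trusted list).
        if ev.direction == "OUT" and ev.action == "ALLOW" and ev.app.lower() in blocked_apps:
            egress.append(ev)
    return {
        "parsed": parsed,
        "unparsed": unparsed,
        "perimeter_leaks": perimeter,
        "internal_attempts": internal,
        "egress_violations": egress,
        # "Silence is golden": no public-source inbound events means the PFW is
        # corroborating that the hardware firewall is doing its job.
        "perimeter_quiet": not perimeter,
    }


# Constructed sample log (documentation-range addresses stand in for the Internet).
SAMPLE_LOG = """\
2004-01-15 16:48:01 BLOCK IN TCP 203.0.113.7:2311 -> 192.168.1.10:135 app=-
2004-01-15 16:48:05 ALLOW OUT TCP 192.168.1.10:1045 -> 198.51.100.20:80 app=iexplore.exe
2004-01-15 16:48:09 BLOCK OUT TCP 192.168.1.10:1046 -> 198.51.100.30:5190 app=aim.exe
2004-01-15 16:48:12 BLOCK IN TCP 192.168.1.22:3001 -> 192.168.1.10:445 app=-
2004-01-15 16:48:15 ALLOW OUT UDP 192.168.1.10:1047 -> 192.168.1.1:53 app=svchost.exe
2004-01-15 16:48:20 ALLOW OUT TCP 192.168.1.10:1048 -> 198.51.100.30:5190 app=aim.exe
this line is garbage and must not crash the audit
"""
BLOCKED_APPS = frozenset({"aim.exe", "msnmsgr.exe"})

if __name__ == "__main__":
    report = audit(SAMPLE_LOG, "192.168.1.0/24", BLOCKED_APPS)
    for key, value in report.items():
        print(f"{key}: {value if not isinstance(value, list) else len(value)}")
```

On the sample, the inbound attempt from 203.0.113.7 to port 135 is the one event that the NAT router should have made impossible and is the signal worth chasing; the 192.168.1.22 attempt is reported but attributed to the inside, and the later allowed outbound connection by aim.exe shows the egress policy no longer matching the deny list.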