The Un-Official Proxomitron Forum
What is a good free firewall? - Printable Version



- Ralph - Apr. 18, 2005 01:33 PM

And I thought that reference post was simple, for information on an important topic. You guys have dissected it into bits and pieces. It seems to me that Steve Gibson is the issue and not so much what he was trying to explain. I have since come to learn that controversy surrounds much of what he writes. In any case, the lesson for me here, is for better security, get a router; this is how it works, broadly speaking; set it up cautiously, and you are good to go. Real simple! No astrophysics here! I hear you saying "Boy is he a dingbat". Be easy.


- besafe - Apr. 18, 2005 08:26 PM

Ralph:

There are two camps:
1) feel that all that is needed is a router to protect from inbound communication
2) feel that a multilayered approach is best.

I'm in camp 2.

I like control of everything that is happening in my pc, hence the reason that I like apps that control applications.

In my opinion, the people in camp 1 are usually very knowledgeable around computers and for them that approach is probably pretty safe.

The question about the vulnerability was brought up recently at the Kerio/Tiny forum and it ended up with a good explanation about security of a computer by "gwion" and I'm going to quote him because I tend to think about it the same.

gwion (of the K/T forum) Wrote:"While this doesn't exactly make me, personally, very nervous, it's important to have a grasp of the known vulnerabilities of the apps we use, especially security ones. I'm a firm believer, too, in layers. I usually have a NAT box out front of my machines, here, but that's not always an option. Just parenthetically, too, remember, a closed port's a closed port; so, even if the firewall does leak something, long as it's not stateless or hitting an open port, it's deflected as effectively as a firewalled machine. One of the inherent limits, too, of a local software firewall, of course, is that it's ON the machine it protects, and the firewall, especially with DoS stuff, can be the thing that overloads or otherwise brings the rest of things down. Ideally, I think, we run a good software firewall on our machines, and front to the internet with NAT, a good SOHO router, at minimum, or a basic hardware firewall, for the power-user system, taking the frontal assaults. Distributed security... it's a good thing."



- Oddysey - Apr. 19, 2005 06:00 AM

besafe;
Quote:Distributed security... it's a good thing
While there are as many ways to define distribution as there are computer users, the very idea itself is what's important here. Good quote, thanks! Cheers


Oddysey


- Oddysey - Apr. 19, 2005 06:10 AM

Ralph;
Quote:I have since come to learn that controversy surrounds much of what he writes.
There's even a website that purports to debunk Steve Gibson, calling him all sorts of fraud and huckster, etc. I won't give the URL here, it can be found by those that really need it, I'm just saying that there are always naysayers for every spokesman espousing a viewpoint. This is the first time I've ever had anything to say against the guy, and aside from the remark about his lack of cool (he was way too excited), I kept it to a technical level. If he'd been speaking to an extremely technical audience, I'd've let it go - they would have torn him a new one well enough without any help from me. ;) As it was, I couldn't stand by and allow him to beguile those users who just want their computer to work like they were promised when they bought it. :)

And yes, the overall lesson is - security is as simple or as complicated as you like/feel comfortable with. Besafe's pointed question about how the deuce can a software app protect a machine that it's running on is very on-point. Hence, an external hardware firewall of some sort is the order of the day. B)

Arise, and go forth, Sir Ralph! Be a dingbat no more!! Cheers


Oddysey


- Ralph - Apr. 19, 2005 02:34 PM

Isn't SPI, another layer of security which is built into the router, sufficient? Adding a software firewall like Outpost or Kerio seems redundant; or am I missing something here?


- ProxRocks - Apr. 19, 2005 03:06 PM

I use a software firewall here at the office in addition to the corporate hardware firewall...

Otherwise, the d@mn "I.T. guy" thinks it is "his place" to nose about on my computer...

Management and I are in agreement - it is NOT the "I.T. guy's" job to nose around on engineering's (and management's and sales') computers - do what you can to PREVENT him from doing so...


- Oddysey - Apr. 20, 2005 07:51 AM

Ralph;
Quote:Isn't SPI another layer of security which is built into the router sufficient? Adding a software firewall like Outpost or Kerio seems redundant; or am I missing something here?
Well, I'll be politically correct, and say that "no, you haven't missed anything, we were just discussing Who Shot John." [lol]

Yes, SPI is another layer of security, in that it is the mechanism by which the table is set up and populated with each outgoing connection, and consulted whenever an incoming packet arrives at the "cloud" port (from the internet). Gibson portrayed it as being always there, in every level of packet switcher, but I'd like to be a fly on the wall of his office when a certain lawyer comes calling:

Quote:Hello, we're from Sonic Blue, and we understand that you think our patented technology is a portion of the Internet Protocol, and is in the public domain. Would you like to peruse our bona fides from the patent office, issued over six years ago?
Where you gonna go now, Steve? :P

What we've been saying for the last few pages is that using a software firewall on the machine it is supposed to protect is like asking Barney Fife to guard the President, if you get my drift. ;) We use Kerio or the like strictly for outgoing monitoring of ports, apps, protocols, etc. - nothing for the incoming side, as that truly would be redundant, as well as ineffectual.

And you're still not a dingbat! Cheers


Oddysey
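
The connection table described in the post above (populated on each outgoing connection, consulted for each packet arriving from the internet side), as an added example that is not part of the original thread: a minimal Python model of a stateful filter. The class name, addresses, ports and the 60-second idle timeout are constructed for illustration.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    proto: str
    lan_ip: str
    lan_port: int
    wan_ip: str
    wan_port: int

class StatefulFilter:
    """Toy SPI table: outbound packets create state, inbound packets must match it."""

    def __init__(self, idle_timeout=60.0):  # timeout value is an assumption
        self.idle_timeout = idle_timeout
        self.table = {}  # Flow -> time the flow was last seen

    def outbound(self, proto, lan_ip, lan_port, wan_ip, wan_port, now):
        """A LAN host sends a packet: record (or refresh) the flow and let it out."""
        self.table[Flow(proto, lan_ip, lan_port, wan_ip, wan_port)] = now
        return "ALLOW"

    def inbound(self, proto, wan_ip, wan_port, lan_ip, lan_port, now):
        """A packet arrives from the internet: allow only replies to a live flow."""
        flow = Flow(proto, lan_ip, lan_port, wan_ip, wan_port)
        last_seen = self.table.get(flow)
        if last_seen is None:
            return "DROP"            # unsolicited: nothing inside asked for it
        if now - last_seen > self.idle_timeout:
            del self.table[flow]     # stale entry: expire it and drop
            return "DROP"
        self.table[flow] = now       # a valid reply keeps the flow alive
        return "ALLOW"

def demo():
    fw = StatefulFilter(idle_timeout=60.0)
    results = []
    # Constructed sample traffic using documentation address ranges.
    fw.outbound("tcp", "192.168.1.10", 50000, "203.0.113.5", 80, now=0.0)
    results.append(fw.inbound("tcp", "203.0.113.5", 80, "192.168.1.10", 50000, now=1.0))    # reply
    results.append(fw.inbound("tcp", "198.51.100.7", 80, "192.168.1.10", 50000, now=2.0))   # different remote host
    results.append(fw.inbound("tcp", "203.0.113.5", 80, "192.168.1.10", 445, now=3.0))      # different local port
    results.append(fw.inbound("tcp", "203.0.113.5", 80, "192.168.1.10", 50000, now=120.0))  # flow idle too long
    return results

if __name__ == "__main__":
    print(demo())
```

Only the packet that matches a live table entry on all five fields is let in; the model says nothing about traffic a program on the LAN host initiates itself, which is the outgoing side the post assigns to the software firewall.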


- Oddysey - Apr. 20, 2005 07:55 AM

ProxRocks;
Quote:I use a software firewall here at the office in addition to the corporate hardware firewall...

Otherwise, the d@mn "I.T. guy" thinks it is "his place" to nose about on my computer...

Management and I are in agreement - it is NOT the "I.T. guy's" job to nose around on engineering's (and management's and sales') computers - do what you can to PREVENT him from doing so...
That individual is a walking, ticking time bomb, waiting to dump all over his (your) employer when he leaves. He should be shown the door now, like this morning. [angry] And without so much as a chance to wave bye-bye to his console, let alone gather up his personal belongings. Then call in a real security pro, and root out the back doors and other traps he's already placed.

Word.


Oddysey


- besafe - Apr. 20, 2005 07:30 PM

Oddysey Wrote:What we've been saying for the last few pages is that using a software firewall on the machine it is supposed to protect is like asking Barney Fife to guard the President, if you get my drift. ;) We use Kerio or the like strictly for outgoing monitoring of ports, apps, protocols, etc. - nothing for the incoming side, as that truly would be redundant, as well as ineffectual.

Oddysey
Yep.

And that's why I've talked all my friends and relatives into using routers regardless of how many computers they have.

besafe