Full Disclosure mailing list archives
YABBT [1] - Re: Zone Alarm
From: Jason <security () brvenik com>
Date: Wed, 04 Jun 2003 23:57:04 -0400
Inline.

Michael Osten wrote:

> On Wed, 2003-06-04 at 21:15, Jason wrote:
>
> > Are you implying that
> >
> > 1) You know of a hardware only solution that can do per application network blocking when dealing with like protocols.
>
> No idea, but that is not what he said. I quote "There is one big benefit, which no hardware router can bring you. Zone alarm and other Windows based Software Firewalls can block network access for programs. A HW firewall can only block a whole machine but can't denied access for one software and allow access for another software on the same machine."
>
> Bonus points: Who can spot the inaccuracies.
I suppose I am suffering from reading the intent not the literal. I will have to work on that.
"There is one big benefit, which no hardware router can bring you. Zone alarm and other Windows based Software Firewalls can block network access for programs."

Which is absolutely correct at the core.

"A HW firewall can only block a whole machine but can't denied access for one software and allow access for another software on the same machine."

Which is not properly constructed and slightly inaccurate. Let's fill it in.

'A HW firewall can only block at the protocol level for an entire machine but can not reliably deny access for one program and allow access for another program when they are using like protocols from the same machine.'
Of course there are cases where a host based FW cannot differentiate the program either; however, the risk factors are greatly reduced.
> The fact is that there probably is not (not that I know of) a true "hardware firewall" available. It all has some sort of software unless someone has written a RFC to control transmission packets via resistors.

I know it has been done in HW only, not at layer 7, I cannot remember the company and google fails me. I recall a thesis [0] on the topic.
This still does not imply that it would not be vulnerable to attack or exploitable if found to be vulnerable.
> For layer 7 filtering, lots will. The Cisco Pix for example.

This is very limited and easily circumvented in many cases, especially when dealing with like protocols and talkback capabilities.
> > 2) The statement is incorrect.
>
> See question 1.
I hope a sufficiently reworded statement will both resolve the problem and not offend the orig author.
"There is one big benefit, which no hardware router can bring you. Zone alarm and other similar host based software firewalls can block network access for specific programs. A HW firewall can only block at the protocol level for an entire machine but can not reliably deny access for one program and allow access for another program when they are using like protocols from the same machine."
> > 3) The conversation should be turned into yet another worthless personal attack thread that serves no meaningful purpose.
>
> Bad advice needs to be beat like a red-headed stepchild. You won't see me post often for the following reason:
>
> 1. If I don't know what the hell I'm talking about, I keep my mouth shut, or in this case, I stop myself from typing.
> 2. I do not post to foreign language mailing lists. It is hard enough to get a point across in my native language.

Both are good reasons, might I suggest one more.

3. When I notice an error, omission, or bad advice I question or correct it, not attack the provider of the information. Failing that I reference #1.
IMHO the initial reply failed to further anything and served no purpose. Please, if you are going to beat the red-headed stepchild tell them why.

-J

[0] - http://www.it.lth.se/it/msprojects/ita/past/firewall/report.pdf
[1] - YABBT: Yet another bit bucket thread.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html