Full Disclosure mailing list archives
Re: PC Firewall Choices
From: Juliao Duartenn <juliao.duartenn () oblog pt>
Date: Wed, 18 Jan 2006 10:28:51 +0000
On Tue, 2006-01-17 at 23:33 -0500, greybrimstone () aim com wrote:
> That's assuming that malware isn't being designed for that firewall. I'm sure you already know that software is software regardless of the hardware that it is running on. Likewise, a vulnerability is still a vulnerability... I suppose you could r/o the system... but you need to write the confs somewhere, right?
>
> -Adriel
Configuration on a hardware firewall is usually a pretty stable thing - you don't go around opening ports at random every day, now do you?

Most modern {linux|bsd} firewall implementations can now run from a read-only device, namely CD-ROM, and also write their configuration to a removable device that you can manually set RW or RO - floppy, USB pen, etc. Of course, since most implementations mount parts of the filesystem into RAM, you're still vulnerable to attacks; they are merely non-permanent: if you reboot you are clean again, albeit with the original hole still present, I'd say.

There are, of course, solutions for that too, but I still haven't seen one that really works - meaning that it can detect and prevent tampering in real-time. The best thing I can remember is running tripwire against a RO database on CD, but that can still be tampered with.

Any thoughts?

Juliao
-----Original Message-----
From: Valdis.Kletnieks () vt edu
To: Nick Hyatt <me () n33t org>
Cc: full-disclosure () lists grok org uk
Sent: Tue, 17 Jan 2006 21:08:39 -0500
Subject: Re: [Full-disclosure] PC Firewall Choices

On Tue, 17 Jan 2006 18:59:52 MST, Nick Hyatt said:

> Given the choice between one of those selections and a standard Linksys router / firewall combo, wouldn't it be safer to go with the hardware firewall? I find the configuration options to be quite a bit more in-depth, and the hardware firewall doesn't get itself as stuck in the system as, say, ZA does.

Even more important, a hardware firewall can't be compromised as easily by malware that's on a host behind the firewall. It's easy for a program on a PC to tell ZA to look the other way. It's a little harder for it to tell a hardware firewall to look the other way. Unless, of course, the firewall implements the UPnP "Pants Down!" RPC.. ;)
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
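The "tripwire against a RO database on CD" idea from Juliao's post, reduced to its essentials as an added example (this is not code from the thread or from any of the firewall distributions mentioned): build a baseline of file hashes for the firewall's configuration tree once, store that baseline on media that is then switched to read-only, and re-check the live (RAM-mounted) tree against it after boot or on a timer. The directory layout, file names and the `iptables` lines inside the sample files are constructed for the demo; the function names `make_baseline` and `verify_baseline` are this example's own. It uses only `find`, `sort`, `sha256sum` (or BSD `shasum`), `cmp` and `diff`.

```shell
#!/bin/sh
# Minimal "tripwire against a read-only baseline" check. Added example;
# hypothetical layout, not taken from any project discussed in the thread.

# sha256 of one file, portable across coreutils and BSD userland
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_baseline DIR OUTFILE
# Records "sha256 path" for every regular file under DIR, in a stable order,
# so two runs over identical trees produce byte-identical files.
# In real use OUTFILE lives on the CD/USB medium that is then set read-only.
make_baseline() {
    dir=$1; out=$2
    : > "$out"
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "$f"
    done >> "$out"
}

# verify_baseline DIR BASELINE
# Rebuilds the listing for DIR and compares it with BASELINE.
# Returns 0 when nothing changed, 1 when any file was modified, added or
# removed (each of those shows up as a differing line in the listing).
verify_baseline() {
    dir=$1; baseline=$2
    tmp=$(mktemp)
    make_baseline "$dir" "$tmp"
    if cmp -s "$baseline" "$tmp"; then
        rm -f "$tmp"
        echo "OK: $dir matches $baseline"
        return 0
    fi
    echo "TAMPERED: $dir differs from $baseline (< baseline, > live)"
    diff "$baseline" "$tmp" | grep '^[<>]' || true
    rm -f "$tmp"
    return 1
}

# Demo with a constructed config tree: clean check, then an in-RAM edit of
# the rules file that the next check must flag.
demo() {
    d=$(mktemp -d); b=$(mktemp)
    printf 'iptables -P INPUT DROP\n' > "$d/rules.sh"      # constructed sample
    make_baseline "$d" "$b"
    verify_baseline "$d" "$b" || true                       # prints OK
    printf 'iptables -P INPUT ACCEPT\n' > "$d/rules.sh"     # simulated tampering
    verify_baseline "$d" "$b" || true                       # prints TAMPERED
    rm -rf "$d" "$b"
}
demo
```

This catches modified, added and deleted files in the tree, but only as well as the checker itself is trusted: the script, the shell and the hash tool must also come from the read-only medium, and an attacker with root in the RAM-backed filesystem can still patch or kill the checker before it runs, which is the residual weakness the post points at. Running the same comparison from a second box that reads the firewall's tree over the network, or from the next boot off the clean CD, removes that dependency on the possibly-compromised runtime.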